Architecture |
IMAGE_FILE_MACHINE_AMD64
|
Subsystem |
IMAGE_SUBSYSTEM_WINDOWS_CUI
|
Compilation Date |
2021-Jan-01 23:59:42
|
Detected languages |
English - United States
|
Info |
Libraries used to perform cryptographic operations: |
Microsoft's Cryptography API
|
Suspicious |
This PE is packed with VMProtect |
Unusual section name found: .vmp0
Unusual section name found: .vmp1
|
Suspicious |
The PE contains functions most legitimate programs don't use. |
[!] The program may be hiding some of its imports:
- LoadLibraryA
- GetProcAddress
Can access the registry:
Possibly launches other programs:
Uses Microsoft's cryptographic API:
Has Internet access capabilities:
Leverages the raw socket API to access the Internet:
|
Malicious |
VirusTotal score: 39/71 (Scanned on 2021-01-07 12:03:37) |
Elastic:
malicious (high confidence)
MicroWorld-eScan:
Gen:Variant.Bulz.222216
FireEye:
Generic.mg.c3a788fd4e10376e
McAfee:
Artemis!C3A788FD4E10
Cylance:
Unsafe
Sangfor:
Malware
K7AntiVirus:
Trojan ( 0055b8231 )
Alibaba:
Packed:Win64/VMProtect.6ad12b2a
K7GW:
Trojan ( 0055b8231 )
Cybereason:
malicious.d4e103
Cyren:
W64/Trojan.IAPV-1042
Symantec:
Trojan.Gen.MBT
APEX:
Malicious
Avast:
Win64:Trojan-gen
BitDefender:
Gen:Variant.Bulz.222216
Paloalto:
generic.ml
AegisLab:
Trojan.Win32.Bulz.4!c
Ad-Aware:
Gen:Variant.Bulz.222216
Emsisoft:
Gen:Variant.Bulz.222216 (B)
F-Secure:
Heuristic.HEUR/AGEN.1110460
McAfee-GW-Edition:
BehavesLike.Win64.Generic.tc
Sophos:
Generic PUA LG (PUA)
Ikarus:
Trojan.Win64.Vmprotect
GData:
Gen:Variant.Bulz.222216
Avira:
HEUR/AGEN.1110460
Arcabit:
Trojan.Bulz.D36408
Microsoft:
Trojan:Win32/Tiggre!rfn
Cynet:
Malicious (score: 100)
AhnLab-V3:
Malware/Gen.RL_Reputation.R361595
ALYac:
Gen:Variant.Bulz.222216
MAX:
malware (ai score=83)
ESET-NOD32:
a variant of Win64/Packed.VMProtect.IH
TrendMicro-HouseCall:
TROJ_GEN.R002H09A221
SentinelOne:
Static AI - Suspicious PE
Fortinet:
W32/PossibleThreat
MaxSecure:
Trojan.Malware.300983.susgen
AVG:
Win64:Trojan-gen
CrowdStrike:
win/malicious_confidence_80% (D)
Qihoo-360:
Generic/HEUR/QVM202.0.5444.Malware.Gen
|
MD5 |
c3a788fd4e10376e089267469a526d3e
|
SHA1 |
b661aaaee3055cfc7f9912a6ab458cc5868e5541
|
SHA256 |
07656c9e45fe999b39c9df3120d931b47dec1d9878e9bcb7bbda3ff67cd41415
|
SHA3 |
ad480f6c91866e1a5fa914c587f71b40114d85c1c3621ffe9220bb91c3099b04
|
SSDeep |
393216:nx/AN8aSb0FLubeT9mUv135PbXb3ET3T6BCdk:nx4N8ae0U0EGhLqTkCdk
|
Imports Hash |
569aaed20474d732a1340fb447a4a69b
|
e_magic |
MZ
|
e_cblp |
0x90
|
e_cp |
0x3
|
e_crlc |
0
|
e_cparhdr |
0x4
|
e_minalloc |
0
|
e_maxalloc |
0xffff
|
e_ss |
0
|
e_sp |
0xb8
|
e_csum |
0
|
e_ip |
0
|
e_cs |
0
|
e_ovno |
0
|
e_oemid |
0
|
e_oeminfo |
0
|
e_lfanew |
0x80
|
Signature |
PE
|
Machine |
IMAGE_FILE_MACHINE_AMD64
|
NumberofSections |
9
|
TimeDateStamp |
2021-Jan-01 23:59:42
|
PointerToSymbolTable |
0
|
NumberOfSymbols |
0
|
SizeOfOptionalHeader |
0xf0
|
Characteristics |
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
|
Magic |
PE32+
|
LinkerVersion |
14.0
|
SizeOfCode |
0x29ec00
|
SizeOfInitializedData |
0x109200
|
SizeOfUninitializedData |
0
|
AddressOfEntryPoint |
0x0000000000DD776D (Section: .vmp1)
|
BaseOfCode |
0x1000
|
ImageBase |
0x140000000
|
SectionAlignment |
0x1000
|
FileAlignment |
0x200
|
OperatingSystemVersion |
6.0
|
ImageVersion |
0.0
|
SubsystemVersion |
6.0
|
Win32VersionValue |
0
|
SizeOfImage |
0x1b1d000
|
SizeOfHeaders |
0x400
|
Checksum |
0
|
Subsystem |
IMAGE_SUBSYSTEM_WINDOWS_CUI
|
DllCharacteristics |
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
|
SizeofStackReserve |
0x100000
|
SizeofStackCommit |
0x1000
|
SizeofHeapReserve |
0x100000
|
SizeofHeapCommit |
0x1000
|
LoaderFlags |
0
|
NumberOfRvaAndSizes |
16
|
MD5 |
d41d8cd98f00b204e9800998ecf8427e
|
SHA1 |
da39a3ee5e6b4b0d3255bfef95601890afd80709
|
SHA256 |
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
|
SHA3 |
a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a
|
VirtualSize |
0x29ea9c
|
VirtualAddress |
0x1000
|
SizeOfRawData |
0
|
PointerToRawData |
0
|
PointerToRelocations |
0
|
PointerToLineNumbers |
0
|
NumberOfLineNumbers |
0
|
NumberOfRelocations |
0
|
Characteristics |
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
|
MD5 |
d41d8cd98f00b204e9800998ecf8427e
|
SHA1 |
da39a3ee5e6b4b0d3255bfef95601890afd80709
|
SHA256 |
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
|
SHA3 |
a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a
|
VirtualSize |
0xd442c
|
VirtualAddress |
0x2a0000
|
SizeOfRawData |
0
|
PointerToRawData |
0
|
PointerToRelocations |
0
|
PointerToLineNumbers |
0
|
NumberOfLineNumbers |
0
|
NumberOfRelocations |
0
|
Characteristics |
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
|
MD5 |
d41d8cd98f00b204e9800998ecf8427e
|
SHA1 |
da39a3ee5e6b4b0d3255bfef95601890afd80709
|
SHA256 |
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
|
SHA3 |
a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a
|
VirtualSize |
0x112fc
|
VirtualAddress |
0x375000
|
SizeOfRawData |
0
|
PointerToRawData |
0
|
PointerToRelocations |
0
|
PointerToLineNumbers |
0
|
NumberOfLineNumbers |
0
|
NumberOfRelocations |
0
|
Characteristics |
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
|
MD5 |
d41d8cd98f00b204e9800998ecf8427e
|
SHA1 |
da39a3ee5e6b4b0d3255bfef95601890afd80709
|
SHA256 |
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
|
SHA3 |
a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a
|
VirtualSize |
0x1b12c
|
VirtualAddress |
0x387000
|
SizeOfRawData |
0
|
PointerToRawData |
0
|
PointerToRelocations |
0
|
PointerToLineNumbers |
0
|
NumberOfLineNumbers |
0
|
NumberOfRelocations |
0
|
Characteristics |
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
|
MD5 |
d41d8cd98f00b204e9800998ecf8427e
|
SHA1 |
da39a3ee5e6b4b0d3255bfef95601890afd80709
|
SHA256 |
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
|
SHA3 |
a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a
|
VirtualSize |
0x94
|
VirtualAddress |
0x3a3000
|
SizeOfRawData |
0
|
PointerToRawData |
0
|
PointerToRelocations |
0
|
PointerToLineNumbers |
0
|
NumberOfLineNumbers |
0
|
NumberOfRelocations |
0
|
Characteristics |
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
|
MD5 |
d41d8cd98f00b204e9800998ecf8427e
|
SHA1 |
da39a3ee5e6b4b0d3255bfef95601890afd80709
|
SHA256 |
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
|
SHA3 |
a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a
|
VirtualSize |
0xa00c31
|
VirtualAddress |
0x3a4000
|
SizeOfRawData |
0
|
PointerToRawData |
0
|
PointerToRelocations |
0
|
PointerToLineNumbers |
0
|
NumberOfLineNumbers |
0
|
NumberOfRelocations |
0
|
Characteristics |
IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_NOT_PAGED
IMAGE_SCN_MEM_READ
|
MD5 |
c047792e73b8f62df415d0eaa1817b79
|
SHA1 |
110ddcd762f329920f01b225242e200e50c1e80d
|
SHA256 |
d735a1f5f59e0287d798c6eaa88b50a5ed893c873589b276600fb5d48c634073
|
SHA3 |
2f6829439afd40c2ad729f2dfbc1d5de92a1ea13be6d1273fd8acab5757160f3
|
VirtualSize |
0xd7538c
|
VirtualAddress |
0xda5000
|
SizeOfRawData |
0xd75400
|
PointerToRawData |
0x400
|
PointerToRelocations |
0
|
PointerToLineNumbers |
0
|
NumberOfLineNumbers |
0
|
NumberOfRelocations |
0
|
Characteristics |
IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_NOT_PAGED
IMAGE_SCN_MEM_READ
|
Entropy |
7.97835
|
MD5 |
4971cc249d1a6a51dd12b823870acd3e
|
SHA1 |
b5499c5c76338fbfcc99613833d759be8187dd12
|
SHA256 |
2d66c444fd75ef0564f11b8cc86772cc98e546bf5b5a180d05c0d315c627257d
|
SHA3 |
0e5278d1b563c032a90e7d6137fefa6337193259dafb9cb1d96b2011a8402f0c
|
VirtualSize |
0xb0
|
VirtualAddress |
0x1b1b000
|
SizeOfRawData |
0x200
|
PointerToRawData |
0xd75800
|
PointerToRelocations |
0
|
PointerToLineNumbers |
0
|
NumberOfLineNumbers |
0
|
NumberOfRelocations |
0
|
Characteristics |
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
|
Entropy |
1.95195
|
MD5 |
448e0a451a227eb51e3c4f84bac6b79e
|
SHA1 |
ada543617500b9b1a1db5c9c9cad42f3d625fe3a
|
SHA256 |
c92af268c89952c12ff58487ac0803803a9b37ac4f5ab13afc0911e0fb17776f
|
SHA3 |
8a34f4ca9ab35c6d37f483d0a65863c1265ac675d893166b0da5455f5ba2b7dd
|
VirtualSize |
0x1e0
|
VirtualAddress |
0x1b1c000
|
SizeOfRawData |
0x200
|
PointerToRawData |
0xd75a00
|
PointerToRelocations |
0
|
PointerToLineNumbers |
0
|
NumberOfLineNumbers |
0
|
NumberOfRelocations |
0
|
Characteristics |
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
|
Entropy |
4.78028
|
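Reading the section table above: the six sections with SizeOfRawData 0 (in table order, the warnings at the end of this report name them .text, .rdata, .data, .pdata, _RDATA and .vmp0) exist only as VirtualSize, so their MD5/SHA-1/SHA-256/SHA3-256 values are the digests of zero bytes and say nothing about the file. The seventh section holds the entry point (the AddressOfEntryPoint line places it in .vmp1) and is 0xd75400 bytes on disk at entropy 7.978, which is where the packed program lives. The script below is an added example, not Manalyze output or code from this report: a stdlib-only Python walk of a PE's section table that applies exactly those checks (a .vmp* section name, sections present in memory but absent on disk, entry point outside .text, near-8.0 entropy, empty-input digests). So that it runs offline, it builds its own PE32+ sample with the same shape; that sample's section names, sizes and seeded random payload are the example's own and only mirror the report, and the .vmp prefix test is the same name heuristic the report uses.

```python
import hashlib
import math
import random
import struct

EMPTY_MD5 = hashlib.md5(b"").hexdigest()   # d41d8cd98f00b204e9800998ecf8427e, as on the report's empty sections


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 8.0 means indistinguishable from random."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes) -> dict:
    """DOS header -> NT headers -> section table, with entropy and MD5 of each section's raw bytes."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    machine, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, e_lfanew + 4)
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", pe, opt)[0]            # 0x20b = PE32+
    entry_rva = struct.unpack_from("<I", pe, opt + 16)[0]   # AddressOfEntryPoint
    sections, off = [], opt + opt_size
    for _ in range(nsec):
        name, vsize, va, rsize, rptr, _, _, _, _, chars = struct.unpack_from("<8sIIIIIIHHI", pe, off)
        raw = pe[rptr:rptr + rsize] if rsize else b""      # SizeOfRawData 0: nothing on disk
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vsize": vsize, "va": va, "rsize": rsize, "chars": chars,
                         "entropy": entropy(raw), "md5": hashlib.md5(raw).hexdigest()})
        off += 40
    return {"machine": machine, "magic": magic, "entry_rva": entry_rva, "sections": sections}


def triage(info: dict) -> dict:
    """Apply the packer indicators the report surfaces and return the findings."""
    secs, ep = info["sections"], info["entry_rva"]
    ep_sec = next((s for s in secs if s["va"] <= ep < s["va"] + s["vsize"]), None)
    f = {
        "vmp_sections": [s["name"] for s in secs if s["name"].lower().startswith(".vmp")],
        # present in memory, absent on disk: filled in by the unpacking stub at run time
        "virtual_only": [s["name"] for s in secs if s["rsize"] == 0 and s["vsize"] > 0],
        "high_entropy": [s["name"] for s in secs if s["entropy"] > 7.5],
        "entry_section": ep_sec["name"] if ep_sec else None,
        "entry_outside_text": ep_sec is not None and ep_sec["name"] != ".text",
        # a digest over zero bytes is the digest of the empty string and carries no signal
        "empty_hash_sections": [s["name"] for s in secs if s["md5"] == EMPTY_MD5],
    }
    f["packed_verdict"] = bool(f["vmp_sections"]) or (f["entry_outside_text"] and bool(f["virtual_only"]))
    return f


def build_sample_pe() -> bytes:
    """Constructed PE32+ (not the report's file): .text and .vmp0 have no raw data, the entry
    point sits in .vmp1, whose raw bytes are a seeded random payload standing in for packed code."""
    rng = random.Random(7)
    payload = bytes(rng.getrandbits(8) for _ in range(0x1000))
    sections = [(b".text", 0x2000, 0x1000, 0, 0), (b".vmp0", 0x3000, 0x3000, 0, 0),
                (b".vmp1", 0x1000, 0x6000, len(payload), 0x400)]   # name, vsize, va, rsize, rptr
    hdr = bytearray(b"MZ" + bytes(0x3A) + struct.pack("<I", 0x80)).ljust(0x80, b"\0")
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, 0xF0, 0x22)
    opt = bytearray(0xF0)
    struct.pack_into("<H", opt, 0, 0x20B)        # PE32+ magic
    struct.pack_into("<I", opt, 16, 0x6100)      # AddressOfEntryPoint -> inside .vmp1
    hdr += opt
    for name, vsize, va, rsize, rptr in sections:
        hdr += struct.pack("<8sIIIIIIHHI", name, vsize, va, rsize, rptr, 0, 0, 0, 0, 0x60000020)
    return bytes(hdr.ljust(0x400, b"\0")) + payload


if __name__ == "__main__":
    import json, sys
    pe = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    print(json.dumps(triage(parse_sections(pe)), indent=2))
```

Run it with a file path to triage a real binary, or with no arguments to see the verdict on the built-in sample. The entropy threshold of 7.5 is a conventional cut-off for compressed or encrypted data; .vmp1 in the report sits at 7.978, and a single high-entropy executable section holding the entry point is the pattern to expect from VMProtect and similar packers.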
ole32.dll |
CoInitialize
|
WS2_32.dll |
#22
|
WLDAP32.dll |
#46
|
CRYPT32.dll |
CertGetCertificateContextProperty
|
ADVAPI32.dll |
CryptAcquireContextA
|
KERNEL32.dll |
VirtualProtect
|
USER32.dll |
MoveWindow
|
SHELL32.dll |
ShellExecuteA
|
OLEAUT32.dll |
#9
|
SHLWAPI.dll |
SHDeleteKeyW
|
USERENV.dll |
UnloadUserProfile
|
RPCRT4.dll |
UuidCreate
|
urlmon.dll |
URLDownloadToFileA
|
bcrypt.dll |
BCryptGenRandom
|
WTSAPI32.dll |
WTSSendMessageW
|
KERNEL32.dll (#2) |
VirtualProtect
|
USER32.dll (#2) |
MoveWindow
|
KERNEL32.dll (#3) |
VirtualProtect
|
USER32.dll (#3) |
MoveWindow
|
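Two things in the import listing above are worth a programmatic check: KERNEL32.dll and USER32.dll each recur as separate descriptors (the "(#2)" and "(#3)" entries), and the summary at the top flags LoadLibraryA and GetProcAddress as a sign that the real imports are resolved at run time rather than listed here. The script below is an added example, not Manalyze's code or part of this report: a stdlib-only Python walk of a PE32+ import directory that lists the functions behind each descriptor, counts descriptors per DLL, reports repeated and single-entry descriptors, checks for the LoadLibraryA/GetProcAddress pair, and builds the pefile-style imphash input ("dll.function" per thunk, lowercased, extension dropped, joined by commas, then MD5). It runs on a sample PE it constructs itself whose import directory imitates the report's layout; the DLL and function choices in that sample are the example's own. One caveat on comparing the hash with the report's Imports Hash: pefile substitutes names from a built-in table for ordinal imports of a few DLLs such as ws2_32.dll and oleaut32.dll, whereas this example keeps the bare ordN form, so the two can differ for import tables that use ordinals.

```python
import hashlib
import struct
from collections import Counter

ORDINAL_FLAG64 = 1 << 63          # high bit of a PE32+ thunk marks an import by ordinal

def rva_to_offset(pe: bytes, rva: int) -> int:
    """Map an RVA to a file offset through the section table."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    nsec = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    first = e_lfanew + 24 + struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    for i in range(nsec):
        vsize, va, rsize, rptr = struct.unpack_from("<IIII", pe, first + 40 * i + 8)
        if va <= rva < va + max(vsize, rsize):
            return rva - va + rptr
    raise ValueError("RVA 0x%x is not backed by any section" % rva)

def read_cstr(pe: bytes, off: int) -> str:
    return pe[off:pe.index(b"\0", off)].decode("ascii", "replace")

def parse_imports(pe: bytes) -> list:
    """Return [(dll, [function or 'ordN', ...]), ...] in import-descriptor order."""
    opt = struct.unpack_from("<I", pe, 0x3C)[0] + 24
    if struct.unpack_from("<H", pe, opt)[0] != 0x20B:
        raise ValueError("PE32+ only (8-byte thunks)")
    idir_rva = struct.unpack_from("<I", pe, opt + 120)[0]   # data directory 1: imports
    imports, off = [], rva_to_offset(pe, idir_rva)
    while True:
        ilt, _, _, name_rva, iat = struct.unpack_from("<IIIII", pe, off)
        if name_rva == 0 and iat == 0:                        # all-zero terminator
            break
        funcs, t = [], rva_to_offset(pe, ilt or iat)         # lookup table, else the IAT
        while True:
            thunk = struct.unpack_from("<Q", pe, t)[0]
            if thunk == 0:
                break
            if thunk & ORDINAL_FLAG64:
                funcs.append("ord%d" % (thunk & 0xFFFF))
            else:   # IMAGE_IMPORT_BY_NAME: u16 hint, then the NUL-terminated name
                funcs.append(read_cstr(pe, rva_to_offset(pe, thunk & 0x7FFFFFFF) + 2))
            t += 8
        imports.append((read_cstr(pe, rva_to_offset(pe, name_rva)), funcs))
        off += 20
    return imports

def imphash_string(imports: list) -> str:
    """pefile-style imphash input: 'dll.function' per thunk, lowercased, DLL extension dropped."""
    parts = []
    for dll, funcs in imports:
        lib = dll.lower()
        if lib.endswith((".dll", ".ocx", ".sys")):
            lib = lib[:-4]
        parts += ["%s.%s" % (lib, f.lower()) for f in funcs]
    return ",".join(parts)

def analyze_imports(imports: list) -> dict:
    """Descriptor-layout indicators plus the imphash of the visible import table."""
    per_dll = Counter(dll.lower() for dll, _ in imports)
    names = {f for _, funcs in imports for f in funcs}
    return {
        "descriptors": len(imports),
        "repeated_dlls": sorted(d for d, n in per_dll.items() if n > 1),
        "single_entry_descriptors": sum(1 for _, f in imports if len(f) == 1),
        # both halves of run-time resolution present: the report's "may be hiding imports" hint
        "dynamic_resolution": {"LoadLibraryA", "GetProcAddress"} <= names,
        "imphash": hashlib.md5(imphash_string(imports).encode()).hexdigest(),
    }

def build_sample_pe() -> bytes:
    """Constructed PE32+ (not the report's file): one section at RVA 0x1000 whose import
    directory has one function per descriptor and KERNEL32.dll listed three times."""
    sec_va, blob = 0x1000, bytearray()
    def put(data: bytes) -> int:               # append to the section, return the RVA
        blob.extend(data)
        return sec_va + len(blob) - len(data)
    plan = [("KERNEL32.dll", ["VirtualProtect"]), ("USER32.dll", ["MoveWindow"]),
            ("KERNEL32.dll", ["VirtualProtect"]), ("WS2_32.dll", [22]),
            ("KERNEL32.dll", ["LoadLibraryA", "GetProcAddress"])]
    descs = b""
    for dll, funcs in plan:
        name_rva = put(dll.encode() + b"\0")
        thunks = [(ORDINAL_FLAG64 | f) if isinstance(f, int)
                  else put(struct.pack("<H", 0) + f.encode() + b"\0") for f in funcs] + [0]
        ilt_rva = put(struct.pack("<%dQ" % len(thunks), *thunks))
        descs += struct.pack("<IIIII", ilt_rva, 0, 0, name_rva, ilt_rva)
    idir_rva = put(descs + bytes(20))
    raw = bytes(blob).ljust((len(blob) + 0x1FF) & ~0x1FF, b"\0")
    hdr = bytearray(b"MZ" + bytes(0x3A) + struct.pack("<I", 0x80)).ljust(0x80, b"\0")
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 0xF0, 0x22)
    opt = bytearray(0xF0)
    struct.pack_into("<H", opt, 0, 0x20B)                       # PE32+ magic
    struct.pack_into("<II", opt, 120, idir_rva, len(descs) + 20) # import directory RVA, size
    hdr += opt + struct.pack("<8sIIIIIIHHI", b".vmp1", len(blob), sec_va, len(raw), 0x400,
                             0, 0, 0, 0, 0x40000040)
    return bytes(hdr.ljust(0x400, b"\0")) + raw

if __name__ == "__main__":
    import json, sys
    pe = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    imports = parse_imports(pe)
    print(json.dumps({"imports": imports, "analysis": analyze_imports(imports)}, indent=2))
```

A DLL that appears under several descriptors is legal PE, so on its own it is only a layout oddity; combined with a high-entropy entry-point section and the LoadLibraryA/GetProcAddress pair it is the shape a packer leaves behind, and the functions that matter for behaviour (the URLDownloadToFileA, ShellExecuteA and CryptAcquireContextA entries above included) should be expected to be a decoy subset of what the unpacked code resolves at run time.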
Ordinal |
1
|
Address |
0xa7990
|
Ordinal |
2
|
Address |
0xb9040
|
Ordinal |
3
|
Address |
0xb14d0
|
Ordinal |
4
|
Address |
0xb1630
|
Ordinal |
5
|
Address |
0xb1490
|
Ordinal |
6
|
Address |
0xb1510
|
Ordinal |
7
|
Address |
0xad780
|
Ordinal |
8
|
Address |
0xb1960
|
Ordinal |
9
|
Address |
0xb9380
|
Ordinal |
10
|
Address |
0xa7a10
|
Ordinal |
11
|
Address |
0xb9090
|
Ordinal |
12
|
Address |
0xb14c0
|
Ordinal |
13
|
Address |
0xb16d0
|
Ordinal |
14
|
Address |
0xb14c0
|
Ordinal |
15
|
Address |
0xb14c0
|
Ordinal |
16
|
Address |
0xad7f0
|
Ordinal |
17
|
Address |
0xb1a00
|
Ordinal |
18
|
Address |
0xb93a0
|
Ordinal |
19
|
Address |
0x909d0
|
Ordinal |
20
|
Address |
0xb94d0
|
Ordinal |
21
|
Address |
0xb2140
|
Ordinal |
22
|
Address |
0xa7bc0
|
Ordinal |
23
|
Address |
0xb91c0
|
Ordinal |
24
|
Address |
0xa7e20
|
Ordinal |
25
|
Address |
0xa7ef0
|
Ordinal |
26
|
Address |
0x344260
|
Ordinal |
27
|
Address |
0xa7d40
|
Ordinal |
28
|
Address |
0xb1fe0
|
Ordinal |
29
|
Address |
0xa7ca0
|
Ordinal |
30
|
Address |
0xb92f0
|
Ordinal |
31
|
Address |
0x347e60
|
Ordinal |
32
|
Address |
0x347f00
|
Ordinal |
33
|
Address |
0x347eb0
|
Ordinal |
34
|
Address |
0x344270
|
Ordinal |
35
|
Address |
0x345ce0
|
Ordinal |
36
|
Address |
0x347e10
|
Ordinal |
37
|
Address |
0xb1740
|
Ordinal |
38
|
Address |
0xb1540
|
Ordinal |
39
|
Address |
0xb1c90
|
Ordinal |
40
|
Address |
0xad8f0
|
Ordinal |
41
|
Address |
0xacb20
|
Ordinal |
42
|
Address |
0xacbc0
|
Ordinal |
43
|
Address |
0xb95b0
|
Ordinal |
44
|
Address |
0xa7f60
|
Ordinal |
45
|
Address |
0xc11c0
|
Ordinal |
46
|
Address |
0xc11e0
|
Ordinal |
47
|
Address |
0xbc730
|
Ordinal |
48
|
Address |
0xb9610
|
Ordinal |
49
|
Address |
0xa8090
|
Ordinal |
50
|
Address |
0xb1b30
|
Ordinal |
51
|
Address |
0xa81f0
|
Ordinal |
52
|
Address |
0xa8260
|
Ordinal |
53
|
Address |
0xa84d0
|
Ordinal |
54
|
Address |
0xa8530
|
Ordinal |
55
|
Address |
0xa8240
|
Ordinal |
56
|
Address |
0xa8410
|
Ordinal |
57
|
Address |
0xa8470
|
Ordinal |
58
|
Address |
0xa8220
|
Ordinal |
59
|
Address |
0xa8350
|
Ordinal |
60
|
Address |
0xa83b0
|
Ordinal |
61
|
Address |
0xa8290
|
Ordinal |
62
|
Address |
0xa82f0
|
Ordinal |
63
|
Address |
0x5d930
|
Ordinal |
64
|
Address |
0xb1500
|
Ordinal |
65
|
Address |
0xbc770
|
Ordinal |
66
|
Address |
0xacb00
|
Ordinal |
67
|
Address |
0xacae0
|
Ordinal |
68
|
Address |
0x73db0
|
Ordinal |
69
|
Address |
0xa8150
|
Ordinal |
70
|
Address |
0x344250
|
Ordinal |
71
|
Address |
0xb1850
|
Ordinal |
72
|
Address |
0xb1820
|
Ordinal |
73
|
Address |
0xb1810
|
Ordinal |
74
|
Address |
0x5d6f0
|
Ordinal |
75
|
Address |
0xada00
|
Ordinal |
76
|
Address |
0xacc60
|
Ordinal |
77
|
Address |
0xacca0
|
Ordinal |
78
|
Address |
0xa8120
|
Ordinal |
79
|
Address |
0xa7af0
|
Ordinal |
80
|
Address |
0xb9170
|
Ordinal |
81
|
Address |
0xad840
|
Ordinal |
82
|
Address |
0xb9420
|
Ordinal |
83
|
Address |
0xb9690
|
Ordinal |
84
|
Address |
0xb1a10
|
Ordinal |
85
|
Address |
0xb90c0
|
Ordinal |
86
|
Address |
0xb9120
|
Ordinal |
87
|
Address |
0xb9740
|
Ordinal |
88
|
Address |
0xadbd0
|
Ordinal |
89
|
Address |
0x343400
|
Type |
RT_MANIFEST
|
Language |
English - United States
|
Codepage |
UNKNOWN
|
Size |
0x188
|
TimeDateStamp |
1980-Jan-01 00:00:00
|
Entropy |
4.89623
|
MD5 |
b8e76ddb52d0eb41e972599ff3ca431b
|
SHA1 |
fc12d7ad112ddabfcd8f82f290d84e637a4d62f8
|
SHA256 |
165c5c883fd4fd36758bcba6baf2faffb77d2f4872ffd5ee918a16f91de5a8a8
|
SHA3 |
37f83338b28cb102b1b14f27280ba1aa3fffb17f7bf165cb7b675b7e8eb7cddd
|
Size |
0x138
|
TimeDateStamp |
1970-Jan-01 00:00:00
|
Version |
0.0
|
GlobalFlagsClear |
(EMPTY)
|
GlobalFlagsSet |
(EMPTY)
|
CriticalSectionDefaultTimeout |
0
|
DeCommitFreeBlockThreshold |
0
|
DeCommitTotalFreeThreshold |
0
|
LockPrefixTable |
0
|
MaximumAllocationSize |
0
|
VirtualMemoryThreshold |
0
|
ProcessAffinityMask |
0
|
ProcessHeapFlags |
(EMPTY)
|
CSDVersion |
0
|
Reserved1 |
0
|
EditList |
0
|
SecurityCookie |
0x14037a6d0
|
[!] Error: Could not reach the TLS callback table.
[*] Warning: Section .text has a size of 0!
[*] Warning: Section .rdata has a size of 0!
[*] Warning: Section .data has a size of 0!
[*] Warning: Section .pdata has a size of 0!
[*] Warning: Section _RDATA has a size of 0!
[*] Warning: Section .vmp0 has a size of 0!