Manalyze report for c6b39ee166d5b0a2c8a9021ccd1593ae

Summary

Architecture	`IMAGE_FILE_MACHINE_AMD64`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	2024-Apr-08 20:15:43
Detected languages	English - United States

Plugin Output

Suspicious	This PE is packed with Themida	`Unusual section name found:` `Unusual section name found:` `Unusual section name found:` `Unusual section name found:` `Unusual section name found:` `Unusual section name found:` `Unusual section name found:` `Unusual section name found: .themida` `Section .themida is both writable and executable.` `Unusual section name found: .boot`
Info	The PE contains common functions which appear in legitimate applications.	`Can access the registry: RegEnumValueW`
Malicious	VirusTotal score: 33/71 (Scanned on 2024-04-09 18:43:03)	`AVG: Win64:TrojanX-gen [Trj]` `Antiy-AVL: Trojan[Packed]/Win64.Themida` `Arcabit: Trojan.Agent.GKKZ` `Avast: Win64:TrojanX-gen [Trj]` `BitDefender: Trojan.Agent.GKKZ` `Bkav: W64.AIDetectMalware` `CrowdStrike: win/malicious_confidence_100% (W)` `Cylance: unsafe` `Cynet: Malicious (score: 100)` `DeepInstinct: MALICIOUS` `ESET-NOD32: a variant of Win64/Packed.Themida.L suspicious` `Elastic: malicious (high confidence)` `Emsisoft: Trojan.Agent.GKKZ (B)` `FireEye: Generic.mg.c6b39ee166d5b0a2` `Fortinet: Riskware/Application` `GData: Trojan.Agent.GKKZ` `Google: Detected` `Ikarus: Win32.Outbreak` `Lionic: Trojan.Win32.Themida.4!c` `MAX: malware (ai score=87)` `Malwarebytes: Malware.Heuristic.2025` `MaxSecure: Trojan.Malware.300983.susgen` `MicroWorld-eScan: Trojan.Agent.GKKZ` `Microsoft: Trojan:Win32/Znyonm` `Sangfor: Trojan.Win32.Agent.V8v5` `SentinelOne: Static AI - Suspicious PE` `Skyhigh: BehavesLike.Win64.Dropper.wc` `Sophos: Mal/Generic-S` `Symantec: ML.Attribute.HighConfidence` `Trapmine: malicious.high.ml.score` `Varist: W64/Trojan.GJD.gen!Eldorado` `alibabacloud: VirTool:Win/Packed.Themida.L` `tehtris: Generic.Malware`

Hashes

MD5	`c6b39ee166d5b0a2c8a9021ccd1593ae`
SHA1	`e480e7c282f64e8b0179c82afe154dd59d14217d`
SHA256	`443b665c5f545a2bdd7855f86bf70a5ee7f35eda1b6b08615161f5809cbda02b`
SHA3	`101444895915ea127335422c495907c0499b89491e25885477aabbb3066cc048`
SSDeep	`49152:Kl0nJ28J4VZohYWVGGjW8NhSU7zwo8oXJ2R3KPHsI7coj2J+eNgRpqNc1a:KmnJrJ4DohYWVTJNkIZZ2R6vsmA+FDqN`
Imports Hash	`9ae539390e666701a9c361fdd5dc074e`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0x108`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_AMD64`
NumberofSections	`13`
TimeDateStamp	2024-Apr-08 20:15:43
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xf0`
Characteristics	`IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LARGE_ADDRESS_AWARE`

Image Optional Header

Magic	`PE32+`
LinkerVersion	`14.0`
SizeOfCode	`0x16e00`
SizeOfInitializedData	`0x7400`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x0000000000603058 (Section: .boot)`
BaseOfCode	`0x1000`
ImageBase	`0x140000000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`6.0`
ImageVersion	`0.0`
SubsystemVersion	`6.0`
Win32VersionValue	`0`
SizeOfImage	`0x960000`
SizeOfHeaders	`0x600`
Checksum	`0x376597`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` `IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA` `IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

MD5	`0d06bf26da0e5986e8753884cc4f27b0`
SHA1	`35e3ae524eed5baabf4fd1f638cb2f1d0ce8a6f5`
SHA256	`e98cbf955eb3da3391a89b6117b8de29f5f30374edc8c9c5a06ff43473e1b600`
SHA3	`31767bafd21065644b8ad7d818090c2a118cf27c018d48208f4095752da916c1`
VirtualSize	`0x16301`
VirtualAddress	`0x1000`
SizeOfRawData	`0x9800`
PointerToRawData	`0x600`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`7.98027`

(#2)

MD5	`3885243fd18051233de0abf386a7841b`
SHA1	`b75e440b6e406cc7c91d45d28513b3043c415041`
SHA256	`6891041f0347b4c2a8a87050baf8a02ef95cf37bf55b441e56b8096ae419f2cc`
SHA3	`609110db60109d9962659a0e71c97fab97a8f71e300b0f62f6a8f37c0d0cb458`
VirtualSize	`0x8e6`
VirtualAddress	`0x18000`
SizeOfRawData	`0x600`
PointerToRawData	`0x9e00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`7.13644`

(#3)

MD5	`3285a5496e71fa6c87a10fdfd422aac0`
SHA1	`7c17e17d1300dce032cc2d1acbe679beadd16734`
SHA256	`680966e5261a959b51433e4d685eba1d07e5d302e752383eda137239db9905f7`
SHA3	`a79ab218b957c39f3435db794fa0d3212955471a84b7c94531aba732db7b6d71`
VirtualSize	`0x518a`
VirtualAddress	`0x19000`
SizeOfRawData	`0x1e00`
PointerToRawData	`0xa400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`7.77567`

(#4)

MD5	`944103e7a80451d767130b7253bf4f64`
SHA1	`6ccce40cfcf9f842ce9daf74a7b445876440a0b4`
SHA256	`842b2b907e01ac9562f23d65fbe5ea31e92e95dc2bb6cbde0747b6c694ef13ce`
SHA3	`d11bad6af7e8dda208887d3418ef2e9fabd5fb10b8edf02eecf21e45a0694dbc`
VirtualSize	`0xab0`
VirtualAddress	`0x1f000`
SizeOfRawData	`0x200`
PointerToRawData	`0xc200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`5.05149`

(#5)

MD5	`26db06a34b38134e04f599eb411f749b`
SHA1	`e2796e86ba68f0696814aaa242dba5310a96b0d9`
SHA256	`f7b41a3e03a5362750452b3e173b14c2ca9e3956061833f971403ea945639d67`
SHA3	`e449716fca0ee21d6f5da4bfd41bab09f29370d950b0591aaafecd7330a3b02d`
VirtualSize	`0x10ec`
VirtualAddress	`0x20000`
SizeOfRawData	`0xa00`
PointerToRawData	`0xc400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`7.60553`

(#6)

MD5	`7ac54e3308f6db65ecf9cb4c0e04da4a`
SHA1	`4dd81da7ff4b32ae51af5ff506dc4b0089f8b4c6`
SHA256	`8b10ab84032375c0488ce1a5518b65448faa668c73675a1a99054a092415e174`
SHA3	`d828e49a5094cdc173f287192c537f2d2c9969860eb5e8bfc3b70b7ef8fad269`
VirtualSize	`0x1e0`
VirtualAddress	`0x22000`
SizeOfRawData	`0x200`
PointerToRawData	`0xce00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`6.71055`

(#7)

MD5	`a775a6b08217ae0e641bdf8b4a67ff63`
SHA1	`d809ea6518820209136a672f95fee788d452235a`
SHA256	`ce14d4e3b6667054fddbc3a823e41a91505374982f04d817127205adf577193f`
SHA3	`d369756a5d9627ec1a012818db6ed05a42e2a0c0ef85f590ca0cb3393cb2f8b5`
VirtualSize	`0x108`
VirtualAddress	`0x23000`
SizeOfRawData	`0x200`
PointerToRawData	`0xd000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`6.50381`

.idata

MD5	`8101acdbbf6faf0eb70c7008d3b0179a`
SHA1	`d18aa504a397c12473eb67207b8247a0834e5d33`
SHA256	`dfe90e0911a9b8bbd277d1a82dcb84c92a82bdaf1051c42d9ffb73da635df80c`
SHA3	`94310738842861eefed3ed420e0f843bec2b1dd0dfc73a5c8e652abcda441dbc`
VirtualSize	`0x1000`
VirtualAddress	`0x24000`
SizeOfRawData	`0x600`
PointerToRawData	`0xd200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`3.0921`

.tls

MD5	`45631a09c47d59699fe672d074762f29`
SHA1	`3189a886ae22dda7b9e00aaeb29325aec3b2b335`
SHA256	`7d3b3d71986d9decd68bc39b76a2558bfa84c4f3f11fc22c782135091037915e`
SHA3	`9ea878f75964dca6f5bf807a9ec100d4c6a4169e05817872bc4b7c51193fe7c1`
VirtualSize	`0x1000`
VirtualAddress	`0x25000`
SizeOfRawData	`0x200`
PointerToRawData	`0xd800`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`0.284569`

.rsrc

MD5	`d15d4a98e4f310c5fde6e7881e219847`
SHA1	`3a05911e6511d7f9de5614da8bbb55a4e15b0c87`
SHA256	`de69310fdd82288accfe9ff8c4cd48b896ded0342cc07f380231d7c4ecb98fe7`
SHA3	`810bdff894e569a97b98f917c92307ad761e9c27caf872656c34479081c16098`
VirtualSize	`0x1000`
VirtualAddress	`0x26000`
SizeOfRawData	`0x200`
PointerToRawData	`0xda00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`4.71768`

.themida

MD5	`d41d8cd98f00b204e9800998ecf8427e`
SHA1	`da39a3ee5e6b4b0d3255bfef95601890afd80709`
SHA256	`e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`
SHA3	`a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a`
VirtualSize	`0x5dc000`
VirtualAddress	`0x27000`
SizeOfRawData	`0`
PointerToRawData	`0xdc00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`

.boot

MD5	`71d4e34782b8381657bbb13abd791f2c`
SHA1	`aa646d9667c029334400b6e10c235c54ab503ab4`
SHA256	`f989c2ca993375bb7a953d492da7b0514d07cbab801c0b05539867e396d4400c`
SHA3	`5fed23ec47ab1b5e18fcc39e1cde03aac5cc70e92b1e28b6ec681f8029b2f799`
VirtualSize	`0x35b200`
VirtualAddress	`0x603000`
SizeOfRawData	`0x35b200`
PointerToRawData	`0xdc00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`7.96361`

.reloc

MD5	`e09c6e8672fcbb76c08775d08812b8dd`
SHA1	`9c97b85e98d7b6d5123cb4b2724bfbf4a3245d1a`
SHA256	`844cb43725fe0dc24bb8791172c24657a1afd6becc5d4d38bc79e8818a791ce8`
SHA3	`161be55206a7e66cebb3d459848811961eb037844b6906ae9c9e5569e2e2e5da`
VirtualSize	`0x1000`
VirtualAddress	`0x95f000`
SizeOfRawData	`0x10`
PointerToRawData	`0x368e00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_MEM_READ`
Entropy	`2.4746`

Imports

kernel32.dll	`GetModuleHandleA`
ADVAPI32.dll	`RegEnumValueW`
SHELL32.dll	`CommandLineToArgvW`
MSVCP140.dll	`?_Syserror_map@std@@YAPEBDH@Z`
VCRUNTIME140_1.dll	`__CxxFrameHandler4`
VCRUNTIME140.dll	`_CxxThrowException`
api-ms-win-crt-runtime-l1-1-0.dll	`terminate`
api-ms-win-crt-heap-l1-1-0.dll	`_set_new_mode`
api-ms-win-crt-convert-l1-1-0.dll	`atoi`
api-ms-win-crt-string-l1-1-0.dll	`_wcsicmp`
api-ms-win-crt-locale-l1-1-0.dll	`_configthreadlocale`
api-ms-win-crt-math-l1-1-0.dll	`__setusermatherr`
api-ms-win-crt-stdio-l1-1-0.dll	`__p__commode`

Delayed Imports

1

Type	`RT_MANIFEST`
Language	English - United States
Codepage	UNKNOWN
Size	`0x17d`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`4.91161`
MD5	`1e4a89b11eae0fcf8bb5fdd5ec3b6f61`
SHA1	`4260284ce14278c397aaf6f389c1609b0ab0ce51`
SHA256	`4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df`
SHA3	`4bb9e8b5a714cae82782f3831cc2d45f4bf4a50a755fe584d2d1893129d68353`

Version Info

TLS Callbacks

Load Configuration

RICH Header

XOR Key	`0xeaf3f7d7`
Unmarked objects	`0`
Imports (VS2008 SP1 build 30729)	`14`
C objects (33218)	`10`
ASM objects (33218)	`4`
C++ objects (33218)	`32`
Imports (33218)	`6`
Imports (30795)	`7`
Total imports	`146`
C++ objects (LTCG) (33523)	`12`
ASM objects (33523)	`2`
Resource objects (33523)	`1`
Linker (33523)	`1`

Errors

[!] Error: Could not reach the TLS callback table.
[*] Warning: Section .themida has a size of 0!