Manalyze report for ca026bdf12e2dd537672225b342c5708

Summary

Architecture	`IMAGE_FILE_MACHINE_AMD64`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	2020-Jan-26 20:27:02
Detected languages	English - United States

Plugin Output

Suspicious	The PE is possibly packed.	`Unusual section name found: .text0` `Unusual section name found: .text1`
Info	The PE contains common functions which appear in legitimate applications.	`[!] The program may be hiding some of its imports: LoadLibraryA GetProcAddress`
Malicious	VirusTotal score: 15/71 (Scanned on 2020-05-22 12:26:39)	`Cybereason: malicious.6313f3` `Symantec: Trojan.Gen.9` `APEX: Malicious` `Paloalto: generic.ml` `Rising: Trojan.Occamy!8.F1CD (CLOUD)` `Invincea: heuristic` `McAfee-GW-Edition: BehavesLike.Win64.Trojan.wc` `FireEye: Generic.mg.ca026bdf12e2dd53` `SentinelOne: DFI - Suspicious PE` `Cyren: W64/Trojan.CGNQ-5396` `Webroot: W32.Trojan.Gen` `Endgame: malicious (high confidence)` `MaxSecure: Trojan.Malware.74806141.susgen` `Panda: PUP/Gamehack` `CrowdStrike: win/malicious_confidence_80% (W)`

Hashes

MD5	`ca026bdf12e2dd537672225b342c5708`
SHA1	`9aaa9956313f35194b71f9ec4fd1c21141abf49f`
SHA256	`b6b300d51ec33133e760f0e52cdf8505fa554d04f66245102daba0f255637224`
SHA3	`7b27223cffdcb94557c064bd8a36368346e9662c72f2808d7c7f2a6a57cf6405`
SSDeep	`196608:Cnbz2f3seCngkST7m/Kb8vov7y8C5MpRH:Cn32/sbgkUmI8EufWP`
Imports Hash	`d5a599d545a3069275ae20d927c5df05`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0x80`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_AMD64`
NumberofSections	`7`
TimeDateStamp	2020-Jan-26 20:27:02
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xf0`
Characteristics	`IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LARGE_ADDRESS_AWARE` `IMAGE_FILE_RELOCS_STRIPPED`

Image Optional Header

Magic	`PE32+`
LinkerVersion	`14.0`
SizeOfCode	`0xdee00`
SizeOfInitializedData	`0x35400`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x000000000078B204 (Section: .text1)`
BaseOfCode	`0x1000`
ImageBase	`0x140000000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`6.0`
ImageVersion	`0.0`
SubsystemVersion	`6.0`
Win32VersionValue	`0`
SizeOfImage	`0xe37000`
SizeOfHeaders	`0x400`
Checksum	`0`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA` `IMAGE_DLLCHARACTERISTICS_NX_COMPAT` `IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`d41d8cd98f00b204e9800998ecf8427e`
SHA1	`da39a3ee5e6b4b0d3255bfef95601890afd80709`
SHA256	`e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`
SHA3	`a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a`
VirtualSize	`0xdec6f`
VirtualAddress	`0x1000`
SizeOfRawData	`0`
PointerToRawData	`0`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`

.rdata

MD5	`d41d8cd98f00b204e9800998ecf8427e`
SHA1	`da39a3ee5e6b4b0d3255bfef95601890afd80709`
SHA256	`e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`
SHA3	`a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a`
VirtualSize	`0x1d8d8`
VirtualAddress	`0xe0000`
SizeOfRawData	`0`
PointerToRawData	`0`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`

.data

MD5	`d41d8cd98f00b204e9800998ecf8427e`
SHA1	`da39a3ee5e6b4b0d3255bfef95601890afd80709`
SHA256	`e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`
SHA3	`a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a`
VirtualSize	`0x6b60`
VirtualAddress	`0xfe000`
SizeOfRawData	`0`
PointerToRawData	`0`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`

.pdata

MD5	`d41d8cd98f00b204e9800998ecf8427e`
SHA1	`da39a3ee5e6b4b0d3255bfef95601890afd80709`
SHA256	`e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`
SHA3	`a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a`
VirtualSize	`0x68c4`
VirtualAddress	`0x105000`
SizeOfRawData	`0`
PointerToRawData	`0`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`

.text0

MD5	`d41d8cd98f00b204e9800998ecf8427e`
SHA1	`da39a3ee5e6b4b0d3255bfef95601890afd80709`
SHA256	`e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`
SHA3	`a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a`
VirtualSize	`0x596077`
VirtualAddress	`0x10c000`
SizeOfRawData	`0`
PointerToRawData	`0`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_NOT_PAGED` `IMAGE_SCN_MEM_READ`

.text1

MD5	`52917d95d870ee6e211501390f74d595`
SHA1	`f2cb8d6f0ffadeb0184af7e78b93dc3380354ef8`
SHA256	`97244b7e9d526a931b00b0030455885349b7e1eb753c3cc6705b93215cf9239f`
SHA3	`7771e86581a2ccac5ab0ed2c6777f4ae40d566e727526ce5492a30012d31334c`
VirtualSize	`0x78a4c8`
VirtualAddress	`0x6a3000`
SizeOfRawData	`0x78a600`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_NOT_PAGED` `IMAGE_SCN_MEM_READ`
Entropy	`7.94499`

.rsrc

MD5	`402f1bea80b111ef1992c4d5e07a7814`
SHA1	`bd90ba71811a1249667f404b41e0ee363b356205`
SHA256	`d4217854ee55450041bfb5348c3f692607f1a35389077541a05ba381cefe803b`
SHA3	`c99216d7787b0a24bd18b6fde5fd0177025fe416a52cf5ea23d9c8781d89435d`
VirtualSize	`0x8974`
VirtualAddress	`0xe2e000`
SizeOfRawData	`0x8a00`
PointerToRawData	`0x78aa00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`6.17997`

Imports

USER32.dll	`GetWindowTextLengthW`
KERNEL32.dll	`CreateEventW`
GDI32.dll	`DeleteObject`
MSVCP140.dll	`_Mtx_init_in_situ`
VCRUNTIME140_1.dll	`__CxxFrameHandler4`
VCRUNTIME140.dll	`__C_specific_handler`
api-ms-win-crt-runtime-l1-1-0.dll	`_seh_filter_exe`
api-ms-win-crt-math-l1-1-0.dll	`_ldsign`
api-ms-win-crt-stdio-l1-1-0.dll	`fclose`
api-ms-win-crt-heap-l1-1-0.dll	`_set_new_mode`
api-ms-win-crt-convert-l1-1-0.dll	`strtod`
api-ms-win-crt-filesystem-l1-1-0.dll	`_lock_file`
api-ms-win-crt-locale-l1-1-0.dll	`localeconv`
api-ms-win-crt-string-l1-1-0.dll	`strnlen`
ntdll.dll	`RtlLookupFunctionEntry`
WTSAPI32.dll	`WTSSendMessageW`
KERNEL32.dll (#2)	`CreateEventW`
USER32.dll (#2)	`GetWindowTextLengthW`
KERNEL32.dll (#3)	`CreateEventW`
USER32.dll (#3)	`GetWindowTextLengthW`

Delayed Imports

1

Type	`RT_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x468`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`4.28766`
MD5	`e964d8b9e7899d6d15fa09739ac64af0`
SHA1	`452e202fc95346318b5f23e72138419031d70580`
SHA256	`1f6c15e6a513b67369c00e842184894df5c444b59fe2c7135d0b90664a8c8bf3`
SHA3	`46528114d992d2db37f0ed65a366db2db9ef8d7175a12d04791409c77e5adcca`

2

Type	`RT_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x988`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.79022`
MD5	`c9b9fb36918ff1ae7ca66abc3b3635f3`
SHA1	`3a0ab520f47db71db5116b7e8658a5168eb87a45`
SHA256	`2563566c9dd6777d7df40c903b12d41204f96b2293b139146b3f79d968ed3895`
SHA3	`63ee885e38b71be33f19b1196d2ce2a7adc59c5374e588a04cea314326915f8c`

3

Type	`RT_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x10a8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.43381`
MD5	`0d57bdecb24ff411d5f8c7bbe45bdfa7`
SHA1	`de18cfa766c7fac977e443f424a2be75144759d5`
SHA256	`6dd737bddb2f130053ea5532e15856583bbf844d88f2fb99582a13aec614f2e6`
SHA3	`c53d4306053aa6a21d9448d8b6d44f14c6aa2c5eca6af67202af8bf4047b47cf`

4

Type	`RT_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x25a8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.02663`
MD5	`5a099dc9ef65ccc1aaa46bbb4f7fcec5`
SHA1	`c1481f124f5d19ac15d918f6a2cd6a1a219c6b84`
SHA256	`eb70bae10bfc0bb0ab18c944895358f1a6846b2c39c51f0d5b9b643fb2d0cc35`
SHA3	`b6b580600aa6440410e24e815ad8b6c67938255d028227c256150e4a337ae85e`

5

Type	`RT_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x436b`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`7.96375`
Detected Filetype	PNG graphic file
MD5	`3c111d3bec96854aba9e3dfbb243809a`
SHA1	`29250ed32ae978d0a588395311d0c46f87e37966`
SHA256	`a8ff7b96bc8000df31f0f6f12e1b667c78fcdb1490e205dbece27fa05c47b7bc`
SHA3	`81d97c7e5566a2a9e1a3cb39c8b7acae66312d14d1166b8dde7614a05d72c9ac`

IDI_ICON1

Type	`RT_GROUP_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x4c`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.64638`
Detected Filetype	Icon file
MD5	`ffb2b53d87197eda8c1ee431c21a95f1`
SHA1	`dedad442a1f612841fa34f703ce63ea8bf16d926`
SHA256	`cd15c1c03a7ef3c872b2f6201b983f252e07770c3cecc377bdf4bcf4e35578b4`
SHA3	`7c05e17a99aa4f432d3cccbbc9b63a95e965ad8660bd60d5366cb0780b8ea9d9`

Version Info

TLS Callbacks

Load Configuration

Size	`0x108`
TimeDateStamp	`1970-Jan-01 00:00:00`
Version	`0.0`
GlobalFlagsClear	`(EMPTY)`
GlobalFlagsSet	`(EMPTY)`
CriticalSectionDefaultTimeout	`0`
DeCommitFreeBlockThreshold	`0`
DeCommitTotalFreeThreshold	`0`
LockPrefixTable	`0`
MaximumAllocationSize	`0`
VirtualMemoryThreshold	`0`
ProcessAffinityMask	`0`
ProcessHeapFlags	`(EMPTY)`
CSDVersion	`0`
Reserved1	`0`
EditList	`0`
SecurityCookie	`0x1400fe038`

RICH Header

Errors

[!] Error: Could not read the exported DLL name.
[!] Error: Could not reach the TLS callback table.
[*] Warning: Section .text has a size of 0!
[*] Warning: Section .rdata has a size of 0!
[*] Warning: Section .data has a size of 0!
[*] Warning: Section .pdata has a size of 0!
[*] Warning: Section .text0 has a size of 0!