Manalyze report for d261da3d15b54b9510f60f108ca708319c1c34cf53cd5594c320ecc03e7b4fb5

Summary

Architecture	`IMAGE_FILE_MACHINE_AMD64`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	2023-Nov-10 09:37:32

Plugin Output

Info	Interesting strings found in the binary:	`Contains domain names: inkscape.org www.inkscape.org`
Info	Cryptographic algorithms detected in the binary:	`Uses constants related to CRC32`
Malicious	The PE contains functions mostly used by malware.	`[!] The program may be hiding some of its imports: GetProcAddress LoadLibraryExW` `Possibly launches other programs: CreateProcessW` `Can create temporary files: GetTempPathW CreateFileW` `Functions related to the privilege level: OpenProcessToken` `Enumerates local disk drives: GetDriveTypeW`
Suspicious	The file contains overlay data.	`26070258 bytes of data starting at offset 0x42800.` `The overlay data has an entropy of 7.99742 and is possibly compressed or encrypted.` `Overlay data amounts for 98.966% of the executable.`
Malicious	VirusTotal score: 11/72 (Scanned on 2023-12-08 15:33:33)	`APEX: Malicious` `AVG: Win64:Evo-gen [Trj]` `Avast: Win64:Evo-gen [Trj]` `Bkav: W64.AIDetectMalware` `Elastic: malicious (moderate confidence)` `Fortinet: W32/PossibleThreat` `Google: Detected` `McAfee: Artemis!A41710E766B0` `Skyhigh: Artemis` `Varist: W64/S-adf50d55!Eldorado` `Zillya: Trojan.Agent.Script.1743086`

Hashes

MD5	`a41710e766b07034fef397453daf9bb5`
SHA1	`b43357ffc83bb57510fcc37655cf0f23d88e1015`
SHA256	`d261da3d15b54b9510f60f108ca708319c1c34cf53cd5594c320ecc03e7b4fb5`
SHA3	`27c3ced89c954ac25a0b8fea9864816637c7aa906d3e91515c1bde6bce425538`
SSDeep	`786432:eJ0daDidol/Qt5fMQAEFZ8W+e5RJ9MV5qW80h:bQcpMyZ8W+eHYVcW7`
Imports Hash	`20d446c1cb128febd23deb17efb67cf6`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0xf8`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_AMD64`
NumberofSections	`7`
TimeDateStamp	2023-Nov-10 09:37:32
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xf0`
Characteristics	`IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LARGE_ADDRESS_AWARE`

Image Optional Header

Magic	`PE32+`
LinkerVersion	`14.0`
SizeOfCode	`0x29c00`
SizeOfInitializedData	`0x18800`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x000000000000C200 (Section: .text)`
BaseOfCode	`0x1000`
ImageBase	`0x140000000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`5.2`
ImageVersion	`0.0`
SubsystemVersion	`5.2`
Win32VersionValue	`0`
SizeOfImage	`0x49000`
SizeOfHeaders	`0x400`
Checksum	`0x1920025`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` `IMAGE_DLLCHARACTERISTICS_GUARD_CF` `IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA` `IMAGE_DLLCHARACTERISTICS_NX_COMPAT` `IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE`
SizeofStackReserve	`0x1e8480`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`6f12541b07558e1c46246b2a798f0b6d`
SHA1	`9b87a6585852fcda1d3d8483136996ca658ea7e5`
SHA256	`d18cf403027fce2b848a37cc5ee21de353cd1260957b1b2d6b26aa7152040661`
SHA3	`0f5a6cd2dc96384d2650cff0a390aaee83a0509bc0f9976e7adc0ebaa03e069f`
VirtualSize	`0x29ba0`
VirtualAddress	`0x1000`
SizeOfRawData	`0x29c00`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.48756`

.rdata

MD5	`b37eed9c9ff0b713b796d9307b8ced52`
SHA1	`c1eabf52fa4b90f38887191eb4d76c9725f60f5e`
SHA256	`d9a668d8fbfdcbdd71e0f62015dfdb41f72db282586adaaed5ce3d934620351f`
SHA3	`5463eec9cd80461b63a7735b0fdf55d687c590c07dfa08d651509c22e415f392`
VirtualSize	`0x12c0c`
VirtualAddress	`0x2b000`
SizeOfRawData	`0x12e00`
PointerToRawData	`0x2a000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`5.8094`

.data

MD5	`99d84572872f2ce8d9bdbc2521e1966e`
SHA1	`1745c4ccf67c876d978058025646a6fc708919e0`
SHA256	`38832a73d4f0bee667066837ff09b7b2d61d6a52f95f8ff67f31699d6259cd20`
SHA3	`58fe1fb70b3e9e03cced62aeeb962d64068bf67d1a451d70017c8ebd326cad3a`
VirtualSize	`0x3338`
VirtualAddress	`0x3e000`
SizeOfRawData	`0xe00`
PointerToRawData	`0x3ce00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`1.82717`

.pdata

MD5	`a2a3bd363becd437dc0a7e6907c97754`
SHA1	`17572707870051e1003e0879a03b88f9335b7537`
SHA256	`ee455d46eb64a7d9f285ed638a1b1455abffd85fe9f8a2b2f513094b6b7f6017`
SHA3	`359b410bde204d5b053249b5968bd0cfdba4c6b59c95c7ae7bd32eddeafe7a49`
VirtualSize	`0x2298`
VirtualAddress	`0x42000`
SizeOfRawData	`0x2400`
PointerToRawData	`0x3dc00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`5.32738`

_RDATA

MD5	`52ec5387fbc7d960d9158c15aab19421`
SHA1	`bd7580b061dbd1b296a29c9764f8d7750388e6d6`
SHA256	`b2efe87f9e28cc3b4cfb9be5c48da6a6d676ba5da3c574282787d2e9c987c665`
SHA3	`17dfdd7feb232f2d49b262eb7c79f5aba9e7752793659e3176427e2012c9c862`
VirtualSize	`0x15c`
VirtualAddress	`0x45000`
SizeOfRawData	`0x200`
PointerToRawData	`0x40000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`2.78092`

.rsrc

MD5	`6cc7dc53d2e33d91b7da5ae36d65e25d`
SHA1	`3c27de4adcd4caa37111f0d0eda3660e6d7ffe5c`
SHA256	`73775921d11111110947eb72027de514f0b99565ca89ee36863b58533a3b0629`
SHA3	`e7a2e1925dcc11867b41e28001ad6e058d6ca37a10cfb186de2584311b03efbb`
VirtualSize	`0x1c74`
VirtualAddress	`0x46000`
SizeOfRawData	`0x1e00`
PointerToRawData	`0x40200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`7.70051`

.reloc

MD5	`4138d4447f190c2657ec208ef31be551`
SHA1	`41f776fbf46111f4aac8e7ff1e7fa89541eda087`
SHA256	`6d0446dfad2fe0f8b0220b0031af4c220fbb7e9002fdb1c76bd38c4d17b85aed`
SHA3	`b89616b1b553c7efb9a63061f47fa6c98e5e668e1965a28a42e3c0c42647ddc6`
VirtualSize	`0x75c`
VirtualAddress	`0x48000`
SizeOfRawData	`0x800`
PointerToRawData	`0x42000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`5.24013`

Imports

USER32.dll	`CreateWindowExW` `MessageBoxW` `MessageBoxA` `SystemParametersInfoW` `DestroyIcon` `SetWindowLongPtrW` `GetWindowLongPtrW` `GetClientRect` `InvalidateRect` `ReleaseDC` `GetDC` `DrawTextW` `GetDialogBaseUnits` `EndDialog` `DialogBoxIndirectParamW` `MoveWindow` `SendMessageW`
COMCTL32.dll	`#380`
KERNEL32.dll	`GetStringTypeW` `GetFileAttributesExW` `HeapReAlloc` `FlushFileBuffers` `GetCurrentDirectoryW` `IsValidCodePage` `GetACP` `GetModuleHandleW` `MulDiv` `GetLastError` `SetDllDirectoryW` `GetModuleFileNameW` `CreateSymbolicLinkW` `GetProcAddress` `GetCommandLineW` `GetEnvironmentVariableW` `GetOEMCP` `ExpandEnvironmentStringsW` `CreateDirectoryW` `GetTempPathW` `WaitForSingleObject` `Sleep` `GetExitCodeProcess` `CreateProcessW` `GetStartupInfoW` `FreeLibrary` `LoadLibraryExW` `SetConsoleCtrlHandler` `FindClose` `FindFirstFileExW` `CloseHandle` `GetCurrentProcess` `LocalFree` `FormatMessageW` `MultiByteToWideChar` `WideCharToMultiByte` `GetCPInfo` `GetEnvironmentStringsW` `FreeEnvironmentStringsW` `GetProcessHeap` `GetTimeZoneInformation` `HeapSize` `WriteConsoleW` `SetEnvironmentVariableW` `RtlUnwindEx` `RtlCaptureContext` `RtlLookupFunctionEntry` `RtlVirtualUnwind` `UnhandledExceptionFilter` `SetUnhandledExceptionFilter` `TerminateProcess` `IsProcessorFeaturePresent` `QueryPerformanceCounter` `GetCurrentProcessId` `GetCurrentThreadId` `GetSystemTimeAsFileTime` `InitializeSListHead` `IsDebuggerPresent` `SetEndOfFile` `SetLastError` `EnterCriticalSection` `LeaveCriticalSection` `DeleteCriticalSection` `InitializeCriticalSectionAndSpinCount` `TlsAlloc` `TlsGetValue` `TlsSetValue` `TlsFree` `EncodePointer` `RaiseException` `RtlPcToFileHeader` `GetCommandLineA` `CreateFileW` `GetDriveTypeW` `GetFileInformationByHandle` `GetFileType` `PeekNamedPipe` `SystemTimeToTzSpecificLocalTime` `FileTimeToSystemTime` `GetFullPathNameW` `RemoveDirectoryW` `FindNextFileW` `SetStdHandle` `DeleteFileW` `ReadFile` `GetStdHandle` `WriteFile` `ExitProcess` `GetModuleHandleExW` `HeapFree` `GetConsoleMode` `ReadConsoleW` `SetFilePointerEx` `GetConsoleOutputCP` `GetFileSizeEx` `HeapAlloc` `FlsAlloc` `FlsGetValue` `FlsSetValue` `FlsFree` `CompareStringW` `LCMapStringW`
ADVAPI32.dll	`OpenProcessToken` `GetTokenInformation` `ConvertStringSecurityDescriptorToSecurityDescriptorW` `ConvertSidToStringSidW`
GDI32.dll	`SelectObject` `DeleteObject` `CreateFontIndirectW`

Delayed Imports

1

Type	`RT_ICON`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x3a9`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`7.75106`
Detected Filetype	PNG graphic file
MD5	`ab558b17adc343180a43390c984c62ed`
SHA1	`71d594dbb31260638dd00ad302a1e1b27ab4313f`
SHA256	`15f0e7032c9d0aab8ac1ab2f127954b53c10169a93cf4c7f20e95e14f80b3762`
SHA3	`c2ff165755ae784ed404415af6e13ab868eaac4a6faf01ef0571ad893ca714e8`

2

Type	`RT_ICON`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x6ee`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`7.89145`
Detected Filetype	PNG graphic file
MD5	`07d935f99c23e33c490653c30a3a75ff`
SHA1	`d8cca27d82a888d120416a36cd6614dd74ee8428`
SHA256	`62ed9f64b60bf796c218b8ca107a471bbd7836412274d7a8c98f9cdbb5530c5f`
SHA3	`5a57579da26571c7227e7b1b52fb58bb1aadbe88990c4fff35c4eed566ffb41e`

3

Type	`RT_ICON`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0xb4f`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`7.93468`
Detected Filetype	PNG graphic file
MD5	`a97f7db4f6dc2c70ecce08d8fb1ac6c9`
SHA1	`e0649202337f0f12427bd7e04a613c211ff2f526`
SHA256	`cf306c143832fc922493b73e1c5aa6771e005d8625b19a87cbd7d3d46722f4d0`
SHA3	`ac8fc0bb75038fbaf9ad7cdcf1a52bb56f9ac2723e580da0bbf1208233cb545b`

1 (#2)

Type	`RT_GROUP_ICON`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x30`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.31474`
Detected Filetype	Icon file
MD5	`253795e8849c6b67d2683a154c2fd404`
SHA1	`891daaa45333169312dfb0a1acdeba21d0ceb6ab`
SHA256	`b408b3d63a4f24bd0a700b3f0634b582c2b1017de4fabe31c3bfbb9d5bbaa3f6`
SHA3	`70e2180afa3175f941175c77d1150f5b84518f0a1ce091239644bbed2124b41a`

1 (#3)

Type	`RT_MANIFEST`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x50d`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.25791`
MD5	`84da8dee6b319ea0b10b6de5489c6aae`
SHA1	`5f8991f3e065fd95614859a293f88b9c70e4bb23`
SHA256	`abf8f2022f12f350789d961aceaf9ccfd53e7ec58d8c9934cfce77779b4eac11`
SHA3	`08f0562915b54bedce5a84e9d32cb2efcc538268785103b1852338e20a3b4606`

Version Info

IMAGE_DEBUG_TYPE_POGO

Characteristics	`0`
TimeDateStamp	2023-Nov-10 09:37:32
Version	`0.0`
SizeofData	`772`
AddressOfRawData	`0x3a860`
PointerToRawData	`0x39860`

TLS Callbacks

Load Configuration

Size	`0x140`
TimeDateStamp	`1970-Jan-01 00:00:00`
Version	`0.0`
GlobalFlagsClear	`(EMPTY)`
GlobalFlagsSet	`(EMPTY)`
CriticalSectionDefaultTimeout	`0`
DeCommitFreeBlockThreshold	`0`
DeCommitTotalFreeThreshold	`0`
LockPrefixTable	`0`
MaximumAllocationSize	`0`
VirtualMemoryThreshold	`0`
ProcessAffinityMask	`0`
ProcessHeapFlags	`(EMPTY)`
CSDVersion	`0`
Reserved1	`0`
EditList	`0`
SecurityCookie	`0x14003e018`
GuardCFCheckFunctionPointer	`5368886304`
GuardCFDispatchFunctionPointer	`0`
GuardCFFunctionTable	`0`
GuardCFFunctionCount	`0`
GuardFlags	`(EMPTY)`
CodeIntegrity.Flags	`0`
CodeIntegrity.Catalog	`0`
CodeIntegrity.CatalogOffset	`0`
CodeIntegrity.Reserved	`0`
GuardAddressTakenIatEntryTable	`0`
GuardAddressTakenIatEntryCount	`0`
GuardLongJumpTargetTable	`0`
GuardLongJumpTargetCount	`0`

RICH Header

XOR Key	`0xdc64562c`
Unmarked objects	`0`
ASM objects (30795)	`8`
C++ objects (30795)	`187`
C objects (30795)	`10`
253 (VS2022 Update 4 (17.4.2) compiler 31935)	`4`
C++ objects (VS2022 Update 4 (17.4.2) compiler 31935)	`40`
C objects (VS2022 Update 4 (17.4.2) compiler 31935)	`17`
ASM objects (VS2022 Update 4 (17.4.2) compiler 31935)	`9`
Imports (30795)	`11`
Total imports	`139`
C objects (VS2022 Update 5 (17.5.4) compiler 32217)	`21`
Linker (VS2022 Update 5 (17.5.4) compiler 32217)	`1`

Errors

Leave a comment

No comments yet.