Manalyze report for e9e07acb26dfc4e5eff539975c90dc9e76592730843916f37ad4ebb90580503a

Summary

Architecture	`IMAGE_FILE_MACHINE_AMD64`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_CUI`
Compilation Date	2025-Aug-28 23:16:51

Plugin Output

Info	Interesting strings found in the binary:	`Contains domain names: services.info utils.net`
Info	Cryptographic algorithms detected in the binary:	`Uses constants related to CRC32`
Malicious	The PE contains functions mostly used by malware.	`[!] The program may be hiding some of its imports: LoadLibraryExW GetProcAddress` `Possibly launches other programs: CreateProcessW` `Can create temporary files: GetTempPathW CreateFileW` `Functions related to the privilege level: OpenProcessToken` `Enumerates local disk drives: GetDriveTypeW`
Suspicious	The file contains overlay data.	`10186628 bytes of data starting at offset 0x40800.` `The overlay data has an entropy of 7.99614 and is possibly compressed or encrypted.` `Overlay data amounts for 97.472% of the executable.`
Malicious	VirusTotal score: 3/72 (Scanned on 2025-08-30 18:57:17)	`APEX: Malicious` `Cylance: Unsafe` `Skyhigh: BehavesLike.Win64.DLAssistant.tc`

Hashes

MD5	`d3f6f61bdb06396f0fac74cf043e99b7`
SHA1	`8308dfa20181fe5ba6c374acda703a2e0a1ac379`
SHA256	`e9e07acb26dfc4e5eff539975c90dc9e76592730843916f37ad4ebb90580503a`
SHA3	`9b7077da5d29ea739b4abaca6f51a73f232f8a4d3d6356f992a076616a298ee1`
SSDeep	`196608:ATg1XR2bB6yunlPzf+JiJCslEcEuM0W8/La6YPFghptQ3zsE:XmBRunlPSa7XbW8VgeQo`
Imports Hash	`ba5546933531fafa869b1f86a4e2a959`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0x108`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_AMD64`
NumberofSections	`7`
TimeDateStamp	2025-Aug-28 23:16:51
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xf0`
Characteristics	`IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LARGE_ADDRESS_AWARE`

Image Optional Header

Magic	`PE32+`
LinkerVersion	`14.0`
SizeOfCode	`0x28a00`
SizeOfInitializedData	`0x17a00`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x000000000000A6B0 (Section: .text)`
BaseOfCode	`0x1000`
ImageBase	`0x140000000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`5.2`
ImageVersion	`0.0`
SubsystemVersion	`5.2`
Win32VersionValue	`0`
SizeOfImage	`0x55000`
SizeOfHeaders	`0x400`
Checksum	`0x9fcf86`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_CUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` `IMAGE_DLLCHARACTERISTICS_GUARD_CF` `IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA` `IMAGE_DLLCHARACTERISTICS_NX_COMPAT` `IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE`
SizeofStackReserve	`0x1e8480`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`cd519058a1cc7a614054b311d84d179b`
SHA1	`d2ded932a0aae9efe5fee20fa16358777929d95f`
SHA256	`cae883ec4367725a23a5543f11a18cf2d35429a198911a372a295ecadb0a2503`
SHA3	`73d95ded1bbe99c4b73df485183856b73660d0ea44f814c268a870c6241bc19a`
VirtualSize	`0x288a0`
VirtualAddress	`0x1000`
SizeOfRawData	`0x28a00`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.49069`

.rdata

MD5	`d9b88963a4ecc0c59946cf63f5cdf7d7`
SHA1	`b454f63d124232d7729891a934693e08f60d63c7`
SHA256	`6a878a75d83d0962c23bc08ac0373211c493612a11d868c179d65d6ed807393d`
SHA3	`a6cbbb9a6b3e7c9650f0a27626f92e5b12bb498372395e04e5b3927817f0dbb3`
VirtualSize	`0x126e2`
VirtualAddress	`0x2a000`
SizeOfRawData	`0x12800`
PointerToRawData	`0x28e00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`5.8461`

.data

MD5	`9bd2cebaa3285e8e266c4c373a15119d`
SHA1	`f2aa811253ab892e71f1b7504c587bf82745a97d`
SHA256	`13878d07209c0151066a7989eb52c9c525fdcd6026c746507293fbe575373207`
SHA3	`141f4caa29f203d52f830668bd6836286ce851198180260d3016eb590957b11a`
VirtualSize	`0x103f8`
VirtualAddress	`0x3d000`
SizeOfRawData	`0xe00`
PointerToRawData	`0x3b600`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`1.80892`

.pdata

MD5	`47e5659f5cd2366c7761336e5e8f1fbd`
SHA1	`d1233c922211aa2ea6e7162f0dda89322879324b`
SHA256	`f2e77f3b86348d5d60b2d664d6e0ae56ddae72647d5fe250046cd6a6089af5f0`
SHA3	`dc722e526f7e42eb5b642adffa2f81484647417f04616db4e5ee3e237e94b7da`
VirtualSize	`0x20c4`
VirtualAddress	`0x4e000`
SizeOfRawData	`0x2200`
PointerToRawData	`0x3c400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`5.30946`

_RDATA

MD5	`739c14bf73dcb926054c7e1038da65e4`
SHA1	`ee8e8e6c7c16e5d7d30de76f07f986c8f3b58aa0`
SHA256	`525b35994ae65c3f99896d17f7f4aa9523e864ec6d010b9b10f151d199276aab`
SHA3	`4697c40ede1fcbf48e4527c61cc548023d0efaee8db1ab8ab395b13354549b6e`
VirtualSize	`0x15c`
VirtualAddress	`0x51000`
SizeOfRawData	`0x200`
PointerToRawData	`0x3e600`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`2.77335`

.rsrc

MD5	`ce427a98631bc5779024833cf567de61`
SHA1	`e2bb78c25b094cfea300ca130a3eaca8004b7b26`
SHA256	`da3e432ae36ae49e99d1447ec142a4000f99c4e20fff904759f17b893a472b03`
SHA3	`5cbbe9d8f08e67395a42c5f8206175076af338bd4af3ea0c40d8d122921ee05b`
VirtualSize	`0x1738`
VirtualAddress	`0x52000`
SizeOfRawData	`0x1800`
PointerToRawData	`0x3e800`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`4.51928`

.reloc

MD5	`b7279c82d58eeae8dc663879402c6f2e`
SHA1	`63cd7f76452e70da0d19e5f98896f2b8ef442b80`
SHA256	`0d93f2fc3a2729853909fac2608390da10dac5c4a605c07ec64e7bd7d75565c2`
SHA3	`20e086f79d1010671e68069f379da65f4b44eab2742d57855ed2a14e9633026e`
VirtualSize	`0x75c`
VirtualAddress	`0x54000`
SizeOfRawData	`0x800`
PointerToRawData	`0x40000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`5.23889`

Imports

KERNEL32.dll	`GetCommandLineW` `GetEnvironmentVariableW` `SetEnvironmentVariableW` `ExpandEnvironmentStringsW` `CreateDirectoryW` `GetTempPathW` `WaitForSingleObject` `Sleep` `GetExitCodeProcess` `CreateProcessW` `GetStartupInfoW` `LoadLibraryExW` `SetConsoleCtrlHandler` `FindClose` `FindFirstFileExW` `CloseHandle` `GetCurrentProcess` `LocalFree` `FormatMessageW` `MultiByteToWideChar` `WideCharToMultiByte` `WriteConsoleW` `GetProcAddress` `GetModuleFileNameW` `SetDllDirectoryW` `FreeLibrary` `GetLastError` `RtlCaptureContext` `RtlLookupFunctionEntry` `RtlVirtualUnwind` `UnhandledExceptionFilter` `SetUnhandledExceptionFilter` `TerminateProcess` `IsProcessorFeaturePresent` `QueryPerformanceCounter` `GetCurrentProcessId` `GetCurrentThreadId` `GetSystemTimeAsFileTime` `InitializeSListHead` `IsDebuggerPresent` `GetModuleHandleW` `RtlUnwindEx` `SetLastError` `EnterCriticalSection` `LeaveCriticalSection` `DeleteCriticalSection` `InitializeCriticalSectionAndSpinCount` `TlsAlloc` `TlsGetValue` `TlsSetValue` `TlsFree` `EncodePointer` `RaiseException` `RtlPcToFileHeader` `GetCommandLineA` `CreateFileW` `GetDriveTypeW` `GetFileInformationByHandle` `GetFileType` `PeekNamedPipe` `SystemTimeToTzSpecificLocalTime` `FileTimeToSystemTime` `GetFullPathNameW` `RemoveDirectoryW` `FindNextFileW` `SetStdHandle` `DeleteFileW` `ReadFile` `GetStdHandle` `WriteFile` `ExitProcess` `GetModuleHandleExW` `HeapFree` `GetConsoleMode` `ReadConsoleW` `SetFilePointerEx` `GetConsoleOutputCP` `GetFileSizeEx` `HeapAlloc` `FlsAlloc` `FlsGetValue` `FlsSetValue` `FlsFree` `CompareStringW` `LCMapStringW` `GetCurrentDirectoryW` `FlushFileBuffers` `HeapReAlloc` `GetFileAttributesExW` `GetStringTypeW` `IsValidCodePage` `GetACP` `GetOEMCP` `GetCPInfo` `GetEnvironmentStringsW` `FreeEnvironmentStringsW` `GetProcessHeap` `GetTimeZoneInformation` `HeapSize` `SetEndOfFile`
ADVAPI32.dll	`ConvertSidToStringSidW` `GetTokenInformation` `OpenProcessToken` `ConvertStringSecurityDescriptorToSecurityDescriptorW`

Delayed Imports

1

Type	`RT_ICON`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x10a8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.14139`
MD5	`f86a03a2479d84d1900b5e788b145f4d`
SHA1	`665db4c5e085593a0b1c1723138dc62c87f0a288`
SHA256	`285d2586c73d77eefa96b9d24887c187ee4bf6b09a86030e622a1007080473e7`
SHA3	`39dbfd7343a3be7c38355ee405ac05e5bb1cb888a815c3d69101dc4ac43c9898`

0

Type	`RT_GROUP_ICON`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x14`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`1.7815`
Detected Filetype	Icon file
MD5	`3c68f77c35c26ff079a1c410ee44fa62`
SHA1	`0b40150c95fc2c6414c90d44ee78b8d8814b3393`
SHA256	`a14e70ed824f3f17d3a51136aa08839954d6d3ccadaa067415c7bfc08e6636b0`
SHA3	`590dcbf2ec3f485a6c24e3e627f383ee7588eb49978321f12c07d8190a6c1396`

1 (#2)

Type	`RT_MANIFEST`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x591`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.30501`
MD5	`f8045e5d06a026991e7787193506a56e`
SHA1	`99f52a750c3d193c31b762b45732b298ee500f44`
SHA256	`dd3e2a06612a2ef5b5187fd6bf9c60408f93d57720f1f96fd003dcbc60112011`
SHA3	`a9c33ce31cc47c2f95bbb0f612cf7ee33a703105ee78d0cd0a3e3fd7e3c9f754`

Version Info

IMAGE_DEBUG_TYPE_POGO

Characteristics	`0`
TimeDateStamp	2025-Aug-28 23:16:51
Version	`0.0`
SizeofData	`772`
AddressOfRawData	`0x39884`
PointerToRawData	`0x38684`

TLS Callbacks

Load Configuration

Size	`0x140`
TimeDateStamp	`1970-Jan-01 00:00:00`
Version	`0.0`
GlobalFlagsClear	`(EMPTY)`
GlobalFlagsSet	`(EMPTY)`
CriticalSectionDefaultTimeout	`0`
DeCommitFreeBlockThreshold	`0`
DeCommitTotalFreeThreshold	`0`
LockPrefixTable	`0`
MaximumAllocationSize	`0`
VirtualMemoryThreshold	`0`
ProcessAffinityMask	`0`
ProcessHeapFlags	`(EMPTY)`
CSDVersion	`0`
Reserved1	`0`
EditList	`0`
SecurityCookie	`0x14003d018`
GuardCFCheckFunctionPointer	`5368882000`
GuardCFDispatchFunctionPointer	`0`
GuardCFFunctionTable	`0`
GuardCFFunctionCount	`0`
GuardFlags	`(EMPTY)`
CodeIntegrity.Flags	`0`
CodeIntegrity.Catalog	`0`
CodeIntegrity.CatalogOffset	`0`
CodeIntegrity.Reserved	`0`
GuardAddressTakenIatEntryTable	`0`
GuardAddressTakenIatEntryCount	`0`
GuardLongJumpTargetTable	`0`
GuardLongJumpTargetCount	`0`

RICH Header

XOR Key	`0x1b1dedd`
Unmarked objects	`0`
ASM objects (30795)	`7`
C++ objects (30795)	`190`
C objects (30795)	`10`
253 (32420)	`3`
C++ objects (32420)	`40`
C objects (32420)	`17`
ASM objects (32420)	`9`
Imports (30795)	`5`
Total imports	`117`
C objects (32538)	`20`
Linker (32538)	`1`

Errors

Leave a comment

No comments yet.