da1035191f6f0fb90ae954f6abe5affe

Summary

Architecture IMAGE_FILE_MACHINE_AMD64
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date 2021-Apr-02 13:18:55
Detected languages English - United States
German - Germany

Plugin Output

Info Interesting strings found in the binary: Contains domain names:
  • api.minecraftservices.com
  • auth.xboxlive.com
  • cdn.falcun.net
  • falcun.net
  • gmail.com
  • http://auth.xboxlive.com
  • http://pixelspread.comThis
  • http://scripts.sil.org
  • http://scripts.sil.org/OFLRalewayItalicWeightItalicBold
  • http://scripts.sil.org/OFLRalewayRomanWeightItalicRoman
  • http://scripts.sil.org/OFLhttp
  • http://theleagueofmoveabletype.comhttp
  • https://api.minecraftservices.com
  • https://api.minecraftservices.com/authentication/login_with_xbox
  • https://api.minecraftservices.com/entitlements/mcstore
  • https://api.minecraftservices.com/minecraft/profile
  • https://cdn.falcun.net
  • https://cdn.falcun.net/launcher/
  • https://cdn.falcun.net/launcher/assets/assets.txt
  • https://cdn.falcun.net/launcher/assets/assets.zip
  • https://discord.gg
  • https://falcun.net
  • https://user.auth.xboxlive.com
  • https://user.auth.xboxlive.com/user/authenticate
  • https://xsts.auth.xboxlive.com
  • https://xsts.auth.xboxlive.com/xsts/authorize
  • minecraftservices.com
  • scripts.sil.org
  • user.auth.xboxlive.com
  • xboxlive.com
  • xsts.auth.xboxlive.com
Info Cryptographic algorithms detected in the binary: Uses constants related to CRC32
Uses constants related to SHA1
Suspicious The PE contains functions most legitimate programs don't use. [!] The program may be hiding some of its imports:
  • LoadLibraryExW
  • GetProcAddress
Functions which can be used for anti-debugging purposes:
  • CreateToolhelp32Snapshot
Can access the registry:
  • RegCloseKey
  • RegSetValueExW
  • RegCreateKeyExW
Possibly launches other programs:
  • CreateProcessA
  • ShellExecuteA
Has Internet access capabilities:
  • WinHttpOpen
  • WinHttpQueryDataAvailable
  • WinHttpConnect
  • WinHttpSetTimeouts
  • WinHttpSendRequest
  • WinHttpWriteData
  • WinHttpGetProxyForUrl
  • WinHttpGetIEProxyConfigForCurrentUser
  • WinHttpCloseHandle
  • WinHttpSetOption
  • WinHttpOpenRequest
  • WinHttpReadData
  • WinHttpQueryHeaders
  • WinHttpAddRequestHeaders
  • WinHttpReceiveResponse
  • WinHttpCrackUrl
Leverages the raw socket API to access the Internet:
  • accept
  • bind
  • closesocket
  • listen
  • WSAStartup
  • send
  • socket
  • ntohs
  • getnameinfo
  • recv
  • htonl
  • WSAGetLastError
  • setsockopt
  • htons
Manipulates other processes:
  • Process32First
  • Process32Next
Reads the contents of the clipboard:
  • GetClipboardData
Interacts with the certificate store:
  • CertOpenSystemStoreA
Malicious VirusTotal score: 31/70 (Scanned on 2021-04-14 07:58:14)
MicroWorld-eScan: Trojan.GenericKD.46061122
McAfee: Artemis!DA1035191F6F
Malwarebytes: Malware.AI.1564591014
Zillya: Trojan.Agent.Win32.1946984
Alibaba: Trojan:Win32/Generic.a9855a04
Symantec: Trojan.Gen.MBT
Paloalto: generic.ml
Kaspersky: Trojan.Win32.Agent.xahjwf
BitDefender: Trojan.GenericKD.46061122
Avast: Win64:Malware-gen
Ad-Aware: Trojan.GenericKD.46061122
Emsisoft: Trojan.GenericKD.46061122 (B)
DrWeb: Trojan.MulDrop16.43165
McAfee-GW-Edition: BehavesLike.Win64.Dropper.th
FireEye: Trojan.GenericKD.46061122
Sophos: Mal/Generic-S
APEX: Malicious
GData: Trojan.GenericKD.46061122
Jiangmin: Trojan.Agent.dfwk
Avira: TR/Agent.yftdf
Arcabit: Trojan.Generic.D2BED642
AegisLab: Trojan.Win32.Agent.4!c
Microsoft: Trojan:Win32/Wacatac.B!ml
Cynet: Malicious (score: 100)
ALYac: Trojan.GenericKD.46061122
MAX: malware (ai score=88)
Rising: Trojan.Agent!8.B1E (CLOUD)
Ikarus: Trojan.Agent
AVG: Win64:Malware-gen
Panda: Trj/CI.A
Qihoo-360: Win32/Trojan.Generic.HgEASSYA

Hashes

MD5 da1035191f6f0fb90ae954f6abe5affe
SHA1 0de9d5352e430acfb2a73158e11c9ce2b93bddfa
SHA256 4531b467a76920b09ad79dcc2da52ae253dd035474b9529f1751902ba8d90e58
SHA3 c9a51840e406a2e87b2595f131ea9ee10a1197955636ba13ac9299a15a8c58fd
SSDeep 24576:afkjGhWPT3rWT+ippHcpf7WMLCNmblpXKsjJ3dnFzoRNpKHzMZf7fQCLRkgo:ieG8bbWTnpHct7ZWNKpX1DnFPHzMRQC
Imports Hash 35b863f805906870b39669a7581d1fb9

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0x110

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_AMD64
NumberofSections 7
TimeDateStamp 2021-Apr-02 13:18:55
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xf0
Characteristics IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Image Optional Header

Magic PE32+
LinkerVersion 14.0
SizeOfCode 0xd6600
SizeOfInitializedData 0xcf200
SizeOfUninitializedData 0
AddressOfEntryPoint 0x000000000009ADEC (Section: .text)
BaseOfCode 0x1000
ImageBase 0x140000000
SectionAlignment 0x1000
FileAlignment 0x200
OperatingSystemVersion 6.0
ImageVersion 0.0
SubsystemVersion 6.0
Win32VersionValue 0
SizeOfImage 0x1aa000
SizeOfHeaders 0x400
Checksum 0
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
DllCharacteristics IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
SizeofStackReserve 0x100000
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

.text

MD5 d965d48ab24b80385a3de7e4969a4fed
SHA1 1a966793bb3e339a054488bb2bea69da2a9d5ca3
SHA256 9681747dd1bd25f1c6c545dad8ac8724682346a00a78f21c45f252670d9053d4
SHA3 08eb25fba5f59502ab2c2827d5687dd0334808b65e5b747f6a639db2b37c9077
VirtualSize 0xd6418
VirtualAddress 0x1000
SizeOfRawData 0xd6600
PointerToRawData 0x400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
Entropy 6.52036

.rdata

MD5 63b043a8e0539953fc315c299d282227
SHA1 1cb1ec79259f9545b0b14e62e6a5aae881e4e79e
SHA256 96da7bdc7a4186ca225cd91be419ee61900e8829a16ad535d81a7f304e9f9c60
SHA3 0245525e0214e6958cd56201c9756b4e0883b065fc36e263ec3b4c510fc63a1a
VirtualSize 0x31720
VirtualAddress 0xd8000
SizeOfRawData 0x31800
PointerToRawData 0xd6a00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 5.85835

.data

MD5 09168977eec084d4a24def8215cb1cf6
SHA1 c8c729aad6ee56d19e79e68d1c8d1e96b21d1944
SHA256 d83de9ba7a1a3712486434e653b894d36980651dff23790f7b71304350e38650
SHA3 3d8ce289a05150af8c9a9cbb7927e61c627b21dd34d4594418765162eab84f96
VirtualSize 0x8fc2c
VirtualAddress 0x10a000
SizeOfRawData 0x57a00
PointerToRawData 0x108200
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 6.45577

.pdata

MD5 c78635c64269ab11e888e3fc37d75078
SHA1 617d3f92109d32bf6924f933c3d120039af85875
SHA256 a823cca35b6772aa6d95bfc797d9ec211da6131ee7af12079e8043c7dac334d3
SHA3 295bbebb0383482ff20bec5d5749f99ecdb7df9a5a0ca8492baee93a5243eb3c
VirtualSize 0x83dc
VirtualAddress 0x19a000
SizeOfRawData 0x8400
PointerToRawData 0x15fc00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 6.06784

_RDATA

MD5 e80deb90d0cfb283206979b8aed78657
SHA1 1fa7f7fcfa1590b746fbea9476ede7bcd9ee8614
SHA256 116155a270d2d74987dc0c2805a989205b79dac03d00dae7aa8a418d66a365eb
SHA3 5154225f47e634dc9a33b18e9f25f51a62f3d97ed9a653b6a4675da1d2096db7
VirtualSize 0xf4
VirtualAddress 0x1a3000
SizeOfRawData 0x200
PointerToRawData 0x168000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 2.46652

.rsrc

MD5 20cc1b2f57b136a333c8cc1ceec94d27
SHA1 d800d0ad59f9129fa5ba5c597f6afbf97d523017
SHA256 8bed3fa94ef71550d0131d0ea5391c34cc2ce98d467130fe13a0f252bf53949d
SHA3 3ee69a47b9c1c04cc9f4a4d4e9f1e8b32067875086a52a5799e4cb514dacc0a0
VirtualSize 0x44c0
VirtualAddress 0x1a4000
SizeOfRawData 0x4600
PointerToRawData 0x168200
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 2.22774

.reloc

MD5 af70a8ae85b0a64cecf96beee8fa0e7f
SHA1 7592765f5170b68fab2a482e93f0b6d13fea84e0
SHA256 c1559480b83ddd442b319ae16bdd4eb8ffe8c547ccb956f20573fbd211527124
SHA3 ee0ea7dca135477646b911931f27e8e0fd34ece4ad051ccd1745208a70225703
VirtualSize 0xf2c
VirtualAddress 0x1a9000
SizeOfRawData 0x1000
PointerToRawData 0x16c800
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Entropy 5.3242

Imports

KERNEL32.dll CreateDirectoryW
GetModuleFileNameA
FindFirstFileW
GetFullPathNameW
FindNextFileW
RemoveDirectoryW
FindClose
GetFileAttributesW
GetFileInformationByHandle
DeleteFileW
GetCurrentDirectoryW
MoveFileExW
GlobalMemoryStatusEx
GetModuleHandleW
CopyFileW
CreateDirectoryExW
ReadFile
WriteFile
PeekNamedPipe
GetCurrentProcessId
WaitNamedPipeW
lstrlenW
GetModuleFileNameW
GetCommandLineW
Sleep
SetUnhandledExceptionFilter
Process32First
CreateToolhelp32Snapshot
Process32Next
GetNativeSystemInfo
CreateProcessA
SleepConditionVariableCS
EnterCriticalSection
WakeConditionVariable
LeaveCriticalSection
InitializeCriticalSection
InitializeConditionVariable
CreateThread
DeleteCriticalSection
lstrcmpiA
FormatMessageA
WriteConsoleW
HeapSize
GetProcessHeap
SetEnvironmentVariableW
FreeEnvironmentStringsW
GetEnvironmentStringsW
GetCommandLineA
GetOEMCP
GetACP
LocalFree
FindFirstFileExW
SetStdHandle
GetTimeZoneInformation
HeapReAlloc
GetFileSizeEx
GetConsoleOutputCP
FlushFileBuffers
EnumSystemLocalesW
GetUserDefaultLCID
IsValidLocale
GetLocaleInfoW
WideCharToMultiByte
CompareStringW
GetTimeFormatW
GetDateFormatW
HeapFree
HeapAlloc
ReadConsoleW
GetConsoleMode
SetFilePointerEx
GetStdHandle
SystemTimeToFileTime
TzSpecificLocalTimeToSystemTime
SetFileTime
GetFileType
SetEndOfFile
CloseHandle
GetFileAttributesExW
GetLastError
FormatMessageW
GlobalLock
GlobalFree
GlobalAlloc
MultiByteToWideChar
QueryPerformanceCounter
VerifyVersionInfoW
FreeLibraryAndExitThread
ExitThread
GetModuleHandleExW
ExitProcess
LoadLibraryExW
FreeLibrary
TlsFree
TlsSetValue
TlsGetValue
TlsAlloc
SetLastError
CreateFileW
DeviceIoControl
IsValidCodePage
GlobalUnlock
RtlUnwindEx
GetCPInfo
GetStringTypeW
LCMapStringEx
RtlUnwind
DecodePointer
EncodePointer
GetExitCodeThread
VerSetConditionMask
GetProcAddress
QueryPerformanceFrequency
LCMapStringW
InitOnceExecuteOnce
InitializeCriticalSectionAndSpinCount
SetEvent
ResetEvent
WaitForSingleObjectEx
CreateEventW
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
UnhandledExceptionFilter
GetCurrentProcess
TerminateProcess
IsProcessorFeaturePresent
IsDebuggerPresent
GetStartupInfoW
GetCurrentThreadId
GetSystemTimeAsFileTime
InitializeSListHead
InitializeSRWLock
ReleaseSRWLockExclusive
AcquireSRWLockExclusive
InitializeCriticalSectionEx
TryEnterCriticalSection
WakeAllConditionVariable
SleepConditionVariableSRW
RtlPcToFileHeader
RaiseException
USER32.dll ReleaseCapture
GetClientRect
SetCursor
SetCapture
GetForegroundWindow
IsChild
ClientToScreen
GetCapture
ScreenToClient
LoadCursorA
UnregisterClassA
PeekMessageA
TranslateMessage
SetLayeredWindowAttributes
DefWindowProcA
ShowWindow
GetSystemMetrics
DestroyWindow
DispatchMessageA
SetForegroundWindow
GetWindowTextA
FindWindowExA
PostQuitMessage
GetClassNameA
GetKeyState
SetClipboardData
GetClipboardData
EmptyClipboard
CloseClipboard
OpenClipboard
SetWindowPos
GetWindowRect
RegisterClassExA
SetCursorPos
GetCursorPos
CreateWindowExA
GetWindowThreadProcessId
ADVAPI32.dll RegCloseKey
RegSetValueExW
RegCreateKeyExW
SHELL32.dll SHGetSpecialFolderPathA
ShellExecuteA
CommandLineToArgvW
ole32.dll CoCreateInstance
CoUninitialize
PropVariantClear
CoInitialize
dwmapi.dll DwmExtendFrameIntoClientArea
IMM32.dll ImmSetCompositionWindow
ImmReleaseContext
ImmGetContext
WINHTTP.dll WinHttpOpen
WinHttpQueryDataAvailable
WinHttpConnect
WinHttpSetTimeouts
WinHttpSendRequest
WinHttpWriteData
WinHttpGetProxyForUrl
WinHttpGetIEProxyConfigForCurrentUser
WinHttpCloseHandle
WinHttpSetOption
WinHttpOpenRequest
WinHttpReadData
WinHttpQueryHeaders
WinHttpAddRequestHeaders
WinHttpReceiveResponse
WinHttpCrackUrl
d3d11.dll D3D11CreateDeviceAndSwapChain
WS2_32.dll accept
bind
closesocket
listen
WSAStartup
send
socket
ntohs
getnameinfo
recv
htonl
WSAGetLastError
setsockopt
htons
CRYPT32.dll CertFreeCertificateContext
CertCloseStore
CertFindCertificateInStore
CertOpenSystemStoreA

Delayed Imports

(none)

Resources

1

Type RT_ICON
Language German - Germany
Codepage UNKNOWN
Size 0x4228
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 2.04633
MD5 7b345eec92a755cc895ffe4a471f9296
SHA1 524eb12f95c54b936f654b8e19cf1cf6591baac6
SHA256 4c7299cc1bf4f4f786126ea58b770926904a8ef8d550b797aaed6314009b727a
SHA3 85d718b357d14f920b535f6612b72144f0b3b84243dac02dd8b5ef3fb1ac951e

LAUNCHER

Type RT_GROUP_ICON
Language German - Germany
Codepage UNKNOWN
Size 0x14
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 1.91924
Detected Filetype Icon file
MD5 3e1d980f0dc747eec9d946c155cb1498
SHA1 15414ced0202f709d400c957d441a8856dde8479
SHA256 027e12c81d53ebb492d0e1ce8166c0c004e135274105fb79465b6b97bc6c71cd
SHA3 11e83c27ff3b8cca2c537273338202138c94fb4b10a6b2daf0f7d23d177cc049

1 (#2)

Type RT_MANIFEST
Language English - United States
Codepage UNKNOWN
Size 0x17d
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 4.91161
MD5 1e4a89b11eae0fcf8bb5fdd5ec3b6f61
SHA1 4260284ce14278c397aaf6f389c1609b0ab0ce51
SHA256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df
SHA3 4bb9e8b5a714cae82782f3831cc2d45f4bf4a50a755fe584d2d1893129d68353

Version Info

IMAGE_DEBUG_TYPE_POGO

Characteristics 0
TimeDateStamp 2021-Apr-02 13:18:55
Version 0.0
SizeofData 984
AddressOfRawData 0xf7c3c
PointerToRawData 0xf663c

IMAGE_DEBUG_TYPE_ILTCG

Characteristics 0
TimeDateStamp 2021-Apr-02 13:18:55
Version 0.0
SizeofData 0
AddressOfRawData 0
PointerToRawData 0

TLS Callbacks

StartAddressOfRawData 0x1400f8038
EndAddressOfRawData 0x1400f8040
AddressOfIndex 0x140162000
AddressOfCallbacks 0x1400d88e8
SizeOfZeroFill 0
Characteristics IMAGE_SCN_ALIGN_4BYTES
Callbacks (EMPTY)

Load Configuration

Size 0x138
TimeDateStamp 1970-Jan-01 00:00:00
Version 0.0
GlobalFlagsClear (EMPTY)
GlobalFlagsSet (EMPTY)
CriticalSectionDefaultTimeout 0
DeCommitFreeBlockThreshold 0
DeCommitTotalFreeThreshold 0
LockPrefixTable 0
MaximumAllocationSize 0
VirtualMemoryThreshold 0
ProcessAffinityMask 0
ProcessHeapFlags (EMPTY)
CSDVersion 0
Reserved1 0
EditList 0
SecurityCookie 0x14010a010

RICH Header

XOR Key 0xdefe77f1
Unmarked objects 0
ASM objects (27412) 23
C++ objects (27412) 202
C++ objects (VS 2015/2017/2019 runtime 29804) 98
C objects (VS 2015/2017/2019 runtime 29804) 18
ASM objects (VS 2015/2017/2019 runtime 29804) 10
C++ objects (29912) 2
C objects (27412) 28
262 (27412) 1
Imports (27412) 25
Total imports 276
265 (29912) 26
Resource objects (29912) 1
151 1
Linker (29912) 1
