Manalyze report for da365c7716c8d8e078f4e34bd43c48ce

Summary

Architecture	`IMAGE_FILE_MACHINE_AMD64`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_CUI`
Compilation Date	2020-Apr-21 06:30:08
Detected languages	English - United States

Plugin Output

Info	Libraries used to perform cryptographic operations:	`Microsoft's Cryptography API`
Suspicious	This PE is packed with VMProtect	`Unusual section name found: .vmp0` `Unusual section name found: .vmp1`
Suspicious	The PE contains functions most legitimate programs don't use.	`[!] The program may be hiding some of its imports: LoadLibraryA GetProcAddress` `Uses Microsoft's cryptographic API: CryptDestroyKey` `Leverages the raw socket API to access the Internet: #9`
Suspicious	The file contains overlay data.	`83 bytes of data starting at offset 0x6e9800.`
Malicious	VirusTotal score: 16/73 (Scanned on 2020-05-14 20:56:37)	`FireEye: Generic.mg.da365c7716c8d8e0` `CAT-QuickHeal: Trojan.Wacatac` `Invincea: heuristic` `APEX: Malicious` `Avast: Win64:Malware-gen` `Endgame: malicious (high confidence)` `F-Secure: Heuristic.HEUR/AGEN.1110460` `McAfee-GW-Edition: BehavesLike.Win64.Generic.vc` `Trapmine: malicious.moderate.ml.score` `Avira: HEUR/AGEN.1110460` `Webroot: W32.Adware.Gen` `Microsoft: Trojan:Win32/Wacatac.D!ml` `Ikarus: Trojan.Win64.Vmprotect` `MaxSecure: Trojan.Malware.300983.susgen` `AVG: Win64:Malware-gen` `CrowdStrike: win/malicious_confidence_70% (D)`

Hashes

MD5	`da365c7716c8d8e078f4e34bd43c48ce`
SHA1	`7a7339f27bfe80d5b493a25c14615cfd3c62110b`
SHA256	`1c21a5f065f1317cd4a7bcbbc18b277ee31b965774ef83b165c839b3c1034b23`
SHA3	`c20d0aecad4b0ee216cb5d12d38128bef9fd7989c42eec3c169053d81981f3ce`
SSDeep	`196608:pB+PRIebgebf4uZwSTak2MAHnhJxnoC03w3:p4uebgCf5Ll2MAzxny8`
Imports Hash	`649513767063c54363173e7ac192abfc`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0x80`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_AMD64`
NumberofSections	`8`
TimeDateStamp	2020-Apr-21 06:30:08
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xf0`
Characteristics	`IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LARGE_ADDRESS_AWARE`

Image Optional Header

Magic	`PE32+`
LinkerVersion	`14.0`
SizeOfCode	`0x8e200`
SizeOfInitializedData	`0x9ba00`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x00000000005EAF31 (Section: .vmp1)`
BaseOfCode	`0x1000`
ImageBase	`0x140000000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`6.0`
ImageVersion	`0.0`
SubsystemVersion	`6.0`
Win32VersionValue	`0`
SizeOfImage	`0xcb7000`
SizeOfHeaders	`0x400`
Checksum	`0`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_CUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` `IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA` `IMAGE_DLLCHARACTERISTICS_NX_COMPAT` `IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`d41d8cd98f00b204e9800998ecf8427e`
SHA1	`da39a3ee5e6b4b0d3255bfef95601890afd80709`
SHA256	`e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`
SHA3	`a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a`
VirtualSize	`0x8e1bc`
VirtualAddress	`0x1000`
SizeOfRawData	`0`
PointerToRawData	`0`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`

.rdata

MD5	`d41d8cd98f00b204e9800998ecf8427e`
SHA1	`da39a3ee5e6b4b0d3255bfef95601890afd80709`
SHA256	`e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`
SHA3	`a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a`
VirtualSize	`0x5d35c`
VirtualAddress	`0x90000`
SizeOfRawData	`0`
PointerToRawData	`0`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`

.data

MD5	`d41d8cd98f00b204e9800998ecf8427e`
SHA1	`da39a3ee5e6b4b0d3255bfef95601890afd80709`
SHA256	`e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`
SHA3	`a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a`
VirtualSize	`0x38010`
VirtualAddress	`0xee000`
SizeOfRawData	`0`
PointerToRawData	`0`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`

.pdata

MD5	`d41d8cd98f00b204e9800998ecf8427e`
SHA1	`da39a3ee5e6b4b0d3255bfef95601890afd80709`
SHA256	`e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`
SHA3	`a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a`
VirtualSize	`0x588c`
VirtualAddress	`0x127000`
SizeOfRawData	`0`
PointerToRawData	`0`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`

.vmp0

MD5	`d41d8cd98f00b204e9800998ecf8427e`
SHA1	`da39a3ee5e6b4b0d3255bfef95601890afd80709`
SHA256	`e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`
SHA3	`a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a`
VirtualSize	`0x49eb0b`
VirtualAddress	`0x12d000`
SizeOfRawData	`0`
PointerToRawData	`0`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_NOT_PAGED` `IMAGE_SCN_MEM_READ`

.vmp1

MD5	`eb4e5481d8a905c9346319556db5d032`
SHA1	`84b7c58a4f6b3769a48022d560eaff260d34a54b`
SHA256	`d691c9aa265bf8b27bf96ed08493731c18ffdbe291133324348d01254913234a`
SHA3	`95f61c24408e793418a930f370a9a0bbde2f3a42b6f76789d311cd3790b9267a`
VirtualSize	`0x6e8fb0`
VirtualAddress	`0x5cc000`
SizeOfRawData	`0x6e9000`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_NOT_PAGED` `IMAGE_SCN_MEM_READ`
Entropy	`7.94063`

.reloc

MD5	`6f84b47cca02e3e7b2ca6684d0ab9902`
SHA1	`209da3dcc4700d87758fd47c49b9f38302a825bc`
SHA256	`d001e55ea8dbf1256191f6d5d64b0ede69ab949d290948be9c43e3990fd3673c`
SHA3	`a4c7b311fb69f1dc75eab5018dac89161a6df7c805fe9df4a2b60cce6bfb25ac`
VirtualSize	`0xc8`
VirtualAddress	`0xcb5000`
SizeOfRawData	`0x200`
PointerToRawData	`0x6e9400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`1.93133`

.rsrc

MD5	`6cdea106c71874a826a5ff99a56c6a31`
SHA1	`280f7fa0a0b85a47370cfeedc083cb0871f48d98`
SHA256	`621ea003a0b237ad41eeb0ba9ff7ba5d438a353180c53cf200943bc13842ef60`
SHA3	`45b27e69b86e1db70a212ba396f0b74f383eab3d29854aeca7744f622b76f0fe`
VirtualSize	`0x1dc`
VirtualAddress	`0xcb6000`
SizeOfRawData	`0x200`
PointerToRawData	`0x6e9600`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`4.76554`

Imports

WS2_32.dll	`#9`
WLDAP32.dll	`#211`
CRYPT32.dll	`CertFreeCertificateContext`
IMM32.dll	`ImmSetCompositionWindow`
d3d9.dll	`Direct3DCreate9`
KERNEL32.dll	`IsProcessorFeaturePresent`
USER32.dll	`GetSystemMenu`
GDI32.dll	`SelectObject`
ADVAPI32.dll	`CryptDestroyKey`
MSVCP140.dll	`?put@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@D@Z`
XINPUT1_4.dll	`#2`
VCRUNTIME140_1.dll	`__CxxFrameHandler4`
VCRUNTIME140.dll	`strstr`
api-ms-win-crt-runtime-l1-1-0.dll	`_register_thread_local_exe_atexit_callback`
api-ms-win-crt-stdio-l1-1-0.dll	`__acrt_iob_func`
api-ms-win-crt-math-l1-1-0.dll	`pow`
api-ms-win-crt-time-l1-1-0.dll	`_time64`
api-ms-win-crt-heap-l1-1-0.dll	`realloc`
api-ms-win-crt-string-l1-1-0.dll	`strncmp`
api-ms-win-crt-utility-l1-1-0.dll	`srand`
api-ms-win-crt-convert-l1-1-0.dll	`strtol`
api-ms-win-crt-filesystem-l1-1-0.dll	`_unlock_file`
api-ms-win-crt-environment-l1-1-0.dll	`getenv`
api-ms-win-crt-multibyte-l1-1-0.dll	`_mbsnbcpy`
api-ms-win-crt-locale-l1-1-0.dll	`_configthreadlocale`
WTSAPI32.dll	`WTSSendMessageW`
KERNEL32.dll (#2)	`IsProcessorFeaturePresent`
USER32.dll (#2)	`GetSystemMenu`
KERNEL32.dll (#3)	`IsProcessorFeaturePresent`
USER32.dll (#3)	`GetSystemMenu`

Delayed Imports

1

Type	`RT_MANIFEST`
Language	English - United States
Codepage	UNKNOWN
Size	`0x184`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`4.91862`
MD5	`3250787fdcd75aa2587529b89c7738b2`
SHA1	`622b5627941ecee9cfe6179c3017bbf7b43fffaa`
SHA256	`8b0de2e560d8476fb0013b44f1e10c2789ae71e0353866890dc5f9c57fb1f44a`
SHA3	`6bf4f0eaf6795c219d4d808caa895dcb53f7fe9c81e92ce03da1db7841bfcd3d`

Version Info

TLS Callbacks

Load Configuration

Size	`0x108`
TimeDateStamp	`1970-Jan-01 00:00:00`
Version	`0.0`
GlobalFlagsClear	`(EMPTY)`
GlobalFlagsSet	`(EMPTY)`
CriticalSectionDefaultTimeout	`0`
DeCommitFreeBlockThreshold	`0`
DeCommitTotalFreeThreshold	`0`
LockPrefixTable	`0`
MaximumAllocationSize	`0`
VirtualMemoryThreshold	`0`
ProcessAffinityMask	`0`
ProcessHeapFlags	`(EMPTY)`
CSDVersion	`0`
Reserved1	`0`
EditList	`0`
SecurityCookie	`0x1400ee0e8`

RICH Header

Errors

[!] Error: Could not read the exported DLL name.
[!] Error: Could not reach the TLS callback table.
[*] Warning: Section .text has a size of 0!
[*] Warning: Section .rdata has a size of 0!
[*] Warning: Section .data has a size of 0!
[*] Warning: Section .pdata has a size of 0!
[*] Warning: Section .vmp0 has a size of 0!