Manalyze report for dc1926e90476c49859e8649f3b678f1c

Summary

Architecture	`IMAGE_FILE_MACHINE_AMD64`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_CUI`
Compilation Date	2023-Jan-17 20:20:18
Detected languages	English - United States
CompanyName	MrAntiFun.net
FileDescription	MrAntiFun Loader
FileVersion	`1.02`
InternalName	MrAntiFun
LegalCopyright	Copyrights MrAntiFun.net © 2013-2018
LegalTrademarks1	MrAntiFun
LegalTrademarks2	MrAntiFun.net
OriginalFilename	Trainer.exe
ProductName	MrAntiFun Loader
ProductVersion	`1.00`

Plugin Output

Info	Interesting strings found in the binary:	`Contains domain names: MrAntiFun.net`
Malicious	The PE contains functions mostly used by malware.	`[!] The program may be hiding some of its imports: GetProcAddress LoadLibraryExW` `Functions which can be used for anti-debugging purposes: CreateToolhelp32Snapshot` `Functions related to the privilege level: AdjustTokenPrivileges OpenProcessToken` `Manipulates other processes: Process32NextW Process32FirstW OpenProcess ReadProcessMemory WriteProcessMemory`
Malicious	VirusTotal score: 18/68 (Scanned on 2023-03-14 22:57:08)	`Lionic: Trojan.Win32.Agent.Y!c` `Cynet: Malicious (score: 100)` `McAfee: Artemis!DC1926E90476` `CrowdStrike: win/malicious_confidence_70% (W)` `APEX: Malicious` `Kaspersky: Trojan.Win64.Agent.qwidjl` `ViRobot: Trojan.Win.Z.Agent.216576.G` `Rising: Trojan.Agent!8.B1E (CLOUD)` `Zillya: Trojan.Agent.Win64.24233` `McAfee-GW-Edition: BehavesLike.Win64.BadFile.dh` `Trapmine: suspicious.low.ml.score` `Antiy-AVL: Trojan/Win64.Agent` `Gridinsoft: Ransom.Win64.Sabsik.sa` `ZoneAlarm: Trojan.Win64.Agent.qwidjl` `Google: Detected` `MaxSecure: Trojan.Malware.74412563.susgen` `Fortinet: Malicious_Behavior.SB` `Panda: Trj/Chgt.AD`

Hashes

MD5	`dc1926e90476c49859e8649f3b678f1c`
SHA1	`7d8d8af0dddf80d921b1d440a6ee3bbbd4e6b016`
SHA256	`ff0ffae4478f831cf64714f734a4f8fcf4d6c81ddfcf43e37aa026566970882a`
SHA3	`a6852b20ba85dab409d46f63ad36304435eb0294586929c030578a24f0841feb`
SSDeep	`3072:WAD+0yxRNhJFk4swBYCa4IMMgcjzc092Px0VgIV3hhgJlhavYchw90:W0ixpJWRwBYtfcRp03V3hhgJlhkBw`
Imports Hash	`ceb6f018622d2a5df2b9b9a07d0c4584`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0x110`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_AMD64`
NumberofSections	`7`
TimeDateStamp	2023-Jan-17 20:20:18
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xf0`
Characteristics	`IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LARGE_ADDRESS_AWARE`

Image Optional Header

Magic	`PE32+`
LinkerVersion	`14.0`
SizeOfCode	`0xc800`
SizeOfInitializedData	`0x1f429400`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x0000000000001740 (Section: .text)`
BaseOfCode	`0x1000`
ImageBase	`0x140000000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`6.0`
ImageVersion	`0.0`
SubsystemVersion	`6.0`
Win32VersionValue	`0`
SizeOfImage	`0x1f43a000`
SizeOfHeaders	`0x400`
Checksum	`0`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_CUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` `IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA` `IMAGE_DLLCHARACTERISTICS_NX_COMPAT` `IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`04d262966522ac9c81f0a838a9150a4e`
SHA1	`f24874200c830806e23a4f6c1b41739ae7a66583`
SHA256	`9f700a907adff96034e3b42fad5b6bb9da63e4f6a58b3af75ccde00d6629bab9`
SHA3	`16baf5da3686b69124fe1941b173df70b751c2fde196a4f48e7eda170f688439`
VirtualSize	`0xc690`
VirtualAddress	`0x1000`
SizeOfRawData	`0xc800`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.43427`

.rdata

MD5	`940abd1154c43de75c4b7f7f6937325a`
SHA1	`f171c54d57e18936ca6c3be2306a0d1078a59ae5`
SHA256	`90fdc2b3b7e7a793bee4971c4d26eb44103fe145e183d2648ce67b864729aa73`
SHA3	`3ed96d4a4c3d9e0ba1f4902d050bc384ecd022ab1dccbfa96cfccce37a234aa8`
VirtualSize	`0x90de`
VirtualAddress	`0xe000`
SizeOfRawData	`0x9200`
PointerToRawData	`0xcc00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`4.70779`

.data

MD5	`7863498cdb86db2e4688b6d1523550cc`
SHA1	`d9a497659fc24eb1fb55d6f9f566930b5f9c4803`
SHA256	`33411481ccbcbdc510f4aca05538f3ad085c3919369ad7d401377b98f76d7ae6`
SHA3	`758fd66ae5344d34967ca629d9647ac3bc16d8025c89fb6d2bac4ed4554425e2`
VirtualSize	`0x1f401c08`
VirtualAddress	`0x18000`
SizeOfRawData	`0xc00`
PointerToRawData	`0x15e00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`1.83274`

.pdata

MD5	`01f5dbaaf26bf25a569ebccd58d271cb`
SHA1	`2cde15372644977b133e98bf215ce5b699d15b03`
SHA256	`eac084eb47023b1c73f56741ce1aac2468f6728a8b376d93062d7d9b9e7185b4`
SHA3	`83574f703fc1e9e978a5994eb0f0508776a9a65a4c6d59eb68acbf61bb612b11`
VirtualSize	`0xd8c`
VirtualAddress	`0x1f41a000`
SizeOfRawData	`0xe00`
PointerToRawData	`0x16a00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`4.74567`

_RDATA

MD5	`3b94e870bdc55ade3ce3234d872f0d35`
SHA1	`02b03d56274f226c90d05d2a4825867ebf304a87`
SHA256	`b31b80e11bcfbb71525473b6e62fbe2e7550ed43c10c3bf698b2ec19270af47a`
SHA3	`7091530ab5b494fa6310b8c4e311f4a281a14742a737bafe4f7f19fb837424ae`
VirtualSize	`0x15c`
VirtualAddress	`0x1f41b000`
SizeOfRawData	`0x200`
PointerToRawData	`0x17800`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`2.76421`

.rsrc

MD5	`fb1849693a32174cc0cb41526e89222c`
SHA1	`3fc23e5bbc01701d48afbce0e7d7439a6584183f`
SHA256	`8d747a45571f1738cd7d3bf87c21f8d62ca1c88b3d7713e9f36116845a1a7320`
SHA3	`3a946d050cb85f7965c8b849a579519fd95898bbfdfc46afa6b315e9eb076028`
VirtualSize	`0x1cb50`
VirtualAddress	`0x1f41c000`
SizeOfRawData	`0x1cc00`
PointerToRawData	`0x17a00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`7.45902`

.reloc

MD5	`659bbf435510e45d5442ff3870ed6385`
SHA1	`696233e1b41bbdb40c7c131fd007483e5a5e1c7b`
SHA256	`1dac8960df85ea384793cc9f6caff3f722e06bbcdfa401b362e69d2fb4373425`
SHA3	`7352c95d1f9648a10bee605edd14c990849a1a563c5349f6aa57600b910b8b3e`
VirtualSize	`0x640`
VirtualAddress	`0x1f439000`
SizeOfRawData	`0x800`
PointerToRawData	`0x34600`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`4.81556`

Imports

KERNEL32.dll	`CreateToolhelp32Snapshot` `Sleep` `Process32NextW` `Process32FirstW` `CloseHandle` `OpenProcess` `VirtualProtectEx` `DebugActiveProcess` `ReadProcessMemory` `Module32NextW` `VirtualQueryEx` `WriteConsoleW` `DebugActiveProcessStop` `GetCurrentProcess` `Module32FirstW` `WriteProcessMemory` `RtlCaptureContext` `RtlLookupFunctionEntry` `RtlVirtualUnwind` `UnhandledExceptionFilter` `SetUnhandledExceptionFilter` `TerminateProcess` `IsProcessorFeaturePresent` `QueryPerformanceCounter` `GetCurrentProcessId` `GetCurrentThreadId` `GetSystemTimeAsFileTime` `InitializeSListHead` `IsDebuggerPresent` `GetStartupInfoW` `GetModuleHandleW` `RtlUnwindEx` `GetLastError` `SetLastError` `EnterCriticalSection` `LeaveCriticalSection` `DeleteCriticalSection` `InitializeCriticalSectionAndSpinCount` `TlsAlloc` `TlsGetValue` `TlsSetValue` `TlsFree` `FreeLibrary` `GetProcAddress` `LoadLibraryExW` `RaiseException` `GetStdHandle` `WriteFile` `GetModuleFileNameW` `ExitProcess` `GetModuleHandleExW` `GetCommandLineA` `GetCommandLineW` `HeapAlloc` `HeapFree` `FindClose` `FindFirstFileExW` `FindNextFileW` `IsValidCodePage` `GetACP` `GetOEMCP` `GetCPInfo` `MultiByteToWideChar` `WideCharToMultiByte` `GetEnvironmentStringsW` `FreeEnvironmentStringsW` `SetEnvironmentVariableW` `SetStdHandle` `GetFileType` `GetStringTypeW` `CompareStringW` `LCMapStringW` `GetProcessHeap` `HeapSize` `HeapReAlloc` `FlushFileBuffers` `GetConsoleOutputCP` `GetConsoleMode` `SetFilePointerEx` `CreateFileW`
ADVAPI32.dll	`AdjustTokenPrivileges` `OpenProcessToken` `LookupPrivilegeValueW`

Delayed Imports

1

Type	`RT_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x13d55`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`7.93538`
Detected Filetype	PNG graphic file
MD5	`88f78fa633b7d89515b68b0429825fd8`
SHA1	`4480c27d82a4ac1f43676254ef45c49595a45133`
SHA256	`6458223b849613748cf33797badd64143f51958f52ad56329af635fee00d1447`
SHA3	`9e0f5b030c9ba08415aeabcd70c5ed6cb2a3bac1e77afdf236a374f473640287`

2

Type	`RT_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x4228`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.48253`
MD5	`3411418d7a91bb9956859e80a5cdd947`
SHA1	`1670df89f8e084c586fe8268db2f8dfb0cfc2f40`
SHA256	`b00599d2b84b45b6f43f5ee00f7b2e9aa40d86fd3a2abb6ebff690d82438da22`
SHA3	`4d30866bbc482f8d27eb701624f37586e7f525f5bc312527437aaf0de2ab3bc8`

3

Type	`RT_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x25a8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.6265`
MD5	`5501159220a40b373f14c9033418d21d`
SHA1	`3882995ee41ece800d34e6d2d95fd607fed63805`
SHA256	`49b88ca532d1e2236255e74b4a61a53afd16a96154789039cac2316ffe2ef8d1`
SHA3	`f016bfcdd03fafc3def6d68e8e4db945a1e907eebe71598c8af551be64ee45c6`

4

Type	`RT_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x10a8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`6.15332`
MD5	`7e78a0408389643f1aead18a64379785`
SHA1	`65d68bdbbc9b5759670723dcbdf7eb112e7698e5`
SHA256	`7b34955d867625ec124495ceec310d598949e3c6c24f6d19ff4e6635812ccaa8`
SHA3	`0cca1c305e1b826e61d109edd28df407d6103a591e0db24a2ce7efa32cc3a342`

5

Type	`RT_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x988`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`6.32148`
MD5	`31cbec3dd1611205a82bca02a3744483`
SHA1	`d5d3ce84b13be85b4c1d3a56789726c74fc2eb6e`
SHA256	`9dae0d2b6c87dccb0df6c23538ae51dc88d5679c8c8c4ee97799fe89469c480a`
SHA3	`4f5ca7d136498089595a4ecf740178be56711389df67f40d7b9c81c69402239a`

6

Type	`RT_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x468`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`6.09128`
MD5	`09265941deb3d32d69155ba8add55059`
SHA1	`12030176993e7d2222d57fefc1788b77545fddc3`
SHA256	`d1e134b85b7d4d1a5419f779339bd1713562481c2339aaf37ec1337d2343543b`
SHA3	`82de862b18ac2ecb5cb051733834efaec1c4b256d2c9f549b36ef6f1588ef9f2`

MAINICON

Type	`RT_GROUP_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x5a`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.8213`
Detected Filetype	Icon file
MD5	`673a3275cbebe19450d05290fe158a68`
SHA1	`2d6d767f8ffa673b7aabadafcd047cf7d92f45ad`
SHA256	`f9840de5f4e903b49f41bf42487ba73ab4ea710fcd200c3eaecc7068aa29bad4`
SHA3	`e8156c93d6d2538871fb9f0aa77b20f1a7693b2685280cd27b72adf8b2136fad`

1 (#2)

Type	`RT_VERSION`
Language	English - United States
Codepage	UNKNOWN
Size	`0x368`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.33961`
MD5	`0a26219717f97ceafb2cae985dd06d2c`
SHA1	`ba6514ca982e44f10cf8cd6724bfc7eba456a876`
SHA256	`5b047d90de6e1d8643f9bc1648bdb166adb407afb081da78d72da8003a9b7e06`
SHA3	`b28fab18a62a6012071cf9a1cc2a6264724b2c8e51ed69c9691d97a550db3e85`

1 (#3)

Type	`RT_MANIFEST`
Language	English - United States
Codepage	UNKNOWN
Size	`0x188`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`4.89623`
MD5	`b8e76ddb52d0eb41e972599ff3ca431b`
SHA1	`fc12d7ad112ddabfcd8f82f290d84e637a4d62f8`
SHA256	`165c5c883fd4fd36758bcba6baf2faffb77d2f4872ffd5ee918a16f91de5a8a8`
SHA3	`37f83338b28cb102b1b14f27280ba1aa3fffb17f7bf165cb7b675b7e8eb7cddd`

Version Info

Signature	`0xfeef04bd`
StructVersion	`0x10000`
FileVersion	1.0.0.0
ProductVersion	1.0.0.0
FileFlags	`VS_FF_PRERELEASE` `VS_FF_PRIVATEBUILD`
FileOs	`(EMPTY)`
FileType	`VFT_APP`
Language	English - United States
CompanyName	MrAntiFun.net
FileDescription	MrAntiFun Loader
FileVersion (#2)	1.02
InternalName	MrAntiFun
LegalCopyright	Copyrights MrAntiFun.net © 2013-2018
LegalTrademarks1	MrAntiFun
LegalTrademarks2	MrAntiFun.net
OriginalFilename	Trainer.exe
ProductName	MrAntiFun Loader
ProductVersion (#2)	1.00

Resource LangID	English - United States

IMAGE_DEBUG_TYPE_POGO

Characteristics	`0`
TimeDateStamp	2023-Jan-17 20:20:18
Version	`0.0`
SizeofData	`720`
AddressOfRawData	`0x15948`
PointerToRawData	`0x14548`

IMAGE_DEBUG_TYPE_ILTCG

Characteristics	`0`
TimeDateStamp	2023-Jan-17 20:20:18
Version	`0.0`
SizeofData	`0`
AddressOfRawData	`0`
PointerToRawData	`0`

TLS Callbacks

Load Configuration

Size	`0x140`
TimeDateStamp	`1970-Jan-01 00:00:00`
Version	`0.0`
GlobalFlagsClear	`(EMPTY)`
GlobalFlagsSet	`(EMPTY)`
CriticalSectionDefaultTimeout	`0`
DeCommitFreeBlockThreshold	`0`
DeCommitTotalFreeThreshold	`0`
LockPrefixTable	`0`
MaximumAllocationSize	`0`
VirtualMemoryThreshold	`0`
ProcessAffinityMask	`0`
ProcessHeapFlags	`(EMPTY)`
CSDVersion	`0`
Reserved1	`0`
EditList	`0`
SecurityCookie	`0x140018000`

RICH Header

XOR Key	`0xbf1e77c3`
Unmarked objects	`0`
C objects (27412)	`11`
ASM objects (27412)	`5`
C++ objects (27412)	`137`
C++ objects (VS 2015-2022 runtime 30818)	`38`
C objects (VS 2015-2022 runtime 30818)	`16`
ASM objects (VS 2015-2022 runtime 30818)	`9`
Imports (27412)	`5`
Total imports	`100`
C++ objects (LTCG) (VS2022 Update 1 (17.1.6) compiler 31107)	`1`
Resource objects (VS2022 Update 1 (17.1.6) compiler 31107)	`1`
151	`1`
Linker (VS2022 Update 1 (17.1.6) compiler 31107)	`1`

dc1926e90476c49859e8649f3b678f1c

Summary

Plugin Output

Hashes

DOS Header

PE Header

Image Optional Header

.text

.rdata

.data

.pdata

_RDATA

.rsrc

.reloc

Imports

Delayed Imports

1

2

3

4

5

6

MAINICON

1 (#2)

1 (#3)

Version Info

IMAGE_DEBUG_TYPE_POGO

IMAGE_DEBUG_TYPE_ILTCG

TLS Callbacks

Load Configuration

RICH Header

Errors