Manalyze report for dd6f38d7712832a07308f44057f5d29c

Summary

Architecture	`IMAGE_FILE_MACHINE_AMD64`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	2018-Apr-16 21:59:10

Plugin Output

Info	Cryptographic algorithms detected in the binary:	`Uses constants related to CRC32` `Microsoft's Cryptography API`
Suspicious	The PE is possibly packed.	`Unusual section name found: .didata`
Malicious	The PE contains functions mostly used by malware.	`[!] The program may be hiding some of its imports: GetProcAddress LoadLibraryW LoadLibraryA` `Functions which can be used for anti-debugging purposes: SwitchToThread NtQueryInformationProcess` `Code injection capabilities: VirtualAlloc WriteProcessMemory OpenProcess` `Can access the registry: RegSetValueExW RegQueryInfoKeyW RegUnLoadKeyW RegSaveKeyW RegReplaceKeyW RegCreateKeyExW RegEnumKeyExW RegLoadKeyW RegDeleteKeyW RegOpenKeyExW RegDeleteValueW RegFlushKey RegEnumValueW RegQueryValueExW RegCloseKey RegRestoreKeyW` `Possibly launches other programs: CreateProcessW` `Uses Microsoft's cryptographic API: CryptDestroyHash CryptReleaseContext CryptGetHashParam CryptAcquireContextA CryptHashData CryptCreateHash` `Can create temporary files: GetTempPathW CreateFileW` `Memory manipulation functions often used by packers: VirtualProtectEx VirtualAlloc` `Functions related to the privilege level: AdjustTokenPrivileges OpenProcessToken` `Manipulates other processes: ReadProcessMemory WriteProcessMemory OpenProcess`
Malicious	VirusTotal score: 37/72 (Scanned on 2024-02-23 00:17:03)	`ALYac: Application.Generic.3572878` `AVG: FileRepMalware [Misc]` `Arcabit: Application.Generic.D36848E` `Avast: FileRepMalware [Misc]` `BitDefender: Application.Generic.3572878` `Bkav: W64.AIDetectMalware` `Cylance: unsafe` `Cynet: Malicious (score: 100)` `DeepInstinct: MALICIOUS` `ESET-NOD32: a variant of Win64/HackTool.Loader.B potentially unsafe` `Elastic: malicious (moderate confidence)` `Emsisoft: Application.Generic.3572878 (B)` `FireEye: Application.Generic.3572878` `Fortinet: Riskware/Loader` `GData: Application.Generic.3572878` `Google: Detected` `Gridinsoft: Trojan.Win64.Zpevdo.dd!s1` `Ikarus: PUA.HackTool.Loader` `K7AntiVirus: Unwanted-Program ( 005956cd1 )` `K7GW: Unwanted-Program ( 005956cd1 )` `Lionic: Hacktool.Win32.Loader.3!c` `MAX: malware (ai score=72)` `Malwarebytes: HackTool.Loader` `MaxSecure: Trojan.Malware.230155059.susgen` `McAfee: RDN/Generic PUP.z` `MicroWorld-eScan: Application.Generic.3572878` `Microsoft: PUA:Win32/Puwaders.C!ml` `Rising: Hacktool.Loader!8.1EA2 (CLOUD)` `Sangfor: Hacktool.Win32.Loader.V93i` `Skyhigh: BehavesLike.Win64.Injector.cm` `Sophos: Generic Reputation PUA (PUA)` `Symantec: ML.Attribute.HighConfidence` `TrendMicro-HouseCall: TROJ_GEN.R002H06LU23` `VIPRE: Application.Generic.3572878` `Varist: W64/ABRisk.SQVH-3000` `Webroot: W32.Malware.Gen` `Zillya: Tool.Loader.Win64.3`

Hashes

MD5	`dd6f38d7712832a07308f44057f5d29c`
SHA1	`7192d8c77aa0f0083152df79d9a7be7a2b5bb6df`
SHA256	`66472a50d13d39d1c1bfbbc98d6d89da7facf67326c043dae860484e5249f494`
SHA3	`2a6376186cd9f2f5c878c9fdc8f1b0229af6b8cb15bddff2e7864bd4e6700335`
SSDeep	`1536:nwP4t4rdo/d4iZDN953/dQEgXPX29RzvIwoKJWe6SzjIq5OWlxsDSGgD69Eih/sL:nmdoV4iUSAb58bZ9B3VzfSuHf`
Imports Hash	`b013fd210d1dffc048412e0244cbcede`

DOS Header

e_magic	`MZ`
e_cblp	`0x50`
e_cp	`0x2`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0xf`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0x1a`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0x100`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_AMD64`
NumberofSections	`11`
TimeDateStamp	2018-Apr-16 21:59:10
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xf0`
Characteristics	`IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LARGE_ADDRESS_AWARE`

Image Optional Header

Magic	`PE32+`
LinkerVersion	`8.2`
SizeOfCode	`0x25200`
SizeOfInitializedData	`0xb000`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x0000000000022120 (Section: .text)`
BaseOfCode	`0x1000`
ImageBase	`0x400000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`5.2`
ImageVersion	`5.2`
SubsystemVersion	`5.2`
Win32VersionValue	`0`
SizeOfImage	`0x3f000`
SizeOfHeaders	`0x400`
Checksum	`0x39829`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x4000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x2000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`62bacdec2eba311ac5610fbb011523d6`
SHA1	`91d27b646b81ca457a40f07329b2db3abe2bc4dc`
SHA256	`312205b54b8edfa50f288325ab684f67bbff58e498ea5dd31f317c723cef1a4b`
SHA3	`619c2c9c34fced6b80be249b97b4d68bb2fd79144fea0f10fdb390aa5997268a`
VirtualSize	`0x25034`
VirtualAddress	`0x1000`
SizeOfRawData	`0x25200`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`5.76346`

.data

MD5	`3ac0b981c6e47db2bbec3d51bc113caa`
SHA1	`bb981d21301831c51da58571ad20cedb7f9fce42`
SHA256	`f1a8344d1810eb1b68f989198e64d1db9a422a09171faffeb48538cdce154164`
SHA3	`08c65ef7f75fc8869b7d61a1eb6b520691fe71d65e275dd5ec3829ed1fe8fc23`
VirtualSize	`0x3ea0`
VirtualAddress	`0x27000`
SizeOfRawData	`0x4000`
PointerToRawData	`0x25600`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`4.20534`

.bss

MD5	`d41d8cd98f00b204e9800998ecf8427e`
SHA1	`da39a3ee5e6b4b0d3255bfef95601890afd80709`
SHA256	`e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`
SHA3	`a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a`
VirtualSize	`0x6a68`
VirtualAddress	`0x2b000`
SizeOfRawData	`0`
PointerToRawData	`0`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`

.idata

MD5	`cbd3bec543725c3d522283ad1a6f37aa`
SHA1	`8a6523571d714aff7e7a9d77fbb9a11c76e2ac23`
SHA256	`59c89224b32f3db243d1250c875fea16b79db6cea954764cdd00c05b03b0d0ca`
SHA3	`5ac4dab029497784865e0a4b21de6a480e2a4051158bace2b9982832b7b65547`
VirtualSize	`0x14ba`
VirtualAddress	`0x32000`
SizeOfRawData	`0x1600`
PointerToRawData	`0x29600`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`4.06817`

.didata

MD5	`b45f6561de84eabee092093beff228a9`
SHA1	`34858eb62646fb5bae287a5816dbe683deff7c5a`
SHA256	`474806bdaab9541f84d8b7e7e2f044fa67afe0029354daaad817f84e4a84488a`
SHA3	`266a8cafce4e7d18a8e595472d3b6280e89a7496e0a5ff43630a5483c2b71420`
VirtualSize	`0x228`
VirtualAddress	`0x34000`
SizeOfRawData	`0x400`
PointerToRawData	`0x2ac00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`1.53452`

.edata

MD5	`eb4397f868b87770f2a72cc50cd3c582`
SHA1	`84335b88a3e7ed0e1dc0bb25ccb82c2146a73cc0`
SHA256	`3707a0fa75a8a977e2fe832e94b0f5521ec8b02f2859b88e820d0207dd727cd2`
SHA3	`e60606316c444dd6c489b6756c78478991206cd25d5bdf4712a2e8afde89fc43`
VirtualSize	`0x71`
VirtualAddress	`0x35000`
SizeOfRawData	`0x200`
PointerToRawData	`0x2b000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`1.33834`

.tls

MD5	`d41d8cd98f00b204e9800998ecf8427e`
SHA1	`da39a3ee5e6b4b0d3255bfef95601890afd80709`
SHA256	`e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`
SHA3	`a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a`
VirtualSize	`0x224`
VirtualAddress	`0x36000`
SizeOfRawData	`0`
PointerToRawData	`0`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`

.rdata

MD5	`32def711e2932818691c3231d5038e23`
SHA1	`1131b6d95ca7619e794e11300a97a800b1301ef0`
SHA256	`8698e22d8eb136603d3ef8e4b94369bc1cd4ce183babd775549ab9b8c4d08200`
SHA3	`9049f7f1dd89a7ae830f5cfc0961517b6162f50dd8b5716f980a605234b432f7`
VirtualSize	`0x6d`
VirtualAddress	`0x37000`
SizeOfRawData	`0x200`
PointerToRawData	`0x2b200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`1.36906`

.reloc

MD5	`80e6062d93370f257418b6abee468b98`
SHA1	`bcfae73daf29d3dffa7e1a1c8377c4700c95c020`
SHA256	`e873e1607dbc888a8e75bcb20b13813a27998c29a38e664b8e1f7e6f0b101144`
SHA3	`64342191dfd629ffb719cda2274aac4283e10d79bd5caba647249eb2f4409c0b`
VirtualSize	`0x1634`
VirtualAddress	`0x38000`
SizeOfRawData	`0x1800`
PointerToRawData	`0x2b400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`5.93758`

.pdata

MD5	`efb1bf2fcf041e777fd76c97dc4c08e8`
SHA1	`8867eb1460df52f23e95d2c5e692c86dd8009ea8`
SHA256	`e4042f44fccebb79f1a6e9f287c96c20bf4a2141e0e63ca26bbcd3c9217bfc09`
SHA3	`7eb117425901bcd236ab7e43f1a1f037669846da514460d3cec7a9c18aa61224`
VirtualSize	`0x231c`
VirtualAddress	`0x3a000`
SizeOfRawData	`0x2400`
PointerToRawData	`0x2cc00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`5.20152`

.rsrc

MD5	`b4c06b0f78166fa2e2e17865e783357b`
SHA1	`8de1655673fbba1c3542f25b4c83f1110a67a038`
SHA256	`1051e3cbda00b9cc09b06f12543fa496f42f89f6c874114f1aa19dd32b07bb13`
SHA3	`5fe4a3e18735764b3fd54b089c602d293b89a600a17339558d50e962ffe278c1`
VirtualSize	`0x154c`
VirtualAddress	`0x3d000`
SizeOfRawData	`0x1600`
PointerToRawData	`0x2f000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`4.96314`

Imports

kernel32.dll	`SetFileAttributesW` `GetFileType` `RtlUnwindEx` `GetACP` `SetFilePointer` `LoadResource` `CloseHandle` `LocalFree` `SizeofResource` `VirtualProtectEx` `GetTickCount` `ReadProcessMemory` `GetFullPathNameA` `GetThreadContext` `SetThreadContext` `VirtualFree` `GetFileSize` `GetStartupInfoW` `ExitProcess` `InitializeCriticalSection` `ContinueDebugEvent` `GetCurrentProcess` `VirtualAlloc` `WriteProcessMemory` `RtlUnwind` `GetTempPathW` `GetCommandLineW` `GetSystemInfo` `GetProcAddress` `GetStdHandle` `GetVersionExA` `GetVersionExW` `GetModuleHandleW` `FreeLibrary` `GetWindowsDirectoryW` `ReadFile` `FindFirstFileW` `CreateProcessW` `GetConsoleOutputCP` `UnmapViewOfFile` `GetConsoleCP` `GetLastError` `GetModuleFileNameW` `FindResourceW` `CompareStringW` `SetEndOfFile` `WideCharToMultiByte` `MapViewOfFile` `FindClose` `MultiByteToWideChar` `LoadLibraryW` `LoadLibraryA` `MulDiv` `WaitForDebugEvent` `CreateFileW` `FreeResource` `GetVersion` `RaiseException` `IsDBCSLeadByteEx` `OpenProcess` `SwitchToThread` `WriteFile` `CreateFileMappingW` `OpenThread` `DeleteCriticalSection` `TlsGetValue` `ExpandEnvironmentStringsW` `TlsSetValue` `LockResource` `LocalAlloc` `GetCurrentThreadId` `UnhandledExceptionFilter` `VirtualQuery` `Sleep` `SetThreadLocale`
shell32.dll	`SHGetSpecialFolderLocation` `SHGetPathFromIDListW`
psapi.dll	`GetMappedFileNameA`
ole32.dll	`CoTaskMemFree`
version.dll	`GetFileVersionInfoSizeW` `VerQueryValueW` `GetFileVersionInfoW`
user32.dll	`UnregisterClassW` `MoveWindow` `CreateWindowExW` `SendMessageW` `TranslateMessage` `PeekMessageW` `LoadIconW` `GetActiveWindow` `GetSystemMetrics` `DefWindowProcW` `MessageBoxA` `MessageBoxW` `GetWindowTextW` `GetWindowTextLengthW` `EnableWindow` `DestroyWindow` `RegisterClassW` `DispatchMessageW`
oleaut32.dll	`SysAllocStringLen` `SysFreeString` `SysReAllocStringLen`
advapi32.dll	`RegSetValueExW` `RegConnectRegistryW` `GetUserNameA` `CryptDestroyHash` `RegQueryInfoKeyW` `RegUnLoadKeyW` `CryptReleaseContext` `CryptGetHashParam` `RegSaveKeyW` `RegReplaceKeyW` `RegCreateKeyExW` `CryptAcquireContextA` `RegEnumKeyExW` `RegLoadKeyW` `AdjustTokenPrivileges` `RegDeleteKeyW` `LookupPrivilegeValueW` `RegOpenKeyExW` `OpenProcessToken` `FreeSid` `AllocateAndInitializeSid` `RegDeleteValueW` `RegFlushKey` `RegEnumValueW` `RegQueryValueExW` `CryptHashData` `RegCloseKey` `CryptCreateHash` `RegRestoreKeyW`
gdi32.dll	`CreateFontW` `GetTextExtentPoint32W` `RestoreDC` `DeleteObject` `SelectObject` `DeleteDC` `SaveDC` `GetTextExtentPointW` `CreateCompatibleDC`
ntdll.dll	`NtQueryInformationProcess`
kernel32.dll (delay-loaded)	`SetFileAttributesW` `GetFileType` `RtlUnwindEx` `GetACP` `SetFilePointer` `LoadResource` `CloseHandle` `LocalFree` `SizeofResource` `VirtualProtectEx` `GetTickCount` `ReadProcessMemory` `GetFullPathNameA` `GetThreadContext` `SetThreadContext` `VirtualFree` `GetFileSize` `GetStartupInfoW` `ExitProcess` `InitializeCriticalSection` `ContinueDebugEvent` `GetCurrentProcess` `VirtualAlloc` `WriteProcessMemory` `RtlUnwind` `GetTempPathW` `GetCommandLineW` `GetSystemInfo` `GetProcAddress` `GetStdHandle` `GetVersionExA` `GetVersionExW` `GetModuleHandleW` `FreeLibrary` `GetWindowsDirectoryW` `ReadFile` `FindFirstFileW` `CreateProcessW` `GetConsoleOutputCP` `UnmapViewOfFile` `GetConsoleCP` `GetLastError` `GetModuleFileNameW` `FindResourceW` `CompareStringW` `SetEndOfFile` `WideCharToMultiByte` `MapViewOfFile` `FindClose` `MultiByteToWideChar` `LoadLibraryW` `LoadLibraryA` `MulDiv` `WaitForDebugEvent` `CreateFileW` `FreeResource` `GetVersion` `RaiseException` `IsDBCSLeadByteEx` `OpenProcess` `SwitchToThread` `WriteFile` `CreateFileMappingW` `OpenThread` `DeleteCriticalSection` `TlsGetValue` `ExpandEnvironmentStringsW` `TlsSetValue` `LockResource` `LocalAlloc` `GetCurrentThreadId` `UnhandledExceptionFilter` `VirtualQuery` `Sleep` `SetThreadLocale`

Delayed Imports

Attributes	`0x1`
Name	`kernel32.dll`
ModuleHandle	`0x34080`
DelayImportAddressTable	`0x340a0`
DelayImportNameTable	`0x340e8`
BoundDelayImportTable	`0x34130`
UnloadDelayImportTable	`0x34160`
TimeStamp	`1970-Jan-01 00:00:00`

dbkFCallWrapperAddr

Ordinal	`1`
Address	`0x311c0`

__dbk_fcall_wrapper

Ordinal	`2`
Address	`0x10440`

1

Type	`RT_ICON`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x10a8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`4.26657`
MD5	`a78f875c29113f416d89ac5140ef7b48`
SHA1	`324513e2f9ae98c4842f784ba125760bcb9907f0`
SHA256	`685d35a98bf970d06331b2ce0b187c5ae806cb3392928d8f505715180d7c4df9`
SHA3	`7454856931e11d68f7c262f383ab142df3e356f478723039c8b1f3aa406e047e`

DATA

Type	`RT_RCDATA`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x50`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.29351`
MD5	`0bc2646d0fb0c763de59150dd1608267`
SHA1	`ac059972918e054866c1f0e220e2f50ccf82de6b`
SHA256	`78553f7e1d146e2c260bb75292dbee66b030862315b8c6bfdb051ca9c1d1f532`
SHA3	`d7aa9568d26506f5cf328261eb078562378cc5d827715d63660a619854d66c12`

MAINICON

Type	`RT_GROUP_ICON`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x14`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`1.5789`
Detected Filetype	Icon file
MD5	`50e9b5a9229883dc9d98f8b2dba232f9`
SHA1	`6976b08c3105ba811288259c741f54e792f3b038`
SHA256	`2884f078e5a13080cabfa34c1d3fb8cc2d7511d7761f67808dd741d232a56a44`
SHA3	`78444f31a7960940bb8fd70d50bf23907974d43a283aafe4f4fd82989afd8606`

1 (#2)

Type	`RT_MANIFEST`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x2f3`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.09702`
MD5	`fd0c12f2d34a5f292be6d7b56131bb0f`
SHA1	`5689323b65b21961ab3328cdd9f9f1646120c72e`
SHA256	`ef5e3f966d8dac170f799988ae04be725703d99a83a27dbe51e9379484ea5756`
SHA3	`9ac6158c775dcf0eebdab0a3a6a9fadfea2936969459eeb7416b86b858506576`

Version Info

TLS Callbacks

StartAddressOfRawData	`0x436000`
EndAddressOfRawData	`0x436224`
AddressOfIndex	`0x4291a0`
AddressOfCallbacks	`0x437020`
SizeOfZeroFill	`0`
Characteristics	`IMAGE_SCN_TYPE_REG`
Callbacks	`(EMPTY)`

Load Configuration

RICH Header

Errors

[*] Warning: Section .bss has a size of 0!
[*] Warning: Section .tls has a size of 0!