Manalyze report for df1ef4b38026ad8234256145665879e1

Summary

Architecture	`IMAGE_FILE_MACHINE_AMD64`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	1970-Jan-01 00:00:00

Plugin Output

Suspicious	PEiD Signature:	`HQR data file`
Suspicious	Strings found in the binary may indicate undesirable behavior:	`Looks for Qemu presence: qEMu` `May have dropper capabilities: CurrentVersion\Run` `Contains domain names: api.ipify.org discord.com golang.org https://api.ipify.org https://api.ipify.org?format https://discord.com ipify.org`
Info	Cryptographic algorithms detected in the binary:	`Uses constants related to MD5` `Uses constants related to SHA1` `Uses constants related to SHA256` `Uses constants related to SHA512` `Uses constants related to AES`
Malicious	This program may be a miner.	`Contains a valid Monero address: 41gNRUGsjHrBee885WffZmizqdTMD5qqa5AxsLcQw7yRer641pRJ2XnRtZHqb9dCoqMTfDyvAz2JaAVqWTfD35Ae9GfwmWx`
Suspicious	The PE is possibly packed.	`Unusual section name found: .xdata` `Unusual section name found: .symtab`
Suspicious	The PE contains functions most legitimate programs don't use.	`[!] The program may be hiding some of its imports: LoadLibraryW LoadLibraryExW GetProcAddress` `Functions which can be used for anti-debugging purposes: SwitchToThread`
Malicious	VirusTotal score: 35/71 (Scanned on 2024-04-20 05:37:17)	`ALYac: Gen:Variant.Lazy.374009` `AVG: FileRepMalware [Misc]` `Antiy-AVL: Trojan[Ransom]/Win32.Blocker` `Arcabit: Trojan.Lazy.D5B4F9` `Avast: FileRepMalware [Misc]` `Avira: HEUR/AGEN.1372123` `BitDefender: Gen:Variant.Lazy.374009` `Bkav: W64.AIDetectMalware` `Cylance: unsafe` `Cynet: Malicious (score: 99)` `DeepInstinct: MALICIOUS` `Elastic: malicious (high confidence)` `Emsisoft: Gen:Variant.Lazy.374009 (B)` `F-Secure: Heuristic.HEUR/AGEN.1372123` `FireEye: Gen:Variant.Lazy.374009` `Fortinet: W32/PossibleThreat` `GData: Gen:Variant.Lazy.374009` `Gridinsoft: Ransom.Win64.Blocker.sa` `Jiangmin: Trojan.Khalesi.bice` `Kaspersky: UDS:Trojan-Banker.Win32.ClipBanker.abon` `MAX: malware (ai score=84)` `Malwarebytes: Malware.AI.3629688006` `McAfee: Artemis!DF1EF4B38026` `MicroWorld-eScan: Gen:Variant.Lazy.374009` `Microsoft: Trojan:Win32/Wacatac.B!ml` `Panda: Trj/Chgt.AD` `Sangfor: Trojan.Win32.Lazy.V2gi` `SentinelOne: Static AI - Malicious PE` `Skyhigh: BehavesLike.Win64.Sliver.th` `Sophos: Mal/Generic-S` `Symantec: ML.Attribute.HighConfidence` `TrendMicro: Ransom_Blocker.R002C0XDJ24` `TrendMicro-HouseCall: Ransom_Blocker.R002C0XDJ24` `VIPRE: Gen:Variant.Lazy.374009` `ZoneAlarm: UDS:Trojan-Banker.Win32.ClipBanker.abon`

Hashes

MD5	`df1ef4b38026ad8234256145665879e1`
SHA1	`74bbfb9c2dc534835836447725d0ea70f90abea5`
SHA256	`78a56251e6959d864f671369fbac693011f368c6d634dfb2dd531ae7be54dd44`
SHA3	`0896cb882ad6722752e5d0fc95c882fa4ddd0664f108c47bcb766c0241ea95e1`
SSDeep	`49152:MUSulFG1OWy1iCTpZqN+T3r7dHO9lWyyPT1qTnEZddmjt5EYla6nJObowvdoTuT:MXSuu1Tb5PT1q2dYEOYAGFRnX`
Imports Hash	`4f2f006e2ecf7172ad368f8289dc96c1`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0x8b`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0x80`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_AMD64`
NumberofSections	`8`
TimeDateStamp	1970-Jan-01 00:00:00
PointerToSymbolTable	`0x5a5200`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xf0`
Characteristics	`IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LARGE_ADDRESS_AWARE`

Image Optional Header

Magic	`PE32+`
LinkerVersion	`3.0`
SizeOfCode	`0x24e800`
SizeOfInitializedData	`0x47200`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x00000000000680A0 (Section: .text)`
BaseOfCode	`0x1000`
ImageBase	`0x400000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`6.1`
ImageVersion	`1.0`
SubsystemVersion	`6.1`
Win32VersionValue	`0`
SizeOfImage	`0x607000`
SizeOfHeaders	`0x600`
Checksum	`0`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` `IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA` `IMAGE_DLLCHARACTERISTICS_NX_COMPAT` `IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE`
SizeofStackReserve	`0x200000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`18ae3e825b6e25d39c98320971a290a0`
SHA1	`c0f306669edb39f694efe4a036cf9a22f2e6bcd1`
SHA256	`d92e2b7df16cc26a0bff0184e8cf9088ac2f4f0fa23b1b5b41c6b74c4dc93ce2`
SHA3	`f6e9c77a4911f458a4b487660586f927724813c8fd7d5cf4bfa4b58526fc6d26`
VirtualSize	`0x24e637`
VirtualAddress	`0x1000`
SizeOfRawData	`0x24e800`
PointerToRawData	`0x600`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.22045`

.rdata

MD5	`10278b2f2fbcf9f01120b8001f9b06ac`
SHA1	`34cdcf003cc1917794927d25ebb286d4f91f586f`
SHA256	`b17827621aa1a5a4f6689f66b5984acac451d3b3db841ee85a514a10d6ff7cd0`
SHA3	`34026a02189fe8d12bbd5272459b70f327a11e4e7f179164fa1a47fe1b005793`
VirtualSize	`0x2f6730`
VirtualAddress	`0x250000`
SizeOfRawData	`0x2f6800`
PointerToRawData	`0x24ee00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`5.92092`

.data

MD5	`b811a07ebde28407d69d14f08127382e`
SHA1	`79d15ba4c34e63409e6c4e2254a947fa3a0afcdc`
SHA256	`53feba2a47e88fceb19ed45688d022f2519f7e2b87d9999b8231091a2348568e`
SHA3	`3d3b3412f95e97008ab0666a87d4c8baa697b0ab4b10b2180cbd5c21a3ebce48`
VirtualSize	`0xa3390`
VirtualAddress	`0x547000`
SizeOfRawData	`0x47200`
PointerToRawData	`0x545600`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`4.76737`

.pdata

MD5	`1fe6f142301a99508f6e9a340c680a55`
SHA1	`2b64c99778c352403d9c2ad83b2d1c009f1f3036`
SHA256	`b925d6949aefe591a21867bd5f93d4fcfca7aab56593f2afd23c3891a4399238`
SHA3	`78a398291549b21f2bf316cdfcfe4df5d64ef6fcdc7e8813a2301e29a0f0f474`
VirtualSize	`0xd458`
VirtualAddress	`0x5eb000`
SizeOfRawData	`0xd600`
PointerToRawData	`0x58c800`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`5.47901`

.xdata

MD5	`2a5152ffc3a52ca1d276acd572c41b9a`
SHA1	`93d684d0586af04bfa48b4a80baf60df47d126a9`
SHA256	`067f22b5fb7c0a4b3b02a1a08cfa2d20c0970e2c6d7278f9c644caf4da7be097`
SHA3	`c0198aa0d049e05872b21204a5c3aeec852b36f585d7bac10f4005747cee8018`
VirtualSize	`0xa8`
VirtualAddress	`0x5f9000`
SizeOfRawData	`0x200`
PointerToRawData	`0x599e00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`1.63451`

.idata

MD5	`021a0a727428523962b86acadfc7e2e2`
SHA1	`79aa19f71f6c4dddd721ba112bef7d5a51abd6d1`
SHA256	`5f6153c5c510f2a6ec533335aea977cbf974e09c4972b4eee166fd6092b724cc`
SHA3	`eeb5fff8127e282129cc0b0ebfc0ea614410985c4f51188e1ae43ab8410ee562`
VirtualSize	`0x516`
VirtualAddress	`0x5fa000`
SizeOfRawData	`0x600`
PointerToRawData	`0x59a000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`3.91558`

.reloc

MD5	`15b3f9865ef85cc8a23950346c48d944`
SHA1	`aed91b99983cc9704f4344137cc981f74b43d0e7`
SHA256	`b81f7dee2fa691bc9d9c6adbb7d3bb4d26663f52d23c9202e548a58c6f54cc8f`
SHA3	`b11691caaa4affb388b44a68589e3f4b890e6d144fabc18f875d7ea35beeddcc`
VirtualSize	`0xab50`
VirtualAddress	`0x5fb000`
SizeOfRawData	`0xac00`
PointerToRawData	`0x59a600`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`5.4229`

.symtab

MD5	`07b5472d347d42780469fb2654b7fc54`
SHA1	`943ae54f4818e52409fbbaf60ffd71318d966b0d`
SHA256	`3e67f4a7d14b832ff2a2433e9cf0f6f5720821f67148a87c0ee2595a20c96c68`
SHA3	`a70a3e18515c06557b62676f2a8eb6d7d41962d8c9c7c49f4641c429cc65b977`
VirtualSize	`0x4`
VirtualAddress	`0x606000`
SizeOfRawData	`0x200`
PointerToRawData	`0x5a5200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`0.0203931`

Imports

kernel32.dll	`WriteFile` `WriteConsoleW` `WerSetFlags` `WerGetFlags` `WaitForMultipleObjects` `WaitForSingleObject` `VirtualQuery` `VirtualFree` `VirtualAlloc` `TlsAlloc` `SwitchToThread` `SuspendThread` `SetWaitableTimer` `SetUnhandledExceptionFilter` `SetProcessPriorityBoost` `SetEvent` `SetErrorMode` `SetConsoleCtrlHandler` `ResumeThread` `RaiseFailFastException` `PostQueuedCompletionStatus` `LoadLibraryW` `LoadLibraryExW` `SetThreadContext` `GetThreadContext` `GetSystemInfo` `GetSystemDirectoryA` `GetStdHandle` `GetQueuedCompletionStatusEx` `GetProcessAffinityMask` `GetProcAddress` `GetErrorMode` `GetEnvironmentStringsW` `GetCurrentThreadId` `GetConsoleMode` `FreeEnvironmentStringsW` `ExitProcess` `DuplicateHandle` `CreateWaitableTimerExW` `CreateThread` `CreateIoCompletionPort` `CreateFileA` `CreateEventA` `CloseHandle` `AddVectoredExceptionHandler`

Delayed Imports

Version Info

TLS Callbacks

Load Configuration

RICH Header

df1ef4b38026ad8234256145665879e1

Summary

Plugin Output

Hashes

DOS Header

PE Header

Image Optional Header

.text

.rdata

.data

.pdata

.xdata

.idata

.reloc

.symtab

Imports

Delayed Imports

Version Info

TLS Callbacks

Load Configuration

RICH Header

Errors