Manalyze report for e8616bc7bdf0de2141a75868b2f5aea2

Summary

Architecture	`IMAGE_FILE_MACHINE_AMD64`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_CUI`
Compilation Date	2022-May-30 15:40:53
Detected languages	English - United States

Plugin Output

Suspicious	The PE is possibly packed.	Unusual section name found: .CK` `Unusual section name found: .xm'` `Unusual section name found: .ri[`
Suspicious	The PE contains functions most legitimate programs don't use.	`[!] The program may be hiding some of its imports: LoadLibraryA GetProcAddress` `Leverages the raw socket API to access the Internet: WSAGetLastError`
Malicious	VirusTotal score: 21/67 (Scanned on 2022-06-03 04:18:21)	`Elastic: malicious (high confidence)` `McAfee: Artemis!E8616BC7BDF0` `Malwarebytes: HackTool.Patcher` `K7AntiVirus: Trojan ( 0058c6741 )` `K7GW: Trojan ( 0058c6741 )` `CrowdStrike: win/malicious_confidence_90% (W)` `Symantec: Trojan.Gen.2` `tehtris: Generic.Malware` `ESET-NOD32: a variant of Win64/Packed.VMProtect.J suspicious` `APEX: Malicious` `McAfee-GW-Edition: BehavesLike.Win64.Trojan.wc` `Trapmine: malicious.high.ml.score` `FireEye: Generic.mg.e8616bc7bdf0de21` `Sophos: Mal/Generic-S` `Gridinsoft: Trojan.Heur!.022920A3` `Cynet: Malicious (score: 100)` `Cylance: Unsafe` `SentinelOne: Static AI - Malicious PE` `MaxSecure: Trojan.Malware.300983.susgen` `Fortinet: Riskware/Application` `Paloalto: generic.ml`

Hashes

MD5	`e8616bc7bdf0de2141a75868b2f5aea2`
SHA1	`045fba4451a708858a576e2b80d0657203b5b1d7`
SHA256	`27b558b982d95e0a394d4637bd09eba91eed3c834fa0493fea41179f0647b4c0`
SHA3	`a32ced05168413ccbf2167908f37f13db0471505e46d2e311c47e87ea3c6eb7b`
SSDeep	`196608:ZUKsrT5zqmCkYiJPEZdXyqHzisho1oherevLpE:ZfsrhqmCkPsZpiAoS`
Imports Hash	`0f02431584d54882b6dc0b6b68edc8c8`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0x80`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_AMD64`
NumberofSections	`10`
TimeDateStamp	2022-May-30 15:40:53
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xf0`
Characteristics	`IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LARGE_ADDRESS_AWARE`

Image Optional Header

Magic	`PE32+`
LinkerVersion	`14.0`
SizeOfCode	`0x58c00`
SizeOfInitializedData	`0x2e400`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x0000000000B4974E (Section: .ri[)`
BaseOfCode	`0x1000`
ImageBase	`0x140000000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`6.0`
ImageVersion	`0.0`
SubsystemVersion	`6.0`
Win32VersionValue	`0`
SizeOfImage	`0xcd1000`
SizeOfHeaders	`0x400`
Checksum	`0`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_CUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` `IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA` `IMAGE_DLLCHARACTERISTICS_NX_COMPAT` `IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`d41d8cd98f00b204e9800998ecf8427e`
SHA1	`da39a3ee5e6b4b0d3255bfef95601890afd80709`
SHA256	`e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`
SHA3	`a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a`
VirtualSize	`0x58ba0`
VirtualAddress	`0x1000`
SizeOfRawData	`0`
PointerToRawData	`0`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`

.rdata

MD5	`d41d8cd98f00b204e9800998ecf8427e`
SHA1	`da39a3ee5e6b4b0d3255bfef95601890afd80709`
SHA256	`e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`
SHA3	`a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a`
VirtualSize	`0x21b0c`
VirtualAddress	`0x5a000`
SizeOfRawData	`0`
PointerToRawData	`0`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`

.data

MD5	`d41d8cd98f00b204e9800998ecf8427e`
SHA1	`da39a3ee5e6b4b0d3255bfef95601890afd80709`
SHA256	`e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`
SHA3	`a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a`
VirtualSize	`0x672c`
VirtualAddress	`0x7c000`
SizeOfRawData	`0`
PointerToRawData	`0`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`

.pdata

MD5	`d41d8cd98f00b204e9800998ecf8427e`
SHA1	`da39a3ee5e6b4b0d3255bfef95601890afd80709`
SHA256	`e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`
SHA3	`a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a`
VirtualSize	`0x429c`
VirtualAddress	`0x83000`
SizeOfRawData	`0`
PointerToRawData	`0`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`

_RDATA

MD5	`d41d8cd98f00b204e9800998ecf8427e`
SHA1	`da39a3ee5e6b4b0d3255bfef95601890afd80709`
SHA256	`e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`
SHA3	`a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a`
VirtualSize	`0xf4`
VirtualAddress	`0x88000`
SizeOfRawData	`0`
PointerToRawData	`0`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`

.CK`

MD5	`d41d8cd98f00b204e9800998ecf8427e`
SHA1	`da39a3ee5e6b4b0d3255bfef95601890afd80709`
SHA256	`e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`
SHA3	`a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a`
VirtualSize	`0x4c8aaf`
VirtualAddress	`0x89000`
SizeOfRawData	`0`
PointerToRawData	`0`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`

.xm'

MD5	`c91f0e73ca3b61bc1b05a1dc19362814`
SHA1	`ffa3d2e4b78acf22c3991f46ceabd89ccdb876e0`
SHA256	`89b7e4ca4ea3ea495825a3c6bdbf1ed574e45e1a31790a16a172dd40e655d5b9`
SHA3	`1e39540937d43fa6ffa26e3c6093815c725ca0f36f8501ac38cd0abcdc66360d`
VirtualSize	`0x1e7c`
VirtualAddress	`0x552000`
SizeOfRawData	`0x2000`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`0.0717985`

.ri[

MD5	`d557bf233ac4351ed0ed480d2d73462a`
SHA1	`3531a9c5ac104fe41e58d1a394c59881866b1709`
SHA256	`afc27d718fe6ec867677b2ca7d2f5c20d7d1f2f75d69e48f1f73e8c26675044e`
SHA3	`10c8a0c1919e49a9cb986daa968f4a18104b50e95ff63ab30503c1e0915083ba`
VirtualSize	`0x77a088`
VirtualAddress	`0x554000`
SizeOfRawData	`0x77a200`
PointerToRawData	`0x2400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_NOT_PAGED` `IMAGE_SCN_MEM_READ`
Entropy	`7.94957`

.reloc

MD5	`639b7b9051de216c26b481b3c3dac3b9`
SHA1	`b739f09bfb6f1409a72e611de8ac513b3503ea67`
SHA256	`60ead099f3a466446b3d9a41d1deea482eb92b0dbf0685dc7fff3ca9bd1ea500`
SHA3	`2e6f732a68545b7530040326e7133529413f000ab5d8f27c95e18b70588c1073`
VirtualSize	`0xe8`
VirtualAddress	`0xccf000`
SizeOfRawData	`0x200`
PointerToRawData	`0x77c600`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`2.19151`

.rsrc

MD5	`8d5821503a08115ac947ab298b4b2d19`
SHA1	`eb7fdfa1af86d352a1fc43c5b1a332d684f96b17`
SHA256	`e58b8750fdb921856c8488ef9b44df223da44812332e59d2eee3bb996c31326b`
SHA3	`64eab7f031f41d282a7cf4b10462fd184d5e7fb739375a24abc7b969f95c04d2`
VirtualSize	`0x1e0`
VirtualAddress	`0xcd0000`
SizeOfRawData	`0x200`
PointerToRawData	`0x77c800`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`4.75615`

Imports

KERNEL32.dll	`VirtualAllocEx`
USER32.dll	`SetWindowPos`
SHELL32.dll	`SHGetFolderPathA`
WS2_32.dll	`WSAGetLastError`
d3d9.dll	`Direct3DCreate9`
KERNEL32.dll (#2)	`VirtualAllocEx`
USER32.dll (#2)	`SetWindowPos`
KERNEL32.dll (#3)	`VirtualAllocEx`

Delayed Imports

1

Type	`RT_MANIFEST`
Language	English - United States
Codepage	UNKNOWN
Size	`0x188`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`4.89623`
MD5	`b8e76ddb52d0eb41e972599ff3ca431b`
SHA1	`fc12d7ad112ddabfcd8f82f290d84e637a4d62f8`
SHA256	`165c5c883fd4fd36758bcba6baf2faffb77d2f4872ffd5ee918a16f91de5a8a8`
SHA3	`37f83338b28cb102b1b14f27280ba1aa3fffb17f7bf165cb7b675b7e8eb7cddd`

Version Info

TLS Callbacks

Load Configuration

Size	`0x138`
TimeDateStamp	`1970-Jan-01 00:00:00`
Version	`0.0`
GlobalFlagsClear	`(EMPTY)`
GlobalFlagsSet	`(EMPTY)`
CriticalSectionDefaultTimeout	`0`
DeCommitFreeBlockThreshold	`0`
DeCommitTotalFreeThreshold	`0`
LockPrefixTable	`0`
MaximumAllocationSize	`0`
VirtualMemoryThreshold	`0`
ProcessAffinityMask	`0`
ProcessHeapFlags	`(EMPTY)`
CSDVersion	`0`
Reserved1	`0`
EditList	`0`
SecurityCookie	`0x14007c1e0`

RICH Header

Errors

[!] Error: Could not read the exported DLL name.
[!] Error: Could not reach the TLS callback table.
[*] Warning: Section .text has a size of 0!
[*] Warning: Section .rdata has a size of 0!
[*] Warning: Section .data has a size of 0!
[*] Warning: Section .pdata has a size of 0!
[*] Warning: Section _RDATA has a size of 0!
[*] Warning: Section .CK` has a size of 0!