Manalyze report for ebadf71aae5b81097f02003b13f3b2dd

Summary

Architecture	`IMAGE_FILE_MACHINE_AMD64`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_CUI`
Compilation Date	2024-Feb-18 15:39:17
Detected languages	English - United States

Plugin Output

Info	Matching compiler(s):	`MASM/TASM - sig1(h)`
Malicious	The PE contains functions mostly used by malware.	`[!] The program may be hiding some of its imports: GetProcAddress LoadLibraryA` `Functions which can be used for anti-debugging purposes: CreateToolhelp32Snapshot` `Code injection capabilities: CreateRemoteThread OpenProcess VirtualAlloc VirtualAllocEx WriteProcessMemory` `Functions related to the privilege level: AdjustTokenPrivileges OpenProcessToken` `Manipulates other processes: OpenProcess WriteProcessMemory Process32First Process32Next`
Suspicious	VirusTotal score: 1/63 (Scanned on 2024-07-08 05:01:50)	`Symantec: ML.Attribute.HighConfidence`

Hashes

MD5	`ebadf71aae5b81097f02003b13f3b2dd`
SHA1	`aa5618e281250014dc61bafe4bcc202e3938451c`
SHA256	`51e742a6997dbf7ca191d63bfc7e04e80ac8c41f5ea0505efd9df1014eff9c95`
SHA3	`bda85d06088ce25bea53065cb47e72261aa959e75233fc575901e5cf32ad7821`
SSDeep	`384:2Km9UjiGHAbFafKIGydTzDlLXuvSkF4RIDzbkOfDu3a30i:Z/JpSvS7qkQ30`
Imports Hash	`402dc02642be1924dd591a8a4dd61cd1`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0xf0`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_AMD64`
NumberofSections	`6`
TimeDateStamp	2024-Feb-18 15:39:17
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xf0`
Characteristics	`IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LARGE_ADDRESS_AWARE`

Image Optional Header

Magic	`PE32+`
LinkerVersion	`14.0`
SizeOfCode	`0x2800`
SizeOfInitializedData	`0x2e00`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x0000000000002C18 (Section: .text)`
BaseOfCode	`0x1000`
ImageBase	`0x140000000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`6.0`
ImageVersion	`0.0`
SubsystemVersion	`6.0`
Win32VersionValue	`0`
SizeOfImage	`0xb000`
SizeOfHeaders	`0x400`
Checksum	`0x772b`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_CUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` `IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA` `IMAGE_DLLCHARACTERISTICS_NX_COMPAT` `IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`40f0c079ae0ca13a8ff8320b20e95525`
SHA1	`693ef2ce0c7fc03512cff0a502180f05bbdcaa68`
SHA256	`66f9ec032a1bce58d052fb49b85f39379ca57101b9bcb0fa295d7748e9a7c9b8`
SHA3	`8b44263c876b664945bd47523ba952ba338db46d27d2dbd73d23a000ea13e172`
VirtualSize	`0x273c`
VirtualAddress	`0x1000`
SizeOfRawData	`0x2800`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`5.98271`

.rdata

MD5	`2badcf270a9975caa8f405e3e008b9f9`
SHA1	`2683249bb507b54ea49ac1b66f76c7aae7bca60a`
SHA256	`c7fce4271696c693f24e802cb3bf560c5a943a26b110987e4505aafdac0a0f10`
SHA3	`1214d9c5f9f39d6724d36c09221a0d9c6f88eaf83b93db96e7e2293288e0f51c`
VirtualSize	`0x2212`
VirtualAddress	`0x4000`
SizeOfRawData	`0x2400`
PointerToRawData	`0x2c00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`4.37613`

.data

MD5	`1c5e60595b6f4d6226f1e1154da60dc4`
SHA1	`a2c0e6c5f51e8ae5467c1e8ace94b4e8a8bd8672`
SHA256	`3618d8aed33b6847f94585828071e41f9a17c50d1be5c2f4b0cec01ff4acdfb7`
SHA3	`98b3418e059603f4375c2b4054586788f0eefb1a90532869040f1a8b597bd471`
VirtualSize	`0x6e0`
VirtualAddress	`0x7000`
SizeOfRawData	`0x200`
PointerToRawData	`0x5000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`1.99065`

.pdata

MD5	`ed745a180f6f316cd560eaf8a3669bf7`
SHA1	`722eba363846a2f0a37d7d28a110dfe94743ddc0`
SHA256	`91529e6fe8c6413b9c9b3ad5c8375cbe323e86714941b68635693cb266b4c973`
SHA3	`105b1a8a5ebf236404bc812853ecaf324c3da0b0bf6b3be961d85bd9f4611c1e`
VirtualSize	`0x390`
VirtualAddress	`0x8000`
SizeOfRawData	`0x400`
PointerToRawData	`0x5200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`3.79159`

.rsrc

MD5	`c188ffe548402f44efb1973cddd1169d`
SHA1	`88e6cb562d3c3b90f5ead9a8f578ab0419d99884`
SHA256	`b58c6ad6785b17208c810c3a5717f5c16e1a2950663984a54421723a4f4cc1ca`
SHA3	`77233db5639b473698e1bc1ff48db75489191dea48944ca7e3aec4cc0ca020a6`
VirtualSize	`0x1b4`
VirtualAddress	`0x9000`
SizeOfRawData	`0x200`
PointerToRawData	`0x5600`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`5.09798`

.reloc

MD5	`0fb56441d28c895f6f415b28c0aabf50`
SHA1	`c03eb2134fe4e0cd16ffeedfa2c1c743c55cfd90`
SHA256	`e46109fec3ce8fca135aa0cb95341e144b32886265b22d641c6463e5a47d83ae`
SHA3	`5f45fcbab616b978de8a601251be542bbdbe435bf73c8f611a184b1a2850def8`
VirtualSize	`0x58`
VirtualAddress	`0xa000`
SizeOfRawData	`0x200`
PointerToRawData	`0x5800`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`1.19882`

Imports

KERNEL32.dll	`ReadFile` `CloseHandle` `GetLastError` `WaitForSingleObject` `CreateRemoteThread` `GetExitCodeThread` `OpenProcess` `VirtualAlloc` `VirtualFree` `VirtualAllocEx` `WriteProcessMemory` `GetFileSize` `GetProcAddress` `LoadLibraryA` `Sleep` `GetCurrentProcess` `GetNativeSystemInfo` `IsWow64Process` `LocalFree` `FormatMessageA` `CreateToolhelp32Snapshot` `Process32First` `Process32Next` `GetFileAttributesA` `CreateFileA` `VirtualFreeEx` `GetFullPathNameA` `IsDebuggerPresent` `InitializeSListHead` `GetSystemTimeAsFileTime` `GetCurrentThreadId` `GetCurrentProcessId` `QueryPerformanceCounter` `IsProcessorFeaturePresent` `TerminateProcess` `SetUnhandledExceptionFilter` `UnhandledExceptionFilter` `RtlVirtualUnwind` `RtlLookupFunctionEntry` `RtlCaptureContext` `GetModuleHandleW`
ADVAPI32.dll	`AdjustTokenPrivileges` `OpenProcessToken` `LookupPrivilegeValueA`
MSVCP140.dll	`?_Xlength_error@std@@YAXPEBD@Z` `?_Xout_of_range@std@@YAXPEBD@Z` `?_Xinvalid_argument@std@@YAXPEBD@Z`
VCRUNTIME140.dll	`memset` `__C_specific_handler` `__current_exception_context` `__current_exception` `__std_exception_copy` `__std_exception_destroy` `_CxxThrowException` `memcpy` `memmove`
VCRUNTIME140_1.dll	`__CxxFrameHandler4`
api-ms-win-crt-runtime-l1-1-0.dll	`_c_exit` `_cexit` `_get_initial_narrow_environment` `__p___argv` `__p___argc` `_register_onexit_function` `_crt_atexit` `terminate` `_seh_filter_exe` `_errno` `_invalid_parameter_noinfo_noreturn` `_exit` `exit` `_register_thread_local_exe_atexit_callback` `_initterm_e` `_initialize_narrow_environment` `_configure_narrow_argv` `_initialize_onexit_table` `_set_app_type` `_initterm`
api-ms-win-crt-string-l1-1-0.dll	`_stricmp` `isdigit`
api-ms-win-crt-stdio-l1-1-0.dll	`__acrt_iob_func` `_set_fmode` `puts` `__stdio_common_vfprintf` `__p__commode`
api-ms-win-crt-convert-l1-1-0.dll	`strtoul`
api-ms-win-crt-heap-l1-1-0.dll	`free` `_set_new_mode` `malloc` `_callnewh`
api-ms-win-crt-math-l1-1-0.dll	`__setusermatherr`
api-ms-win-crt-locale-l1-1-0.dll	`_configthreadlocale`

Delayed Imports

1

Type	`RT_MANIFEST`
Language	English - United States
Codepage	Latin 1 / Western European
Size	`0x15a`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`4.79597`
MD5	`24d3b502e1846356b0263f945ddd5529`
SHA1	`bac45b86a9c48fc3756a46809c101570d349737d`
SHA256	`49a60be4b95b6d30da355a0c124af82b35000bce8f24f957d1c09ead47544a1e`
SHA3	`1244ed60820da52dc4b53880ec48e3b587dbdbd9545f01fa2b1c0fcfea1d5e9e`

Version Info

IMAGE_DEBUG_TYPE_POGO

Characteristics	`0`
TimeDateStamp	2024-Feb-18 15:39:17
Version	`0.0`
SizeofData	`680`
AddressOfRawData	`0x4e58`
PointerToRawData	`0x3a58`

TLS Callbacks

Load Configuration

Size	`0x140`
TimeDateStamp	`1970-Jan-01 00:00:00`
Version	`0.0`
GlobalFlagsClear	`(EMPTY)`
GlobalFlagsSet	`(EMPTY)`
CriticalSectionDefaultTimeout	`0`
DeCommitFreeBlockThreshold	`0`
DeCommitTotalFreeThreshold	`0`
LockPrefixTable	`0`
MaximumAllocationSize	`0`
VirtualMemoryThreshold	`0`
ProcessAffinityMask	`0`
ProcessHeapFlags	`(EMPTY)`
CSDVersion	`0`
Reserved1	`0`
EditList	`0`
SecurityCookie	`0x140007008`

RICH Header

XOR Key	`0xb30ceb8`
Unmarked objects	`0`
Imports (VS2008 SP1 build 30729)	`14`
C++ objects (32420)	`27`
C objects (32420)	`10`
ASM objects (32420)	`3`
Imports (32420)	`6`
Imports (30795)	`5`
Total imports	`96`
C++ objects (VS2022 Update 6 (17.6.4) compiler 32537)	`3`
Linker (VS2022 Update 6 (17.6.4) compiler 32537)	`1`

ebadf71aae5b81097f02003b13f3b2dd

Summary

Plugin Output

Hashes

DOS Header

PE Header

Image Optional Header

.text

.rdata

.data

.pdata

.rsrc

.reloc

Imports

Delayed Imports

1

Version Info

IMAGE_DEBUG_TYPE_POGO

TLS Callbacks

Load Configuration

RICH Header

Errors