Manalyze report for f12bba19049c650b6768e7f0f91b3ccd3910293b5faa580d2eea3dbb17702260

Summary

Architecture	`IMAGE_FILE_MACHINE_AMD64`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_CUI`
Compilation Date	2020-Jan-05 12:15:27

Plugin Output

Info	Cryptographic algorithms detected in the binary:	`Uses constants related to CRC32`
Suspicious	The PE contains functions most legitimate programs don't use.	`[!] The program may be hiding some of its imports: GetProcAddress LoadLibraryExW LoadLibraryA` `Possibly launches other programs: CreateProcessW` `Can create temporary files: GetTempPathW CreateFileW` `Leverages the raw socket API to access the Internet: ntohl` `Enumerates local disk drives: GetDriveTypeW`
Suspicious	The file contains overlay data.	`1890658 bytes of data starting at offset 0x61400.` `The overlay data has an entropy of 7.99913 and is possibly compressed or encrypted.` `Overlay data amounts for 82.5978% of the executable.`
Suspicious	No VirusTotal score.	`This file has never been scanned on VirusTotal.`

Hashes

MD5	`972c1038b1955288c7c3cff8a3a33da1`
SHA1	`b017187ac2931460a55f32d91306486ea2852393`
SHA256	`f12bba19049c650b6768e7f0f91b3ccd3910293b5faa580d2eea3dbb17702260`
SHA3	`61b8d8392e955a431e9667d9eea2a80bd149c4d5c7b0276386b7dd32eec80e21`
SSDeep	`49152:7aTv4tL2h7wDvj7NCeSyNueVht8qYxyHWN+bdxJZ6GBD:7U4tL2SDvMjouer2UTh`
Imports Hash	`7aa1951517b3b8d38b12f874b66196c9`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0x108`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_AMD64`
NumberofSections	`7`
TimeDateStamp	2020-Jan-05 12:15:27
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xf0`
Characteristics	`IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LARGE_ADDRESS_AWARE`

Image Optional Header

Magic	`PE32+`
LinkerVersion	`14.0`
SizeOfCode	`0x21600`
SizeOfInitializedData	`0x3fa00`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x0000000000008B14 (Section: .text)`
BaseOfCode	`0x1000`
ImageBase	`0x140000000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`5.2`
ImageVersion	`0.0`
SubsystemVersion	`5.2`
Win32VersionValue	`0`
SizeOfImage	`0x74000`
SizeOfHeaders	`0x400`
Checksum	`0`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_CUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` `IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA` `IMAGE_DLLCHARACTERISTICS_NX_COMPAT` `IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`bc76aa9332c27788b891bf46421d2261`
SHA1	`686c80d3a8c6ec573a5c6ffec549cad4bb0a678a`
SHA256	`cb7cce6853729802c59d8b2371573b1d807180eb07dc52cabe8bdce46d6bbccb`
SHA3	`65a7d369a5d960b36a306c893e459eb1db6966cef5ace4dcf57206437e94db47`
VirtualSize	`0x214d0`
VirtualAddress	`0x1000`
SizeOfRawData	`0x21600`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.45785`

.rdata

MD5	`ffb1fcb4e358028e22b7048afa07095b`
SHA1	`02ddad3a50d506a6c99e5b3dc6a07c74f19c58d7`
SHA256	`15a56cb31592fb28a104e40d74875614919201e4df622e9498f4eae25f55f3c0`
SHA3	`8785d12699279c3006f73dd1c859f98ec357ce28002baab673d347c3b47a9480`
VirtualSize	`0xf49e`
VirtualAddress	`0x23000`
SizeOfRawData	`0xf600`
PointerToRawData	`0x21a00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`5.83487`

.data

MD5	`e001c48c58a83fc36b1ec29411188fa4`
SHA1	`5203faefd2291bfaffc2738d35c00d2fb6da126b`
SHA256	`9882f044a326f172e5819392d47e875664b0b6e27fa8e727491b11610869260d`
SHA3	`7830e8f91b5192569c0285f2617b20c96c86f56e8e04d49bdc2b822a59b35fda`
VirtualSize	`0xf108`
VirtualAddress	`0x33000`
SizeOfRawData	`0xc00`
PointerToRawData	`0x31000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`1.84757`

.pdata

MD5	`2d86c7785fa4cdbeee10fa69a2e2d271`
SHA1	`625726f93f714083cc036be0032c9831c09a5e0a`
SHA256	`af4c7f89891ee7a467a0e3667c1d65a994cfa9e381481107a0a73df865adbf81`
SHA3	`77171c94d107898995ee3fd39d2b5a3cd1bc847f86a549d6c81c7be9b652a37f`
VirtualSize	`0x1d10`
VirtualAddress	`0x43000`
SizeOfRawData	`0x1e00`
PointerToRawData	`0x31c00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`5.22925`

.gfids

MD5	`4ca521d659f21e53989de742d2577e62`
SHA1	`ab0eeab214975ac81307258033a40b34f277929e`
SHA256	`b2325b63a1da49ed3306a132e879fb2ad3dd3ca7bc3d024b361f322287b3679c`
SHA3	`929ef5c35d504b513bee15816bd5069061ea9de82e77270018884c2a36b03f68`
VirtualSize	`0xac`
VirtualAddress	`0x45000`
SizeOfRawData	`0x200`
PointerToRawData	`0x33a00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`1.72035`

.rsrc

MD5	`3292c5376aeff7d18c4673a8427886c3`
SHA1	`9490fa6fc2bf5b9b7d13ba32da594bb15eadafaf`
SHA256	`2494e2d0e6740a45e9e9af12a4f88c49c104cc4b7f43cc8468ea55ff209408b6`
SHA3	`32fd8ecc372290929b60d73e72e8a209f07d32954806fd48c468337712e8a7bb`
VirtualSize	`0x2ce08`
VirtualAddress	`0x46000`
SizeOfRawData	`0x2d000`
PointerToRawData	`0x33c00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`4.7813`

.reloc

MD5	`7df6f38c84844da9738fba2d2a443f7f`
SHA1	`09b4da2d7f37b424aeb8df0b7632a1c8594c96b7`
SHA256	`cb41bb86c2112e09afbc8136608737abb0546f4114d4afc43569cbab15e1a7e9`
SHA3	`1c398c095d035089b5c1ddc3d8c79ae6690ea575e50ec72207e8f7dd97a8c21e`
VirtualSize	`0x690`
VirtualAddress	`0x73000`
SizeOfRawData	`0x800`
PointerToRawData	`0x60c00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`4.9923`

Imports

KERNEL32.dll	`GetModuleFileNameW` `GetProcAddress` `GetCommandLineW` `GetEnvironmentVariableW` `SetEnvironmentVariableW` `ExpandEnvironmentStringsW` `GetTempPathW` `WaitForSingleObject` `Sleep` `SetDllDirectoryW` `CreateProcessW` `GetStartupInfoW` `LoadLibraryExW` `CreateDirectoryW` `GetShortPathNameW` `FormatMessageW` `LoadLibraryA` `MultiByteToWideChar` `WideCharToMultiByte` `GetExitCodeProcess` `GetLastError` `SetEndOfFile` `HeapReAlloc` `RtlCaptureContext` `RtlLookupFunctionEntry` `RtlVirtualUnwind` `UnhandledExceptionFilter` `SetUnhandledExceptionFilter` `GetCurrentProcess` `TerminateProcess` `IsProcessorFeaturePresent` `QueryPerformanceCounter` `GetCurrentProcessId` `GetCurrentThreadId` `GetSystemTimeAsFileTime` `InitializeSListHead` `IsDebuggerPresent` `GetModuleHandleW` `RtlUnwindEx` `SetLastError` `EnterCriticalSection` `LeaveCriticalSection` `DeleteCriticalSection` `InitializeCriticalSectionAndSpinCount` `TlsAlloc` `TlsGetValue` `TlsSetValue` `TlsFree` `FreeLibrary` `GetCommandLineA` `ReadFile` `CreateFileW` `GetDriveTypeW` `GetFileType` `CloseHandle` `PeekNamedPipe` `SystemTimeToTzSpecificLocalTime` `FileTimeToSystemTime` `GetFullPathNameW` `GetFullPathNameA` `RemoveDirectoryW` `FindClose` `FindFirstFileExW` `FindNextFileW` `SetStdHandle` `SetConsoleCtrlHandler` `DeleteFileW` `GetStdHandle` `WriteFile` `ExitProcess` `GetModuleHandleExW` `GetACP` `HeapFree` `HeapAlloc` `GetConsoleMode` `ReadConsoleW` `SetFilePointerEx` `GetConsoleCP` `CompareStringW` `LCMapStringW` `GetCurrentDirectoryW` `FlushFileBuffers` `SetEnvironmentVariableA` `GetFileAttributesExW` `IsValidCodePage` `GetOEMCP` `GetCPInfo` `GetEnvironmentStringsW` `FreeEnvironmentStringsW` `GetStringTypeW` `GetProcessHeap` `WriteConsoleW` `GetTimeZoneInformation` `HeapSize` `RaiseException`
ADVAPI32.dll	`ConvertStringSecurityDescriptorToSecurityDescriptorW`
WS2_32.dll	`ntohl`

Delayed Imports

1

Type	`RT_ICON`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x5309`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`7.97359`
Detected Filetype	PNG graphic file
MD5	`e30fc66585b424856c0f983e4d16cdd2`
SHA1	`c336b95f3685d608bd19d4d02f97efe81384fa19`
SHA256	`61681f423e185014ed6e3048b1b33d6e53870b3fd15a326c4788a5457e60123a`
SHA3	`c875aec755ff17da26b6ce4b908fa9632d2ac57d874ae593c1b8a03716a3048d`

2

Type	`RT_ICON`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x10828`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.55939`
MD5	`0162e37e58e3e58668bed3b7c363c183`
SHA1	`3db7861c5841d47579020db2fcaf43141a4fec3f`
SHA256	`1c1941ab3b2ac63fc62f6565d7432dfdf03eb0beb18705c0870278426ab77ccf`
SHA3	`c9f981dccb1b1f37060fde0c5f24e5706505d6dfaf99b23c8a0c342fe65f4e32`

3

Type	`RT_ICON`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x94a8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`4.03706`
MD5	`ef688cd769ddabc7b6565889ee191183`
SHA1	`c80c746d04b3dea776493153bf49f5c164f68a6f`
SHA256	`d07a75a41d383d23e76d40ddace95df6a5998f5135397a2a4e09b641d9a4a79e`
SHA3	`626b5fed77dcfe8d0bac99cf53ba28ea42b2ee0956a496de69da69be74be0cd7`

4

Type	`RT_ICON`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x5488`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`4.01515`
MD5	`974aa97fabae886288f4f0d821fd906e`
SHA1	`e9af9230b1f2d6865db465a5290881203a953070`
SHA256	`be42efe6095473f9ca3d66e035935288b1687706c83932408b09ffce54809d84`
SHA3	`af07492ac894755a2f1c14fe4852c01787cc07814f4afc91deec2f5478567af0`

5

Type	`RT_ICON`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x4228`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.86551`
MD5	`db07cabcb0dad5f23d81a4d11541ecab`
SHA1	`c6c9a0a563167bb3c51c0c7b562233c88d6342b6`
SHA256	`3fefeabcb63f9faec84330ffde7dfda064c3b32024a53262f0aa9abbd9ebee66`
SHA3	`b0dd018c125511c27cca0ece5f261682913c538520885be355208421aff5c6d1`

6

Type	`RT_ICON`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x25a8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`4.31237`
MD5	`0c8b5fa2cfdbbf3e2ad942584c79413c`
SHA1	`4a95e7344fb812199d7652649542ad6de207f216`
SHA256	`5523014479ae5f32c754f4c49a0f73f73aa55ca5ecfb68a0856c74b7084a319f`
SHA3	`df0c9091bf0b09c05ba1c81a8a44dfad255d2cc0d39e91f8175d14bc60ae60f5`

7

Type	`RT_ICON`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x10a8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`4.35232`
MD5	`86d87c5e70df355488dfd68e0c822904`
SHA1	`3cd080b99ed23c2b0a9c8a132f75366d7dcded67`
SHA256	`7c661751745054a30bb556fe0b4d52979b7f9361e2479b935034a5ae0ac2493f`
SHA3	`ba1e07f42cb065909386ea7f5ecef48b97af469fcb63eecd73bc4068b11d69fd`

8

Type	`RT_ICON`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x988`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`4.73845`
MD5	`3b354458d0977be0e2f73a10a0a46442`
SHA1	`880c0df2bf98a5a9761b1545d6bb7656b2ff18ac`
SHA256	`679aacf923de2a104d2b2fa00fed18026c65014e2c14cf6e9b61f7c80e0d34d1`
SHA3	`c2f1ebaca9d205638ea1047a40ebd566f3713626152f313c660a616657d609d4`

9

Type	`RT_ICON`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x468`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`4.88163`
MD5	`ea0343502d5d078ed2016c7fa3e8c5fa`
SHA1	`a72c3a27f690ae7f82ea2b02bb737c4cc26a8ab1`
SHA256	`e208a213d43066d3f8d55338b8d8ce54516b3ec50fa7a2e4a6052624740e21ee`
SHA3	`7df8d7839dded0f8857580522c47f07198e17d7d7fe5575324cefb88450a10b3`

0

Type	`RT_GROUP_ICON`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x84`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.01007`
Detected Filetype	Icon file
MD5	`36bb4d8746f7a121836c488a3f08d726`
SHA1	`0a889d8c669659ce2ea953e9e234c3a991893925`
SHA256	`41aab68cebe6095e37f0b4131b91c1c957ea121f3a29813448f5458fc9b32183`
SHA3	`ec27d42be42c92375194411ca13c392735bc82aabc7fdcbcc2df75ff7b82c906`

101

Type	`RT_GROUP_ICON`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x68`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.71858`
Detected Filetype	Icon file
MD5	`d06bb5f499a7e63fdebdde478b53af68`
SHA1	`f4b46ca808dc838d436be1d2c13a40d51bdd8f4f`
SHA256	`038506ab04814afcdce660ffc0de198ebe40a5b0d8e090799549e208c689fed5`
SHA3	`af3d6a80a0ad9e117953a9e1466a44d29b3d32a19a456a9297995e94ead2efd7`

Version Info

IMAGE_DEBUG_TYPE_POGO

Characteristics	`0`
TimeDateStamp	2020-Jan-05 12:15:27
Version	`0.0`
SizeofData	`720`
AddressOfRawData	`0x2fab8`
PointerToRawData	`0x2e4b8`

TLS Callbacks

Load Configuration

Size	`0x94`
TimeDateStamp	`1970-Jan-01 00:00:00`
Version	`0.0`
GlobalFlagsClear	`(EMPTY)`
GlobalFlagsSet	`(EMPTY)`
CriticalSectionDefaultTimeout	`0`
DeCommitFreeBlockThreshold	`0`
DeCommitTotalFreeThreshold	`0`
LockPrefixTable	`0`
MaximumAllocationSize	`0`
VirtualMemoryThreshold	`0`
ProcessAffinityMask	`0`
ProcessHeapFlags	`(EMPTY)`
CSDVersion	`0`
Reserved1	`0`
EditList	`0`
SecurityCookie	`0x140033010`

RICH Header

XOR Key	`0x86ac5c9d`
Unmarked objects	`0`
241 (40116)	`7`
243 (40116)	`169`
242 (40116)	`13`
ASM objects (VS2015 UPD3 build 24123)	`7`
C++ objects (VS2015 UPD3 build 24123)	`28`
C objects (VS2015 UPD3 build 24123)	`19`
Imports (65501)	`7`
Total imports	`115`
C objects (VS2015 UPD3 build 24210)	`17`
Resource objects (VS2015 UPD3 build 24210)	`1`
Linker (VS2015 UPD3 build 24210)	`1`

Errors

[*] Warning: Raw bytes from section .rsrc could not be obtained.

Leave a comment

No comments yet.