Manalyze report for f5a9c634a6aa5fbd5b745b2eb7e474491295d3c0550b714d122a11baa3d6a00e

Summary

Architecture	`IMAGE_FILE_MACHINE_I386`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	2023-Jun-20 07:00:00
Detected languages	English - United States
LegalCopyright	https://github.com/YuZhouRen86/VxKex-NEXT
FileDescription	VxKex NEXT Setup and Maintenance Tool
FileVersion	`1.1.4.2085`
InternalName	KexSetup
OriginalFilename	KEXSETUP.EXE

Plugin Output

Info	Matching compiler(s):	`Microsoft Visual C++ 6.0 - 8.0` `Microsoft Visual C++ 8.0` `Microsoft Visual C++` `Microsoft Visual C++ v6.0`
Info	Interesting strings found in the binary:	`Contains domain names: github.com https://github.com`
Info	The PE contains common functions which appear in legitimate applications.	`[!] The program may be hiding some of its imports: LoadLibraryExW GetProcAddress` `Possibly launches other programs: CreateProcessW` `Can create temporary files: CreateFileW GetTempPathW`
Malicious	The file contains overlay data.	`6245999 bytes of data starting at offset 0xae00.` `The file contains a 7-Zip compressed file after the PE data.` `Overlay data amounts for 99.2919% of the executable.`
Malicious	VirusTotal score: 42/68 (Scanned on 2026-05-30 11:01:11)	`ALYac: Gen:Variant.Tedy.968066` `APEX: Malicious` `AVG: Other:Malware-gen [Trj]` `AhnLab-V3: Malware/Win.Generic.R708420` `Alibaba: Trojan:Win32/MalwareX.6e963822` `Antiy-AVL: Trojan/Win32.Phonzy` `Arcabit: Trojan.Tedy.DEC582` `Avast: Other:Malware-gen [Trj]` `Avira: TR/Dropper.Gen` `BitDefender: Gen:Variant.Tedy.968066` `CAT-QuickHeal: Trojan.Phonzy` `CTX: exe.trojan.tedy` `CrowdStrike: win/malicious_confidence_60% (W)` `Cynet: Malicious (score: 99)` `Elastic: malicious (high confidence)` `Emsisoft: Gen:Variant.Tedy.968066 (B)` `F-Secure: Trojan.TR/Dropper.Gen` `Fortinet: W32/PossibleThreat` `GData: Win32.Trojan.Agent.BG3J5S` `Google: Detected` `Gridinsoft: Trojan.Win32.Gen.sa` `Ikarus: Trojan.Dropper` `Jiangmin: Trojan.Zenpak.pdh` `K7AntiVirus: Riskware ( 00584baa1 )` `K7GW: Riskware ( 00584baa1 )` `Kingsoft: Win32.Troj.suschil.v` `Lionic: Trojan.Win32.Zenpak.tssz` `Malwarebytes: Malware.AI.2383339346` `McAfeeD: ti!F5A9C634A6AA` `MicroWorld-eScan: Gen:Variant.Tedy.968066` `Microsoft: Trojan:Win32/Suschil!rfn` `Paloalto: generic.ml` `Sangfor: Trojan.Win32.Agent.Vkq9` `Sophos: Mal/Generic-S` `Symantec: Trojan.Gen.MBT` `TrellixENS: Artemis!C6CD55FDB985` `VBA32: BScope.Trojan.Deshacop` `VIPRE: Gen:Variant.Tedy.968066` `Varist: W32/ABTrojan.OYZH-3388` `ViRobot: Trojan.Win.Z.Tedy.6290543` `Webroot: W32.Trojan.Gen` `alibabacloud: Trojan[dropper]:Win/Suschil.Gen`

Hashes

MD5	`c6cd55fdb9850969171b6c221f1c7a21`
SHA1	`8037a423cec9b11327447cacd16405f5c12dc1d5`
SHA256	`f5a9c634a6aa5fbd5b745b2eb7e474491295d3c0550b714d122a11baa3d6a00e`
SHA3	`ee50221149ba62a7d57701399eee99396e07928aab85d11c5e73b22f0c6d5a0d`
SSDeep	`98304:6SD8iNALBO5nzm7RBQ8cBmRaET2e2DlV6yaWAP5X19PIotNakWaP/i8fvVGlR3fW:lPAk5zUPTcnETwV67pNPIorbi838P6x`
Imports Hash	`7a5e2524b66da5177b4ec46d305a3dd7`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0xe0`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_I386`
NumberofSections	`4`
TimeDateStamp	2023-Jun-20 07:00:00
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xe0`
Characteristics	`IMAGE_FILE_32BIT_MACHINE` `IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LARGE_ADDRESS_AWARE` `IMAGE_FILE_LINE_NUMS_STRIPPED` `IMAGE_FILE_LOCAL_SYMS_STRIPPED` `IMAGE_FILE_RELOCS_STRIPPED`

Image Optional Header

Magic	`PE32`
LinkerVersion	`6.0`
SizeOfCode	`0x6e00`
SizeOfInitializedData	`0x3c00`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x00007B04 (Section: .text)`
BaseOfCode	`0x1000`
BaseOfData	`0x8000`
ImageBase	`0x400000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`4.0`
ImageVersion	`0.0`
SubsystemVersion	`4.0`
Win32VersionValue	`0`
SizeOfImage	`0xf000`
SizeOfHeaders	`0x400`
Checksum	`0xb9fe`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_NX_COMPAT`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`27189f2f9a9ba1e318a01410aa4c7ad8`
SHA1	`73f5a35ca1dd758cf7d07df929279201f25ac229`
SHA256	`2c6b2f34a4a12c0f965274b76d89007001600b0261126775340559757a3cec98`
SHA3	`fc2b17eab48b36e6a8b35c180584683e6dcc2a8c04975a50ef32a0dbcf6814af`
VirtualSize	`0x6c9c`
VirtualAddress	`0x1000`
SizeOfRawData	`0x6e00`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.58673`

.rdata

MD5	`8e31db5c36356408a9d72a74aae3ed17`
SHA1	`1689c00197e0dc3aa08ab9bb50b314f65a7ceea6`
SHA256	`db4bd2f77a0d2f9d1e54babbca242e2d727d2c74f869e8562d0d9d25c61bf701`
SHA3	`41a9f5a7ef45db63110fb31de29b4c6466520cea52fb2795f4bebba7b3cc3f60`
VirtualSize	`0x858`
VirtualAddress	`0x8000`
SizeOfRawData	`0xa00`
PointerToRawData	`0x7200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`4.50466`

.data

MD5	`598e1aae6ecbd8237c4383f4be94b9f1`
SHA1	`ab4a6d7509b109b24572e011b0696647c7af25f0`
SHA256	`f60983e21c9cca08114b490d798ca0c0435a6857fd6176a2da8222694af0e852`
SHA3	`6a6b8c71015beef8a08636cc20b9dc37e55151b2ebf483b758e88d727edf68cb`
VirtualSize	`0x2050`
VirtualAddress	`0x9000`
SizeOfRawData	`0x200`
PointerToRawData	`0x7c00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`0.0203931`

.rsrc

MD5	`7813d7d703df4d4e6ac7a27049ba770c`
SHA1	`be4156709885dd938b2b462daccce883ef205b2f`
SHA256	`15f9efa5052e8dca6129352d4afc6617b399737092f7c0050e8870f64f14a858`
SHA3	`fa065834dbad83d1fc916302924b61d2c43aba9d546a65492f03dafde098317c`
VirtualSize	`0x2e8c`
VirtualAddress	`0xc000`
SizeOfRawData	`0x3000`
PointerToRawData	`0x7e00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`6.3113`

Imports

USER32.dll	`MessageBoxA`
SHELL32.dll	`ShellExecuteExW`
MSVCRT.dll	`_controlfp` `_except_handler3` `__set_app_type` `__p__fmode` `__p__commode` `_adjust_fdiv` `__setusermatherr` `_initterm` `__getmainargs` `_acmdln` `exit` `_XcptFilter` `_exit` `memcpy` `free` `malloc` `wcscmp` `memcmp` `memmove` `strlen` `memset`
KERNEL32.dll	`GetCurrentDirectoryW` `GetStartupInfoA` `GetModuleHandleA` `GetSystemDirectoryW` `LoadLibraryExW` `GetModuleHandleW` `GetProcAddress` `GetVersion` `SetFilePointer` `WriteFile` `ReadFile` `CreateFileW` `DeleteFileW` `FindNextFileW` `RemoveDirectoryW` `FindFirstFileW` `FindClose` `GetModuleFileNameW` `GetCommandLineW` `GetTempPathW` `lstrlenW` `GetCurrentThreadId` `GetTickCount` `GetCurrentProcessId` `lstrcpyW` `GetExitCodeProcess` `WaitForSingleObject` `CloseHandle` `CreateProcessW` `SetCurrentDirectoryW` `SetFileAttributesW` `SetFileTime` `lstrcatW` `GetLastError` `CreateDirectoryW`

Delayed Imports

1

Type	`RT_ICON`
Language	English - United States
Codepage	Latin 1 / Western European
Size	`0x25a8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`6.36914`
MD5	`8a77ab745f2a931c4a0172dee36485be`
SHA1	`77397c499019a4ecab5159723139b84015aefab5`
SHA256	`242b9ae331082572e3d7624feb1eacf582d1a9159b201f2650968f0f0d21b3be`
SHA3	`5787a98768f81cdf2fd02d64e96236f27a116949cbecc49ce4ba35cc2beecc37`

1 (#2)

Type	`RT_GROUP_ICON`
Language	English - United States
Codepage	Latin 1 / Western European
Size	`0x14`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`1.91924`
Detected Filetype	Icon file
MD5	`6da8e7d5ae1d5d15e0230a67a7c16c6d`
SHA1	`678db52cbe5d617c33c6269bfd4b6d8d1a17f956`
SHA256	`6eb54801f91b6d8effccbfaefe6b2d7705a274a75940e6226e24e0d4ec58c396`
SHA3	`994fc217c7b8bc8008ac262ff58044403206de6eceafd424d4640ecad395eb2f`

1 (#3)

Type	`RT_VERSION`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x59c`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.64466`
MD5	`f0b38bdf60f002b41dfef96c7e0b3371`
SHA1	`b2e8212f4944a2918a0e5f511829c610b01ea89f`
SHA256	`17bc55e315931d293400c9ba10592c382a52522131ae53dae4ecf06a5e64e32d`
SHA3	`e7ec7e130fb3cd3b0e8625275ecf86706bd8ff0683f60a178fd1bbf657c1d20b`

1 (#4)

Type	`RT_MANIFEST`
Language	English - United States
Codepage	Latin 1 / Western European
Size	`0x201`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.04716`
MD5	`d8c691533b2030c51c5853bfb02aaf88`
SHA1	`586978ad69058657b6d14127968f438e684201b9`
SHA256	`b14001d080e6dc477a7e47b5a8c59c2e92d47ee98ffe64fa1ef71711602de3ed`
SHA3	`73af1443f864f494b656df0a4b3bfc13ac653e827f584137e7049a7b1e2500bc`

Version Info

Signature	`0xfeef04bd`
StructVersion	`0x10000`
FileVersion	1.1.4.2085
ProductVersion	0.0.0.0
FileFlags	`(EMPTY)`
FileOs	`VOS_NT` `VOS_NT_WINDOWS32` `VOS_WINCE`
FileType	`VFT_APP`
Language	English - United States
LegalCopyright	https://github.com/YuZhouRen86/VxKex-NEXT
FileDescription	VxKex NEXT Setup and Maintenance Tool
FileVersion (#2)	1.1.4.2085
InternalName	KexSetup
OriginalFilename	KEXSETUP.EXE

Resource LangID	UNKNOWN

TLS Callbacks

Load Configuration

RICH Header

XOR Key	`0x3b5f899c`
Unmarked objects	`0`
C objects (8047)	`11`
14 (7299)	`5`
Linker (8047)	`2`
Total imports	`63`
Imports (2179)	`7`
C objects (VS98 SP6 build 8804)	`19`
Resource objects (VS98 SP6 cvtres build 1736)	`1`

Errors

Leave a comment

No comments yet.