f6631d229be28f67a8ce975142404e2e

Summary

Architecture IMAGE_FILE_MACHINE_I386
Subsystem IMAGE_SUBSYSTEM_WINDOWS_CUI
Compilation Date 2023-Oct-07 13:30:55
Detected languages English - United States

Plugin Output

Info Matching compiler(s): Microsoft Visual C++ 6.0 - 8.0
Microsoft Visual C# v7.0 / Basic .NET
.NET executable -> Microsoft
Suspicious Strings found in the binary may indicate undesirable behavior:
Contains another PE executable:
  • This program cannot be run in DOS mode.
Contains domain names:
  • http://www.videolan.org
  • http://www.videolan.org/x264.html
  • videolan.org
  • www.videolan.org
Malicious The PE contains functions mostly used by malware.
[!] The program may be hiding some of its imports:
  • GetProcAddress
  • LoadLibraryExW
Functions which can be used for anti-debugging purposes:
  • CreateToolhelp32Snapshot
Can access the registry:
  • RegOpenKeyExA
  • RegEnumValueA
  • RegCloseKey
Possibly launches other programs:
  • CreateProcessA
  • ShellExecuteA
Functions related to the privilege level:
  • OpenProcessToken
Manipulates other processes:
  • Process32Next
  • Process32First
Suspicious The PE is possibly a dropper.
Resource 53248 is possibly compressed or encrypted.
Resources amount for 92.2678% of the executable.
Malicious VirusTotal score: 39/71 (Scanned on 2024-02-12 06:57:27)
ALYac: Gen:Variant.Fugrafa.302465
APEX: Malicious
AVG: FileRepMalware [Trj]
Arcabit: Trojan.Fugrafa.D49D81
Avast: FileRepMalware [Trj]
Avira: HEUR/AGEN.1317245
BitDefender: Gen:Variant.Fugrafa.302465
BitDefenderTheta: Gen:NN.ZexaF.36744.@xW@aeMgzTdi
Bkav: W32.AIDetectMalware
CrowdStrike: win/malicious_confidence_90% (W)
Cybereason: malicious.3e33fd
Cylance: unsafe
Cynet: Malicious (score: 100)
DeepInstinct: MALICIOUS
Elastic: malicious (high confidence)
Emsisoft: Gen:Variant.Fugrafa.302465 (B)
F-Secure: Heuristic.HEUR/AGEN.1317245
FireEye: Generic.mg.f6631d229be28f67
GData: Gen:Variant.Fugrafa.302465
Jiangmin: Trojan.Shelma.kbc
Kaspersky: UDS:Trojan.Win32.GenericML.xnet
Kingsoft: Win32.Trojan.GenericML.xnet
Lionic: Trojan.Win32.GenericML.4!c
MAX: malware (ai score=81)
Malwarebytes: Generic.Malware/Suspicious
MaxSecure: Trojan.Malware.300983.susgen
McAfee: Artemis!F6631D229BE2
MicroWorld-eScan: Gen:Variant.Fugrafa.302465
Microsoft: Trojan:Win32/Wacatac.B!ml
Rising: Trojan.Generic@AI.100 (RDML:mbqcEC7KjdpWxFaXWAnLhw)
Sangfor: Trojan.Win32.Save.a
SentinelOne: Static AI - Malicious PE
Skyhigh: BehavesLike.Win32.Generic.tc
Sophos: Mal/Generic-S (PUA)
Symantec: ML.Attribute.HighConfidence
VBA32: Win32.Trojan.Cryptor.Heur
VIPRE: Gen:Variant.Fugrafa.302465
ZoneAlarm: UDS:Trojan.Win32.GenericML.xnet
tehtris: Generic.Malware

Hashes

MD5 f6631d229be28f67a8ce975142404e2e
SHA1 d10439b3e33fd8b7942333b6ae0a1a62a038b156
SHA256 cff976d15ba6c14c501150c63b69e6c06971c07f8fa048a9974ecf68ab88a5b6
SHA3 29f59e8a4d4d8fc2912cbe36e40e8dd281670d3ea3153342e4e16aa09d228e7f
SSDeep 98304:gluOXH4vTcIaOqZ/E4w0tLRF3XK1UURKIVknaIK5BFNgACChjwKxs53IdJK4QOi:eXH4TcIaOMI0z81UURKKlN1/hU4QOit
Imports Hash 3ec1a9a98069e62a9247fbc51b55936d

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0x100

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_I386
NumberofSections 5
TimeDateStamp 2023-Oct-07 13:30:55
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xe0
Characteristics IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE

Image Optional Header

Magic PE32
LinkerVersion 14.0
SizeOfCode 0x10000
SizeOfInitializedData 0x58c600
SizeOfUninitializedData 0
AddressOfEntryPoint 0x00001A1C (Section: .text)
BaseOfCode 0x1000
BaseOfData 0x11000
ImageBase 0x400000
SectionAlignment 0x1000
FileAlignment 0x200
OperatingSystemVersion 6.0
ImageVersion 0.0
SubsystemVersion 6.0
Win32VersionValue 0
SizeOfImage 0x59f000
SizeOfHeaders 0x400
Checksum 0
Subsystem IMAGE_SUBSYSTEM_WINDOWS_CUI
DllCharacteristics IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
SizeofStackReserve 0x100000
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

.text

MD5 1694d30270ed42a5c3232bc82b97ceee
SHA1 5565dd3abcd723f71b22613532c6eaa5b4504f7b
SHA256 355832d6e7b10cdf281a1e308062ef43bdc6f5d37582abd2ecdc1e96a2cfbf10
SHA3 b9182ff9ab560b6875ba95c88415ab63cb76d2b85d660eb4cce4dc91f869f7ad
VirtualSize 0xff93
VirtualAddress 0x1000
SizeOfRawData 0x10000
PointerToRawData 0x400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
Entropy 6.59419

.rdata

MD5 bde3ededd44ee31c1d905654c63f50c2
SHA1 a5170bf524c74c048d3766dd1fb3e2df0d5b38d4
SHA256 fd09496d180eb7bfc1d28af4e2264a46a16f945608fa67e26af916f2debd474a
SHA3 f1b1e55f4ef0d8a4e161733f82ae2800fb7f2230eb0facbb53bde3522ef9bec3
VirtualSize 0x657e
VirtualAddress 0x11000
SizeOfRawData 0x6600
PointerToRawData 0x10400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 4.84661

.data

MD5 796ce1aecba4aecc97ad32f11c196fa1
SHA1 9908da721a7f0aabc95189a5deb875fd75e912bb
SHA256 eb533ac8b4d91c873ed2e42ae6c5c0c543d9fd0fb47e590cca883c3960c0d95c
SHA3 8067dd7fa4d8d1612844f2570ebcc1e7d54eec0fe02f875cdc75d8f83e8c7e74
VirtualSize 0x57cc4
VirtualAddress 0x18000
SizeOfRawData 0x57200
PointerToRawData 0x16a00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 7.59263

.rsrc

MD5 f5f6b402241515b8e29c108f65fdf07e
SHA1 b34b5456454f6e1d27ff11ab7982af337611d889
SHA256 f9aca1617fe1ac833a5d33844aa381de53205217c19d6cbf153baa079e59e193
SHA3 66ef1c95ce3325bf7e0cfa2dd00839043035175de701d735038125f8e86a135a
VirtualSize 0x52ce40
VirtualAddress 0x70000
SizeOfRawData 0x52d000
PointerToRawData 0x6dc00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 7.99619

.reloc

MD5 8400330408d79844994f84b387ec26d3
SHA1 8b85ee2ebfa4dd48f75b550f7e7879bb7987ee4f
SHA256 d8baf4cfc57974adf257005156e83fe260783094a9bc42db236b59b391e7a68c
SHA3 66f59ed8300280d5490b3c5b4541ecf314da33ca3e8c262d4e29e45d887c6937
VirtualSize 0x10a8
VirtualAddress 0x59d000
SizeOfRawData 0x1200
PointerToRawData 0x59ac00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Entropy 6.34341
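Worked example for the DOS header, PE header, optional header and section table above, and for the "possibly a dropper" finding in the Plugin Output. This is an added, stdlib-only Python parser, not Manalyze's code and not derived from the analysed binary: it reads the same header fields the report prints, computes per-section Shannon entropy, and re-derives the dropper verdict from the same facts the report uses (here .rsrc SizeOfRawData 0x52d000 against a file of 0x59ac00 + 0x1200 bytes gives the reported 92.27%, with resource entropy 7.996 and a second "This program cannot be run in DOS mode." string). The sample PE is constructed inline; the entropy and size thresholds are assumptions, not Manalyze's values.

```python
import hashlib
import math
import struct
from collections import Counter
from datetime import datetime, timezone

IMAGE_NT_SIGNATURE = b"PE\0\0"
IMAGE_FILE_MACHINE_I386 = 0x14C
DOS_MODE_STRING = b"This program cannot be run in DOS mode."


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant run, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_pe(data: bytes) -> dict:
    """Parse the DOS header, IMAGE_FILE_HEADER, optional-header magic and the
    section table. Raises ValueError on a malformed file."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != IMAGE_NT_SIGNATURE:
        raise ValueError("missing PE signature at e_lfanew")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER, 20 bytes
    machine, nsec, stamp, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    (magic,) = struct.unpack_from("<H", data, coff + 20)  # 0x10B = PE32, 0x20B = PE32+
    sections = []
    for i in range(nsec):                                 # IMAGE_SECTION_HEADER, 40 bytes each
        off = coff + 20 + opt_size + 40 * i
        name, vsize, vaddr, rawsize, rawptr, _, _, _, _, flags = struct.unpack_from("<8sIIIIIIHHI", data, off)
        raw = data[rawptr:rawptr + rawsize]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_size": vsize, "virtual_address": vaddr, "raw_size": rawsize,
                         "raw_ptr": rawptr, "characteristics": flags,
                         "entropy": shannon_entropy(raw), "md5": hashlib.md5(raw).hexdigest()})
    return {"e_lfanew": e_lfanew, "machine": machine, "timestamp": stamp, "magic": magic,
            "compile_time": datetime.fromtimestamp(stamp, timezone.utc).strftime("%Y-%b-%d %H:%M:%S"),
            "characteristics": chars, "sections": sections}


def dropper_indicators(data: bytes, pe: dict, entropy_min: float = 7.0, share_min: float = 0.5) -> dict:
    """Re-derive the 'possibly a dropper' verdict: .rsrc dominates the file, is
    high-entropy, and may carry a nested MZ/PE image. Thresholds are assumptions."""
    rsrc = next((s for s in pe["sections"] if s["name"] == ".rsrc"), None)
    if rsrc is None:
        return {"has_rsrc": False, "possible_dropper": False}
    raw = data[rsrc["raw_ptr"]:rsrc["raw_ptr"] + rsrc["raw_size"]]
    share = len(raw) / len(data)
    embedded_pe, pos = False, raw.find(b"MZ")
    while pos != -1 and not embedded_pe:   # for each MZ candidate, does its own e_lfanew hit "PE\0\0"?
        if pos + 0x40 <= len(raw):
            (lfanew,) = struct.unpack_from("<I", raw, pos + 0x3C)
            embedded_pe = raw[pos + lfanew:pos + lfanew + 4] == IMAGE_NT_SIGNATURE
        pos = raw.find(b"MZ", pos + 1)
    return {"has_rsrc": True, "resource_share": share, "entropy": rsrc["entropy"],
            "dos_mode_string": DOS_MODE_STRING in raw, "embedded_pe": embedded_pe,
            "possible_dropper": rsrc["entropy"] >= entropy_min and share >= share_min}


def _filler(n: int, seed: bytes = b"constructed") -> bytes:
    """Deterministic high-entropy bytes (SHA-256 chain) standing in for an encrypted payload."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


def build_sample_pe() -> bytes:
    """Constructed two-section PE32 (not the analysed file): a tiny .text and a
    .rsrc that is mostly filler with a nested MZ/PE stub inside. The timestamp
    is the report's 2023-Oct-07 13:30:55."""
    def section(name, va, raw, ptr, flags):
        return struct.pack("<8sIIIIIIHHI", name, len(raw), va, len(raw), ptr, 0, 0, 0, 0, flags)
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)                # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_I386, 2, 0x65215D8F, 0, 0, 0xE0, 0x0102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (0xE0 - 2)                  # PE32, rest zeroed
    text_raw = b"\xCC" * 0x200
    nested = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40) + IMAGE_NT_SIGNATURE + DOS_MODE_STRING
    rsrc_raw = _filler(0x1000) + nested + _filler(0x1000, b"second")
    rsrc_raw += b"\0" * (-len(rsrc_raw) % 0x200)                          # FileAlignment 0x200
    header = dos + IMAGE_NT_SIGNATURE + coff + opt
    header += section(b".text", 0x1000, text_raw, 0x200, 0x60000020)     # CODE|EXECUTE|READ
    header += section(b".rsrc", 0x2000, rsrc_raw, 0x200 + len(text_raw), 0x40000040)  # INIT_DATA|READ
    header += b"\0" * (0x200 - len(header))                               # SizeOfHeaders 0x200
    return header + text_raw + rsrc_raw


if __name__ == "__main__":
    sample = build_sample_pe()
    info = parse_pe(sample)
    print(info["compile_time"], hex(info["machine"]), hex(info["magic"]))
    for s in info["sections"]:
        print(f"{s['name']:<8} raw=0x{s['raw_size']:x} entropy={s['entropy']:.3f}")
    print(dropper_indicators(sample, info))
```

The nested-MZ check follows each candidate's own e_lfanew rather than trusting the string match, so a stray "MZ" inside random bytes does not produce a false positive; a real packed payload that is encrypted rather than merely compressed will show only the entropy and size signals, which is why the report words its verdict as "possibly".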

Imports

KERNEL32.dll Sleep
CopyFileA
GetLastError
LockResource
Process32Next
CloseHandle
FreeConsole
CreateToolhelp32Snapshot
LoadResource
GetProcAddress
CreateProcessA
WriteConsoleW
SetEndOfFile
HeapReAlloc
HeapSize
FindResourceA
GetCurrentProcess
Process32First
SizeofResource
GetSystemInfo
GetModuleFileNameA
ReadConsoleW
ReadFile
FlushFileBuffers
CreateFileW
QueryPerformanceCounter
GetCurrentProcessId
GetCurrentThreadId
GetSystemTimeAsFileTime
InitializeSListHead
IsDebuggerPresent
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetStartupInfoW
IsProcessorFeaturePresent
GetModuleHandleW
TerminateProcess
RtlUnwind
SetLastError
EnterCriticalSection
LeaveCriticalSection
DeleteCriticalSection
InitializeCriticalSectionAndSpinCount
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
FreeLibrary
LoadLibraryExW
EncodePointer
RaiseException
GetStdHandle
WriteFile
GetModuleFileNameW
ExitProcess
GetModuleHandleExW
GetCommandLineA
GetCommandLineW
HeapFree
GetConsoleOutputCP
GetConsoleMode
GetFileSizeEx
SetFilePointerEx
HeapAlloc
FindClose
FindFirstFileExW
FindNextFileW
IsValidCodePage
GetACP
GetOEMCP
GetCPInfo
MultiByteToWideChar
WideCharToMultiByte
GetEnvironmentStringsW
FreeEnvironmentStringsW
SetEnvironmentVariableW
SetStdHandle
GetFileType
GetStringTypeW
CompareStringW
LCMapStringW
GetProcessHeap
DecodePointer
USER32.dll SendInput
SystemParametersInfoA
ADVAPI32.dll OpenProcessToken
RegOpenKeyExA
RegEnumValueA
GetTokenInformation
RegCloseKey
SHELL32.dll ShellExecuteA
NETAPI32.dll NetGetDCName
NetApiBufferFree
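Worked example for the import table above and for the "Imports Hash" and "may be hiding some of its imports" lines of the report. This is an added Python example, not Manalyze's or pefile's code: it implements the pefile-style import hash (the normalisation the hash depends on is what makes it order-sensitive, so two builds with the same APIs in a different link order hash differently) and the static reasoning behind the hidden-imports flag. The import list is a subset of the report's table, kept in table order; reproducing the report's Imports Hash 3ec1a9a98069e62a9247fbc51b55936d needs the full table. The API grouping is an assumption that mirrors the report's categories.

```python
import hashlib
from typing import Iterable, Tuple, Union

Import = Tuple[str, Union[str, int]]   # (DLL name, function name or ordinal)

# Subset of the report's import table, in table order (constructed sample input).
SAMPLE_IMPORTS = [
    ("KERNEL32.dll", "Sleep"), ("KERNEL32.dll", "CopyFileA"), ("KERNEL32.dll", "LockResource"),
    ("KERNEL32.dll", "Process32Next"), ("KERNEL32.dll", "CreateToolhelp32Snapshot"),
    ("KERNEL32.dll", "LoadResource"), ("KERNEL32.dll", "GetProcAddress"),
    ("KERNEL32.dll", "CreateProcessA"), ("KERNEL32.dll", "FindResourceA"),
    ("KERNEL32.dll", "Process32First"), ("KERNEL32.dll", "IsDebuggerPresent"),
    ("KERNEL32.dll", "LoadLibraryExW"), ("USER32.dll", "SendInput"),
    ("ADVAPI32.dll", "OpenProcessToken"), ("ADVAPI32.dll", "RegOpenKeyExA"),
    ("ADVAPI32.dll", "RegEnumValueA"), ("ADVAPI32.dll", "GetTokenInformation"),
    ("ADVAPI32.dll", "RegCloseKey"), ("SHELL32.dll", "ShellExecuteA"),
    ("NETAPI32.dll", "NetGetDCName"), ("NETAPI32.dll", "NetApiBufferFree"),
]

# APIs that let a binary resolve further imports at run time.
LOADERS = {"loadlibrarya", "loadlibraryw", "loadlibraryexa", "loadlibraryexw"}

# Assumed grouping mirroring the report's categories (not Manalyze's own table).
API_GROUPS = {
    "anti-debugging": {"isdebuggerpresent", "checkremotedebuggerpresent", "createtoolhelp32snapshot"},
    "process enumeration": {"process32first", "process32next"},
    "process launch": {"createprocessa", "createprocessw", "shellexecutea", "shellexecutew", "winexec"},
    "registry": {"regopenkeyexa", "regopenkeyexw", "regenumvaluea", "regenumvaluew", "regclosekey"},
    "token / privilege": {"openprocesstoken", "gettokeninformation", "adjusttokenprivileges"},
    "input injection": {"sendinput"},
}


def imphash(imports: Iterable[Import]) -> str:
    """pefile-style import hash: one 'dll.func' per import, lower-cased, DLL
    extension (.dll/.ocx/.sys) stripped, kept in import-table order, joined with
    commas and MD5-ed. Ordinal imports become 'ordN'; pefile additionally maps
    known ws2_32/oleaut32 ordinals to names, which is omitted here."""
    parts = []
    for dll, func in imports:
        dll = dll.lower()
        for ext in (".dll", ".ocx", ".sys"):
            if dll.endswith(ext):
                dll = dll[:-len(ext)]
                break
        name = f"ord{func}" if isinstance(func, int) else func.lower()
        parts.append(f"{dll}.{name}")
    return hashlib.md5(",".join(parts).encode("ascii", "replace")).hexdigest()


def triage_imports(imports: Iterable[Import]) -> dict:
    """Static import triage with the report's reasoning: GetProcAddress plus a
    LoadLibrary variant lets the binary resolve any API at run time, so the
    visible table is only a lower bound on what it actually calls."""
    imports = list(imports)
    names = {f.lower() for _, f in imports if isinstance(f, str)}
    dynamic = sorted(names & (LOADERS | {"getprocaddress"}))
    return {
        "imphash": imphash(imports),
        "dynamic_resolution": dynamic,
        "may_hide_imports": "getprocaddress" in names and bool(names & LOADERS),
        "groups": {g: sorted(names & apis) for g, apis in API_GROUPS.items() if names & apis},
    }


if __name__ == "__main__":
    result = triage_imports(SAMPLE_IMPORTS)
    print("imphash:", result["imphash"])
    print("may hide imports:", result["may_hide_imports"], result["dynamic_resolution"])
    for group, apis in result["groups"].items():
        print(f"  {group}: {', '.join(apis)}")
```

Because the hash covers the import order as well as the names, it pivots on linker layout rather than on behaviour: useful for clustering builds from the same source tree, useless once an author re-links with a different object order or resolves the interesting APIs through GetProcAddress, which is exactly the gap the "[!]" line warns about.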

Delayed Imports

Resources

53248

Type RT_RCDATA
Language English - United States
Codepage UNKNOWN
Size 0x52cc1e
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 7.99632
MD5 95abd4c06d8d026aa0ca3b41ab33deda
SHA1 5688a49a3e393688ed6263efc13a9ea200cae3f7
SHA256 97b84f08312a3aad96e2cedd963e0b9c44dc79329cf5990801e5916f6f079a7e
SHA3 8d8a3848c12982c8205058f6d80c29f9fd07e49e3b770ec38363dd4fff2c53a1

1

Type RT_MANIFEST
Language English - United States
Codepage UNKNOWN
Size 0x17d
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 4.91161
MD5 1e4a89b11eae0fcf8bb5fdd5ec3b6f61
SHA1 4260284ce14278c397aaf6f389c1609b0ab0ce51
SHA256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df
SHA3 4bb9e8b5a714cae82782f3831cc2d45f4bf4a50a755fe584d2d1893129d68353

Version Info

Debug Info

IMAGE_DEBUG_TYPE_POGO

Characteristics 0
TimeDateStamp 2023-Oct-07 13:30:55
Version 0.0
SizeofData 752
AddressOfRawData 0x1634c
PointerToRawData 0x1574c

IMAGE_DEBUG_TYPE_ILTCG

Characteristics 0
TimeDateStamp 2023-Oct-07 13:30:55
Version 0.0
SizeofData 0
AddressOfRawData 0
PointerToRawData 0

TLS Callbacks

Load Configuration

Size 0xc0
TimeDateStamp 1970-Jan-01 00:00:00
Version 0.0
GlobalFlagsClear (EMPTY)
GlobalFlagsSet (EMPTY)
CriticalSectionDefaultTimeout 0
DeCommitFreeBlockThreshold 0
DeCommitTotalFreeThreshold 0
LockPrefixTable 0
MaximumAllocationSize 0
VirtualMemoryThreshold 0
ProcessAffinityMask 0
ProcessHeapFlags (EMPTY)
CSDVersion 0
Reserved1 0
EditList 0
SecurityCookie 0x418040
SEHandlerTable 0x41615c
SEHandlerCount 10

RICH Header

XOR Key 0x1ace4767
Unmarked objects 0
ASM objects (30795) 10
C++ objects (30795) 148
C objects (30795) 20
C++ objects (VS 2015-2022 runtime 33030) 38
C objects (VS 2015-2022 runtime 33030) 18
ASM objects (VS 2015-2022 runtime 33030) 21
Imports (30795) 11
Total imports 105
C objects (LTCG) (33135) 1
Resource objects (33135) 1
151 1
Linker (33135) 1
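Worked example for the RICH Header section above. The Rich header is the undocumented block the Microsoft linker writes between the DOS stub and the PE header (here the e_lfanew of 0x100 leaves 0x40..0x100 for stub plus Rich header); it lists the toolchain components that produced the object files, XOR-ed with a key that doubles as a checksum over the DOS header and the entries. That is why its build numbers (30795, 33030, 33135: VS 2015-2022 toolsets, consistent with LinkerVersion 14.0) are a better toolchain indicator than the PEiD-style "Visual C++ 6.0 - 8.0 / .NET" signature hits in the Plugin Output, and why a checksum mismatch is worth flagging: it means the header was edited or copied from another binary. This is an added Python example, not Manalyze's code; the DanS/Rich layout and the rol32 checksum are the commonly documented rules, the sample DOS header and stub are constructed, the build numbers and counts are the report's, and the product ids are placeholders (the report does not show them).

```python
import struct

DANS = 0x536E6144          # "DanS" as a little-endian dword
RICH = b"Rich"

# Constructed entries: (product id, build, count). Product ids are placeholders.
SAMPLE_ENTRIES = [
    (0x0103, 30795, 10),   # ASM objects (30795)
    (0x0104, 30795, 148),  # C++ objects (30795)
    (0x0105, 30795, 20),   # C objects (30795)
    (0x0104, 33030, 38),   # C++ objects (33030)
    (0x0105, 33030, 18),   # C objects (33030)
    (0x0103, 33030, 21),   # ASM objects (33030)
    (0x0001, 30795, 11),   # Imports (30795)
    (0x0102, 33135, 1),    # Linker (33135)
]


def rol32(value: int, n: int) -> int:
    n &= 31
    return ((value << n) | (value >> (32 - n))) & 0xFFFFFFFF


def rich_checksum(dos_region: bytes, entries) -> int:
    """XOR key as the linker derives it: start with the DanS offset, add
    rol32(byte, offset) for every byte of the DOS header and stub except the
    e_lfanew field (0x3C..0x3F), then add rol32(compid, count) per entry."""
    cksum = len(dos_region)
    for i, b in enumerate(dos_region):
        if 0x3C <= i < 0x40:
            continue
        cksum += rol32(b, i)
    for prod_id, build, count in entries:
        cksum += rol32((prod_id << 16) | build, count)
    return cksum & 0xFFFFFFFF


def build_rich_header(dos_region: bytes, entries) -> bytes:
    """Append an encoded Rich header to a DOS header + stub (constructed input)."""
    key = rich_checksum(dos_region, entries)
    words = [DANS ^ key, key, key, key]          # "DanS", then three zero pads, all XOR key
    for prod_id, build, count in entries:
        words += [((prod_id << 16) | build) ^ key, count ^ key]
    return dos_region + struct.pack("<%dI" % len(words), *words) + RICH + struct.pack("<I", key)


def parse_rich_header(data: bytes):
    """Find 'Rich' before e_lfanew, read the key after it, walk back to the
    XOR-ed 'DanS', decode (product id, build, count) triples and recompute the
    checksum. checksum_ok == False means the header was edited or forged."""
    if len(data) < 0x40:
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    rich_off = data.find(RICH, 0, min(e_lfanew, len(data)))
    if rich_off < 0 or rich_off + 8 > len(data):
        return None
    (key,) = struct.unpack_from("<I", data, rich_off + 4)
    pos = rich_off - 4
    while pos >= 0 and struct.unpack_from("<I", data, pos)[0] ^ key != DANS:
        pos -= 4
    if pos < 0:
        return None
    entries = []
    for off in range(pos + 16, rich_off, 8):     # skip DanS + 3 padding dwords
        a, b = struct.unpack_from("<II", data, off)
        a ^= key
        entries.append((a >> 16, a & 0xFFFF, b ^ key))
    return {"offset": pos, "key": key, "entries": entries,
            "checksum_ok": rich_checksum(data[:pos], entries) == key}


def build_sample() -> bytes:
    """Constructed DOS header with the report's stub-relevant values (e_cblp 0x90,
    e_cp 3, e_cparhdr 4, e_maxalloc 0xffff, e_sp 0xb8, e_lfanew 0x100) and a
    64-byte stub, so the Rich header starts at 0x80 and ends before 0x100."""
    dos_header = struct.pack("<2s13H", b"MZ", 0x90, 3, 0, 4, 0, 0xFFFF, 0, 0xB8, 0, 0, 0, 0x40, 0)
    dos_header += b"\0" * 0x20 + struct.pack("<I", 0x100)
    stub = b"\x0E\x1F\xBA\x0E\x00\xB4\x09\xCD\x21\xB8\x01\x4C\xCD\x21"
    stub += b"This program cannot be run in DOS mode.\r\r\n$"
    stub += b"\0" * (0x40 - len(stub))
    image = build_rich_header(dos_header + stub, SAMPLE_ENTRIES)
    return image + b"\0" * (0x100 - len(image)) + b"PE\0\0"


if __name__ == "__main__":
    sample = build_sample()
    parsed = parse_rich_header(sample)
    print(f"Rich header at 0x{parsed['offset']:x}, key 0x{parsed['key']:08x}, checksum ok: {parsed['checksum_ok']}")
    for prod_id, build, count in parsed["entries"]:
        print(f"  product 0x{prod_id:04x} build {build} count {count}")
```

Two practical notes: the key depends on every byte of the DOS stub, so a sample whose stub was patched (a custom message, a trojanised loader) fails the checksum even when the entries look plausible; and because the entries survive in the cleartext of the file, hashing the decoded entry list gives a toolchain fingerprint that, unlike imphash, does not change when the author reorders imports.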

Errors
