Manalyze report for fd9577953e1aebebb2a8381b6975063a18cda449a5813c67e7afcbc555c46193

Summary

Architecture	`IMAGE_FILE_MACHINE_AMD64`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	2025-Oct-03 14:34:12
Detected languages	English - United States

Plugin Output

Suspicious	Strings found in the binary may indicate undesirable behavior:	`Contains references to security software: nUI.exe rshell.exe` `Accesses the WMI: ROOT\CIMV2` `Miscellaneous malware strings: cmd.exe` `Contains domain names: https://akiralkzxzq2dsrzsrvbr2xgbbu2wgsmxryd4csgfameg52n7efvr2id.onion`
Info	Cryptographic algorithms detected in the binary:	`Uses constants related to MD5` `Uses constants related to SHA256` `Uses constants related to AES`
Suspicious	The PE contains functions most legitimate programs don't use.	`[!] The program may be hiding some of its imports: GetProcAddress LoadLibraryExW` `Possibly launches other programs: ShellExecuteW` `Leverages the raw socket API to access the Internet: WSAStartup WSACleanup` `Enumerates local disk drives: GetDriveTypeW GetLogicalDriveStringsW` `Manipulates other processes: OpenProcess`
Suspicious	No VirusTotal score.	`This file has never been scanned on VirusTotal.`

Hashes

MD5	`ed8fd19ae7b1fa56088ce6605473fa37`
SHA1	`3d7c4ebf8dac1bc27d30fc4a142ca447d4481bc1`
SHA256	`fd9577953e1aebebb2a8381b6975063a18cda449a5813c67e7afcbc555c46193`
SHA3	`f8f49b59eed823f04d8ac82d5ba89d18ffa0bafe36f70cfd9a1bbf1c9fa86e89`
SSDeep	`24576:2pHxFRXDoK4aVRkNRjd2PyOPED2V/U2i:MXRXDUUkNRjd26OPN/ri`
Imports Hash	`f89d971f855e5743dd4d1e73a5da5699`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0x110`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_AMD64`
NumberofSections	`7`
TimeDateStamp	2025-Oct-03 14:34:12
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xf0`
Characteristics	`IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LARGE_ADDRESS_AWARE`

Image Optional Header

Magic	`PE32+`
LinkerVersion	`14.0`
SizeOfCode	`0xcd200`
SizeOfInitializedData	`0x3d600`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x000000000008E228 (Section: .text)`
BaseOfCode	`0x1000`
ImageBase	`0x140000000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`6.0`
ImageVersion	`0.0`
SubsystemVersion	`6.0`
Win32VersionValue	`0`
SizeOfImage	`0x111000`
SizeOfHeaders	`0x400`
Checksum	`0`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` `IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA` `IMAGE_DLLCHARACTERISTICS_NX_COMPAT` `IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`17ce5eb408f79398375c4223d75113b0`
SHA1	`bb0b3a57f112ca955b0f28c06091e22a51d67890`
SHA256	`2a9cf56a08abcbd9d768f4c0e8d548ecedaf1c96680097001ce1f81cc0d0396a`
SHA3	`6108b80b27f6335a0574cb8c6218c2e94bd010df85b2797834e56e05d5168a72`
VirtualSize	`0xcd10e`
VirtualAddress	`0x1000`
SizeOfRawData	`0xcd200`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.45247`

.rdata

MD5	`7243f8771fa574030ee81bfefe41ee8e`
SHA1	`9b399ff396a425dcf2f4aeffa14bdc37d4608a23`
SHA256	`9614765fcca1385173204136c20ddd4a62637979debcc894c1bec8027fbd85ef`
SHA3	`6f4973d5b701b825deda9676f68f656acd15f255fbfc543c7de6e66f33b183c3`
VirtualSize	`0x297ba`
VirtualAddress	`0xcf000`
SizeOfRawData	`0x29800`
PointerToRawData	`0xcd600`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`5.19588`

.data

MD5	`d348f38b00bc11af352b86c5ef5a86e5`
SHA1	`249cda90ab86c8674714517449407f1c864a22d9`
SHA256	`e8eb973f50cf9f134279b4ed7c144217d715104697052a0068c5a32c733bd6e9`
SHA3	`2ce34080d0eacfe55fae6add292cd3f1b78f51fb160035cba247d8d64f9cf181`
VirtualSize	`0xa20c`
VirtualAddress	`0xf9000`
SizeOfRawData	`0x8400`
PointerToRawData	`0xf6e00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`4.99474`

.pdata

MD5	`66a3357e0f1dbaf799d9b8da73415d71`
SHA1	`97b220292c8472a2cac738ad36335922ff6da399`
SHA256	`993bb313d6b3798e1aaf07c47fe384743ef0034b72d51be56486e3baedddd887`
SHA3	`862c14d5e944eaa8f82673672af6c3c39a94d819397098d2d8bb42bb6dc9e455`
VirtualSize	`0x8100`
VirtualAddress	`0x104000`
SizeOfRawData	`0x8200`
PointerToRawData	`0xff200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`5.98358`

_RDATA

MD5	`0efbcb76733adaa28a95801b46a7759c`
SHA1	`eb82b1f82acef4c2aeb1be926b8d81a2270091b0`
SHA256	`6ace9395e477503b147060fadd85453e1ff35ef40a698384830c57412d360d48`
SHA3	`f4a1f8abc6c0d57c6343958464737867f181b04bb1ec00a239f06edb853b806f`
VirtualSize	`0x15c`
VirtualAddress	`0x10d000`
SizeOfRawData	`0x200`
PointerToRawData	`0x107400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`3.19443`

.rsrc

MD5	`764584972f1d38313e1dadcd47fd83d9`
SHA1	`2746654930476c60dd8f2e6a22b8b8bf5b39b52c`
SHA256	`f2315aae66e9b565bc0ac31e3e892bdea36ce519777ee3dd59bb363ff89551ce`
SHA3	`41211999ee5f7b3f7456f6320a709df3258fc0309a172a51b7abcf1cf1e5785c`
VirtualSize	`0x1e0`
VirtualAddress	`0x10e000`
SizeOfRawData	`0x200`
PointerToRawData	`0x107600`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`4.71768`

.reloc

MD5	`dacfa55cced4b503769a9e6862180909`
SHA1	`784dd1cd8c95b8d0e14c18cefec2ab49f95aced3`
SHA256	`53a294f895795fdcd76aafe5c7b9bac732b6116505556ffd75feedc8a774df30`
SHA3	`5441d9e73e7f856fbe96e778d3f5168313b18bc9939249ea5d35aec6c686d937`
VirtualSize	`0x138c`
VirtualAddress	`0x10f000`
SizeOfRawData	`0x1400`
PointerToRawData	`0x107800`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`5.40355`

Imports

KERNEL32.dll	`EnterCriticalSection` `WaitForMultipleObjects` `LeaveCriticalSection` `WaitForSingleObject` `PostQueuedCompletionStatus` `GetLastError` `SetEvent` `TerminateThread` `TlsAlloc` `CloseHandle` `QueueUserAPC` `LocalFree` `DeleteCriticalSection` `TlsFree` `FormatMessageA` `ReadFile` `GetFileSizeEx` `SetWaitableTimer` `TlsSetValue` `SetLastError` `WriteFile` `InitializeCriticalSectionAndSpinCount` `GetQueuedCompletionStatus` `GetCurrentThreadId` `CreateEventW` `SetFileInformationByHandle` `DeleteFileW` `CancelIoEx` `SleepEx` `TlsGetValue` `CreateIoCompletionPort` `CreateFileW` `GetFileAttributesW` `SetFileAttributesW` `GetDriveTypeW` `GetConsoleScreenBufferInfo` `SetConsoleTextAttribute` `GetCommandLineW` `GetStdHandle` `WriteConsoleA` `GetDynamicTimeZoneInformation` `Sleep` `GetConsoleMode` `GetFileAttributesA` `GetSystemInfo` `GetCurrentProcessId` `GetCurrentProcess` `GetProcessId` `OpenProcess` `ResetEvent` `GetLogicalDriveStringsW` `MultiByteToWideChar` `WideCharToMultiByte` `SetEndOfFile` `WriteConsoleW` `SetStdHandle` `GetProcessHeap` `SetEnvironmentVariableW` `FreeEnvironmentStringsW` `GetEnvironmentStringsW` `GetCommandLineA` `GetOEMCP` `GetACP` `IsValidCodePage` `GetTimeZoneInformation` `ReadConsoleW` `GetConsoleOutputCP` `FlushFileBuffers` `SetFilePointerEx` `GetFileType` `EnumSystemLocalesW` `GetUserDefaultLCID` `IsValidLocale` `GetLocaleInfoW` `LCMapStringW` `CompareStringW` `GetTimeFormatW` `GetDateFormatW` `HeapFree` `HeapSize` `HeapReAlloc` `GetLocaleInfoEx` `RtlPcToFileHeader` `RaiseException` `CreateDirectoryW` `FindClose` `FindFirstFileW` `FindFirstFileExW` `FindNextFileW` `GetFileAttributesExW` `AreFileApisANSI` `GetModuleHandleW` `GetProcAddress` `GetFileInformationByHandleEx` `QueryPerformanceCounter` `QueryPerformanceFrequency` `ReleaseSRWLockExclusive` `AcquireSRWLockExclusive` `TryAcquireSRWLockExclusive` `InitializeConditionVariable` `WakeConditionVariable` `WakeAllConditionVariable` `SleepConditionVariableSRW` `GetStringTypeW` `WaitForSingleObjectEx` `GetExitCodeThread` `InitializeCriticalSectionEx` `GetSystemTimeAsFileTime` `EncodePointer` `DecodePointer` `LCMapStringEx` `CompareStringEx` `GetCPInfo` `RtlCaptureContext` `RtlLookupFunctionEntry` `RtlVirtualUnwind` `UnhandledExceptionFilter` `SetUnhandledExceptionFilter` `TerminateProcess` `IsProcessorFeaturePresent` `IsDebuggerPresent` `GetStartupInfoW` `InitializeSListHead` `RtlUnwindEx` `FreeLibrary` `LoadLibraryExW` `CreateThread` `ExitThread` `FreeLibraryAndExitThread` `GetModuleHandleExW` `ExitProcess` `GetModuleFileNameW` `HeapAlloc` `RtlUnwind`
SHELL32.dll	`CommandLineToArgvW` `ShellExecuteW`
ole32.dll	`CoCreateInstance` `CoUninitialize` `CoInitializeEx` `CoSetProxyBlanket`
OLEAUT32.dll	`VariantClear` `SysAllocString` `SysFreeString` `VariantInit`
WS2_32.dll	`WSAStartup` `WSACleanup`
SHLWAPI.dll	`PathIsNetworkPathW`
MPR.dll	`WNetGetConnectionW`
WTSAPI32.dll	`WTSEnumerateProcessesW` `WTSFreeMemory`
RstrtMgr.DLL	`RmShutdown` `RmStartSession` `RmEndSession` `RmRegisterResources` `RmGetList`

Delayed Imports

1

Type	`RT_MANIFEST`
Language	English - United States
Codepage	UNKNOWN
Size	`0x17d`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`4.91161`
MD5	`1e4a89b11eae0fcf8bb5fdd5ec3b6f61`
SHA1	`4260284ce14278c397aaf6f389c1609b0ab0ce51`
SHA256	`4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df`
SHA3	`4bb9e8b5a714cae82782f3831cc2d45f4bf4a50a755fe584d2d1893129d68353`

Version Info

IMAGE_DEBUG_TYPE_POGO

Characteristics	`0`
TimeDateStamp	2025-Oct-03 14:34:12
Version	`0.0`
SizeofData	`1008`
AddressOfRawData	`0xea014`
PointerToRawData	`0xe8614`

IMAGE_DEBUG_TYPE_ILTCG

Characteristics	`0`
TimeDateStamp	2025-Oct-03 14:34:12
Version	`0.0`
SizeofData	`0`
AddressOfRawData	`0`
PointerToRawData	`0`

TLS Callbacks

StartAddressOfRawData	`0x1400ea428`
EndAddressOfRawData	`0x1400ea444`
AddressOfIndex	`0x1401020b0`
AddressOfCallbacks	`0x1400cf780`
SizeOfZeroFill	`0`
Characteristics	`IMAGE_SCN_ALIGN_8BYTES`
Callbacks	`(EMPTY)`

Load Configuration

Size	`0x140`
TimeDateStamp	`1970-Jan-01 00:00:00`
Version	`0.0`
GlobalFlagsClear	`(EMPTY)`
GlobalFlagsSet	`(EMPTY)`
CriticalSectionDefaultTimeout	`0`
DeCommitFreeBlockThreshold	`0`
DeCommitTotalFreeThreshold	`0`
LockPrefixTable	`0`
MaximumAllocationSize	`0`
VirtualMemoryThreshold	`0`
ProcessAffinityMask	`0`
ProcessHeapFlags	`(EMPTY)`
CSDVersion	`0`
Reserved1	`0`
EditList	`0`
SecurityCookie	`0x1400fa368`

RICH Header

XOR Key	`0xf6913746`
Unmarked objects	`0`
ASM objects (27412)	`6`
C objects (27412)	`19`
C++ objects (27412)	`181`
C objects (CVTCIL) (27412)	`1`
C objects (VS 2015-2022 runtime 32533)	`16`
ASM objects (VS 2015-2022 runtime 32533)	`10`
C++ objects (VS2022 Update 7 (17.7.0-3) compiler 32822)	`3`
C objects (VS2022 Update 7 (17.7.0-3) compiler 32822)	`23`
C++ objects (VS 2015-2022 runtime 32533)	`100`
Imports (27412)	`19`
Total imports	`206`
C++ objects (LTCG) (VS2022 Update 7 (17.7.0-3) compiler 32822)	`9`
Resource objects (VS2022 Update 7 (17.7.0-3) compiler 32822)	`1`
Linker (VS2022 Update 7 (17.7.0-3) compiler 32822)	`1`

Errors

Leave a comment

No comments yet.