fde7c9a168fdfdb878efc9abe704baa30363873ae1b92201ca9e840b92a5711c

Summary

Architecture IMAGE_FILE_MACHINE_AMD64
Subsystem IMAGE_SUBSYSTEM_WINDOWS_CUI
Compilation Date 2023-Feb-03 07:20:22
TLS Callbacks 1 callback(s) detected.
Debug artifacts Embedded COFF debugging symbols

Plugin Output

Suspicious The PE is packed with UPX
  • Unusual section name found: UPX0
  • Section UPX0 is both writable and executable.
  • Unusual section name found: UPX1
  • Section UPX1 is both writable and executable.
  • The PE only has 6 import(s).
Info The PE contains common functions which appear in legitimate applications.
  [!] The program may be hiding some of its imports:
  • LoadLibraryA
  • GetProcAddress
Suspicious The file contains overlay data.
  • 45111 bytes of data starting at offset 0x16000.
Malicious VirusTotal score: 10/71 (Scanned on 2026-03-28 14:39:34)
  • Cynet: Malicious (score: 100)
  • DeepInstinct: MALICIOUS
  • Fortinet: W32/PossibleThreat
  • Google: Detected
  • Gridinsoft: Trojan.Win64.Agent.oa!s2
  • Ikarus: Trojan.Win64.Agent
  • Malwarebytes: Malware.AI.4258764690
  • McAfeeD: ti!FDE7C9A168FD
  • Paloalto: generic.ml
  • TrellixENS: Artemis!DCE21265E822

Hashes

MD5 dce21265e8228b4d5cf566bb7a325a30
SHA1 9ffa266139c2466d914fee6f2c5b1395911fc003
SHA256 fde7c9a168fdfdb878efc9abe704baa30363873ae1b92201ca9e840b92a5711c
SHA3 61e5d7e4f0afe2a11bddfd1e40c0b0bdf0cff9aecd560122cfcb189429245044
SSDeep 3072:lxBqV+ZPJLHwKaUpcC8NffCL9CKAmMxFa1ZLV2+k:5qUZPV/yZfe9Xz60Zs+k
Imports Hash 46b46c65b6051ad93bb5ba975f99dffc

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0x80

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_AMD64
NumberofSections 3
TimeDateStamp 2023-Feb-03 07:20:22
PointerToSymbolTable 0x35000
NumberOfSymbols 2066
SizeOfOptionalHeader 0xf0
Characteristics IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_LINE_NUMS_STRIPPED

Image Optional Header

Magic PE32+
LinkerVersion 2.0
SizeOfCode 0x16000
SizeOfInitializedData 0x1000
SizeOfUninitializedData 0x2e000
AddressOfEntryPoint 0x0000000000044300 (Section: UPX1)
BaseOfCode 0x2f000
ImageBase 0x140000000
SectionAlignment 0x1000
FileAlignment 0x200
OperatingSystemVersion 4.0
ImageVersion 0.0
SubsystemVersion 5.2
Win32VersionValue 0
SizeOfImage 0x46000
SizeOfHeaders 0x1000
Checksum 0
Subsystem IMAGE_SUBSYSTEM_WINDOWS_CUI
DllCharacteristics IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
SizeofStackReserve 0x200000
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

UPX0

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA3 a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a
VirtualSize 0x2e000
VirtualAddress 0x1000
SizeOfRawData 0
PointerToRawData 0x200
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

UPX1

MD5 2fa7eebb34003509c808c1fc39bb0f2d
SHA1 4daab7da7202a17f9a0bcebd28aa34a0b6080a94
SHA256 11e3efee7dfe112887ad3a87f04bf75d1aca0ad00f5fb3d267d3c8beac775751
SHA3 6c65650954a6498c60a32085fccb33fe0d1839ac34b67771f82c9ab80c21f1fa
VirtualSize 0x16000
VirtualAddress 0x2f000
SizeOfRawData 0x15600
PointerToRawData 0x200
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 7.89132

.rsrc

MD5 01e5184cb4bdc47b15b92cacadac191e
SHA1 1ab05dfa8c6ba872a5eb305912d5ad8a66d919f3
SHA256 70e635e8946f323d56a531570bd9b2b885096b554b2fced71504be94e8ba8dbb
SHA3 30b86291e6ef54c34e531d3a8dad80eb51cbccdc1f9848164fa8bda388b1c54c
VirtualSize 0x1000
VirtualAddress 0x45000
SizeOfRawData 0x800
PointerToRawData 0x15800
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 4.51603

Imports

KERNEL32.DLL
  LoadLibraryA
  ExitProcess
  GetProcAddress
  VirtualProtect
libcurl-4.dll
  curl_easy_init
msvcrt.dll
  exit

Delayed Imports

Resources

1

Type RT_MANIFEST
Language UNKNOWN
Codepage UNKNOWN
Size 0x48f
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 5.13793
MD5 5aa04ce935e78505e230765e85c34355
SHA1 6c93b8c5fde8be4b2231dca6b8ec513cdc82c991
SHA256 a73f26a8d504043f785d7360e8febf2eeb8522ec873a0d4dd5d1d4bfd1e67d3d
SHA3 149467cafc03ba34b33cd8076fc2771413760822357952de205dbae2b5cb8059

Version Info

TLS Callbacks

StartAddressOfRawData 0x1400445b0
EndAddressOfRawData 0x1400445b8
AddressOfIndex 0x14000e06c
AddressOfCallbacks 0x1400445b8
SizeOfZeroFill 0
Characteristics IMAGE_SCN_TYPE_REG
Callbacks 0x0000000140044560

Load Configuration

RICH Header

Errors

[!] Error: Could not read a COFF symbol.
[*] Warning: Section UPX0 has a size of 0!