Manalyze report for fe1ae39baa5e8eab2519a8d093c20808

Summary

Architecture	`IMAGE_FILE_MACHINE_AMD64`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	2025-Mar-13 03:24:34
Detected languages	English - United States

Plugin Output

Info	Interesting strings found in the binary:	`Contains domain names: 2captcha.com example.com https://curl.se paint.net`
Info	Cryptographic algorithms detected in the binary:	`Uses constants related to CRC32` `Uses constants related to SHA256` `Uses constants related to SHA512` `Uses constants related to AES` `Microsoft's Cryptography API`
Malicious	The PE contains functions mostly used by malware.	`[!] The program may be hiding some of its imports: GetProcAddress LoadLibraryA LoadLibraryExW` `Functions which can be used for anti-debugging purposes: FindWindowW` `Code injection capabilities (process hollowing): WriteProcessMemory SetThreadContext ResumeThread` `Code injection capabilities (PowerLoader): FindWindowW GetWindowLongW` `Can access the registry: RegCloseKey RegOpenKeyExA RegQueryValueExA RegSetValueExA` `Uses Microsoft's cryptographic API: CryptImportKey CryptEncrypt CryptDestroyKey CryptDestroyHash CryptGenRandom CryptGetHashParam CryptReleaseContext CryptAcquireContextA CryptHashData CryptCreateHash CryptStringToBinaryA CryptDecodeObjectEx CryptQueryObject` `Memory manipulation functions often used by packers: VirtualProtect VirtualAlloc` `Leverages the raw socket API to access the Internet: getaddrinfo freeaddrinfo WSAResetEvent htonl ioctlsocket gethostname select __WSAFDIsSet WSAIoctl WSASetLastError ntohs getsockopt getsockname getpeername WSAWaitForMultipleEvents socket closesocket connect htons recv send sendto WSACleanup WSAGetLastError accept bind WSAEventSelect setsockopt WSACloseEvent WSACreateEvent recvfrom WSAEnumNetworkEvents listen WSAStartup` `Enumerates local disk drives: GetDriveTypeW` `Manipulates other processes: WriteProcessMemory ReadProcessMemory` `Can take screenshots: FindWindowW GetDC` `Reads the contents of the clipboard: GetClipboardData` `Interacts with the certificate store: CertOpenStore CertAddCertificateContextToStore`
Suspicious	No VirusTotal score.	`This file has never been scanned on VirusTotal.`

Hashes

MD5	`fe1ae39baa5e8eab2519a8d093c20808`
SHA1	`06ac8250c2207f20e0773e8b6fece63c34d274f5`
SHA256	`3325bf5a4599da6d07446cf7f721c5953f0ea2365b53ff3f92cc40574df6a31f`
SHA3	`9e6cf07325ccc7f9300698e6682c4b01d3a00ccf6a0ebd0ef5d05de50b7c385f`
SSDeep	`98304:es68Eirhxo5LMcHrTzRisFeEB6GR+9XS:P6bi1CFXHrv0sutC`
Imports Hash	`6c5d49b2def0597dd33f4d5453d588f1`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0x130`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_AMD64`
NumberofSections	`9`
TimeDateStamp	2025-Mar-13 03:24:34
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xf0`
Characteristics	`IMAGE_FILE_DLL` `IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LARGE_ADDRESS_AWARE`

Image Optional Header

Magic	`PE32+`
LinkerVersion	`14.0`
SizeOfCode	`0x10e000`
SizeOfInitializedData	`0x31f000`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x00000000000C8888 (Section: .text)`
BaseOfCode	`0x1000`
ImageBase	`0x180000000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`6.0`
ImageVersion	`0.0`
SubsystemVersion	`6.0`
Win32VersionValue	`0`
SizeOfImage	`0x433000`
SizeOfHeaders	`0x400`
Checksum	`0`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` `IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA` `IMAGE_DLLCHARACTERISTICS_NX_COMPAT`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`ad6eed5ddce97a1340e79f93933d15bb`
SHA1	`a28344a8d39f638d2f860a6ff095d34cdd8d29c4`
SHA256	`0d7f1a3a1afa9d7336d1ededd3c1173703b30348f3d5631028b81d8b3b94254d`
SHA3	`fe8e7b668a3dedf459be467bccd28d73c3ff2e4da1cc0c28c62e787cd818ef95`
VirtualSize	`0x10de90`
VirtualAddress	`0x1000`
SizeOfRawData	`0x10e000`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.54909`

.rdata

MD5	`b4bd66a104f7998813abad6fd05786e1`
SHA1	`89ec68c68d84d4dbfa98016cc1459b1bee82dd59`
SHA256	`ec17802a849f251ba91c07f001acd9eb7eeab65e8f96d8e8458290d36e79adbe`
SHA3	`c73b64ca680d4a3cf7b1ff37db794e8730fc0dec408b2cbc046aef9f8020556b`
VirtualSize	`0x3d4cc`
VirtualAddress	`0x10f000`
SizeOfRawData	`0x3d600`
PointerToRawData	`0x10e400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`5.67167`

.data

MD5	`d7553a8b5eb24c79e1375f09baf1a178`
SHA1	`a81b43997c3a1b065ac0ddd968587b6bc524ebcc`
SHA256	`85682b18753c72af87d92f392c9a1ef8768e43a59223c1c13e321dee83825a46`
SHA3	`6883918561f1082f095bde32e9352e41057b978f0e5c8480307e393ab5222cea`
VirtualSize	`0x2d2e4c`
VirtualAddress	`0x14d000`
SizeOfRawData	`0x225e00`
PointerToRawData	`0x14ba00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`7.78813`

.pdata

MD5	`bb9545bfa6d949a59caa332aa61fe0e3`
SHA1	`13703f70613182ad53f90cedae4e56f949e3db45`
SHA256	`325431664a54efd5369d90da75a386deec8879f945caf96e7a07c70e0a8d7e04`
SHA3	`ac14d370184637e744e8c260b7bba7e6cb270b9f9119d6c3563edc8be20bc604`
VirtualSize	`0xa6a4`
VirtualAddress	`0x420000`
SizeOfRawData	`0xa800`
PointerToRawData	`0x371800`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`6.04672`

.detourc

MD5	`c152075b48b3e5357e1acbb7fb4338a4`
SHA1	`cfd5ad81bb66016bfda0d0f65a3778184e679615`
SHA256	`d19d4bcf8bccf40d4ce532f4e5b015261086b4e1c3a1d4925b20798fecb52c83`
SHA3	`c3aa8930c16d0353f1895e8246b0249bfc831eedc3ace0a2c60a27ea459297ea`
VirtualSize	`0x21f0`
VirtualAddress	`0x42b000`
SizeOfRawData	`0x2200`
PointerToRawData	`0x37c000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`2.17293`

.detourd

MD5	`edda25907019e5cc74c177f6952e5e4b`
SHA1	`7a4f78401ecb1ae9f682732465ae6077089ebb13`
SHA256	`67edb63255622d74f26750550ba3dd665fbccf95fd0ab08e4a26ba7d8ac3a162`
SHA3	`f4a44987a5bb73b0e511a980a6e46723e30252562c97bcd39a080b05991cde7d`
VirtualSize	`0x18`
VirtualAddress	`0x42e000`
SizeOfRawData	`0x200`
PointerToRawData	`0x37e200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`0.116115`

_RDATA

MD5	`8e1e48b2d8b22c306763a22ce79551a4`
SHA1	`2d18656e0f7d07c389d3357031fb6eb65cf974aa`
SHA256	`b640e24d33aec69c8eec569623877a6b1f6fadc79492eeffbf665ea819861df7`
SHA3	`20a256a15a7e83262a5d6ceb53d71c6381fc3e64a3ef6783747c851b48be967b`
VirtualSize	`0xf4`
VirtualAddress	`0x42f000`
SizeOfRawData	`0x200`
PointerToRawData	`0x37e400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`2.45792`

.rsrc

MD5	`b9c8bb766d7ff6738714683726140b72`
SHA1	`c353433456e45138c00dc92ea5bc3a8376db3e58`
SHA256	`8624f287f28e905fd1f2dafb167e10002785d42b826e1ee246234b4deba51635`
SHA3	`ff0d2ef73bc8d44e67d49e80fdcaa75437b50ed9f0d9fa790c0ebc30f39ba4f4`
VirtualSize	`0x1e0`
VirtualAddress	`0x430000`
SizeOfRawData	`0x200`
PointerToRawData	`0x37e600`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`4.70855`

.reloc

MD5	`0a5155ce21c7d3257b5e50ab8c1e61cd`
SHA1	`1b2adb18b79f10c20606b27a451c564534f4a794`
SHA256	`d8594bdffb761be28d519629f166ec11f38b6d6c4f2e3f20e8c75a527a00e587`
SHA3	`90d075bf375c8e71d2a970c9730fabccdeea7cd0e885b651a67ba5d654c76bb8`
VirtualSize	`0x1898`
VirtualAddress	`0x431000`
SizeOfRawData	`0x1a00`
PointerToRawData	`0x37e800`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`5.34719`

Imports

KERNEL32.DLL	`CreateEventW` `CreateFileMappingW` `MapViewOfFile` `GetProcAddress` `GetModuleHandleW` `GetModuleHandleA` `GetModuleFileNameA` `WriteProcessMemory` `ReadProcessMemory` `SuspendThread` `WriteConsoleW` `HeapSize` `DeleteFileW` `GetProcessHeap` `SetEnvironmentVariableW` `FreeEnvironmentStringsW` `GetEnvironmentStringsW` `GetCommandLineW` `GetCommandLineA` `GetOEMCP` `GetACP` `IsValidCodePage` `FindNextFileW` `FindFirstFileExW` `FindClose` `GetFullPathNameW` `GetCurrentDirectoryW` `SetEndOfFile` `SetStdHandle` `GetFileAttributesExW` `HeapReAlloc` `FlushFileBuffers` `GetTimeZoneInformation` `EnumSystemLocalesW` `GetUserDefaultLCID` `IsValidLocale` `GetLocaleInfoW` `LCMapStringW` `CompareStringW` `GetTimeFormatW` `GetDateFormatW` `HeapAlloc` `HeapFree` `GetConsoleOutputCP` `ReadConsoleW` `GetConsoleMode` `GetModuleFileNameW` `ExitProcess` `TerminateThread` `FileTimeToSystemTime` `SystemTimeToTzSpecificLocalTime` `GetFileInformationByHandle` `GetDriveTypeW` `LoadLibraryA` `FreeLibrary` `QueryPerformanceFrequency` `QueryPerformanceCounter` `CreateThread` `TerminateProcess` `GetCurrentProcessId` `GetCurrentProcess` `Sleep` `GetModuleHandleExW` `FreeLibraryAndExitThread` `VerSetConditionMask` `TlsFree` `SetLastError` `TlsGetValue` `TlsAlloc` `InterlockedFlushSList` `RtlUnwindEx` `RaiseException` `RtlPcToFileHeader` `GetCPInfo` `GetStringTypeW` `LCMapStringEx` `DecodePointer` `EncodePointer` `GetSystemTimeAsFileTime` `GetStartupInfoW` `IsDebuggerPresent` `InitializeSListHead` `ResetEvent` `AddVectoredExceptionHandler` `CloseHandle` `WriteFile` `GetFileAttributesA` `CreateFileW` `CreateDirectoryW` `GetTickCount64` `WideCharToMultiByte` `VirtualProtect` `GetLocalTime` `GetCurrentThreadId` `GetCurrentThread` `RtlUnwind` `WaitForSingleObject` `SetEvent` `LeaveCriticalSection` `EnterCriticalSection` `TlsSetValue` `GetLastError` `MultiByteToWideChar` `GlobalFree` `GlobalLock` `GlobalUnlock` `ExitThread` `GlobalAlloc` `InitializeCriticalSection` `SetFilePointerEx` `InitializeCriticalSectionAndSpinCount` `IsProcessorFeaturePresent` `SetUnhandledExceptionFilter` `UnhandledExceptionFilter` `RtlVirtualUnwind` `RtlLookupFunctionEntry` `RtlCaptureContext` `LoadLibraryExW` `VirtualQuery` `VirtualFree` `VirtualAlloc` `FlushInstructionCache` `SetThreadContext` `ReleaseSRWLockExclusive` `AcquireSRWLockExclusive` `FormatMessageW` `InitializeCriticalSectionEx` `DeleteCriticalSection` `SleepEx` `GetSystemDirectoryA` `GetTickCount` `MoveFileExA` `WaitForSingleObjectEx` `GetEnvironmentVariableA` `GetStdHandle` `GetFileType` `ReadFile` `PeekNamedPipe` `WaitForMultipleObjects` `VerifyVersionInfoW` `CreateFileA` `GetFileSizeEx` `ResumeThread` `GetThreadContext`
ADVAPI32.dll	`CryptImportKey` `CryptEncrypt` `CryptDestroyKey` `CryptDestroyHash` `CryptGenRandom` `CryptGetHashParam` `CryptReleaseContext` `CryptAcquireContextA` `CryptHashData` `RegCloseKey` `RegOpenKeyExA` `RegQueryValueExA` `RegSetValueExA` `CryptCreateHash`
CRYPT32.dll	`CertEnumCertificatesInStore` `CertCloseStore` `CertOpenStore` `CryptStringToBinaryA` `CertFreeCertificateContext` `PFXImportCertStore` `CryptDecodeObjectEx` `CertAddCertificateContextToStore` `CertFindExtension` `CertGetNameStringA` `CryptQueryObject` `CertFreeCertificateChainEngine` `CertGetCertificateChain` `CertFreeCertificateChain` `CertFindCertificateInStore` `CertCreateCertificateChainEngine`
d3d11.dll	`D3D11CreateDeviceAndSwapChain`
D3DCOMPILER_43.dll	`D3DCompile`
d3dx11_43.dll	`D3DX11CreateShaderResourceViewFromMemory`
GDI32.dll	`GetDeviceCaps`
IMM32.dll	`ImmSetCandidateWindow` `ImmAssociateContextEx` `ImmSetCompositionWindow` `ImmGetContext` `ImmReleaseContext`
Normaliz.dll	`IdnToAscii`
USER32.dll	`FindWindowW` `OpenClipboard` `CloseClipboard` `SetClipboardData` `GetClipboardData` `EmptyClipboard` `TrackMouseEvent` `DefWindowProcA` `GetDC` `ReleaseDC` `MessageBoxA` `wsprintfW` `UnregisterClassA` `RegisterClassExA` `SetTimer` `IsChild` `DestroyWindow` `SetLayeredWindowAttributes` `SetWindowPos` `BringWindowToTop` `SetFocus` `GetKeyState` `GetCapture` `SetCapture` `ReleaseCapture` `GetForegroundWindow` `SetWindowTextW` `GetClientRect` `AdjustWindowRectEx` `SetCursorPos` `SetCursor` `SetForegroundWindow` `CreateWindowExA` `PostMessageA` `ShowWindow` `GetCursorPos` `ClientToScreen` `ScreenToClient` `WindowFromPoint` `GetWindowLongW` `SetWindowLongA` `SetWindowLongW` `LoadCursorA` `MonitorFromWindow` `GetMonitorInfoA` `EnumDisplayMonitors` `SetProcessDPIAware` `TranslateMessage` `DispatchMessageA` `PeekMessageA` `PostQuitMessage` `UpdateWindow` `IsIconic` `CharUpperA`
WLDAP32.dll	`#217` `#301` `#200` `#30` `#79` `#35` `#33` `#32` `#27` `#26` `#22` `#41` `#50` `#45` `#60` `#211` `#46` `#143`
WS2_32.dll	`getaddrinfo` `freeaddrinfo` `WSAResetEvent` `htonl` `ioctlsocket` `gethostname` `select` `__WSAFDIsSet` `WSAIoctl` `WSASetLastError` `ntohs` `getsockopt` `getsockname` `getpeername` `WSAWaitForMultipleEvents` `socket` `closesocket` `connect` `htons` `recv` `send` `sendto` `WSACleanup` `WSAGetLastError` `accept` `bind` `WSAEventSelect` `setsockopt` `WSACloseEvent` `WSACreateEvent` `recvfrom` `WSAEnumNetworkEvents` `listen` `WSAStartup`

Delayed Imports

?ReflectiveLoader@@YA_KPEAX@Z

Ordinal	`1`
Address	`0x5160`

2

Type	`RT_MANIFEST`
Language	English - United States
Codepage	UNKNOWN
Size	`0x17d`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`4.91161`
MD5	`1e4a89b11eae0fcf8bb5fdd5ec3b6f61`
SHA1	`4260284ce14278c397aaf6f389c1609b0ab0ce51`
SHA256	`4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df`
SHA3	`4bb9e8b5a714cae82782f3831cc2d45f4bf4a50a755fe584d2d1893129d68353`

Version Info

TLS Callbacks

StartAddressOfRawData	`0x18013e8f8`
EndAddressOfRawData	`0x18013e900`
AddressOfIndex	`0x18041d458`
AddressOfCallbacks	`0x18010fbc0`
SizeOfZeroFill	`0`
Characteristics	`IMAGE_SCN_ALIGN_4BYTES`
Callbacks	`(EMPTY)`

Load Configuration

Size	`0x138`
TimeDateStamp	`1970-Jan-01 00:00:00`
Version	`0.0`
GlobalFlagsClear	`(EMPTY)`
GlobalFlagsSet	`(EMPTY)`
CriticalSectionDefaultTimeout	`0`
DeCommitFreeBlockThreshold	`0`
DeCommitTotalFreeThreshold	`0`
LockPrefixTable	`0`
MaximumAllocationSize	`0`
VirtualMemoryThreshold	`0`
ProcessAffinityMask	`0`
ProcessHeapFlags	`(EMPTY)`
CSDVersion	`0`
Reserved1	`0`
EditList	`0`
SecurityCookie	`0x180370d08`

RICH Header

XOR Key	`0x5ebe7e4f`
Unmarked objects	`0`
C objects (27412)	`28`
ASM objects (27412)	`23`
C++ objects (27412)	`202`
C++ objects (VS 2015/2017/2019 runtime 29913)	`37`
ASM objects (VS 2015/2017/2019 runtime 29913)	`1`
253 (28518)	`7`
C++ objects (30034)	`87`
C objects (30034)	`17`
ASM objects (30034)	`10`
C++ objects (30154)	`3`
C objects (VS2019 Update 2 (16.2) compiler 27905)	`116`
Imports (27412)	`24`
Imports (21202)	`7`
Total imports	`357`
C++ objects (30157)	`54`
Exports (30157)	`1`
Resource objects (30157)	`1`
Linker (30157)	`1`

fe1ae39baa5e8eab2519a8d093c20808

Summary

Plugin Output

Hashes

DOS Header

PE Header

Image Optional Header

.text

.rdata

.data

.pdata

.detourc

.detourd

_RDATA

.rsrc

.reloc

Imports

Delayed Imports

?ReflectiveLoader@@YA_KPEAX@Z

2

Version Info

TLS Callbacks

Load Configuration

RICH Header

Errors