Manalyze report for 12c47860f91e80541f29be4688482cef

Summary

Architecture	`IMAGE_FILE_MACHINE_AMD64`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_CUI`
Compilation Date	2024-Mar-20 06:48:23

Plugin Output

Info	Cryptographic algorithms detected in the binary:	`Uses constants related to CRC32`
Suspicious	The PE is packed with UPX	`Unusual section name found: .upx0` `Unusual section name found: .upx1` `Unusual section name found: .upx2`
Suspicious	The PE contains functions most legitimate programs don't use.	`[!] The program may be hiding some of its imports: GetProcAddress LoadLibraryExW LoadLibraryA LoadLibraryW` `Functions which can be used for anti-debugging purposes: CreateToolhelp32Snapshot` `Memory manipulation functions often used by packers: VirtualAlloc VirtualProtect` `Manipulates other processes: WriteProcessMemory`
Malicious	VirusTotal score: 16/70 (Scanned on 2024-04-25 06:21:36)	`APEX: Malicious` `Avira: HEUR/AGEN.1316159` `Bkav: W64.AIDetectMalware` `Cynet: Malicious (score: 100)` `DeepInstinct: MALICIOUS` `Elastic: malicious (high confidence)` `F-Secure: Heuristic.HEUR/AGEN.1316159` `FireEye: Generic.mg.12c47860f91e8054` `Google: Detected` `Ikarus: Trojan.Win64.Krypt` `Microsoft: Trojan:Win32/Wacatac.H!ml` `Sangfor: Trojan.Win32.Save.a` `SentinelOne: Static AI - Malicious PE` `Sophos: Generic ML PUA (PUA)` `Symantec: ML.Attribute.HighConfidence` `Trapmine: malicious.moderate.ml.score`

Hashes

MD5	`12c47860f91e80541f29be4688482cef`
SHA1	`f639f40d5740d4c44aacfab360acd95cffea4b94`
SHA256	`604fb5cd0d756f6a13d41df815ab7f2eef7d1dcf66bdee6e5f5b0fbecb814d60`
SHA3	`c86735dc73a44db2fbe17581d64c171f35a19cabfcf9f94435762212ddad2803`
SSDeep	`196608:4j1ocSKsX6VsA0V+FYo9jyg9ciJ5Y9WSLdEkrZZ5l8+4Rl5mKYa5bfm9fltW+wp:bocHVxq2DiJMNtZzN65mKcfaT`
Imports Hash	`1cbe06cbe78093149f5fefc4557f976b`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0x80`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_AMD64`
NumberofSections	`9`
TimeDateStamp	2024-Mar-20 06:48:23
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xf0`
Characteristics	`IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LARGE_ADDRESS_AWARE`

Image Optional Header

Magic	`PE32+`
LinkerVersion	`14.0`
SizeOfCode	`0x11000`
SizeOfInitializedData	`0xd600`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x00000000007FB83B (Section: .upx2)`
BaseOfCode	`0x1000`
ImageBase	`0x140000000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`6.0`
ImageVersion	`0.0`
SubsystemVersion	`6.0`
Win32VersionValue	`0`
SizeOfImage	`0xb2d000`
SizeOfHeaders	`0x400`
Checksum	`0`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_CUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` `IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA` `IMAGE_DLLCHARACTERISTICS_NX_COMPAT` `IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`3e4b08c4fee39cac1ce2e9c558e2e1e2`
SHA1	`d43c0551fbb44e67e7c2e28996f06e1ab5ab8f00`
SHA256	`971e889cbc962eb3047bc70a165663112b858b80a782b6d961606b4fc33317d1`
SHA3	`422f02b94f16553895dcce3f4667c4149c19f33cea74745ef90b09a4964178c1`
VirtualSize	`0x10fa0`
VirtualAddress	`0x1000`
SizeOfRawData	`0x11000`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.50682`

.rdata

MD5	`678bb493bfa49ac52759266ce2838f09`
SHA1	`1c83b7be871a2cab3ee1fa02f2905bfdfc31e9c3`
SHA256	`61de0ef499e7f6237536f1cb2c4dbedbe6cc6be8705cea55e168ba903676fc5a`
SHA3	`74944ed9cc651682652feae579a24e435d1ab4a17992c4460f99519840630380`
VirtualSize	`0x9a3a`
VirtualAddress	`0x12000`
SizeOfRawData	`0x9c00`
PointerToRawData	`0x11400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`4.95053`

.data

MD5	`25c374870d9ae64bbfe24929610d4924`
SHA1	`5bb3ce3365346cc029965080c52108047723354b`
SHA256	`e299f9784c893452ae8a774ae49a0fd6ff6e78762c4358db9fd4c8e9de92ebbc`
SHA3	`01bfc7bf89f16481c7548d6960cb9686cab755215ef350c141ded15fb354247e`
VirtualSize	`0x1ce0`
VirtualAddress	`0x1c000`
SizeOfRawData	`0xc00`
PointerToRawData	`0x1b000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`2.09115`

.pdata

MD5	`09e72a73f826c9eca2a11d4423e53c4b`
SHA1	`bee1e118717c1627e42f63211b1b4707e3537672`
SHA256	`0da08cbf57b7452b3b7d77b9198765720752f60724e2afa8152521a06f4d407f`
SHA3	`bd950459efe2c82bd22253718d442e49117d99353ba7d6486e3528d0db558f71`
VirtualSize	`0x114c`
VirtualAddress	`0x1e000`
SizeOfRawData	`0x1200`
PointerToRawData	`0x1bc00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`7.83848`

_RDATA

MD5	`dabdd7f0a3e291d6e18bf37c673d11e9`
SHA1	`f4f743bfc94905581416a7b93a41c2a5f860f2b8`
SHA256	`3b780ab639a73e83de6c53b469e9a971b4cca06bedcf2b867090309bbc557763`
SHA3	`0b56885512c669067fe8e3b58359de4557798c4c69756a899ebb2c3e1aedd58c`
VirtualSize	`0x1f4`
VirtualAddress	`0x20000`
SizeOfRawData	`0x200`
PointerToRawData	`0x1ce00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`3.67633`

.upx0

MD5	`f3c635e99e41a4f97ad161ab8605b2ae`
SHA1	`7beced8b62512fdc73f4156f45e0b2cca9afcd9e`
SHA256	`234c2ad6adba2f6db0be6b67349121e26eaca094eff4e2ba9fa49ab5b77410b1`
SHA3	`b2211b92c93dcbffb7f1f8f065f2c883fa5ac01e15605c84e574f9d28a69c54c`
VirtualSize	`0x5c62df`
VirtualAddress	`0x21000`
SizeOfRawData	`0x5c6400`
PointerToRawData	`0x1d000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`7.75078`

.upx1

MD5	`f06385e30bbb11df8c45673ce1d1bc19`
SHA1	`24496bbfa35622b3d4f09f5799f3b055e0634e9c`
SHA256	`98d371988a1332874ca523a5ad196a7e31f721da61b2cbd21741b73123a058fd`
SHA3	`5efd4ecb0f57a0e641f0311abe13ead781342e6d0e37890c358b98111cb745c8`
VirtualSize	`0x940`
VirtualAddress	`0x5e8000`
SizeOfRawData	`0xa00`
PointerToRawData	`0x5e3400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`2.31117`

.upx2

MD5	`cea901887a2af22f5c27ca3311560cad`
SHA1	`3b7ea4c03c81ac0e4fb3c4a012c7a088781e2adf`
SHA256	`50b1140b6ca6db658fd64c7bbbf32fc351575af66f5122385f1787f89a657735`
SHA3	`da37a28e5697e08cf464dc0da5d3316155e063ac0416ea35aa8a3e4f6fbc9ab9`
VirtualSize	`0x542214`
VirtualAddress	`0x5e9000`
SizeOfRawData	`0x542400`
PointerToRawData	`0x5e3e00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_NOT_PAGED` `IMAGE_SCN_MEM_READ`
Entropy	`7.74281`

.reloc

MD5	`ca46537d96a19c8f5870c96b57282745`
SHA1	`5312f870ce4b4aa82a468d484b277b87f5e08e26`
SHA256	`7b33759e5a1f497abbc1072e59f6dd9eb6f7ef1fae33164cd3400d21377b3505`
SHA3	`00838e6b26fd14a69f57e5f4ab10f27086aaecac2d06f88a657fe55b3de46168`
VirtualSize	`0xa58`
VirtualAddress	`0xb2c000`
SizeOfRawData	`0xc00`
PointerToRawData	`0xb26200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`5.06097`

Imports

KERNEL32.dll	`RtlCaptureContext` `RtlLookupFunctionEntry` `RtlVirtualUnwind` `UnhandledExceptionFilter` `SetUnhandledExceptionFilter` `GetCurrentProcess` `TerminateProcess` `IsProcessorFeaturePresent` `QueryPerformanceCounter` `GetCurrentProcessId` `GetCurrentThreadId` `GetSystemTimeAsFileTime` `InitializeSListHead` `IsDebuggerPresent` `GetStartupInfoW` `GetModuleHandleW` `WriteConsoleW` `RtlUnwindEx` `GetLastError` `SetLastError` `EnterCriticalSection` `LeaveCriticalSection` `DeleteCriticalSection` `InitializeCriticalSectionAndSpinCount` `TlsAlloc` `TlsGetValue` `TlsSetValue` `TlsFree` `FreeLibrary` `GetProcAddress` `LoadLibraryExW` `EncodePointer` `RaiseException` `RtlPcToFileHeader` `GetStdHandle` `WriteFile` `GetModuleFileNameW` `ExitProcess` `GetModuleHandleExW` `GetCommandLineA` `GetCommandLineW` `HeapAlloc` `HeapFree` `FlsAlloc` `FlsGetValue` `FlsSetValue` `FlsFree` `CompareStringW` `LCMapStringW` `GetFileType` `GetFileSizeEx` `SetFilePointerEx` `FindClose` `FindFirstFileExW` `FindNextFileW` `IsValidCodePage` `GetACP` `GetOEMCP` `GetCPInfo` `MultiByteToWideChar` `WideCharToMultiByte` `GetEnvironmentStringsW` `FreeEnvironmentStringsW` `SetEnvironmentVariableW` `SetStdHandle` `GetStringTypeW` `GetProcessHeap` `FlushFileBuffers` `GetConsoleOutputCP` `GetConsoleMode` `HeapSize` `HeapReAlloc` `CloseHandle` `ReadFile` `ReadConsoleW` `CreateFileW` `RtlUnwind`
KERNEL32.dll (#2)	`RtlCaptureContext` `RtlLookupFunctionEntry` `RtlVirtualUnwind` `UnhandledExceptionFilter` `SetUnhandledExceptionFilter` `GetCurrentProcess` `TerminateProcess` `IsProcessorFeaturePresent` `QueryPerformanceCounter` `GetCurrentProcessId` `GetCurrentThreadId` `GetSystemTimeAsFileTime` `InitializeSListHead` `IsDebuggerPresent` `GetStartupInfoW` `GetModuleHandleW` `WriteConsoleW` `RtlUnwindEx` `GetLastError` `SetLastError` `EnterCriticalSection` `LeaveCriticalSection` `DeleteCriticalSection` `InitializeCriticalSectionAndSpinCount` `TlsAlloc` `TlsGetValue` `TlsSetValue` `TlsFree` `FreeLibrary` `GetProcAddress` `LoadLibraryExW` `EncodePointer` `RaiseException` `RtlPcToFileHeader` `GetStdHandle` `WriteFile` `GetModuleFileNameW` `ExitProcess` `GetModuleHandleExW` `GetCommandLineA` `GetCommandLineW` `HeapAlloc` `HeapFree` `FlsAlloc` `FlsGetValue` `FlsSetValue` `FlsFree` `CompareStringW` `LCMapStringW` `GetFileType` `GetFileSizeEx` `SetFilePointerEx` `FindClose` `FindFirstFileExW` `FindNextFileW` `IsValidCodePage` `GetACP` `GetOEMCP` `GetCPInfo` `MultiByteToWideChar` `WideCharToMultiByte` `GetEnvironmentStringsW` `FreeEnvironmentStringsW` `SetEnvironmentVariableW` `SetStdHandle` `GetStringTypeW` `GetProcessHeap` `FlushFileBuffers` `GetConsoleOutputCP` `GetConsoleMode` `HeapSize` `HeapReAlloc` `CloseHandle` `ReadFile` `ReadConsoleW` `CreateFileW` `RtlUnwind`

Delayed Imports

Version Info

TLS Callbacks

Load Configuration

Size	`0x140`
TimeDateStamp	`1970-Jan-01 00:00:00`
Version	`0.0`
GlobalFlagsClear	`(EMPTY)`
GlobalFlagsSet	`(EMPTY)`
CriticalSectionDefaultTimeout	`0`
DeCommitFreeBlockThreshold	`0`
DeCommitTotalFreeThreshold	`0`
LockPrefixTable	`0`
MaximumAllocationSize	`0`
VirtualMemoryThreshold	`0`
ProcessAffinityMask	`0`
ProcessHeapFlags	`(EMPTY)`
CSDVersion	`0`
Reserved1	`0`
EditList	`0`
SecurityCookie	`0x14001c040`

RICH Header

12c47860f91e80541f29be4688482cef

Summary

Plugin Output

Hashes

DOS Header

PE Header

Image Optional Header

.text

.rdata

.data

.pdata

_RDATA

.upx0

.upx1

.upx2

.reloc

Imports

Delayed Imports

Version Info

TLS Callbacks

Load Configuration

RICH Header

Errors