Manalyze report for f4947ccab1c6c1b730375a2c8ab74ccd

Summary

Architecture	`IMAGE_FILE_MACHINE_AMD64`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_CUI`
Compilation Date	2023-Feb-20 07:30:43
Detected languages	English - United States
TLS Callbacks	2 callback(s) detected.
CompanyName	curl, https://curl.se/
FileDescription	The curl executable
FileVersion	`7.88.1`
InternalName	curl
OriginalFilename	curl.exe
ProductName	The curl executable
ProductVersion	`7.88.1`
LegalCopyright	© Daniel Stenberg, <daniel@haxx.se>.
License	https://curl.se/docs/copyright.html

Plugin Output

Info	Interesting strings found in the binary:	Contains domain names: birthpopuptypesapplyImagebeinguppernoteseveryshowsmeansextramatchtrackknownearlybegansuperpapernorthlearngivennamedendedTermspartsGroupbrandusingwomanfalsereadyaudiotakeswhile.com example.com genretrucklooksValueFrame.net http://www.C http://www.a http://www.css http://www.hortcut http://www.icon http://www.interpretation http://www.language http://www.style http://www.text-decoration http://www.w3.org http://www.w3.org/shortcut http://www.wencodeURIComponent http://www.years https://curl.se https://www.World https://www.recent libssh.org lysator.liu.se openssh.com openssl.org thing.org www.w3.org
Info	Cryptographic algorithms detected in the binary:	`Uses constants related to CRC32` `Uses constants related to MD5` `Uses constants related to SHA1` `Uses constants related to SHA256` `Uses constants related to SHA512` `Uses constants related to AES` `Uses constants related to Blowfish` `Uses constants related to RC5 or RC6` `Uses known Diffie-Helman primes` `Microsoft's Cryptography API`
Suspicious	The PE contains functions most legitimate programs don't use.	`[!] The program may be hiding some of its imports: GetProcAddress LoadLibraryA` `Functions which can be used for anti-debugging purposes: CreateToolhelp32Snapshot FindWindowA` `Uses Microsoft's cryptographic API: CryptAcquireContextA CryptCreateHash CryptDestroyHash CryptGetHashParam CryptHashData CryptReleaseContext CryptDecodeObjectEx CryptQueryObject CryptStringToBinaryA` `Memory manipulation functions often used by packers: VirtualAlloc VirtualProtect` Leverages the raw socket API to access the Internet: WSACleanup WSACloseEvent WSACreateEvent WSAEnumNetworkEvents WSAEventSelect WSAGetLastError WSAIoctl WSAResetEvent WSASetEvent WSASetLastError WSAStartup WSAWaitForMultipleEvents __WSAFDIsSet accept bind closesocket connect freeaddrinfo getaddrinfo gethostbyaddr gethostbyname gethostname getpeername getservbyname getservbyport getsockname getsockopt htonl htons inet_addr inet_ntoa inet_ntop inet_pton ioctlsocket listen ntohs recv recvfrom select send sendto setsockopt shutdown socket `Enumerates local disk drives: GetVolumeInformationW` `Interacts with the certificate store: CertAddCertificateContextToStore CertOpenStore CertOpenSystemStoreA`
Info	The PE is digitally signed.	`Signer: curl-for-win Code Signing Authority` `Issuer: curl-for-win Root CA 2021`
Suspicious	VirusTotal score: 1/72 (Scanned on 2024-03-25 22:34:31)	`Bkav: W64.AIDetectMalware`

Hashes

MD5	`f4947ccab1c6c1b730375a2c8ab74ccd`
SHA1	`c633f99f31c9b09453e0bd1c70173b9a4565a31c`
SHA256	`e1b55572d1c75e8b63478c08d65ef2f6d92817692769058a5777dc92d5a6dbda`
SHA3	`4fdda46b52f79207e6c1d5bc627231ba325f8375a1ac4a7d31bef56f3e47ea34`
SSDeep	`98304:DL3hFZ2pCKJfgduEudrpoX+qrMQmCXag8+:DLTeH1poX7MlgX`
Imports Hash	`72a686573013f451cbb1b320bf4aa609`

DOS Header

e_magic	`MZ`
e_cblp	`0x78`
e_cp	`0x1`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0`
e_ss	`0`
e_sp	`0`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0x78`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_AMD64`
NumberofSections	`7`
TimeDateStamp	2023-Feb-20 07:30:43
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xf0`
Characteristics	`IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LARGE_ADDRESS_AWARE`

Image Optional Header

Magic	`PE32+`
LinkerVersion	`14.0`
SizeOfCode	`0x3f3200`
SizeOfInitializedData	`0x173c00`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x00000000000014D0 (Section: .text)`
BaseOfCode	`0x1000`
ImageBase	`0x140000000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`6.0`
ImageVersion	`0.0`
SubsystemVersion	`6.0`
Win32VersionValue	`0`
SizeOfImage	`0x570000`
SizeOfHeaders	`0x400`
Checksum	`0x5764fe`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_CUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` `IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA` `IMAGE_DLLCHARACTERISTICS_NX_COMPAT` `IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`f3e242a0bb0e690627915dd0660b2cf8`
SHA1	`88e084132a9264be48472fe37cc25388604a5be0`
SHA256	`7105e32b80120af110d82950235333d680dc252b7186d105466cd48873cdf4dd`
SHA3	`96828f8bea07df81925bac0802771a84b6492bb0ec967e4539e01754dbc33f4f`
VirtualSize	`0x3f3050`
VirtualAddress	`0x1000`
SizeOfRawData	`0x3f3200`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.56898`

.rdata

MD5	`6d82e52cbc0c09ba5af0de407b4c80b8`
SHA1	`e0c6b629943e0d85c798a4a6e568b40de3a88f85`
SHA256	`47d33e0c7fa924e8e26b0b5c57753bcbeda02eab1857badba78337d84da2dd09`
SHA3	`9dd5bc8f60c1b1e4da5798e0d7db53a528039adf5782aa92c49d13bb0d4c3a9e`
VirtualSize	`0x1445d4`
VirtualAddress	`0x3f5000`
SizeOfRawData	`0x144600`
PointerToRawData	`0x3f3600`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`5.86902`

.data

MD5	`6b21fb71abd8ff67ec3a9b29724e7502`
SHA1	`bb724170a70d9bf1d761387a0c30f198d764dbaa`
SHA256	`a83dda94b78a2b8bd8cb2172d4f3b0e261cfea62dab5989e97670f70bf9d7e1b`
SHA3	`8ae8eb586d5af29dcc09cde76a0d456b84dba95f8bd87a9dbeb2c32dca5b80af`
VirtualSize	`0xcd80`
VirtualAddress	`0x53a000`
SizeOfRawData	`0x8c00`
PointerToRawData	`0x537c00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`2.83198`

.pdata

MD5	`8653d4cc79bf5a63c4cd73bfe6bf3ec0`
SHA1	`b1fec4c73f0e65f717856f6d30f329106ab71187`
SHA256	`3c221aecaf72a056097fb71e6d0377700d9a95d9a15eb38b773414677629c20e`
SHA3	`43af57485ae45258030dcdea32635c47e0cc64b124fa65c0e16e858c3f733cf3`
VirtualSize	`0x1ace8`
VirtualAddress	`0x547000`
SizeOfRawData	`0x1ae00`
PointerToRawData	`0x540800`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`6.31985`

.tls

MD5	`bf619eac0cdf3f68d496ea9344137e8b`
SHA1	`5c3eb80066420002bc3dcc7ca4ab6efad7ed4ae5`
SHA256	`076a27c79e5ace2a3d47f9dd2e83e4ff6ea8872b3c2218f66c92b89b55f36560`
SHA3	`622de1e1568ddef36c4b89b706b05201c13481c3575d0fc804ff8224787fcb59`
VirtualSize	`0x10`
VirtualAddress	`0x562000`
SizeOfRawData	`0x200`
PointerToRawData	`0x55b600`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`0`

.rsrc

MD5	`9b7ba62c4493d6eb7b88550a31663cba`
SHA1	`a18d768b828a1ef3e0eab6c7f35080ab44fbc8fe`
SHA256	`c023dbd032e001a0dfa8f3e62795bcf26bbe8826a39435d099b856e0b212792a`
SHA3	`db94d317ea52f108f5d3eb5c53046493778137ee6df1b416d652750f1b394dfe`
VirtualSize	`0x728`
VirtualAddress	`0x563000`
SizeOfRawData	`0x800`
PointerToRawData	`0x55b800`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`4.32236`

.reloc

MD5	`27e3a3e9bb9d3b4c636f1755839d12e7`
SHA1	`20ff3a00edaa7c7b6a0badc062b44f0d2df27501`
SHA256	`6af036e265b79599972d3c6be4a0211b588341af02d53047fd07dc3415c19fac`
SHA3	`8a486393641627170418512230b34535072aa6c63cf8de17198275f8b78c1ccc`
VirtualSize	`0xb13c`
VirtualAddress	`0x564000`
SizeOfRawData	`0xb200`
PointerToRawData	`0x55c000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`5.45015`

Imports

ADVAPI32.dll	`CryptAcquireContextA` `CryptCreateHash` `CryptDestroyHash` `CryptGetHashParam` `CryptHashData` `CryptReleaseContext` `DeregisterEventSource` `RegisterEventSourceW` `ReportEventW`
bcrypt.dll	`BCryptGenRandom`
CRYPT32.dll	`CertAddCertificateContextToStore` `CertCloseStore` `CertCreateCertificateChainEngine` `CertEnumCertificatesInStore` `CertFindCertificateInStore` `CertFindExtension` `CertFreeCertificateChain` `CertFreeCertificateChainEngine` `CertFreeCertificateContext` `CertGetCertificateChain` `CertGetEnhancedKeyUsage` `CertGetIntendedKeyUsage` `CertGetNameStringA` `CertOpenStore` `CertOpenSystemStoreA` `CryptDecodeObjectEx` `CryptQueryObject` `CryptStringToBinaryA` `PFXImportCertStore`
KERNEL32.dll	`AcquireSRWLockExclusive` `AcquireSRWLockShared` `CancelIo` `CloseHandle` `CompareFileTime` `ConvertFiberToThread` `ConvertThreadToFiberEx` `CreateEventA` `CreateFiberEx` `CreateFileA` `CreateFileMappingA` `CreateToolhelp32Snapshot` `DeleteCriticalSection` `DeleteFiber` `EnterCriticalSection` `FindClose` `FindFirstFileW` `FindFirstVolumeW` `FindNextFileW` `FindNextVolumeW` `FindVolumeClose` `FormatMessageW` `FreeLibrary` `GetACP` `GetConsoleMode` `GetConsoleScreenBufferInfo` `GetCurrentProcessId` `GetCurrentThreadId` `GetDiskFreeSpaceExW` `GetEnvironmentVariableA` `GetEnvironmentVariableW` `GetFileInformationByHandle` `GetFileSizeEx` `GetFileTime` `GetFileType` `GetLastError` `GetModuleFileNameA` `GetModuleHandleA` `GetModuleHandleW` `GetOverlappedResult` `GetProcAddress` `GetStartupInfoA` `GetStdHandle` `GetSystemDirectoryA` `GetSystemInfo` `GetSystemTime` `GetSystemTimeAsFileTime` `GetTickCount` `GetTimeZoneInformation` `GetVersion` `GetVolumeInformationW` `InitializeCriticalSection` `InitializeCriticalSectionEx` `InitializeSRWLock` `LeaveCriticalSection` `LoadLibraryA` `MapViewOfFile` `Module32First` `Module32Next` `MoveFileExA` `MultiByteToWideChar` `PeekNamedPipe` `QueryPerformanceCounter` `QueryPerformanceFrequency` `ReadConsoleA` `ReadConsoleW` `ReadFile` `ReleaseSRWLockExclusive` `ReleaseSRWLockShared` `RtlVirtualUnwind` `SearchPathA` `SetConsoleCtrlHandler` `SetConsoleMode` `SetEndOfFile` `SetFilePointer` `SetFileTime` `SetHandleInformation` `SetLastError` `SetUnhandledExceptionFilter` `Sleep` `SleepEx` `SwitchToFiber` `SystemTimeToFileTime` `TlsAlloc` `TlsFree` `TlsGetValue` `TlsSetValue` `UnmapViewOfFile` `VerSetConditionMask` `VerifyVersionInfoW` `VirtualAlloc` `VirtualFree` `VirtualLock` `VirtualProtect` `VirtualQuery` `WaitForMultipleObjects` `WaitForSingleObjectEx` `WaitNamedPipeA` `WideCharToMultiByte` `WriteConsoleW` `WriteFile`
Normaliz.dll	`IdnToAscii`
api-ms-win-crt-conio-l1-1-0.dll	`_getch`
api-ms-win-crt-convert-l1-1-0.dll	`atoi` `mbrtowc` `strtod` `strtol` `strtoll` `strtoul` `wcrtomb` `wcstombs`
api-ms-win-crt-environment-l1-1-0.dll	`__p__environ` `__p__wenviron` `getenv`
api-ms-win-crt-filesystem-l1-1-0.dll	`_fstat64` `_stat64` `_unlink` `_mkdir` `_access`
api-ms-win-crt-heap-l1-1-0.dll	`_set_new_mode` `calloc` `free` `malloc` `realloc`
api-ms-win-crt-locale-l1-1-0.dll	`localeconv` `setlocale`
api-ms-win-crt-math-l1-1-0.dll	`__setusermatherr` `_fdopen`
api-ms-win-crt-private-l1-1-0.dll	`__C_specific_handler` `memchr` `memcmp` `memcpy` `memmove` `strchr` `strrchr` `strstr` `wcsstr`
api-ms-win-crt-runtime-l1-1-0.dll	`_set_app_type` `__p___argc` `__p___argv` `__p___wargv` `__p__acmdln` `__sys_errlist` `__sys_nerr` `_beginthreadex` `_cexit` `_configure_narrow_argv` `_configure_wide_argv` `_crt_at_quick_exit` `_crt_atexit` `_errno` `_exit` `_initialize_narrow_environment` `_initialize_wide_environment` `_initterm` `_set_errno` `_set_invalid_parameter_handler` `abort` `exit` `raise` `signal` `strerror`
api-ms-win-crt-stdio-l1-1-0.dll	`__acrt_iob_func` `__p__commode` `__p__fmode` `__stdio_common_vfprintf` `__stdio_common_vfwprintf` `__stdio_common_vsprintf` `__stdio_common_vsscanf` `__stdio_common_vswprintf` `_fileno` `_get_osfhandle` `_lseeki64` `_telli64` `_wfopen` `_write` `fclose` `feof` `ferror` `fflush` `fgets` `fopen` `fputc` `fputs` `fread` `fseek` `ftell` `fwrite` `getc` `putchar` `puts` `rewind` `setvbuf` `_write` `_setmode` `_setmode` `_read` `_open` `_isatty` `_fileno` `_close`
api-ms-win-crt-string-l1-1-0.dll	`isspace` `memset` `strcat` `strcmp` `strcpy` `strcspn` `strlen` `strncmp` `strncpy` `strpbrk` `strspn` `strtok` `tolower` `wcscpy` `wcslen` `_stricmp` `_strdup` `_strdup`
api-ms-win-crt-time-l1-1-0.dll	`__daylight` `__timezone` `__tzname` `_difftime64` `_gmtime64` `_localtime64` `_time64` `_tzset` `strftime`
api-ms-win-crt-utility-l1-1-0.dll	`qsort`
USER32.dll	`FindWindowA` `GetProcessWindowStation` `GetUserObjectInformationW` `MessageBoxW` `SendMessageA`
WLDAP32.dll	`ber_free` `ldap_bind_s` `ldap_err2string` `ldap_first_attribute` `ldap_first_entry` `ldap_get_dn` `ldap_get_values_len` `ldap_init` `ldap_memfree` `ldap_msgfree` `ldap_next_attribute` `ldap_next_entry` `ldap_search_s` `ldap_set_option` `ldap_simple_bind_s` `ldap_sslinit` `ldap_unbind_s` `ldap_value_free_len`
WS2_32.dll	`WSACleanup` `WSACloseEvent` `WSACreateEvent` `WSAEnumNetworkEvents` `WSAEventSelect` `WSAGetLastError` `WSAIoctl` `WSAResetEvent` `WSASetEvent` `WSASetLastError` `WSAStartup` `WSAWaitForMultipleEvents` `__WSAFDIsSet` `accept` `bind` `closesocket` `connect` `freeaddrinfo` `getaddrinfo` `gethostbyaddr` `gethostbyname` `gethostname` `getpeername` `getservbyname` `getservbyport` `getsockname` `getsockopt` `htonl` `htons` `inet_addr` `inet_ntoa` `inet_ntop` `inet_pton` `ioctlsocket` `listen` `ntohs` `recv` `recvfrom` `select` `send` `sendto` `setsockopt` `shutdown` `socket`

Delayed Imports

1

Type	`RT_VERSION`
Language	UNKNOWN
Codepage	UNKNOWN
Size	`0x360`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.40347`
MD5	`c486f86a193359d0b03c260d7156004e`
SHA1	`cc2d1fcb741fcf8ca7e786100cdfa6f5a2109169`
SHA256	`e5d0fcf4ce4ec01472fda4fb52436bb929d80d091b8f30a55b05e03edd3dd135`
SHA3	`09ff082fd4a2a3ecaa93de4358b4eef5b952a6f5ce19383b14b612f6df68934c`

1 (#2)

Type	`RT_MANIFEST`
Language	UNKNOWN
Codepage	UNKNOWN
Size	`0x325`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.31718`
MD5	`29a0dd569961ca48b57f8f6942d1c53d`
SHA1	`647460ce1889c916765a3098eab9fd6cc5c89dce`
SHA256	`561d6c7835d29f438f6fb1a40d5857077d490fa76ca99ad456d5e99b81317f85`
SHA3	`f68e1260a2b5b51f049f612d3d20744f9bb7ed043d3b0eb40cfaaac316915e9c`

Version Info

Signature	`0xfeef04bd`
StructVersion	`0x10000`
FileVersion	7.88.1.0
ProductVersion	7.88.1.0
FileFlags	`(EMPTY)`
FileOs	`VOS_DOS_WINDOWS32` `VOS_NT_WINDOWS32` `VOS__WINDOWS32`
FileType	`VFT_APP`
Language	English - United States
CompanyName	curl, https://curl.se/
FileDescription	The curl executable
FileVersion (#2)	7.88.1
InternalName	curl
OriginalFilename	curl.exe
ProductName	The curl executable
ProductVersion (#2)	7.88.1
LegalCopyright	© Daniel Stenberg, <daniel@haxx.se>.
License	https://curl.se/docs/copyright.html

Resource LangID	UNKNOWN

TLS Callbacks

StartAddressOfRawData	`0x140562000`
EndAddressOfRawData	`0x140562008`
AddressOfIndex	`0x14054363c`
AddressOfCallbacks	`0x140515ae8`
SizeOfZeroFill	`0`
Characteristics	`IMAGE_SCN_ALIGN_8BYTES`
Callbacks	`0x0000000140032BB0` `0x0000000140032B80`

Load Configuration

RICH Header

f4947ccab1c6c1b730375a2c8ab74ccd

Summary

Plugin Output

Hashes

DOS Header

PE Header

Image Optional Header

.text

.rdata

.data

.pdata

.tls

.rsrc

.reloc

Imports

Delayed Imports

1

1 (#2)

Version Info

TLS Callbacks

Load Configuration

RICH Header

Errors