Manalyze report for 091c0b750a819b2ec7f8ec959a2385f17f3651b7ce5c688dcf0231f5396bfa77

Summary

Architecture	`IMAGE_FILE_MACHINE_AMD64`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	2017-Aug-30 21:28:34

Plugin Output

Info	Libraries used to perform cryptographic operations:	`Microsoft's Cryptography API`
Suspicious	The PE is possibly packed.	`Unusual section name found: .RLD0` `Unusual section name found: .RLD1`
Suspicious	The PE contains functions most legitimate programs don't use.	`[!] The program may be hiding some of its imports: LoadLibraryA GetProcAddress LoadLibraryExW` `Uses Microsoft's cryptographic API: CryptDestroyKey CryptVerifySignatureA CryptAcquireContextA CryptCreateHash CryptHashData CryptDestroyHash CryptReleaseContext CryptImportKey` `Memory manipulation functions often used by packers: VirtualAlloc VirtualProtect`
Suspicious	The file contains overlay data.	`1028 bytes of data starting at offset 0x45800.` `The overlay data has an entropy of 7.82156 and is possibly compressed or encrypted.`
Malicious	VirusTotal score: 8/72 (Scanned on 2026-03-15 06:18:38)	`Bkav: W64.AIDetectMalware` `Cynet: Malicious (score: 100)` `Paloalto: generic.ml` `SentinelOne: Static AI - Suspicious PE` `Skyhigh: BehavesLike.Win64.Infected.dh` `Sophos: Generic ML PUA (PUA)` `TrellixENS: Artemis!C82CB4BF2BFE` `TrendMicro-HouseCall: Trojan.Win32.Gen.TL0101C926ZT`

Hashes

MD5	`c82cb4bf2bfe61d2fa1960d154620104`
SHA1	`bb9c6c20b03c7f4861fe6748f7cf24e6c1e3008d`
SHA256	`091c0b750a819b2ec7f8ec959a2385f17f3651b7ce5c688dcf0231f5396bfa77`
SHA3	`aefd6487140514a436b23a038ce9e84a3f4dbf010f4ee88673633ad2ecdf6cdb`
SSDeep	`6144:hUd2M4frqnXNkP12ImuAf/1ryFo38qLo92pJmdVvTxgNL:hUU1frqnC1/RAf8FWLwSJmdgl`
Imports Hash	`daa46de0d7452b492f5635a49aec91b4`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0x100`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_AMD64`
NumberofSections	`7`
TimeDateStamp	2017-Aug-30 21:28:34
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xf0`
Characteristics	`IMAGE_FILE_DLL` `IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LARGE_ADDRESS_AWARE`

Image Optional Header

Magic	`PE32+`
LinkerVersion	`14.0`
SizeOfCode	`0xc400`
SizeOfInitializedData	`0xbe00`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x0000000000003C20 (Section: .text)`
BaseOfCode	`0x1000`
ImageBase	`0x180000000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`6.0`
ImageVersion	`0.0`
SubsystemVersion	`6.0`
Win32VersionValue	`0`
SizeOfImage	`0x4a000`
SizeOfHeaders	`0x400`
Checksum	`0`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` `IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA` `IMAGE_DLLCHARACTERISTICS_NX_COMPAT`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`e6a47909591768616e3c20ad8d5fa834`
SHA1	`9c60ce0957dfa1b737c4b8c70ae595cd4701e321`
SHA256	`d1b0652a5718b33241ee7f194d3a6e2be873b127e348decb84fb5571c74b57e2`
SHA3	`70ace331c6864905afd8fe3c27cf55f360abaa38bc9d548873220edcef7f9234`
VirtualSize	`0xc320`
VirtualAddress	`0x1000`
SizeOfRawData	`0xc400`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.49853`

.rdata

MD5	`ea974173a6474e5f65b1f4edce7c11e1`
SHA1	`14cd1ff77e31519c81b1f2dfbc9aed0c81364757`
SHA256	`b0189726ccb2fbd979d9cab08aa54f56ee9d06fe15204f0bc3d30e686dae2fc6`
SHA3	`4919f8e61933a60b59bbfc8f07ba462830bfc50d4c8b09d10d2f483f2e4e3184`
VirtualSize	`0x8bbe`
VirtualAddress	`0xe000`
SizeOfRawData	`0x8c00`
PointerToRawData	`0xc800`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`4.7465`

.data

MD5	`29ae0d12cb0ed614f9aa2419df2d3236`
SHA1	`62a4039c13e0e90f429357044bbdbd9165892c7b`
SHA256	`0d15a7bda5d66bf547787eca39e7e02ceacc3ad269c8f5ae2f178d0717a1a69b`
SHA3	`5eff29cde8a67f264a23f25038945fcf123cb4661bde1783ad8503de1771d64f`
VirtualSize	`0x1b58`
VirtualAddress	`0x17000`
SizeOfRawData	`0xa00`
PointerToRawData	`0x15400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`2.1733`

.pdata

MD5	`69ead7aeaf9e7c033a9ca57362c5c2a8`
SHA1	`119ae3c3319a11509d78fd1564c791f380ae2b34`
SHA256	`384cb7eafbdbb6ce30f00e2c2e99dbfc8ce9d4de1bd19b3696e1932eb46c307a`
SHA3	`7422aca6ce9b9011190e7b8d8011899a872bc2ec73ac18a638c98dafd337b67b`
VirtualSize	`0xd50`
VirtualAddress	`0x19000`
SizeOfRawData	`0xe00`
PointerToRawData	`0x15e00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`4.6652`

.RLD0

MD5	`4f8def3d1161a6e827eadbdbb4a0f2cd`
SHA1	`e1179c65361179f8a1add15538214e3a593f811c`
SHA256	`080b565991ad59f9c9a1380766d714ceb3d5befe26be34bc01919998db14068b`
SHA3	`9366c0aa95140fede44bdcf09082491675aac26d90e174b0883c817e4a2697dc`
VirtualSize	`0x610`
VirtualAddress	`0x1a000`
SizeOfRawData	`0x800`
PointerToRawData	`0x16c00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`5.31368`

.RLD1

MD5	`6a571440a2e56211e6eec95f4d1e6589`
SHA1	`463266b22e1c9eb3cacca23178c81066991570a0`
SHA256	`297308909072c2b07e509c23f364229c7a563ae84afb43cde9f8ef254f2d24cb`
SHA3	`0ee9a667f37e872f14aef6ce21c9afebec00b9d3f569b3fc1c1b537556adc9ae`
VirtualSize	`0x2d900`
VirtualAddress	`0x1b000`
SizeOfRawData	`0x2da00`
PointerToRawData	`0x17400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.96353`

.reloc

MD5	`439e605b28de50276f50edb47f26d4ef`
SHA1	`cb497118b970f8063a35fcbe2061128a1e3da10f`
SHA256	`bdf9a86c073bcc54f08b6f968758b6fbe4176408b6d784c812b52cba1ec345a5`
SHA3	`4c7376fc2587f0f1ab65d62d4f580420b95c77aa670308d3f70f917fb787dc47`
VirtualSize	`0x8e4`
VirtualAddress	`0x49000`
SizeOfRawData	`0xa00`
PointerToRawData	`0x44e00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`5.36629`

Imports

KERNEL32.dll	`GetModuleHandleA` `VirtualAlloc` `VirtualProtect` `LoadLibraryA` `VirtualFree` `GetModuleFileNameA` `WriteConsoleW` `ReadFile` `GetFileSizeEx` `WriteFile` `FindNextFileA` `FindClose` `GetLastError` `CreateFileA` `CloseHandle` `SetFilePointerEx` `HeapFree` `EnterCriticalSection` `LeaveCriticalSection` `RaiseException` `GetSystemInfo` `HeapAlloc` `GetProcessHeap` `VirtualQuery` `MultiByteToWideChar` `WideCharToMultiByte` `QueryPerformanceCounter` `RtlCaptureContext` `RtlLookupFunctionEntry` `RtlVirtualUnwind` `UnhandledExceptionFilter` `SetUnhandledExceptionFilter` `GetCurrentProcess` `TerminateProcess` `IsProcessorFeaturePresent` `GetCurrentProcessId` `GetCurrentThreadId` `GetSystemTimeAsFileTime` `InitializeSListHead` `IsDebuggerPresent` `GetStartupInfoW` `GetModuleHandleW` `RtlUnwindEx` `InterlockedFlushSList` `SetLastError` `DeleteCriticalSection` `InitializeCriticalSectionAndSpinCount` `TlsAlloc` `TlsGetValue` `TlsSetValue` `TlsFree` `FreeLibrary` `GetProcAddress` `LoadLibraryExW` `ExitProcess` `GetModuleHandleExW` `LCMapStringW` `FindFirstFileExA` `IsValidCodePage` `GetACP` `GetOEMCP` `GetCPInfo` `GetCommandLineA` `GetCommandLineW` `GetEnvironmentStringsW` `FreeEnvironmentStringsW` `GetStdHandle` `GetFileType` `GetStringTypeW` `HeapSize` `HeapReAlloc` `SetStdHandle` `FlushFileBuffers` `GetConsoleCP` `GetConsoleMode` `CreateFileW`
ADVAPI32.dll	`CryptDestroyKey` `CryptVerifySignatureA` `CryptAcquireContextA` `CryptCreateHash` `CryptHashData` `CryptDestroyHash` `CryptReleaseContext` `CryptImportKey`

Delayed Imports

Ordinal	`1`
Address	`0x1000`

(#2)

Ordinal	`2`
Address	`0x2430`

Version Info

TLS Callbacks

Load Configuration

Size	`0xf8`
TimeDateStamp	`1970-Jan-01 00:00:00`
Version	`0.0`
GlobalFlagsClear	`(EMPTY)`
GlobalFlagsSet	`(EMPTY)`
CriticalSectionDefaultTimeout	`0`
DeCommitFreeBlockThreshold	`0`
DeCommitTotalFreeThreshold	`0`
LockPrefixTable	`0`
MaximumAllocationSize	`0`
VirtualMemoryThreshold	`0`
ProcessAffinityMask	`0`
ProcessHeapFlags	`(EMPTY)`
CSDVersion	`0`
Reserved1	`0`
EditList	`0`
SecurityCookie	`0x180017008`

RICH Header

Errors

Leave a comment

No comments yet.