Manalyze report for 092abc141580ca0a0681b27676e3bc5cf00484ff9d268a0bca03566580c12067

Summary

Architecture	`IMAGE_FILE_MACHINE_AMD64`
Subsystem	`IMAGE_SUBSYSTEM_NATIVE`
Compilation Date	2024-Dec-07 09:05:44
Debug artifacts	https://imgur.com/a/TGGy9QZ

Plugin Output

Suspicious	Strings found in the binary may indicate undesirable behavior:	`Contains references to system / monitoring tools: Taskmgr.exe` `May have dropper capabilities: CurrentControlSet\Services` `Contains domain names: Internals.com https://imgur.com imgur.com`
Info	Cryptographic algorithms detected in the binary:	`Uses constants related to SHA256`
Suspicious	The PE contains functions most legitimate programs don't use.	`Functions which can be used for anti-debugging purposes: ZwQuerySystemInformation` `Uses Windows's Native API: ZwQuerySystemInformation ZwCreateFile ZwClose ZwOpenDirectoryObject NtQueryInformationThread ZwUnloadDriver ZwWriteFile ZwFlushBuffersFile`
Info	The PE is digitally signed.	`Signer: Microsoft Windows Hardware Compatibility Publisher` `Issuer: Microsoft Windows Third Party Component CA 2014`
Safe	VirusTotal score: 0/72 (Scanned on 2025-01-27 13:08:26)	`All the AVs think this file is safe.`

Hashes

MD5	`baec87727196a23ab366d57bcf46afe8`
SHA1	`44e05e3889f9f8658a9ad4ed410ee61998e7fb40`
SHA256	`092abc141580ca0a0681b27676e3bc5cf00484ff9d268a0bca03566580c12067`
SHA3	`38ae3b621409b06f8b8a37a70cf63a5c594187b9a35a4bfb4d2f3cfa6a226818`
SSDeep	`98304:bqp/gy1OBwsFEmbl9DYho6VWXJw9DMCndzzY59mMy7U2yxu+9:bqpYkOBzFEmbl9DYS6VWXeJMIi9mbYN9`
Imports Hash	`8b0f9a4a3a6bfdcf2c764b12550554f5`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0x108`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_AMD64`
NumberofSections	`6`
TimeDateStamp	2024-Dec-07 09:05:44
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xf0`
Characteristics	`IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LARGE_ADDRESS_AWARE`

Image Optional Header

Magic	`PE32+`
LinkerVersion	`14.0`
SizeOfCode	`0x120f400`
SizeOfInitializedData	`0x3da00`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x0000000001201020 (Section: .text)`
BaseOfCode	`0x1000`
ImageBase	`0x140000000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`A.0`
ImageVersion	`A.0`
SubsystemVersion	`A.0`
Win32VersionValue	`0`
SizeOfImage	`0x1251000`
SizeOfHeaders	`0x400`
Checksum	`0x1282ade`
Subsystem	`IMAGE_SUBSYSTEM_NATIVE`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` `IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY` `IMAGE_DLLCHARACTERISTICS_GUARD_CF` `IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA` `IMAGE_DLLCHARACTERISTICS_NX_COMPAT`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`f325a0316aa52a349ac3bad9eabd3323`
SHA1	`27d6286c531481f3e254200f180097b6aa2be9c0`
SHA256	`525b62cdcba69a890efba7f2accb930477022a1b2c46e0cf1fc7410358f43bf1`
SHA3	`45c4e4f950bda9f46df859d03d5ba546115df9427474983df02a37c9f06009f2`
VirtualSize	`0x120eb81`
VirtualAddress	`0x1000`
SizeOfRawData	`0x120ec00`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_NOT_PAGED` `IMAGE_SCN_MEM_READ`
Entropy	`5.27169`

.rdata

MD5	`4ac5aea1dca22b79ea840f4846091da7`
SHA1	`e96371cb1446f52ede3c15710f03f587d9922dfa`
SHA256	`6d8df8b662b98fd8a2dbde0e9cb21a542713e0347298d9d0a5267cc4c2e22d8e`
SHA3	`bdc81e89e95a89f3d4ed8247fa2bf1767b66db8bad4be4603714b3bd7361f61d`
VirtualSize	`0xdb8`
VirtualAddress	`0x1210000`
SizeOfRawData	`0xe00`
PointerToRawData	`0x120f000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_NOT_PAGED` `IMAGE_SCN_MEM_READ`
Entropy	`4.62632`

.data

MD5	`b77c0777b1d4bea4c9693b04745406d2`
SHA1	`840542cd70517ef459f93e3ccf8033a7de7b37d4`
SHA256	`c9a9b1a66bb2ee03439464468ef02211ee4138af603b2abaedc5e2d2801bb212`
SHA3	`0013111c5325accce4c5e2fdd514ac7a2f08bdf4a1fb3c0251d824b1047f0597`
VirtualSize	`0x3c509`
VirtualAddress	`0x1211000`
SizeOfRawData	`0x3c400`
PointerToRawData	`0x120fe00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_NOT_PAGED` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`0.696504`

.pdata

MD5	`801b4d7668bd8908d62177a09891a486`
SHA1	`fb65791057a0712d59165272c111c451194800b8`
SHA256	`f298c54e8cff0467394794d41aac69cbaf45503639798adb3ae1967c5f1b6497`
SHA3	`631d23d5a970a21ed663285e66ea5d441460896946e146d93b0e9a9b6ea9e0f2`
VirtualSize	`0x3fc`
VirtualAddress	`0x124e000`
SizeOfRawData	`0x400`
PointerToRawData	`0x124c200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_NOT_PAGED` `IMAGE_SCN_MEM_READ`
Entropy	`5.13346`

INIT

MD5	`7bc5aff3b22f210ea6f24dda454537a7`
SHA1	`d2a1be89876d1e0f66075cb0086c9208bb661690`
SHA256	`63234fa5e471433348bf88df9dab388e36b65c89c1a2819a899be52d81088f7c`
SHA3	`85338961bb3d68b0fd0c56e18da5c9fdffc208d1cae2f36b2c2146ae58337fd5`
VirtualSize	`0x6de`
VirtualAddress	`0x124f000`
SizeOfRawData	`0x800`
PointerToRawData	`0x124c600`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`4.55956`

.reloc

MD5	`aae1110c762915794852ef21df29c8ef`
SHA1	`d533ef0b5be23491340f6858ac10794008351b1e`
SHA256	`8c4e23d25a8cb8e5ab6c3451313572dc3d06f84578089e9870782386a7ed4a15`
SHA3	`bd76e82a2c7ca02e288112b8716d11af888d022b58d2f2a891ec9c1188643f66`
VirtualSize	`0x48`
VirtualAddress	`0x1250000`
SizeOfRawData	`0x200`
PointerToRawData	`0x124ce00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`1.05256`

Imports

ntoskrnl.exe	`ExFreePoolWithTag` `MmMapIoSpace` `MmUnmapIoSpace` `MmGetPhysicalAddress` `ZwQuerySystemInformation` `__chkstk` `wcsstr` `RtlGetVersion` `IoGetCurrentProcess` `PsGetProcessId` `PsLookupProcessByProcessId` `strstr` `KeGetCurrentIrql` `MmHighestUserAddress` `RtlInitUnicodeString` `MmGetSystemRoutineAddress` `RtlInitAnsiString` `ObReferenceObjectByHandle` `ObfDereferenceObject` `ZwCreateFile` `ZwClose` `MmIsAddressValid` `PsLookupThreadByThreadId` `ObOpenObjectByPointer` `ZwOpenDirectoryObject` `NtQueryInformationThread` `_vsnprintf` `PsThreadType` `MmCopyMemory` `RtlRandomEx` `MmMapLockedPagesSpecifyCache` `IofCompleteRequest` `ZwUnloadDriver` `IoGetRequestorProcessId` `ZwWriteFile` `ZwFlushBuffersFile` `KeDelayExecutionThread` `KeWaitForSingleObject` `PsCreateSystemThread` `IoCreateDevice` `IoCreateSymbolicLink` `IoDeleteDevice` `IoDeleteSymbolicLink` `IoRegisterShutdownNotification` `ObRegisterCallbacks` `ObUnRegisterCallbacks` `ObGetFilterVersion` `PsSetLoadImageNotifyRoutine` `PsRemoveLoadImageNotifyRoutine` `PsProcessType` `RtlCompareString` `RtlImageNtHeader` `__C_specific_handler`

Delayed Imports

Version Info

IMAGE_DEBUG_TYPE_CODEVIEW

Characteristics	`0`
TimeDateStamp	2024-Dec-07 09:05:44
Version	`0.0`
SizeofData	`52`
AddressOfRawData	`0x1210500`
PointerToRawData	`0x120f500`
Referenced File	https://imgur.com/a/TGGy9QZ

IMAGE_DEBUG_TYPE_POGO

Characteristics	`0`
TimeDateStamp	2024-Dec-07 09:05:44
Version	`0.0`
SizeofData	`348`
AddressOfRawData	`0x1210534`
PointerToRawData	`0x120f534`

TLS Callbacks

Load Configuration

Size	`0x140`
TimeDateStamp	`1970-Jan-01 00:00:00`
Version	`0.0`
GlobalFlagsClear	`(EMPTY)`
GlobalFlagsSet	`(EMPTY)`
CriticalSectionDefaultTimeout	`0`
DeCommitFreeBlockThreshold	`0`
DeCommitTotalFreeThreshold	`0`
LockPrefixTable	`0`
MaximumAllocationSize	`0`
VirtualMemoryThreshold	`0`
ProcessAffinityMask	`0`
ProcessHeapFlags	`(EMPTY)`
CSDVersion	`0`
Reserved1	`0`
EditList	`0`
SecurityCookie	`0x14124d230`
GuardCFCheckFunctionPointer	`5387649544`
GuardCFDispatchFunctionPointer	`0`
GuardCFFunctionTable	`0`
GuardCFFunctionCount	`0`
GuardFlags	`(EMPTY)`
CodeIntegrity.Flags	`0`
CodeIntegrity.Catalog	`0`
CodeIntegrity.CatalogOffset	`0`
CodeIntegrity.Reserved	`0`
GuardAddressTakenIatEntryTable	`0`
GuardAddressTakenIatEntryCount	`0`
GuardLongJumpTargetTable	`0`
GuardLongJumpTargetCount	`0`

RICH Header

XOR Key	`0xb23b4c7c`
Unmarked objects	`0`
Unmarked objects (#2)	`1`
Imports (30795)	`2`
ASM objects (30795)	`8`
C objects (30795)	`8`
Imports (40310)	`2`
Imports (33523)	`3`
Total imports	`75`
ASM objects (33523)	`1`
C objects (33523)	`1`
C++ objects (33523)	`17`
Linker (33523)	`1`

Errors

[*] Warning: Yara callback received an unhandled message (6).

Leave a comment

No comments yet.