Manalyze report for 2f65449c5e34255307ea070688111652ddf57b42deb868d44d690c149e787219

Summary

Architecture	`IMAGE_FILE_MACHINE_AMD64`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	1970-Jan-01 00:00:00
Debug artifacts	Embedded COFF debugging symbols

Plugin Output

Suspicious	PEiD Signature:	`HQR data file`
Suspicious	The PE is possibly packed.	`Unusual section name found: .xdata` `Unusual section name found: .symtab`
Suspicious	The PE contains functions most legitimate programs don't use.	`[!] The program may be hiding some of its imports: LoadLibraryW LoadLibraryExW GetProcAddress` `Functions which can be used for anti-debugging purposes: SwitchToThread`
Info	The PE is digitally signed.	`Signer: www.walmart.com` `Issuer: GlobalSign ECC OV SSL CA 2018`
Malicious	VirusTotal score: 32/69 (Scanned on 2026-04-25 02:33:10)	`AVG: FileRepMalware [Misc]` `Avast: FileRepMalware [Misc]` `BitDefender: Trojan.Generic.39863017` `Bkav: W64.AIDetectMalware` `CTX: exe.trojan.agen` `CrowdStrike: win/malicious_confidence_70% (W)` `Cylance: Unsafe` `Cynet: Malicious (score: 99)` `DeepInstinct: MALICIOUS` `ESET-NOD32: Win64/GenKryptik_AGen.CKZ trojan` `Elastic: malicious (high confidence)` `Emsisoft: Trojan.Generic.39863017 (B)` `Fortinet: W64/Kryptik.PU!tr` `GData: Trojan.Generic.39863017` `Google: Detected` `Gridinsoft: Risk.Win64.Downloader.mz!c` `Ikarus: Trojan.WinGo.Crypt` `Kaspersky: Trojan.Win64.Agent.smgbvy` `Lionic: Trojan.Win64.Agent.4!c` `Malwarebytes: Trojan.MalPack.GO.Generic` `McAfeeD: ti!2F65449C5E34` `MicroWorld-eScan: Trojan.Generic.39863017` `Microsoft: Trojan:Win32/Wacatac.B!ml` `Paloalto: generic.ml` `Rising: Backdoor.Gsb!8.1DB49 (CLOUD)` `Sangfor: Trojan.Win64.Kryptik.Vspk` `Sophos: Mal/Generic-S` `Symantec: ML.Attribute.HighConfidence` `TrellixENS: Artemis!71E8FBFD228B` `Varist: W64/ABTrojan.QZGZ-8673` `alibabacloud: Backdoor:Win/GenKryptik_AGen.CHP` `huorong: Trojan/Loader.qa`

Hashes

MD5	`71e8fbfd228bbc0aac527339d2445b95`
SHA1	`4d656911f3ec64b53bf3946631ee23928cc7e913`
SHA256	`2f65449c5e34255307ea070688111652ddf57b42deb868d44d690c149e787219`
SHA3	`7fc23f9c3b2cd7a27ecaf246d35b46d3d34f87d515a2820c3aeba8f69a9a158d`
SSDeep	`49152:wNfbi8xBL9Oo6aXNzIIdXm0QnmNmbhadi:wIMztxmbUQ`
Imports Hash	`d42595b695fc008ef2c56aabd8efd68e`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0x8b`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0x80`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_AMD64`
NumberofSections	`8`
TimeDateStamp	1970-Jan-01 00:00:00
PointerToSymbolTable	`0x1e2200`
NumberOfSymbols	`1949`
SizeOfOptionalHeader	`0xf0`
Characteristics	`IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LARGE_ADDRESS_AWARE`

Image Optional Header

Magic	`PE32+`
LinkerVersion	`3.0`
SizeOfCode	`0xeee00`
SizeOfInitializedData	`0x7200`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x000000000006C460 (Section: .text)`
BaseOfCode	`0x1000`
ImageBase	`0x140000000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`6.1`
ImageVersion	`1.0`
SubsystemVersion	`6.1`
Win32VersionValue	`0`
SizeOfImage	`0x245000`
SizeOfHeaders	`0x600`
Checksum	`0x2065af`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` `IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA` `IMAGE_DLLCHARACTERISTICS_NX_COMPAT` `IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE`
SizeofStackReserve	`0x200000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`74f0482618fcdd9ca68a3fb35e4041a4`
SHA1	`fb997f787bf96ffccd1df7c764548e9955cb1648`
SHA256	`a4c7dabb2dba56563500957f431a138b850d7dc8c1e1e5e91d3d792fdbf65382`
SHA3	`ddba04128bb3f76dbba6ae0dc3a63154a258cbf1d4e421ca99f29bb1710246c1`
VirtualSize	`0xeed31`
VirtualAddress	`0x1000`
SizeOfRawData	`0xeee00`
PointerToRawData	`0x600`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.49809`

.rdata

MD5	`835a76a18fc2c43e816d9e21e999267c`
SHA1	`a221fc6a0853b153b12a6fcc6c28f6594dd5c7f8`
SHA256	`ea6f0466925b895b12d3aecf8d30ad70de49c749204132d87457add06733c39c`
SHA3	`ae8dc0b9c5ce98ef6d3a048eedcbefadd339104031b663a6c66625c9bc5a153b`
VirtualSize	`0xe5158`
VirtualAddress	`0xf0000`
SizeOfRawData	`0xe5200`
PointerToRawData	`0xef400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`6.34055`

.data

MD5	`9d0c0e115041a87be215680e936587ba`
SHA1	`79e4fa44dc9a36050017851b310a644fe07f8eea`
SHA256	`07c9a2cd59876943f7e75d9bf80e30d21dabef3d9007458c7316678c28e22d04`
SHA3	`0bc3e86fff9e341b939254acb6bbc4585e65746a4afc0e1f05368bc8dc64a8bd`
VirtualSize	`0x50228`
VirtualAddress	`0x1d6000`
SizeOfRawData	`0x7200`
PointerToRawData	`0x1d4600`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`2.47121`

.pdata

MD5	`5c9a53ae689e7a8973fcc98d0cebbda6`
SHA1	`da74302903dc1a7831a09d55720bbce6fa716e0c`
SHA256	`41a2a05131bd8ff3d659c14b26f71ad0691d44035b77edd0b4cba49cfdb4bce1`
SHA3	`e860d17f377c2f7a8f0b0d436861cb9e2cc418081e4c5bfa73997527b5560516`
VirtualSize	`0x39fc`
VirtualAddress	`0x227000`
SizeOfRawData	`0x3a00`
PointerToRawData	`0x1db800`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`5.17437`

.xdata

MD5	`3522b4fbcccc0352ed37806617d6e159`
SHA1	`d2a1bdfd03efb47ce1e3c1a60babb5d44faa54c5`
SHA256	`5b326f57e66ed01d192b0247c09a89c19c3ca25f8a1fdd7d80e049159e6df3dc`
SHA3	`d7036a9dbe37104d7a8a9fe155f48cf1c75a3cbc1eb59fd62f6ad2fa9463f1a2`
VirtualSize	`0xb4`
VirtualAddress	`0x22b000`
SizeOfRawData	`0x200`
PointerToRawData	`0x1df200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`1.78711`

.idata

MD5	`7813e547ad548500716f9afcbe87d244`
SHA1	`a4452059345fe17af5acb4f73d66474e753032cf`
SHA256	`da7d1a5e0e210134eb27c0f84b519b5625a50286161f15f8d2a6eddbc7095a8c`
SHA3	`3eeb2d07c41deb0a4c103237881e87dfae99412472dcb7edc0d9e610c74c59e0`
VirtualSize	`0x53e`
VirtualAddress	`0x22c000`
SizeOfRawData	`0x600`
PointerToRawData	`0x1df400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`4.01449`

.reloc

MD5	`38bcae80da7c8366faa3485f02dac7af`
SHA1	`cb3ee323868b183e6477b00ebc146fffdfabeffd`
SHA256	`5eae2075cac4247306c49596d503d80a0baceec42ddc02170020e2cdaec2d855`
SHA3	`514d9a23fcc152300235d9e6ca6e7f44c6588adab1a82e00a437710584993a66`
VirtualSize	`0x27f0`
VirtualAddress	`0x22d000`
SizeOfRawData	`0x2800`
PointerToRawData	`0x1dfa00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`5.42802`

.symtab

MD5	`12870c5a854292494c533eec6e68d8df`
SHA1	`65178d45a5cb6e9c0043c9b14aaea52752f082b7`
SHA256	`dcf6d6459fb7274d71e308d730f41439df24f0cbf7e39847f753230fada0eb3a`
SHA3	`29fcda85edae94ec48a3fb42d6eb0cf2827bdf162c2e80f3a4c1d493f680fba0`
VirtualSize	`0x14578`
VirtualAddress	`0x230000`
SizeOfRawData	`0x14600`
PointerToRawData	`0x1e2200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`5.04897`

Imports

kernel32.dll	`WriteFile` `WriteConsoleW` `WerSetFlags` `WerGetFlags` `WaitForMultipleObjects` `WaitForSingleObject` `VirtualQuery` `VirtualFree` `VirtualAlloc` `TlsAlloc` `SwitchToThread` `SuspendThread` `SetWaitableTimer` `SetProcessPriorityBoost` `SetEvent` `SetErrorMode` `SetConsoleCtrlHandler` `RtlVirtualUnwind` `RtlLookupFunctionEntry` `ResumeThread` `RaiseFailFastException` `PostQueuedCompletionStatus` `LoadLibraryW` `LoadLibraryExW` `SetThreadContext` `GetThreadContext` `GetSystemInfo` `GetSystemDirectoryA` `GetStdHandle` `GetQueuedCompletionStatusEx` `GetProcessAffinityMask` `GetProcAddress` `GetErrorMode` `GetEnvironmentStringsW` `GetCurrentThreadId` `GetConsoleMode` `FreeEnvironmentStringsW` `ExitProcess` `DuplicateHandle` `CreateWaitableTimerExW` `CreateThread` `CreateIoCompletionPort` `CreateEventA` `CloseHandle` `AddVectoredExceptionHandler` `AddVectoredContinueHandler`

Delayed Imports

Version Info

TLS Callbacks

Load Configuration

RICH Header

Errors

Leave a comment

No comments yet.