43a9c213898b8954c4426cf29aa37a6b0b35c22699abd277b48159b276418b31

Summary

Architecture IMAGE_FILE_MACHINE_AMD64
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date 2026-Jun-22 00:49:39
TLS Callbacks 2 callback(s) detected.

Plugin Output

Suspicious  Strings found in the binary may indicate undesirable behavior:
  Contains references to security software:
  • rshell.exe
  Miscellaneous malware strings:
  • cmd.exe
  Contains domain names:
  • https://files.catbox.moe
  • https://files.catbox.moe/5z0529.mp3
Suspicious  The PE is possibly packed. Unusual section name found: .xdata
  Note: .xdata is the x64 unwind-information section that GCC/MinGW-w64 emits next to .pdata (MSVC merges the same data into .rdata), and the rest of the file fits that toolchain: a 2.x linker version as written by GNU ld, a CRT imported from msvcrt.dll (__getmainargs, __set_app_type, _initterm) and __C_specific_handler from KERNEL32.dll. The section entropies listed below (.text 6.32, .rdata 4.61, .xdata 3.28) are in the normal range for uncompressed code and data, so this finding is a section-name match, not evidence of packing.
Suspicious  The PE contains functions most legitimate programs don't use.
  [!] The program may be hiding some of its imports:
  • GetProcAddress
  • LoadLibraryA
  (Both also appear in ordinary CRT start-up code; what matters is which names the program resolves with them at runtime, which a static listing cannot show.)
  Functions which can be used for anti-debugging purposes:
  • CreateToolhelp32Snapshot
  Can access the registry:
  • RegCloseKey
  • RegOpenKeyExA
  • RegQueryValueExA
  Manipulates other processes:
  • OpenProcess
  • Process32FirstW
  • Process32NextW
  (CreateToolhelp32Snapshot followed by Process32FirstW/Process32NextW is the standard process-enumeration sequence; whether it is used to look for debuggers or security tools, or for something benign, needs the disassembly.)
Suspicious No VirusTotal score. This file has never been scanned on VirusTotal.

Hashes

MD5 b4d53a0109e05b0289b8bc73d142e669
SHA1 2f6a6a3e120d44073da999bf707ae4c7a0210f19
SHA256 43a9c213898b8954c4426cf29aa37a6b0b35c22699abd277b48159b276418b31
SHA3 1ab8afc3ff6774767385a18a9f8babef00cf22eca30a5c45e80b35782b40f004
SSDeep 1536:dAYzLTs7csugaLA4RU25WqNrKqHA7Ee3bCMqM1m7JLTyr8DCOXsW:dAYzLUcRgaLhf5WcrKqmfLJ1m7tTyr8
Imports Hash c9d74f62774b201839cbb0adf554fdab

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0x80

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_AMD64
NumberofSections 10
TimeDateStamp 2026-Jun-22 00:49:39
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xf0
Characteristics IMAGE_FILE_DEBUG_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED

Image Optional Header

Magic PE32+
LinkerVersion 2.0
SizeOfCode 0xae00
SizeOfInitializedData 0x5800
SizeOfUninitializedData 0xae00
AddressOfEntryPoint 0x00000000000013E0 (Section: .text)
BaseOfCode 0x1000
ImageBase 0x140000000
SectionAlignment 0x1000
FileAlignment 0x200
OperatingSystemVersion 4.0
ImageVersion 0.0
SubsystemVersion 5.2
Win32VersionValue 0
SizeOfImage 0x21000
SizeOfHeaders 0x400
Checksum 0x13239
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
DllCharacteristics IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
SizeofStackReserve 0x200000
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

.text

MD5 b89b84eacea4bfa5c22c3bd67b7d9a84
SHA1 f45cf63507c04019839e1ac5cb033540d742baee
SHA256 40deb51d9b5a9626d48ea1bd03627fa5d037b8f3b380d3c1e34676ce17729ec0
SHA3 2c322c977d67ee7ef81f38288741a8d55fc84f7bddfbc706827b66a9fe838955
VirtualSize 0xad80
VirtualAddress 0x1000
SizeOfRawData 0xae00
PointerToRawData 0x400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
Entropy 6.32188

.data

MD5 8c2057329e2d23647f598c7d9de3cf02
SHA1 4802f95bea414ce5a911cee6e3abf8f2c510f655
SHA256 d81b0ad7dd0b8d4ef7d4217b9b3f5764b59e154645925a18bc131bf598a8d648
SHA3 2e79704e1e7185b345c6a80f055eacdd6e1bd201a2bbfbc009b608b695a217df
VirtualSize 0x70
VirtualAddress 0xc000
SizeOfRawData 0x200
PointerToRawData 0xb200
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 0.457769

.rdata

MD5 e5f44392782b7b4a7c063837134ba09f
SHA1 42d3c2fb3158b222ec9dc9af24028c84eb5c53e5
SHA256 ebb7a20dd9ded211ed01e5bb2ed37b4fcf71822bd7238ca91eaea30a84989910
SHA3 fbba5dad37763497fe6731fc8fad76daff92e42fc36938f2438150e8c4c4d269
VirtualSize 0x2f38
VirtualAddress 0xd000
SizeOfRawData 0x3000
PointerToRawData 0xb400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 4.61455

.pdata

MD5 6901688ca814cba084fc78b0715f2ece
SHA1 26b1d8478ec20cf3ac900533de78ea807e31fc36
SHA256 18be077338571f633ec2101fe3431b534393329e5791d49f26b0b443a82bb1fa
SHA3 d23c6732375648a3a2e3ea9ca4975d2e8cff773385695b143546ac1c0f5c7597
VirtualSize 0x45c
VirtualAddress 0x10000
SizeOfRawData 0x600
PointerToRawData 0xe400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 3.55145

.xdata

MD5 4045a6409852e0cb515b9a3e5f121b96
SHA1 cea0944b133fdfe42140e2b0c43fa961c36b0004
SHA256 4e65ef3b4792698c06f2118c75b724a6719f731c76003b08dff653069e782865
SHA3 6276fbd585e81efeaf1557e5acd5b3126d308d4e52aace867a7292c03362b0cb
VirtualSize 0x40c
VirtualAddress 0x11000
SizeOfRawData 0x600
PointerToRawData 0xea00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 3.28288

.bss

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA3 a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a
VirtualSize 0xac20
VirtualAddress 0x12000
SizeOfRawData 0
PointerToRawData 0
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata

MD5 b956c206540e7222ab2ae34f20eaba44
SHA1 1827a35e31981550f1c7e7127591afd1eaa27ffe
SHA256 c33d59dbf2769daa88744c92b543de802e8b28d17fc4e8aa9cd58f7b5dc8a740
SHA3 0bed6019c89fcbfa58d69c62a0c61e9587dd2637cd4e4f38e4508df088940c79
VirtualSize 0xf60
VirtualAddress 0x1d000
SizeOfRawData 0x1000
PointerToRawData 0xf000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 4.48058

.tls

MD5 bf619eac0cdf3f68d496ea9344137e8b
SHA1 5c3eb80066420002bc3dcc7ca4ab6efad7ed4ae5
SHA256 076a27c79e5ace2a3d47f9dd2e83e4ff6ea8872b3c2218f66c92b89b55f36560
SHA3 622de1e1568ddef36c4b89b706b05201c13481c3575d0fc804ff8224787fcb59
VirtualSize 0x10
VirtualAddress 0x1e000
SizeOfRawData 0x200
PointerToRawData 0x10000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 0

.rsrc

MD5 9d3e2c0d5977fc65bac788ca9c666713
SHA1 3258ec03fc6315a87594de229609b3dfb0485a43
SHA256 55599d3f7a24e026197893101405b1543c07018cd5c0c6b2848e3328e482a248
SHA3 1f68c2aebc70f92ec776c416bee3635222cf00b3a3c8c06dc46dfe3fa106fa1b
VirtualSize 0x4e8
VirtualAddress 0x1f000
SizeOfRawData 0x600
PointerToRawData 0x10200
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 4.78258

.reloc

MD5 4a743ee4f8f3c1f4e294d2fecac5199d
SHA1 d0b0bd0264345718845764889522ed042a0aada7
SHA256 df4487311005168402f35af610ef167a7a49dcd33bf8db2a67009c5e568d4a8b
SHA3 0fa3a04a8377c690ade85785ebad846aee0983ae1b18ec0bedd601abcbc9679a
VirtualSize 0x5c
VirtualAddress 0x20000
SizeOfRawData 0x200
PointerToRawData 0x10800
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Entropy 1.212

Imports

ADVAPI32.dll RegCloseKey
RegOpenKeyExA
RegQueryValueExA
KERNEL32.dll AddVectoredExceptionHandler
AllocConsole
CloseHandle
CreateFileA
CreateFileMappingA
CreateToolhelp32Snapshot
CreateWaitableTimerW
DeleteCriticalSection
EnterCriticalSection
GetConsoleMode
GetCurrentProcess
GetCurrentProcessId
GetCurrentThread
GetFileSize
GetLastError
GetModuleHandleA
GetModuleHandleW
GetProcAddress
GetProcessHeap
GetStdHandle
GetSystemInfo
GetSystemTimeAsFileTime
GetThreadContext
GetTickCount
GetTickCount64
GlobalMemoryStatusEx
HeapAlloc
HeapFree
HeapReAlloc
InitializeCriticalSection
IsDBCSLeadByteEx
LeaveCriticalSection
LoadLibraryA
MapViewOfFile
MultiByteToWideChar
OpenProcess
Process32FirstW
Process32NextW
QueryPerformanceCounter
QueryPerformanceFrequency
ReadConsoleA
ReadFile
RemoveVectoredExceptionHandler
SetConsoleMode
SetConsoleTitleA
SetUnhandledExceptionFilter
SetWaitableTimer
Sleep
TlsGetValue
UnmapViewOfFile
VirtualFree
VirtualProtect
VirtualQuery
WideCharToMultiByte
WriteConsoleA
__C_specific_handler
msvcrt.dll ___lc_codepage_func
___mb_cur_max_func
__getmainargs
__initenv
__iob_func
__set_app_type
__setusermatherr
_amsg_exit
_cexit
_commode
_errno
_fmode
_initterm
_stricmp
abort
atexit
calloc
exit
fprintf
fputc
free
localeconv
malloc
memcmp
memcpy
memmove
signal
strerror
strlen
strncmp
strrchr
strstr
vfprintf
wcslen
USER32.dll DispatchMessageW
EnumWindows
GetClassNameA
GetCursorPos
GetLastInputInfo
MsgWaitForMultipleObjects
PeekMessageW
TranslateMessage
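The "Imports Hash" in the Hashes section is an imphash: an MD5 over the lower-cased "dll.function" pairs of the import table, in import-directory order. The following is an added example (not code from the report or from its analysis tool) that reimplements the pefile algorithm so the value can be recomputed from a parsed import table. SAMPLE_IMPORTS is a constructed subset of the table above in the order the report prints it; that order looks alphabetical and is not necessarily the binary's import-directory order, so a hash computed from the listing will not necessarily match c9d74f62774b201839cbb0adf554fdab. Recompute from the file itself (for example pefile's DIRECTORY_ENTRY_IMPORT) before comparing. The known-ordinal name resolution pefile performs for a few DLLs is deliberately not reproduced here.

```python
import hashlib

# Module-name extensions pefile strips before hashing.
_STRIPPED_EXTS = {"dll", "sys", "ocx"}


def imphash_string(imports):
    """Pre-hash string for a list of (dll, function) pairs.

    `imports` must be in IMAGE_DIRECTORY_ENTRY_IMPORT order.  A function given
    as an int is an import by ordinal and becomes 'ordN'; pefile additionally
    maps known ordinals of a few DLLs to names, which is not reproduced here.
    """
    parts = []
    for dll, func in imports:
        lib = dll.lower()
        base, _, ext = lib.rpartition(".")
        if base and ext in _STRIPPED_EXTS:
            lib = base
        name = f"ord{func}" if isinstance(func, int) else func.lower()
        parts.append(f"{lib}.{name}")
    return ",".join(parts)


def imphash(imports):
    """MD5 of the comma-joined 'dll.function' list, as pefile's get_imphash()."""
    return hashlib.md5(imphash_string(imports).encode()).hexdigest()


# Constructed sample: a subset of this report's import table, in the order the
# report lists it (which may differ from the binary's directory order).
SAMPLE_IMPORTS = [
    ("ADVAPI32.dll", "RegOpenKeyExA"),
    ("ADVAPI32.dll", "RegQueryValueExA"),
    ("KERNEL32.dll", "CreateToolhelp32Snapshot"),
    ("KERNEL32.dll", "LoadLibraryA"),
    ("KERNEL32.dll", "GetProcAddress"),
    ("USER32.dll", "EnumWindows"),
]

if __name__ == "__main__":
    print(imphash_string(SAMPLE_IMPORTS))
    print(imphash(SAMPLE_IMPORTS))
    # Order matters: the same imports in another order hash differently.
    print(imphash(list(reversed(SAMPLE_IMPORTS))))
```

Because the hash is order-sensitive, two builds that import the same functions in a different sequence get different imphashes; the value is a linker-fingerprint for clustering samples, not a content hash.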

Delayed Imports

(none)

Resources

1

Type RT_MANIFEST
Language UNKNOWN
Codepage UNKNOWN
Size 0x48f
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 5.13793
MD5 5aa04ce935e78505e230765e85c34355
SHA1 6c93b8c5fde8be4b2231dca6b8ec513cdc82c991
SHA256 a73f26a8d504043f785d7360e8febf2eeb8522ec873a0d4dd5d1d4bfd1e67d3d
SHA3 149467cafc03ba34b33cd8076fc2771413760822357952de205dbae2b5cb8059

Version Info

(none: the only resource in the file is the RT_MANIFEST entry above)

TLS Callbacks

StartAddressOfRawData 0x14001e000
EndAddressOfRawData 0x14001e008
AddressOfIndex 0x14001c14c
AddressOfCallbacks 0x14000ff10
SizeOfZeroFill 0
Characteristics IMAGE_SCN_TYPE_REG
Callbacks 0x0000000140004290
0x0000000140004270
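The TLS directory above gives the two callbacks as virtual addresses: AddressOfCallbacks 0x14000ff10 is RVA 0xff10, inside .rdata (RVA 0xd000, VirtualSize 0x2f38), the callback entries 0x140004290 and 0x140004270 both resolve into .text (RVA 0x1000, VirtualSize 0xad80), and AddressOfIndex 0x14001c14c lands in .bss. Callbacks listed here run before the entry point at 0x13E0, so a debugger that only breaks at the entry point never sees them. The following is an added example, not code from the report or its tool, that parses a PE32+ file far enough to reproduce two of the report's findings: per-section entropy with the "possibly packed" heuristic applied to bytes rather than to section names, and the TLS callback walk (VA to RVA via ImageBase, RVA to file offset via the section table, read 8-byte entries until the NULL terminator). The sample image it builds is constructed for the example and is not the analysed binary; the section names .stub and the chosen RVAs are assumptions.

```python
import hashlib
import math
import struct
from collections import Counter

def parse_pe(data):
    """DOS header -> COFF header -> PE32+ optional header -> section table."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    nsect, opt_size = coff[1], coff[5]
    opt = e_lfanew + 24
    if struct.unpack_from("<H", data, opt)[0] != 0x20B:
        raise ValueError("only PE32+ is handled here")
    image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    ndirs = struct.unpack_from("<I", data, opt + 108)[0]
    dirs = [struct.unpack_from("<II", data, opt + 112 + 8 * i) for i in range(ndirs)]
    sections = []
    for i in range(nsect):
        hdr = struct.unpack_from("<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append({"name": hdr[0].rstrip(b"\0").decode(), "vsize": hdr[1], "va": hdr[2],
                         "rawsize": hdr[3], "raw": hdr[4], "chars": hdr[9]})
    return {"image_base": image_base, "dirs": dirs, "sections": sections}

def section_for(pe, rva):
    """Section whose virtual range covers rva, or None if unmapped."""
    for s in pe["sections"]:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
            return s
    return None

def rva_to_offset(pe, rva):
    """File offset for rva; only bytes actually present in the file can be read this way."""
    s = section_for(pe, rva)
    if s is None or rva >= s["va"] + s["rawsize"]:
        raise ValueError(f"RVA {rva:#x} is not backed by file data")
    return rva - s["va"] + s["raw"]

def entropy(buf):
    """Shannon entropy in bits per byte; 0.0 for empty input."""
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values()) if n else 0.0

def section_report(data, pe):
    """Per-section entropy plus the two flags the packing heuristic looks at."""
    rows = []
    for s in pe["sections"]:
        raw = data[s["raw"]:s["raw"] + s["rawsize"]] if s["rawsize"] else b""
        rows.append({"name": s["name"], "entropy": round(entropy(raw), 3),
                     "executable": bool(s["chars"] & 0x20000000),           # IMAGE_SCN_MEM_EXECUTE
                     "uninitialized": bool(s["chars"] & 0x80) and s["rawsize"] == 0})  # IMAGE_SCN_CNT_UNINITIALIZED_DATA
    return rows

def suspicious_packing(rows, threshold=7.0):
    """Executable sections whose bytes look compressed or encrypted; a section name alone is not evidence."""
    return [r["name"] for r in rows if r["executable"] and r["entropy"] > threshold]

def tls_callbacks(data, pe):
    """Walk IMAGE_TLS_DIRECTORY64.AddressOfCallbacks (a VA, not an RVA) up to its NULL terminator."""
    rva = pe["dirs"][9][0]                                 # IMAGE_DIRECTORY_ENTRY_TLS
    if rva == 0:
        return []
    callbacks_va = struct.unpack_from("<QQQQII", data, rva_to_offset(pe, rva))[3]
    off, found = rva_to_offset(pe, callbacks_va - pe["image_base"]), []
    while (va := struct.unpack_from("<Q", data, off)[0]) != 0:
        sec = section_for(pe, va - pe["image_base"])
        found.append((va, sec["name"] if sec else None))
        off += 8
    return found

def build_sample_pe():
    """Constructed minimal PE32+ (not the analysed file): two executable sections, an .rdata
    holding the TLS directory plus callback array, and a .bss with no raw data."""
    base = 0x140000000
    text = bytes(range(256)) + b"\xC3" * 256                                  # 0x200 bytes, ~5 bits/byte
    stub = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))  # 0x1000 pseudo-random bytes
    tls_dir = struct.pack("<QQQQII", base + 0x3100, base + 0x3108, base + 0x4000, base + 0x3040, 0, 0)
    callbacks = struct.pack("<QQQ", base + 0x1000, base + 0x1010, 0)          # two callbacks, NULL-terminated
    rdata = (tls_dir.ljust(0x40, b"\0") + callbacks).ljust(0x200, b"\0")
    secs = [(b".text", 0x1000, len(text), 0x400, len(text), 0x60000020),   # name, rva, vsize, rawptr, rawsize, flags
            (b".stub", 0x2000, len(stub), 0x600, len(stub), 0x60000020),
            (b".rdata", 0x3000, len(rdata), 0x1600, len(rdata), 0x40000040),
            (b".bss", 0x4000, 0x100, 0, 0, 0xC0000080)]
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)                  # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, len(secs), 0, 0, 0, 0xF0, 0x22)
    opt = struct.pack("<HBBIIIIIQIIHHHHHHIIIIHHQQQQII", 0x20B, 2, 0, len(text), 0, 0, 0x1000, 0x1000,
                      base, 0x1000, 0x200, 4, 0, 0, 0, 5, 2, 0, 0x5000, 0x400, 0, 2, 0x160,
                      0x200000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = b"".join(struct.pack("<II", 0x3000, 40) if i == 9 else bytes(8) for i in range(16))
    hdrs = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, rva, rs, rp, 0, 0, 0, 0, f) for n, rva, vs, rp, rs, f in secs)
    return (dos + coff + opt + dirs + hdrs).ljust(0x400, b"\0") + text + stub + rdata

if __name__ == "__main__":
    image = build_sample_pe()
    pe = parse_pe(image)
    print("packed-looking:", suspicious_packing(section_report(image, pe)))
    for va, sec in tls_callbacks(image, pe):
        print(f"TLS callback {va:#018x} in {sec}")
```

Run against a real file by replacing build_sample_pe() with the file's bytes. On the constructed image the heuristic flags only the pseudo-random .stub section, .bss reports entropy 0.0 with the uninitialized flag set (the same shape as the real .bss in this report), and the TLS walk returns both callbacks with the section each points into; a callback whose address falls outside every section would come back with None and deserves immediate attention.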

Load Configuration

(none)

RICH Header

(none: the Rich header is written only by Microsoft's linker, so its absence is consistent with the GCC/MinGW-w64 build indicated by the .xdata section and the msvcrt.dll imports)

Errors

[*] Warning: Section .bss has a size of 0!
  Note: only SizeOfRawData is 0. The section has VirtualSize 0xac20 and IMAGE_SCN_CNT_UNINITIALIZED_DATA set, so the loader zero-fills it at run time and nothing needs to be stored in the file. The hashes listed for .bss above are those of empty input (MD5 d41d8cd98f00b204e9800998ecf8427e, SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855) and carry no information about this binary.