Manalyze report for 4c4a6bcf322478a982878d31e5028a61ed69235c6e09cbc9b29d4cf69e9111bc

Summary

Architecture	`IMAGE_FILE_MACHINE_AMD64`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	2022-Jan-17 14:54:39
Detected languages	English - United States

Plugin Output

Info	Interesting strings found in the binary:	`Contains domain names: crl.symauth.com http://pki-crl.symauth.com http://pki-crl.symauth.com/ca_d409a5cb737dc0768fd08ed5256f3633/LatestCRL.crl07 http://pki-crl.symauth.com/offlineca/TheInstituteofElectricalandElectronicsEngineersIncIEEERootCA.crl0 http://pki-ocsp.symauth.com0 pki-crl.symauth.com symauth.com`
Suspicious	This PE is packed with Themida	`Unusual section name found:` `Unusual section name found:` `Unusual section name found:` `Unusual section name found:` `Unusual section name found:` `Unusual section name found:` `Unusual section name found: .exports` `Unusual section name found: .imports` `Unusual section name found: .themida` `Section .themida is both writable and executable.` `Unusual section name found: .boot` `Unusual section name found: .taggant` `The PE only has 4 import(s).`
Malicious	VirusTotal score: 36/72 (Scanned on 2026-04-09 02:17:10)	`APEX: Malicious` `Antiy-AVL: Trojan[Packed]/Win64.Themida` `Bkav: W64.AIDetectMalware` `CAT-QuickHeal: Trojan.Ghanarava.176829210127ba31` `CTX: dll.trojan.themida` `CrowdStrike: win/malicious_confidence_100% (W)` `Cylance: Unsafe` `Cynet: Malicious (score: 100)` `DeepInstinct: MALICIOUS` `ESET-NOD32: Win64/Packed.Themida.KX trojan` `Elastic: malicious (high confidence)` `Fortinet: W32/PossibleThreat` `Google: Detected` `Gridinsoft: Trojan.Heur!.032120A2` `K7AntiVirus: Riskware ( 005ce0301 )` `K7GW: Riskware ( 005ce0301 )` `Lionic: Trojan.Win32.Themida.4!c` `Malwarebytes: Malware.Heuristic.2123` `MaxSecure: Trojan.Malware.300983.susgen` `McAfeeD: ti!4C4A6BCF3224` `Microsoft: PUA:Win32/Packunwan` `Paloalto: generic.ml` `Panda: PUP/Generic` `Sangfor: Suspicious.Win32.Save.a` `SentinelOne: Static AI - Suspicious PE` `Skyhigh: BehavesLike.Win64.Trojan.wc` `Sophos: Mal/Generic-S` `Symantec: Trojan.Gen.MBT` `Trapmine: malicious.high.ml.score` `TrellixENS: Artemis!EE929A30E440` `TrendMicro: Trojan.Win32.PACKUNWAN.USBLLI25` `TrendMicro-HouseCall: Trojan.Win32.PACKUNWAN.USBLLI25` `Varist: W64/Agent.BIID-2506` `Yandex: Trojan.Igent.bXktc5.23` `Zillya: Trojan.Themida.Win64.4091` `alibabacloud: VirTool:Win/Packunwan.Gen`

Hashes

MD5	`ee929a30e4406d61ec8c42d5b627ba31`
SHA1	`4c9051a509d63cd97aea2c9601284045549694cb`
SHA256	`4c4a6bcf322478a982878d31e5028a61ed69235c6e09cbc9b29d4cf69e9111bc`
SHA3	`631eb04451cfef904c981656f7aa0db33914feef6e5069e2fba0a111d900f719`
SSDeep	`98304:67wDrzX4HqSn05Jccu9uYlIwD2CW2j4Se:6yrzoR0W95lIhC9e`
Imports Hash	`ce3444aa179aed34d862382462f5939c`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0x108`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_AMD64`
NumberofSections	`12`
TimeDateStamp	2022-Jan-17 14:54:39
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xf0`
Characteristics	`IMAGE_FILE_DLL` `IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LARGE_ADDRESS_AWARE`

Image Optional Header

Magic	`PE32+`
LinkerVersion	`14.0`
SizeOfCode	`0x1200`
SizeOfInitializedData	`0x2600`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x0000000000759000 (Section: .taggant)`
BaseOfCode	`0x1000`
ImageBase	`0x180000000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`6.0`
ImageVersion	`0.0`
SubsystemVersion	`6.0`
Win32VersionValue	`0`
SizeOfImage	`0x75c000`
SizeOfHeaders	`0x400`
Checksum	`0x306bf0`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` `IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA` `IMAGE_DLLCHARACTERISTICS_NX_COMPAT`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

MD5	`b552cc6f42ae6952360a9594b52da01e`
SHA1	`dbf2af14d9fadbbefc1b28f87f92967c752f4b3f`
SHA256	`ce19ac69867c30b78bc3201bda0584fe935bef8cd5131769f37d4b10055cdee7`
SHA3	`22f8bd4e4eb8e671da44d873ac875a09c1b6b4424bbf6d3412dcd7c3c40f9301`
VirtualSize	`0x11c8`
VirtualAddress	`0x1000`
SizeOfRawData	`0xb2d`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`7.89042`

(#2)

MD5	`94da0cef0c072579a621e5c8ea1465b5`
SHA1	`0438bce33d07b494b5f79ccb2333186d8e4aee07`
SHA256	`d9895420c5bdb105be110719e715279a6ee0040d2645e0d9bfbeea34732fe491`
SHA3	`9f1de0e1c4f08de9051c4cef0d3520db43d720f62900d5daecdcfd0501362210`
VirtualSize	`0x14da`
VirtualAddress	`0x3000`
SizeOfRawData	`0x66c`
PointerToRawData	`0x1000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`7.79541`

(#3)

MD5	`e640925c66bd7ce15e59b76f7fc6c905`
SHA1	`2c3fb242e1c95eaa1eb9a9bedaa7aa38b34c2666`
SHA256	`9271c662af7d2b0aa97cca82d1139e602e648fab35eee71d74dfe4b82c8b9c21`
SHA3	`fa69acfa56db7f23a4feb800dec73fa5757e9bb81f7d40b956d184237dd52c96`
VirtualSize	`0x6e8`
VirtualAddress	`0x5000`
SizeOfRawData	`0x74`
PointerToRawData	`0x1800`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`6.17678`

(#4)

MD5	`090852796faae9150d25fcca5a1012f9`
SHA1	`b9273438ca75771eabad2b379036e01604ef52b2`
SHA256	`120b6ead0a56eb20efe3a7b3c733fe23fda93522c6743773ad4a15cbdac306ff`
SHA3	`e40d0104ea6fefc662e9111154b78ad3c62c73084d3db3ce662e2c0a42664b09`
VirtualSize	`0x210`
VirtualAddress	`0x6000`
SizeOfRawData	`0x119`
PointerToRawData	`0x1a00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`6.91929`

(#5)

MD5	`7ddaae0d7fb80120fbc1191d90fb2169`
SHA1	`74e369a5e4bfc076b677c9c3f45f88cd7773eb6f`
SHA256	`8f6a11bf27cc15146744e70d0d1f0948ce9c2baefe64aa58fac4e4e67f284810`
SHA3	`c2fde77d6e5073917a2b2644f22d4c74e6e19c0b2b209e4ab90884e54b119cb5`
VirtualSize	`0xf8`
VirtualAddress	`0x7000`
SizeOfRawData	`0x9e`
PointerToRawData	`0x1c00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`6.72914`

(#6)

MD5	`0b8c2567c22a6027e8b5a17889e806fd`
SHA1	`8653286036b6fcbd5d14640657926953b23f3c00`
SHA256	`7532e4da973a7a48b7756fb2bd58d07d5421790657c1371ae09fbd6dd582a458`
SHA3	`a73546b1a5639ff2889a059a5c655a2b9bbeaf54b27120b14620f866f3dc644f`
VirtualSize	`0x4c`
VirtualAddress	`0x8000`
SizeOfRawData	`0x50`
PointerToRawData	`0x1e00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`5.71531`

.exports

MD5	`3a40c54bcc84acc1959c39bda1389e14`
SHA1	`9c2233489ab1b7a471df80dc00967bf58667e98d`
SHA256	`66da20583ea936b014fe34bbc5090446fc66a4fc3126ee733e25038323026538`
SHA3	`62c43a3a4ee8193a659c49176f8e7f07fbbd6fc3971cbd3742afe534f2428a6e`
VirtualSize	`0x1000`
VirtualAddress	`0x9000`
SizeOfRawData	`0x400`
PointerToRawData	`0x2000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`4.75587`

.imports

MD5	`ecd16775370b3cb9abe1b56224f67af7`
SHA1	`515ce86eb2898f9ea993aca190bfe5630c666a3a`
SHA256	`581104fdbf44d4346d25f734ec903765e25ae5127529c51d03bf559a0751e504`
SHA3	`c4eb413c7f24a2ccd28ddba03945e8859e25b3d02b63e756011259fc660887fa`
VirtualSize	`0x1000`
VirtualAddress	`0xa000`
SizeOfRawData	`0x200`
PointerToRawData	`0x2400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`2.67468`

.rsrc

MD5	`d656608b5ab89e4c1620c60a1d8d3464`
SHA1	`a9db77cd690cfe5b1ab7098554bd2d8059dae74a`
SHA256	`0fc7c31144ea401363a0222954fc829aa369bec0dd98f93a0b5c187617c82664`
SHA3	`9a62a07d3a0eb29568d05b849240a90c475c2896841053b255f1be6fd579fbba`
VirtualSize	`0x1000`
VirtualAddress	`0xb000`
SizeOfRawData	`0x200`
PointerToRawData	`0x2600`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`2.51196`

.themida

MD5	`d41d8cd98f00b204e9800998ecf8427e`
SHA1	`da39a3ee5e6b4b0d3255bfef95601890afd80709`
SHA256	`e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`
SHA3	`a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a`
VirtualSize	`0x44c000`
VirtualAddress	`0xc000`
SizeOfRawData	`0`
PointerToRawData	`0x2800`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`

.boot

MD5	`45c2620cd836bda890f7dead90965b24`
SHA1	`18e7554336d9fac64f4e5de323c2f29b02498b7c`
SHA256	`d36d122b94e138e2294f9ddae2c2e7eff4e76f0f8bd0a8edcebe84088d8c5510`
SHA3	`79e9e8c3a00467cf362ec0480bd69c8788d009cd3faf20b29f0989d105e410ae`
VirtualSize	`0x300400`
VirtualAddress	`0x458000`
SizeOfRawData	`0x300400`
PointerToRawData	`0x2800`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`7.94843`

.taggant

MD5	`61b315cd5422cd402eb0e59c4ec4fb33`
SHA1	`aa35f98f04722b9e27a70731a99baca73be38c8e`
SHA256	`5c9bfbeb29c895e1d2b870c74e67c1cec0e9cc83c7404c4d4981da85dd3aa808`
SHA3	`282e00ab5c8dbc0991619eea0ac1ca8b4ae8473fa90cd06d07ddf4726507fbb8`
VirtualSize	`0x2200`
VirtualAddress	`0x759000`
SizeOfRawData	`0x2014`
PointerToRawData	`0x302c00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`3.88067`

Imports

kernel32.dll	`GetModuleHandleA`
VCRUNTIME140.dll	`__std_exception_destroy`
api-ms-win-crt-runtime-l1-1-0.dll	`_execute_onexit_table`
api-ms-win-crt-heap-l1-1-0.dll	`free`

Delayed Imports

NalpGetErrorMsg

Ordinal	`1`
Address	`0x11a0`

NalpLibClose

Ordinal	`2`
Address	`0x11a0`

NalpLibOpen

Ordinal	`3`
Address	`0x11a0`

NSAAppStart

Ordinal	`4`
Address	`0x1010`

NSAAppStop

Ordinal	`5`
Address	`0x11a0`

NSAFeatureStart

Ordinal	`6`
Address	`0x1010`

NSAFeatureStop

Ordinal	`7`
Address	`0x11a0`

NSAGetPrivacy

Ordinal	`8`
Address	`0x11a0`

NSASendCache

Ordinal	`9`
Address	`0x11b0`

NSASetPrivacy

Ordinal	`10`
Address	`0x1010`

NSASysInfo

Ordinal	`11`
Address	`0x1010`

NSAValidateLibrary

Ordinal	`12`
Address	`0x11a0`

NSLCheckCredentials

Ordinal	`13`
Address	`0x1010`

NSLCheckoutFeature

Ordinal	`14`
Address	`0x1020`

NSLClearCredentials

Ordinal	`15`
Address	`0x11a0`

NSLFree

Ordinal	`16`
Address	`0x1010`

NSLGetDeactivationCertReq

Ordinal	`17`
Address	`0x1010`

NSLGetFeatureStatus

Ordinal	`18`
Address	`0x1070`

NSLGetLeaseExpDate

Ordinal	`19`
Address	`0x1120`

NSLGetLeaseExpSec

Ordinal	`20`
Address	`0x1150`

NSLGetLicense

Ordinal	`21`
Address	`0x1010`

NSLGetLicenseInfo

Ordinal	`22`
Address	`0x1130`

NSLGetLicenseStatus

Ordinal	`23`
Address	`0x1190`

NSLGetMaintExpDate

Ordinal	`24`
Address	`0x1120`

NSLGetMaintExpSec

Ordinal	`25`
Address	`0x1150`

NSLGetSubExpDate

Ordinal	`26`
Address	`0x1120`

NSLGetSubExpSec

Ordinal	`27`
Address	`0x1150`

NSLGetTrialExpDate

Ordinal	`28`
Address	`0x1120`

NSLGetTrialExpSec

Ordinal	`29`
Address	`0x1150`

NSLGetUDFValue

Ordinal	`30`
Address	`0x1170`

NSLReturnFeature

Ordinal	`31`
Address	`0x1010`

NSLReturnLicense

Ordinal	`32`
Address	`0x1010`

NSLTestConnection2

Ordinal	`33`
Address	`0x1010`

NSLSetCredentials

Ordinal	`34`
Address	`0x1010`

2

Type	`RT_MANIFEST`
Language	English - United States
Codepage	UNKNOWN
Size	`0x91`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`4.8858`
MD5	`f7ad1eab748bc07570a57ec87787cf90`
SHA1	`0b1608da9fef218386e825db575c65616826d9f4`
SHA256	`d2952e57023848a37fb0f21f0dfb38c9000f610ac2b00c2f128511dfd68bde04`
SHA3	`6c9541b36948c19ae507d74223621875b3af4064f7cd8200bdb97e15a047e96a`

Version Info

TLS Callbacks

Load Configuration

RICH Header

XOR Key	`0x6f7c931c`
Unmarked objects	`0`
Imports (VS2008 SP1 build 30729)	`4`
Imports (30034)	`3`
C++ objects (30034)	`15`
C objects (30034)	`8`
ASM objects (30034)	`3`
Imports (VS2017 v14.15 compiler 26715)	`2`
Total imports	`39`
C++ objects (LTCG) (VS2019 Update 10 (16.10.2) compiler 30038)	`2`
Exports (VS2019 Update 10 (16.10.2) compiler 30038)	`1`
Resource objects (VS2019 Update 10 (16.10.2) compiler 30038)	`1`
Linker (VS2019 Update 10 (16.10.2) compiler 30038)	`1`

Errors

[*] Warning: Section .themida has a size of 0!

Leave a comment

No comments yet.