Manalyze report for 4d066706780432c1342099003fc0ac40f0a54561eea7b290c702f9523dd4e810

Summary

Architecture	`IMAGE_FILE_MACHINE_AMD64`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	2017-Nov-02 06:49:02
TLS Callbacks	3 callback(s) detected.

Plugin Output

Suspicious	Strings found in the binary may indicate undesirable behavior:	`Tries to detect virtualized environments: HARDWARE\DESCRIPTION\System HARDWARE\Description\System` `Looks for VMWare presence: VEN_15AD VMTools VMware hgfs.sys mhgfs.sys vmmemctl vmmouse vmtools vmx86` `Looks for VirtualBox presence: HARDWARE\ACPI\DSDT\VBOX__ HARDWARE\ACPI\FADT\VBOX__ HARDWARE\ACPI\RSDT\VBOX__ SOFTWARE\Oracle\VirtualBox Guest Additions VBoxGuest VBoxHook.dll VBoxMouse VBoxSF VBoxService VBoxTray VEN_80EE \\.\pipe\VBoxMiniRdDN \\.\pipe\VBoxTrayIPC` `Looks for Qemu presence: QEMU Qemu qemu` `May have dropper capabilities: CurrentControlSet\Services` `Accesses the WMI: ROOT\CIMV2` `Contains domain names: api.telegram.org https://api.ipapi.is https://api.ipapi.is/text telegram.org`
Suspicious	The PE is possibly packed.	`Unusual section name found: .xdata`
Suspicious	The PE contains functions most legitimate programs don't use.	`[!] The program may be hiding some of its imports: GetProcAddress LoadLibraryW` `Functions which can be used for anti-debugging purposes: CheckRemoteDebuggerPresent CreateToolhelp32Snapshot` `Can access the registry: RegCloseKey RegEnumKeyExA RegOpenKeyExA RegQueryInfoKeyA RegQueryValueExA` `Can create temporary files: CreateFileA GetTempPathA` `Has Internet access capabilities: InternetCloseHandle InternetConnectA InternetOpenA InternetOpenUrlA InternetReadFile` `Interacts with services: EnumServicesStatusExA OpenSCManagerA` `Enumerates local disk drives: GetVolumeInformationA` `Manipulates other processes: OpenProcess Process32FirstW Process32NextW`
Suspicious	The file contains overlay data.	`22624 bytes of data starting at offset 0xfee00.` `The overlay data has an entropy of 7.47259 and is possibly compressed or encrypted.`
Malicious	VirusTotal score: 10/69 (Scanned on 2026-06-12 16:11:58)	`APEX: Malicious` `Bkav: W32.Malware.F2DE97A5` `CrowdStrike: win/malicious_confidence_100% (W)` `Cylance: Unsafe` `Cynet: Malicious (score: 100)` `Elastic: malicious (moderate confidence)` `McAfeeD: ti!4D0667067804` `SentinelOne: Static AI - Suspicious PE` `Symantec: ML.Attribute.HighConfidence` `Trapmine: malicious.moderate.ml.score`

Hashes

MD5	`dc8237479092ba3c36cf82d2f94cb378`
SHA1	`8628a19050a8c6deeb2b3ae6bc6d7d5504a1203d`
SHA256	`4d066706780432c1342099003fc0ac40f0a54561eea7b290c702f9523dd4e810`
SHA3	`52984a342e6d76c1208eea6e4b4cfb0fc2eeb66e6e2a7ff01496cacc3a465e02`
SSDeep	`24576:RxKPDHpuYLadHlK1V7kY15j613cHVdl8X6yHNRrm:RxKLHogfkCj613cHs6yHN5m`
Imports Hash	`4a1cf9a68a2621a371c61ab390807489`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0x80`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_AMD64`
NumberofSections	`9`
TimeDateStamp	2017-Nov-02 06:49:02
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xf0`
Characteristics	`IMAGE_FILE_DEBUG_STRIPPED` `IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LARGE_ADDRESS_AWARE` `IMAGE_FILE_LINE_NUMS_STRIPPED` `IMAGE_FILE_LOCAL_SYMS_STRIPPED`

Image Optional Header

Magic	`PE32+`
LinkerVersion	`2.0`
SizeOfCode	`0xc7800`
SizeOfInitializedData	`0x37200`
SizeOfUninitializedData	`0xe00`
AddressOfEntryPoint	`0x0000000000001420 (Section: .text)`
BaseOfCode	`0x1000`
ImageBase	`0x140000000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`4.0`
ImageVersion	`0.0`
SubsystemVersion	`5.2`
Win32VersionValue	`0`
SizeOfImage	`0x105000`
SizeOfHeaders	`0x400`
Checksum	`0`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` `IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA` `IMAGE_DLLCHARACTERISTICS_NX_COMPAT`
SizeofStackReserve	`0x200000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`0f73ab80e47eebbda4f12d70acc5b245`
SHA1	`10a9a1953f98e3ce662f3064683e8cef20da4de9`
SHA256	`c85f3a1d287c8cce95ebb51bad4d744e03ce26c59c47c0121e9a6db3bb737a24`
SHA3	`6a0aef323f8930a081bcdb745e93923d6ca7a156a042cde41c2af9eeb4c392dd`
VirtualSize	`0xc7620`
VirtualAddress	`0x1000`
SizeOfRawData	`0xc7800`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.17401`

.data

MD5	`42b628ac49b742b996ab1a914b0cf9c6`
SHA1	`811bd9fe7ca41eb4b15df6f62e3d4e850503a23a`
SHA256	`19d56e88f65b8f4a80fa65d85075c3803dc4da6300afaeb1b93341288ea64297`
SHA3	`b009d3b415e3dcc58aee7cf410d430530eeb0f21bc84e4da1de2741bf7df63b0`
VirtualSize	`0x2410`
VirtualAddress	`0xc9000`
SizeOfRawData	`0x2600`
PointerToRawData	`0xc7c00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`0.885019`

.rdata

MD5	`1c7150cde01d500d11aeff3c0f64f383`
SHA1	`62fc8025880ba17e4912987a072f05351ea1f7fe`
SHA256	`5fbbff00719b591ea117d0fcf8830ecc88f0d5c7c65a6067a42808959a3781db`
SHA3	`3e8b8a93e3261383bd13a710356105504d691975524693b972b1a0fe21e1e694`
VirtualSize	`0x17160`
VirtualAddress	`0xcc000`
SizeOfRawData	`0x17200`
PointerToRawData	`0xca200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`5.73923`

.pdata

MD5	`6f5f699b57c5f4bc072db158a62ec6d0`
SHA1	`a2ba026a948a2bdb730069246159874dddc7758f`
SHA256	`9a2fe93fe344b4c2a5ad8a7ceea1e221a6ec278063078cdfa07b1efbc1600799`
SHA3	`11e79d77aefaa26f45a212c261ec5f3c62954014bda6dc1c18c660068ad9491b`
VirtualSize	`0xb214`
VirtualAddress	`0xe4000`
SizeOfRawData	`0xb400`
PointerToRawData	`0xe1400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`5.92808`

.xdata

MD5	`1ed99ca15bb0362d94a7ed895a1a05cf`
SHA1	`06378dc086c2f139d7e0ee70c5c55f20718b79c6`
SHA256	`2bb97643ca34e98a975a0659a9e8a86e563b5b5b628b006b9fec1d97cd3eb707`
SHA3	`0ce2f8e84b7ee914dac19ed44d483b0c06329c9938b64a250422edc74cff5eb1`
VirtualSize	`0xeb60`
VirtualAddress	`0xf0000`
SizeOfRawData	`0xec00`
PointerToRawData	`0xec800`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`4.91144`

.bss

MD5	`d41d8cd98f00b204e9800998ecf8427e`
SHA1	`da39a3ee5e6b4b0d3255bfef95601890afd80709`
SHA256	`e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`
SHA3	`a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a`
VirtualSize	`0xc30`
VirtualAddress	`0xff000`
SizeOfRawData	`0`
PointerToRawData	`0`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_UNINITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`

.idata

MD5	`03a8f9cd97d0dfcabe33afa4db923727`
SHA1	`cd3e2ead3c41c2f4cbfb2e400916980c16ae522b`
SHA256	`42fdbb2b9819777e5e443f7aae08736d0efcd97c88469a4a7b4e3d37e443db7d`
SHA3	`4549c46c29bed9041693582a6c5f4035365e4d8aec38beb675fa1fec0c016ab2`
VirtualSize	`0x1eb8`
VirtualAddress	`0x100000`
SizeOfRawData	`0x2000`
PointerToRawData	`0xfb400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`4.03397`

.tls

MD5	`bf619eac0cdf3f68d496ea9344137e8b`
SHA1	`5c3eb80066420002bc3dcc7ca4ab6efad7ed4ae5`
SHA256	`076a27c79e5ace2a3d47f9dd2e83e4ff6ea8872b3c2218f66c92b89b55f36560`
SHA3	`622de1e1568ddef36c4b89b706b05201c13481c3575d0fc804ff8224787fcb59`
VirtualSize	`0x20`
VirtualAddress	`0x102000`
SizeOfRawData	`0x200`
PointerToRawData	`0xfd400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`0`

.reloc

MD5	`dc35b271d24ba88f14c5ba8fddbe582f`
SHA1	`bcd9b0d97e6f80a66df1378f21484ef70e3f4c5c`
SHA256	`c690e370aacb2b444bcf528077493f262f9a5b9e3c750c96fe9a218e7ddfb355`
SHA3	`ebd7630fa3b3b9e733a63fb4a3098d0e918069eb88f8935746f5d9bf73571d48`
VirtualSize	`0x16d0`
VirtualAddress	`0x103000`
SizeOfRawData	`0x1800`
PointerToRawData	`0xfd600`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`5.35604`

Imports

ADVAPI32.dll	`CloseEventLog` `CloseServiceHandle` `EnumServicesStatusExA` `GetNumberOfEventLogRecords` `OpenEventLogA` `OpenSCManagerA` `RegCloseKey` `RegEnumKeyExA` `RegOpenKeyExA` `RegQueryInfoKeyA` `RegQueryValueExA`
GDI32.dll	`GetDeviceCaps`
IPHLPAPI.DLL	`GetAdaptersInfo`
KERNEL32.dll	`BuildCommDCBAndTimeoutsA` `CheckRemoteDebuggerPresent` `CloseHandle` `CreateEventA` `CreateFileA` `CreateSemaphoreA` `CreateToolhelp32Snapshot` `DeleteCriticalSection` `DuplicateHandle` `EnterCriticalSection` `FindClose` `FindFirstFileA` `FindNextFileA` `FormatMessageA` `GetCPInfo` `GetComputerNameA` `GetCurrentProcess` `GetCurrentProcessId` `GetCurrentThread` `GetCurrentThreadId` `GetDiskFreeSpaceExA` `GetEnvironmentVariableA` `GetFileAttributesA` `GetLastError` `GetModuleHandleA` `GetProcAddress` `GetProcessAffinityMask` `GetStartupInfoA` `GetSystemDefaultLCID` `GetSystemInfo` `GetSystemPowerStatus` `GetSystemTimeAsFileTime` `GetTempPathA` `GetThreadContext` `GetThreadPriority` `GetTickCount` `GetTickCount64` `GetTimeZoneInformation` `GetUserDefaultUILanguage` `GetVolumeInformationA` `GlobalMemoryStatusEx` `InitializeCriticalSection` `IsDBCSLeadByte` `IsDebuggerPresent` `K32EnumDeviceDrivers` `K32GetDeviceDriverFileNameW` `LeaveCriticalSection` `LoadLibraryW` `LocalFree` `Module32FirstW` `Module32NextW` `MultiByteToWideChar` `OpenMutexA` `OpenProcess` `OutputDebugStringA` `Process32FirstW` `Process32NextW` `QueryFullProcessImageNameW` `QueryPerformanceCounter` `QueryPerformanceFrequency` `RaiseException` `ReleaseSemaphore` `ResetEvent` `ResumeThread` `RtlCaptureContext` `RtlLookupFunctionEntry` `RtlUnwindEx` `RtlVirtualUnwind` `SetEvent` `SetLastError` `SetProcessAffinityMask` `SetThreadContext` `SetThreadPriority` `SetUnhandledExceptionFilter` `Sleep` `SuspendThread` `TlsAlloc` `TlsGetValue` `TlsSetValue` `TryEnterCriticalSection` `VirtualProtect` `VirtualQuery` `WaitForMultipleObjects` `WaitForSingleObject` `WideCharToMultiByte`
MFPlat.DLL	`MFShutdown` `MFStartup` `MFTEnumEx`
msvcrt.dll	`iswctype` `_assert` `__C_specific_handler` `___lc_codepage_func` `___mb_cur_max_func` `__getmainargs` `__initenv` `__iob_func` `__set_app_type` `__setusermatherr` `_acmdln` `_amsg_exit` `_beginthreadex` `_cexit` `_commode` `_endthreadex` `_errno` `_fmode` `_initterm` `_setjmp` `_setmode` `_time64` `_vscprintf` `_vsnprintf` `abort` `atexit` `calloc` `exit` `fclose` `fflush` `fopen` `fprintf` `fputc` `fputs` `free` `fwrite` `getenv` `localeconv` `longjmp` `malloc` `memchr` `memcmp` `memcpy` `memmove` `memset` `realloc` `setlocale` `setvbuf` `signal` `strchr` `strcmp` `strcoll` `strerror` `strftime` `strlen` `strncmp` `strtoul` `strxfrm` `towlower` `towupper` `vfprintf` `wcscoll` `wcsftime` `wcslen` `wcsxfrm` `_strdup` `_read` `_fileno`
ole32.dll	`CoCreateInstance` `CoInitializeEx` `CoInitializeSecurity` `CoSetProxyBlanket` `CoTaskMemFree` `CoUninitialize`
OLEAUT32.dll	`SysAllocString` `SysFreeString` `VariantClear` `VariantInit`
SETUPAPI.dll	`SetupDiDestroyDeviceInfoList` `SetupDiEnumDeviceInfo` `SetupDiGetClassDevsA`
USER32.dll	`EnumWindows` `GetCursorPos` `GetDC` `GetLastInputInfo` `GetSystemMetrics` `GetWindowTextA` `IsClipboardFormatAvailable` `IsWindowVisible` `ReleaseDC`
WININET.dll	`HttpOpenRequestA` `HttpSendRequestA` `InternetCloseHandle` `InternetConnectA` `InternetOpenA` `InternetOpenUrlA` `InternetReadFile`

Delayed Imports

Version Info

TLS Callbacks

StartAddressOfRawData	`0x140102000`
EndAddressOfRawData	`0x140102018`
AddressOfIndex	`0x1400ff07c`
AddressOfCallbacks	`0x1400e3130`
SizeOfZeroFill	`0`
Characteristics	`IMAGE_SCN_TYPE_REG`
Callbacks	`0x0000000140011860` `0x0000000140011840` `0x0000000140020920`

Load Configuration

RICH Header

Errors

[*] Warning: Section .bss has a size of 0!

Leave a comment

No comments yet.