Manalyze report for 6f29c9669dd80270df246f02e629f9cc8d92de3b05896fe9e375e12abdd2f6ed

Summary

Architecture	`IMAGE_FILE_MACHINE_AMD64`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_CUI`
Compilation Date	1970-Jan-01 00:00:00
TLS Callbacks	3 callback(s) detected.

Plugin Output

Suspicious	The PE is possibly packed.	`Unusual section name found: .xdata`
Suspicious	The PE contains functions most legitimate programs don't use.	`Functions which can be used for anti-debugging purposes: CreateToolhelp32Snapshot` `Uses Windows's Native API: NtReadFile NtWriteFile` `Manipulates other processes: OpenProcess Process32FirstW Process32NextW ReadProcessMemory WriteProcessMemory`
Suspicious	No VirusTotal score.	`This file has never been scanned on VirusTotal.`

Hashes

MD5	`7221f0becdce60882afae08bcea17e43`
SHA1	`1a2e81a9e6174c07eeb71a577de9f063fa9ea28a`
SHA256	`6f29c9669dd80270df246f02e629f9cc8d92de3b05896fe9e375e12abdd2f6ed`
SHA3	`98b0a3177e3547ee4fef1fea4cf52935429ba6af706cc76443918b8aa097567f`
SSDeep	`6144:icYNN9Xy3Q0ueYppkkZqRx5BpO9NgFfj5:icw32QpqkZqRxnpO9NC`
Imports Hash	`89e8eea239cd0117af3bc265e1c8f5d4`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0x80`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_AMD64`
NumberofSections	`9`
TimeDateStamp	1970-Jan-01 00:00:00
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xf0`
Characteristics	`IMAGE_FILE_DEBUG_STRIPPED` `IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LARGE_ADDRESS_AWARE` `IMAGE_FILE_LINE_NUMS_STRIPPED` `IMAGE_FILE_LOCAL_SYMS_STRIPPED`

Image Optional Header

Magic	`PE32+`
LinkerVersion	`2.0`
SizeOfCode	`0x35400`
SizeOfInitializedData	`0x11200`
SizeOfUninitializedData	`0x200`
AddressOfEntryPoint	`0x0000000000001440 (Section: .text)`
BaseOfCode	`0x1000`
ImageBase	`0x140000000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`4.0`
ImageVersion	`0.0`
SubsystemVersion	`5.2`
Win32VersionValue	`0`
SizeOfImage	`0x4e000`
SizeOfHeaders	`0x400`
Checksum	`0x490a8`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_CUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` `IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA` `IMAGE_DLLCHARACTERISTICS_NX_COMPAT`
SizeofStackReserve	`0x200000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`12f02b46195868be0f1c10ab87c36062`
SHA1	`cec7b93f306eeff96411a60bdf5849489a573961`
SHA256	`f6f883527339c2881e3df577820278d802bdb3f69967a800e920b50c63210ebd`
SHA3	`e16f0b09ad229876e9c16cc3bcbdd2b9de346ccb0ee2b055d44d926dcb7cca14`
VirtualSize	`0x35310`
VirtualAddress	`0x1000`
SizeOfRawData	`0x35400`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.33876`

.data

MD5	`0e37e175d233e917523bb93a9702f6df`
SHA1	`17bd0eed1713a8dc2f404b993f2df33aadac2746`
SHA256	`68bf7abbf015d8c6c933ffc9aa63d6e21a1817c7818eac84dc7e67a10b53c9fa`
SHA3	`5a600e960c91121bc58f41b5547055f5eb67e8706e407a4afd66acc76749dfa7`
VirtualSize	`0x9a0`
VirtualAddress	`0x37000`
SizeOfRawData	`0xa00`
PointerToRawData	`0x35800`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`0.135748`

.rdata

MD5	`12c421cfe7e91b756f0c1ce4b265fabc`
SHA1	`2bd73bcdce7dacb0d1f1b2e475062eda70412004`
SHA256	`ecffb84059f1bf8f913770df422911514a279e4fdbe97cf08d227a64ca43e211`
SHA3	`e3e289a72c033b0d892da924e71586960500638c75e08f6421acc19e87bb6ac1`
VirtualSize	`0xb228`
VirtualAddress	`0x38000`
SizeOfRawData	`0xb400`
PointerToRawData	`0x36200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`6.52209`

.pdata

MD5	`4d81f7ebcf4f3a618d3af68363af2708`
SHA1	`317da8fe20e3e00f94817426efdeef81e3e33adf`
SHA256	`fb8468f673d309e922bfcb9e87bc1e239ff267f2b473820e819cef29cf4130bd`
SHA3	`3d0afb2c509db4ea4b630434ff9e3870369b45c3e52e62b98ba1bba03a6f42a9`
VirtualSize	`0x135c`
VirtualAddress	`0x44000`
SizeOfRawData	`0x1400`
PointerToRawData	`0x41600`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`5.33597`

.xdata

MD5	`8070f74b1c0a975ac7cced36c1c8fb3c`
SHA1	`2ff62106536d23b3fc8b024a52186e435ecea760`
SHA256	`5540175a35316b60b8fc45728b3842f10d98cf9e3efe8642c77298f31cc30a58`
SHA3	`ebfe052777e2ea489e1cfc88126c96c53e656a5fb1592b7b2d710b84a20338a7`
VirtualSize	`0x276c`
VirtualAddress	`0x46000`
SizeOfRawData	`0x2800`
PointerToRawData	`0x42a00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`5.47716`

.bss

MD5	`d41d8cd98f00b204e9800998ecf8427e`
SHA1	`da39a3ee5e6b4b0d3255bfef95601890afd80709`
SHA256	`e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`
SHA3	`a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a`
VirtualSize	`0x1e0`
VirtualAddress	`0x49000`
SizeOfRawData	`0`
PointerToRawData	`0`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_UNINITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`

.idata

MD5	`7278e2b438e5a58da90cb407d81cf738`
SHA1	`0996bce9441aac0b5eba8e236ee2d45d11be0df8`
SHA256	`de5b71189034d7e7368199f8231bd5a1eaca25ea10ebbf0c87d5a1b05530be4a`
SHA3	`30cbc8cc12973679369256acd8bc943c1127aba296b51115f078c2113a41e522`
VirtualSize	`0x10ec`
VirtualAddress	`0x4a000`
SizeOfRawData	`0x1200`
PointerToRawData	`0x45200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`4.09869`

.tls

MD5	`bf619eac0cdf3f68d496ea9344137e8b`
SHA1	`5c3eb80066420002bc3dcc7ca4ab6efad7ed4ae5`
SHA256	`076a27c79e5ace2a3d47f9dd2e83e4ff6ea8872b3c2218f66c92b89b55f36560`
SHA3	`622de1e1568ddef36c4b89b706b05201c13481c3575d0fc804ff8224787fcb59`
VirtualSize	`0x10`
VirtualAddress	`0x4c000`
SizeOfRawData	`0x200`
PointerToRawData	`0x46400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`0`

.reloc

MD5	`7812b28a53cade473936bef5438f3918`
SHA1	`4028cdad6d8afa536cb4e705081bbf868194d6fe`
SHA256	`86aa4a4710a150a880be6f0de12d3f5d218cd0c3f2c817ebfe241ed3a9a4f533`
SHA3	`d9e9da5a4e95559fb5e0763db4e0365d736bea8784305abab10e9d720dbb70eb`
VirtualSize	`0x2ec`
VirtualAddress	`0x4d000`
SizeOfRawData	`0x400`
PointerToRawData	`0x46600`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`4.43223`

Imports

api-ms-win-core-synch-l1-2-0.dll	`WaitOnAddress` `WakeByAddressAll` `WakeByAddressSingle`
KERNEL32.dll	`DeleteCriticalSection` `EnterCriticalSection` `InitializeCriticalSection` `LeaveCriticalSection` `RaiseException` `RtlUnwindEx` `VirtualProtect` `VirtualQuery` `__C_specific_handler`
msvcrt.dll	`__getmainargs` `__initenv` `__iob_func` `__set_app_type` `__setusermatherr` `_amsg_exit` `_cexit` `_commode` `_fmode` `_fpreset` `_initterm` `abort` `atexit` `calloc` `exit` `fflush` `fprintf` `free` `malloc` `memcmp` `memcpy` `memmove` `memset` `setvbuf` `signal` `strlen` `strncmp` `vfprintf`
kernel32.dll	`AddVectoredExceptionHandler` `CloseHandle` `CreateFileMappingA` `CreateFileW` `CreateToolhelp32Snapshot` `CreateWaitableTimerExW` `DuplicateHandle` `FindClose` `FindFirstFileExW` `FormatMessageW` `GetConsoleMode` `GetConsoleOutputCP` `GetConsoleWindow` `GetCurrentDirectoryW` `GetCurrentProcess` `GetCurrentThread` `GetCurrentThreadId` `GetEnvironmentVariableW` `GetExitCodeProcess` `GetFileInformationByHandle` `GetFileInformationByHandleEx` `GetFullPathNameW` `GetLastError` `GetModuleHandleA` `GetModuleHandleW` `GetProcAddress` `GetProcessHeap` `GetStdHandle` `GetSystemTimePreciseAsFileTime` `HeapAlloc` `HeapFree` `HeapReAlloc` `InitOnceBeginInitialize` `InitOnceComplete` `MapViewOfFile` `Module32FirstW` `Module32NextW` `MultiByteToWideChar` `OpenProcess` `Process32FirstW` `Process32NextW` `QueryPerformanceCounter` `QueryPerformanceFrequency` `ReadProcessMemory` `RtlCaptureContext` `RtlLookupFunctionEntry` `RtlVirtualUnwind` `SetFileInformationByHandle` `SetFileTime` `SetLastError` `SetThreadStackGuarantee` `SetUnhandledExceptionFilter` `SetWaitableTimer` `Sleep` `TlsAlloc` `TlsFree` `TlsGetValue` `TlsSetValue` `UnmapViewOfFile` `WaitForSingleObject` `WriteConsoleW` `WriteProcessMemory`
ntdll.dll	`NtReadFile` `NtWriteFile` `RtlNtStatusToDosError`
user32.dll	`ShowWindow`

Delayed Imports

Version Info

TLS Callbacks

StartAddressOfRawData	`0x14004c000`
EndAddressOfRawData	`0x14004c008`
AddressOfIndex	`0x14004911c`
AddressOfCallbacks	`0x1400431f8`
SizeOfZeroFill	`0`
Characteristics	`IMAGE_SCN_TYPE_REG`
Callbacks	`0x0000000140011690` `0x0000000140035170` `0x0000000140035150`

Load Configuration

RICH Header

Errors

[*] Warning: Section .bss has a size of 0!

Leave a comment

No comments yet.