b826ab20bd8373dc5211e1a06706d18a6034db718dd561b7d0318d447de2a56c

Summary

Architecture IMAGE_FILE_MACHINE_AMD64
Subsystem IMAGE_SUBSYSTEM_WINDOWS_CUI
Compilation Date 2025-Apr-27 14:04:05

Plugin Output

Info Cryptographic algorithms detected in the binary:
  • Uses constants related to CRC32
Suspicious The PE is possibly packed:
  • Unusual section name found: .fptable
  Note: .fptable is a 0x100-byte, zero-filled (entropy 0), read/write data section. The heuristic fires on the name alone; a zero-filled data section is not evidence of a packer stub. The high entropy in this file sits in the overlay, not in any section.
Malicious The PE contains functions mostly used by malware:
  [!] The program may be hiding some of its imports:
    • LoadLibraryExW
    • GetProcAddress
  Possibly launches other programs:
    • CreateProcessW
  Can create temporary files:
    • GetTempPathW
    • CreateFileW
  Functions related to the privilege level:
    • OpenProcessToken
  Enumerates local disk drives:
    • GetDriveTypeW
  Note: every API in this list also appears in ordinary MSVC-built console programs (the CRT itself resolves some functions through LoadLibraryExW/GetProcAddress), so treat them as pivots for dynamic analysis rather than as findings on their own.
Suspicious The file contains overlay data:
  • 7193841 bytes of data starting at offset 0x84200.
  • The overlay data has an entropy of 7.99814 and is possibly compressed or encrypted.
  • Overlay data accounts for 93.0035% of the executable.
  Note: 0x84200 is exactly the end of the last section (.reloc: PointerToRawData 0x83a00 + SizeOfRawData 0x800), so the appended data lies outside every section and is never mapped by the loader; only code that reopens its own image file (GetModuleFileNameW, CreateFileW, SetFilePointerEx and ReadFile are all imported) can reach it. Together with GetTempPathW, CreateDirectoryW, SetDllDirectoryW and CreateProcessW this has the shape of a self-extracting bundle that drops a payload into a temporary directory and runs it. The report does not identify the bundler or the payload; the overlay has to be carved and analysed separately.
Malicious VirusTotal score: 28/72 (scanned on 2025-06-02 17:07:59)
  APEX: Malicious
  AVG: FileRepMalware [Misc]
  Antiy-AVL: RiskWare/Win32.Kryptik.a
  Avast: FileRepMalware [Misc]
  CAT-QuickHeal: Trojan.Ghanarava.1747776899da8052
  CTX: exe.trojan.xegumumune
  CrowdStrike: win/malicious_confidence_60% (W)
  Cylance: Unsafe
  DeepInstinct: MALICIOUS
  ESET-NOD32: a variant of Generik.FMGKJWR
  Fortinet: PossibleThreat.RF
  GData: Win64.Trojan.Agent.NU63YH
  Google: Detected
  Ikarus: Trojan.SuspectCRC
  K7AntiVirus: Trojan ( 005c6cb91 )
  K7GW: Trojan ( 005c6cb91 )
  Kaspersky: Trojan-Spy.Win64.Xegumumune.fyu
  Lionic: Trojan.Win32.Xegumumune.l!c
  MaxSecure: Trojan.Malware.347608258.susgen
  McAfeeD: ti!B826AB20BD83
  Sangfor: Trojan.Win64.Agent.Veh8
  SentinelOne: Static AI - Suspicious PE
  Skyhigh: BehavesLike.Win64.Trojan.wc
  Sophos: Mal/Generic-S
  Symantec: Trojan.Gen.MBT
  Tencent: Win64.Trojan-Spy.Xegumumune.Gplw
  Zillya: Tool.DDoS.Script.1
  alibabacloud: Trojan[spy]:Win/Xegumumune.fgr
  Note: five engines agree on the family label Xegumumune (Kaspersky, Lionic, Tencent, alibabacloud, CTX); the rest are generic or heuristic names (Generik, Mal/Generic-S, Trojan.Gen.MBT, Static AI, FileRepMalware, Kryptik) that do not describe behaviour. The payload in the overlay is what needs to be examined.
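As a worked check on the overlay finding above (an added example, not Manalyze's code and not code from the sample): the overlay offset is simply the end of the last section's raw data, and the 93% figure follows from the sizes printed in this report. The section table values are copied from the Sections part of this report; the small PE-shaped blob produced by build_toy_pe is constructed for the demonstration only and is not a loadable image.

```python
"""Locate and characterise PE overlay data (bytes appended past the last section)."""
import math
import struct
from collections import Counter

# Section table as listed in this report: (name, PointerToRawData, SizeOfRawData).
REPORT_SECTIONS = [
    (".text",    0x400,   0x2ba00),
    (".rdata",   0x2be00, 0x12c00),
    (".data",    0x3ea00, 0xe00),
    (".pdata",   0x3f800, 0x2400),
    (".fptable", 0x41c00, 0x200),
    (".rsrc",    0x41e00, 0x41c00),
    (".reloc",   0x83a00, 0x800),
]
REPORT_OVERLAY_SIZE = 7193841   # "7193841 bytes of data starting at offset 0x84200"


def overlay_offset(sections):
    """The overlay begins where the last byte of raw section data ends.
    Sections need not be sorted by file offset, so take the maximum end."""
    return max(ptr + size for _, ptr, size in sections)


def overlay_ratio(offset, size):
    """Fraction of the whole file that is overlay, as the plugin output reports it."""
    return size / (offset + size)


def shannon_entropy(data):
    """Bits per byte; 8.0 means every byte value is equally likely (compressed/encrypted)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def section_table_from_pe(blob):
    """Walk DOS header -> NT headers -> IMAGE_SECTION_HEADER array of a raw PE file."""
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", blob, e_lfanew + 6)[0]        # NumberOfSections
    opt_size = struct.unpack_from("<H", blob, e_lfanew + 20)[0]   # SizeOfOptionalHeader
    sec_off = e_lfanew + 24 + opt_size
    sections = []
    for i in range(nsec):
        hdr = blob[sec_off + 40 * i: sec_off + 40 * (i + 1)]
        name = hdr[:8].rstrip(b"\0").decode("ascii", "replace")
        size_raw, ptr_raw = struct.unpack_from("<II", hdr, 16)   # SizeOfRawData, PointerToRawData
        sections.append((name, ptr_raw, size_raw))
    return sections


def overlay_report(blob):
    """Offset, size, share of file and entropy of whatever follows the last section."""
    start = overlay_offset(section_table_from_pe(blob))
    overlay = blob[start:]
    return {
        "offset": start,
        "size": len(overlay),
        "ratio": overlay_ratio(start, len(overlay)),
        "entropy": shannon_entropy(overlay),
    }


def build_toy_pe(overlay):
    """Constructed minimal PE-shaped blob for the demonstration: one 0x200-byte
    section at file offset 0x200, headers padded to 0x400, then `overlay`.
    It is not a loadable image."""
    dos = bytearray(b"MZ".ljust(0x40, b"\0"))
    struct.pack_into("<I", dos, 0x3C, 0x40)                       # e_lfanew
    nt = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 0, 0x22)
    sec = b".text".ljust(8, b"\0") + struct.pack(
        "<IIIIIIHHI", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    return (bytes(dos) + nt + sec).ljust(0x400, b"\0") + bytes(overlay)


if __name__ == "__main__":
    off = overlay_offset(REPORT_SECTIONS)
    print("report: overlay at 0x%x, %.4f%% of file" %
          (off, 100 * overlay_ratio(off, REPORT_OVERLAY_SIZE)))
    print("toy PE:", overlay_report(build_toy_pe(bytes(range(256)) * 4)))
```

Run against the real sample, overlay_report(open(path, "rb").read()) should give offset 0x84200, size 7193841 and an entropy near 7.998; the bytes from that offset are the blob to carve for the next analysis step. Checking the offset against the section table, rather than trusting the plugin line, also catches files whose sections overlap or are listed out of order.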

Hashes

MD5 70a6606f2be0ddd7993de81e87da8052
SHA1 3f6bfee9d8309085249db79611bddc315cf83332
SHA256 b826ab20bd8373dc5211e1a06706d18a6034db718dd561b7d0318d447de2a56c
SHA3 edc6d3bff66b3e32e087541cc2b25d64af0109669edd22b543fef925458a4aaa
SSDeep 196608:Z4LqXMCHGLLc54i1wN+aV0cSXl74w4Uqbn81zeL6:ZUqXMCHWUjCVg74w0bF6
Imports Hash 33742414196e45b8b306a928e178f844
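For pivoting on the Imports Hash above, the following computes an imphash from an import table the way pefile's get_imphash does, which is the convention VirusTotal follows (added example; not the report tool's code). The REPORT_IMPORTS table is copied from the Imports section of this report in the order listed; pefile's extra step of mapping well-known ordinals of oleaut32/ws2_32/wsock32 back to names is left out and marked as a simplification. Whether this report's tool uses exactly the same convention is an assumption; the script prints whether the value computed from the listed imports matches the report's hash, and a mismatch would point at ordering, ordinal or algorithm differences rather than at tampering.

```python
"""Import hash (imphash) as pefile's get_imphash computes it, from a listed import table."""
import hashlib

# Import table copied from the Imports section of this report, in the order listed.
REPORT_IMPORTS = [
    ("USER32.dll", """
        TranslateMessage ShutdownBlockReasonCreate GetWindowThreadProcessId SetWindowLongPtrW
        GetWindowLongPtrW MsgWaitForMultipleObjects ShowWindow DestroyWindow CreateWindowExW
        RegisterClassW DefWindowProcW PeekMessageW DispatchMessageW GetMessageW""".split()),
    ("KERNEL32.dll", """
        GetTimeZoneInformation GetProcessHeap FreeEnvironmentStringsW GetEnvironmentStringsW
        GetCPInfo GetOEMCP GetACP IsValidCodePage GetStringTypeW FormatMessageW GetLastError
        GetModuleFileNameW LoadLibraryExW SetDllDirectoryW CreateSymbolicLinkW GetProcAddress
        CreateDirectoryW GetCommandLineW GetEnvironmentVariableW ExpandEnvironmentStringsW
        DeleteFileW FindClose FindFirstFileW FindNextFileW HeapSize RemoveDirectoryW GetTempPathW
        CloseHandle QueryPerformanceCounter QueryPerformanceFrequency WaitForSingleObject Sleep
        GetCurrentProcess GetCurrentProcessId TerminateProcess GetExitCodeProcess CreateProcessW
        GetStartupInfoW FreeLibrary LocalFree SetConsoleCtrlHandler GetConsoleWindow
        K32EnumProcessModules K32GetModuleFileNameExW CreateFileW FindFirstFileExW
        GetFinalPathNameByHandleW MultiByteToWideChar WideCharToMultiByte GetFileAttributesExW
        HeapReAlloc WriteConsoleW SetEndOfFile GetDriveTypeW GetModuleHandleW RtlCaptureContext
        RtlLookupFunctionEntry RtlVirtualUnwind UnhandledExceptionFilter
        SetUnhandledExceptionFilter IsProcessorFeaturePresent GetCurrentThreadId
        GetSystemTimeAsFileTime InitializeSListHead IsDebuggerPresent RtlUnwindEx SetLastError
        EnterCriticalSection LeaveCriticalSection DeleteCriticalSection
        InitializeCriticalSectionAndSpinCount TlsAlloc TlsGetValue TlsSetValue TlsFree
        EncodePointer RaiseException RtlPcToFileHeader GetFileInformationByHandle GetFileType
        PeekNamedPipe SystemTimeToTzSpecificLocalTime FileTimeToSystemTime ReadFile
        GetFullPathNameW SetStdHandle GetStdHandle WriteFile ExitProcess GetModuleHandleExW
        GetCommandLineA HeapFree GetConsoleMode ReadConsoleW SetFilePointerEx GetConsoleOutputCP
        GetFileSizeEx HeapAlloc FlsAlloc FlsGetValue FlsSetValue FlsFree
        InitializeCriticalSectionEx VirtualProtect CompareStringW LCMapStringW
        GetCurrentDirectoryW FlushFileBuffers SetEnvironmentVariableW""".split()),
    ("ADVAPI32.dll", """
        ConvertSidToStringSidW GetTokenInformation OpenProcessToken
        ConvertStringSecurityDescriptorToSecurityDescriptorW""".split()),
]

STRIPPED_EXTENSIONS = ("ocx", "sys", "dll")


def normalize_import(dll, func):
    """One 'dll.func' token: library lower-cased with .dll/.ocx/.sys removed,
    function lower-cased; an ordinal-only import (int) becomes 'ordN'.
    Simplification: pefile additionally maps well-known ordinals of
    oleaut32/ws2_32/wsock32 to names; that table is not reproduced here."""
    dll = dll.lower()
    base, _, ext = dll.rpartition(".")
    if base and ext in STRIPPED_EXTENSIONS:
        dll = base
    if isinstance(func, int):
        func = "ord%d" % func
    return "%s.%s" % (dll, func.lower())


def import_tokens(imports):
    """Flatten [(dll, [func, ...]), ...] into tokens, preserving table order."""
    return [normalize_import(dll, f) for dll, funcs in imports for f in funcs]


def imphash(imports):
    """MD5 over the comma-joined tokens; the order of DLLs and functions matters."""
    return hashlib.md5(",".join(import_tokens(imports)).encode("ascii")).hexdigest()


if __name__ == "__main__":
    h = imphash(REPORT_IMPORTS)
    print("computed imphash:", h)
    print("matches report  :", h == "33742414196e45b8b306a928e178f844")
```

Because the hash covers the import table in order, two builds of the same bootloader with identical imports share it even when the appended overlay (and therefore every file hash) differs; that is what makes it useful for clustering self-extracting bundles like this one, and also why a single reordered or dynamically resolved import breaks the pivot.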

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0x108

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_AMD64
NumberofSections 7
TimeDateStamp 2025-Apr-27 14:04:05
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xf0
Characteristics IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Image Optional Header

Magic PE32+
LinkerVersion 14.0
SizeOfCode 0x2ba00
SizeOfInitializedData 0x58400
SizeOfUninitializedData 0
AddressOfEntryPoint 0x000000000000C380 (Section: .text)
BaseOfCode 0x1000
ImageBase 0x140000000
SectionAlignment 0x1000
FileAlignment 0x200
OperatingSystemVersion 6.0
ImageVersion 0.0
SubsystemVersion 6.0
Win32VersionValue 0
SizeOfImage 0x8d000
SizeOfHeaders 0x400
Checksum 0x76ce15
Subsystem IMAGE_SUBSYSTEM_WINDOWS_CUI
DllCharacteristics IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
SizeofStackReserve 0x1e8480
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

.text

MD5 6d644ec07349d1b7351e734f7b04810a
SHA1 3dd6ef84fc6c20d528965389245b00f50aadf18f
SHA256 57eb55521320737fa91641e6c05ad400c58cf9776519655f92dcbacaf899a79e
SHA3 6a53e66c377fa16e3f634aa8339df1d32343c3069fbe0095ad0c70e34884d9a5
VirtualSize 0x2b900
VirtualAddress 0x1000
SizeOfRawData 0x2ba00
PointerToRawData 0x400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
Entropy 6.49408

.rdata

MD5 2ee0b1656d31a1cb56b956f842f6b39e
SHA1 d97020838024add0138aceccd75582de4bc337a0
SHA256 133c6479bf58143213a23b1cb8dabcc1017eae1066d5eee7700c91cf9c981bb0
SHA3 7bf9c2730bd9ec42ac7699da7279a23721307c767d54702dff7b9a100452991e
VirtualSize 0x12b3a
VirtualAddress 0x2d000
SizeOfRawData 0x12c00
PointerToRawData 0x2be00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 5.78179

.data

MD5 00758321c33e3c09a8243e456b9d5dd5
SHA1 605c145f0cbecc5b37ece68977e96d51b16e8988
SHA256 b2374b1484461f38ce10b8a704a9e56659cf8958a407d388dab844cfe1adc47f
SHA3 e3509318a66c18cbed1f835d68307b9eb4d37332ff62c9ac874bc88f090e4f67
VirtualSize 0x5350
VirtualAddress 0x40000
SizeOfRawData 0xe00
PointerToRawData 0x3ea00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 1.81742

.pdata

MD5 3990af19e92fb26a3d66e33c73f15c04
SHA1 9ed57c048a6c4d5abfd3c72fde6afc234e8b9c7e
SHA256 0e5ec3b091f12af870892edcffe5d55317656914d1fbe49c7b730223c02f94fa
SHA3 b9610f19705da9ddeb417caba26024a9aaefc9429f32a21cc797ab1487e28233
VirtualSize 0x22e0
VirtualAddress 0x46000
SizeOfRawData 0x2400
PointerToRawData 0x3f800
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 5.34213

.fptable

MD5 bf619eac0cdf3f68d496ea9344137e8b
SHA1 5c3eb80066420002bc3dcc7ca4ab6efad7ed4ae5
SHA256 076a27c79e5ace2a3d47f9dd2e83e4ff6ea8872b3c2218f66c92b89b55f36560
SHA3 622de1e1568ddef36c4b89b706b05201c13481c3575d0fc804ff8224787fcb59
VirtualSize 0x100
VirtualAddress 0x49000
SizeOfRawData 0x200
PointerToRawData 0x41c00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 0

.rsrc

MD5 a90841edf7e1de434b2bcf0cc16255fd
SHA1 e6562e14b30f84c4e7cc370130c7b295d6f1a258
SHA256 2e0b5fb758f321e1de1938cf02c9843eb3e9ac92dfe0fee176b23784e725030a
SHA3 7fdff62a3e07eccd671ebef714fa2b1b574684c627e69fbedc7609a9ef2e092c
VirtualSize 0x41a34
VirtualAddress 0x4a000
SizeOfRawData 0x41c00
PointerToRawData 0x41e00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 5.37453

.reloc

MD5 8f4ea7da830ab1e489c40c02cebb698d
SHA1 13f4c06cca72f3babd32ec78035cef2f67ccf3fc
SHA256 c9ce5f6b1f4a953e70e998828cc4ba3831e2c48db1600bf89a5fb6fcdb5e2e18
SHA3 25701df9c4e6c5670c0e3739cd1fa933a4a0fc3709f43c9cb44369110841d40d
VirtualSize 0x76c
VirtualAddress 0x8c000
SizeOfRawData 0x800
PointerToRawData 0x83a00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Entropy 5.26636

Imports

USER32.dll (14 functions)
  TranslateMessage
  ShutdownBlockReasonCreate
  GetWindowThreadProcessId
  SetWindowLongPtrW
  GetWindowLongPtrW
  MsgWaitForMultipleObjects
  ShowWindow
  DestroyWindow
  CreateWindowExW
  RegisterClassW
  DefWindowProcW
  PeekMessageW
  DispatchMessageW
  GetMessageW
KERNEL32.dll (109 functions)
  GetTimeZoneInformation
  GetProcessHeap
  FreeEnvironmentStringsW
  GetEnvironmentStringsW
  GetCPInfo
  GetOEMCP
  GetACP
  IsValidCodePage
  GetStringTypeW
  FormatMessageW
  GetLastError
  GetModuleFileNameW
  LoadLibraryExW
  SetDllDirectoryW
  CreateSymbolicLinkW
  GetProcAddress
  CreateDirectoryW
  GetCommandLineW
  GetEnvironmentVariableW
  ExpandEnvironmentStringsW
  DeleteFileW
  FindClose
  FindFirstFileW
  FindNextFileW
  HeapSize
  RemoveDirectoryW
  GetTempPathW
  CloseHandle
  QueryPerformanceCounter
  QueryPerformanceFrequency
  WaitForSingleObject
  Sleep
  GetCurrentProcess
  GetCurrentProcessId
  TerminateProcess
  GetExitCodeProcess
  CreateProcessW
  GetStartupInfoW
  FreeLibrary
  LocalFree
  SetConsoleCtrlHandler
  GetConsoleWindow
  K32EnumProcessModules
  K32GetModuleFileNameExW
  CreateFileW
  FindFirstFileExW
  GetFinalPathNameByHandleW
  MultiByteToWideChar
  WideCharToMultiByte
  GetFileAttributesExW
  HeapReAlloc
  WriteConsoleW
  SetEndOfFile
  GetDriveTypeW
  GetModuleHandleW
  RtlCaptureContext
  RtlLookupFunctionEntry
  RtlVirtualUnwind
  UnhandledExceptionFilter
  SetUnhandledExceptionFilter
  IsProcessorFeaturePresent
  GetCurrentThreadId
  GetSystemTimeAsFileTime
  InitializeSListHead
  IsDebuggerPresent
  RtlUnwindEx
  SetLastError
  EnterCriticalSection
  LeaveCriticalSection
  DeleteCriticalSection
  InitializeCriticalSectionAndSpinCount
  TlsAlloc
  TlsGetValue
  TlsSetValue
  TlsFree
  EncodePointer
  RaiseException
  RtlPcToFileHeader
  GetFileInformationByHandle
  GetFileType
  PeekNamedPipe
  SystemTimeToTzSpecificLocalTime
  FileTimeToSystemTime
  ReadFile
  GetFullPathNameW
  SetStdHandle
  GetStdHandle
  WriteFile
  ExitProcess
  GetModuleHandleExW
  GetCommandLineA
  HeapFree
  GetConsoleMode
  ReadConsoleW
  SetFilePointerEx
  GetConsoleOutputCP
  GetFileSizeEx
  HeapAlloc
  FlsAlloc
  FlsGetValue
  FlsSetValue
  FlsFree
  InitializeCriticalSectionEx
  VirtualProtect
  CompareStringW
  LCMapStringW
  GetCurrentDirectoryW
  FlushFileBuffers
  SetEnvironmentVariableW
ADVAPI32.dll (4 functions)
  ConvertSidToStringSidW
  GetTokenInformation
  OpenProcessToken
  ConvertStringSecurityDescriptorToSecurityDescriptorW

Delayed Imports

Resources

1

Type RT_ICON
Language UNKNOWN
Codepage Latin 1 / Western European
Size 0x41428
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 5.34973
MD5 349b118a5a96d4276c27232894fe687a
SHA1 8a36a2e5b7b3351651558a6cc0da89c676acd1e4
SHA256 76babc741ee589581c79e2d989fb41ab74562e2e62e189fb57e967999594cdec
SHA3 2f309c78556ee0a7494144212a55a4aa5387b20daa747ef1c4c09c0bad5bf80b

1 (#2)

Type RT_GROUP_ICON
Language UNKNOWN
Codepage Latin 1 / Western European
Size 0x14
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 2.01924
Detected Filetype Icon file
MD5 a41a06be00ec855eace74cf211ea30b4
SHA1 ab8135d601d44775d933159ad7053382836a701b
SHA256 7efd5b87a511312bcfd31b856c8b939928f17ef64a959a057f26f3ee414c58ff
SHA3 651474142ffce4044922ce3d9c918320ef40ef696ccc7d1dd9bee3212bd4d7c3

1 (#3)

Type RT_MANIFEST
Language UNKNOWN
Codepage Latin 1 / Western European
Size 0x50d
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 5.25791
MD5 84da8dee6b319ea0b10b6de5489c6aae
SHA1 5f8991f3e065fd95614859a293f88b9c70e4bb23
SHA256 abf8f2022f12f350789d961aceaf9ccfd53e7ec58d8c9934cfce77779b4eac11
SHA3 08f0562915b54bedce5a84e9d32cb2efcc538268785103b1852338e20a3b4606

Version Info

Debug Info

IMAGE_DEBUG_TYPE_POGO

Characteristics 0
TimeDateStamp 2025-Apr-27 14:04:05
Version 0.0
SizeofData 816
AddressOfRawData 0x3c580
PointerToRawData 0x3b380

TLS Callbacks

Load Configuration

Size 0x140
TimeDateStamp 1970-Jan-01 00:00:00
Version 0.0
GlobalFlagsClear (EMPTY)
GlobalFlagsSet (EMPTY)
CriticalSectionDefaultTimeout 0
DeCommitFreeBlockThreshold 0
DeCommitTotalFreeThreshold 0
LockPrefixTable 0
MaximumAllocationSize 0
VirtualMemoryThreshold 0
ProcessAffinityMask 0
ProcessHeapFlags (EMPTY)
CSDVersion 0
Reserved1 0
EditList 0
SecurityCookie 0x140040040
GuardCFCheckFunctionPointer 0x14002d410 (5368894480; RVA 0x2d410, inside .rdata)
GuardCFDispatchFunctionPointer 0
GuardCFFunctionTable 0
GuardCFFunctionCount 0
GuardFlags (EMPTY)
Note: IMAGE_DLLCHARACTERISTICS_GUARD_CF is set in the optional header, but as parsed here the load configuration has no guard function table and an empty GuardFlags. Without a valid-target table CFG cannot be enforced for this image, so do not count it as CFG-protected on the strength of the DllCharacteristics bit alone; confirm with dumpbin /loadconfig.
CodeIntegrity.Flags 0
CodeIntegrity.Catalog 0
CodeIntegrity.CatalogOffset 0
CodeIntegrity.Reserved 0
GuardAddressTakenIatEntryTable 0
GuardAddressTakenIatEntryCount 0
GuardLongJumpTargetTable 0
GuardLongJumpTargetCount 0

RICH Header

XOR Key 0xd05a49e1
Unmarked objects 0
C++ objects (33140) 182
C objects (33140) 12
ASM objects (33140) 8
253 (34321) 2
ASM objects (34321) 9
C objects (34321) 17
C++ objects (34321) 40
Imports (33140) 7
Total imports 140
C objects (34808) 25
Linker (34808) 1

Errors
