Manalyze report for 7a37ab071f41cc27468f17b1c3c576d7

Summary

Architecture	`IMAGE_FILE_MACHINE_AMD64`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_CUI`
Compilation Date	2025-Jan-21 20:11:35
Detected languages	English - United States

Plugin Output

Info	Libraries used to perform cryptographic operations:	`Microsoft's Cryptography API`
Suspicious	The PE is possibly packed.	`Unusual section name found: ....0` `Unusual section name found: ....1` `Unusual section name found: ....2`
Suspicious	The PE contains functions most legitimate programs don't use.	`Possibly launches other programs: ShellExecuteA` `Uses Microsoft's cryptographic API: CryptQueryObject` `Has Internet access capabilities: URLDownloadToFileA` `Leverages the raw socket API to access the Internet: WSACloseEvent` `Manipulates other processes: ReadProcessMemory`
Malicious	VirusTotal score: 42/69 (Scanned on 2025-02-08 12:07:53)	`ALYac: Trojan.GenericKD.75581510` `APEX: Malicious` `AVG: Win64:Evo-gen [Trj]` `AhnLab-V3: Trojan/Win.Generic.R689523` `Alibaba: Packed:Win64/VMProtect.de59b35d` `Antiy-AVL: GrayWare/Win32.Wacapew` `Arcabit: Trojan.Generic.D4814846` `Avast: Win64:Evo-gen [Trj]` `BitDefender: Trojan.GenericKD.75581510` `Bkav: W64.AIDetectMalware` `CAT-QuickHeal: Trojan.Ghanarava.1738998940c576d7` `CTX: exe.trojan.vmprotect` `Cylance: Unsafe` `Cynet: Malicious (score: 100)` `ESET-NOD32: a variant of Win64/Packed.VMProtect.AC suspicious` `Elastic: malicious (high confidence)` `Emsisoft: Trojan.GenericKD.75581510 (B)` `FireEye: Generic.mg.7a37ab071f41cc27` `Fortinet: Riskware/Application` `GData: Trojan.GenericKD.75581510` `Google: Detected` `Gridinsoft: Trojan.Heur!.02212023` `Ikarus: PUA.VMProtect` `K7AntiVirus: Trojan ( 005aeb761 )` `K7GW: Trojan ( 005aeb761 )` `Lionic: Trojan.Win32.VMProtect.4!c` `Malwarebytes: Trojan.VMProtect` `McAfee: Artemis!7A37AB071F41` `McAfeeD: Real Protect-LS!7A37AB071F41` `MicroWorld-eScan: Trojan.GenericKD.75581510` `Microsoft: Program:Win32/Wacapew.C!ml` `Paloalto: generic.ml` `Rising: Trojan.Kryptik@AI.83 (RDML:QXH9RYmLpbQjcWPP0LxMag)` `SentinelOne: Static AI - Malicious PE` `Skyhigh: BehavesLike.Win64.Expiro.wc` `Sophos: Generic Reputation PUA (PUA)` `Symantec: ML.Attribute.HighConfidence` `Trapmine: suspicious.low.ml.score` `TrendMicro-HouseCall: TROJ_GEN.R002H09AR25` `VIPRE: Trojan.GenericKD.75581510` `Varist: W64/ABRisk.LKXX-7597` `alibabacloud: VirTool:Win/Wacapew.C9nj`

Hashes

MD5	`7a37ab071f41cc27468f17b1c3c576d7`
SHA1	`ca790aa4016487d61bdda6f391db9c9a45745e4b`
SHA256	`cd7bf22349ebcb6182e61ad5eaccaede7f4063893b5126e77e7cd14d16ec6bfa`
SHA3	`bfd16806412855312d9db225f79255ce4068c32aac815e0ad54cb8fe23eddfdb`
SSDeep	`393216:OtQwgOEyJhffv6EZCKsd8XyCSXkfG+H5:Ot7gOE2fqEZC4Xy0flH5`
Imports Hash	`00137465d8f498a81ef50bc451490cc3`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0x80`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_AMD64`
NumberofSections	`9`
TimeDateStamp	2025-Jan-21 20:11:35
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xf0`
Characteristics	`IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LARGE_ADDRESS_AWARE`

Image Optional Header

Magic	`PE32+`
LinkerVersion	`14.0`
SizeOfCode	`0x121e00`
SizeOfInitializedData	`0x267400`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x000000000145387A (Section: ....2)`
BaseOfCode	`0x1000`
ImageBase	`0x140000000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`6.0`
ImageVersion	`0.0`
SubsystemVersion	`6.0`
Win32VersionValue	`0`
SizeOfImage	`0x1c7a000`
SizeOfHeaders	`0x400`
Checksum	`0`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_CUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` `IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA` `IMAGE_DLLCHARACTERISTICS_NX_COMPAT` `IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`d41d8cd98f00b204e9800998ecf8427e`
SHA1	`da39a3ee5e6b4b0d3255bfef95601890afd80709`
SHA256	`e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`
SHA3	`a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a`
VirtualSize	`0x121db0`
VirtualAddress	`0x1000`
SizeOfRawData	`0`
PointerToRawData	`0`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`

.rdata

MD5	`d41d8cd98f00b204e9800998ecf8427e`
SHA1	`da39a3ee5e6b4b0d3255bfef95601890afd80709`
SHA256	`e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`
SHA3	`a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a`
VirtualSize	`0x885ec`
VirtualAddress	`0x123000`
SizeOfRawData	`0`
PointerToRawData	`0`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`

.data

MD5	`d41d8cd98f00b204e9800998ecf8427e`
SHA1	`da39a3ee5e6b4b0d3255bfef95601890afd80709`
SHA256	`e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`
SHA3	`a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a`
VirtualSize	`0x1d1e40`
VirtualAddress	`0x1ac000`
SizeOfRawData	`0`
PointerToRawData	`0`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`

.pdata

MD5	`d41d8cd98f00b204e9800998ecf8427e`
SHA1	`da39a3ee5e6b4b0d3255bfef95601890afd80709`
SHA256	`e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`
SHA3	`a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a`
VirtualSize	`0xbd30`
VirtualAddress	`0x37e000`
SizeOfRawData	`0`
PointerToRawData	`0`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`

....0

MD5	`d41d8cd98f00b204e9800998ecf8427e`
SHA1	`da39a3ee5e6b4b0d3255bfef95601890afd80709`
SHA256	`e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`
SHA3	`a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a`
VirtualSize	`0x9105bc`
VirtualAddress	`0x38a000`
SizeOfRawData	`0`
PointerToRawData	`0`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`

....1

MD5	`d89df56922fccfce8a36965809b5f44b`
SHA1	`f07ba44907a20417a113393ef48c64c7d4ae4ca3`
SHA256	`6819ce3243a501caa82d34f52317bc2216967961fc246a066e05076ac0c4fd92`
SHA3	`f132f45d692aad05a62572ecfae9f788d73765939bcc6616e4447ee1f2004daf`
VirtualSize	`0x270`
VirtualAddress	`0xc9b000`
SizeOfRawData	`0x400`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`1.21534`

....2

MD5	`1ea4287835bdff40cc7394180611295e`
SHA1	`81662bedfcc69bc74d2633e7ddd4efe52cffe583`
SHA256	`5e428c4ed9cb25eb17b3bb917e22a138b5f0306267ae8d68b314c88455bf474b`
SHA3	`d79fb9734d2e99176e65113efe59329f00c87c85cd2162ec501cb5dfee1467bb`
VirtualSize	`0xfdb37c`
VirtualAddress	`0xc9c000`
SizeOfRawData	`0xfdb400`
PointerToRawData	`0x800`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_NOT_PAGED` `IMAGE_SCN_MEM_READ`
Entropy	`7.85134`

.rsrc

MD5	`6a945de654e1d217c91d9404b4e02724`
SHA1	`9cae33a5f82aa15409a8302a649b5e49ef14675d`
SHA256	`ccc51531109346cc6e3a86d5009ef15cfda33595a2ab342719492d186e260876`
SHA3	`1bdd9458541da2477bca22ea4f5a192b7510e7a2cd35c788d7db2cf1feda12e3`
VirtualSize	`0x1e0`
VirtualAddress	`0x1c78000`
SizeOfRawData	`0x200`
PointerToRawData	`0xfdbc00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`4.7749`

.reloc

MD5	`f0317379dde05210c3074a0ad1a74d18`
SHA1	`12d1ee685fd6b32fc7e02a30fec48fa9918179c7`
SHA256	`e521bd3996119cfbcb75f4537d41fc9b1a236a2063e32ca81c91df551a09f10f`
SHA3	`1e662570a0396defeb97ac845ebe5965c814a3e2c9bfb86a720c53e5a4a73642`
VirtualSize	`0x11c`
VirtualAddress	`0x1c79000`
SizeOfRawData	`0x200`
PointerToRawData	`0xfdbe00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`2.74266`

Imports

d3d11.dll	`D3D11CreateDeviceAndSwapChain`
D3DCOMPILER_43.dll	`D3DCompile`
dxgi.dll	`CreateDXGIFactory1`
KERNEL32.dll	`ReadProcessMemory`
USER32.dll	`OpenClipboard`
GDI32.dll	`DeleteObject`
ADVAPI32.dll	`GetTokenInformation`
SHELL32.dll	`ShellExecuteA`
ole32.dll	`CoInitialize`
MSVCP140.dll	`?unshift@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEAD1AEAPEAD@Z`
IMM32.dll	`ImmReleaseContext`
dwmapi.dll	`DwmExtendFrameIntoClientArea`
VERSION.dll	`GetFileVersionInfoA`
ntdll.dll	`RtlLookupFunctionEntry`
USERENV.dll	`UnloadUserProfile`
urlmon.dll	`URLDownloadToFileA`
gdiplus.dll	`GdipSaveImageToFile`
bcrypt.dll	`BCryptGenRandom`
VCRUNTIME140_1.dll	`__CxxFrameHandler4`
VCRUNTIME140.dll	`_CxxThrowException`
api-ms-win-crt-stdio-l1-1-0.dll	`_lseeki64`
api-ms-win-crt-utility-l1-1-0.dll	`qsort`
api-ms-win-crt-string-l1-1-0.dll	`wcscpy_s`
api-ms-win-crt-heap-l1-1-0.dll	`free`
api-ms-win-crt-runtime-l1-1-0.dll	`_beginthreadex`
api-ms-win-crt-convert-l1-1-0.dll	`strtol`
api-ms-win-crt-math-l1-1-0.dll	`_fdopen`
api-ms-win-crt-time-l1-1-0.dll	`_time64`
api-ms-win-crt-filesystem-l1-1-0.dll	`_stat64i32`
api-ms-win-crt-locale-l1-1-0.dll	`_configthreadlocale`
api-ms-win-crt-environment-l1-1-0.dll	`_dupenv_s`
WS2_32.dll	`WSACloseEvent`
CRYPT32.dll	`CryptQueryObject`

Delayed Imports

1

Type	`RT_MANIFEST`
Language	English - United States
Codepage	UNKNOWN
Size	`0x188`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`4.89623`
MD5	`b8e76ddb52d0eb41e972599ff3ca431b`
SHA1	`fc12d7ad112ddabfcd8f82f290d84e637a4d62f8`
SHA256	`165c5c883fd4fd36758bcba6baf2faffb77d2f4872ffd5ee918a16f91de5a8a8`
SHA3	`37f83338b28cb102b1b14f27280ba1aa3fffb17f7bf165cb7b675b7e8eb7cddd`

Version Info

TLS Callbacks

Load Configuration

Size	`0x140`
TimeDateStamp	`1970-Jan-01 00:00:00`
Version	`0.0`
GlobalFlagsClear	`(EMPTY)`
GlobalFlagsSet	`(EMPTY)`
CriticalSectionDefaultTimeout	`0`
DeCommitFreeBlockThreshold	`0`
DeCommitTotalFreeThreshold	`0`
LockPrefixTable	`0`
MaximumAllocationSize	`0`
VirtualMemoryThreshold	`0`
ProcessAffinityMask	`0`
ProcessHeapFlags	`(EMPTY)`
CSDVersion	`0`
Reserved1	`0`
EditList	`0`
SecurityCookie	`0x1401ac900`

RICH Header

Errors

[!] Error: Could not reach the TLS callback table.
[*] Warning: Section .text has a size of 0!
[*] Warning: Section .rdata has a size of 0!
[*] Warning: Section .data has a size of 0!
[*] Warning: Section .pdata has a size of 0!
[*] Warning: Section ....0 has a size of 0!