Manalyze report for ac396fb81faac83d86717226ce513ee5992b9bc448585367e8a69c0d3b91df31

Summary

Architecture	`IMAGE_FILE_MACHINE_AMD64`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	2025-Dec-14 09:25:27
Detected languages	English - United States

Plugin Output

Suspicious	This PE is packed with Themida	`Unusual section name found:` `Unusual section name found:` `Unusual section name found:` `Unusual section name found:` `Unusual section name found:` `Unusual section name found:` `Unusual section name found: .themida` `Section .themida is both writable and executable.` `Unusual section name found: .boot`
Malicious	The PE contains functions mostly used by malware.	`Leverages the raw socket API to access the Internet: ioctlsocket` `Functions related to the privilege level: OpenProcessToken` `Interacts with the certificate store: CertAddCertificateContextToStore`
Malicious	VirusTotal score: 37/65 (Scanned on 2026-02-18 12:05:54)	`ALYac: Application.Generic.4721170` `APEX: Malicious` `AVG: Win64:MalwareX-gen [Misc]` `AhnLab-V3: Trojan/Win.Generic.R728493` `Antiy-AVL: Trojan/Win32.Kepavll` `Arcabit: Application.Generic.D480A12` `Avast: Win64:MalwareX-gen [Misc]` `Bkav: W64.AIDetectMalware` `CTX: exe.trojan.kepavll` `CrowdStrike: win/malicious_confidence_100% (W)` `Cylance: Unsafe` `Cynet: Malicious (score: 100)` `DeepInstinct: MALICIOUS` `ESET-NOD32: Win64/Packed.Themida.Q suspicious application` `Elastic: malicious (high confidence)` `Emsisoft: Application.Generic.4721170 (B)` `Fortinet: Riskware/Application` `GData: Application.Generic.4721170` `Google: Detected` `K7AntiVirus: Unwanted-Program ( 005ce0bd1 )` `K7GW: Unwanted-Program ( 005ce0bd1 )` `Lionic: Trojan.Win32.Generic.4!c` `Malwarebytes: Malware.AI.1261282259` `McAfeeD: Real Protect-LS!E43F166228F5` `MicroWorld-eScan: Application.Generic.4721170` `Microsoft: Trojan:Win32/Kepavll!rfn` `Paloalto: generic.ml` `Sangfor: Suspicious.Win32.Save.a` `SentinelOne: Static AI - Malicious PE` `Sophos: Generic Reputation PUA (PUA)` `Symantec: ML.Attribute.HighConfidence` `Trapmine: malicious.high.ml.score` `TrendMicro-HouseCall: TROJ_GEN.R002H01LJ25` `VIPRE: Application.Generic.4721170` `Varist: W64/Trojan.GKA.gen!Eldorado` `alibabacloud: VirTool:Win/Packed.Themida.Q` `tehtris: Generic.Malware`

Hashes

MD5	`e43f166228f57aff7d485eda3e13f247`
SHA1	`b5d0063b2474a72408e414c95249629d8932c3f1`
SHA256	`ac396fb81faac83d86717226ce513ee5992b9bc448585367e8a69c0d3b91df31`
SHA3	`ca7b2bb3e1ddf55d73ddd1a8646e1334b9f8416daf5cd7945388a2cb93821808`
SSDeep	`393216:wj7FNuzd75ZaqenWIuOMW1DUFyw04mqltoNJVhf:wjZk5kyOMW1Qy14mq0nDf`
Imports Hash	`31573d629106711dba21a31d097fca21`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0x130`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_AMD64`
NumberofSections	`12`
TimeDateStamp	2025-Dec-14 09:25:27
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xf0`
Characteristics	`IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LARGE_ADDRESS_AWARE`

Image Optional Header

Magic	`PE32+`
LinkerVersion	`14.0`
SizeOfCode	`0xbde00`
SizeOfInitializedData	`0x62800`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x0000000001258058 (Section: .boot)`
BaseOfCode	`0x1000`
ImageBase	`0x140000000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`6.0`
ImageVersion	`0.0`
SubsystemVersion	`6.0`
Win32VersionValue	`0`
SizeOfImage	`0x2116000`
SizeOfHeaders	`0x600`
Checksum	`0xf61f04`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA` `IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

MD5	`b44a67bfd5e737df6bf72e46e8501b9f`
SHA1	`c4e4a0fb2980ee1af41e961763a8b9da2937c81b`
SHA256	`db25b2c7d8e2b073292d1a48e8bacaa5de9330a46904846faea2661c63fe30df`
SHA3	`f0863b9801cb578a25a9e1165c373c3ddf6976ea7f9bd574ac00d3d4abba6766`
VirtualSize	`0xbdd30`
VirtualAddress	`0x1000`
SizeOfRawData	`0x67200`
PointerToRawData	`0x600`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`7.96714`

(#2)

MD5	`e6421135b7aa99d1161791296e61c9e7`
SHA1	`04ce8c44c5b21ffc4eeb4e46f913c20f3b6ee173`
SHA256	`e482a65eff8721aebc3e1a6a8cce2431d3789a8c4151050b182c4c7101a6e87f`
SHA3	`8a89f8fae4250d29d19fc717459fab1d65b3d1c84f6b2ce4c3b48839affbee5d`
VirtualSize	`0x33536`
VirtualAddress	`0xbf000`
SizeOfRawData	`0x14e00`
PointerToRawData	`0x67800`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`7.96424`

(#3)

MD5	`39cab9fc78cfee0a3fd4c0bcc2f9f3f2`
SHA1	`03a96d17412c176aa095c20a2760328f971a6aac`
SHA256	`c342064326584857a92107559886a1777a15a124d65e84d79b553b12f5235729`
SHA3	`6d443e388db34dfaa0a1c6bb32e5b1bd47b82b0682c114e27fc1f6c36b1f3c22`
VirtualSize	`0x26278`
VirtualAddress	`0xf3000`
SizeOfRawData	`0x1d000`
PointerToRawData	`0x7c600`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`7.98296`

(#4)

MD5	`de62aefbcf252913cb788af5ae3e5535`
SHA1	`7623ab94c13ae86aadb4e32a264f36890dbcd45d`
SHA256	`341c0f6c93d273ad7025d3592673cbbb722a572b048b6fa043fad518c062c901`
SHA3	`e20e7f31229d9eecd4d76097103bde324e77997cc42cf0a1bd955d3a5e427f86`
VirtualSize	`0x8448`
VirtualAddress	`0x11a000`
SizeOfRawData	`0x5000`
PointerToRawData	`0x99600`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`7.62072`

(#5)

MD5	`7ff20322ea9e59f96f5a6c12044e27c3`
SHA1	`5d88f6f1d3d0ca27b5fa3be45489e23538803b52`
SHA256	`099035f6df8393a93d1e55290bbd288d31d156ed3f8c342111ba6096e653cfbf`
SHA3	`3dc59a01f4ae01182657c2fe70902e0d2ec5c6604f3c57c497a6a98fd37f22b0`
VirtualSize	`0x1e8`
VirtualAddress	`0x123000`
SizeOfRawData	`0x200`
PointerToRawData	`0x9e600`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`4.80442`

(#6)

MD5	`97936612b01405dd0fef6a7b283e579f`
SHA1	`5281e09021d3c032436f68dbe1435c7a90f73481`
SHA256	`8a8ad5f45fc36e3b58af846646a6e93347096bc67e23cacdd00dcca4e1065496`
SHA3	`bc52036dd0cf92a9e49575fd52b4e131e53ba08c07234acda197dc490a32c9e3`
VirtualSize	`0x5c4`
VirtualAddress	`0x124000`
SizeOfRawData	`0x400`
PointerToRawData	`0x9e800`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`7.5955`

.idata

MD5	`19142778c92e9922c5ce7bf1bc9d5981`
SHA1	`7513d31695bc875fd754f34410ba2689d1e590d5`
SHA256	`0340cc69a90a8516a7a7fd6053be39de1300d9220a51d9907a748c081fd1b691`
SHA3	`cd85becd268878085adf3c2ecb880e01743f5cb4cb55d76d0b6be6ee296de806`
VirtualSize	`0x1000`
VirtualAddress	`0x125000`
SizeOfRawData	`0xa00`
PointerToRawData	`0x9ec00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`3.65567`

.tls

MD5	`57ae3efe1e19ab507e68e77be1898f51`
SHA1	`4c4d477e8808fa25275651f6bfdb10578dddac8e`
SHA256	`aa5bfd1eed6d46ca29dd89972a4760c45679bce1ab190bc80f3694c6b498d045`
SHA3	`72e1a854b4fbec99bca07412a728317af71fda5d9b6b3f87484ee7375ca9c5a0`
VirtualSize	`0x1000`
VirtualAddress	`0x126000`
SizeOfRawData	`0x200`
PointerToRawData	`0x9f600`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`0.284569`

.rsrc

MD5	`541ec69b100ce023887d88355a90b4ec`
SHA1	`ed454b60865e0da71f58729ef0112a64ae1cd6bd`
SHA256	`a076766fc0f650922d9a35774116664bc00a3c6959241141f0baf869b104a490`
SHA3	`4420808bd65f6a5915acf3332b3f494e73a1177615b243ae7cf756083de4c8cc`
VirtualSize	`0x1000`
VirtualAddress	`0x127000`
SizeOfRawData	`0x200`
PointerToRawData	`0x9f800`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`4.77204`

.themida

MD5	`d41d8cd98f00b204e9800998ecf8427e`
SHA1	`da39a3ee5e6b4b0d3255bfef95601890afd80709`
SHA256	`e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`
SHA3	`a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a`
VirtualSize	`0x1130000`
VirtualAddress	`0x128000`
SizeOfRawData	`0`
PointerToRawData	`0x9fa00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`

.boot

MD5	`be9d6bf9219312a8386d99322b21e092`
SHA1	`df2ed1ee73da2a8ce77212a209293d1990f50e91`
SHA256	`dbc63a34dfbd1f4ea27ff4ed03b6823bc9c7531d4899c178406e506114128c18`
SHA3	`0fad211fe2655a4c5d7a03a3db9e082ef7bf845743fc486698db8fece21c65c5`
VirtualSize	`0xebc600`
VirtualAddress	`0x1258000`
SizeOfRawData	`0xebc600`
PointerToRawData	`0x9fa00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`7.88756`

.reloc

MD5	`c8e0e3b16757ed6aedfc9624785b9fc4`
SHA1	`1e3e102dde642b6e0c2680a50fd1685616f74c40`
SHA256	`8d6ffce72e5e839c0dc72da03b58b53e60fd47e3daa8b1dbc5a71aae7e2dec1b`
SHA3	`d9443259211334e8c3f90244638692018af70d88b5aad61b7eba83d866295c95`
VirtualSize	`0x1000`
VirtualAddress	`0x2115000`
SizeOfRawData	`0x10`
PointerToRawData	`0xf5c000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_MEM_READ`
Entropy	`2.4746`

Imports

kernel32.dll	`GetModuleHandleA`
WS2_32.dll	`ioctlsocket`
ADVAPI32.dll	`OpenProcessToken`
CRYPT32.dll	`CertAddCertificateContextToStore`
USER32.dll	`GetKeyState`
GDI32.dll	`GetDeviceCaps`
MSVCP140.dll	`?_Ipfx@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA_N_N@Z`
D3DCOMPILER_47.dll	`D3DCompile`
USERENV.dll	`UnloadUserProfile`
IMM32.dll	`ImmSetCandidateWindow`
dwmapi.dll	`DwmExtendFrameIntoClientArea`
d3d11.dll	`D3D11CreateDeviceAndSwapChain`
d3dx11_43.dll	`D3DX11CreateShaderResourceViewFromMemory`
VCRUNTIME140_1.dll	`__CxxFrameHandler4`
VCRUNTIME140.dll	`__current_exception_context`
api-ms-win-crt-stdio-l1-1-0.dll	`fwrite`
api-ms-win-crt-heap-l1-1-0.dll	`_callnewh`
api-ms-win-crt-filesystem-l1-1-0.dll	`_stat64`
api-ms-win-crt-runtime-l1-1-0.dll	`abort`
api-ms-win-crt-math-l1-1-0.dll	`fmodf`
api-ms-win-crt-string-l1-1-0.dll	`strlen`
api-ms-win-crt-convert-l1-1-0.dll	`strtoull`
api-ms-win-crt-locale-l1-1-0.dll	`localeconv`
api-ms-win-crt-environment-l1-1-0.dll	`getenv`
api-ms-win-crt-utility-l1-1-0.dll	`qsort`
api-ms-win-crt-time-l1-1-0.dll	`_time64`
api-ms-win-crt-multibyte-l1-1-0.dll	`_mbsnbcpy`

Delayed Imports

1

Type	`RT_MANIFEST`
Language	English - United States
Codepage	UNKNOWN
Size	`0x188`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`4.89623`
MD5	`b8e76ddb52d0eb41e972599ff3ca431b`
SHA1	`fc12d7ad112ddabfcd8f82f290d84e637a4d62f8`
SHA256	`165c5c883fd4fd36758bcba6baf2faffb77d2f4872ffd5ee918a16f91de5a8a8`
SHA3	`37f83338b28cb102b1b14f27280ba1aa3fffb17f7bf165cb7b675b7e8eb7cddd`

Version Info

TLS Callbacks

Load Configuration

RICH Header

XOR Key	`0x71045f1`
Unmarked objects	`0`
Imports (VS2008 SP1 build 30729)	`24`
Imports (21202)	`2`
Imports (2207)	`2`
253 (35403)	`5`
ASM objects (35403)	`4`
C objects (35403)	`10`
C++ objects (35403)	`37`
Imports (35403)	`6`
Total imports	`486`
Imports (33145)	`23`
C objects (VS2022 Update 4 (17.4.3-4) compiler 31937)	`82`
C++ objects (VS2022 Update 4 (17.4.3-4) compiler 31937)	`20`
C++ objects (LTCG) (35720)	`11`
ASM objects (35720)	`1`
Resource objects (35720)	`1`
Linker (35720)	`1`

Errors

[!] Error: Could not reach the TLS callback table.
[*] Warning: Section .themida has a size of 0!

Leave a comment

No comments yet.