Manalyze report for d0a4d06ef26660dc25c3cb46cdc5042fb72da2bb4b85679b01299df92b7b3ba8

Summary

Architecture	`IMAGE_FILE_MACHINE_AMD64`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_CUI`
Compilation Date	2026-Feb-08 15:38:38
TLS Callbacks	2 callback(s) detected.

Plugin Output

Suspicious	The PE is possibly packed.	`Unusual section name found: .xdata`
Suspicious	The PE contains functions most legitimate programs don't use.	`Leverages the raw socket API to access the Internet: WSAStartup gethostname`
Malicious	VirusTotal score: 5/71 (Scanned on 2026-03-03 00:14:26)	`APEX: Malicious` `Bkav: W64.AIDetectMalware` `CrowdStrike: win/malicious_confidence_100% (D)` `Elastic: malicious (high confidence)` `Symantec: ML.Attribute.HighConfidence`

Hashes

MD5	`2ae07668178f053c253d300d120c7c15`
SHA1	`68407a61d1f65df6437658c88162a5175e6563a6`
SHA256	`d0a4d06ef26660dc25c3cb46cdc5042fb72da2bb4b85679b01299df92b7b3ba8`
SHA3	`84183e0b77a3f33f5c2fb7f8bce5af93b24574a14857c57067192aba25060680`
SSDeep	`192:ULfxjk4S1USz4MsyWjmoIcKZ+isXfNSsGNc1qh1M0LDt:UFj6z4MsyXKFNiNae11`
Imports Hash	`b3de9255d7e7868a4d9732639b6afca1`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0x80`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_AMD64`
NumberofSections	`10`
TimeDateStamp	2026-Feb-08 15:38:38
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xf0`
Characteristics	`IMAGE_FILE_DEBUG_STRIPPED` `IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LARGE_ADDRESS_AWARE` `IMAGE_FILE_LINE_NUMS_STRIPPED` `IMAGE_FILE_LOCAL_SYMS_STRIPPED`

Image Optional Header

Magic	`PE32+`
LinkerVersion	`2.0`
SizeOfCode	`0x1a00`
SizeOfInitializedData	`0x3a00`
SizeOfUninitializedData	`0x200`
AddressOfEntryPoint	`0x0000000000001410 (Section: .text)`
BaseOfCode	`0x1000`
ImageBase	`0x140000000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`4.0`
ImageVersion	`0.0`
SubsystemVersion	`5.2`
Win32VersionValue	`0`
SizeOfImage	`0xc000`
SizeOfHeaders	`0x400`
Checksum	`0xdf14`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_CUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` `IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA` `IMAGE_DLLCHARACTERISTICS_NX_COMPAT`
SizeofStackReserve	`0x200000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`68107c891911882b831914c67ae10e55`
SHA1	`34e3226187adcdf84afd1fc636b96893bd790e1c`
SHA256	`113885ce41755e149cb58d44a42556ef6d0de4560e5705b938ea61f4a8abc30b`
SHA3	`aa9c6076a43bfa897da445cb3b699dc2a2d74fd867c438e0695807b145f73f2b`
VirtualSize	`0x1918`
VirtualAddress	`0x1000`
SizeOfRawData	`0x1a00`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`5.90509`

.data

MD5	`515d9d8d9f5cc4694d7348be14cdfe84`
SHA1	`7452b57874a6a782fabd903f40df926567dc4959`
SHA256	`08da13673f20303a0b525ed28be650ee66acac091491f7f9e12166f5e6c37526`
SHA3	`4fc9f80db08c202e8b0c8269de2aed05c1456cab1de4386f1e64ae2a1c174540`
VirtualSize	`0xc0`
VirtualAddress	`0x3000`
SizeOfRawData	`0x200`
PointerToRawData	`0x1e00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`1.36347`

.rdata

MD5	`e8c18fbcc594563f887ee13e97eeaea7`
SHA1	`a0558b8a7077a9f99f49eb035d85f331117570f4`
SHA256	`501b5d38d9f860604bae1a8bbcf4f6a5368ff5f4db6b7faa294b965fea28c4cd`
SHA3	`900658cebec7b68c5421789a5acdda0907212516bea2750fded264f9539ff064`
VirtualSize	`0x900`
VirtualAddress	`0x4000`
SizeOfRawData	`0xa00`
PointerToRawData	`0x2000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`4.09785`

.pdata

MD5	`827258765545cffc339ebd4253358dfe`
SHA1	`6104de108e7a5d0f1e01d1e0d634708ab6180860`
SHA256	`7135fd92b7d3c9a432d826d013c350d961df80a2e288aa7efe9b5b230d949171`
SHA3	`ad41d3a3466f409d0a39323d0a4cb86fb7123c9a188df070e15b8bcd2e1ae071`
VirtualSize	`0x210`
VirtualAddress	`0x5000`
SizeOfRawData	`0x400`
PointerToRawData	`0x2a00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`2.26785`

.xdata

MD5	`e9f3cb568a8c81b1832314e033764015`
SHA1	`1295b943f077dcf8351e0bb6aecde025fd059c2b`
SHA256	`06ad2ed56c1da5bcace67b204d7c0fc549b241fa58ad635aad50df6ef5720197`
SHA3	`79b1f17104e22396665f7757515c56226bf0d65b20f7869c134a3c97b1bf1dc1`
VirtualSize	`0x1e8`
VirtualAddress	`0x6000`
SizeOfRawData	`0x200`
PointerToRawData	`0x2e00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`4.10898`

.bss

MD5	`d41d8cd98f00b204e9800998ecf8427e`
SHA1	`da39a3ee5e6b4b0d3255bfef95601890afd80709`
SHA256	`e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`
SHA3	`a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a`
VirtualSize	`0x180`
VirtualAddress	`0x7000`
SizeOfRawData	`0`
PointerToRawData	`0`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_UNINITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`

.idata

MD5	`285a927ccf54af3d8109dbeadbee1134`
SHA1	`ef5b34dfe6d21a0c3c1a10f28745212d27e6726c`
SHA256	`de2ea197348500c87d14ac07b7f3afe1243d6cba1163185cd4b1db0dd8d37b59`
SHA3	`9c3287f3aed81315b8134a688063f23f66f697f8f48658a8153af734d7d11e70`
VirtualSize	`0x654`
VirtualAddress	`0x8000`
SizeOfRawData	`0x800`
PointerToRawData	`0x3000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`3.25128`

.CRT

MD5	`b469b07e9cd6d61aa1c116e03c4e1f5a`
SHA1	`0e4f7c75721573ea6d1260f34d2f2bd334615dea`
SHA256	`226cd7d19f0dbffa11fe0d47abd6815c5e24535016a84eb3d26e259f39d9985e`
SHA3	`77a3ef7a72c21704c4a598bddfebdb44ca7ff39578782414a3710c992f972a08`
VirtualSize	`0x60`
VirtualAddress	`0x9000`
SizeOfRawData	`0x200`
PointerToRawData	`0x3800`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`0.27951`

.tls

MD5	`bf619eac0cdf3f68d496ea9344137e8b`
SHA1	`5c3eb80066420002bc3dcc7ca4ab6efad7ed4ae5`
SHA256	`076a27c79e5ace2a3d47f9dd2e83e4ff6ea8872b3c2218f66c92b89b55f36560`
SHA3	`622de1e1568ddef36c4b89b706b05201c13481c3575d0fc804ff8224787fcb59`
VirtualSize	`0x10`
VirtualAddress	`0xa000`
SizeOfRawData	`0x200`
PointerToRawData	`0x3a00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`0`

.reloc

MD5	`0b37d87d7de1ff6300430f75d40568ed`
SHA1	`ce738b0ea587ad91f04e85e1b3e503549e221307`
SHA256	`103a02f99f63b6e9ef554ead4d49cf3205fada5b05035e944cd7b8a8ec40f56a`
SHA3	`83fd87814824c8f924de6bee2c1973167291ff8bb101dbc83d43eabeeb7b4eec`
VirtualSize	`0x78`
VirtualAddress	`0xb000`
SizeOfRawData	`0x200`
PointerToRawData	`0x3c00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`1.40714`

Imports

ADVAPI32.dll	`GetUserNameA`
KERNEL32.dll	`DeleteCriticalSection` `EnterCriticalSection` `GetLastError` `InitializeCriticalSection` `LeaveCriticalSection` `SetUnhandledExceptionFilter` `Sleep` `TlsGetValue` `VirtualProtect` `VirtualQuery`
msvcrt.dll	`__C_specific_handler` `__getmainargs` `__initenv` `__iob_func` `__set_app_type` `__setusermatherr` `_amsg_exit` `_cexit` `_commode` `_fmode` `_getcwd` `_initterm` `_onexit` `abort` `calloc` `exit` `fprintf` `free` `fwrite` `malloc` `memcpy` `signal` `strcmp` `strlen` `strncmp` `strrchr` `strstr` `vfprintf`
WS2_32.dll	`WSAStartup` `gethostname`

Delayed Imports

Version Info

TLS Callbacks

StartAddressOfRawData	`0x14000a000`
EndAddressOfRawData	`0x14000a008`
AddressOfIndex	`0x14000707c`
AddressOfCallbacks	`0x140009038`
SizeOfZeroFill	`0`
Characteristics	`IMAGE_SCN_TYPE_REG`
Callbacks	`0x00000001400015C0` `0x0000000140001590`

Load Configuration

RICH Header

Errors

[*] Warning: Section .bss has a size of 0!

Leave a comment

No comments yet.