Manalyze report for d1aa5f2504839fc52dce7e10fa5239c39e8f36f3e091eaf5a4eaa86033f14fac

Summary

Architecture	`IMAGE_FILE_MACHINE_I386`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	1992-Jun-19 22:22:17

Plugin Output

Suspicious	PEiD Signature:	`PECompact v2.xx`
Suspicious	The PE is possibly packed.	`Section CODE is both writable and executable.` `Section .rsrc is both writable and executable.`
Info	The PE contains common functions which appear in legitimate applications.	`[!] The program may be hiding some of its imports: LoadLibraryA GetProcAddress` `Can access the registry: RegSetValueExA`
Info	The PE's resources present abnormal characteristics.	`Resource MAIN is possibly compressed or encrypted.` `Resource DATA is possibly compressed or encrypted.`
Malicious	VirusTotal score: 39/72 (Scanned on 2026-04-20 16:12:25)	`APEX: Malicious` `AVG: Win32:MalwareX-gen [Misc]` `Antiy-AVL: HackTool/Win32.Patcher` `Avast: Win32:MalwareX-gen [Misc]` `Avira: TR/AVI.Agent.ysjtt` `Bkav: W32.AIDetectMalware` `CTX: exe.trojan.patcher` `CrowdStrike: win/grayware_confidence_100% (W)` `Cylance: Unsafe` `Cynet: Malicious (score: 100)` `DeepInstinct: MALICIOUS` `ESET-NOD32: Win32/HackTool.Patcher.ED potentially unsafe application` `Elastic: malicious (high confidence)` `F-Secure: Trojan.TR/AVI.Agent.ysjtt` `Fortinet: Riskware/Patcher` `GData: Win32.Trojan.Agent.MXW77Q` `Google: Detected` `K7AntiVirus: Hacktool ( 005d69e71 )` `K7GW: Hacktool ( 005d69e71 )` `Lionic: Hacktool.Win32.Patcher.3!c` `Malwarebytes: Patcher.Trojan.HackTool.DDS` `MaxSecure: Trojan.Malware.109195707.susgen` `McAfeeD: ti!D1AA5F250483` `Microsoft: PUA:Win32/Presenoker` `Paloalto: generic.ml` `Rising: HackTool.Patcher!8.2DD (TFE:4:3hvB3tiJqZS)` `Sangfor: PUP.Win32.Patcher.Vkap` `SentinelOne: Static AI - Suspicious PE` `Skyhigh: BehavesLike.Win32.Dropper.tc` `Sophos: Mal/Generic-S` `Symantec: Trojan Horse` `TrellixENS: Artemis!D1283216EE4C` `VBA32: TrojanBanker.Convagent` `Varist: W32/ABTrojan.ORNK-6010` `Xcitium: Malware@#tdbsi4c3nr4k` `Yandex: Trojan.Igent.bVcXjm.30` `Zillya: Tool.Patcher.Win32.34555` `alibabacloud: Hacktool:Win/Patcher` `tehtris: Generic.Malware`

Hashes

MD5	`d1283216ee4cb9d74a973f0b4830ef24`
SHA1	`c77011773862a9671aed52ac30fd9da1005b7d89`
SHA256	`d1aa5f2504839fc52dce7e10fa5239c39e8f36f3e091eaf5a4eaa86033f14fac`
SHA3	`5a40f82652f965c1a2f461a33d55e8f5246d002234d842c83a1058d1fdaafab2`
SSDeep	`24576:xRG5wN3HJRP5jRR5+Ih7+iwvBiQ5na3Dvd0ezBwaKC9:ow5LP5n5iitdzdVdwL`
Imports Hash	`88760cdb093b2de36b6d33781ba5abe4`

DOS Header

e_magic	`MZ`
e_cblp	`0x50`
e_cp	`0x2`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0xf`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0x1a`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0x100`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_I386`
NumberofSections	`2`
TimeDateStamp	1992-Jun-19 22:22:17
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xe0`
Characteristics	`IMAGE_FILE_32BIT_MACHINE` `IMAGE_FILE_BYTES_REVERSED_HI` `IMAGE_FILE_BYTES_REVERSED_LO` `IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LINE_NUMS_STRIPPED` `IMAGE_FILE_LOCAL_SYMS_STRIPPED`

Image Optional Header

Magic	`PE32`
LinkerVersion	`2.0`
SizeOfCode	`0x1e200`
SizeOfInitializedData	`0x1bf400`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x0001E7B4 (Section: CODE)`
BaseOfCode	`0x1000`
BaseOfData	`0x20000`
ImageBase	`0x400000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`4.0`
ImageVersion	`0.0`
SubsystemVersion	`4.0`
Win32VersionValue	`0`
SizeOfImage	`0x1ea000`
SizeOfHeaders	`0x400`
Checksum	`0x111a6f`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x4000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

CODE

MD5	`3de36d86abd8f1607c6a63e5430651cd`
SHA1	`be4b9af490e8b4152ca8f1b0b1a8d935aaaa685f`
SHA256	`23b9327fa9bbef38b9d4b896af07f806d0a9240bc6d09fe4c2c8ce857949319f`
SHA3	`d7087b7d59e1d2c22d2e4f281033dcaae84c5132b05e1f68654c67642590d6e2`
VirtualSize	`0x1e3000`
VirtualAddress	`0x1000`
SizeOfRawData	`0xffc00`
PointerToRawData	`0x400`
PointerToRelocations	`0x32434550`
PointerToLineNumbers	`0x4f80`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`7.99982`

.rsrc

MD5	`a6469c6b40aedad521d7a10feb4fdfb7`
SHA1	`c7af08b8d63a4e889bea4192c7dc4ec1a4561353`
SHA256	`498a645e9bf91b97ba6d0a1b501b0ed01a9cb3ef061c6b8e596e66c3a80e1e80`
SHA3	`c843f93c898a3febb8e834781b4f760f505d6458f4392d6eee4483490ba0a8dd`
VirtualSize	`0x6000`
VirtualAddress	`0x1e4000`
SizeOfRawData	`0x5800`
PointerToRawData	`0x100000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`5.94261`

Imports

kernel32.dll	`LoadLibraryA` `GetProcAddress` `VirtualAlloc` `VirtualFree`
user32.dll	`CharNextA`
oleaut32.dll	`SysFreeString`
advapi32.dll	`RegSetValueExA`
version.dll	`VerQueryValueA`
gdi32.dll	`SetTextColor`
msimg32.dll	`AlphaBlend`
ole32.dll	`CoTaskMemFree`
shell32.dll	`SHGetPathFromIDListA`
comdlg32.dll	`GetSaveFileNameA`
IMAGEHLP.DLL	`CheckSumMappedFile`
winmm.dll	`sndPlaySoundA`

Delayed Imports

50

Type	`RT_ICON`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x4228`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.34411`
MD5	`82bd8c7929b7d3394d7276d7d52eed3d`
SHA1	`7a688f271244074f45ad44566196766df8d04235`
SHA256	`7ee69637ba5cec56c5058d4dd82f8e1fb17f71bab7c277609102186140216ab6`
SHA3	`3ed98f88c2f8566d96ed6e4343a759a961c34b7566f938191e95f07e78381384`

MAIN

Type	`RT_DIALOG`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x358`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`7.77248`
MD5	`b873358b14857e7450073555cc337a7e`
SHA1	`3a683b154f9d93fdaa2cdcedd60fd311e0b30831`
SHA256	`9ab48f25b833095afd686d6d8c9443f8400287f48ad124370b0c849e7e3fbf58`
SHA3	`e2acda22660df6b74b253cb592c56c27eda5d3cd548c306346fdc94ae93d2d97`

DATA

Type	`RT_RCDATA`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0xdc`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`7.02303`
MD5	`4c9f6610c2c8f024eb4067ba042f5a92`
SHA1	`ac13014713889cf0e1b17865c6fd4baccc5de5f9`
SHA256	`657c9a7d10f3fd464d13a08ccccb4a91e5b07c7af887a25ad9e1307bcf27ef2e`
SHA3	`2cff11cf266d8770a3059d0dcc29ad74f4abff725e350c316f1f386ba7142b97`

INFO

Type	`RT_RCDATA`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0xa7`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`6.81314`
MD5	`5ca80111d8605d06c38148b0a790f0ec`
SHA1	`7f3976cf66f01cfb5be3ba5e686937afd37df814`
SHA256	`1612cf6d2d07a45a1003362a492cc3db905978b98a5a83b8b8da1e2aaf3d361e`
SHA3	`cc9f9b3162a6b48818c06a3ccc0d9230cd5a26b0109db01645aac4184e694110`

MAINICON

Type	`RT_GROUP_ICON`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x14`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.1815`
Detected Filetype	Icon file
MD5	`2dbdba8edd9b91f841055e0ef9b0b7a2`
SHA1	`8439ea0be3f3c90c223610906986f6f02e1a3d42`
SHA256	`c8e7628cce11ffd26e7725efc60bfe6e01e2b16fea9baac084b1c9785f584b77`
SHA3	`6da502044b6f483e5f5f6778af6954d782476f35967357859f157ac88b5befc7`

1

Type	`RT_MANIFEST`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x2f3`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.09702`
MD5	`fd0c12f2d34a5f292be6d7b56131bb0f`
SHA1	`5689323b65b21961ab3328cdd9f9f1646120c72e`
SHA256	`ef5e3f966d8dac170f799988ae04be725703d99a83a27dbe51e9379484ea5756`
SHA3	`9ac6158c775dcf0eebdab0a3a6a9fadfea2936969459eeb7416b86b858506576`

Version Info

TLS Callbacks

StartAddressOfRawData	`0x5e97fc`
EndAddressOfRawData	`0x5e9804`
AddressOfIndex	`0x5e97f4`
AddressOfCallbacks	`0x5e97f8`
SizeOfZeroFill	`0`
Characteristics	`IMAGE_SCN_TYPE_REG`
Callbacks	`(EMPTY)`

Load Configuration

RICH Header

Errors

[*] Warning: Ignored an invalid IMAGE_RESOURCE_DATA_ENTRY

Leave a comment

No comments yet.