Manalyze report for dcec11af38add5b644c9a57a9d9c66323b1f47323d313437a0b27225f8769c11

Summary

Architecture	`IMAGE_FILE_MACHINE_AMD64`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	2017-Dec-30 01:32:49
TLS Callbacks	3 callback(s) detected.

Plugin Output

Suspicious	Strings found in the binary may indicate undesirable behavior:	`Tries to detect virtualized environments: HARDWARE\DESCRIPTION\System HARDWARE\Description\System` `Looks for VMWare presence: VEN_15AD VMTools VMware hgfs.sys mhgfs.sys vmmemctl vmmouse vmtools vmx86` `Looks for VirtualBox presence: HARDWARE\ACPI\DSDT\VBOX__ HARDWARE\ACPI\FADT\VBOX__ HARDWARE\ACPI\RSDT\VBOX__ SOFTWARE\Oracle\VirtualBox Guest Additions VBoxGuest VBoxHook.dll VBoxMouse VBoxSF VBoxService VBoxTray VEN_80EE \\.\pipe\VBoxMiniRdDN \\.\pipe\VBoxTrayIPC` `Looks for Qemu presence: QEMU Qemu qemu` `May have dropper capabilities: CurrentControlSet\Services` `Accesses the WMI: ROOT\CIMV2` `Contains domain names: api.telegram.org https://api.ipapi.is https://api.ipapi.is/text telegram.org`
Suspicious	The PE is possibly packed.	`Unusual section name found: .xdata`
Suspicious	The PE contains functions most legitimate programs don't use.	`[!] The program may be hiding some of its imports: GetProcAddress LoadLibraryW` `Functions which can be used for anti-debugging purposes: CheckRemoteDebuggerPresent CreateToolhelp32Snapshot` `Can access the registry: RegCloseKey RegEnumKeyExA RegOpenKeyExA RegQueryInfoKeyA RegQueryValueExA` `Can create temporary files: CreateFileA GetTempPathA` `Has Internet access capabilities: InternetCloseHandle InternetConnectA InternetOpenA InternetOpenUrlA InternetReadFile` `Interacts with services: EnumServicesStatusExA OpenSCManagerA` `Enumerates local disk drives: GetVolumeInformationA` `Manipulates other processes: OpenProcess Process32FirstW Process32NextW`
Suspicious	The file contains overlay data.	`30616 bytes of data starting at offset 0x107200.` `The overlay data has an entropy of 7.3328 and is possibly compressed or encrypted.`

Hashes

MD5	`524aede1cc986c713b892df84a7ebf09`
SHA1	`47833263df63bb4fe9c424b064351a643eb77b19`
SHA256	`dcec11af38add5b644c9a57a9d9c66323b1f47323d313437a0b27225f8769c11`
SHA3	`9a0337b3bdaf545f22fd67801a1120e660c701158369388d6641b3bc0efad558`
SSDeep	`24576:Qb2DsBwnLMBC+9Yz7d4ZPqRewjsHBmH+edIX:Qb2Dew0qB4sRewjs3edIX`
Imports Hash	`4a1cf9a68a2621a371c61ab390807489`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0x80`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_AMD64`
NumberofSections	`9`
TimeDateStamp	2017-Dec-30 01:32:49
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xf0`
Characteristics	`IMAGE_FILE_DEBUG_STRIPPED` `IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LARGE_ADDRESS_AWARE` `IMAGE_FILE_LINE_NUMS_STRIPPED` `IMAGE_FILE_LOCAL_SYMS_STRIPPED`

Image Optional Header

Magic	`PE32+`
LinkerVersion	`2.0`
SizeOfCode	`0xcf800`
SizeOfInitializedData	`0x37600`
SizeOfUninitializedData	`0xe00`
AddressOfEntryPoint	`0x0000000000001420 (Section: .text)`
BaseOfCode	`0x1000`
ImageBase	`0x140000000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`4.0`
ImageVersion	`0.0`
SubsystemVersion	`5.2`
Win32VersionValue	`0`
SizeOfImage	`0x10d000`
SizeOfHeaders	`0x400`
Checksum	`0`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` `IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA` `IMAGE_DLLCHARACTERISTICS_NX_COMPAT`
SizeofStackReserve	`0x200000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`14e4078ebfdc02f9d316997f00a97380`
SHA1	`820d1a9b23da9ab8601a465939100b6967e03cbf`
SHA256	`421f52dfe2c6c280ea1cedae4e7ac33843b4bdb2302c2c9d582475de39ba90fc`
SHA3	`a3d239ce9c26ef3ae83c89fbb912a6e1a087558e07e9e253261a55d3c3b464c2`
VirtualSize	`0xcf760`
VirtualAddress	`0x1000`
SizeOfRawData	`0xcf800`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.17029`

.data

MD5	`be692f21402bb1989589a827efb7fdf3`
SHA1	`4f3de095d698e2adf3a333adb05fc984b4d67e26`
SHA256	`96fa5e32a048e3c2b7a0968972c00f9fbe19627448221c3f2eaea17ee4417c88`
SHA3	`fc350dc530b6c3f732da8396f762e4d9d61eb087f0c126f219f09967027ff201`
VirtualSize	`0x2410`
VirtualAddress	`0xd1000`
SizeOfRawData	`0x2600`
PointerToRawData	`0xcfc00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`0.875623`

.rdata

MD5	`3401f09e524405ceea3d88749f02a7df`
SHA1	`36a4a752cba648167b7651469a731bedea544d47`
SHA256	`36950a20015dd2aa049f7a664b011a6f9e2510ba559ebe8d6cf413952cc70d49`
SHA3	`92cf1bfbc1673c0a28afab994625dbda855e6aa6cb5b7da479090aa7580d4c98`
VirtualSize	`0x172e0`
VirtualAddress	`0xd4000`
SizeOfRawData	`0x17400`
PointerToRawData	`0xd2200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`5.69701`

.pdata

MD5	`898a1b31096fe0ce2c58d4b82995ff47`
SHA1	`545a61e83f31969f2db0d1f61c73b1cc9f185cf5`
SHA256	`0607e06a49fb99543e85b1322c2921c1107980e4c9ea5d101e6f868f77dae17a`
SHA3	`09ed552fd248c0e53b8a3543447b70aa464f7f07e6aefb4151e814a70d8afc7a`
VirtualSize	`0xb148`
VirtualAddress	`0xec000`
SizeOfRawData	`0xb200`
PointerToRawData	`0xe9600`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`5.97576`

.xdata

MD5	`75fff39aba05018715b56709e91036e4`
SHA1	`7e6f3f753da2a6a8750896d980dcb2801608285f`
SHA256	`64221591dd010b16b276ca0db41e4040ed700720a25b19b581fe291fb3311561`
SHA3	`7166910f25d25755b0cd42a7b51736cca3ca18209040b93e3e4af15782abf1a2`
VirtualSize	`0xeeb4`
VirtualAddress	`0xf8000`
SizeOfRawData	`0xf000`
PointerToRawData	`0xf4800`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`4.9316`

.bss

MD5	`d41d8cd98f00b204e9800998ecf8427e`
SHA1	`da39a3ee5e6b4b0d3255bfef95601890afd80709`
SHA256	`e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`
SHA3	`a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a`
VirtualSize	`0xc30`
VirtualAddress	`0x107000`
SizeOfRawData	`0`
PointerToRawData	`0`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_UNINITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`

.idata

MD5	`7e78791d86752f8b0b7f8763d4d3d7f8`
SHA1	`96a60f1e1fe6cede0904daa7287ac90b42eb2412`
SHA256	`bad1d23aa62a6bb63eb7d7114755f6ca2f0b6b9494dba08be8705e4efa35aea3`
SHA3	`dc8d60b67b965ce60e5ebc4d0f802b81ef14055a0ba8cbc0835f8908ac863fd2`
VirtualSize	`0x1eb8`
VirtualAddress	`0x108000`
SizeOfRawData	`0x2000`
PointerToRawData	`0x103800`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`4.19459`

.tls

MD5	`bf619eac0cdf3f68d496ea9344137e8b`
SHA1	`5c3eb80066420002bc3dcc7ca4ab6efad7ed4ae5`
SHA256	`076a27c79e5ace2a3d47f9dd2e83e4ff6ea8872b3c2218f66c92b89b55f36560`
SHA3	`622de1e1568ddef36c4b89b706b05201c13481c3575d0fc804ff8224787fcb59`
VirtualSize	`0x20`
VirtualAddress	`0x10a000`
SizeOfRawData	`0x200`
PointerToRawData	`0x105800`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`0`

.reloc

MD5	`2f834006f47ab8f3e0ac89f8a1455f13`
SHA1	`893e2cfc721c2e0054304cdbb198535691c5dc9b`
SHA256	`b0fb67cde01ca5b8c53513200f2c8ac76e0970f2b46be65c7f92fd0a009644f6`
SHA3	`1726425b5c93e0b50e364649ca962017cb376b8d1daa8cd470573407b895fa18`
VirtualSize	`0x16b8`
VirtualAddress	`0x10b000`
SizeOfRawData	`0x1800`
PointerToRawData	`0x105a00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`5.37456`

Imports

ADVAPI32.dll	`CloseEventLog` `CloseServiceHandle` `EnumServicesStatusExA` `GetNumberOfEventLogRecords` `OpenEventLogA` `OpenSCManagerA` `RegCloseKey` `RegEnumKeyExA` `RegOpenKeyExA` `RegQueryInfoKeyA` `RegQueryValueExA`
GDI32.dll	`GetDeviceCaps`
IPHLPAPI.DLL	`GetAdaptersInfo`
KERNEL32.dll	`BuildCommDCBAndTimeoutsA` `CheckRemoteDebuggerPresent` `CloseHandle` `CreateEventA` `CreateFileA` `CreateSemaphoreA` `CreateToolhelp32Snapshot` `DeleteCriticalSection` `DuplicateHandle` `EnterCriticalSection` `FindClose` `FindFirstFileA` `FindNextFileA` `FormatMessageA` `GetCPInfo` `GetComputerNameA` `GetCurrentProcess` `GetCurrentProcessId` `GetCurrentThread` `GetCurrentThreadId` `GetDiskFreeSpaceExA` `GetEnvironmentVariableA` `GetFileAttributesA` `GetLastError` `GetModuleHandleA` `GetProcAddress` `GetProcessAffinityMask` `GetStartupInfoA` `GetSystemDefaultLCID` `GetSystemInfo` `GetSystemPowerStatus` `GetSystemTimeAsFileTime` `GetTempPathA` `GetThreadContext` `GetThreadPriority` `GetTickCount` `GetTickCount64` `GetTimeZoneInformation` `GetUserDefaultUILanguage` `GetVolumeInformationA` `GlobalMemoryStatusEx` `InitializeCriticalSection` `IsDBCSLeadByte` `IsDebuggerPresent` `K32EnumDeviceDrivers` `K32GetDeviceDriverFileNameW` `LeaveCriticalSection` `LoadLibraryW` `LocalFree` `Module32FirstW` `Module32NextW` `MultiByteToWideChar` `OpenMutexA` `OpenProcess` `OutputDebugStringA` `Process32FirstW` `Process32NextW` `QueryFullProcessImageNameW` `QueryPerformanceCounter` `QueryPerformanceFrequency` `RaiseException` `ReleaseSemaphore` `ResetEvent` `ResumeThread` `RtlCaptureContext` `RtlLookupFunctionEntry` `RtlUnwindEx` `RtlVirtualUnwind` `SetEvent` `SetLastError` `SetProcessAffinityMask` `SetThreadContext` `SetThreadPriority` `SetUnhandledExceptionFilter` `Sleep` `SuspendThread` `TlsAlloc` `TlsGetValue` `TlsSetValue` `TryEnterCriticalSection` `VirtualProtect` `VirtualQuery` `WaitForMultipleObjects` `WaitForSingleObject` `WideCharToMultiByte`
MFPlat.DLL	`MFShutdown` `MFStartup` `MFTEnumEx`
msvcrt.dll	`iswctype` `_assert` `__C_specific_handler` `___lc_codepage_func` `___mb_cur_max_func` `__getmainargs` `__initenv` `__iob_func` `__set_app_type` `__setusermatherr` `_acmdln` `_amsg_exit` `_beginthreadex` `_cexit` `_commode` `_endthreadex` `_errno` `_fmode` `_initterm` `_setjmp` `_setmode` `_time64` `_vscprintf` `_vsnprintf` `abort` `atexit` `calloc` `exit` `fclose` `fflush` `fopen` `fprintf` `fputc` `fputs` `free` `fwrite` `getenv` `localeconv` `longjmp` `malloc` `memchr` `memcmp` `memcpy` `memmove` `memset` `realloc` `setlocale` `setvbuf` `signal` `strchr` `strcmp` `strcoll` `strerror` `strftime` `strlen` `strncmp` `strtoul` `strxfrm` `towlower` `towupper` `vfprintf` `wcscoll` `wcsftime` `wcslen` `wcsxfrm` `_strdup` `_read` `_fileno`
ole32.dll	`CoCreateInstance` `CoInitializeEx` `CoInitializeSecurity` `CoSetProxyBlanket` `CoTaskMemFree` `CoUninitialize`
OLEAUT32.dll	`SysAllocString` `SysFreeString` `VariantClear` `VariantInit`
SETUPAPI.dll	`SetupDiDestroyDeviceInfoList` `SetupDiEnumDeviceInfo` `SetupDiGetClassDevsA`
USER32.dll	`EnumWindows` `GetCursorPos` `GetDC` `GetLastInputInfo` `GetSystemMetrics` `GetWindowTextA` `IsClipboardFormatAvailable` `IsWindowVisible` `ReleaseDC`
WININET.dll	`HttpOpenRequestA` `HttpSendRequestA` `InternetCloseHandle` `InternetConnectA` `InternetOpenA` `InternetOpenUrlA` `InternetReadFile`

Delayed Imports

Version Info

TLS Callbacks

StartAddressOfRawData	`0x14010a000`
EndAddressOfRawData	`0x14010a018`
AddressOfIndex	`0x14010707c`
AddressOfCallbacks	`0x1400eb2b0`
SizeOfZeroFill	`0`
Characteristics	`IMAGE_SCN_TYPE_REG`
Callbacks	`0x0000000140019BA0` `0x0000000140019B80` `0x0000000140028C60`

Load Configuration

RICH Header

Errors

[*] Warning: Section .bss has a size of 0!
[!] Error: [plugin_virustotal] VirusTotal API request rate limit reached!

Leave a comment

No comments yet.