File information

Malware score: 98% (23/344 heuristic rules)

Status: static.suspected.ml.gen

| Score | Value |
|---|---|
| Suspect Score | 16.1 |
| Legit Score | 0 |
| Crypted Score | 14 |
| Packed Score | 13 |

Static Analysis Indicators (static.suspected.ml.gen)

PE Markers anomalies check

| Field | Value |
|---|---|
| Rich signature | found |
| Digital signature | not found |
| Overlay | not found |
| Subsystem | Console |
| Compiler | X {8s |
| Is .NET Image | Image is Native |

Important PE Header Values (suspect)

| Header | Hashes (MD5/SHA256/SSDEEP) | Size |
|---|---|---|
| IMAGE_DOS_HEADERS | | 0x40 |
| IMAGE_NT_HEADER | | 0x108 |
| IMAGE_OPTIONAL_HEADERS | | 0xf0 |
| ImageFileHeader Field | Additional info | Value | Common |
|---|---|---|---|
| ImageFileHeader.Machine | | 0x8664 | True |
| ImageFileHeader.TimeDataStamp | | 0x4efff660 | True |
| ImageFileHeader.Characteristics | | 0x222e | True |
| ImageFileHeader.SizeOfOptionalHeader | | 0xf0 | True |

| ImageOptionalHeader Field | Additional info | Value | Common |
|---|---|---|---|
| ImageOptionalHeader.EntryPoint | | 0x1330 | False |
| ImageOptionalHeader.ImageBase | | 0x70c00000 | True |
| ImageOptionalHeader.Checksum | | 0x6c475 | False |
| ImageOptionalHeader.LinkerVersion | | 2.31 | True |

Resources anomalies check (suspect)

| Risk | Structure |
|---|---|
| 0% | VersionInfo not found |
| 0% | Manifest not found |
| 0% | Message Table not found |
| 0% | Strings Table not found |
| 0% | RCDATA not found |
| 0% | Icon not found |
| 0% | Icon Group not found |
| 0% | Cursor not found |
| 0% | Accelerator not found |

Frequency anomalies check (suspect)

| Risk | Anomalies | Information |
|---|---|---|
| 0% | File Entropy | 6.1095108646873 |
| 0% | File Entropy (without zeros) | 6.1095128 |
| 0% | Zero Value Frequency | 0.038748259591584 |
| 0% | 0xFF Bytes Frequency | 1.6060102 |
| 0% | Chi-Square Distribution | 137387.71226335 |
| 0% | Monte Carlo Pi Value | 3.4820519514424 |
| 0% | Monte Carlo Pi Error Rate | 10.837156034967 |
| 0% | Packed percent | 3 |

Entropy status: Packed | Zero Value Frequency: Not Packed

PE Sections Info (valid)

| Name | VA | RVA | Characteristics | Virtual Size | Aligned Raw Size | Size Of Raw Data | Pointer To Raw Data |
|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x70c01000 | 0x60600060 | 0x62478 | 0x62600 | 0x62600 | 0x400 |
| .data | 0x64000 | 0x70c64000 | 0xc0600040 | 0xd0 | 0x200 | 0x200 | 0x62a00 |
| .rdata | 0x65000 | 0x70c65000 | 0x40600040 | 0x5e0 | 0x600 | 0x600 | 0x62c00 |
| .pdata | 0x66000 | 0x70c66000 | 0x40300040 | 0x414 | 0x600 | 0x600 | 0x63200 |
| .xdata | 0x67000 | 0x70c67000 | 0x40300040 | 0x394 | 0x400 | 0x400 | 0x63800 |
| .bss | 0x68000 | 0x70c68000 | 0xc0600080 | 0x920 | 0x0 | 0x0 | 0x0 |
| .edata | 0x69000 | 0x70c69000 | 0x40300040 | 0x326 | 0x400 | 0x400 | 0x63c00 |
| .idata | 0x6a000 | 0x70c6a000 | 0xc0300040 | 0x928 | 0xa00 | 0xa00 | 0x64000 |
| .CRT | 0x6b000 | 0x70c6b000 | 0xc0400040 | 0x58 | 0x200 | 0x200 | 0x64a00 |
| .tls | 0x6c000 | 0x70c6c000 | 0xc0400040 | 0x10 | 0x200 | 0x200 | 0x64c00 |
| .reloc | 0x6d000 | 0x70c6d000 | 0x42300040 | 0x64 | 0x200 | 0x200 | 0x64e00 |

Total Number Of Sections (NumberOfSections): 11

PE Sections Statistics (valid)

| Name | Entropy | Zero freq | Ratio | Hashes |
|---|---|---|---|---|
| .text | 6.0909156765766 | 0.023884212198221 | 97.642679900744% | |
| .data | 0.96646758556379 | 0.89257813 | 0.12406947890819% | |
| .rdata | 2.232881465452 | 0.7421875 | 0.37220843672457% | |
| .pdata | 3.491129894034 | 0.54882813 | 0.37220843672457% | |
| .xdata | 3.690090351375 | 0.28417969 | 0.24813895781638% | |
| .bss | 0 | 0 | 0% | |
| .edata | 4.5496593484687 | 0.36035156 | 0.24813895781638% | |
| .idata | 4.1349610083183 | 0.4390625 | 0.62034739454094% | |
| .CRT | 0.20058190743984 | 0.97851563 | 0.12406947890819% | |
| .tls | 0 | 1 | 0.12406947890819% | |
| .reloc | 1.1358895402498 | 0.859375 | 0.12406947890819% | |

Total Number Of Sections (NumberOfSections): 11

PE imported functions (suspect)

| Function name | RVA | HINT |
|---|---|---|
| CreateThread | 1892066364 | 238 |
| DeleteCriticalSection | 1892066380 | 269 |
| EnterCriticalSection | 1892066404 | 305 |
| FreeLibrary | 1892066428 | 428 |
| GetComputerNameA | 1892066442 | 477 |
| GetComputerNameExA | 1892066462 | 478 |
| GetCurrentProcess | 1892066484 | 536 |
| GetCurrentProcessId | 1892066504 | 537 |
| GetCurrentThreadId | 1892066526 | 541 |
| GetLastError | 1892066548 | 610 |
| GetNativeSystemInfo | 1892066564 | 647 |
| GetProcAddress | 1892066586 | 690 |
| GetProcessHeap | 1892066604 | 695 |
| GetSystemTimeAsFileTime | 1892066622 | 747 |
| GetThreadLocale | 1892066648 | 768 |
| GetTickCount | 1892066666 | 775 |
| HeapAlloc | 1892066682 | 836 |
| HeapFree | 1892066694 | 842 |
| InitializeCriticalSection | 1892066706 | 864 |
| IsBadReadPtr | 1892066734 | 882 |
| LeaveCriticalSection | 1892066750 | 952 |
| LoadLibraryA | 1892066774 | 955 |
| QueryPerformanceCounter | 1892066790 | 1094 |
| RtlAddFunctionTable | 1892066816 | 1180 |
| RtlCaptureContext | 1892066838 | 1181 |
| RtlLookupFunctionEntry | 1892066858 | 1188 |
| RtlVirtualUnwind | 1892066884 | 1195 |
| SetLastError | 1892066904 | 1291 |
| SetUnhandledExceptionFilter | 1892066920 | 1347 |
| Sleep | 1892066950 | 1361 |
| TerminateProcess | 1892066958 | 1376 |
| TlsGetValue | 1892066978 | 1396 |
| UnhandledExceptionFilter | 1892066992 | 1410 |
| VirtualAlloc | 1892067020 | 1437 |
| VirtualFree | 1892067036 | 1440 |
| VirtualProtect | 1892067050 | 1443 |
| VirtualQuery | 1892067068 | 1445 |
| lstrlenA | 1892067084 | 1554 |
| __iob_func | 1892067096 | 84 |
| _amsg_exit | 1892067110 | 121 |
| _initterm | 1892067124 | 284 |
| _lock | 1892067136 | 386 |
| _unlock | 1892067144 | 712 |
| _wcsnicmp | 1892067154 | 785 |
| abort | 1892067166 | 900 |
| bsearch | 1892067174 | 915 |
| calloc | 1892067184 | 917 |
| free | 1892067194 | 956 |
| fwrite | 1892067202 | 968 |
| malloc | 1892067212 | 1014 |
| mbstowcs | 1892067222 | 1017 |
| memcpy | 1892067234 | 1022 |
| memset | 1892067244 | 1024 |
| qsort | 1892067254 | 1038 |
| realloc | 1892067262 | 1042 |
| signal | 1892067272 | 1052 |
| strcmp | 1892067282 | 1066 |
| strlen | 1892067292 | 1073 |
| strncmp | 1892067302 | 1076 |
| strtol | 1892067312 | 1086 |
| vfprintf | 1892067322 | 1107 |
| wcstombs | 1892067334 | 1142 |

Total Number of Imported Functions: 62 | Total Number of Libraries: 2 | Total Number of Blacklisted Functions: 24

PE Exported functions (valid)

| # | Function | RVA | Offset |
|---|---|---|---|
| 1 | MemoryCallEntryPoint | 0x2bfe | 0x70c02bfe |
| 2 | MemoryDefaultAlloc | 0x1f62 | 0x70c01f62 |
| 3 | MemoryDefaultFree | 0x1fa0 | 0x70c01fa0 |
| 4 | MemoryDefaultFreeLibrary | 0x203f | 0x70c0203f |
| 5 | MemoryDefaultGetProcAddress | 0x2011 | 0x70c02011 |
| 6 | MemoryDefaultLoadLibrary | 0x1fd8 | 0x70c01fd8 |
| 7 | MemoryFindResource | 0x2c53 | 0x70c02c53 |
| 8 | MemoryFindResourceEx | 0x30ff | 0x70c030ff |
| 9 | MemoryFreeLibrary | 0x2a90 | 0x70c02a90 |
| 10 | MemoryGetProcAddress | 0x27e1 | 0x70c027e1 |
| 11 | MemoryLoadLibrary | 0x2063 | 0x70c02063 |
| 12 | MemoryLoadLibraryEx | 0x20c4 | 0x70c020c4 |
| 13 | MemoryLoadResource | 0x32e9 | 0x70c032e9 |
| 14 | MemoryLoadString | 0x3330 | 0x70c03330 |
| 15 | MemoryLoadStringEx | 0x3370 | 0x70c03370 |
| 16 | MemorySizeofResource | 0x32b6 | 0x70c032b6 |
| 17 | base64_decode | 0x6122c | 0x70c6122c |
| 18 | decode_func | 0x61524 | 0x70c61524 |
| 19 | dummyfunc1 | 0x617fa | 0x70c617fa |
| 20 | getComputerName | 0x615ab | 0x70c615ab |
| 21 | getDomainName | 0x6161c | 0x70c6161c |
| 22 | internal_crc32 | 0x61715 | 0x70c61715 |
| 23 | payload_bin | 0x3780 | 0x70c03780 |
| 24 | payload_bin_len | 0x64040 | 0x70c64040 |
| 25 | rc4_crypt | 0x363d | 0x70c0363d |
| 26 | rc4_init | 0x34a0 | 0x70c034a0 |
| 27 | upper_string | 0x61695 | 0x70c61695 |

Total Number of Exported Functions: 27 | Total Number of Blacklisted Exported Functions: 0

PE Opcodes Frequency & Anomalies Analyzer (suspect)

| # | Opcode | Quantity of instruction | Frequency of instruction |
|---|---|---|---|
| 2 | AND | 14 | 1.2121212% |
| 3 | CALL | 50 | 4.3290043% |
| 4 | CDQE | 4 | 0.34632036% |
| 5 | CMP | 30 | 2.5974026% |
| 6 | DIV | 1 | 0.08658009% |
| 7 | JAE | 1 | 0.08658009% |
| 8 | JB | 2 | 0.17316018% |
| 9 | JBE | 2 | 0.17316018% |
| 10 | JL | 2 | 0.17316018% |
| 11 | JLE | 1 | 0.08658009% |
| 12 | JMP | 47 | 4.0692639% |
| 13 | JNS | 1 | 0.08658009% |
| 14 | JNZ | 31 | 2.6839826% |
| 15 | JZ | 17 | 1.4718615% |
| 16 | LEA | 20 | 1.7316017% |
| 17 | MOV | 679 | 58.78788% |
| 18 | MOVSXD | 7 | 0.60606062% |
| 19 | MOVZX | 23 | 1.9913419% |
| 20 | NEG | 2 | 0.17316018% |
| 21 | NOP | 24 | 2.0779221% |
| 22 | OR | 5 | 0.43290043% |
| 23 | POP | 20 | 1.7316017% |
| 24 | PUSH | 21 | 1.8181819% |
| 25 | RET | 21 | 1.8181819% |
| 26 | SETNZ | 2 | 0.17316018% |
| 27 | SETZ | 1 | 0.08658009% |
| 28 | SHL | 1 | 0.08658009% |
| 29 | SHR | 3 | 0.25974026% |
| 30 | SUB | 20 | 1.7316017% |
| 31 | TEST | 31 | 2.6839826% |


Total Number Of Opcodes: 1155

Opcodes Frequency Chart

PE Dumped Strings (suspect)


Total Number of Strings: 2100 | Common strings: 2093 | Danger strings: 7

Bytes Frequency Chart