dd47c97b44408e0a5ecd8f482fcd0dbc
Hash
- MD5: dd47c97b44408e0a5ecd8f482fcd0dbc
- SHA1: 2acb22d5edc73db031d94ec7224c33ff649aef39
- SHA256: 1d8e50ec756e88025c5248cfaa6ee707348310b38671ab05b27d9194a609f96d
- First Seen: 2026-05-27
- Last Seen: 2026-05-27
-
2
Related Reports
-
0
Related IOCs
Additional Information
VirusTotal
{
"data": {
"id": "1d8e50ec756e88025c5248cfaa6ee707348310b38671ab05b27d9194a609f96d",
"type": "file",
"links": {
"self": "https://www.virustotal.com/api/v3/files/1d8e50ec756e88025c5248cfaa6ee707348310b38671ab05b27d9194a609f96d"
},
"attributes": {
"tlsh": "T1F984B20766EC3CE6D0368234A77747C1E72EFC214661D65E06E042669E3F6937D2ABE0",
"type_extension": "dll",
"crowdsourced_ids_stats": {
"high": 0,
"medium": 0,
"low": 1,
"info": 0
},
"trid": [
{
"file_type": "Win64 Executable (generic)",
"probability": 37.0
},
{
"file_type": "Win16 NE executable (generic)",
"probability": 28.6
},
{
"file_type": "OS/2 Executable (generic)",
"probability": 11.5
},
{
"file_type": "Generic Win/DOS Executable",
"probability": 11.3
},
{
"file_type": "DOS Executable (generic)",
"probability": 11.3
}
],
"last_analysis_stats": {
"malicious": 52,
"suspicious": 0,
"undetected": 20,
"harmless": 0,
"timeout": 0,
"confirmed-timeout": 0,
"failure": 0,
"type-unsupported": 4
},
"meaningful_name": "localfile~",
"vhash": "135076655d555515155018z5fnz11z2az1",
"last_analysis_date": 1774343476,
"first_seen_itw_date": 1772187067,
"type_tags": [
"executable",
"windows",
"win32",
"pe",
"pedll"
],
"type_tag": "pedll",
"last_submission_date": 1772162351,
"names": [
"localfile~",
"sksztksc.dat",
"tscnpqth.dat",
"wuuywfao.dat",
"to53z.exe"
],
"sandbox_verdicts": {
"Zenbox": {
"category": "harmless",
"malware_classification": [
"CLEAN"
],
"sandbox_name": "Zenbox",
"confidence": 97
},
"C2AE": {
"category": "undetected",
"malware_classification": [
"UNKNOWN_VERDICT"
],
"sandbox_name": "C2AE"
},
"Dr.Web vxCube": {
"category": "malicious",
"malware_classification": [
"MALWARE"
],
"sandbox_name": "Dr.Web vxCube"
}
},
"type_description": "Win32 DLL",
"first_submission_date": 1772162351,
"sigma_analysis_results": [
{
"rule_level": "high",
"rule_id": "f4143907bd6e32636e7bc2f3b4f1fca7dde5ff6787f10a17b360a798f52c6357",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Uncommon Svchost Command Line Parameter",
"rule_description": "Detects instances of svchost.exe running with an unusual or uncommon command line parameter by excluding known legitimate or common patterns.\nThis could point at a file masquerading as svchost, a process injection, or hollowing of a legitimate svchost instance.\n",
"rule_author": "Liran Ravich",
"match_context": [
{
"values": {
"CommandLine": "%WINDIR%\\system32\\svchost.exe",
"Image": "C:\\Windows\\system32\\svchost.exe",
"EventID": "1"
}
}
]
},
{
"rule_level": "medium",
"rule_id": "c0cdd12b4805f2aebecbc0415332f2594acf1ae6d8d82da086eeac9a84bf0c37",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Regsvr32 DLL Execution With Uncommon Extension",
"rule_description": "Detects a \"regsvr32\" execution where the DLL doesn't contain a common file extension.",
"rule_author": "Florian Roth (Nextron Systems)",
"match_context": [
{
"values": {
"CommandLine": "%WINDIR%\\system32\\regsvr32.exe",
"Image": "C:\\Windows\\system32\\regsvr32.exe",
"EventID": "1"
}
}
]
},
{
"rule_level": "medium",
"rule_id": "e13498937de9343f50c1e8f315ce602aa238e37e21f3dbb15d3403c25afafe3e",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Files With System Process Name In Unsuspected Locations",
"rule_description": "Detects the creation of an executable with a system process name in folders other than the system ones (System32, SysWOW64, etc.).\nIt is highly recommended to perform an initial baseline before using this rule in production.\n",
"rule_author": "Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems)",
"match_context": [
{
"values": {
"TargetFilename": "%windir%\\system32\\regsvr32.EXE"
}
}
]
},
{
"rule_level": "low",
"rule_id": "1c2e4db94ca79f939e94e29c04fb3b71467fc6f5b9c31db34fcce5a2fb3b856f",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Non Interactive PowerShell Process Spawned",
"rule_description": "Detects non-interactive PowerShell activity by looking at the \"powershell\" process with a non-user GUI process such as \"explorer.exe\" as a parent.",
"rule_author": "Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements)",
"match_context": [
{
"values": {
"CommandLine": "%WINDIR%\\system32\\windowspowershell\\v1.0\\powershell.exe",
"Image": "C:\\Windows\\system32\\windowspowershell\\v1.0\\powershell.exe",
"EventID": "1"
}
}
]
}
],
"md5": "dd47c97b44408e0a5ecd8f482fcd0dbc",
"size": 398336,
"crowdsourced_ids_results": [
{
"rule_category": "Potentially Bad Traffic",
"alert_severity": "low",
"rule_msg": "ET INFO DYNAMIC_DNS Query to a *.serverpit .com Domain",
"rule_id": "1:2039938",
"rule_source": "Proofpoint Emerging Threats Open",
"rule_url": "https://rules.emergingthreats.net/",
"rule_raw": "alert dns $HOME_NET any -> any any (msg:\"ET INFO DYNAMIC_DNS Query to a *.serverpit .com Domain\"; dns.query; content:\".serverpit.com\"; fast_pattern; nocase; endswith; reference:url,freedns.afraid.org/domain/registry/; classtype:bad-unknown; sid:2039938; rev:2; metadata:attack_target Client_and_Server, created_at 2022_11_28, deployment Perimeter, performance_impact Low, confidence High, signature_severity Informational, updated_at 2023_03_02, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1568, mitre_technique_name Dynamic_Resolution;)",
"rule_references": [
"https://freedns.afraid.org/domain/registry/"
],
"alert_context": [
{
"dest_ip": "8.8.4.4",
"dest_port": 53
}
]
}
],
"sha256": "1d8e50ec756e88025c5248cfaa6ee707348310b38671ab05b27d9194a609f96d",
"sigma_analysis_summary": {
"Sigma Integrated Rule Set (GitHub)": {
"critical": 0,
"high": 1,
"medium": 2,
"low": 1
}
},
"creation_date": 1771546682,
"last_analysis_results": {
"Bkav": {
"method": "blacklist",
"engine_name": "Bkav",
"engine_version": "2.0.0.1",
"engine_update": "20260323",
"category": "malicious",
"result": "W64.AIDetectMalware"
},
"Lionic": {
"method": "blacklist",
"engine_name": "Lionic",
"engine_version": "8.16",
"engine_update": "20260324",
"category": "malicious",
"result": "Trojan.Win32.Kimsuky.4!c"
},
"tehtris": {
"method": "blacklist",
"engine_name": "tehtris",
"engine_version": "v0.1.4",
"engine_update": "20260324",
"category": "undetected",
"result": null
},
"MicroWorld-eScan": {
"method": "blacklist",
"engine_name": "MicroWorld-eScan",
"engine_version": "14.0.409.0",
"engine_update": "20260324",
"category": "malicious",
"result": "Gen:Variant.Lazy.672641"
},
"CMC": {
"method": "blacklist",
"engine_name": "CMC",
"engine_version": "2.4.2022.1",
"engine_update": "20260324",
"category": "undetected",
"result": null
},
"CAT-QuickHeal": {
"method": "blacklist",
"engine_name": "CAT-QuickHeal",
"engine_version": "22.00",
"engine_update": "20260323",
"category": "malicious",
"result": "Trojan.Agent"
},
"Skyhigh": {
"method": "blacklist",
"engine_name": "Skyhigh",
"engine_version": "v2021.2.0+4045",
"engine_update": "20260323",
"category": "malicious",
"result": "BehavesLike.Win64.NetLoader.fm"
},
"ALYac": {
"method": "blacklist",
"engine_name": "ALYac",
"engine_version": "2.0.0.10",
"engine_update": "20260324",
"category": "malicious",
"result": "Trojan.Agent.644608A"
},
"Malwarebytes": {
"method": "blacklist",
"engine_name": "Malwarebytes",
"engine_version": "3.1.0.214",
"engine_update": "20260324",
"category": "malicious",
"result": "Trojan.Agent"
},
"VIPRE": {
"method": "blacklist",
"engine_name": "VIPRE",
"engine_version": "6.0.0.35",
"engine_update": "20260323",
"category": "malicious",
"result": "Gen:Variant.Lazy.672641"
},
"Sangfor": {
"method": "blacklist",
"engine_name": "Sangfor",
"engine_version": "2.22.3.0",
"engine_update": "20260323",
"category": "malicious",
"result": "Trojan.Win32.Save.a"
},
"K7AntiVirus": {
"method": "blacklist",
"engine_name": "K7AntiVirus",
"engine_version": "14.43.58973",
"engine_update": "20260324",
"category": "malicious",
"result": "Trojan ( 006db4aa1 )"
},
"BitDefender": {
"method": "blacklist",
"engine_name": "BitDefender",
"engine_version": "7.2",
"engine_update": "20260324",
"category": "malicious",
"result": "Gen:Variant.Lazy.672641"
},
"K7GW": {
"method": "blacklist",
"engine_name": "K7GW",
"engine_version": "14.43.58974",
"engine_update": "20260324",
"category": "malicious",
"result": "Trojan ( 006db4aa1 )"
},
"CrowdStrike": {
"method": "blacklist",
"engine_name": "CrowdStrike",
"engine_version": "1.0",
"engine_update": "20251219",
"category": "malicious",
"result": "win/malicious_confidence_100% (W)"
},
"Arcabit": {
"method": "blacklist",
"engine_name": "Arcabit",
"engine_version": "2025.0.0.23",
"engine_update": "20260324",
"category": "malicious",
"result": "Trojan.Lazy.DA4381"
},
"Baidu": {
"method": "blacklist",
"engine_name": "Baidu",
"engine_version": "1.0.0.2",
"engine_update": "20190318",
"category": "undetected",
"result": null
},
"VirIT": {
"method": "blacklist",
"engine_name": "VirIT",
"engine_version": "9.5.1171",
"engine_update": "20260323",
"category": "undetected",
"result": null
},
"Symantec": {
"method": "blacklist",
"engine_name": "Symantec",
"engine_version": "1.22.0.0",
"engine_update": "20260324",
"category": "malicious",
"result": "Backdoor.Cobalt"
},
"Elastic": {
"method": "blacklist",
"engine_name": "Elastic",
"engine_version": "4.0.253",
"engine_update": "20260323",
"category": "malicious",
"result": "malicious (high confidence)"
},
"ESET-NOD32": {
"method": "blacklist",
"engine_name": "ESET-NOD32",
"engine_version": "18.2.18.0",
"engine_update": "20260324",
"category": "malicious",
"result": "Win64/Kimsuky.BW trojan"
},
"Zoner": {
"method": "blacklist",
"engine_name": "Zoner",
"engine_version": "2.2.2.0",
"engine_update": "20260324",
"category": "undetected",
"result": null
},
"APEX": {
"method": "blacklist",
"engine_name": "APEX",
"engine_version": "6.761",
"engine_update": "20260322",
"category": "malicious",
"result": "Malicious"
},
"Paloalto": {
"method": "blacklist",
"engine_name": "Paloalto",
"engine_version": "0.9.0.1003",
"engine_update": "20260324",
"category": "malicious",
"result": "generic.ml"
},
"ClamAV": {
"method": "blacklist",
"engine_name": "ClamAV",
"engine_version": "1.5.2.0",
"engine_update": "20260324",
"category": "undetected",
"result": null
},
"Kaspersky": {
"method": "blacklist",
"engine_name": "Kaspersky",
"engine_version": "22.0.1.28",
"engine_update": "20260324",
"category": "malicious",
"result": "Trojan.Win64.Agent.smfqqp"
},
"Alibaba": {
"method": "blacklist",
"engine_name": "Alibaba",
"engine_version": "0.3.0.5",
"engine_update": "20190527",
"category": "malicious",
"result": "Trojan:Win64/Kimsuky.f9d93278"
},
"NANO-Antivirus": {
"method": "blacklist",
"engine_name": "NANO-Antivirus",
"engine_version": "1.0.170.26895",
"engine_update": "20260324",
"category": "undetected",
"result": null
},
"SUPERAntiSpyware": {
"method": "blacklist",
"engine_name": "SUPERAntiSpyware",
"engine_version": "5.6.0.1032",
"engine_update": "20260323",
"category": "undetected",
"result": null
},
"Tencent": {
"method": "blacklist",
"engine_name": "Tencent",
"engine_version": "1.0.0.1",
"engine_update": "20260324",
"category": "malicious",
"result": "Malware.Win32.Gencirc.14aa5f80"
},
"Sophos": {
"method": "blacklist",
"engine_name": "Sophos",
"engine_version": "3.3.1.0",
"engine_update": "20260323",
"category": "malicious",
"result": "Mal/Generic-S"
},
"Google": {
"method": "blacklist",
"engine_name": "Google",
"engine_version": "1774339258",
"engine_update": "20260324",
"category": "malicious",
"result": "Detected"
},
"F-Secure": {
"method": "blacklist",
"engine_name": "F-Secure",
"engine_version": "18.10.1547.307",
"engine_update": "20260324",
"category": "undetected",
"result": null
},
"DrWeb": {
"method": "blacklist",
"engine_name": "DrWeb",
"engine_version": "7.0.75.2070",
"engine_update": "20260324",
"category": "malicious",
"result": "Trojan.MulDrop36.5342"
},
"Zillya": {
"method": "blacklist",
"engine_name": "Zillya",
"engine_version": "2.0.0.5568",
"engine_update": "20260323",
"category": "malicious",
"result": "Trojan.Kimsuky.Win64.126"
},
"TrendMicro": {
"method": "blacklist",
"engine_name": "TrendMicro",
"engine_version": "24.550.0.1002",
"engine_update": "20260324",
"category": "malicious",
"result": "TROJ_FRS.VSNTCI26"
},
"McAfeeD": {
"method": "blacklist",
"engine_name": "McAfeeD",
"engine_version": "1.2.0.14148",
"engine_update": "20260324",
"category": "malicious",
"result": "ti!1D8E50EC756E"
},
"SentinelOne": {
"method": "blacklist",
"engine_name": "SentinelOne",
"engine_version": "7.5.3.1",
"engine_update": "20251224",
"category": "malicious",
"result": "Static AI - Suspicious PE"
},
"Trapmine": {
"method": "blacklist",
"engine_name": "Trapmine",
"engine_version": "4.0.10.0",
"engine_update": "20260224",
"category": "undetected",
"result": null
},
"CTX": {
"method": "blacklist",
"engine_name": "CTX",
"engine_version": "2024.8.29.1",
"engine_update": "20260324",
"category": "malicious",
"result": "dll.trojan.kimsuky"
},
"Emsisoft": {
"method": "blacklist",
"engine_name": "Emsisoft",
"engine_version": "2024.8.0.61147",
"engine_update": "20260324",
"category": "malicious",
"result": "Gen:Variant.Lazy.672641 (B)"
},
"Ikarus": {
"method": "blacklist",
"engine_name": "Ikarus",
"engine_version": "6.4.16.0",
"engine_update": "20260324",
"category": "malicious",
"result": "Trojan.Win64.Kimsuky"
},
"Jiangmin": {
"method": "blacklist",
"engine_name": "Jiangmin",
"engine_version": "16.0.100",
"engine_update": "20260323",
"category": "undetected",
"result": null
},
"Webroot": {
"method": "blacklist",
"engine_name": "Webroot",
"engine_version": "1.9.0.8",
"engine_update": "20250227",
"category": "undetected",
"result": null
},
"Varist": {
"method": "blacklist",
"engine_name": "Varist",
"engine_version": "6.6.1.3",
"engine_update": "20260324",
"category": "malicious",
"result": "W64/ABTrojan.BHJS-5810"
},
"Avira": {
"method": "blacklist",
"engine_name": "Avira",
"engine_version": "8.3.3.24",
"engine_update": "20260324",
"category": "undetected",
"result": null
},
"Antiy-AVL": {
"method": "blacklist",
"engine_name": "Antiy-AVL",
"engine_version": "3.0",
"engine_update": "20260324",
"category": "malicious",
"result": "Trojan/Win32.GenericML"
},
"Kingsoft": {
"method": "blacklist",
"engine_name": "Kingsoft",
"engine_version": "None",
"engine_update": "20260323",
"category": "malicious",
"result": "Win32.Trojan.GenericML.xnet"
},
"Gridinsoft": {
"method": "blacklist",
"engine_name": "Gridinsoft",
"engine_version": "1.0.241.174",
"engine_update": "20260324",
"category": "malicious",
"result": "Trojan.Win64.Wacatac.sa"
},
"Xcitium": {
"method": "blacklist",
"engine_name": "Xcitium",
"engine_version": "38509",
"engine_update": "20260324",
"category": "undetected",
"result": null
},
"Microsoft": {
"method": "blacklist",
"engine_name": "Microsoft",
"engine_version": "1.1.26010.1",
"engine_update": "20260324",
"category": "malicious",
"result": "Trojan:Win32/Wacatac.B!ml"
},
"ViRobot": {
"method": "blacklist",
"engine_name": "ViRobot",
"engine_version": "2014.3.20.0",
"engine_update": "20260324",
"category": "malicious",
"result": "Trojan.Win.Z.Lazy.398336"
},
"ZoneAlarm": {
"method": "blacklist",
"engine_name": "ZoneAlarm",
"engine_version": "6.23-113519113",
"engine_update": "20260323",
"category": "undetected",
"result": null
},
"GData": {
"method": "blacklist",
"engine_name": "GData",
"engine_version": "GD:27.43969AVA:64.30897",
"engine_update": "20260324",
"category": "malicious",
"result": "Gen:Variant.Lazy.672641"
},
"Cynet": {
"method": "blacklist",
"engine_name": "Cynet",
"engine_version": "4.0.3.4",
"engine_update": "20260324",
"category": "malicious",
"result": "Malicious (score: 100)"
},
"AhnLab-V3": {
"method": "blacklist",
"engine_name": "AhnLab-V3",
"engine_version": "3.29.3.10609",
"engine_update": "20260324",
"category": "malicious",
"result": "Trojan/Win.Generic.C5852579"
},
"Acronis": {
"method": "blacklist",
"engine_name": "Acronis",
"engine_version": "1.2.0.121",
"engine_update": "20240328",
"category": "undetected",
"result": null
},
"VBA32": {
"method": "blacklist",
"engine_name": "VBA32",
"engine_version": "5.5.1",
"engine_update": "20260324",
"category": "malicious",
"result": "Trojan.Wacatac"
},
"TACHYON": {
"method": "blacklist",
"engine_name": "TACHYON",
"engine_version": "2026-03-24.02",
"engine_update": "20260324",
"category": "undetected",
"result": null
},
"DeepInstinct": {
"method": "blacklist",
"engine_name": "DeepInstinct",
"engine_version": "5.0.0.8",
"engine_update": "20260323",
"category": "malicious",
"result": "MALICIOUS"
},
"Cylance": {
"method": "blacklist",
"engine_name": "Cylance",
"engine_version": "3.0.0.0",
"engine_update": "20260323",
"category": "malicious",
"result": "Unsafe"
},
"Panda": {
"method": "blacklist",
"engine_name": "Panda",
"engine_version": "4.6.4.2",
"engine_update": "20260323",
"category": "undetected",
"result": null
},
"TrendMicro-HouseCall": {
"method": "blacklist",
"engine_name": "TrendMicro-HouseCall",
"engine_version": "24.550.0.1002",
"engine_update": "20260324",
"category": "malicious",
"result": "TROJ_FRS.VSNTCI26"
},
"Rising": {
"method": "blacklist",
"engine_name": "Rising",
"engine_version": "25.0.0.28",
"engine_update": "20260324",
"category": "malicious",
"result": "Trojan.Kryptik/x64!1.12B76 (CLASSIC)"
},
"Yandex": {
"method": "blacklist",
"engine_name": "Yandex",
"engine_version": "5.5.2.24",
"engine_update": "20260324",
"category": "undetected",
"result": null
},
"TrellixENS": {
"method": "blacklist",
"engine_name": "TrellixENS",
"engine_version": "6.0.6.653",
"engine_update": "20260323",
"category": "malicious",
"result": "Artemis!DD47C97B4440"
},
"huorong": {
"method": "blacklist",
"engine_name": "huorong",
"engine_version": "8a2a32b:8a2a32b:9b50884:9b50884",
"engine_update": "20260323",
"category": "undetected",
"result": null
},
"MaxSecure": {
"method": "blacklist",
"engine_name": "MaxSecure",
"engine_version": "1.0.0.1",
"engine_update": "20260324",
"category": "malicious",
"result": "Trojan.Malware.326501924.susgen"
},
"Fortinet": {
"method": "blacklist",
"engine_name": "Fortinet",
"engine_version": "7.0.30.0",
"engine_update": "20260324",
"category": "malicious",
"result": "W64/Kimsuky.BW!tr"
},
"AVG": {
"method": "blacklist",
"engine_name": "AVG",
"engine_version": "23.9.8494.0",
"engine_update": "20260322",
"category": "malicious",
"result": "Win32:Kimsuky-AA [Trj]"
},
"Avast": {
"method": "blacklist",
"engine_name": "Avast",
"engine_version": "23.9.8494.0",
"engine_update": "20260322",
"category": "malicious",
"result": "Win32:Kimsuky-AA [Trj]"
},
"alibabacloud": {
"method": "blacklist",
"engine_name": "alibabacloud",
"engine_version": "2.2.0",
"engine_update": "20250321",
"category": "malicious",
"result": "Trojan:Win/Kimsuky.BI"
},
"Trustlook": {
"method": "blacklist",
"engine_name": "Trustlook",
"engine_version": "1.0",
"engine_update": "20260324",
"category": "type-unsupported",
"result": null
},
"SymantecMobileInsight": {
"method": "blacklist",
"engine_name": "SymantecMobileInsight",
"engine_version": "2.0",
"engine_update": "20260123",
"category": "type-unsupported",
"result": null
},
"BitDefenderFalx": {
"method": "blacklist",
"engine_name": "BitDefenderFalx",
"engine_version": "2.0.936",
"engine_update": "20251216",
"category": "type-unsupported",
"result": null
},
"Avast-Mobile": {
"method": "blacklist",
"engine_name": "Avast-Mobile",
"engine_version": "260323-00",
"engine_update": "20260323",
"category": "type-unsupported",
"result": null
}
},
"sigma_analysis_stats": {
"critical": 0,
"high": 1,
"medium": 2,
"low": 1
},
"ssdeep": "12288:zRhzxiIhdlNamxAzIczPN+aqaTwl9yPb:zRhtdWJ1f0l98b",
"reputation": -1,
"last_modification_date": 1774350690,
"pe_info": {
"timestamp": 1771546682,
"imphash": "42db43782f89f9c2d6f82d1c8df7f636",
"machine_type": 34404,
"entry_point": 16876,
"resource_details": [
{
"lang": "ENGLISH US",
"chi2": 1428.08,
"filetype": "XML",
"entropy": 4.885799884796143,
"sha256": "d2952e57023848a37fb0f21f0dfb38c9000f610ac2b00c2f128511dfd68bde04",
"type": "RT_MANIFEST"
}
],
"resource_langs": {
"ENGLISH US": 1
},
"resource_types": {
"RT_MANIFEST": 1
},
"sections": [
{
"name": ".text",
"chi2": 590870.56,
"virtual_address": 4096,
"flags": "rx",
"raw_size": 101888,
"entropy": 6.52,
"virtual_size": 101544,
"md5": "09395de9631e2ded992b6b92a2b487fc"
},
{
"name": ".rdata",
"chi2": 2834789.0,
"virtual_address": 106496,
"flags": "r",
"raw_size": 51200,
"entropy": 4.75,
"virtual_size": 50924,
"md5": "29b06984c4678d8c989814d319153dfa"
},
{
"name": ".data",
"chi2": 5439019.5,
"virtual_address": 159744,
"flags": "rw",
"raw_size": 235008,
"entropy": 5.52,
"virtual_size": 240360,
"md5": "dde475decb68f77a7d0475c9e75c2199"
},
{
"name": ".pdata",
"chi2": 222087.55,
"virtual_address": 401408,
"flags": "r",
"raw_size": 6144,
"entropy": 5.18,
"virtual_size": 6096,
"md5": "b9ee4cf76be81ad42832f01ccfbb658a"
},
{
"name": "_RDATA",
"chi2": 38550.0,
"virtual_address": 409600,
"flags": "r",
"raw_size": 512,
"entropy": 3.71,
"virtual_size": 500,
"md5": "a7a7f8a888e39a0e1aa1e976acac0011"
},
{
"name": ".rsrc",
"chi2": 61549.0,
"virtual_address": 413696,
"flags": "r",
"raw_size": 512,
"entropy": 2.53,
"virtual_size": 248,
"md5": "3ab71d1dbb2ac9f7ddf9689f9a043410"
},
{
"name": ".reloc",
"chi2": 17190.25,
"virtual_address": 417792,
"flags": "r",
"raw_size": 2048,
"entropy": 5.26,
"virtual_size": 1880,
"md5": "d1d998dd697809d180bbe5c18dcb09f0"
}
],
"exports": [
"DllRegisterServer"
],
"compiler_product_versions": [
"[---] Unmarked objects (old) count=1",
"[ C ] VS2022 v17.9.0 pre 1.0 build 33218 count=14",
"[ASM] VS2022 v17.9.0 pre 1.0 build 33218 count=18",
"[C++] VS2022 v17.9.0 pre 1.0 build 33218 count=75",
"[---] Unmarked objects count=146",
"id: 0x103, version: 30795 count=5",
"id: 0x105, version: 30795 count=175",
"id: 0x104, version: 30795 count=16",
"id: 0x101, version: 30795 count=19",
"id: 0x109, version: 33523 count=8",
"id: 0x100, version: 33523 count=1",
"id: 0xff, version: 33523 count=1",
"id: 0x102, version: 33523 count=1"
],
"rich_pe_header_hash": "5fd1bf0480b79f31642f466a15c1b4f6",
"import_list": [
{
"library_name": "KERNEL32.dll",
"imported_functions": [
"AcquireSRWLockExclusive",
"CloseHandle",
"CompareStringW",
"CreateFileW",
"CreateThread",
"DecodePointer",
"DeleteCriticalSection",
"DeleteFileW",
"EncodePointer",
"EnterCriticalSection",
"ExitProcess",
"FindClose",
"FindFirstFileExW",
"FindNextFileW",
"FlsAlloc",
"FlsFree",
"FlsGetValue",
"FlsSetValue",
"FlushFileBuffers",
"FreeEnvironmentStringsW",
"FreeLibrary",
"GetACP",
"GetCommandLineA",
"GetCommandLineW",
"GetConsoleMode",
"GetConsoleOutputCP",
"GetCPInfo",
"GetCurrentProcess",
"GetCurrentProcessId",
"GetCurrentThreadId",
"GetEnvironmentStringsW",
"GetFileSizeEx",
"GetFileType",
"GetLastError",
"GetModuleFileNameW",
"GetModuleHandleExW",
"GetModuleHandleW",
"GetOEMCP",
"GetProcAddress",
"GetProcessHeap",
"GetStartupInfoW",
"GetStdHandle",
"GetStringTypeW",
"GetSystemTimeAsFileTime",
"HeapAlloc",
"HeapFree",
"HeapReAlloc",
"HeapSize",
"InitializeCriticalSectionAndSpinCount",
"InitializeCriticalSectionEx",
"InitializeSListHead",
"InterlockedFlushSList",
"IsBadReadPtr",
"IsDebuggerPresent",
"IsProcessorFeaturePresent",
"IsValidCodePage",
"LCMapStringW",
"LeaveCriticalSection",
"LoadLibraryA",
"LoadLibraryExW",
"lstrcatW",
"lstrlenW",
"MultiByteToWideChar",
"QueryPerformanceCounter",
"RaiseException",
"ReadConsoleW",
"ReadFile",
"ReleaseSRWLockExclusive",
"RtlCaptureContext",
"RtlLookupFunctionEntry",
"RtlPcToFileHeader",
"RtlUnwindEx",
"RtlVirtualUnwind",
"SetEndOfFile",
"SetEnvironmentVariableW",
"SetErrorMode",
"SetFilePointerEx",
"SetLastError",
"SetStdHandle",
"SetUnhandledExceptionFilter",
"Sleep",
"SleepConditionVariableSRW",
"TerminateProcess",
"TlsAlloc",
"TlsFree",
"TlsGetValue",
"TlsSetValue",
"UnhandledExceptionFilter",
"VirtualAlloc",
"VirtualFree",
"VirtualProtect",
"WakeAllConditionVariable",
"WideCharToMultiByte",
"WriteConsoleW",
"WriteFile"
]
},
{
"library_name": "WININET.dll",
"imported_functions": [
"InternetCanonicalizeUrlW",
"InternetCrackUrlW"
]
},
{
"library_name": "WINHTTP.dll",
"imported_functions": [
"WinHttpAddRequestHeaders",
"WinHttpCloseHandle",
"WinHttpConnect",
"WinHttpOpen",
"WinHttpOpenRequest",
"WinHttpQueryDataAvailable",
"WinHttpReadData",
"WinHttpReceiveResponse",
"WinHttpSendRequest",
"WinHttpSetOption"
]
},
{
"library_name": "bcrypt.dll",
"imported_functions": [
"BCryptGenRandom"
]
},
{
"library_name": "IPHLPAPI.DLL",
"imported_functions": [
"GetAdaptersInfo"
]
},
{
"library_name": "USER32.dll",
"imported_functions": [
"wsprintfW"
]
},
{
"library_name": "ADVAPI32.dll",
"imported_functions": [
"RegGetValueA"
]
}
]
},
"tags": [
"pedll",
"spreader",
"idle",
"detect-debug-environment",
"64bits",
"long-sleeps"
],
"total_votes": {
"harmless": 0,
"malicious": 1
},
"unique_sources": 1,
"filecondis": {
"raw_md5": "0350041e27cfbf9dbaa4602446311a8d",
"dhash": "787e3e3c0e192800"
},
"times_submitted": 1,
"popular_threat_classification": {
"popular_threat_name": [
{
"value": "kimsuky",
"count": 10
},
{
"value": "lazy",
"count": 7
},
{
"value": "genericml",
"count": 2
}
],
"suggested_threat_label": "trojan.kimsuky/lazy",
"popular_threat_category": [
{
"value": "trojan",
"count": 28
}
]
},
"authentihash": "5ce221bcf7cf60b25340d6256e4a204ac3cda76b7c3382d95f2f28705cd87759",
"magic": "PE32+ executable (DLL) (GUI) x86-64, for MS Windows",
"magika": "PEBIN",
"sha1": "2acb22d5edc73db031d94ec7224c33ff649aef39",
"detectiteasy": {
"filetype": "PE64",
"values": [
{
"info": "LTCG/C++",
"version": "19.36.33523",
"type": "Compiler",
"name": "Microsoft Visual C/C++"
},
{
"version": "14.36.33523",
"type": "Linker",
"name": "Microsoft Linker"
},
{
"version": "2022 version 17.6",
"type": "Tool",
"name": "Visual Studio"
}
]
}
}
}
}