Manalyze report for d36a5345ae88089eba6b5692ca43aadc

Summary

Architecture	`IMAGE_FILE_MACHINE_I386`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	2012-Dec-31 00:38:38
Detected languages	English - United States Russian - Russia
CompanyName
FileDescription
LegalCopyright
LegalTrademarks
InternalName
ProductName
OriginalFilename
FileVersion
ProductVersion
Comments
PrivateBuild
SpecialBuild

Plugin Output

Suspicious	PEiD Signature:	`UPX V2.00-V2.90 -> Markus Oberhumer & Laszlo Molnar & John Reiser` `UPX v2.0 -> Markus, Laszlo & Reiser (h)` `UPX -> www.upx.sourceforge.net` `UPX V2.00-V2.90 -> Markus Oberhumer & Laszlo Molnar & John Reiser`
Info	Interesting strings found in the binary:	`Contains domain names: http://sourceforge.net sourceforge.net`
Suspicious	The PE is packed with UPX	`Unusual section name found: UPX0` `Section UPX0 is both writable and executable.` `Unusual section name found: UPX1` `Section UPX1 is both writable and executable.`
Info	The PE contains common functions which appear in legitimate applications.	`[!] The program may be hiding some of its imports: LoadLibraryA GetProcAddress`
Suspicious	The file contains overlay data.	`1124488 bytes of data starting at offset 0x38000.` `The overlay data has an entropy of 7.99987 and is possibly compressed or encrypted.` `Overlay data amounts for 83.0577% of the executable.`
Malicious	VirusTotal score: 31/71 (Scanned on 2023-08-24 15:17:46)	`APEX: Malicious` `Bkav: W32.AIDetectMalware` `CAT-QuickHeal: Hacktool.Patcher` `ClamAV: Win.Trojan.Generic-9963875-0` `CrowdStrike: win/malicious_confidence_60% (W)` `Cylance: unsafe` `Cynet: Malicious (score: 100)` `Cyren: W32/ABRisk.JOQC-8889` `DeepInstinct: MALICIOUS` `DrWeb: Trojan.Siggen18.59522` `Elastic: malicious (moderate confidence)` `FireEye: Generic.mg.d36a5345ae88089e` `Fortinet: W32/PossibleThreat` `Google: Detected` `Gridinsoft: Ransom.Win32.Sabsik.oa!s2` `Jiangmin: Trojan.Fsysna.kjz` `K7AntiVirus: Trojan ( 0051918e1 )` `K7GW: Trojan ( 0051918e1 )` `Lionic: Trojan.Win32.Generic.4!c` `Malwarebytes: Generic.Malware.AI.DDS` `McAfee: GenericRXAA-AA!D36A5345AE88` `McAfee-GW-Edition: BehavesLike.Win32.Generic.tc` `Microsoft: HackTool:Win32/Patcher` `SUPERAntiSpyware: Trojan.Agent/Generic` `Sangfor: Trojan.Win32.Agent.V365` `Sophos: Generic Reputation PUA (PUA)` `Symantec: ML.Attribute.HighConfidence` `Webroot: W32.Trojan.Dropper` `Xcitium: Packed.Win32.MUPX.Gen@24tbus` `Zillya: Trojan.Agent.Win32.3655393` `tehtris: Generic.Malware`

Hashes

MD5	`d36a5345ae88089eba6b5692ca43aadc`
SHA1	`3b5c8a43e6d38ed31cb66c9544e0ed2e671e860d`
SHA256	`443daeec5f9500d18e03a631ef7cc74b3e1cc6c34cb6d0473a7ce7223a86abc3`
SHA3	`264c802ad4e92680262088a65ddb18d5b1e9db2077701b211e822b521fa8b3b8`
SSDeep	`24576:Lrr/9+9JpeSkiOMs25mI2rDc30x5tUewSFYndCfeI+GajylnGhj9Eirju:LH0LUSkOp50zxbUJndWeMln8Frq`
Imports Hash	`c1f9ea6d51ba4934aeaee8b1f7d283d7`

DOS Header

e_magic	`MZ`
e_cblp	`0x60`
e_cp	`0x1`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0x60`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_I386`
NumberofSections	`3`
TimeDateStamp	2012-Dec-31 00:38:38
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xe0`
Characteristics	`IMAGE_FILE_32BIT_MACHINE` `IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_RELOCS_STRIPPED`

Image Optional Header

Magic	`PE32`
LinkerVersion	`8.0`
SizeOfCode	`0xe000`
SizeOfInitializedData	`0x2b000`
SizeOfUninitializedData	`0x3f000`
AddressOfEntryPoint	`0x0004CF60 (Section: UPX1)`
BaseOfCode	`0x40000`
BaseOfData	`0x4e000`
ImageBase	`0x400000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`4.0`
ImageVersion	`0.0`
SubsystemVersion	`4.0`
Win32VersionValue	`0`
SizeOfImage	`0x79000`
SizeOfHeaders	`0x1000`
Checksum	`0`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

UPX0

MD5	`d41d8cd98f00b204e9800998ecf8427e`
SHA1	`da39a3ee5e6b4b0d3255bfef95601890afd80709`
SHA256	`e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`
SHA3	`a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a`
VirtualSize	`0x3f000`
VirtualAddress	`0x1000`
SizeOfRawData	`0`
PointerToRawData	`0x200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_UNINITIALIZED_DATA` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`

UPX1

MD5	`fe1d3cd7a627b5e9ceb1df9bd61c5a4c`
SHA1	`a0999288a610f770e3f8f3bbc3c6b85a60a29f91`
SHA256	`3b660b535031e6141338d0afc7cd28a65172457e668e0d19c790454665a51767`
SHA3	`170d82de001ca925b38db251a5250621dd5e3daa0a3731f818c8f523bed2919e`
VirtualSize	`0xe000`
VirtualAddress	`0x40000`
SizeOfRawData	`0xdc00`
PointerToRawData	`0x200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`7.97814`

.rsrc

MD5	`5cd2f15926458bc330943fe17af6ba6b`
SHA1	`fbc0306041fd15edb4c18892065dbd0f8e76b43c`
SHA256	`ff82caa105e00a4ca811b9330196e19a43d7064cff35fca8e21597a121045de4`
SHA3	`fc88fc04f5d7134a8c70f37025e70261caf968d0de58a8ad83c6b2a42ab5008d`
VirtualSize	`0x2b000`
VirtualAddress	`0x4e000`
SizeOfRawData	`0x2a200`
PointerToRawData	`0xde00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`3.32227`

Imports

ADVAPI32.dll	`FreeSid`
COMCTL32.dll	`#17`
GDI32.dll	`DeleteDC`
KERNEL32.DLL	`LoadLibraryA` `ExitProcess` `GetProcAddress` `VirtualProtect`
MSVCRT.dll	`free`
ole32.dll	`CoInitialize`
OLEAUT32.dll	`SysAllocString`
SHELL32.dll	`SHGetMalloc`
USER32.dll	`GetDC`

Delayed Imports

1

Type	`RT_ICON`
Language	Russian - Russia
Codepage	Latin 1 / Western European
Size	`0x668`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`0`
MD5	`7371e95ba5fa6610d14c061379672043`
SHA1	`b89b3859959484bf522a89e5fbb1f3b2f328c348`
SHA256	`b8883734e15688eb76e149e782b649a1cb93e3d651423484cc2b2a3594154aa8`
SHA3	`4d4a9ae220fbfcb549d40c2cc59ca08fe518cec24373667670031b6cd105ec1b`

2

Type	`RT_ICON`
Language	Russian - Russia
Codepage	Latin 1 / Western European
Size	`0x2e8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`0`
MD5	`809457c05fe696f5d34ac5ac8768cdd4`
SHA1	`a2c3e4966415100c7d24f7f3dc7e27d2a60d20c9`
SHA256	`1b66520d471367f736d50c070a2e2bba8ad88ac58743394a764b888e9cb6f6be`
SHA3	`002d1b10f28d74c7572fc7c5b403eb32f2a0540c4958d7878ef67edfd17c8109`

3

Type	`RT_ICON`
Language	Russian - Russia
Codepage	Latin 1 / Western European
Size	`0x1e8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`1.83036`
MD5	`94a2df7f7da994132a3678370f4fa22a`
SHA1	`c2c0d24281a59696dab3748931231abb3c643459`
SHA256	`feeea3387bf33e355500c9c00cdb9e5bc3fff3450f3cd8fda5178ffcc3cb4627`
SHA3	`9ac2afc73822a0d02ab788389a380a125664cd81f22e5dedfd11f0260dff8daf`

4

Type	`RT_ICON`
Language	Russian - Russia
Codepage	Latin 1 / Western European
Size	`0x128`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.2763`
MD5	`21f8507e7a2bab2de43530c82ceff66c`
SHA1	`47d4736feedbea349349d4e6c530a7382646b81a`
SHA256	`7a4a8a49b17a66bbb67e117aee35298bc40dbf4708c9d3b4cd57de7bfad4e27a`
SHA3	`ea00d7201fe3953734705721feda8a591b14567eafa7acf4d35f39b5d186d00d`

50

Type	`RT_ICON`
Language	Russian - Russia
Codepage	Latin 1 / Western European
Size	`0x1d81`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`7.90594`
Detected Filetype	PNG graphic file
MD5	`fb6eb61ab171add7c5cf9fd5fca42a90`
SHA1	`7635b50ab4631eced776f0320502a30083bee372`
SHA256	`2c8f597e64864f4a836b730ecc6fc9decdd87b9262ae00e5d950c73a09732b79`
SHA3	`d6153a1b208c7bb4cec74ca5d0a8ba2786922748bf814e32d6b36b0e5a289aaa`

51

Type	`RT_ICON`
Language	Russian - Russia
Codepage	Latin 1 / Western European
Size	`0x10828`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.54785`
MD5	`9cadb7e96ea45c86dabc7da5a2d9e44b`
SHA1	`b545cdaab1361ef3746dad235f972e72e81abca0`
SHA256	`afd75627a28cf7d9cb364d9c74beca95fbe472b5c8835e01a267139377138efa`
SHA3	`fe0681b20e61a42a3550a515f880088f7294f1f58c6170b07ea73eaf0131cb34`

52

Type	`RT_ICON`
Language	Russian - Russia
Codepage	Latin 1 / Western European
Size	`0x94a8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.87378`
MD5	`b31bc7b5aa707bbf6d48d28f7bb2753e`
SHA1	`892c7b9a239dae0815d1af6ad58d2909c95514d7`
SHA256	`f9e105bc060e33324dc54c67d5d0b660c83924f8abcfb01d6b6bd80fb9020409`
SHA3	`b2c5153ba058943557ca65c2a565f4b3469082aead9a7c9af6187cdb4514414d`

53

Type	`RT_ICON`
Language	Russian - Russia
Codepage	Latin 1 / Western European
Size	`0x5488`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.86285`
MD5	`f8443658a2359e71bd47147be6929725`
SHA1	`66c51b3737f9729d82694cdecd3ea7e9b36e0848`
SHA256	`b7c005db1581693445df800142effc816b59c668248a55e50851dbf69dafece3`
SHA3	`3e5804b4c3cdc2ab73a80851c4463caeb6f5e2fd63c8f03c08b81292d25d96a8`

54

Type	`RT_ICON`
Language	Russian - Russia
Codepage	Latin 1 / Western European
Size	`0x4228`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.77144`
MD5	`67f6a8488c5e71d2bd0a00a968d1a046`
SHA1	`4996b197956927bda14f580bc9d55643afdd99fd`
SHA256	`3607780167a3b438693b431f8df10a9d18651dd5ce4722627bb62dd0944eb8d3`
SHA3	`f5b52984d21968cffac213f1aaf5d8cdae100a3e2b1594098309ace7e61209c9`

55

Type	`RT_ICON`
Language	Russian - Russia
Codepage	Latin 1 / Western European
Size	`0x25a8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.12417`
MD5	`9f7c49c0cc294eaf12e6806aa7785b3d`
SHA1	`93e6343dca6017bb38a9a9d8cb6d0aad210182b9`
SHA256	`61a48b6e901d41f3259a8bda8416fc311c93b93bd27a9833213a1dbfc2d1b32b`
SHA3	`557e3bb200e1b0a3f38720eb6f3f302060925cca6a66072d173dd093f4e5ec32`

56

Type	`RT_ICON`
Language	Russian - Russia
Codepage	Latin 1 / Western European
Size	`0x10a8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.16551`
MD5	`d340310351201703c8f5ed26ce052152`
SHA1	`ab0f5c16033d1047ab6a830e620fefcaeb8c4db8`
SHA256	`94234b4e352dbf52f5c9f9bf717d0b44d71dd2239c514e12d058c062c8ffeb8b`
SHA3	`c936dc8cd86fda9d2bcc1d4d9278d6caddd9f1941ebbb2936ae1ad08505a5330`

57

Type	`RT_ICON`
Language	Russian - Russia
Codepage	Latin 1 / Western European
Size	`0x988`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.61221`
MD5	`6af5d846fc51c667204d7da23823b7d6`
SHA1	`3f81a5eff5dd20a7d8562b61ec271f162fcd3f07`
SHA256	`b1a64c0161e012ee1b9cb99f11cad1e9fb4ce5e003ee6869fb10861d97a5fd3e`
SHA3	`f3a392ebaf1fb0e8e186feda61b0ee571ea54b23ed7a282d870f4c56d54f2ab0`

58

Type	`RT_ICON`
Language	Russian - Russia
Codepage	Latin 1 / Western European
Size	`0x468`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.92822`
MD5	`760a19cfe5117f48cf32b9af62eea5ba`
SHA1	`2f50be2a8b9ca6b78564ba355740f80157d47f38`
SHA256	`15dd5732a688c7942a55638221b21c29bdec6c614f24cee1ead33c27bec651cc`
SHA3	`bce0060d9f5e7c05a315572b3f380006b1c8b866a8d7c39cc36f8f478fd93fbf`

101

Type	`RT_GROUP_ICON`
Language	Russian - Russia
Codepage	Latin 1 / Western European
Size	`0x84`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.12345`
Detected Filetype	Icon file
MD5	`0a5abd9018d168ef813730eb07bd03c5`
SHA1	`cd3f0ad6909a24941e795eff0d1e556eef89806f`
SHA256	`5dfce8af58272837a2260fc492041592e528c6de56b0f908fe6a37288409592b`
SHA3	`552abf16a1177975b380255bbf817ae85a23c4a5c5da66b98c2cd7e07e500f54`

1 (#2)

Type	`RT_VERSION`
Language	English - United States
Codepage	Latin 1 / Western European
Size	`0x2a4`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.99141`
MD5	`0577c417a7a17980c7890d8659053f28`
SHA1	`ce686152a32a2fe09ec986a33c5f8fb6e2019be3`
SHA256	`7b74f8fc70a9f1569fc4078c963ae9ad2c551d1e7dc2385ab3ef7ca9f8ddbe60`
SHA3	`91c95fa199438ca8026b0b8978b99391e84edb8305d6f09f996b650b2aea2f70`

1 (#3)

Type	`RT_MANIFEST`
Language	English - United States
Codepage	Latin 1 / Western European
Size	`0x346`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.23138`
MD5	`e32a5384ce1d3d6ce2f07bae63580af4`
SHA1	`ecd92eb0584dc4e5b87b9d87aac587c1fb5a3538`
SHA256	`e7c9872b3f255430bf4a174164305dfefbe2affd5b942c942b349047d9289297`
SHA3	`02ee32c8bcdd6cefb446c2a5d7f6073bc3f316daf7571f7befa4a3eb018c1315`

Version Info

Signature	`0xfeef04bd`
StructVersion	`0x10000`
FileVersion	0.0.0.0
ProductVersion	0.0.0.0
FileFlags	`(EMPTY)`
FileOs	`VOS_DOS_WINDOWS32` `VOS_NT_WINDOWS32` `VOS__WINDOWS32`
FileType	`VFT_UNKNOWN`
Language	Russian - Russia
CompanyName
FileDescription
LegalCopyright
LegalTrademarks
InternalName
ProductName
OriginalFilename
FileVersion (#2)
ProductVersion (#2)
Comments
PrivateBuild
SpecialBuild

Resource LangID	English - United States

TLS Callbacks

Load Configuration

RICH Header

Errors

[*] Warning: Section UPX0 has a size of 0!