Manalyze report for 0066de7f554a0dea9fe7b55230846e6e

Summary

Architecture	`IMAGE_FILE_MACHINE_I386`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	2018-Oct-16 16:59:54
Detected languages	English - United States

Plugin Output

Suspicious	PEiD Signature:	`UPX V2.00-V2.90 -> Markus Oberhumer & Laszlo Molnar & John Reiser` `UPX -> www.upx.sourceforge.net` `UPX V2.00-V2.90 -> Markus Oberhumer & Laszlo Molnar & John Reiser`
Info	Libraries used to perform cryptographic operations:	`Microsoft's Cryptography API`
Suspicious	The PE is packed with UPX	`Unusual section name found: UPX0` `Section UPX0 is both writable and executable.` `Unusual section name found: UPX1` `Section UPX1 is both writable and executable.`
Suspicious	The PE contains functions most legitimate programs don't use.	`[!] The program may be hiding some of its imports: LoadLibraryA GetProcAddress` `Uses Microsoft's cryptographic API: CryptGenKey` `Has Internet access capabilities: URLDownloadToFileA` `Leverages the raw socket API to access the Internet: #16` `Can take screenshots: BitBlt GetDC`
Info	The PE's resources present abnormal characteristics.	`Resource 103 is possibly compressed or encrypted.`
Malicious	VirusTotal score: 44/70 (Scanned on 2019-02-13 18:57:57)	`MicroWorld-eScan: Generic.Malware.SFH.B12A1375` `CAT-QuickHeal: Trojan.Mauvaise.SL1` `ALYac: Generic.Malware.SFH.B12A1375` `Zillya: Trojan.Agent.Win32.997310` `TheHacker: Posible_Worm32` `K7GW: Spyware ( 0053ffbb1 )` `K7AntiVirus: Spyware ( 0053ffbb1 )` `Arcabit: Generic.Malware.SFH.B12A1375` `Invincea: heuristic` `Cyren: W32/Trojan.GBLP-5815` `Symantec: ML.Attribute.HighConfidence` `TrendMicro-HouseCall: TROJ_GEN.R011C0PJQ18` `Avast: Win32:Adware-gen [Adw]` `BitDefender: Generic.Malware.SFH.B12A1375` `Paloalto: generic.ml` `Tencent: Win32.Trojan.Generic.Chi` `Ad-Aware: Generic.Malware.SFH.B12A1375` `Emsisoft: Generic.Malware.SFH.B12A1375 (B)` `Comodo: Malware@#3oaz1il2gd44a` `F-Secure: Trojan.TR/Spy.Agent.bcosm` `VIPRE: Trojan.Win32.Generic!BT` `TrendMicro: TROJ_GEN.R011C0PJQ18` `McAfee-GW-Edition: BehavesLike.Win32.SpyLydra.pc` `Sophos: Mal/Generic-S` `Ikarus: Trojan-Spy.Agent` `Avira: TR/Spy.Agent.bcosm` `Fortinet: W32/Agent.PNW!tr.spy` `Antiy-AVL: Trojan/Win32.Fuery` `Endgame: malicious (moderate confidence)` `Microsoft: Trojan:Win32/Skeeyah.A!bit` `AhnLab-V3: Malware/Win32.Generic.C2832976` `Acronis: suspicious` `McAfee: RDN/Generic PWS.y` `Cylance: Unsafe` `ESET-NOD32: Win32/Spy.Agent.PNW` `Rising: Spyware.Agent!8.C6 (CLOUD)` `Yandex: TrojanSpy.Agent!+DF+Jc/rAlI` `SentinelOne: static engine - malicious` `GData: Generic.Malware.SFH.B12A1375` `AVG: Win32:Adware-gen [Adw]` `Cybereason: malicious.f554a0` `Panda: Trj/GdSda.A` `CrowdStrike: malicious_confidence_90% (W)` `Qihoo-360: HEUR/QVM11.1.BD31.Malware.Gen`

Hashes

MD5	`0066de7f554a0dea9fe7b55230846e6e`
SHA1	`2848ac48a098bc5bb19632944ef864e19c6a93d3`
SHA256	`f9b92656ff26783b868f6285165319e380582d32ecfff3fd629adb3753703463`
SHA3	`aebd7d24e1ac76382dfaac5793702ad37e27bef41a7d8e5b3833d8aefd7910de`
SSDeep	`768:Si376IARqE0zxyahrbIYy/6k/XrONfcJkP+FPnRxuwyhg1SApLMHjzKop:Si3w0ZzNh2ESJkPgnWwyhSSoIH3D`
Imports Hash	`c615963b9ed490334f5c0889ace7aa1d`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0x108`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_I386`
NumberofSections	`3`
TimeDateStamp	2018-Oct-16 16:59:54
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xe0`
Characteristics	`IMAGE_FILE_32BIT_MACHINE` `IMAGE_FILE_EXECUTABLE_IMAGE`

Image Optional Header

Magic	`PE32`
LinkerVersion	`14.0`
SizeOfCode	`0xb000`
SizeOfInitializedData	`0x1000`
SizeOfUninitializedData	`0x17000`
AddressOfEntryPoint	`0x000229E0 (Section: UPX1)`
BaseOfCode	`0x18000`
BaseOfData	`0x23000`
ImageBase	`0x400000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`6.0`
ImageVersion	`0.0`
SubsystemVersion	`6.0`
Win32VersionValue	`0`
SizeOfImage	`0x24000`
SizeOfHeaders	`0x1000`
Checksum	`0`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` `IMAGE_DLLCHARACTERISTICS_NX_COMPAT` `IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

UPX0

MD5	`d41d8cd98f00b204e9800998ecf8427e`
SHA1	`da39a3ee5e6b4b0d3255bfef95601890afd80709`
SHA256	`e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`
SHA3	`a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a`
VirtualSize	`0x17000`
VirtualAddress	`0x1000`
SizeOfRawData	`0`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_UNINITIALIZED_DATA` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`

UPX1

MD5	`f975286aac1a1691af3f65aacffb460c`
SHA1	`3b4694dc46c7b5b1e26a047cbd4a3a849d8478a5`
SHA256	`9ab033dd64264558415730dcb01a2fcf7bd40591c2fea3a3abde3ad3540a15ec`
SHA3	`3dc0a30d0078b2d26f7b199518c97615c26b76aaefadf82b45b72c32aefa2072`
VirtualSize	`0xb000`
VirtualAddress	`0x18000`
SizeOfRawData	`0xae00`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`7.87274`

.rsrc

MD5	`72c9b957f1bc73068146e69854b5bada`
SHA1	`ee86ae54267c24056c7279c7de6346e29cfaf7e9`
SHA256	`2ad39314f48cc373051464a8b157f86f6ef2aa5c7838dd40bb0e257797799b78`
SHA3	`7cfa56a52ead3a31dc3aaf7ea692f9eeaf134fe3b58638eeb3d2649082e0e2f2`
VirtualSize	`0x1000`
VirtualAddress	`0x23000`
SizeOfRawData	`0xa00`
PointerToRawData	`0xb200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`4.07953`

Imports

ADVAPI32.dll	`CryptGenKey`
api-ms-win-crt-convert-l1-1-0.dll	`strtol`
api-ms-win-crt-filesystem-l1-1-0.dll	`_lock_file`
api-ms-win-crt-heap-l1-1-0.dll	`free`
api-ms-win-crt-locale-l1-1-0.dll	`_configthreadlocale`
api-ms-win-crt-math-l1-1-0.dll	`__setusermatherr`
api-ms-win-crt-runtime-l1-1-0.dll	`exit`
api-ms-win-crt-stdio-l1-1-0.dll	`fread`
api-ms-win-crt-string-l1-1-0.dll	`wcsspn`
api-ms-win-crt-time-l1-1-0.dll	`_time64`
GDI32.dll	`BitBlt`
gdiplus.dll	`GdiplusStartup`
KERNEL32.DLL	`LoadLibraryA` `ExitProcess` `GetProcAddress` `VirtualProtect`
MSVCP140.dll	`_Stat`
SHELL32.dll	`CommandLineToArgvW`
SHLWAPI.dll	`PathFindExtensionA`
urlmon.dll	`URLDownloadToFileA`
USER32.dll	`GetDC`
VCRUNTIME140.dll	`memchr`
WS2_32.dll	`#16`

Delayed Imports

109

Type	`RT_MENU`
Language	English - United States
Codepage	UNKNOWN
Size	`0x4a`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.78365`
MD5	`f7ae0d3b92878bdac2efac459996c6fe`
SHA1	`3998ce5f1c2036270e7e724c777f93a2e32d1a71`
SHA256	`2ca134e891fff84cdd0b6c59284591401e4cb5c708ddd7fd1f7984951b1d8a9f`
SHA3	`f99bbc421a32f66422f81891d546a592225bcf1e4bc8d4532196db569fb30842`

103

Type	`RT_DIALOG`
Language	English - United States
Codepage	UNKNOWN
Size	`0x144`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`7.29442`
MD5	`31a484961203e358f1d8ac63a9096ded`
SHA1	`6cb065370e66af46dbbdb3e23c33bc6c8dafa0f7`
SHA256	`722fa78af0763ec069bc5e63ac5a514e62615f0f58b46d7d30cd504e2f1605d7`
SHA3	`58c4efe4bf58046569730524e85822172588cc978d9d1761caf4ec0a85f9cf83`

7

Type	`RT_STRING`
Language	English - United States
Codepage	UNKNOWN
Size	`0x34`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.14237`
MD5	`5dbf14ea05dbdf86aaf87d2ba084d872`
SHA1	`0f1496a33148e3570e321f3ef8973755e9ae8c6a`
SHA256	`3731e620f6930f7217a929f130ccd946f27ccc7abc780c8edcc69a141609b27b`
SHA3	`b426cd544a5a4836e3c37c7c2b6b53895f006e760ac16a2ce6b8c6a9053508fc`

109 (#2)

Type	`RT_ACCELERATOR`
Language	English - United States
Codepage	UNKNOWN
Size	`0x10`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`4`
MD5	`f5fd34404b3976add1d70c8c4f3eb40c`
SHA1	`dce7b4c3c5f3ddd071687affe0f7654fb264f105`
SHA256	`299c3e2e9f56f820e3ea9a736fdbde62495950bf97505fe1af8d604391082039`
SHA3	`11ca1e993cdf03b2a874155cbc67ecc1cdaafca333e939a267d01f4448e7ba2c`

1

Type	`RT_MANIFEST`
Language	English - United States
Codepage	UNKNOWN
Size	`0x17d`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`4.91161`
MD5	`1e4a89b11eae0fcf8bb5fdd5ec3b6f61`
SHA1	`4260284ce14278c397aaf6f389c1609b0ab0ce51`
SHA256	`4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df`
SHA3	`4bb9e8b5a714cae82782f3831cc2d45f4bf4a50a755fe584d2d1893129d68353`

Version Info

TLS Callbacks

Load Configuration

Size	`0xa0`
TimeDateStamp	`1970-Jan-01 00:00:00`
Version	`0.0`
GlobalFlagsClear	`(EMPTY)`
GlobalFlagsSet	`(EMPTY)`
CriticalSectionDefaultTimeout	`0`
DeCommitFreeBlockThreshold	`0`
DeCommitTotalFreeThreshold	`0`
LockPrefixTable	`0`
MaximumAllocationSize	`0`
VirtualMemoryThreshold	`0`
ProcessAffinityMask	`0`
ProcessHeapFlags	`(EMPTY)`
CSDVersion	`0`
Reserved1	`0`
EditList	`0`
SecurityCookie	`0x41b00c`
SEHandlerTable	`0x417360`
SEHandlerCount	`59`

RICH Header

XOR Key	`0x1ae6d52b`
Unmarked objects	`0`
Imports (VS2008 SP1 build 30729)	`18`
263 (VS2015/2017 runtime 25711)	`1`
ASM objects (VS 2015/2017 runtime 26706)	`4`
C objects (VS 2015/2017 runtime 26706)	`12`
C++ objects (VS 2015/2017 runtime 26706)	`31`
Imports (VS 2015/2017 runtime 26706)	`4`
C objects (VS2015/2017 runtime 25711)	`2`
Imports (VS2015/2017 runtime 25711)	`23`
Total imports	`320`
265 (VS2017 v15.8.5-8 compiler 26730)	`3`
Resource objects (VS2017 v15.8.5-8 compiler 26730)	`1`
151	`1`
Linker (VS2017 v15.8.5-8 compiler 26730)	`1`

Errors

[!] Error: Could not reach the TLS callback table.
[*] Warning: Section UPX0 has a size of 0!
[*] Warning: Couldn't convert a string from a RT_STRING resource to UTF-8!
[*] Warning: Couldn't convert a string from a RT_STRING resource to UTF-8!