Manalyze report for 02711a0d6eb7b925ef6a05e0a042eab4c71321375e4b0962087b185a298d27ca

Summary

Architecture	`IMAGE_FILE_MACHINE_I386`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	2009-Aug-25 14:06:30
Detected languages	English - United States Serbian - Serbia (Latin)

Plugin Output

Suspicious	PEiD Signature:	`UPX V2.00-V2.90 -> Markus Oberhumer & Laszlo Molnar & John Reiser` `UPX v2.0 -> Markus, Laszlo & Reiser (h)` `UPX 2.00-3.0X -> Markus Oberhumer & Laszlo Molnar & John Reiser` `UPX -> www.upx.sourceforge.net` `UPX V2.00-V2.90 -> Markus Oberhumer & Laszlo Molnar & John Reiser` `UPX 2.00-3.0X -> Markus Oberhumer & Laszlo Molnar & John Reiser`
Suspicious	The PE is packed with UPX	`Unusual section name found: UPX0` `Section UPX0 is both writable and executable.` `Unusual section name found: UPX1` `Section UPX1 is both writable and executable.` `The PE only has 7 import(s).`
Suspicious	The PE contains functions most legitimate programs don't use.	`[!] The program may be hiding some of its imports: LoadLibraryA GetProcAddress` `Possibly launches other programs: ShellExecuteA` `Memory manipulation functions often used by packers: VirtualProtect VirtualAlloc`
Suspicious	The PE is possibly a dropper.	`Resources amount for 80.3016% of the executable.`
Malicious	VirusTotal score: 12/72 (Scanned on 2024-10-08 21:21:39)	`Antiy-AVL: Trojan/Win32.BTSGeneric` `Bkav: W32.AIDetectMalware` `ClamAV: Win.Trojan.Injecter-241` `Cylance: Unsafe` `Cynet: Malicious (score: 100)` `Google: Detected` `Gridinsoft: Ransom.Win32.Occamy.oa!s2` `Jiangmin: TrojanDownloader.Injecter.aiz` `Rising: Malware.Undefined!8.C (CLOUD)` `Tencent: Win32.Trojan.Malware.Szfl` `Trapmine: malicious.moderate.ml.score` `VBA32: Backdoor.Plite`

Hashes

MD5	`100091398ebb3083ff24d8caaad59879`
SHA1	`337b6cf369a990c9e8d41f6fafe0b7839656874d`
SHA256	`02711a0d6eb7b925ef6a05e0a042eab4c71321375e4b0962087b185a298d27ca`
SHA3	`a00919ad1b88a4fd0c140cd0bbc24697e1c891ac8d1f85aea943490e33b70acb`
SSDeep	`1536:9kNv09g7GVHCoeBpjXwyy9yyyyCFYgiSt6PivGcpK:KNv09SGBw1/p4PiuQK`
Imports Hash	`8fa3bfbee376a470d7a9d5794558993e`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0xd8`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_I386`
NumberofSections	`3`
TimeDateStamp	2009-Aug-25 14:06:30
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xe0`
Characteristics	`IMAGE_FILE_32BIT_MACHINE` `IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_RELOCS_STRIPPED`

Image Optional Header

Magic	`PE32`
LinkerVersion	`9.0`
SizeOfCode	`0x5000`
SizeOfInitializedData	`0x16000`
SizeOfUninitializedData	`0x1d000`
AddressOfEntryPoint	`0x00022740 (Section: UPX1)`
BaseOfCode	`0x1e000`
BaseOfData	`0x23000`
ImageBase	`0x400000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`5.0`
ImageVersion	`0.0`
SubsystemVersion	`5.0`
Win32VersionValue	`0`
SizeOfImage	`0x39000`
SizeOfHeaders	`0x1000`
Checksum	`0`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

UPX0

MD5	`d41d8cd98f00b204e9800998ecf8427e`
SHA1	`da39a3ee5e6b4b0d3255bfef95601890afd80709`
SHA256	`e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`
SHA3	`a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a`
VirtualSize	`0x1d000`
VirtualAddress	`0x1000`
SizeOfRawData	`0`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_UNINITIALIZED_DATA` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`

UPX1

MD5	`323862e32f31cf1afb87084d365e6db1`
SHA1	`f0f7e7185839bc85a7eb94c7e75b2ea4939d083f`
SHA256	`494243107b229697528b3ce67175a65afe0c42c2f324de3b5fe3d53513c5d2cf`
SHA3	`9daa136f6e4d37522ea917f4ac2240886c104568697b4df4f64fc4d1b43c73f6`
VirtualSize	`0x5000`
VirtualAddress	`0x1e000`
SizeOfRawData	`0x4a00`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`7.85192`

.rsrc

MD5	`b0a06d23e3643c8c63569a7a01db0ee3`
SHA1	`c405e0f57ec5e70c95c1fd903320664c17306b65`
SHA256	`7c9c293cebcff0b6e9b1129ac74ad3162c1db586a09976ee53beead87ad9a9f6`
SHA3	`3baa29e7fc0046700e439f2e4074c7d326f9d758ddeacb92274bfb509033e3da`
VirtualSize	`0x16000`
VirtualAddress	`0x23000`
SizeOfRawData	`0x15200`
PointerToRawData	`0x4e00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`5.49709`

Imports

KERNEL32.DLL	`LoadLibraryA` `GetProcAddress` `VirtualProtect` `VirtualAlloc` `VirtualFree` `ExitProcess`
SHELL32.dll	`ShellExecuteA`

Delayed Imports

1

Type	`RT_ICON`
Language	Serbian - Serbia (Latin)
Codepage	Latin 1 / Western European
Size	`0x10828`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.39246`
MD5	`493561d189e994f3de77945d38fdfe69`
SHA1	`fd59efa2a55778e7c8343999c9a572519bd7b904`
SHA256	`21cb4ff30250f6cd26425df13498a655a7c46d139222d977143953ee78ba6fe9`
SHA3	`88217f532c3553007ea403c75d476f95f534f79cc947fc3af062b88704ee7b82`

2

Type	`RT_ICON`
Language	Serbian - Serbia (Latin)
Codepage	Latin 1 / Western European
Size	`0x25a8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.64367`
MD5	`5c65f1fd619d709db404d7425c338484`
SHA1	`b52c69e37fd8bc632dc4f1b83f57e07872edded2`
SHA256	`79478f5fb69b8e0fa7b712b50d63f54d97147cf42f6ffe9b4629d4253ba55133`
SHA3	`31c26593f51d8262169a0ff6fd3aa402dfa210b5dfdfb3bfa5a83b2ede98f9e4`

3

Type	`RT_ICON`
Language	Serbian - Serbia (Latin)
Codepage	Latin 1 / Western European
Size	`0x10a8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.62551`
MD5	`8baf218cd0074dda6738ffd3b4532bd0`
SHA1	`4fd1331ee1a11e7698318576372508877efc2e7e`
SHA256	`022423b54afec3498b4054fe4b2b5cf0452e79e8e02c73c40042585c925810e0`
SHA3	`11ae729c4ce401c457fea4263c6cd13c82446f006253ce64790d0cacc4c66ba8`

4

Type	`RT_ICON`
Language	Serbian - Serbia (Latin)
Codepage	Latin 1 / Western European
Size	`0x988`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.68845`
MD5	`85614176b4c241df975c52f35d83dec0`
SHA1	`dcb26037da34a58db70c95a4d963293b587f2903`
SHA256	`97d821bec5f518e4f84a6b434b10fec5ecf3fcf393aed1d2f80f1fa3b9923c19`
SHA3	`0220e32ca8bfe85e5a6b759c427c088790dadf4c8ea4c1a9c728edf488eb8ce8`

5

Type	`RT_ICON`
Language	Serbian - Serbia (Latin)
Codepage	Latin 1 / Western European
Size	`0x468`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.71149`
MD5	`6d36ec186de50351630b6c7509c587fd`
SHA1	`ac96af5f3d38829ee0b4b38723b008cdb077691e`
SHA256	`788ab8a957869525ab44ecd6b7210549c3d92f21e26a28e84f7df08e8b1ffda2`
SHA3	`cd9a1c67cd5f945c89a6caa2cb2383ef41487d55fd6c08314889f407c9831dab`

101

Type	`RT_GROUP_ICON`
Language	Serbian - Serbia (Latin)
Codepage	Latin 1 / Western European
Size	`0x4c`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.82914`
Detected Filetype	Icon file
MD5	`c62e4326f13737ebb0dd8d2b02e29e09`
SHA1	`cac8590e075edcc745d8844b102a4c627eeeb992`
SHA256	`7ace846a023515beb38870fa999c239f47c5bec78b18b7d81763df0def21036d`
SHA3	`1b80fca6cb1002d82fb3cb07e1de3e0e37a7cf5760188aa081d74bb16369a5cf`

1 (#2)

Type	`RT_MANIFEST`
Language	English - United States
Codepage	Latin 1 / Western European
Size	`0x15a`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`4.79597`
MD5	`24d3b502e1846356b0263f945ddd5529`
SHA1	`bac45b86a9c48fc3756a46809c101570d349737d`
SHA256	`49a60be4b95b6d30da355a0c124af82b35000bce8f24f957d1c09ead47544a1e`
SHA3	`1244ed60820da52dc4b53880ec48e3b587dbdbd9545f01fa2b1c0fcfea1d5e9e`

Version Info

TLS Callbacks

Load Configuration

Size	`0x48`
TimeDateStamp	`1970-Jan-01 00:00:00`
Version	`0.0`
GlobalFlagsClear	`(EMPTY)`
GlobalFlagsSet	`(EMPTY)`
CriticalSectionDefaultTimeout	`0`
DeCommitFreeBlockThreshold	`0`
DeCommitTotalFreeThreshold	`0`
LockPrefixTable	`0`
MaximumAllocationSize	`0`
VirtualMemoryThreshold	`0`
ProcessAffinityMask	`0`
ProcessHeapFlags	`(EMPTY)`
CSDVersion	`0`
Reserved1	`0`
EditList	`0`
SecurityCookie	`0x40a000`
SEHandlerTable	`0x409300`
SEHandlerCount	`3`

RICH Header

XOR Key	`0x6d2bc55`
Unmarked objects	`0`
ASM objects (VS2008 build 21022)	`16`
C objects (VS2008 build 21022)	`75`
Imports (VS2012 build 50727 / VS2005 build 50727)	`5`
Total imports	`78`
C++ objects (VS2008 build 21022)	`29`
Linker (VS2008 build 21022)	`1`
Resource objects (VS2008 build 21022)	`1`

Errors

[*] Warning: Section UPX0 has a size of 0!

Leave a comment

No comments yet.