Manalyze report for 07d2b057d2385a4cdf413e8d342305df

Summary

Architecture	`IMAGE_FILE_MACHINE_AMD64`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	2018-Feb-12 20:06:28
Detected languages	English - United States Korean - Korea
CompanyName	Microsoft Corporation
FileDescription	NetBT Unattend Generic Command
FileVersion	`10.0.10586.0 (th2_release.151029-1700)`
InternalName	netbtugc.exe
LegalCopyright	© Microsoft Corporation. All rights reserved.
OriginalFilename	netbtugc.exe.mui
ProductName	Microsoft® Windows® Operating System
ProductVersion	`10.0.10586.0`

Plugin Output

Info	Cryptographic algorithms detected in the binary:	`Uses constants related to CRC32`
Suspicious	The PE contains functions most legitimate programs don't use.	`[!] The program may be hiding some of its imports: LoadLibraryA GetProcAddress LoadLibraryW` `Interacts with services: OpenServiceW`
Suspicious	The file contains overlay data.	`2478175 bytes of data starting at offset 0x1fc00.` `The overlay data has an entropy of 7.99992 and is possibly compressed or encrypted.` `Overlay data amounts for 95.0139% of the executable.`
Malicious	VirusTotal score: 16/69 (Scanned on 2019-09-09 02:06:54)	`Qihoo-360: HEUR/QVM202.0.C0D1.Malware.Gen` `McAfee: Trojan-HidCobra.a` `Cylance: Unsafe` `CrowdStrike: win/malicious_confidence_100% (W)` `Symantec: Trojan.Gen.MBT` `ESET-NOD32: a variant of Win64/NukeSped.AH` `Avast: FileRepMalware` `Sophos: Mal/Generic-S` `Invincea: heuristic` `McAfee-GW-Edition: Trojan-HidCobra.a` `Trapmine: malicious.high.ml.score` `Fortinet: W64/HidCobra.A!tr` `Microsoft: Trojan:Win32/Casdet!rfn` `MAX: malware (ai score=57)` `GData: Win64.Trojan.Agent.8S3OV5` `AVG: FileRepMalware`

Hashes

MD5	`07d2b057d2385a4cdf413e8d342305df`
SHA1	`1991e7797b2e97179b7604497f7f6c39eba2229b`
SHA256	`1a01b8a4c505db70f9e199337ce7f497b3dd42f25ad06487e29385580bca3676`
SHA3	`46c327172363dd027ed5575cead3eb201c1a5db4f9c27e39cbe6f8bd0e9640c1`
SSDeep	`49152:2sn+T/ymkSsvc1vb+oNEOaPmztSWNz25hqhbR5C7kcaFZweRrjxQTgZdy:2sck5ojp+Ef25al5CyjwSJQMzy`
Imports Hash	`347c977c6137a340c7cc0fcd5b224aef`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0xf0`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_AMD64`
NumberofSections	`6`
TimeDateStamp	2018-Feb-12 20:06:28
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xf0`
Characteristics	`IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LARGE_ADDRESS_AWARE`

Image Optional Header

Magic	`PE32+`
LinkerVersion	`10.0`
SizeOfCode	`0x15c00`
SizeOfInitializedData	`0x9c00`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x000000000000D200 (Section: .text)`
BaseOfCode	`0x1000`
ImageBase	`0x140000000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`5.2`
ImageVersion	`0.0`
SubsystemVersion	`5.2`
Win32VersionValue	`0`
SizeOfImage	`0x26000`
SizeOfHeaders	`0x400`
Checksum	`0x2f7c4`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` `IMAGE_DLLCHARACTERISTICS_NX_COMPAT` `IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`88425c71e7e293d43db9868e4693b365`
SHA1	`9f431d2a1310c94a56c874b70fa89d657054a650`
SHA256	`99a59dea8dddaedba1e03353a6f085c2ac885f3661b21da72f4d1f565b53d742`
SHA3	`df056d80fb42790e56570d593a928baaa5703a106cdde98bcd3877f4ae9d11e7`
VirtualSize	`0x15a2a`
VirtualAddress	`0x1000`
SizeOfRawData	`0x15c00`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.41552`

.rdata

MD5	`bb0048e4f3851ea07b365828ddf613f7`
SHA1	`316a8964c86629cf419d091651adb6d7422004e5`
SHA256	`cd8910806680273ff3bc53e23cda72e60b8fad8fd417be7b81dc8b0553ff983d`
SHA3	`66768674cd893fd72dcfefe6b527c23dbd1858e51cbda13037e0a7de17df0df6`
VirtualSize	`0x675e`
VirtualAddress	`0x17000`
SizeOfRawData	`0x6800`
PointerToRawData	`0x16000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`4.91225`

.data

MD5	`50e3efe1a6ea325c87f8e86e2fbd40b4`
SHA1	`591dde4f0c662fce2518a133e42ea31fdaad9a29`
SHA256	`e0380eba9d22035239fbfacbe3daf94cffb28947b0b2f2a2b0efd42a889443ea`
SHA3	`c7b3e6c968fdc288b4266c0f3e33197190c43170824d03457d9fb42b6e8b8710`
VirtualSize	`0x3e48`
VirtualAddress	`0x1e000`
SizeOfRawData	`0x1600`
PointerToRawData	`0x1c800`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`2.09364`

.pdata

MD5	`f56a65eb9562d6c6d607f867d1d0fd09`
SHA1	`f2b07cdc687bf0a2d8baa169b3b3b2112fbafb36`
SHA256	`709c5c5b497ffe8ffb0dbd1b60e9c821aa643c76ac321416cdf43f53805d9378`
SHA3	`e4a31caf4f6c29ed32a3eeb2a8abe81a3df798682ee7947afe194b8091537cf6`
VirtualSize	`0x1038`
VirtualAddress	`0x22000`
SizeOfRawData	`0x1200`
PointerToRawData	`0x1de00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`4.72553`

.rsrc

MD5	`6a9a84d523e53e1d43c31b2cc069930c`
SHA1	`3603c3e372aa5ea2465ab1aa07f53e1ea6681ded`
SHA256	`b56c17c942b6966842cbe438d2d50093e7592bbb3f6cefbc179e60f8f03095f1`
SHA3	`c1ebec53c6d2f71c4b598c0904960586570f015ddc636fab86103182808c77cd`
VirtualSize	`0x5b0`
VirtualAddress	`0x24000`
SizeOfRawData	`0x600`
PointerToRawData	`0x1f000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`4.30815`

.reloc

MD5	`dab5e290c15de9634d93d8f592a44633`
SHA1	`48dacb8e8ef8492ea7f8782e5e753884a274bc43`
SHA256	`8be90ac5aac67f8b84929e6ba320e1b3540a229687b77e8780adb2d09146174f`
SHA3	`b9e13e9f03fd3448d356eb016946ed80e19165b576515d10cb8786466bf914dc`
VirtualSize	`0x4bc`
VirtualAddress	`0x25000`
SizeOfRawData	`0x600`
PointerToRawData	`0x1f600`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`2.9126`

Imports

KERNEL32.dll	`GetCurrentProcess` `WriteFile` `WideCharToMultiByte` `ReadFile` `CreateFileW` `MultiByteToWideChar` `GetCurrentDirectoryW` `GetFileType` `CloseHandle` `MapViewOfFile` `SystemTimeToFileTime` `GetLastError` `GetLocalTime` `CreateFileMappingW` `GetCommandLineW` `MoveFileExW` `lstrlenW` `LocalAlloc` `DeleteFileW` `SetFilePointer` `DosDateTimeToFileTime` `LoadLibraryA` `UnmapViewOfFile` `GetProcAddress` `EncodePointer` `DecodePointer` `HeapFree` `HeapAlloc` `GetCommandLineA` `GetStartupInfoW` `TerminateProcess` `UnhandledExceptionFilter` `SetUnhandledExceptionFilter` `IsDebuggerPresent` `RtlVirtualUnwind` `RtlLookupFunctionEntry` `RtlCaptureContext` `Sleep` `HeapSize` `GetModuleHandleW` `ExitProcess` `RtlUnwindEx` `HeapSetInformation` `GetVersion` `HeapCreate` `GetStdHandle` `GetModuleFileNameW` `RaiseException` `RtlPcToFileHeader` `EnterCriticalSection` `LeaveCriticalSection` `InitializeCriticalSectionAndSpinCount` `FlsGetValue` `FlsSetValue` `FlsFree` `SetLastError` `GetCurrentThreadId` `FlsAlloc` `GetModuleFileNameA` `FreeEnvironmentStringsW` `GetEnvironmentStringsW` `SetHandleCount` `DeleteCriticalSection` `QueryPerformanceCounter` `GetTickCount` `GetCurrentProcessId` `GetSystemTimeAsFileTime` `HeapReAlloc` `LoadLibraryW` `GetCPInfo` `GetACP` `GetOEMCP` `IsValidCodePage` `GetConsoleCP` `GetConsoleMode` `SetStdHandle` `FlushFileBuffers` `LCMapStringW` `GetStringTypeW` `SetEndOfFile` `GetProcessHeap` `WriteConsoleW`
ADVAPI32.dll	`ChangeServiceConfig2A` `OpenServiceW` `CloseServiceHandle` `StartServiceA`
SHELL32.dll	`CommandLineToArgvW`

Delayed Imports

1

Type	`RT_VERSION`
Language	Korean - Korea
Codepage	Latin 1 / Western European
Size	`0x3b4`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.48995`
MD5	`4b8c12c16fc9b68247d1f0e624474779`
SHA1	`5348990e8ed4a7bbc7a8348a087538327e5226dc`
SHA256	`72cb64f9213b7a180bd6d3e58f650791c4e7c146800c739b6c061732fa8f29a8`
SHA3	`cc56204c7fad1726a0420402b78d06755fa334ff4c84ae68f358743d51d070c6`

1 (#2)

Type	`RT_MANIFEST`
Language	English - United States
Codepage	Latin 1 / Western European
Size	`0x15a`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`4.79597`
MD5	`24d3b502e1846356b0263f945ddd5529`
SHA1	`bac45b86a9c48fc3756a46809c101570d349737d`
SHA256	`49a60be4b95b6d30da355a0c124af82b35000bce8f24f957d1c09ead47544a1e`
SHA3	`1244ed60820da52dc4b53880ec48e3b587dbdbd9545f01fa2b1c0fcfea1d5e9e`

Version Info

Signature	`0xfeef04bd`
StructVersion	`0x10000`
FileVersion	10.0.10586.0
ProductVersion	10.0.10586.0
FileFlags	`(EMPTY)`
FileOs	`VOS_DOS_WINDOWS32` `VOS_NT` `VOS_NT_WINDOWS32` `VOS_WINCE` `VOS__WINDOWS32`
FileType	`VFT_APP`
Language	English - United States
CompanyName	Microsoft Corporation
FileDescription	NetBT Unattend Generic Command
FileVersion (#2)	10.0.10586.0 (th2_release.151029-1700)
InternalName	netbtugc.exe
LegalCopyright	© Microsoft Corporation. All rights reserved.
OriginalFilename	netbtugc.exe.mui
ProductName	Microsoft® Windows® Operating System
ProductVersion (#2)	10.0.10586.0

Resource LangID	Korean - Korea

TLS Callbacks

Load Configuration

RICH Header

XOR Key	`0x4c74ba8b`
Unmarked objects	`0`
152 (20115)	`2`
C++ objects (VS2010 build 30319)	`41`
C objects (VS2010 build 30319)	`118`
ASM objects (VS2010 build 30319)	`10`
Imports (VS2008 SP1 build 30729)	`9`
Total imports	`112`
175 (VS2010 build 30319)	`6`
Resource objects (VS2010 build 30319)	`1`
Linker (VS2010 build 30319)	`1`

07d2b057d2385a4cdf413e8d342305df

Summary

Plugin Output

Hashes

DOS Header

PE Header

Image Optional Header

.text

.rdata

.data

.pdata

.rsrc

.reloc

Imports

Delayed Imports

1

1 (#2)

Version Info

TLS Callbacks

Load Configuration

RICH Header

Errors