Manalyze report for 0857e337064c236bc8d6fa42414a85f0

Summary

Architecture	`IMAGE_FILE_MACHINE_I386`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_CUI`
Compilation Date	2023-May-26 17:04:44
Detected languages	English - United States
Comments	9JErntmjT1qvCOlVor7dVkt9i9QjP3
CompanyName	Spotify Technology S.A.
FileDescription	Spotify Technology S.A. Product
FileVersion	`6,850,13,224`
InternalName	b9OSBI0lJo
LegalCopyright	Copyright Â© Spotify Technology S.A. All rights reserved.
LegalTrademarks	Trademark Â© Spotify Technology S.A.
OriginalFilename	6aqP1A0g
ProductName	FojM0t5U5bWp
ProductVersion	`6,850,13,224`

Plugin Output

Info	Matching compiler(s):	`Microsoft Visual C++ 6.0 - 8.0`
Suspicious	The PE is possibly packed.	`Unusual section name found: .VMdVV`
Info	The PE contains common functions which appear in legitimate applications.	`[!] The program may be hiding some of its imports: GetProcAddress LoadLibraryA` `Can access the registry: RegDeleteKeyA`
Suspicious	The file contains overlay data.	`2 bytes of data starting at offset 0x2d078.`
Malicious	The PE's digital signature is invalid.	`Signer: ESET` `Issuer: Entrust Extended Validation Code Signing CA - EVCS1` `The file was modified after it was signed.`
Malicious	VirusTotal score: 46/72 (Scanned on 2023-05-29 06:00:16)	`Bkav: W32.AIDetectMalware` `Lionic: Trojan.Win32.Generic.4!c` `Elastic: malicious (high confidence)` `DrWeb: Trojan.Siggen19.32857` `Cynet: Malicious (score: 99)` `McAfee: Artemis!0857E337064C` `Cylance: unsafe` `Sangfor: Trojan.Win32.Agent.V74u` `K7AntiVirus: Trojan ( 005a5f491 )` `BitDefender: Trojan.GenericKD.67249557` `K7GW: Trojan ( 005a5f491 )` `Cyren: W32/Kryptik.JXI.gen!Eldorado` `Symantec: ML.Attribute.HighConfidence` `ESET-NOD32: a variant of Win32/Kryptik.HTQF` `APEX: Malicious` `Kaspersky: HEUR:Trojan-Spy.Win32.Stealer.gen` `Alibaba: TrojanSpy:Win32/Stealer.8c69b519` `MicroWorld-eScan: Trojan.GenericKD.67249557` `Avast: Win32:CrypterX-gen [Trj]` `Rising: Backdoor.Agent!8.C5D (TFE:5:Npy7Ou96UxJ)` `Emsisoft: Trojan.GenericKD.67249557 (B)` `F-Secure: Trojan.TR/AD.Nekark.aexwh` `VIPRE: Trojan.GenericKD.67249557` `McAfee-GW-Edition: BehavesLike.Win32.Expiro.ch` `Trapmine: malicious.high.ml.score` `FireEye: Generic.mg.0857e337064c236b` `Sophos: Mal/Generic-S` `Ikarus: Trojan.Win32.Crypt` `Avira: TR/AD.Nekark.aexwh` `Antiy-AVL: Trojan/Win32.Kryptik` `Microsoft: Trojan:Win32/CerberCrypt.B!MTB` `Arcabit: Trojan.Generic.D4022595` `GData: Win32.Trojan.PSE.1DR8PBG` `Google: Detected` `AhnLab-V3: Trojan/Win.Generic.R582259` `ALYac: Trojan.GenericKD.67249557` `MAX: malware (ai score=88)` `VBA32: BScope.TrojanPSW.RedLine` `Malwarebytes: Spyware.RedLineStealer` `Panda: Trj/Genetic.gen` `TrendMicro-HouseCall: TROJ_GEN.R002H0DEQ23` `Tencent: Malware.Win32.Gencirc.10bee350` `Fortinet: MSIL/Disabler.DR!tr` `AVG: Win32:CrypterX-gen [Trj]` `DeepInstinct: MALICIOUS` `CrowdStrike: win/malicious_confidence_100% (W)`

Hashes

MD5	`0857e337064c236bc8d6fa42414a85f0`
SHA1	`e5c63ab089d0f4c39a87abdadd21f8d0901d4932`
SHA256	`41b492f156bf6ff8f4731b1231bf7bfa4486afe89e74ea60c35b03116530eff4`
SHA3	`7aedb3a2312f18758caf1d787732e2f37201b9b49e675ac47e91acbf3b312174`
SSDeep	`3072:5PkJry+eacs6XtKbPli6+GURy5mLvVZqUxO:5P+lcsoMi6dR6NQ`
Imports Hash	`f0ea3dd20c636e704dca117c1f251a95`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0xe8`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_I386`
NumberofSections	`5`
TimeDateStamp	2023-May-26 17:04:44
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xe0`
Characteristics	`IMAGE_FILE_32BIT_MACHINE` `IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_RELOCS_STRIPPED`

Image Optional Header

Magic	`PE32`
LinkerVersion	`9.0`
SizeOfCode	`0x1ea00`
SizeOfInitializedData	`0xb800`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x00006C42 (Section: .text)`
BaseOfCode	`0x1000`
BaseOfData	`0x21000`
ImageBase	`0x400000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`5.0`
ImageVersion	`0.0`
SubsystemVersion	`5.0`
Win32VersionValue	`0`
SizeOfImage	`0x2e000`
SizeOfHeaders	`0x400`
Checksum	`0`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_CUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`3eae0d164fbbacd5b834e13921d33cff`
SHA1	`73b44bf94babedea5fd0f33d20dbba86299bbf5c`
SHA256	`73f0c68b5480b9a017f4871372982f0758516960e5f879f3f40a8c93577319f0`
SHA3	`ee4485237c9881106cff9ac02d0faea215ca173db2e4673db533df6af8dabc48`
VirtualSize	`0x165bf`
VirtualAddress	`0x1000`
SizeOfRawData	`0x16600`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.6537`

.VMdVV

MD5	`422577adb803de4cf0db84248a0fdd5f`
SHA1	`51e5cf879938829c88322280b1080418dc54e461`
SHA256	`2562033e1306127ec7271dca03a2be553cda8bb46c61908ec4665754686743f8`
SHA3	`33ce580b405f88d6ef601151bfd6b8b2f1af5fae1258317f5134278ace2092fa`
VirtualSize	`0x83ea`
VirtualAddress	`0x18000`
SizeOfRawData	`0x8400`
PointerToRawData	`0x16a00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.13083`

.rdata

MD5	`9cdada54d67524ac121e5bdb4a17a5ca`
SHA1	`6a71411a885fb1f7f4617f4f02a6cfd753a4feb9`
SHA256	`4851ebea41eee75bac3019f499918dd02cce6aa5f8f5faf15c104895b1a36414`
SHA3	`b0509758177f2af76ca01833a2dea884f7563e1e89ecb60422260b0bf66b358f`
VirtualSize	`0x4b10`
VirtualAddress	`0x21000`
SizeOfRawData	`0x4c00`
PointerToRawData	`0x1ee00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`5.22375`

.data

MD5	`5173c2cdd6121e966eb5b25c2580cd6f`
SHA1	`ad763a8d7bb5a4b40b8012e59ccaf01de04d7bf6`
SHA256	`007efa680ef7769d8f128682b6318636729d370c1af55a0f27df7c1de43006d1`
SHA3	`8988b80ca2c0a84d3b956fa54688840fe6cafc0d07c88a3a0b1bb3624e22d1c9`
VirtualSize	`0x6388`
VirtualAddress	`0x26000`
SizeOfRawData	`0x4400`
PointerToRawData	`0x23a00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`7.01097`

.rsrc

MD5	`1dce7262d2ed5977fb72865b8420fab4`
SHA1	`52744819375b6cf49f039aad17b04311a630ae6d`
SHA256	`e15426c768da6ddd6c3dbedf2c77040277d6f966f8537d93acbfc1d5fae743f5`
SHA3	`46d11b426b9603fabde71cbacb706e6484f4dd4ac12def7dad12eeb237afe956`
VirtualSize	`0x628`
VirtualAddress	`0x2d000`
SizeOfRawData	`0x800`
PointerToRawData	`0x27e00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`3.38313`

Imports

KERNEL32.dll	`WriteConsoleW` `GetLocaleInfoW` `CreateFileA` `GetNativeSystemInfo` `GetModuleHandleA` `MultiByteToWideChar` `SetStdHandle` `GetProcAddress` `InterlockedIncrement` `InterlockedDecrement` `WideCharToMultiByte` `Sleep` `InterlockedExchange` `InitializeCriticalSection` `DeleteCriticalSection` `EnterCriticalSection` `LeaveCriticalSection` `RtlUnwind` `TerminateProcess` `GetCurrentProcess` `UnhandledExceptionFilter` `SetUnhandledExceptionFilter` `IsDebuggerPresent` `RaiseException` `GetCommandLineA` `GetLastError` `HeapFree` `GetCPInfo` `LCMapStringA` `LCMapStringW` `GetModuleHandleW` `TlsGetValue` `TlsAlloc` `TlsSetValue` `TlsFree` `SetLastError` `GetCurrentThreadId` `HeapAlloc` `ExitProcess` `WriteFile` `GetStdHandle` `GetModuleFileNameA` `FreeEnvironmentStringsA` `GetEnvironmentStrings` `FreeEnvironmentStringsW` `GetEnvironmentStringsW` `SetHandleCount` `GetFileType` `GetStartupInfoA` `HeapCreate` `VirtualFree` `QueryPerformanceCounter` `GetTickCount` `GetCurrentProcessId` `GetSystemTimeAsFileTime` `VirtualAlloc` `HeapReAlloc` `GetConsoleCP` `GetConsoleMode` `FlushFileBuffers` `ReadFile` `SetFilePointer` `CloseHandle` `HeapSize` `GetACP` `GetOEMCP` `IsValidCodePage` `GetUserDefaultLCID` `GetLocaleInfoA` `EnumSystemLocalesA` `IsValidLocale` `GetStringTypeA` `GetStringTypeW` `LoadLibraryA` `InitializeCriticalSectionAndSpinCount` `WriteConsoleA` `GetConsoleOutputCP`
USER32.dll	`GetActiveWindow` `LoadCursorA` `MessageBoxA` `wsprintfA` `GetDlgItemTextA` `CheckDlgButton`
GDI32.dll	`GetStockObject` `DeleteObject` `SetBkMode` `SetTextColor` `CreateFontIndirectA` `SelectObject` `GetObjectA`
ADVAPI32.dll	`RegDeleteKeyA`

Delayed Imports

1

Type	`RT_VERSION`
Language	English - United States
Codepage	UNKNOWN
Size	`0x424`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.5853`
MD5	`51009826ebf1d087a15a14420f80ce72`
SHA1	`8caf9693a237c56bec40f5301524a41eec783d8a`
SHA256	`c16d0055087c756dffbfa96d17329c3e59e4e2e03093806e04825766262e86d2`
SHA3	`f64485a3f87f98999e35f2c2e66e854648425f8f7808eaa49dd9f78704bcd176`

1 (#2)

Type	`RT_MANIFEST`
Language	English - United States
Codepage	UNKNOWN
Size	`0x15a`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`4.79597`
MD5	`24d3b502e1846356b0263f945ddd5529`
SHA1	`bac45b86a9c48fc3756a46809c101570d349737d`
SHA256	`49a60be4b95b6d30da355a0c124af82b35000bce8f24f957d1c09ead47544a1e`
SHA3	`1244ed60820da52dc4b53880ec48e3b587dbdbd9545f01fa2b1c0fcfea1d5e9e`

Version Info

Signature	`0xfeef04bd`
StructVersion	`0x10000`
FileVersion	6.850.13.224
ProductVersion	6.850.13.224
FileFlags	`(EMPTY)`
FileOs	`VOS_DOS_WINDOWS32` `VOS_NT_WINDOWS32` `VOS__WINDOWS32`
FileType	`VFT_APP`
Language	English - United States
Comments	9JErntmjT1qvCOlVor7dVkt9i9QjP3
CompanyName	Spotify Technology S.A.
FileDescription	Spotify Technology S.A. Product
FileVersion (#2)	6,850,13,224
InternalName	b9OSBI0lJo
LegalCopyright	Copyright Â© Spotify Technology S.A. All rights reserved.
LegalTrademarks	Trademark Â© Spotify Technology S.A.
OriginalFilename	6aqP1A0g
ProductName	FojM0t5U5bWp
ProductVersion (#2)	6,850,13,224

Resource LangID	English - United States

TLS Callbacks

Load Configuration

Size	`0x48`
TimeDateStamp	`1970-Jan-01 00:00:00`
Version	`0.0`
GlobalFlagsClear	`(EMPTY)`
GlobalFlagsSet	`(EMPTY)`
CriticalSectionDefaultTimeout	`0`
DeCommitFreeBlockThreshold	`0`
DeCommitTotalFreeThreshold	`0`
LockPrefixTable	`0`
MaximumAllocationSize	`0`
VirtualMemoryThreshold	`0`
ProcessAffinityMask	`0`
ProcessHeapFlags	`(EMPTY)`
CSDVersion	`0`
Reserved1	`0`
EditList	`0`
SecurityCookie	`0x4294d0`
SEHandlerTable	`0x424420`
SEHandlerCount	`28`

RICH Header

XOR Key	`0x817315f7`
Unmarked objects	`0`
ASM objects (VS2008 build 21022)	`21`
C++ objects (VS2008 build 21022)	`54`
C objects (VS2008 build 21022)	`132`
Imports (VS2012 build 50727 / VS2005 build 50727)	`6`
Imports (VS2003 (.NET) build 4035)	`3`
Total imports	`103`
C++ objects (VS2008 SP1 build 30729)	`1`
Linker (VS2008 build 21022)	`1`
Resource objects (VS2008 SP1 build 30729)	`1`

Errors

[*] Warning: Raw bytes from section .text could not be obtained.