Manalyze report for 0a0f1c66ae9df9a16d667833e5b5ea08

Summary

Architecture	`IMAGE_FILE_MACHINE_I386`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	2015-Sep-24 04:27:55
Detected languages	Russian - Russia
FileVersion	`1, 23, 19, 125`
CreateCopyright	SecInc
ProductVersion	`1, 23, 19, 129`

Plugin Output

Info	Matching compiler(s):	`Microsoft Visual C++ 7.1` `Microsoft Visual C++ 6.0 - 8.0` `Microsoft Visual C++ v7.0` `Microsoft Visual C++ v7.1 EXE` `Microsoft Visual C++ 7.0 MFC`
Suspicious	The PE contains functions most legitimate programs don't use.	`[!] The program may be hiding some of its imports: GetProcAddress LoadLibraryW LoadLibraryA` `Memory manipulation functions often used by packers: VirtualAlloc VirtualProtect`
Info	The PE is digitally signed.	`Signer: "IKO-PROF"` `Issuer: COMODO RSA Code Signing CA`
Malicious	VirusTotal score: 22/57 (Scanned on 2015-09-27 10:07:18)	`MicroWorld-eScan: Gen:Variant.Adware.Strictor.85078` `ALYac: Gen:Variant.Adware.Strictor.85078` `K7GW: Trojan ( 004cfc0f1 )` `K7AntiVirus: Trojan ( 004cfc0f1 )` `Kaspersky: not-a-virus:Downloader.Win32.LMN.ajz` `BitDefender: Gen:Variant.Adware.Strictor.85078` `Ad-Aware: Gen:Variant.Adware.Strictor.85078` `Sophos: Generic PUA BD (PUA)` `F-Secure: Gen:Variant.Adware.Strictor` `DrWeb: Trojan.LoadMoney.958` `VIPRE: Trojan.Win32.Generic!BT` `Emsisoft: Gen:Variant.Adware.Strictor.85078 (B)` `Antiy-AVL: RiskWare[Downloader:not-a-virus]/Win32.LMN` `Arcabit: Trojan.Adware.Strictor.D14C56` `GData: Gen:Variant.Adware.Strictor.85078` `AVware: Trojan.Win32.Generic!BT` `VBA32: Signed-Downware.LMN` `Rising: PE:Malware.Obscure!1.9C59[F1]` `Ikarus: Trojan.Win32.Crypt` `AVG: Generic.E9C` `Panda: Generic Suspicious` `Qihoo-360: Win32/Virus.Downloader.d68`

Hashes

MD5	`0a0f1c66ae9df9a16d667833e5b5ea08`
SHA1	`13f39650f136bac0cf877e97cbb9ba4da70ce707`
SHA256	`23145ec76c624c5491f127e28cb851fc13591b0374ec1365f9042789ce809958`
SHA3	`46320952f20746b3ec24e07d658ee1cac6831fdc58c8041ef477e4472e4b67bb`
SSDeep	`12288:xunduIVkYhgOtBtAssaAzJFngBp2Dsbdj:xmdxVk0gJFgv2Dsbdj`
Imports Hash	`81bc47809a3fe4b09bce4f9494caea3e`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0xf0`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_I386`
NumberofSections	`4`
TimeDateStamp	2015-Sep-24 04:27:55
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xe0`
Characteristics	`IMAGE_FILE_32BIT_MACHINE` `IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LINE_NUMS_STRIPPED` `IMAGE_FILE_LOCAL_SYMS_STRIPPED` `IMAGE_FILE_RELOCS_STRIPPED`

Image Optional Header

Magic	`PE32`
LinkerVersion	`7.0`
SizeOfCode	`0x7000`
SizeOfInitializedData	`0x93000`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x000021C2 (Section: .text)`
BaseOfCode	`0x1000`
BaseOfData	`0x8000`
ImageBase	`0x400000`
SectionAlignment	`0x1000`
FileAlignment	`0x1000`
OperatingSystemVersion	`4.0`
ImageVersion	`0.0`
SubsystemVersion	`4.0`
Win32VersionValue	`0`
SizeOfImage	`0x9d000`
SizeOfHeaders	`0x1000`
Checksum	`0xa0eb8`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`99b64cb32258537250f605d7c6a115db`
SHA1	`0a95a588975d8269cf3754ffac91722a8411628d`
SHA256	`ad82d046a8a3f530cce055306b2adc646e7e12a87bdf7d0ffc6a7ea5c246e064`
SHA3	`7790cebd409b460651fc23945757a419d1b0fdc875b3e22647bee8ddc644c21f`
VirtualSize	`0x60e8`
VirtualAddress	`0x1000`
SizeOfRawData	`0x7000`
PointerToRawData	`0x1000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`5.52944`

.rdata

MD5	`2120eca464cf2939af597a0484b92b42`
SHA1	`44120851ee908e57ed93bb13de03d33e3055c420`
SHA256	`a8905dae32688c6b0f5d0b747e7c72d10bfa43bb8759daeb992915d4de812bc6`
SHA3	`0c33d277d4b9af5cf437bec1dcfd32d92163f8a143fbf280a0abf9b7e03c6e5d`
VirtualSize	`0x21dca`
VirtualAddress	`0x8000`
SizeOfRawData	`0x22000`
PointerToRawData	`0x8000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`7.26156`

.data

MD5	`f5a4c1ff5bf90acb3cbea9aa869e1550`
SHA1	`cf70366d4418a6c286b11edc1714be71015f06d6`
SHA256	`b2ee0b7a102fba85d4465cb961d6dc1f977dfbb92533e73d82706b7495b4e4a7`
SHA3	`1e77c5a5caf0c2c6bd966e5df868c0385e95bc609d8f4858e4afb6b560abd333`
VirtualSize	`0x6c378`
VirtualAddress	`0x2a000`
SizeOfRawData	`0x6b000`
PointerToRawData	`0x2a000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`6.89517`

.rsrc

MD5	`3ba5dc64b0424e716b31898962928105`
SHA1	`6f3946ee534fa23c5edd9ea65d12e709fcf1dcbe`
SHA256	`2841d2d6ddeceb44664fc528d223d769b616fc8445441005b3ebddb23e66cc7d`
SHA3	`e63b61eeff02d68bd14dcb22d2d1bb8499951e210eb9b9b95455892feb0d05cf`
VirtualSize	`0x565c`
VirtualAddress	`0x97000`
SizeOfRawData	`0x6000`
PointerToRawData	`0x95000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`5.42489`

Imports

KERNEL32.dll	`OpenEventW` `SystemTimeToFileTime` `CreateThread` `GetLocalTime` `OpenMutexA` `CreateEventA` `OpenSemaphoreW` `GetProcAddress` `LoadLibraryW` `GetModuleHandleW` `GetModuleHandleA` `ExitProcess` `VirtualFree` `VirtualAlloc` `GetCurrentProcess` `TerminateProcess` `DeleteCriticalSection` `InitializeCriticalSection` `GetSystemInfo` `VirtualProtect` `GetLocaleInfoA` `SetStdHandle` `GetStringTypeW` `GetStringTypeA` `LCMapStringW` `MultiByteToWideChar` `LCMapStringA` `HeapSize` `GetSystemTimeAsFileTime` `GetCurrentProcessId` `GetStartupInfoA` `GetCommandLineA` `GetVersionExA` `WriteFile` `GetStdHandle` `GetModuleFileNameA` `UnhandledExceptionFilter` `FreeEnvironmentStringsA` `GetEnvironmentStrings` `FreeEnvironmentStringsW` `WideCharToMultiByte` `GetLastError` `GetEnvironmentStringsW` `SetHandleCount` `GetFileType` `HeapDestroy` `HeapCreate` `HeapFree` `HeapAlloc` `LoadLibraryA` `GetACP` `GetOEMCP` `GetCPInfo` `HeapReAlloc` `RtlUnwind` `InterlockedExchange` `VirtualQuery` `FlushFileBuffers` `SetFilePointer` `QueryPerformanceCounter` `GetTickCount` `GetCurrentThreadId` `CloseHandle`
USER32.dll	`DestroyWindow` `EnableWindow` `GetThreadDesktop` `PostMessageW` `SendMessageA` `LoadCursorW`
SHELL32.dll	`#195`
ole32.dll	`CoInitialize` `CoUninitialize`

Delayed Imports

4

Type	`RT_CURSOR`
Language	Russian - Russia
Codepage	UNKNOWN
Size	`0x130`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`1.79374`
MD5	`ff7e9fe89dbd05c0cd23b920c8aff667`
SHA1	`6f2c2a74f02d921b3bc99fc070fab67fce8745ca`
SHA256	`572c98ed888f394ec0453f0547d1f5d7c8cffa162a59e16b8c85fd8b69dad32e`
SHA3	`b43c84bad3fa525d4a138b853cae57c459648e0202900d66d05c29945031413d`

5

Type	`RT_CURSOR`
Language	Russian - Russia
Codepage	UNKNOWN
Size	`0xea8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.3051`
MD5	`1be43ce770619b975c4d39674eec3a03`
SHA1	`05d60f4378a24db6a37d38552da4c3b38c3873e6`
SHA256	`6e2878fbed1a02c7db60fdbcfedc0cad31a28e0523b69a8a2aea92df2e125897`
SHA3	`8475d2d345aa045401af7ca057d93bf7fbc26da28d398c103c80f0e119d60a6b`

1

Type	`RT_ICON`
Language	Russian - Russia
Codepage	UNKNOWN
Size	`0x25a8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.49129`
MD5	`21c99e23af7df1a74bd0ebad3c4a39d4`
SHA1	`24fa1aff15a9017640e27ea52a761c7c7f76796e`
SHA256	`8d29f87dc33e77077b49285e9b5cb2adef094c310151f6193496644658d99cb7`
SHA3	`353987a9a0a98696633cb6bfe53bc2246265c3eb6d9e4ceb04f9d7a1cdd808dd`

2

Type	`RT_ICON`
Language	Russian - Russia
Codepage	UNKNOWN
Size	`0x10a8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.32516`
MD5	`e2e46c3a3b0c420e097e734fe026b0eb`
SHA1	`883db45c29fe7f19184e1da67a1851a7dc23517b`
SHA256	`75b17f40de675faee28e04142a3a92f3a7ac7cc11e588a9584db767c79a66177`
SHA3	`1bc9fd6840e5b1b959b52ab9619e5afb79821f4a196efee791b1d2f92875224d`

3

Type	`RT_ICON`
Language	Russian - Russia
Codepage	UNKNOWN
Size	`0x468`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.74372`
MD5	`88bd98a348138ad37ed931c4d99f1cf9`
SHA1	`3e4b2c24f9f2cb93c2d6c622d15d4ec3c7ae0c76`
SHA256	`3b552594370c7f903784700f477170a9d2cc01ca4940ba350753700ec581a888`
SHA3	`bea6545dfaa69b525c72c18e4d2cb720081ca83115293519c5e6ce953595164c`

1417

Type	`RT_GROUP_CURSOR`
Language	Russian - Russia
Codepage	UNKNOWN
Size	`0x22`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.44477`
Detected Filetype	Icon file
MD5	`8f377ad2e836a046a4f9778f5f838fc9`
SHA1	`7edb8c7f74c5848f855385a56b3fd13ef4dae86d`
SHA256	`4e88581919f5e22d9b5fedf64f18ec29346c4b6c18f39641717a88f490fa3d16`
SHA3	`e0b7920a96f3f166a04e7b7eb8adfe3229a5882abc35b00f5d4ca56d6907087a`

17

Type	`RT_GROUP_ICON`
Language	Russian - Russia
Codepage	UNKNOWN
Size	`0x30`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.45849`
Detected Filetype	Icon file
MD5	`1ec6a7b3300970378c29695a6cc13d36`
SHA1	`99ce74251d19d800608e30bed6e0d793931da56e`
SHA256	`77a1efb6136f52dd2372987b13bf486aa75baeacb93bad009aa3e284c57b8694`
SHA3	`7a94ba315b3ab461cec9dad3048599d32b0e597047f9655159bd6dfdc694e4a3`

817

Type	`RT_GROUP_ICON`
Language	Russian - Russia
Codepage	UNKNOWN
Size	`0x30`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.58557`
Detected Filetype	Icon file
MD5	`12884617d22c4fbf0a542297151eb63a`
SHA1	`2ca3886499ef1e9e1b9e363b7e548ce5a2b6f308`
SHA256	`9440128a08d4c06d26476428e988fe810d7b53f8597dd43857213b3c00590f8e`
SHA3	`018c35f1613c80ee7ad6b4d42263805876acbd0799499bd50df148536f0cddbe`

1 (#2)

Type	`RT_VERSION`
Language	Russian - Russia
Codepage	UNKNOWN
Size	`0x198`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.27082`
MD5	`22b55e53f146c4dbd2cc9688db78d072`
SHA1	`4285dc9802ade9adcf360aeb5ff4e610fbe6e747`
SHA256	`1a16c8a2834f6e5135735cf9d195025403bcb8485f65238f5f8e1406d130fb4d`
SHA3	`7f64775f974ee84fcb533773b44294aa0d0781519d038b90523043f521df361c`

1 (#3)

Type	`RT_MANIFEST`
Language	Russian - Russia
Codepage	UNKNOWN
Size	`0x44e`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.35`
MD5	`82ab5c417503d734227ea5e3c946f0b6`
SHA1	`582bad46355d5febf680f445071d59bcbfa0f752`
SHA256	`c0e60be57ab472c229f7479625408d05608d402e94b7c1b46da96419dd296750`
SHA3	`dfbeb58d3ceecd0663c9d132d36f6d395cc1f4d4638e519b0d5a56c33a8be84f`

Version Info

Signature	`0xfeef04bd`
StructVersion	`0x10000`
FileVersion	1.0.19.125
ProductVersion	1.0.19.125
FileFlags	`(EMPTY)`
FileOs	`VOS_DOS_WINDOWS16` `VOS_DOS_WINDOWS32` `VOS_NT_WINDOWS32` `VOS_OS232_PM32` `VOS__PM32` `VOS__WINDOWS16` `VOS__WINDOWS32`
FileType	`VFT_APP`
Language	Russian - Russia
FileVersion (#2)	1, 23, 19, 125
CreateCopyright	SecInc
ProductVersion (#2)	1, 23, 19, 129

Resource LangID	Russian - Russia

TLS Callbacks

Load Configuration

RICH Header

XOR Key	`0xb7fd2d47`
Unmarked objects	`0`
C objects (VS2003 (.NET) build 3077)	`59`
ASM objects (VS2003 (.NET) build 3077)	`12`
Imports (9210)	`2`
Imports (2067)	`2`
Imports (2179)	`5`
Total imports	`73`
C++ objects (VS2003 (.NET) build 3077)	`4`
94 (VS2003 (.NET) build 3052)	`1`
Linker (VS2003 (.NET) build 3077)	`1`

Errors

[!] Error: Could not locate RT_ICON with ID 4!
[*] Warning: Resource 1417 is empty!