Manalyze report for 0d07363187dcda999e1a6e750ed7a57a

Summary

Architecture	`IMAGE_FILE_MACHINE_I386`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	2017-Jul-04 18:19:53
Detected languages	English - United States
Debug artifacts	C:\Users\W7\Downloads\kur\Redir\Bin\Loader.pdb

Plugin Output

Info	Matching compiler(s):	`Microsoft Visual C++ 6.0 - 8.0`
Suspicious	PEiD Signature:	`HQR data file`
Suspicious	Strings found in the binary may indicate undesirable behavior:	`Contains references to internet browsers: chrome.exe firefox.exe iexplore.exe` `May have dropper capabilities: CurrentVersion\Run`
Malicious	The PE contains functions mostly used by malware.	`[!] The program may be hiding some of its imports: LoadLibraryA GetProcAddress LoadLibraryExW` `Functions which can be used for anti-debugging purposes: CreateToolhelp32Snapshot` `Code injection capabilities: OpenProcess VirtualAllocEx WriteProcessMemory CreateRemoteThread VirtualAlloc` `Can access the registry: RegCloseKey RegSetValueExW RegCreateKeyExW` `Functions related to the privilege level: OpenProcessToken AdjustTokenPrivileges` `Manipulates other processes: Process32First Process32Next OpenProcess WriteProcessMemory`
Malicious	The PE is possibly a dropper.	`Resource 129 detected as a PE Executable.` `Resource 132 detected as a PE Executable.` `Resources amount for 76.3407% of the executable.`
Malicious	VirusTotal score: 49/65 (Scanned on 2018-11-09 01:40:02)	`MicroWorld-eScan: Gen:Win32.ExplorerHijack.BuW@aagEb4bi` `CAT-QuickHeal: Trojan.Mauvaise.SL1` `McAfee: Artemis!0D07363187DC` `Cylance: Unsafe` `VIPRE: Trojan.Win32.Generic!BT` `SUPERAntiSpyware: Trojan.Agent/Gen-Injector` `K7GW: Spyware ( 0050847d1 )` `K7AntiVirus: Spyware ( 0050847d1 )` `Invincea: heuristic` `F-Prot: W32/Heuristic-KPP!Eldorado` `Symantec: Trojan.Pandex` `TrendMicro-HouseCall: TSPY_URSNIF_GG3109CE.UVPM` `Avast: Win32:Malware-gen` `ClamAV: Win.Trojan.Loader-6327977-0` `Kaspersky: Trojan.Win32.Agent.ikhw` `BitDefender: Gen:Win32.ExplorerHijack.BuW@aagEb4bi` `NANO-Antivirus: Trojan.Win64.Mlw.eqtngq` `Paloalto: generic.ml` `Tencent: Win32.Trojan.Agent.Eyh` `Endgame: malicious (high confidence)` `Emsisoft: Gen:Win32.ExplorerHijack.BuW@aagEb4bi (B)` `DrWeb: Trojan.PWS.Papras.2833` `TrendMicro: TSPY_URSNIF_GG3109CE.UVPM` `McAfee-GW-Edition: BehavesLike.Win32.Generic.gh` `TheHacker: Trojan/Spy.Ursnif.ax` `Ikarus: Trojan-Spy.Agent` `Cyren: W32/Heuristic-KPP!Eldorado` `Webroot: W32.Trojan.Gen` `Avira: HEUR/AGEN.1030721` `Fortinet: W32/Generic.AP.EB410!tr` `Antiy-AVL: Trojan/Win32.Agent` `Arcabit: Gen:Win32.ExplorerHijack.ED52DE` `ZoneAlarm: Trojan.Win32.Agent.ikhw` `Microsoft: TrojanSpy:Win32/Ursnif` `Sophos: Mal/Generic-S` `AhnLab-V3: Malware/Win32.Generic.C1575536` `VBA32: Trojan.Agent` `MAX: malware (ai score=100)` `Ad-Aware: Gen:Win32.ExplorerHijack.BuW@aagEb4bi` `ESET-NOD32: a variant of Win32/Spy.Ursnif.AX` `Rising: Spyware.Ursnif!8.1DEF (TFE:5:HKLQVK9oOmK)` `Yandex: TrojanSpy.Ursnif!KTWbTIb/usQ` `SentinelOne: static engine - malicious` `GData: Gen:Win32.ExplorerHijack.BuW@aagEb4bi` `AVG: Win32:Malware-gen` `Cybereason: malicious.187dcd` `Panda: Trj/Genetic.gen` `CrowdStrike: malicious_confidence_100% (W)` `Qihoo-360: Win32/Sorter.AVE.CryptLocker.BS`

Hashes

MD5	`0d07363187dcda999e1a6e750ed7a57a`
SHA1	`9617aa7821b406fa05d17c35032c5042b0a0b0fc`
SHA256	`b8057cc930c2a8c54123d6c6a90db8ddd87af227eef5d9ddf24a15fb0c2c15dc`
SHA3	`503ba0fda6a49c63878b3368cce740c3c952eac969f1234f5bc004b359faf22d`
SSDeep	`6144:WoYJZScfatSHc/K4Ei+AQB78rf/4hbnop6q6yQ8h/uJR5TI4Zt6rrPbr0Wu:WfSqhWEzgrf/4hzop6qhQNg4W`
Imports Hash	`4f9a1b151e9e33915dff4c4ef5ac0a41`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0xe8`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_I386`
NumberofSections	`5`
TimeDateStamp	2017-Jul-04 18:19:53
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xe0`
Characteristics	`IMAGE_FILE_32BIT_MACHINE` `IMAGE_FILE_EXECUTABLE_IMAGE`

Image Optional Header

Magic	`PE32`
LinkerVersion	`12.0`
SizeOfCode	`0x10200`
SizeOfInitializedData	`0x5f200`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x00003ED3 (Section: .text)`
BaseOfCode	`0x1000`
BaseOfData	`0x12000`
ImageBase	`0x400000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`5.1`
ImageVersion	`0.0`
SubsystemVersion	`5.1`
Win32VersionValue	`0`
SizeOfImage	`0x73000`
SizeOfHeaders	`0x400`
Checksum	`0`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` `IMAGE_DLLCHARACTERISTICS_NX_COMPAT` `IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`c9a2389500e31a80d23f2368729135fa`
SHA1	`63a783ed96a7d54f26701afd1974ae34c1bfd753`
SHA256	`20e69c76f87778ea683ee8bb9d77e66e024b5815df4167f9e8fb4d8a063fce1b`
SHA3	`de20d127bd85181a697123254670804fb9d611f815e4d7ea3118ec2243d546ba`
VirtualSize	`0x1011d`
VirtualAddress	`0x1000`
SizeOfRawData	`0x10200`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.66546`

.rdata

MD5	`698122f476f18491cdf10299a2ed6c78`
SHA1	`9d754d7d3ed67539e2e562f3b73e16b208995fbe`
SHA256	`4cbe9a5ae71006dbb9c48acb4fc0139e45fbbc74127e50468b9254b6ef97f89b`
SHA3	`2a256d4d2a03d375367d9ac5c2f1277b556518965fc3d3dd29b954b1f7db1e21`
VirtualSize	`0x6aba`
VirtualAddress	`0x12000`
SizeOfRawData	`0x6c00`
PointerToRawData	`0x10600`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`4.75613`

.data

MD5	`e89391ca2ca579463f0e1dea020e79ac`
SHA1	`61917fdef80fd753264a77cdc9f129756e106c9b`
SHA256	`f716fd425e31179048b2e4cad7d3ef3f8b47204548ca02b66521feef8b2f4522`
SHA3	`c8f02148e8f79b81d1e64e91c56e4610b23b164dbd7782fc1e6e4314b06e5621`
VirtualSize	`0x34dc`
VirtualAddress	`0x19000`
SizeOfRawData	`0x1600`
PointerToRawData	`0x17200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`3.83185`

.rsrc

MD5	`619d7a694d4304c52046e9e20a9ca55f`
SHA1	`58fa6ff69445c2e0b9abefbb242388dfc939ac9b`
SHA256	`5ef94075f829ff57e101735218271eeedbc044ae399be8359a043cd93ae67e96`
SHA3	`c47528fe56de2a9d04ef2836a10b935f2eafea378f97e2e04a20d9aec0439665`
VirtualSize	`0x53a60`
VirtualAddress	`0x1d000`
SizeOfRawData	`0x53c00`
PointerToRawData	`0x18800`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`6.34935`

.reloc

MD5	`34a63a896f1cb5dbeeabd1a1fbedfb76`
SHA1	`93177b42bf92776659ce22560fd2a179c1a8bbbc`
SHA256	`9ba8fc02a3af7b272e041f35d251729a51df0efd13f2e567cd38bd88320cb3e5`
SHA3	`a11baafc712c12634785a7100c4ca5414f5e6c6b752fff0cb06e065b1981127d`
VirtualSize	`0x132c`
VirtualAddress	`0x71000`
SizeOfRawData	`0x1400`
PointerToRawData	`0x6c400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`6.42862`

Imports

SHLWAPI.dll	`PathRemoveFileSpecA`
KERNEL32.dll	`GetStringTypeW` `GetModuleFileNameA` `FindResourceA` `SizeofResource` `LoadResource` `LockResource` `WriteFile` `CloseHandle` `GetModuleFileNameW` `CreateMutexA` `GetLastError` `GetModuleHandleA` `GetConsoleCP` `LoadLibraryA` `GetProcAddress` `GetNativeSystemInfo` `CreateToolhelp32Snapshot` `Process32First` `Process32Next` `OpenProcess` `VirtualAllocEx` `WriteProcessMemory` `CreateRemoteThread` `WaitForSingleObject` `GetExitCodeThread` `GetCurrentProcess` `ResetEvent` `CreateThread` `VirtualAlloc` `SetLastError` `VirtualFree` `FlushInstructionCache` `ResumeThread` `GetConsoleMode` `SetFilePointerEx` `FlushFileBuffers` `SetStdHandle` `WriteConsoleW` `Sleep` `GetModuleHandleExW` `LCMapStringW` `EncodePointer` `DecodePointer` `ExitProcess` `CreateFileW` `MultiByteToWideChar` `WideCharToMultiByte` `IsDebuggerPresent` `IsProcessorFeaturePresent` `GetCommandLineA` `RaiseException` `RtlUnwind` `HeapFree` `HeapAlloc` `EnterCriticalSection` `LeaveCriticalSection` `DeleteCriticalSection` `UnhandledExceptionFilter` `SetUnhandledExceptionFilter` `InitializeCriticalSectionAndSpinCount` `TerminateProcess` `TlsAlloc` `TlsGetValue` `TlsSetValue` `TlsFree` `GetStartupInfoW` `GetModuleHandleW` `GetStdHandle` `LoadLibraryExW` `IsValidCodePage` `GetACP` `GetOEMCP` `GetCPInfo` `HeapSize` `GetCurrentThreadId` `GetProcessHeap` `GetFileType` `QueryPerformanceCounter` `GetCurrentProcessId` `GetSystemTimeAsFileTime` `GetEnvironmentStringsW` `FreeEnvironmentStringsW` `OutputDebugStringW` `HeapReAlloc`
ADVAPI32.dll	`LookupPrivilegeValueA` `OpenProcessToken` `RegCloseKey` `RegSetValueExW` `RegCreateKeyExW` `AdjustTokenPrivileges`

Delayed Imports

129

Type	`BINARY`
Language	English - United States
Codepage	UNKNOWN
Size	`0x25800`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`6.53771`
Detected Filetype	PE Executable
MD5	`80ee12ce46ee791be58d222802b5a7c7`
SHA1	`5a620626aaf15d016967b96025623627f08fd350`
SHA256	`7db5023eb5a21bae40d12d90a888b586931feea2a63702886a74f73b2f91ae93`
SHA3	`bdc9509414d37c4d4201eab48f7f0889d13c157b4524505958784d5a3271ef56`

132

Type	`BINARY`
Language	English - United States
Codepage	UNKNOWN
Size	`0x2e000`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`6.07324`
Detected Filetype	PE Executable
MD5	`7b9d79b35571b614c32e39fc9c1643f4`
SHA1	`34691ceae73b0316aa53311a283a70365435034a`
SHA256	`ac784e5af306a91fc2ec9207ec68f5bd0bb0bb47a8116c80d5b3a54efe0e1ffe`
SHA3	`0eb2b002ca40f27ad1bdf29eed70213d7e6b50d0b5cbc82004789737f2293637`

1

Type	`RT_MANIFEST`
Language	English - United States
Codepage	UNKNOWN
Size	`0x17d`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`4.91161`
MD5	`1e4a89b11eae0fcf8bb5fdd5ec3b6f61`
SHA1	`4260284ce14278c397aaf6f389c1609b0ab0ce51`
SHA256	`4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df`
SHA3	`4bb9e8b5a714cae82782f3831cc2d45f4bf4a50a755fe584d2d1893129d68353`

Version Info

IMAGE_DEBUG_TYPE_CODEVIEW

Characteristics	`0`
TimeDateStamp	2017-Jul-04 18:19:53
Version	`0.0`
SizeofData	`71`
AddressOfRawData	`0x177e8`
PointerToRawData	`0x15de8`
Referenced File	C:\Users\W7\Downloads\kur\Redir\Bin\Loader.pdb

IMAGE_DEBUG_TYPE_VC_FEATURE

Characteristics	`0`
TimeDateStamp	2017-Jul-04 18:19:53
Version	`0.0`
SizeofData	`20`
AddressOfRawData	`0x17830`
PointerToRawData	`0x15e30`

TLS Callbacks

Load Configuration

Size	`0x48`
TimeDateStamp	`1970-Jan-01 00:00:00`
Version	`0.0`
GlobalFlagsClear	`(EMPTY)`
GlobalFlagsSet	`(EMPTY)`
CriticalSectionDefaultTimeout	`0`
DeCommitFreeBlockThreshold	`0`
DeCommitTotalFreeThreshold	`0`
LockPrefixTable	`0`
MaximumAllocationSize	`0`
VirtualMemoryThreshold	`0`
ProcessAffinityMask	`0`
ProcessHeapFlags	`(EMPTY)`
CSDVersion	`0`
Reserved1	`0`
EditList	`0`
SecurityCookie	`0x419008`
SEHandlerTable	`0x417b90`
SEHandlerCount	`8`

RICH Header

XOR Key	`0xcbf096b8`
Unmarked objects	`0`
ASM objects (20806)	`24`
C objects (20806)	`118`
C++ objects (20806)	`45`
Imports (VS2008 SP1 build 30729)	`13`
Total imports	`121`
229 (VS2013 build 21005)	`4`
Resource objects (VS2013 build 21005)	`1`
151	`1`
Linker (VS2013 build 21005)	`1`

0d07363187dcda999e1a6e750ed7a57a

Summary

Plugin Output

Hashes

DOS Header

PE Header

Image Optional Header

.text

.rdata

.data

.rsrc

.reloc

Imports

Delayed Imports

129

132

1

Version Info

IMAGE_DEBUG_TYPE_CODEVIEW

IMAGE_DEBUG_TYPE_VC_FEATURE

TLS Callbacks

Load Configuration

RICH Header

Errors