Manalyze report for 0f9d0b03254830714654c2ceb11a7f5d

Summary

Architecture	`IMAGE_FILE_MACHINE_AMD64`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	2016-Jul-20 19:20:25
Detected languages	English - United States

Plugin Output

Suspicious	Strings found in the binary may indicate undesirable behavior:	`Miscellaneous malware strings: cmd.exe`
Info	The PE contains common functions which appear in legitimate applications.	`[!] The program may be hiding some of its imports: GetProcAddress LoadLibraryExW` `Possibly launches other programs: CreateProcessA`
Malicious	VirusTotal score: 45/69 (Scanned on 2019-10-06 23:27:17)	`MicroWorld-eScan: Trojan.Agent.CNUW` `FireEye: Trojan.Agent.CNUW` `McAfee: RDN/Generic BackDoor.lm` `Zillya: Backdoor.Agent.Win64.319` `Alibaba: Backdoor:Win64/Tarply.52e24f1c` `K7GW: Riskware ( 0040eff71 )` `K7AntiVirus: Riskware ( 0040eff71 )` `Symantec: Backdoor.Trojan` `APEX: Malicious` `Avast: Win64:Malware-gen` `Kaspersky: HEUR:Backdoor.Multi.RGDoor.gen` `BitDefender: Trojan.Agent.CNUW` `NANO-Antivirus: Trojan.Win64.Generic.euotfy` `Paloalto: generic.ml` `AegisLab: Trojan.Multi.RGDoor.4!c` `Tencent: Win32.Backdoor.Rgdoor.Jcv` `Endgame: malicious (high confidence)` `Emsisoft: Trojan.Agent.CNUW (B)` `F-Secure: Backdoor.BDS/Agent.xdjbk` `DrWeb: BackDoor.Siggen2.2328` `VIPRE: Trojan.Win32.Generic!BT` `TrendMicro: BKDR64_RGDOOR.ZIFB-A` `McAfee-GW-Edition: RDN/Generic BackDoor.lm` `Fortinet: W64/Agent.MW!tr.bdr` `Sophos: Troj/Agent-AYHV` `Jiangmin: Backdoor.Agent.bdb` `Avira: BDS/Agent.xdjbk` `MAX: malware (ai score=100)` `Antiy-AVL: Trojan[Backdoor]/Win64.Agent` `Arcabit: Trojan.Agent.CNUW` `ZoneAlarm: HEUR:Backdoor.Multi.RGDoor.gen` `Microsoft: Backdoor:Win64/Tarply.A!dha` `AhnLab-V3: Backdoor/Win64.Agent.C2338465` `ALYac: Trojan.Agent.CNUW` `VBA32: Backdoor.Win64.Agent` `Cylance: Unsafe` `ESET-NOD32: Win64/Agent.DO` `TrendMicro-HouseCall: BKDR64_RGDOOR.ZIFB-A` `Yandex: Backdoor.Agent!/5uwqBoxk50` `Ikarus: Backdoor.Win64.Agent` `MaxSecure: Trojan.Malware.11994605.susgen` `GData: Trojan.Agent.CNUW` `Ad-Aware: Trojan.Agent.CNUW` `AVG: Win64:Malware-gen` `Qihoo-360: Win32/Trojan.a36`

Hashes

MD5	`0f9d0b03254830714654c2ceb11a7f5d`
SHA1	`5447283518473ea8b9d35424532a94e2966f7a90`
SHA256	`497e6965120a7ca6644da9b8291c65901e78d302139d221fcf0a3ec6c5cf9de3`
SHA3	`fb378b6da7df87296dd48152fcc4ca803af8ba057969aa8a8fe42ff4f64114fc`
SSDeep	`3072:poH3MMEGgM4oNQKdUspuJLTzg2sFWf2CyrIx4niY+fbXOGEsYxnl5a0WgSuNH:i32PRoysgTzvsFcyMUmk`
Imports Hash	`47cb127aad6c7c9954058e61a2a6429a`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0xf8`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_AMD64`
NumberofSections	`6`
TimeDateStamp	2016-Jul-20 19:20:25
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xf0`
Characteristics	`IMAGE_FILE_DLL` `IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LARGE_ADDRESS_AWARE`

Image Optional Header

Magic	`PE32+`
LinkerVersion	`12.0`
SizeOfCode	`0x1fe00`
SizeOfInitializedData	`0x16e00`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x000000000000A474 (Section: .text)`
BaseOfCode	`0x1000`
ImageBase	`0x180000000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`5.2`
ImageVersion	`0.0`
SubsystemVersion	`5.2`
Win32VersionValue	`0`
SizeOfImage	`0x3a000`
SizeOfHeaders	`0x400`
Checksum	`0`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` `IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA` `IMAGE_DLLCHARACTERISTICS_NX_COMPAT`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`b1413a27b9e92d9ad28b4dc11f6a8cb3`
SHA1	`1ce80c60290110e97e2ddd251fb88bb4ef75874b`
SHA256	`170f569742fc46622933e8eea0e38b5d3013b6c9f9fb5e5491ced79fa4314885`
SHA3	`555ddb809ff3d310b1d948437fd4acbc798e480a5789042279c04d5d99c8ccce`
VirtualSize	`0x1fd70`
VirtualAddress	`0x1000`
SizeOfRawData	`0x1fe00`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.43573`

.rdata

MD5	`8efb2ac9b0ae86caf7c546c768791593`
SHA1	`18cae4ee94648685413483b6cf24453339287246`
SHA256	`f23da5f885973b8970c87efc7dd9a608762074ce50196c8d1d5b61a80a3d8f19`
SHA3	`39109663700c36355313437bf555cd21152fc527ce1861635a0fd09c95329b12`
VirtualSize	`0xf2fe`
VirtualAddress	`0x21000`
SizeOfRawData	`0xf400`
PointerToRawData	`0x20200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`4.42287`

.data

MD5	`a443b47634399fd527ee0e0e4c337da3`
SHA1	`d1badefc39971c6a8a518f3d26097542a4979dc7`
SHA256	`b1dcec05763a64260d00c83f516f23ae63e7ff7687ec5877ce87cf52a3023ac2`
SHA3	`1e4962e138644dabbd9dfd67705891d072a35cc744ca088038fb1940eecf060b`
VirtualSize	`0x4ca0`
VirtualAddress	`0x31000`
SizeOfRawData	`0x2400`
PointerToRawData	`0x2f600`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`3.50979`

.pdata

MD5	`c3395b3152c3a4bf61a3956041c2aa5f`
SHA1	`1797e5dae3999308f5d22515a1ea299f69ca54f3`
SHA256	`077ffad5bad1596d8210177d0bf6f1bda11b05522b22f6ad4bff1a1083514f0f`
SHA3	`649ec7e5aa6c501286761074dfcc9f60f43171f0930c2a230477193a83f0c790`
VirtualSize	`0x1c44`
VirtualAddress	`0x36000`
SizeOfRawData	`0x1e00`
PointerToRawData	`0x31a00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`5.01653`

.rsrc

MD5	`e2ebc81a484ea879c728689e6b49933e`
SHA1	`354deca0e3645b22756c52fa7b9e087590d3156b`
SHA256	`39c42cfeb4b4d0cc270dadd07b5afc2c197a8a20c0969d76e25fa32b1c719097`
SHA3	`47695194333d5831a25c650862be819dec5199adc6ea1b60f1958f41f87419b8`
VirtualSize	`0x1e0`
VirtualAddress	`0x38000`
SizeOfRawData	`0x200`
PointerToRawData	`0x33800`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`4.71935`

.reloc

MD5	`3f2c227a3328a6dc15467f5216ebb24e`
SHA1	`611b36d15541288f5a1c78da8555daad3fb018a3`
SHA256	`2583a84129bb7879f15f43401a5e131e807610532f2dfc4146bccc72f6b2b2ea`
SHA3	`86f8216caf599c17f1cd285f2873dab539c0e03e6ee4f27ae972be56e245a9f2`
VirtualSize	`0xaac`
VirtualAddress	`0x39000`
SizeOfRawData	`0xc00`
PointerToRawData	`0x33a00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`5.18415`

Imports

KERNEL32.dll	`OutputDebugStringA` `DebugBreak` `EncodePointer` `DecodePointer` `EnterCriticalSection` `LeaveCriticalSection` `DeleteCriticalSection` `WideCharToMultiByte` `MultiByteToWideChar` `GetStringTypeW` `GetLastError` `HeapFree` `CloseHandle` `DuplicateHandle` `GetCurrentProcess` `CreateProcessA` `IsDebuggerPresent` `IsProcessorFeaturePresent` `GetCommandLineA` `GetCurrentThreadId` `RtlPcToFileHeader` `RaiseException` `RtlLookupFunctionEntry` `RtlUnwindEx` `HeapAlloc` `GetCPInfo` `RtlCaptureContext` `RtlVirtualUnwind` `UnhandledExceptionFilter` `SetUnhandledExceptionFilter` `SetLastError` `InitializeCriticalSectionAndSpinCount` `Sleep` `TerminateProcess` `TlsAlloc` `TlsGetValue` `TlsSetValue` `TlsFree` `GetStartupInfoW` `GetModuleHandleW` `GetProcAddress` `CompareStringW` `LCMapStringW` `GetLocaleInfoW` `IsValidLocale` `GetUserDefaultLCID` `EnumSystemLocalesW` `GetStdHandle` `GetFileType` `GetProcessHeap` `ExitProcess` `GetModuleHandleExW` `AreFileApisANSI` `WaitForSingleObject` `GetExitCodeProcess` `CreatePipe` `ReadFile` `SetFilePointerEx` `FlushFileBuffers` `WriteFile` `GetConsoleCP` `GetConsoleMode` `IsValidCodePage` `GetACP` `GetOEMCP` `HeapSize` `GetModuleFileNameA` `QueryPerformanceCounter` `GetCurrentProcessId` `GetSystemTimeAsFileTime` `GetEnvironmentStringsW` `FreeEnvironmentStringsW` `GetModuleFileNameW` `HeapReAlloc` `LoadLibraryExW` `GetFileAttributesExW` `SetStdHandle` `ReadConsoleW` `WriteConsoleW` `OutputDebugStringW` `CreateFileW` `SetEnvironmentVariableA` `SetEndOfFile`

Delayed Imports

RegisterModule

Ordinal	`1`
Address	`0x3320`

2

Type	`RT_MANIFEST`
Language	English - United States
Codepage	UNKNOWN
Size	`0x17d`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`4.91161`
MD5	`1e4a89b11eae0fcf8bb5fdd5ec3b6f61`
SHA1	`4260284ce14278c397aaf6f389c1609b0ab0ce51`
SHA256	`4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df`
SHA3	`4bb9e8b5a714cae82782f3831cc2d45f4bf4a50a755fe584d2d1893129d68353`

Version Info

TLS Callbacks

Load Configuration

Size	`0x70`
TimeDateStamp	`1970-Jan-01 00:00:00`
Version	`0.0`
GlobalFlagsClear	`(EMPTY)`
GlobalFlagsSet	`(EMPTY)`
CriticalSectionDefaultTimeout	`0`
DeCommitFreeBlockThreshold	`0`
DeCommitTotalFreeThreshold	`0`
LockPrefixTable	`0`
MaximumAllocationSize	`0`
VirtualMemoryThreshold	`0`
ProcessAffinityMask	`0`
ProcessHeapFlags	`(EMPTY)`
CSDVersion	`0`
Reserved1	`0`
EditList	`0`
SecurityCookie	`0x1800318a8`

RICH Header

XOR Key	`0xf6a15252`
Unmarked objects	`0`
ASM objects (20806)	`12`
C++ objects (20806)	`69`
C objects (20806)	`214`
Imports (VS2008 SP1 build 30729)	`3`
Total imports	`93`
229 (VS2013 UPD4 build 31101)	`1`
Exports (VS2013 UPD4 build 31101)	`1`
Resource objects (VS2013 build 21005)	`1`
Linker (VS2013 UPD4 build 31101)	`1`

0f9d0b03254830714654c2ceb11a7f5d

Summary

Plugin Output

Hashes

DOS Header

PE Header

Image Optional Header

.text

.rdata

.data

.pdata

.rsrc

.reloc

Imports

Delayed Imports

RegisterModule

2

Version Info

TLS Callbacks

Load Configuration

RICH Header

Errors