Manalyze report for 170b3a9108687b26da2d8901c6948a18

Summary

Architecture	`IMAGE_FILE_MACHINE_I386`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	2005-Apr-28 15:31:22
Detected languages	English - United Kingdom

Plugin Output

Suspicious	Strings found in the binary may indicate undesirable behavior:	`Tries to detect virtualized environments: System\CurrentControlSet\Enum\IDE b3 eb 36 e4 4f 52 ce 11 9f 53 00 20 af 0b a7 70 d1 29 06 e3 e5 27 ce 11 87 5d 00 60 8c b7 80 66` `May have dropper capabilities: CurrentControlSet\Services` `Contains another PE executable: This program cannot be run in DOS mode.` `Contains domain names: http://www.rockstargames.com http://www.rockstargames.com/sanandreas http://www.rockstarnorth.com rockstargames.com rockstarnorth.com sysinternals.com www.rockstargames.com www.rockstarnorth.com www.sysinternals.com`
Info	Cryptographic algorithms detected in the binary:	`Uses constants related to CRC32` `Uses constants related to MD5` `Uses constants related to DES`
Suspicious	The PE is possibly packed.	`Unusual section name found: _rwcseg` `Unusual section name found: _TEXT_HA` `Unusual section name found: _rwdseg` `Section .text is both writable and executable.` `Unusual section name found: .init` `Section .init is both writable and executable.` `Section .data is both writable and executable.` `Unusual section name found: .HOODLUM` `Section .HOODLUM is both writable and executable.`
Malicious	The PE contains functions mostly used by malware.	`[!] The program may be hiding some of its imports: GetProcAddress LoadLibraryA` `Functions which can be used for anti-debugging purposes: FindWindowA` `Code injection capabilities (PowerLoader): GetWindowLongA FindWindowA` `Can access the registry: RegCloseKey RegCreateKeyExA RegOpenKeyExA RegQueryValueExA RegOpenKeyA RegSetValueExA` `Memory manipulation functions often used by packers: VirtualProtect VirtualAlloc` `Leverages the raw socket API to access the Internet: recv send closesocket htons inet_addr connect WSAGetLastError WSAStartup WSACleanup socket` `Enumerates local disk drives: GetVolumeInformationA GetDriveTypeA GetLogicalDriveStringsA`
Suspicious	VirusTotal score: 1/66 (Scanned on 2021-11-14 19:17:58)	`APEX: Malicious`

Hashes

MD5	`170b3a9108687b26da2d8901c6948a18`
SHA1	`185b73fbceaa05d66452691fc0d15c8d61b92a7e`
SHA256	`a559aa772fd136379155efa71f00c47aad34bbfeae6196b0fe1047d0645cbd26`
SHA3	`b05ca467b59dea3f5cf750baca6471c1b598d420f7cf0cfa521de7d515709ec9`
SSDeep	`196608:KYQnnDbxRXCeeVJGfp/N+AYqyL3TTrbJvvAi80JFCC:KXnDbnyeeVJGfJN+n1r`
Imports Hash	`97c0acc7717323e03943bee18f652be7`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0x80`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_I386`
NumberofSections	`11`
TimeDateStamp	2005-Apr-28 15:31:22
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xe0`
Characteristics	`IMAGE_FILE_32BIT_MACHINE` `IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LINE_NUMS_STRIPPED` `IMAGE_FILE_LOCAL_SYMS_STRIPPED` `IMAGE_FILE_RELOCS_STRIPPED`

Image Optional Header

Magic	`PE32`
LinkerVersion	`7.0`
SizeOfCode	`0xac8000`
SizeOfInitializedData	`0x6ae000`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x00424570 (Section: .text)`
BaseOfCode	`0x1000`
BaseOfData	`0x458000`
ImageBase	`0x400000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`4.0`
ImageVersion	`0.0`
SubsystemVersion	`4.0`
Win32VersionValue	`0`
SizeOfImage	`0x1177000`
SizeOfHeaders	`0x400`
Checksum	`0xdc5bea`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
SizeofStackReserve	`0x200000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x200000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`76f9572522fc348f24cc136329ac0cef`
SHA1	`7ede51ab4cf04ffe3c0b2ad3e320b8dcdc245c2a`
SHA256	`1cbdeb7e11dd974fd68eedfb07643c09ece57eb50646af623543a2a7182814fd`
SHA3	`d1f3e7c911093c385d013a944757307690170e1acae95ca8a6801ece45880db1`
VirtualSize	`0x456000`
VirtualAddress	`0x1000`
SizeOfRawData	`0x455e00`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.66255`

_rwcseg

MD5	`a86c1b35283e7b4d5f8d69777c4bb599`
SHA1	`cfeac2376ba7f1c1b2ff650fbd1b8ddc9e8af03e`
SHA256	`11c9db23ac4d303d9bffebc6d6ed5dbfa67a98bbcad6fc9a91439b2975961000`
SHA3	`e7022c8f15f408dff7066e42d55c82fdf885bb2caa100ab39e8872534bdac71d`
VirtualSize	`0x1000`
VirtualAddress	`0x457000`
SizeOfRawData	`0x600`
PointerToRawData	`0x456200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`4.33031`

.rdata

MD5	`caca487cdf7fb0319ae995b84f2aaae4`
SHA1	`7cbbd31989eec969b817fe4dfb10cbc0c673cb0e`
SHA256	`6e363a6430a3483a042992a79a1045c2086cd30db5fb60e748387cb41586d0ab`
SHA3	`1198a2bee2ee5ae4d228af41ad230a78070bd795fd48dea4b883dec0fedae4dc`
VirtualSize	`0x4c000`
VirtualAddress	`0x458000`
SizeOfRawData	`0x4b400`
PointerToRawData	`0x456800`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`5.58848`

.data

MD5	`7b210411fb6c89c75287142bbe4ef9ce`
SHA1	`cfc2d4fff53eeffdddb35ef187e587b348310721`
SHA256	`7b449afcfb860daebb4f12c39c738a6046e8add22f8571f50814194cf3423e37`
SHA3	`42f95507d682f32e26fe62ca1dd556c395c7647af6dfed4f6001c7d6671141ce`
VirtualSize	`0x3fa000`
VirtualAddress	`0x4a4000`
SizeOfRawData	`0x40000`
PointerToRawData	`0x4a1c00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`4.72214`

_TEXT_HA

MD5	`a2fdc91161b917557de825350688d316`
SHA1	`72fed0b57f196a9f4b53158aec159cbb24493b31`
SHA256	`ae87a6e60cc06476f916b83616118621b34037cad4038d362aacf003f47dc75f`
SHA3	`36b71dec2f75f6fc334acb338daa062446bd81f49e0647e88a7b29170301df9d`
VirtualSize	`0x11000`
VirtualAddress	`0x89e000`
SizeOfRawData	`0x10c00`
PointerToRawData	`0x4e1c00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`6.60973`

_rwdseg

MD5	`bf619eac0cdf3f68d496ea9344137e8b`
SHA1	`5c3eb80066420002bc3dcc7ca4ab6efad7ed4ae5`
SHA256	`076a27c79e5ace2a3d47f9dd2e83e4ff6ea8872b3c2218f66c92b89b55f36560`
SHA3	`622de1e1568ddef36c4b89b706b05201c13481c3575d0fc804ff8224787fcb59`
VirtualSize	`0x1000`
VirtualAddress	`0x8af000`
SizeOfRawData	`0x200`
PointerToRawData	`0x4f2800`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`0`

.rsrc

MD5	`6731c9547c09b236f038033e1b029b92`
SHA1	`6839cbfed6d80f73bf5eb79369a7be54268d1c30`
SHA256	`67ead89284964a6f2afc12d962302be3ca71868a947e0268ca76117d843b39f0`
SHA3	`83e0e7ab11cbe3a747434a0591fffa402b1fbd5e3ce763fd5616ba3d8b13bcd4`
VirtualSize	`0x1000`
VirtualAddress	`0x8b0000`
SizeOfRawData	`0x600`
PointerToRawData	`0x4f2a00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`3.46474`

.text (#2)

MD5	`b4530a07003914d3c090920b4341a476`
SHA1	`787ae9f000252808bba480c70d3f0eae6352da02`
SHA256	`bafa1f60be727ed82b2f7bacb6b5c940bb81d9cac8579401b1b0037c978c787b`
SHA3	`8820c67027b0c0df788a9ba2506d04983e17ef9e430c4f3cf3201762238d08e4`
VirtualSize	`0x64a000`
VirtualAddress	`0x8b1000`
SizeOfRawData	`0x649c00`
PointerToRawData	`0x4f3000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`6.44892`

.init

MD5	`1b2869de1c6fb568abd36068a3b6cc53`
SHA1	`d0fc686928073266fd66c8617e47428b687c758c`
SHA256	`e7d7cd7fffba88bdfda883d09ad4fa0e9e2ca4f9316ec2f726ce0cd210b84dd7`
SHA3	`f76bf360fc5a92fdb382e89fc00cd7652dea502d4bd3289cd3c4f98bffcfa896`
VirtualSize	`0x6000`
VirtualAddress	`0xefb000`
SizeOfRawData	`0x5a00`
PointerToRawData	`0xb3cc00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`6.17747`

.data (#2)

MD5	`b2ea96ad0ebd1e02251403e2d7c704ba`
SHA1	`f35aa124d353bde88e793721917a51706c30c99a`
SHA256	`11d2650b52131750d127e149435ffdb08d72053e27f836050956de5670c7241f`
SHA3	`76e270aa9a3a55583ca3ae41cd15bfc3fca0ccbb2fda166f973a0e73eb059a11`
VirtualSize	`0x255000`
VirtualAddress	`0xf01000`
SizeOfRawData	`0x254400`
PointerToRawData	`0xb42600`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`2.97073`

.HOODLUM

MD5	`b281bdb378ef1226efe7c7d7e8638d96`
SHA1	`611cda3d3d5aa7ffbb8c6891de22db0b992fa4eb`
SHA256	`a09c4b3d784da29019b26cd75cdda144cadcc109b61ca1ed2a3754e56458d9d8`
SHA3	`b455c1ec2103fc763579b736feab58ff2c19272cc21ae5cba6ece1f8ddb450b3`
VirtualSize	`0x21000`
VirtualAddress	`0x1156000`
SizeOfRawData	`0x21000`
PointerToRawData	`0xd96a00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`6.43977`

Imports

WINMM.dll	`timeEndPeriod` `timeGetTime` `timeBeginPeriod` `timeGetDevCaps`
vorbisfile.dll	`ov_open_callbacks` `ov_clear` `ov_time_total` `ov_time_tell` `ov_read` `ov_info` `ov_time_seek`
WS2_32.dll	`recv` `send` `closesocket` `htons` `inet_addr` `connect` `WSAGetLastError` `WSAStartup` `WSACleanup` `socket`
EAX.DLL	`#6`
KERNEL32.dll	`VirtualProtect` `GetOEMCP` `GetACP` `IsBadCodePtr` `IsBadReadPtr` `GetStringTypeW` `GetStringTypeA` `IsValidCodePage` `IsValidLocale` `EnumSystemLocalesA` `GetLocaleInfoA` `GetCPInfo` `GetDateFormatA` `VirtualQuery` `GetTickCount` `GetModuleHandleA` `GetProcAddress` `LoadLibraryA` `GetFileSize` `CloseHandle` `LocalFree` `WaitForSingleObjectEx` `GetOverlappedResult` `WaitForSingleObject` `ReleaseSemaphore` `SetFilePointer` `GetLastError` `ReadFile` `SetLastError` `CreateFileA` `ResumeThread` `SetThreadPriority` `GetThreadPriority` `GetCurrentThread` `CreateThread` `LocalAlloc` `CreateSemaphoreA` `GetDiskFreeSpaceA` `Sleep` `QueryPerformanceCounter` `InterlockedIncrement` `InterlockedDecrement` `lstrcpyA` `lstrcatA` `lstrlenA` `DeleteCriticalSection` `SuspendThread` `LeaveCriticalSection` `EnterCriticalSection` `InitializeCriticalSection` `MultiByteToWideChar` `DeleteFileA` `TerminateThread` `FindClose` `FindNextFileA` `GetFileAttributesA` `FindFirstFileA` `FreeLibrary` `QueryPerformanceFrequency` `OutputDebugStringA` `GetLocalTime` `CreateDirectoryA` `GetUserDefaultLCID` `SetStdHandle` `CreateEventA` `GetVolumeInformationA` `GetDriveTypeA` `GetLogicalDriveStringsA` `SetErrorMode` `GlobalMemoryStatus` `GetVersionExA` `GetCommandLineA` `GetFullPathNameA` `WideCharToMultiByte` `lstrcmpiA` `GetSystemInfo` `IsProcessorFeaturePresent` `LockResource` `LoadResource` `SizeofResource` `FindResourceA` `FindResourceW` `MapViewOfFile` `CreateFileMappingA` `CreateFileW` `UnmapViewOfFile` `ReleaseMutex` `CreateMutexA` `GetCurrentProcessId` `GetSystemDirectoryA` `GetModuleFileNameA` `FreeEnvironmentStringsA` `UnhandledExceptionFilter` `IsBadWritePtr` `VirtualAlloc` `VirtualFree` `HeapCreate` `HeapDestroy` `GetFileType` `GetStdHandle` `SetHandleCount` `FlushFileBuffers` `LCMapStringW` `LCMapStringA` `WriteFile` `FatalAppExitA` `SetUnhandledExceptionFilter` `HeapSize` `TlsAlloc` `TlsGetValue` `TlsSetValue` `GetCurrentThreadId` `TlsFree` `GetStartupInfoA` `HeapReAlloc` `HeapAlloc` `HeapFree` `GetSystemTimeAsFileTime` `GetCurrentProcess` `TerminateProcess` `ExitProcess` `RtlUnwind` `RaiseException` `InterlockedExchange` `FreeEnvironmentStringsW` `GetEnvironmentStringsW` `SetConsoleCtrlHandler` `GetTimeFormatA` `CompareStringA` `CompareStringW` `SetEnvironmentVariableA` `GetTimeZoneInformation` `SetEndOfFile` `GetLocaleInfoW` `GetCurrentDirectoryA` `GetSystemDefaultLCID` `SetCurrentDirectoryA` `GetEnvironmentStrings`
USER32.dll	`wsprintfA` `IsIconic` `GetWindowLongA` `GetMenu` `AdjustWindowRectEx` `SystemParametersInfoA` `DestroyWindow` `SetWindowLongA` `ShowWindow` `LoadIconA` `LoadCursorA` `RegisterClassA` `ReleaseCapture` `GetWindowPlacement` `SetTimer` `ClipCursor` `PostQuitMessage` `SetCursor` `SetCapture` `DefWindowProcA` `MapVirtualKeyA` `UpdateWindow` `GetKeyState` `FindWindowA` `SetForegroundWindow` `PeekMessageA` `DispatchMessageA` `TranslateMessage` `GetKeyboardLayout` `DialogBoxParamA` `EndDialog` `GetDlgItem` `SetFocus` `SendMessageA` `SetWindowPos` `AdjustWindowRect` `CreateWindowExA` `ShowCursor` `GetWindowRect` `MessageBoxA` `SetWindowTextA` `ClientToScreen` `SetCursorPos` `GetClientRect`
GDI32.dll	`DeleteObject`
ADVAPI32.dll	`RegCloseKey` `RegCreateKeyExA` `RegOpenKeyExA` `RegQueryValueExA` `RegOpenKeyA` `RegSetValueExA`
ole32.dll	`CoCreateInstance` `CoInitialize` `CoUninitialize`
d3d9.dll (delay-loaded)	`Direct3DCreate9`

Delayed Imports

Attributes	`0x1`
Name	`d3d9.dll`
ModuleHandle	`0x89a6bc`
DelayImportAddressTable	`0x4e3ed4`
DelayImportNameTable	`0x4a1f9c`
BoundDelayImportTable	`0x4a1fe4`
UnloadDelayImportTable	`0`
TimeStamp	`1970-Jan-01 00:00:00`

1

Type	`RT_ICON`
Language	English - United Kingdom
Codepage	UNKNOWN
Size	`0x2e8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`4.26682`
MD5	`fc68ba237e908cf829e29de0836713bc`
SHA1	`ded3095a8dce64c5a8bbe44d505d4c0c44cb836f`
SHA256	`55f26b64c0b072c8b33b6e250b1a13e6e351f46fef2975f93542ff7c2b94d1e6`
SHA3	`89c60cddf73385b46656eca556a9e9e1e796334b131487dcdc13d34529dc74b4`

104

Type	`RT_DIALOG`
Language	English - United Kingdom
Codepage	UNKNOWN
Size	`0x12e`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.32954`
MD5	`9a220443f92ca143da52daff6743e1ea`
SHA1	`d2b0c16297f12df274916292df88e97545dd02cb`
SHA256	`6a28cb628647fced9f6031d2211da974063bb2142af4c7bac05a49cd8c38c96d`
SHA3	`22f19befb457931bbed9a3e9349038e8bef6551aa47742e8428b46282d4b895f`

100

Type	`RT_GROUP_ICON`
Language	English - United Kingdom
Codepage	UNKNOWN
Size	`0x14`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.16096`
Detected Filetype	Icon file
MD5	`42cf62b780813706e75fb9f2b2e8c258`
SHA1	`a022d5c1cfdd8aace0089f3e72f2eedd41bda464`
SHA256	`a0c9d012e2bf6b2fe05c2d97cb5594d97cf2f539e97935c12abd7a3562f4d9bf`
SHA3	`0aafc8e3d8b6bde595537da4ffe0efc5fe53f01dafe336a2a5828b6a71283d3c`

Version Info

TLS Callbacks

Load Configuration

RICH Header

Errors

[!] Error: Could not read PDB file information of invalid magic number.
[!] Error: Yara error: ERROR_TOO_MANY_MATCHES