Manalyze report for 20686fc4bf65e292ce5a699eb83176210caa4b90c33ac55e2013a84a4aa5d1ee

Summary

Architecture	`IMAGE_FILE_MACHINE_I386`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	2008-Jul-31 17:22:44
Detected languages	English - United States
Comments	Created with Setup Factory 8.0
FileDescription	Setup Application
FileVersion	`8.1.1000.0`
InternalName	suf80_launch
LegalCopyright	Setup Engine Copyright © 2004-2008 Indigo Rose Corporation
LegalTrademarks	Setup Factory is a trademark of Indigo Rose Corporation.
OriginalFilename	suf80_launch.exe
ProductName	Setup Factory 8.0 Runtime
ProductVersion	`8.1.1000.0`

Plugin Output

Info	Matching compiler(s):	`Microsoft Visual C++ 6.0 - 8.0` `Microsoft Visual C++ 8` `Microsoft Visual C++ 8.0` `MSVC++ v.8 (procedure 1 recognized - h)`
Suspicious	PEiD Signature:	`UPX V2.00-V2.90 -> Markus Oberhumer & Laszlo Molnar & John Reiser` `UPX v2.0 -> Markus, Laszlo & Reiser (h)` `UPX -> www.upx.sourceforge.net` `UPX V2.00-V2.90 -> Markus Oberhumer & Laszlo Molnar & John Reiser`
Suspicious	Strings found in the binary may indicate undesirable behavior:	`Contains a XORed PE executable: 53 6f 6e 74 27 77 75 68 60 75 66 6a 27 64 66 69 69 68 73 27 ...` `Contains domain names: indigorose.com www.indigorose.com`
Info	Cryptographic algorithms detected in the binary:	`Uses constants related to MD5`
Malicious	The PE contains functions mostly used by malware.	`[!] The program may be hiding some of its imports: GetProcAddress LoadLibraryA` `Functions related to the privilege level: OpenProcessToken`
Suspicious	The file contains overlay data.	`14584758 bytes of data starting at offset 0x14000.` `The overlay data has an entropy of 7.9996 and is possibly compressed or encrypted.` `Overlay data amounts for 99.4415% of the executable.`
Suspicious	VirusTotal score: 2/58 (Scanned on 2024-11-06 05:01:49)	`Antiy-AVL: Virus/Win32.Expiro.imp` `Ikarus: Trojan.Patched`

Hashes

MD5	`667668c9ba475d7825b8528498bbea16`
SHA1	`32bd247df3ce17de3fdc1cb718ef20c7959af296`
SHA256	`20686fc4bf65e292ce5a699eb83176210caa4b90c33ac55e2013a84a4aa5d1ee`
SHA3	`40802eeb4e4f7e95c7138dd0adeec8c67e9c5a8c3a21ae1adfeb3eacaeeb1f79`
SSDeep	`393216:B7vtmFZkcFdHsWpcPetqwRG7YJRZ63Nckne:BLtmbks/cwpUNTne`
Imports Hash	`e8ac49403e5d9c65de103a82cdc9e08c`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0xe0`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_I386`
NumberofSections	`4`
TimeDateStamp	2008-Jul-31 17:22:44
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xe0`
Characteristics	`IMAGE_FILE_32BIT_MACHINE` `IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_RELOCS_STRIPPED`

Image Optional Header

Magic	`PE32`
LinkerVersion	`8.0`
SizeOfCode	`0x7000`
SizeOfInitializedData	`0xc000`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x00002FB9 (Section: .text)`
BaseOfCode	`0x1000`
BaseOfData	`0x8000`
ImageBase	`0x400000`
SectionAlignment	`0x1000`
FileAlignment	`0x1000`
OperatingSystemVersion	`4.0`
ImageVersion	`0.0`
SubsystemVersion	`4.0`
Win32VersionValue	`0`
SizeOfImage	`0x15000`
SizeOfHeaders	`0x1000`
Checksum	`0x1e8c1`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`eb57ff953b761a62c443cd98865a6193`
SHA1	`1dd0fb43660cae4e5983967a2163e3defd741a0e`
SHA256	`42b03227c8439468e214d9b3b107695db03e31e48c65c7e8de88d7681cbec019`
SHA3	`4ee9987eb97302794f7331c2560c0b9d287c404150e65fd70569d19cad52c36c`
VirtualSize	`0x6ef4`
VirtualAddress	`0x1000`
SizeOfRawData	`0x7000`
PointerToRawData	`0x1000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.58256`

.rdata

MD5	`1f70c33733719503d9e3c737d7ee6656`
SHA1	`cd81ac5958b2d2a965ef8ada07c10d28f53887f2`
SHA256	`e1d204c11f1d269e886b7e9fad86e9b1a519c631b4c2a04c34c49a745b1ee715`
SHA3	`b384f7866c6e59498ad02a6547bbfeba100939d56d1acbcfc56fd1c40bf40307`
VirtualSize	`0x284c`
VirtualAddress	`0x8000`
SizeOfRawData	`0x3000`
PointerToRawData	`0x8000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`4.94892`

.data

MD5	`cf7139f055026960ac6ed0e40fa4b072`
SHA1	`546d62f42048e5c0ec219991ad0344e37d909aa5`
SHA256	`46fa26fdf43c0f997145959afc995481a66d885018ee2338afd564f0e4c58648`
SHA3	`3ef644f1bb9b947dc622973f40db7e471547ec0b3bbf0cc02db16b7718b93d32`
VirtualSize	`0x1908`
VirtualAddress	`0xb000`
SizeOfRawData	`0x1000`
PointerToRawData	`0xb000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`2.23929`

.rsrc

MD5	`84de9a9210d8eafe70ab0f5676afd4ab`
SHA1	`bf5522595b16a2a2d8ac5dca1a90b834b08b088b`
SHA256	`0d1c43bf2653e89e74e3050160b5a5f016806f1d0d7062b01d57bc711d3c93c1`
SHA3	`35b3fbaf7a51702eac6a7a5db6bdbb6157b8f3c334e47cc44e7923ae996ac97d`
VirtualSize	`0x79d0`
VirtualAddress	`0xd000`
SizeOfRawData	`0x8000`
PointerToRawData	`0xc000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`6.01047`

Imports

KERNEL32.dll	`SetUnhandledExceptionFilter` `lstrcmpiA` `lstrcpyA` `lstrlenA` `_lclose` `GetModuleFileNameA` `_lread` `_llseek` `_lopen` `_lwrite` `_lcreat` `CreateDirectoryA` `SetCurrentDirectoryA` `lstrcatA` `FreeLibrary` `GetProcAddress` `LoadLibraryA` `UnhandledExceptionFilter` `GetFileAttributesA` `RemoveDirectoryA` `DeleteFileA` `GetTempPathA` `GetCurrentDirectoryA` `CloseHandle` `GetExitCodeProcess` `LocalFree` `HeapSize` `RtlUnwind` `LCMapStringW` `LCMapStringA` `GetStringTypeW` `GetCurrentProcess` `GetDiskFreeSpaceA` `TerminateProcess` `MultiByteToWideChar` `GetStringTypeA` `GetModuleHandleA` `TlsGetValue` `TlsAlloc` `TlsSetValue` `TlsFree` `InterlockedIncrement` `SetLastError` `GetCurrentThreadId` `GetLastError` `InterlockedDecrement` `ExitProcess` `HeapFree` `HeapAlloc` `GetCommandLineA` `GetVersionExA` `GetProcessHeap` `GetStartupInfoA` `DeleteCriticalSection` `LeaveCriticalSection` `EnterCriticalSection` `GetCPInfo` `GetACP` `GetOEMCP` `Sleep` `WriteFile` `GetStdHandle` `InitializeCriticalSection` `HeapDestroy` `HeapCreate` `VirtualFree` `VirtualAlloc` `HeapReAlloc` `FreeEnvironmentStringsA` `GetEnvironmentStrings` `FreeEnvironmentStringsW` `WideCharToMultiByte` `GetEnvironmentStringsW` `SetHandleCount` `GetFileType` `QueryPerformanceCounter` `GetTickCount` `GetCurrentProcessId` `GetSystemTimeAsFileTime` `GetLocaleInfoA`
USER32.dll	`TranslateMessage` `DispatchMessageA` `PeekMessageA` `wsprintfA` `LoadCursorA` `SetCursor` `MessageBoxA` `MsgWaitForMultipleObjects`
ADVAPI32.dll	`GetTokenInformation` `OpenProcessToken`
SHELL32.dll	`ShellExecuteExA`

Delayed Imports

1

Type	`RT_ICON`
Language	English - United States
Codepage	Latin 1 / Western European
Size	`0xea8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`6.27612`
MD5	`244f05b9de8a004e5ca5b6460b3ff2a1`
SHA1	`308b9a07c1e5ddb0e85435ec752fe838efaacddc`
SHA256	`b7c7212d70172272821a26e7166d9082be5cb7ed5551152229c564ebe618f8e1`
SHA3	`5af8e902435fae71aea2a59c8caa2d8160b49357fb5c8320fc11da42917ef649`

2

Type	`RT_ICON`
Language	English - United States
Codepage	Latin 1 / Western European
Size	`0x568`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`4.31421`
MD5	`ceea1f40f26b391da8977d0bc69ce333`
SHA1	`b0cc7faf384a4a9b55661c9dd00afff3bd478469`
SHA256	`1f8d3da0dd89dca26c6bb14ac7be9ed5a01bc929574ad46b87524f251e80e2be`
SHA3	`b2209ce5f96a2132ab957018f921de9955c4e2d755221c41dd1263f681fb7608`

3

Type	`RT_ICON`
Language	English - United States
Codepage	Latin 1 / Western European
Size	`0x468`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.9477`
MD5	`286299765e413961c577250b562a9f6d`
SHA1	`c11066e0b36e102c15530a0a2bcf3ff59a447e38`
SHA256	`06fb164c24b5774aa1cc61dee3855f98998e7d8b80e7370403da6c202f054da8`
SHA3	`78911af57398ed019c2227579f388a129529836767481d8f3a52a82fca9ab835`

4

Type	`RT_ICON`
Language	English - United States
Codepage	Latin 1 / Western European
Size	`0x2e8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.78233`
MD5	`2bfdea3afd1fff1a7b0289c617cfae05`
SHA1	`bc3d4258adec91cf01ff8d841bec5c48dd58000f`
SHA256	`a8af8d3e6282e1efdd38fb2787c9ec42cfbbf9cd1d473f6845590c3e31ea3c11`
SHA3	`f14c0636ff106d35a48416d618b5f71220091567cea7ad6f582412d2e81f1afd`

5

Type	`RT_ICON`
Language	English - United States
Codepage	Latin 1 / Western European
Size	`0x8a8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`6.14953`
MD5	`d400262b6638ac150461e04641caf542`
SHA1	`bff6b574a2d8b8597b021e26699da166d7520104`
SHA256	`31e4e1eea0a0e2e6443773d356ddca1fe28d32e74727a13638c85bdbd78281a6`
SHA3	`b007210806cc46ddec9dbe9dcef89d122150393bfd47f2cae5e4419fdbb17ab7`

6

Type	`RT_ICON`
Language	English - United States
Codepage	Latin 1 / Western European
Size	`0x10a8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.83714`
MD5	`b5c47d2978f629cc35ab63e89cabcb2c`
SHA1	`2b979114d1a0832ede92cc14a62be2fe3a5572fd`
SHA256	`7a7ef627be60b3f8f5b2366d513efd6b341eb942f039bfcc9399d82ebd898d0d`
SHA3	`bb2328d1e5c94651d22cf3798eb92a76f9d12a8f9bc237339608787594276d5a`

7

Type	`RT_ICON`
Language	English - United States
Codepage	Latin 1 / Western European
Size	`0x668`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.64397`
MD5	`6acf27cac1ed0cc79e0b5cf6bbfa35af`
SHA1	`ae882712f338525cbb428dbb0dc5556a858993db`
SHA256	`d8bbb3fb720499a58160e7956e4bd18855b384c6dbd3aa262fea0e121436c6f2`
SHA3	`06441aae6d59e83b9369b36d31536ea17a6ecc34b49ea1958dc0fca25ff89567`

8

Type	`RT_ICON`
Language	English - United States
Codepage	Latin 1 / Western European
Size	`0xea8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.84115`
MD5	`5073c50c3a136934f16481bc0b3df044`
SHA1	`11df1eebfbd55cb5acf95991e7c0169475ef9b8a`
SHA256	`b65d018eb43b3c976a891e6677049eee014093e7c77774ffa1a4d08565891ecd`
SHA3	`89b824ae6dc6f8b6f2e1336885fc0cd021eaf37e1efa48eeafc39a70a171b764`

9

Type	`RT_ICON`
Language	English - United States
Codepage	Latin 1 / Western European
Size	`0x25a8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.41049`
MD5	`ca478133475a2622104a5405539831fe`
SHA1	`8f2ad79e45e19b6ad4c3dc6aa273ea53479b67fa`
SHA256	`9df16fabe1cfc3dc3095c7c70f5fa39be14a8ca6a4fdf4aeaa194cde7995127c`
SHA3	`34ec32be9c59ab7710496e0b02eb1c81b11ff5394d1a13e31ade7870126bbc7d`

101

Type	`RT_GROUP_ICON`
Language	English - United States
Codepage	Latin 1 / Western European
Size	`0x14`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`1.91924`
Detected Filetype	Icon file
MD5	`58ebb87a86317b6d24927da35043510c`
SHA1	`0b9f73c9e0df4ce471f81a69c9d55b09e4326899`
SHA256	`c04493b5cb4e400e784578fb8c753741c693ea4e58bfba318b4cffb66ef163eb`
SHA3	`013f63e9b53b05ce3a2dce811658c3adf591f08394b799d8945d1befa03b2be8`

1 (#2)

Type	`RT_VERSION`
Language	English - United States
Codepage	Latin 1 / Western European
Size	`0x408`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.44242`
MD5	`e6b3f2a9decc1695d9da5655d86685d9`
SHA1	`62378907556c013faf661f9789819ea7a2667b1b`
SHA256	`d52508a513cc81fa84d83e751f0498d8b8d343f2db4f9989e8215f8cc74e8412`
SHA3	`4dc2876279dd3bc6d0889d3a40a0cf88233ae8ea64a935e87a34527f2449ce31`

1 (#3)

Type	`RT_MANIFEST`
Language	English - United States
Codepage	Latin 1 / Western European
Size	`0x39b`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`4.85247`
MD5	`500e32f191579c440a3f870891059712`
SHA1	`55899561f3bc4a82fa4a17990c6330013a69d536`
SHA256	`b5b2686444699bacf7b0a9f5f9ce7b4b14ffd04ebbf32794fbc0a2311dfa35f4`
SHA3	`987935bb24087e05f91072d28e8ff8e77f74616e5b8b9c996ac73ab10f2a6837`

Version Info

Signature	`0xfeef04bd`
StructVersion	`0x10000`
FileVersion	8.1.1000.0
ProductVersion	8.1.1000.0
FileFlags	`VS_FF_PRIVATEBUILD`
FileOs	`VOS_DOS_WINDOWS32` `VOS_NT` `VOS_NT_WINDOWS32` `VOS_WINCE` `VOS__WINDOWS32`
FileType	`VFT_APP`
Language	English - United States
Comments	Created with Setup Factory 8.0
FileDescription	Setup Application
FileVersion (#2)	8.1.1000.0
InternalName	suf80_launch
LegalCopyright	Setup Engine Copyright © 2004-2008 Indigo Rose Corporation
LegalTrademarks	Setup Factory is a trademark of Indigo Rose Corporation.
OriginalFilename	suf80_launch.exe
ProductName	Setup Factory 8.0 Runtime
ProductVersion (#2)	8.1.1000.0

Resource LangID	English - United States

TLS Callbacks

Load Configuration

Size	`0x48`
TimeDateStamp	`1970-Jan-01 00:00:00`
Version	`0.0`
GlobalFlagsClear	`(EMPTY)`
GlobalFlagsSet	`(EMPTY)`
CriticalSectionDefaultTimeout	`0`
DeCommitFreeBlockThreshold	`0`
DeCommitTotalFreeThreshold	`0`
LockPrefixTable	`0`
MaximumAllocationSize	`0`
VirtualMemoryThreshold	`0`
ProcessAffinityMask	`0`
ProcessHeapFlags	`(EMPTY)`
CSDVersion	`0`
Reserved1	`0`
EditList	`0`
SecurityCookie	`0x40b020`
SEHandlerTable	`0x409d40`
SEHandlerCount	`3`

RICH Header

XOR Key	`0x45d0d24e`
Unmarked objects	`0`
ASM objects (VS2012 build 50727 / VS2005 build 50727)	`16`
Imports (VS2003 (.NET) build 4035)	`9`
Total imports	`106`
C objects (VS2012 build 50727 / VS2005 build 50727)	`74`
C++ objects (VS2012 build 50727 / VS2005 build 50727)	`31`
Resource objects (VS2012 build 50727 / VS2005 build 50727)	`1`
Linker (VS2012 build 50727 / VS2005 build 50727)	`1`

Errors

Leave a comment

No comments yet.