Manalyze report for 25ebf798c4922614b236c5628d3ff889

Summary

Architecture	`IMAGE_FILE_MACHINE_I386`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_CUI`
Compilation Date	2018-Jul-05 14:10:46
Detected languages	English - United States
CompanyName	anon
FileDescription	fortnite
FileVersion	`1.4`
InternalName	fortnite.exe
LegalCopyright	(C) 2018
OriginalFilename	fortnite.exe
ProductName	fortnite
ProductVersion	`1.4`

Plugin Output

Info	Matching compiler(s):	`Microsoft Visual C++ 6.0 - 8.0`
Suspicious	Strings found in the binary may indicate undesirable behavior:	`Looks for Sandboxie presence: SbieDll.dll` `Miscellaneous malware strings: cmd.exe`
Info	Libraries used to perform cryptographic operations:	`Microsoft's Cryptography API`
Suspicious	The PE contains functions most legitimate programs don't use.	`[!] The program may be hiding some of its imports: GetProcAddress LoadLibraryA LoadLibraryExW` `Possibly launches other programs: CreateProcessA ShellExecuteA` `Uses Microsoft's cryptographic API: CryptDestroyHash CryptEncrypt CryptImportKey CryptDestroyKey CryptReleaseContext CryptHashData CryptCreateHash CryptGetHashParam CryptGenRandom CryptAcquireContextA` `Leverages the raw socket API to access the Internet: #8 #14 #57 #10 #20 #17 #13 #1 freeaddrinfo getaddrinfo WSAIoctl #21 #15 #9 #7 #6 #5 #4 #3 #2 #19 #16 #112 #18 #151 #23 #111 #116 #115` `Enumerates local disk drives: GetDriveTypeW`
Malicious	VirusTotal score: 13/68 (Scanned on 2018-07-09 16:50:39)	`McAfee: Artemis!25EBF798C492` `Symantec: ML.Attribute.HighConfidence` `TrendMicro-HouseCall: TROJ_GEN.R002H05G818` `Paloalto: generic.ml` `AegisLab: Ml.Attribute.Gen!c` `Rising: Trojan.Zpevdo!8.F912 (CLOUD)` `Invincea: heuristic` `McAfee-GW-Edition: BehavesLike.Win32.Dropper.bh` `Sophos: Mal/Generic-S` `Microsoft: Trojan:Win32/Zpevdo.A` `VBA32: BScope.Trojan.Gasti` `AVG: FileRepMalware` `CrowdStrike: malicious_confidence_60% (W)`

Hashes

MD5	`25ebf798c4922614b236c5628d3ff889`
SHA1	`ae2bf833b0e6220e8b3c46dd43a1cb4a403bf4e4`
SHA256	`bfad6c922930c8c0c654668af5a5f77935f511c0a7573aa634d1ce3c19fc1bb8`
SHA3	`234c290f5ccf9fce1b2a2abe6b396ef7837fb77827e2b844eec49edd86eb1160`
SSDeep	`12288:XtEaWuIk5BPq3q91RBY14EZ/rhJp0lHIuBz6EBEdVOf0JzYm0YBafukgE9ZUcpe:XGaWdIBCDEKzOe26ZrfhouZH7EaaMbV`
Imports Hash	`e8c20e34f61dd9b8c894d142bbdd3173`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0x118`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_I386`
NumberofSections	`7`
TimeDateStamp	2018-Jul-05 14:10:46
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xe0`
Characteristics	`IMAGE_FILE_32BIT_MACHINE` `IMAGE_FILE_EXECUTABLE_IMAGE`

Image Optional Header

Magic	`PE32`
LinkerVersion	`14.0`
SizeOfCode	`0x64c00`
SizeOfInitializedData	`0x4e800`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x00041434 (Section: .text)`
BaseOfCode	`0x1000`
BaseOfData	`0x66000`
ImageBase	`0x400000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`5.1`
ImageVersion	`0.0`
SubsystemVersion	`5.1`
Win32VersionValue	`0`
SizeOfImage	`0xb7000`
SizeOfHeaders	`0x400`
Checksum	`0`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_CUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` `IMAGE_DLLCHARACTERISTICS_NX_COMPAT` `IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`1708ad4d6b1c45d5852f01c738b9269e`
SHA1	`b373829cca4a6a3a0b9c5de48c5d35c02e839d58`
SHA256	`3e7a3769219cc78c999de1e34416084583af57562435d2cb43ab3ad55e580daf`
SHA3	`bccd5d731d20433199ed7bb0a0f4a24521172bed23c38d8026af465b805491e6`
VirtualSize	`0x64abb`
VirtualAddress	`0x1000`
SizeOfRawData	`0x64c00`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.55733`

.rdata

MD5	`79ec55ce76e0a58da4e889c5d671a8a9`
SHA1	`250ef11a39ab2019bac02f8efb534fa0f8fb5ca5`
SHA256	`989748430c2c920c5bc5acd9ce913dbbbdb2b29ecf5ea5e33a2e5bcddb776d56`
SHA3	`2e28a1ee20c76e1834b295af907ec90a6baedeb1aa1de68db0c6a730ce7757d9`
VirtualSize	`0x1a362`
VirtualAddress	`0x66000`
SizeOfRawData	`0x1a400`
PointerToRawData	`0x65000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`5.72408`

.data

MD5	`116a8dc5dac538a90b8301f6621de6ad`
SHA1	`727e8a024a3a7b2763a8a4113eccab9c0b280296`
SHA256	`0772e1844cbe6716c4e5806dad903a18ed0056701394e674c2ddade503643a49`
SHA3	`b8984c65303f63843c171e15e0ae7665a0eab075dead86415b32a6fa2129db89`
VirtualSize	`0x1fbc`
VirtualAddress	`0x81000`
SizeOfRawData	`0x1000`
PointerToRawData	`0x7f400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`3.30012`

.gfids

MD5	`abc5a7b010213e9909521a64f76ac23a`
SHA1	`ab6a9eeffedf3ee555a2bd1fca6836f248759479`
SHA256	`1ecac7ad9f4b0f83c29a3933574c0b78c18241c1398abf6a11c9daacb50cdb81`
SHA3	`2a545038cac9816c2905278ed07ed0ab84b52d44a270b9b9992cb0a620881809`
VirtualSize	`0x2ec`
VirtualAddress	`0x83000`
SizeOfRawData	`0x400`
PointerToRawData	`0x80400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`3.03069`

.tls

MD5	`1f354d76203061bfdd5a53dae48d5435`
SHA1	`aa0d33a0c854e073439067876e932688b65cb6a9`
SHA256	`4c6474903705cb450bb6434c29e8854f17d8324efca1fdb9ee9008599060883a`
SHA3	`991fbbd46bbd69198269fe6c247d440e0f8a7d38259b7a1e04b74790301d1d2b`
VirtualSize	`0x9`
VirtualAddress	`0x84000`
SizeOfRawData	`0x200`
PointerToRawData	`0x80800`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`0.0203931`

.rsrc

MD5	`30d88ec923d3f4fafb5ea8f8eca1aca9`
SHA1	`c396f2e84f5d508706782fd8f3abc7e9d4451d6f`
SHA256	`e637b76e3c92d0bd827ca3356f87a6903a3b0a9e0cecdd2df1934d553c2bb2a1`
SHA3	`4d9008e6242382a0d09be4f42eb66dba888139f3ae677130b5d69d2f11777cec`
VirtualSize	`0x2cd80`
VirtualAddress	`0x85000`
SizeOfRawData	`0x2ce00`
PointerToRawData	`0x80a00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`5.88438`

.reloc

MD5	`e1659a0eb801252831696cee1001d437`
SHA1	`a11fe42489e9d10d8262148a8eee3a9600b487eb`
SHA256	`8a755341eaeff22f2ae808b01bf70831bab1ce8aa83a9be86e8c4d4a1cbba0e4`
SHA3	`ea2de1209bd76605d203f5798cd18ec345b27178277f2c7bde329d86256ce6f3`
VirtualSize	`0x4ec8`
VirtualAddress	`0xb2000`
SizeOfRawData	`0x5000`
PointerToRawData	`0xad800`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`6.65368`

Imports

WS2_32.dll	`#8` `#14` `#57` `#10` `#20` `#17` `#13` `#1` `freeaddrinfo` `getaddrinfo` `WSAIoctl` `#21` `#15` `#9` `#7` `#6` `#5` `#4` `#3` `#2` `#19` `#16` `#112` `#18` `#151` `#23` `#111` `#116` `#115`
ADVAPI32.dll	`CryptDestroyHash` `CryptEncrypt` `CryptImportKey` `CryptDestroyKey` `CryptReleaseContext` `CryptHashData` `CryptCreateHash` `CryptGetHashParam` `CryptGenRandom` `CryptAcquireContextA`
CRYPT32.dll	`CertFreeCertificateContext`
WLDAP32.dll	`#46` `#211` `#60` `#50` `#301` `#200` `#30` `#79` `#35` `#33` `#32` `#27` `#26` `#22` `#41` `#143`
Normaliz.dll	`IdnToAscii`
KERNEL32.dll	`FindFirstFileExA` `FindClose` `GetTimeZoneInformation` `GetProcessHeap` `GetFullPathNameW` `GetCurrentDirectoryW` `FindNextFileA` `IsValidCodePage` `GetOEMCP` `GetEnvironmentStringsW` `FreeEnvironmentStringsW` `SetEnvironmentVariableA` `SetStdHandle` `FlushFileBuffers` `GetFileAttributesExW` `GetExitCodeProcess` `WaitForSingleObject` `EnumSystemLocalesW` `GetUserDefaultLCID` `IsValidLocale` `GetConsoleCP` `ReadConsoleW` `GetConsoleMode` `GetACP` `GetCommandLineW` `GetCommandLineA` `WriteFile` `FileTimeToSystemTime` `SystemTimeToTzSpecificLocalTime` `WriteConsoleW` `GetModuleFileNameA` `SetEndOfFile` `HeapSize` `ExitProcess` `HeapFree` `HeapReAlloc` `GetDriveTypeW` `Sleep` `CreateProcessA` `GetProcAddress` `LoadLibraryA` `GetModuleHandleA` `CreateDirectoryA` `FreeLibrary` `GetTickCount64` `GetLastError` `SetLastError` `EnterCriticalSection` `LeaveCriticalSection` `InitializeCriticalSectionEx` `DeleteCriticalSection` `SleepEx` `VerSetConditionMask` `GetSystemDirectoryA` `VerifyVersionInfoA` `FormatMessageA` `CloseHandle` `WaitForSingleObjectEx` `GetStdHandle` `GetFileType` `ReadFile` `PeekNamedPipe` `WaitForMultipleObjects` `ExpandEnvironmentStringsA` `MultiByteToWideChar` `WideCharToMultiByte` `CreateFileW` `SetFilePointerEx` `EncodePointer` `DecodePointer` `InitializeCriticalSectionAndSpinCount` `CreateEventW` `TlsAlloc` `TlsGetValue` `TlsSetValue` `TlsFree` `GetSystemTimeAsFileTime` `GetModuleHandleW` `CompareStringW` `LCMapStringW` `GetLocaleInfoW` `GetStringTypeW` `GetCPInfo` `SetEvent` `ResetEvent` `UnhandledExceptionFilter` `SetUnhandledExceptionFilter` `GetCurrentProcess` `TerminateProcess` `IsProcessorFeaturePresent` `IsDebuggerPresent` `GetStartupInfoW` `QueryPerformanceCounter` `GetCurrentProcessId` `GetCurrentThreadId` `InitializeSListHead` `RaiseException` `RtlUnwind` `LoadLibraryExW` `CreateThread` `ExitThread` `FreeLibraryAndExitThread` `GetModuleHandleExW` `HeapAlloc`
SHELL32.dll	`ShellExecuteA`

Delayed Imports

1

Type	`RT_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x2c830`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.87906`
MD5	`2b408f0644f0a3fe41fd641d88dd1a0e`
SHA1	`bad55b8335d2994fe7fcabe149b83e305f965fbb`
SHA256	`d06c809bea3c09c44e21420f4e01cee49db3084191219f98d2952eb5f38a79df`
SHA3	`fe8973ed4c34144a6ac9dee0fc551ba2647eb6b55655ac7d65c9022f5594b06f`

101

Type	`RT_GROUP_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x14`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.16096`
Detected Filetype	Icon file
MD5	`8e03689f7fdc7309f9388d641fcbda24`
SHA1	`512ba7d28c93f682a19ebbf9b432d02da394aa67`
SHA256	`f96388d9f276eaa290040e552457a08c620c3d8273cbdee6ec39d2b4a3d49340`
SHA3	`938c64ab1ff3817fae847c82e9b9abac026eb342f1e208eeedd83684fa04dd7d`

1 (#2)

Type	`RT_VERSION`
Language	English - United States
Codepage	UNKNOWN
Size	`0x284`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.22255`
MD5	`ba3211f4e475f558287fb176d5088c59`
SHA1	`539937b60f5ec512d17d0c775c0d6435777e7456`
SHA256	`d39ef08731c7b6be9c508e6431f40c9abe037ac2580eeaf4d977f873d2d40c1c`
SHA3	`f981f42e9cf37f2ee4652679245901cf1349a1dbf1db2f3c3f86f499f08693bf`

1 (#3)

Type	`RT_MANIFEST`
Language	English - United States
Codepage	UNKNOWN
Size	`0x17d`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`4.91161`
MD5	`1e4a89b11eae0fcf8bb5fdd5ec3b6f61`
SHA1	`4260284ce14278c397aaf6f389c1609b0ab0ce51`
SHA256	`4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df`
SHA3	`4bb9e8b5a714cae82782f3831cc2d45f4bf4a50a755fe584d2d1893129d68353`

Version Info

Signature	`0xfeef04bd`
StructVersion	`0x10000`
FileVersion	1.4.0.0
ProductVersion	1.4.0.0
FileFlags	`(EMPTY)`
FileOs	`VOS_DOS_WINDOWS32` `VOS_NT` `VOS_NT_WINDOWS32` `VOS_WINCE` `VOS__WINDOWS32`
FileType	`VFT_APP`
Language	English - United States
CompanyName	anon
FileDescription	fortnite
FileVersion (#2)	1.4
InternalName	fortnite.exe
LegalCopyright	(C) 2018
OriginalFilename	fortnite.exe
ProductName	fortnite
ProductVersion (#2)	1.4

Resource LangID	English - United States

IMAGE_DEBUG_TYPE_POGO

Characteristics	`0`
TimeDateStamp	2018-Jul-05 14:10:46
Version	`0.0`
SizeofData	`960`
AddressOfRawData	`0x7e028`
PointerToRawData	`0x7d028`

IMAGE_DEBUG_TYPE_ILTCG

Characteristics	`0`
TimeDateStamp	2018-Jul-05 14:10:46
Version	`0.0`
SizeofData	`0`
AddressOfRawData	`0`
PointerToRawData	`0`

TLS Callbacks

StartAddressOfRawData	`0x484000`
EndAddressOfRawData	`0x484008`
AddressOfIndex	`0x4827d0`
AddressOfCallbacks	`0x466308`
SizeOfZeroFill	`0`
Characteristics	`IMAGE_SCN_ALIGN_4BYTES`
Callbacks	`(EMPTY)`

Load Configuration

Size	`0x5c`
TimeDateStamp	`1970-Jan-01 00:00:00`
Version	`0.0`
GlobalFlagsClear	`(EMPTY)`
GlobalFlagsSet	`(EMPTY)`
CriticalSectionDefaultTimeout	`0`
DeCommitFreeBlockThreshold	`0`
DeCommitTotalFreeThreshold	`0`
LockPrefixTable	`0`
MaximumAllocationSize	`0`
VirtualMemoryThreshold	`0`
ProcessAffinityMask	`0`
ProcessHeapFlags	`(EMPTY)`
CSDVersion	`0`
Reserved1	`0`
EditList	`0`
SecurityCookie	`0x4810c8`
SEHandlerTable	`0x47df80`
SEHandlerCount	`42`

RICH Header

XOR Key	`0xcf3bd545`
Unmarked objects	`0`
241 (40116)	`14`
243 (40116)	`178`
242 (40116)	`29`
199 (41118)	`5`
ASM objects (VS2015 UPD3 build 24123)	`25`
C++ objects (VS2015 UPD3 build 24123)	`59`
C objects (VS2015 UPD3 build 24123)	`35`
Imports (VS2008 SP1 build 30729)	`4`
Total imports	`181`
Imports (24610)	`11`
C objects (VS2017 v15.2 compiler 25019)	`93`
265 (24234)	`2`
Resource objects (24234)	`1`
151	`1`
Linker (24234)	`1`

25ebf798c4922614b236c5628d3ff889

Summary

Plugin Output

Hashes

DOS Header

PE Header

Image Optional Header

.text

.rdata

.data

.gfids

.tls

.rsrc

.reloc

Imports

Delayed Imports

1

101

1 (#2)

1 (#3)

Version Info

IMAGE_DEBUG_TYPE_POGO

IMAGE_DEBUG_TYPE_ILTCG

TLS Callbacks

Load Configuration

RICH Header

Errors