Manalyze report for 27599c22e0eba42f3e91e27fe1d04598

Summary

Architecture	`IMAGE_FILE_MACHINE_I386`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	2007-May-07 12:58:10
Detected languages	Process Default Language Russian - Russia

Plugin Output

Suspicious	PEiD Signature:	`UPX V2.00-V2.90 -> Markus Oberhumer & Laszlo Molnar & John Reiser` `UPX v2.0 -> Markus, Laszlo & Reiser (h)` `UPX -> www.upx.sourceforge.net` `UPX V2.00-V2.90 -> Markus Oberhumer & Laszlo Molnar & John Reiser`
Suspicious	The PE is packed with UPX	`Unusual section name found: UPX0` `Section UPX0 is both writable and executable.` `Unusual section name found: UPX1` `Section UPX1 is both writable and executable.`
Info	The PE contains common functions which appear in legitimate applications.	`[!] The program may be hiding some of its imports: LoadLibraryA GetProcAddress` `Can access the registry: RegCloseKey`
Malicious	VirusTotal score: 60/72 (Scanned on 2024-01-01 10:22:13)	`ALYac: Trojan.FakeAlert.RS` `APEX: Malicious` `AVG: Win32:WormX-gen [Wrm]` `AhnLab-V3: Win-AppCare/Renos.30720.D` `Alibaba: Trojan:Win32/Renos.2bdcb21c` `Antiy-AVL: HackTool[Hoax]/Win32.Renos` `Arcabit: Trojan.FakeAlert.RS` `Avast: Win32:WormX-gen [Wrm]` `Avira: TR/Dldr.Zlob.Gen` `BitDefender: Trojan.FakeAlert.RS` `BitDefenderTheta: Gen:NN.ZexaF.36608.cmGfamRyy9iI` `Bkav: W32.AIDetectMalware` `ClamAV: Win.Trojan.Fakealert-33` `CrowdStrike: win/malicious_confidence_90% (D)` `Cylance: unsafe` `Cynet: Malicious (score: 100)` `DeepInstinct: MALICIOUS` `DrWeb: Trojan.Fakealert` `ESET-NOD32: Win32/Adware.SpySheriff` `Elastic: malicious (moderate confidence)` `Emsisoft: Trojan.FakeAlert.RS (B)` `F-Secure: Trojan.TR/Dldr.Zlob.Gen` `FireEye: Generic.mg.27599c22e0eba42f` `Fortinet: Riskware/Renos` `GData: Trojan.FakeAlert.RS` `Google: Detected` `Gridinsoft: Trojan.Win32.Renos.zv!s2` `Ikarus: not-a-virus:Hoax.Win32.Renos` `Jiangmin: Trojan/Agent.fnv` `K7AntiVirus: Adware ( 004c1c281 )` `K7GW: Adware ( 004c1c281 )` `Kaspersky: UDS:Trojan.Win32.Generic` `Lionic: Trojan.Win32.Renos.4!c` `MAX: malware (ai score=100)` `Malwarebytes: Adware.Agent` `MaxSecure: Trojan.Malware.300983.susgen` `McAfee: GenericRXAA-AA!27599C22E0EB` `MicroWorld-eScan: Trojan.FakeAlert.RS` `Microsoft: Trojan:Win32/Renos!ic` `NANO-Antivirus: Virus.Win32.Gen.ccmw` `Panda: Adware/BraveSentry` `Rising: Hoax.Renos!8.1140 (TFE:5:tkcL0R1CgNE)` `Sangfor: Suspicious.Win32.Save.a` `SentinelOne: Static AI - Suspicious PE` `Skyhigh: BehavesLike.Win32.Fasong.pm` `Sophos: Mal/Generic-R` `Symantec: SpySheriff` `Tencent: Malware.Win32.Gencirc.1173c566` `Trapmine: malicious.moderate.ml.score` `TrendMicro: TROJ_RENOS.SZ` `TrendMicro-HouseCall: TROJ_RENOS.SZ` `VBA32: Trojan-DownLoader.Revelation.Tupak` `VIPRE: Trojan.FakeAlert.RS` `Varist: W32/FakeAlert.G.gen!Eldorado` `VirIT: Trojan.Win32.Fakealert.JN` `Webroot: W32.Trojan.FakeAlert` `Xcitium: Application.Win32.Adware.SpySheriff@oso` `Yandex: Trojan.Renos.Gen.9` `Zillya: Tool.Renos.Win32.1408` `ZoneAlarm: Hoax.Win32.Renos.fi`

Hashes

MD5	`27599c22e0eba42f3e91e27fe1d04598`
SHA1	`62f64646050a7052767881f73fdf57825ed501ac`
SHA256	`f09ffe74770a7229ddef667bc95fa73e0886adf8739cdfff36101443975e5b5a`
SHA3	`007dcb9d799022e19c944eed1f6e81d24330c78e54b160853823fa4140615a7a`
SSDeep	`384:b6sus8sjumVO2DdGfa8BeQVaZbsjmisNp8UhGWqkLNRaPX1:2seCumVO2DdGf/evVsjLs8UvAPl`
Imports Hash	`4a5ebec485beb64f91edf76f986f8113`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0xd8`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_I386`
NumberofSections	`3`
TimeDateStamp	2007-May-07 12:58:10
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xe0`
Characteristics	`IMAGE_FILE_32BIT_MACHINE` `IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LINE_NUMS_STRIPPED` `IMAGE_FILE_LOCAL_SYMS_STRIPPED` `IMAGE_FILE_RELOCS_STRIPPED`

Image Optional Header

Magic	`PE32`
LinkerVersion	`6.0`
SizeOfCode	`0x4000`
SizeOfInitializedData	`0x7000`
SizeOfUninitializedData	`0xe000`
AddressOfEntryPoint	`0x00012790 (Section: UPX1)`
BaseOfCode	`0xf000`
BaseOfData	`0x13000`
ImageBase	`0x400000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`4.0`
ImageVersion	`0.0`
SubsystemVersion	`4.0`
Win32VersionValue	`0`
SizeOfImage	`0x1a000`
SizeOfHeaders	`0x1000`
Checksum	`0`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

UPX0

MD5	`d41d8cd98f00b204e9800998ecf8427e`
SHA1	`da39a3ee5e6b4b0d3255bfef95601890afd80709`
SHA256	`e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`
SHA3	`a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a`
VirtualSize	`0xe000`
VirtualAddress	`0x1000`
SizeOfRawData	`0`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_UNINITIALIZED_DATA` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`

UPX1

MD5	`7e0f289bdef726829a29dd5ea5efd834`
SHA1	`2fc6c00426e27c5dfea005bdd7aa808092c01b23`
SHA256	`b41ab1b6f1224eee03a21c507a29d892f9f7b57a6c4dfa90b6b4a3c4bd5c537a`
SHA3	`add16a40ac82b65aa19a72c6ef76e4d5bc98ad2bfe00643ff70d7bf73f05ca7a`
VirtualSize	`0x4000`
VirtualAddress	`0xf000`
SizeOfRawData	`0x3a00`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`7.84437`

.rsrc

MD5	`55c562032de529ba157d9142fd44f806`
SHA1	`5134c560c3cf90160ab1d4d6437e360f4d86478f`
SHA256	`bb0cf2abea9d08873ff8daf8085860fb552b4ab94dcc157728119e4093555196`
SHA3	`b1c015fb76a548cc99a4e775e1a56ec6a8d251f62c63d1aa7f67abed51ad6e85`
VirtualSize	`0x7000`
VirtualAddress	`0x13000`
SizeOfRawData	`0x6c00`
PointerToRawData	`0x3e00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`3.47007`

Imports

ADVAPI32.dll	`RegCloseKey`
COMCTL32.dll	`InitCommonControlsEx`
KERNEL32.DLL	`LoadLibraryA` `ExitProcess` `GetProcAddress` `VirtualProtect`
ole32.dll	`CoInitialize`
SHELL32.dll	`Shell_NotifyIconA`
USER32.dll	`IsChild`
WSOCK32.dll	`sendto`

Delayed Imports

1

Type	`RT_ICON`
Language	Process Default Language
Codepage	Latin 1 / Western European
Size	`0x67e8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.42443`
MD5	`9e6b4ab49cd90f337114500cc3e270b5`
SHA1	`b130abd56c822daf2c84ac27b6a7f3797fcfed2e`
SHA256	`810a12d36729f3342b61055ed12792e2925fb1c814a7c8e7ce71b292289bfbe8`
SHA3	`ca996ca04adf203f910e6fb42465be69b4be15339b2b3a7d947e7be2354d879e`

101

Type	`RT_DIALOG`
Language	Russian - Russia
Codepage	Latin 1 / Western European
Size	`0x8a`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`6.44704`
MD5	`a71769f03266dd9cd346044673e59232`
SHA1	`111693f24642c2090a6fb4c8f5bc2f0bef888472`
SHA256	`eeefa8ac2f9940626656435ed7505dc56597c2328764596ae0b4b82cf6d91a75`
SHA3	`d589a6b1e5d129743432c0c871fc5a9a657b7f13b3f2b04196359edcdc27bd31`

1 (#2)

Type	`RT_GROUP_ICON`
Language	Process Default Language
Codepage	Latin 1 / Western European
Size	`0x14`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`1.91924`
Detected Filetype	Icon file
MD5	`eeea78b1cdafb203817ab9c01e3cd177`
SHA1	`6b0cb3a6a93e84e9d38882e8cf910bdc7bcaf089`
SHA256	`525979e8f412425450ba6282ca1697b9f1933aaa9d801e4a0a1dc3c48ba43711`
SHA3	`897dd31533c13343d520d1c23140b25fbb323442167633bcce293be83c6977c0`

Version Info

TLS Callbacks

Load Configuration

RICH Header

XOR Key	`0x45dda252`
Unmarked objects	`0`
C objects (VS98 build 8168)	`24`
14 (7299)	`11`
Unmarked objects (#2)	`5`
19 (8034)	`13`
Total imports	`85`
C++ objects (VS98 build 8168)	`4`
Resource objects (VS98 cvtres build 1720)	`1`

Errors

[*] Warning: Section UPX0 has a size of 0!