Manalyze report for 28140bd636324bad2f0e8394f3e7f723

Summary

Architecture	`IMAGE_FILE_MACHINE_I386`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	2017-May-11 00:38:40
Detected languages	English - United States
Comments	Dugiyurarije xijo rafuxe rovizubo to rehunopovubeha nuka
FileVersion	`26, 8, 8, 10`
LegalCopyright	Vohewobuvaxado vavijuyi ximupu kilofa lezolewero re gifewoyahatige pudikuxebipo
OriginalFilename	zodacobi.exe
ProductVersion	`26, 8, 8, 10`

Plugin Output

Info	Matching compiler(s):	`Microsoft Visual C++ v6.0 DLL` `Microsoft Visual C++ 6.0 - 8.0`
Info	The PE contains common functions which appear in legitimate applications.	`[!] The program may be hiding some of its imports: GetProcAddress LoadLibraryA LoadLibraryW`
Info	The PE's resources present abnormal characteristics.	`Resource 123 is possibly compressed or encrypted.`
Malicious	VirusTotal score: 54/63 (Scanned on 2017-07-03 06:24:25)	`MicroWorld-eScan: Trojan.GenericKD.5045609` `CMC: Trojan-Downloader.Win32.Gamarue.2!O` `CAT-QuickHeal: TrojanBanker.Emotet` `McAfee: Generic.abu` `Cylance: Unsafe` `K7GW: Hacktool ( 655367771 )` `K7AntiVirus: Trojan ( 0050d6a81 )` `Arcabit: Trojan.Generic.D4CFD69` `TrendMicro: TSPY_EMOTET.XXTN` `Baidu: Win32.Trojan.WisdomEyes.16070401.9500.9949` `F-Prot: W32/Emotet.CB` `Symantec: Ransom.Kovter` `TrendMicro-HouseCall: TSPY_EMOTET.XXTN` `Paloalto: generic.ml` `Kaspersky: Trojan-Banker.Win32.Emotet.vms` `BitDefender: Trojan.GenericKD.5045609` `NANO-Antivirus: Trojan.Win32.Agent.epvmnx` `ViRobot: Trojan.Win32.Emotet.175616` `AegisLab: Troj.Banker.W32.Emotet!c` `Rising: Trojan.Emotet!8.B95 (ktse)` `Ad-Aware: Trojan.GenericKD.5045609` `Sophos: Troj/Wonton-ZH` `Comodo: UnclassifiedMalware` `F-Secure: Trojan.GenericKD.5045609` `DrWeb: Trojan.Siggen7.21438` `VIPRE: Trojan.Win32.Generic!BT` `Invincea: heuristic` `McAfee-GW-Edition: BehavesLike.Win32.SoftPulse.cc` `Emsisoft: Trojan.GenericKD.5045609 (B)` `SentinelOne: static engine - malicious` `Cyren: W32/Emotet.YBAD-6300` `Jiangmin: Trojan.Banker.Emotet.z` `Webroot: W32.Trojan.Gen` `Avira: TR/Crypt.Xpack.skjke` `Antiy-AVL: Trojan[Backdoor]/Win32.Androm` `Microsoft: Trojan:Win32/Emotet.K` `SUPERAntiSpyware: Trojan.Agent/Gen-Kryptik` `ZoneAlarm: Trojan-Banker.Win32.Emotet.vms` `GData: Win32.Trojan.Agent.IFH4S8` `AhnLab-V3: Trojan/Win32.Emotet.C1946623` `ALYac: Trojan.GenericKD.5045609` `AVware: Trojan.Win32.Generic!BT` `MAX: malware (ai score=88)` `Malwarebytes: Trojan.MalPack` `Panda: Trj/WLT.C` `ESET-NOD32: Win32/Emotet.AO` `Tencent: Win32.Trojan.Inject.Auto` `Yandex: Trojan.PWS.Emotet!` `Ikarus: Trojan.Crypt.XPACK` `Fortinet: W32/Emotet.AO!tr` `AVG: Win32:Rootkit-gen [Rtk]` `Avast: Win32:Rootkit-gen [Rtk]` `CrowdStrike: malicious_confidence_89% (W)` `Qihoo-360: Trojan.Generic`

Hashes

MD5	`28140bd636324bad2f0e8394f3e7f723`
SHA1	`50b77fada1b900a0ade38566b960b213e6faa4f0`
SHA256	`4134e925f6fcb24366b243d7973bdb8a7d5298322c600c5c60bd808ff3eb156e`
SHA3	`bad2ff6d1b31664e3a4284ea9388e6cf4be0550828d42b9b79e9f59937b3b990`
SSDeep	`3072:ybYFaHhSJXP3SJEAxk26JqLo6nZPRO9tfaDseqhHtODk4c3:y0FaHC8nxk2zLo+BREFaIdtODk4c`
Imports Hash	`80175d36d6474b465262ca5d073695d8`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0xe0`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_I386`
NumberofSections	`4`
TimeDateStamp	2017-May-11 00:38:40
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xe0`
Characteristics	`IMAGE_FILE_32BIT_MACHINE` `IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_RELOCS_STRIPPED`

Image Optional Header

Magic	`PE32`
LinkerVersion	`10.0`
SizeOfCode	`0x7e00`
SizeOfInitializedData	`0x25400`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x000020B3 (Section: .text)`
BaseOfCode	`0x1000`
BaseOfData	`0x9000`
ImageBase	`0x1000000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`5.1`
ImageVersion	`0.0`
SubsystemVersion	`5.1`
Win32VersionValue	`0`
SizeOfImage	`0x30000`
SizeOfHeaders	`0x400`
Checksum	`0x39ad4`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_NX_COMPAT` `IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`b2de85f67b66cb5cd1d5f57ace5a4746`
SHA1	`08fc76b7e4125aafc915006681f30743bd66dc08`
SHA256	`f54ff0d2d12e913d29ec8a678eee86f59e0955cacee00f0037bd8a788e6311eb`
SHA3	`6c75ccb0842bf59f324ebb567e2a90061cf1d1aa74f66fefdbe7b6df97c20966`
VirtualSize	`0x7d6c`
VirtualAddress	`0x1000`
SizeOfRawData	`0x7e00`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.50333`

.rdata

MD5	`0b9b9ff4560a592e680e680a76d16766`
SHA1	`89c146369abfb1c1270d1f60eef3bc6e0e13b544`
SHA256	`a7a0021c2f2c5db734a3cec9e5f60977d328ef4545b0bb4dd80187b3eb3fdfd1`
SHA3	`b6f5fc65d232232a2b7be072a29f0fd8f9e22ce10eb1454ac0b3007f84e0102e`
VirtualSize	`0x300e`
VirtualAddress	`0x9000`
SizeOfRawData	`0x3200`
PointerToRawData	`0x8200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`4.72942`

.data

MD5	`f1c00abff4c60806df3bc83a71d293ce`
SHA1	`8d631afacc28c4bfec93a4fc21d46005553b4cb1`
SHA256	`ae2831a7094ec43f57f8181b694b49b8718340c971d2fb7976753a75f89ffb2d`
SHA3	`7884075f921b2807c9bdffa1bf422e50cc1537935cb30e653e00556273f0d5fd`
VirtualSize	`0x36b0`
VirtualAddress	`0xd000`
SizeOfRawData	`0x1000`
PointerToRawData	`0xb400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`2.33973`

.rsrc

MD5	`6e5b2a0ccf62d81692191e4886025f53`
SHA1	`fd2eff529024b9ce4ece3c0d959fdc9d401066df`
SHA256	`a3f5395e858cda77bed6d2d98cad516a62581ed1970bca44c1b1e98ef027577c`
SHA3	`6cf1ce99bb1a44e9d1b2a4607518e3a2e7082e56aec97c8bad11ac6f75c37c1d`
VirtualSize	`0x1e97c`
VirtualAddress	`0x11000`
SizeOfRawData	`0x1ea00`
PointerToRawData	`0xc400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`7.79714`

Imports

KERNEL32.dll	`lstrlenA` `GetFileAttributesW` `IsBadStringPtrA` `GetProcAddress` `LoadLibraryA` `GetCommandLineA` `HeapSetInformation` `GetStartupInfoW` `RaiseException` `TerminateProcess` `GetCurrentProcess` `UnhandledExceptionFilter` `SetUnhandledExceptionFilter` `IsDebuggerPresent` `IsProcessorFeaturePresent` `HeapAlloc` `GetLastError` `HeapFree` `SetFilePointer` `EnterCriticalSection` `LeaveCriticalSection` `EncodePointer` `DecodePointer` `GetModuleHandleW` `ExitProcess` `WriteFile` `GetStdHandle` `GetModuleFileNameW` `GetModuleFileNameA` `FreeEnvironmentStringsW` `WideCharToMultiByte` `GetEnvironmentStringsW` `SetHandleCount` `InitializeCriticalSectionAndSpinCount` `GetFileType` `DeleteCriticalSection` `TlsAlloc` `TlsGetValue` `TlsSetValue` `TlsFree` `InterlockedIncrement` `SetLastError` `GetCurrentThreadId` `InterlockedDecrement` `HeapCreate` `QueryPerformanceCounter` `GetTickCount` `GetCurrentProcessId` `GetSystemTimeAsFileTime` `SetStdHandle` `GetConsoleCP` `GetConsoleMode` `FlushFileBuffers` `Sleep` `RtlUnwind` `HeapSize` `LoadLibraryW` `GetCPInfo` `GetACP` `GetOEMCP` `IsValidCodePage` `WriteConsoleW` `MultiByteToWideChar` `HeapReAlloc` `LCMapStringW` `GetStringTypeW` `CreateFileW` `CloseHandle`
USER32.dll	`UpdateWindow` `TileWindows`

Delayed Imports

123

Type	`RT_BITMAP`
Language	UNKNOWN
Codepage	UNKNOWN
Size	`0x175e4`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`7.96609`
MD5	`213274be7b38849299b7cf15c177688f`
SHA1	`4ee1e74276ad8acca3d9c939f4a46e6ccd7e72d1`
SHA256	`6bcb6817dd89da430dba30297f788b3a5b13e68c819868abf9fc194a3a65d5e8`
SHA3	`02c8020b2b5c0a701ec837a83e3a36ed1a590b403bd7e6283d35f5f8faf67a3f`
Preview

168

Type	`RT_BITMAP`
Language	UNKNOWN
Codepage	UNKNOWN
Size	`0x337c`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`4.68371`
MD5	`33ba63efa77a811f450be4e7630de86f`
SHA1	`3145e7f508b1769cd8cf4bc6ed6eabb9774a97d2`
SHA256	`0b72ff0a3947225d2a2c61d207f536ed7408e40fe244835fde5b8cb419297252`
SHA3	`a9aba67fa6cabb2a440203892198fdb1872f70be9b66d0386dbd0c75a6bff475`
Preview

1

Type	`RT_ICON`
Language	UNKNOWN
Codepage	UNKNOWN
Size	`0x25a8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.24257`
MD5	`f79d0ba19642327f6c4801f65d4b4ad0`
SHA1	`b0a11edcd8ef2ba84966dc18dfd47c90b2f27efd`
SHA256	`0c7ec842205f88d1a39667776e363e57450bf4fd765ca42a6ccd550b56c97919`
SHA3	`c04ab45d07081d5767e445172eb8344b39faadfe602c8a988a86d2791b848fee`

2

Type	`RT_ICON`
Language	UNKNOWN
Codepage	UNKNOWN
Size	`0x10a8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`6.57329`
MD5	`e62e16082bc9855d81c05c98232c811b`
SHA1	`297790f41246c1e6246bd3ac154599c2ddc6afe4`
SHA256	`aada8548652a34dd8cef2cbc3bf7213ecb16c3e4c24b52d3efdc29037a4c9293`
SHA3	`2174c865bfed0b58181cfd4a6a37df2a6444fc0a1936317e778b7e1306b49bb1`

3

Type	`RT_ICON`
Language	UNKNOWN
Codepage	UNKNOWN
Size	`0x468`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.41096`
MD5	`154c4cb637b4e7df64e1b5156c1aa304`
SHA1	`a74ac1f5b5bc2f46d5aa7f9b0b2b3343843c36fc`
SHA256	`94eee50ca11eda3969a1dda85bd946eaba5f4246280e710b2aa7136a04c06e33`
SHA3	`91f05430d2e7f479d4a577288583507368e02a729eb64835d45f8bbab0c90e40`

101

Type	`RT_ACCELERATOR`
Language	UNKNOWN
Codepage	UNKNOWN
Size	`0x40`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.63045`
MD5	`d3d4dd926b7bd8a6fb287dbddaa7a12e`
SHA1	`3b3b4533291e96426df70165731993c7a6f6bbcd`
SHA256	`cafae6d76b971e40776bb89e2e3214383288392d03b896d26bdf0c23ed152663`
SHA3	`74ddd96664357f0382b619915fcf90eae1220076b26ee321a02cbbd0f0e559a5`

115

Type	`RT_GROUP_ICON`
Language	UNKNOWN
Codepage	UNKNOWN
Size	`0x30`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.45849`
Detected Filetype	Icon file
MD5	`1ec6a7b3300970378c29695a6cc13d36`
SHA1	`99ce74251d19d800608e30bed6e0d793931da56e`
SHA256	`77a1efb6136f52dd2372987b13bf486aa75baeacb93bad009aa3e284c57b8694`
SHA3	`7a94ba315b3ab461cec9dad3048599d32b0e597047f9655159bd6dfdc694e4a3`

1 (#2)

Type	`RT_VERSION`
Language	UNKNOWN
Codepage	UNKNOWN
Size	`0x2ec`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.47919`
MD5	`6061e9284514427d31a8fe12a7f441d4`
SHA1	`1661fde1027094e422f233e48b16cb9425bcf78d`
SHA256	`6a4bb1803c9e1c71722f846253018628208e9da097fe72814d316e0b58893ee0`
SHA3	`2ad37b43b7521953c6288d8784877f1bb968ed19d8c959d085ac16ebdd7ad20a`

Version Info

Signature	`0xfeef04bd`
StructVersion	`0x10000`
FileVersion	26.8.8.10
ProductVersion	26.8.8.10
FileFlags	`(EMPTY)`
FileOs	`VOS_DOS_WINDOWS32` `VOS_NT_WINDOWS32` `VOS__WINDOWS32`
FileType	`VFT_UNKNOWN`
Language	English - United States
Comments	Dugiyurarije xijo rafuxe rovizubo to rehunopovubeha nuka
FileVersion (#2)	26, 8, 8, 10
LegalCopyright	Vohewobuvaxado vavijuyi ximupu kilofa lezolewero re gifewoyahatige pudikuxebipo
OriginalFilename	zodacobi.exe
ProductVersion (#2)	26, 8, 8, 10

Resource LangID	UNKNOWN

TLS Callbacks

Load Configuration

Size	`0x48`
TimeDateStamp	`1970-Jan-01 00:00:00`
Version	`0.0`
GlobalFlagsClear	`(EMPTY)`
GlobalFlagsSet	`(EMPTY)`
CriticalSectionDefaultTimeout	`0`
DeCommitFreeBlockThreshold	`0`
DeCommitTotalFreeThreshold	`0`
LockPrefixTable	`0`
MaximumAllocationSize	`0`
VirtualMemoryThreshold	`0`
ProcessAffinityMask	`0`
ProcessHeapFlags	`(EMPTY)`
CSDVersion	`0`
Reserved1	`0`
EditList	`0`
SecurityCookie	`0x100d07c`
SEHandlerTable	`0x100b3c0`
SEHandlerCount	`7`

RICH Header

XOR Key	`0xa306ef64`
Unmarked objects	`0`
ASM objects (VS2010 build 30319)	`16`
C objects (VS2010 build 30319)	`85`
C++ objects (VS2010 build 30319)	`30`
Imports (VS2008 SP1 build 30729)	`5`
Total imports	`81`
175 (VS2010 build 30319)	`1`
Resource objects (VS2010 build 30319)	`1`
Linker (VS2010 build 30319)	`1`

28140bd636324bad2f0e8394f3e7f723

Summary

Plugin Output

Hashes

DOS Header

PE Header

Image Optional Header

.text

.rdata

.data

.rsrc

Imports

Delayed Imports

123

168

1

2

3

101

115

1 (#2)

Version Info

TLS Callbacks

Load Configuration

RICH Header

Errors