Manalyze report for 28cf5ebe7cca4f596abdada5d2ab23b0

Summary

Architecture	`IMAGE_FILE_MACHINE_I386`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	2010-Jan-30 10:24:51
Detected languages	English - United States
Debug artifacts	c:\Free\Hat\hard\Log\problemtable.pdb
CompanyName	MyWebGrocer
FileDescription	Norgreat
OriginalFilename	Creasesalt.exe
InternalName	Norgreat
LegalCopyright	Copyright (c) 2004-2014, MyWebGrocer book coverheat
ProductVersion	`10.3.21.16`
LegalTrademarks	Norgreat freshschool thousand
FileVersion	`10.3.21.16`

Plugin Output

Info	Matching compiler(s):	`Microsoft Visual C++ 6.0 - 8.0`
Malicious	The PE contains functions mostly used by malware.	`[!] The program may be hiding some of its imports: LoadLibraryA GetProcAddress` `Can access the registry: RegisterHotKey RegOpenKeyExA RegQueryValueExA RegCreateKeyExA RegDeleteKeyA RegCloseKey` `Can create temporary files: GetTempPathA CreateFileA` `Memory manipulation functions often used by packers: VirtualProtectEx VirtualAlloc` `Functions related to the privilege level: OpenProcessToken` `Interacts with services: ControlService CreateServiceW OpenSCManagerA OpenServiceA QueryServiceStatus` `Manipulates other processes: OpenProcess` `Can shut the system down or lock the screen: ExitWindowsEx`
Malicious	VirusTotal score: 48/70 (Scanned on 2019-02-08 14:26:43)	`MicroWorld-eScan: Trojan.Autoruns.GenericKDS.41002543` `CAT-QuickHeal: Trojan.IcedID` `ALYac: Trojan.IcedID.gen` `Malwarebytes: Trojan.IcedID` `K7GW: Spyware ( 0053a3c61 )` `K7AntiVirus: Spyware ( 0053a3c61 )` `TrendMicro: TROJ_GEN.R045C0WAV19` `Symantec: Trojan.Gen.2` `TrendMicro-HouseCall: TROJ_GEN.R045C0WAV19` `Paloalto: generic.ml` `Kaspersky: Trojan-Banker.Win32.IcedID.tope` `BitDefender: Trojan.Autoruns.GenericKDS.41002543` `NANO-Antivirus: Trojan.Win32.Inject3.fmoavy` `Avast: Win32:Malware-gen` `Tencent: Win32.Trojan-banker.Icedid.Htmt` `Ad-Aware: Trojan.Autoruns.GenericKDS.41002543` `Emsisoft: Trojan.Autoruns.GenericKDS.41002543 (B)` `DrWeb: Trojan.Inject3.12534` `Zillya: Trojan.IcedId.Win32.475` `Invincea: heuristic` `McAfee-GW-Edition: RDN/PWS-Banker` `Trapmine: malicious.high.ml.score` `Ikarus: Trojan-Banker.IcedID` `Webroot: W32.Rogue.Gen` `Fortinet: W32/IcedId.H!tr.spy` `Antiy-AVL: Trojan[Banker]/Win32.IcedID` `Endgame: malicious (moderate confidence)` `Arcabit: Trojan.Autoruns.GenericS.D271A62F` `ViRobot: Trojan.Win32.Z.Icedid.173056` `ZoneAlarm: Trojan-Banker.Win32.IcedID.tope` `Microsoft: Trojan:Win32/Occamy.C` `TACHYON: Banker/W32.IcedID.173056` `Sophos: Mal/Generic-L` `AhnLab-V3: Trojan/Win32.Banker.C2986132` `Acronis: suspicious` `McAfee: RDN/PWS-Banker` `MAX: malware (ai score=100)` `VBA32: TrojanBanker.IcedID` `Cylance: Unsafe` `ESET-NOD32: Win32/Spy.IcedId.H` `Rising: Spyware.IcedId!8.F061 (TFE:5:bcGlcaMyMpM)` `SentinelOne: static engine - malicious` `GData: Trojan.Autoruns.GenericKDS.41002543` `AVG: Win32:Malware-gen` `Cybereason: malicious.237015` `Panda: Trj/WLT.E` `CrowdStrike: malicious_confidence_100% (W)` `Qihoo-360: Win32/Trojan.9c5`

Hashes

MD5	`28cf5ebe7cca4f596abdada5d2ab23b0`
SHA1	`73702b3237015aa3db0123c1f9cae2d95f437ba5`
SHA256	`bc5c0986903154cd84089a5a37082aed31c86b968b0a12bd06281df84e45c1b0`
SHA3	`d57b8cd67cc1740a840e1f1dbb695c09e141257551123eab5beaf15a9b85912f`
SSDeep	`3072:7HogBAhpeZN1IJ5w+SZQN8ZyTIdyIU55+nrHUN5HDpCfsz:7HmhQZ/2GQi4TImSrHyFCfsz`
Imports Hash	`eeca6bb09f6bb9e66ea98454101bce84`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0xe0`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_I386`
NumberofSections	`4`
TimeDateStamp	2010-Jan-30 10:24:51
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xe0`
Characteristics	`IMAGE_FILE_32BIT_MACHINE` `IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_RELOCS_STRIPPED`

Image Optional Header

Magic	`PE32`
LinkerVersion	`9.0`
SizeOfCode	`0x14600`
SizeOfInitializedData	`0x2b200`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x0000A7C9 (Section: .text)`
BaseOfCode	`0x1000`
BaseOfData	`0x16000`
ImageBase	`0x400000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`5.0`
ImageVersion	`0.0`
SubsystemVersion	`5.0`
Win32VersionValue	`0`
SizeOfImage	`0x43000`
SizeOfHeaders	`0x400`
Checksum	`0`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`5eafb759daba0e0ea1aa8714e4e585b9`
SHA1	`68cd6f319bb7103023c6dc1ff6177a55084ff0ea`
SHA256	`654403e16229f3e60dd30d304e2e23a2cff77dec03eb859ac8158be665e20b29`
SHA3	`4196f7f275b7ee584a4a976802a3bdd5bbcdf2de4eaf72c225c96de1f6a4b457`
VirtualSize	`0x144a4`
VirtualAddress	`0x1000`
SizeOfRawData	`0x14600`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.89691`

.rdata

MD5	`2b5c278bbb9a868b030cb942717a7516`
SHA1	`07e6d71772d911b1df91a9c04bac1146f013d8d3`
SHA256	`2a74a69885ae278990fe27eb9a1c3bd2d831ee92f0c40e5caf6a0c9e858e54ba`
SHA3	`2faa29900ae338294c2b418cf2218d98da26d8bab95aca49e063a74efde579fd`
VirtualSize	`0x661e`
VirtualAddress	`0x16000`
SizeOfRawData	`0x6800`
PointerToRawData	`0x14a00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`6.20339`

.data

MD5	`c50d0aa0a7c44f66cf6078a5173a2882`
SHA1	`59cb9ba1531df68a0fa808223ef772fead9c5b45`
SHA256	`fdcea7fc0758ecb8f2dd5f3bbfbfda5cd52f1db8cfbcee2e2f89abafc7ed6c6d`
SHA3	`2983146563813d67293dc774ab01b4afd61a69a6605e55862fb35533968b8848`
VirtualSize	`0x1a620`
VirtualAddress	`0x1d000`
SizeOfRawData	`0x5000`
PointerToRawData	`0x1b200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`5.0931`

.rsrc

MD5	`b7efff20360ef9f219522d1bbe4663fb`
SHA1	`b844423daac23ac16b09c775f61ae77091d623a9`
SHA256	`4a9958287a0f6749d8c724b06f8fae270710636b4505641588e6c61760288c3d`
SHA3	`64884d0eeae858172901a34536a3c3b0dd6db67ac604624a5c1c44c1db6bcec8`
VirtualSize	`0xa0e0`
VirtualAddress	`0x38000`
SizeOfRawData	`0xa200`
PointerToRawData	`0x20200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`5.40643`

Imports

KERNEL32.dll	`GetLocaleInfoA` `FlushFileBuffers` `GetStringTypeA` `LCMapStringW` `MultiByteToWideChar` `LCMapStringA` `GetCurrentProcessId` `LoadLibraryA` `HeapSize` `GetConsoleMode` `GetConsoleCP` `InitializeCriticalSectionAndSpinCount` `GetTickCount` `GetFileType` `SetHandleCount` `GetEnvironmentStringsW` `FreeEnvironmentStringsW` `CompareStringA` `CompareStringW` `SetEnvironmentVariableA` `CloseHandle` `WriteConsoleA` `GetConsoleOutputCP` `WriteConsoleW` `SetFilePointer` `GetTempPathA` `Sleep` `VirtualProtectEx` `LockResource` `GetDateFormatA` `GetModuleHandleA` `GetVersionExA` `OpenProcess` `GetSystemTime` `GetWindowsDirectoryA` `CreateFileA` `GetStringTypeW` `QueryPerformanceCounter` `SetStdHandle` `GetEnvironmentStrings` `GetSystemTimeAsFileTime` `GetTimeFormatA` `GetLastError` `HeapReAlloc` `HeapAlloc` `HeapFree` `RaiseException` `RtlUnwind` `GetCommandLineA` `GetStartupInfoA` `TerminateProcess` `GetCurrentProcess` `UnhandledExceptionFilter` `SetUnhandledExceptionFilter` `IsDebuggerPresent` `WideCharToMultiByte` `GetTimeZoneInformation` `GetCPInfo` `InterlockedIncrement` `InterlockedDecrement` `GetACP` `GetOEMCP` `IsValidCodePage` `GetModuleHandleW` `GetProcAddress` `TlsGetValue` `TlsAlloc` `TlsSetValue` `TlsFree` `SetLastError` `GetCurrentThreadId` `DeleteCriticalSection` `LeaveCriticalSection` `EnterCriticalSection` `HeapCreate` `VirtualFree` `VirtualAlloc` `ExitProcess` `WriteFile` `GetStdHandle` `GetModuleFileNameA` `FreeEnvironmentStringsA`
USER32.dll	`AppendMenuA` `InflateRect` `SetParent` `EndDeferWindowPos` `ExitWindowsEx` `GetClientRect` `SetFocus` `RegisterClassExA` `GetWindowTextLengthA` `IntersectRect` `CallWindowProcA` `GetCursorPos` `GetFocus` `GetClassInfoExA` `CheckMenuRadioItem` `LoadImageA` `DrawIcon` `RegisterHotKey` `DispatchMessageA` `IsWindowEnabled` `GetClassNameA`
GDI32.dll	`OffsetViewportOrgEx` `SetViewportExtEx` `ScaleViewportExtEx` `SetWindowExtEx`
WINSPOOL.DRV	`ClosePrinter` `DocumentPropertiesA` `OpenPrinterA` `AddPrinterConnectionA` `GetJobA`
COMCTL32.dll	`CreatePropertySheetPageA` `PropertySheetA` `#6`
COMDLG32.dll	`ReplaceTextA` `GetOpenFileNameA` `GetSaveFileNameA`
SHLWAPI.dll	`PathAppendA` `PathAddBackslashA` `PathFindFileNameA` `PathStripToRootA`
ADVAPI32.dll	`RegOpenKeyExA` `RegQueryValueExA` `AllocateAndInitializeSid` `FreeSid` `OpenProcessToken` `StartServiceCtrlDispatcherA` `InitializeSecurityDescriptor` `RegisterServiceCtrlHandlerA` `SetEntriesInAclA` `SetSecurityDescriptorDacl` `SetServiceStatus` `ControlService` `CreateServiceW` `LookupPrivilegeValueA` `OpenSCManagerA` `OpenServiceA` `OpenThreadToken` `QueryServiceStatus` `RegCreateKeyExA` `RegDeleteKeyA` `RegCloseKey`
SensApi.dll	`IsDestinationReachableA`

Delayed Imports

1

Type	`RT_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0xea8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.13018`
MD5	`8f955c9527d6f47686ad7708a0f3284b`
SHA1	`791cb507d6a7c6d9326fd9571fc38755861d7d2a`
SHA256	`c82e533c8695f3904a6a9345aeea3863ca1e1da265721772a05543f54d4564a4`
SHA3	`80f8db0681247b3ba58da555daea71396562523ed80de442d69eda2d91149cee`

2

Type	`RT_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x8a8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`4.61319`
MD5	`d6ef40cea9aba5ec919ded2d395885d0`
SHA1	`d6489177e2091d0f2c671a6951fbe62daeb585d9`
SHA256	`4f2c7f75de1bbb23a42b972190bf3d423d43055fc698fd85ffe59f49a4d17e8c`
SHA3	`85f068beaa5a2447030d5bb74e5684d45a1b6e28ebadb2d59014614b99cf5532`

3

Type	`RT_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x568`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.05967`
MD5	`753eca3142a8a807682dddaa80377e8c`
SHA1	`0717912bf856d811d96c4a1cd08aa83981677666`
SHA256	`1f1649e8b8d5d5cc27a4921c8aa07594a91971522a437846ed73e7d90722f574`
SHA3	`e63d004d77912ddc6bbf09be5812405025b6a074f5696aee5ca9366ad1befb4c`

4

Type	`RT_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x4228`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.11939`
MD5	`bd486471d752e16e95cb3fb163f0b6cd`
SHA1	`9b1b3a60fc22d03864d996aae1ace2e05a7e3aac`
SHA256	`69d627698c345ed4f79d4a4aa80ef9b0045c4e4abbe3173be6445fd517cc3b58`
SHA3	`7f5906f72eeba0f4e6517c127bcf4c86f81df8cd3ff5328f48dfb761912f2553`

5

Type	`RT_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x25a8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.4135`
MD5	`feb8fdee406e1892ba6b4a9e4ba29a60`
SHA1	`29b877ca93aedb97342c9844385f32886aa03901`
SHA256	`153baf0fcdc0e759f935812467d168f75daf40f33507e7e6e73eb4e84b268082`
SHA3	`7571f77002ef6c8474b657e7db03aeab71b33b222674c972d304fee32bc06e64`

6

Type	`RT_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x10a8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.42695`
MD5	`74358e588ecdf4bfe0cc7fd2577f141b`
SHA1	`74f9b8321e523909da62a9d1031ea4568961920b`
SHA256	`5283824558acfca856cde2c54d51b6cb9894a0c9a90799caed446fe72e67e156`
SHA3	`5d724714df322ba1ae4a748c5e371d36b9698cdf41e2e8986599f168f2052eab`

7

Type	`RT_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x468`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.11838`
MD5	`550f0de3cb928633ae05622a254cbb3a`
SHA1	`41841808ce36e9385932addcfb371947b1b2c57a`
SHA256	`18ca2e12fc154cdeacca475f4ba82b2335cca820fb654b2362acf72405d303c1`
SHA3	`d5fe31aff5ecf7a8f207cf215d07732a389627dc17b614ca7bd32989596bdb9c`

100

Type	`RT_GROUP_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x68`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.83776`
Detected Filetype	Icon file
MD5	`7fe09150272e3f38ad2a39ba9c0a67e2`
SHA1	`aa3acdf83de3f707079fd5a6316010e0665650df`
SHA256	`bec1b1e6bbc3c908d382c53b15a37d610620ef0bc3dbdafe5a612299d3220a73`
SHA3	`00e10ff12b8c1856db64cfa3eaf1a3d1c1ee9526af6e94518834e822d7173b79`

1 (#2)

Type	`RT_VERSION`
Language	English - United States
Codepage	UNKNOWN
Size	`0x330`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.44391`
MD5	`f0787ed7bb8139a225e08d9fa5e98eeb`
SHA1	`edae274b648be435eb0cbe2c618d6c74d821f450`
SHA256	`f7ba87efae0d3347e04a52033a3800df2f9144dbb314481c2424ee94d47654fc`
SHA3	`8f359ab75b491f003d3c2ad501f5315d43eae03385575a858c475cfa7fd7849f`

1 (#3)

Type	`RT_MANIFEST`
Language	English - United States
Codepage	UNKNOWN
Size	`0x15a`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`4.79597`
MD5	`24d3b502e1846356b0263f945ddd5529`
SHA1	`bac45b86a9c48fc3756a46809c101570d349737d`
SHA256	`49a60be4b95b6d30da355a0c124af82b35000bce8f24f957d1c09ead47544a1e`
SHA3	`1244ed60820da52dc4b53880ec48e3b587dbdbd9545f01fa2b1c0fcfea1d5e9e`

Version Info

Signature	`0xfeef04bd`
StructVersion	`0x10000`
FileVersion	10.3.21.16
ProductVersion	10.3.21.16
FileFlags	`(EMPTY)`
FileOs	`VOS_DOS_WINDOWS32` `VOS_NT_WINDOWS32` `VOS__WINDOWS32`
FileType	`VFT_APP`
Language	English - United States
CompanyName	MyWebGrocer
FileDescription	Norgreat
OriginalFilename	Creasesalt.exe
InternalName	Norgreat
LegalCopyright	Copyright (c) 2004-2014, MyWebGrocer book coverheat
ProductVersion (#2)	10.3.21.16
LegalTrademarks	Norgreat freshschool thousand
FileVersion (#2)	10.3.21.16

Resource LangID	English - United States

IMAGE_DEBUG_TYPE_CODEVIEW

Characteristics	`0`
TimeDateStamp	2010-Jan-30 10:24:51
Version	`0.0`
SizeofData	`62`
AddressOfRawData	`0x1ae18`
PointerToRawData	`0x19818`
Referenced File	c:\Free\Hat\hard\Log\problemtable.pdb

TLS Callbacks

Load Configuration

Size	`0x48`
TimeDateStamp	`1970-Jan-01 00:00:00`
Version	`0.0`
GlobalFlagsClear	`(EMPTY)`
GlobalFlagsSet	`(EMPTY)`
CriticalSectionDefaultTimeout	`0`
DeCommitFreeBlockThreshold	`0`
DeCommitTotalFreeThreshold	`0`
LockPrefixTable	`0`
MaximumAllocationSize	`0`
VirtualMemoryThreshold	`0`
ProcessAffinityMask	`0`
ProcessHeapFlags	`(EMPTY)`
CSDVersion	`0`
Reserved1	`0`
EditList	`0`
SecurityCookie	`0x420ff4`
SEHandlerTable	`0x41b070`
SEHandlerCount	`9`

RICH Header

XOR Key	`0xeddcffe6`
Unmarked objects	`0`
ASM objects (VS2008 build 21022)	`21`
C objects (VS2008 build 21022)	`108`
C++ objects (VS2008 build 21022)	`47`
Imports (VS2008 SP1 build 30729)	`19`
Total imports	`154`
C++ objects (VS2008 SP1 build 30729)	`1`
Linker (VS2008 SP1 build 30729)	`1`
Resource objects (VS2008 SP1 build 30729)	`1`

28cf5ebe7cca4f596abdada5d2ab23b0

Summary

Plugin Output

Hashes

DOS Header

PE Header

Image Optional Header

.text

.rdata

.data

.rsrc

Imports

Delayed Imports

1

2

3

4

5

6

7

100

1 (#2)

1 (#3)

Version Info

IMAGE_DEBUG_TYPE_CODEVIEW

TLS Callbacks

Load Configuration

RICH Header

Errors