Manalyze report for 2a791769aa73ac757f210f8546125b57

Summary

Architecture	`IMAGE_FILE_MACHINE_I386`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	2017-Aug-11 05:03:45

Plugin Output

Info	Matching compiler(s):	`Microsoft Visual C++ 6.0 - 8.0` `Microsoft Visual C++` `Microsoft Visual C++ v6.0` `Microsoft Visual C++ v5.0/v6.0 (MFC)`
Info	Cryptographic algorithms detected in the binary:	`Uses constants related to CRC32` `Uses constants related to MD5` `Uses constants related to SHA1`
Suspicious	The PE contains functions most legitimate programs don't use.	`[!] The program may be hiding some of its imports: GetProcAddress LoadLibraryA` `Functions which can be used for anti-debugging purposes: CreateToolhelp32Snapshot` `Enumerates local disk drives: GetVolumeInformationW`
Malicious	VirusTotal score: 43/70 (Scanned on 2019-09-09 03:36:22)	`MicroWorld-eScan: Gen:Variant.Graftor.487501` `FireEye: Generic.mg.2a791769aa73ac75` `McAfee: Trojan-HidCobra` `Alibaba: Trojan:Win32/Autophyte.7d996c20` `K7GW: Trojan ( 0052cf421 )` `CrowdStrike: win/malicious_confidence_100% (W)` `Invincea: heuristic` `Symantec: Trojan.Gen.MBT` `ESET-NOD32: a variant of Win32/NukeSped.AU` `APEX: Malicious` `Kaspersky: HEUR:Trojan.Win32.Generic` `BitDefender: Gen:Variant.Graftor.487501` `NANO-Antivirus: Trojan.Win32.NukeSped.fyoobu` `Paloalto: generic.ml` `Endgame: malicious (high confidence)` `Sophos: Mal/Generic-S` `F-Secure: Trojan.TR/NukeSped.bimth` `TrendMicro: TROJ_GEN.R002C0DI819` `McAfee-GW-Edition: Trojan-HidCobra` `Trapmine: suspicious.low.ml.score` `Emsisoft: Gen:Variant.Graftor.487501 (B)` `SentinelOne: DFI - Suspicious PE` `Avira: TR/NukeSped.bimth` `Fortinet: W32/NukeSped.AU!tr` `Antiy-AVL: Trojan/Win32.Autophyte` `Arcabit: Trojan.Graftor.D7704D` `AegisLab: Trojan.Win32.Generic.4!c` `ZoneAlarm: HEUR:Trojan.Win32.Generic` `Microsoft: Trojan:Win32/Autophyte.E!dha` `AhnLab-V3: Trojan/Win32.Akdoor.R206569` `VBA32: BScope.Trojan.Autophyte` `ALYac: Gen:Variant.Graftor.487501` `MAX: malware (ai score=100)` `Ad-Aware: Gen:Variant.Graftor.487501` `Cylance: Unsafe` `TrendMicro-HouseCall: TROJ_GEN.R002C0DI819` `Rising: Trojan.Generic@ML.86 (RDML:6YzJm3oWRgf5AaUorWwNew)` `Ikarus: Trojan.Win32.NukeSped` `GData: Gen:Variant.Graftor.487501` `AVG: FileRepMalware` `Cybereason: malicious.9aa73a` `Panda: Trj/CI.A` `Qihoo-360: HEUR/QVM07.1.BD91.Malware.Gen`

Hashes

MD5	`2a791769aa73ac757f210f8546125b57`
SHA1	`269f1cc44f6b323118612bde998d17e5bfbf555e`
SHA256	`b9a26a569257fbe02c10d3735587f10ee58e4281dba43474dbdef4ace8ea7101`
SHA3	`3aa5e40e032897df4952ba8b9e2aca8f220366a492a192fe2de6df45bff7e344`
SSDeep	`1536:BdQGY/Ni+mo06N1homALeoYbrAUD7Qum5T9Xlxgj5MX7jbthYWL3:DQGYFFzxAgoYbrAOQum5TsgjbHP`
Imports Hash	`e56949fef3294200cb30be8009694a42`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0xd8`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_I386`
NumberofSections	`3`
TimeDateStamp	2017-Aug-11 05:03:45
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xe0`
Characteristics	`IMAGE_FILE_32BIT_MACHINE` `IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LINE_NUMS_STRIPPED` `IMAGE_FILE_LOCAL_SYMS_STRIPPED` `IMAGE_FILE_RELOCS_STRIPPED`

Image Optional Header

Magic	`PE32`
LinkerVersion	`6.0`
SizeOfCode	`0x15000`
SizeOfInitializedData	`0x8000`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x0001566F (Section: .text)`
BaseOfCode	`0x1000`
BaseOfData	`0x16000`
ImageBase	`0x400000`
SectionAlignment	`0x1000`
FileAlignment	`0x1000`
OperatingSystemVersion	`4.0`
ImageVersion	`0.0`
SubsystemVersion	`4.0`
Win32VersionValue	`0`
SizeOfImage	`0x1e000`
SizeOfHeaders	`0x1000`
Checksum	`0`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`8f28409d19efb02746f0cc7f186ac3e3`
SHA1	`9de21f07e9707d95d0338c20dd73bd86eb754ed2`
SHA256	`b84093c1567d45d0b65d55582d80dcf7975cfef3d793a7386936c420048a91c4`
SHA3	`2231bdf39a297ecde2e327a5be87b470df5d63480ef3c9199fff7b81e32646d5`
VirtualSize	`0x14925`
VirtualAddress	`0x1000`
SizeOfRawData	`0x15000`
PointerToRawData	`0x1000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.55392`

.rdata

MD5	`03ec21be9a3702ad9b6a107a387c2be1`
SHA1	`bb6a03d9ce8d67f4ddaadb31eaaed59ce086d32a`
SHA256	`fefd0c22d6cd652949eab14f13edea79b9f71375c3e711a15460a131ba0c0216`
SHA3	`006e31beac8e872f452e8d54994b15156f9fdb7c0d67b4feb69686287e536011`
VirtualSize	`0x3514`
VirtualAddress	`0x16000`
SizeOfRawData	`0x4000`
PointerToRawData	`0x16000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`5.84415`

.data

MD5	`cecd220a4af1182a425b07c4547fd1e6`
SHA1	`7081c50b29282320b886eb50a97099e9eba18a62`
SHA256	`bc8c20530750d8fee18c468da94e0f03de10174c9ae88607fbfd2e6352d216ee`
SHA3	`7b6eb45e9ba96c8ef4a6e9961e34b07feb302dcd895a4eeaa3a45b47b82aed56`
VirtualSize	`0x32e8`
VirtualAddress	`0x1a000`
SizeOfRawData	`0x1000`
PointerToRawData	`0x1a000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`2.63849`

Imports

KERNEL32.dll	`GetProcAddress` `LoadLibraryA` `FreeLibrary` `GetModuleHandleW` `GetVolumeInformationW` `Module32FirstW` `CreateToolhelp32Snapshot` `FileTimeToLocalFileTime` `GetTickCount` `GetSystemInfo` `GetVersionExW` `WideCharToMultiByte` `CreateDirectoryW` `Sleep` `CopyFileW` `FileTimeToSystemTime` `GetACP` `GetModuleHandleA` `GetStartupInfoA`
USER32.dll	`GetSystemMetrics`
MSVCRT.dll	`memcmp` `malloc` `free` `strstr` `sscanf` `memmove` `localtime` `time` `__dllonexit` `_onexit` `_exit` `_XcptFilter` `exit` `_acmdln` `__getmainargs` `_initterm` `__setusermatherr` `_adjust_fdiv` `__p__commode` `__p__fmode` `__set_app_type` `_except_handler3` `_controlfp` `memset` `strlen` `memcpy` `wcstombs` `wcsrchr` `_wfopen` `fwprintf` `fclose` `wcscmp` `__CxxFrameHandler` `srand` `rand` `wcscat` `wcsncpy` `_waccess` `swprintf` `_wtoi` `wcscpy` `wcslen` `strncmp` `??3@YAXPAX@Z`

Delayed Imports

Version Info

TLS Callbacks

Load Configuration

RICH Header

XOR Key	`0x127562ac`
Unmarked objects	`0`
14 (7299)	`5`
Linker (VS98 build 8168)	`2`
12 (7291)	`2`
C objects (VS98 build 8168)	`25`
Imports (VS2003 (.NET) build 4035)	`5`
Total imports	`111`
C++ objects (VS98 build 8168)	`10`

2a791769aa73ac757f210f8546125b57

Summary

Plugin Output

Hashes

DOS Header

PE Header

Image Optional Header

.text

.rdata

.data

Imports

Delayed Imports

Version Info

TLS Callbacks

Load Configuration

RICH Header

Errors