Manalyze report for 2a8668a6d0e12c7380a26910d504ecbf

Summary

Architecture	`IMAGE_FILE_MACHINE_AMD64`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	2015-Feb-25 06:12:17

Plugin Output

Info	The PE contains common functions which appear in legitimate applications.	`[!] The program may be hiding some of its imports: GetProcAddress LoadLibraryW` `Possibly launches other programs: CreateProcessA` `Has Internet access capabilities: URLDownloadToFileA`
Malicious	VirusTotal score: 31/71 (Scanned on 2023-02-12 09:52:20)	`Lionic: Trojan.Win32.Ursu.4!c` `Cynet: Malicious (score: 100)` `ALYac: Gen:Variant.Ursu.749657` `Malwarebytes: Malware.AI.3840348866` `VIPRE: Gen:Variant.Ursu.749657` `Sangfor: Trojan.Win32.AGEN.1040592` `Alibaba: Trojan:Win64/Genric.77ae27ba` `Cybereason: malicious.6d0e12` `Symantec: ML.Attribute.HighConfidence` `Elastic: malicious (high confidence)` `APEX: Malicious` `Paloalto: generic.ml` `BitDefender: Gen:Variant.Ursu.749657` `MicroWorld-eScan: Gen:Variant.Ursu.749657` `Avast: Win64:Malware-gen` `Rising: Trojan.Zpevdo!8.F912 (CLOUD)` `Emsisoft: Gen:Variant.Ursu.749657 (B)` `McAfee-GW-Edition: BehavesLike.Win64.NetLoader.nm` `FireEye: Generic.mg.2a8668a6d0e12c73` `Sophos: Generic Reputation PUA (PUA)` `MAX: malware (ai score=99)` `Microsoft: PUA:Win32/Presenoker` `Gridinsoft: Ransom.Win64.Wacatac.oa!s1` `Arcabit: Trojan.Ursu.DB7059` `GData: Gen:Variant.Ursu.749657` `AhnLab-V3: Malware/Win64.Generic.C3488826` `McAfee: Artemis!2A8668A6D0E1` `Cylance: Unsafe` `TrendMicro-HouseCall: TROJ_GEN.R002H09HG22` `MaxSecure: Trojan.Malware.74754451.susgen` `AVG: Win64:Malware-gen`

Hashes

MD5	`2a8668a6d0e12c7380a26910d504ecbf`
SHA1	`414300597938d64b3486be6004003d90d565360d`
SHA256	`cd78cf4af8e37b4a9de479867167027887a28527e2738c481a1c6891d707f21a`
SHA3	`74203d5f74419daf342c7d0495c732d152597ac8a3fc6a6d86adf1aff17e35c0`
SSDeep	`768:gcwwcKT7epG1BglqMLtbOKjK4+BzJZMSeUJnKsqkD3XJWOuGziVu:gceKT7JMLIdXMSeUpJxQWi`
Imports Hash	`a675367c6d79f8c7b7603d13cfd0a3ff`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0xe0`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_AMD64`
NumberofSections	`5`
TimeDateStamp	2015-Feb-25 06:12:17
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xf0`
Characteristics	`IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LARGE_ADDRESS_AWARE`

Image Optional Header

Magic	`PE32+`
LinkerVersion	`10.0`
SizeOfCode	`0x5400`
SizeOfInitializedData	`0x5400`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x0000000000001740 (Section: .text)`
BaseOfCode	`0x1000`
ImageBase	`0x140000000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`5.2`
ImageVersion	`0.0`
SubsystemVersion	`5.2`
Win32VersionValue	`0`
SizeOfImage	`0xf000`
SizeOfHeaders	`0x400`
Checksum	`0`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` `IMAGE_DLLCHARACTERISTICS_NX_COMPAT` `IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`683bfc83b9ebc12e44c691908837d772`
SHA1	`19b15d0ab49548afef5a3fa09073cc4d8680f417`
SHA256	`8c5527fda95e0c2b580d1038477d8d595eb79b1f50b11f3b8db1df93ba5872c2`
SHA3	`8d52e9cede3a0040e65b22399cd662cd157608005381492752e4d6e2aa2baaae`
VirtualSize	`0x52e8`
VirtualAddress	`0x1000`
SizeOfRawData	`0x5400`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.18641`

.rdata

MD5	`ba612f3432713862dc089d17218f2038`
SHA1	`9a13e047dbf4f4e6c8178f3234d0519902a22e44`
SHA256	`5d2bfdc7f24db6fd2f7cc89639e14a1733e704aeaee9f5ad9426a2da206451d2`
SHA3	`0f9665f7d61ff41049cde6431b785e1c93c9a2aa087e2081986a6470ed780e27`
VirtualSize	`0x2628`
VirtualAddress	`0x7000`
SizeOfRawData	`0x2800`
PointerToRawData	`0x5800`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`4.40715`

.data

MD5	`2c8c40e15f6a403116aac705277a7897`
SHA1	`8c1113299b1eba705dc44dcfda96be1532d59a3d`
SHA256	`f4dbdd2385ef9ac548202e2ef175ef5d2d2ac5a38b5b9a543ac19105f22f6e8c`
SHA3	`b9dcc6c6c3e57e171d1077fa30ad28dcf34ad879395c928583e4f203c7843843`
VirtualSize	`0x2220`
VirtualAddress	`0xa000`
SizeOfRawData	`0x1000`
PointerToRawData	`0x8000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`2.24268`

.pdata

MD5	`dca427aad0e81237174bc3a627efefff`
SHA1	`4ba55659f6294d525ef0ccb797555aa3ab35039d`
SHA256	`4a08200702d3fb30792d1eb3b4b3474c4dab82288262d9fda405e4dc1b115ba3`
SHA3	`e814779569ffbcb28f85054f184e707878c77ec90093a07ce29c8822069b5e98`
VirtualSize	`0x51c`
VirtualAddress	`0xd000`
SizeOfRawData	`0x600`
PointerToRawData	`0x9000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`3.82128`

.reloc

MD5	`9eac576b39b1aee2bae1f98bc14d8e49`
SHA1	`d89c15fac5f596afa6dcd72f81f49ab8a6d708a4`
SHA256	`5ffb2a1a5c642e5f3bb4ab6682c90f0f556e692d81cb61ec58631875fbcd6f30`
SHA3	`7c7180c552320062add13f08fff10926d9b2ce2a1a9becfb9e42fc1344fa7419`
VirtualSize	`0x1be`
VirtualAddress	`0xe000`
SizeOfRawData	`0x200`
PointerToRawData	`0x9600`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`3.92974`

Imports

KERNEL32.dll	`CreateProcessA` `GetTempFileNameA` `IsDebuggerPresent` `GetTempPathA` `HeapAlloc` `GetStringTypeW` `GetCommandLineA` `GetStartupInfoW` `TerminateProcess` `GetCurrentProcess` `UnhandledExceptionFilter` `SetUnhandledExceptionFilter` `RtlVirtualUnwind` `RtlLookupFunctionEntry` `RtlCaptureContext` `GetProcAddress` `GetModuleHandleW` `ExitProcess` `DecodePointer` `WriteFile` `GetStdHandle` `GetModuleFileNameW` `RtlUnwindEx` `GetModuleFileNameA` `FreeEnvironmentStringsW` `WideCharToMultiByte` `GetEnvironmentStringsW` `SetHandleCount` `InitializeCriticalSectionAndSpinCount` `GetFileType` `DeleteCriticalSection` `EncodePointer` `FlsGetValue` `FlsSetValue` `FlsFree` `SetLastError` `GetCurrentThreadId` `GetLastError` `FlsAlloc` `HeapSetInformation` `GetVersion` `HeapCreate` `QueryPerformanceCounter` `GetTickCount` `GetCurrentProcessId` `GetSystemTimeAsFileTime` `LeaveCriticalSection` `EnterCriticalSection` `LoadLibraryW` `GetCPInfo` `GetACP` `GetOEMCP` `IsValidCodePage` `HeapFree` `Sleep` `HeapSize` `LCMapStringW` `MultiByteToWideChar` `HeapReAlloc`
urlmon.dll	`URLDownloadToFileA`

Delayed Imports

Version Info

TLS Callbacks

Load Configuration

RICH Header

XOR Key	`0x509c44a6`
Unmarked objects	`0`
C++ objects (VS2010 build 30319)	`10`
C objects (VS2010 build 30319)	`52`
ASM objects (VS2010 build 30319)	`8`
Imports (VS2008 SP1 build 30729)	`5`
Total imports	`66`
175 (VS2010 build 30319)	`1`
Linker (VS2010 build 30319)	`1`

2a8668a6d0e12c7380a26910d504ecbf

Summary

Plugin Output

Hashes

DOS Header

PE Header

Image Optional Header

.text

.rdata

.data

.pdata

.reloc

Imports

Delayed Imports

Version Info

TLS Callbacks

Load Configuration

RICH Header

Errors