Manalyze report for 2c7e580663c70993680a53b845fd6704bcade7cf4f19289d81b266c76473325a

Summary

Architecture	`IMAGE_FILE_MACHINE_I386`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	2018-Feb-01 20:18:00

Plugin Output

Info	Matching compiler(s):	`MASM/TASM - sig2(h)`
Info	Cryptographic algorithms detected in the binary:	`Uses constants related to CRC32` `Uses constants related to MD5` `Uses constants related to SHA1`
Info	The PE contains common functions which appear in legitimate applications.	`[!] The program may be hiding some of its imports: LoadLibraryExW GetProcAddress LoadLibraryW` `Can create temporary files: GetTempPathW CreateFileW`
Malicious	VirusTotal score: 24/70 (Scanned on 2024-01-31 20:44:42)	`Antiy-AVL: Trojan/Win32.Nitol` `Bkav: W32.AIDetectMalware` `CrowdStrike: win/malicious_confidence_60% (W)` `Cynet: Malicious (score: 100)` `DeepInstinct: MALICIOUS` `Elastic: malicious (high confidence)` `FireEye: Generic.mg.8066ab647f6cf9de` `Fortinet: W32/Nitol.AB!tr` `Google: Detected` `Gridinsoft: Trojan.Win32.CoinMiner.vb!s1` `Lionic: Trojan.Win32.Generic.4!c` `Malwarebytes: Generic.Malware.AI.DDS` `McAfee: Artemis!8066AB647F6C` `Rising: Trojan.Generic@AI.95 (RDML:mbthUFtfijIC+YGlo33cIw)` `Sangfor: Trojan.Win32.Save.a` `SentinelOne: Static AI - Malicious PE` `Skyhigh: BehavesLike.Win32.RealProtect.mh` `Sophos: Generic ML PUA (PUA)` `Trapmine: malicious.high.ml.score` `Varist: W32/Trojan.IUNU-0892` `ViRobot: Adware.Highconfidence.88064.C` `VirIT: Trojan.Win32.Hosts.CMYT` `Webroot: W32.Trojan.Gen` `Zoner: Trojan.Win32.73853`

Hashes

MD5	`8066ab647f6cf9def40f16e86295fd6f`
SHA1	`4b1dbd2f6885bf1afe7bcc7b51986ec5837250d4`
SHA256	`2c7e580663c70993680a53b845fd6704bcade7cf4f19289d81b266c76473325a`
SHA3	`0fa37335982e9b81600b1a69d7dfac7163c3b154e286890dc60ca6c182a67886`
SSDeep	`1536:47f9h0UPJP/CpICdikMLMLv5PFNg1qrX+VIOlnToIfWgIxJ:WliUPXC8k1nJrX+fNTBf27`
Imports Hash	`5877688b4859ffd051f6be3b8e0cd533`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0x80`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_I386`
NumberofSections	`5`
TimeDateStamp	2018-Feb-01 20:18:00
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xe0`
Characteristics	`IMAGE_FILE_32BIT_MACHINE` `IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LINE_NUMS_STRIPPED` `IMAGE_FILE_LOCAL_SYMS_STRIPPED` `IMAGE_FILE_RELOCS_STRIPPED`

Image Optional Header

Magic	`PE32`
LinkerVersion	`2.0`
SizeOfCode	`0x10800`
SizeOfInitializedData	`0x4c00`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x00001000 (Section: .code)`
BaseOfCode	`0x1000`
BaseOfData	`0x12000`
ImageBase	`0x400000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`4.0`
ImageVersion	`0.0`
SubsystemVersion	`4.0`
Win32VersionValue	`0`
SizeOfImage	`0x19000`
SizeOfHeaders	`0x400`
Checksum	`0`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.code

MD5	`d8af5494a902a4276e7a118e639a9058`
SHA1	`6e426ae2df7082b91cd0cadbb72b138102ba6151`
SHA256	`48a78b31bf41ba0daf0c70d4ae1db2b1b55b841601fd275761ac97fca34fbae5`
SHA3	`1e664ef7bea68bb4dd13b5afa576da5ba19a356a6a8a8aa37e162ddc4bf7ff84`
VirtualSize	`0x37f0`
VirtualAddress	`0x1000`
SizeOfRawData	`0x3800`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`5.61236`

.text

MD5	`3d44adf99d47c66df6ed2c6ecde44714`
SHA1	`80a57adbc364dfb80e69990554b76e3d5c1faef0`
SHA256	`6e2472ffd964225c655a494fa93de374ce169cf1b9e2ee74ced2f8b3161d4b5d`
SHA3	`e18bd2f60a34878ad204c417d8535ddadd9ecedbecd4f7d00e665c43ea400e5f`
VirtualSize	`0xcfa2`
VirtualAddress	`0x5000`
SizeOfRawData	`0xd000`
PointerToRawData	`0x3c00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.58582`

.rdata

MD5	`e4a2346f39e8c4c981487f3b09547faf`
SHA1	`65e4957d4d49eac6870a775db724f4c14c125592`
SHA256	`a65928e839b65ed68bd3504d3c1951cd8ed2889a37405e602c3dd87210eeac9e`
SHA3	`036418b11deeda8fa99555c9c24e60fc5faea50444ad3a2b03ebdb417f1ddf3b`
VirtualSize	`0x33a0`
VirtualAddress	`0x12000`
SizeOfRawData	`0x3400`
PointerToRawData	`0x10c00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`7.11024`

.data

MD5	`c3d8e0d634cd6f29bf242bc0ba8e9ad9`
SHA1	`3a6b51b20d643d7903c208f340bf20c4411857cc`
SHA256	`0b41be8dcb258d078f4cad9e35113741ddbca8b55eb4476b11b27d787002be95`
SHA3	`a5e4be16512ffa3244321c95126a614253c740a4cb5f9fdfcfc999aa2713281b`
VirtualSize	`0x1724`
VirtualAddress	`0x16000`
SizeOfRawData	`0x1200`
PointerToRawData	`0x14000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`4.9366`

.rsrc

MD5	`145ea9f6cfc04a5e9f4a15bf6a6d90b8`
SHA1	`c8edbf22ded0e52612a3dd7480021f1a8bc133e6`
SHA256	`eeede7758d76477f720116203a31ac8d3521871b4daee760359028e37ff9dbb9`
SHA3	`ed0fdd73c6ec2f689ad6c49c291fdbbda923ed82c332fe20e7f8446117c3e4bf`
VirtualSize	`0x524`
VirtualAddress	`0x18000`
SizeOfRawData	`0x600`
PointerToRawData	`0x15200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`5.39448`

Imports

MSVCRT.dll	`memset` `wcsncmp` `memmove` `wcsncpy` `wcsstr` `_wcsnicmp` `_wcsdup` `free` `_wcsicmp` `wcslen` `wcscpy` `wcscmp` `memcpy` `tolower` `wcscat` `malloc`
KERNEL32.dll	`GetModuleHandleW` `HeapCreate` `GetStdHandle` `HeapDestroy` `ExitProcess` `WriteFile` `GetTempFileNameW` `LoadLibraryExW` `EnumResourceTypesW` `FreeLibrary` `RemoveDirectoryW` `GetExitCodeProcess` `EnumResourceNamesW` `GetCommandLineW` `LoadResource` `SizeofResource` `FreeResource` `FindResourceW` `GetNativeSystemInfo` `GetShortPathNameW` `GetWindowsDirectoryW` `GetSystemDirectoryW` `EnterCriticalSection` `CloseHandle` `LeaveCriticalSection` `InitializeCriticalSection` `WaitForSingleObject` `TerminateThread` `CreateThread` `Sleep` `GetProcAddress` `GetVersionExW` `WideCharToMultiByte` `HeapAlloc` `HeapFree` `LoadLibraryW` `GetCurrentProcessId` `GetCurrentThreadId` `GetModuleFileNameW` `GetEnvironmentVariableW` `SetEnvironmentVariableW` `GetCurrentProcess` `TerminateProcess` `SetUnhandledExceptionFilter` `HeapSize` `MultiByteToWideChar` `CreateDirectoryW` `SetFileAttributesW` `GetTempPathW` `DeleteFileW` `GetCurrentDirectoryW` `SetCurrentDirectoryW` `CreateFileW` `SetFilePointer` `TlsFree` `TlsGetValue` `TlsSetValue` `TlsAlloc` `HeapReAlloc` `DeleteCriticalSection` `InterlockedCompareExchange` `InterlockedExchange` `GetLastError` `SetLastError` `UnregisterWait` `GetCurrentThread` `DuplicateHandle` `RegisterWaitForSingleObject`
USER32.DLL	`CharUpperW` `CharLowerW` `MessageBoxW` `DefWindowProcW` `DestroyWindow` `GetWindowLongW` `GetWindowTextLengthW` `GetWindowTextW` `UnregisterClassW` `LoadIconW` `LoadCursorW` `RegisterClassExW` `IsWindowEnabled` `EnableWindow` `GetSystemMetrics` `CreateWindowExW` `SetWindowLongW` `SendMessageW` `SetFocus` `CreateAcceleratorTableW` `SetForegroundWindow` `BringWindowToTop` `GetMessageW` `TranslateAcceleratorW` `TranslateMessage` `DispatchMessageW` `DestroyAcceleratorTable` `PostMessageW` `GetForegroundWindow` `GetWindowThreadProcessId` `IsWindowVisible` `EnumWindows` `SetWindowPos`
GDI32.DLL	`GetStockObject`
COMCTL32.DLL	`InitCommonControlsEx`
SHELL32.DLL	`ShellExecuteExW` `SHGetFolderLocation` `SHGetPathFromIDListW`
WINMM.DLL	`timeBeginPeriod`
OLE32.DLL	`CoInitialize` `CoTaskMemFree`
SHLWAPI.DLL	`PathAddBackslashW` `PathRenameExtensionW` `PathQuoteSpacesW` `PathRemoveArgsW` `PathRemoveBackslashW`

Delayed Imports

6A7BFAA477785B0C42B2C593D01F0865

Type	`RT_RCDATA`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0xe`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.23593`
MD5	`7bb55e591962edd967c9a3039407256c`
SHA1	`e84642313805d66ef70fdada202992d040a1c2cc`
SHA256	`8fcbd3ba77d0af716d0b3f342b877539512ba665a6c5ad7999a531bff05a6a91`
SHA3	`116f25e12adcabbb7a50c5223cf85536391d06d1114f226b2e5d018f6907ff91`

95E3ED113FD0FF42808A8D5706E53D18

Type	`RT_RCDATA`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x3d`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.72164`
MD5	`8c7a121e1aa603eb9f46a91958286106`
SHA1	`3f9975a1cdf22fe10de922f0fd217fb4acacbf8b`
SHA256	`4252215404a28155b71d8ccdd832202dca24e7d10305def8192ebedf88c62731`
SHA3	`bf212136ba586557c35f303afc440117f1adc60a88955df893085e546eab04ad`

C4C92C08B66D3A215D64120C3A4666A65EF18355

Type	`RT_RCDATA`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x13`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`4.14266`
MD5	`68828ccc2bc81c4fc6a38af479f3a799`
SHA1	`63a42021d921c7adaa448a938af494639f0c023b`
SHA256	`2a9dfe2021389b69d14bc8e7e5cade33d4828df3a882d2ce565f5219e638fa29`
SHA3	`245684fc76f135ded26c91c951053c1f0ba625ba71be9d84538e03ad1c8edd70`

F9A6714ADC

Type	`RT_RCDATA`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x1`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`0`
MD5	`55a54008ad1ba589aa210d2629c1df41`
SHA1	`bf8b4530d8d246dd74ac53a13471bba17941dff7`
SHA256	`4bf5122f344554c53bde2ebb8cd2b7e3d1600ad631c385a5d7cce23c7785459a`
SHA3	`2767f15c8af2f2c7225d5273fdd683edc714110a987d1054697c348aed4e6cc7`

1

Type	`RT_MANIFEST`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x2a0`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.08821`
MD5	`ffd3b06250ba95d239365ef050b3627b`
SHA1	`16e3981245d8dbd44f33d93b203c02a44f3c2b95`
SHA256	`1c3703755b6e9a690e8eafaa0cc318f667cd5d4c06935b6e3cd07296df9e9dcd`
SHA3	`2c6baa84c172762978837565c2b2ed4f7716c0edaab79bda3a3ef74724426773`

Version Info

TLS Callbacks

Load Configuration

RICH Header

Errors

Leave a comment

No comments yet.