Manalyze report for 2fed54e4b3db498446f474b388be8beb

Summary

Architecture	`IMAGE_FILE_MACHINE_I386`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_CUI`
Compilation Date	2018-Oct-27 12:33:57
Detected languages	English - United States

Plugin Output

Info	Matching compiler(s):	`Microsoft Visual C++ 6.0 - 8.0`
Suspicious	The PE contains functions most legitimate programs don't use.	`[!] The program may be hiding some of its imports: GetProcAddress LoadLibraryExW` `Functions which can be used for anti-debugging purposes: SwitchToThread` `Possibly launches other programs: CreateProcessW`
Malicious	VirusTotal score: 8/67 (Scanned on 2018-12-06 10:35:18)	`MicroWorld-eScan: Gen:Variant.Razy.414089` `Cylance: Unsafe` `Arcabit: Trojan.Razy.D65189` `Ad-Aware: Gen:Variant.Razy.414089` `ALYac: Gen:Variant.Razy.414089` `MAX: malware (ai score=88)` `Rising: Malware.Heuristic!ET#95% (RDM+:cmRtazoyxPZZTxquf5HcIfPgHjOC)` `Qihoo-360: HEUR/QVM20.1.AE7E.Malware.Gen`

Hashes

MD5	`2fed54e4b3db498446f474b388be8beb`
SHA1	`cde5614959ba7ec94c6aa47ba90150bfd9826f77`
SHA256	`e974db6373fbb7c05405a56ccce221fcd627d6d005d70d864719c172b0ff6646`
SHA3	`a4e273cade85f1c20557e0df96310431aec22b9bfc582624594484562b6747a3`
SSDeep	`6144:bu8kkEqw0DH0Fdrv9Zk3ps0zAO3ltKsT:3kkEqw0DH0Fdx8a0ztKsT`
Imports Hash	`b63a0a365d0755baeff7c9cbd9563319`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0x108`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_I386`
NumberofSections	`5`
TimeDateStamp	2018-Oct-27 12:33:57
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xe0`
Characteristics	`IMAGE_FILE_32BIT_MACHINE` `IMAGE_FILE_EXECUTABLE_IMAGE`

Image Optional Header

Magic	`PE32`
LinkerVersion	`14.0`
SizeOfCode	`0x22000`
SizeOfInitializedData	`0x13c00`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x00007673 (Section: .text)`
BaseOfCode	`0x1000`
BaseOfData	`0x23000`
ImageBase	`0x400000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`6.0`
ImageVersion	`0.0`
SubsystemVersion	`6.0`
Win32VersionValue	`0`
SizeOfImage	`0x39000`
SizeOfHeaders	`0x400`
Checksum	`0`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_CUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` `IMAGE_DLLCHARACTERISTICS_NX_COMPAT` `IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`89e5bfb9e133cc97d26132adccfba1cb`
SHA1	`8dcbc60fbad11c9d25f5238a42fdb839698c3222`
SHA256	`21b58358da21b09cb2d4917e515376e19b7d8652cd8c7768e77ee377b36adea1`
SHA3	`c1c7b7709b474c5d1403076cff01ba8add44961cd75c6d0a442a6e58d41a8738`
VirtualSize	`0x21f34`
VirtualAddress	`0x1000`
SizeOfRawData	`0x22000`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.62399`

.rdata

MD5	`a1bfdbf69fbf6b243dacd2e831a38926`
SHA1	`c5726c9800e65522a7f9592909fcddd6fe5a96a2`
SHA256	`2540369b4a2d0091f878fb78eee7ab78af72f9c447951134e614734c918b384a`
SHA3	`70dd922308e5dc4fb803402350f9a6b665b99d31495d37feb141d594bee6db9b`
VirtualSize	`0xf8f6`
VirtualAddress	`0x23000`
SizeOfRawData	`0xfa00`
PointerToRawData	`0x22400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`5.41892`

.data

MD5	`b1f372ef698ef3e1eec586b3b5ffea08`
SHA1	`e726f086e36fefe4d096be80a8a3016e44cb1bf4`
SHA256	`9391fd7665d58a3a779653e2bfda6643b23946c2b7575f014711449b92106713`
SHA3	`a31fcdeaab2d71f46f251f2d2bdd8c52e2b15c3d4dc37d96393b6f724cf41d38`
VirtualSize	`0x1cac`
VirtualAddress	`0x33000`
SizeOfRawData	`0x1000`
PointerToRawData	`0x31e00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`3.07133`

.rsrc

MD5	`da89d975c5983383cba50353c22e6a18`
SHA1	`faeb62580962f39e83e2e311f1279aba0f048100`
SHA256	`b85b09a0721fb317ba3067ee7c76fd960be862121ae2701aa0948a6685d4edba`
SHA3	`e2865026aa93175d2394f1305fa2b9826d24459485fd7fcf7fc1d9865c701d74`
VirtualSize	`0x1e0`
VirtualAddress	`0x35000`
SizeOfRawData	`0x200`
PointerToRawData	`0x32e00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`4.7123`

.reloc

MD5	`fc17370825e1eddcaa7f3a4247bd2303`
SHA1	`88dcaab6639f3eb710ea4d4c7adeaf4ba25d238d`
SHA256	`57c81af9e6c460ba910acb0cffe5c3c9e7b9b8bf4234dd4b7455751230554a78`
SHA3	`dda0263948c404f61c6336ca9ae40e6510da419c8e1a36b10fcf8027996f6a7e`
VirtualSize	`0x2050`
VirtualAddress	`0x36000`
SizeOfRawData	`0x2200`
PointerToRawData	`0x33000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`6.4468`

Imports

KERNEL32.dll	`CreateMutexW` `GetLastError` `GetModuleFileNameW` `CreateProcessW` `WaitForDebugEventEx` `OpenThread` `GetThreadContext` `SetThreadContext` `ContinueDebugEvent` `CreateFileW` `WideCharToMultiByte` `EnterCriticalSection` `LeaveCriticalSection` `DeleteCriticalSection` `EncodePointer` `DecodePointer` `MultiByteToWideChar` `SetLastError` `InitializeCriticalSectionAndSpinCount` `SwitchToThread` `TlsAlloc` `TlsGetValue` `TlsSetValue` `TlsFree` `GetSystemTimeAsFileTime` `GetModuleHandleW` `GetProcAddress` `CompareStringW` `LCMapStringW` `GetLocaleInfoW` `GetStringTypeW` `GetCPInfo` `UnhandledExceptionFilter` `SetUnhandledExceptionFilter` `GetCurrentProcess` `TerminateProcess` `IsProcessorFeaturePresent` `QueryPerformanceCounter` `GetCurrentProcessId` `GetCurrentThreadId` `InitializeSListHead` `IsDebuggerPresent` `GetStartupInfoW` `RtlUnwind` `RaiseException` `FreeLibrary` `LoadLibraryExW` `GetStdHandle` `WriteFile` `ExitProcess` `GetModuleHandleExW` `GetCommandLineA` `GetCommandLineW` `HeapAlloc` `HeapFree` `IsValidLocale` `GetUserDefaultLCID` `EnumSystemLocalesW` `GetFileType` `CloseHandle` `FlushFileBuffers` `GetConsoleCP` `GetConsoleMode` `ReadFile` `GetFileSizeEx` `SetFilePointerEx` `ReadConsoleW` `HeapReAlloc` `FindClose` `FindFirstFileExW` `FindNextFileW` `IsValidCodePage` `GetACP` `GetOEMCP` `GetEnvironmentStringsW` `FreeEnvironmentStringsW` `SetEnvironmentVariableW` `SetStdHandle` `GetProcessHeap` `HeapSize` `WriteConsoleW`

Delayed Imports

1

Type	`RT_MANIFEST`
Language	English - United States
Codepage	UNKNOWN
Size	`0x17d`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`4.91161`
MD5	`1e4a89b11eae0fcf8bb5fdd5ec3b6f61`
SHA1	`4260284ce14278c397aaf6f389c1609b0ab0ce51`
SHA256	`4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df`
SHA3	`4bb9e8b5a714cae82782f3831cc2d45f4bf4a50a755fe584d2d1893129d68353`

Version Info

IMAGE_DEBUG_TYPE_POGO

Characteristics	`0`
TimeDateStamp	2018-Oct-27 12:33:57
Version	`0.0`
SizeofData	`788`
AddressOfRawData	`0x30ff0`
PointerToRawData	`0x303f0`

IMAGE_DEBUG_TYPE_ILTCG

Characteristics	`0`
TimeDateStamp	2018-Oct-27 12:33:57
Version	`0.0`
SizeofData	`0`
AddressOfRawData	`0`
PointerToRawData	`0`

TLS Callbacks

Load Configuration

Size	`0xa0`
TimeDateStamp	`1970-Jan-01 00:00:00`
Version	`0.0`
GlobalFlagsClear	`(EMPTY)`
GlobalFlagsSet	`(EMPTY)`
CriticalSectionDefaultTimeout	`0`
DeCommitFreeBlockThreshold	`0`
DeCommitTotalFreeThreshold	`0`
LockPrefixTable	`0`
MaximumAllocationSize	`0`
VirtualMemoryThreshold	`0`
ProcessAffinityMask	`0`
ProcessHeapFlags	`(EMPTY)`
CSDVersion	`0`
Reserved1	`0`
EditList	`0`
SecurityCookie	`0x43306c`
SEHandlerTable	`0x430f60`
SEHandlerCount	`36`

RICH Header

XOR Key	`0xd66e749e`
Unmarked objects	`0`
ASM objects (26213)	`13`
C++ objects (26213)	`165`
C objects (26213)	`22`
ASM objects (VS 2015/2017 runtime 26706)	`20`
C++ objects (VS 2015/2017 runtime 26706)	`59`
C objects (VS 2015/2017 runtime 26706)	`33`
Imports (26213)	`3`
Total imports	`92`
265 (VS2017 v15.8.9 compiler 26732)	`2`
Resource objects (VS2017 v15.8.9 compiler 26732)	`1`
Linker (VS2017 v15.8.9 compiler 26732)	`1`

2fed54e4b3db498446f474b388be8beb

Summary

Plugin Output

Hashes

DOS Header

PE Header

Image Optional Header

.text

.rdata

.data

.rsrc

.reloc

Imports

Delayed Imports

1

Version Info

IMAGE_DEBUG_TYPE_POGO

IMAGE_DEBUG_TYPE_ILTCG

TLS Callbacks

Load Configuration

RICH Header

Errors