Manalyze report for 2ff1688fe866ec2871169197f9d46936

Summary

Architecture	`IMAGE_FILE_MACHINE_I386`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	2017-Jun-13 15:12:43
Detected languages	Korean - Korea

Plugin Output

Info	Matching compiler(s):	`Microsoft Visual C++ 6.0 - 8.0` `Microsoft Visual C++` `Microsoft Visual C++ v6.0` `Microsoft Visual C++ v5.0/v6.0 (MFC)`
Info	Cryptographic algorithms detected in the binary:	`Uses constants related to CRC32` `Uses constants related to MD5` `Uses constants related to SHA1`
Suspicious	The PE contains functions most legitimate programs don't use.	`[!] The program may be hiding some of its imports: GetProcAddress LoadLibraryA` `Possibly launches other programs: CreateProcessW` `Leverages the raw socket API to access the Internet: #16 #111 #23 #4 #18 #151 #21 #19 #22 #3 #11` `Enumerates local disk drives: GetLogicalDriveStringsW GetVolumeInformationW`
Suspicious	The file contains overlay data.	`124 bytes of data starting at offset 0x38000.`
Malicious	VirusTotal score: 54/70 (Scanned on 2020-01-22 07:30:16)	`MicroWorld-eScan: Trojan.GenericKD.32416090` `CAT-QuickHeal: Trojan.Generic` `McAfee: Trojan-HidCobra` `Cylance: Unsafe` `Zillya: Trojan.NukeSped.Win32.160` `Sangfor: Malware` `K7AntiVirus: Trojan ( 005329311 )` `Alibaba: Trojan:Win32/Nukesped.137c7b50` `K7GW: Trojan ( 005329311 )` `Cybereason: malicious.32ea70` `Symantec: Trojan.Gen.MBT` `ESET-NOD32: a variant of Win32/NukeSped.AI` `APEX: Malicious` `Paloalto: generic.ml` `ClamAV: Win.Trojan.HiddenCobra-7402602-0` `Kaspersky: HEUR:Trojan.Win32.Generic` `BitDefender: Trojan.GenericKD.32416090` `ViRobot: Trojan.Win32.S.Agent.229500` `Avast: Win32:Trojan-gen` `Ad-Aware: Trojan.GenericKD.32416090` `Sophos: Troj/Inject-DZV` `Comodo: Malware@#1dpmth2llp9fd` `F-Secure: Trojan.TR/AD.APTLazerus.oytdw` `VIPRE: Trojan.Win32.Generic!BT` `TrendMicro: BKDR_HOPLIGHT.ZKGJ` `McAfee-GW-Edition: Trojan-HidCobra` `Trapmine: malicious.moderate.ml.score` `FireEye: Generic.mg.2ff1688fe866ec28` `Emsisoft: Trojan.GenericKD.32416090 (B)` `SentinelOne: DFI - Suspicious PE` `Cyren: W32/Trojan.GCCR-6631` `Jiangmin: Trojan.Generic.egcnd` `Webroot: W32.Trojan.Hiddencobra` `Avira: TR/AD.APTLazerus.oytdw` `MAX: malware (ai score=100)` `Antiy-AVL: Trojan/Win32.Casdet` `Microsoft: Trojan:Win32/Nukesped.PA!MTB` `Endgame: malicious (high confidence)` `Arcabit: Trojan.Generic.D1EEA15A` `ZoneAlarm: HEUR:Trojan.Win32.Generic` `GData: Trojan.GenericKD.32416090` `AhnLab-V3: Trojan/Win32.Agent.R290904` `ALYac: Trojan.Nukesped.A` `TrendMicro-HouseCall: BKDR_HOPLIGHT.ZKGJ` `Rising: Trojan.Hoplight!1.B71E (CLOUD)` `Yandex: Trojan.Agent!4PGYBZAmAZU` `Ikarus: Trojan.Win32.NukeSped` `eGambit: Unsafe.AI_Score_97%` `Fortinet: W32/HidCobra.9CFB!tr` `BitDefenderTheta: Gen:NN.ZexaE.34084.oqX@amBCcSeG` `AVG: Win32:Trojan-gen` `Panda: Trj/Agent.KOS` `CrowdStrike: win/malicious_confidence_100% (W)` `Qihoo-360: Win32/Trojan.5ee`

Hashes

MD5	`2ff1688fe866ec2871169197f9d46936`
SHA1	`6dc37ff32ea70cbd0078f1881a351a0a4748d10e`
SHA256	`b05aae59b3c1d024b19c88448811debef1eada2f51761a5c41e70da3db7615a9`
SHA3	`464c04a2abfcc743a1c135ba9ebb48d931ba5fe04d6ef1bc4703553a8d65d401`
SSDeep	`6144:GANjUaXCXwz+vLFOLEq3VNwO9zyPqYNkHms:bNjxXgA9uPqR`
Imports Hash	`9bd558d106ace4535433f58c584c0fbc`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0xe0`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_I386`
NumberofSections	`4`
TimeDateStamp	2017-Jun-13 15:12:43
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xe0`
Characteristics	`IMAGE_FILE_32BIT_MACHINE` `IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LINE_NUMS_STRIPPED` `IMAGE_FILE_LOCAL_SYMS_STRIPPED` `IMAGE_FILE_RELOCS_STRIPPED`

Image Optional Header

Magic	`PE32`
LinkerVersion	`6.0`
SizeOfCode	`0x2f000`
SizeOfInitializedData	`0xc000`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x00008447 (Section: .text)`
BaseOfCode	`0x1000`
BaseOfData	`0x30000`
ImageBase	`0x400000`
SectionAlignment	`0x1000`
FileAlignment	`0x1000`
OperatingSystemVersion	`4.0`
ImageVersion	`0.0`
SubsystemVersion	`4.0`
Win32VersionValue	`0`
SizeOfImage	`0x3c000`
SizeOfHeaders	`0x1000`
Checksum	`0`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`f9aa8191af45813b80031064403835f1`
SHA1	`ab2587c9dcfba85046cc69e26e980501b8d0a7d6`
SHA256	`dd95e1273f1720e10ddd4631801a7fe70b4a175de04effe5f7abc02262a020d8`
SHA3	`39a9a34df59a91e25de621ba7957a48ca23339ab6ee98b67ce2723fd3fd32164`
VirtualSize	`0x2e46a`
VirtualAddress	`0x1000`
SizeOfRawData	`0x2f000`
PointerToRawData	`0x1000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.40085`

.rdata

MD5	`bbcbbf5f54deaee51d41d404973c30e4`
SHA1	`fa64ad9897105b3e16e5b9df631604ad99203af8`
SHA256	`beb8004bc7c6dbe585923ce4d3a4c99bb94c6dfe5fa5222419af6620853d757a`
SHA3	`b3db6fedaecba5261ac08755892828019374aea8ec6c81fc29ab96fe1fdd2f78`
VirtualSize	`0x3b7e`
VirtualAddress	`0x30000`
SizeOfRawData	`0x4000`
PointerToRawData	`0x30000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`6.22887`

.data

MD5	`8ea12cda731d50b93944d8534c11402c`
SHA1	`e309d6f90701b78023023c9133253cb7ece39f4f`
SHA256	`bbff27b4498ddf7cab9b9920c75cf6cd9343d800b8634065a12e9918c438d133`
SHA3	`350d48798a9855d877fd09ea35b1a1cd174612daec2c9ce281a1c437366e2f20`
VirtualSize	`0x6dc4`
VirtualAddress	`0x34000`
SizeOfRawData	`0x3000`
PointerToRawData	`0x34000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`3.92766`

.rsrc

MD5	`06d5d2729a367d565819e6867d8caea7`
SHA1	`98c7db9811f1f717e59d3e07eea28ee551b69ed7`
SHA256	`c9b4d03c5ce45ae6897e8c94eba78e65e5002667134d20b9d606e302b870ea87`
SHA3	`c34b885176df6752f7b9fc1c457977bc01b1b4e64e82a421163bde40859295d7`
VirtualSize	`0x980`
VirtualAddress	`0x3b000`
SizeOfRawData	`0x1000`
PointerToRawData	`0x37000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`3.31798`

Imports

WS2_32.dll	`#16` `#111` `#23` `#4` `#18` `#151` `#21` `#19` `#22` `#3` `#11`
KERNEL32.dll	`LeaveCriticalSection` `CreateFileA` `QueryPerformanceCounter` `QueryPerformanceFrequency` `FindFirstFileW` `FindNextFileW` `FindClose` `UnmapViewOfFile` `DuplicateHandle` `CreateFileW` `CreateFileMappingW` `MapViewOfFile` `CreateProcessW` `GetModuleFileNameW` `GetWindowsDirectoryW` `GetTickCount` `WideCharToMultiByte` `FileTimeToLocalFileTime` `LocalFree` `LocalAlloc` `QueryDosDeviceW` `GetLogicalDriveStringsW` `GetFileSize` `CreateThread` `GetVolumeInformationW` `GetACP` `GetSystemInfo` `GetProcAddress` `GetModuleHandleW` `GetLastError` `LoadLibraryA` `Sleep` `GetFileInformationByHandle` `SystemTimeToFileTime` `GetTimeZoneInformation` `GetSystemTime` `GetLocalTime` `RtlUnwind` `InterlockedDecrement` `InterlockedIncrement` `MultiByteToWideChar` `GetFileAttributesW` `GetModuleHandleA` `GetStartupInfoW` `GetVersion` `ExitProcess` `TerminateProcess` `GetCurrentProcess` `HeapReAlloc` `HeapAlloc` `HeapSize` `GetCurrentThreadId` `TlsSetValue` `TlsAlloc` `SetLastError` `TlsGetValue` `InitializeCriticalSection` `DeleteCriticalSection` `EnterCriticalSection` `SetEndOfFile` `UnhandledExceptionFilter` `FreeEnvironmentStringsA` `FreeEnvironmentStringsW` `GetEnvironmentStringsW` `GetEnvironmentStrings` `GetCommandLineW` `GetCommandLineA` `SetHandleCount` `GetStdHandle` `GetFileType` `GetStartupInfoA` `HeapDestroy` `HeapCreate` `VirtualFree` `HeapFree` `WriteFile` `GetModuleFileNameA` `VirtualAlloc` `IsBadWritePtr` `SetFilePointer` `SetUnhandledExceptionFilter` `IsBadReadPtr` `IsBadCodePtr` `GetCPInfo` `LCMapStringA` `LCMapStringW` `SetStdHandle` `GetStringTypeA` `GetStringTypeW` `FlushFileBuffers` `CloseHandle` `CompareStringA` `CompareStringW` `GetOEMCP` `SetEnvironmentVariableA` `FileTimeToSystemTime` `FileTimeToDosDateTime` `ReadFile`
USER32.dll	`GetSystemMetrics`

Delayed Imports

1

Type	`RT_ICON`
Language	Korean - Korea
Codepage	UNKNOWN
Size	`0x8a8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.19506`
MD5	`00ecd29321807c83650ce1e1216bc4f2`
SHA1	`9538a09f50ae009fe0af34a8748093cbe4866da7`
SHA256	`54b433ec4967fb4c1c194ab3b081ced6f122bbec78e0dfab9c6f9376d64a0870`
SHA3	`fd6d4b24f2de9140f30d2f5e8b5b9d1976911af1915b0b0962d627fdfe8f0d54`

IDI_ICON1

Type	`RT_GROUP_ICON`
Language	Korean - Korea
Codepage	UNKNOWN
Size	`0x14`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`1.81924`
Detected Filetype	Icon file
MD5	`cbee427fa121aba9b9b265ff05de5383`
SHA1	`24fcae33001c8e0f5ec795c6edf076a69d59589f`
SHA256	`494e4fd717fa1ee0c5c7bb3b4e28fdab4b7f6e95b4f9865f5ab86f03f62ae62c`
SHA3	`a3fa35d56632275ba55716a4964f02031270f61f06a903fc460ac2dd6bebde85`

Version Info

TLS Callbacks

Load Configuration

RICH Header

XOR Key	`0x7efa3341`
Unmarked objects	`0`
12 (7291)	`2`
14 (7299)	`25`
C objects (VS98 build 8168)	`140`
Total imports	`121`
Imports (VS2003 (.NET) build 4035)	`7`
C++ objects (VS98 build 8168)	`16`
Resource objects (VS98 cvtres build 1720)	`1`

2ff1688fe866ec2871169197f9d46936

Summary

Plugin Output

Hashes

DOS Header

PE Header

Image Optional Header

.text

.rdata

.data

.rsrc

Imports

Delayed Imports

1

IDI_ICON1

Version Info

TLS Callbacks

Load Configuration

RICH Header

Errors