Manalyze report for 323ec4e03f16cc9dda8775c02924d6e1

Summary

Architecture	`IMAGE_FILE_MACHINE_I386`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	2016-Jan-30 00:31:12
Detected languages	English - United States
Debug artifacts	E:\Data\My Projects\Troy Source Code\tcp1st\rifle\Release\rifle.pdb
CompanyName	Initech (C) Co, Ltd
FileDescription	Initech Client
FileVersion	`5.5.5.5`
InternalName	Initech Client
LegalCopyright	Copyright (C) 2016
OriginalFilename	Initech Client
ProductName	Initech Client
ProductVersion	`1.0.0.24`

Plugin Output

Info	Matching compiler(s):	`Microsoft Visual C++ 6.0 - 8.0`
Suspicious	The PE contains functions most legitimate programs don't use.	`[!] The program may be hiding some of its imports: LoadLibraryW GetProcAddress` `Can access the registry: RegCloseKey RegOpenKeyExA RegCreateKeyA RegQueryValueExA RegSetValueExA` `Possibly launches other programs: ShellExecuteA CreateProcessA WinExec` `Can create temporary files: CreateFileW CreateFileA GetTempPathA` `Has Internet access capabilities: URLOpenBlockingStreamA` `Leverages the raw socket API to access the Internet: connect WSAStartup gethostname WSAIoctl htons setsockopt WSACleanup recv socket closesocket gethostbyname send WSAGetLastError`
Suspicious	The file contains overlay data.	`732 bytes of data starting at offset 0x13300.`
Info	The PE is digitally signed.	`Signer: Initech` `Issuer: VeriSign Class 3 Code Signing 2010 CA`
Malicious	VirusTotal score: 59/71 (Scanned on 2020-10-14 19:10:26)	`Bkav: W32.AIDetectVM.malware1` `Elastic: malicious (high confidence)` `MicroWorld-eScan: Trojan.Agent.BQRG` `FireEye: Generic.mg.323ec4e03f16cc9d` `CAT-QuickHeal: Trojan.Mauvaise.SL1` `McAfee: GenericRXGV-SU!323EC4E03F16` `Cylance: Unsafe` `Zillya: Trojan.GenericKDCRTD.Win32.9160` `Sangfor: Malware` `K7AntiVirus: Riskware ( 0040eff71 )` `K7GW: Riskware ( 0040eff71 )` `Cybereason: malicious.03f16c` `Invincea: Mal/Generic-R + Mal/Agent-ARR` `BitDefenderTheta: Gen:NN.ZexaF.34566.eu1@a4t0kKpi` `Cyren: W32/Rifdoor.A.gen!Eldorado` `Symantec: Backdoor.Trojan` `APEX: Malicious` `Avast: Win32:Trojan-gen` `ClamAV: Win.Malware.Johnnie-6840509-0` `Kaspersky: Trojan-Dropper.Win32.Agent.sbni` `BitDefender: Trojan.Agent.BQRG` `NANO-Antivirus: Trojan.Win32.Dwn.ealytx` `Rising: Backdoor.Rifdoor!8.107C7 (TFE:5:ZTCeJskxeoE)` `Ad-Aware: Trojan.Agent.BQRG` `Emsisoft: Trojan.Agent.BQRG (B)` `Comodo: TrojWare.Win32.Rifbu.RTC@7sjdj9` `F-Secure: Trojan.TR/Agent.fjnu` `DrWeb: Trojan.DownLoader19.30399` `VIPRE: Trojan.Win32.Generic!BT` `TrendMicro: TROJ_GEN.R011C0CJE20` `McAfee-GW-Edition: BehavesLike.Win32.Generic.lh` `Sophos: Mal/Agent-ARR` `SentinelOne: DFI - Suspicious PE` `GData: Trojan.Agent.BQRG` `Jiangmin: Trojan.Generic.ohkb` `eGambit: Unsafe.AI_Score_96%` `Avira: TR/Agent.fjnu` `MAX: malware (ai score=86)` `Antiy-AVL: Trojan[Dropper]/Win32.Agent.sbni` `Arcabit: Trojan.Agent.BQRG` `ViRobot: Backdoor.Win32.Rifle.Gen` `ZoneAlarm: Trojan-Dropper.Win32.Agent.sbni` `Microsoft: Backdoor:Win32/Rifdoor.A!bit` `Cynet: Malicious (score: 100)` `AhnLab-V3: Win-Trojan/Rifdoor.78592` `Acronis: suspicious` `VBA32: BScope.Trojan.Downloader` `ALYac: Trojan.Agent.223232` `Malwarebytes: Backdoor.Agent` `Zoner: Trojan.Win32.87138` `ESET-NOD32: Win32/Agent.RTC` `TrendMicro-HouseCall: TROJ_GEN.R011C0CJE20` `Tencent: Malware.Win32.Gencirc.10b9cc27` `Yandex: Trojan.Agent!cqGvJGdAr58` `Ikarus: Backdoor.Win32.Rifdoor` `Fortinet: W32/Agent.RTC!tr` `AVG: Win32:Trojan-gen` `Panda: Trj/Genetic.gen` `CrowdStrike: win/malicious_confidence_100% (D)`

Hashes

MD5	`323ec4e03f16cc9dda8775c02924d6e1`
SHA1	`8f7dbd24936d1d77c26c1b7262221a0dab36313b`
SHA256	`2ac349867cf4282f4f93a2fb232a903a59b315e2a4272063793ec7bf70c70376`
SHA3	`6048d61dcab30e42d1d330cef44a84b4e2db79bd68c9ea75f3c855c8b1f4f8c0`
SSDeep	`1536:nLNIW39SaZTbFARlq7jC1OZstZu0TS3gEdUJCkb0FGV:nLlbZTZX3BAtTS3gEdUJCkb0FGV`
Imports Hash	`587bf55eb237bb0ee3c9d753b5b27e23`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0xf0`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_I386`
NumberofSections	`5`
TimeDateStamp	2016-Jan-30 00:31:12
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xe0`
Characteristics	`IMAGE_FILE_32BIT_MACHINE` `IMAGE_FILE_EXECUTABLE_IMAGE`

Image Optional Header

Magic	`PE32`
LinkerVersion	`10.0`
SizeOfCode	`0xae00`
SizeOfInitializedData	`0x6800`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x0000367F (Section: .text)`
BaseOfCode	`0x1000`
BaseOfData	`0xc000`
ImageBase	`0x400000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`5.1`
ImageVersion	`0.0`
SubsystemVersion	`5.1`
Win32VersionValue	`0`
SizeOfImage	`0x17000`
SizeOfHeaders	`0x400`
Checksum	`0x14886`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` `IMAGE_DLLCHARACTERISTICS_NX_COMPAT` `IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`234eb5dbcff2f9e86366963f4b4e54b4`
SHA1	`18b3f3a4da2165719c45530222ec9a690a16d221`
SHA256	`92afb20e5ef75df6fc9cb78f362b83fac0535ad9f7f0c3e21eb27afb690d1fa6`
SHA3	`ce6623a615ea3b79dc0d0568f1d5b6167bbf9ce7188902c5feef189b74f947b1`
VirtualSize	`0xac08`
VirtualAddress	`0x1000`
SizeOfRawData	`0xae00`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.53257`

.rdata

MD5	`2ec05c3954f5ff17a59c2bcd65341562`
SHA1	`5294756c955e2211a0bb57ccaa8499d1de3efd17`
SHA256	`4397a289c112c173ee70f7d10ecc4503c2a07dfe262519d4025046b4ae8e4693`
SHA3	`213683268b87e7121f4a404abbe7fac2bf468a8bc5c89e9d1b2f577249f0acc5`
VirtualSize	`0x3450`
VirtualAddress	`0xc000`
SizeOfRawData	`0x3600`
PointerToRawData	`0xb200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`5.04897`

.data

MD5	`c1c740263560700f4483e80e3b6f81f7`
SHA1	`fecb3a6cab5ec5dbb90b8d87ce3c25367ad1a43c`
SHA256	`cd600b15f2349747c0491264ce5e2ba59f266093d8dcd77bebdf5b6818bfe2a7`
SHA3	`bf4008a42086e09d87acf807ce868e56b93713aabbac115e61a8ddae9cf7e1a3`
VirtualSize	`0x3260`
VirtualAddress	`0x10000`
SizeOfRawData	`0x1000`
PointerToRawData	`0xe800`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`2.36519`

.rsrc

MD5	`f0991e45f8fec6f15ded02b513e73c4e`
SHA1	`8570a6238d6c681704d07c136b689102b85a100b`
SHA256	`99534252e1ffc4d9f0377295e4e3b510c082ee5a8d42daa25208dbacdbc60432`
SHA3	`2d32e76ee02a87e605081e0a40d9e2177698a66c7dd94b3e817a132136ba9c26`
VirtualSize	`0xbf4`
VirtualAddress	`0x14000`
SizeOfRawData	`0xc00`
PointerToRawData	`0xf800`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`3.9099`

.reloc

MD5	`9b3cced7d78100d22773bc775f9d126e`
SHA1	`a8a5d3fc1c3574b32695008b19f3e844d6dacaa1`
SHA256	`1fb710378bc1bb3ba3ae045939f08e5977f4d6eb958e984bc456e5244c1b66aa`
SHA3	`1759f55497bbb4a0ba23ebc72c239016b277d53f22e1ebbe18f1a30d9ff73ac9`
VirtualSize	`0x1506`
VirtualAddress	`0x15000`
SizeOfRawData	`0x1600`
PointerToRawData	`0x10400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`4.1737`

Imports

SHLWAPI.dll	`StrToIntA` `StrChrA` `StrStrA`
WS2_32.dll	`connect` `WSAStartup` `gethostname` `WSAIoctl` `htons` `setsockopt` `WSACleanup` `recv` `socket` `closesocket` `gethostbyname` `send` `WSAGetLastError`
WININET.dll	`DeleteUrlCacheEntry`
ADVAPI32.dll	`RegCloseKey` `GetUserNameA` `RegOpenKeyExA` `RegCreateKeyA` `RegQueryValueExA` `RegSetValueExA`
urlmon.dll	`URLOpenBlockingStreamA`
SHELL32.dll	`ShellExecuteA`
USER32.dll	`wsprintfA`
IPHLPAPI.DLL	`GetAdaptersInfo`
KERNEL32.dll	`IsProcessorFeaturePresent` `GetStringTypeW` `LoadLibraryW` `HeapSize` `RtlUnwind` `SetStdHandle` `WriteConsoleW` `CreateFileW` `FlushFileBuffers` `CompareStringW` `SetEnvironmentVariableA` `LeaveCriticalSection` `EnterCriticalSection` `GetConsoleMode` `GetConsoleCP` `SetFilePointer` `HeapReAlloc` `ExitProcess` `GetComputerNameA` `CreateFileA` `GetFileSize` `lstrcmpA` `lstrlenA` `HeapAlloc` `HeapFree` `WaitForSingleObject` `GetTickCount` `GetProcessHeap` `WriteFile` `GetCommandLineA` `GlobalAlloc` `Sleep` `GetExitCodeProcess` `CreateProcessA` `TerminateProcess` `ReadFile` `lstrcatA` `CreateDirectoryA` `SetCurrentDirectoryA` `GetLastError` `OpenMutexA` `CreatePipe` `GetModuleFileNameA` `CreateMutexA` `GetVersionExA` `WinExec` `CloseHandle` `GetTempPathA` `lstrcpyA` `GetSystemTimeAsFileTime` `HeapSetInformation` `GetStartupInfoW` `GetCurrentProcess` `UnhandledExceptionFilter` `SetUnhandledExceptionFilter` `IsDebuggerPresent` `DecodePointer` `EncodePointer` `HeapCreate` `GetProcAddress` `GetModuleHandleW` `GetStdHandle` `GetModuleFileNameW` `GetCPInfo` `InterlockedIncrement` `InterlockedDecrement` `GetACP` `GetOEMCP` `IsValidCodePage` `TlsAlloc` `TlsGetValue` `TlsSetValue` `TlsFree` `SetLastError` `GetCurrentThreadId` `WideCharToMultiByte` `LCMapStringW` `MultiByteToWideChar` `GetTimeZoneInformation` `RaiseException` `FreeEnvironmentStringsW` `GetEnvironmentStringsW` `SetHandleCount` `InitializeCriticalSectionAndSpinCount` `GetFileType` `DeleteCriticalSection` `QueryPerformanceCounter` `GetCurrentProcessId`

Delayed Imports

1

Type	`RT_ICON`
Language	English - United States
Codepage	Latin 1 / Western European
Size	`0x568`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.43818`
MD5	`071e753a695f17583e4d99310654da1b`
SHA1	`bb0622544a1ecb19e351e6265bf057a9f58d97d4`
SHA256	`755174b94de7774e635bfa4c58cb74284510e57c6ef10a2e2caeb39c6b1cd845`
SHA3	`6a2b42b277886fbfdedd1886fa632f26eeabfbcb2b14a41cd8b31f7513f510ae`

106

Type	`RT_GROUP_ICON`
Language	English - United States
Codepage	Latin 1 / Western European
Size	`0x14`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`1.91924`
Detected Filetype	Icon file
MD5	`48b7daa094a69053983c7c0a1a9d1892`
SHA1	`f2ee97c66ac167b7bb8ddb35c50464102dc716fd`
SHA256	`8aecd886e67d8cbe30bc719e7c0df4cd4f4a7e000d14f296e8a1af2c6fb04a11`
SHA3	`455e955dfde4b66ee569c5f5454265d5d73c14249e0c13f943d5ea56dc93fcdf`

1 (#2)

Type	`RT_VERSION`
Language	English - United States
Codepage	Latin 1 / Western European
Size	`0x2e8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.34473`
MD5	`75c40047acb03ea4ba0dce3136f1cca8`
SHA1	`c13218f8ff0d5865232554e3b3f47de3769af045`
SHA256	`554a211d90f395507db16638348857dbffb93a7cb8ac7a3c8195b709943f1dc6`
SHA3	`1c4cb120fa319deacc70204268e00bd534b2781400fa831da344362a9a4c5302`

1 (#3)

Type	`RT_MANIFEST`
Language	English - United States
Codepage	Latin 1 / Western European
Size	`0x25f`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`4.94904`
MD5	`e54df675446f104f3e6153a586774b18`
SHA1	`2f5a10f15684b67189b923111f804cace29d5ae2`
SHA256	`45cb3493020782cfcd906fb9afbf72d7f973b6e425fc5d3bd88a429e8ea395b1`
SHA3	`0c19618a4c7e6c8a7d54b8702d0132f746eb83cfff35aa7a8d49792cfda314df`

Version Info

Signature	`0xfeef04bd`
StructVersion	`0x10000`
FileVersion	5.5.5.5
ProductVersion	1.0.0.24
FileFlags	`(EMPTY)`
FileOs	`VOS_DOS_WINDOWS32` `VOS_NT` `VOS_NT_WINDOWS32` `VOS_WINCE` `VOS__WINDOWS32`
FileType	`VFT_APP`
Language	English - United States
CompanyName	Initech (C) Co, Ltd
FileDescription	Initech Client
FileVersion (#2)	5.5.5.5
InternalName	Initech Client
LegalCopyright	Copyright (C) 2016
OriginalFilename	Initech Client
ProductName	Initech Client
ProductVersion (#2)	1.0.0.24

Resource LangID	English - United States

IMAGE_DEBUG_TYPE_CODEVIEW

Characteristics	`0`
TimeDateStamp	2016-Jan-30 00:31:12
Version	`0.0`
SizeofData	`92`
AddressOfRawData	`0xe540`
PointerToRawData	`0xd740`
Referenced File	E:\Data\My Projects\Troy Source Code\tcp1st\rifle\Release\rifle.pdb

TLS Callbacks

Load Configuration

Size	`0x48`
TimeDateStamp	`1970-Jan-01 00:00:00`
Version	`0.0`
GlobalFlagsClear	`(EMPTY)`
GlobalFlagsSet	`(EMPTY)`
CriticalSectionDefaultTimeout	`0`
DeCommitFreeBlockThreshold	`0`
DeCommitTotalFreeThreshold	`0`
LockPrefixTable	`0`
MaximumAllocationSize	`0`
VirtualMemoryThreshold	`0`
ProcessAffinityMask	`0`
ProcessHeapFlags	`(EMPTY)`
CSDVersion	`0`
Reserved1	`0`
EditList	`0`
SecurityCookie	`0x41003c`
SEHandlerTable	`0x40e680`
SEHandlerCount	`3`

RICH Header

XOR Key	`0x536db74b`
Unmarked objects	`0`
C++ objects (VS2010 build 30319)	`34`
ASM objects (VS2010 build 30319)	`18`
C objects (VS2010 build 30319)	`102`
Imports (VS2008 SP1 build 30729)	`19`
Total imports	`126`
175 (VS2010 build 30319)	`1`
Resource objects (VS2010 build 30319)	`1`
Linker (VS2010 build 30319)	`1`

323ec4e03f16cc9dda8775c02924d6e1

Summary

Plugin Output

Hashes

DOS Header

PE Header

Image Optional Header

.text

.rdata

.data

.rsrc

.reloc

Imports

Delayed Imports

1

106

1 (#2)

1 (#3)

Version Info

IMAGE_DEBUG_TYPE_CODEVIEW

TLS Callbacks

Load Configuration

RICH Header

Errors