Manalyze report for 370ce5389f0ca29361e20222f47ca4ea

Summary

Architecture	`IMAGE_FILE_MACHINE_I386`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	2015-May-08 17:12:51
Detected languages	Chinese - PRC
Debug artifacts	Embedded COFF debugging symbols

Plugin Output

Info	Matching compiler(s):	`MASM/TASM - sig2(h)`
Suspicious	The PE is possibly packed.	`Unusual section name found: /text` `Unusual section name found: .tdata` `Unusual section name found: .idata\xa4` `Unusual section name found: .rsrc\x00\xff` `Unusual section name found: .r\x8aloc`
Info	The PE contains common functions which appear in legitimate applications.	`Can access the registry: RegCreateKeyW`
Info	The PE's resources present abnormal characteristics.	`Resource 128 is possibly compressed or encrypted.`
Suspicious	The file contains overlay data.	`47658 bytes of data starting at offset 0xd000.` `The overlay data has an entropy of 7.95478 and is possibly compressed or encrypted.`
Malicious	VirusTotal score: 32/56 (Scanned on 2015-05-30 08:39:57)	`Bkav: W32.SympaiY.Trojan` `MicroWorld-eScan: Trojan.Inject.AWW` `nProtect: Trojan.Inject.AWW` `Malwarebytes: Trojan.Inject` `K7GW: Trojan ( 004c388b1 )` `K7AntiVirus: Trojan ( 004c388b1 )` `NANO-Antivirus: Trojan.Win32.Winlock.dsfnau` `Symantec: WS.Reputation.1` `ESET-NOD32: a variant of Win32/Injector.CBQB` `TrendMicro-HouseCall: Suspicious_GEN.F47V0528` `Avast: Win32:Malware-gen` `Kaspersky: Trojan.Win32.Inject.uubl` `BitDefender: Trojan.Inject.AWW` `Tencent: Trojan.Win32.YY.Gen.0` `Ad-Aware: Trojan.Inject.AWW` `Emsisoft: Trojan.Inject.AWW (B)` `F-Secure: Trojan.Inject.AWW` `DrWeb: Trojan.Winlock.12151` `VIPRE: Trojan.Win32.Generic!BT` `Jiangmin: Backdoor/Hlux.hug` `Avira: TR/Crypt.Xpack.241160` `Antiy-AVL: Trojan/Win32.TSGeneric` `Microsoft: VirTool:Win32/CeeInject.gen!KK` `GData: Trojan.Inject.AWW` `ALYac: Trojan.Inject.AWW` `AVware: Trojan.Win32.Generic!BT` `Baidu-International: Trojan.Win32.Injector.CBQB` `Ikarus: Trojan.Win32.Injector` `Fortinet: W32/CBQB!tr` `AVG: Inject2.CFME` `Panda: Trj/Genetic.gen` `Qihoo-360: Win32/Trojan.BO.9cb`

Hashes

MD5	`370ce5389f0ca29361e20222f47ca4ea`
SHA1	`4bcb16f8326b0680ce473c91633a7dcc2c5e88a2`
SHA256	`8eae0496be04bac18a56311fbbbc3b0fbeeb34964ed9767d8244b4734fc67985`
SHA3	`1a834006283d633b2fbd3f56f0c914079de1271a8d081060bcc8c1b913147fe1`
SSDeep	`1536:4plIjqMTlh6dXHVrYrBBKVP5hPSUXZeM3f2LFqj/ZnWjWIfJVRWkk:olCqMxh69VrYrBInh8FhqzlAVIkk`
Imports Hash	`93c13431aec5970851cd927f2496208e`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0xe8`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_I386`
NumberofSections	`6`
TimeDateStamp	2015-May-08 17:12:51
PointerToSymbolTable	`0x60000`
NumberOfSymbols	`234881024`
SizeOfOptionalHeader	`0xe0`
Characteristics	`IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LINE_NUMS_STRIPPED` `IMAGE_FILE_LOCAL_SYMS_STRIPPED`

Image Optional Header

Magic	`PE32`
LinkerVersion	`1.0`
SizeOfCode	`0x6001`
SizeOfInitializedData	`0x6000`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x00005D76 (Section: /text)`
BaseOfCode	`0x1000`
BaseOfData	`0x7000`
ImageBase	`0x400000`
SectionAlignment	`0x1000`
FileAlignment	`0x1000`
OperatingSystemVersion	`D.9`
ImageVersion	`0.0`
SubsystemVersion	`4.0`
Win32VersionValue	`0`
SizeOfImage	`0xd000`
SizeOfHeaders	`0x1000`
Checksum	`0`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
DllCharacteristics	`IMAGE_LIBRARY_PROCESS_INIT` `IMAGE_LIBRARY_PROCESS_TERM` `IMAGE_LIBRARY_THREAD_INIT` `IMAGE_LIBRARY_THREAD_TERM`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1001`
LoaderFlags	`0x600`
NumberOfRvaAndSizes	`16`

/text

MD5	`d87ba160511eaeab9b305f13b630822f`
SHA1	`93676366ef192f0ab1bf72d79fd1406aa5fae9a2`
SHA256	`75a1f43389390728b3e38dce5a5793bfc1c70d08e6d9170a633a0cfdeb463744`
SHA3	`fa5adef029cf7a2c22b515fd0e4673c1fee6b0b9fb9ea5bbe9fa6df89578c6d7`
VirtualSize	`0x539b`
VirtualAddress	`0x1000`
SizeOfRawData	`0x6000`
PointerToRawData	`0x1000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`5.38879`

.tdata

MD5	`01a770943e1f3641b73c16d01d23f6f7`
SHA1	`8b9a290c0296d1228d765e6747bb1444c8acd742`
SHA256	`ecdd7678490d86548d99fc6c50169f8c170d7570284b0764d6954c245bee2243`
SHA3	`47909a1f019f44ad10c82c7a5e409985b8e181c9d2d1ecaea1563782a6eb7a47`
VirtualSize	`0x10f0`
VirtualAddress	`0x7000`
SizeOfRawData	`0x2000`
PointerToRawData	`0x7000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_TYPE_DSECT` `IMAGE_SCN_TYPE_NO_PAD`
Entropy	`2.41197`

.data

MD5	`87b0631153bd246c43804d5ee089d7e7`
SHA1	`a90505067a563cd23df539523192cac00a63ecb6`
SHA256	`926d974f3cd4281b089adc3154346f8ed6d65332f150bf13af3645f32831e4f3`
SHA3	`edb8e0495551d0a13c1ad410b45d08ef923afeaef83e84280950edca4509c934`
VirtualSize	`0xdfe`
VirtualAddress	`0x9000`
SizeOfRawData	`0x100c`
PointerToRawData	`0x9000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_GPREL` `IMAGE_SCN_LNK_COMDAT` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`6.38524`

.idata\xa4

MD5	`4b32c307ca6cf5e665257fd44a45c686`
SHA1	`5ba4ddbcddd3563652699e9a4eeeb820233997c1`
SHA256	`b30c84fe6b62edc63ed496d295a1e6dd2651334460b88fc0de8d73f19e181c67`
SHA3	`e59c3832570c81dcd3dbfda43a8d44840dbee2aa294a2ef2b42e2202948f9e63`
VirtualSize	`0x7f2`
VirtualAddress	`0xa000`
SizeOfRawData	`0x1098`
PointerToRawData	`0xa000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`4.51062`

.rsrc\x00\xff

MD5	`bdfd237a1bab40576f79cea833f68951`
SHA1	`5a71f7d79d7df43e6b8fa36ad8e0cc6f9fca9bea`
SHA256	`eea59b8347355c09263531b8e5b3226258539bbe1c437546105f49ad87bb3b42`
SHA3	`2128b97320577e17bf9f84933f39f98baa00cf0846023b93cb0ada581ab74782`
VirtualSize	`0x150`
VirtualAddress	`0xb000`
SizeOfRawData	`0x1000`
PointerToRawData	`0xb000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_TYPE_GROUP` `IMAGE_SCN_TYPE_NO_PAD`
Entropy	`4.05024`

.r\x8aloc

MD5	`e67298ab8a436eb49b151c8c3fd5567d`
SHA1	`f3772428e731712c97ee0b914ea230860fddd4dd`
SHA256	`cd1df0002b7693306a70bff2dda98c3645af5e8a14d7947a2d8d8cd84f02afb1`
SHA3	`910e454b482fa3537d3759ba67e79b6bbc5070f0f96fc4be0a7fa63419cde915`
VirtualSize	`0x9f2`
VirtualAddress	`0xc000`
SizeOfRawData	`0x1000`
PointerToRawData	`0xc000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`4.36016`

Imports

MFC42u.DLL	`#6051` `#4072` `#1768` `#4401` `#5233` `#2374` `#5157` `#6370` `#4347` `#5279` `#2641` `#1658` `#3793` `#4831` `#4430` `#2640` `#2047` `#6372` `#3744` `#5059` `#1720` `#2437` `#2116` `#5273` `#2977` `#3142` `#3254` `#4459` `#3131` `#3257` `#2980` `#3076` `#2971` `#3825` `#3826` `#3820` `#3074` `#4075` `#4621` `#4421` `#401` `#674` `#5250` `#825` `#823` `#4606` `#4604` `#4269` `#6371` `#4480` `#2546` `#2504` `#5727` `#3917` `#1089` `#5193` `#2388` `#3341` `#5296` `#5298` `#2717` `#4074` `#4692` `#5303` `#5285` `#5710` `#4616` `#4418` `#3733` `#561` `#815` `#6211` `#617` `#5297` `#5208` `#296` `#986` `#411` `#4154` `#6113` `#2613` `#1131` `#5261` `#4370` `#4847` `#4992` `#4704` `#2506` `#6048` `#4073` `#1767` `#5237` `#2377` `#5276` `#4435` `#5257` `#2438` `#4419` `#3592` `#324` `#641` `#4229` `#1817` `#4233` `#4690` `#3053` `#3060` `#6332` `#2502` `#2534` `#5239` `#5736` `#1739` `#5573` `#4147` `#5649` `#4414` `#4947` `#2391` `#4381` `#3449` `#3193` `#6076` `#6171` `#4617` `#4420` `#652` `#338` `#4817` `#4852` `#2879` `#1165` `#1912` `#4257` `#4583` `#4582` `#4893` `#4364` `#4886` `#5070` `#4335` `#4343` `#4883` `#4525` `#4539` `#4537` `#4520` `#4523` `#4518` `#4957` `#4954` `#4103` `#5236` `#5286` `#3743` `#1718` `#4426` `#784` `#517` `#5256` `#5673` `#6127` `#6212` `#4717` `#800` `#616` `#2078` `#1971` `#3313` `#5769` `#5438` `#665` `#5180` `#354` `#6381` `#540` `#2294` `#3312` `#613` `#283` `#289` `#755` `#470` `#3568` `#3621` `#2406` `#3658` `#2854` `#2403` `#2015` `#4213` `#2570` `#4392` `#3397` `#3577` `#567` `#4128` `#4292` `#1851` `#4241` `#3864` `#2119` `#2383` `#5096` `#5099` `#4462` `#3345` `#975` `#2875` `#4148` `#2375` `#5280` `#4431` `#4422` `#796` `#554` `#529` `#402` `#807` `#2486` `#2619` `#2618` `#5996` `#2109` `#6617` `#4451` `#5251` `#4158` `#2873` `#2874` `#3398` `#5468` `#976` `#5006` `#3346` `#4298` `#4461` `#5098` `#5094` `#3054` `#2382` `#2715` `#2093` `#5095` `#4240` `#3167` `#1850` `#1569`
MSVCRT.dll	`_onexit` `__dllonexit` `_except_handler3` `__set_app_type` `__p__fmode` `__p__commode` `_adjust_fdiv` `__setusermatherr` `_initterm` `__wgetmainargs` `__CxxFrameHandler` `_ftol` `sqrt` `fabs` `rand` `_controlfp` `_exit` `_XcptFilter` `exit` `_wcmdln`
KERNEL32.dll	`GetStartupInfoW` `GetModuleHandleW` `GetVersionExA` `WaitForSingleObject` `FindNextFileA` `HeapDestroy` `WriteFile` `ExitProcess` `FreeEnvironmentStringsA`
USER32.dll	`CreateWindowExA` `SetClassLongA` `InsertMenuW` `GetMessageTime` `SendMessageW` `FillRect` `InvalidateRect` `GetClientRect` `EnableWindow` `UpdateWindow` `GetDC`
GDI32.dll	`(EMPTY)`
ADVAPI32.dll	`RegCreateKeyW`

Delayed Imports

100

Type	`RT_DIALOG`
Language	Chinese - PRC
Codepage	UNKNOWN
Size	`0x112`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`0`
MD5	`d41d8cd98f00b204e9800998ecf8427e`
SHA1	`da39a3ee5e6b4b0d3255bfef95601890afd80709`
SHA256	`e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`
SHA3	`a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a`

130

Type	`RT_DIALOG`
Language	Chinese - PRC
Codepage	UNKNOWN
Size	`0x122`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`0`
MD5	`d41d8cd98f00b204e9800998ecf8427e`
SHA1	`da39a3ee5e6b4b0d3255bfef95601890afd80709`
SHA256	`e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`
SHA3	`a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a`

132

Type	`RT_DIALOG`
Language	Chinese - PRC
Codepage	UNKNOWN
Size	`0x32`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`0`
MD5	`d41d8cd98f00b204e9800998ecf8427e`
SHA1	`da39a3ee5e6b4b0d3255bfef95601890afd80709`
SHA256	`e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`
SHA3	`a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a`

128

Type	`UNKNOWN`
Language	Chinese - PRC
Codepage	UNKNOWN
Size	`0x901e`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`7.54855`
MD5	`5c732ee4d9e036268ee58ba2cc5cafae`
SHA1	`ca6e9b0a9b67f88f41b5a8357b549b89c94727db`
SHA256	`173bb2201a2bd9959e3a4bdc5a9983ada162acfb5b4f05e1cdf0884568f5c7ad`
SHA3	`c8fde59b4402910637caa2f8ea8d1ec1a8730e42e794b0aecdcda0024adc8e93`

Version Info

TLS Callbacks

Load Configuration

RICH Header

Errors

[*] Warning: Found a non-integer index of the COFF string table (/text). This PE was almost certainly manually crafted.
[!] Error: Could not read a COFF symbol.
[!] Error: directory 13 has a RVA of 0 but a non-null size.
[*] Warning: Ignored an invalid IMAGE_RESOURCE_DIRECTORY_ENTRY.
[*] Warning: Ignored an invalid IMAGE_RESOURCE_DIRECTORY_ENTRY.
[*] Warning: Ignored an invalid IMAGE_RESOURCE_DIRECTORY_ENTRY.
[*] Warning: Ignored an invalid IMAGE_RESOURCE_DIRECTORY_ENTRY.
[*] Warning: Ignored an invalid IMAGE_RESOURCE_DIRECTORY_ENTRY.
[*] Warning: Ignored an invalid IMAGE_RESOURCE_DIRECTORY_ENTRY.
[*] Warning: Ignored an invalid IMAGE_RESOURCE_DIRECTORY_ENTRY.
[*] Warning: Ignored an invalid IMAGE_RESOURCE_DIRECTORY_ENTRY.
[*] Warning: Ignored an invalid IMAGE_RESOURCE_DIRECTORY_ENTRY.
[*] Warning: Ignored an invalid IMAGE_RESOURCE_DIRECTORY_ENTRY.
[*] Warning: Ignored an invalid IMAGE_RESOURCE_DIRECTORY_ENTRY.
[*] Warning: Ignored an invalid IMAGE_RESOURCE_DIRECTORY_ENTRY.
[*] Warning: Ignored an invalid IMAGE_RESOURCE_DIRECTORY_ENTRY.
[*] Warning: Ignored an invalid IMAGE_RESOURCE_DIRECTORY_ENTRY.
[*] Warning: Ignored an invalid IMAGE_RESOURCE_DIRECTORY_ENTRY.
[*] Warning: Ignored an invalid IMAGE_RESOURCE_DIRECTORY_ENTRY.
[*] Warning: Ignored an invalid IMAGE_RESOURCE_DIRECTORY_ENTRY.
[*] Warning: Ignored an invalid IMAGE_RESOURCE_DIRECTORY_ENTRY.
[*] Warning: Ignored an invalid IMAGE_RESOURCE_DIRECTORY_ENTRY.
[*] Warning: Ignored an invalid IMAGE_RESOURCE_DIRECTORY_ENTRY.
[*] Warning: Ignored an invalid IMAGE_RESOURCE_DIRECTORY_ENTRY.
[*] Warning: Ignored an invalid IMAGE_RESOURCE_DIRECTORY_ENTRY.
[*] Warning: Ignored an invalid IMAGE_RESOURCE_DIRECTORY_ENTRY.
[*] Warning: Ignored an invalid IMAGE_RESOURCE_DIRECTORY_ENTRY.
[*] Warning: Ignored an invalid IMAGE_RESOURCE_DIRECTORY_ENTRY.
[*] Warning: Ignored an invalid IMAGE_RESOURCE_DIRECTORY_ENTRY.
[*] Warning: Ignored an invalid IMAGE_RESOURCE_DIRECTORY_ENTRY.
[*] Warning: Ignored an invalid IMAGE_RESOURCE_DIRECTORY_ENTRY.
[*] Warning: Ignored an invalid IMAGE_RESOURCE_DIRECTORY_ENTRY.
[*] Warning: Ignored an invalid IMAGE_RESOURCE_DIRECTORY_ENTRY.
[*] Warning: Ignored an invalid IMAGE_RESOURCE_DIRECTORY_ENTRY.
[*] Warning: Ignored an invalid IMAGE_RESOURCE_DIRECTORY_ENTRY.
[*] Warning: Ignored an invalid IMAGE_RESOURCE_DIRECTORY_ENTRY.
[*] Warning: Ignored an invalid IMAGE_RESOURCE_DIRECTORY_ENTRY.
[*] Warning: Ignored an invalid IMAGE_RESOURCE_DIRECTORY_ENTRY.
[!] Error: Could not read an IMAGE_RESOURCE_DIRECTORY_ENTRY's name.
[*] Warning: Could not locate the section containing resource 100. Trying to use the RVA as an offset...
[*] Warning: Could not locate the section containing resource 130. Trying to use the RVA as an offset...
[*] Warning: Could not locate the section containing resource 132. Trying to use the RVA as an offset...
[*] Warning: Resource 128 has a size of 0!
[*] Warning: Ignored an invalid IMAGE_RESOURCE_DIRECTORY_ENTRY.
[!] Error: Could not read an IMAGE_BASE_RELOCATION!
[*] Warning: Resource  is empty!
[*] Warning: Resource  is empty!
[*] Warning: Resource  is empty!