Manalyze report for 38f0d47e4bbf2c5f05c51f6c48a90629

Summary

Architecture	`IMAGE_FILE_MACHINE_I386`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	2006-Sep-18 10:22:54
Detected languages	Chinese - PRC
CompanyName	1
ProductName	kill
FileVersion	`1.00`
ProductVersion	`1.00`
InternalName	tel.xls
OriginalFilename	tel.xls.exe

Plugin Output

Info	Matching compiler(s):	`Microsoft Visual Basic v5.0/v6.0` `Microsoft Visual Basic v5.0 - v6.0` `Microsoft Visual Basic v6.0`
Suspicious	Strings found in the binary may indicate undesirable behavior:	`May have dropper capabilities: CurrentVersion\Run`
Malicious	VirusTotal score: 62/71 (Scanned on 2023-05-27 12:18:37)	`ALYac: Trojan.VB-atg` `APEX: Malicious` `AVG: Win32:VB-BBA [Trj]` `AhnLab-V3: Worm/Win32.AutoRun.R4172` `Alibaba: Worm:Win32/Texel.39abea3e` `Arcabit: Win32.Worm.VB.DG` `Avast: Win32:VB-BBA [Trj]` `Avira: TR/Crypt.CFI.Gen` `Baidu: Win32.Worm.VB.sj` `BitDefender: Win32.Worm.VB.DG` `BitDefenderTheta: AI:Packer.FD5FEF2B1D` `Bkav: W32.QQRob.Trojan` `ClamAV: Win.Trojan.Generic-8593886-0` `CrowdStrike: win/malicious_confidence_100% (W)` `Cybereason: malicious.e4bbf2` `Cylance: unsafe` `Cynet: Malicious (score: 99)` `Cyren: W32/Trojan.UYVL-6286` `DeepInstinct: MALICIOUS` `DrWeb: Trojan.Unsecure` `ESET-NOD32: Win32/VB.OSI` `Elastic: malicious (high confidence)` `Emsisoft: Win32.Worm.VB.DG (B)` `F-Secure: Trojan.TR/Crypt.CFI.Gen` `FireEye: Generic.mg.38f0d47e4bbf2c5f` `Fortinet: W32/AutoRun.RPV!worm` `GData: Win32.Worm.VB.DG` `Google: Detected` `Ikarus: Virus.Win32.Texel` `Jiangmin: Trojan/VB.ads` `K7AntiVirus: P2PWorm ( 0051e64b1 )` `K7GW: P2PWorm ( 0051e64b1 )` `Kaspersky: Virus.Win32.Texel.a` `Lionic: Virus.Win32.Texel.n!c` `MAX: malware (ai score=100)` `Malwarebytes: Malware.AI.3283652613` `MaxSecure: Virus.W32.Texel.A` `McAfee: W32/Generic.p!worm` `McAfee-GW-Edition: W32/Generic.p!worm` `MicroWorld-eScan: Win32.Worm.VB.DG` `Microsoft: Worm:Win32/Cacfu.A` `NANO-Antivirus: Virus.Win32.Texel.bcexhy` `Panda: W32/Guarder.D.worm` `Rising: Trojan.Win32.VB.ync (CLASSIC)` `SUPERAntiSpyware: Trojan.Agent/Gen-Cacfu` `Sangfor: Worm.Win32.VB.OSI` `SentinelOne: Static AI - Suspicious PE` `Sophos: Troj/QQRob-AAT` `Symantec: Infostealer.QQRob.A` `TACHYON: Trojan/W32.VB-Small.45056.AO` `Tencent: Trojan.Win32.VB.twq` `Trapmine: suspicious.low.ml.score` `TrendMicro: WORM_VB.CKH` `TrendMicro-HouseCall: WORM_VB.CKH` `VIPRE: Win32.Worm.VB.DG` `ViRobot: Trojan.Win32.VB.45056.V` `VirIT: Trojan.Win32.VB.DH` `Webroot: W32.Worm.Gen` `Xcitium: Worm.Win32.VB.~DC@15oyp` `Yandex: Trojan.GenAsa!9UJWxyQqbKw` `Zillya: Worm.VB.Win32.24700` `ZoneAlarm: Virus.Win32.Texel.a`

Hashes

MD5	`38f0d47e4bbf2c5f05c51f6c48a90629`
SHA1	`ac97088838bd44a351e678b53ad77893a89c9720`
SHA256	`fd5616b89a162b5abaa764581f790a8fc5c44b04586c3b1be2b4db9af8350ac2`
SHA3	`d61d2beeba8e71606925e18cf43c58390b48ea053813afbae71562e8341223a4`
SSDeep	`768:FMhkHdRrZogCwMfxQ0gDh3xHzI7+nYcd6bKtU329kWptH:ywRrzCPfxQjDh3xM38p`
Imports Hash	`c2ae2d4a4eb6ed56466c7a9a81d68c44`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0xb8`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_I386`
NumberofSections	`3`
TimeDateStamp	2006-Sep-18 10:22:54
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xe0`
Characteristics	`IMAGE_FILE_32BIT_MACHINE` `IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LINE_NUMS_STRIPPED` `IMAGE_FILE_LOCAL_SYMS_STRIPPED` `IMAGE_FILE_RELOCS_STRIPPED`

Image Optional Header

Magic	`PE32`
LinkerVersion	`6.0`
SizeOfCode	`0x8000`
SizeOfInitializedData	`0x2000`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x000018E0 (Section: .text)`
BaseOfCode	`0x1000`
BaseOfData	`0x9000`
ImageBase	`0x400000`
SectionAlignment	`0x1000`
FileAlignment	`0x1000`
OperatingSystemVersion	`4.0`
ImageVersion	`1.0`
SubsystemVersion	`4.0`
Win32VersionValue	`0`
SizeOfImage	`0xb000`
SizeOfHeaders	`0x1000`
Checksum	`0x17dce`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`316c2d89b030ef3f4e7f4d57e8e46e29`
SHA1	`3cdc3c25de0482e6476b75c11f4a5c2c3e5c1ba8`
SHA256	`fc121c1571caae944a77ac2c8f5a21f295c7988598cb35f3f1ed344f0abc969e`
SHA3	`7eacfec66312ef9bb7e04d097a87dbe05b6c897d6c3aaa21f372eaec6421387d`
VirtualSize	`0x7e60`
VirtualAddress	`0x1000`
SizeOfRawData	`0x8000`
PointerToRawData	`0x1000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`5.52027`

.data

MD5	`620f0b67a91f7f74151bc5be745b7110`
SHA1	`1ceaf73df40e531df3bfb26b4fb7cd95fb7bff1d`
SHA256	`ad7facb2586fc6e966c004d7d1d16b024f5805ff7cb47c7a85dabd8b48892ca7`
SHA3	`a99f9ed58079237f7f0275887f0c03a0c9d7d8de4443842297fceea67e423563`
VirtualSize	`0xa70`
VirtualAddress	`0x9000`
SizeOfRawData	`0x1000`
PointerToRawData	`0x9000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`0`

.rsrc

MD5	`2ee25c4d34858a11bbb1db0bf4e6858a`
SHA1	`008abb81a4eec223ebf46f94418d3a613df58461`
SHA256	`a1d26933ec0c4f1b279108d6fcd987edaf0e686e9e5909307dbf99874b5d1cf5`
SHA3	`1235b0b6c82e721ae4cabdbfd23ebff0b31682deb5f8870c9b7414799e6cae7b`
VirtualSize	`0x5e4`
VirtualAddress	`0xa000`
SizeOfRawData	`0x1000`
PointerToRawData	`0xa000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`1.65591`

Imports

MSVBVM60.DLL	`__vbaVarSub` `_CIcos` `_adj_fptan` `__vbaVarMove` `__vbaStrI4` `__vbaFreeVar` `__vbaLenBstr` `__vbaStrVarMove` `__vbaLineInputStr` `__vbaEnd` `__vbaFreeVarList` `_adj_fdiv_m64` `__vbaVarIndexStore` `__vbaFreeObjList` `_adj_fprem1` `#518` `__vbaStrCat` `__vbaLsetFixstr` `#553` `__vbaSetSystemError` `#661` `__vbaHresultCheckObj` `_adj_fdiv_m32` `#593` `#594` `__vbaOnError` `__vbaObjSet` `_adj_fdiv_m16i` `__vbaObjSetAddref` `_adj_fdivr_m16i` `__vbaVarIndexLoad` `__vbaBoolVarNull` `_CIsin` `#632` `__vbaChkstk` `__vbaFileClose` `EVENT_SINK_AddRef` `__vbaStrCmp` `__vbaVarTstEq` `__vbaObjVar` `DllFunctionCall` `__vbaVarOr` `__vbaVarLateMemSt` `_adj_fpatan` `__vbaFixstrConstruct` `EVENT_SINK_Release` `__vbaNew` `#600` `_CIsqrt` `__vbaVarAnd` `EVENT_SINK_QueryInterface` `__vbaVarMul` `__vbaExceptHandler` `__vbaStrToUnicode` `__vbaPrintFile` `__vbaDateStr` `_adj_fprem` `_adj_fdivr_m64` `#607` `#608` `__vbaFPException` `__vbaInStrVar` `__vbaStrVarVal` `__vbaVarCat` `__vbaDateVar` `#645` `_CIlog` `__vbaErrorOverflow` `__vbaFileOpen` `__vbaNew2` `_adj_fdiv_m32i` `_adj_fdivr_m32i` `__vbaStrCopy` `__vbaVarSetObj` `__vbaFreeStrList` `__vbaVarNot` `#576` `_adj_fdivr_m32` `_adj_fdiv_r` `#100` `__vbaI4Var` `__vbaVarCmpEq` `#610` `__vbaVarAdd` `__vbaLateMemCall` `__vbaStrToAnsi` `__vbaFpI4` `__vbaVarTstGe` `__vbaVarCopy` `__vbaVarLateMemCallLd` `#617` `__vbaVarSetObjAddref` `_CIatan` `__vbaStrMove` `__vbaCastObj` `__vbaStrVarCopy` `_allmul` `#545` `_CItan` `#546` `_CIexp` `__vbaFreeObj` `__vbaFreeStr` `#580`

Delayed Imports

30001

Type	`RT_ICON`
Language	UNKNOWN
Codepage	Unicode (UTF 16LE)
Size	`0x2e8`
TimeDateStamp	2006-Sep-18 10:22:54
Entropy	`3.10336`
MD5	`7a7518145cd29c219c4cf93f24021659`
SHA1	`650a51476a6b43ce4f551ae9e3cba14c7930e6ad`
SHA256	`57596901e65e7da4131327bf97a06d8aa44fe28b462bc4d7c24cd4ac4d79de9b`
SHA3	`18a7ead1649a2e16695d88495223bd7832dda7e0b7bd12a7af8e268a8111e17d`

1

Type	`RT_GROUP_ICON`
Language	UNKNOWN
Codepage	Unicode (UTF 16LE)
Size	`0x14`
TimeDateStamp	2006-Sep-18 10:22:54
Entropy	`2.55772`
Detected Filetype	Icon file
MD5	`3bf3dab34389939d33d9ed5fe5512e12`
SHA1	`9fa24dbd475945a72884a0eff2a65f3143c5403e`
SHA256	`28a84099cc59614e2e4f281774af68487a242bbb638164658b39435a1f0a57e1`
SHA3	`8ee351afb2db988569c0e2946baa513e52a25da7f882a909e43e70adec82d57d`

1 (#2)

Type	`RT_VERSION`
Language	Chinese - PRC
Codepage	Unicode (UTF 16LE)
Size	`0x1f8`
TimeDateStamp	2006-Sep-18 10:22:54
Entropy	`3.10118`
MD5	`8a54ded95e06a52a54fc7e7c6cb0a4ac`
SHA1	`bd101944423579fa766c91825f00f2cd275324c4`
SHA256	`d49563d79498c4ed3b739d97ed5b26665b6f0f108cf7117d9a42ce2fe7af5b1a`
SHA3	`4b2f6ac942044b594d1385b565675017cce466c7d6401474798a659f30a49827`

Version Info

Signature	`0xfeef04bd`
StructVersion	`0x10000`
FileVersion	1.0.0.0
ProductVersion	1.0.0.0
FileFlags	`(EMPTY)`
FileOs	`VOS_DOS_WINDOWS32` `VOS_NT_WINDOWS32` `VOS__WINDOWS32`
FileType	`VFT_APP`
Language	Chinese - PRC
CompanyName	1
ProductName	kill
FileVersion (#2)	1.00
ProductVersion (#2)	1.00
InternalName	tel.xls
OriginalFilename	tel.xls.exe

Resource LangID	Chinese - PRC

TLS Callbacks

Load Configuration

RICH Header

XOR Key	`0x8897fe31`
Unmarked objects	`0`
14 (7299)	`1`
9 (8783)	`1`
13 (VS98 SP6 build 8804)	`1`

38f0d47e4bbf2c5f05c51f6c48a90629

Summary

Plugin Output

Hashes

DOS Header

PE Header

Image Optional Header

.text

.data

.rsrc

Imports

Delayed Imports

30001

1

1 (#2)

Version Info

TLS Callbacks

Load Configuration

RICH Header

Errors