Manalyze report for 3964691daaafe4966588d0b1d03a29d749f220492080e9c975e30ec41a1f06e4

Summary

Architecture	`IMAGE_FILE_MACHINE_I386`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	2016-Apr-03 20:18:53
Detected languages	English - United States
Comments	Tool to directly print from web browser
CompanyName	PT. MKM
FileVersion	`5.0.0.0`
ProductName	PPOB Plugin

Plugin Output

Info	Interesting strings found in the binary:	`Contains domain names: http://nsis.sf.net http://nsis.sf.net/NSIS_Error nsis.sf.net`
Suspicious	The PE is an NSIS installer	`Unusual section name found: .ndata`
Malicious	The PE contains functions mostly used by malware.	`[!] The program may be hiding some of its imports: GetProcAddress LoadLibraryExA` `Can access the registry: RegDeleteKeyA RegOpenKeyExA RegEnumValueA RegDeleteValueA RegCloseKey RegCreateKeyExA RegSetValueExA RegQueryValueExA RegEnumKeyA` `Possibly launches other programs: CreateProcessA ShellExecuteA` `Can create temporary files: CreateFileA GetTempPathA` `Functions related to the privilege level: OpenProcessToken AdjustTokenPrivileges` `Changes object ACLs: SetFileSecurityA` `Can shut the system down or lock the screen: ExitWindowsEx`
Suspicious	The file contains overlay data.	`3277111 bytes of data starting at offset 0x9000.` `The overlay data has an entropy of 7.99995 and is possibly compressed or encrypted.` `Overlay data amounts for 98.8876% of the executable.`
Suspicious	VirusTotal score: 2/68 (Scanned on 2021-05-20 06:01:10)	`Bkav: W32.AIDetect.malware1` `APEX: Malicious`

Hashes

MD5	`587b0fbfa243219c2386e599344bff7e`
SHA1	`ae8d473730f9c3632b2836c224c2562530c9ff37`
SHA256	`3964691daaafe4966588d0b1d03a29d749f220492080e9c975e30ec41a1f06e4`
SHA3	`0c8c0601aa52da7e0fa3ae06c65608abdd0287ddea95256661af5403352b221c`
SSDeep	`98304:Lq2wFRIpVnhhY18siTiQRKTBIUq+xc4/LtM:L9wyY18hRKtIh+xK`
Imports Hash	`4f67aeda01a0484282e8c59006b0b352`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0xd8`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_I386`
NumberofSections	`5`
TimeDateStamp	2016-Apr-03 20:18:53
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xe0`
Characteristics	`IMAGE_FILE_32BIT_MACHINE` `IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LINE_NUMS_STRIPPED` `IMAGE_FILE_LOCAL_SYMS_STRIPPED` `IMAGE_FILE_RELOCS_STRIPPED`

Image Optional Header

Magic	`PE32`
LinkerVersion	`6.0`
SizeOfCode	`0x5e00`
SizeOfInitializedData	`0x1d000`
SizeOfUninitializedData	`0x400`
AddressOfEntryPoint	`0x0000322B (Section: .text)`
BaseOfCode	`0x1000`
BaseOfData	`0x7000`
ImageBase	`0x400000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`4.0`
ImageVersion	`6.0`
SubsystemVersion	`4.0`
Win32VersionValue	`0`
SizeOfImage	`0x2e000`
SizeOfHeaders	`0x400`
Checksum	`0`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` `IMAGE_DLLCHARACTERISTICS_NO_SEH` `IMAGE_DLLCHARACTERISTICS_NX_COMPAT` `IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`a23d2965909b5f64725fd24c7252001b`
SHA1	`702af4fa7e33a0b816c547f5aebb3babcbeea641`
SHA256	`ecf9cae74e0c473ea0bd49dd879c2cf41453bcb157531b17438aa0df1494cca4`
SHA3	`54164042ef29981d8a4a714f14d43750613a7455e5ade2ed071e7de4ac87d74f`
VirtualSize	`0x5dc5`
VirtualAddress	`0x1000`
SizeOfRawData	`0x5e00`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.47113`

.rdata

MD5	`6389f916226544852e494114faf192ad`
SHA1	`5a8bd7dc51e26e238ac906646d9390d89e9de99b`
SHA256	`96fda7c3b5c92d7089fdd266fb9069a5490e2ae8ea7704c5a15f8ef53ee746ad`
SHA3	`4b0f9cf9e8c6bf0014311228d4e775d5a3ef7c286d6e4b0c9e2e4756a62b3dba`
VirtualSize	`0x1246`
VirtualAddress	`0x7000`
SizeOfRawData	`0x1400`
PointerToRawData	`0x6200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`5.0004`

.data

MD5	`72dcd89e8824ae186467be61797ed81e`
SHA1	`c6906f332b1845c07472aabe92674e8d436cbf12`
SHA256	`3e9253bb993ad5268ecf27f1ef8f33adad3dbb57ce5bf0d58e1ae1c0a64b4545`
SHA3	`979578ce7b54a64e6c3682c3ddb6023964ecb9681571ec94b197f5bcc6cf37d8`
VirtualSize	`0x1a818`
VirtualAddress	`0x9000`
SizeOfRawData	`0x400`
PointerToRawData	`0x7600`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`5.2206`

.ndata

MD5	`d41d8cd98f00b204e9800998ecf8427e`
SHA1	`da39a3ee5e6b4b0d3255bfef95601890afd80709`
SHA256	`e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`
SHA3	`a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a`
VirtualSize	`0x8000`
VirtualAddress	`0x24000`
SizeOfRawData	`0`
PointerToRawData	`0`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_UNINITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`

.rsrc

MD5	`42d1d8945db0204821c516b4ed2134d7`
SHA1	`be1833a14ebef71d6e2d60588698519dfad9dfed`
SHA256	`9f0d8da48c6da23f388140a167860f4ec62a61906562416ce09c09c359b4e14c`
SHA3	`f5df7448c39d1b8aafece6729390e484423fa637d12b1d2595e85728acb6f63a`
VirtualSize	`0x1418`
VirtualAddress	`0x2c000`
SizeOfRawData	`0x1600`
PointerToRawData	`0x7a00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`4.14947`

Imports

KERNEL32.dll	`CopyFileA` `Sleep` `GetTickCount` `CreateFileA` `GetFileSize` `GetModuleFileNameA` `ReadFile` `GetFileAttributesA` `SetFileAttributesA` `ExitProcess` `SetEnvironmentVariableA` `GetWindowsDirectoryA` `GetTempPathA` `GetCommandLineA` `lstrlenA` `GetVersion` `GetCurrentProcess` `GetFullPathNameA` `GetDiskFreeSpaceA` `GlobalUnlock` `GlobalLock` `CreateThread` `GetLastError` `CreateDirectoryA` `CreateProcessA` `RemoveDirectoryA` `GetTempFileNameA` `WriteFile` `lstrcpyA` `MoveFileExA` `lstrcatA` `GetSystemDirectoryA` `GetProcAddress` `CloseHandle` `SetCurrentDirectoryA` `MoveFileA` `CompareFileTime` `GetShortPathNameA` `SearchPathA` `lstrcmpiA` `SetFileTime` `lstrcmpA` `ExpandEnvironmentStringsA` `lstrcpynA` `SetErrorMode` `GlobalFree` `FindFirstFileA` `FindNextFileA` `DeleteFileA` `SetFilePointer` `GetPrivateProfileStringA` `FindClose` `MultiByteToWideChar` `FreeLibrary` `MulDiv` `WritePrivateProfileStringA` `LoadLibraryExA` `GetModuleHandleA` `GetExitCodeProcess` `WaitForSingleObject` `GlobalAlloc`
USER32.dll	`ScreenToClient` `GetSystemMenu` `SetClassLongA` `IsWindowEnabled` `SetWindowPos` `GetSysColor` `GetWindowLongA` `SetCursor` `LoadCursorA` `CheckDlgButton` `GetMessagePos` `LoadBitmapA` `CallWindowProcA` `IsWindowVisible` `CloseClipboard` `SetClipboardData` `EmptyClipboard` `PostQuitMessage` `GetWindowRect` `EnableMenuItem` `CreatePopupMenu` `GetSystemMetrics` `SetDlgItemTextA` `GetDlgItemTextA` `MessageBoxIndirectA` `CharPrevA` `DispatchMessageA` `PeekMessageA` `ReleaseDC` `EnableWindow` `InvalidateRect` `SendMessageA` `DefWindowProcA` `BeginPaint` `GetClientRect` `FillRect` `DrawTextA` `EndDialog` `RegisterClassA` `SystemParametersInfoA` `CreateWindowExA` `GetClassInfoA` `DialogBoxParamA` `CharNextA` `ExitWindowsEx` `GetDC` `CreateDialogParamA` `SetTimer` `GetDlgItem` `SetWindowLongA` `SetForegroundWindow` `LoadImageA` `IsWindow` `SendMessageTimeoutA` `FindWindowExA` `OpenClipboard` `TrackPopupMenu` `AppendMenuA` `EndPaint` `DestroyWindow` `wsprintfA` `ShowWindow` `SetWindowTextA`
GDI32.dll	`SelectObject` `SetBkMode` `CreateFontIndirectA` `SetTextColor` `DeleteObject` `GetDeviceCaps` `CreateBrushIndirect` `SetBkColor`
SHELL32.dll	`SHGetSpecialFolderLocation` `SHGetPathFromIDListA` `SHBrowseForFolderA` `SHGetFileInfoA` `ShellExecuteA` `SHFileOperationA`
ADVAPI32.dll	`RegDeleteKeyA` `SetFileSecurityA` `OpenProcessToken` `LookupPrivilegeValueA` `AdjustTokenPrivileges` `RegOpenKeyExA` `RegEnumValueA` `RegDeleteValueA` `RegCloseKey` `RegCreateKeyExA` `RegSetValueExA` `RegQueryValueExA` `RegEnumKeyA`
COMCTL32.dll	`ImageList_Create` `ImageList_AddMasked` `ImageList_Destroy` `#17`
ole32.dll	`OleUninitialize` `OleInitialize` `CoTaskMemFree` `CoCreateInstance`

Delayed Imports

110

Type	`RT_BITMAP`
Language	English - United States
Codepage	UNKNOWN
Size	`0x368`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.22336`
MD5	`3811c1e0a9153b958f1da69a3f801f3c`
SHA1	`4044512d457358973fc8f9180edca0486227e1fe`
SHA256	`a875f9b3c1f31835b3f70c23a8a1daa06404b82d61887d035731eb13f649c0db`
SHA3	`a1ff563ee071b39f785871bba806b49079d9b91b72bc90853b26e663f150d722`
Preview

1

Type	`RT_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x2e8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.50665`
MD5	`f00e9d9f29bad0b3f02ccf494a4f3a1f`
SHA1	`57f9c03e30c91d3035c2b658fff178f0e154947f`
SHA256	`7b99f0e5e7a3db2de9f02622f1ac8a0c9599492dd00196b3cb3c2ed15bbde57d`
SHA3	`ac2209893371010acb09ae7f6b8b3f6cb19c857bf9a89f6cfb543f351300bd09`

103

Type	`RT_DIALOG`
Language	English - United States
Codepage	UNKNOWN
Size	`0x144`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.61782`
MD5	`46e58d12697ed2f2a218e47ae5bcfa3c`
SHA1	`1b5cde960720d5c1a9c26ded031e89d9e9ec2ecb`
SHA256	`18cfaba468cd4b07a8909fc3273f06302319b7963f75c4dda78b688c576511f0`
SHA3	`b08f048407ff29a6cadc4ed351fb591beeb4ccb1a0be22148fc38832807cb1b3`

104

Type	`RT_DIALOG`
Language	English - United States
Codepage	UNKNOWN
Size	`0x13c`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.6935`
MD5	`f710f3209a382e2a0e846cba6190f7d7`
SHA1	`357127cda13b5efb04d3dbde8bff3c4e17633447`
SHA256	`0a8e57a753806a4051f65d26f2da369cc30a0820b2d275bb3ad4ec43127afc25`
SHA3	`33f283ae26c36baeca1b65a18d658bc4c43e7095fd7fe682dd5ebec5f055755b`

105

Type	`RT_DIALOG`
Language	English - United States
Codepage	UNKNOWN
Size	`0x100`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.66174`
MD5	`3409f314895161597f3c395cc5f65525`
SHA1	`1a99d016d65e567f24449d9362afb6ac44006d0b`
SHA256	`fecdb955f8d7f1c219ff8167f90b64f3cb52e53337494577ff73c0ac1dafcd96`
SHA3	`b3b19241cc6454389e45833e50b742ae1927a5f161017350a99f2cbc66914f26`

106

Type	`RT_DIALOG`
Language	English - United States
Codepage	UNKNOWN
Size	`0x11c`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.88094`
MD5	`2d12c45dc2c029044aaff357141cb900`
SHA1	`083db861ab3c7db23c6257878296e73a89a74b8b`
SHA256	`69897c784f1491eb3024b0d52c2897196a2e245974497fda1915db5fefcf8729`
SHA3	`349b5d605c9c3efe5e0c4e2faa12dd21022fc5f9b053f2cbf4e2a6b8bc656442`

107

Type	`RT_DIALOG`
Language	English - United States
Codepage	UNKNOWN
Size	`0xc4`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.62276`
MD5	`b3b970ba2a434ca224efafe05aad1d06`
SHA1	`d972e50cdb3e17d9b8d22b160b65c2d6c8b66c52`
SHA256	`2d986f26ff752607366192a903078cdd7d6da06ab97309c85cd5c8cf05f823b6`
SHA3	`7b712c22d11a139c02d0f53916c725b62010452bca8c6fa37dad7542e322d0b8`

111

Type	`RT_DIALOG`
Language	English - United States
Codepage	UNKNOWN
Size	`0x60`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.48825`
MD5	`6be4e1387d369cf86e68eacbdd0e81dd`
SHA1	`351970fe2681b9b35b5d59ad052011ed96a96e17`
SHA256	`85025c8556952f6a651c2468c8a0d58853b0ba482be9ad5cd3060f216540dfc0`
SHA3	`45e552e173141e06d113209b6cc915042ad0b4d5531464b8dbe5637029f489cb`

103 (#2)

Type	`RT_GROUP_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x14`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.16096`
Detected Filetype	Icon file
MD5	`42cf62b780813706e75fb9f2b2e8c258`
SHA1	`a022d5c1cfdd8aace0089f3e72f2eedd41bda464`
SHA256	`a0c9d012e2bf6b2fe05c2d97cb5594d97cf2f539e97935c12abd7a3562f4d9bf`
SHA3	`0aafc8e3d8b6bde595537da4ffe0efc5fe53f01dafe336a2a5828b6a71283d3c`

1 (#2)

Type	`RT_VERSION`
Language	English - United States
Codepage	UNKNOWN
Size	`0x1dc`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.18387`
MD5	`aaa487f258efe4d728bc75646b4d4077`
SHA1	`2637cbe6fdf1fecaff16186907cca2fbcdfeb131`
SHA256	`48a9fd71d3e3b211ee7bbce578c84f9b3656f0208a9bbb0c48ecff9741e8d91a`
SHA3	`fe850fc7f5fa60bbd1ffff724bdd8864949c0f57f7dea531175a5b4f73975cfb`

1 (#3)

Type	`RT_MANIFEST`
Language	English - United States
Codepage	UNKNOWN
Size	`0x34b`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.28635`
MD5	`9c9172023d736a81ab35a005294b71e1`
SHA1	`a19a712428fa02ec7da887c4d836ceb905cb22ea`
SHA256	`c3fd4c96c4a3487294c9a5e7cd17ebe6f4d70f12dd641d8e912abe210ded9dcc`
SHA3	`11f0e3d6803d9fe74b06ff88ec2b2607f1e4b8f1e4cb4b46131d569157a3e2d2`

Version Info

Signature	`0xfeef04bd`
StructVersion	`0`
FileVersion	5.0.0.0
ProductVersion	5.0.0.0
FileFlags	`(EMPTY)`
FileOs	`VOS_DOS_WINDOWS32` `VOS_NT_WINDOWS32` `VOS__WINDOWS32`
FileType	`VFT_APP`
Language	English - United States
Comments	Tool to directly print from web browser
CompanyName	PT. MKM
FileVersion (#2)	5.0.0.0
ProductName	PPOB Plugin

Resource LangID	English - United States

TLS Callbacks

Load Configuration

RICH Header

XOR Key	`0xd246d0e9`
Unmarked objects	`0`
C objects (VS2003 (.NET) build 4035)	`2`
Total imports	`159`
Imports (VS2003 (.NET) build 4035)	`15`
48 (9044)	`10`
Resource objects (VS98 SP6 cvtres build 1736)	`1`

Errors

[*] Warning: Section .ndata has a size of 0!

Leave a comment

No comments yet.