Manalyze report for 3ab00a9b0d4e2c8336568a5de00ae43a

Summary

Architecture	`IMAGE_FILE_MACHINE_I386`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	2013-Mar-28 22:45:04

Plugin Output

Info	Matching compiler(s):	`Microsoft Visual C++ 6.0 - 8.0` `Microsoft Visual C++ 8`
Suspicious	PEiD Signature:	`ASPack v2.12`
Suspicious	The PE is packed with Aspack or Armadillo	`Section .text is both writable and executable.` `Unusual section name found: .aspack` `Section .aspack is both writable and executable.` `Unusual section name found: .adata` `Section .adata is both writable and executable.` `Unusual section name found: .newiat`
Info	The PE contains common functions which appear in legitimate applications.	`[!] The program may be hiding some of its imports: GetProcAddress LoadLibraryA LoadLibraryW`
Suspicious	The PE header may have been manually modified.	`Resource 79 is possibly compressed or encrypted.` `The resource timestamps differ from the PE header: 2020-Oct-22 01:10:16`
Malicious	The program tries to mislead users about its origins.	`The PE pretends to be from AMd but is not signed!`
Malicious	VirusTotal score: 56/71 (Scanned on 2023-05-24 07:49:33)	`Bkav: W32.AIDetectMalware` `Lionic: Trojan.Win32.Generic.m9uu` `Elastic: malicious (high confidence)` `MicroWorld-eScan: Trojan.Generic.KDZ.12397` `ClamAV: Win.Trojan.Ag-4254306-1` `CAT-QuickHeal: TrojanDownloader.Carberp` `McAfee: PWS-Zbot-FAXY!3AB00A9B0D4E` `Malwarebytes: Malware.AI.788052892` `VIPRE: Trojan.Generic.KDZ.12397` `Sangfor: Suspicious.Win32.Save.ins` `K7AntiVirus: Trojan ( 0053bba21 )` `K7GW: Trojan ( 0053bba21 )` `Cybereason: malicious.b0d4e2` `Cyren: W32/Injector.BNF.gen!Eldorado` `Symantec: ML.Attribute.HighConfidence` `ESET-NOD32: a variant of Win32/Injector.AEOI` `APEX: Malicious` `Cynet: Malicious (score: 100)` `Kaspersky: Trojan.Win32.Agentb.jcf` `BitDefender: Trojan.Generic.KDZ.12397` `NANO-Antivirus: Trojan.Win32.Agent.brmlyv` `Avast: Win32:Carberp-AOR [Trj]` `Tencent: Win32.Trojan.Agentb.Mqil` `Emsisoft: Trojan.Generic.KDZ.12397 (B)` `F-Secure: Trojan.TR/GenGun.A` `DrWeb: Trojan.Packed.24081` `Zillya: Trojan.Agentb.Win32.758` `TrendMicro: Mal_LIFTOH2` `McAfee-GW-Edition: BehavesLike.Win32.Generic.dt` `Trapmine: malicious.high.ml.score` `FireEye: Generic.mg.3ab00a9b0d4e2c83` `Sophos: Mal/Generic-S` `SentinelOne: Static AI - Malicious PE` `GData: Trojan.Generic.KDZ.12397` `Jiangmin: Trojan/Agentb.uh` `Avira: TR/GenGun.A` `MAX: malware (ai score=86)` `Antiy-AVL: Trojan/Win32.Agentb` `Xcitium: TrojWare.Win32.Injector.AFSS@4wik6f` `Arcabit: Trojan.Generic.KDZ.D306D` `ZoneAlarm: Trojan.Win32.Agentb.jcf` `Microsoft: TrojanDownloader:Win32/Carberp.BR` `Google: Detected` `AhnLab-V3: Trojan/Win.Agentb.C5432075` `BitDefenderTheta: AI:Packer.21A2605920` `ALYac: Trojan.Generic.KDZ.12397` `VBA32: BScope.Trojan.Agent` `Cylance: unsafe` `Panda: Trj/CI.A` `TrendMicro-HouseCall: Mal_LIFTOH2` `Rising: Malware.FakeDOC/ICON!1.9C3B (CLASSIC)` `Ikarus: Virus.Win32.CeeInject` `Fortinet: W32/Injector.ZVR!tr` `AVG: Win32:Carberp-AOR [Trj]` `DeepInstinct: MALICIOUS` `CrowdStrike: win/malicious_confidence_100% (W)`

Hashes

MD5	`3ab00a9b0d4e2c8336568a5de00ae43a`
SHA1	`e061e82d78e4d97ada5a380132589c225ddc4e9a`
SHA256	`741c26bed7659054d221b342cb6bda331af7ce56021dee5c7599f6274424b806`
SHA3	`b5aa31e468692388d054cff26ba4891a07a0329fe19e9bf7606ee15f20a0aac2`
SSDeep	`3072:521OyPWu2zkRiiGm0Ztoz+BwXUlHaKCvpHzmsq6A5087:521Pr4iGTtUoHazTmsq6G`
Imports Hash	`d41d8cd98f00b204e9800998ecf8427e`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0xd8`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_I386`
NumberofSections	`8`
TimeDateStamp	2013-Mar-28 22:45:04
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xe0`
Characteristics	`IMAGE_FILE_32BIT_MACHINE` `IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_RELOCS_STRIPPED`

Image Optional Header

Magic	`PE32`
LinkerVersion	`9.0`
SizeOfCode	`0xe400`
SizeOfInitializedData	`0x1be00`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x00002647 (Section: .text)`
BaseOfCode	`0x1000`
BaseOfData	`0x10000`
ImageBase	`0x400000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`5.0`
ImageVersion	`0.0`
SubsystemVersion	`5.0`
Win32VersionValue	`0`
SizeOfImage	`0x4b000`
SizeOfHeaders	`0x400`
Checksum	`0`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`2a10fc0d046f18c83ca521c528b76dbc`
SHA1	`d2ba54580195846bd257a1426dca00d3c97b4e1b`
SHA256	`70bbb32bb22f441ecdc8b5d72e0be1ef4925a8d9d8ed16af3cad8a92824b7229`
SHA3	`cc4e1ee089f5cd9047d78e971f02dc5292495c9fe985dc86f889280b18fcc35d`
VirtualSize	`0xf000`
VirtualAddress	`0x1000`
SizeOfRawData	`0x10000`
PointerToRawData	`0x1000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`6.37256`

.rdata

MD5	`f019ad8fca843fb88df4d8e2930ea8f3`
SHA1	`e3d05e2949408d201764d0471e47dec3ac46e399`
SHA256	`f8aad53ef8710d939fe33466831c0cd09358e85870ce1b351faf1cf98313151b`
SHA3	`12546643c4ca6c62f70d9bda19e7569e9b1fedc039d22e173f5c464ba17b23e3`
VirtualSize	`0x4000`
VirtualAddress	`0x10000`
SizeOfRawData	`0x5000`
PointerToRawData	`0x10000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`5.41616`

.data

MD5	`c2176e89877ae0f86f1879a86df23c70`
SHA1	`b252545edd7d5fa0ef6e30b63eb5916b18e97931`
SHA256	`bf64d243a769b2a152a1e1246676b0a0b4df3c295d7dc02dcc79ba202be75638`
SHA3	`b881d1cab45e8ffb847de46daa95b619ae85b0bcbc8df15337ce96ae48cef8d3`
VirtualSize	`0x5000`
VirtualAddress	`0x14000`
SizeOfRawData	`0x6000`
PointerToRawData	`0x14000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`3.21131`

.rsrc

MD5	`84fafa341f0147b3abbe4d722eccaf51`
SHA1	`86692f988e2b19b5349dfb1bc8a9b5688ce7f1e4`
SHA256	`1be5cadebc564fcfc52cff5899748fcd76ba7b8a59f13719c2a6abad5f1ac0b7`
SHA3	`74502d3613b5a473510172c81c772970f6b1bbaea8d4685e461da5e18e7a20cd`
VirtualSize	`0x16000`
VirtualAddress	`0x19000`
SizeOfRawData	`0x17000`
PointerToRawData	`0x19000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`0.383713`

.reloc

MD5	`90bfc4a8020a552bc0572e623d1d13ea`
SHA1	`b5bf4525373d05f421ff2320b853956974d5cda1`
SHA256	`644c01c94c5eb6109180eef03a8028b1416e3dd4536b8c7aa1e978a7f8af6bc1`
SHA3	`1b87ec3c62f848701f352a9fd53b8fbfd396a7c2f3c1cf09acb66f876e55b8aa`
VirtualSize	`0x1000`
VirtualAddress	`0x2f000`
SizeOfRawData	`0x2000`
PointerToRawData	`0x2f000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`6.04779`

.aspack

MD5	`fdea1730ab0f0cd5e047d5d67d7ad363`
SHA1	`f563f441d85d1b240269ebca96fdef8570919cc6`
SHA256	`776135b37ab878cbee28f7b6121645e28fa08449ff38ab0053d5becbbb9aa524`
SHA3	`5de27211a3eddd06220291faf76a16c29d27c050c4cbf054d6e6ef656e656151`
VirtualSize	`0x17000`
VirtualAddress	`0x30000`
SizeOfRawData	`0x18000`
PointerToRawData	`0x30000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`7.0267`

.adata

MD5	`0829f71740aab1ab98b33eae21dee122`
SHA1	`0631457264ff7f8d5fb1edc2c0211992a67c73e6`
SHA256	`9f1dcbc35c350d6027f98be0f5c8b43b42ca52b7604459c0c42be3aa88913d47`
SHA3	`f681764da64aad321f365155d0cf743275005f05c67517a0d3751c26c4ef5fa1`
VirtualSize	`0x2000`
VirtualAddress	`0x47000`
SizeOfRawData	`0x2000`
PointerToRawData	`0x47000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`0`

.newiat

MD5	`c6b09c46d7667ddcd0658ca6c7ea9480`
SHA1	`bf0aa98bb97d8278ed67b7615ff4048ebe923490`
SHA256	`9783bd9557319b9fde01f44afbd4b9201eb093d1755d09ed4eeea80e816a2672`
SHA3	`bcbcc37d6fe02a0249c0535b80bbebe183f48aac9c23f257e781f8ace36e0f77`
VirtualSize	`0x11c8`
VirtualAddress	`0x49000`
SizeOfRawData	`0x1200`
PointerToRawData	`0x49000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`4.34122`

Imports

KERNEL32.DLL	`(EMPTY)`
gdi32.dll	`(EMPTY)`
ntdll.dll	`(EMPTY)`
KERNEL32.DLL (#2)	`(EMPTY)`
KERNEL32.DLL (#3)	`(EMPTY)`
KERNEL32.DLL (#4)	`(EMPTY)`
KERNEL32.DLL (#5)	`(EMPTY)`
KERNEL32.DLL (#6)	`(EMPTY)`
KERNEL32.DLL (#7)	`(EMPTY)`
KERNEL32.DLL (#8)	`(EMPTY)`
KERNEL32.DLL (#9)	`(EMPTY)`
KERNEL32.DLL (#10)	`(EMPTY)`
KERNEL32.DLL (#11)	`(EMPTY)`
KERNEL32.DLL (#12)	`(EMPTY)`
KERNEL32.DLL (#13)	`(EMPTY)`
KERNEL32.DLL (#14)	`(EMPTY)`
KERNEL32.DLL (#15)	`(EMPTY)`
KERNEL32.DLL (#16)	`(EMPTY)`
KERNEL32.DLL (#17)	`(EMPTY)`
KERNEL32.DLL (#18)	`(EMPTY)`
KERNEL32.DLL (#19)	`(EMPTY)`
KERNEL32.DLL (#20)	`(EMPTY)`
KERNEL32.DLL (#21)	`(EMPTY)`
KERNEL32.DLL (#22)	`(EMPTY)`
KERNEL32.DLL (#23)	`(EMPTY)`
KERNEL32.DLL (#24)	`(EMPTY)`
KERNEL32.DLL (#25)	`(EMPTY)`
KERNEL32.DLL (#26)	`(EMPTY)`
KERNEL32.DLL (#27)	`(EMPTY)`
KERNEL32.DLL (#28)	`(EMPTY)`
KERNEL32.DLL (#29)	`(EMPTY)`
KERNEL32.DLL (#30)	`(EMPTY)`
KERNEL32.DLL (#31)	`(EMPTY)`
KERNEL32.DLL (#32)	`(EMPTY)`
KERNEL32.DLL (#33)	`(EMPTY)`
KERNEL32.DLL (#34)	`(EMPTY)`
KERNEL32.DLL (#35)	`(EMPTY)`
KERNEL32.DLL (#36)	`(EMPTY)`
KERNEL32.DLL (#37)	`(EMPTY)`
KERNEL32.DLL (#38)	`(EMPTY)`
KERNEL32.DLL (#39)	`(EMPTY)`
KERNEL32.DLL (#40)	`(EMPTY)`
KERNEL32.DLL (#41)	`(EMPTY)`
KERNEL32.DLL (#42)	`(EMPTY)`
KERNEL32.DLL (#43)	`(EMPTY)`
KERNEL32.DLL (#44)	`(EMPTY)`
KERNEL32.DLL (#45)	`(EMPTY)`
KERNEL32.DLL (#46)	`(EMPTY)`
KERNEL32.DLL (#47)	`(EMPTY)`
KERNEL32.DLL (#48)	`(EMPTY)`
KERNEL32.DLL (#49)	`(EMPTY)`
KERNEL32.DLL (#50)	`(EMPTY)`
KERNEL32.DLL (#51)	`(EMPTY)`
KERNEL32.DLL (#52)	`(EMPTY)`
KERNEL32.DLL (#53)	`(EMPTY)`
KERNEL32.DLL (#54)	`(EMPTY)`
KERNEL32.DLL (#55)	`(EMPTY)`
KERNEL32.DLL (#56)	`(EMPTY)`
KERNEL32.DLL (#57)	`(EMPTY)`
KERNEL32.DLL (#58)	`(EMPTY)`
KERNEL32.DLL (#59)	`(EMPTY)`
KERNEL32.DLL (#60)	`(EMPTY)`
KERNEL32.DLL (#61)	`(EMPTY)`
KERNEL32.DLL (#62)	`(EMPTY)`
KERNEL32.DLL (#63)	`(EMPTY)`
KERNEL32.DLL (#64)	`(EMPTY)`
KERNEL32.DLL (#65)	`(EMPTY)`
KERNEL32.DLL (#66)	`(EMPTY)`
gdi32.dll (#2)	`(EMPTY)`
gdi32.dll (#3)	`(EMPTY)`
gdi32.dll (#4)	`(EMPTY)`
gdi32.dll (#5)	`(EMPTY)`
gdi32.dll (#6)	`(EMPTY)`
gdi32.dll (#7)	`(EMPTY)`
gdi32.dll (#8)	`(EMPTY)`
gdi32.dll (#9)	`(EMPTY)`
ntdll.dll (#2)	`(EMPTY)`
ntdll.dll (#3)	`(EMPTY)`
ntdll.dll (#4)	`(EMPTY)`
ntdll.dll (#5)	`(EMPTY)`
ntdll.dll (#6)	`(EMPTY)`
ntdll.dll (#7)	`(EMPTY)`
ntdll.dll (#8)	`(EMPTY)`
ntdll.dll (#9)	`(EMPTY)`

Delayed Imports

1

Type	`RT_ICON`
Language	UNKNOWN
Codepage	UNKNOWN
Size	`0x10a8`
TimeDateStamp	2013-Mar-29 17:03:04
Entropy	`5.36889`
MD5	`74e97cca4777de69fc7fb0063bea623f`
SHA1	`1cdb2a6f17477ee0215445acfce139be5fb6b455`
SHA256	`4536fc5a1f6d03b89d36956725ba00f1fc1186e69a90167bde89958a599ee1c4`
SHA3	`f45ed572e8932fd310d5660a2d7029ea0aaf3d5a5bc73f2f6fa80f938847c7d9`

1 (#2)

Type	`RT_GROUP_ICON`
Language	UNKNOWN
Codepage	UNKNOWN
Size	`0x14`
TimeDateStamp	2013-Mar-29 17:03:04
Entropy	`1.7815`
Detected Filetype	Icon file
MD5	`3c68f77c35c26ff079a1c410ee44fa62`
SHA1	`0b40150c95fc2c6414c90d44ee78b8d8814b3393`
SHA256	`a14e70ed824f3f17d3a51136aa08839954d6d3ccadaa067415c7bfc08e6636b0`
SHA3	`590dcbf2ec3f485a6c24e3e627f383ee7588eb49978321f12c07d8190a6c1396`

79

Type	`RT_VERSION`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x1400f`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`7.35179`
MD5	`ebe2daff599ace37f18a0f61b9f35e3b`
SHA1	`ef847606c1b8ee508a68102a47f407aecc474cf2`
SHA256	`fe2dbc047fd30d5b2b6093982beeb049ecff7be3ee56a0120e308eed5cdb9e14`
SHA3	`3afe1f25ad73048b1db468eb0e5c098943b1f681ae30de49258bf894139750f5`

125

Type	`RT_VERSION`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x1e8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`6.6552`
MD5	`a1a80c40ac117d49c355f0f474ed12aa`
SHA1	`57a151e377224438f0d1c9142fd9bd846529cb4e`
SHA256	`77254dd3a7057fd7d9f0f27b33cbd285f530ccb1e6a9060159a65b199520feb9`
SHA3	`2e44290baa8de0d19f8c05e34c7cf93c7a390a518e737fcac9da57546282cc5d`

Version Info

TLS Callbacks

Load Configuration

RICH Header

XOR Key	`0xcf8022da`
Unmarked objects	`0`
C++ objects (VS2010 SP1 build 40219)	`25`
ASM objects (VS2010 SP1 build 40219)	`14`
C objects (VS2010 SP1 build 40219)	`103`
Imports (VS2008 SP1 build 30729)	`5`
Total imports	`86`
C++ objects (VS2008 build 21022)	`1`
Resource objects (VS2008 build 21022)	`1`

Errors

[*] Warning: Couldn't convert a string from a RT_STRING resource to UTF-8!
[!] Error: Could not read a VS_FIXED_FILE_INFO!
[*] Warning: Couldn't convert a string from a RT_STRING resource to UTF-8!
[!] Error: Could not read a VS_FIXED_FILE_INFO!
[*] Warning: Couldn't convert a string from a RT_STRING resource to UTF-8!
[!] Error: Could not read a VS_FIXED_FILE_INFO!
[*] Warning: Could not parse a VERSION_INFO resource!
[*] Warning: Couldn't convert a string from a RT_STRING resource to UTF-8!
[!] Error: Could not read a VS_FIXED_FILE_INFO!
[*] Warning: Could not parse a VERSION_INFO resource!