Manalyze report for 3f13da44561a3e2881f102a0f4beabc0

Summary

Architecture	`IMAGE_FILE_MACHINE_I386`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	2012-Dec-21 20:59:46

Plugin Output

Info	Matching compiler(s):	`MASM/TASM - sig1(h)`
Info	The PE contains common functions which appear in legitimate applications.	`[!] The program may be hiding some of its imports: GetProcAddress LoadLibraryA` `Can create temporary files: GetTempPathA CreateFileA`
Suspicious	The PE is possibly a dropper.	`Resource DLL is possibly compressed or encrypted.` `Resources amount for 99.4785% of the executable.`
Malicious	VirusTotal score: 52/70 (Scanned on 2019-09-25 09:24:10)	`Lionic: Hacktool.Win32.Agent.tpR4` `MicroWorld-eScan: Gen:Trojan.Heur.OuW@!xsN1Jc` `FireEye: Generic.mg.3f13da44561a3e28` `CAT-QuickHeal: Riskware.Dupatcher.A4` `McAfee: FilePatcher` `Cylance: Unsafe` `K7AntiVirus: Trojan ( 0040f3a51 )` `Alibaba: HackTool:Win32/Patcher.762292af` `K7GW: Trojan ( 0040f3a51 )` `Cybereason: malicious.4561a3` `Arcabit: Trojan.Heur.EA526C` `Invincea: heuristic` `Baidu: Win32.Trojan.Generic.f` `F-Prot: W32/Agent.KFY` `Symantec: ML.Attribute.HighConfidence` `TotalDefense: Win32/Patcher.AC` `APEX: Malicious` `Paloalto: generic.ml` `BitDefender: Gen:Trojan.Heur.OuW@!xsN1Jc` `SUPERAntiSpyware: Hack.Tool/Gen-Patcher` `Avast: Win32:Malware-gen` `Tencent: Win32.Trojan.Heur.Lkxn` `Ad-Aware: Gen:Trojan.Heur.OuW@!xsN1Jc` `Emsisoft: Gen:Trojan.Heur.OuW@!xsN1Jc (B)` `Comodo: TrojWare.Win32.Agent.WFN@4t5srs` `VIPRE: Trojan.Win32.Agent.wfn (v)` `TrendMicro: TROJ_GEN.R002C0PBN19` `McAfee-GW-Edition: BehavesLike.Win32.Generic.jc` `Trapmine: malicious.high.ml.score` `Sophos: Generic Patcher (PUA)` `Ikarus: possible-Threat.Hacktool.Patcher` `Cyren: W32/Agent.EWQQ-1275` `Webroot: W32.Hacktool.Gen` `Fortinet: Riskware/GamePatcher` `Antiy-AVL: RiskWare[RiskTool]/Win32.Patcher` `Endgame: malicious (high confidence)` `Microsoft: PUA:Win32/Keygen` `ViRobot: Trojan.Win32.Agent.754688.B` `AhnLab-V3: Unwanted/Win32.GameTool.C2318854` `Acronis: suspicious` `MAX: malware (ai score=100)` `Malwarebytes: HackTool.FilePatch` `ESET-NOD32: a variant of Win32/HackTool.Patcher.AD potentially unsafe` `TrendMicro-HouseCall: TROJ_GEN.R002C0PBN19` `Rising: PUF.Patcher!1.B3BB (CLASSIC)` `Yandex: Riskware.HackTool!LT2poWNG63M` `SentinelOne: DFI - Malicious PE` `eGambit: HackTool.Generic` `GData: Win32.Riskware.Patcher.E` `AVG: Win32:Malware-gen` `Panda: Trj/CI.A` `CrowdStrike: win/malicious_confidence_100% (D)`

Hashes

MD5	`3f13da44561a3e2881f102a0f4beabc0`
SHA1	`9fdf7bd2cf72f77cdcf56705f8f2b8ef618066e3`
SHA256	`0628f21d74d8260cc80057e0c7b95903096ab240e84d3993db6b9f2e9d599d2f`
SHA3	`5832ce7d1cd8b0707126d707ba3a728b5c5c2dd0f5a7f4e4c5dd6b46c4abeb88`
SSDeep	`12288:B0658vDhFiq1T2JZy7COoRclaNylzZqAr/GwD24nQBjSik7U7cDvYhuAd/a4SEH:K6U7RQZy72yZqa+gnQJSikaYYhhiTE`
Imports Hash	`dc73a9bd8de0fd640549c85ac4089b87`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0xd0`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_I386`
NumberofSections	`5`
TimeDateStamp	2012-Dec-21 20:59:46
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xe0`
Characteristics	`IMAGE_FILE_32BIT_MACHINE` `IMAGE_FILE_EXECUTABLE_IMAGE`

Image Optional Header

Magic	`PE32`
LinkerVersion	`10.0`
SizeOfCode	`0x200`
SizeOfInitializedData	`0xa1800`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x0000102B (Section: .text)`
BaseOfCode	`0x1000`
BaseOfData	`0x2000`
ImageBase	`0x400000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`5.0`
ImageVersion	`0.0`
SubsystemVersion	`5.0`
Win32VersionValue	`0`
SizeOfImage	`0xa7000`
SizeOfHeaders	`0x400`
Checksum	`0xecdd`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` `IMAGE_DLLCHARACTERISTICS_NX_COMPAT` `IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`4c584307e5aa70f515ee8c3d942e5f6c`
SHA1	`05668764efd56b4a53d8574ff9dec26b851ca07b`
SHA256	`9c0c821fe1c66ad45a044fec0be845fa08b96ea7b7c24e852b132a92fe08a90c`
SHA3	`a56964eb90adb7bd0f5c92dbd62425658cbd2b396621386f34ca3397e2a0465f`
VirtualSize	`0x1f6`
VirtualAddress	`0x1000`
SizeOfRawData	`0x200`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`5.06408`

.rdata

MD5	`e5aa65265e17d8a1b524adbc10c0a1ad`
SHA1	`0e0eb11d610df253f860f9b46790f28f7477d12a`
SHA256	`b8af2ef3ea5c0fb35d0c846a94425f028f8cdba30eefbb401377749e0266640b`
SHA3	`7c0d77a4d031c3944bb719376c53cf53fc047471e027fa4f69aacd44c986f6a8`
VirtualSize	`0x1d8`
VirtualAddress	`0x2000`
SizeOfRawData	`0x200`
PointerToRawData	`0x600`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`4.27064`

.data

MD5	`f8fedf1be1122ff5cd0e5b4716311cc5`
SHA1	`c41831c104ced77633be9d2b09364c22a9392a73`
SHA256	`b23a9af37c2bfeb0bcb17555a8038d0403b12616851e58513e9135a77c84363b`
SHA3	`eed0f7054aa182d7497331ee77969143efb3a63e8fee1ed02e44e82494404132`
VirtualSize	`0x34`
VirtualAddress	`0x3000`
SizeOfRawData	`0x200`
PointerToRawData	`0x800`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`0.568988`

.rsrc

MD5	`07d75ee1487575c1d447c15d4b4f495d`
SHA1	`c3ee32a9a92fa2d136bce32c6c97fa21faa6d0d9`
SHA256	`5aeb132a1bc8f8b4d95e813145418632b95b1cfcbe80e5ad969fdd73df312a9a`
SHA3	`1fbfbacba38328e879f6c8b1925212cd32ee58eb561c55b2574893b2842ed647`
VirtualSize	`0xa11b8`
VirtualAddress	`0x4000`
SizeOfRawData	`0xa1200`
PointerToRawData	`0xa00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`7.99945`

.reloc

MD5	`2e6554ffc943448b686d85ad68f9ec9a`
SHA1	`2983937fa0491ffb874e3d5084ddc909f7b417ba`
SHA256	`4bb6e032bb8a0cc87b345564204b1e74d8eb2ed7665c2a1d82dcd3b3096bf885`
SHA3	`1037aac5df319410ca7ed864e945ccb384d66f6e8ac2a1f9c2cfcdc03c63f497`
VirtualSize	`0x52`
VirtualAddress	`0xa6000`
SizeOfRawData	`0x200`
PointerToRawData	`0xa1c00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`0.736046`

Imports

kernel32.dll	`DeleteFileA` `ExitProcess` `FindResourceA` `FreeLibrary` `GetModuleHandleA` `GetProcAddress` `GetTempPathA` `LoadLibraryA` `LoadResource` `RtlMoveMemory` `SizeofResource` `VirtualAlloc` `lstrcatA` `CloseHandle` `CreateFileA` `FlushFileBuffers` `WriteFile`

Delayed Imports

1

Type	`RT_ICON`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x2e8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.239`
MD5	`3402c0dcdd656102b7cf1b1e81678e2a`
SHA1	`74076c29aadf439f0b017186e04fc35cd9c62ed1`
SHA256	`4acc8803eb3cc2464378bc7f90439ed7bba24ad28e41edbe35f3a4979a5461d4`
SHA3	`fa0bf2b2094eea3d9d66b2c13c716d6061820ce7c252d779339542e526a212d4`

DLL

Type	`RT_RCDATA`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0xa0a00`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`7.9997`
MD5	`c48a747a30382d23f74428fe5823dda5`
SHA1	`d2128d62b2c1646bf10996b94fb32c6e06dce2e1`
SHA256	`a948130d6dc31b9950e901b8918b3a2fe0a06bbe2515a28fc37407988c3f7d36`
SHA3	`80d93aad296322add649cf553e4d04d72173044292a123cde4339aea50d03f9d`

500

Type	`RT_GROUP_ICON`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x14`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`1.83321`
Detected Filetype	Icon file
MD5	`d8e825fcdd51947ba0736106151f83bf`
SHA1	`ace66e098645794467a2fd382bd88862c9f481b7`
SHA256	`fd3e89f77c0889e0855cbe878577ddd6b4cdcf228dc17998f572141c9ba0f1cf`
SHA3	`8200d6936130842cb3aa0c58078c24bb6a353f2ed12b076ee069a6e5d29ddb65`

1 (#2)

Type	`RT_MANIFEST`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x382`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`4.85663`
MD5	`3d015c7d35d5e650f594c23c7368cd6f`
SHA1	`b5fdca6e0c5847a306b43553ce96c7c37a40c680`
SHA256	`3e11f55df49746534018ddcb81f928559124029992dfaa0adb67318b2d41df15`
SHA3	`94d9e3898971601d603eb374856eca2677a11d61314d956b1f82e18cd60c9b4c`

Version Info

TLS Callbacks

Load Configuration

RICH Header

XOR Key	`0x9103f02d`
Unmarked objects	`0`
18 (8444)	`1`
Imports (VS2010 build 30319)	`3`
Total imports	`17`
ASM objects (VS2010 build 30319)	`1`
Resource objects (VS2010 build 30319)	`1`
Linker (VS2010 build 30319)	`1`

3f13da44561a3e2881f102a0f4beabc0

Summary

Plugin Output

Hashes

DOS Header

PE Header

Image Optional Header

.text

.rdata

.data

.rsrc

.reloc

Imports

Delayed Imports

1

DLL

500

1 (#2)

Version Info

TLS Callbacks

Load Configuration

RICH Header

Errors