Manalyze report for 41f32f75482b61287d2662b58a12dc5a

Summary

Architecture	`IMAGE_FILE_MACHINE_I386`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	2018-Apr-09 06:50:10
Detected languages	Chinese - PRC English - United States
Comments	Windows 服务主进程
FileDescription	Windows 服务主进程
FileVersion	`1, 0, 0, 1`
InternalName	mm
LegalCopyright	Copyright (C) 2018
OriginalFilename	mm.exe
ProductName	Windows 服务主进程
ProductVersion	`1, 0, 0, 1`

Plugin Output

Suspicious	PEiD Signature:	`UPX V2.00-V2.90 -> Markus Oberhumer & Laszlo Molnar & John Reiser` `UPX -> www.upx.sourceforge.net` `UPX V2.00-V2.90 -> Markus Oberhumer & Laszlo Molnar & John Reiser`
Suspicious	The PE is packed with UPX	`Unusual section name found: UPX0` `Section UPX0 is both writable and executable.` `Unusual section name found: UPX1` `Section UPX1 is both writable and executable.`
Suspicious	The PE contains functions most legitimate programs don't use.	`[!] The program may be hiding some of its imports: LoadLibraryA GetProcAddress` `Can access the registry: RegOpenKeyA` `Memory manipulation functions often used by packers: VirtualProtect VirtualAlloc` `Leverages the raw socket API to access the Internet: #23`
Malicious	VirusTotal score: 11/67 (Scanned on 2018-07-09 12:38:53)	`Bkav: W32.eHeur.Malware14` `Cylance: Unsafe` `TheHacker: Posible_Worm32` `Baidu: Win32.Trojan.WisdomEyes.16070401.9500.9553` `TrendMicro-HouseCall: TROJ_GEN.R002H0AG418` `Sophos: Mal/Generic-S` `Webroot: W32.Trojan.Gen` `Avira: TR/Tiny.qybuo` `VBA32: suspected of Trojan.Downloader.gen.h` `ESET-NOD32: a variant of Win32/Tiny.NCV` `CrowdStrike: malicious_confidence_80% (W)`

Hashes

MD5	`41f32f75482b61287d2662b58a12dc5a`
SHA1	`27bd79b9b9295ef5524dc4b5ec41a4a9b8548567`
SHA256	`6fe391d939b348bb1be235cdf3a963851d3f3d14cfb29dea21cf2b219005b18d`
SHA3	`34d3ccac2cbd0bfdcb954c7e4755af292b5ab05a8380c7f819caa9dfc5779cf4`
SSDeep	`192:B8b/K3DgmYuAr57hios/4eStG6mZQE3vC:B87aDlvAr5UosQ1AtaE3vC`
Imports Hash	`41e9b5bd48c0626db5dafe86570641b0`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0xf0`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_I386`
NumberofSections	`3`
TimeDateStamp	2018-Apr-09 06:50:10
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xe0`
Characteristics	`IMAGE_FILE_32BIT_MACHINE` `IMAGE_FILE_EXECUTABLE_IMAGE`

Image Optional Header

Magic	`PE32`
LinkerVersion	`9.0`
SizeOfCode	`0x2000`
SizeOfInitializedData	`0x1000`
SizeOfUninitializedData	`0x6000`
AddressOfEntryPoint	`0x00008570 (Section: UPX1)`
BaseOfCode	`0x7000`
BaseOfData	`0x9000`
ImageBase	`0x400000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`5.0`
ImageVersion	`0.0`
SubsystemVersion	`5.0`
Win32VersionValue	`0`
SizeOfImage	`0xa000`
SizeOfHeaders	`0x1000`
Checksum	`0`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` `IMAGE_DLLCHARACTERISTICS_NX_COMPAT` `IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

UPX0

MD5	`d41d8cd98f00b204e9800998ecf8427e`
SHA1	`da39a3ee5e6b4b0d3255bfef95601890afd80709`
SHA256	`e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`
SHA3	`a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a`
VirtualSize	`0x6000`
VirtualAddress	`0x1000`
SizeOfRawData	`0`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_UNINITIALIZED_DATA` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`

UPX1

MD5	`292b52c697b1a8a855de524e27aee6b9`
SHA1	`36bc61df47c539906966d53acb33963701f24700`
SHA256	`662c1b5198d5333988b7d1beacc7d1165d3f3f3a48b04d1b0fcae79bb3f0a766`
SHA3	`559e2bf309ea7d4350e8463bb7fc3e35708008d8d3e48c727c731aef32736645`
VirtualSize	`0x2000`
VirtualAddress	`0x7000`
SizeOfRawData	`0x1800`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`7.40608`

.rsrc

MD5	`46e0153d7fc12cd46c38b668871395ae`
SHA1	`f166f90c1f6d093b382f991645b1d8cae818b016`
SHA256	`ad2f05502355691b6b34ea5cf649244ae93089cf7ee64fd862b2338932596732`
SHA3	`c356c6482891b48661880c4e396ab8bec70f5c27f924a76e29b8e9345c63cc05`
VirtualSize	`0x1000`
VirtualAddress	`0x9000`
SizeOfRawData	`0xc00`
PointerToRawData	`0x1c00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`3.94555`

Imports

KERNEL32.DLL	`LoadLibraryA` `GetProcAddress` `VirtualProtect` `VirtualAlloc` `VirtualFree` `ExitProcess`
ADVAPI32.dll	`RegOpenKeyA`
IPHLPAPI.DLL	`GetAdaptersInfo`
MSVCR90.dll	`exit`
SHLWAPI.dll	`SHSetValueA`
USER32.dll	`wsprintfA`
WS2_32.dll	`#23`

Delayed Imports

109

Type	`RT_MENU`
Language	Chinese - PRC
Codepage	Latin 1 / Western European
Size	`0x50`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.24529`
MD5	`3768d661f1606dafe0bbd6dbcbb1aa50`
SHA1	`250a2f56a3becde33eceeb3ef69a502fc3bdfcca`
SHA256	`8f0d417b64215ec2f33379d29e91fbdcd15cd710652ef28e0478c7f4be0a030c`
SHA3	`e3cf07897350f1c39ad0376f00125782ae1786e1592554044d93e4f679f73935`

103

Type	`RT_DIALOG`
Language	Chinese - PRC
Codepage	Latin 1 / Western European
Size	`0x108`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.1879`
MD5	`ffdf9578f442ec6bdd394df41722d974`
SHA1	`e54a3e0c329a9683ef61a36ad02a57ac2800da47`
SHA256	`c8f0ac03103094d6ad9b77ced23db02a2bd3d2b4c88861254efe04be6cefb2f1`
SHA3	`083e7550d9458ceb7c3a68a32baf184c2126b68efc63d6fa84f0ca0b8826e294`

7

Type	`RT_STRING`
Language	Chinese - PRC
Codepage	Latin 1 / Western European
Size	`0x28`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`0.847585`
MD5	`7b0515a2fb3cb8929c8768fd17407af8`
SHA1	`fc4a79d098739afbc3267c7ebc01fb38fee8b995`
SHA256	`fe0735f94dfe8c6c193639b81d788ab87428e4d572b1705fac8f82d06a0ffd04`
SHA3	`52ff9615fefa82bff273dc412a53b2116ade25815d61ab3f1691b9e821ee97c8`

109 (#2)

Type	`RT_ACCELERATOR`
Language	Chinese - PRC
Codepage	Latin 1 / Western European
Size	`0x10`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`1.79879`
MD5	`3d2b1af3424dbcd504f73918619c7d99`
SHA1	`10d6ed54ea742211a14a05414883f6c00c03080a`
SHA256	`c2f0c188d6c493d7827bf83fb89c704815796445a0178bb2ae79658d96703a3c`
SHA3	`b8c5f28d2c132e5bc304e4dc1b314a3f32a2e48675c06828a2a8a014ea05e7fb`

1

Type	`RT_VERSION`
Language	Chinese - PRC
Codepage	Latin 1 / Western European
Size	`0x2b0`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.54863`
MD5	`968e93102991b061c313be76e9d87aa3`
SHA1	`3959f1ce3967c284b09a108fd0b715b5db9ab799`
SHA256	`031c94b6309300f90e32e8d7cde78b99d8b89ff142a04d9ea7ea7ead7209f7de`
SHA3	`32e628da0c8e1c7561187a269adc18344b249af8c62a5bc73afa3fdee7e5224d`

1 (#2)

Type	`RT_MANIFEST`
Language	English - United States
Codepage	Latin 1 / Western European
Size	`0x256`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.0207`
MD5	`5a32206e4bb9d06170ae00fa980db49b`
SHA1	`126a45f48625322ba11eb0acf1ade9115ad6802b`
SHA256	`9f2fc067639866642bb1a73fb43006d233e569d25566b16dedec472fe5d3c5c3`
SHA3	`bfab9d66b065ea131bdc44ac811cfcf4d5c43a1075f9b6d16f0c8f2f20237cac`

String Table contents

mm
MM

Version Info

Signature	`0xfeef04bd`
StructVersion	`0x10000`
FileVersion	1.0.0.1
ProductVersion	1.0.0.1
FileFlags	`(EMPTY)`
FileOs	`VOS_DOS_WINDOWS32` `VOS_NT_WINDOWS32` `VOS__WINDOWS32`
FileType	`VFT_APP`
Language	Chinese - PRC
Comments	Windows 服务主进程
FileDescription	Windows 服务主进程
FileVersion (#2)	1, 0, 0, 1
InternalName	mm
LegalCopyright	Copyright (C) 2018
OriginalFilename	mm.exe
ProductName	Windows 服务主进程
ProductVersion (#2)	1, 0, 0, 1

Resource LangID	Chinese - PRC

TLS Callbacks

Load Configuration

Size	`0x48`
TimeDateStamp	`1970-Jan-01 00:00:00`
Version	`0.0`
GlobalFlagsClear	`(EMPTY)`
GlobalFlagsSet	`(EMPTY)`
CriticalSectionDefaultTimeout	`0`
DeCommitFreeBlockThreshold	`0`
DeCommitTotalFreeThreshold	`0`
LockPrefixTable	`0`
MaximumAllocationSize	`0`
VirtualMemoryThreshold	`0`
ProcessAffinityMask	`0`
ProcessHeapFlags	`(EMPTY)`
CSDVersion	`0`
Reserved1	`0`
EditList	`0`
SecurityCookie	`0x404000`
SEHandlerTable	`0x4034b0`
SEHandlerCount	`1`

RICH Header

XOR Key	`0xfd519a1`
Unmarked objects	`0`
Imports (VS2008 SP1 build 30729)	`2`
ASM objects (VS2008 SP1 build 30729)	`3`
C objects (VS2008 SP1 build 30729)	`21`
C++ objects (VS2008 SP1 build 30729)	`2`
Imports (VS2012 build 50727 / VS2005 build 50727)	`13`
Total imports	`69`
138 (VS2008 SP1 build 30729)	`2`
Linker (VS2008 build 21022)	`1`
Resource objects (VS2008 SP1 build 30729)	`1`

Errors

[*] Warning: Section UPX0 has a size of 0!