Manalyze report for 42682d4a78fe5c2eda988185a344637d

Summary

Architecture	`IMAGE_FILE_MACHINE_AMD64`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_CUI`
Compilation Date	2017-Jun-06 15:24:44
Detected languages	English - United States Korean - Korea
Comments
CompanyName	Kamsky Co,.Ltd
FileDescription	Vote_Controller
FileVersion	`49, 0, 0, 0`
InternalName	MDL_170329_x86_V06Lv3
LegalCopyright	Copyright ⓒ 2017
LegalTrademarks
OriginalFilename	Vote_Controller
PrivateBuild
ProductName	Kamsky ColdFear
ProductVersion	`17, 0, 0, 0`
SpecialBuild

Plugin Output

Info	Cryptographic algorithms detected in the binary:	`Uses constants related to CRC32` `Uses constants related to MD5` `Uses constants related to SHA1`
Suspicious	The PE contains functions most legitimate programs don't use.	`[!] The program may be hiding some of its imports: GetProcAddress LoadLibraryA LoadLibraryW` `Leverages the raw socket API to access the Internet: #23 #4 #16 #111 #18 #151 #21 #19 #3` `Enumerates local disk drives: GetLogicalDriveStringsW GetVolumeInformationW`
Malicious	VirusTotal score: 33/52 (Scanned on 2019-09-09 07:14:42)	`MicroWorld-eScan: Trojan.GenericKD.41198710` `CAT-QuickHeal: Trojan.Hoplight.S5795935` `ALYac: Trojan.Nukesped.A` `K7AntiVirus: Trojan ( 0054bc321 )` `K7GW: Trojan ( 0054bc321 )` `CrowdStrike: win/malicious_confidence_100% (W)` `TrendMicro: Trojan.Win64.HOPLIGHT.B` `Cyren: W64/Trojan.NKDY-0871` `Symantec: Trojan.Hoplight` `Paloalto: generic.ml` `Alibaba: Trojan:Win64/Hoplight.bd429bba` `ViRobot: Trojan.Win64.S.Agent.346624` `Rising: Trojan.Hoplight!1.B71E (CLASSIC)` `Ad-Aware: Trojan.GenericKD.41198710` `Comodo: Malware@#1o8aj0re9tng4` `FireEye: Trojan.GenericKD.41198710` `Emsisoft: Trojan.GenericKD.41198710 (B)` `Jiangmin: Trojan.Generic.dgxud` `Webroot: W32.Trojan.Gen` `Avira: TR/NukeSped.tbxxd` `MAX: malware (ai score=100)` `Antiy-AVL: Trojan/Win64.NukeSped` `AegisLab: Trojan.Win32.Generic.4!c` `GData: Trojan.GenericKD.41198710` `AhnLab-V3: Trojan/Win32.Generic.C3154759` `ESET-NOD32: a variant of Win64/NukeSped.T` `TrendMicro-HouseCall: Trojan.Win64.HOPLIGHT.B` `Tencent: Win32.Trojan.Generic.Pavo` `Yandex: Trojan.Agent!yMGm9L9385k` `Ikarus: Trojan.Win64.Nukesped` `Fortinet: W32/Generic.T!tr` `Panda: Trj/CI.A` `Qihoo-360: Win32/Trojan.542`

Hashes

MD5	`42682d4a78fe5c2eda988185a344637d`
SHA1	`4975de2be0a1f7202037f5a504d738fe512191b7`
SHA256	`4a74a9fd40b63218f7504f806fce71dffefc1b1d6ca4bbaadd720b6a89d47761`
SHA3	`b3036498b78dca1f549ac223a26fb4ea1f7a144b2edb8fbc7c52578870c23f73`
SSDeep	`6144:nCgsFAkxS1rrtZQXTip12P04nTnvze6lxjWV346vze6lpjWV34Evze6lSjWV34a:nCgsukxS1vtZ+5nvze6lxjWV346vze6`
Imports Hash	`02478fdc25851919108f728115ed0c9a`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0xe0`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_AMD64`
NumberofSections	`6`
TimeDateStamp	2017-Jun-06 15:24:44
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xf0`
Characteristics	`IMAGE_FILE_DLL` `IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LARGE_ADDRESS_AWARE`

Image Optional Header

Magic	`PE32+`
LinkerVersion	`10.0`
SizeOfCode	`0x45600`
SizeOfInitializedData	`0xf000`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x0000000000009350 (Section: .text)`
BaseOfCode	`0x1000`
ImageBase	`0x180000000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`5.2`
ImageVersion	`0.0`
SubsystemVersion	`5.2`
Win32VersionValue	`0`
SizeOfImage	`0x5e000`
SizeOfHeaders	`0x400`
Checksum	`0x63d41`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_CUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` `IMAGE_DLLCHARACTERISTICS_NX_COMPAT`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`d061ffec6721133c433386c96520bc55`
SHA1	`e53019427441fe5cb827b74063b8a4d33182f90b`
SHA256	`e24e2223d7175df1ba0ab373b3126e7353d0d05b7aec89f3e4497c881c7c2c77`
SHA3	`5fa016cc40c9deff5e7b59a2cdc29ddc50725b476b79d99a07005d5c460f0c49`
VirtualSize	`0x45422`
VirtualAddress	`0x1000`
SizeOfRawData	`0x45600`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`5.99973`

.rdata

MD5	`cbbc6550dcbdcaf012bdbf758a377779`
SHA1	`8533a2dc8f31eb21a6be6821ae4cce1026f905b5`
SHA256	`c846e61559ac1ee431ed786d9a7f68ebde6004d24556237a914f7f9c93fd36ca`
SHA3	`dfe95fbb856eeb12d6d4cce75e082b4c5eb25ef8669ceff7bd32eb2a5423a9cc`
VirtualSize	`0x97bc`
VirtualAddress	`0x47000`
SizeOfRawData	`0x9800`
PointerToRawData	`0x45a00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`5.78943`

.data

MD5	`c83bcaab05056d5b84fc609f41eed210`
SHA1	`07456bdbf4337c0f948c3ae4deef1f536bea94c6`
SHA256	`2be2fe156a0b38ec46c72b89ebfe6951f66cecc6939ce7bbb07e9cc3309d460d`
SHA3	`73787d8aab704b7976f41968873c65392ea4778a393720db50bfc30e91f1dac4`
VirtualSize	`0x72b0`
VirtualAddress	`0x51000`
SizeOfRawData	`0x1e00`
PointerToRawData	`0x4f200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`3.1055`

.pdata

MD5	`b9fc36206883aa1902566b5d01c27473`
SHA1	`405be9bdc4d4d1b8d4d0cd0eef8f17166e777276`
SHA256	`b80cab19c645498f06266a3a0da2e33fbbdf88ff952274387904291d57768c82`
SHA3	`e566b9d3c1ff8217ea332dad2703ac72cc51150710894b1eb8d0eb2482fada0d`
VirtualSize	`0x2088`
VirtualAddress	`0x59000`
SizeOfRawData	`0x2200`
PointerToRawData	`0x51000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`5.31931`

.rsrc

MD5	`1c1d46056b4cb4627a5f92112b7e09f7`
SHA1	`484025cc6688d7be757f5019667813ca9dfa9ce6`
SHA256	`2910c5d2ff1a17760edfc69c0b98aa651eda4a7d89a20e2470eaa2fe0aef1cad`
SHA3	`110c3610bbd32292e1bd59e74b6653fb42a51412fadd941794d124ec5e6a0284`
VirtualSize	`0xebc`
VirtualAddress	`0x5c000`
SizeOfRawData	`0x1000`
PointerToRawData	`0x53200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`5.60817`

.reloc

MD5	`3baedaa3d6b6d6dc9fb0ec4f5c3b007c`
SHA1	`9231fd2a26d9fcceb896e5a3403a69e120c3cec3`
SHA256	`32620662c052251f0efd57a560dd83ff58251dd0795a295afd69f0cbbaa26d55`
SHA3	`5f001d03dea5423d2716ec57d84fa86b022ff8b59892d35b6b479d59c60eb2d5`
VirtualSize	`0x6e4`
VirtualAddress	`0x5d000`
SizeOfRawData	`0x800`
PointerToRawData	`0x54200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`2.33115`

Imports

WS2_32.dll	`#23` `#4` `#16` `#111` `#18` `#151` `#21` `#19` `#3`
KERNEL32.dll	`ExitProcess` `CompareStringW` `GetProcessHeap` `SetEndOfFile` `CreateFileA` `GetTimeZoneInformation` `QueryPerformanceFrequency` `FindFirstFileW` `FindNextFileW` `FindClose` `GetLastError` `GetProcAddress` `LoadLibraryA` `GetWindowsDirectoryA` `GetWindowsDirectoryW` `GetTickCount` `QueryDosDeviceW` `GetLogicalDriveStringsW` `GetFileSize` `LocalFree` `GetVolumeInformationW` `GetSystemInfo` `GetModuleHandleW` `LocalAlloc` `CreateThread` `GetACP` `WideCharToMultiByte` `FileTimeToLocalFileTime` `CloseHandle` `Sleep` `UnmapViewOfFile` `DuplicateHandle` `GetSystemTimeAsFileTime` `GetFileAttributesW` `MultiByteToWideChar` `EncodePointer` `DecodePointer` `GetCurrentThreadId` `FlsSetValue` `GetCommandLineA` `UnhandledExceptionFilter` `SetUnhandledExceptionFilter` `IsDebuggerPresent` `RtlVirtualUnwind` `RtlLookupFunctionEntry` `RtlCaptureContext` `TerminateProcess` `GetCurrentProcess` `FlsGetValue` `FlsFree` `SetLastError` `FlsAlloc` `GetCPInfo` `GetOEMCP` `IsValidCodePage` `RtlUnwindEx` `EnterCriticalSection` `LeaveCriticalSection` `HeapSize` `SetEnvironmentVariableA` `HeapFree` `SetHandleCount` `GetStdHandle` `InitializeCriticalSectionAndSpinCount` `GetFileType` `GetStartupInfoW` `DeleteCriticalSection` `GetModuleFileNameA` `FreeEnvironmentStringsW` `GetEnvironmentStringsW` `HeapSetInformation` `GetVersion` `HeapCreate` `HeapDestroy` `QueryPerformanceCounter` `GetCurrentProcessId` `SetFilePointer` `WriteFile` `GetConsoleCP` `GetConsoleMode` `LCMapStringW` `GetStringTypeW` `RaiseException` `RtlPcToFileHeader` `HeapAlloc` `HeapReAlloc` `LoadLibraryW` `GetModuleFileNameW` `SetStdHandle` `WriteConsoleW` `FlushFileBuffers` `CreateFileW` `FileTimeToSystemTime` `FileTimeToDosDateTime` `ReadFile` `SystemTimeToFileTime` `GetLocalTime` `GetSystemTime` `GetFileInformationByHandle` `MapViewOfFile` `CreateFileMappingW`
USER32.dll	`GetSystemMetrics`

Delayed Imports

1

Type	`RT_ICON`
Language	Korean - Korea
Codepage	Latin 1 / Western European
Size	`0x8a8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.63361`
MD5	`39a59a84581bc8f56423ae7ce774f72d`
SHA1	`418adf309dedc21edd971016dc9f8886840d1ac7`
SHA256	`bb2986bf2086025d856dc814c32e6fd3b0b585c044e165ec9f748631984d8aba`
SHA3	`0a7381241c0086e851ae58928a96313bbc578a6df89e7b8f5e0d6bc9ebde6881`

101

Type	`RT_GROUP_ICON`
Language	Korean - Korea
Codepage	Latin 1 / Western European
Size	`0x14`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`1.81924`
Detected Filetype	Icon file
MD5	`cbee427fa121aba9b9b265ff05de5383`
SHA1	`24fcae33001c8e0f5ec795c6edf076a69d59589f`
SHA256	`494e4fd717fa1ee0c5c7bb3b4e28fdab4b7f6e95b4f9865f5ab86f03f62ae62c`
SHA3	`a3fa35d56632275ba55716a4964f02031270f61f06a903fc460ac2dd6bebde85`

1 (#2)

Type	`RT_VERSION`
Language	Korean - Korea
Codepage	Latin 1 / Western European
Size	`0x374`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.42751`
MD5	`fa7609a394d437c7c9fb931d9f03ebf1`
SHA1	`2abe94e2961bea46c6ef08f4c6a3d2759e0de9b9`
SHA256	`eec17dc5963c97bb92106bd61f16fa344ac2032dfe7dcb04317e2a7c22ed282b`
SHA3	`c691d93a2d5dc004dc7e4e2d1bfab969b8bbe4ddd2768d6d74753ed8c21205d3`

2

Type	`RT_MANIFEST`
Language	English - United States
Codepage	Latin 1 / Western European
Size	`0x15a`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`4.79597`
MD5	`24d3b502e1846356b0263f945ddd5529`
SHA1	`bac45b86a9c48fc3756a46809c101570d349737d`
SHA256	`49a60be4b95b6d30da355a0c124af82b35000bce8f24f957d1c09ead47544a1e`
SHA3	`1244ed60820da52dc4b53880ec48e3b587dbdbd9545f01fa2b1c0fcfea1d5e9e`

Version Info

Signature	`0xfeef04bd`
StructVersion	`0x10000`
FileVersion	49.0.0.0
ProductVersion	17.0.0.0
FileFlags	`(EMPTY)`
FileOs	`VOS_DOS_WINDOWS32` `VOS_NT` `VOS_NT_WINDOWS32` `VOS_WINCE` `VOS__WINDOWS32`
FileType	`VFT_DLL`
Language	English - United States
Comments
CompanyName	Kamsky Co,.Ltd
FileDescription	Vote_Controller
FileVersion (#2)	49, 0, 0, 0
InternalName	MDL_170329_x86_V06Lv3
LegalCopyright	Copyright ⓒ 2017
LegalTrademarks
OriginalFilename	Vote_Controller
PrivateBuild
ProductName	Kamsky ColdFear
ProductVersion (#2)	17, 0, 0, 0
SpecialBuild

Resource LangID	Korean - Korea

TLS Callbacks

Load Configuration

RICH Header

XOR Key	`0x48bea71b`
Unmarked objects	`0`
152 (20115)	`2`
C objects (VS2010 SP1 build 40219)	`155`
ASM objects (VS2010 SP1 build 40219)	`12`
Imports (VS2008 SP1 build 30729)	`7`
Total imports	`120`
C++ objects (VS2010 SP1 build 40219)	`60`
Resource objects (VS2010 SP1 build 40219)	`1`
Linker (VS2010 SP1 build 40219)	`1`

42682d4a78fe5c2eda988185a344637d

Summary

Plugin Output

Hashes

DOS Header

PE Header

Image Optional Header

.text

.rdata

.data

.pdata

.rsrc

.reloc

Imports

Delayed Imports

1

101

1 (#2)

2

Version Info

TLS Callbacks

Load Configuration

RICH Header

Errors