Manalyze report for 43d178652432d3e7e9c5e673df3255440529309aaaeb5e0e0533080fd2c288a8

Summary

Architecture	`IMAGE_FILE_MACHINE_I386`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	1970-Jan-01 00:00:00

Plugin Output

Suspicious	PEiD Signature:	`UPX V2.00-V2.90 -> Markus Oberhumer & Laszlo Molnar & John Reiser` `UPX -> www.upx.sourceforge.net` `UPX V2.00-V2.90 -> Markus Oberhumer & Laszlo Molnar & John Reiser` `UPX 2.00-3.0X -> Markus Oberhumer & Laszlo Molnar & John Reiser`
Suspicious	The PE is packed with UPX	`Unusual section name found: UPX0` `Section UPX0 is both writable and executable.` `Unusual section name found: UPX1` `Section UPX1 is both writable and executable.` `Unusual section name found: UPX2` `The PE only has 4 import(s).`
Info	The PE contains common functions which appear in legitimate applications.	`[!] The program may be hiding some of its imports: LoadLibraryA GetProcAddress`
Malicious	VirusTotal score: 56/70 (Scanned on 2026-05-29 12:09:42)	`ALYac: Gen:Variant.Fragtor.913627` `APEX: Malicious` `AVG: Win32:Evo-gen [Trj]` `AhnLab-V3: Infostealer/Win.SalatStealer.R718726` `Alibaba: TrojanPSW:Win32/SalatStealer.20211e48` `Arcabit: Trojan.Fragtor.DDF0DB` `Avast: Win32:Evo-gen [Trj]` `Avira: TR/W32.Evo` `BitDefender: Gen:Variant.Fragtor.913627` `Bkav: W32.Malware.CD482E1` `CTX: exe.trojan.generic` `CrowdStrike: win/malicious_confidence_100% (W)` `Cylance: Unsafe` `Cynet: Malicious (score: 100)` `DeepInstinct: MALICIOUS` `DrWeb: Trojan.PWS.Salat.332` `ESET-NOD32: WinGo/Agent_AGen.QF trojan` `Elastic: malicious (moderate confidence)` `Emsisoft: Gen:Variant.Fragtor.913627 (B)` `F-Secure: Trojan.TR/W32.Evo` `Fortinet: W32/Agent.MP!tr` `GData: Gen:Variant.Fragtor.913627` `Google: Detected` `Ikarus: Trojan.WinGo.Agent` `K7AntiVirus: Trojan ( 005ce1d91 )` `K7GW: Trojan ( 005ce1d91 )` `Kaspersky: HEUR:Trojan-PSW.Win32.Convagent.gen` `Kingsoft: Win32.Trojan-PSW.Convagent.gen` `Lionic: Trojan.Win32.Salat.i!c` `Malwarebytes: Trojan.Injector.UPX` `MaxSecure: Trojan.Malware.575590274.susgen` `McAfeeD: Real Protect-LS!E5ABB807549C` `MicroWorld-eScan: Gen:Variant.Fragtor.913627` `Microsoft: Trojan:Win32/Kepavll!rfn` `Paloalto: generic.ml` `Panda: Trj/PhxBzA.A` `Rising: Spyware.Stealer!8.3090 (C64:YzY0OrEqYWdRXfyU)` `Sangfor: Infostealer.Win32.Evo.Vnr2` `SentinelOne: Static AI - Malicious PE` `Sophos: Troj/Salat-A` `TACHYON: Banker/W32.Agent.11657216.M` `Tencent: Trojan.Win32.Stealer.16001830` `Trapmine: malicious.high.ml.score` `TrellixENS: Artemis!E5ABB807549C` `TrendMicro: TrojanSpy.Win32.SALATSTEALER.YXGAPZ` `TrendMicro-HouseCall: TrojanSpy.Win32.SALATSTEALER.YXGAPZ` `VIPRE: Gen:Variant.Fragtor.913627` `Varist: W32/Agent.KKL.gen!Eldorado` `ViRobot: Trojan.Win.Z.Salat_B.3291648` `VirIT: Trojan.Win32.Genus.YVY` `Webroot: W32.Trojan.Injector` `Xcitium: Malware@#107j7310814is` `Zillya: Trojan.AgentAGen.Win32.159388` `ZoneAlarm: Troj/Salat-A` `alibabacloud: Trojan:Multi/Rozena.SS` `huorong: Trojan/Agent.e!crit`

Hashes

MD5	`e5abb807549c22d162b2dc284f6d45cf`
SHA1	`7525f49063fa0873e545e4b1116ea3a93140a69a`
SHA256	`43d178652432d3e7e9c5e673df3255440529309aaaeb5e0e0533080fd2c288a8`
SHA3	`689b08d8742c3359d90a909c3c06609659cc3a2fb20e9c6a0290070d35ef5327`
SSDeep	`98304:JzEtiVc0R0Y5WKRY1SkOX8UC7xPGza6aC/reb:JzEtiW0R0YZRYOX27xD5Oq`
Imports Hash	`6ed4f5f04d62b18d96b26d6db7c18840`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0x8b`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0x80`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_I386`
NumberofSections	`3`
TimeDateStamp	1970-Jan-01 00:00:00
PointerToSymbolTable	`0xb1de00`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xe0`
Characteristics	`IMAGE_FILE_32BIT_MACHINE` `IMAGE_FILE_EXECUTABLE_IMAGE`

Image Optional Header

Magic	`PE32`
LinkerVersion	`3.0`
SizeOfCode	`0x324000`
SizeOfInitializedData	`0x1000`
SizeOfUninitializedData	`0x865000`
AddressOfEntryPoint	`0x00B88890 (Section: UPX1)`
BaseOfCode	`0x866000`
BaseOfData	`0xb8a000`
ImageBase	`0x400000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`6.1`
ImageVersion	`1.0`
SubsystemVersion	`6.1`
Win32VersionValue	`0`
SizeOfImage	`0xb8b000`
SizeOfHeaders	`0x200`
Checksum	`0`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` `IMAGE_DLLCHARACTERISTICS_NX_COMPAT` `IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

UPX0

MD5	`d41d8cd98f00b204e9800998ecf8427e`
SHA1	`da39a3ee5e6b4b0d3255bfef95601890afd80709`
SHA256	`e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`
SHA3	`a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a`
VirtualSize	`0x865000`
VirtualAddress	`0x1000`
SizeOfRawData	`0`
PointerToRawData	`0x200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_UNINITIALIZED_DATA` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`

UPX1

MD5	`6da7b6f85a4baf4e3a1d2676a6645524`
SHA1	`a223e5bf84467ce2bfb6a88b7aa13eb25063360a`
SHA256	`cf12666d793012a5fe29fdca438875bc68473f1503dc0fd51198f7ec9461601a`
SHA3	`7a0e847f873694c57a155d2bca93e34d8224702aeb67ea90fe58696b7618ad56`
VirtualSize	`0x324000`
VirtualAddress	`0x866000`
SizeOfRawData	`0x323600`
PointerToRawData	`0x200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`7.99994`

UPX2

MD5	`ce7ae221f602090727a7949f9a5c6ab3`
SHA1	`95a79741c53db845e87c070c82a035dcc53bc7f8`
SHA256	`cd6c367786a57740099a501aa9b441b4d03beb51659bf7ec1c41a371436a4370`
SHA3	`fa7112c5c2694b4b733c806420b956a49886c737f6a6d31d46f9199d56177994`
VirtualSize	`0x1000`
VirtualAddress	`0xb8a000`
SizeOfRawData	`0x200`
PointerToRawData	`0x323800`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`1.47354`

Imports

KERNEL32.DLL	`LoadLibraryA` `ExitProcess` `GetProcAddress` `VirtualProtect`

Delayed Imports

Version Info

TLS Callbacks

Load Configuration

RICH Header

Errors

[*] Warning: Section UPX0 has a size of 0!

Leave a comment

No comments yet.