Manalyze report for 4c4c1bcad07ab73f446ba1f382c94df2

Summary

Architecture	`IMAGE_FILE_MACHINE_I386`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	2013-Nov-25 12:49:14

Plugin Output

Suspicious	PEiD Signature:	`ASPack v2.12`
Suspicious	The PE is packed with Aspack or Armadillo	`Section .text is both writable and executable.` `Unusual section name found: .aspack` `Section .aspack is both writable and executable.` `Unusual section name found: .adata` `Section .adata is both writable and executable.` `The PE only has 9 import(s).`
Malicious	The PE contains functions mostly used by malware.	`[!] The program may be hiding some of its imports: GetProcAddress LoadLibraryA` `Has Internet access capabilities: URLDownloadToFileA` `Functions related to the privilege level: OpenProcessToken`
Suspicious	The file contains overlay data.	`3983 bytes of data starting at offset 0x3e00.`
Malicious	VirusTotal score: 61/68 (Scanned on 2023-03-11 01:11:27)	`ALYac: Trojan.GenericKD.45627792` `APEX: Malicious` `AVG: Win32:Evo-gen [Trj]` `Acronis: suspicious` `AhnLab-V3: Trojan/Win32.Agent.R94615` `Alibaba: TrojanDownloader:Win32/Banload.4f6f7940` `Antiy-AVL: Trojan/Win32.Wapomi` `Arcabit: Trojan.Generic.D2B83990` `Avast: Win32:Evo-gen [Trj]` `Avira: TR/Dldr.Small.Z.haljq` `BitDefender: Trojan.GenericKD.45627792` `BitDefenderTheta: AI:Packer.23CEAB981E` `CAT-QuickHeal: PUA.GenericRI.S28207581` `ClamAV: Win.Trojan.Downloader-64720` `Cylance: unsafe` `Cynet: Malicious (score: 100)` `Cyren: W32/Downloader.WXUE-4498` `DrWeb: BackDoor.Darkshell.246` `ESET-NOD32: Win32/Wapomi.BA` `Elastic: malicious (high confidence)` `Emsisoft: Trojan.GenericKD.45627792 (B)` `FireEye: Generic.mg.4c4c1bcad07ab73f` `Fortinet: W32/Nimnul.F` `GData: Win32.Trojan.Agent.05HJWV` `Google: Detected` `Gridinsoft: Trojan.Win32.Downloader.zv!s1` `Ikarus: Trojan-Downloader.Win32.Small` `Jiangmin: TrojanDownloader.Banload.bpxt` `K7AntiVirus: Riskware ( 0040eff71 )` `K7GW: Riskware ( 0040eff71 )` `Kaspersky: Trojan-Downloader.Win32.Banload.cqfs` `Lionic: Virus.Win32.Nimnul.m1R5` `MAX: malware (ai score=82)` `Malwarebytes: Ramnit.Virus.FileInfector.DDS` `MaxSecure: Trojan.Malware.6812811.susgen` `McAfee: Generic.ru` `McAfee-GW-Edition: BehavesLike.Win32.Agent.lm` `MicroWorld-eScan: Trojan.GenericKD.45627792` `Microsoft: Trojan:Win32/Skeeyah.W!MTB` `NANO-Antivirus: Trojan.Win32.Banload.cstqaj` `Paloalto: generic.ml` `Panda: Trj/WLT.A` `Rising: Win32.Wapomi.a (CLASSIC)` `SUPERAntiSpyware: Trojan.Agent/Gen-Downloader` `Sangfor: Suspicious.Win32.Save.ins` `SentinelOne: Static AI - Malicious PE` `Sophos: W32/Nimnul-A` `Symantec: W32.Wapomi.C!inf` `TACHYON: Trojan-Downloader/W32.Banload.36864.BP` `Tencent: Trojan.Win32.Small.aab` `Trapmine: malicious.high.ml.score` `TrendMicro: TROJ_DLOADR.XD` `TrendMicro-HouseCall: TROJ_DLOADR.XD` `VBA32: TrojanDownloader.Banload` `VIPRE: Trojan.GenericKD.45627792` `VirIT: Backdoor.Win32.Darkshell.JM` `Webroot: W32.Heuristic.Dkvt` `Zillya: Downloader.Banload.Win32.56343` `ZoneAlarm: Trojan-Downloader.Win32.Banload.cqfs` `Zoner: Virus.Win32.21902` `tehtris: Generic.Malware`

Hashes

MD5	`4c4c1bcad07ab73f446ba1f382c94df2`
SHA1	`a0701226b3c3abcb198ab30d61ef05d28256d056`
SHA256	`4695dab1cdbcbd0b6eaf4abf9117583db67fb63e13b85446c0655a89ee60ae70`
SHA3	`2527fc69128e8ef606cd8a33cfe85196dee88134ba315fd7514f69ab3d183d5f`
SSDeep	`384:7XZQaD7U8iu4YsAa7ZA0UvH2lsRv21yW7GbAxur6+Y9PffPz:1QGPL4vzZq2o9W7GsxBbPr`
Imports Hash	`aa631f25c4bbd544554d9285d2f8bd38`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0xe0`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_I386`
NumberofSections	`6`
TimeDateStamp	2013-Nov-25 12:49:14
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xe0`
Characteristics	`IMAGE_FILE_32BIT_MACHINE` `IMAGE_FILE_EXECUTABLE_IMAGE`

Image Optional Header

Magic	`PE32`
LinkerVersion	`9.0`
SizeOfCode	`0x1e00`
SizeOfInitializedData	`0x1e00`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x00006001 (Section: .aspack)`
BaseOfCode	`0x1000`
BaseOfData	`0x3000`
ImageBase	`0x400000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`5.0`
ImageVersion	`0.0`
SubsystemVersion	`5.0`
Win32VersionValue	`0`
SizeOfImage	`0x9000`
SizeOfHeaders	`0x400`
Checksum	`0`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` `IMAGE_DLLCHARACTERISTICS_NX_COMPAT` `IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`c784ee670e244bb5d464b2b2cd780320`
SHA1	`54fbef8144e69217a46cbaf6f228145f01ffe52c`
SHA256	`4fb3dc32b13c6991076771c2ff2f640a34d8d34b9f8b0cf2544391fd3ae974af`
SHA3	`488589302b699fb3165a47f100181128820c913751b6a579ea1e7325aa9e7ec0`
VirtualSize	`0x2000`
VirtualAddress	`0x1000`
SizeOfRawData	`0x1400`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`7.81169`

.rdata

MD5	`07ff04e3983b8c305e9bd28f8c653aa6`
SHA1	`1b5f828f55336a83262e8e98460f912874f07649`
SHA256	`23c7029f9e2c948f39fae348aff07b13f215544ad0b3f196f3c4128e403144df`
SHA3	`2ba64c78caa161aade2bee19775267254942103ea59f2594cc476a4fec2c26a2`
VirtualSize	`0x1000`
VirtualAddress	`0x3000`
SizeOfRawData	`0x600`
PointerToRawData	`0x1800`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`7.07007`

.data

MD5	`c6687c71f9b53c6b31b9346ade7fd920`
SHA1	`02ffb8239b75cb657043e21fb581b713ce661e9a`
SHA256	`a533496cbfbc51045f343f8c646b0a465f9a15e1d82c0fddfae25fa3e95463a2`
SHA3	`ca41beeb43edbaad7b2c7500c154e190ce83eea5a8d8d6eef8ace3e14ad84412`
VirtualSize	`0x1000`
VirtualAddress	`0x4000`
SizeOfRawData	`0xa00`
PointerToRawData	`0x1e00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`7.68117`

.reloc

MD5	`3e9c51b0ed08e4118560c5f4ea7b8f21`
SHA1	`29e9ea5a2a86848eaa39d32b4c321ee953b98c0f`
SHA256	`bb159db3e47a607ef83faefd7867e79a1f33c12b130b9ca0f510c39b179516a4`
SHA3	`482952bc2b8a0fca0babc20684d8d73edc6f35ea478011313ef8170166d43688`
VirtualSize	`0x1000`
VirtualAddress	`0x5000`
SizeOfRawData	`0x400`
PointerToRawData	`0x2800`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`5.52396`

.aspack

MD5	`8dac827e057e0dc1aaa80dc94ce27219`
SHA1	`979dad79fb9e29ee799b1b66c8d75bfc264ff944`
SHA256	`c40236055dd5bc69003bc7b896dc4b24984e65d330f56751d690103c6cbc3404`
SHA3	`373013e378c4f72cb240fa17d26ba9afcd26c49b6e930c7df726d236b9fc39b0`
VirtualSize	`0x2000`
VirtualAddress	`0x6000`
SizeOfRawData	`0x1200`
PointerToRawData	`0x2c00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`5.9919`

.adata

MD5	`d41d8cd98f00b204e9800998ecf8427e`
SHA1	`da39a3ee5e6b4b0d3255bfef95601890afd80709`
SHA256	`e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`
SHA3	`a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a`
VirtualSize	`0x1000`
VirtualAddress	`0x8000`
SizeOfRawData	`0`
PointerToRawData	`0x3e00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`

Imports

kernel32.dll	`GetProcAddress` `GetModuleHandleA` `LoadLibraryA`
msvcrt.dll	`??2@YAPAXI@Z`
shlwapi.dll	`PathFileExistsA`
urlmon.dll	`URLDownloadToFileA`
user32.dll	`wsprintfA`
advapi32.dll	`OpenProcessToken`
shell32.dll	`SHGetSpecialFolderPathA`

Delayed Imports

Version Info

TLS Callbacks

Load Configuration

RICH Header

XOR Key	`0xd127f13e`
Unmarked objects	`0`
Imports (VS2012 build 50727 / VS2005 build 50727)	`12`
ASM objects (VS2003 (.NET) build 4035)	`1`
Total imports	`71`
Linker (8047)	`3`
14 (7299)	`1`
138 (VS2008 SP1 build 30729)	`8`
Resource objects (VS2008 SP1 build 30729)	`1`

Errors

[*] Warning: Section .adata has a size of 0!