Manalyze report for 4d037478ca682c5e9498b33d361f9894

Summary

Architecture	`IMAGE_FILE_MACHINE_I386`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	2010-Aug-01 10:32:37
Detected languages	English - United States

Plugin Output

Info	Matching compiler(s):	`MASM/TASM - sig2(h)`
Suspicious	PEiD Signature:	`FASM 1.5x` `FASM v1.5x`
Suspicious	Strings found in the binary may indicate undesirable behavior:	`Contains another PE executable: This program cannot be run in DOS mode.` `Miscellaneous malware strings: cmd.exe` `Contains domain names: aContentWindow.top adobe.com http://ns.adobe.com http://ns.adobe.com/xap/1.0/ http://ns.adobe.com/xap/1.0/mm/ http://ns.adobe.com/xap/1.0/sType/ResourceRef# http://www.foo.com http://www.foo.com/q http://www.w3.org http://www.w3.org/1999/02/22-rdf-syntax-ns# mozilla.org ns.adobe.com www.foo.com www.w3.org`
Suspicious	The PE is possibly packed.	`Section .code is both writable and executable.` `Unusual section name found: .NewSec` `Section .NewSec is both writable and executable.`
Info	The PE contains common functions which appear in legitimate applications.	`Possibly launches other programs: CreateProcessA` `Enumerates local disk drives: GetDriveTypeA`
Suspicious	The PE header may have been manually modified.	`The resource timestamps differ from the PE header: 2018-Dec-24 12:24:46`
Suspicious	The file contains overlay data.	`2485774 bytes of data starting at offset 0x8000.` `Overlay data amounts for 98.6989% of the executable.`
Malicious	VirusTotal score: 64/73 (Scanned on 2020-07-18 01:08:44)	`Bkav: W32.OverlayND.PE` `MicroWorld-eScan: Trojan.Agent.EMNR` `FireEye: Generic.mg.4d037478ca682c5e` `CAT-QuickHeal: Trojan.Ausiv.S12202810` `McAfee: Packed-SU!4D037478CA68` `Cylance: Unsafe` `Zillya: Trojan.Black.Win32.51155` `Sangfor: Malware` `K7AntiVirus: Trojan ( 005205011 )` `Alibaba: virus:Win32/InfectPE.ali2000007` `K7GW: Trojan ( 00517a0d1 )` `Cybereason: malicious.8ca682` `Arcabit: Trojan.Agent.EMNR` `Invincea: heuristic` `F-Prot: W32/S-a846205f!Eldorado` `Symantec: W32.Suviapen` `APEX: Malicious` `ClamAV: Win.Virus.VMProtBad-6450060-0` `Kaspersky: Packed.Win32.Krap.jc` `BitDefender: Trojan.Agent.EMNR` `NANO-Antivirus: Trojan.Win32.Krap.espnuv` `ViRobot: Trojan.Win32.Agent.Gen.C` `Avast: Win32:Agent-BCFZ [Trj]` `Tencent: Trojan.Win32.Kryptik.fwwy` `Ad-Aware: Trojan.Agent.EMNR` `TACHYON: Worm/W32.Sivis.Zen` `Emsisoft: Trojan.Agent.EMNR (B)` `Comodo: Virus.Win32.VirLock.GA@7lv9go` `F-Secure: Trojan.TR/ATRAPS.Gen2` `DrWeb: Trojan.Encoder.14453` `VIPRE: Trojan.Win32.Generic!BT` `TrendMicro: PE_LUMER.MR` `Trapmine: malicious.high.ml.score` `Sophos: W32/Sivis-B` `Ikarus: Trojan.Win32.Ausiv` `Cyren: W32/S-a846205f!Eldorado` `Jiangmin: Packed.Krap.fyig` `Webroot: W32.Trojan.Fileinfector-2` `Avira: TR/ATRAPS.Gen2` `Fortinet: W32/Ausiv.A` `Antiy-AVL: Trojan[Packed]/Win32.Krap` `Endgame: malicious (high confidence)` `Microsoft: Trojan:Win32/Ausiv!rfn` `AegisLab: Hacktool.Win32.Krap.x!e` `ZoneAlarm: Packed.Win32.Krap.jc` `Cynet: Malicious (score: 100)` `AhnLab-V3: Trojan/Win32.Ransom.R213603` `Acronis: suspicious` `BitDefenderTheta: Gen:NN.ZexaF.34136.zAZ@a8Hp6rci` `ALYac: Trojan.Agent.EMNR` `MAX: malware (ai score=82)` `VBA32: Trojan.Encoder` `Malwarebytes: Ransom.Winlock` `ESET-NOD32: Win32/Ausiv.A` `TrendMicro-HouseCall: PE_LUMER.MR` `Rising: Virus.Sivis!1.A647 (CLOUD)` `Yandex: Trojan.Encoder!pNjka2bf5mk` `SentinelOne: DFI - Malicious PE` `eGambit: Unsafe.AI_Score_100%` `GData: Trojan.Agent.EMNR` `MaxSecure: Packed.Krap.JC` `AVG: Win32:Agent-BCFZ [Trj]` `CrowdStrike: win/malicious_confidence_100% (W)` `Qihoo-360: HEUR/QVM19.1.A30F.Malware.Gen`

Hashes

MD5	`4d037478ca682c5e9498b33d361f9894`
SHA1	`c800ae4e8a96513f40bcb162ea799ff5b7cbb988`
SHA256	`72ed71ead6107983928bb20f06dbf1bc34be3a59faf098bd39952ea3667db10d`
SHA3	`5dba5be04b932089ef3bcc361f1cb2c64404023325b365f07e9514ddfcd88602`
SSDeep	`6144:QHmft7iTnRHmft7iTngHmft7iTnRHmft7iTngHmft7iTngHmft7iTnpHmft7iTn:`
Imports Hash	`a8f69eb2cf9f30ea96961c86b4347282`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0x80`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_I386`
NumberofSections	`6`
TimeDateStamp	2010-Aug-01 10:32:37
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xe0`
Characteristics	`IMAGE_FILE_32BIT_MACHINE` `IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LINE_NUMS_STRIPPED` `IMAGE_FILE_LOCAL_SYMS_STRIPPED` `IMAGE_FILE_RELOCS_STRIPPED`

Image Optional Header

Magic	`PE32`
LinkerVersion	`2.0`
SizeOfCode	`0x3200`
SizeOfInitializedData	`0x1e00`
SizeOfUninitializedData	`0x1000`
AddressOfEntryPoint	`0x00001000 (Section: .code)`
BaseOfCode	`0x1000`
BaseOfData	`0x4000`
ImageBase	`0x400000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`4.0`
ImageVersion	`0.0`
SubsystemVersion	`4.0`
Win32VersionValue	`0`
SizeOfImage	`0x8000`
SizeOfHeaders	`0x400`
Checksum	`0`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.code

MD5	`8d45c4e221103ecf06a2ffb4f6b4170a`
SHA1	`f582d16c81814ab09ac1f2e0c1818876c9e9ef45`
SHA256	`3e96869bbfefa39a1c2946532a1edef25af903c9682985a3c4f0e8e9acc78bad`
SHA3	`a7523d1e157e815139c18571122a4d707c185f1800c6ae50adfa90841ad09477`
VirtualSize	`0x731`
VirtualAddress	`0x1000`
SizeOfRawData	`0x731`
PointerToRawData	`0x1000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`5.33884`

.text

MD5	`4ebd8ab0ae60f9f48672a6a851790881`
SHA1	`9c9f2d7002bb498f79713cc2b5270ea880b12987`
SHA256	`3274cfdb91531c6e7f9d3b2fb772c87cc9aa149e08a844b4c56fbcb413398999`
SHA3	`7c1a408886ad8d45d6c58359f34944ab1b27a481dd1361a0eaad77002cd1a7fa`
VirtualSize	`0x1998`
VirtualAddress	`0x2000`
SizeOfRawData	`0x1998`
PointerToRawData	`0x2000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.19155`

.rdata

MD5	`eac55f75efa653ab097cc26955eaadb9`
SHA1	`4ad1837a80216fec1e4fb760406b2667f2de05e9`
SHA256	`ebfe137c22e6ed2c0217bbb7efcdae8ea57a07f3faddd604d60898a8028e5e55`
SHA3	`5d3d57e5ef58f9e95175cde2d03fc5584746a49352405e37b9fac25aa256c1df`
VirtualSize	`0x1c`
VirtualAddress	`0x4000`
SizeOfRawData	`0x1c`
PointerToRawData	`0x4000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`1.76955`

.data

MD5	`6225dbf9e53a67a2c06175fc5437ecdb`
SHA1	`fe7b5f4a8e858a60640b865a9b37035932b9bff0`
SHA256	`70ce974ec5e6ac78958cf4aa47be01b7ce408271444803f4c8608fa26cada977`
SHA3	`54736d24089ac031bcac5b4ae3aba0cb71dc4f53e9f971f16b47a43a0d7bd373`
VirtualSize	`0x7a8`
VirtualAddress	`0x5000`
SizeOfRawData	`0x7a8`
PointerToRawData	`0x5000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`4.97869`

.rsrc

MD5	`13993501e832b475bd7eac46370ba265`
SHA1	`1831f846fdf2ec491a0e1de01e9097171ba5ac48`
SHA256	`fc620a37616029a612557f8f69785ff211db1c88824d530ea32f6e95f9e757de`
SHA3	`46de49b414231c79b9093a5ece855bee7bb954d2ea259eb90344b326424d78f8`
VirtualSize	`0x2bc`
VirtualAddress	`0x6000`
SizeOfRawData	`0x2bc`
PointerToRawData	`0x6000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`5.06745`

.NewSec

MD5	`b8292cc5a528e176dffe2e390f4b6974`
SHA1	`4b64e325bf42f635bed6fdbf0b0e485b679eb441`
SHA256	`1e0bcb0fc4cf0e119455c24c1c21fb652612e1333ed10c162e9fca77af5141a3`
SHA3	`a67bc5c190e9ffabc93ca95b4d5bcf97483157fc8bc2e53ce7d1269f1de8bd60`
VirtualSize	`0x1000`
VirtualAddress	`0x7000`
SizeOfRawData	`0x1000`
PointerToRawData	`0x7000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_CNT_UNINITIALIZED_DATA` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`0.532349`

Imports

MSVCRT.dll	`memset` `memcpy` `_stricmp` `strncmp` `_strnicmp` `strcmp` `memmove` `strlen` `strcpy` `strcat` `strncpy`
KERNEL32.dll	`GetModuleHandleA` `HeapCreate` `HeapDestroy` `ExitProcess` `GetCurrentThreadId` `GetTickCount` `HeapAlloc` `HeapFree` `WriteFile` `CloseHandle` `CreateFileA` `GetFileSize` `ReadFile` `SetFilePointer` `InitializeCriticalSection` `GetModuleFileNameA` `GetCurrentProcess` `DuplicateHandle` `CreatePipe` `GetStdHandle` `CreateProcessA` `WaitForSingleObject` `EnterCriticalSection` `LeaveCriticalSection` `GetCurrentProcessId` `GetDriveTypeA` `FindFirstFileA` `FindClose` `GetFileAttributesA` `CreateDirectoryA` `GetLastError` `FindNextFileA` `SetFileAttributesA` `HeapReAlloc`
COMCTL32.DLL	`InitCommonControls`
USER32.DLL	`MessageBoxA` `GetWindowThreadProcessId` `IsWindowVisible` `IsWindowEnabled` `GetForegroundWindow` `EnableWindow` `EnumWindows`
SHELL32.DLL	`ShellExecuteExA`
OLE32.DLL	`CoInitialize`

Delayed Imports

1

Type	`RT_MANIFEST`
Language	English - United States
Codepage	UNKNOWN
Size	`0x263`
TimeDateStamp	2018-Dec-24 12:24:46
Entropy	`4.92322`
MD5	`841795bb3b61ebd511249778aa26af77`
SHA1	`59f426938522ef9906b0740821e8cc270d1ca897`
SHA256	`be809cba9d14bfb52a969d766992832b10e99e133babcdd99dc6d1bba5597cf7`
SHA3	`5fa5c36711cc5c3661248b1180ce35543201ff1dc77d158129b844f03a2144c9`

Version Info

TLS Callbacks

Load Configuration

RICH Header

4d037478ca682c5e9498b33d361f9894

Summary

Plugin Output

Hashes

DOS Header

PE Header

Image Optional Header

.code

.text

.rdata

.data

.rsrc

.NewSec

Imports

Delayed Imports

1

Version Info

TLS Callbacks

Load Configuration

RICH Header

Errors