Manalyze report for 4d8f6dfbe49ef6a40b47d46ce6a892bf

Summary

Architecture	`IMAGE_FILE_MACHINE_I386`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	1992-Jun-19 22:22:17

Plugin Output

Suspicious	PEiD Signature:	`UPX V2.00-V2.90 -> Markus Oberhumer & Laszlo Molnar & John Reiser` `UPX v2.0 -> Markus, Laszlo & Reiser (h)` `UPX 2.00-3.0X -> Markus Oberhumer & Laszlo Molnar & John Reiser` `UPX -> www.upx.sourceforge.net` `UPX V2.00-V2.90 -> Markus Oberhumer & Laszlo Molnar & John Reiser` `UPX 2.00-3.0X -> Markus Oberhumer & Laszlo Molnar & John Reiser`
Suspicious	The PE is packed with UPX	`Unusual section name found: UPX0` `Section UPX0 is both writable and executable.` `Unusual section name found: UPX1` `Section UPX1 is both writable and executable.` `The PE only has 7 import(s).`
Info	The PE contains common functions which appear in legitimate applications.	`[!] The program may be hiding some of its imports: LoadLibraryA GetProcAddress` `Can access the registry: RegCloseKey`
Suspicious	The PE header may have been manually modified.	`Resource 4090 is possibly compressed or encrypted.` `Resource 4091 is possibly compressed or encrypted.` `Resource 4092 is possibly compressed or encrypted.` `Resource 4093 is possibly compressed or encrypted.` `Resource 4094 is possibly compressed or encrypted.` `Resource 4095 is possibly compressed or encrypted.` `Resource 4096 is possibly compressed or encrypted.` `The resource timestamps differ from the PE header: 2018-Feb-10 17:00:02`
Suspicious	The file contains overlay data.	`21 bytes of data starting at offset 0xa000.`
Malicious	VirusTotal score: 32/71 (Scanned on 2020-10-29 05:03:52)	`Elastic: malicious (high confidence)` `MicroWorld-eScan: Trojan.GenericKD.32731475` `McAfee: RDN/Autorun.worm.gen` `Cylance: Unsafe` `CrowdStrike: win/malicious_confidence_100% (W)` `Alibaba: Worm:Win32/Autorun.25b6ebf3` `K7GW: Riskware ( 0040eff71 )` `K7AntiVirus: Riskware ( 0040eff71 )` `Symantec: ML.Attribute.HighConfidence` `APEX: Malicious` `Paloalto: generic.ml` `BitDefender: Trojan.GenericKD.32731475` `Ad-Aware: Trojan.GenericKD.32731475` `Sophos: Mal/Emogen-I` `Comodo: Malware@#11lqir733njld` `Invincea: Mal/Generic-R + Mal/Emogen-I` `McAfee-GW-Edition: BehavesLike.Win32.Generic.pc` `FireEye: Generic.mg.4d8f6dfbe49ef6a4` `Emsisoft: Trojan.GenericKD.32731475 (B)` `eGambit: Unsafe.AI_Score_89%` `Microsoft: Trojan:Win32/Zpevdo.A` `Arcabit: Trojan.Generic.D1F37153` `AegisLab: Virus.Win32.Lamer.lmQV` `GData: Trojan.GenericKD.32731475` `AhnLab-V3: Malware/Win32.Generic.C2822172` `BitDefenderTheta: Gen:NN.ZelphiF.34590.cmHfam9n3zb` `ALYac: Trojan.GenericKD.32731475` `MAX: malware (ai score=100)` `Panda: Trj/GdSda.A` `Fortinet: W32/Emogen.I!worm` `Webroot: W32.Malware.Gen` `Cybereason: malicious.be49ef`

Hashes

MD5	`4d8f6dfbe49ef6a40b47d46ce6a892bf`
SHA1	`1f7344c8b5888cf76ea81a1308036349519dde46`
SHA256	`d7771d305b0a0cfc4b508dc1f319416e59eaafe1c953f1af46cddd706d946bef`
SHA3	`1b96662916b7ba1486f6e8e0bf9cd28f5860a83310bdef31d4119a3413fd5941`
SSDeep	`768:+BfCV2xibd6N9FxJl0WwKdTY0JdoIjd5Jej30nHRPS290ANJ06G9i:+IV4NLnJaWRRTo/jqHM29zN0i`
Imports Hash	`0e836bd3be54eeeafd05573d50eaca49`

DOS Header

e_magic	`MZ`
e_cblp	`0x50`
e_cp	`0x2`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0xf`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0x1a`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0x100`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_I386`
NumberofSections	`3`
TimeDateStamp	1992-Jun-19 22:22:17
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xe0`
Characteristics	`IMAGE_FILE_32BIT_MACHINE` `IMAGE_FILE_BYTES_REVERSED_HI` `IMAGE_FILE_BYTES_REVERSED_LO` `IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LINE_NUMS_STRIPPED` `IMAGE_FILE_LOCAL_SYMS_STRIPPED` `IMAGE_FILE_RELOCS_STRIPPED`

Image Optional Header

Magic	`PE32`
LinkerVersion	`2.0`
SizeOfCode	`0xa000`
SizeOfInitializedData	`0x1000`
SizeOfUninitializedData	`0x14000`
AddressOfEntryPoint	`0x0001E460 (Section: UPX1)`
BaseOfCode	`0x15000`
BaseOfData	`0x1f000`
ImageBase	`0x400000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`4.0`
ImageVersion	`0.0`
SubsystemVersion	`4.0`
Win32VersionValue	`0`
SizeOfImage	`0x20000`
SizeOfHeaders	`0x1000`
Checksum	`0`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x4000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

UPX0

MD5	`d41d8cd98f00b204e9800998ecf8427e`
SHA1	`da39a3ee5e6b4b0d3255bfef95601890afd80709`
SHA256	`e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`
SHA3	`a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a`
VirtualSize	`0x14000`
VirtualAddress	`0x1000`
SizeOfRawData	`0`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_UNINITIALIZED_DATA` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`

UPX1

MD5	`83df071d2351171bf3b99c476f9225b4`
SHA1	`3e62ec7d4fb8d65a6adc7f0bc5dbb4d235a9d8ee`
SHA256	`1bc5e706679829ba274255bdb2550f8ddf39c34ae7b6fc175aaa81bbf4289e1f`
SHA3	`9ec5774a5829dca8439a5eab6bc77188cc251ffb96d6a1d2dd009a2e81b86042`
VirtualSize	`0xa000`
VirtualAddress	`0x15000`
SizeOfRawData	`0x9800`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`7.87469`

.rsrc

MD5	`e3214974b9682041d20991c15463a005`
SHA1	`17754f60e41e0bf8c48086a966aaf91f970d2792`
SHA256	`00823b673e547b5fe08af64f4a983187f5c4902e05515553b48338b3fdc31c56`
SHA3	`288e66cf7e8a8b81a39b7230a9ba4594f0469e49e6261514af99b00f5ae468f9`
VirtualSize	`0x1000`
VirtualAddress	`0x1f000`
SizeOfRawData	`0x400`
PointerToRawData	`0x9c00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`2.88783`

Imports

advapi32.dll	`RegCloseKey`
KERNEL32.DLL	`LoadLibraryA` `ExitProcess` `GetProcAddress` `VirtualProtect`
oleaut32.dll	`VariantCopy`
user32.dll	`CharNextA`

Delayed Imports

4090

Type	`RT_STRING`
Language	UNKNOWN
Codepage	UNKNOWN
Size	`0x1b4`
TimeDateStamp	2018-Feb-10 17:00:02
Entropy	`7.37783`
MD5	`bfac2ccb62bca1809bd5cf1c9c268d2b`
SHA1	`4b17cd1e40f172750406f7bb62ed7d52297a2473`
SHA256	`1962886dfb3318166e820a6f09a021095a82882c2c59b0e97e9d23378fdcc72f`
SHA3	`a99033128d326989701fbee5b44f243a12a0406cd16df66dfb1102e915c4a21c`

4091

Type	`RT_STRING`
Language	UNKNOWN
Codepage	UNKNOWN
Size	`0x208`
TimeDateStamp	2018-Feb-10 17:00:02
Entropy	`7.37357`
MD5	`257337f41cf56083bacbfca82026e497`
SHA1	`38c8ba546f7da5b597e0b92c3fd1e9ccc5a625ef`
SHA256	`66c8be3d34b468da52cdb81b7a408519b0ec42eca1fffe6485c86de519fee4e4`
SHA3	`be8812dbd10dcb59fb8eca75f69d8b315e2f9c5a67a8de5145dc88afd30a08b1`

4092

Type	`RT_STRING`
Language	UNKNOWN
Codepage	UNKNOWN
Size	`0xec`
TimeDateStamp	2018-Feb-10 17:00:02
Entropy	`7.14934`
MD5	`7712929b7a2fb9d4ac1625253c67bd3e`
SHA1	`f77bf0000742c192a2a39d3224a7bff608c53971`
SHA256	`c5b690e88a1b65b5191416569acd54d6bb87ea56fb644f14b8a85dbe6b2474f9`
SHA3	`71f1aa5b140d5a0f17dab3954213cbdffbf9346452e328fda58c68839212d3f3`

4093

Type	`RT_STRING`
Language	UNKNOWN
Codepage	UNKNOWN
Size	`0x198`
TimeDateStamp	2018-Feb-10 17:00:02
Entropy	`7.27219`
MD5	`c55f53cfa952714753d4e16bf107abf5`
SHA1	`9905797c36a07ffe2071b9ea6579a5e1e54951ba`
SHA256	`b706ee717e799b7b7a8a82a0e21f975e6a371c8de27e84bb41ce2d981c38fa7b`
SHA3	`a3d88763ec7a9853538fb5682ff2cd7a457fc86f6df79341c15f9d791fca4f1d`

4094

Type	`RT_STRING`
Language	UNKNOWN
Codepage	UNKNOWN
Size	`0x3b4`
TimeDateStamp	2018-Feb-10 17:00:02
Entropy	`7.5101`
MD5	`58273971d39d0ae0f2635d7cbc68a337`
SHA1	`1275895e8ab9e2c619ca7a96c25db2691bcfb91e`
SHA256	`2dbc5cb728fa259f8d8c7f1d63cff56f529f5d6d2a09655ca0d83bb70781319c`
SHA3	`09d18a79a2223658438d22088f10008b12d8c7235db81c932249d60027813d71`

4095

Type	`RT_STRING`
Language	UNKNOWN
Codepage	UNKNOWN
Size	`0x37c`
TimeDateStamp	2018-Feb-10 17:00:02
Entropy	`7.65865`
MD5	`ada5fa12ff33560ad81a1cd3ff76a60e`
SHA1	`f6747c9aa3fb04502269bd02ab6a1915203f4847`
SHA256	`c3dd8d37442e7a13a00bec439ce5a09b1ed46c0648cfe2c0a602637a48f451ff`
SHA3	`06ddcd54f391598893db338b026a097be10d958581bd509b0868200f9b508b71`

4096

Type	`RT_STRING`
Language	UNKNOWN
Codepage	UNKNOWN
Size	`0x2a0`
TimeDateStamp	2018-Feb-10 17:00:02
Entropy	`7.44662`
MD5	`80099c3331eb965648fc8777a86e7a75`
SHA1	`eab86ba72c91d78b714ee15c8e940d4c557905f3`
SHA256	`e7d1f2470f7f31f57db602fcfb76e868092f7f1f9ba82723fe28c825268f123f`
SHA3	`fab6e655a75f2ed8dad9a81acd3ee74688984044a28ecbefc4aa5b462aadddad`

DVCLAL

Type	`RT_RCDATA`
Language	UNKNOWN
Codepage	UNKNOWN
Size	`0x10`
TimeDateStamp	2018-Feb-10 17:00:02
Entropy	`4`
MD5	`d5f32d90957feb4edf317aeab17483e9`
SHA1	`16090f2ff525b5d733e66a624431e04c073ca60c`
SHA256	`3b77fbef14f265f434a38d1b39d2abccb0b75ffacf51fa07705c73e6d2a6b668`
SHA3	`39331e822dc5c644e0178de8b3e16dd0b6175940d685996a2dd9f6ad580e3f1a`

PACKAGEINFO

Type	`RT_RCDATA`
Language	UNKNOWN
Codepage	UNKNOWN
Size	`0x9c`
TimeDateStamp	2018-Feb-10 17:00:02
Entropy	`6.52012`
MD5	`eb71c57b2e58b686482c406118dbc83c`
SHA1	`d6280f051b887e2a9075aaa792d849a9307509d6`
SHA256	`af7079c31ba3fcadbd98c6f7c0bba6ceff771f3e0e711291049f9afd05618259`
SHA3	`43584bb2e414e067a1e5607dcdda45eb4dfcdab71abe911d3f6a5b7358775212`

Version Info

TLS Callbacks

Load Configuration

RICH Header

Errors

[!] Error: Could not reach the TLS callback table.
[*] Warning: Section UPX0 has a size of 0!
[*] Warning: Couldn't convert a string from a RT_STRING resource to UTF-8!
[*] Warning: Couldn't convert a string from a RT_STRING resource to UTF-8!
[*] Warning: Couldn't convert a string from a RT_STRING resource to UTF-8!
[*] Warning: Couldn't convert a string from a RT_STRING resource to UTF-8!
[*] Warning: Couldn't convert a string from a RT_STRING resource to UTF-8!
[*] Warning: Couldn't convert a string from a RT_STRING resource to UTF-8!
[*] Warning: Couldn't convert a string from a RT_STRING resource to UTF-8!