5137f6c1b6fec54e3c4fce6261905dd6

Summary

Architecture IMAGE_FILE_MACHINE_I386
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date 2018-Jan-30 03:57:38
Detected languages English - United States

Plugin Output

Info Interesting strings found in the binary: Contains domain names:
  • http://nsis.sf.net
  • http://nsis.sf.net/NSIS_Error
  • nsis.sf.net
Suspicious The PE is an NSIS installer Unusual section name found: .ndata
Malicious The PE contains functions mostly used by malware. [!] The program may be hiding some of its imports:
  • GetProcAddress
  • LoadLibraryExA
 Can access the registry:
  • RegCreateKeyExA
  • RegOpenKeyExA
  • RegEnumValueA
  • RegDeleteKeyA
  • RegDeleteValueA
  • RegCloseKey
  • RegSetValueExA
  • RegQueryValueExA
  • RegEnumKeyA
 Possibly launches other programs:
  • CreateProcessA
 Can create temporary files:
  • CreateFileA
  • GetTempPathA
 Functions related to the privilege level:
  • AdjustTokenPrivileges
  • OpenProcessToken
 Changes object ACLs:
  • SetFileSecurityA
 Can shut the system down or lock the screen:
  • ExitWindowsEx
Suspicious The file contains overlay data. 985846 bytes of data starting at offset 0x2a800.
The overlay data has an entropy of 7.84308 and is possibly compressed or encrypted.
Overlay data amounts for 84.9921% of the executable.
Malicious VirusTotal score: 49/67 (Scanned on 2022-01-18 20:50:22) Lionic: Riskware.Win32.Malicious.1!c
Elastic: malicious (high confidence)
Cynet: Malicious (score: 100)
CAT-QuickHeal: Trojan.Keygen
ALYac: Application.Generic.3093812
Cylance: Unsafe
VIPRE: Trojan.Win32.Generic!BT
Sangfor: PUP.Win32.Keygen.mt
K7AntiVirus: Unwanted-Program ( 0052f55b1 )
BitDefender: Application.Generic.3093812
K7GW: Unwanted-Program ( 0052f55b1 )
CrowdStrike: win/malicious_confidence_70% (D)
Cyren: W32/Trojan.EGVA-6075
ESET-NOD32: Win32/Keygen.ACE potentially unsafe
APEX: Malicious
Paloalto: generic.ml
ClamAV: Win.Malware.Score-6997747-0
MicroWorld-eScan: Application.Generic.3093812
Avast: Win32:Malware-gen
Ad-Aware: Application.Generic.3093812
Sophos: Generic PUA CK (PUA)
Comodo: Malware@#1xonnageqvj72
DrWeb: Trojan.Siggen8.9905
Zillya: Backdoor.Tofsee.Win32.1885
TrendMicro: TROJ_GEN.F0CBC0UCB21
McAfee-GW-Edition: BehavesLike.Win32.Exploit.tc
FireEye: Generic.mg.5137f6c1b6fec54e
Emsisoft: Application.Generic.3093812 (B)
Ikarus: not-a-virus:Keygen.Ableton
GData: Application.Generic.3093812
Webroot: W32.Adware.Gen
Antiy-AVL: Trojan/Generic.ASMalwS.30F9C3B
Gridinsoft: PUP.Win32.Keygen.oa
Arcabit: Application.Generic.D2F3534
SUPERAntiSpyware: Hack.Tool/Gen-KeyGen
Microsoft: PUA:Win32/Keygen
AhnLab-V3: Unwanted/Win32.KeyGen.C2198504
McAfee: Artemis!5137F6C1B6FE
MAX: malware (ai score=100)
VBA32: BScope.Trojan.OutBrowse
Malwarebytes: CrackTool.Agent.Keygen
TrendMicro-HouseCall: TROJ_GEN.F0CBC0UCB21
Yandex: Trojan.Igent.bVSWxy.2
SentinelOne: Static AI - Suspicious PE
Fortinet: Riskware/Generic_PUA_CK
BitDefenderTheta: Gen:NN.ZedlaF.34160.Rq4@a8IcBkk
AVG: Win32:Malware-gen
Cybereason: malicious.1b6fec
Panda: Trj/CI.A

Hashes

MD5 5137f6c1b6fec54e3c4fce6261905dd6
SHA1 2acfa6961576086cb34376222cca49027b77871d
SHA256 72c96f7e2f4823bb9f28944c96aa1b737be20edd52ca97b699085d3498e4ab74
SHA3 54f7590e176ca84b048c4cab725a424ad235164c1ffa70d3bb4c81b944d725a3
SSDeep 24576:scLyLVBj7bonifxHi8nnM6+uRCy/4cZTKRZiKx9j1zp9KtyUHW:sAOsif1TMC1wcZTK+KZzxUHW
Imports Hash 57e98d9a5a72c8d7ad8fb7a6a58b3daf

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0xd8

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_I386
NumberofSections 5
TimeDateStamp 2018-Jan-30 03:57:38
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xe0
Characteristics IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_RELOCS_STRIPPED

Image Optional Header

Magic PE32
LinkerVersion 6.0
SizeOfCode 0x6200
SizeOfInitializedData 0x1d000
SizeOfUninitializedData 0x400
AddressOfEntryPoint 0x00003328 (Section: .text)
BaseOfCode 0x1000
BaseOfData 0x8000
ImageBase 0x400000
SectionAlignment 0x1000
FileAlignment 0x200
OperatingSystemVersion 4.0
ImageVersion 6.0
SubsystemVersion 4.0
Win32VersionValue 0
SizeOfImage 0x50000
SizeOfHeaders 0x400
Checksum 0
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
DllCharacteristics IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
SizeofStackReserve 0x100000
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

.text

MD5 de10f6d8b01c12ec29a35514cd8d49da
SHA1 dc99bb270aba5528ea6772daef690660e0e00e52
SHA256 bb94301f6e60cbaab0f9c7c45883d625432da1199d48490eb36782d82160f044
SHA3 de4d52a9a1400519e801f96fc7577f2950884b479a55c61b82dbfa9ae3c40a7c
VirtualSize 0x6077
VirtualAddress 0x1000
SizeOfRawData 0x6200
PointerToRawData 0x400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
Entropy 6.40397

.rdata

MD5 421f9404c16c75fa4bc7d37da19b3076
SHA1 caa6723796ab9ad4940d796a7ac9c888b55cb4ed
SHA256 e2cf6abb337a9d20f5f9c5f025bd53f839adef419be7067c4f2d59e833aeaac9
SHA3 9214b6f26a56c99ce8a3e20b035f88aea8d6152caa4592cc69b7428a36bb673f
VirtualSize 0x1248
VirtualAddress 0x8000
SizeOfRawData 0x1400
PointerToRawData 0x6600
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 5.04426

.data

MD5 9b72314b8d9ad5c72778b00cdf336ee2
SHA1 bbd203dd006ce01350a17c86143140eb14a9d94e
SHA256 1b8fb6198506eaef35e7f92db9770170a7ce9aa0e85c43137e7c4dc180bf3a06
SHA3 ff15db8aea32748882caf52ba47d30dd187512b673ec544648061cb3403e92a5
VirtualSize 0x1a838
VirtualAddress 0xa000
SizeOfRawData 0x400
PointerToRawData 0x7a00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 5.22445

.ndata

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA3 a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a
VirtualSize 0x8000
VirtualAddress 0x25000
SizeOfRawData 0
PointerToRawData 0
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc

MD5 dd33e5bff351b424487092d17fe39588
SHA1 c4456c65f8d9e240434d70b56d8279d84604a853
SHA256 61b243aea5524efada89154e37eb8759a82cee8c64951799ec7e8d1b163f770b
SHA3 5d47f21605e3c34789fdb0e041baf1c5041887aecb553c0cfd789538daea4bb6
VirtualSize 0x22910
VirtualAddress 0x2d000
SizeOfRawData 0x22a00
PointerToRawData 0x7e00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 6.06462

Imports

KERNEL32.dll SetEnvironmentVariableA
CreateFileA
GetFileSize
GetModuleFileNameA
ReadFile
GetCurrentProcess
CopyFileA
Sleep
GetTickCount
GetWindowsDirectoryA
GetTempPathA
GetCommandLineA
lstrlenA
GetVersion
SetErrorMode
lstrcpynA
ExitProcess
SetCurrentDirectoryA
GlobalLock
CreateThread
GetLastError
CreateDirectoryA
CreateProcessA
RemoveDirectoryA
GetTempFileNameA
WriteFile
lstrcpyA
MoveFileExA
lstrcatA
GetSystemDirectoryA
GetProcAddress
GetExitCodeProcess
WaitForSingleObject
CompareFileTime
SetFileAttributesA
GetFileAttributesA
GetShortPathNameA
MoveFileA
GetFullPathNameA
SetFileTime
SearchPathA
CloseHandle
lstrcmpiA
GlobalUnlock
GetDiskFreeSpaceA
lstrcmpA
FindFirstFileA
FindNextFileA
DeleteFileA
SetFilePointer
GetPrivateProfileStringA
FindClose
MultiByteToWideChar
FreeLibrary
MulDiv
WritePrivateProfileStringA
LoadLibraryExA
GetModuleHandleA
GlobalAlloc
GlobalFree
ExpandEnvironmentStringsA
USER32.dll ScreenToClient
GetSystemMenu
SetClassLongA
IsWindowEnabled
SetWindowPos
GetSysColor
GetWindowLongA
SetCursor
LoadCursorA
CheckDlgButton
GetMessagePos
LoadBitmapA
CallWindowProcA
IsWindowVisible
CloseClipboard
SetClipboardData
EmptyClipboard
PostQuitMessage
GetWindowRect
EnableMenuItem
CreatePopupMenu
GetSystemMetrics
SetDlgItemTextA
GetDlgItemTextA
MessageBoxIndirectA
CharPrevA
DispatchMessageA
PeekMessageA
ReleaseDC
EnableWindow
InvalidateRect
SendMessageA
DefWindowProcA
BeginPaint
GetClientRect
FillRect
DrawTextA
EndDialog
RegisterClassA
SystemParametersInfoA
CreateWindowExA
GetClassInfoA
DialogBoxParamA
CharNextA
ExitWindowsEx
GetDC
CreateDialogParamA
SetTimer
GetDlgItem
SetWindowLongA
SetForegroundWindow
LoadImageA
IsWindow
SendMessageTimeoutA
FindWindowExA
OpenClipboard
TrackPopupMenu
AppendMenuA
EndPaint
DestroyWindow
wsprintfA
ShowWindow
SetWindowTextA
GDI32.dll SelectObject
SetBkMode
CreateFontIndirectA
SetTextColor
DeleteObject
GetDeviceCaps
CreateBrushIndirect
SetBkColor
SHELL32.dll SHGetSpecialFolderLocation
ShellExecuteExA
SHGetPathFromIDListA
SHBrowseForFolderA
SHGetFileInfoA
SHFileOperationA
ADVAPI32.dll AdjustTokenPrivileges
RegCreateKeyExA
RegOpenKeyExA
SetFileSecurityA
OpenProcessToken
LookupPrivilegeValueA
RegEnumValueA
RegDeleteKeyA
RegDeleteValueA
RegCloseKey
RegSetValueExA
RegQueryValueExA
RegEnumKeyA
COMCTL32.dll ImageList_Create
ImageList_AddMasked
ImageList_Destroy
#17
ole32.dll OleUninitialize
OleInitialize
CoTaskMemFree
CoCreateInstance

Delayed Imports

1

Type RT_ICON
Language English - United States
Codepage UNKNOWN
Size 0x10828
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 4.24511
MD5 5b5022130f1d1dbdc6cde71771a5d5a0
SHA1 40ed7aa2fd0ab46670369b4cc723c09ac09fc8e9
SHA256 6b5fdefe6dd2d528c9945b7278a00145a0ac1bd84e8add4e3e32fca419f25200
SHA3 58843017377f6ce0844f0901fc966ee454231422843696c71cbfd89d2a724ed0

2

Type RT_ICON
Language English - United States
Codepage UNKNOWN
Size 0xd3f8
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 7.92764
Detected Filetype PNG graphic file
MD5 8e234213412bb448337cfb1e05dec880
SHA1 69ecdabb73f87016394c1248606bf4e300573343
SHA256 47fffaf216469bbbefc3ae26d70990b9892d38f70571cc9179ae48708d63346a
SHA3 88a6ee33d21749f4effc806de7844244ec14335679eadb696b1e0e28f991c543

3

Type RT_ICON
Language English - United States
Codepage UNKNOWN
Size 0x25a8
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 4.51849
MD5 be2b1e09de93e06a7fabe277f19fb858
SHA1 aac92694a24b2eb88ffefaed4b9a64aa85a38a60
SHA256 a41f6bb9977acd547d930b242992726149a0c1be828f2e8738c7086a8ba32c6d
SHA3 5038bc717043bd86c27084c5fcd5bd9b136ebdfd3ebb0475d49253ee752c40a6

4

Type RT_ICON
Language English - United States
Codepage UNKNOWN
Size 0x10a8
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 4.75617
MD5 b6c1f5f4eaebd8a47b1e6cde0071bed0
SHA1 1674ed40858aae69c1d6dcfcf5cf3edfc88951a8
SHA256 82c21bdf67b5d1541a332b95f4d608e53f62b082ddccd7ddce131a7031d0c32f
SHA3 d9b8121d1743d57722ef3df47c54a1cfe0c730cb74192464a26f11af428ffb06

5

Type RT_ICON
Language English - United States
Codepage UNKNOWN
Size 0x988
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 4.93004
MD5 bcc59368d45b5579e7800956bb51a186
SHA1 72b5b91b63245e85893efc630a91d67833bc4710
SHA256 61896d486a77df6beb5a61574023efe090d84e4d42466943ff1ea70c609b8050
SHA3 7448332a65762b449e00b9934a108b01e7cea71b7c66009f37659727ae5d7357

6

Type RT_ICON
Language English - United States
Codepage UNKNOWN
Size 0x468
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 5.08765
MD5 f6692c2cdee7c8ac30439647d13abbd5
SHA1 a5e21684a8975d88fd875976f1d303bfda80848b
SHA256 f3601da020c40d12ebd27f044fae5aef42a1516358fd6a134395428d0de07759
SHA3 d81b1a790f5e8ce789cc5f8b3546e145a5a99d940f11e51bd0259232a9958cb8

105

Type RT_DIALOG
Language English - United States
Codepage UNKNOWN
Size 0x100
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 2.66174
MD5 3409f314895161597f3c395cc5f65525
SHA1 1a99d016d65e567f24449d9362afb6ac44006d0b
SHA256 fecdb955f8d7f1c219ff8167f90b64f3cb52e53337494577ff73c0ac1dafcd96
SHA3 b3b19241cc6454389e45833e50b742ae1927a5f161017350a99f2cbc66914f26

106

Type RT_DIALOG
Language English - United States
Codepage UNKNOWN
Size 0x11c
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 2.88094
MD5 2d12c45dc2c029044aaff357141cb900
SHA1 083db861ab3c7db23c6257878296e73a89a74b8b
SHA256 69897c784f1491eb3024b0d52c2897196a2e245974497fda1915db5fefcf8729
SHA3 349b5d605c9c3efe5e0c4e2faa12dd21022fc5f9b053f2cbf4e2a6b8bc656442

111

Type RT_DIALOG
Language English - United States
Codepage UNKNOWN
Size 0x60
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 2.48825
MD5 6be4e1387d369cf86e68eacbdd0e81dd
SHA1 351970fe2681b9b35b5d59ad052011ed96a96e17
SHA256 85025c8556952f6a651c2468c8a0d58853b0ba482be9ad5cd3060f216540dfc0
SHA3 45e552e173141e06d113209b6cc915042ad0b4d5531464b8dbe5637029f489cb

103

Type RT_GROUP_ICON
Language English - United States
Codepage UNKNOWN
Size 0x5a
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 2.8213
Detected Filetype Icon file
MD5 269365d3bff809f0db865085c4757030
SHA1 fb8c074fa6ff8256aaab66a5a628a1114cb83b37
SHA256 dda68c1f5ebefcff8004d6425dfd295e6759d5095021abe2f07a687bf2dae53d
SHA3 8d1ff02155cc70269b42799bd7fcd3f692cb2d5439df5ab7ac4e655c6c484258

1 (#2)

Type RT_MANIFEST
Language English - United States
Codepage UNKNOWN
Size 0x349
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 5.28733
MD5 81340e1903b2a05e71dd8a88aba25772
SHA1 d7d13e04ff51df2181b1491840d0652557bbb045
SHA256 e5b9c58bc853f8210e32183cb3f34ad6b936f61e531a7772fb4a2781f4853dc2
SHA3 efe529b26ac6d7376ec967d5f83859aae798e236bf4b23fb7e7ab2c20d825bd6

Version Info

TLS Callbacks

Load Configuration

RICH Header

XOR Key 0xd246d0e9
Unmarked objects 0
C objects (VS2003 (.NET) build 4035) 2
Total imports 159
Imports (VS2003 (.NET) build 4035) 15
48 (9044) 10
Resource objects (VS98 SP6 cvtres build 1736) 1

Errors

[*] Warning: Section .ndata has a size of 0!
<-- -->