Manalyze report for 5189e3209b2eb0c14b661d13893b5ac50af823a54e9c1f83c037b1abfb4d369f

Summary

Architecture	`IMAGE_FILE_MACHINE_I386`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	2003-Sep-16 02:24:55
Detected languages	English - United States
CompanyName	PhantomL corp.
FileVersion	`1.0.0`
FileDescription	Try to reverse this prog
InternalName	ReverseMe Hard
ProductVersion	`1.0.0`

Plugin Output

Suspicious	PEiD Signature:	`ARM Protector v0.1 by SMoKE` `ARM Protector 0.1 by SMoKE`
Suspicious	The PE is possibly packed.	`Section .text is both writable and executable.` `Unusual section name found: .armp` `Section .armp is both writable and executable.` `The PE only has 0 import(s).`
Malicious	VirusTotal score: 41/72 (Scanned on 2024-02-29 20:07:24)	`APEX: Malicious` `AhnLab-V3: Trojan/Win32.Bumat.C254185` `Alibaba: Trojan:Win32/LdPinch.16a38429` `Antiy-AVL: Trojan[Backdoor]/Win32.VagrNocker` `Avira: HEUR/AGEN.1361179` `CrowdStrike: win/malicious_confidence_90% (W)` `Cybereason: malicious.81194f` `Cylance: unsafe` `Cynet: Malicious (score: 100)` `DeepInstinct: MALICIOUS` `ESET-NOD32: a variant of Generik.JTLFDXE` `Elastic: malicious (high confidence)` `F-Secure: Heuristic.HEUR/AGEN.1361179` `FireEye: Generic.mg.8b6bb460d3fa4dd3` `Fortinet: W32/MyDoom.F!tr` `Google: Detected` `Gridinsoft: Trojan.Heur!.0301A0A1` `Ikarus: Trojan-PWS.Win32.LdPinch` `Kingsoft: Win32.HeurC.KVMH008.a` `Lionic: Trojan.Win32.Hupigon.lAqL` `Malwarebytes: Malware.Heuristic.2082` `McAfee: ARM packed app` `Microsoft: TrojanDownloader:Win32/Upatre!ml` `NANO-Antivirus: Trojan.Win32.Renaz.gsfkx` `Panda: Malicious Packer` `Rising: Trojan.Bumat!8.710 (CLOUD)` `Sangfor: Trojan.Win32.Generik.JTLFDXE` `SentinelOne: Static AI - Malicious PE` `Skyhigh: BehavesLike.Win32.Generic.xc` `Sophos: Mal/Packer` `Symantec: ML.Attribute.HighConfidence` `Tencent: Win32.Trojan.Agen.Rwhl` `Trapmine: malicious.high.ml.score` `VBA32: TScope.Malware-Cryptor.SB` `Varist: W32/Heuristic-162!Eldorado` `VirIT: Trojan.Win32.Generic.VUG` `Webroot: W32.Bumat.Gen` `Xcitium: Packed.Win32.Packer.~GEN@1oh172` `Yandex: Trojan.Renaz!YTrmlYCtdfk` `Zillya: Trojan.Agent.Win32.181071` `Zoner: Probably Heur.ExeHeaderL`

Hashes

MD5	`8b6bb460d3fa4dd3eb8b8397fe0cb6f7`
SHA1	`bb2711581194f26e0d70c9e00373e57165e56f9e`
SHA256	`5189e3209b2eb0c14b661d13893b5ac50af823a54e9c1f83c037b1abfb4d369f`
SHA3	`8e6498a19b4fdbee78d696fe20d043bb3184a8aee4b6dfb6aee9c7c1cf4abc6e`
SSDeep	`96:lnhQRvu7HJhOEvrJnPpwACm5jP+LemnPBP1AqXAmq+1wl5E0+CcYBh:Mp8U+rJPOACm5jGpPxvE+1YqCc+`
Imports Hash	`d41d8cd98f00b204e9800998ecf8427e`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0xc0`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_I386`
NumberofSections	`5`
TimeDateStamp	2003-Sep-16 02:24:55
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xe0`
Characteristics	`IMAGE_FILE_32BIT_MACHINE` `IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LINE_NUMS_STRIPPED` `IMAGE_FILE_LOCAL_SYMS_STRIPPED` `IMAGE_FILE_RELOCS_STRIPPED`

Image Optional Header

Magic	`PE32`
LinkerVersion	`5.0`
SizeOfCode	`0x200`
SizeOfInitializedData	`0x800`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x00005000 (Section: .armp)`
BaseOfCode	`0x1000`
BaseOfData	`0x2000`
ImageBase	`0x400000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`4.0`
ImageVersion	`4.0`
SubsystemVersion	`4.0`
Win32VersionValue	`0`
SizeOfImage	`0x7000`
SizeOfHeaders	`0x400`
Checksum	`0x65af`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`ef8ff2c7d687a26bff814c45cfe35871`
SHA1	`882bbf14552c48558f4959013076f7e882ce92f5`
SHA256	`764ea96357213d7deda9dda26be1e1b799c1b8be99effdcfb5eeb6dbc9de159f`
SHA3	`be8569ffb5bc3d46ccade9a1f893cfbad730628c5c74a7e74ce62759d15f0f61`
VirtualSize	`0x4c`
VirtualAddress	`0x1000`
SizeOfRawData	`0x200`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`7.94648`

.rdata

MD5	`5529bf82ac106412aa6276b6629cf773`
SHA1	`c6ce0b52206a71fdc102b237fa1eb7c36557b696`
SHA256	`ab0ec4c1825c2101cc2a3b620194974f71a000f74e74e746e765f1faa1e65517`
SHA3	`8b59e5ae342e8a81bafeed7f9fbb1d847bc2e42c25e71cf221f952702ab54690`
VirtualSize	`0x92`
VirtualAddress	`0x2000`
SizeOfRawData	`0x200`
PointerToRawData	`0x600`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`7.88707`

.data

MD5	`1f4b54872070cd65d950ee8f77a7b319`
SHA1	`e844a44fb585b1c1feefbf118933a8663e2ea8bc`
SHA256	`6ded138fc5123f4b671896ac8e135a998c9105f541d682dd0f007495c828dc20`
SHA3	`c73fe84a68775d46ec0e6ade4dfb10f959ee4f6ec331cc4209670dc7dd699ac9`
VirtualSize	`0x90`
VirtualAddress	`0x3000`
SizeOfRawData	`0x200`
PointerToRawData	`0x800`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`7.86675`

.rsrc

MD5	`4b2d5c54d9c4c31ffa3dcd2ea9cec89c`
SHA1	`4f54f248d4418658f6d04710f9b53976c6c9efc5`
SHA256	`21fff6f5edf3f5eda08756624f8bec8f616a182d8eadc12b49bfc6f27810e9e3`
SHA3	`364e326647dbb693d59c43b1e422bbf6e9c9fe5ef6eb034703fcb6960e10df4d`
VirtualSize	`0x278`
VirtualAddress	`0x4000`
SizeOfRawData	`0x400`
PointerToRawData	`0xa00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`2.04539`

.armp

MD5	`32dcab789aa556135cf1512ceca6c595`
SHA1	`24b189ed7f36b605bb87564f354c65b12b68ad4e`
SHA256	`befad72b20d195e0b6f185d86e43139f3fd3c0a226e4b818ddc246f4b0ab0b55`
SHA3	`fee5c45dc3fe3e8cdb02bb318a0d247beec18c4d5ad297e65f4ce933d980ef96`
VirtualSize	`0x2000`
VirtualAddress	`0x5000`
SizeOfRawData	`0x126e`
PointerToRawData	`0xe00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_CNT_UNINITIALIZED_DATA` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`7.93979`

Imports

Delayed Imports

1

Type	`RT_VERSION`
Language	English - United States
Codepage	UNKNOWN
Size	`0x214`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.2023`
MD5	`3adc934f3dabd68f7e527a5d75028d0c`
SHA1	`39454ce482c09986cc95124855c636385b974967`
SHA256	`7df73490d9e7d9c1de522b838b8b4d73ea4e51b7792aa3c7a6f9775fc97d7675`
SHA3	`68d122184749c0cae570b32805ba245511c8f80d497469086b7bad6ae3663c71`

Version Info

Signature	`0xfeef04bd`
StructVersion	`0x10000`
FileVersion	1.0.0.0
ProductVersion	1.0.0.0
FileFlags	`(EMPTY)`
FileOs	`VOS_DOS_WINDOWS32` `VOS_NT_WINDOWS32` `VOS__WINDOWS32`
FileType	`VFT_UNKNOWN`
Language	English - United States
CompanyName	PhantomL corp.
FileVersion (#2)	1.0.0
FileDescription	Try to reverse this prog
InternalName	ReverseMe Hard
ProductVersion (#2)	1.0.0

Resource LangID	English - United States

TLS Callbacks

Load Configuration

RICH Header

XOR Key	`0x9b9f11a7`
Unmarked objects	`0`
19 (8078)	`8`
18 (8444)	`1`
Resource objects (VS98 SP6 cvtres build 1736)	`1`

Errors

Leave a comment

No comments yet.