526d56017ef5105277fe0d366c95c39d

Summary

Architecture IMAGE_FILE_MACHINE_I386
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date 2021-Jun-10 11:34:28
Detected languages English - United States
Russian - Russia

Plugin Output

Info Matching compiler(s): Microsoft Visual C++ 6.0 - 8.0 (signature match only; LinkerVersion 10.0 in the optional header and the RICH header below both point to the VS2010 toolchain, build 30319)
Suspicious The PE imports functions that most legitimate programs don't use.
[!] The program may be hiding some of its imports (these APIs resolve further imports at run time, so the static import table need not be complete):
  • GetProcAddress
  • LoadLibraryA
  • LoadLibraryW
Memory manipulation functions often used by packers (allocating memory and changing page protections for unpacked code):
  • VirtualAlloc
  • VirtualProtect
Caveat: on their own these are weak indicators. The rest of the KERNEL32 import list is the familiar statically linked MSVC CRT set, and the CRT itself uses GetProcAddress to look up optional APIs. The overlay finding below carries more weight.
Suspicious The file contains overlay data: 270848 bytes appended after the last section, starting at file offset 0x3ac00 (the end of .reloc: PointerToRawData 0x38800 + SizeOfRawData 0x2400), i.e. about 53% of the 511488-byte file.
The overlay data has an entropy of 7.99933 bits per byte (8 is the maximum), so it is almost certainly compressed or encrypted. Together with the VirtualAlloc/VirtualProtect imports and the .data section whose VirtualSize (0x128d7c) far exceeds its SizeOfRawData (0x1a00), this is consistent with a small stub that decrypts the overlay into memory at run time; confirming that requires dynamic analysis or reversing the entry-point code.
Malicious VirusTotal score: 17/68 (scanned 2021-06-10 18:28:40, a few hours after the compile timestamp). Most of the 17 verdicts are generic machine-learning detections rather than a named family:
Bkav: W32.AIDetect.malware1
Elastic: malicious (high confidence)
Malwarebytes: Malware.AI.4050342259
Sangfor: Trojan.Win32.Save.a
Cybereason: malicious.23f4b8
Symantec: ML.Attribute.HighConfidence
APEX: Malicious
Paloalto: generic.ml
Cynet: Malicious (score: 100)
Sophos: Generic ML PUA (PUA)
FireEye: Generic.mg.526d56017ef51052
Microsoft: Trojan:Win32/Wacatac.B!ml
VBA32: BScope.Trojan.Agent
Cylance: Unsafe
SentinelOne: Static AI - Malicious PE
BitDefenderTheta: Gen:NN.ZexaF.34738.FyZ@aSLBqwnk
CrowdStrike: win/malicious_confidence_100% (W)

Hashes

MD5 526d56017ef5105277fe0d366c95c39d
SHA1 78a40d523f4b887b2383681fece447ef911c24ef
SHA256 28f2fa4f9ac95c3fc906e201b758d56c6a888b657dcf57c351a4f34ffb3e0fe2
SHA3 fa4516d20ce2f8f466d4626de3ca208883db427cf5e9e4d0f095b4b7af46fd50
SSDeep 12288:cyLjvFCsHOFO7t8BmzXiDm/znL2wOhlYuGUoPavYWIJdvrQoDptkYIN:BLDFTHOF0anwGYuGDQ2vQoDk5N
Imports Hash 583b80155ced34658fd6e3d555075407

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0xf0

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_I386
NumberofSections 6
TimeDateStamp 2021-Jun-10 11:34:28
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xe0
Characteristics IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE

Image Optional Header

Magic PE32
LinkerVersion 10.0
SizeOfCode 0x29e00
SizeOfInitializedData 0x137e00
SizeOfUninitializedData 0
AddressOfEntryPoint 0x00001023 (Section: .text)
BaseOfCode 0x1000
BaseOfData 0x2b000
ImageBase 0x400000
SectionAlignment 0x1000
FileAlignment 0x200
OperatingSystemVersion 5.1
ImageVersion 0.0
SubsystemVersion 5.1
Win32VersionValue 0
SizeOfImage 0x165000
SizeOfHeaders 0x400
Checksum 0
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
DllCharacteristics IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
SizeofStackReserve 0x100000
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

.text

MD5 2e0fb8f330bab0409d32e7e1623a7baf
SHA1 e00f2e998b2f0e076c7f30d8f4ca78bece4f0bc8
SHA256 7c23e32f0f268908fd33356a9b883629d9a2a59273db4736feb4c9376495c63d
SHA3 97bbcd05b0ef5aaceb3bf29a66e4f22d4a7017228835b11a91b2e3e5abadfb4a
VirtualSize 0x29d39
VirtualAddress 0x1000
SizeOfRawData 0x29e00
PointerToRawData 0x400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
Entropy 5.91873

.rdata

MD5 e8ca1652969df8ecdb173caa305d30ec
SHA1 2cdb3fd107d2cebbf6b76b0918219ea0cc2756e1
SHA256 1f771d040cb889e25da85bd7eac1c3ebe4e83e2d08e17435f0c25bebf984e26c
SHA3 54e271653d1017621a580a042772b89b753d8efac03b9f0c358d74cd53afb821
VirtualSize 0xb58e
VirtualAddress 0x2b000
SizeOfRawData 0xb600
PointerToRawData 0x2a200
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 5.17301

.data

MD5 7a68b70cf4e88233d8f1cf01a4d1c301
SHA1 12b5cd4b5e4740dd464bf1559071439e2d8e3d9c
SHA256 db8185584c39520068b39e57aa9397ea521c6f97ad645cace4667c4eb78cbe5b
SHA3 bb17209fd758400e98860baf5207285300c78c8e7a09e677c4ee0992bc002ae2
VirtualSize 0x128d7c
VirtualAddress 0x37000
SizeOfRawData 0x1a00
PointerToRawData 0x35800
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 2.8185

.idata

MD5 fd5f9e322601dc43927c301acfe7109c
SHA1 bbbe81a0b3a4e374cefce04aed08237c22b86141
SHA256 4574ebefb53f806e3307ce0753b506c6ca128740add9beab0dbb031d4d2f10f1
SHA3 36e97459c39f06cc0578396ba49c61e3db3c02d2a40bb3585c771f65eaeb4047
VirtualSize 0xbe7
VirtualAddress 0x160000
SizeOfRawData 0xc00
PointerToRawData 0x37200
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 4.67045

.rsrc

MD5 916a3a215ba26950ba28d91ab97559e8
SHA1 51321bbbe9a4caa02bb2d6276c276b8aa6b01dc9
SHA256 ac6d7c97776bc456027bd2b3def6580dfd9f77962dc684161958e3e017b3406c
SHA3 2ba083c7168f48ab9d01013795f24b5a53cc3d4777b1141507a46e48ade3645a
VirtualSize 0x936
VirtualAddress 0x161000
SizeOfRawData 0xa00
PointerToRawData 0x37e00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 3.18536

.reloc

MD5 b476a94370cd81ec5ef1af687ec324e0
SHA1 056ea79197e8823f12ebac233850f4015265b56c
SHA256 b3b9cc6076632e64bb45764d5ffcec60f7841f72bb8d24f7ba8573e037d462e0
SHA3 8173a8d9755004d5536dd201a619032b6e4f54981464f6ed3fc3a47a0aa1ed9d
VirtualSize 0x23c5
VirtualAddress 0x162000
SizeOfRawData 0x2400
PointerToRawData 0x38800
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Entropy 4.49615
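The overlay finding above can be reproduced from the section table alone: the overlay is whatever follows the highest PointerToRawData + SizeOfRawData, and its entropy tells you whether it is plain data or compressed/encrypted. The script below is an added example, not the analyzer's own code. It builds a synthetic PE32 in memory whose headers and section table carry exactly the values listed in this report (section bodies are zero-filled and the overlay is a deterministic SHA-256 byte stream, both constructed stand-ins for the real sample's bytes), then parses it back, computes the overlay offset and entropy, and flags sections whose VirtualSize is far larger than their on-disk size. The 4× ratio used for that last check is an assumed threshold, not a value from the report.

```python
import hashlib
import math
import struct

# Section table as given in the report for this sample:
# (name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData).
SECTIONS = [
    (b".text",  0x29D39,  0x1000,   0x29E00, 0x400),
    (b".rdata", 0xB58E,   0x2B000,  0xB600,  0x2A200),
    (b".data",  0x128D7C, 0x37000,  0x1A00,  0x35800),
    (b".idata", 0xBE7,    0x160000, 0xC00,   0x37200),
    (b".rsrc",  0x936,    0x161000, 0xA00,   0x37E00),
    (b".reloc", 0x23C5,   0x162000, 0x2400,  0x38800),
]
OVERLAY_SIZE = 270848  # overlay size reported by the analyzer


def filler_bytes(n, seed=b"overlay"):
    """Deterministic high-entropy filler (SHA-256 counter stream) standing in for the
    encrypted overlay. Constructed data, not bytes of the real sample."""
    out = bytearray()
    for counter in range((n + 31) // 32):
        out += hashlib.sha256(seed + counter.to_bytes(8, "little")).digest()
    return bytes(out[:n])


def build_synthetic_pe():
    """Minimal PE32 whose DOS/NT headers and section table carry the report's values.
    Section bodies are zero-filled (constructed); OVERLAY_SIZE filler bytes follow."""
    e_lfanew = 0xF0
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # "PE\0\0" + IMAGE_FILE_HEADER: I386, 6 sections, SizeOfOptionalHeader 0xe0
    file_hdr = struct.pack("<IHHIIIHH", 0x4550, 0x14C, len(SECTIONS), 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)   # Magic = PE32
    struct.pack_into("<I", opt, 60, 0x400)  # SizeOfHeaders
    sect_tbl = b"".join(struct.pack("<8sIIIIIIHHI", *s, 0, 0, 0, 0, 0) for s in SECTIONS)
    headers = bytes(dos) + file_hdr + bytes(opt) + sect_tbl
    body = bytearray(max(rp + rs for _, _, _, rs, rp in SECTIONS))
    body[: len(headers)] = headers
    return bytes(body) + filler_bytes(OVERLAY_SIZE)


def parse_sections(data):
    """e_lfanew -> IMAGE_FILE_HEADER -> section table; returns
    (name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData) tuples."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsections, = struct.unpack_from("<H", data, e_lfanew + 6)
    opt_size, = struct.unpack_from("<H", data, e_lfanew + 20)
    table = e_lfanew + 24 + opt_size
    out = []
    for i in range(nsections):
        name, vs, va, rs, rp = struct.unpack_from("<8sIIII", data, table + 40 * i)
        out.append((name.rstrip(b"\0").decode("ascii", "replace"), vs, va, rs, rp))
    return out


def overlay_offset(sections):
    """The overlay starts where the last section's raw data ends. Use the max over
    all sections, not the last table entry: the table need not be sorted by offset."""
    return max(rp + rs for _, _, _, rs, rp in sections)


def shannon_entropy(buf):
    """Entropy in bits per byte; 8.0 is the ceiling (uniformly random bytes)."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def analyze(data):
    """Reproduce the analyzer's overlay finding and flag sections whose VirtualSize
    dwarfs their on-disk size (zero-filled space a stub can unpack a payload into).
    The 4x ratio is an assumed threshold, not one taken from the report."""
    sections = parse_sections(data)
    start = overlay_offset(sections)
    overlay = data[start:]
    return {
        "overlay_offset": start,
        "overlay_size": len(overlay),
        "overlay_fraction": round(len(overlay) / len(data), 3),
        "overlay_entropy": round(shannon_entropy(overlay), 5),
        "inflated_sections": [n for n, vs, _, rs, _ in sections if vs > 4 * max(rs, 1)],
    }


if __name__ == "__main__":
    for key, value in analyze(build_synthetic_pe()).items():
        print(f"{key}: {value:#x}" if isinstance(value, int) else f"{key}: {value}")
```

Run against the synthetic image this yields an overlay at 0x3ac00 of 270848 bytes with entropy just under 8, and .data as the only section whose VirtualSize dwarfs its raw size, matching the report. To run it on the real sample, replace `build_synthetic_pe()` with `open(path, "rb").read()`; a non-zero entropy deficit (e.g. 7.2 rather than 7.999) would instead suggest an appended archive or installer payload with visible structure.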

Imports

KERNEL32.dll GetProcAddress
LoadLibraryA
ActivateActCtx
CreateActCtxA
TlsSetValue
TlsAlloc
VirtualAlloc
VirtualProtect
GetTickCount
GetModuleHandleA
GetSystemTime
ReadFile
SetFilePointer
GlobalAlloc
GetFileSize
CreateFileW
GetModuleFileNameW
GetModuleHandleW
GetLocalTime
InterlockedDecrement
InterlockedIncrement
RaiseException
WideCharToMultiByte
IsDebuggerPresent
MultiByteToWideChar
lstrlenA
LoadLibraryW
IsProcessorFeaturePresent
EncodePointer
TerminateProcess
GetCurrentProcess
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetCPInfo
DecodePointer
TlsGetValue
TlsFree
SetLastError
GetCurrentThreadId
GetLastError
GetCurrentThread
InitializeCriticalSectionAndSpinCount
DeleteCriticalSection
LeaveCriticalSection
FatalAppExitA
EnterCriticalSection
HeapFree
GetACP
GetOEMCP
IsValidCodePage
Sleep
GetUserDefaultLCID
GetLocaleInfoW
GetLocaleInfoA
EnumSystemLocalesA
IsValidLocale
GetStringTypeW
SetStdHandle
GetFileType
WriteFile
GetConsoleCP
GetConsoleMode
RtlUnwind
FreeLibrary
HeapAlloc
GetProcessHeap
VirtualQuery
LCMapStringW
ExitProcess
GetStdHandle
HeapCreate
HeapDestroy
HeapReAlloc
SetHandleCount
GetStartupInfoW
GetCommandLineA
HeapSetInformation
WriteConsoleW
CloseHandle
SetConsoleCtrlHandler
InterlockedExchange
HeapSize
FlushFileBuffers
GetModuleFileNameA
FreeEnvironmentStringsW
GetEnvironmentStringsW
QueryPerformanceCounter
GetCurrentProcessId
GetSystemTimeAsFileTime
SetEndOfFile
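Two things a practitioner does with an import list like this are to pivot on the Imports Hash (imphash) reported above and to re-run the dynamic-resolution and memory-manipulation heuristics from the Plugin Output. The script below is an added example and not the analyzer's code. It embeds the 90 KERNEL32.dll names exactly as printed in this report (assumed to be import-table order, which imphash depends on; the report's own value of 583b80155ced34658fd6e3d555075407 is not independently verified here) and implements the pefile-compatible imphash algorithm: lowercase `dll.function` pairs with the .dll/.ocx/.sys suffix stripped, comma-joined in table order, MD5-hashed. The lookup pefile performs for well-known ordinals in ws2_32/oleaut32 is omitted; ordinal-only imports are rendered as `ordN`. The API sets used by the heuristics extend the page's lists with a few assumed extra names.

```python
import hashlib

# KERNEL32.dll imports exactly as listed in the report's Imports section, in the
# order printed there (assumed to be import-table order, which imphash depends on).
KERNEL32_IMPORTS = """
GetProcAddress LoadLibraryA ActivateActCtx CreateActCtxA TlsSetValue TlsAlloc
VirtualAlloc VirtualProtect GetTickCount GetModuleHandleA GetSystemTime ReadFile
SetFilePointer GlobalAlloc GetFileSize CreateFileW GetModuleFileNameW GetModuleHandleW
GetLocalTime InterlockedDecrement InterlockedIncrement RaiseException WideCharToMultiByte
IsDebuggerPresent MultiByteToWideChar lstrlenA LoadLibraryW IsProcessorFeaturePresent
EncodePointer TerminateProcess GetCurrentProcess UnhandledExceptionFilter
SetUnhandledExceptionFilter GetCPInfo DecodePointer TlsGetValue TlsFree SetLastError
GetCurrentThreadId GetLastError GetCurrentThread InitializeCriticalSectionAndSpinCount
DeleteCriticalSection LeaveCriticalSection FatalAppExitA EnterCriticalSection HeapFree
GetACP GetOEMCP IsValidCodePage Sleep GetUserDefaultLCID GetLocaleInfoW GetLocaleInfoA
EnumSystemLocalesA IsValidLocale GetStringTypeW SetStdHandle GetFileType WriteFile
GetConsoleCP GetConsoleMode RtlUnwind FreeLibrary HeapAlloc GetProcessHeap VirtualQuery
LCMapStringW ExitProcess GetStdHandle HeapCreate HeapDestroy HeapReAlloc SetHandleCount
GetStartupInfoW GetCommandLineA HeapSetInformation WriteConsoleW CloseHandle
SetConsoleCtrlHandler InterlockedExchange HeapSize FlushFileBuffers GetModuleFileNameA
FreeEnvironmentStringsW GetEnvironmentStringsW QueryPerformanceCounter GetCurrentProcessId
GetSystemTimeAsFileTime SetEndOfFile
""".split()

IMPORT_TABLE = [("KERNEL32.dll", KERNEL32_IMPORTS)]

# API groups behind the analyzer's two import heuristics. The page lists only the
# names it found; the Ex/remote-process variants are assumed additions.
DYNAMIC_RESOLUTION = {"getprocaddress", "loadlibrarya", "loadlibraryw",
                      "loadlibraryexa", "loadlibraryexw"}
MEMORY_MANIPULATION = {"virtualalloc", "virtualprotect",
                       "virtualallocex", "writeprocessmemory"}


def imphash(import_table):
    """pefile-compatible import hash: '<dll minus .dll/.ocx/.sys>.<function>' per
    imported symbol, lowercased, joined with commas in table order, then MD5.
    Ordinal-only imports (given as ints) become 'ordN'."""
    parts = []
    for dll, symbols in import_table:
        lib = dll.lower()
        base, dot, ext = lib.rpartition(".")
        if dot and ext in ("dll", "ocx", "sys"):
            lib = base
        for sym in symbols:
            name = f"ord{sym}" if isinstance(sym, int) else sym.lower()
            parts.append(f"{lib}.{name}")
    return hashlib.md5(",".join(parts).encode("ascii")).hexdigest()


def suspicious_imports(import_table):
    """Return the imported names that fall into each heuristic group."""
    names = {s.lower() for _, syms in import_table for s in syms if isinstance(s, str)}
    return {
        "dynamic_resolution": sorted(names & DYNAMIC_RESOLUTION),
        "memory_manipulation": sorted(names & MEMORY_MANIPULATION),
    }


if __name__ == "__main__":
    print("imphash:", imphash(IMPORT_TABLE))
    print("flags:", suspicious_imports(IMPORT_TABLE))
```

Because imphash is order-sensitive and ignores ordinal/name differences only where names are present, it clusters binaries built from the same source with the same toolchain and linker settings; a match on a sample of this kind usually means the same packer stub, not the same payload, so treat an imphash hit as a lead rather than an attribution.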

Delayed Imports

1

Type RT_CURSOR
Language Russian - Russia
Codepage UNKNOWN
Size 0x134
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 2.25052
MD5 5fe7ff1a79c20a87b5cd2ead21d4fbe5
SHA1 41dee8c70cad77d85d7998e696b774cc6f024cb2
SHA256 03c13fa83771c05415cecc64f7f03277b2e1e4765aa8e7c62fbdb253efa3474d
SHA3 f0a24571ce8a629ffea9c300b86f484c649edb245888d0bbfb8bb84bbd43048f

108

Type RT_BITMAP
Language Russian - Russia
Codepage UNKNOWN
Size 0xe0
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 2.30316
MD5 76b7bb31fedfd75fc3385f8a62c9bd32
SHA1 31e641223f1b0d468a8457e681bd38e6dd20cf1e
SHA256 93766d29008bd47d9bdb5ec317ccfc0cb9333ab01ee0dd06a40ad2ac853302aa
SHA3 9011cddce3cd6f722895e60745312829b19a2d5a986120153e5565e93d7f0759

104

Type RT_GROUP_CURSOR
Language Russian - Russia
Codepage UNKNOWN
Size 0x14
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 1.83876
Detected Filetype Cursor file
MD5 a2baa01ccdea3190e4998a54dbc202a4
SHA1 e8217df98038141ab4e449cb979b1c3bbea12da3
SHA256 c53efa8085835ba129c1909beaff8a67b45f50837707f22dfff0f24d8cd26710
SHA3 8874564c406835306368adf5e869422e1bb97109b97c1499caa8af219990e8dc

1 (#2)

Type RT_MANIFEST
Language English - United States
Codepage UNKNOWN
Size 0x29b
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 5.04933
MD5 8dd3b91b5a218d5b49c543040a0d4b05
SHA1 82379b58dee79cccbd793092762bb38fe01e3f72
SHA256 707a2e45d9f38fa15b86f604f9bb8cb32ae863dabdd2bb1547a144969c9a9522
SHA3 ada95ba2cf2137fff705d28fabb5fe3423eb3cd800015427e9909ec5397bb8ca

Version Info

TLS Callbacks

Load Configuration

RICH Header

XOR Key 0x2c1eefce
Unmarked objects 0
Imports (VS2008 SP1 build 30729) 3
Total imports 90
C++ objects (VS2010 build 30319) 38
C objects (VS2010 build 30319) 124
ASM objects (VS2010 build 30319) 31
Resource objects (50709) 1
Unrecognized product id 151 1
Linker (VS2010 build 30319) 1

Errors
