Manalyze report for 5942ba36cf732097479c51986eee91ed

Summary

Architecture	`IMAGE_FILE_MACHINE_I386`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	2010-Mar-11 17:17:10

Plugin Output

Suspicious	PEiD Signature:	`UPX V2.00-V2.90 -> Markus Oberhumer & Laszlo Molnar & John Reiser` `UPX v2.0 -> Markus, Laszlo & Reiser (h)` `UPX 2.00-3.0X -> Markus Oberhumer & Laszlo Molnar & John Reiser` `UPX -> www.upx.sourceforge.net` `UPX V2.00-V2.90 -> Markus Oberhumer & Laszlo Molnar & John Reiser` `UPX 2.00-3.0X -> Markus Oberhumer & Laszlo Molnar & John Reiser`
Suspicious	The PE is packed with UPX	`Unusual section name found: UPX0` `Section UPX0 is both writable and executable.` `Unusual section name found: UPX1` `Section UPX1 is both writable and executable.` `The PE only has 9 import(s).`
Suspicious	The PE contains functions most legitimate programs don't use.	`[!] The program may be hiding some of its imports: LoadLibraryA GetProcAddress` `Memory manipulation functions often used by packers: VirtualProtect VirtualAlloc`
Malicious	VirusTotal score: 60/70 (Scanned on 2021-01-04 06:26:47)	`Bkav: W32.Common.561EC8ED` `ClamAV: Win.Dropper.SpyEye-7139736-0` `FireEye: Generic.mg.5942ba36cf732097` `CAT-QuickHeal: Trojan.Eyestye.6640` `Qihoo-360: HEUR/QVM11.1.FDCB.Malware.Gen` `McAfee: PWS-Spyeye.ew` `Cylance: Unsafe` `Zillya: Trojan.SpyEyes.Win32.6` `Sangfor: Malware` `K7AntiVirus: Spyware ( 0014d6131 )` `Alibaba: TrojanSpy:Win32/SpyEyes.28f2afaa` `K7GW: Spyware ( 0014d6131 )` `Cybereason: malicious.6cf732` `Baidu: Win32.Trojan.SpyEye.k` `Cyren: W32/Risk.TZKO-3872` `Symantec: Trojan.Spyeye` `ESET-NOD32: Win32/Spy.SpyEye.BW` `APEX: Malicious` `Avast: Win32:SpyBot-GFS [Trj]` `Cynet: Malicious (score: 100)` `Kaspersky: Trojan-Spy.Win32.SpyEyes.bw` `BitDefender: Trojan.Generic.6034531` `NANO-Antivirus: Trojan.Win32.SpyEyes.rpop` `Paloalto: generic.ml` `ViRobot: Spyware.SpyEyes.68096` `MicroWorld-eScan: Trojan.Generic.6034531` `Tencent: Win32.Trojan.Inject.Auto` `Ad-Aware: Trojan.Generic.6034531` `Sophos: Mal/Spyeye-A` `Comodo: TrojWare.Win32.Spy.Spyeyes.DAD@42q80v` `F-Secure: Trojan.TR/Crypt.XPACK.Gen2` `DrWeb: Trojan.PWS.SpySweep.4` `VIPRE: Trojan.Win32.Generic!BT` `TrendMicro: TROJ_SPYEYE.EZ` `McAfee-GW-Edition: BehavesLike.Win32.Rootkit.kc` `Emsisoft: Trojan.Generic.6034531 (B)` `Ikarus: Trojan-Spy.Win32.SpyEyes` `GData: Win32.Trojan.Spyeye.D` `Jiangmin: TrojanSpy.SpyEyes.d` `Webroot: W32.Malware.Gen` `Avira: TR/Crypt.XPACK.Gen2` `Antiy-AVL: Trojan[Spy]/Win32.SpyEyes` `Arcabit: Trojan.Generic.D5C1463` `AegisLab: Trojan.Win32.SpyEyes.l!c` `ZoneAlarm: Trojan-Spy.Win32.SpyEyes.bw` `Microsoft: Trojan:Win32/EyeStye` `TACHYON: Trojan-Spy/W32.SpyEyes.82432` `TotalDefense: Win32/Spyeye.K` `VBA32: TrojanSpy.SpyEyes` `ALYac: Trojan.Generic.6034531` `MAX: malware (ai score=100)` `TrendMicro-HouseCall: TROJ_SPYEYE.EZ` `Rising: Spyware.SpyEyes!8.4AA (TFE:5:tElbczFv65G)` `Yandex: Trojan.GenAsa!zJ0vfevbzKs` `SentinelOne: Static AI - Malicious PE` `Fortinet: W32/SpyEyes.AS!tr.spy` `BitDefenderTheta: AI:Packer.CBB980D01E` `AVG: Win32:SpyBot-GFS [Trj]` `Panda: Trj/SpyEyes.B` `CrowdStrike: win/malicious_confidence_100% (W)`

Hashes

MD5	`5942ba36cf732097479c51986eee91ed`
SHA1	`7cddef600cdae3890bbe2a2587e44de11bbc57bb`
SHA256	`9459b0d6f7cdec6860c458944386896f78cb60befdd04fbeab0df5b6661a3f81`
SHA3	`0ace0d2e8d0e9993d24b86b83d0c48adc4c9e3eec007c33742f69e8cf26b9438`
SSDeep	`1536:jDfWNrkKt4O2igKFicCR7fb/C7EchKmPKrjCKsOB0YxIma:jDfgj4OoICRvCwtZKOqCxa`
Imports Hash	`0ae51079a486d3ed91ae413cfa97e4f6`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0xe8`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_I386`
NumberofSections	`3`
TimeDateStamp	2010-Mar-11 17:17:10
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xe0`
Characteristics	`IMAGE_FILE_32BIT_MACHINE` `IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_RELOCS_STRIPPED`

Image Optional Header

Magic	`PE32`
LinkerVersion	`8.0`
SizeOfCode	`0x11000`
SizeOfInitializedData	`0x1000`
SizeOfUninitializedData	`0x8000`
AddressOfEntryPoint	`0x00018F30 (Section: UPX1)`
BaseOfCode	`0x9000`
BaseOfData	`0x1a000`
ImageBase	`0x400000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`4.0`
ImageVersion	`0.0`
SubsystemVersion	`4.0`
Win32VersionValue	`0`
SizeOfImage	`0x1b000`
SizeOfHeaders	`0x1000`
Checksum	`0`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_NO_SEH`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

UPX0

MD5	`d41d8cd98f00b204e9800998ecf8427e`
SHA1	`da39a3ee5e6b4b0d3255bfef95601890afd80709`
SHA256	`e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`
SHA3	`a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a`
VirtualSize	`0x8000`
VirtualAddress	`0x1000`
SizeOfRawData	`0`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_UNINITIALIZED_DATA` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`

UPX1

MD5	`00ae77ce8d6186c0508dff045d9af4fc`
SHA1	`b4843b8955849a03b010a4f0965e7a3dba37016a`
SHA256	`e5c4c52e5928fcba214a36c53e11b8c714db6254d31768d7004e59fbc06d118b`
SHA3	`f0392380d443ce4ddc69f89cefac5dc2ba9dce073aa2bc4c8ccb5becb6b8d1e4`
VirtualSize	`0x11000`
VirtualAddress	`0x9000`
SizeOfRawData	`0x10200`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`7.81779`

.rsrc

MD5	`d8322b090cff0c36bb7aca47fa22bc54`
SHA1	`8ef31b2ec0a599868da68136295c88ce30523d53`
SHA256	`df72392a835339eb30684a37a8308c53f5942e104930aafbc57285292ca90804`
SHA3	`5ad0f05d2b020d3e5ad0d0b0cb04d7c2047875f66aa0eed928782cbb226653cb`
VirtualSize	`0x1000`
VirtualAddress	`0x1a000`
SizeOfRawData	`0x400`
PointerToRawData	`0x10600`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`4.37703`

Imports

KERNEL32.DLL	`LoadLibraryA` `GetProcAddress` `VirtualProtect` `VirtualAlloc` `VirtualFree` `ExitProcess`
GDI32.dll	`CreateBitmap`
ntdll.dll	`memcpy`
USER32.dll	`ShowWindow`

Delayed Imports

_strdup

Ordinal	`1`
Address	`0x1070`

free

Ordinal	`2`
Address	`0x103c`

malloc

Ordinal	`3`
Address	`0x1000`

rand

Ordinal	`4`
Address	`0x1064`

CONFIG

Type	`RT_RCDATA`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x117`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`6.04238`
MD5	`2c4c2e4cc5999e5902c534618cd6b349`
SHA1	`3af95b9672e85ea2fc6d38e65b6270a4af40a773`
SHA256	`fd42953765337532984a0a760460fd9c2d36a473ada38eca0bbf13eb8309d745`
SHA3	`6ed31edf2456b077c52543566b44c7ad0d5bc96adeb8e6044aa192f0c3d3bd78`

Version Info

TLS Callbacks

Load Configuration

RICH Header

XOR Key	`0x595df66f`
Unmarked objects	`0`
Imports (VS2003 (.NET) build 4035)	`8`
C objects (VS2012 build 50727 / VS2005 build 50727)	`2`
Total imports	`67`
19 (9049)	`3`
C++ objects (VS2012 build 50727 / VS2005 build 50727)	`8`
Exports (VS2012 build 50727 / VS2005 build 50727)	`1`
Resource objects (VS2012 build 50727 / VS2005 build 50727)	`1`
Linker (VS2012 build 50727 / VS2005 build 50727)	`1`

Errors

[*] Warning: Section UPX0 has a size of 0!