Manalyze report for 5b3630c8e18ecba8782741c948117363

Summary

Architecture	`IMAGE_FILE_MACHINE_I386`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	1992-Jun-19 22:22:17

Plugin Output

Suspicious	The PE is possibly packed.	`Section CODE is both writable and executable.`
Info	The PE contains common functions which appear in legitimate applications.	`[!] The program may be hiding some of its imports: LoadLibraryA GetProcAddress`
Info	The PE's resources present abnormal characteristics.	`Resource SETTINGS is possibly compressed or encrypted.`
Malicious	VirusTotal score: 39/40 (Scanned on 2009-04-18 20:49:30)	`McAfee+Artemis: MultiDropper-RY` `nProtect: Backdoor/W32.Bifrose.61179` `CAT-QuickHeal: Backdoor.Bifrose.ahih` `McAfee: MultiDropper-RY` `K7AntiVirus: Trojan.Win32.Buzus.ajt` `VirusBuster: Trojan.PWS.LdPinch.LEL` `NOD32: a variant of Win32/Injector.BT` `F-Prot: W32/TrojanX.AYAZ` `Symantec: Backdoor.IRC.Bot` `Norman: W32/Smalldoor.dam` `Avast: Win32:Ldpinch-CWA` `eSafe: Win32.TRPSW.LdPinch` `ClamAV: Trojan.Agent-16172` `Kaspersky: Backdoor.Win32.Bifrose.aer` `BitDefender: Trojan.PSW.LdPinch.AKY` `Comodo: Backdoor.Win32.Bifrose.~AV` `F-Secure: Backdoor.Win32.Bifrose.aer` `DrWeb: BackDoor.Bifrost.750` `NOD32Beta: a variant of Win32/Injector.BT` `AntiVir: TR/PSW.LdPinch.fbq` `TrendMicro: BKDR_AGENT.XQB` `McAfee-GW-Edition: Trojan.PSW.LdPinch.fbq` `Sophos: Troj/LdPinch-RT` `eTrust-Vet: Win32/AMalum.DNSA` `Authentium: W32/TrojanX.AYAZ` `Prevx1: High Risk System Back Door` `Antiy-AVL: Trojan/Win32.LdPinch` `Microsoft: VirTool:Win32/DelfInject.gen!N` `ViRobot: Trojan.Win32.Buzus.67126.B` `GData: Trojan.PSW.LdPinch.AKY` `AhnLab-V3: Win-Trojan/Bifrose.61440.G` `VBA32: Trojan-PSW.Win32.LdPinch.fbq` `Sunbelt: Backdoor.Win32.Bifrose.aer` `PCTools: Trojan.Buzus.KG` `Rising: Backdoor.Win32.Bifrose.fdc` `Ikarus: Trojan.Crypt` `Fortinet: W32/LdPinch.RT!tr` `AVG: Dropper.Delf.AYP` `Panda: Bck/SdBot.LWZ`

Hashes

MD5	`5b3630c8e18ecba8782741c948117363`
SHA1	`0bda8ee5f3904d01c10a0cd2bfbc69ffc8ad2c90`
SHA256	`aeac500ea5a9f473831b60b8e478b0df8009c6ac10c31e4cf326fc67d8a0f009`
SHA3	`d25394455e8d55129348532e14fc39f30de4ae32f5272138d0ef4d01be30acd1`
SSDeep	`1536:mCxCNSQ85GdSuacRbpa8j6+m7WgBeTVJT:YMGdSuzbpah+HBJT`
Imports Hash	`a4f0ea86e62afb0d95ddfc8b2beb08b6`

DOS Header

e_magic	`MZ`
e_cblp	`0x50`
e_cp	`0x2`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0xf`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0x1a`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0x100`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_I386`
NumberofSections	`8`
TimeDateStamp	1992-Jun-19 22:22:17
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xe0`
Characteristics	`IMAGE_FILE_32BIT_MACHINE` `IMAGE_FILE_BYTES_REVERSED_HI` `IMAGE_FILE_BYTES_REVERSED_LO` `IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LINE_NUMS_STRIPPED` `IMAGE_FILE_LOCAL_SYMS_STRIPPED`

Image Optional Header

Magic	`PE32`
LinkerVersion	`2.0`
SizeOfCode	`0x1800`
SizeOfInitializedData	`0x7400`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x000026E4 (Section: CODE)`
BaseOfCode	`0x1000`
BaseOfData	`0x3000`
ImageBase	`0x10000000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`4.0`
ImageVersion	`0.0`
SubsystemVersion	`4.0`
Win32VersionValue	`0`
SizeOfImage	`0x10000`
SizeOfHeaders	`0x400`
Checksum	`0x58ff`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x4000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

CODE

MD5	`d41d8cd98f00b204e9800998ecf8427e`
SHA1	`da39a3ee5e6b4b0d3255bfef95601890afd80709`
SHA256	`e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`
SHA3	`a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a`
VirtualSize	`0x16e4`
VirtualAddress	`0x1000`
SizeOfRawData	`0xee001800`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`0`

DATA

MD5	`f737eb73e48964f3b5459531563e9dad`
SHA1	`8d98eb6868a778d630de85573b43a362f7783e74`
SHA256	`49d463bfda30a0a8f941748c37a82d23924d1d3017fa7fb216c4ff3782433f83`
SHA3	`0ffb632e9a9f89f050fdded4673755608e77d38f4e7ee81f1b839df092d33d33`
VirtualSize	`0x70`
VirtualAddress	`0x3000`
SizeOfRawData	`0x200`
PointerToRawData	`0x1c00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`0.927261`

BSS

MD5	`d41d8cd98f00b204e9800998ecf8427e`
SHA1	`da39a3ee5e6b4b0d3255bfef95601890afd80709`
SHA256	`e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`
SHA3	`a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a`
VirtualSize	`0x14d`
VirtualAddress	`0x4000`
SizeOfRawData	`0`
PointerToRawData	`0x1e00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`

.idata

MD5	`096e0b14ce7aea950a870290190ba670`
SHA1	`16ba6f9b0944bcbe99a6d96bec7cceda421852fc`
SHA256	`f01fb8c0d5c12b8e06792a23e06a802c1a8f61c0a644ccaaa19e82e87e4ce9db`
SHA3	`573a1c3976313bcfceb8e97ce0d0a8fa8245eaf1513a89ba1ef64af091fbf612`
VirtualSize	`0x224`
VirtualAddress	`0x5000`
SizeOfRawData	`0x400`
PointerToRawData	`0x1e00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`2.60093`

.tls

MD5	`d41d8cd98f00b204e9800998ecf8427e`
SHA1	`da39a3ee5e6b4b0d3255bfef95601890afd80709`
SHA256	`e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`
SHA3	`a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a`
VirtualSize	`0x4`
VirtualAddress	`0x6000`
SizeOfRawData	`0`
PointerToRawData	`0x2200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`

.rdata

MD5	`ad39404475fa1b75ea86d13337121ea7`
SHA1	`ddac1e873622038e128e6c37a31993a6d996d4f3`
SHA256	`d572e3fe52825caa6a8980e03bec4c08e64a3e618b5288e6c9396d769799d4d8`
SHA3	`ec27cd9f3efb5331aa58ea4e9caedea5eb58cf133843518cced41e3f682294d4`
VirtualSize	`0x18`
VirtualAddress	`0x7000`
SizeOfRawData	`0x200`
PointerToRawData	`0x2200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_SHARED`
Entropy	`0.197438`

.reloc

MD5	`872781737db2525f38b405988661cfbe`
SHA1	`3561c0465a471c60e872b9d31300fc0dc551c460`
SHA256	`a8373c0f2fdf959a77cf97bc7137f3a9e24694be78d8539ac5d447019a988d0a`
SHA3	`f60477aa8da78d9bbd5ee90a444f3ecb5c987b5d38ca3d146836c30d27eb01db`
VirtualSize	`0x1ec`
VirtualAddress	`0x8000`
SizeOfRawData	`0x200`
PointerToRawData	`0x2400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_SHARED`
Entropy	`5.94989`

.rsrc

MD5	`d6e6ec71dfd5b7f12a811535b9a3db5d`
SHA1	`98670ecd17117b829fd5d6d0971488c3b1e9f4ea`
SHA256	`55463c1e172979600f1a375efd0ce59158076c03a7b300c0827f01107448ab2a`
SHA3	`12fde5fb4aaa1268ec4df1c894f3eed704f5763167568434deaf3f99f45e6985`
VirtualSize	`0x6838`
VirtualAddress	`0x9000`
SizeOfRawData	`0x6a00`
PointerToRawData	`0x2600`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_SHARED`
Entropy	`7.9364`

Imports

kernel32.dll	`GetCurrentThreadId` `ExitProcess` `RtlUnwind` `RaiseException` `GetCommandLineA` `TlsSetValue` `TlsGetValue` `LocalAlloc` `GetModuleHandleA` `GetModuleFileNameA` `FreeLibrary` `HeapFree` `HeapReAlloc` `HeapAlloc` `GetProcessHeap`
user32.dll	`CharNextA`
kernel32.dll (#2)	`GetCurrentThreadId` `ExitProcess` `RtlUnwind` `RaiseException` `GetCommandLineA` `TlsSetValue` `TlsGetValue` `LocalAlloc` `GetModuleHandleA` `GetModuleFileNameA` `FreeLibrary` `HeapFree` `HeapReAlloc` `HeapAlloc` `GetProcessHeap`
ntdll.dll	`RtlDecompressBuffer`

Delayed Imports

SETTINGS

Type	`RT_RCDATA`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x67ca`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`7.94505`
MD5	`3b5b8435993c86d7645e2b03cbbe7560`
SHA1	`e4e0132977abf2bc59732ebf117dc5a2e536500b`
SHA256	`4456e065bf22c1edddb9a07959d44a186e993ffa517df186110cba07ad56f6b5`
SHA3	`6a0bc3ff1ca925e14b4dc5dabb095ba741ab093e4f34553226e5faa1a5b034d6`

Version Info

TLS Callbacks

StartAddressOfRawData	`0x10006000`
EndAddressOfRawData	`0x10006004`
AddressOfIndex	`0x1000410c`
AddressOfCallbacks	`0x10007010`
SizeOfZeroFill	`0`
Characteristics	`IMAGE_SCN_TYPE_REG`
Callbacks	`(EMPTY)`

Load Configuration

RICH Header

Errors

[*] Warning: Section CODE is larger than the executable!
[*] Warning: Section CODE is larger than the executable!
[*] Warning: Section BSS has a size of 0!
[*] Warning: Section .tls has a size of 0!
[*] Warning: Section CODE is larger than the executable!