Manalyze report for 5c6a1a6ee07d6861741dcf01bfd73aeb

Summary

Architecture	`IMAGE_FILE_MACHINE_I386`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_CUI`
Compilation Date	2012-Jan-05 14:29:38
TLS Callbacks	2 callback(s) detected.

Plugin Output

Suspicious	Strings found in the binary may indicate undesirable behavior:	`May have dropper capabilities: CurrentControlSet\Services`
Info	Cryptographic algorithms detected in the binary:	`Uses constants related to CRC32` `Uses constants related to MD5` `Uses constants related to SHA1` `Uses constants related to SHA256` `Uses constants related to SHA512` `Uses constants related to AES` `Uses constants related to Blowfish` `Uses known Diffie-Helman primes` `Microsoft's Cryptography API`
Suspicious	The PE is possibly packed.	`Unusual section name found: /4`
Suspicious	The PE contains functions most legitimate programs don't use.	`[!] The program may be hiding some of its imports: GetProcAddress LoadLibraryA` `Can access the registry: RegCloseKey RegOpenKeyExA RegQueryValueExA` `Uses Windows's Native API: ntohl ntohs` `Uses Microsoft's cryptographic API: CryptAcquireContextA CryptGenRandom` `Leverages the raw socket API to access the Internet: WSACleanup WSAGetLastError WSAIoctl WSASetLastError WSAStartup accept bind closesocket connect gethostbyname gethostname getservbyname getsockname getsockopt htonl htons ioctlsocket listen ntohl ntohs recv recvfrom select send sendto setsockopt shutdown socket` `Manipulates other processes: OpenProcess` `Can take screenshots: BitBlt CreateCompatibleDC`
Suspicious	The file contains overlay data.	`14 bytes of data starting at offset 0x2a4a00.`
Malicious	VirusTotal score: 20/70 (Scanned on 2019-12-07 21:36:15)	`MicroWorld-eScan: Trojan.GenericKD.40817954` `McAfee: Artemis!5C6A1A6EE07D` `Cybereason: malicious.ee07d6` `Arcabit: Trojan.Generic.D26ED522` `F-Prot: W32/Trojan3.ABOF` `Symantec: Trojan Horse` `Paloalto: generic.ml` `BitDefender: Trojan.GenericKD.40817954` `NANO-Antivirus: Trojan.Win32.Dwn.dzgqmx` `Ad-Aware: Trojan.GenericKD.40817954` `DrWeb: Trojan.DownLoader18.14091` `VIPRE: Trojan.Win32.Generic!BT` `McAfee-GW-Edition: BehavesLike.Win32.CryptDoma.vh` `Trapmine: malicious.moderate.ml.score` `FireEye: Trojan.GenericKD.40817954` `Emsisoft: Trojan.GenericKD.40817954 (B)` `Cyren: W32/Trojan.DWJR-6998` `Microsoft: PUA:Win32/Presenoker` `GData: Trojan.GenericKD.40817954` `ALYac: Trojan.GenericKD.40817954`

Hashes

MD5	`5c6a1a6ee07d6861741dcf01bfd73aeb`
SHA1	`3cb0f05415b927ab3af55be95a0293660842c7b0`
SHA256	`e91881528f7fcc3091735b1d4efb7570e60f4b9ba7019a5cc60ce435aeef3560`
SHA3	`2e9d4eb35569ca673cbacef71c4f8a8174232031d19b4930502a72e7b6d45fe8`
SSDeep	`49152:BEgv2l96EtaDpjoPRAs86gak7ijgTaDEWdzWyxxr7/Rz3nCEpUKu0C9taKbEfTZi:BEgv2l96EtcpjoPRAstg/+gTrCzWyx9K`
Imports Hash	`d7e68575548c9b734c7f5908baf955b2`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0x80`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_I386`
NumberofSections	`8`
TimeDateStamp	2012-Jan-05 14:29:38
PointerToSymbolTable	`0x2a4a00`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xe0`
Characteristics	`IMAGE_FILE_32BIT_MACHINE` `IMAGE_FILE_DEBUG_STRIPPED` `IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LINE_NUMS_STRIPPED` `IMAGE_FILE_LOCAL_SYMS_STRIPPED` `IMAGE_FILE_RELOCS_STRIPPED`

Image Optional Header

Magic	`PE32`
LinkerVersion	`2.0`
SizeOfCode	`0x216e00`
SizeOfInitializedData	`0x2a4600`
SizeOfUninitializedData	`0x5c00`
AddressOfEntryPoint	`0x00001160 (Section: .text)`
BaseOfCode	`0x1000`
BaseOfData	`0x218000`
ImageBase	`0x400000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`4.0`
ImageVersion	`1.0`
SubsystemVersion	`4.0`
Win32VersionValue	`0`
SizeOfImage	`0x2af000`
SizeOfHeaders	`0x1000`
Checksum	`0`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_CUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` `IMAGE_DLLCHARACTERISTICS_NX_COMPAT`
SizeofStackReserve	`0x200000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`08e2f2308219ea2ff1020d21102df5a9`
SHA1	`60dab5a01338e7d3b2b2f1750c9021868b203d3d`
SHA256	`12b7dcf301dffd5629108f35763726f1270f27a8efc7b83342b2c4e2fd853f95`
SHA3	`8dcb8bd8b280daaf871b5f5f7df5adad8db53e71e16e4922b569ae988fc55030`
VirtualSize	`0x216dd0`
VirtualAddress	`0x1000`
SizeOfRawData	`0x216e00`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_ALIGN_1024BYTES` `IMAGE_SCN_ALIGN_16BYTES` `IMAGE_SCN_ALIGN_1BYTES` `IMAGE_SCN_ALIGN_2048BYTES` `IMAGE_SCN_ALIGN_256BYTES` `IMAGE_SCN_ALIGN_2BYTES` `IMAGE_SCN_ALIGN_32BYTES` `IMAGE_SCN_ALIGN_4096BYTES` `IMAGE_SCN_ALIGN_4BYTES` `IMAGE_SCN_ALIGN_512BYTES` `IMAGE_SCN_ALIGN_64BYTES` `IMAGE_SCN_ALIGN_8192BYTES` `IMAGE_SCN_ALIGN_8BYTES` `IMAGE_SCN_ALIGN_MASK` `IMAGE_SCN_CNT_CODE` `IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.14629`

.data

MD5	`ba092283a672c0023cbc930d69798dd7`
SHA1	`350a08c9a61ee601467aa2a1986fb3bf7479697e`
SHA256	`0df94a5d61f236de49a69cd4e94080893d478e42b83521c425cc804854f511f6`
SHA3	`05eb70fd5fbaec47d7f1ad579cdc2132aececc7ed49f3da0f7cfc02d12c263f6`
VirtualSize	`0xa85c`
VirtualAddress	`0x218000`
SizeOfRawData	`0xaa00`
PointerToRawData	`0x217200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_ALIGN_1024BYTES` `IMAGE_SCN_ALIGN_16BYTES` `IMAGE_SCN_ALIGN_2048BYTES` `IMAGE_SCN_ALIGN_2BYTES` `IMAGE_SCN_ALIGN_32BYTES` `IMAGE_SCN_ALIGN_4096BYTES` `IMAGE_SCN_ALIGN_4BYTES` `IMAGE_SCN_ALIGN_512BYTES` `IMAGE_SCN_ALIGN_64BYTES` `IMAGE_SCN_ALIGN_8192BYTES` `IMAGE_SCN_ALIGN_8BYTES` `IMAGE_SCN_ALIGN_MASK` `IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`4.22634`

.rdata

MD5	`8b7e1e670f61d4944b94e87b285e208d`
SHA1	`8e3875697936450758cd719515c1c40fb02db7d7`
SHA256	`7c6c6976aadbd9b43c42dd2a2ba449ce236c163415746e40c39e44fbf5eeeccb`
SHA3	`4c36e4630d8031b696abf241ef4068f215f53bca5e490746b2258b89d2caa15a`
VirtualSize	`0x80fdc`
VirtualAddress	`0x223000`
SizeOfRawData	`0x81000`
PointerToRawData	`0x221c00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_ALIGN_1024BYTES` `IMAGE_SCN_ALIGN_16BYTES` `IMAGE_SCN_ALIGN_2048BYTES` `IMAGE_SCN_ALIGN_2BYTES` `IMAGE_SCN_ALIGN_32BYTES` `IMAGE_SCN_ALIGN_4096BYTES` `IMAGE_SCN_ALIGN_4BYTES` `IMAGE_SCN_ALIGN_512BYTES` `IMAGE_SCN_ALIGN_64BYTES` `IMAGE_SCN_ALIGN_8192BYTES` `IMAGE_SCN_ALIGN_8BYTES` `IMAGE_SCN_ALIGN_MASK` `IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`5.80154`

/4

MD5	`dd139abf93f672901a0f188ab6734f83`
SHA1	`393a6aefeb7acecbc4af052d35ada6e9a62b7d25`
SHA256	`2298d00a8a920b945ee6028d59db4bd3eab36af507d79e72ae393e490173c300`
SHA3	`eba496813a3b15c3bba2f2c986eddcf1e2722ce0663bb9f8b5f4fe1f2df8cea3`
VirtualSize	`0x120`
VirtualAddress	`0x2a4000`
SizeOfRawData	`0x200`
PointerToRawData	`0x2a2c00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_ALIGN_1024BYTES` `IMAGE_SCN_ALIGN_16BYTES` `IMAGE_SCN_ALIGN_1BYTES` `IMAGE_SCN_ALIGN_256BYTES` `IMAGE_SCN_ALIGN_2BYTES` `IMAGE_SCN_ALIGN_32BYTES` `IMAGE_SCN_ALIGN_4096BYTES` `IMAGE_SCN_ALIGN_4BYTES` `IMAGE_SCN_ALIGN_512BYTES` `IMAGE_SCN_ALIGN_64BYTES` `IMAGE_SCN_ALIGN_8192BYTES` `IMAGE_SCN_ALIGN_MASK` `IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`3.08088`

.bss

MD5	`d41d8cd98f00b204e9800998ecf8427e`
SHA1	`da39a3ee5e6b4b0d3255bfef95601890afd80709`
SHA256	`e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`
SHA3	`a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a`
VirtualSize	`0x5bf0`
VirtualAddress	`0x2a5000`
SizeOfRawData	`0`
PointerToRawData	`0`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_ALIGN_1024BYTES` `IMAGE_SCN_ALIGN_16BYTES` `IMAGE_SCN_ALIGN_2048BYTES` `IMAGE_SCN_ALIGN_2BYTES` `IMAGE_SCN_ALIGN_32BYTES` `IMAGE_SCN_ALIGN_4096BYTES` `IMAGE_SCN_ALIGN_4BYTES` `IMAGE_SCN_ALIGN_512BYTES` `IMAGE_SCN_ALIGN_64BYTES` `IMAGE_SCN_ALIGN_8192BYTES` `IMAGE_SCN_ALIGN_8BYTES` `IMAGE_SCN_ALIGN_MASK` `IMAGE_SCN_CNT_UNINITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`

.idata

MD5	`b2444e73da1de4b3f7f0ac29d9eb3204`
SHA1	`fe071bed3ace6a0c5be356840d3c54264d168071`
SHA256	`0770b627c7b4a760aa8ecb55e99ebffa22af324ea5c4bde5fce1be761fcdea39`
SHA3	`a0b48f0fdffb3189ac676d4926e8ab249d457c59d1b698c3886902f5af449f75`
VirtualSize	`0x16e4`
VirtualAddress	`0x2ab000`
SizeOfRawData	`0x1800`
PointerToRawData	`0x2a2e00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_ALIGN_1024BYTES` `IMAGE_SCN_ALIGN_16BYTES` `IMAGE_SCN_ALIGN_1BYTES` `IMAGE_SCN_ALIGN_256BYTES` `IMAGE_SCN_ALIGN_2BYTES` `IMAGE_SCN_ALIGN_32BYTES` `IMAGE_SCN_ALIGN_4096BYTES` `IMAGE_SCN_ALIGN_4BYTES` `IMAGE_SCN_ALIGN_512BYTES` `IMAGE_SCN_ALIGN_64BYTES` `IMAGE_SCN_ALIGN_8192BYTES` `IMAGE_SCN_ALIGN_MASK` `IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`4.76432`

.CRT

MD5	`6121364e8d537efd0e4fa025c2f907b9`
SHA1	`43d4f1faa9b8b2a602f07204d25faac951ecd794`
SHA256	`385d95ba12473dea732c98bc26b4c3bcd90a608052a6c32a8e3ada6187bb8f90`
SHA3	`b5f83d64c33972f51ea2ae717baca24a33545b5efcd6ea2dec84458b6af77276`
VirtualSize	`0x18`
VirtualAddress	`0x2ad000`
SizeOfRawData	`0x200`
PointerToRawData	`0x2a4600`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_ALIGN_1024BYTES` `IMAGE_SCN_ALIGN_16BYTES` `IMAGE_SCN_ALIGN_1BYTES` `IMAGE_SCN_ALIGN_256BYTES` `IMAGE_SCN_ALIGN_2BYTES` `IMAGE_SCN_ALIGN_32BYTES` `IMAGE_SCN_ALIGN_4096BYTES` `IMAGE_SCN_ALIGN_4BYTES` `IMAGE_SCN_ALIGN_512BYTES` `IMAGE_SCN_ALIGN_64BYTES` `IMAGE_SCN_ALIGN_8192BYTES` `IMAGE_SCN_ALIGN_MASK` `IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`0.114463`

.tls

MD5	`7fce883b255632630d02e00d1fb6b2ea`
SHA1	`fc8e10ec7cf19505cc235b5479d6ec6799fe79a4`
SHA256	`c4e6c7d784bdb2fbc8e0937bf348694e785f99d6fe0323af73788460a2ccc140`
SHA3	`02c19fc80ee5e1a2c23008c783c71922974fd479b6e67d7617dd94fcd505b836`
VirtualSize	`0x20`
VirtualAddress	`0x2ae000`
SizeOfRawData	`0x200`
PointerToRawData	`0x2a4800`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_ALIGN_1024BYTES` `IMAGE_SCN_ALIGN_16BYTES` `IMAGE_SCN_ALIGN_1BYTES` `IMAGE_SCN_ALIGN_256BYTES` `IMAGE_SCN_ALIGN_2BYTES` `IMAGE_SCN_ALIGN_32BYTES` `IMAGE_SCN_ALIGN_4096BYTES` `IMAGE_SCN_ALIGN_4BYTES` `IMAGE_SCN_ALIGN_512BYTES` `IMAGE_SCN_ALIGN_64BYTES` `IMAGE_SCN_ALIGN_8192BYTES` `IMAGE_SCN_ALIGN_MASK` `IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`0.22482`

Imports

KERNEL32.DLL	`CloseHandle` `CreateFileA` `CreateFileMappingA` `CreateIoCompletionPort` `CreateSemaphoreA` `DeleteCriticalSection` `EnterCriticalSection` `ExitProcess` `FindClose` `FindFirstFileA` `FindNextFileA` `FormatMessageA` `FreeLibrary` `GetCurrentProcessId` `GetCurrentThreadId` `GetExitCodeProcess` `GetFileSize` `GetFileType` `GetLastError` `GetModuleFileNameA` `GetModuleHandleA` `GetProcAddress` `GetQueuedCompletionStatus` `GetStdHandle` `GetSystemDirectoryA` `GetSystemTimeAsFileTime` `GetTickCount` `GetVersion` `GetVersionExA` `GlobalMemoryStatus` `InitializeCriticalSection` `InitializeCriticalSectionAndSpinCount` `InterlockedExchange` `IsDBCSLeadByteEx` `LeaveCriticalSection` `LoadLibraryA` `LocalFree` `MapViewOfFile` `MultiByteToWideChar` `OpenProcess` `PostQueuedCompletionStatus` `QueryPerformanceCounter` `ReleaseSemaphore` `SetLastError` `SetUnhandledExceptionFilter` `Sleep` `TlsGetValue` `UnmapViewOfFile` `VirtualProtect` `VirtualQuery` `WaitForSingleObject` `WideCharToMultiByte`
ADVAPI32.DLL	`CryptAcquireContextA` `CryptGenRandom` `DeregisterEventSource` `RegCloseKey` `RegOpenKeyExA` `RegQueryValueExA` `RegisterEventSourceA` `ReportEventA`
GDI32.dll	`BitBlt` `CreateCompatibleBitmap` `CreateCompatibleDC` `CreateDCA` `DeleteDC` `DeleteObject` `GetBitmapBits` `GetDeviceCaps` `GetObjectA` `SelectObject`
msvcrt.dll	`__getmainargs` `__lc_codepage` `__mb_cur_max` `__p__environ` `__p__fmode` `__set_app_type` `_assert` `_beginthread` `_cexit` `_close` `_endthread` `_errno` `_exit` `_fstati64` `_ftime` `_getch` `_getpid` `_iob` `_isctype` `_locking` `_lseek` `_onexit` `_open` `_pctype` `_read` `_setmode` `_snprintf` `_stat` `_strdup` `_stricmp` `_strnicmp` `_vsnprintf` `_wfopen` `_winmajor` `abort` `atexit` `atof` `atoi` `calloc` `exit` `exp` `fclose` `fflush` `fgets` `fopen` `fprintf` `fputc` `fputs` `fread` `free` `fseek` `ftell` `fwrite` `getenv` `gmtime` `localeconv` `localtime` `log` `malloc` `memchr` `memcmp` `memcpy` `memmove` `mktime` `pow` `printf` `puts` `qsort` `raise` `rand` `realloc` `rename` `signal` `sprintf` `srand` `sscanf` `strcat` `strchr` `strcmp` `strcpy` `strerror` `strftime` `strlen` `strncmp` `strncpy` `strrchr` `strspn` `strstr` `strtol` `strtoul` `time` `tolower` `vfprintf` `wcslen` `wcsstr`
msvcrt.dll (#2)	`__getmainargs` `__lc_codepage` `__mb_cur_max` `__p__environ` `__p__fmode` `__set_app_type` `_assert` `_beginthread` `_cexit` `_close` `_endthread` `_errno` `_exit` `_fstati64` `_ftime` `_getch` `_getpid` `_iob` `_isctype` `_locking` `_lseek` `_onexit` `_open` `_pctype` `_read` `_setmode` `_snprintf` `_stat` `_strdup` `_stricmp` `_strnicmp` `_vsnprintf` `_wfopen` `_winmajor` `abort` `atexit` `atof` `atoi` `calloc` `exit` `exp` `fclose` `fflush` `fgets` `fopen` `fprintf` `fputc` `fputs` `fread` `free` `fseek` `ftell` `fwrite` `getenv` `gmtime` `localeconv` `localtime` `log` `malloc` `memchr` `memcmp` `memcpy` `memmove` `mktime` `pow` `printf` `puts` `qsort` `raise` `rand` `realloc` `rename` `signal` `sprintf` `srand` `sscanf` `strcat` `strchr` `strcmp` `strcpy` `strerror` `strftime` `strlen` `strncmp` `strncpy` `strrchr` `strspn` `strstr` `strtol` `strtoul` `time` `tolower` `vfprintf` `wcslen` `wcsstr`
SHELL32.DLL	`SHGetMalloc` `SHGetPathFromIDListA` `SHGetSpecialFolderLocation` `SHGetSpecialFolderPathA`
USER32.dll	`GetDesktopWindow` `GetProcessWindowStation` `GetUserObjectInformationW` `MessageBoxA`
WS2_32.dll	`WSACleanup` `WSAGetLastError` `WSAIoctl` `WSASetLastError` `WSAStartup` `accept` `bind` `closesocket` `connect` `gethostbyname` `gethostname` `getservbyname` `getsockname` `getsockopt` `htonl` `htons` `ioctlsocket` `listen` `ntohl` `ntohs` `recv` `recvfrom` `select` `send` `sendto` `setsockopt` `shutdown` `socket`

Delayed Imports

Version Info

TLS Callbacks

StartAddressOfRawData	`0x6ae019`
EndAddressOfRawData	`0x6ae01c`
AddressOfIndex	`0x6a9060`
AddressOfCallbacks	`0x6ad004`
SizeOfZeroFill	`0`
Characteristics	`IMAGE_SCN_TYPE_REG`
Callbacks	`0x0060E3D0` `0x0060E390`

Load Configuration

RICH Header

Errors

[*] Warning: Tried to read outside the COFF string table to get the name of section /4!
[*] Warning: Section .bss has a size of 0!