Manalyze report for 60bdd4902b48e69b25eeee4df19ad417

Summary

Architecture	`IMAGE_FILE_MACHINE_I386`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	2019-Jan-30 17:36:27
TLS Callbacks	2 callback(s) detected.
Debug artifacts	Embedded COFF debugging symbols

Plugin Output

Info	The PE contains common functions which appear in legitimate applications.	`Possibly launches other programs: system`
Suspicious	The file contains overlay data.	`18566 bytes of data starting at offset 0x2b600.`
Malicious	VirusTotal score: 60/73 (Scanned on 2019-12-26 20:08:52)	`Bkav: HW32.Packed.` `DrWeb: Trojan.Trick.46210` `MicroWorld-eScan: Trojan.Autoruns.GenericKD.31601281` `FireEye: Generic.mg.60bdd4902b48e69b` `CAT-QuickHeal: Trojan.Multi` `McAfee: Trojan-FQGT!60BDD4902B48` `Cylance: Unsafe` `VIPRE: Trojan.Win32.Generic!BT` `K7AntiVirus: Trojan ( 00546bc61 )` `Alibaba: Trojan:Win32/Trickbot.8ab883d7` `K7GW: Trojan ( 00546bc61 )` `Cybereason: malicious.02b48e` `Invincea: heuristic` `BitDefenderTheta: Gen:NN.ZexaF.33558.lGY@au@o7Wp` `Symantec: Trojan.Gen.2` `ESET-NOD32: Win32/TrickBot.BN` `TrendMicro-HouseCall: Trojan.Win32.MERETAM.AD` `Avast: Win32:Malware-gen` `Kaspersky: Trojan.Win32.Inject.alefz` `BitDefender: Trojan.Autoruns.GenericKD.31601281` `NANO-Antivirus: Trojan.Win32.Trick.fmnxda` `Paloalto: generic.ml` `ViRobot: Trojan.Win32.Trickbot.196230` `Endgame: malicious (high confidence)` `Sophos: Troj/Trikbot-CI` `Comodo: Malware@#3gqg7pufxo88e` `F-Secure: Trojan.TR/Dropper.Gen` `Zillya: Trojan.Inject.Win32.282573` `TrendMicro: Trojan.Win32.MERETAM.AD` `McAfee-GW-Edition: BehavesLike.Win32.Ardurk.cc` `Fortinet: W32/TrickBot.D417!tr` `Emsisoft: Trojan.Autoruns.GenericKD.31601281 (B)` `Ikarus: Trojan-Banker.TrickBot` `Cyren: W32/Trojan.RREM-4904` `Jiangmin: Trojan.Inject.aqzd` `Webroot: W32.Trojan.Gen` `Avira: TR/Dropper.Gen` `MAX: malware (ai score=99)` `Antiy-AVL: Trojan/Win32.Inject` `Arcabit: Trojan.Autoruns.Generic.D1E23281` `AegisLab: Trojan.Win32.Inject.4!c` `ZoneAlarm: Trojan.Win32.Inject.alefz` `Microsoft: Trojan:Win32/Trickbot.V` `AhnLab-V3: Malware/Gen.Generic.C2985594` `Acronis: suspicious` `VBA32: Trojan.Trick` `ALYac: Trojan.Trickster.Gen` `Ad-Aware: Trojan.Autoruns.GenericKD.31601281` `Malwarebytes: Trojan.TrickBot` `APEX: Malicious` `Rising: Trojan.Generic@ML.91 (RDMK:ChHhADcp3qlCsbPF7G28/w)` `Yandex: Trojan.Inject!rL3MzuGzHCg` `SentinelOne: DFI - Malicious PE` `eGambit: Unsafe.AI_Score_89%` `GData: Trojan.Autoruns.GenericKD.31601281` `MaxSecure: Trojan.Malware.74102624.susgen` `AVG: Win32:Malware-gen` `Panda: Trj/GdSda.A` `CrowdStrike: win/malicious_confidence_100% (W)` `Qihoo-360: HEUR/QVM01.1.EC6F.Malware.Gen`

Hashes

MD5	`60bdd4902b48e69b25eeee4df19ad417`
SHA1	`2848018b904ef4faa2dabbb47c3816c3fb051d46`
SHA256	`4bbc55814ecf0878d938071a8c8eb9d1e28d4b54eb4172de60403436590fd2c9`
SHA3	`b1c8cfa4204a914879f0540ff3ef7c05847203c3bebf8dc49689c98751a4aa2f`
SSDeep	`3072:Z+gDsLmB3tO3fcOfXUmdDPEilXg+tLpGXXYtTe/IMm4I4mqrqwxWjA3t:Qkmg3tO1XJdvxgGpGXSewM/IcxHd`
Imports Hash	`1d642e450b189ba1bfa339ffaf69e6b1`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0x80`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_I386`
NumberofSections	`8`
TimeDateStamp	2019-Jan-30 17:36:27
PointerToSymbolTable	`0x2b600`
NumberOfSymbols	`849`
SizeOfOptionalHeader	`0xe0`
Characteristics	`IMAGE_FILE_32BIT_MACHINE` `IMAGE_FILE_DEBUG_STRIPPED` `IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LINE_NUMS_STRIPPED` `IMAGE_FILE_RELOCS_STRIPPED`

Image Optional Header

Magic	`PE32`
LinkerVersion	`2.0`
SizeOfCode	`0x1a00`
SizeOfInitializedData	`0x2b200`
SizeOfUninitializedData	`0x200`
AddressOfEntryPoint	`0x000012A0 (Section: .text)`
BaseOfCode	`0x1000`
BaseOfData	`0x3000`
ImageBase	`0x400000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`4.0`
ImageVersion	`1.0`
SubsystemVersion	`4.0`
Win32VersionValue	`0`
SizeOfImage	`0x31000`
SizeOfHeaders	`0x400`
Checksum	`0x39d68`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
SizeofStackReserve	`0x200000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`921467630f82d1b4593f9fd85565de44`
SHA1	`b1f9ad79459218b1f4b69773d099fcc30b91702d`
SHA256	`70099b51beb093e069788dc023ebc33cada7e6665b5436c27c359e80d17eb203`
SHA3	`534f41f88295355e65958f29ec7fbbb95050133925e09545c4613ce49e9ad0d4`
VirtualSize	`0x1880`
VirtualAddress	`0x1000`
SizeOfRawData	`0x1a00`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_ALIGN_1024BYTES` `IMAGE_SCN_ALIGN_16BYTES` `IMAGE_SCN_ALIGN_1BYTES` `IMAGE_SCN_ALIGN_2048BYTES` `IMAGE_SCN_ALIGN_256BYTES` `IMAGE_SCN_ALIGN_32BYTES` `IMAGE_SCN_ALIGN_4096BYTES` `IMAGE_SCN_ALIGN_4BYTES` `IMAGE_SCN_ALIGN_64BYTES` `IMAGE_SCN_ALIGN_8192BYTES` `IMAGE_SCN_ALIGN_8BYTES` `IMAGE_SCN_ALIGN_MASK` `IMAGE_SCN_CNT_CODE` `IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`5.56332`

.data

MD5	`f1e15284767bfbd652a35e2017975159`
SHA1	`e3bc0a5e8ff5d24f467b0387970d57b5fff728c2`
SHA256	`5646cd8a90fc150c7a2264f2d274031c56508d9217cba0c7c3611b55904f65f3`
SHA3	`6db593e61e15723e6900b49dbd5366991bc176149afcdd6592835451ba32ebec`
VirtualSize	`0x27f30`
VirtualAddress	`0x3000`
SizeOfRawData	`0x28000`
PointerToRawData	`0x1e00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_ALIGN_1024BYTES` `IMAGE_SCN_ALIGN_16BYTES` `IMAGE_SCN_ALIGN_2048BYTES` `IMAGE_SCN_ALIGN_2BYTES` `IMAGE_SCN_ALIGN_32BYTES` `IMAGE_SCN_ALIGN_4096BYTES` `IMAGE_SCN_ALIGN_4BYTES` `IMAGE_SCN_ALIGN_512BYTES` `IMAGE_SCN_ALIGN_64BYTES` `IMAGE_SCN_ALIGN_8192BYTES` `IMAGE_SCN_ALIGN_8BYTES` `IMAGE_SCN_ALIGN_MASK` `IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`7.99837`

.rdata

MD5	`c42d7c093b82ee9e268ccbceb7c73d33`
SHA1	`6e8ed44125ce210e4c8f06ed6bb25f672b8a2d22`
SHA256	`ff0e44bd2564897ed67b7b3828c1b99b09060fa1f4eecee3e51b86d24af20667`
SHA3	`094ecf64b90678b77cf31f79c72e5691556654aa8381759e3fc7a1d681c2b674`
VirtualSize	`0x730`
VirtualAddress	`0x2b000`
SizeOfRawData	`0x800`
PointerToRawData	`0x29e00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_ALIGN_1024BYTES` `IMAGE_SCN_ALIGN_16BYTES` `IMAGE_SCN_ALIGN_1BYTES` `IMAGE_SCN_ALIGN_256BYTES` `IMAGE_SCN_ALIGN_2BYTES` `IMAGE_SCN_ALIGN_32BYTES` `IMAGE_SCN_ALIGN_4096BYTES` `IMAGE_SCN_ALIGN_4BYTES` `IMAGE_SCN_ALIGN_512BYTES` `IMAGE_SCN_ALIGN_64BYTES` `IMAGE_SCN_ALIGN_8192BYTES` `IMAGE_SCN_ALIGN_MASK` `IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`4.8094`

.eh_fram

MD5	`4b2c1c1725f22c886fd070ad590dfeb5`
SHA1	`6b39aa2a429cba34e2a079ebd57333064a969f46`
SHA256	`29d193aa263e3b068272665806d98f7a4e4a1accab2196014606087fd525739a`
SHA3	`2fcc143bdf1a42952d8058c056cf15b1408270cd60f2d42aef24403faa540644`
VirtualSize	`0x4cc`
VirtualAddress	`0x2c000`
SizeOfRawData	`0x600`
PointerToRawData	`0x2a600`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_ALIGN_1024BYTES` `IMAGE_SCN_ALIGN_16BYTES` `IMAGE_SCN_ALIGN_1BYTES` `IMAGE_SCN_ALIGN_256BYTES` `IMAGE_SCN_ALIGN_2BYTES` `IMAGE_SCN_ALIGN_32BYTES` `IMAGE_SCN_ALIGN_4096BYTES` `IMAGE_SCN_ALIGN_4BYTES` `IMAGE_SCN_ALIGN_512BYTES` `IMAGE_SCN_ALIGN_64BYTES` `IMAGE_SCN_ALIGN_8192BYTES` `IMAGE_SCN_ALIGN_MASK` `IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`3.93538`

.bss

MD5	`d41d8cd98f00b204e9800998ecf8427e`
SHA1	`da39a3ee5e6b4b0d3255bfef95601890afd80709`
SHA256	`e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`
SHA3	`a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a`
VirtualSize	`0x138`
VirtualAddress	`0x2d000`
SizeOfRawData	`0`
PointerToRawData	`0`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_ALIGN_1024BYTES` `IMAGE_SCN_ALIGN_16BYTES` `IMAGE_SCN_ALIGN_2048BYTES` `IMAGE_SCN_ALIGN_2BYTES` `IMAGE_SCN_ALIGN_32BYTES` `IMAGE_SCN_ALIGN_4096BYTES` `IMAGE_SCN_ALIGN_4BYTES` `IMAGE_SCN_ALIGN_512BYTES` `IMAGE_SCN_ALIGN_64BYTES` `IMAGE_SCN_ALIGN_8192BYTES` `IMAGE_SCN_ALIGN_8BYTES` `IMAGE_SCN_ALIGN_MASK` `IMAGE_SCN_CNT_UNINITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`

.idata

MD5	`2b585e735dacc843cf563286fd0a9e96`
SHA1	`368087799af466059b3b4fca02abb8617906a2ec`
SHA256	`c61f7f76a933e7afdc3ff37965ac1252f9327bf80717994998da4d58ddd1ac14`
SHA3	`c58f962e12a028d4677607152c5b4163b91778d9655142140056d27d03c90f66`
VirtualSize	`0x53c`
VirtualAddress	`0x2e000`
SizeOfRawData	`0x600`
PointerToRawData	`0x2ac00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_ALIGN_1024BYTES` `IMAGE_SCN_ALIGN_16BYTES` `IMAGE_SCN_ALIGN_1BYTES` `IMAGE_SCN_ALIGN_256BYTES` `IMAGE_SCN_ALIGN_2BYTES` `IMAGE_SCN_ALIGN_32BYTES` `IMAGE_SCN_ALIGN_4096BYTES` `IMAGE_SCN_ALIGN_4BYTES` `IMAGE_SCN_ALIGN_512BYTES` `IMAGE_SCN_ALIGN_64BYTES` `IMAGE_SCN_ALIGN_8192BYTES` `IMAGE_SCN_ALIGN_MASK` `IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`4.43839`

.CRT

MD5	`f88697431a1cbef9cf1aa0625f2020dc`
SHA1	`06219b216d8e4296ed7c3e3d00580b4058f53f7c`
SHA256	`f363843f7c3363db5b880b85bc09909cbf2d7fe6a170aab56c2d2b0309ae12d7`
SHA3	`f8ead03112f093dfcda2005ebcccbb4bd08375c4f616aca0c0dbd11304d048eb`
VirtualSize	`0x18`
VirtualAddress	`0x2f000`
SizeOfRawData	`0x200`
PointerToRawData	`0x2b200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_ALIGN_1024BYTES` `IMAGE_SCN_ALIGN_16BYTES` `IMAGE_SCN_ALIGN_1BYTES` `IMAGE_SCN_ALIGN_256BYTES` `IMAGE_SCN_ALIGN_2BYTES` `IMAGE_SCN_ALIGN_32BYTES` `IMAGE_SCN_ALIGN_4096BYTES` `IMAGE_SCN_ALIGN_4BYTES` `IMAGE_SCN_ALIGN_512BYTES` `IMAGE_SCN_ALIGN_64BYTES` `IMAGE_SCN_ALIGN_8192BYTES` `IMAGE_SCN_ALIGN_MASK` `IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`0.114463`

.tls

MD5	`78e8753ba328f4cd65d3eee14914710f`
SHA1	`2396f717abb223fca26840cfd2c00bb9d31def59`
SHA256	`8acae62c3c2982b48b7fee17b87d3c313eeb4b5b082129c8ba0ff9632714ab4a`
SHA3	`324ea38dcbffb6506d15dd71697d614638438ff8ca8344961871c595552cd37c`
VirtualSize	`0x20`
VirtualAddress	`0x30000`
SizeOfRawData	`0x200`
PointerToRawData	`0x2b400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_ALIGN_1024BYTES` `IMAGE_SCN_ALIGN_16BYTES` `IMAGE_SCN_ALIGN_1BYTES` `IMAGE_SCN_ALIGN_256BYTES` `IMAGE_SCN_ALIGN_2BYTES` `IMAGE_SCN_ALIGN_32BYTES` `IMAGE_SCN_ALIGN_4096BYTES` `IMAGE_SCN_ALIGN_4BYTES` `IMAGE_SCN_ALIGN_512BYTES` `IMAGE_SCN_ALIGN_64BYTES` `IMAGE_SCN_ALIGN_8192BYTES` `IMAGE_SCN_ALIGN_MASK` `IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`0.195869`

Imports

KERNEL32.dll	`DeleteCriticalSection` `EnterCriticalSection` `ExitProcess` `GetLastError` `GetModuleHandleA` `GetProcAddress` `InitializeCriticalSection` `LeaveCriticalSection` `SetUnhandledExceptionFilter` `TlsGetValue` `VirtualProtect` `VirtualQuery`
msvcrt.dll	`_access` `_getch` `_stricmp`
msvcrt.dll (#2)	`_access` `_getch` `_stricmp`
USER32.dll	`MessageBoxA`

Delayed Imports

Version Info

TLS Callbacks

StartAddressOfRawData	`0x430019`
EndAddressOfRawData	`0x43001c`
AddressOfIndex	`0x42d02c`
AddressOfCallbacks	`0x42f004`
SizeOfZeroFill	`0`
Characteristics	`IMAGE_SCN_TYPE_REG`
Callbacks	`0x00401F60` `0x00401F10`

Load Configuration

RICH Header

Errors

[*] Warning: COFF symbol's section number is bigger than the number of sections!
[*] Warning: COFF symbol's section number is bigger than the number of sections!
[*] Warning: COFF symbol's section number is bigger than the number of sections!
[*] Warning: COFF symbol's section number is bigger than the number of sections!
[*] Warning: COFF symbol's section number is bigger than the number of sections!
[*] Warning: COFF symbol's section number is bigger than the number of sections!
[*] Warning: COFF symbol's section number is bigger than the number of sections!
[*] Warning: COFF symbol's section number is bigger than the number of sections!
[*] Warning: COFF symbol's section number is bigger than the number of sections!
[*] Warning: COFF symbol's section number is bigger than the number of sections!
[*] Warning: COFF symbol's section number is bigger than the number of sections!
[*] Warning: COFF symbol's section number is bigger than the number of sections!
[*] Warning: COFF symbol's section number is bigger than the number of sections!
[*] Warning: COFF symbol's section number is bigger than the number of sections!
[*] Warning: COFF symbol's section number is bigger than the number of sections!
[*] Warning: COFF symbol's section number is bigger than the number of sections!
[*] Warning: COFF symbol's section number is bigger than the number of sections!
[*] Warning: COFF symbol's section number is bigger than the number of sections!
[*] Warning: COFF symbol's section number is bigger than the number of sections!
[*] Warning: COFF symbol's section number is bigger than the number of sections!
[*] Warning: COFF symbol's section number is bigger than the number of sections!
[*] Warning: COFF symbol's section number is bigger than the number of sections!
[*] Warning: COFF symbol's section number is bigger than the number of sections!
[*] Warning: COFF symbol's section number is bigger than the number of sections!
[*] Warning: COFF symbol's section number is bigger than the number of sections!
[*] Warning: COFF symbol's section number is bigger than the number of sections!
[*] Warning: COFF symbol's section number is bigger than the number of sections!
[*] Warning: COFF symbol's section number is bigger than the number of sections!
[*] Warning: COFF symbol's section number is bigger than the number of sections!
[*] Warning: COFF symbol's section number is bigger than the number of sections!
[*] Warning: COFF symbol's section number is bigger than the number of sections!
[*] Warning: COFF symbol's section number is bigger than the number of sections!
[*] Warning: COFF symbol's section number is bigger than the number of sections!
[*] Warning: COFF symbol's section number is bigger than the number of sections!
[*] Warning: COFF symbol's section number is bigger than the number of sections!
[*] Warning: COFF symbol's section number is bigger than the number of sections!
[*] Warning: COFF symbol's section number is bigger than the number of sections!
[*] Warning: COFF symbol's section number is bigger than the number of sections!
[*] Warning: COFF symbol's section number is bigger than the number of sections!
[*] Warning: COFF symbol's section number is bigger than the number of sections!
[*] Warning: COFF symbol's section number is bigger than the number of sections!
[*] Warning: COFF symbol's section number is bigger than the number of sections!
[*] Warning: COFF symbol's section number is bigger than the number of sections!
[*] Warning: COFF symbol's section number is bigger than the number of sections!
[*] Warning: COFF symbol's section number is bigger than the number of sections!
[*] Warning: COFF symbol's section number is bigger than the number of sections!
[*] Warning: COFF symbol's section number is bigger than the number of sections!
[*] Warning: COFF symbol's section number is bigger than the number of sections!
[*] Warning: COFF symbol's section number is bigger than the number of sections!
[*] Warning: COFF symbol's section number is bigger than the number of sections!
[*] Warning: COFF symbol's section number is bigger than the number of sections!
[*] Warning: COFF symbol's section number is bigger than the number of sections!
[*] Warning: COFF String Table's reported size is bigger than the remaining bytes!
[*] Warning: Section .bss has a size of 0!