Manalyze report for 60ff78514d6df20c6e82b7b777151c5c

Summary

Architecture	`IMAGE_FILE_MACHINE_I386`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	2009-Jul-13 15:45:45
Detected languages	English - United States
Comments	Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
CompanyName	Apache Software Foundation
FileDescription	ApacheBench command line utility
FileVersion	`2.2.14`
InternalName	ab.exe
LegalCopyright	Copyright 2009 The Apache Software Foundation.
OriginalFilename	ab.exe
ProductName	Apache HTTP Server
ProductVersion	`2.2.14`

Plugin Output

Suspicious	PEiD Signature:	`UPX V2.00-V2.90 -> Markus Oberhumer & Laszlo Molnar & John Reiser` `UPX v2.0 -> Markus, Laszlo & Reiser (h)` `UPX -> www.upx.sourceforge.net` `UPX V2.00-V2.90 -> Markus Oberhumer & Laszlo Molnar & John Reiser`
Info	Interesting strings found in the binary:	`Contains domain names: apache.org http://www.apache.org http://www.apache.org/licenses/LICENSE-2.0 www.apache.org`
Suspicious	The PE is packed with UPX	`Unusual section name found: UPX0` `Section UPX0 is both writable and executable.` `Unusual section name found: UPX1` `Section UPX1 is both writable and executable.` `The PE only has 8 import(s).`
Suspicious	The PE contains functions most legitimate programs don't use.	`[!] The program may be hiding some of its imports: LoadLibraryA GetProcAddress` `Leverages the raw socket API to access the Internet: WSARecv`
Malicious	VirusTotal score: 60/72 (Scanned on 2026-02-07 12:09:35)	`ALYac: Generic.ShellCode.Marte.H.1ADFF85F` `APEX: Malicious` `AVG: Win32:Evo-gen [Trj]` `Acronis: suspicious` `AhnLab-V3: Backdoor/Win32.Bifrose.R12476` `Alibaba: Trojan:Win32/CobaltStrike.5c89` `Antiy-AVL: Trojan/Win32.Meterpreter` `Arcabit: Generic.ShellCode.Marte.H.1ADFF85F` `Avast: Win32:Evo-gen [Trj]` `Avira: TR/Crypt.ULPM.Gen` `BitDefender: Generic.ShellCode.Marte.H.1ADFF85F` `Bkav: W32.AIDetectMalware` `CAT-QuickHeal: Trojan.Ghanarava.1765012524151c5c` `CTX: exe.trojan.swrort` `ClamAV: Win.Trojan.Swrort-5710536-0` `CrowdStrike: win/malicious_confidence_100% (W)` `Cylance: Unsafe` `Cynet: Malicious (score: 100)` `DeepInstinct: MALICIOUS` `ESET-NOD32: Win32/Rozena.BJN.gen trojan` `Elastic: malicious (moderate confidence)` `Emsisoft: Generic.ShellCode.Marte.H.1ADFF85F (B)` `F-Secure: Trojan.TR/Crypt.ULPM.Gen` `Fortinet: W32/Rozena.ABV!tr` `GData: Win32.Trojan.PSE.1TDK453` `Google: Detected` `Ikarus: Trojan.Win32.Rozena` `K7AntiVirus: Trojan ( 005d00971 )` `K7GW: Trojan ( 005d00971 )` `Kaspersky: HEUR:Trojan.Win32.Generic` `Kingsoft: Win32.Trojan.Generic.a` `Lionic: Trojan.Win32.Jorik.lrUS` `Malwarebytes: Rozena.Trojan.Shell.DDS` `MaxSecure: Trojan.Malware.300983.susgen` `McAfeeD: Real Protect-LS!60FF78514D6D` `MicroWorld-eScan: Generic.ShellCode.Marte.H.1ADFF85F` `Microsoft: Trojan:Win32/Meterpreter!pz` `NANO-Antivirus: Trojan.Win32.Shellcode.ewfvwj` `Paloalto: generic.ml` `Panda: Trj/Genetic.gen` `Rising: Trojan.Crypto!8.364 (C64:YzY0OrV1qZbEtoBC)` `Sangfor: Trojan.Win32.Save.a` `SentinelOne: Static AI - Malicious PE` `Skyhigh: BehavesLike.Win32.Downloader.pc` `Sophos: Mal/Generic-S` `Symantec: Packed.Generic.347` `Tencent: Trojan.Win32.CobaltStrike.16001077` `Trapmine: malicious.high.ml.score` `TrellixENS: GenericRXAA-AA!60FF78514D6D` `TrendMicro: BKDR_SWRORT.SM` `TrendMicro-HouseCall: BKDR_SWRORT.SM` `VBA32: Trojan.Swrort` `VIPRE: Generic.ShellCode.Marte.H.1ADFF85F` `Varist: W32/ASRisk.XHYE-5143` `Webroot: W32.Trojan.Swrort.Gen` `Xcitium: TrojWare.Win32.Rozena.A@4jwdqr` `Yandex: Trojan.GenAsa!O0/tdGI4TGA` `Zillya: Trojan.RozenaGen.Win32.2` `alibabacloud: Backdoor:Win/meterpreter.A` `huorong: HVM:Backdoor/Meterpreter.a`

Hashes

MD5	`60ff78514d6df20c6e82b7b777151c5c`
SHA1	`f7bc8beb30e9673d8fc4f6363eab07094ed35b59`
SHA256	`3279fb36cf70bdc4d5ccf02e6be855681a39602a9506fbf4cee0bc92323e6a9d`
SHA3	`707a5609fc75d8449eb74d2fc6e7068fd84547362871b4617349d11e7be956c0`
SSDeep	`768:InA1hNwbTrod66Pa/7eMVercixQLMi6kHgdmPZMBOYXYltfj6ZHxtR7XqGLGqaB:I4MbTkPaqWercixIh6p8Z4ZHxtRvGlQ`
Imports Hash	`25b3acc640473b6fce722f16eff93149`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0xe8`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_I386`
NumberofSections	`3`
TimeDateStamp	2009-Jul-13 15:45:45
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xe0`
Characteristics	`IMAGE_FILE_32BIT_MACHINE` `IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LINE_NUMS_STRIPPED` `IMAGE_FILE_LOCAL_SYMS_STRIPPED` `IMAGE_FILE_RELOCS_STRIPPED`

Image Optional Header

Magic	`PE32`
LinkerVersion	`6.0`
SizeOfCode	`0xb000`
SizeOfInitializedData	`0x1000`
SizeOfUninitializedData	`0xc000`
AddressOfEntryPoint	`0x00017B30 (Section: UPX1)`
BaseOfCode	`0xd000`
BaseOfData	`0x18000`
ImageBase	`0x400000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`4.0`
ImageVersion	`0.0`
SubsystemVersion	`4.0`
Win32VersionValue	`0`
SizeOfImage	`0x19000`
SizeOfHeaders	`0x1000`
Checksum	`0`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

UPX0

MD5	`d41d8cd98f00b204e9800998ecf8427e`
SHA1	`da39a3ee5e6b4b0d3255bfef95601890afd80709`
SHA256	`e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`
SHA3	`a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a`
VirtualSize	`0xc000`
VirtualAddress	`0x1000`
SizeOfRawData	`0`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_UNINITIALIZED_DATA` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`

UPX1

MD5	`a2ce02f50cf5158ba65759ffdc63e8f0`
SHA1	`910cb9e82b0862e118cd1a3ef726782201218dbc`
SHA256	`0ee7fab891a1dc31ff0609c9cf7d6bd138869683905f0d6d3cfe95d3687a27b9`
SHA3	`d3cc1b03018b6d4961159f7535956cf9b0722a400052a771ccbd2e756be5b429`
VirtualSize	`0xb000`
VirtualAddress	`0xd000`
SizeOfRawData	`0xae00`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`7.89952`

.rsrc

MD5	`af80b1dba5cefe4ae931c57a73eddc1d`
SHA1	`a73e0eb35f39bf2527d8910e9f59befe4ab9ba8d`
SHA256	`47416b17a3104ee6a695cf9eaf9e1f09278fd999299ab330efab8bb82bec2a26`
SHA3	`2253788176a7e81ff5d46ba378efae031994282561cecd06bc7d51ab9fcb22ab`
VirtualSize	`0x1000`
VirtualAddress	`0x18000`
SizeOfRawData	`0xa00`
PointerToRawData	`0xb200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`3.35099`

Imports

ADVAPI32.dll	`FreeSid`
KERNEL32.DLL	`LoadLibraryA` `ExitProcess` `GetProcAddress` `VirtualProtect`
MSVCRT.dll	`_iob`
WS2_32.dll	`WSARecv`
WSOCK32.dll	`WSAGetLastError`

Delayed Imports

1

Type	`RT_VERSION`
Language	English - United States
Codepage	UNKNOWN
Size	`0x768`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.49991`
MD5	`ddfda397f78597f8a3a40b972300dc26`
SHA1	`1e92b61cf6c7f7d73422bb7a2c0c335a7e459a7d`
SHA256	`465417d96548ce85076f6509efac41e5ad02fee2b8f712416e8b6aa08d93c494`
SHA3	`d057bd49bc4c303fa2411089f9681ec0f7baa4225cc802200eb9508872771603`

Version Info

Signature	`0xfeef04bd`
StructVersion	`0x10000`
FileVersion	2.2.14.0
ProductVersion	2.2.14.0
FileFlags	`(EMPTY)`
FileOs	`VOS_DOS_WINDOWS32` `VOS_NT_WINDOWS32` `VOS__WINDOWS32`
FileType	`VFT_APP`
Language	English - United States
Comments	Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
CompanyName	Apache Software Foundation
FileDescription	ApacheBench command line utility
FileVersion (#2)	2.2.14
InternalName	ab.exe
LegalCopyright	Copyright 2009 The Apache Software Foundation.
OriginalFilename	ab.exe
ProductName	Apache HTTP Server
ProductVersion (#2)	2.2.14

Resource LangID	English - United States

TLS Callbacks

Load Configuration

RICH Header

XOR Key	`0x859e59d7`
Unmarked objects	`0`
12 (7291)	`4`
14 (7299)	`9`
C objects (8047)	`11`
Linker (8047)	`3`
Total imports	`201`
Imports (2179)	`8`
48 (9044)	`40`
Resource objects (VS98 SP6 cvtres build 1736)	`1`

Errors

[*] Warning: Section UPX0 has a size of 0!