63732b8527a3adae1aaf4cf5d2506131

Summary

Architecture IMAGE_FILE_MACHINE_I386
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date 2020-Aug-01 02:44:18
Detected languages English - United States

Plugin Output

Info Interesting strings found in the binary: Contains domain names:
  • http://nsis.sf.net
  • http://nsis.sf.net/NSIS_Error
  • nsis.sf.net
Suspicious The PE is an NSIS installer Unusual section name found: .ndata
Malicious The PE contains functions mostly used by malware. [!] The program may be hiding some of its imports:
  • GetProcAddress
  • LoadLibraryExW
Can access the registry:
  • RegCreateKeyExW
  • RegEnumKeyW
  • RegQueryValueExW
  • RegSetValueExW
  • RegCloseKey
  • RegDeleteValueW
  • RegDeleteKeyW
  • RegOpenKeyExW
  • RegEnumValueW
Possibly launches other programs:
  • CreateProcessW
Can create temporary files:
  • GetTempPathW
  • CreateFileW
Functions related to the privilege level:
  • AdjustTokenPrivileges
  • OpenProcessToken
Changes object ACLs:
  • SetFileSecurityW
Can shut the system down or lock the screen:
  • ExitWindowsEx
Suspicious The file contains overlay data. 11815405 bytes of data starting at offset 0x9000.
The overlay data has an entropy of 7.99999 and is possibly compressed or encrypted.
Overlay data amounts for 99.689% of the executable.
Malicious VirusTotal score: 30/67 (Scanned on 2021-11-25 08:55:10) Bkav: W32.AIDetect.malware2
Elastic: malicious (high confidence)
MicroWorld-eScan: Trojan.GenericKDZ.79325
BitDefender: Trojan.GenericKDZ.79325
Cybereason: malicious.13411c
Cyren: W32/MSIL_Kryptik.FHF.gen!Eldorado
ESET-NOD32: multiple detections
APEX: Malicious
ClamAV: Win.Packed.Barys-9859531-0
Kaspersky: Trojan.Win32.Agent.xaktij
Avast: Win32:CrypterX-gen [Trj]
Rising: Dropper.Agent/NSIS!1.D805 (CLASSIC:cmRtazqm+wdvciVImSVHriwQ4RCy)
Emsisoft: IL:Trojan.MSILZilla.4736 (B)
DrWeb: Trojan.PackedNET.972
TrendMicro: TROJ_GEN.R002C0DKO21
McAfee-GW-Edition: BehavesLike.Win32.AdwareDealPly.wc
FireEye: Generic.mg.63732b8527a3adae
GData: Trojan.Agent.FPXJ
Avira: HEUR/AGEN.1144141
Antiy-AVL: Trojan/Generic.ASMalwS.3454962
Kingsoft: Win32.Troj.Undef.(kcloud)
Microsoft: Trojan:Win32/Wacatac.B!ml
Cynet: Malicious (score: 99)
ALYac: Trojan.Agent.FPXJ
MAX: malware (ai score=86)
VBA32: CIL.HeapOverride.Heur
Malwarebytes: Trojan.Dropper.SFX.Generic
TrendMicro-HouseCall: TROJ_GEN.R002C0DKO21
Fortinet: W32/BSE.4Q7Q!tr
AVG: Win32:CrypterX-gen [Trj]

Hashes

MD5 63732b8527a3adae1aaf4cf5d2506131
SHA1 f5f797813411c0e4623fac53b59e9e5eaa1d4aca
SHA256 19ea2926f39f12b11c24f5bbb4ef1ff36bd3e5c993848a1ce77557b26acab58b
SHA3 d7d61f9419b3993c42706e8293b2adcb06165836ed6fb5026518d5deebf57a4b
SSDeep 196608:Jg/B0waEqbQXAGAbBHVprF/BQWvuU0V1gjuc373n79l4lsc7b5uUrJGtLlzN90Y7:JxEqeAbB1p78U0Dgj73b79l4lh5uU1Gp
Imports Hash c05041e01f84e1ccca9c4451f3b6a383

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0xd8

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_I386
NumberofSections 5
TimeDateStamp 2020-Aug-01 02:44:18
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xe0
Characteristics IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_RELOCS_STRIPPED

Image Optional Header

Magic PE32
LinkerVersion 6.0
SizeOfCode 0x6600
SizeOfInitializedData 0x22a00
SizeOfUninitializedData 0x800
AddressOfEntryPoint 0x000035D8 (Section: .text)
BaseOfCode 0x1000
BaseOfData 0x8000
ImageBase 0x400000
SectionAlignment 0x1000
FileAlignment 0x200
OperatingSystemVersion 4.0
ImageVersion 6.0
SubsystemVersion 4.0
Win32VersionValue 0
SizeOfImage 0x3c000
SizeOfHeaders 0x400
Checksum 0
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
DllCharacteristics IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
SizeofStackReserve 0x100000
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

.text

MD5 869e1d11bbf88d92521c022fa6f3d4f0
SHA1 3442c1bb49ba3c7bfc46618255cc471a7e3e3bb7
SHA256 7a538c35c247872f01b15c7f6c3ef38e2beb898ed0ee2831791dc252f682d7e4
SHA3 18176b457042f120366c90c49be5dfbfd7c65ac06c739b685d60bb7038e8d9a2
VirtualSize 0x6572
VirtualAddress 0x1000
SizeOfRawData 0x6600
PointerToRawData 0x400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
Entropy 6.45392

.rdata

MD5 79e286249499b713a2ddbee33baa50da
SHA1 fe2bedee8c2ca0b3a39a9a62d201d08eee8b3f17
SHA256 83bea15184035cd426d88b077d6973382cb3ec99b72dda413183a0d751fcab2c
SHA3 12c7013e4c1c09d5a669b32a2e022721f8916191a733fbcdb2f1894d6a86c61c
VirtualSize 0x1398
VirtualAddress 0x8000
SizeOfRawData 0x1400
PointerToRawData 0x6a00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 5.13672

.data

MD5 b6d02c867f7bfbcf68de2cfeea94fd73
SHA1 ac77cc46ab8d1809c15541e5c084c069a6bf8107
SHA256 c49462737ce149cb4c498bfa3d56d6883dca161155785402c8af95c10e3d7e29
SHA3 ecd4b42a60e0ce1edc396ff446f1b645da4584097cd55da5e4ef561ef43a6174
VirtualSize 0x20378
VirtualAddress 0xa000
SizeOfRawData 0x600
PointerToRawData 0x7e00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 4.09681

.ndata

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA3 a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a
VirtualSize 0x10000
VirtualAddress 0x2b000
SizeOfRawData 0
PointerToRawData 0
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc

MD5 ee5366c0b6c3ce68a7cd0901528e1abe
SHA1 2c20d8141c767ef144a57c556e3da7db13e66bea
SHA256 2c984a6ba7fd45ac84105d0563715d0339b274d7eaa1b71ec227c50a04b28fec
SHA3 bb786efea018c2614d65081e9ef9f392190b8e05677f0c4ffeccf658013a4b65
VirtualSize 0xa60
VirtualAddress 0x3b000
SizeOfRawData 0xc00
PointerToRawData 0x8400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 4.20969

Imports

ADVAPI32.dll RegCreateKeyExW
RegEnumKeyW
RegQueryValueExW
RegSetValueExW
RegCloseKey
RegDeleteValueW
RegDeleteKeyW
AdjustTokenPrivileges
LookupPrivilegeValueW
OpenProcessToken
SetFileSecurityW
RegOpenKeyExW
RegEnumValueW
SHELL32.dll SHGetSpecialFolderLocation
SHFileOperationW
SHBrowseForFolderW
SHGetPathFromIDListW
ShellExecuteExW
SHGetFileInfoW
ole32.dll OleInitialize
OleUninitialize
CoCreateInstance
IIDFromString
CoTaskMemFree
COMCTL32.dll #17
ImageList_Create
ImageList_Destroy
ImageList_AddMasked
USER32.dll GetClientRect
EndPaint
DrawTextW
IsWindowEnabled
DispatchMessageW
wsprintfA
CharNextA
CharPrevW
MessageBoxIndirectW
GetDlgItemTextW
SetDlgItemTextW
GetSystemMetrics
FillRect
AppendMenuW
TrackPopupMenu
OpenClipboard
SetClipboardData
CloseClipboard
IsWindowVisible
CallWindowProcW
GetMessagePos
CheckDlgButton
LoadCursorW
SetCursor
GetWindowLongW
GetSysColor
SetWindowPos
PeekMessageW
SetClassLongW
GetSystemMenu
EnableMenuItem
GetWindowRect
ScreenToClient
EndDialog
RegisterClassW
SystemParametersInfoW
CreateWindowExW
GetClassInfoW
DialogBoxParamW
CharNextW
ExitWindowsEx
DestroyWindow
CreateDialogParamW
SetTimer
SetWindowTextW
PostQuitMessage
SetForegroundWindow
ShowWindow
wsprintfW
SendMessageTimeoutW
FindWindowExW
IsWindow
GetDlgItem
SetWindowLongW
LoadImageW
GetDC
ReleaseDC
EnableWindow
InvalidateRect
SendMessageW
DefWindowProcW
BeginPaint
EmptyClipboard
CreatePopupMenu
GDI32.dll SetBkMode
SetBkColor
GetDeviceCaps
CreateFontIndirectW
CreateBrushIndirect
DeleteObject
SetTextColor
SelectObject
KERNEL32.dll GetExitCodeProcess
WaitForSingleObject
GetModuleHandleA
GetProcAddress
GetSystemDirectoryW
lstrcatW
Sleep
lstrcpyA
WriteFile
GetTempFileNameW
lstrcmpiA
RemoveDirectoryW
CreateProcessW
CreateDirectoryW
GetLastError
CreateThread
GlobalLock
GlobalUnlock
GetDiskFreeSpaceW
WideCharToMultiByte
lstrcpynW
lstrlenW
SetErrorMode
GetVersion
GetCommandLineW
GetTempPathW
GetWindowsDirectoryW
SetEnvironmentVariableW
ExitProcess
CopyFileW
GetCurrentProcess
GetModuleFileNameW
GetFileSize
CreateFileW
GetTickCount
MulDiv
SetFileAttributesW
GetFileAttributesW
SetCurrentDirectoryW
MoveFileW
GetFullPathNameW
GetShortPathNameW
SearchPathW
CompareFileTime
SetFileTime
CloseHandle
lstrcmpiW
lstrcmpW
ExpandEnvironmentStringsW
GlobalFree
GlobalAlloc
GetModuleHandleW
LoadLibraryExW
MoveFileExW
FreeLibrary
WritePrivateProfileStringW
GetPrivateProfileStringW
lstrlenA
MultiByteToWideChar
ReadFile
SetFilePointer
FindClose
FindNextFileW
FindFirstFileW
DeleteFileW

Delayed Imports

1

Type RT_ICON
Language English - United States
Codepage UNKNOWN
Size 0x2e8
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 3.50665
MD5 f00e9d9f29bad0b3f02ccf494a4f3a1f
SHA1 57f9c03e30c91d3035c2b658fff178f0e154947f
SHA256 7b99f0e5e7a3db2de9f02622f1ac8a0c9599492dd00196b3cb3c2ed15bbde57d
SHA3 ac2209893371010acb09ae7f6b8b3f6cb19c857bf9a89f6cfb543f351300bd09

105

Type RT_DIALOG
Language English - United States
Codepage UNKNOWN
Size 0x100
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 2.66174
MD5 3409f314895161597f3c395cc5f65525
SHA1 1a99d016d65e567f24449d9362afb6ac44006d0b
SHA256 fecdb955f8d7f1c219ff8167f90b64f3cb52e53337494577ff73c0ac1dafcd96
SHA3 b3b19241cc6454389e45833e50b742ae1927a5f161017350a99f2cbc66914f26

106

Type RT_DIALOG
Language English - United States
Codepage UNKNOWN
Size 0x11c
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 2.88094
MD5 2d12c45dc2c029044aaff357141cb900
SHA1 083db861ab3c7db23c6257878296e73a89a74b8b
SHA256 69897c784f1491eb3024b0d52c2897196a2e245974497fda1915db5fefcf8729
SHA3 349b5d605c9c3efe5e0c4e2faa12dd21022fc5f9b053f2cbf4e2a6b8bc656442

111

Type RT_DIALOG
Language English - United States
Codepage UNKNOWN
Size 0x60
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 2.48825
MD5 6be4e1387d369cf86e68eacbdd0e81dd
SHA1 351970fe2681b9b35b5d59ad052011ed96a96e17
SHA256 85025c8556952f6a651c2468c8a0d58853b0ba482be9ad5cd3060f216540dfc0
SHA3 45e552e173141e06d113209b6cc915042ad0b4d5531464b8dbe5637029f489cb

103

Type RT_GROUP_ICON
Language English - United States
Codepage UNKNOWN
Size 0x14
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 2.16096
Detected Filetype Icon file
MD5 42cf62b780813706e75fb9f2b2e8c258
SHA1 a022d5c1cfdd8aace0089f3e72f2eedd41bda464
SHA256 a0c9d012e2bf6b2fe05c2d97cb5594d97cf2f539e97935c12abd7a3562f4d9bf
SHA3 0aafc8e3d8b6bde595537da4ffe0efc5fe53f01dafe336a2a5828b6a71283d3c

1 (#2)

Type RT_MANIFEST
Language English - United States
Codepage UNKNOWN
Size 0x34b
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 5.29035
MD5 c35124763079b01b86cd01df873a6ab1
SHA1 4424fca340c91e61f95ff2d52d5660706f5d876b
SHA256 ca87d7c948e18207198e03fb28ddb13b53a500e2dc384e127e758e613da92178
SHA3 020e76bff9b4cd53be4c0451c053213e24daa78855bf24e5a6d41a123498eaf7

Version Info

TLS Callbacks

Load Configuration

RICH Header

XOR Key 0xd26650e9
Unmarked objects 0
C objects (VS2003 (.NET) build 4035) 2
Total imports 165
Imports (VS2003 (.NET) build 4035) 15
48 (9044) 10
Resource objects (VS98 SP6 cvtres build 1736) 1

Errors

[*] Warning: Section .ndata has a size of 0!
<-- -->