Manalyze report for 63b54c6dc8354b881442e21276803188

Summary

Architecture	`IMAGE_FILE_MACHINE_I386`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	2018-Feb-01 20:18:00

Plugin Output

Info	Matching compiler(s):	`MASM/TASM - sig2(h)`
Info	Cryptographic algorithms detected in the binary:	`Uses constants related to CRC32` `Uses constants related to MD5` `Uses constants related to SHA1`
Info	The PE contains common functions which appear in legitimate applications.	`[!] The program may be hiding some of its imports: LoadLibraryExW GetProcAddress LoadLibraryW` `Can create temporary files: GetTempPathW CreateFileW`
Info	The PE's resources present abnormal characteristics.	`Resource 9B9840EAA1A76AF7BB1868B10ED8E4CB is possibly compressed or encrypted.` `Resource AB47C57B653ED393398EDE4725607050A82A2901 is possibly compressed or encrypted.` `Resource CD5C4E8FFC04F57B6F0FEB7E4E9DF9C08F537CE6 is possibly compressed or encrypted.`
Malicious	VirusTotal score: 36/66 (Scanned on 2018-11-05 02:00:50)	`MicroWorld-eScan: Trojan.Generic.23177354` `McAfee: RDN/Generic PUP.z` `Cylance: Unsafe` `Zillya: Trojan.Agent.Win32.877885` `BitDefender: Trojan.Generic.23177354` `K7GW: Riskware ( 0040eff71 )` `K7AntiVirus: Riskware ( 0040eff71 )` `F-Prot: W32/Strictor.AR` `Symantec: PUA.Gen.2` `TrendMicro-HouseCall: TROJ_GEN.R002C0OK218` `Paloalto: generic.ml` `Kaspersky: not-a-virus:HEUR:RiskTool.Win32.Generic` `Rising: Trojan.Fuerboos!8.EFC8 (CLOUD)` `Ad-Aware: Trojan.Generic.23177354` `Emsisoft: Trojan.Generic.23177354 (B)` `F-Secure: Trojan.Generic.23177354` `Invincea: heuristic` `McAfee-GW-Edition: BehavesLike.Win32.Generic.dc` `Fortinet: W32/Jaiks.ps!tr` `SentinelOne: static engine - malicious` `Cyren: W32/Strictor.ZBXX-9129` `Jiangmin: RiskTool.BitCoinMiner.gwc` `Antiy-AVL: Trojan/Win32.TSGeneric` `Endgame: malicious (high confidence)` `Arcabit: Trojan.Generic.D161A88A` `ZoneAlarm: not-a-virus:HEUR:RiskTool.Win32.Generic` `Microsoft: Trojan:Win32/Occamy.C` `Sophos: Generic PUA JH (PUA)` `TotalDefense: Win32/Inject.C!generic` `VBA32: BScope.Trojan.Tiggre` `Ikarus: Trojan.CoinMiner` `GData: Win32.Trojan.Agent.HW3TT4` `Cybereason: malicious.dc8354` `Panda: Trj/Genetic.gen` `CrowdStrike: malicious_confidence_100% (W)` `Qihoo-360: Win32/Virus.RiskTool.2bb`

Hashes

MD5	`63b54c6dc8354b881442e21276803188`
SHA1	`970694a22f8353b89fd0635070a3d93fc3a96bfe`
SHA256	`fdbbe98d7c32d118bc0ae18774076e46207904e8f716f3ab7631a7c48415e527`
SHA3	`36bdfe0639e4ea45d69e4e8ce262b474f9f63d017c69f9aa26120626e1bf599c`
SSDeep	`6144:7zBkLL2NTB1ksvfG6Vaeh0BHK6IdoU1VJaJG2Jr7z+b5:7KyNTnLv+OhCLILqBu5`
Imports Hash	`5877688b4859ffd051f6be3b8e0cd533`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0x80`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_I386`
NumberofSections	`5`
TimeDateStamp	2018-Feb-01 20:18:00
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xe0`
Characteristics	`IMAGE_FILE_32BIT_MACHINE` `IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LINE_NUMS_STRIPPED` `IMAGE_FILE_LOCAL_SYMS_STRIPPED` `IMAGE_FILE_RELOCS_STRIPPED`

Image Optional Header

Magic	`PE32`
LinkerVersion	`2.0`
SizeOfCode	`0x10800`
SizeOfInitializedData	`0x34a00`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x00001000 (Section: .code)`
BaseOfCode	`0x1000`
BaseOfData	`0x12000`
ImageBase	`0x400000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`4.0`
ImageVersion	`0.0`
SubsystemVersion	`4.0`
Win32VersionValue	`0`
SizeOfImage	`0x49000`
SizeOfHeaders	`0x400`
Checksum	`0`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.code

MD5	`d8af5494a902a4276e7a118e639a9058`
SHA1	`6e426ae2df7082b91cd0cadbb72b138102ba6151`
SHA256	`48a78b31bf41ba0daf0c70d4ae1db2b1b55b841601fd275761ac97fca34fbae5`
SHA3	`1e664ef7bea68bb4dd13b5afa576da5ba19a356a6a8a8aa37e162ddc4bf7ff84`
VirtualSize	`0x37f0`
VirtualAddress	`0x1000`
SizeOfRawData	`0x3800`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`5.61236`

.text

MD5	`3d44adf99d47c66df6ed2c6ecde44714`
SHA1	`80a57adbc364dfb80e69990554b76e3d5c1faef0`
SHA256	`6e2472ffd964225c655a494fa93de374ce169cf1b9e2ee74ced2f8b3161d4b5d`
SHA3	`e18bd2f60a34878ad204c417d8535ddadd9ecedbecd4f7d00e665c43ea400e5f`
VirtualSize	`0xcfa2`
VirtualAddress	`0x5000`
SizeOfRawData	`0xd000`
PointerToRawData	`0x3c00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.58582`

.rdata

MD5	`e4a2346f39e8c4c981487f3b09547faf`
SHA1	`65e4957d4d49eac6870a775db724f4c14c125592`
SHA256	`a65928e839b65ed68bd3504d3c1951cd8ed2889a37405e602c3dd87210eeac9e`
SHA3	`036418b11deeda8fa99555c9c24e60fc5faea50444ad3a2b03ebdb417f1ddf3b`
VirtualSize	`0x33a0`
VirtualAddress	`0x12000`
SizeOfRawData	`0x3400`
PointerToRawData	`0x10c00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`7.11024`

.data

MD5	`8ee4e4f585ab4eaa0e93de679dc02432`
SHA1	`f7ad4e300a244b404a997eb7a0f12bac1ca648ae`
SHA256	`9d3d75765f4746ce5cbbd2750f4e10f0f66df853e957afb89d4661ce19d71835`
SHA3	`5da63be758ab0d36b8b2b6836cadae351296ae3ee7acbff34bcf2b37d0f17cdf`
VirtualSize	`0x1724`
VirtualAddress	`0x16000`
SizeOfRawData	`0x1200`
PointerToRawData	`0x14000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`4.93767`

.rsrc

MD5	`50ecd552c93ccd9b2035953f5d9229bc`
SHA1	`cb122a4b7ea01ab6669825a71178ba204f7f53b8`
SHA256	`0382473618fc2c1e7327272b7d5b7feb4eb10798e047aed3b8eb640d888dc923`
SHA3	`95a5c2555e7a8766215a24c0e00a7e940e0bf1e7aa23c36c362b35a2d0400e3e`
VirtualSize	`0x30290`
VirtualAddress	`0x18000`
SizeOfRawData	`0x30400`
PointerToRawData	`0x15200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`7.71888`

Imports

MSVCRT.dll	`memset` `wcsncmp` `memmove` `wcsncpy` `wcsstr` `_wcsnicmp` `_wcsdup` `free` `_wcsicmp` `wcslen` `wcscpy` `wcscmp` `memcpy` `tolower` `wcscat` `malloc`
KERNEL32.dll	`GetModuleHandleW` `HeapCreate` `GetStdHandle` `HeapDestroy` `ExitProcess` `WriteFile` `GetTempFileNameW` `LoadLibraryExW` `EnumResourceTypesW` `FreeLibrary` `RemoveDirectoryW` `GetExitCodeProcess` `EnumResourceNamesW` `GetCommandLineW` `LoadResource` `SizeofResource` `FreeResource` `FindResourceW` `GetNativeSystemInfo` `GetShortPathNameW` `GetWindowsDirectoryW` `GetSystemDirectoryW` `EnterCriticalSection` `CloseHandle` `LeaveCriticalSection` `InitializeCriticalSection` `WaitForSingleObject` `TerminateThread` `CreateThread` `Sleep` `GetProcAddress` `GetVersionExW` `WideCharToMultiByte` `HeapAlloc` `HeapFree` `LoadLibraryW` `GetCurrentProcessId` `GetCurrentThreadId` `GetModuleFileNameW` `GetEnvironmentVariableW` `SetEnvironmentVariableW` `GetCurrentProcess` `TerminateProcess` `SetUnhandledExceptionFilter` `HeapSize` `MultiByteToWideChar` `CreateDirectoryW` `SetFileAttributesW` `GetTempPathW` `DeleteFileW` `GetCurrentDirectoryW` `SetCurrentDirectoryW` `CreateFileW` `SetFilePointer` `TlsFree` `TlsGetValue` `TlsSetValue` `TlsAlloc` `HeapReAlloc` `DeleteCriticalSection` `InterlockedCompareExchange` `InterlockedExchange` `GetLastError` `SetLastError` `UnregisterWait` `GetCurrentThread` `DuplicateHandle` `RegisterWaitForSingleObject`
USER32.DLL	`CharUpperW` `CharLowerW` `MessageBoxW` `DefWindowProcW` `DestroyWindow` `GetWindowLongW` `GetWindowTextLengthW` `GetWindowTextW` `UnregisterClassW` `LoadIconW` `LoadCursorW` `RegisterClassExW` `IsWindowEnabled` `EnableWindow` `GetSystemMetrics` `CreateWindowExW` `SetWindowLongW` `SendMessageW` `SetFocus` `CreateAcceleratorTableW` `SetForegroundWindow` `BringWindowToTop` `GetMessageW` `TranslateAcceleratorW` `TranslateMessage` `DispatchMessageW` `DestroyAcceleratorTable` `PostMessageW` `GetForegroundWindow` `GetWindowThreadProcessId` `IsWindowVisible` `EnumWindows` `SetWindowPos`
GDI32.DLL	`GetStockObject`
COMCTL32.DLL	`InitCommonControlsEx`
SHELL32.DLL	`ShellExecuteExW` `SHGetFolderLocation` `SHGetPathFromIDListW`
WINMM.DLL	`timeBeginPeriod`
OLE32.DLL	`CoInitialize` `CoTaskMemFree`
SHLWAPI.DLL	`PathAddBackslashW` `PathRenameExtensionW` `PathQuoteSpacesW` `PathRemoveArgsW` `PathRemoveBackslashW`

Delayed Imports

1

Type	`RT_ICON`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x10a8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`6.09935`
MD5	`32fe641c846ab708ae90d2fed6a60b43`
SHA1	`126a816f083bd6530187d9ecf7669a5ee62cc7af`
SHA256	`9512e952bc2219d88c24378909120a08cc23ff74d055e92b0f1b53ba29a1b72a`
SHA3	`76ee75818079e5ab01b4c7caec98e48da550f543f7d2e02e50f29394b01f4145`

2

Type	`RT_ICON`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x25a8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`6.17349`
MD5	`d472b07c138b619ef1167f834db77aaa`
SHA1	`ff0b110a793a406f0ed7f85bb0856cb244ed60f4`
SHA256	`152f99650846b7f3e41580ebb2dabdc839b41c203471c01b6f2b4e766c056361`
SHA3	`e039ab1672bae48f931d07572c28d507df2a52d86572e0d845559769353b01fb`

3

Type	`RT_ICON`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x94a8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`6.17549`
MD5	`cbba791786840cbe7d6953f413406e5f`
SHA1	`426c050062df0e059c0efb79d6fb1628af79ccdf`
SHA256	`cba67594cd6f7c2b100a929627111f0f925c83f421ef005482bf0a68234ed817`
SHA3	`fcde8f46c57533e79055ba3e6ea6b1dfe8ca6ec9d090523caf97a645e9323c94`

01B6A91F3ABEBABF4C109322D5D0775E0BA5EA7C

Type	`RT_RCDATA`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x13`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`4.14266`
MD5	`8d49702c3cae642167b2061f4005a794`
SHA1	`123629963cda9f57511e79f2b569c53e174c989a`
SHA256	`f3aac42ea798a8d2a112ec10b3f8fb8bbd522906adff708e0fe7686d230a61c7`
SHA3	`58589a8fe7eb96105b0451cda8c0c9def308a107071f217fb5da9681193eb312`

4AAD91FE1A50D3C9CB4AF4649AFDF1D7

Type	`RT_RCDATA`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x12`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.41938`
MD5	`3c0616df54b443c31cdfb9cac3dd3ffe`
SHA1	`9d018aa936d4fc138f914c6765be44b0dab01513`
SHA256	`49b343d3658e4f0aa82b9560ac6cdc13a665c899dd8b42063511500482db9a0c`
SHA3	`ddbfd4aa4546c573943ba6492f0e53de97cd4faba01b59c109545872fa6749fd`

7858FBDF7CE37C111742073D29D6F5BC6994F7C5

Type	`RT_RCDATA`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x5c`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`6.13759`
MD5	`353fc34a440e405326ce02c78535eef2`
SHA1	`1b8bb37d176c9d124cd07bd361efca7270ad30a8`
SHA256	`a0011ef9d50bdd2ec24e76ea9a09432c7700d8a43860fa8a4bac236e764c1ef0`
SHA3	`844dbb2cebca96836b9c3ed49bf9ce33dc95aa1d3389a1dbd14ecfc09a37e414`

8245F8FFA0

Type	`RT_RCDATA`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x1`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`0`
MD5	`55a54008ad1ba589aa210d2629c1df41`
SHA1	`bf8b4530d8d246dd74ac53a13471bba17941dff7`
SHA256	`4bf5122f344554c53bde2ebb8cd2b7e3d1600ad631c385a5d7cce23c7785459a`
SHA3	`2767f15c8af2f2c7225d5273fdd683edc714110a987d1054697c348aed4e6cc7`

9B9840EAA1A76AF7BB1868B10ED8E4CB

Type	`RT_RCDATA`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x6a2`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`7.89142`
MD5	`4ef9897bf7b7747d6e73560879cd0931`
SHA1	`691fe02477f8ab327c77988c5df0a2984d7d4a9f`
SHA256	`07289784d2ae6fc86bcc21686bfc6329787940bb68a6d167f175c25b72a61e92`
SHA3	`0d45e5f03fb7ad7623aab2474a2014aacfb43498984c48e189d7f2a834d93923`

AB47C57B653ED393398EDE4725607050A82A2901

Type	`RT_RCDATA`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x1edfc`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`7.99838`
MD5	`0b6b32e3d1059fc3eae8931df511bc6c`
SHA1	`9565e289ad52adf1bedc1cd59c682698d7785952`
SHA256	`0a8887e1a0094db1e967cda2a07a461e70f5a261cd6aa753f6d1a06a391f9389`
SHA3	`064e514d2f40c4cdb87dc396a27807cddeda599b55d34049a6a4d08f857a54ff`

CD5C4E8FFC04F57B6F0FEB7E4E9DF9C08F537CE6

Type	`RT_RCDATA`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x3a1b`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`7.9879`
MD5	`f621e5d278127627a64838c633fc17f5`
SHA1	`02d8779af636e3b589724fc0fb0be223141b8e77`
SHA256	`9e41f5f5848698daffc4b3ff6cb176ee3a434dd7aed225b87d4efe3616fc98c7`
SHA3	`8992fdae683a6e0963c74ca10751ddc5b3510929b30446591f5f90220e738075`

D41369E36FEB976FFAC5CB136061ABBC

Type	`RT_RCDATA`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x7e`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`6.53673`
MD5	`82a05bfde439d59f4f0cdf5da9a6f791`
SHA1	`433da6a6559f234e91f3f2b1ede97e3be7612078`
SHA256	`d734e3ff383caafb5b03f2df92e135ef7f7e0839e41b27256912f55d663e3ab3`
SHA3	`bf2170f404cf211b5525425d20e765c42ac60be7a32ead26ec0c49c7d95465b6`

1 (#2)

Type	`RT_GROUP_ICON`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x30`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.45849`
Detected Filetype	Icon file
MD5	`df96cf7cd97fb2aff0cd6c4f7efc324d`
SHA1	`9f6653b47ce912fbee6de49cba584382bc6ac21c`
SHA256	`0514985341ce5dd451eb84555c9e334af835608f868e6b35935a86bcc8d847fa`
SHA3	`fbab2a795ac21ab9a77569ca4fd894aa12baff8b0bd2b2d90f2475a835100d47`

1 (#3)

Type	`RT_MANIFEST`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x2a0`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.08821`
MD5	`ffd3b06250ba95d239365ef050b3627b`
SHA1	`16e3981245d8dbd44f33d93b203c02a44f3c2b95`
SHA256	`1c3703755b6e9a690e8eafaa0cc318f667cd5d4c06935b6e3cd07296df9e9dcd`
SHA3	`2c6baa84c172762978837565c2b2ed4f7716c0edaab79bda3a3ef74724426773`

Version Info

TLS Callbacks

Load Configuration

RICH Header

63b54c6dc8354b881442e21276803188

Summary

Plugin Output

Hashes

DOS Header

PE Header

Image Optional Header

.code

.text

.rdata

.data

.rsrc

Imports

Delayed Imports

1

2

3

01B6A91F3ABEBABF4C109322D5D0775E0BA5EA7C

4AAD91FE1A50D3C9CB4AF4649AFDF1D7

7858FBDF7CE37C111742073D29D6F5BC6994F7C5

8245F8FFA0

9B9840EAA1A76AF7BB1868B10ED8E4CB

AB47C57B653ED393398EDE4725607050A82A2901

CD5C4E8FFC04F57B6F0FEB7E4E9DF9C08F537CE6

D41369E36FEB976FFAC5CB136061ABBC

1 (#2)

1 (#3)

Version Info

TLS Callbacks

Load Configuration

RICH Header

Errors