Manalyze report for 68970b2cd5430c812bef5b87c1add6ea

Summary

Architecture	`IMAGE_FILE_MACHINE_I386`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	2017-Dec-27 11:39:06
Detected languages	English - United States

Plugin Output

Info	Matching compiler(s):	`Microsoft Visual C++ 6.0 - 8.0`
Info	Cryptographic algorithms detected in the binary:	`Uses constants related to MD5` `Uses constants related to AES`
Malicious	The PE contains functions mostly used by malware.	`[!] The program may be hiding some of its imports: GetProcAddress LoadLibraryA LoadLibraryExW` `Memory manipulation functions often used by packers: VirtualAlloc VirtualProtect` `Functions related to the privilege level: OpenProcessToken AdjustTokenPrivileges`
Suspicious	The PE is possibly a dropper.	`Resource 101 is possibly compressed or encrypted.` `Resources amount for 87.4081% of the executable.`
Malicious	VirusTotal score: 17/66 (Scanned on 2018-02-09 19:25:33)	`McAfee: Artemis!68970B2CD543` `Cylance: Unsafe` `Symantec: Trojan.Gen.2` `TrendMicro-HouseCall: Suspicious_GEN.F47V0209` `Paloalto: generic.ml` `Kaspersky: HEUR:Trojan.Win32.Generic` `Tencent: Win32.Trojan.Generic.Wqdj` `Invincea: heuristic` `McAfee-GW-Edition: BehavesLike.Win32.AdwareLinkury.bc` `Avira: TR/Dropper.Gen` `Endgame: malicious (high confidence)` `AegisLab: Troj.W32.Generic!c` `ZoneAlarm: HEUR:Trojan.Win32.Generic` `SentinelOne: static engine - malicious` `eGambit: Unsafe.AI_Score_82%` `Fortinet: W32/Generic!tr` `CrowdStrike: malicious_confidence_100% (D)`

Hashes

MD5	`68970b2cd5430c812bef5b87c1add6ea`
SHA1	`7695d829965b802c50d96a19dbc2fc361169624d`
SHA256	`e4e1e3c44e01c60fd433c6283bd8cd15a9941e1cbaad72e6409cc92e2e91263e`
SHA3	`b0b496d5907ed56f8ed2722c1d9dc4a70e2e9c0547a86a2e6ce87371d0f47390`
SSDeep	`12288:CfllCVZmJ8DZ3NneZhCC1Ktgfy7Wbw8b5t2p5g4j2/QvtH4Sde48m7G2:SbCVZmJ8DtNeZhCYtfy7gw82p5g4S/l`
Imports Hash	`da1c2d7acfe54df797bfb1f470257bc3`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0x110`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_I386`
NumberofSections	`6`
TimeDateStamp	2017-Dec-27 11:39:06
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xe0`
Characteristics	`IMAGE_FILE_32BIT_MACHINE` `IMAGE_FILE_EXECUTABLE_IMAGE`

Image Optional Header

Magic	`PE32`
LinkerVersion	`14.0`
SizeOfCode	`0xee00`
SizeOfInitializedData	`0xad600`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x000040F1 (Section: .text)`
BaseOfCode	`0x1000`
BaseOfData	`0x10000`
ImageBase	`0x400000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`6.0`
ImageVersion	`0.0`
SubsystemVersion	`6.0`
Win32VersionValue	`0`
SizeOfImage	`0xc1000`
SizeOfHeaders	`0x400`
Checksum	`0`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` `IMAGE_DLLCHARACTERISTICS_NX_COMPAT` `IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`0a7d81f07adb281726b8317640ceab0f`
SHA1	`1e92e18f8af582780c771d00abb4260d648423c4`
SHA256	`e2ffc648ebce2887e7b17b1558ef4a7ea5485d996b72d27a4f9a079b9133d7f5`
SHA3	`6df0bee2021a4215f29f145d2dd45257a8aa602b6fcf205a091aa51df48c14be`
VirtualSize	`0xecbe`
VirtualAddress	`0x1000`
SizeOfRawData	`0xee00`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.65174`

.rdata

MD5	`1ce9ef7a6de69488adfb23689ec2daeb`
SHA1	`e0daa6d63c91c1f10a1534b616d71f8112916ea3`
SHA256	`0fb2581bace04c01065c06a73f553ff2cf74a86afec6f54b34badbd09b176101`
SHA3	`0507ee4e578af708a1728e5b932642cef3a93985bf0cb4a68a586677130cdd7b`
VirtualSize	`0x67fe`
VirtualAddress	`0x10000`
SizeOfRawData	`0x6800`
PointerToRawData	`0xf200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`5.09407`

.data

MD5	`58117d04b6707649d45c9b9314c9f1da`
SHA1	`3aaacc16579ab392f6d2647b3278adfb61614316`
SHA256	`a20cf140301e2f217311d270eb7eef505c04c44761abfc3ac51a84cd031f36d9`
SHA3	`9911970ad91e0f82cf2fcb7ad826dc9ec54bef37c7857c27caedb886a176e5e4`
VirtualSize	`0x1398`
VirtualAddress	`0x17000`
SizeOfRawData	`0xa00`
PointerToRawData	`0x15a00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`2.28365`

.gfids

MD5	`47ef1dc44f97e3ad8dceb9a6abf66ebc`
SHA1	`eb3a1fba9d31034b191f9ebccd77e5751c3e20af`
SHA256	`ce485b6987c719bc0805f01b094256e01112094dca59621d5acf3d7df44ae37a`
SHA3	`dafaa3b63fc91ce049cf8945c1e8ff2836c72f26b62f6246fc57886f1f601b55`
VirtualSize	`0x11c`
VirtualAddress	`0x19000`
SizeOfRawData	`0x200`
PointerToRawData	`0x16400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`2.05091`

.rsrc

MD5	`9780edc8e7fcd68dc14f9f1e35334473`
SHA1	`68876cfd8d69be2025b86cd6a394f6678a0d2753`
SHA256	`37def02bf4bb19306ef4a684927bf74d52ed5dd85bf5400c9f5a627f1ec3bc3f`
SHA3	`a59f69ef09f9576a7d6ffea6071a3626d5811af96d42cba7367bcc2ab48315f4`
VirtualSize	`0xa4430`
VirtualAddress	`0x1a000`
SizeOfRawData	`0xa4600`
PointerToRawData	`0x16600`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`7.99954`

.reloc

MD5	`9647b300bd22cf3acc60b3c000e8ca4f`
SHA1	`fb1f4592e9f2584dcef8a93bbbced79d13e7bf8f`
SHA256	`a75cb9eca948a9e93ff37ed0c4bafcd7067a39517c21f5cb8c6d0be40fb71b51`
SHA3	`a96a038d4884808cbef34d08fe299f69240250e5dabd68be468e550f24fe4949`
VirtualSize	`0x10c8`
VirtualAddress	`0xbf000`
SizeOfRawData	`0x1200`
PointerToRawData	`0xbac00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`6.35112`

Imports

KERNEL32.dll	`FreeLibrary` `CreateFileW` `CloseHandle` `WriteFile` `HeapFree` `HeapAlloc` `GetProcessHeap` `GetCurrentProcess` `GetProcAddress` `LockResource` `LoadResource` `FindResourceW` `GetModuleHandleW` `GetCommandLineW` `WriteConsoleW` `LoadLibraryA` `VirtualAlloc` `VirtualFree` `SizeofResource` `VirtualProtect` `HeapReAlloc` `HeapSize` `UnhandledExceptionFilter` `SetUnhandledExceptionFilter` `TerminateProcess` `IsProcessorFeaturePresent` `QueryPerformanceCounter` `GetCurrentProcessId` `GetCurrentThreadId` `GetSystemTimeAsFileTime` `InitializeSListHead` `IsDebuggerPresent` `GetStartupInfoW` `EncodePointer` `RaiseException` `GetLastError` `SetLastError` `RtlUnwind` `EnterCriticalSection` `LeaveCriticalSection` `DeleteCriticalSection` `InitializeCriticalSectionAndSpinCount` `TlsAlloc` `TlsGetValue` `TlsSetValue` `TlsFree` `LoadLibraryExW` `MultiByteToWideChar` `WideCharToMultiByte` `GetStdHandle` `GetModuleFileNameW` `ExitProcess` `GetModuleHandleExW` `GetACP` `SetFilePointerEx` `GetFileType` `GetConsoleMode` `FindClose` `FindFirstFileExW` `FindNextFileW` `IsValidCodePage` `GetOEMCP` `GetCPInfo` `GetCommandLineA` `GetEnvironmentStringsW` `FreeEnvironmentStringsW` `LCMapStringW` `SetStdHandle` `GetStringTypeW` `FlushFileBuffers` `GetConsoleCP` `DecodePointer`
ADVAPI32.dll	`LookupPrivilegeNameW` `OpenProcessToken` `GetTokenInformation` `AdjustTokenPrivileges`
SHELL32.dll	`CommandLineToArgvW`

Delayed Imports

101

Type	`BMP`
Language	English - United States
Codepage	UNKNOWN
Size	`0xa4200`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`7.99967`
MD5	`637d7698f54afe8444fd7e9bf58ac408`
SHA1	`c48637663ac4eed00ed8d0902fb0f7931cfc5062`
SHA256	`448a8e7cb613fcda3bbe0b3d4d91398f349d542d28f83e407a5c6def0647fe38`
SHA3	`1e6f3e95bb9e4b25ab9010a92ec460186b2442c3cf85feb81e513592e1127bfd`

1

Type	`RT_MANIFEST`
Language	English - United States
Codepage	UNKNOWN
Size	`0x17d`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`4.91161`
MD5	`1e4a89b11eae0fcf8bb5fdd5ec3b6f61`
SHA1	`4260284ce14278c397aaf6f389c1609b0ab0ce51`
SHA256	`4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df`
SHA3	`4bb9e8b5a714cae82782f3831cc2d45f4bf4a50a755fe584d2d1893129d68353`

Version Info

TLS Callbacks

Load Configuration

Size	`0x5c`
TimeDateStamp	`1970-Jan-01 00:00:00`
Version	`0.0`
GlobalFlagsClear	`(EMPTY)`
GlobalFlagsSet	`(EMPTY)`
CriticalSectionDefaultTimeout	`0`
DeCommitFreeBlockThreshold	`0`
DeCommitTotalFreeThreshold	`0`
LockPrefixTable	`0`
MaximumAllocationSize	`0`
VirtualMemoryThreshold	`0`
ProcessAffinityMask	`0`
ProcessHeapFlags	`(EMPTY)`
CSDVersion	`0`
Reserved1	`0`
EditList	`0`
SecurityCookie	`0x417004`
SEHandlerTable	`0x4156b0`
SEHandlerCount	`7`

RICH Header

68970b2cd5430c812bef5b87c1add6ea

Summary

Plugin Output

Hashes

DOS Header

PE Header

Image Optional Header

.text

.rdata

.data

.gfids

.rsrc

.reloc

Imports

Delayed Imports

101

1

Version Info

TLS Callbacks

Load Configuration

RICH Header

Errors