Manalyze report for 6e4f8de7277b78686fe389e6d1df2b24f5bc3564208b76c8af5d1319073d1b2e

Summary

Architecture	`IMAGE_FILE_MACHINE_I386`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	2009-Apr-19 10:55:40
Detected languages	English - United States
Debug artifacts	0\asf\release\build-2.2.14\support\Release\ab.pdb
Comments	Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
CompanyName	Apache Software Foundation
FileDescription	ApacheBench command line utility
FileVersion	`2.2.14`
InternalName	ab.exe
LegalCopyright	Copyright 2009 The Apache Software Foundation.
OriginalFilename	ab.exe
ProductName	Apache HTTP Server
ProductVersion	`2.2.14`

Plugin Output

Info	Interesting strings found in the binary:	`Contains domain names: apache.org http://www.apache.org http://www.apache.org/ http://www.apache.org/licenses/LICENSE-2.0 http://www.zeustech.net http://www.zeustech.net/ www.apache.org www.zeustech.net zeustech.net`
Suspicious	The PE contains functions most legitimate programs don't use.	`[!] The program may be hiding some of its imports: LoadLibraryA GetProcAddress` `Leverages the raw socket API to access the Internet: WSARecv WSASend`
Suspicious	The file contains overlay data.	`74 bytes of data starting at offset 0x12000.`
Malicious	VirusTotal score: 63/70 (Scanned on 2026-05-06 13:06:32)	`ALYac: Trojan.CryptZ.Marte.1.Gen` `APEX: Malicious` `AVG: Win32:Meterpreter-C [Trj]` `Acronis: suspicious` `AhnLab-V3: Trojan/Win32.Shell.R1283` `Alibaba: Trojan:Win32/CobaltStrike.5c89` `Antiy-AVL: Trojan/Win32.Rozena` `Arcabit: Trojan.CryptZ.Marte.1.Gen` `Avast: Win32:Meterpreter-C [Trj]` `Avira: TR/Patched.Gen2` `BitDefender: Trojan.CryptZ.Marte.1.Gen` `CAT-QuickHeal: Trojan.Swrort.A` `CTX: exe.trojan.swrort` `ClamAV: Win.Trojan.Swrort-5710536-0` `CrowdStrike: win/malicious_confidence_100% (W)` `Cylance: Unsafe` `Cynet: Malicious (score: 100)` `DeepInstinct: MALICIOUS` `ESET-NOD32: Win32/Rozena.AA trojan` `Elastic: Windows.Trojan.Metasploit` `Emsisoft: Trojan.CryptZ.Marte.1.Gen (B)` `F-Secure: Trojan.TR/Patched.Gen2` `Fortinet: W32/Rozena.ABV!tr` `GData: Win32.Backdoor.Swrort.C` `Google: Detected` `Gridinsoft: Trojan.Win32.Swrort.zv!s2` `Ikarus: Trojan.Win32.Rozena` `K7AntiVirus: Trojan ( 0058e0f11 )` `K7GW: Trojan ( 0058e0f11 )` `Kaspersky: HEUR:Trojan.Win32.Generic` `Kingsoft: Win32.Trojan.Generic.a` `Lionic: Trojan.Win32.Swrort.4!c` `Malwarebytes: Trojan.Rozena` `MaxSecure: Trojan.Malware.300983.susgen` `McAfeeD: Real Protect-LS!E17408BA8828` `MicroWorld-eScan: Trojan.CryptZ.Marte.1.Gen` `Microsoft: Trojan:Win32/Meterpreter.O` `NANO-Antivirus: Virus.Win32.Gen-Crypt.ccnc` `Paloalto: generic.ml` `Panda: Trj/GdSda.A` `Rising: HackTool.Swrort!1.6477 (CLASSIC)` `Sangfor: Trojan.Win32.Save.a` `SentinelOne: Static AI - Malicious PE` `Skyhigh: BehavesLike.Win32.Swrort.lh` `Sophos: Mal/EncPk-ACE` `Symantec: Packed.Generic.347` `Tencent: Trojan.Win32.Metasploit_heur.16000690` `Trapmine: malicious.high.ml.score` `TrellixENS: Swrort.h` `TrendMicro: Backdoor.Win32.SWRORT.SMAL01` `TrendMicro-HouseCall: Backdoor.Win32.SWRORT.SMAL01` `VBA32: BScope.Trojan.Meterpreter` `VIPRE: Trojan.CryptZ.Marte.1.Gen` `Varist: W32/Swrort.A.gen!Eldorado` `ViRobot: Trojan.Win32.Elzob.Gen` `VirIT: Trojan.Win32.Rozena.AA` `Webroot: W32.Malware.Gen` `Xcitium: TrojWare.Win32.Rozena.A@4jwdqr` `Yandex: Trojan.Rosena.Gen.1` `Zillya: Trojan.RozenaGen.Win32.2` `ZoneAlarm: Mal/EncPk-ACE` `alibabacloud: Backdoor:Win/meterpreter.A` `huorong: VirTool/Meterpreter.a`

Hashes

MD5	`e17408ba8828d05c74a63d0a3b5525b7`
SHA1	`5ce98e43d7e6d33409a0305ca4c797ab759365d8`
SHA256	`6e4f8de7277b78686fe389e6d1df2b24f5bc3564208b76c8af5d1319073d1b2e`
SHA3	`98b5f9417d082204123aa7d4754370456f163c59f0a7c2356525be4b4785cbe3`
SSDeep	`1536:IgStBNaelZB2AFNOpgop9YPqECg6Ht7t6DdMb+KR0Nc8QsJq39:lStaelr24cN7mq9Ht7Ade0Nc8QsC9`
Imports Hash	`481f47bbb2c9c21e108d65f52b04c448`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0xe8`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_I386`
NumberofSections	`4`
TimeDateStamp	2009-Apr-19 10:55:40
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xe0`
Characteristics	`IMAGE_FILE_32BIT_MACHINE` `IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LINE_NUMS_STRIPPED` `IMAGE_FILE_LOCAL_SYMS_STRIPPED` `IMAGE_FILE_RELOCS_STRIPPED`

Image Optional Header

Magic	`PE32`
LinkerVersion	`6.0`
SizeOfCode	`0xb000`
SizeOfInitializedData	`0xa000`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x00007FE6 (Section: .text)`
BaseOfCode	`0x1000`
BaseOfData	`0xc000`
ImageBase	`0x400000`
SectionAlignment	`0x1000`
FileAlignment	`0x1000`
OperatingSystemVersion	`4.0`
ImageVersion	`0.0`
SubsystemVersion	`4.0`
Win32VersionValue	`0`
SizeOfImage	`0x16000`
SizeOfHeaders	`0x1000`
Checksum	`0`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`2af1349a4dc08b38cd87eddbe2e3e8d9`
SHA1	`560f4ebcfa45bed9dad5628bf92da3d7c56926a1`
SHA256	`bae5d19d862b72187a85754ea14dd20fc11a07e261169817256d7d7eb9ad5151`
SHA3	`d59f63708ecf5706b51525e459749656c7410e3ccb77f2b839aa514b016b8eb2`
VirtualSize	`0xa966`
VirtualAddress	`0x1000`
SizeOfRawData	`0xb000`
PointerToRawData	`0x1000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`7.02358`

.rdata

MD5	`25d7ceee3aa85bb3e8c5174736f6f830`
SHA1	`2d1b3b256819734be18a5171828f544f2fe3c678`
SHA256	`c9c158955ada53055c12e5d0c4060730470167d0059b1f02aafcf886370d57e0`
SHA3	`da6fb56135ed03a247ebd4b2173b4e9871b1a9f5cd2867b977a36af64b3c9954`
VirtualSize	`0xfe6`
VirtualAddress	`0xc000`
SizeOfRawData	`0x1000`
PointerToRawData	`0xc000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`5.31839`

.data

MD5	`283b5f792323d57b9db4d2bcc46580f8`
SHA1	`46bdccde681141c8e779b47220c1d7b1a1b9b011`
SHA256	`36c0aa22fb65d0f60ab7fc5648994eece1f2ef8c5d4d60855fada2f8bff4c3c2`
SHA3	`8516558c3e62d8d2e08dbde5e61186efeaa28491e42168849ebd5da8d879d7b7`
VirtualSize	`0x705c`
VirtualAddress	`0xd000`
SizeOfRawData	`0x4000`
PointerToRawData	`0xd000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`4.40784`

.rsrc

MD5	`c13a9413aea7291b6fc85d75bfcde381`
SHA1	`2e051ef30946f9bed1931d1f9dde3ebdb9b99b89`
SHA256	`77d4d9b7bcf6235ac21dc6b2569ecc9c3a854539e23d8b939078d4ce151baae0`
SHA3	`620378dff7f5fa3d0b3d5417b589a509dd0cb5902c34fcac6034e8bd2d6e626a`
VirtualSize	`0x7c8`
VirtualAddress	`0x15000`
SizeOfRawData	`0x1000`
PointerToRawData	`0x11000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`1.9583`

Imports

MSVCRT.dll	`_iob` `_except_handler3` `__set_app_type` `__p__fmode` `__p__commode` `_adjust_fdiv` `__setusermatherr` `_initterm` `__getmainargs` `__p___initenv` `_XcptFilter` `_exit` `_onexit` `__dllonexit` `strrchr` `wcsncmp` `_close` `wcslen` `wcscpy` `strerror` `modf` `strspn` `realloc` `__p__environ` `__p__wenviron` `_errno` `free` `strncmp` `strstr` `strncpy` `_ftol` `qsort` `fopen` `perror` `fclose` `fflush` `calloc` `malloc` `signal` `printf` `_isctype` `atoi` `exit` `__mb_cur_max` `_pctype` `strchr` `fprintf` `_controlfp` `_strdup` `_strnicmp`
KERNEL32.dll	`PeekNamedPipe` `ReadFile` `WriteFile` `LoadLibraryA` `GetProcAddress` `GetVersionExA` `GetExitCodeProcess` `TerminateProcess` `LeaveCriticalSection` `SetEvent` `ReleaseMutex` `EnterCriticalSection` `DeleteCriticalSection` `InitializeCriticalSection` `CreateMutexA` `GetFileType` `SetLastError` `FreeEnvironmentStringsW` `GetEnvironmentStringsW` `GlobalFree` `GetCommandLineW` `TlsAlloc` `TlsFree` `DuplicateHandle` `GetCurrentProcess` `SetHandleInformation` `CloseHandle` `GetSystemTimeAsFileTime` `FileTimeToSystemTime` `GetTimeZoneInformation` `FileTimeToLocalFileTime` `SystemTimeToFileTime` `SystemTimeToTzSpecificLocalTime` `Sleep` `FormatMessageA` `GetLastError` `WaitForSingleObject` `CreateEventA` `SetStdHandle` `SetFilePointer` `CreateFileA` `CreateFileW` `GetOverlappedResult` `DeviceIoControl` `GetFileInformationByHandle` `LocalFree`
ADVAPI32.dll	`FreeSid` `AllocateAndInitializeSid`
WSOCK32.dll	`getsockopt` `connect` `htons` `gethostbyname` `ntohl` `inet_ntoa` `setsockopt` `socket` `closesocket` `select` `ioctlsocket` `__WSAFDIsSet` `WSAStartup` `WSACleanup` `WSAGetLastError`
WS2_32.dll	`WSARecv` `WSASend`

Delayed Imports

1

Type	`RT_VERSION`
Language	English - United States
Codepage	UNKNOWN
Size	`0x768`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.49991`
MD5	`ddfda397f78597f8a3a40b972300dc26`
SHA1	`1e92b61cf6c7f7d73422bb7a2c0c335a7e459a7d`
SHA256	`465417d96548ce85076f6509efac41e5ad02fee2b8f712416e8b6aa08d93c494`
SHA3	`d057bd49bc4c303fa2411089f9681ec0f7baa4225cc802200eb9508872771603`

Version Info

Signature	`0xfeef04bd`
StructVersion	`0x10000`
FileVersion	2.2.14.0
ProductVersion	2.2.14.0
FileFlags	`(EMPTY)`
FileOs	`VOS_DOS_WINDOWS32` `VOS_NT_WINDOWS32` `VOS__WINDOWS32`
FileType	`VFT_APP`
Language	English - United States
Comments	Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
CompanyName	Apache Software Foundation
FileDescription	ApacheBench command line utility
FileVersion (#2)	2.2.14
InternalName	ab.exe
LegalCopyright	Copyright 2009 The Apache Software Foundation.
OriginalFilename	ab.exe
ProductName	Apache HTTP Server
ProductVersion (#2)	2.2.14

Resource LangID	English - United States

IMAGE_DEBUG_TYPE_CODEVIEW

Characteristics	`0`
TimeDateStamp	2009-Sep-29 03:34:14
Version	`0.0`
SizeofData	`74`
AddressOfRawData	`0`
PointerToRawData	`0x12000`
Referenced File	0\asf\release\build-2.2.14\support\Release\ab.pdb

TLS Callbacks

Load Configuration

RICH Header

XOR Key	`0x859e59d7`
Unmarked objects	`0`
12 (7291)	`4`
14 (7299)	`9`
C objects (8047)	`11`
Linker (8047)	`3`
Total imports	`201`
Imports (2179)	`8`
48 (9044)	`40`
Resource objects (VS98 SP6 cvtres build 1736)	`1`

Errors

Leave a comment

No comments yet.