Manalyze report for 75573228fe05a1b3b111910d3a4117dd

Summary

Architecture	`IMAGE_FILE_MACHINE_I386`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	2013-Mar-25 09:34:55
Detected languages	Russian - Russia

Plugin Output

Suspicious	The PE is packed or was manually edited.	`Unusual section name found: .text5` `The number of imports reported in the RICH header is inconsistent.`
Info	The PE contains common functions which appear in legitimate applications.	`[!] The program may be hiding some of its imports: GetProcAddress LoadLibraryA`
Suspicious	The file contains overlay data.	`768 bytes of data starting at offset 0x2bc00.` `The overlay data has an entropy of 7.7222 and is possibly compressed or encrypted.`
Malicious	VirusTotal score: 65/71 (Scanned on 2023-05-24 11:51:24)	`Bkav: W32.AIDetectMalware` `Lionic: Trojan.Win32.ShipUp.lISW` `tehtris: Generic.Malware` `DrWeb: Trojan.Redirect.140` `MicroWorld-eScan: Trojan.Ransom.Cerber.1` `FireEye: Generic.mg.75573228fe05a1b3` `CAT-QuickHeal: Trojan.Mauvaise.SL1` `ALYac: Trojan.Ransom.Cerber.1` `Malwarebytes: Crypt.Trojan.Malicious.DDS` `VIPRE: Trojan.Ransom.Cerber.1` `Sangfor: Trojan.Win32.Save.a` `K7AntiVirus: Trojan ( 0042fce51 )` `K7GW: Trojan ( 0042fce51 )` `Cybereason: malicious.8fe05a` `BitDefenderTheta: Gen:NN.ZexaF.36196.kuX@aWPE!Imc` `VirIT: Trojan.Win32.Agent4.AKVT` `Cyren: W32/Zbot.JC.gen!Eldorado` `Symantec: Packed.Generic.459` `Elastic: malicious (high confidence)` `ESET-NOD32: Win32/Agent.UNQ` `APEX: Malicious` `ClamAV: Win.Trojan.Redirect-6055402-0` `Kaspersky: Trojan.Win32.ShipUp.bou` `BitDefender: Trojan.Ransom.Cerber.1` `NANO-Antivirus: Trojan.Win32.ShipUp.bqogfc` `ViRobot: Trojan.Win.Z.Ransom.179968.V` `Avast: Win32:Gepys-J [Trj]` `Rising: Trojan.Kryptik!1.AB8B (CLASSIC)` `Emsisoft: Trojan.Ransom.Cerber.1 (B)` `F-Secure: Trojan.TR/Crypt.XPACK.Gen7` `Baidu: Win32.Trojan.Agent.eq` `Zillya: Trojan.ShipUp.Win32.1164` `TrendMicro: TROJ_KRYPTK.SML3` `McAfee-GW-Edition: BehavesLike.Win32.FakeAVSecurityTool.cc` `Trapmine: malicious.high.ml.score` `Sophos: Mal/EncPk-AIT` `SentinelOne: Static AI - Malicious PE` `GData: Win32.Trojan.PSE.1387P79` `Jiangmin: Trojan/ShipUp.ih` `Google: Detected` `Avira: TR/Crypt.XPACK.Gen7` `MAX: malware (ai score=81)` `Antiy-AVL: Trojan/Win32.ShipUp` `Gridinsoft: Trojan.Win32.Agent.bot!s4` `Xcitium: TrojWare.Win32.Kryptik.AYQE@4wlbfl` `Arcabit: Trojan.Ransom.Cerber.1` `SUPERAntiSpyware: Trojan.Agent/Gen-Injector` `ZoneAlarm: Trojan.Win32.ShipUp.bou` `Microsoft: Trojan:Win32/ShipUp.DSK!MTB` `Cynet: Malicious (score: 100)` `AhnLab-V3: Trojan/Win32.Shipup.R58811` `McAfee: PWS-Zbot-FATG!75573228FE05` `TACHYON: Trojan/W32.Shipup.179968` `VBA32: BScope.Trojan.ShipUp` `Cylance: unsafe` `Panda: Trj/Hexas.HEU` `TrendMicro-HouseCall: TROJ_KRYPTK.SML3` `Tencent: Trojan.Win32.Cerber.i` `Yandex: Trojan.GenAsa!WywhmPdxlQw` `Ikarus: Trojan.Win32.ShipUp` `MaxSecure: Trojan.Malware.300983.susgen` `Fortinet: W32/Kryptik.AXRD!tr` `AVG: Win32:Gepys-J [Trj]` `DeepInstinct: MALICIOUS` `CrowdStrike: win/malicious_confidence_100% (W)`

Hashes

MD5	`75573228fe05a1b3b111910d3a4117dd`
SHA1	`f24b21b3b61c5bc8a8e639fecd5470af99343585`
SHA256	`0df4454fb94d163ca19db02087cb9ef5215cf58b8a99c2e573620f0a7fff5e79`
SHA3	`e796cb9ec649c004dc40fea42eda97fbe8e45e82a61001a4f050953990396e5d`
SSDeep	`3072:00LchyinW3kfGbhdccWRmxPaQVKBTxjnw89JnszQcJdXw:lin4kfsrdrxpK5xF52dXw`
Imports Hash	`0790c330313151ba48758a7b94dd7e1a`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0xe0`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_I386`
NumberofSections	`5`
TimeDateStamp	2013-Mar-25 09:34:55
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xe0`
Characteristics	`IMAGE_FILE_32BIT_MACHINE` `IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_RELOCS_STRIPPED`

Image Optional Header

Magic	`PE32`
LinkerVersion	`9.0`
SizeOfCode	`0x5200`
SizeOfInitializedData	`0x26600`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x00001940 (Section: .text)`
BaseOfCode	`0x1000`
BaseOfData	`0x7000`
ImageBase	`0x400000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`5.0`
ImageVersion	`0.0`
SubsystemVersion	`5.0`
Win32VersionValue	`0`
SizeOfImage	`0x5b000`
SizeOfHeaders	`0x400`
Checksum	`0`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`6ac78966cc21ef03920ac3b2fd41a806`
SHA1	`060191b77db7047649302dae167af8eb6ad0f35d`
SHA256	`8b71183092cd376adb537176dec96e39f46d17a3e4f662c6db5691794c851ba2`
SHA3	`f29118987c8c4843c3f18d96c1d0238065fe2cbdced7526f6f36206712efae1f`
VirtualSize	`0x4edc`
VirtualAddress	`0x1000`
SizeOfRawData	`0x5000`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`1.57304`

.text5

MD5	`2cd81d7f45a9462b9e0b3cd954510ac9`
SHA1	`809cc197aa76ec61f558c2593595713f5d290888`
SHA256	`656ea7a679249d692f9c58ddee5b2a794abc8415b438218848f55ec87217c358`
SHA3	`fe3fff847becd9ae29d5cbcdbd2a0a16bf1032a08305bdd63edf388dd5af4e49`
VirtualSize	`0x44`
VirtualAddress	`0x6000`
SizeOfRawData	`0x200`
PointerToRawData	`0x5400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`0.750467`

.rdata

MD5	`75b1f4a9af9b030e5966a9b45bc42cf6`
SHA1	`c0e973a7212799a78503ed4493d8289275508758`
SHA256	`d46010420f0a57ea013d602cbcf83a3b66903b4db17bcdd4fa19e6571fa5621e`
SHA3	`9558ee4645ce7f7fb5ce392ae9b6208dccaff72f9ed87d398c7f4c8e048b9efd`
VirtualSize	`0x89a`
VirtualAddress	`0x7000`
SizeOfRawData	`0xa00`
PointerToRawData	`0x5600`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`4.52863`

.data

MD5	`c4dd4489dd07fc277b8537b5217a11a7`
SHA1	`f0658fc0fc26f1ac0d0ca4ba5c2ed83346f20371`
SHA256	`c629a532d4aafec24811d3726a3f43d98ce5bdee9bd6cdff25efeb376d9cac1d`
SHA3	`17ad57cec7d5babe4e0bc6580367faf02af9eb3d82247b04bff812671d5b6c0a`
VirtualSize	`0x24ff8`
VirtualAddress	`0x8000`
SizeOfRawData	`0x25000`
PointerToRawData	`0x6000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`7.50297`

.rsrc

MD5	`68258212e0b881155e06b0e9e69afcec`
SHA1	`b52765b37e268c723a033904112ab6188520cd49`
SHA256	`742c5801a5614d28611f7eae5290b4db0018ccff75229b97cdae9955714c514f`
SHA3	`5ae054ef130ef62670655946f264937bb8dd9d6d233998210977b30ff097fc8c`
VirtualSize	`0x2db18`
VirtualAddress	`0x2d000`
SizeOfRawData	`0xc00`
PointerToRawData	`0x2b000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`3.85486`

Imports

KERNEL32.dll	`GetProcAddress` `LoadLibraryA` `ReadFile` `VirtualAlloc` `CloseHandle` `CreateDirectoryA` `CreateFileA` `FindClose` `FindFirstFileA` `FindNextFileA` `GetDiskFreeSpaceA` `GetFileSize` `GetLastError` `GetLocalTime` `GetLocaleInfoA` `SetEndOfFile` `SetFilePointer` `SystemTimeToFileTime` `WriteFile` `lstrcmpiA` `lstrlenA`
USER32.dll	`LoadIconW` `LoadCursorA` `LoadIconA` `CharPrevA` `CheckDlgButton` `CreateDialogParamA` `DestroyWindow` `DialogBoxParamA` `DispatchMessageA` `EndDialog` `GetDesktopWindow` `GetDlgItem` `GetParent` `GetWindowRect` `IsDialogMessageA` `IsDlgButtonChecked` `LoadStringA` `MessageBoxA` `OffsetRect` `PeekMessageA` `SendMessageA` `SetDlgItemTextA` `SetFocus` `SetForegroundWindow` `SetWindowPos` `ShowWindow` `SystemParametersInfoA` `TranslateMessage`
msvcrt.dll	`_cexit` `_controlfp` `exit` `_acmdln`

Delayed Imports

1

Type	`RT_ICON`
Language	Russian - Russia
Codepage	UNKNOWN
Size	`0x130`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.13758`
MD5	`f6d96848d7a8b427a104a40c79ee44d7`
SHA1	`e1d5d15112d5ecf41f3ab25f0e6c0d70d56d294b`
SHA256	`75f859d09122eca8d738a5c021df8da6ae07259098a450c9fa02bdbded600b6b`
SHA3	`e0ecc4e30932d4024bc7ba20eca49f8e2ad36e6ebb91df50e52923739d5ffc20`

2

Type	`RT_ICON`
Language	Russian - Russia
Codepage	UNKNOWN
Size	`0x2e8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.07133`
MD5	`164272aa548b92af9d2d7677c8e98928`
SHA1	`5cd593630f47df3ccdbcdc88daf8747b43894ccf`
SHA256	`0305d78507d29c05ad98de2b47ab2bf867f64c8bc64ca8ca889e003874838c19`
SHA3	`6c6173fe7cb08f456cd9b97312310aad6b5999964aad8f9a0b660295fb173214`

300

Type	`RT_DIALOG`
Language	Russian - Russia
Codepage	UNKNOWN
Size	`0x140`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.62577`
MD5	`17863f2467d47c4f44c9dc4b11ae0189`
SHA1	`0631758df840e3584acd6b12081065645a3ec6b3`
SHA256	`f721645eb34be80554e4476cfba7faafdd6309143a4122bbdc2d6f0957e93c8d`
SHA3	`349ce877c9b14f5f6646eb45dbf5b08fcb604ee7c3a412d44ac6a1d002e44560`

13

Type	`RT_STRING`
Language	Russian - Russia
Codepage	UNKNOWN
Size	`0x2f4`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.83351`
MD5	`b3ddcce8f693e82fe8286cd0947f87cc`
SHA1	`0b90229bd113662e5c161efde8d7773316ffb9f1`
SHA256	`3170e9b19cce4350e3a5f17af36120cd45c919fdcc17fc0ac9c125590e9d41c7`
SHA3	`10156c4d5b91b951993299d7490705e7c403cb496e811dff8bc6f6ad3f00f8de`

14

Type	`RT_STRING`
Language	Russian - Russia
Codepage	UNKNOWN
Size	`0x110`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.82177`
MD5	`faf4900e237e423ddaef119ed58c14ab`
SHA1	`e42859bdce9fb8ea3b0f4838aa0bb8b1db2f24d0`
SHA256	`20eafafb1d0d794660b47fd16c32858513cd4456e1ad0c82d83d804dacf47976`
SHA3	`ce0a7e7255a7af2c4bf23c942af1eafec7a4d3164fee295569a97c7047d5a796`

100

Type	`RT_GROUP_ICON`
Language	Russian - Russia
Codepage	UNKNOWN
Size	`0x22`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.04854`
Detected Filetype	Icon file
MD5	`808817d6c9c741320d2e50357b6ae32b`
SHA1	`5d2ddd16a5a4dd1094b2190521d3ac8da4ae000b`
SHA256	`e823311a8f50ca1b0f82e984baf58f709aeec1b02df3fca5932f662e29b2b3de`
SHA3	`113a3e6102101e5b8be091065603c08d9346e3472c1e6f3d011042f174a52de9`

String Table contents

Группы (.grp)#.grp#Все файлы (.)#.#
Выберите преобразуемую группу
Конвертор групп диспетчера программ
Преобразовать группу "%s"\?
Ошибка при преобразовании группы. Преобразование выполнено не полностью.
Файл "%s" не является файлом описания группы диспетчера программ.
Не удается прочесть файл "%s".
Группа повреждена. Часть ее элементов преобразовать невозможно.
Программы
Группа программ
Другая
SendTo
Обновление ярлыков:
Автозагрузка
Рабочий стол
040904E4
Проверка оболочки:
Документы
Группа

Version Info

TLS Callbacks

Load Configuration

RICH Header

XOR Key	`0x9fe1c937`
Unmarked objects	`0`
19 (8078)	`6`
Imports (VS2012 build 50727 / VS2005 build 50727)	`5`
Total imports	`49`
C objects (VS2008 build 21022)	`1`
Unmarked objects (#2)	`1`
Linker (VS2008 build 21022)	`1`
Resource objects (VS2008 build 21022)	`1`

75573228fe05a1b3b111910d3a4117dd

Summary

Plugin Output

Hashes

DOS Header

PE Header

Image Optional Header

.text

.text5

.rdata

.data

.rsrc

Imports

Delayed Imports

1

2

300

13

14

100

String Table contents

Version Info

TLS Callbacks

Load Configuration

RICH Header

Errors