Manalyze report for 765bec5ba71b5b4d5dad94828d6a58fc

Summary

Architecture	`IMAGE_FILE_MACHINE_I386`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_CUI`
Compilation Date	2020-Jan-05 12:16:15

Plugin Output

Info	Matching compiler(s):	`Microsoft Visual C++ 6.0 - 8.0`
Info	Cryptographic algorithms detected in the binary:	`Uses constants related to CRC32`
Suspicious	The PE contains functions most legitimate programs don't use.	`[!] The program may be hiding some of its imports: GetProcAddress LoadLibraryExW LoadLibraryA` `Possibly launches other programs: CreateProcessW` `Can create temporary files: GetTempPathW CreateFileW` `Leverages the raw socket API to access the Internet: ntohl` `Enumerates local disk drives: GetDriveTypeW`
Suspicious	The file contains overlay data.	`12234835 bytes of data starting at offset 0x57000.` `The overlay data has an entropy of 7.99333 and is possibly compressed or encrypted.` `Overlay data amounts for 97.1698% of the executable.`
Malicious	VirusTotal score: 5/64 (Scanned on 2021-09-15 05:04:20)	`Bkav: W32.AIDetect.malware2` `APEX: Malicious` `McAfee-GW-Edition: BehavesLike.Win32.Generic.rc` `FireEye: Generic.mg.765bec5ba71b5b4d` `Gridinsoft: Backdoor.Win32.Bladabindi.vl!i`

Hashes

MD5	`765bec5ba71b5b4d5dad94828d6a58fc`
SHA1	`c30892fa6caf171bdbc8dae8db0b749fc65423f8`
SHA256	`d22c699218b484267bfc6ce02d21002ed5ad0261ede7b1b17255751df4808009`
SHA3	`09dedcce8e1caba75368712057d1d8a408211f8ab93bc564ea654022b3a517c3`
SSDeep	`196608:LM0wqYGmk90oeMjUxFFOhoP1HSsimvlG2etbYPvbJQlHJCsipGwt8CeTbE3TGsz:eqYJa0osLFOGP1pimtokJQlpS9UwH4`
Imports Hash	`38cec625fecfa77d86b81445b2b79675`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0xf8`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_I386`
NumberofSections	`6`
TimeDateStamp	2020-Jan-05 12:16:15
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xe0`
Characteristics	`IMAGE_FILE_32BIT_MACHINE` `IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LARGE_ADDRESS_AWARE`

Image Optional Header

Magic	`PE32`
LinkerVersion	`14.0`
SizeOfCode	`0x1f600`
SizeOfInitializedData	`0x37600`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x00007A6A (Section: .text)`
BaseOfCode	`0x1000`
BaseOfData	`0x21000`
ImageBase	`0x400000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`5.1`
ImageVersion	`0.0`
SubsystemVersion	`5.1`
Win32VersionValue	`0`
SizeOfImage	`0x69000`
SizeOfHeaders	`0x400`
Checksum	`0`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_CUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` `IMAGE_DLLCHARACTERISTICS_NX_COMPAT` `IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`96eb51e42fb963e8dfec68198d49e223`
SHA1	`8b548c803a5dc550a02a2363a34fcab09dd7ae5e`
SHA256	`9e48bacb0e86085ceda9acd5aba1e15e7939ff280f9ae8b50b1cd3f17c252424`
SHA3	`9d6cc8d9f0946a8d22a65c813dd0ffbba83126d32cf14f3aa212152db4f6828a`
VirtualSize	`0x1f4d4`
VirtualAddress	`0x1000`
SizeOfRawData	`0x1f600`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.6643`

.rdata

MD5	`875513fd66e9e4466f91f1baa2578f36`
SHA1	`4c22158a359686c600235ea9ff112e60fd1f61f4`
SHA256	`4052bd6bf88122a485cf67d14820db408ab85c45ba75a787f074cb10ffeedceb`
SHA3	`48b8c58fb30d21b484fd9fda7e120f0c9b90f33c5f99e14fe2306d58d1c4f4a0`
VirtualSize	`0xb19e`
VirtualAddress	`0x21000`
SizeOfRawData	`0xb200`
PointerToRawData	`0x1fa00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`6.11204`

.data

MD5	`8df4863a32f5927bfa2a6277e12d1702`
SHA1	`0fe144f5cb1dac67f392923fe23170008cfef5af`
SHA256	`0a7aa175a113355a7ccd2c9d7f8ca120474c649de0b38157b450e57fb6b719a6`
SHA3	`0b07544f975c9f59c64d73adc7dba97a8b31e6f0581c3e51782151bdaafd60ae`
VirtualSize	`0xe680`
VirtualAddress	`0x2d000`
SizeOfRawData	`0xa00`
PointerToRawData	`0x2ac00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`1.93811`

.gfids

MD5	`74140133bd3f0662e3ae446587baeee8`
SHA1	`33da3da8bbb886ec6cbbd73f70f4363e96fc015d`
SHA256	`e29df32710be1dd987087bb563e5d241dace4d6e2855a62fb47ce39cfe5b3e6f`
SHA3	`9be70c2c71ebe01381159f9b2a1011db7aa42e267279311fa2137e66211d9fd7`
VirtualSize	`0xb8`
VirtualAddress	`0x3c000`
SizeOfRawData	`0x200`
PointerToRawData	`0x2b600`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`1.86299`

.rsrc

MD5	`4e0a4b70faaa30808586894c813bae8d`
SHA1	`aa0924363f5b89d8332c533312ca66ddb991dcf1`
SHA256	`3da3ce4de4eaa0abc69ef48d806de214e6d2ace84f35eb15665b4c78400549c2`
SHA3	`48bc7915e24e2537ea995589fe545881b8f6abfc8fd4071f44f20b526e45999d`
VirtualSize	`0x29e6c`
VirtualAddress	`0x3d000`
SizeOfRawData	`0x2a000`
PointerToRawData	`0x2b800`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`4.67152`

.reloc

MD5	`aeeab247e170c9e20e5caf509017e36d`
SHA1	`d6cfd8778ed98c8bda73b97aa5670c13a3b68ae6`
SHA256	`820a565c88455bd95a0b97a25f6bb88da36a1de28ff0e0787fe765b14562cccb`
SHA3	`517ead9e9d188854624e28aab5b69c3c5a80b683aeecc09b14632fc507947e05`
VirtualSize	`0x17d4`
VirtualAddress	`0x67000`
SizeOfRawData	`0x1800`
PointerToRawData	`0x55800`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`6.65456`

Imports

KERNEL32.dll	`GetModuleFileNameW` `GetProcAddress` `GetCommandLineW` `GetEnvironmentVariableW` `SetEnvironmentVariableW` `ExpandEnvironmentStringsW` `GetTempPathW` `WaitForSingleObject` `Sleep` `SetDllDirectoryW` `CreateProcessW` `GetStartupInfoW` `LoadLibraryExW` `CreateDirectoryW` `GetShortPathNameW` `FormatMessageW` `LoadLibraryA` `MultiByteToWideChar` `WideCharToMultiByte` `GetExitCodeProcess` `GetLastError` `DecodePointer` `UnhandledExceptionFilter` `SetUnhandledExceptionFilter` `GetCurrentProcess` `TerminateProcess` `IsProcessorFeaturePresent` `QueryPerformanceCounter` `GetCurrentProcessId` `GetCurrentThreadId` `GetSystemTimeAsFileTime` `InitializeSListHead` `IsDebuggerPresent` `GetModuleHandleW` `RtlUnwind` `SetLastError` `EnterCriticalSection` `LeaveCriticalSection` `DeleteCriticalSection` `InitializeCriticalSectionAndSpinCount` `TlsAlloc` `TlsGetValue` `TlsSetValue` `TlsFree` `FreeLibrary` `GetCommandLineA` `ReadFile` `CreateFileW` `GetDriveTypeW` `GetFileType` `CloseHandle` `PeekNamedPipe` `SystemTimeToTzSpecificLocalTime` `FileTimeToSystemTime` `GetFullPathNameW` `GetFullPathNameA` `RemoveDirectoryW` `FindClose` `FindFirstFileExW` `FindNextFileW` `SetStdHandle` `SetConsoleCtrlHandler` `DeleteFileW` `GetStdHandle` `WriteFile` `ExitProcess` `GetModuleHandleExW` `GetACP` `HeapFree` `HeapAlloc` `GetConsoleMode` `ReadConsoleW` `SetFilePointerEx` `GetConsoleCP` `CompareStringW` `LCMapStringW` `GetCurrentDirectoryW` `FlushFileBuffers` `SetEnvironmentVariableA` `GetFileAttributesExW` `IsValidCodePage` `GetOEMCP` `GetCPInfo` `GetEnvironmentStringsW` `FreeEnvironmentStringsW` `GetStringTypeW` `GetProcessHeap` `WriteConsoleW` `GetTimeZoneInformation` `HeapSize` `HeapReAlloc` `SetEndOfFile` `RaiseException`
ADVAPI32.dll	`ConvertStringSecurityDescriptorToSecurityDescriptorW`
WS2_32.dll	`ntohl`

Delayed Imports

1

Type	`RT_ICON`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x1f1e`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`7.89682`
Detected Filetype	PNG graphic file
MD5	`2768cc9350ec0327cf79960b18462239`
SHA1	`4ead09f7afbe6e98d15ae81f0f676c9e123f36de`
SHA256	`21923f3bd028dd01e7c7bea17d7a1520f92bcac234e93215867d5416ea6efa63`
SHA3	`e315f144087398418b83e91d7b7457ef75e1a1afab378a0591ca396d103cb481`

2

Type	`RT_ICON`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x10828`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.59292`
MD5	`be32d52c916e4fd69b182aade221888e`
SHA1	`1b51b4ed8e1ce2345faac783da102a546f6c0995`
SHA256	`eef3b3a6ef6ce2dcf96b5506772b7bfb4ec7f57aa6a10b760b2704987626f901`
SHA3	`92bd2c52d6abc26edd9ab01a2d2fe340e6288a071aefd1306a22ee258cdf1ba8`

3

Type	`RT_ICON`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x94a8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`4.43879`
MD5	`f1c687d80725a737b089ab4b861cc8e1`
SHA1	`276bdb92bb4ab606ffc1e68a6ac32936b6d8aaee`
SHA256	`dc148a811cd3e02bbeb7bb3d03965dd037a1c5063b8124391ab9296e4bcdae58`
SHA3	`60ca8f330cf3ca36677a74dd522f9005cd0a0faa6c43dee3b14c1b4033469000`

4

Type	`RT_ICON`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x5488`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`4.39923`
MD5	`592cbe0fb5b3a8912d144f11f955ff97`
SHA1	`d66c1b6a93c9244faa3c64933439d96c033a5e52`
SHA256	`2ba2ee7a6a85c91b12425fe61547d37ca4c0393d7dd17f65ba76b78007691bd9`
SHA3	`6dbb8f05c7e77b40a13260808983e39ada1f332e374fd93cff05b478b9fa8c15`

5

Type	`RT_ICON`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x4228`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.94128`
MD5	`cbe386493e62eda6a00e4dcb33adcd30`
SHA1	`c22ff1ee235ff458167b5b932b920a498ae916d4`
SHA256	`cd72faedeadbd1612c639dc07f955632c28c0340574844f52d003a7edc2b43c3`
SHA3	`9813a4ca3c28f1e59800fb50349b0b88bb471bcd3245fca2ca9c1d4a3e15f4b0`

6

Type	`RT_ICON`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x25a8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`4.75034`
MD5	`108b5f86ae9d5fc6f7ce7ea3fc5c1431`
SHA1	`3262d4cbea18118b1a8dea90add9d4ba30395ca5`
SHA256	`95a8bc1ac5f8500decc2eff14f68411320bfa534949714e0a3b3e67d314ab230`
SHA3	`2460f61dd2638010f806447b3554bc5d028f0030ac35aec7beecd81296767a3f`

7

Type	`RT_ICON`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x10a8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`4.44346`
MD5	`4aa16ff746a2ba000aee23818310a50b`
SHA1	`a2418f46d883d76e10e3fd11e3672d2215ae9401`
SHA256	`cb882f49de344141836288a540bb0d663d6bdc4394f12fbfcd6762123df8172f`
SHA3	`17ef5f9fd0ecefe45cb28284dce3f7dc68a6468af9980bbe3b354942ddf59b59`

8

Type	`RT_ICON`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x988`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.19008`
MD5	`26bdebe3f24cac5f8c4cf06e6ec43df8`
SHA1	`be1d3dc0f90062b4d745730c2cb5949d2a7c808b`
SHA256	`4392979c7de9a3683ee66ccc2863450196aeca6cdeb3612d07b9a9df2ebadaa8`
SHA3	`9e0b341b4871e0857544e1e2b8f553d77bb87e5530b308080b21cb6c9bdc3b75`

9

Type	`RT_ICON`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x468`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.01716`
MD5	`8d16ea004b3e1be696698738da4564c2`
SHA1	`d1f57047c77c803e7324246db7d7846ea5160474`
SHA256	`2f88677986a399c74c1195dd93d8e35be41f862cf166ce5885f74e6a62c9eb7e`
SHA3	`495d4b6e21afb81a9c1b4343a83b7d7f35b3ad09e1a5ed8caedf7e286ed1fb63`

0

Type	`RT_GROUP_ICON`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x84`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.03466`
Detected Filetype	Icon file
MD5	`6081875b679b9a7367761e2e5d6240a2`
SHA1	`4f61865b94bbcf6632037df1bf96641f751f4aa4`
SHA256	`9ee3574fc771c962eebe2f5b50b5845f38e26d4bab080f8878a3ccb0fe6545e1`
SHA3	`b44c50fd3f7920f65a09450804b06c468df8904a2ace703a77bd59fb80687d68`

101

Type	`RT_GROUP_ICON`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x68`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.71858`
Detected Filetype	Icon file
MD5	`d06bb5f499a7e63fdebdde478b53af68`
SHA1	`f4b46ca808dc838d436be1d2c13a40d51bdd8f4f`
SHA256	`038506ab04814afcdce660ffc0de198ebe40a5b0d8e090799549e208c689fed5`
SHA3	`af3d6a80a0ad9e117953a9e1466a44d29b3d32a19a456a9297995e94ead2efd7`

1 (#2)

Type	`RT_MANIFEST`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x407`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.31241`
MD5	`3db02e168bec799344cd41fdbcc36b11`
SHA1	`afedcd0cb50080effee72a8003e55b2cb2052c44`
SHA256	`70646759b8afba76f309719f84bbfca33dd6f9e1b2be04aa7bfc23041d873012`
SHA3	`9553afc4defed9d2429275d0c6f964fa6f6e0e5d93194dd73c144e1684082695`

Version Info

IMAGE_DEBUG_TYPE_POGO

Characteristics	`0`
TimeDateStamp	2020-Jan-05 12:16:15
Version	`0.0`
SizeofData	`696`
AddressOfRawData	`0x2af1c`
PointerToRawData	`0x2991c`

TLS Callbacks

Load Configuration

Size	`0x5c`
TimeDateStamp	`1970-Jan-01 00:00:00`
Version	`0.0`
GlobalFlagsClear	`(EMPTY)`
GlobalFlagsSet	`(EMPTY)`
CriticalSectionDefaultTimeout	`0`
DeCommitFreeBlockThreshold	`0`
DeCommitTotalFreeThreshold	`0`
LockPrefixTable	`0`
MaximumAllocationSize	`0`
VirtualMemoryThreshold	`0`
ProcessAffinityMask	`0`
ProcessHeapFlags	`(EMPTY)`
CSDVersion	`0`
Reserved1	`0`
EditList	`0`
SecurityCookie	`0x42d008`
SEHandlerTable	`0x42af10`
SEHandlerCount	`3`

RICH Header

XOR Key	`0xb674ed86`
Unmarked objects	`0`
241 (40116)	`12`
243 (40116)	`169`
242 (40116)	`24`
ASM objects (VS2015 UPD3 build 24123)	`18`
C++ objects (VS2015 UPD3 build 24123)	`29`
C objects (VS2015 UPD3 build 24123)	`18`
Imports (65501)	`7`
Total imports	`114`
C objects (VS2015 UPD3 build 24210)	`17`
Resource objects (VS2015 UPD3 build 24210)	`1`
Linker (VS2015 UPD3 build 24210)	`1`

765bec5ba71b5b4d5dad94828d6a58fc

Summary

Plugin Output

Hashes

DOS Header

PE Header

Image Optional Header

.text

.rdata

.data

.gfids

.rsrc

.reloc

Imports

Delayed Imports

1

2

3

4

5

6

7

8

9

0

101

1 (#2)

Version Info

IMAGE_DEBUG_TYPE_POGO

TLS Callbacks

Load Configuration

RICH Header

Errors