Manalyze report for 778582d84e4ee0641ed843499e605c4a

Summary

Architecture	`IMAGE_FILE_MACHINE_I386`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	1992-Jun-19 22:22:17

Plugin Output

Suspicious	PEiD Signature:	`UPX V2.00-V2.90 -> Markus Oberhumer & Laszlo Molnar & John Reiser` `UPX v2.0 -> Markus, Laszlo & Reiser (h)` `UPX 2.00-3.0X -> Markus Oberhumer & Laszlo Molnar & John Reiser` `UPX -> www.upx.sourceforge.net` `UPX V2.00-V2.90 -> Markus Oberhumer & Laszlo Molnar & John Reiser` `UPX 2.00-3.0X -> Markus Oberhumer & Laszlo Molnar & John Reiser`
Suspicious	The PE is packed with UPX	`Unusual section name found: UPX0` `Section UPX0 is both writable and executable.` `Unusual section name found: UPX1` `Section UPX1 is both writable and executable.`
Suspicious	The PE contains functions most legitimate programs don't use.	`[!] The program may be hiding some of its imports: LoadLibraryA GetProcAddress` `Memory manipulation functions often used by packers: VirtualProtect VirtualAlloc`
Info	The PE's resources present abnormal characteristics.	`Resource MAIN is possibly compressed or encrypted.` `Resource DATA is possibly compressed or encrypted.`
Malicious	VirusTotal score: 39/70 (Scanned on 2022-06-02 13:00:06)	`Lionic: Virus.Win32.Lamer.kYNN` `MicroWorld-eScan: Gen:Variant.Application.HackTool.283` `FireEye: Generic.mg.778582d84e4ee064` `ALYac: Gen:Variant.Application.HackTool.283` `Cylance: Unsafe` `K7AntiVirus: Unwanted-Program ( 0054d0751 )` `K7GW: Unwanted-Program ( 0054d0751 )` `Cybereason: malicious.84e4ee` `Symantec: ML.Attribute.HighConfidence` `Elastic: malicious (moderate confidence)` `ESET-NOD32: a variant of Win32/HackTool.Patcher.ED potentially unsafe` `APEX: Malicious` `Paloalto: generic.ml` `BitDefender: Gen:Variant.Application.HackTool.283` `NANO-Antivirus: Riskware.Win32.Hacktool.fajjrg` `Avast: FileRepMetagen [Trj]` `Ad-Aware: Gen:Variant.Application.HackTool.283` `Emsisoft: Gen:Variant.Application.HackTool.283 (B)` `Zillya: Tool.Patcher.Win32.25848` `McAfee-GW-Edition: BehavesLike.Win32.PUPXKJ.qc` `Sophos: Generic PUA DD (PUA)` `SentinelOne: Static AI - Malicious PE` `Jiangmin: Trojan.Generic.cokhu` `MAX: malware (ai score=72)` `Gridinsoft: Ransom.Win32.Wacatac.oa!s2` `Microsoft: Program:Win32/Wacapew.C!ml` `GData: Gen:Variant.Application.HackTool.283` `Cynet: Malicious (score: 100)` `AhnLab-V3: Malware/Win.OT.R432232` `McAfee: GenericRXAA-AA!778582D84E4E` `VBA32: TrojanPSW.Zbot` `Malwarebytes: Malware.AI.3983288318` `Yandex: Trojan.GenAsa!Ya3cm6DmYHE` `Ikarus: Backdoor.Win32.Havar` `MaxSecure: Trojan.Malware.300983.susgen` `Fortinet: Riskware/Patcher` `BitDefenderTheta: AI:Packer.71DF0F8921` `AVG: FileRepMetagen [Trj]` `Panda: Trj/Genetic.gen`

Hashes

MD5	`778582d84e4ee0641ed843499e605c4a`
SHA1	`33fb6e5fee64f5e2064bf05d622e69c1cbeee39a`
SHA256	`f67328c03f7d85c75bbdf6b8928e111be4a753b6e84fbd8e0deabffa45550535`
SHA3	`06745b2b64f87bb14d440ca4c308b551657c590e9246cd8fef2a408a5ccccdaa`
SSDeep	`768:djpnvNPYBg24m8iJH1RQZ0MAB4CVHFwnWhUtBXqnS1PinCNw7eBMgf5RkpIHitR:NNNrYDH1RQZGBZxFwIoJxg1eBxTY`
Imports Hash	`7800dfc4603fefbc322a7744058d89d8`

DOS Header

e_magic	`MZ`
e_cblp	`0x50`
e_cp	`0x2`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0xf`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0x1a`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0x100`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_I386`
NumberofSections	`3`
TimeDateStamp	1992-Jun-19 22:22:17
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xe0`
Characteristics	`IMAGE_FILE_32BIT_MACHINE` `IMAGE_FILE_BYTES_REVERSED_HI` `IMAGE_FILE_BYTES_REVERSED_LO` `IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LINE_NUMS_STRIPPED` `IMAGE_FILE_LOCAL_SYMS_STRIPPED` `IMAGE_FILE_RELOCS_STRIPPED`

Image Optional Header

Magic	`PE32`
LinkerVersion	`2.0`
SizeOfCode	`0xb000`
SizeOfInitializedData	`0x2000`
SizeOfUninitializedData	`0x28000`
AddressOfEntryPoint	`0x00033B90 (Section: UPX1)`
BaseOfCode	`0x29000`
BaseOfData	`0x34000`
ImageBase	`0x400000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`4.0`
ImageVersion	`0.0`
SubsystemVersion	`4.0`
Win32VersionValue	`0`
SizeOfImage	`0x36000`
SizeOfHeaders	`0x1000`
Checksum	`0`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x4000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

UPX0

MD5	`d41d8cd98f00b204e9800998ecf8427e`
SHA1	`da39a3ee5e6b4b0d3255bfef95601890afd80709`
SHA256	`e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`
SHA3	`a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a`
VirtualSize	`0x28000`
VirtualAddress	`0x1000`
SizeOfRawData	`0`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_UNINITIALIZED_DATA` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`

UPX1

MD5	`0e86678f87c7f9a0f9e8c3749f8c5383`
SHA1	`be65f03e319aaa198beaba71d87d193a66fadad7`
SHA256	`a617215a91f8ff76414fad38d312127b5c71ee19b246f9ce9c1af15c12f21a12`
SHA3	`3240e0c99dd16b032660ab0650f14d3d6db4104736ca083120bbd0fad9120ea8`
VirtualSize	`0xb000`
VirtualAddress	`0x29000`
SizeOfRawData	`0xae00`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`7.89211`

.rsrc

MD5	`456c3e7700159c675ee9848a95418742`
SHA1	`12becccd011e7a82004a5a7558868fc03d62d270`
SHA256	`7dbd9436c27885bf0e835e95e8adbe2b352a2e6f56a5e247732863b6513f5204`
SHA3	`40cb8807f573e7b8e52b4430cbd7f0423cc1aac5dac2e833536b5065a2c0c99c`
VirtualSize	`0x2000`
VirtualAddress	`0x34000`
SizeOfRawData	`0x1800`
PointerToRawData	`0xb200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`5.23838`

Imports

KERNEL32.DLL	`LoadLibraryA` `GetProcAddress` `VirtualProtect` `VirtualAlloc` `VirtualFree` `ExitProcess`
advapi32.dll	`FreeSid`
comdlg32.dll	`GetSaveFileNameA`
gdi32.dll	`SaveDC`
IMAGEHLP.DLL	`CheckSumMappedFile`
msimg32.dll	`AlphaBlend`
ole32.dll	`CoTaskMemFree`
oleaut32.dll	`SysFreeString`
shell32.dll	`SHGetPathFromIDListA`
user32.dll	`GetDC`
version.dll	`VerQueryValueA`
winmm.dll	`sndPlaySoundA`

Delayed Imports

50

Type	`RT_ICON`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0xea8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.23687`
MD5	`14562a3f60090516c9500e0acbf8b5c0`
SHA1	`32d12418ff3d5228bb1358d7858fa768451b42cd`
SHA256	`0d725f5d6a981f20bf08ffc6a6f4e12a5c189e75e76adcf0508ce9a381fef35c`
SHA3	`fadeb302646bd0b2a3a3f65565437bb6ac3ba0d81902d6a20d247abe2d0b8376`

MAIN

Type	`RT_DIALOG`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x410`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`7.61616`
MD5	`4054fad3fdb1311dd1784df97a9b9a9d`
SHA1	`55bf3f162813401660b3247423363f8d023ae7fa`
SHA256	`2c4f31d3cd21e65f51409cc41efba0ea6daaaf47d2fd225533509dcbed3c0b27`
SHA3	`ae0c28aca1e7ec849be7321849bef615cc1b614baf2d99fa4e359d5688149087`

DATA

Type	`RT_RCDATA`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x213`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`7.25906`
MD5	`f729ba7e29af655ec0b69d279ff0c07f`
SHA1	`70de6b1a544db6195eb3c2934d80fe8b2b28763e`
SHA256	`e1881b0c37e064a9b22b892c1a11b2ba845dd140e81078a869d899576edb2300`
SHA3	`c3b9d4510447518cc8b93b28fa0205a670d97bd56afd49f503832e6e2bb346d5`

INFO

Type	`RT_RCDATA`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x135`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`6.95067`
MD5	`49f67c6e5a4473ced3704512dec1df08`
SHA1	`650f5a2aa126202d684a8522dba602cd855b6546`
SHA256	`75428e95e57cd06de157298192dc496872d1550b83e0b3feca610450396b21f0`
SHA3	`3457a7ff1008bd55acf8b6e8c7cf235cc44f1058626ba09b9a41831cfa53625f`

MAINICON

Type	`RT_GROUP_ICON`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x14`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`1.83321`
Detected Filetype	Icon file
MD5	`0bf37607a62d3c602fda2ccec16b124b`
SHA1	`faeaa3ecc173a7735644231262fe8eec418e484c`
SHA256	`86507da66641fa7d3dd9a7bb6e881477eff0bb63708198523f9713bab2644857`
SHA3	`c7bc4c7dc76d5e790b3d4e7b5bd75e159a6495ad28c70fe0979d27eab533532a`

1

Type	`RT_MANIFEST`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x2f3`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.09702`
MD5	`fd0c12f2d34a5f292be6d7b56131bb0f`
SHA1	`5689323b65b21961ab3328cdd9f9f1646120c72e`
SHA256	`ef5e3f966d8dac170f799988ae04be725703d99a83a27dbe51e9379484ea5756`
SHA3	`9ac6158c775dcf0eebdab0a3a6a9fadfea2936969459eeb7416b86b858506576`

Version Info

TLS Callbacks

Load Configuration

RICH Header

Errors

[*] Warning: Ignored an invalid IMAGE_RESOURCE_DATA_ENTRY
[!] Error: Could not reach the TLS callback table.
[*] Warning: Section UPX0 has a size of 0!