Manalyze report for 792973ab04fadbeeca697c8cc4fe5a0b098b5ee73ba16472f97f148fe910e6a9

Summary

Architecture	`IMAGE_FILE_MACHINE_AMD64`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	2021-Sep-03 14:23:56
Detected languages	English - United States
CompanyName	FAZUA GmBH
FileDescription	FAZUA Toolbox
FileVersion	`2.12.1`
LegalCopyright	COPYRIGHT (C) 2021 FAZUA GmBH
OriginalFilename	FAZUA Toolbox.exe
ProductName	FAZUA Toolbox basic
ProductVersion	`2.12.1`

Plugin Output

Info	Cryptographic algorithms detected in the binary:	`Uses constants related to MD5` `Uses constants related to SHA256` `Uses constants related to SHA512` `Uses constants related to RC5 or RC6` `Uses constants related to TEA`
Suspicious	The PE is packed with UPX	`Unusual section name found: UPX0` `Section UPX0 is both writable and executable.` `Unusual section name found: UPX1` `Section UPX1 is both writable and executable.`
Suspicious	The PE contains functions most legitimate programs don't use.	`[!] The program may be hiding some of its imports: LoadLibraryA GetProcAddress` `Has Internet access capabilities: WinHttpOpen` `Leverages the raw socket API to access the Internet: WSAStartup` `Can take screenshots: BitBlt GetDC`
Info	The PE's resources present abnormal characteristics.	`Resource 1 is possibly compressed or encrypted.` `Resource 2 is possibly compressed or encrypted.`
Info	The PE is digitally signed.	`Signer: FAZUA GmbH` `Issuer: Sectigo RSA Code Signing CA`
Suspicious	No VirusTotal score.	`This file has never been scanned on VirusTotal.`

Hashes

MD5	`97732d11076e1046a250b7117635ec41`
SHA1	`c0604adde226778b2441029ad9de8cd4f8201121`
SHA256	`792973ab04fadbeeca697c8cc4fe5a0b098b5ee73ba16472f97f148fe910e6a9`
SHA3	`1ec49e72dfeab98382873d6830e792846598c70332099880311bc465bd3fbbf0`
SSDeep	`786432:8owjNyajUHmEtQPYvYKFckv3YY7otLoXtTC90uq1:8p0rQgnFdvzktLst+90j1`
Imports Hash	`1997755b2a13633357fa7e477cda3ddd`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0x138`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_AMD64`
NumberofSections	`3`
TimeDateStamp	2021-Sep-03 14:23:56
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xf0`
Characteristics	`IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LARGE_ADDRESS_AWARE`

Image Optional Header

Magic	`PE32+`
LinkerVersion	`14.0`
SizeOfCode	`0x1d10000`
SizeOfInitializedData	`0x4b000`
SizeOfUninitializedData	`0x5eb5000`
AddressOfEntryPoint	`0x0000000007BC4ED0 (Section: UPX1)`
BaseOfCode	`0x5eb6000`
ImageBase	`0x140000000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`6.0`
ImageVersion	`0.0`
SubsystemVersion	`6.0`
Win32VersionValue	`0`
SizeOfImage	`0x7c11000`
SizeOfHeaders	`0x1000`
Checksum	`0x1d630ed`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` `IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA` `IMAGE_DLLCHARACTERISTICS_NX_COMPAT` `IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

UPX0

MD5	`d41d8cd98f00b204e9800998ecf8427e`
SHA1	`da39a3ee5e6b4b0d3255bfef95601890afd80709`
SHA256	`e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`
SHA3	`a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a`
VirtualSize	`0x5eb5000`
VirtualAddress	`0x1000`
SizeOfRawData	`0`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_UNINITIALIZED_DATA` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`

UPX1

MD5	`a6e4fa3cf17359cc2e7e7f2af70b7548`
SHA1	`fb18683c191a01c6dd511aab00841fd643921f25`
SHA256	`9ee011f84452acc74489af694170c2d82530343321fc9338dac12631c0773301`
SHA3	`f2ada21674d0d912c67784947431d8031875fb8dfe4f023d5ea3ca1bfaa91594`
VirtualSize	`0x1d10000`
VirtualAddress	`0x5eb6000`
SizeOfRawData	`0x1d0f400`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`7.92386`

.rsrc

MD5	`943452dd09d783c1cac562b6932383aa`
SHA1	`b558bd8e12c9684ebf736c0fae72f03bdf608055`
SHA256	`7f916805a513b7867525246e64dadac8641efacc0e9e4d3913efa89d9b634a2a`
SHA3	`31964d86ac08511dd8cffef3c810e5d3990d413a0222af5d02160db9cb17ca4f`
VirtualSize	`0x4b000`
VirtualAddress	`0x7bc6000`
SizeOfRawData	`0x4a200`
PointerToRawData	`0x1d0f800`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`1.85509`

Imports

ADVAPI32.dll	`GetAce`
api-ms-win-crt-convert-l1-1-0.dll	`_wtoi`
api-ms-win-crt-environment-l1-1-0.dll	`getenv`
api-ms-win-crt-filesystem-l1-1-0.dll	`_wrename`
api-ms-win-crt-heap-l1-1-0.dll	`free`
api-ms-win-crt-locale-l1-1-0.dll	`_configthreadlocale`
api-ms-win-crt-math-l1-1-0.dll	`ceilf`
api-ms-win-crt-runtime-l1-1-0.dll	`exit`
api-ms-win-crt-stdio-l1-1-0.dll	`fgets`
api-ms-win-crt-string-l1-1-0.dll	`wcslen`
api-ms-win-crt-utility-l1-1-0.dll	`labs`
COMDLG32.dll	`GetSaveFileNameW`
dwmapi.dll	`DwmIsCompositionEnabled`
GDI32.dll	`BitBlt`
IMM32.dll	`ImmNotifyIME`
IPHLPAPI.DLL	`GetIfTable`
KERNEL32.DLL	`LoadLibraryA` `ExitProcess` `GetProcAddress` `VirtualProtect`
MSVCP140.dll	`?_Xlength_error@std@@YAXPEBD@Z`
MSWSOCK.dll	`TransmitFile`
ole32.dll	`DoDragDrop`
OLEAUT32.dll	`SysStringLen`
Secur32.dll	`CompleteAuthToken`
SHELL32.dll	`SHBindToParent`
UIAutomationCore.DLL	`UiaClientsAreListening`
urlmon.dll	`CopyStgMedium`
USER32.dll	`GetDC`
USERENV.dll	`GetUserProfileDirectoryW`
VCRUNTIME140.dll	`memcmp`
VCRUNTIME140_1.dll	`__CxxFrameHandler4`
VERSION.dll	`VerQueryValueW`
WINHTTP.dll	`WinHttpOpen`
WINMM.dll	`timeSetEvent`
WS2_32.dll	`WSAStartup`

Delayed Imports

1

Type	`RT_CURSOR`
Language	English - United States
Codepage	UNKNOWN
Size	`0x10ac`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`7.81552`
MD5	`4d872cc8d0e6c5168aa6b9ea468fdfef`
SHA1	`030d9fb037de4fedc486b8120effe15a84c7e9ab`
SHA256	`49ec9a81331fe97b69c8a9475f6021eae8ec0ad1608dbebf0d3b8f8b7084cd3b`
SHA3	`0d0686b64522d15da032d15082810008e0c5649c3ef3cac56f910aa361d79912`

2

Type	`RT_CURSOR`
Language	English - United States
Codepage	UNKNOWN
Size	`0x10ac`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`7.82728`
MD5	`5e74352eb136e3a583fa7b2d88d8ec72`
SHA1	`b8d5bcba1ed9ca5602746331e8522607d263bffe`
SHA256	`5fca5f0c50c7bacdc2637554ac1efec198784140a748cd4d74aea4c1fd470db1`
SHA3	`df259f3b1c8c868187201c63540bdf55b6cec956897e4d2246d977fbbe463f6e`

1 (#2)

Type	`RT_ICON`
Language	UNKNOWN
Codepage	UNKNOWN
Size	`0x468`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.36975`
MD5	`5ae7471e6ae735ff989e5ba3690fad44`
SHA1	`d5d1c1a0e0c47c92a0914018c4649e3a6408e547`
SHA256	`c47cc68af3810d72113596b956766b870f46ef98da3901778657ee7a6a34d789`
SHA3	`c2784f33d8ce53f0c487bcf9853d2d6cbc53c52dd7cdf9421b1657d243dc15b9`

2 (#2)

Type	`RT_ICON`
Language	UNKNOWN
Codepage	UNKNOWN
Size	`0x988`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.74995`
MD5	`673b5abaa69d36a383f6712150cc6930`
SHA1	`60b84bee6ec84b1607b584f4c82f231d06d4d9ff`
SHA256	`38777cd02ef4c760eb8aff00a013720896577cd027654dc37c0e43f97755176c`
SHA3	`efe4c1fad2b22905b4d0a40ad1ce4e12d2d5e2764df842c04fc4a0f195c0e828`

3

Type	`RT_ICON`
Language	UNKNOWN
Codepage	UNKNOWN
Size	`0x10a8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.43232`
MD5	`708cb4c83d6ce8a60fe4d016ee549c75`
SHA1	`fe78b47e13a1097a25949684311dd399cf8bd6f4`
SHA256	`0cad91d8480c5d3a4fe90a105f8bb99ea437461b698f649713aea20ba39d17de`
SHA3	`e9f2fff554e98cfea8278352ec769840029ce6a81f2bfc87331b4e633f5011b8`

4

Type	`RT_ICON`
Language	UNKNOWN
Codepage	UNKNOWN
Size	`0x25a8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.05079`
MD5	`68bd69bbd31679f53de515b5d5a36c48`
SHA1	`368d5426872998edfcab01b344b6db11df0fa9f0`
SHA256	`f9095d9f40117f0045383e720db9fc901f39cfb2720054e2afb0ac709cb586f0`
SHA3	`9c783854d61511e9823637a7f4508b9e11125fe0b89d7549d8195b927800346b`

5

Type	`RT_ICON`
Language	UNKNOWN
Codepage	UNKNOWN
Size	`0x4228`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`1.84075`
MD5	`3e8eaf0b602e03e673523f13c68b28ec`
SHA1	`3584cb204317c1d87a827342f04c60bf7be487d4`
SHA256	`6ce4a53e4e1fd038421594b12602f82a3b57554263a3607cb4766e22d794d343`
SHA3	`34b32e45b59f375e5962e10d1fd9fab3a7c696c41e3011b3c73b8b5123f72dd1`

6

Type	`RT_ICON`
Language	UNKNOWN
Codepage	UNKNOWN
Size	`0x94a8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`1.62265`
MD5	`bfc8f20e8bd668bbd2349d2952323354`
SHA1	`e613e17d8dc3063349f703dd762c73485bf3bb6c`
SHA256	`d7e59765ef0e543810917747cbd5ed94850fe5f3cffa12cc8029dfb98c2f4748`
SHA3	`83bda120e66519e6ee317e565d821089dd2d964816bfcaa2ea77fd23d2d603a6`

7

Type	`RT_ICON`
Language	UNKNOWN
Codepage	UNKNOWN
Size	`0x10828`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`1.4972`
MD5	`d362f866c1e4e19c36543fdbf7e03e5e`
SHA1	`c4a814dba70238461d2ebf62b848b6416201a7da`
SHA256	`bb353be9c6c99a6c235b8b23d00cc560cbc5b8f12404f30bc68e7f39e895e3d5`
SHA3	`ec85a3cd171a88adb3f84c5db0f3c83a8e14c3baa32652e6391ba764c40963b7`

8

Type	`RT_ICON`
Language	UNKNOWN
Codepage	UNKNOWN
Size	`0x25228`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`1.39064`
MD5	`d0ec266534841f6446e2775e40ea62bc`
SHA1	`e99a5cfa2feba962c89dabcef67f612d75c78780`
SHA256	`508fc0bf6bc8d21ecd9bd31d9291b03edc5ca4a92403d68353647edbfc3e857a`
SHA3	`d5d3c0ddffe539855f34e01cb9faf25e950ecb6754120b2d31c589d5a95d0824`

9

Type	`RT_ICON`
Language	UNKNOWN
Codepage	UNKNOWN
Size	`0x1b04`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`7.95518`
Detected Filetype	PNG graphic file
MD5	`632c0a2beae24d7c30cad21ad779eb0e`
SHA1	`f56d941ce96bd49a9ef4b11d96d54398b36a647a`
SHA256	`32b12a3482eafd38474adbeda32d27bddaace73674cfe551edfe711b902058e6`
SHA3	`8bc77b3e91300c5b45a856a394b539e3a7ee987a98d2d76c8dfab3383a65a413`

IDC_CLOSED_HAND

Type	`RT_GROUP_CURSOR`
Language	English - United States
Codepage	UNKNOWN
Size	`0x14`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.60869`
MD5	`24376d396ca083bb969cd111a907374e`
SHA1	`cf3829759c75f34f3255dd67e0d09839d8052a60`
SHA256	`5cae101924be4f4a32e3079ad4cf89bfaffaffb72b00ca1694b32252f03ed726`
SHA3	`cfc90db2d8e4d2d8efa25744b5200532f9d4ea6a9295c2e11e39fa04b3a15018`

IDC_OPEN_HAND

Type	`RT_GROUP_CURSOR`
Language	English - United States
Codepage	UNKNOWN
Size	`0x14`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`4.32193`
MD5	`9ab737e02c747d4642be0e76dbbcbbf7`
SHA1	`582fed8f835b160dfc50084bb0652898ef62a07f`
SHA256	`5fb2b6367e6745858abfd6837c15b3030f15f57f41117db78c59ad8425102530`
SHA3	`38ee9a8078f263a35d8074a262f129d02bd98debf01017107294955cb6202930`

MAINICON

Type	`RT_GROUP_ICON`
Language	UNKNOWN
Codepage	UNKNOWN
Size	`0x84`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.04988`
Detected Filetype	Icon file
MD5	`677f471090096a75b7cdee8d0e4b67e5`
SHA1	`2aea36ac8ee96e109cdd2c023aeab383ea4733ba`
SHA256	`28293fe7aadb10f2ab2445e091782ac0cb43f590a45696370d23c467e9648ce2`
SHA3	`d270430a54a856aa5ac0ab7ea8a31a193d531760e61743c52edaa21eacf24ce7`

1 (#3)

Type	`RT_VERSION`
Language	English - United States
Codepage	UNKNOWN
Size	`0x2b0`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.40562`
MD5	`653807d791a1598d69c92cbf8824ed03`
SHA1	`277d5654e43e61c25f236bf6d7efbb895a0c401a`
SHA256	`591f6b6847bee61fd11b328fd5ea9dc90a9cea5c176ab932a43464bfc8acd0e1`
SHA3	`7d6924ab3081e199adf6d8ba93927ce6e0dbd3828d4e70c2cc760748d3606ca3`

Version Info

Signature	`0xfeef04bd`
StructVersion	`0x10000`
FileVersion	2.0.0.0
ProductVersion	2.0.0.0
FileFlags	`(EMPTY)`
FileOs	`VOS_DOS_WINDOWS32` `VOS_NT_WINDOWS32` `VOS__WINDOWS32`
FileType	`VFT_APP`
Language	English - United States
CompanyName	FAZUA GmBH
FileDescription	FAZUA Toolbox
FileVersion (#2)	2.12.1
LegalCopyright	COPYRIGHT (C) 2021 FAZUA GmBH
OriginalFilename	FAZUA Toolbox.exe
ProductName	FAZUA Toolbox basic
ProductVersion (#2)	2.12.1

Resource LangID	English - United States

TLS Callbacks

Load Configuration

Size	`0x138`
TimeDateStamp	`1970-Jan-01 00:00:00`
Version	`0.0`
GlobalFlagsClear	`(EMPTY)`
GlobalFlagsSet	`(EMPTY)`
CriticalSectionDefaultTimeout	`0`
DeCommitFreeBlockThreshold	`0`
DeCommitTotalFreeThreshold	`0`
LockPrefixTable	`0`
MaximumAllocationSize	`0`
VirtualMemoryThreshold	`0`
ProcessAffinityMask	`0`
ProcessHeapFlags	`(EMPTY)`
CSDVersion	`0`
Reserved1	`0`
EditList	`0`
SecurityCookie	`0x142f3cdb8`

RICH Header

XOR Key	`0x64625350`
Unmarked objects	`0`
Imports (VS2008 SP1 build 30729)	`20`
Imports (VS 2015/2017/2019 runtime 29804)	`6`
C objects (27412)	`5`
253 (28518)	`4`
C++ objects (VS 2015/2017/2019 runtime 29804)	`40`
C objects (VS 2015/2017/2019 runtime 29804)	`10`
ASM objects (VS 2015/2017/2019 runtime 29804)	`4`
C objects (VS2019 Update 9 (16.9.4) compiler 29914)	`51`
Resource objects (VS2019 Update 9 (16.9.4) compiler 29914)	`1`
C++ objects (VS2019 Update 9 (16.9.4) compiler 29914)	`41`
C++ objects (27041)	`1`
C objects (27041)	`127`
262 (27412)	`2`
Imports (27412)	`41`
Total imports	`591`
C objects (VS2019 Update 9 (16.9.2-3) compiler 29913)	`1`
Unmarked objects (#2)	`1`
Exports (VS2019 Update 9 (16.9.2-3) compiler 29913)	`1`
Linker (VS2019 Update 9 (16.9.2-3) compiler 29913)	`1`

Errors

[!] Error: Could not read the IMAGE_EXPORT_DIRECTORY.
[!] Error: Could not reach the TLS callback table.
[*] Warning: Section UPX0 has a size of 0!
[!] Error: The number of ICON_DIRECTORY_ENTRIES is bigger than the number of resources in the file.
[*] Warning: Resource 0 is empty!
[!] Error: The number of ICON_DIRECTORY_ENTRIES is bigger than the number of resources in the file.
[*] Warning: Resource 0 is empty!

Leave a comment

No comments yet.