Manalyze report for 79d234d9a78acafbaeeef507121c7bd46a227b53a8b34212ab1e06eb5c9af1e0

Summary

Architecture	`IMAGE_FILE_MACHINE_I386`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	2019-Jul-30 08:52:50

Plugin Output

Info	Matching compiler(s):	`MASM/TASM - sig2(h)`
Info	Cryptographic algorithms detected in the binary:	`Uses constants related to CRC32` `Uses constants related to MD5` `Uses constants related to SHA1`
Info	The PE contains common functions which appear in legitimate applications.	`[!] The program may be hiding some of its imports: LoadLibraryExW GetProcAddress LoadLibraryW` `Can create temporary files: GetTempPathW CreateFileW`
Info	The PE's resources present abnormal characteristics.	`Resource 0256A04424CAB3A75690AF3B63B5031702F4559E is possibly compressed or encrypted.` `Resource 60CD3802805DBF1718D70DBC8988601ECF793B78 is possibly compressed or encrypted.` `Resource F18BB1E049B96733E3956474BF76577A is possibly compressed or encrypted.`
Malicious	VirusTotal score: 30/72 (Scanned on 2025-07-27 16:01:33)	`AVG: Win32:Malware-gen` `Avast: Win32:Malware-gen` `Bkav: W32.Common.38DCE5A2` `CAT-QuickHeal: Trojan.GenericPMF.S14896628` `CTX: exe.trojan.generic` `CrowdStrike: win/malicious_confidence_90% (W)` `Cylance: Unsafe` `Cynet: Malicious (score: 100)` `DeepInstinct: MALICIOUS` `Elastic: malicious (high confidence)` `Fortinet: W32/PossibleThreat` `Kaspersky: HEUR:Trojan.BAT.Alien.gen` `Kingsoft: malware.kb.a.986` `Lionic: Trojan.Win32.Tiny.trFe` `Malwarebytes: Generic.Malware.AI.DDS` `MaxSecure: Trojan.Malware.121218.susgen` `McAfeeD: ti!79D234D9A78A` `Microsoft: Trojan:Win32/Wacatac.C!ml` `Paloalto: generic.ml` `Rising: Trojan.Alien/BAT!8.1886B (CLOUD)` `Sangfor: Trojan.Win32.Save.a` `SentinelOne: Static AI - Suspicious PE` `Skyhigh: BehavesLike.Win32.Generic.ch` `Sophos: Generic ML PUA (PUA)` `TrellixENS: GenericRXWO-YL!2E5087BFCFAF` `TrendMicro-HouseCall: TROJ_GEN.R002H07GH25` `VBA32: BScope.Trojan.Wacatac` `VirIT: Trojan.Win32.Genus.IHW` `Zillya: Tool.Lazagne.Win32.102` `Zoner: Trojan.Win32.85523`

Hashes

MD5	`2e5087bfcfaf1198272bfcae84d60977`
SHA1	`b11e75d38a0f0268c992a331d9d7ac9b6e2eefab`
SHA256	`79d234d9a78acafbaeeef507121c7bd46a227b53a8b34212ab1e06eb5c9af1e0`
SHA3	`77c58131007e2fc5564fd4610559ca6fab6db4c1e541af2295756c06ee718491`
SSDeep	`1536:u7fPGykbOqjoHm4pICdfkLtAfupcWX50MxFY+yIOlnToIftxHK26xj9smV6syQE3:kq6+ouCpk2mpcWJ0r+QNTBftVKn3rVE3`
Imports Hash	`5877688b4859ffd051f6be3b8e0cd533`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0x80`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_I386`
NumberofSections	`5`
TimeDateStamp	2019-Jul-30 08:52:50
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xe0`
Characteristics	`IMAGE_FILE_32BIT_MACHINE` `IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LINE_NUMS_STRIPPED` `IMAGE_FILE_LOCAL_SYMS_STRIPPED` `IMAGE_FILE_RELOCS_STRIPPED`

Image Optional Header

Magic	`PE32`
LinkerVersion	`2.0`
SizeOfCode	`0x10c00`
SizeOfInitializedData	`0xb800`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x00001000 (Section: .code)`
BaseOfCode	`0x1000`
BaseOfData	`0x13000`
ImageBase	`0x400000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`4.0`
ImageVersion	`0.0`
SubsystemVersion	`4.0`
Win32VersionValue	`0`
SizeOfImage	`0x21000`
SizeOfHeaders	`0x400`
Checksum	`0`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.code

MD5	`6c0f4094a5493360ae8c9032ef3a9f47`
SHA1	`46e4e4c197cbfd5b6bc4fcfe852e2f6c19ff32d5`
SHA256	`f6e9812089d0028c33a2b9eb53df013efade78f2c7a82910557b2ab9ff8f24e1`
SHA3	`36b8e17b505b7236975ff151e879eec5490c1aa7483cfb43a819f0d42876bf25`
VirtualSize	`0x37f0`
VirtualAddress	`0x1000`
SizeOfRawData	`0x3800`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`5.60878`

.text

MD5	`1da643e4b1937b50550f9d9e8250428e`
SHA1	`705a8d46edc2898b99a24b89e3af8a73702de27e`
SHA256	`5dd774a6dd19c00b8ae3b487d1a1297ccdfe7c83f6c8b1a13c97f9c64e3f1b0f`
SHA3	`b3f3032b15c38542c6b1f3e9906bfb5e2c66877804d9811f2f948dee7774131b`
VirtualSize	`0xd2c2`
VirtualAddress	`0x5000`
SizeOfRawData	`0xd400`
PointerToRawData	`0x3c00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.55808`

.rdata

MD5	`4fb07923b0eb72c40319d48fd2d4f13f`
SHA1	`f8f4ac5ba9f5ff221c01568f2e378e4582faa7fe`
SHA256	`cdfd6bc8c473d8389be0f336e7ed1ea672d6918ed1be6b2f5554f649f6dd4695`
SHA3	`614e0060afaa826b4884f4069d01868583d72e4233009f9779b0529a02a10922`
VirtualSize	`0x339d`
VirtualAddress	`0x13000`
SizeOfRawData	`0x3400`
PointerToRawData	`0x11000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`7.11064`

.data

MD5	`f689d57231adc03bad68055709cabaf0`
SHA1	`63a34570c951a5b0ff022e8ec060d1df76a37ec4`
SHA256	`448302742f905d8638ef88a2bf0eed729df5c3f679a931ab66474730594c5a6c`
SHA3	`562eaac8b9976528636094b8fe60b0bb87af997e947b5701619f09467088904d`
VirtualSize	`0x172c`
VirtualAddress	`0x17000`
SizeOfRawData	`0x1200`
PointerToRawData	`0x14400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`4.99613`

.rsrc

MD5	`0e3ee051f32041dc97470bec9aa6746d`
SHA1	`ed4b26296c32db6ebd5a0e325f2f004b5ec45aa6`
SHA256	`3c649797450a54378282f73b969938638c2435b29ace31fb88f0f2caaca0d493`
SHA3	`d9e081dcf887883e112a61cdd5a9db20a0396d1c38193466491eb432f266fdec`
VirtualSize	`0x70e8`
VirtualAddress	`0x19000`
SizeOfRawData	`0x7200`
PointerToRawData	`0x15600`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`6.13844`

Imports

MSVCRT.dll	`memset` `wcsncmp` `memmove` `wcsncpy` `wcsstr` `_wcsnicmp` `_wcsdup` `free` `_wcsicmp` `wcslen` `wcscpy` `wcscmp` `memcpy` `tolower` `wcscat` `malloc`
KERNEL32.dll	`GetModuleHandleW` `HeapCreate` `GetStdHandle` `HeapDestroy` `ExitProcess` `WriteFile` `GetTempFileNameW` `LoadLibraryExW` `EnumResourceTypesW` `FreeLibrary` `RemoveDirectoryW` `GetExitCodeProcess` `EnumResourceNamesW` `GetCommandLineW` `LoadResource` `SizeofResource` `FreeResource` `FindResourceW` `GetNativeSystemInfo` `GetShortPathNameW` `GetWindowsDirectoryW` `GetSystemDirectoryW` `EnterCriticalSection` `CloseHandle` `LeaveCriticalSection` `InitializeCriticalSection` `WaitForSingleObject` `TerminateThread` `CreateThread` `Sleep` `GetProcAddress` `GetVersionExW` `WideCharToMultiByte` `HeapAlloc` `HeapFree` `LoadLibraryW` `GetCurrentProcessId` `GetCurrentThreadId` `GetModuleFileNameW` `GetEnvironmentVariableW` `SetEnvironmentVariableW` `GetCurrentProcess` `TerminateProcess` `SetUnhandledExceptionFilter` `HeapSize` `MultiByteToWideChar` `CreateDirectoryW` `SetFileAttributesW` `GetTempPathW` `DeleteFileW` `GetCurrentDirectoryW` `SetCurrentDirectoryW` `CreateFileW` `SetFilePointer` `TlsFree` `TlsGetValue` `TlsSetValue` `TlsAlloc` `HeapReAlloc` `DeleteCriticalSection` `InterlockedCompareExchange` `InterlockedExchange` `GetLastError` `SetLastError` `UnregisterWait` `GetCurrentThread` `DuplicateHandle` `RegisterWaitForSingleObject`
USER32.DLL	`CharUpperW` `CharLowerW` `MessageBoxW` `DefWindowProcW` `DestroyWindow` `GetWindowLongW` `GetWindowTextLengthW` `GetWindowTextW` `UnregisterClassW` `LoadIconW` `LoadCursorW` `RegisterClassExW` `IsWindowEnabled` `EnableWindow` `GetSystemMetrics` `CreateWindowExW` `SetWindowLongW` `SendMessageW` `SetFocus` `CreateAcceleratorTableW` `SetForegroundWindow` `BringWindowToTop` `GetMessageW` `TranslateAcceleratorW` `TranslateMessage` `DispatchMessageW` `DestroyAcceleratorTable` `PostMessageW` `GetForegroundWindow` `GetWindowThreadProcessId` `IsWindowVisible` `EnumWindows` `SetWindowPos`
GDI32.DLL	`GetStockObject`
COMCTL32.DLL	`InitCommonControlsEx`
SHELL32.DLL	`ShellExecuteExW` `SHGetFolderLocation` `SHGetPathFromIDListW`
WINMM.DLL	`timeBeginPeriod`
OLE32.DLL	`CoInitialize` `CoTaskMemFree`
SHLWAPI.DLL	`PathAddBackslashW` `PathRenameExtensionW` `PathQuoteSpacesW` `PathRemoveArgsW` `PathRemoveBackslashW`

Delayed Imports

1

Type	`RT_ICON`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x468`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.62919`
MD5	`5687641d0f66886722e10bb1443be26d`
SHA1	`552ef4cb10ea8edb5d93b36865947d1ece08d1c1`
SHA256	`1814a90319520ba7bd7ac6332d740237db1c76a718a2ad361f65564b721c399d`
SHA3	`cb10ce6046b475eb9fae2e15328008a99e6a2abc79931e3121337b3b10a438c2`

2

Type	`RT_ICON`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x10a8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.56168`
MD5	`cf69ee2fc39eeaf449f513ef5d0044f2`
SHA1	`a845c069e8486eec8f21e48b8d91ed51850c9c9e`
SHA256	`9c8c36dbb566e266d7e167bbb016a181853332f275e94856736bfc5945fe4fa0`
SHA3	`612d0e1118a7d7e55bc3618667102d329c9a2ef6f117a4d42fbecf18379cc61d`

3

Type	`RT_ICON`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x25a8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.41676`
MD5	`29ad3301ae43897623b186a64966a019`
SHA1	`0226057295175ce9a0919721db7167990b1cfa03`
SHA256	`3759b4809c423fe0534cfca17ebc9ec4b5f93b4450db8bfdb421ff390a78581b`
SHA3	`d6337a397a5ea04bd4463ec1995a8a393362d6970e7051998e74716ebd967c56`

0256A04424CAB3A75690AF3B63B5031702F4559E

Type	`RT_RCDATA`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0xf5`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`7.11999`
MD5	`bfed99cf52ac027622c730feec146253`
SHA1	`488be1ece7574b9cf3aea135eeb63fbdce71dca1`
SHA256	`3b48aa99dded305758c4deda5247cbae1b073696ed341dada07cfe50d29e8951`
SHA3	`d418f1ab717dac6460d74eeac5c20a3dc1ef627af69af4455e8c0fcb010870c8`

3DB7B3749A03076549FE34E65D4BD31BA7F13F53

Type	`RT_RCDATA`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x3f`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.75506`
MD5	`a0c15fdff2a18253ce17ef6a85d18ee6`
SHA1	`55ba6d4bf9b91a5e2cbe7e8127fa6c4690ae335f`
SHA256	`bd5f7d67d4e69786e157050e41adf7ad802e1533fcd2200563a6d544f80620bb`
SHA3	`699beb7b75632bbf433aa475874988e3544ea496541f810e259b397ea22c3e48`

60CD3802805DBF1718D70DBC8988601ECF793B78

Type	`RT_RCDATA`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x216e`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`7.97955`
MD5	`837d7cfe4a8fb32ed736859cf108fe0a`
SHA1	`1090866f06efbc4f2c5b3564a416eab8169e4fac`
SHA256	`8fd17999a5979e55ad183497dae30fa901ac18b70349d85dc58d5bbfd3ddf005`
SHA3	`0e6b383145ae72211cbba638584ab2fd2803abaea15461c6aac9a55f97739442`

B699AD5A7948B10D279682D73A615D4173FE02F1

Type	`RT_RCDATA`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0xa`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.32193`
MD5	`64bd597c46149ad27448ef2ed8f4dfa5`
SHA1	`d8e15949b40ae775bafa91cb3422c36be1ac2ed9`
SHA256	`28236fc122a37799c856afa8e35643c4a6eb8e3836411934084be32d7e7e0dff`
SHA3	`d1220a1f7524e402f99ff181e1a0239fdbca5053a06e0e8889649c78c39e4c7d`

D5AD77F94A

Type	`RT_RCDATA`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x1`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`0`
MD5	`55a54008ad1ba589aa210d2629c1df41`
SHA1	`bf8b4530d8d246dd74ac53a13471bba17941dff7`
SHA256	`4bf5122f344554c53bde2ebb8cd2b7e3d1600ad631c385a5d7cce23c7785459a`
SHA3	`2767f15c8af2f2c7225d5273fdd683edc714110a987d1054697c348aed4e6cc7`

E56318EDBD2F856D98421CB8090A6207

Type	`RT_RCDATA`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x8d`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`6.79725`
MD5	`0478dc3142082637c3ceaf946fca2ace`
SHA1	`2eaf41c217d7c27753d4827f77470773ee20f42e`
SHA256	`3bd63c9688ba0700983b0020959ded76eac91896335d00a2fb267bfa3bc26681`
SHA3	`3b7441cebb078bb67c9b5a1510b93559e22f516850ad70f877c005eeaf7c2453`

F18BB1E049B96733E3956474BF76577A

Type	`RT_RCDATA`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0xa94`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`7.93572`
MD5	`348f2e46397a12e56c70d2877258d173`
SHA1	`440a8cb1618ed757c2760c842d5ed6481af51f93`
SHA256	`21bd1a097cdf37f7f12a1947a2fed2eb589aad889d0fee677f4e24f5b3f1191e`
SHA3	`750f76d8915fba73dbf724a5faa1c1513607f87008c536ae99e80726003ce56e`

FE0DFBBC8DDB9D6F6FDE5DC83A53C1E8

Type	`RT_RCDATA`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x7e`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`6.57446`
MD5	`65e2c4803857a9e17e53896e8255df9f`
SHA1	`dc19015f41f9209a33fb8a296bab9ce996dd357c`
SHA256	`e99078c2fb5f8e48e11280ce80afebdeba18c94106e4addb5ead17bdb5036d3f`
SHA3	`93ef69e08f0ade6d34d877ee9318dee4116a3019650aac939b50dc191a7b381c`

1 (#2)

Type	`RT_GROUP_ICON`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x30`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.45849`
Detected Filetype	Icon file
MD5	`409e1724611e0bc39356e2f58888db55`
SHA1	`c06c0e66cc2f7956256e2f018aa0294bfa914960`
SHA256	`6ab18c3b81a5d30c5a190a4504cae807d73b1a4d02d56ffddf641abbb62b7210`
SHA3	`315b2ad40793f4ef885ff4c878169b02c62f619b57780a98a76c8538cd0ee5c9`

1 (#3)

Type	`RT_MANIFEST`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x2a0`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.08821`
MD5	`ffd3b06250ba95d239365ef050b3627b`
SHA1	`16e3981245d8dbd44f33d93b203c02a44f3c2b95`
SHA256	`1c3703755b6e9a690e8eafaa0cc318f667cd5d4c06935b6e3cd07296df9e9dcd`
SHA3	`2c6baa84c172762978837565c2b2ed4f7716c0edaab79bda3a3ef74724426773`

Version Info

TLS Callbacks

Load Configuration

RICH Header

Errors

Leave a comment

No comments yet.