Manalyze report for 84882c9d43e23d63b82004fae74ebb61

Summary

Architecture	`IMAGE_FILE_MACHINE_I386`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	2010-Sep-28 01:00:25

Plugin Output

Info	Matching compiler(s):	`Microsoft Visual C++ 6.0 DLL (Debug)` `Microsoft Visual C++ 6.0 DLL` `Microsoft Visual C++`
Suspicious	Strings found in the binary may indicate undesirable behavior:	`May have dropper capabilities: CurrentControlSet\Services` `Miscellaneous malware strings: cmd.exe` `Contains domain names: practicalmalwareanalysis.com`
Suspicious	The PE is packed or was manually edited.	`The number of imports reported in the RICH header is inconsistent.`
Suspicious	The PE contains functions most legitimate programs don't use.	`[!] The program may be hiding some of its imports: LoadLibraryA GetProcAddress` `Can access the registry: RegOpenKeyExA RegQueryValueExA RegCloseKey RegCreateKeyA RegSetValueExA` `Possibly launches other programs: CreateProcessA` `Has Internet access capabilities: InternetCloseHandle InternetOpenA InternetConnectA InternetReadFile` `Leverages the raw socket API to access the Internet: inet_addr WSASocketA closesocket connect ioctlsocket send select __WSAFDIsSet recv shutdown WSAStartup gethostname WSACleanup htons` `Interacts with services: OpenServiceA DeleteService OpenSCManagerA CreateServiceA`
Suspicious	The file contains overlay data.	`1 bytes of data starting at offset 0x5e00.`
Malicious	VirusTotal score: 59/70 (Scanned on 2024-04-17 04:56:08)	`ALYac: Gen:Variant.Ulise.173672` `APEX: Malicious` `AVG: Win32:TrojanX-gen [Trj]` `AhnLab-V3: Trojan/Win32.Xema.C93063` `Alibaba: Backdoor:Win32/Connapts.eafdbb07` `Antiy-AVL: Trojan[Backdoor]/Win32.Agent` `Arcabit: Trojan.Ulise.D2A668` `Avast: Win32:TrojanX-gen [Trj]` `Avira: BDS/Backdoor.Gen` `BitDefender: Gen:Variant.Ulise.173672` `BitDefenderTheta: Gen:NN.ZedlaF.36802.bq5@aq5eUxk` `Bkav: W32.Common.2A32BB94` `ClamAV: Win.Trojan.Agent-385568` `CrowdStrike: win/malicious_confidence_100% (W)` `Cylance: unsafe` `Cynet: Malicious (score: 100)` `DeepInstinct: MALICIOUS` `DrWeb: BackDoor.Siggen.38566` `ESET-NOD32: a variant of Win32/Small.NDX` `Emsisoft: Gen:Variant.Ulise.173672 (B)` `F-Secure: Backdoor.BDS/Backdoor.Gen` `FireEye: Generic.mg.84882c9d43e23d63` `Fortinet: W32/Small.NDX!tr` `GData: Gen:Variant.Ulise.173672` `Google: Detected` `Ikarus: Trojan.Win32.Small` `Jiangmin: Backdoor/Agent.csty` `K7AntiVirus: Trojan ( 00036ba91 )` `K7GW: Trojan ( 00036ba91 )` `Kaspersky: Backdoor.Win32.Agent.gmlh` `Kingsoft: malware.kb.a.1000` `MAX: malware (ai score=100)` `Malwarebytes: Trojan.Agent.LB` `MaxSecure: Trojan.Malware.2971735.susgen` `McAfee: GenericRXGO-KC!84882C9D43E2` `MicroWorld-eScan: Gen:Variant.Ulise.173672` `Microsoft: Trojan:Win32/Connapts` `NANO-Antivirus: Trojan.Win32.MLW.dylhy` `Rising: Backdoor.Agent!8.C5D (TFE:5:cnvQz3sOcPP)` `SUPERAntiSpyware: Backdoor.Bot/Variant` `Sangfor: Suspicious.Win32.Save.ins` `SentinelOne: Static AI - Malicious PE` `Skyhigh: GenericRXGO-KC!84882C9D43E2` `Sophos: Troj/Small-EVG` `Symantec: ML.Attribute.HighConfidence` `TACHYON: Backdoor/W32.Agent.24065` `Tencent: Malware.Win32.Gencirc.10bfa4ee` `TrendMicro: TROJ_GEN.R002C0DBA22` `TrendMicro-HouseCall: TROJ_GEN.R002C0DBA22` `VBA32: BScope.Trojan.Tiggre` `VIPRE: Gen:Variant.Ulise.173672` `Varist: W32/Small.RKJT-5458` `ViRobot: Backdoor.Win32.A.Agent.24064.B` `VirIT: Trojan.Win32.Generic.CABJ` `Webroot: W32.Malware.Gen` `Xcitium: TrojWare.Win32.Small.dy39@4owfj9` `Zillya: Backdoor.Agent.Win32.31812` `ZoneAlarm: Backdoor.Win32.Agent.gmlh` `alibabacloud: Backdoor:Win/Ulise`

Hashes

MD5	`84882c9d43e23d63b82004fae74ebb61`
SHA1	`c6fb3b50d946bec6f391aefa4e54478cf8607211`
SHA256	`5eced7367ed63354b4ed5c556e2363514293f614c2c2eb187273381b2ef5f0f9`
SHA3	`81adad8a1937d1ded3827cd9a01861777fb784bff1399ef1ce6744f4c03bf131`
SSDeep	`384:NcTA0TAKHWYvVvUYGXFgeJGjHwTACLPkIdSgbl/xAIrWdhoQsxRiAHz:NcTA0TAK2y2oBCbH4gtxrWd5sxRL`
Imports Hash	`3167552ee0bbbd4f5f440adf5f65bab8`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0xe8`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_I386`
NumberofSections	`4`
TimeDateStamp	2010-Sep-28 01:00:25
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xe0`
Characteristics	`IMAGE_FILE_32BIT_MACHINE` `IMAGE_FILE_DLL` `IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LINE_NUMS_STRIPPED` `IMAGE_FILE_LOCAL_SYMS_STRIPPED`

Image Optional Header

Magic	`PE32`
LinkerVersion	`6.0`
SizeOfCode	`0x4000`
SizeOfInitializedData	`0xca00`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x00004E4D (Section: .text)`
BaseOfCode	`0x1000`
BaseOfData	`0x5000`
ImageBase	`0x10000000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`4.0`
ImageVersion	`0.0`
SubsystemVersion	`4.0`
Win32VersionValue	`0`
SizeOfImage	`0x13000`
SizeOfHeaders	`0x400`
Checksum	`0`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`188fa2537376e3fdf990f1a6efa2da14`
SHA1	`43a1ba459135f8051dd552e255b090b2018b440a`
SHA256	`995301cea5be7b49dca32740cf9531d93bcc33e4222e31e47bd3eaaaac608d82`
SHA3	`d2d6c857fb47514d5a57097ef887ce58666448f24081327d0986f3ef807b9e4f`
VirtualSize	`0x3f0a`
VirtualAddress	`0x1000`
SizeOfRawData	`0x4000`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.33707`

.rdata

MD5	`f8f5fc8eff8ab73b75fe51a9fdfa8fed`
SHA1	`7cb25bb5d19a23a6bca09f7276508026b68348e6`
SHA256	`abc4e183a6f9f3db0030e27e43a7aa7a920d02814e33b5ad59f20a3475afdca1`
SHA3	`e714e1cf56a461c32d00c70ab8e2ed2206581466b13882c489017d7c317ddd79`
VirtualSize	`0x9a9`
VirtualAddress	`0x5000`
SizeOfRawData	`0xa00`
PointerToRawData	`0x4400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`4.78487`

.data

MD5	`3826470c54ff98ca8bc080250599bd93`
SHA1	`389c020c28bc64a1e33a1fd620476bf5dd18674e`
SHA256	`c8fcb209673d0b572610bcb409fd8a0271cef27df0ede631001a3f49a11cb3d6`
SHA3	`8d4de4e7f57a18dd2c75eade86e83d6a7a5ce729c73315ac72b8f61b92ddc54c`
VirtualSize	`0xb5c8`
VirtualAddress	`0x6000`
SizeOfRawData	`0x600`
PointerToRawData	`0x4e00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`4.91595`

.reloc

MD5	`be394ac1ebb22951e9e07ce1416a1524`
SHA1	`fa959884281b4dd9e81d1a6d0c8f185feb8537b5`
SHA256	`432ec450369af7dcde7b3948e926f4962c7bb6770b01cb9208cf475550bb4916`
SHA3	`b9a695cb804884dff29a9c57a0f6fce1845c8474cc08d2c8492997e6dc77bed7`
VirtualSize	`0x83c`
VirtualAddress	`0x12000`
SizeOfRawData	`0xa00`
PointerToRawData	`0x5400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`5.58396`

Imports

KERNEL32.dll	`GetStartupInfoA` `CreatePipe` `GetCurrentDirectoryA` `CreateProcessA` `lstrlenA` `SetLastError` `OutputDebugStringA` `CloseHandle` `ReadFile` `GetTempPathA` `GetLongPathNameA` `LoadLibraryA` `GetProcAddress` `CreateThread` `GetSystemTime` `WaitForSingleObject` `TerminateThread` `Sleep` `GetLastError` `GetModuleFileNameA`
ADVAPI32.dll	`OpenServiceA` `DeleteService` `RegOpenKeyExA` `RegQueryValueExA` `RegCloseKey` `OpenSCManagerA` `CreateServiceA` `CloseServiceHandle` `RegCreateKeyA` `RegSetValueExA` `RegisterServiceCtrlHandlerA` `SetServiceStatus`
WS2_32.dll	`inet_addr` `WSASocketA` `closesocket` `connect` `ioctlsocket` `send` `select` `__WSAFDIsSet` `recv` `shutdown` `WSAStartup` `gethostname` `WSACleanup` `htons`
WININET.dll	`InternetCloseHandle` `InternetOpenA` `InternetConnectA` `HttpOpenRequestA` `HttpSendRequestA` `HttpQueryInfoA` `InternetReadFile`
MSVCRT.dll	`_chdir` `_strnicmp` `_adjust_fdiv` `malloc` `_initterm` `free` `??1type_info@@UAE@XZ` `_except_handler3` `_CxxThrowException` `_stricmp` `_EH_prolog` `__CxxFrameHandler` `strchr` `_itoa` `strstr` `strncat` `strlen` `sscanf` `atol` `??2@YAPAXI@Z` `memset` `wcstombs` `strncpy` `strcat` `strcpy` `atoi` `fclose` `fflush` `??3@YAXPAX@Z` `fwrite` `fopen` `strrchr`

Delayed Imports

Install

Ordinal	`1`
Address	`0x4706`

ServiceMain

Ordinal	`2`
Address	`0x3196`

UninstallService

Ordinal	`3`
Address	`0x4b18`

installA

Ordinal	`4`
Address	`0x4b0b`

uninstallA

Ordinal	`5`
Address	`0x4c2b`

Version Info

TLS Callbacks

Load Configuration

RICH Header

XOR Key	`0x93f51bde`
Unmarked objects	`0`
12 (7291)	`4`
14 (7299)	`2`
C objects (VS98 build 8168)	`4`
Unmarked objects (#2)	`9`
Total imports	`80`
19 (8034)	`7`
C++ objects (VS98 build 8168)	`3`
Linker (VS98 build 8168)	`3`

84882c9d43e23d63b82004fae74ebb61

Summary

Plugin Output

Hashes

DOS Header

PE Header

Image Optional Header

.text

.rdata

.data

.reloc

Imports

Delayed Imports

Install

ServiceMain

UninstallService

installA

uninstallA

Version Info

TLS Callbacks

Load Configuration

RICH Header

Errors