89081f2e14e9266de8c042629b764926

Summary

Architecture IMAGE_FILE_MACHINE_I386
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date 2018-Jun-13 06:17:06
Detected languages English - United States

Plugin Output

Info Matching compiler(s): Microsoft Visual C++ 6.0 - 8.0
Malicious The PE contains functions mostly used by malware. [!] The program may be hiding some of its imports:
  • LoadLibraryA
  • GetProcAddress
  • LoadLibraryW
Functions which can be used for anti-debugging purposes:
  • CreateToolhelp32Snapshot
Code injection capabilities:
  • OpenProcess
  • VirtualAllocEx
  • WriteProcessMemory
Functions related to the privilege level:
  • OpenProcessToken
  • AdjustTokenPrivileges
Manipulates other processes:
  • OpenProcess
  • WriteProcessMemory
Info The PE is digitally signed. Signer: ORDARA LTD
Issuer: Symantec Class 3 Extended Validation Code Signing CA - G2
Malicious VirusTotal score: 42/70 (Scanned on 2019-10-08 00:34:06) MicroWorld-eScan: Trojan.GenericKD.41843578
CAT-QuickHeal: Trojan.Alreay
McAfee: Trojan-Banking
Cylance: Unsafe
Zillya: Trojan.Alreay.Win32.96
K7AntiVirus: Riskware ( 0040eff71 )
Alibaba: TrojanBanker:Win32/Alreay.53f12375
K7GW: Riskware ( 0040eff71 )
TrendMicro: TROJ_FRS.VSNTIU19
Symantec: Trojan Horse
Paloalto: generic.ml
ClamAV: Win.Trojan.Alreay-7189192-0
Kaspersky: Trojan-Banker.Win32.Alreay.gen
BitDefender: Trojan.GenericKD.41843578
Emsisoft: Trojan.GenericKD.41843578 (B)
VIPRE: Trojan.Win32.Generic!BT
McAfee-GW-Edition: Trojan-Banking
MaxSecure: Trojan.Malware.9448723.susgen
Trapmine: malicious.high.ml.score
Sophos: Mal/Generic-S
SentinelOne: DFI - Suspicious PE
Cyren: W32/Trojan.QCFO-5814
Jiangmin: Trojan.Banker.Alreay.cg
Fortinet: W32/Alreay.A!tr
Arcabit: Trojan.Generic.D27E7B7A
ZoneAlarm: Trojan-Banker.Win32.Alreay.gen
Microsoft: Trojan:Win32/LazInjector.DD!MSR
AhnLab-V3: HackTool/Win32.Injector.C3480956
ALYac: Spyware.Banker.Alreay
MAX: malware (ai score=89)
VBA32: TrojanBanker.Alreay
Panda: Trj/GdSda.A
ESET-NOD32: a variant of Generik.CWSORYC
TrendMicro-HouseCall: TROJ_FRS.VSNTIU19
Tencent: Win32.Trojan.Falsesign.Dyzw
Ikarus: Trojan.Inject
GData: Trojan.GenericKD.41843578
Ad-Aware: Trojan.GenericKD.41843578
AVG: Win32:Malware-gen
Avast: Win32:Malware-gen
CrowdStrike: win/malicious_confidence_100% (W)
Qihoo-360: Win32/Trojan.9db

Hashes

MD5 89081f2e14e9266de8c042629b764926
SHA1 730c1b9e950932736fc4b02cbdb4e4e891485ac2
SHA256 39cbad3b2aac6298537a85f0463453d54ab2660c913f4f35ba98fffeb0b15655
SHA3 1835a486aa47afe235e57c576d259cfab0a9defeed5e4f77528faa0bfecd8b23
SSDeep 768:aQ1PWoWzXyjJsTKJUniYs1pdLn4nDT622YuYDIhscWTJqLPNofEDy9nAXmIEHbKa:aQ5WDziX+nD0LWT6FYZDgs5ULPIJEYp
Imports Hash c9febdea3218b92a46f739082f26471e

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0xf0

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_I386
NumberofSections 5
TimeDateStamp 2018-Jun-13 06:17:06
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xe0
Characteristics IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE

Image Optional Header

Magic PE32
LinkerVersion 10.0
SizeOfCode 0x9800
SizeOfInitializedData 0x4a00
SizeOfUninitializedData 0
AddressOfEntryPoint 0x00001FD7 (Section: .text)
BaseOfCode 0x1000
BaseOfData 0xb000
ImageBase 0x400000
SectionAlignment 0x1000
FileAlignment 0x200
OperatingSystemVersion 5.1
ImageVersion 0.0
SubsystemVersion 5.1
Win32VersionValue 0
SizeOfImage 0x13000
SizeOfHeaders 0x400
Checksum 0x14afd
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
DllCharacteristics IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
SizeofStackReserve 0x100000
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

.text

MD5 a8c0a36524287fef367821e833a68350
SHA1 bbf7b5e1a0969a8bfc27ae91c7f4aade01ee1dc0
SHA256 2dee95905aec27baf31cef6f10814a955c0106858ebe8faab7c37b14235ada1a
SHA3 965354c676cca2baea1d362ee344de8843f863622bf57257b860982eeb958994
VirtualSize 0x9748
VirtualAddress 0x1000
SizeOfRawData 0x9800
PointerToRawData 0x400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
Entropy 6.51866

.rdata

MD5 e1c66ff8e5f0e1909e2691360c974420
SHA1 d05cf35c6368efd03d5932e7fb71ba59e209c974
SHA256 469eddd23fd14758b18cba12f8c7867845c444961166f9ba98b502436e33d050
SHA3 1b4d013446e9f564bd205133c33b12784da5c730772c17b04b0706d643066cf3
VirtualSize 0x28ca
VirtualAddress 0xb000
SizeOfRawData 0x2a00
PointerToRawData 0x9c00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 4.87802

.data

MD5 22783e6c2539d6828f3d42b030ca08e9
SHA1 ab79ef52468d346d2ee2c0df995c5dcc09d3848e
SHA256 30bcff74dd148f790aef0db7afbc35d687bb7a3141cfb3571b24321a25f0f52b
SHA3 dcc6fe6876d7f0cd5c40ab2727b7966edf37429468b5d8ee3601f6223e49bf83
VirtualSize 0x2cc4
VirtualAddress 0xe000
SizeOfRawData 0x1000
PointerToRawData 0xc600
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 2.11793

.rsrc

MD5 81195ca9b22c050f79e44175e9e7150e
SHA1 c5ab2bb5fd494c24e57c83dc6bb902eaa0dc7c30
SHA256 3329dcfd3c785098e3d024dda1387ee950cdd4a2a857337a8006952114611c09
SHA3 97bccdfe004270d5acf25793824aae6354bbc9b178b4150052a389dea07aad30
VirtualSize 0x1b4
VirtualAddress 0x11000
SizeOfRawData 0x200
PointerToRawData 0xd600
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 5.10501

.reloc

MD5 36571bcb45b1ae18dfcf7edc8c5c3d4a
SHA1 ea18da9874bb483a66f3cc79472efa461aafae28
SHA256 f41adf6fec6bf1ce08e52f5c7429add84ffe4a12065611b3840bf3b25aa5fdb9
SHA3 2fa24b803491cb54838390bc263cc2dfabd51aa8767a9286c99258e7c4b7e162
VirtualSize 0xd46
VirtualAddress 0x12000
SizeOfRawData 0xe00
PointerToRawData 0xd800
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Entropy 4.79123

Imports

KERNEL32.dll LoadLibraryA
GetLastError
OpenProcess
VirtualAllocEx
WriteProcessMemory
GetProcAddress
WaitForSingleObject
CreateToolhelp32Snapshot
Module32First
Module32Next
CloseHandle
GetCurrentProcess
GetModuleHandleA
GetLocalTime
GetModuleHandleW
ExitProcess
DecodePointer
GetCommandLineA
HeapSetInformation
GetStartupInfoW
TerminateProcess
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
EncodePointer
EnterCriticalSection
LeaveCriticalSection
InitializeCriticalSectionAndSpinCount
RtlUnwind
SetHandleCount
GetStdHandle
GetFileType
DeleteCriticalSection
HeapFree
LoadLibraryW
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
InterlockedIncrement
SetLastError
GetCurrentThreadId
InterlockedDecrement
WriteFile
GetModuleFileNameW
GetModuleFileNameA
FreeEnvironmentStringsW
WideCharToMultiByte
GetEnvironmentStringsW
HeapCreate
QueryPerformanceCounter
GetTickCount
GetCurrentProcessId
GetSystemTimeAsFileTime
SetFilePointer
GetConsoleCP
GetConsoleMode
GetCPInfo
GetACP
GetOEMCP
IsValidCodePage
Sleep
CreateFileA
SetStdHandle
FlushFileBuffers
HeapSize
WriteConsoleW
MultiByteToWideChar
LCMapStringW
GetStringTypeW
HeapAlloc
HeapReAlloc
IsProcessorFeaturePresent
SetEndOfFile
GetProcessHeap
ReadFile
CreateFileW
ADVAPI32.dll LookupPrivilegeValueA
OpenProcessToken
AdjustTokenPrivileges
SHLWAPI.dll PathFileExistsA

Delayed Imports

1

Type RT_MANIFEST
Language English - United States
Codepage Latin 1 / Western European
Size 0x15a
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 4.79597
MD5 24d3b502e1846356b0263f945ddd5529
SHA1 bac45b86a9c48fc3756a46809c101570d349737d
SHA256 49a60be4b95b6d30da355a0c124af82b35000bce8f24f957d1c09ead47544a1e
SHA3 1244ed60820da52dc4b53880ec48e3b587dbdbd9545f01fa2b1c0fcfea1d5e9e

Version Info

TLS Callbacks

Load Configuration

Size 0x48
TimeDateStamp 1970-Jan-01 00:00:00
Version 0.0
GlobalFlagsClear (EMPTY)
GlobalFlagsSet (EMPTY)
CriticalSectionDefaultTimeout 0
DeCommitFreeBlockThreshold 0
DeCommitTotalFreeThreshold 0
LockPrefixTable 0
MaximumAllocationSize 0
VirtualMemoryThreshold 0
ProcessAffinityMask 0
ProcessHeapFlags (EMPTY)
CSDVersion 0
Reserved1 0
EditList 0
SecurityCookie 0x40e004
SEHandlerTable 0x40cdb0
SEHandlerCount 3

RICH Header

XOR Key 0x557b9d30
Unmarked objects 0
152 (20115) 1
C++ objects (VS2010 build 30319) 25
ASM objects (VS2010 build 30319) 14
C objects (VS2010 build 30319) 98
Imports (VS2008 SP1 build 30729) 7
Total imports 92
175 (VS2010 build 30319) 2
Linker (VS2010 build 30319) 1

Errors