Manalyze report for 89081f2e14e9266de8c042629b764926

Summary

Architecture	`IMAGE_FILE_MACHINE_I386`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	2018-Jun-13 06:17:06
Detected languages	English - United States

Plugin Output

Info	Matching compiler(s):	`Microsoft Visual C++ 6.0 - 8.0`
Malicious	The PE contains functions mostly used by malware.	`[!] The program may be hiding some of its imports: LoadLibraryA GetProcAddress LoadLibraryW` `Functions which can be used for anti-debugging purposes: CreateToolhelp32Snapshot` `Code injection capabilities: OpenProcess VirtualAllocEx WriteProcessMemory` `Functions related to the privilege level: OpenProcessToken AdjustTokenPrivileges` `Manipulates other processes: OpenProcess WriteProcessMemory`
Info	The PE is digitally signed.	`Signer: ORDARA LTD` `Issuer: Symantec Class 3 Extended Validation Code Signing CA - G2`
Malicious	VirusTotal score: 46/70 (Scanned on 2019-10-22 06:21:33)	`MicroWorld-eScan: Trojan.GenericKD.41843578` `CAT-QuickHeal: Trojan.Alreay` `McAfee: Trojan-Banking` `Cylance: Unsafe` `Zillya: Trojan.Alreay.Win32.96` `K7AntiVirus: Riskware ( 0040eff71 )` `BitDefender: Trojan.GenericKD.41843578` `K7GW: Riskware ( 0040eff71 )` `CrowdStrike: win/malicious_confidence_100% (W)` `TrendMicro: TROJ_NOROINHECTOR.ZKGJ` `Symantec: Trojan Horse` `ESET-NOD32: a variant of Generik.CWSORYC` `Paloalto: generic.ml` `ClamAV: Win.Trojan.Alreay-7189192-0` `Kaspersky: Trojan-Banker.Win32.Alreay.gen` `Alibaba: TrojanBanker:Win32/Alreay.53f12375` `Avast: Win32:Malware-gen` `Ad-Aware: Trojan.GenericKD.41843578` `Sophos: Troj/Banker-GYS` `DrWeb: Trojan.Inject3.28611` `VIPRE: Trojan.Win32.Generic!BT` `Invincea: heuristic` `McAfee-GW-Edition: Trojan-Banking` `Trapmine: malicious.high.ml.score` `FireEye: Trojan.GenericKD.41843578` `Emsisoft: Trojan.GenericKD.41843578 (B)` `SentinelOne: DFI - Suspicious PE` `Cyren: W32/Trojan.QCFO-5814` `Jiangmin: Trojan.Banker.Alreay.cg` `Antiy-AVL: Trojan[Banker]/Win32.Alreay` `Microsoft: Trojan:Win32/LazInjector.DD!MSR` `Arcabit: Trojan.Generic.D27E7B7A` `ZoneAlarm: Trojan-Banker.Win32.Alreay.gen` `GData: Trojan.GenericKD.41843578` `AhnLab-V3: HackTool/Win32.Injector.C3480956` `ALYac: Spyware.Banker.Alreay` `MAX: malware (ai score=89)` `VBA32: TrojanBanker.Alreay` `TrendMicro-HouseCall: TROJ_NOROINHECTOR.ZKGJ` `Yandex: Trojan.PWS.Alreay!` `Ikarus: Trojan.Inject` `MaxSecure: Trojan.Malware.9448723.susgen` `Fortinet: W32/Alreay.A!tr` `AVG: Win32:Malware-gen` `Panda: Trj/GdSda.A` `Qihoo-360: Win32/Trojan.9db`

Hashes

MD5	`89081f2e14e9266de8c042629b764926`
SHA1	`730c1b9e950932736fc4b02cbdb4e4e891485ac2`
SHA256	`39cbad3b2aac6298537a85f0463453d54ab2660c913f4f35ba98fffeb0b15655`
SHA3	`1835a486aa47afe235e57c576d259cfab0a9defeed5e4f77528faa0bfecd8b23`
SSDeep	`768:aQ1PWoWzXyjJsTKJUniYs1pdLn4nDT622YuYDIhscWTJqLPNofEDy9nAXmIEHbKa:aQ5WDziX+nD0LWT6FYZDgs5ULPIJEYp`
Imports Hash	`c9febdea3218b92a46f739082f26471e`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0xf0`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_I386`
NumberofSections	`5`
TimeDateStamp	2018-Jun-13 06:17:06
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xe0`
Characteristics	`IMAGE_FILE_32BIT_MACHINE` `IMAGE_FILE_EXECUTABLE_IMAGE`

Image Optional Header

Magic	`PE32`
LinkerVersion	`10.0`
SizeOfCode	`0x9800`
SizeOfInitializedData	`0x4a00`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x00001FD7 (Section: .text)`
BaseOfCode	`0x1000`
BaseOfData	`0xb000`
ImageBase	`0x400000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`5.1`
ImageVersion	`0.0`
SubsystemVersion	`5.1`
Win32VersionValue	`0`
SizeOfImage	`0x13000`
SizeOfHeaders	`0x400`
Checksum	`0x14afd`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` `IMAGE_DLLCHARACTERISTICS_NX_COMPAT` `IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`a8c0a36524287fef367821e833a68350`
SHA1	`bbf7b5e1a0969a8bfc27ae91c7f4aade01ee1dc0`
SHA256	`2dee95905aec27baf31cef6f10814a955c0106858ebe8faab7c37b14235ada1a`
SHA3	`965354c676cca2baea1d362ee344de8843f863622bf57257b860982eeb958994`
VirtualSize	`0x9748`
VirtualAddress	`0x1000`
SizeOfRawData	`0x9800`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.51866`

.rdata

MD5	`e1c66ff8e5f0e1909e2691360c974420`
SHA1	`d05cf35c6368efd03d5932e7fb71ba59e209c974`
SHA256	`469eddd23fd14758b18cba12f8c7867845c444961166f9ba98b502436e33d050`
SHA3	`1b4d013446e9f564bd205133c33b12784da5c730772c17b04b0706d643066cf3`
VirtualSize	`0x28ca`
VirtualAddress	`0xb000`
SizeOfRawData	`0x2a00`
PointerToRawData	`0x9c00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`4.87802`

.data

MD5	`22783e6c2539d6828f3d42b030ca08e9`
SHA1	`ab79ef52468d346d2ee2c0df995c5dcc09d3848e`
SHA256	`30bcff74dd148f790aef0db7afbc35d687bb7a3141cfb3571b24321a25f0f52b`
SHA3	`dcc6fe6876d7f0cd5c40ab2727b7966edf37429468b5d8ee3601f6223e49bf83`
VirtualSize	`0x2cc4`
VirtualAddress	`0xe000`
SizeOfRawData	`0x1000`
PointerToRawData	`0xc600`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`2.11793`

.rsrc

MD5	`81195ca9b22c050f79e44175e9e7150e`
SHA1	`c5ab2bb5fd494c24e57c83dc6bb902eaa0dc7c30`
SHA256	`3329dcfd3c785098e3d024dda1387ee950cdd4a2a857337a8006952114611c09`
SHA3	`97bccdfe004270d5acf25793824aae6354bbc9b178b4150052a389dea07aad30`
VirtualSize	`0x1b4`
VirtualAddress	`0x11000`
SizeOfRawData	`0x200`
PointerToRawData	`0xd600`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`5.10501`

.reloc

MD5	`36571bcb45b1ae18dfcf7edc8c5c3d4a`
SHA1	`ea18da9874bb483a66f3cc79472efa461aafae28`
SHA256	`f41adf6fec6bf1ce08e52f5c7429add84ffe4a12065611b3840bf3b25aa5fdb9`
SHA3	`2fa24b803491cb54838390bc263cc2dfabd51aa8767a9286c99258e7c4b7e162`
VirtualSize	`0xd46`
VirtualAddress	`0x12000`
SizeOfRawData	`0xe00`
PointerToRawData	`0xd800`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`4.79123`

Imports

KERNEL32.dll	`LoadLibraryA` `GetLastError` `OpenProcess` `VirtualAllocEx` `WriteProcessMemory` `GetProcAddress` `WaitForSingleObject` `CreateToolhelp32Snapshot` `Module32First` `Module32Next` `CloseHandle` `GetCurrentProcess` `GetModuleHandleA` `GetLocalTime` `GetModuleHandleW` `ExitProcess` `DecodePointer` `GetCommandLineA` `HeapSetInformation` `GetStartupInfoW` `TerminateProcess` `UnhandledExceptionFilter` `SetUnhandledExceptionFilter` `IsDebuggerPresent` `EncodePointer` `EnterCriticalSection` `LeaveCriticalSection` `InitializeCriticalSectionAndSpinCount` `RtlUnwind` `SetHandleCount` `GetStdHandle` `GetFileType` `DeleteCriticalSection` `HeapFree` `LoadLibraryW` `TlsAlloc` `TlsGetValue` `TlsSetValue` `TlsFree` `InterlockedIncrement` `SetLastError` `GetCurrentThreadId` `InterlockedDecrement` `WriteFile` `GetModuleFileNameW` `GetModuleFileNameA` `FreeEnvironmentStringsW` `WideCharToMultiByte` `GetEnvironmentStringsW` `HeapCreate` `QueryPerformanceCounter` `GetTickCount` `GetCurrentProcessId` `GetSystemTimeAsFileTime` `SetFilePointer` `GetConsoleCP` `GetConsoleMode` `GetCPInfo` `GetACP` `GetOEMCP` `IsValidCodePage` `Sleep` `CreateFileA` `SetStdHandle` `FlushFileBuffers` `HeapSize` `WriteConsoleW` `MultiByteToWideChar` `LCMapStringW` `GetStringTypeW` `HeapAlloc` `HeapReAlloc` `IsProcessorFeaturePresent` `SetEndOfFile` `GetProcessHeap` `ReadFile` `CreateFileW`
ADVAPI32.dll	`LookupPrivilegeValueA` `OpenProcessToken` `AdjustTokenPrivileges`
SHLWAPI.dll	`PathFileExistsA`

Delayed Imports

1

Type	`RT_MANIFEST`
Language	English - United States
Codepage	Latin 1 / Western European
Size	`0x15a`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`4.79597`
MD5	`24d3b502e1846356b0263f945ddd5529`
SHA1	`bac45b86a9c48fc3756a46809c101570d349737d`
SHA256	`49a60be4b95b6d30da355a0c124af82b35000bce8f24f957d1c09ead47544a1e`
SHA3	`1244ed60820da52dc4b53880ec48e3b587dbdbd9545f01fa2b1c0fcfea1d5e9e`

Version Info

TLS Callbacks

Load Configuration

Size	`0x48`
TimeDateStamp	`1970-Jan-01 00:00:00`
Version	`0.0`
GlobalFlagsClear	`(EMPTY)`
GlobalFlagsSet	`(EMPTY)`
CriticalSectionDefaultTimeout	`0`
DeCommitFreeBlockThreshold	`0`
DeCommitTotalFreeThreshold	`0`
LockPrefixTable	`0`
MaximumAllocationSize	`0`
VirtualMemoryThreshold	`0`
ProcessAffinityMask	`0`
ProcessHeapFlags	`(EMPTY)`
CSDVersion	`0`
Reserved1	`0`
EditList	`0`
SecurityCookie	`0x40e004`
SEHandlerTable	`0x40cdb0`
SEHandlerCount	`3`

RICH Header

XOR Key	`0x557b9d30`
Unmarked objects	`0`
152 (20115)	`1`
C++ objects (VS2010 build 30319)	`25`
ASM objects (VS2010 build 30319)	`14`
C objects (VS2010 build 30319)	`98`
Imports (VS2008 SP1 build 30729)	`7`
Total imports	`92`
175 (VS2010 build 30319)	`2`
Linker (VS2010 build 30319)	`1`

89081f2e14e9266de8c042629b764926

Summary

Plugin Output

Hashes

DOS Header

PE Header

Image Optional Header

.text

.rdata

.data

.rsrc

.reloc

Imports

Delayed Imports

1

Version Info

TLS Callbacks

Load Configuration

RICH Header

Errors