Manalyze report for 896b2d4e183f01d806abc7ecb8f7fb9f

Summary

Architecture	`IMAGE_FILE_MACHINE_I386`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_CUI`
Compilation Date	2012-May-25 09:26:27

Plugin Output

Info	Matching compiler(s):	`Microsoft Visual C++ 6.0 - 8.0`
Info	Cryptographic algorithms detected in the binary:	`Uses constants related to CRC32`
Suspicious	The PE contains functions most legitimate programs don't use.	`[!] The program may be hiding some of its imports: GetProcAddress LoadLibraryA LoadLibraryExA LoadLibraryW` `Possibly launches other programs: CreateProcessW` `Can create temporary files: GetTempPathA CreateFileA CreateFileW` `Leverages the raw socket API to access the Internet: #14` `Enumerates local disk drives: GetDriveTypeA GetDriveTypeW`
Suspicious	The file contains overlay data.	`2574716 bytes of data starting at offset 0x2ac00.` `The overlay data has an entropy of 7.99848 and is possibly compressed or encrypted.` `Overlay data amounts for 93.6322% of the executable.`
Suspicious	VirusTotal score: 2/61 (Scanned on 2017-06-06 11:01:34)	`TheHacker: Backdoor/Swrort.xx` `Ikarus: Trojan.Win32.Rozena`

Hashes

MD5	`896b2d4e183f01d806abc7ecb8f7fb9f`
SHA1	`1a1c42f1b11e2baab63c025723b0f7a5536ae9c8`
SHA256	`4377b5827de0a31462cf138760d865faa58815e073e58467086c95515715c462`
SHA3	`582061a43426d91c2c4480221aea13c26a9dbfbe571e5cc43238ec48a277233d`
SSDeep	`49152:TB1vTRMqV4qfL5fZXoFfSbqgG23TSPfxWw8zJFtoTMarvBFHBJsFeZ:5Mg4qlhoFfSbqgGEGPfx1cdfabXHAFeZ`
Imports Hash	`f7dc793714baacbb19b7e8e0b75e1520`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0xe8`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_I386`
NumberofSections	`5`
TimeDateStamp	2012-May-25 09:26:27
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xe0`
Characteristics	`IMAGE_FILE_32BIT_MACHINE` `IMAGE_FILE_EXECUTABLE_IMAGE`

Image Optional Header

Magic	`PE32`
LinkerVersion	`10.0`
SizeOfCode	`0x12e00`
SizeOfInitializedData	`0x19a00`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x000090A5 (Section: .text)`
BaseOfCode	`0x1000`
BaseOfData	`0x14000`
ImageBase	`0x400000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`5.1`
ImageVersion	`0.0`
SubsystemVersion	`5.1`
Win32VersionValue	`0`
SizeOfImage	`0x30000`
SizeOfHeaders	`0x400`
Checksum	`0`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_CUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` `IMAGE_DLLCHARACTERISTICS_NX_COMPAT` `IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`5b1cc10c8ca4cd45142164e392555134`
SHA1	`8b325de1fe5bb2a315915e1d76fb590add049573`
SHA256	`bc5fe8c887f72d0a222a117e6c6e451cd5bfc31f5a36e2cf75daa0247abeafb0`
SHA3	`d2846149ffe56a1607d701824df03b77b5f1875e357ab5a8a70f6784d58af5e2`
VirtualSize	`0x12da7`
VirtualAddress	`0x1000`
SizeOfRawData	`0x12e00`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.6211`

.rdata

MD5	`9e6630364272930f6e32b35917364f5f`
SHA1	`106cdd3088ca2c0f032dfa281cff4f357f8f7fb6`
SHA256	`b27438dbe8fc203556643d2c60c3cf33e97a98a14ab173eb4c22c22d49ed81ee`
SHA3	`9397c9dfc0cca58f41d94cc0612f75d17591bae61f5abdc0cccaa8b98cf8b1c0`
VirtualSize	`0x6438`
VirtualAddress	`0x14000`
SizeOfRawData	`0x6600`
PointerToRawData	`0x13200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`6.39579`

.data

MD5	`3ecbde031d43bb78b5f14dd296ef2a80`
SHA1	`b6ea1bb1ff6fee456f8b553674a85b67f23f8568`
SHA256	`56920996b39fdd298ea82f82fc02a2cf7cdb903893952f034c0699cd6d786b0c`
SHA3	`8998833edaf304a76e98b5adc49e2716dd94f41ab0213f17036627be89dff481`
VirtualSize	`0x3168`
VirtualAddress	`0x1b000`
SizeOfRawData	`0x1200`
PointerToRawData	`0x19800`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`2.05835`

.rsrc

MD5	`41f68afb8277dffe2fb6dd0e5ff81c29`
SHA1	`856016b366f871316bc0f28720ef54bba08e7b26`
SHA256	`de978c2d04017b3e14e521eeaaf5f9268a717c9a01bc4c8ac3c0b47f6219f535`
SHA3	`33860eac3057475096f7f664757dcebbb5f6a674751838eabc0711786e4a2c57`
VirtualSize	`0xea38`
VirtualAddress	`0x1f000`
SizeOfRawData	`0xec00`
PointerToRawData	`0x1aa00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`7.29695`

.reloc

MD5	`a19fb5ab87d01625441fe2904afdd3d4`
SHA1	`bbeefc1ddb1405afb28ab68c751eab556312260c`
SHA256	`9672f883455d9fc411dbd4c7f332aa8c2702c11e21da364b961324d0cd9d954e`
SHA3	`94b7f78d1754df52d5c73b2781a09c60e3f8e5e74abbe965298fdcce44f6879a`
VirtualSize	`0x1444`
VirtualAddress	`0x2e000`
SizeOfRawData	`0x1600`
PointerToRawData	`0x29600`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`5.04304`

Imports

KERNEL32.dll	`GetVersionExA` `GetProcAddress` `LoadLibraryA` `GetModuleFileNameA` `GetModuleFileNameW` `GetExitCodeProcess` `WaitForSingleObject` `CreateProcessW` `GetCommandLineW` `GetStartupInfoW` `GetTempPathA` `GetLastError` `LoadLibraryExA` `Sleep` `RemoveDirectoryA` `CreateDirectoryA` `SetStdHandle` `EnterCriticalSection` `InitializeCriticalSectionAndSpinCount` `LeaveCriticalSection` `GetFileType` `DecodePointer` `EncodePointer` `SetConsoleCtrlHandler` `HeapFree` `FindClose` `FileTimeToSystemTime` `FileTimeToLocalFileTime` `GetDriveTypeA` `FindFirstFileExA` `HeapAlloc` `DeleteFileA` `FindNextFileA` `GetCommandLineA` `HeapSetInformation` `TerminateProcess` `GetCurrentProcess` `UnhandledExceptionFilter` `SetUnhandledExceptionFilter` `IsDebuggerPresent` `IsProcessorFeaturePresent` `RtlUnwind` `SetHandleCount` `GetStdHandle` `DeleteCriticalSection` `GetModuleHandleW` `ExitProcess` `TlsAlloc` `TlsGetValue` `TlsSetValue` `TlsFree` `InterlockedIncrement` `SetLastError` `GetCurrentThreadId` `InterlockedDecrement` `HeapCreate` `WideCharToMultiByte` `GetFullPathNameA` `CloseHandle` `GetFileInformationByHandle` `PeekNamedPipe` `CreateFileA` `GetCurrentDirectoryW` `GetFileAttributesA` `MultiByteToWideChar` `ReadFile` `SetFilePointer` `WriteFile` `GetConsoleCP` `GetConsoleMode` `FreeEnvironmentStringsW` `GetEnvironmentStringsW` `QueryPerformanceCounter` `GetTickCount` `GetCurrentProcessId` `GetSystemTimeAsFileTime` `GetCPInfo` `GetACP` `GetOEMCP` `IsValidCodePage` `HeapReAlloc` `LoadLibraryW` `FlushFileBuffers` `CompareStringW` `SetEnvironmentVariableA` `GetDriveTypeW` `SetEndOfFile` `GetProcessHeap` `GetTimeZoneInformation` `LCMapStringW` `WriteConsoleW` `GetStringTypeW` `HeapSize` `CreateFileW` `SetEnvironmentVariableW`
WS2_32.dll	`#14`

Delayed Imports

1

Type	`RT_ICON`
Language	UNKNOWN
Codepage	UNKNOWN
Size	`0xea8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.58652`
MD5	`008578f1b7acebecd90bf1f3ac6ee061`
SHA1	`a013b9ba662b5244fd84a9d09404e999dc6333ad`
SHA256	`e77bc44fd6a201637eac3e56a126a84580ab6b33761957d65207c55029764b96`
SHA3	`1538f6df4b7b6c5c7824eea77b2d381650c4cfae7bce052c6d387b2497e839c4`

2

Type	`RT_ICON`
Language	UNKNOWN
Codepage	UNKNOWN
Size	`0x8a8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`6.05629`
MD5	`5096923956b255386181e7c44af9b552`
SHA1	`9d3f9d245fd7721707ad0dda9d133bc9398684af`
SHA256	`46c2b0eb26f174d48398a544b85203ec233adb7e17d1ced37c888eff8fcfd4c5`
SHA3	`d03024b793e39522b3ee98a5f6e0f548a989115ac2614924a5cfa436c2070a6b`

3

Type	`RT_ICON`
Language	UNKNOWN
Codepage	UNKNOWN
Size	`0x568`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.5741`
MD5	`5a64b725f24048ed51af35b9ee7d2fff`
SHA1	`a7bc3d4bf5cc5c36d68c78a5f5b323fcd59ee53e`
SHA256	`c46f3921297eea0c08a032e0d0e0378643892fd1e95814fe6728c944574399cc`
SHA3	`4aec1e212baa392dfd28bceb7027f12f5767f9337caea3a3f5a22c8cdcef2164`

4

Type	`RT_ICON`
Language	UNKNOWN
Codepage	UNKNOWN
Size	`0x909b`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`7.95079`
Detected Filetype	PNG graphic file
MD5	`20d36c0a435caad0ae75d3e5f474650c`
SHA1	`e9e536a2c9d009666e5de2b3e5823269204aabb6`
SHA256	`c3d7626d87aa28c33a054d30be26108fd09ea01ba470d41c94d7bdf6b80b83f2`
SHA3	`a842fc9423038b5b29fc431bb998e715979788e40d387431f74457de25a57fac`

5

Type	`RT_ICON`
Language	UNKNOWN
Codepage	UNKNOWN
Size	`0x25a8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.29119`
MD5	`b21a1cea6c1a6796700a0c7ee394ff2b`
SHA1	`c9b5246eddedabf11534c9c984e305a86151be9f`
SHA256	`01e270742614e92e2a2252ba46cee5b95ad5f13448ac3516f48fb3ee0af3e6c8`
SHA3	`9f392589e26f353c6962e2b9055ac344bfbfe2d82b95cce9441273a296beff95`

6

Type	`RT_ICON`
Language	UNKNOWN
Codepage	UNKNOWN
Size	`0x10a8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.43869`
MD5	`a12bdfb484bb481e1f106beb19aa4765`
SHA1	`18228c2e61981dd29f67cd938ef2a2303d75b81b`
SHA256	`b0835a0afca51295ee6e3827b5e4f79f0632f353c9d10dd78c0dcec478fab8b8`
SHA3	`01196ee531896c2f7ab6c87039bc68252b76609e8e0a26f63a0571485e3b506e`

7

Type	`RT_ICON`
Language	UNKNOWN
Codepage	UNKNOWN
Size	`0x468`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.89356`
MD5	`3343c0fa901ae372eb7c9d1159386193`
SHA1	`16944a8dcace69148c0628b723e0fa124279a79d`
SHA256	`0cd74e1b2fd85cc9e251e8ab5aca5a303329809c6b0ab70a3e440f9df1aab2be`
SHA3	`a7f6a8159086a1eac7b0d564a6c2f3ccc302ff083602fcb01d9b09a3f45b9a22`

101

Type	`RT_GROUP_ICON`
Language	UNKNOWN
Codepage	UNKNOWN
Size	`0x68`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.71858`
Detected Filetype	Icon file
MD5	`d06bb5f499a7e63fdebdde478b53af68`
SHA1	`f4b46ca808dc838d436be1d2c13a40d51bdd8f4f`
SHA256	`038506ab04814afcdce660ffc0de198ebe40a5b0d8e090799549e208c689fed5`
SHA3	`af3d6a80a0ad9e117953a9e1466a44d29b3d32a19a456a9297995e94ead2efd7`

Version Info

TLS Callbacks

Load Configuration

Size	`0x48`
TimeDateStamp	`1970-Jan-01 00:00:00`
Version	`0.0`
GlobalFlagsClear	`(EMPTY)`
GlobalFlagsSet	`(EMPTY)`
CriticalSectionDefaultTimeout	`0`
DeCommitFreeBlockThreshold	`0`
DeCommitTotalFreeThreshold	`0`
LockPrefixTable	`0`
MaximumAllocationSize	`0`
VirtualMemoryThreshold	`0`
ProcessAffinityMask	`0`
ProcessHeapFlags	`(EMPTY)`
CSDVersion	`0`
Reserved1	`0`
EditList	`0`
SecurityCookie	`0x41b010`
SEHandlerTable	`0x419560`
SEHandlerCount	`3`

RICH Header

XOR Key	`0x1e1cefe9`
Unmarked objects	`0`
152 (20115)	`5`
C++ objects (VS2010 build 30319)	`35`
ASM objects (VS2010 build 30319)	`18`
Imports (VS2008 SP1 build 30729)	`7`
Total imports	`109`
C objects (VS2010 build 30319)	`151`
Resource objects (VS2010 build 30319)	`1`
Linker (VS2010 build 30319)	`1`

896b2d4e183f01d806abc7ecb8f7fb9f

Summary

Plugin Output

Hashes

DOS Header

PE Header

Image Optional Header

.text

.rdata

.data

.rsrc

.reloc

Imports

Delayed Imports

1

2

3

4

5

6

7

101

Version Info

TLS Callbacks

Load Configuration

RICH Header

Errors