Manalyze report for 8fba76abdcfe0f2cf623f01086418638

Summary

Architecture	`IMAGE_FILE_MACHINE_I386`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	2012-May-22 14:47:29

Plugin Output

Info	Matching compiler(s):	`Microsoft Visual C++ 6.0 - 8.0`
Info	Libraries used to perform cryptographic operations:	`Microsoft's Cryptography API`
Malicious	The PE contains functions mostly used by malware.	`[!] The program may be hiding some of its imports: LoadLibraryA GetProcAddress LoadLibraryW` `Functions which can be used for anti-debugging purposes: CreateToolhelp32Snapshot` `Code injection capabilities: VirtualAllocEx WriteProcessMemory OpenProcess CreateRemoteThread VirtualAlloc` `Code injection capabilities (mapping injection): CreateRemoteThread CreateFileMappingW MapViewOfFile` `Can access the registry: RegOpenKeyExW RegEnumKeyExW RegCloseKey RegCreateKeyExW RegQueryValueExW RegSetValueExW SHDeleteKeyW` `Possibly launches other programs: CreateProcessW CreateProcessAsUserW ShellExecuteW` `Uses Microsoft's cryptographic API: CryptGetHashParam CryptAcquireContextW CryptReleaseContext CryptCreateHash CryptDestroyHash CryptHashData CryptUnprotectData` `Can create temporary files: GetTempPathW CreateFileW` `Memory manipulation functions often used by packers: VirtualProtectEx VirtualAllocEx VirtualProtect VirtualAlloc` `Has Internet access capabilities: InternetSetStatusCallbackW InternetQueryOptionA InternetSetOptionA InternetQueryOptionW InternetReadFile InternetReadFileExA InternetQueryDataAvailable InternetCloseHandle InternetOpenA InternetCrackUrlA InternetConnectA` `Leverages the raw socket API to access the Internet: #20 #18 getaddrinfo #17 #5 #111 #19 #3 WSASend WSAIoctl #4 WSAAddressToStringW #115 #22 #21 #2 #23 #112 #13 #16 freeaddrinfo WSAEventSelect #6 #1` `Functions related to the privilege level: OpenProcessToken AdjustTokenPrivileges` `Manipulates other processes: ReadProcessMemory WriteProcessMemory Process32NextW Process32FirstW OpenProcess` `Changes object ACLs: SetNamedSecurityInfoW` `Can take screenshots: PrintWindow GetDCEx GetDC CreateCompatibleDC` `Reads the contents of the clipboard: GetClipboardData` `Interacts with the certificate store: CertOpenSystemStoreW` `Can shut the system down or lock the screen: ExitWindowsEx InitiateSystemShutdownExW`
Suspicious	The file contains overlay data.	`512 bytes of data starting at offset 0x22a00.` `The overlay data has an entropy of 7.59431 and is possibly compressed or encrypted.`
Malicious	VirusTotal score: 50/56 (Scanned on 2016-12-11 22:43:25)	`Bkav: W32.Clodaf0.Trojan.0b84` `MicroWorld-eScan: Gen:Variant.Kazy.165` `CAT-QuickHeal: Trojan.Zbot.AJ3` `McAfee: PWS-Zbot.gen.ds` `Malwarebytes: Trojan.Zbot` `VIPRE: Trojan-PWS.Win32.Zbot.aac (v)` `K7GW: Backdoor ( 04c4ee7b1 )` `K7AntiVirus: Backdoor ( 04c4ee7b1 )` `TrendMicro: Cryp_Xin1` `Baidu: Win32.Trojan.Zbot.a` `F-Prot: W32/Zbot.BR.gen!Eldorado` `Symantec: Infostealer` `ESET-NOD32: a variant of Win32/Spy.Zbot.YW` `TrendMicro-HouseCall: Cryp_Xin1` `Avast: Sf:Crypt-BT [Trj]` `ClamAV: Win.Spyware.Zbot-1275` `Kaspersky: HEUR:Trojan.Win32.Generic` `BitDefender: Gen:Variant.Kazy.165` `NANO-Antivirus: Trojan.Win32.Panda.crlabi` `Tencent: Win32.Trojan.Generic.Efli` `Ad-Aware: Gen:Variant.Kazy.165` `Sophos: Troj/PWS-BSF` `Comodo: UnclassifiedMalware` `F-Secure: Trojan-Spy:W32/Zbot.AVTH` `DrWeb: Trojan.PWS.Panda.2319` `Zillya: Trojan.Zbot.Win32.176075` `Invincea: trojanspy.win32.nivdort.dd` `McAfee-GW-Edition: BehavesLike.Win32.PWSZbot.ch` `Emsisoft: Gen:Variant.Kazy.165 (B)` `Cyren: W32/Zbot.BR.gen!Eldorado` `Jiangmin: Trojan/Generic.afsjy` `Avira: TR/Kazy.MK` `Antiy-AVL: Trojan[:HEUR]/Win32.Unknown` `Kingsoft: Win32.Troj.Undef.(kcloud)` `Microsoft: PWS:Win32/Zbot!CI` `Arcabit: Trojan.Kazy.165` `AegisLab: Troj.W32.Generic!c` `GData: Gen:Variant.Kazy.165` `AhnLab-V3: Trojan/Win32.Zbot.R4880` `ALYac: Gen:Variant.Kazy.165` `AVware: Trojan-PWS.Win32.Zbot.aac (v)` `VBA32: SScope.Trojan.FakeAV.01110` `Rising: Trojan.Generic-1gUnVBPjxwU (cloud)` `Yandex: TrojanSpy.Zbot!Jm6OqcJ0zBU` `Ikarus: Trojan-Spy.Banker.Citadel` `Fortinet: W32/Zbot.AT!tr` `AVG: Win32/Cryptor` `Panda: Generic Malware` `CrowdStrike: malicious_confidence_100% (D)` `Qihoo-360: HEUR/Malware.QVM20.Gen`

Hashes

MD5	`8fba76abdcfe0f2cf623f01086418638`
SHA1	`7683d209c3e743e4cafdfdf68c551b335071875a`
SHA256	`245c6816294ca374ba8a0ef57b85b20ff28c22222c13d83d913ea65a6bb6a9bb`
SHA3	`6e1cd6e9effb7d161af87735cb1889681cc2862133c3ea5c051ac7b134e1a03b`
SSDeep	`3072:2to8SmQmuKsg3Cw8OMduXlK8g6n4deylM/KzX3eQzTxk+QqU:2to8GmuKpRYuXlC6n4destT5Qx`
Imports Hash	`a0b277f00482315f894834c8bac6ea95`

DOS Header

e_magic	`MZ`
e_cblp	`0`
e_cp	`0`
e_crlc	`0`
e_cparhdr	`0`
e_minalloc	`0`
e_maxalloc	`0`
e_ss	`0`
e_sp	`0`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0xd8`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_I386`
NumberofSections	`3`
TimeDateStamp	2012-May-22 14:47:29
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xe0`
Characteristics	`IMAGE_FILE_32BIT_MACHINE` `IMAGE_FILE_EXECUTABLE_IMAGE`

Image Optional Header

Magic	`PE32`
LinkerVersion	`10.0`
SizeOfCode	`0x20a00`
SizeOfInitializedData	`0x3a00`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x0001BADD (Section: .text)`
BaseOfCode	`0x1000`
BaseOfData	`0x22000`
ImageBase	`0x400000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`5.1`
ImageVersion	`1.0`
SubsystemVersion	`5.1`
Win32VersionValue	`0`
SizeOfImage	`0x27000`
SizeOfHeaders	`0x400`
Checksum	`0`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_NX_COMPAT` `IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`83b6e51d38a3a34b9439466d2943fb72`
SHA1	`f44467f2d03d7ceb23a859a4386d8a6a488b4567`
SHA256	`f9159de8866a92e171a37a0b7c9551579f601354cb9004b84080159279f64ea9`
SHA3	`3bbac0f22cc4a169b02963198b782f73fa1ca9d4c15522371dd1fee502af45c0`
VirtualSize	`0x20884`
VirtualAddress	`0x1000`
SizeOfRawData	`0x20a00`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.70735`

.data

MD5	`6a8a0d12b8c64d3705d567de27b0e2e3`
SHA1	`3a3d57adaf35ab6f2308b5715ba0935e480e63e6`
SHA256	`c5ee5ad51d08aa1b26059320ac829f6c6f75957d45c4b61257912f816ca5764f`
SHA3	`5fea8ae402d9062b5d9e8f446dae70ba0e52a9b58b48301a2df5c1872806508a`
VirtualSize	`0x2064`
VirtualAddress	`0x22000`
SizeOfRawData	`0x400`
PointerToRawData	`0x20e00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`1.62066`

.reloc

MD5	`cf28fe8e6f08d647a690a20597d49068`
SHA1	`0b6f4489a0367cc5f9c4f9d0e67f24dae59fccad`
SHA256	`1fece1810720ccea76a20808873366e74b709207f9eb4a720c7913aa71209365`
SHA3	`7285c86552a5e013596c9e548faeb854cc3590308f31ff73f1ea0015cee76a12`
VirtualSize	`0x168c`
VirtualAddress	`0x25000`
SizeOfRawData	`0x1800`
PointerToRawData	`0x21200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`5.65689`

Imports

KERNEL32.dll	`FlushFileBuffers` `GetEnvironmentVariableW` `FileTimeToDosDateTime` `GetTempFileNameW` `HeapReAlloc` `FindFirstFileW` `SetEndOfFile` `CreateProcessW` `HeapAlloc` `SystemTimeToFileTime` `SetFilePointerEx` `HeapFree` `VirtualFree` `GetProcessHeap` `IsBadReadPtr` `SetFileTime` `VirtualQueryEx` `Thread32First` `WideCharToMultiByte` `ReadProcessMemory` `HeapDestroy` `HeapCreate` `Thread32Next` `ReadFile` `GetModuleFileNameW` `GetTimeZoneInformation` `GetPrivateProfileIntW` `MultiByteToWideChar` `WriteFile` `GetFileSizeEx` `OpenMutexW` `GetLastError` `VirtualProtectEx` `VirtualAllocEx` `FindClose` `RemoveDirectoryW` `FindNextFileW` `VirtualProtect` `GetFileTime` `FileTimeToLocalFileTime` `GetVolumeNameForVolumeMountPointW` `DeleteFileW` `GetFileInformationByHandle` `WriteProcessMemory` `GetCommandLineW` `SetErrorMode` `GetComputerNameW` `OpenEventW` `DuplicateHandle` `GetCurrentProcessId` `MoveFileExW` `GetUserDefaultUILanguage` `GetPrivateProfileStringW` `SetFileAttributesW` `GetVersionExW` `GetNativeSystemInfo` `ResetEvent` `TerminateProcess` `TlsSetValue` `TlsGetValue` `GetModuleHandleW` `GlobalUnlock` `GlobalLock` `lstrcmpiW` `WTSGetActiveConsoleSessionId` `ReleaseMutex` `SetLastError` `GetTickCount` `LoadLibraryA` `CreateToolhelp32Snapshot` `Process32NextW` `Process32FirstW` `OpenProcess` `CreateRemoteThread` `CreateThread` `GetSystemTime` `GetLocalTime` `ExpandEnvironmentStringsW` `GetTempPathW` `LocalFree` `GetProcAddress` `lstrcmpiA` `CreateFileW` `GetFileAttributesW` `Sleep` `LoadLibraryW` `CreateDirectoryW` `FreeLibrary` `ExitProcess` `WaitForMultipleObjects` `GetFileAttributesExW` `GetProcessId` `EnterCriticalSection` `VirtualAlloc` `LeaveCriticalSection` `VirtualFreeEx` `InitializeCriticalSection` `SetThreadContext` `GetThreadContext` `TlsFree` `CloseHandle` `TlsAlloc` `GetCurrentThreadId` `CreateEventW` `CreateFileMappingW` `SetThreadPriority` `GetCurrentThread` `SetEvent` `WaitForSingleObject` `UnmapViewOfFile` `MapViewOfFile` `CreateMutexW`
USER32.dll	`GetWindowInfo` `GetClassLongW` `GetCapture` `SetCursorPos` `GetWindowLongW` `GetAncestor` `PeekMessageW` `PeekMessageA` `SetWindowPos` `SendMessageTimeoutW` `IsWindow` `ReleaseCapture` `MapWindowPoints` `GetMessagePos` `IsRectEmpty` `DrawIcon` `GetIconInfo` `GetParent` `CharToOemW` `MapVirtualKeyW` `PostMessageW` `RegisterClassExA` `RegisterWindowMessageW` `GetThreadDesktop` `GetMenuItemID` `IntersectRect` `GetSubMenu` `DefDlgProcW` `DefFrameProcA` `OpenInputDesktop` `OpenDesktopW` `CharLowerW` `CharLowerBuffA` `DrawEdge` `CreateDesktopW` `SetProcessWindowStation` `CloseWindowStation` `CreateWindowStationW` `GetProcessWindowStation` `CloseDesktop` `SetThreadDesktop` `OpenWindowStationW` `GetTopWindow` `LoadImageW` `MsgWaitForMultipleObjects` `WindowFromPoint` `CharLowerA` `CharUpperW` `SetWindowLongW` `GetWindow` `DispatchMessageW` `ExitWindowsEx` `EqualRect` `PrintWindow` `GetMessageW` `EndPaint` `FillRect` `GetCursorPos` `GetUpdateRgn` `GetWindowDC` `BeginPaint` `SetCapture` `GetShellWindow` `RegisterClassA` `GetDCEx` `TranslateMessage` `GetKeyboardState` `GetClipboardData` `MenuItemFromPoint` `GetDC` `GetMenu` `RegisterClassExW` `GetMenuItemRect` `TrackPopupMenuEx` `SystemParametersInfoW` `GetClassNameW` `ReleaseDC` `GetMenuState` `DefWindowProcA` `DefMDIChildProcW` `SwitchDesktop` `GetMenuItemCount` `DefDlgProcA` `PostThreadMessageW` `DefMDIChildProcA` `HiliteMenuItem` `ToUnicode` `GetSystemMetrics` `GetMessageA` `GetWindowRect` `SetKeyboardState` `GetWindowThreadProcessId` `DefFrameProcW` `DefWindowProcW` `CallWindowProcW` `EndMenu` `CallWindowProcA` `SendMessageW` `GetUserObjectInformationW` `RegisterClassW` `GetUpdateRect`
ADVAPI32.dll	`EqualSid` `RegOpenKeyExW` `RegEnumKeyExW` `RegCloseKey` `GetLengthSid` `ConvertSidToStringSidW` `InitiateSystemShutdownExW` `CryptGetHashParam` `OpenProcessToken` `GetSidSubAuthority` `CryptAcquireContextW` `OpenThreadToken` `GetSidSubAuthorityCount` `GetTokenInformation` `RegCreateKeyExW` `CryptReleaseContext` `RegQueryValueExW` `CreateProcessAsUserW` `InitializeSecurityDescriptor` `SetSecurityDescriptorDacl` `SetNamedSecurityInfoW` `LookupPrivilegeValueW` `CryptCreateHash` `ConvertStringSecurityDescriptorToSecurityDescriptorW` `GetSecurityDescriptorSacl` `SetSecurityDescriptorSacl` `CryptDestroyHash` `AdjustTokenPrivileges` `RegSetValueExW` `CryptHashData` `IsWellKnownSid`
SHLWAPI.dll	`StrStrIW` `StrCmpNIW` `PathRenameExtensionW` `wvnsprintfA` `StrCmpNIA` `PathMatchSpecW` `PathRemoveBackslashW` `PathUnquoteSpacesW` `PathAddExtensionW` `PathCombineW` `SHDeleteKeyW` `PathSkipRootW` `SHDeleteValueW` `PathAddBackslashW` `PathFindFileNameW` `PathIsDirectoryW` `wvnsprintfW` `UrlUnescapeA` `PathIsURLW` `PathQuoteSpacesW` `StrStrIA` `PathRemoveFileSpecW`
SHELL32.dll	`ShellExecuteW` `SHGetFolderPathW` `CommandLineToArgvW`
Secur32.dll	`GetUserNameExW`
ole32.dll	`StringFromGUID2` `CLSIDFromString` `CoUninitialize` `CoCreateInstance` `CoInitializeEx`
GDI32.dll	`SetViewportOrgEx` `GdiFlush` `CreateDIBSection` `SetRectRgn` `SaveDC` `RestoreDC` `DeleteDC` `GetDeviceCaps` `DeleteObject` `SelectObject` `GetDIBits` `CreateCompatibleBitmap` `CreateCompatibleDC`
WS2_32.dll	`#20` `#18` `getaddrinfo` `#17` `#5` `#111` `#19` `#3` `WSASend` `WSAIoctl` `#4` `WSAAddressToStringW` `#115` `#22` `#21` `#2` `#23` `#112` `#13` `#16` `freeaddrinfo` `WSAEventSelect` `#6` `#1`
CRYPT32.dll	`CertDuplicateCertificateContext` `CertEnumCertificatesInStore` `CertCloseStore` `CertOpenSystemStoreW` `CertDeleteCertificateFromStore` `PFXImportCertStore` `CryptUnprotectData` `PFXExportCertStoreEx`
WININET.dll	`HttpAddRequestHeadersW` `InternetSetStatusCallbackW` `GetUrlCacheEntryInfoW` `InternetQueryOptionA` `InternetSetOptionA` `InternetQueryOptionW` `HttpSendRequestW` `InternetReadFile` `InternetReadFileExA` `InternetQueryDataAvailable` `HttpSendRequestExW` `HttpSendRequestExA` `InternetCloseHandle` `InternetOpenA` `HttpSendRequestA` `HttpAddRequestHeadersA` `HttpOpenRequestA` `InternetCrackUrlA` `InternetConnectA` `HttpQueryInfoA`
OLEAUT32.dll	`#8` `#2` `#9` `#6`
NETAPI32.dll	`NetApiBufferFree` `NetUserEnum` `NetUserGetInfo`

Delayed Imports

Version Info

TLS Callbacks

Load Configuration

RICH Header

8fba76abdcfe0f2cf623f01086418638

Summary

Plugin Output

Hashes

DOS Header

PE Header

Image Optional Header

.text

.data

.reloc

Imports

Delayed Imports

Version Info

TLS Callbacks

Load Configuration

RICH Header

Errors