Manalyze report for 9146f21288ab749c4c729343f5f285a1

Summary

Architecture	`IMAGE_FILE_MACHINE_I386`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_CUI`
Compilation Date	2010-Feb-23 15:26:08
Detected languages	English - United Kingdom
Debug artifacts	Embedded COFF debugging symbols

Plugin Output

Suspicious	Strings found in the binary may indicate undesirable behavior:	`May have dropper capabilities: CurrentVersion\Run`
Malicious	The PE contains functions mostly used by malware.	`Can access the registry: RegCloseKey RegDeleteValueW RegEnumValueW RegOpenKeyExW RegQueryInfoKeyW RegQueryValueExW RegSetValueExW` `Possibly launches other programs: CreateProcessW` `Functions related to the privilege level: AdjustTokenPrivileges OpenProcessToken` `Interacts with services: ChangeServiceConfigW OpenSCManagerW OpenServiceW QueryServiceConfigW QueryServiceStatus` `Manipulates other processes: OpenProcess EnumProcesses` `Can shut the system down or lock the screen: ExitWindowsEx`
Suspicious	The file contains overlay data.	`25901 bytes of data starting at offset 0x6000.`
Suspicious	VirusTotal score: 1/69 (Scanned on 2019-07-23 17:13:16)	`VBA32: TScope.Malware-Cryptor.SB`

Hashes

MD5	`9146f21288ab749c4c729343f5f285a1`
SHA1	`3d25e366c1195fc246f91c74d78163b9864db7cb`
SHA256	`acd6bb404942e46ec1072107908575c6873db789893102e34a49e9335b7354a3`
SHA3	`eb317b0a058b2849e935cb716f88d7cf49148775d0a01f58837fb63a88422756`
SSDeep	`768:kU4RhwrBHL6L3g05/43TDPo4eBoM+qrW4bxaeHefIwrQKmr:yRyVHmL3g05QHEBf5rvseHefI2Qt`
Imports Hash	`20eab2e5bf9e1ed56997ee7917857187`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0x80`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_I386`
NumberofSections	`6`
TimeDateStamp	2010-Feb-23 15:26:08
PointerToSymbolTable	`0x6000`
NumberOfSymbols	`1194`
SizeOfOptionalHeader	`0xe0`
Characteristics	`IMAGE_FILE_32BIT_MACHINE` `IMAGE_FILE_DEBUG_STRIPPED` `IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LINE_NUMS_STRIPPED` `IMAGE_FILE_RELOCS_STRIPPED`

Image Optional Header

Magic	`PE32`
LinkerVersion	`2.0`
SizeOfCode	`0x3200`
SizeOfInitializedData	`0x5c00`
SizeOfUninitializedData	`0x200`
AddressOfEntryPoint	`0x00001220 (Section: .text)`
BaseOfCode	`0x1000`
BaseOfData	`0x5000`
ImageBase	`0x400000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`4.0`
ImageVersion	`1.0`
SubsystemVersion	`4.0`
Win32VersionValue	`0`
SizeOfImage	`0xb000`
SizeOfHeaders	`0x400`
Checksum	`0x1b022`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_CUI`
SizeofStackReserve	`0x200000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`5aef84287aadb3385b7b2f46d7ae3f67`
SHA1	`deba4f8a9329d16dc02787986a8726c6fb747075`
SHA256	`fc21af3be2e9519a9e4a099d7c046ec4da8accb783781deed1667799734eddf7`
SHA3	`b5d44c43fdbd181479b175de1d9b5398ee814e6eef398cfd51f66256a2cf23ec`
VirtualSize	`0x30d4`
VirtualAddress	`0x1000`
SizeOfRawData	`0x3200`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`5.37716`

.data

MD5	`6c36ab33351b44901e89c97ec08acfa7`
SHA1	`4a8770240d5423078a43f7f6c005722832d27ac6`
SHA256	`3b26e4673c4bbd26116132de18f1b5f07f65542cc427af27dc44fcdb83c0e7a2`
SHA3	`dfe0c395553fd63421fd6d024ce651ff034a7c2af5618a309f1e59a05c2657e6`
VirtualSize	`0xa0`
VirtualAddress	`0x5000`
SizeOfRawData	`0x200`
PointerToRawData	`0x3600`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`0.9073`

.rdata

MD5	`e84ef6eb52163c6e266da507eb6a0c2a`
SHA1	`2f57e65b7e5739854d51120c87cdce12d6d46c1e`
SHA256	`05894cb5ff4e4f8e43b11e53f363ab603586e0b2a55f40f0312f662933b34bf1`
SHA3	`70ea59842dc4da5c7641fcd26ffe12a94d159cae041be264d677f5349a825a8f`
VirtualSize	`0x16e0`
VirtualAddress	`0x6000`
SizeOfRawData	`0x1800`
PointerToRawData	`0x3800`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`3.36441`

.bss

MD5	`d41d8cd98f00b204e9800998ecf8427e`
SHA1	`da39a3ee5e6b4b0d3255bfef95601890afd80709`
SHA256	`e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`
SHA3	`a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a`
VirtualSize	`0xd0`
VirtualAddress	`0x8000`
SizeOfRawData	`0`
PointerToRawData	`0`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_UNINITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`

.idata

MD5	`2ba6261d8a39ffffd2728eaf114e2521`
SHA1	`027a94277cf65c903e57477d0ea40b982f6dbf9e`
SHA256	`eb1c0e80b70d7dce08407fd349742547727889295ee46a6a85495189ed713c05`
SHA3	`4ee0c23d814436d8d4d9bf83f98043ff99e31cfa47c1ae4b49fdc645b15c8405`
VirtualSize	`0x9bc`
VirtualAddress	`0x9000`
SizeOfRawData	`0xa00`
PointerToRawData	`0x5000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`4.75524`

.rsrc

MD5	`cada56fa58356acc24bfa09a9e285f49`
SHA1	`1bc38ae42fc819b4ad0ccc7ccdb8c812c1d3a87d`
SHA256	`e6a8c8e397d4982e6ac9d80beecc010bc92f24696812d9e436b95e8dae104d8a`
SHA3	`30c2945d99a0b0a6541e7c1abfb25002a184d956b8f9eceea478969af2b36cf5`
VirtualSize	`0x540`
VirtualAddress	`0xa000`
SizeOfRawData	`0x600`
PointerToRawData	`0x5a00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`3.86556`

Imports

ADVAPI32.DLL	`AdjustTokenPrivileges` `AllocateAndInitializeSid` `ChangeServiceConfigW` `EqualSid` `FreeSid` `GetTokenInformation` `LookupPrivilegeValueW` `OpenProcessToken` `OpenSCManagerW` `OpenServiceW` `QueryServiceConfigW` `QueryServiceStatus` `RegCloseKey` `RegDeleteValueW` `RegEnumValueW` `RegOpenKeyExW` `RegQueryInfoKeyW` `RegQueryValueExW` `RegSetValueExW`
KERNEL32.dll	`AddAtomA` `CloseHandle` `CreateMutexW` `CreateProcessW` `CreateThread` `DeleteFileW` `ExitProcess` `ExpandEnvironmentStringsW` `FindAtomA` `FindClose` `FindFirstFileW` `FindNextFileW` `GetAtomNameA` `GetConsoleWindow` `GetCurrentProcess` `GetLastError` `GetLocalTime` `OpenProcess` `SetLastError` `SetUnhandledExceptionFilter`
msvcrt.dll	`__getmainargs` `__p__environ` `__p__fmode` `__set_app_type` `_cexit` `_iob` `_onexit` `_setmode` `_wcsicmp` `_wfopen` `_wtoi` `abort` `atexit` `calloc` `fclose` `fflush` `fgetc` `fgetwc` `fprintf` `free` `fseek` `ftell` `fwprintf` `fwrite` `malloc` `memset` `rewind` `signal` `strlen` `wcscat` `wcschr` `wcscmp` `wcscpy` `wcslen`
PSAPI.DLL	`EnumProcesses` `GetModuleFileNameExW`
USER32.dll	`DialogBoxParamW` `EnableWindow` `EndDialog` `ExitWindowsEx` `GetDlgItem` `MessageBoxW` `ShowWindow` `wsprintfW`

Delayed Imports

101

Type	`RT_DIALOG`
Language	English - United Kingdom
Codepage	UNKNOWN
Size	`0x300`
TimeDateStamp	2010-Feb-23 15:26:08
Entropy	`3.37714`
MD5	`ba04ba1344e50aee648d06ee4d358cd8`
SHA1	`c92decdc0f548a340d0314b126ef67bb95b29f97`
SHA256	`acde68db0d1f600d49305178445ca02207084021b841f76877a06c1a47a5ee14`
SHA3	`b6548d08b21a41b3dc26e250fd7ad156c530c164952e230bfe2b7b83162424f8`

1

Type	`RT_MANIFEST`
Language	English - United Kingdom
Codepage	UNKNOWN
Size	`0x19e`
TimeDateStamp	2010-Feb-23 15:26:08
Entropy	`4.79649`
MD5	`3ef0a1202be0fbcb984e48a58ef4857f`
SHA1	`ba3b48a832a0673367bf0f85d8cc5d1c79c2c105`
SHA256	`e5d6ee2327449058c673492fafb47612ebd7a58a428d4dcbd4e26b144134deef`
SHA3	`1b629a84fe26a6dbfa26041bc169ca12566316b47cc996296bf87eff3ac7c6e9`

Version Info

TLS Callbacks

Load Configuration

RICH Header

Errors

[*] Warning: COFF symbol's section number is bigger than the number of sections!
[*] Warning: COFF symbol's section number is bigger than the number of sections!
[*] Warning: COFF symbol's section number is bigger than the number of sections!
[*] Warning: COFF symbol's section number is bigger than the number of sections!
[*] Warning: COFF symbol's section number is bigger than the number of sections!
[*] Warning: COFF symbol's section number is bigger than the number of sections!
[*] Warning: COFF symbol's section number is bigger than the number of sections!
[*] Warning: COFF symbol's section number is bigger than the number of sections!
[*] Warning: COFF symbol's section number is bigger than the number of sections!
[*] Warning: COFF symbol's section number is bigger than the number of sections!
[*] Warning: COFF symbol's section number is bigger than the number of sections!
[*] Warning: COFF symbol's section number is bigger than the number of sections!
[*] Warning: COFF symbol's section number is bigger than the number of sections!
[*] Warning: COFF symbol's section number is bigger than the number of sections!
[*] Warning: COFF symbol's section number is bigger than the number of sections!
[*] Warning: COFF symbol's section number is bigger than the number of sections!
[*] Warning: COFF symbol's section number is bigger than the number of sections!
[*] Warning: COFF symbol's section number is bigger than the number of sections!
[*] Warning: COFF symbol's section number is bigger than the number of sections!
[*] Warning: COFF symbol's section number is bigger than the number of sections!
[*] Warning: COFF symbol's section number is bigger than the number of sections!
[*] Warning: COFF symbol's section number is bigger than the number of sections!
[*] Warning: COFF symbol's section number is bigger than the number of sections!
[*] Warning: COFF symbol's section number is bigger than the number of sections!
[*] Warning: COFF symbol's section number is bigger than the number of sections!
[*] Warning: COFF symbol's section number is bigger than the number of sections!
[*] Warning: COFF symbol's section number is bigger than the number of sections!
[*] Warning: COFF symbol's section number is bigger than the number of sections!
[*] Warning: COFF symbol's section number is bigger than the number of sections!
[*] Warning: COFF symbol's section number is bigger than the number of sections!
[*] Warning: COFF symbol's section number is bigger than the number of sections!
[*] Warning: COFF symbol's section number is bigger than the number of sections!
[*] Warning: COFF symbol's section number is bigger than the number of sections!
[*] Warning: COFF symbol's section number is bigger than the number of sections!
[*] Warning: COFF symbol's section number is bigger than the number of sections!
[*] Warning: COFF symbol's section number is bigger than the number of sections!
[*] Warning: COFF symbol's section number is bigger than the number of sections!
[*] Warning: COFF symbol's section number is bigger than the number of sections!
[*] Warning: COFF symbol's section number is bigger than the number of sections!
[*] Warning: COFF symbol's section number is bigger than the number of sections!
[*] Warning: COFF symbol's section number is bigger than the number of sections!
[*] Warning: COFF symbol's section number is bigger than the number of sections!
[*] Warning: COFF symbol's section number is bigger than the number of sections!
[*] Warning: COFF symbol's section number is bigger than the number of sections!
[*] Warning: COFF symbol's section number is bigger than the number of sections!
[*] Warning: COFF symbol's section number is bigger than the number of sections!
[*] Warning: COFF symbol's section number is bigger than the number of sections!
[*] Warning: COFF symbol's section number is bigger than the number of sections!
[*] Warning: COFF String Table's reported size is bigger than the remaining bytes!
[*] Warning: Section .bss has a size of 0!