Manalyze report for 959f770895133edc4cf65a4a02d12da8

Summary

Architecture	`IMAGE_FILE_MACHINE_I386`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	2009-Dec-05 22:50:52
Detected languages	English - United States

Plugin Output

Info	Interesting strings found in the binary:	`Contains domain names: http://nsis.sf.net http://nsis.sf.net/NSIS_Error nsis.sf.net`
Suspicious	The PE is an NSIS installer	`Unusual section name found: .ndata`
Info	The PE contains common functions which appear in legitimate applications.	`[!] The program may be hiding some of its imports: LoadLibraryA LoadLibraryExA GetProcAddress` `Can access the registry: RegQueryValueExA RegSetValueExA RegEnumKeyA RegEnumValueA RegOpenKeyExA RegDeleteKeyA RegDeleteValueA RegCloseKey RegCreateKeyExA` `Possibly launches other programs: CreateProcessA ShellExecuteA` `Can create temporary files: CreateFileA GetTempPathA` `Can shut the system down or lock the screen: ExitWindowsEx`
Suspicious	The file contains overlay data.	`5919332 bytes of data starting at offset 0xc200.` `The overlay data has an entropy of 7.99766 and is possibly compressed or encrypted.` `Overlay data amounts for 99.168% of the executable.`
Malicious	VirusTotal score: 3/71 (Scanned on 2024-06-08 04:34:46)	`Bkav: W32.AIDetectMalware` `DrWeb: Trojan.DownLoader27.38220` `Gridinsoft: Malware.Win32.Downloader.cc`

Hashes

MD5	`959f770895133edc4cf65a4a02d12da8`
SHA1	`4a1fb796d6774cfc63d75ed6d9e7ccb7919d1c88`
SHA256	`c43d3617944be2e78b133379db8128d76ee07165fb6388d8a535dd770398c3ae`
SHA3	`47444f73af952253c5844de68d93f85be39c188be521ce5d8cf2103811781cf7`
SSDeep	`98304:ijW+OQ8WHbQKxErgypLy2LqlO4Djko9m6ez66U8M6EMhbmWch9sqJnv7SyXWfOkv:ijWvur6g2LynlO8koMFzZU8mYSn9sWDM`
Imports Hash	`7fa974366048f9c551ef45714595665e`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0xd8`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_I386`
NumberofSections	`5`
TimeDateStamp	2009-Dec-05 22:50:52
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xe0`
Characteristics	`IMAGE_FILE_32BIT_MACHINE` `IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LINE_NUMS_STRIPPED` `IMAGE_FILE_LOCAL_SYMS_STRIPPED` `IMAGE_FILE_RELOCS_STRIPPED`

Image Optional Header

Magic	`PE32`
LinkerVersion	`6.0`
SizeOfCode	`0x5e00`
SizeOfInitializedData	`0x28400`
SizeOfUninitializedData	`0x400`
AddressOfEntryPoint	`0x000030FA (Section: .text)`
BaseOfCode	`0x1000`
BaseOfData	`0x7000`
ImageBase	`0x400000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`4.0`
ImageVersion	`6.0`
SubsystemVersion	`4.0`
Win32VersionValue	`0`
SizeOfImage	`0x40000`
SizeOfHeaders	`0x400`
Checksum	`0`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`856b32eb77dfd6fb67f21d6543272da5`
SHA1	`6597c511c2ee72f68f5246460f0683dae16dcade`
SHA256	`c6c2b4f41d6598b94106de36b422dd84534fd9a11d84b2b6a47b3be49524c750`
SHA3	`649e621f7eb7edb175d8285b7c35de1209efc88af5abb31f95bab19076fff3b4`
VirtualSize	`0x5c4c`
VirtualAddress	`0x1000`
SizeOfRawData	`0x5e00`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.44011`

.rdata

MD5	`dc77f8a1e6985a4361c55642680ddb4f`
SHA1	`3d397ee25b2dd83ab741c67375880151cae94ed8`
SHA256	`576cdd5bc72421d008c86f056d0727c54cc8b3ec0961e5d0462af48278543d51`
SHA3	`d419a2c597e2f7a8a19b7c5c2090a93c78625e69629ff7d66a5359bfd614a8f4`
VirtualSize	`0x129c`
VirtualAddress	`0x7000`
SizeOfRawData	`0x1400`
PointerToRawData	`0x6200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`5.04684`

.data

MD5	`7922d4ce117d7d5b3ac2cffe4b0b5e4f`
SHA1	`4e56bb1994226ae0285c7adee470777262de2c99`
SHA256	`97773fd68ac3aebb9795c59dc00c5dbc0c992ce0c3c2ef90bfff27eb1cd72b3d`
SHA3	`2a1aceed5a92a7ab4f568335758aa6da79df1e2fe50997652ea0f52f0813bead`
VirtualSize	`0x25c58`
VirtualAddress	`0x9000`
SizeOfRawData	`0x400`
PointerToRawData	`0x7600`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`4.801`

.ndata

MD5	`d41d8cd98f00b204e9800998ecf8427e`
SHA1	`da39a3ee5e6b4b0d3255bfef95601890afd80709`
SHA256	`e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`
SHA3	`a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a`
VirtualSize	`0xc000`
VirtualAddress	`0x2f000`
SizeOfRawData	`0`
PointerToRawData	`0`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_UNINITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`

.rsrc

MD5	`d7247b227c621981a40b7ca07e8169b8`
SHA1	`b0b5438956d1e3df75916c25fbb6c71d10963056`
SHA256	`8957807dbfe9204a21ba9c34e1a7a82baf5de77d309a1b750f9d504b12510004`
SHA3	`dbc022b33f55c98cd2734e261b0cdf10600e372c6caf307b8fb8a31949b2e3aa`
VirtualSize	`0x4788`
VirtualAddress	`0x3b000`
SizeOfRawData	`0x4800`
PointerToRawData	`0x7a00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`5.30886`

Imports

KERNEL32.dll	`CompareFileTime` `SearchPathA` `GetShortPathNameA` `GetFullPathNameA` `MoveFileA` `SetCurrentDirectoryA` `GetFileAttributesA` `GetLastError` `CreateDirectoryA` `SetFileAttributesA` `Sleep` `GetTickCount` `GetFileSize` `GetModuleFileNameA` `GetCurrentProcess` `CopyFileA` `ExitProcess` `GetWindowsDirectoryA` `SetFileTime` `GetCommandLineA` `SetErrorMode` `LoadLibraryA` `lstrcpynA` `GetDiskFreeSpaceA` `GlobalUnlock` `GlobalLock` `CreateThread` `CreateProcessA` `RemoveDirectoryA` `CreateFileA` `GetTempFileNameA` `lstrlenA` `lstrcatA` `GetSystemDirectoryA` `GetVersion` `CloseHandle` `lstrcmpiA` `lstrcmpA` `ExpandEnvironmentStringsA` `GlobalFree` `GlobalAlloc` `WaitForSingleObject` `GetExitCodeProcess` `GetModuleHandleA` `LoadLibraryExA` `GetProcAddress` `FreeLibrary` `MultiByteToWideChar` `WritePrivateProfileStringA` `GetPrivateProfileStringA` `WriteFile` `ReadFile` `MulDiv` `SetFilePointer` `FindClose` `FindNextFileA` `FindFirstFileA` `DeleteFileA` `GetTempPathA`
USER32.dll	`EndDialog` `ScreenToClient` `GetWindowRect` `EnableMenuItem` `GetSystemMenu` `SetClassLongA` `IsWindowEnabled` `SetWindowPos` `GetSysColor` `GetWindowLongA` `SetCursor` `LoadCursorA` `CheckDlgButton` `GetMessagePos` `LoadBitmapA` `CallWindowProcA` `IsWindowVisible` `CloseClipboard` `SetClipboardData` `EmptyClipboard` `RegisterClassA` `TrackPopupMenu` `AppendMenuA` `CreatePopupMenu` `GetSystemMetrics` `SetDlgItemTextA` `GetDlgItemTextA` `MessageBoxIndirectA` `CharPrevA` `DispatchMessageA` `PeekMessageA` `DestroyWindow` `CreateDialogParamA` `SetTimer` `SetWindowTextA` `PostQuitMessage` `SetForegroundWindow` `wsprintfA` `SendMessageTimeoutA` `FindWindowExA` `SystemParametersInfoA` `CreateWindowExA` `GetClassInfoA` `DialogBoxParamA` `CharNextA` `OpenClipboard` `ExitWindowsEx` `IsWindow` `GetDlgItem` `SetWindowLongA` `LoadImageA` `GetDC` `EnableWindow` `InvalidateRect` `SendMessageA` `DefWindowProcA` `BeginPaint` `GetClientRect` `FillRect` `DrawTextA` `EndPaint` `ShowWindow`
GDI32.dll	`SetBkColor` `GetDeviceCaps` `DeleteObject` `CreateBrushIndirect` `CreateFontIndirectA` `SetBkMode` `SetTextColor` `SelectObject`
SHELL32.dll	`SHGetPathFromIDListA` `SHBrowseForFolderA` `SHGetFileInfoA` `ShellExecuteA` `SHFileOperationA` `SHGetSpecialFolderLocation`
ADVAPI32.dll	`RegQueryValueExA` `RegSetValueExA` `RegEnumKeyA` `RegEnumValueA` `RegOpenKeyExA` `RegDeleteKeyA` `RegDeleteValueA` `RegCloseKey` `RegCreateKeyExA`
COMCTL32.dll	`ImageList_AddMasked` `ImageList_Destroy` `#17` `ImageList_Create`
ole32.dll	`CoTaskMemFree` `OleInitialize` `OleUninitialize` `CoCreateInstance`
VERSION.dll	`GetFileVersionInfoSizeA` `GetFileVersionInfoA` `VerQueryValueA`

Delayed Imports

1

Type	`RT_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x25a8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.28158`
MD5	`eae543e6c576c8452a290d9db9eabfc6`
SHA1	`38ba2c5397820a4fbb14f7ec91f17bfca748f6f0`
SHA256	`22b231a93aa565e1c262de167488980b00812aabfd85f4e4a03caf3c9745d591`
SHA3	`c7ae1e6b03ce6d6e14f1270e4fa51d0afeea6518dec2d78fb443b1f156869a35`

2

Type	`RT_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x10a8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.25181`
MD5	`2c8e20e34b6beafde29dccc9e3a2c682`
SHA1	`86a9d11797524d7827b3cfb29658104161e52473`
SHA256	`029e0edd5940f62b569fa0fd67085c9e0e419a9a34744dfeb37b96f5403e4dc5`
SHA3	`060bc258e5e7bf2800bdec532005227e426d33dbb3a90466abe31c7ec72dd7fb`

3

Type	`RT_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x468`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.69824`
MD5	`2bdf32ea84e918e4671606488ee0d94c`
SHA1	`7082d2d2f43c062b73f43d55a7c194e973e36977`
SHA256	`aad234879c4dfcd4558b8f8161c9d165b9c62722ae6439b5062eaaf832bf44a6`
SHA3	`a5d0e1e5ff0b9ca04737f65d5aa371e904e33b941b82b1701d163ab36eca8d76`

102

Type	`RT_DIALOG`
Language	English - United States
Codepage	UNKNOWN
Size	`0xb4`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.71813`
MD5	`7add80697358fcc3e63354d269ea5ac9`
SHA1	`72c0a1363b9b4fee0a4acb42b31cd9b5e0664c4c`
SHA256	`b29c7a1301ddb0e896faf944d8ea8f4e57ff4f3d5fc3e5dc5bf3e64ed6be2fdd`
SHA3	`40a0e6b6b579b110550a4c3304eb33293a293d9aa288b02b11750143b52423fe`

103

Type	`RT_DIALOG`
Language	English - United States
Codepage	UNKNOWN
Size	`0x120`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.56193`
MD5	`db6dd0434da4d7cac564518725167e09`
SHA1	`a65a1367d7cd96450f089a8f8108239bbcea9f5b`
SHA256	`c50631fc1f8425a95fd1edcc8e730d339e193a38f18d42372c32847a5ad2c016`
SHA3	`4e3be5455c51e1cb04836e318cb69ecdffd2deadd0f338d4bc985d8f5ca653ff`

105

Type	`RT_DIALOG`
Language	English - United States
Codepage	UNKNOWN
Size	`0x200`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.67385`
MD5	`d1a92272fbd597e1aa19021483110d5a`
SHA1	`9f75072682b37c6c52361d8c988ebd06dd003f63`
SHA256	`15663576584c947d634dab9848defcc7d8f05eb0b7e7c6d52d81eca695fc7a6e`
SHA3	`704756797695ae34f6fae500852bca70e5066a1d1993348fe40ccf626235d0d6`

106

Type	`RT_DIALOG`
Language	English - United States
Codepage	UNKNOWN
Size	`0xf8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.91148`
MD5	`fa83652660409e90e0db9731ad2adb17`
SHA1	`0a8f0af67723c87fe26ccf676b8e19ec6357b4dc`
SHA256	`4a55bd714f5d50cd8eabba10e57f0618f1842717dcfa582d73a917b1933cd1d4`
SHA3	`5b3e1cb25be7a2dbae4f08f0d4794ed23dbd6ea37a3f9702be12dba588f42a7b`

107

Type	`RT_DIALOG`
Language	English - United States
Codepage	UNKNOWN
Size	`0xa0`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.52183`
MD5	`6ffba239dcfcab2080195f23947b70aa`
SHA1	`bcda1ca8ee9bb9878bde83aa06c670bb5a4d5843`
SHA256	`a7e5ea849cb343e9b58de221aeb25c9dd4a3748070bfba879a30c4265fc39023`
SHA3	`a75544b4c3fcbcb32fe4e02d1a631e045b2e58516aa1065bb96cce681aea7030`

111

Type	`RT_DIALOG`
Language	English - United States
Codepage	UNKNOWN
Size	`0xee`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.92787`
MD5	`5dfa289639a3bcc0497da8db163f01fe`
SHA1	`6e2c6ea1e2594b66f563fb589276642c127e875f`
SHA256	`18466509968c3c0bf92ba410fea075def2b257a5a799a113cbc60f13e75f4b01`
SHA3	`85abdc8c431d91c72f3595a39881c96637ead09a0278d3cec0c1c9a8d873f031`

103 (#2)

Type	`RT_GROUP_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x30`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.45849`
Detected Filetype	Icon file
MD5	`1ec6a7b3300970378c29695a6cc13d36`
SHA1	`99ce74251d19d800608e30bed6e0d793931da56e`
SHA256	`77a1efb6136f52dd2372987b13bf486aa75baeacb93bad009aa3e284c57b8694`
SHA3	`7a94ba315b3ab461cec9dad3048599d32b0e597047f9655159bd6dfdc694e4a3`

1 (#2)

Type	`RT_MANIFEST`
Language	English - United States
Codepage	UNKNOWN
Size	`0x3ba`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.22452`
MD5	`36fa456edbbee6d20949940185441563`
SHA1	`2edddfb8653be66d03a82bb4445cc8c5a7cba20b`
SHA256	`958f2b0e480643650c30d7382a8ecb9ce16148af09a9dbf67442c823cbeed156`
SHA3	`b3eda766e5c7b5ba9b0608c99bda516d7e0a2570f1e58c0cb41714baa4cd0432`

Version Info

TLS Callbacks

Load Configuration

RICH Header

XOR Key	`0x69ead975`
Unmarked objects	`0`
C objects (VS2003 (.NET) build 4035)	`2`
Total imports	`155`
Imports (VS2003 (.NET) build 4035)	`17`
48 (9044)	`10`
Resource objects (VS98 SP6 cvtres build 1736)	`1`

Errors

[*] Warning: Section .ndata has a size of 0!