Manalyze report for 9676b403ae91208597c6139c8d6d85ea

Summary

Architecture	`IMAGE_FILE_MACHINE_I386`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	2019-Jan-24 23:00:05

Plugin Output

Info	Libraries used to perform cryptographic operations:	`Microsoft's Cryptography API`
Suspicious	The PE is possibly packed.	`Unusual section name found: CONST` `Unusual section name found: .crt2`
Malicious	The PE contains functions mostly used by malware.	`Functions which can be used for anti-debugging purposes: FindWindowW` `Code injection capabilities (PowerLoader): FindWindowW GetWindowLongW GetWindowLongA` `Possibly launches other programs: system` `Uses Microsoft's cryptographic API: CryptDestroyKey` `Interacts with services: EnumServicesStatusExW` `Can shut the system down or lock the screen: InitiateSystemShutdownA LockWorkStation`
Malicious	VirusTotal score: 52/70 (Scanned on 2019-02-08 14:26:08)	`MicroWorld-eScan: Trojan.GenericKD.40991140` `CAT-QuickHeal: Trojan.Emotet.X4` `ALYac: Trojan.Agent.Emotet` `Malwarebytes: Trojan.Emotet.Generic` `K7GW: Trojan ( 0053c4bc1 )` `K7AntiVirus: Trojan ( 0053c4bc1 )` `TrendMicro: TrojanSpy.Win32.EMOTET.THOBEAI` `Cyren: W32/Trojan.RAMG-2034` `Symantec: Trojan.Emotet` `TrendMicro-HouseCall: TrojanSpy.Win32.EMOTET.THOBEAI` `Paloalto: generic.ml` `Kaspersky: Trojan-Banker.Win32.Emotet.cbst` `BitDefender: Trojan.GenericKD.40991140` `NANO-Antivirus: Trojan.Win32.Emotet.fmlqbv` `Avast: Win32:Dropper-gen [Drp]` `Tencent: Win32.Trojan-banker.Emotet.Htlu` `Ad-Aware: Trojan.GenericKD.40991140` `Emsisoft: Trojan.GenericKD.40991140 (B)` `Comodo: Malware@#19i56f1c0vy3y` `F-Secure: Trojan.TR/AD.Emotet.yhvhw` `DrWeb: Trojan.DownLoader27.26274` `Zillya: Trojan.Emotet.Win32.12579` `Invincea: heuristic` `McAfee-GW-Edition: BehavesLike.Win32.Generic.dh` `Trapmine: malicious.high.ml.score` `Ikarus: Trojan-Banker.Emotet` `Webroot: W32.Trojan.Emotet` `Avira: TR/AD.Emotet.yhvhw` `Fortinet: W32/Emotet.BN!tr` `Antiy-AVL: Trojan[Banker]/Win32.Emotet` `Endgame: malicious (high confidence)` `Arcabit: Trojan.Generic.D27179A4` `ViRobot: Trojan.Win32.Z.Emotet.222208.C` `ZoneAlarm: Trojan-Banker.Win32.Emotet.cbst` `Microsoft: Trojan:Win32/Emotet.EF` `Sophos: Troj/Emotet-AWQ` `AhnLab-V3: Malware/Gen.Generic.C2971356` `Acronis: suspicious` `McAfee: Emotet-FLT!9676B403AE91` `MAX: malware (ai score=96)` `VBA32: BScope.Trojan.Refinka` `Cylance: Unsafe` `ESET-NOD32: Win32/Emotet.BN` `Rising: Trojan.Emotet!8.B95 (TFE:1:KvvtajH4ZtE)` `SentinelOne: static engine - malicious` `eGambit: Unsafe.AI_Score_99%` `GData: Trojan.GenericKD.40991140` `AVG: Win32:Dropper-gen [Drp]` `Cybereason: malicious.3ae912` `Panda: Trj/Genetic.gen` `CrowdStrike: malicious_confidence_100% (W)` `Qihoo-360: Win32/Trojan.Dropper.c9f`

Hashes

MD5	`9676b403ae91208597c6139c8d6d85ea`
SHA1	`692e26afb749ed56e6d52d1f47348a4ba1ecfb2b`
SHA256	`9cd0a2533aad434427d8f75f68ed876455197b1d28d9b99d510ae7affa2799cd`
SHA3	`932c2a7c46d66811d9d3f060caab2f04513d67afcfa7e7da81c4dabdcb65dee8`
SSDeep	`3072:11VEIrLOu4eHNzuaz3xvPa8VfGisTdZEyIQJ0RYqsuEcMMWvoXro4Uuetw40a95:P3tS8VfsPEIJBuEcMMWvoF4twX`
Imports Hash	`e26318534dbbf80508efb69f78477e0b`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0x80`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_I386`
NumberofSections	`4`
TimeDateStamp	2019-Jan-24 23:00:05
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xe0`
Characteristics	`IMAGE_FILE_32BIT_MACHINE` `IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_RELOCS_STRIPPED` `IMAGE_FILE_SYSTEM`

Image Optional Header

Magic	`PE32`
LinkerVersion	`12.0`
SizeOfCode	`0x1a200`
SizeOfInitializedData	`0x1e400`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x00013F6F (Section: .text)`
BaseOfCode	`0x1000`
BaseOfData	`0x1c000`
ImageBase	`0x400000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`5.1`
ImageVersion	`0.0`
SubsystemVersion	`5.0`
Win32VersionValue	`0`
SizeOfImage	`0x3c000`
SizeOfHeaders	`0x400`
Checksum	`0`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_NX_COMPAT` `IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`6485539244198c41f9e9db04054516af`
SHA1	`7e738dbd3b73a1bb6314100bfabf6566a4e00799`
SHA256	`c365a49e44d105096246a29c328eeec39a337a1a243be9609b46102a2a7b9a2a`
SHA3	`4ee724c87a5afe1fb35d0e948c40e39ba115abedf6d69a721be41502a7d02bc1`
VirtualSize	`0x1a198`
VirtualAddress	`0x1000`
SizeOfRawData	`0x1a200`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`4.53869`

CODE

MD5	`36813575ce9c60f359013edc6f44a50c`
SHA1	`d3c89487cfe0b27566d72b7e73fd7a995f099d8f`
SHA256	`ce90a5881f6cd3fea6e1bbdfcfef49c517972c0bdcf3af8a66ccce61b38c4edb`
SHA3	`2f541e1b6b217fd2030e1622ee864726c7a88b7a2b890ef598bbbdae5121a4bf`
VirtualSize	`0x42b8`
VirtualAddress	`0x1c000`
SizeOfRawData	`0x1e00`
PointerToRawData	`0x1a600`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`5.73194`

CONST

MD5	`83f06c6accee8dc4851085689f7f4a74`
SHA1	`f03af92837e832c7d37409a6777271100f4a036b`
SHA256	`7b182d9f6be2eb9a02fef857634b4c652ee39463b0b3663586e642e19aa6718b`
SHA3	`64b6c8d2f0f76e823b8d5ba866bdf3fb5a77bade05963dad445ba5ef65039057`
VirtualSize	`0x1c1c`
VirtualAddress	`0x21000`
SizeOfRawData	`0x1e00`
PointerToRawData	`0x1c400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_GPREL` `IMAGE_SCN_LNK_COMDAT` `IMAGE_SCN_LNK_INFO` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_TYPE_GROUP` `IMAGE_SCN_TYPE_NOLOAD`
Entropy	`5.3795`

.crt2

MD5	`605dcf99b25389b2bc22398ef7a8d3d6`
SHA1	`f5917f191cfd2ccb45474d2ad0506dad789a8f3f`
SHA256	`243afd9b330442d1c0a904ee325cbb625626cca4313849267d7306b938950a21`
SHA3	`3e6472ed329a59862295699758333d3e3321db461c263a8bd1432dcae097cba6`
VirtualSize	`0x18010`
VirtualAddress	`0x23000`
SizeOfRawData	`0x18200`
PointerToRawData	`0x1e200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_CNT_UNINITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE` `IMAGE_SCN_TYPE_COPY` `IMAGE_SCN_TYPE_DSECT` `IMAGE_SCN_TYPE_GROUP` `IMAGE_SCN_TYPE_NOLOAD` `IMAGE_SCN_TYPE_NO_PAD`
Entropy	`7.97716`

Imports

Secur32.dll	`FreeCredentialsHandle`
ole32.dll	`CoUninitialize` `CoInitialize` `CoCreateInstance` `CoInitializeEx`
SHELL32.dll	`ExtractAssociatedIconA` `ExtractIconExA` `ExtractIconA`
msvcrt.dll	`ungetwc` `towupper` `system` `mbtowc` `strcspn` `strncmp`
mscms.dll	`GetColorDirectoryW` `GetColorProfileHeader` `GetColorProfileElement`
GDI32.dll	`StrokePath` `GetPixel` `GetRasterizerCaps` `GetTextCharset` `DeleteColorSpace` `GetTextExtentExPointI` `CreateCompatibleBitmap` `GetPolyFillMode` `GetTextExtentExPointW` `GetCharWidthW` `ExtEscape` `GetLogColorSpaceA` `GetTextExtentPointA` `GetTextCharsetInfo` `GetRegionData` `GetFontData` `GdiSetBatchLimit` `GetCurrentPositionEx` `GetCharWidthFloatA` `GetBkColor` `GetClipBox` `GetLayout` `InvertRgn` `SetROP2` `DescribePixelFormat`
WINSPOOL.DRV	`DeletePrinterDriverW` `FindClosePrinterChangeNotification` `DeletePrinter`
OLEAUT32.dll	`#309` `#162` `#183`
WININET.dll	`FindNextUrlCacheGroup` `GetUrlCacheEntryInfoA` `DeleteUrlCacheEntryW` `FindFirstUrlCacheEntryW`
KERNEL32.dll	`IsThreadAFiber` `LocaleNameToLCID` `GetPrivateProfileStringA` `GetUserDefaultLangID` `DefineDosDeviceW` `GetSystemWindowsDirectoryA` `GetSystemTimes` `CreateFileMappingW` `GlobalFindAtomA` `GetTimeFormatW` `GetModuleHandleW` `NotifyUILanguageChange` `TransmitCommChar` `GetConsoleMode` `GetSystemInfo` `LocalAlloc` `GlobalAddAtomW` `GetFileAttributesExW` `EnumResourceNamesW` `CreateThread` `FindActCtxSectionStringW` `FindAtomW` `WriteProfileSectionA` `GetProfileStringW` `EnumSystemGeoID` `lstrcpynA` `GetTempFileNameA` `GetAtomNameA` `VirtualFree` `lstrcpynW` `GetCurrentProcess` `WriteProfileStringW` `lstrcatW` `GetConsoleOutputCP` `FileTimeToDosDateTime` `GlobalHandle` `GetConsoleCursorInfo` `lstrcmpW` `MapViewOfFile` `DeviceIoControl` `GetSystemDirectoryA` `GetThreadSelectorEntry` `GetTempFileNameW` `GlobalFree` `GetTapeStatus` `GetDiskFreeSpaceExA` `MultiByteToWideChar` `GetPrivateProfileStructW` `GetCommTimeouts` `VirtualAlloc` `DeactivateActCtx` `GlobalGetAtomNameA` `GetProfileSectionA` `FindResourceExA` `GetStringTypeExW` `GetCurrentDirectoryA` `LoadLibraryExW` `GetPrivateProfileSectionNamesW` `EraseTape` `WriteProfileStringA` `FindVolumeClose` `FindNextFileA` `GetLocalTime` `GetCompressedFileSizeA` `GetShortPathNameA` `GetAtomNameW` `GlobalAddAtomA` `VirtualQuery` `GetSystemTime` `LocalFree` `UnmapViewOfFile` `GetConsoleDisplayMode` `EscapeCommFunction` `FindResourceA` `LoadLibraryW` `FormatMessageW` `FindFirstFileExW` `GetPrivateProfileSectionW`
ADVAPI32.dll	`LookupAccountNameA` `IsTextUnicode` `QueryUsersOnEncryptedFile` `CryptDestroyKey` `DecryptFileW` `GetFileSecurityW` `GetCurrentHwProfileA` `LookupPrivilegeDisplayNameW` `StartServiceA` `GetTokenInformation` `EnumServicesStatusExW` `GetCurrentHwProfileW` `GetSecurityDescriptorControl` `GetSidSubAuthorityCount` `GetSidIdentifierAuthority` `AccessCheckAndAuditAlarmA` `InitiateSystemShutdownA` `GetServiceDisplayNameA` `GetPrivateObjectSecurity` `GetUserNameA` `LookupPrivilegeNameW`
SHLWAPI.dll	`PathMakeSystemFolderW` `GetMenuPosFromID`
CLUSAPI.dll	`GetClusterFromResource`
NETAPI32.dll	`NetLocalGroupDel`
USER32.dll	`FillRect` `SetThreadDesktop` `BringWindowToTop` `CreateIconIndirect` `UnhookWindowsHookEx` `EnableScrollBar` `DrawStateW` `OpenClipboard` `SetWindowPos` `MessageBeep` `GetKeyboardLayout` `PostQuitMessage` `DestroyCaret` `FindWindowExW` `GetClassInfoExA` `RegisterClassExW` `GetSystemMetrics` `GetScrollPos` `GetMenuStringW` `DrawFocusRect` `FlashWindow` `GetWindowRect` `GetWindowPlacement` `FindWindowW` `CreateDialogParamW` `PhysicalToLogicalPoint` `GetPriorityClipboardFormat` `CreateIconFromResource` `DrawTextW` `SendMessageW` `LoadMenuIndirectA` `SetCursor` `LoadKeyboardLayoutW` `EnableMenuItem` `GetWindowLongW` `LockWindowUpdate` `EnumWindows` `CharNextW` `SetForegroundWindow` `GetWindowRgn` `DefWindowProcW` `GetSysColorBrush` `IsIconic` `DestroyWindow` `LoadImageA` `EnumWindowStationsA` `GetMessageExtraInfo` `SetActiveWindow` `GetMenuState` `InsertMenuItemA` `InvalidateRect` `DialogBoxParamW` `PeekMessageW` `IsRectEmpty` `GetProcessDefaultLayout` `GetShellWindow` `DeleteMenu` `GetCursorInfo` `CloseDesktop` `GetUpdateRect` `SetScrollPos` `GetMessageA` `GetForegroundWindow` `DrawIcon` `GetWindowTextW` `CreateWindowExW` `GetMenuStringA` `LockWorkStation` `LockSetForegroundWindow` `GetSubMenu` `UpdateWindow` `GetRawInputDeviceInfoW` `LookupIconIdFromDirectoryEx` `CharUpperW` `DestroyMenu` `EnableWindow` `GetMenuCheckMarkDimensions` `GetClipboardViewer` `LoadIconW` `LoadAcceleratorsW` `FreeDDElParam` `GetScrollInfo` `DestroyCursor` `GetDlgItem` `RegisterWindowMessageW` `GetSystemMenu` `GetWindowLongA` `MoveWindow` `LoadCursorW`

Delayed Imports

Version Info

TLS Callbacks

Load Configuration

RICH Header

Errors

[!] Error: Could not reach the requested directory (offset=0x0).