Manalyze report for 9e46efcec495876d0b1740cb8c5d5023

Summary

Architecture	`IMAGE_FILE_MACHINE_I386`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	2020-Jul-31 23:30:26
Detected languages	English - United States
FileDescription	NSIS Setup
FileVersion	`3.06`
LegalCopyright	http://nsis.sf.net/License

Plugin Output

Info	Interesting strings found in the binary:	`Contains domain names: http://nsis.sf.net http://nsis.sf.net/License http://nsis.sf.net/NSIS_Error nsis.sf.net`
Suspicious	The PE is an NSIS installer	`Unusual section name found: .ndata`
Malicious	The PE contains functions mostly used by malware.	`[!] The program may be hiding some of its imports: GetProcAddress LoadLibraryExW` `Can access the registry: RegCreateKeyExW RegEnumKeyW RegQueryValueExW RegSetValueExW RegCloseKey RegDeleteValueW RegDeleteKeyW RegOpenKeyExW RegEnumValueW` `Possibly launches other programs: CreateProcessW` `Can create temporary files: GetTempPathW CreateFileW` `Functions related to the privilege level: AdjustTokenPrivileges OpenProcessToken` `Changes object ACLs: SetFileSecurityW` `Can shut the system down or lock the screen: ExitWindowsEx`
Suspicious	The file contains overlay data.	`1483501 bytes of data starting at offset 0xce00.` `The overlay data has an entropy of 7.99988 and is possibly compressed or encrypted.` `Overlay data amounts for 96.5672% of the executable.`
Suspicious	VirusTotal score: 2/70 (Scanned on 2020-08-01 15:09:12)	`APEX: Malicious` `MaxSecure: Trojan.Malware.300983.susgen`

Hashes

MD5	`9e46efcec495876d0b1740cb8c5d5023`
SHA1	`c2eb54cf48489930da99821c4c043492743608e9`
SHA256	`d3141aa7eaa365054ac7539373fbe82e6b728f07b21269d1f4dcb3b77fcce669`
SHA3	`7ecd5ca3f3c7af4efa04533eb832542931c12730118fbb3a9051fe0d8a2fc970`
SSDeep	`24576:jgZGdzX5LrCSqB6kv+tJ56Qs9XyyhEL2+JgRSVwCrVi+Oj3UpP8PJD/aJu1nA6/o:jgQzX5XYv+tf6QsrhELRTVXrj+3UpPiw`
Imports Hash	`f02b76fecfb28296248f20f8106100cb`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0xd8`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_I386`
NumberofSections	`5`
TimeDateStamp	2020-Jul-31 23:30:26
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xe0`
Characteristics	`IMAGE_FILE_32BIT_MACHINE` `IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LINE_NUMS_STRIPPED` `IMAGE_FILE_LOCAL_SYMS_STRIPPED` `IMAGE_FILE_RELOCS_STRIPPED`

Image Optional Header

Magic	`PE32`
LinkerVersion	`6.0`
SizeOfCode	`0x6600`
SizeOfInitializedData	`0x22a00`
SizeOfUninitializedData	`0x800`
AddressOfEntryPoint	`0x000035D8 (Section: .text)`
BaseOfCode	`0x1000`
BaseOfData	`0x8000`
ImageBase	`0x400000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`4.0`
ImageVersion	`6.0`
SubsystemVersion	`4.0`
Win32VersionValue	`0`
SizeOfImage	`0x5e000`
SizeOfHeaders	`0x400`
Checksum	`0`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` `IMAGE_DLLCHARACTERISTICS_NO_SEH` `IMAGE_DLLCHARACTERISTICS_NX_COMPAT` `IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`869e1d11bbf88d92521c022fa6f3d4f0`
SHA1	`3442c1bb49ba3c7bfc46618255cc471a7e3e3bb7`
SHA256	`7a538c35c247872f01b15c7f6c3ef38e2beb898ed0ee2831791dc252f682d7e4`
SHA3	`18176b457042f120366c90c49be5dfbfd7c65ac06c739b685d60bb7038e8d9a2`
VirtualSize	`0x6572`
VirtualAddress	`0x1000`
SizeOfRawData	`0x6600`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.45392`

.rdata

MD5	`79e286249499b713a2ddbee33baa50da`
SHA1	`fe2bedee8c2ca0b3a39a9a62d201d08eee8b3f17`
SHA256	`83bea15184035cd426d88b077d6973382cb3ec99b72dda413183a0d751fcab2c`
SHA3	`12c7013e4c1c09d5a669b32a2e022721f8916191a733fbcdb2f1894d6a86c61c`
VirtualSize	`0x1398`
VirtualAddress	`0x8000`
SizeOfRawData	`0x1400`
PointerToRawData	`0x6a00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`5.13672`

.data

MD5	`b6d02c867f7bfbcf68de2cfeea94fd73`
SHA1	`ac77cc46ab8d1809c15541e5c084c069a6bf8107`
SHA256	`c49462737ce149cb4c498bfa3d56d6883dca161155785402c8af95c10e3d7e29`
SHA3	`ecd4b42a60e0ce1edc396ff446f1b645da4584097cd55da5e4ef561ef43a6174`
VirtualSize	`0x20378`
VirtualAddress	`0xa000`
SizeOfRawData	`0x600`
PointerToRawData	`0x7e00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`4.09681`

.ndata

MD5	`d41d8cd98f00b204e9800998ecf8427e`
SHA1	`da39a3ee5e6b4b0d3255bfef95601890afd80709`
SHA256	`e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`
SHA3	`a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a`
VirtualSize	`0x2e000`
VirtualAddress	`0x2b000`
SizeOfRawData	`0`
PointerToRawData	`0`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_UNINITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`

.rsrc

MD5	`074901065bb22177c251d733f00d17cd`
SHA1	`e72f3d6a2cb00b4647043c9488a7799214375e84`
SHA256	`1d35d8334b231681dbe7c7edcde03739744f8fb230a32b43999f02d1095ccf14`
SHA3	`ac44546afc81fa2bb51bc1d5f36b217ea287aee7d75f41ee3625f4a1e1c6e0f1`
VirtualSize	`0x48b8`
VirtualAddress	`0x59000`
SizeOfRawData	`0x4a00`
PointerToRawData	`0x8400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`4.59459`

Imports

ADVAPI32.dll	`RegCreateKeyExW` `RegEnumKeyW` `RegQueryValueExW` `RegSetValueExW` `RegCloseKey` `RegDeleteValueW` `RegDeleteKeyW` `AdjustTokenPrivileges` `LookupPrivilegeValueW` `OpenProcessToken` `SetFileSecurityW` `RegOpenKeyExW` `RegEnumValueW`
SHELL32.dll	`SHGetSpecialFolderLocation` `SHFileOperationW` `SHBrowseForFolderW` `SHGetPathFromIDListW` `ShellExecuteExW` `SHGetFileInfoW`
ole32.dll	`OleInitialize` `OleUninitialize` `CoCreateInstance` `IIDFromString` `CoTaskMemFree`
COMCTL32.dll	`#17` `ImageList_Create` `ImageList_Destroy` `ImageList_AddMasked`
USER32.dll	`GetClientRect` `EndPaint` `DrawTextW` `IsWindowEnabled` `DispatchMessageW` `wsprintfA` `CharNextA` `CharPrevW` `MessageBoxIndirectW` `GetDlgItemTextW` `SetDlgItemTextW` `GetSystemMetrics` `FillRect` `AppendMenuW` `TrackPopupMenu` `OpenClipboard` `SetClipboardData` `CloseClipboard` `IsWindowVisible` `CallWindowProcW` `GetMessagePos` `CheckDlgButton` `LoadCursorW` `SetCursor` `GetWindowLongW` `GetSysColor` `SetWindowPos` `PeekMessageW` `SetClassLongW` `GetSystemMenu` `EnableMenuItem` `GetWindowRect` `ScreenToClient` `EndDialog` `RegisterClassW` `SystemParametersInfoW` `CreateWindowExW` `GetClassInfoW` `DialogBoxParamW` `CharNextW` `ExitWindowsEx` `DestroyWindow` `CreateDialogParamW` `SetTimer` `SetWindowTextW` `PostQuitMessage` `SetForegroundWindow` `ShowWindow` `wsprintfW` `SendMessageTimeoutW` `FindWindowExW` `IsWindow` `GetDlgItem` `SetWindowLongW` `LoadImageW` `GetDC` `ReleaseDC` `EnableWindow` `InvalidateRect` `SendMessageW` `DefWindowProcW` `BeginPaint` `EmptyClipboard` `CreatePopupMenu`
GDI32.dll	`SetBkMode` `SetBkColor` `GetDeviceCaps` `CreateFontIndirectW` `CreateBrushIndirect` `DeleteObject` `SetTextColor` `SelectObject`
KERNEL32.dll	`GetExitCodeProcess` `WaitForSingleObject` `GetModuleHandleA` `GetProcAddress` `GetSystemDirectoryW` `lstrcatW` `Sleep` `lstrcpyA` `WriteFile` `GetTempFileNameW` `lstrcmpiA` `RemoveDirectoryW` `CreateProcessW` `CreateDirectoryW` `GetLastError` `CreateThread` `GlobalLock` `GlobalUnlock` `GetDiskFreeSpaceW` `WideCharToMultiByte` `lstrcpynW` `lstrlenW` `SetErrorMode` `GetVersion` `GetCommandLineW` `GetTempPathW` `GetWindowsDirectoryW` `SetEnvironmentVariableW` `ExitProcess` `CopyFileW` `GetCurrentProcess` `GetModuleFileNameW` `GetFileSize` `CreateFileW` `GetTickCount` `MulDiv` `SetFileAttributesW` `GetFileAttributesW` `SetCurrentDirectoryW` `MoveFileW` `GetFullPathNameW` `GetShortPathNameW` `SearchPathW` `CompareFileTime` `SetFileTime` `CloseHandle` `lstrcmpiW` `lstrcmpW` `ExpandEnvironmentStringsW` `GlobalFree` `GlobalAlloc` `GetModuleHandleW` `LoadLibraryExW` `MoveFileExW` `FreeLibrary` `WritePrivateProfileStringW` `GetPrivateProfileStringW` `lstrlenA` `MultiByteToWideChar` `ReadFile` `SetFilePointer` `FindClose` `FindNextFileW` `FindFirstFileW` `DeleteFileW`

Delayed Imports

110

Type	`RT_BITMAP`
Language	English - United States
Codepage	UNKNOWN
Size	`0x666`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.82633`
MD5	`b6bf70baab40fe438feff063bfb9ff6f`
SHA1	`7d4659d43e08d368ddacd31945872461c0b06253`
SHA256	`0e90a9e4b8f3a5bf990e8aadfd8096ad7aeaf1a4e032ac7b6395ce191d61c142`
SHA3	`cab98fabaf20118d9a8a4d2bcff4383a7291a0e04ff11a8690e71eed619c75e7`
Preview

1

Type	`RT_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0xfc7`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.51949`
MD5	`65b77edd36704cbe29c0b168a6ccf47f`
SHA1	`995d53c9a78d28e0973139b8f4b87ea65edbd322`
SHA256	`7f8a3e1c9ee850605f6175f21bf88cd40d49e7bdfc200e3866c8e39c6d40cd63`
SHA3	`6eb82ba9029d2890ebeedc7b574ef1889df2ceba0d0f44c74e3784354d3b0c04`

2

Type	`RT_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0xea8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`6.78498`
Detected Filetype	PNG graphic file
MD5	`1b448ba9d7178ab1caca84438cf522fd`
SHA1	`5ba04deb55a743762c3f034a238102cc0279fe22`
SHA256	`b0971209827eafff03ba71a90dbee9c1896e332409d9d081ef60828a61f052d4`
SHA3	`59b153b346c25fc18e4f8a437dd996c5638d49cf048c1bc963c0bb8190eb4e2b`

3

Type	`RT_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x8a8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.03712`
MD5	`1b10c503b07d4926c4957ceddde0b96f`
SHA1	`0c7634b4d6b5aa07a13a0e36da22688432ac91ea`
SHA256	`6bc0beddb95bd26562f87cca594cc02fb78c957c56a2f7a732500bba629f5e95`
SHA3	`372a8fd2bd791b8f83478c96ae79d5c2d57cda39f3acef451385fc6c2c3e7daf`

4

Type	`RT_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x568`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`1.61802`
MD5	`1da84a20b955bbabeda91a69698a116d`
SHA1	`a22e30d5443ecd94ef030cc73f299d664b03c1a5`
SHA256	`b79bef6eb630506bf224463ed7b9082c04bc49bc5cdf5c83f5600eb070c51e89`
SHA3	`e957fe9070b3b92d92c2d032356d2cf177726acf576b0184e7d9c832079219f0`

5

Type	`RT_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x2e8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.17226`
MD5	`1b9c8605217cdb8c6cf625938010f4fd`
SHA1	`17d80344b23631b629e33385cf3a7a0b003c3c64`
SHA256	`179ed86c558e0214fa9ea6d8639f5d73f8114c8f0cabb80a5be3d6b83f771bdc`
SHA3	`d78854ea1aad8fb9594d931f4572e88f75aa1f363189a5079814ac5156925d77`

6

Type	`RT_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x128`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.24703`
MD5	`e920c7ffd0b6fcdb146b22389b10ba60`
SHA1	`d0e9b9b4c87ecfbd8ed7089296aff453e20ea719`
SHA256	`ceddbf68cb38a7394b9cdc81c586b0b1d6fd0f46b671f1bd3bfe9d40f545e265`
SHA3	`85834d7af536add8633497acd35cf361ebf2181a3d6215825f84283b3b322d0d`

102

Type	`RT_DIALOG`
Language	English - United States
Codepage	UNKNOWN
Size	`0xb4`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.71813`
MD5	`a69caf66f3f899403f8b25b02dc61908`
SHA1	`3e5db9186cf0f75be24676462d88170e5950d9c8`
SHA256	`7854e8d67a11148566ad37c5d23e1534e0990fe31a160e0e7da3ca751830bb50`
SHA3	`1eea945e3712b317143e07560f54b0b9a13b1fd6c2b57cab9176181a9aaf4f79`

103

Type	`RT_DIALOG`
Language	English - United States
Codepage	UNKNOWN
Size	`0x120`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.56193`
MD5	`db6dd0434da4d7cac564518725167e09`
SHA1	`a65a1367d7cd96450f089a8f8108239bbcea9f5b`
SHA256	`c50631fc1f8425a95fd1edcc8e730d339e193a38f18d42372c32847a5ad2c016`
SHA3	`4e3be5455c51e1cb04836e318cb69ecdffd2deadd0f338d4bc985d8f5ca653ff`

104

Type	`RT_DIALOG`
Language	English - United States
Codepage	UNKNOWN
Size	`0x158`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.67285`
MD5	`e3db3f64c2592f8f5ff3aa9b6a4e99a8`
SHA1	`9691472bf6bcd563c29dd85f15caada030380d52`
SHA256	`5fa7add88fb2e0d095207c87603cfe3339f6211ce67900a0cf5af4253ba0bcb3`
SHA3	`2111ca69a593e96fbe3e61701d36ae172bb4744984fdec6db51b0cb7bf0eb67b`

105

Type	`RT_DIALOG`
Language	English - United States
Codepage	UNKNOWN
Size	`0x200`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.67385`
MD5	`d1a92272fbd597e1aa19021483110d5a`
SHA1	`9f75072682b37c6c52361d8c988ebd06dd003f63`
SHA256	`15663576584c947d634dab9848defcc7d8f05eb0b7e7c6d52d81eca695fc7a6e`
SHA3	`704756797695ae34f6fae500852bca70e5066a1d1993348fe40ccf626235d0d6`

106

Type	`RT_DIALOG`
Language	English - United States
Codepage	UNKNOWN
Size	`0xf8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.91148`
MD5	`fa83652660409e90e0db9731ad2adb17`
SHA1	`0a8f0af67723c87fe26ccf676b8e19ec6357b4dc`
SHA256	`4a55bd714f5d50cd8eabba10e57f0618f1842717dcfa582d73a917b1933cd1d4`
SHA3	`5b3e1cb25be7a2dbae4f08f0d4794ed23dbd6ea37a3f9702be12dba588f42a7b`

107

Type	`RT_DIALOG`
Language	English - United States
Codepage	UNKNOWN
Size	`0xa0`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.52183`
MD5	`6ffba239dcfcab2080195f23947b70aa`
SHA1	`bcda1ca8ee9bb9878bde83aa06c670bb5a4d5843`
SHA256	`a7e5ea849cb343e9b58de221aeb25c9dd4a3748070bfba879a30c4265fc39023`
SHA3	`a75544b4c3fcbcb32fe4e02d1a631e045b2e58516aa1065bb96cce681aea7030`

111

Type	`RT_DIALOG`
Language	English - United States
Codepage	UNKNOWN
Size	`0xee`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.89887`
MD5	`663040d6315b1d6ce8c0334d182ed8fc`
SHA1	`ebcfff801a12fb8ad1200a4526fca8bd2c3e96cf`
SHA256	`cb3c86cbcb579244a6f819f9c1807a7e89b6e600982ec6ea0841fcdcb16a9efd`
SHA3	`6a25a2cb16aeb17693f10e8aaa0245c701701db571b458fde7830291a4a01cfc`

103 (#2)

Type	`RT_GROUP_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x5a`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.79755`
Detected Filetype	Icon file
MD5	`a6f1cb96df057d6cc290b224466178c4`
SHA1	`89ad83ce09d1f77727db37c7deb3568d7c971b29`
SHA256	`f4b76ba95920a3f4b07b8a52f01e57363ed3889bafbbe4680be6cd6be4571a36`
SHA3	`f0b34d79894335f2f122381bfb7fe3fdff101e761da72906014d72f59657b77d`

1 (#2)

Type	`RT_VERSION`
Language	English - United States
Codepage	UNKNOWN
Size	`0x1a4`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.14972`
MD5	`2177ad6769abfed80af097fdda10476c`
SHA1	`ee032e4a3f4a22403cb8ad4a55b69bdb1d3660c5`
SHA256	`332e9deba4b7423033cd7057ddb7b5b0f7038b88c4a58adcefcd5ec04e069870`
SHA3	`c65baac809806e667534fe8923e57272042084de5e1864cf0960afecccc464b2`

1 (#3)

Type	`RT_MANIFEST`
Language	English - United States
Codepage	UNKNOWN
Size	`0x42e`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.28847`
MD5	`dd7e4a8076613566efb8005b67de40c9`
SHA1	`2c18da7591f0e8233bfb8929e82c16a2915f4561`
SHA256	`1ea1232ada8e9dc1d5383c0ff874c945807e280d5e731eceeb88e46b280e19cf`
SHA3	`163cd513fa9dc7b68c0b714424d3034816cb9c657093d66d754af793b1fcf1d8`

Version Info

Signature	`0xfeef04bd`
StructVersion	`0`
FileVersion	3.6.0.0
ProductVersion	3.6.0.0
FileFlags	`(EMPTY)`
FileOs	`VOS_DOS_WINDOWS32` `VOS_NT_WINDOWS32` `VOS__WINDOWS32`
FileType	`VFT_APP`
Language	English - United States
FileDescription	NSIS Setup
FileVersion (#2)	3.06
LegalCopyright	http://nsis.sf.net/License

Resource LangID	English - United States

TLS Callbacks

Load Configuration

RICH Header

XOR Key	`0xd26650e9`
Unmarked objects	`0`
C objects (VS2003 (.NET) build 4035)	`2`
Total imports	`165`
Imports (VS2003 (.NET) build 4035)	`15`
48 (9044)	`10`
Resource objects (VS98 SP6 cvtres build 1736)	`1`

Errors

[*] Warning: Section .ndata has a size of 0!