Manalyze report for 9f58af0317a7e2ed4783ebe99a508ffd

Summary

Architecture	`IMAGE_FILE_MACHINE_I386`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	2019-Feb-01 19:40:43
Detected languages	English - United States
Comments	Built-in compression
CompanyName	Microsoft Corporation
FileDescription	lispfile
FileVersion	`2.0`
InternalName	amstoune
LegalCopyright	Copyright © 1995 Microsoft Corporation
OriginalFilename	kbdinguj.dl
ProductName
rosoft® W	tore
ProductVersion	`6.`

Plugin Output

Info	Matching compiler(s):	`MASM/TASM - sig1(h)`
Info	Libraries used to perform cryptographic operations:	`Microsoft's Cryptography API`
Malicious	The file headers were tampered with.	`The RICH header checksum is invalid.`
Suspicious	The PE contains functions most legitimate programs don't use.	`Uses Microsoft's cryptographic API: CryptProtectData` `Leverages the raw socket API to access the Internet: #112`
Suspicious	The file contains overlay data.	`121560 bytes of data starting at offset 0x4528.` `The overlay data has an entropy of 7.51767 and is possibly compressed or encrypted.` `Overlay data amounts for 87.2875% of the executable.`
Malicious	VirusTotal score: 47/70 (Scanned on 2019-02-08 14:26:47)	`Bkav: HW32.Packed.` `MicroWorld-eScan: Trojan.GenericKD.31618437` `CAT-QuickHeal: Trojan.Emotet` `McAfee: Emotet-FLI!9F58AF0317A7` `Cylance: Unsafe` `K7GW: Trojan ( 00546d1d1 )` `K7AntiVirus: Trojan ( 00546d1d1 )` `Invincea: heuristic` `Symantec: Trojan.Emotet` `TrendMicro-HouseCall: TROJ_GEN.R03FC0DB219` `Paloalto: generic.ml` `Kaspersky: Trojan-Banker.Win32.Emotet.cdeq` `BitDefender: Trojan.GenericKD.31618437` `NANO-Antivirus: Trojan.Win32.EmotetENT.fmpqec` `Avast: Win32:BankerX-gen [Trj]` `Tencent: Win32.Trojan-banker.Emotet.Hwcu` `Ad-Aware: Trojan.GenericKD.31618437` `Emsisoft: Trojan.GenericKD.31618437 (B)` `Comodo: Malware@#ycuqajzvgnn7` `DrWeb: Trojan.EmotetENT.372` `Zillya: Trojan.Kryptik.Win32.1575124` `TrendMicro: TROJ_GEN.R03FC0DB219` `McAfee-GW-Edition: BehavesLike.Win32.Emotet.cc` `Trapmine: malicious.moderate.ml.score` `SentinelOne: static engine - malicious` `Cyren: W32/Trojan.OQDM-7903` `Webroot: W32.Trojan.Emotet` `Fortinet: W32/Fareit.L` `Endgame: malicious (high confidence)` `Arcabit: Trojan.Generic.D1E27585` `ZoneAlarm: Trojan-Banker.Win32.Emotet.cdeq` `Microsoft: Trojan:Win32/Emotet!rfn` `Sophos: Mal/Emotet-Q` `AhnLab-V3: Trojan/Win32.Emotet.R254353` `Acronis: suspicious` `VBA32: TScope.Malware-Cryptor.SB` `ALYac: Trojan.Agent.Emotet` `MAX: malware (ai score=100)` `Malwarebytes: Trojan.Emotet` `ESET-NOD32: a variant of Win32/Kryptik.GPGZ` `Rising: Malware.Heuristic.MLite(100%) (AI-LITE:Kk25qDiRi1j9SyH5HnA40g)` `Ikarus: Trojan-Banker.Emotet` `GData: Trojan.GenericKD.31618437` `AVG: Win32:BankerX-gen [Trj]` `Panda: Trj/GdSda.A` `CrowdStrike: malicious_confidence_100% (W)` `Qihoo-360: Win32/Trojan.e7f`

Hashes

MD5	`9f58af0317a7e2ed4783ebe99a508ffd`
SHA1	`32bc598956aa8b64289642608631db46f68396a3`
SHA256	`b8cd0fd3f9d5b69fff150847c44aa4ffb476d21312fc166a71a8ca2d6d5836e3`
SHA3	`8193f0b48a276b6c68e4581eb2c18ff2bd9cf7cf55936067271ad2c1cf29b384`
SSDeep	`1536:ghxno2IpNoteXykuJB2Ukyk2C7MayLa3/ZEUfPYrXMJaX2f/lPq7z7TpZbnSei2:oxIvLUE2C7YavCCGMaGHAPvH/GLxaE`
Imports Hash	`2c1bc5f83c2e089f93c7d6b644d47a73`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0xc4`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_I386`
NumberofSections	`5`
TimeDateStamp	2019-Feb-01 19:40:43
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xe0`
Characteristics	`IMAGE_FILE_32BIT_MACHINE` `IMAGE_FILE_EXECUTABLE_IMAGE`

Image Optional Header

Magic	`PE32`
LinkerVersion	`12.0`
SizeOfCode	`0x3000`
SizeOfInitializedData	`0x1000`
SizeOfUninitializedData	`0x19000`
AddressOfEntryPoint	`0x00002705 (Section: .text)`
BaseOfCode	`0x1000`
BaseOfData	`0x4000`
ImageBase	`0x400000`
SectionAlignment	`0x1000`
FileAlignment	`0x1000`
OperatingSystemVersion	`6.0`
ImageVersion	`6.0`
SubsystemVersion	`6.1`
Win32VersionValue	`0`
SizeOfImage	`0x23000`
SizeOfHeaders	`0x1000`
Checksum	`0xcdd86667`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` `IMAGE_DLLCHARACTERISTICS_NX_COMPAT` `IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`d314a8f7420cdfe89a3490ae25ea01e0`
SHA1	`2250e8be6cc65eae12eb9883b269aa6b6d311894`
SHA256	`8ceea3d254fe25ad861fd67c6838c22dc659bdeed5c46c3826a6739a107d5ea3`
SHA3	`12ef7c826c7361b95f9a8f3af472dd357b283e1c8702db189c9a6fdf624c4fc3`
VirtualSize	`0x2c56`
VirtualAddress	`0x1000`
SizeOfRawData	`0x3000`
PointerToRawData	`0x1000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.46435`

.rdata

MD5	`2495d6dee8e84be7a3b7a1d279069eb9`
SHA1	`1cd8106286aaaa27b5d9b45c14e8e3fbdee57770`
SHA256	`2b297aaf28a582d199c85270ec63b42cccae263e8a895cf0a1566d804c0f3542`
SHA3	`c465e74041b838feb2807a1371738c76b0607ae05d34484212940633d240bf74`
VirtualSize	`0x1a66a`
VirtualAddress	`0x4000`
SizeOfRawData	`0x1b000`
PointerToRawData	`0x4000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`7.87929`

.data

MD5	`d4355dafa34fdf3905b8d9f722152538`
SHA1	`c5dc21cf5d5da4c6f431236d76ae8c90f6bcb017`
SHA256	`2c9c103b2556d3323d10b9b59a62e67a3955f5f850a15c60095aa544d93bcf80`
SHA3	`44ff4a95162d865d247d2df8e8eeb47bf814b2c101c07fadd3f61724fd75fefe`
VirtualSize	`0x1a18`
VirtualAddress	`0x1f000`
SizeOfRawData	`0x1000`
PointerToRawData	`0x1f000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`1.82958`

.rsrc

MD5	`0c9d096f33be2f389b7d5a8007b972f5`
SHA1	`2c87f94f1fa8244106abc3d79427f980c124a839`
SHA256	`783ef1bf43ceb393e217ae8ca4ac3462666e24a4360d40823ad144f4eddd1bd6`
SHA3	`3e1dc920f5667dd89e05c8a72cc71d096f6f5a3ee4f79f970d279444186af694`
VirtualSize	`0x390`
VirtualAddress	`0x21000`
SizeOfRawData	`0x1000`
PointerToRawData	`0x20000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`0.934128`

.reloc

MD5	`e3cdffdc22f267af031790a2f5fcbb3c`
SHA1	`bcf03ee55bd08198fcfea68d8da9ee5ffe62fbf5`
SHA256	`6532733dcb1f90a39eaa65c2f7212dc9b3bc1653c667eab10af6c13f36e76ae8`
SHA3	`41c0310874bc9c07610313765a2d2aa8cb184567e0b33960d08e4bd45c9fb606`
VirtualSize	`0x154`
VirtualAddress	`0x22000`
SizeOfRawData	`0x1000`
PointerToRawData	`0x21000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`0.823291`

Imports

WS2_32.dll	`#112`
ADVAPI32.dll	`IsTokenRestricted` `GetSecurityDescriptorControl`
WINMM.dll	`mixerGetControlDetailsW`
KERNEL32.dll	`GetCommandLineW` `GetCurrentProcessId` `GetThreadLocale` `GetTapePosition` `CloseHandle` `Heap32Next` `GetComputerNameA` `ReadConsoleA`
IMM32.dll	`ImmGetCandidateListW`
CRYPT32.dll	`CryptProtectData`
USER32.dll	`GetDesktopWindow` `UserHandleGrantAccess` `GetIconInfo` `UnhookWinEvent`
SHLWAPI.dll	`PathGetDriveNumberW`
GDI32.dll	`GetPath` `SelectObject`
WinSCard.dll	`SCardGetStatusChangeA`
ole32.dll	`CoFileTimeNow`
POWRPROF.dll	`GetActivePwrScheme`
msvcrt.dll	`memset`

Delayed Imports

1

Type	`RT_VERSION`
Language	UNKNOWN
Codepage	UNKNOWN
Size	`0x330`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.31891`
MD5	`d4da91e398415d40438259c763ece8c8`
SHA1	`57d8d025879717901157962b75b1940c6dabe43b`
SHA256	`c55abd37ae18817c70804c4f0aa1f9a7e3a50b4df79835b107c5a8d83d740f70`
SHA3	`a7032182db5b73c84a62420e88e8281c8eaada76e195f468a3b3da6678fcfcfd`

Version Info

Signature	`0xfeef04bd`
StructVersion	`0x10000`
FileVersion	2.0.0.2
ProductVersion	2.0.2.0
FileFlags	`(EMPTY)`
FileOs	`VOS_DOS_WINDOWS32` `VOS_NT` `VOS_NT_WINDOWS32` `VOS_WINCE` `VOS__WINDOWS32`
FileType	`VFT_DLL`
Language	English - United States
Comments	Built-in compression
CompanyName	Microsoft Corporation
FileDescription	lispfile
FileVersion (#2)	2.0
InternalName	amstoune
LegalCopyright	Copyright © 1995 Microsoft Corporation
OriginalFilename	kbdinguj.dl
ProductName
rosoft® W	tore
ProductVersion (#2)	6.

Resource LangID	UNKNOWN

UNKNOWN

Characteristics	`37527754`
TimeDateStamp	2077-Nov-10 06:37:34
Version	`34697.13672`
SizeofData	`3843880519`
AddressOfRawData	`0x52973ee5`
PointerToRawData	`0xf53f7c43`

UNKNOWN (#2)

Characteristics	`1370484768`
TimeDateStamp	2014-Aug-23 03:04:45
Version	`65418.19839`
SizeofData	`1533991832`
AddressOfRawData	`0x19bad29`
PointerToRawData	`0x5db08b44`

TLS Callbacks

Load Configuration

RICH Header

XOR Key	`0x4fa4adae`
Unmarked objects	`0`
Imports (VS2015 UPD1 build 23506)	`11246875`
Imports (VS97 SP3 link 5.10.7303)	`13429659`
Exports (VS2013 build 21005)	`16735890`
Resource objects (VS2002 (.NET) build 9466)	`10133273`
Linker (VS2002 (.NET) build 9466)	`9654814`

Errors

[*] Warning: The WIN_CERTIFICATE appears to be invalid.