Manalyze report for a193184e61e34e2bc36289deaafdec37

Summary

Architecture	`IMAGE_FILE_MACHINE_I386`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	1970-Jan-01 00:00:00
Detected languages	English - United States

Plugin Output

Info	Matching compiler(s):	`Microsoft Visual C++ 6.0 - 8.0`
Suspicious	The PE contains functions most legitimate programs don't use.	`[!] The program may be hiding some of its imports: GetProcAddress LoadLibraryExW` `Functions which can be used for anti-debugging purposes: CreateToolhelp32Snapshot` `Leverages the raw socket API to access the Internet: #3 getaddrinfo #115 #19 #23 #4 #16 freeaddrinfo #21 #111` `Manipulates other processes: Process32First OpenProcess Process32Next`
Malicious	VirusTotal score: 48/68 (Scanned on 2019-03-01 03:39:50)	`MicroWorld-eScan: Trojan.GenericKD.5333249` `CAT-QuickHeal: Trojan.Endowerpo` `McAfee: Trojan-FNDH!A193184E61E3` `K7GW: Trojan ( 00510ef01 )` `K7AntiVirus: Trojan ( 00510ef01 )` `TrendMicro: TROJ_INDUSTROYER.C` `F-Prot: W32/Industroyer.B.gen!Eldorado` `Symantec: Backdoor.Industroyer` `TrendMicro-HouseCall: TROJ_INDUSTROYER.C` `Paloalto: generic.ml` `Kaspersky: Trojan.Win32.Industroyer.c` `BitDefender: Trojan.GenericKD.5333249` `NANO-Antivirus: Trojan.Win32.Industroyer.errctz` `Avast: Win32:Malware-gen` `Rising: Trojan.Industroyer!8.E852 (CLOUD)` `Endgame: malicious (high confidence)` `Emsisoft: Trojan.GenericKD.5333249 (B)` `Comodo: Malware@#3e6e8fsjode2u` `F-Secure: Trojan.TR/Agent.ntnvk` `DrWeb: Trojan.Industroyer.5` `Zillya: Trojan.Industroyer.Win32.3` `McAfee-GW-Edition: Trojan-FNDH!A193184E61E3` `Fortinet: W32/Industroyer.A!tr` `Cyren: W32/Industroyer.B.gen!Eldorado` `Webroot: W32.Trojan.Gen` `Avira: TR/Agent.ntnvk` `MAX: malware (ai score=100)` `Antiy-AVL: Trojan/Win32.Industroyer` `Arcabit: Trojan.Generic.D516101` `ViRobot: Trojan.Win32.Industroyer.136704.A` `ZoneAlarm: Trojan.Win32.Industroyer.c` `Microsoft: Trojan:Win32/CrashOverride.A` `Sophos: Troj/Idtroyer-H` `AhnLab-V3: Trojan/Win32.Industroyer.R202380` `VBA32: Trojan.Industroyer` `ALYac: Trojan.Agent.Endowerpo` `TACHYON: Trojan/W32.Industroyer.136704` `Ad-Aware: Trojan.GenericKD.5333249` `ESET-NOD32: a variant of Win32/Industroyer.A` `Tencent: Win32.Trojan.Industroyer.Klbs` `Yandex: Trojan.Industroyer!` `Ikarus: Trojan.Industroyer` `eGambit: Trojan.Generic` `GData: Win32.Backdoor.Industroyer.F` `AVG: Win32:Malware-gen` `Panda: Trj/GdSda.A` `CrowdStrike: win/malicious_confidence_100% (W)` `Qihoo-360: Trojan.Generic`

Hashes

MD5	`a193184e61e34e2bc36289deaafdec37`
SHA1	`94488f214b165512d2fc0438a581f5c9e3bd4d4c`
SHA256	`7907dd95c1d36cf3dc842a1bd804f0db511a0f68f4b3d382c23a3c974a383cad`
SHA3	`41e14184a62586466ed2e57bccbbbefae804264b4d5475bd3b7164d54d484750`
SSDeep	`3072:McaprOfoaXmgD31r4VWBvRZoiTprUZNZ9VQ6s6W9:McuOJ2gD31QW51pgE6st9`
Imports Hash	`d2b465d6595e8cf3197d045c9c081e67`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0x118`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_I386`
NumberofSections	`6`
TimeDateStamp	1970-Jan-01 00:00:00
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xe0`
Characteristics	`IMAGE_FILE_32BIT_MACHINE` `IMAGE_FILE_DLL` `IMAGE_FILE_EXECUTABLE_IMAGE`

Image Optional Header

Magic	`PE32`
LinkerVersion	`14.0`
SizeOfCode	`0x17400`
SizeOfInitializedData	`0xa800`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x00005658 (Section: .text)`
BaseOfCode	`0x1000`
BaseOfData	`0x19000`
ImageBase	`0x10000000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`5.1`
ImageVersion	`0.0`
SubsystemVersion	`5.1`
Win32VersionValue	`0`
SizeOfImage	`0x27000`
SizeOfHeaders	`0x400`
Checksum	`0`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` `IMAGE_DLLCHARACTERISTICS_NX_COMPAT`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`edbc3326130d90b2f27839f5c7d2459d`
SHA1	`63a342c3fd5ea4a0700f1dc789e02e710118654a`
SHA256	`4abb48b6c831c88e97c98402fe5bc50e47648d29cf3b95b5a13226cdcd78ed41`
SHA3	`cd882be275f191570570531228dda6584b698b572c4b9aec7c27225dd1dedbe0`
VirtualSize	`0x17275`
VirtualAddress	`0x1000`
SizeOfRawData	`0x17400`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.6655`

.rdata

MD5	`f2379bbe1def3d287f98c8b66c2cb365`
SHA1	`5fd4a935e42f6c84284f886d78423c49e57b114c`
SHA256	`10b3e6f07d0a7762abd32d9b2798115faa1ddd393f7d71dc7e50c3719447d61e`
SHA3	`97dde1a5279a3dedfd01344e8e9675cb14ce088169e0d390a8e182f4c7b1b543`
VirtualSize	`0x7918`
VirtualAddress	`0x19000`
SizeOfRawData	`0x7a00`
PointerToRawData	`0x17800`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`5.3916`

.data

MD5	`26bfc131cc1f6a9331dd1811617ac5c2`
SHA1	`1c93391be2a94b26613723424f650009bbee2d54`
SHA256	`bd349745fdd464870ce1c40c8c78c94103699be6da905380d0bd4348a226c434`
SHA3	`8cb1335d258ea217609d3cf4d840f15b297f804a2b1448b8ea0606f817eaf53e`
VirtualSize	`0x13bc`
VirtualAddress	`0x21000`
SizeOfRawData	`0xa00`
PointerToRawData	`0x1f200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`2.5358`

.gfids

MD5	`8a00be9b93fae3d52b578f84000a7248`
SHA1	`c0f9bc745e4e1b358e1f10d1f1bd9f8c52971b7a`
SHA256	`fd8ecc70c9c93c9feea72f3646696aeecfbb41e777cac9219958bbe1632ee79a`
SHA3	`f6ea5ed5deb7ea858ae7d5a55f7753d1e760149e33187a9ccadcd1e032fae918`
VirtualSize	`0x100`
VirtualAddress	`0x23000`
SizeOfRawData	`0x200`
PointerToRawData	`0x1fc00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`1.94658`

.rsrc

MD5	`daefabcc5853733844632a0d26725281`
SHA1	`ab4d6846de72fb7bc11deb2570b6189dbedae77e`
SHA256	`204308c824f32ed4bb88eee5c37161f2fc974a3f75ee0ee8a4564c093c6efe1d`
SHA3	`b02f986e47faa1c832cd37c8c8335e926df333d96f45138e19f7fed713ef61da`
VirtualSize	`0x1e0`
VirtualAddress	`0x24000`
SizeOfRawData	`0x200`
PointerToRawData	`0x1fe00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`4.72082`

.reloc

MD5	`123ad46f18c8e23cafabd1f48294a734`
SHA1	`12cdf63b7ce8349799a279b3c0b01da0d6115197`
SHA256	`498d08cfc3c93992b9f9ce98c8d538338300e5be0d5d127287a229c4d5ee49df`
SHA3	`ca78ab987c0a7f3d19e87ab083c7fe75dd9b08bcf6e496d187eb6a8af2ba3536`
VirtualSize	`0x14f8`
VirtualAddress	`0x25000`
SizeOfRawData	`0x1600`
PointerToRawData	`0x20000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`6.44828`

Imports

KERNEL32.dll	`Process32First` `SetConsoleTextAttribute` `GetStdHandle` `TerminateProcess` `WaitForMultipleObjects` `SetThreadPriority` `OpenProcess` `CreateToolhelp32Snapshot` `Sleep` `Process32Next` `CloseHandle` `CreateThread` `ReadConsoleW` `ReadFile` `SetEndOfFile` `HeapReAlloc` `HeapSize` `WriteConsoleW` `SetFilePointerEx` `SetStdHandle` `FlushFileBuffers` `UnhandledExceptionFilter` `SetUnhandledExceptionFilter` `GetCurrentProcess` `IsProcessorFeaturePresent` `IsDebuggerPresent` `GetStartupInfoW` `GetModuleHandleW` `QueryPerformanceCounter` `GetCurrentProcessId` `GetCurrentThreadId` `GetSystemTimeAsFileTime` `InitializeSListHead` `EncodePointer` `RaiseException` `InterlockedFlushSList` `GetLastError` `SetLastError` `RtlUnwind` `EnterCriticalSection` `LeaveCriticalSection` `DeleteCriticalSection` `InitializeCriticalSectionAndSpinCount` `TlsAlloc` `TlsGetValue` `TlsSetValue` `TlsFree` `FreeLibrary` `GetProcAddress` `LoadLibraryExW` `ExitProcess` `GetModuleHandleExW` `GetModuleFileNameA` `MultiByteToWideChar` `WideCharToMultiByte` `HeapFree` `HeapAlloc` `LCMapStringW` `GetFileType` `GetACP` `WriteFile` `GetConsoleCP` `GetConsoleMode` `GetStringTypeW` `FindClose` `FindFirstFileExA` `FindNextFileA` `IsValidCodePage` `GetOEMCP` `GetCPInfo` `GetCommandLineA` `GetCommandLineW` `GetEnvironmentStringsW` `FreeEnvironmentStringsW` `GetProcessHeap` `CreateFileW` `DecodePointer`
WS2_32.dll	`#3` `getaddrinfo` `#115` `#19` `#23` `#4` `#16` `freeaddrinfo` `#21` `#111`

Delayed Imports

Crash

Ordinal	`1`
Address	`0x14e0`

2

Type	`RT_MANIFEST`
Language	English - United States
Codepage	UNKNOWN
Size	`0x17d`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`4.91161`
MD5	`1e4a89b11eae0fcf8bb5fdd5ec3b6f61`
SHA1	`4260284ce14278c397aaf6f389c1609b0ab0ce51`
SHA256	`4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df`
SHA3	`4bb9e8b5a714cae82782f3831cc2d45f4bf4a50a755fe584d2d1893129d68353`

Version Info

IMAGE_DEBUG_TYPE_POGO

Characteristics	`0`
TimeDateStamp	2016-Dec-18 02:48:22
Version	`0.0`
SizeofData	`764`
AddressOfRawData	`0x1f5f4`
PointerToRawData	`0x1ddf4`

IMAGE_DEBUG_TYPE_ILTCG

Characteristics	`0`
TimeDateStamp	2016-Dec-18 02:48:22
Version	`0.0`
SizeofData	`0`
AddressOfRawData	`0`
PointerToRawData	`0`

TLS Callbacks

Load Configuration

Size	`0x5c`
TimeDateStamp	`1970-Jan-01 00:00:00`
Version	`0.0`
GlobalFlagsClear	`(EMPTY)`
GlobalFlagsSet	`(EMPTY)`
CriticalSectionDefaultTimeout	`0`
DeCommitFreeBlockThreshold	`0`
DeCommitTotalFreeThreshold	`0`
LockPrefixTable	`0`
MaximumAllocationSize	`0`
VirtualMemoryThreshold	`0`
ProcessAffinityMask	`0`
ProcessHeapFlags	`(EMPTY)`
CSDVersion	`0`
Reserved1	`0`
EditList	`0`
SecurityCookie	`0x10021008`
SEHandlerTable	`0x1001f5c0`
SEHandlerCount	`13`

RICH Header

XOR Key	`0x4a345c9e`
Unmarked objects	`0`
241 (40116)	`10`
243 (40116)	`137`
242 (40116)	`24`
199 (41118)	`2`
ASM objects (VS2015 UPD3 build 24123)	`18`
C++ objects (VS2015 UPD3 build 24123)	`29`
C objects (VS2015 UPD3 build 24123)	`16`
Imports (VS2008 SP1 build 30729)	`5`
Total imports	`106`
265 (VS2015 UPD3 build 24210)	`8`
Exports (VS2015 UPD3 build 24210)	`1`
Resource objects (VS2015 UPD3 build 24210)	`1`
Linker (VS2015 UPD3 build 24210)	`1`

a193184e61e34e2bc36289deaafdec37

Summary

Plugin Output

Hashes

DOS Header

PE Header

Image Optional Header

.text

.rdata

.data

.gfids

.rsrc

.reloc

Imports

Delayed Imports

Crash

2

Version Info

IMAGE_DEBUG_TYPE_POGO

IMAGE_DEBUG_TYPE_ILTCG

TLS Callbacks

Load Configuration

RICH Header

Errors