Manalyze report for a2929a61e4d63dd3c15749b2b7ed74ae

Summary

Architecture	`IMAGE_FILE_MACHINE_I386`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	1970-Mar-07 10:30:28
Detected languages	English - United Kingdom

Plugin Output

Suspicious	Strings found in the binary may indicate undesirable behavior:	`Contains references to security software: msinfo32.exe` `Tries to detect virtualized environments: b3 eb 36 e4 4f 52 ce 11 9f 53 00 20 af 0b a7 70 d1 29 06 e3 e5 27 ce 11 87 5d 00 60 8c b7 80 66` `May have dropper capabilities: CurrentControlSet\Services` `Contains another PE executable: This program cannot be run in DOS mode.` `Contains domain names: http://www.rockstargames.com http://www.rockstargames.com/sanandreas http://www.rockstarnorth.com http://www.securom.com http://www.securom.com/link_to_faq rockstargames.com rockstarnorth.com securom.com www.rockstargames.com www.rockstarnorth.com www.securom.com`
Info	Cryptographic algorithms detected in the binary:	`Uses constants related to CRC32` `Uses constants related to MD5` `Uses constants related to DES`
Suspicious	The PE is possibly packed.	`Unusual section name found: _rwcseg` `Unusual section name found: _TEXT_HA` `Unusual section name found: _rwdseg` `Section .text is both writable and executable.` `Section .data is both writable and executable.` `Unusual section name found: .dev1` `Section .dev1 is both writable and executable.` `Unusual section name found: .dev2`
Malicious	The PE contains functions mostly used by malware.	`[!] The program may be hiding some of its imports: GetProcAddress LoadLibraryA` `Functions which can be used for anti-debugging purposes: FindWindowA` `Code injection capabilities (PowerLoader): GetWindowLongA FindWindowA` `Can access the registry: RegCloseKey RegCreateKeyExA RegOpenKeyExA RegQueryValueExA RegOpenKeyA RegSetValueExA` `Memory manipulation functions often used by packers: VirtualProtect VirtualAlloc` `Leverages the raw socket API to access the Internet: #16 #19 #3 #9 #11 #4 #111 #115 #116 #23` `Enumerates local disk drives: GetVolumeInformationA GetDriveTypeA GetLogicalDriveStringsA`
Malicious	VirusTotal score: 3/66 (Scanned on 2020-08-20 14:35:54)	`Bkav: W32.AIDetectVM.malware2` `FireEye: Generic.mg.a2929a61e4d63dd3` `APEX: Malicious`

Hashes

MD5	`a2929a61e4d63dd3c15749b2b7ed74ae`
SHA1	`3a184bf69104e52e8396261432d9324211ef74bc`
SHA256	`af63c3b85c5a30a1fb4318ede6add911933ccc63ddac2f57eb63b7fbe212b8e2`
SHA3	`8a06f1d63b696972b81b66ac29b1f1178d94cdaa8970104fb53c0c041b8a7bb8`
SSDeep	`196608:B/DilPG7k1Cv4CJmV/UT5c2dFmSfyL3cC5kjzC5TnZHCtpAdjOAZ/ss:B/ulPG7wCACJmV/UTa0pLPMZ/X`
Imports Hash	`40e136b25c083bd1c043fd89de8b4fd5`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0x138`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_I386`
NumberofSections	`11`
TimeDateStamp	1970-Mar-07 10:30:28
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xe0`
Characteristics	`IMAGE_FILE_32BIT_MACHINE` `IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LINE_NUMS_STRIPPED` `IMAGE_FILE_LOCAL_SYMS_STRIPPED` `IMAGE_FILE_RELOCS_STRIPPED`

Image Optional Header

Magic	`PE32`
LinkerVersion	`7.0`
SizeOfCode	`0x458000`
SizeOfInitializedData	`0x45a000`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x00425330 (Section: .text)`
BaseOfCode	`0x1000`
BaseOfData	`0x459000`
ImageBase	`0x400000`
SectionAlignment	`0x1000`
FileAlignment	`0x1000`
OperatingSystemVersion	`4.0`
ImageVersion	`0.0`
SubsystemVersion	`4.0`
Win32VersionValue	`0`
SizeOfImage	`0x20e0000`
SizeOfHeaders	`0x1000`
Checksum	`0`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`28142b397a344e71f992449b67a8d7fd`
SHA1	`ed0f66b8da275c3e596273ecab7ccbd29c21b699`
SHA256	`53ae4dc5154c9fa26add945821373a402257cfd64495f5cab0398f2ae1985d93`
SHA3	`176345a1237f2b38dd4cee94c44f055d9162c441556e6bf55cf69650d0e180c2`
VirtualSize	`0x457000`
VirtualAddress	`0x1000`
SizeOfRawData	`0x45656a`
PointerToRawData	`0x1000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.69957`

_rwcseg

MD5	`f83d20b9c53f03555f49f20473281380`
SHA1	`da3c31bc554f634a13fbf80a5c16cb14ede53450`
SHA256	`680c50f5b14681ecd6c6cc49fc9422231228a6c27f6db848c6b6d3e64458acae`
SHA3	`803dcd419ed3e1044bf010f6c97a9a025769974322949acaf7cf6d2fdd0f561c`
VirtualSize	`0x1000`
VirtualAddress	`0x458000`
SizeOfRawData	`0x451`
PointerToRawData	`0x458000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`4.93956`

.rdata

MD5	`6ce3cbdbc0f898ea9ebfe43f50b4a490`
SHA1	`3ca8fe6a1baa1856f8501895032b73a9f1b9ff11`
SHA256	`3ae04ebd979e1281a0f916e4390035ba15fb3ce91aa90cbe1c2f6de47a404b09`
SHA3	`04d8a91effdaeebc886e86bb839f149f53befc598c8078e685f392413b3c37fa`
VirtualSize	`0x4c000`
VirtualAddress	`0x459000`
SizeOfRawData	`0x4b2b4`
PointerToRawData	`0x459000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`5.59106`

.data

MD5	`82f9db78e8480c0b3f40835cada2aca3`
SHA1	`fe916f9eea7f9b6fe16af8006138670adb28dd35`
SHA256	`a9ee3281d8c3a3db29fbfba78604388f10b1e43f572f0f2b0c298cb25eee2600`
SHA3	`8673553be1bd9dc63040497535085a84bec46f696f5033afffe2f412ecb0d65b`
VirtualSize	`0x3fb000`
VirtualAddress	`0x4a5000`
SizeOfRawData	`0x41558`
PointerToRawData	`0x4a5000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`4.83253`

_TEXT_HA

MD5	`66493140ee2c08e11feec07efbc2be24`
SHA1	`9feef46f2211b61fe8f4046029022f9bf7b5c69d`
SHA256	`55dce9b25c3f5599d4c8850c577ab3bd72d1554549840bd8ffb4d30050579248`
SHA3	`d10ebb821c672a21505283137670f4bf21d3612387909d349bdbc9a96c27ba5d`
VirtualSize	`0x11000`
VirtualAddress	`0x8a0000`
SizeOfRawData	`0x10a82`
PointerToRawData	`0x4e7000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`6.6357`

_rwdseg

MD5	`d41d8cd98f00b204e9800998ecf8427e`
SHA1	`da39a3ee5e6b4b0d3255bfef95601890afd80709`
SHA256	`e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`
SHA3	`a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a`
VirtualSize	`0x1000`
VirtualAddress	`0x8b1000`
SizeOfRawData	`0`
PointerToRawData	`0x8b1000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`

.rsrc

MD5	`38b317a39f3c40f22118a557328881c5`
SHA1	`ee57ca7fd7d39d3c0e0a7db6ac03c1afff0a6781`
SHA256	`da1000fec47ba2535fcaea3835c918b6382716dfb32485fc83f9a61d6f8faa19`
SHA3	`07baa2e852030117a935fba5f0b5f686525f3be4e74f8daee7c26a09ae080ccf`
VirtualSize	`0x1000`
VirtualAddress	`0x8b2000`
SizeOfRawData	`0x1000`
PointerToRawData	`0x4f8000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`1.67488`

.text (#2)

MD5	`4c82413fd45ef2a7e08263eec66fb6dc`
SHA1	`349b6bf730dd5fa4e14a1ac08299a5ce08958c84`
SHA256	`b7b520df349f91cc8185dde5c07e8e27d1ed4bdb6b9cf68fae0435dd4caff450`
SHA3	`c44af2b5864c142978fa0fcb2c782ab6b0f583498513654004c246a0f5e77d3f`
VirtualSize	`0x528000`
VirtualAddress	`0x8b3000`
SizeOfRawData	`0x51ad70`
PointerToRawData	`0x4f9000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`6.4431`

.data (#2)

MD5	`9bf65b736dd25c397492bfd76a33d618`
SHA1	`a3e228ad2c5a00a72dc020b19713f84d2adf33bc`
SHA256	`6c1ebf106b5988e357744bee6d4925bbe35ea66ec50d124b98ba56911cfb1f73`
SHA3	`80692caaac60fc6893e41bb45d2bc508209645189e01a03ce2a6641130b7ee07`
VirtualSize	`0x2b8000`
VirtualAddress	`0xddb000`
SizeOfRawData	`0x2b6b66`
PointerToRawData	`0xa14000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`3.43323`

.dev1

MD5	`18a49707f2a486b59326f43cea56b030`
SHA1	`a11b717f1a626621a8040e41a1e830e56e455d27`
SHA256	`f2095024370d20010f067a3394f3ed25b6f45ddb4d8f76407476253e1787621c`
SHA3	`ea246551bdd4b65ce4bb642dd21b0dfd5c9d63f04d4b2060dbddcd57515a7ede`
VirtualSize	`0xc4d000`
VirtualAddress	`0x1093000`
SizeOfRawData	`0x9270c`
PointerToRawData	`0xccb000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`7.00527`

.dev2

MD5	`fcc4e59844ee66de2b55d6e5f6005199`
SHA1	`8576e4be11d2db6bd645a63b49e7ee82682dc0bd`
SHA256	`a21fa98b4f6416c118aec5869adc7789b6403b4697aa5e28f3fe2185065e9082`
SHA3	`92e9e196ba7e381a8ce18a40a121b00e5af64cebbfb7617f9a6ba36980d0a07c`
VirtualSize	`0x400000`
VirtualAddress	`0x1ce0000`
SizeOfRawData	`0x1b5000`
PointerToRawData	`0xd5e000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`5.5627`

Imports

WINMM.dll	`timeEndPeriod` `timeGetTime` `timeBeginPeriod` `timeGetDevCaps`
vorbisfile.dll	`ov_open_callbacks` `ov_clear` `ov_time_total` `ov_time_tell` `ov_read` `ov_info` `ov_time_seek`
WS2_32.dll	`#16` `#19` `#3` `#9` `#11` `#4` `#111` `#115` `#116` `#23`
EAX.DLL	`#6`
KERNEL32.dll	`VirtualProtect` `GetOEMCP` `GetACP` `IsBadCodePtr` `IsBadReadPtr` `GetStringTypeW` `GetStringTypeA` `IsValidCodePage` `IsValidLocale` `EnumSystemLocalesA` `GetLocaleInfoA` `GetCPInfo` `GetDateFormatA` `VirtualQuery` `GetTickCount` `GetModuleHandleA` `GetProcAddress` `LoadLibraryA` `GetFileSize` `CloseHandle` `LocalFree` `WaitForSingleObjectEx` `GetOverlappedResult` `WaitForSingleObject` `ReleaseSemaphore` `SetFilePointer` `GetLastError` `ReadFile` `SetLastError` `CreateFileA` `ResumeThread` `SetThreadPriority` `GetThreadPriority` `GetCurrentThread` `CreateThread` `LocalAlloc` `CreateSemaphoreA` `GetDiskFreeSpaceA` `Sleep` `QueryPerformanceCounter` `InterlockedIncrement` `InterlockedDecrement` `lstrcatA` `lstrcpyA` `lstrlenA` `DeleteCriticalSection` `SuspendThread` `LeaveCriticalSection` `EnterCriticalSection` `InitializeCriticalSection` `MultiByteToWideChar` `DeleteFileA` `TerminateThread` `FindClose` `FindNextFileA` `GetFileAttributesA` `FindFirstFileA` `FreeLibrary` `QueryPerformanceFrequency` `OutputDebugStringA` `GetLocalTime` `CreateDirectoryA` `GetUserDefaultLCID` `SetStdHandle` `CreateEventA` `GetVolumeInformationA` `GetDriveTypeA` `GetLogicalDriveStringsA` `SetErrorMode` `GlobalMemoryStatus` `GetVersionExA` `GetCommandLineA` `GetFullPathNameA` `WideCharToMultiByte` `lstrcmpiA` `GetSystemInfo` `IsProcessorFeaturePresent` `LockResource` `LoadResource` `SizeofResource` `FindResourceA` `FindResourceW` `MapViewOfFile` `CreateFileMappingA` `CreateFileW` `UnmapViewOfFile` `ReleaseMutex` `CreateMutexA` `GetCurrentProcessId` `GetSystemDirectoryA` `GetModuleFileNameA` `FreeEnvironmentStringsA` `UnhandledExceptionFilter` `IsBadWritePtr` `VirtualAlloc` `VirtualFree` `HeapCreate` `HeapDestroy` `GetFileType` `GetStdHandle` `SetHandleCount` `FlushFileBuffers` `LCMapStringW` `LCMapStringA` `WriteFile` `FatalAppExitA` `SetUnhandledExceptionFilter` `HeapSize` `TlsAlloc` `TlsGetValue` `TlsSetValue` `GetCurrentThreadId` `TlsFree` `GetStartupInfoA` `HeapReAlloc` `HeapAlloc` `HeapFree` `GetSystemTimeAsFileTime` `GetCurrentProcess` `TerminateProcess` `ExitProcess` `RtlUnwind` `RaiseException` `InterlockedExchange` `FreeEnvironmentStringsW` `GetEnvironmentStringsW` `SetConsoleCtrlHandler` `GetTimeFormatA` `CompareStringA` `CompareStringW` `SetEnvironmentVariableA` `GetTimeZoneInformation` `SetEndOfFile` `GetLocaleInfoW` `GetCurrentDirectoryA` `GetSystemDefaultLCID` `SetCurrentDirectoryA` `GetEnvironmentStrings`
USER32.dll	`wsprintfA` `IsIconic` `GetWindowLongA` `GetMenu` `AdjustWindowRectEx` `SystemParametersInfoA` `DestroyWindow` `SetWindowLongA` `ShowWindow` `LoadIconA` `LoadCursorA` `RegisterClassA` `ReleaseCapture` `GetWindowPlacement` `SetTimer` `ClipCursor` `PostQuitMessage` `SetCursor` `SetCapture` `DefWindowProcA` `MapVirtualKeyA` `UpdateWindow` `GetKeyState` `FindWindowA` `SetForegroundWindow` `PeekMessageA` `DispatchMessageA` `TranslateMessage` `GetKeyboardLayout` `DialogBoxParamA` `EndDialog` `GetDlgItem` `SetFocus` `SendMessageA` `SetWindowPos` `AdjustWindowRect` `CreateWindowExA` `ShowCursor` `GetWindowRect` `MessageBoxA` `SetWindowTextA` `ClientToScreen` `SetCursorPos` `GetClientRect`
GDI32.dll	`DeleteObject`
ADVAPI32.dll	`RegCloseKey` `RegCreateKeyExA` `RegOpenKeyExA` `RegQueryValueExA` `RegOpenKeyA` `RegSetValueExA`
ole32.dll	`CoCreateInstance` `CoInitialize` `CoUninitialize`
d3d9.dll (delay-loaded)	`Direct3DCreate9`

Delayed Imports

Attributes	`0x1`
Name	`d3d9.dll`
ModuleHandle	`0x89ce7c`
DelayImportAddressTable	`0x4e6554`
DelayImportNameTable	`0x4a2fb0`
BoundDelayImportTable	`0x4a2ff8`
UnloadDelayImportTable	`0`
TimeStamp	`1970-Jan-01 00:00:00`

1

Type	`RT_ICON`
Language	English - United Kingdom
Codepage	UNKNOWN
Size	`0x2e8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`4.26682`
MD5	`fc68ba237e908cf829e29de0836713bc`
SHA1	`ded3095a8dce64c5a8bbe44d505d4c0c44cb836f`
SHA256	`55f26b64c0b072c8b33b6e250b1a13e6e351f46fef2975f93542ff7c2b94d1e6`
SHA3	`89c60cddf73385b46656eca556a9e9e1e796334b131487dcdc13d34529dc74b4`

104

Type	`RT_DIALOG`
Language	English - United Kingdom
Codepage	UNKNOWN
Size	`0x138`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`4.01767`
MD5	`d9c6ead0dce188b414c310eed365a020`
SHA1	`c4ed7497b2e64cdc961c7722ae307ae7beed4f1f`
SHA256	`a72f36872f57d8a298ff6c28230e54cb4c71b6d35ce265d3803f378139d9773b`
SHA3	`42b2c93bfc3d9409bbdf6564e62eeccde961ecf1955f0f22b6de240798d748eb`

100

Type	`RT_GROUP_ICON`
Language	English - United Kingdom
Codepage	UNKNOWN
Size	`0x14`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.16096`
Detected Filetype	Icon file
MD5	`42cf62b780813706e75fb9f2b2e8c258`
SHA1	`a022d5c1cfdd8aace0089f3e72f2eedd41bda464`
SHA256	`a0c9d012e2bf6b2fe05c2d97cb5594d97cf2f539e97935c12abd7a3562f4d9bf`
SHA3	`0aafc8e3d8b6bde595537da4ffe0efc5fe53f01dafe336a2a5828b6a71283d3c`

Version Info

IMAGE_DEBUG_TYPE_UNKNOWN

Characteristics	`0`
TimeDateStamp	1970-Jan-01 00:00:00
Version	`0.0`
SizeofData	`0`
AddressOfRawData	`0`
PointerToRawData	`0`

TLS Callbacks

Load Configuration

RICH Header

XOR Key	`0x5ca67d0`
Unmarked objects	`0`
39 (9162)	`8`
ASM objects (VS2002 (.NET) build 9466)	`49`
C objects (VS2002 (.NET) build 9466)	`165`
Linker (VC++ 6.0 SP5 imp/exp build 8447)	`2`
C objects (VS98 build 8168)	`5`
Linker (VS98 build 8168)	`2`
C objects (9178)	`5`
Imports (9210)	`15`
Total imports	`218`
42 (8803)	`3`
18 (8444)	`6`
C++ objects (9178)	`48`
48 (9044)	`121`
Unmarked objects (#2)	`2`
C++ objects (VS2002 (.NET) build 9466)	`469`
Resource objects (VS2002 (.NET) build 9466)	`1`
Linker (VS2002 (.NET) build 9466)	`1`

Errors

[*] Warning: Section _rwdseg has a size of 0!
[!] Error: Yara error: ERROR_TOO_MANY_MATCHES