Manalyze report for a4977a10850455f6d3144aa4ea7958a8

Summary

Architecture	`IMAGE_FILE_MACHINE_I386`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	2019-Jul-09 14:23:33
Detected languages	English - United States
CompanyName	Net Framework Svc
ProductName	Net Framework Svc Service
ProductVersion	`2, 0, 4, 21`
InternalName	NetFrameworkSvc.exe
OriginalFilename	NetFrameworkSvc.exe
FileVersion	`2, 0, 4, 21`
FileDescription	Net Framework Svc Service Loader
LegalCopyright	Net Framework Svc
LegalTrademarks	Net Framework Svc INC

Plugin Output

Info	Matching compiler(s):	`Microsoft Visual C++ 6.0 - 8.0`
Info	Cryptographic algorithms detected in the binary:	`Uses constants related to CRC32`
Suspicious	The PE contains functions most legitimate programs don't use.	`[!] The program may be hiding some of its imports: GetProcAddress LoadLibraryExW LoadLibraryA` `Possibly launches other programs: CreateProcessW` `Can create temporary files: GetTempPathW CreateFileW` `Leverages the raw socket API to access the Internet: ntohl` `Enumerates local disk drives: GetDriveTypeW`
Suspicious	The file contains overlay data.	`1633465 bytes of data starting at offset 0x3d800.` `The overlay data has an entropy of 7.99967 and is possibly compressed or encrypted.` `Overlay data amounts for 86.639% of the executable.`
Malicious	VirusTotal score: 53/71 (Scanned on 2025-02-03 15:45:34)	`ALYac: Trojan.Autoruns.GenericKD.41938141` `APEX: Malicious` `AVG: Win32:Trojan-gen` `AhnLab-V3: Malware/Win32.Generic.C3460484` `Alibaba: Trojan:Win32/DefenseEvasion.305cc889` `Arcabit: Trojan.Autoruns.Generic.D27FECDD` `Avast: Win32:Trojan-gen` `Avira: TR/Spy.Gen` `BitDefender: Trojan.Autoruns.GenericKD.41938141` `Bkav: W32.AIDetectMalware` `CAT-QuickHeal: Trojan.Ghanarava.17317545787958a8` `CTX: exe.trojan.clipbanker` `CrowdStrike: win/malicious_confidence_100% (W)` `Cylance: Unsafe` `Cynet: Malicious (score: 99)` `DeepInstinct: MALICIOUS` `DrWeb: Python.ClipBanker.26` `ESET-NOD32: Python/ClipBanker.E` `Elastic: malicious (high confidence)` `Emsisoft: Trojan.Autoruns.GenericKD.41938141 (B)` `F-Secure: Trojan.TR/Spy.Gen` `FireEye: Trojan.Autoruns.GenericKD.41938141` `Fortinet: W32/ClipBanker.E!tr` `GData: Trojan.Autoruns.GenericKD.41938141` `Google: Detected` `Ikarus: Trojan.Python.Clipbanker` `K7AntiVirus: Trojan ( 005281b21 )` `K7GW: Trojan ( 005281b21 )` `Kaspersky: Trojan.Win32.Scar.sokv` `Lionic: Trojan.Win32.ClipBanker.Z!c` `Malwarebytes: Neshta.Virus.FileInfector.DDS` `MaxSecure: Trojan.Malware.1728101.susgen` `McAfee: GenericR-QRZ!A4977A108504` `McAfeeD: ti!EE0153AAEC5E` `MicroWorld-eScan: Trojan.Autoruns.GenericKD.41938141` `Microsoft: Trojan:Win32/DefenseEvasion!rfn` `NANO-Antivirus: Trojan.Win32.Scar.fyqzbt` `Paloalto: generic.ml` `Panda: Trj/CI.A` `SUPERAntiSpyware: Trojan.Agent/Gen-Scar` `Skyhigh: BehavesLike.Win32.Dropper.tc` `Sophos: Mal/Generic-S` `Symantec: ML.Attribute.HighConfidence` `Tencent: Win32.Trojan.Scar.Fwnw` `TrendMicro: Trojan.Win32.CLIPBANKER.AC` `TrendMicro-HouseCall: Trojan.Win32.CLIPBANKER.AC` `VBA32: Trojan.Bitrep` `VIPRE: Trojan.Autoruns.GenericKD.41938141` `Varist: W32/ABTrojan.QKHQ-2341` `VirIT: Trojan.Win32.PSWStealer.QK` `Xcitium: Malware@#2r4enef8rw3pb` `Yandex: Trojan.Igent.bYOs3Q.3` `alibabacloud: Trojan[spy]:Python/ClipBanker.E`

Hashes

MD5	`a4977a10850455f6d3144aa4ea7958a8`
SHA1	`e1aeecd1a2b049d39e9a25da67a09453f5283b7c`
SHA256	`ee0153aaec5e9a526ce5761a2d48a4eaff2335f7f04e86b0b6d540e70064e57f`
SHA3	`3f1bcb3c5befc5f05ac66c6e6f717f2cfa41273d9b66fadae83dd5ce79153141`
SSDeep	`49152:f++DTPsul2kl4/CdJ8aCGvKu9oL5a6206Su3RrEx2/gz7iJD:fgul27/Cb+5u9oVa6Tud3YyJD`
Imports Hash	`91ae93ed3ff0d6f8a4f22d2edd30a58e`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0x108`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_I386`
NumberofSections	`6`
TimeDateStamp	2019-Jul-09 14:23:33
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xe0`
Characteristics	`IMAGE_FILE_32BIT_MACHINE` `IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LARGE_ADDRESS_AWARE`

Image Optional Header

Magic	`PE32`
LinkerVersion	`14.0`
SizeOfCode	`0x1ee00`
SizeOfInitializedData	`0x1e600`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x00007B43 (Section: .text)`
BaseOfCode	`0x1000`
BaseOfData	`0x20000`
ImageBase	`0x400000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`5.1`
ImageVersion	`0.0`
SubsystemVersion	`5.1`
Win32VersionValue	`0`
SizeOfImage	`0x4f000`
SizeOfHeaders	`0x400`
Checksum	`0`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` `IMAGE_DLLCHARACTERISTICS_NX_COMPAT` `IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`4ade2bca04773f952182e320bf119a44`
SHA1	`48887d6bd9457f438c98a7c0ca84133c161ae060`
SHA256	`7c8aef91384611dcb810ebd4dad72dc9cd81e2343db448f55ea6d2be26197776`
SHA3	`1337e8737e998c444300661c33f9e499b87750c7aba79a699f4e116328776354`
VirtualSize	`0x1eca4`
VirtualAddress	`0x1000`
SizeOfRawData	`0x1ee00`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.64533`

.rdata

MD5	`ec5475b3d80c124faab088a6318411f6`
SHA1	`2ca65fdda962968ea763dd2703a877207338c875`
SHA256	`5099f6dfadf8d790291366f706a5c4709f99bc890e4ead0d6a1f337ed1187ca7`
SHA3	`6ddef4df1a88c0db7b4993b7c8cba791bf21b71856e6ee6b62a18bc2ecd9cd2f`
VirtualSize	`0xb164`
VirtualAddress	`0x20000`
SizeOfRawData	`0xb200`
PointerToRawData	`0x1f200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`6.10043`

.data

MD5	`0a359bf3e4d26b21bd09e8defb96cfda`
SHA1	`4fe0db425b66d58bf84cdccb3d6c63f16f5d4a84`
SHA256	`a72186c2f468a74134738e6d80362db4581e7fbb5a65e8ed6cc4c59ce258f141`
SHA3	`88e46d1b182af692341eb2763b2dc367cacba7df1c2623a043f74e333147f37c`
VirtualSize	`0xe688`
VirtualAddress	`0x2c000`
SizeOfRawData	`0xa00`
PointerToRawData	`0x2a400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`1.92387`

.gfids

MD5	`e6ec6ed11ae6bc8cf76a2ad0518c0fa4`
SHA1	`d3332c4a1520ba392b44ace3eaf30ccceca23e42`
SHA256	`5592bd536bbae9954b032c066a7b30eec7192956141a328b18c96c49e9f25979`
SHA3	`1b1e815e1bb3419fe23e806e1f4aaeef021364f457b539654f7c6b03fc645b31`
VirtualSize	`0xb8`
VirtualAddress	`0x3b000`
SizeOfRawData	`0x200`
PointerToRawData	`0x2ae00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`1.85181`

.rsrc

MD5	`4080c3df25e748f6e7b22ffe4f71016d`
SHA1	`35e21a08a1d0c89630fac08ee5097e60f6ae8dfc`
SHA256	`2b2578dcebef2d0e9996aa1ebfcb9e2afd3d46065161e7e84298de5a4fb72617`
SHA3	`f91d65fbddec70807af59304005b3fb506f65b19e0296d71aafdc617807507fd`
VirtualSize	`0x10f60`
VirtualAddress	`0x3c000`
SizeOfRawData	`0x11000`
PointerToRawData	`0x2b000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`7.21144`

.reloc

MD5	`c3b6988d45e77ae79c7976cbb59e7cfc`
SHA1	`e622e45f7aedb63d6100b542dfc5f247a38286fd`
SHA256	`68dba170d550822808b0b56c41ec86a8b20d0a8afac9c428915fba091b28ea0c`
SHA3	`f0d23aabfe3813593f2f7f903d6420f9dadcb9d905f3297db5790b038c4ba687`
VirtualSize	`0x17b8`
VirtualAddress	`0x4d000`
SizeOfRawData	`0x1800`
PointerToRawData	`0x3c000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`6.65903`

Imports

USER32.dll	`MessageBoxW` `MessageBoxA`
KERNEL32.dll	`SystemTimeToTzSpecificLocalTime` `DecodePointer` `GetLastError` `SetDllDirectoryW` `GetModuleFileNameW` `GetProcAddress` `GetCommandLineW` `GetEnvironmentVariableW` `SetEnvironmentVariableW` `ExpandEnvironmentStringsW` `GetTempPathW` `WaitForSingleObject` `Sleep` `GetExitCodeProcess` `CreateProcessW` `GetStartupInfoW` `LoadLibraryExW` `GetShortPathNameW` `FormatMessageW` `LoadLibraryA` `MultiByteToWideChar` `WideCharToMultiByte` `SetEndOfFile` `HeapReAlloc` `UnhandledExceptionFilter` `SetUnhandledExceptionFilter` `GetCurrentProcess` `TerminateProcess` `IsProcessorFeaturePresent` `QueryPerformanceCounter` `GetCurrentProcessId` `GetCurrentThreadId` `GetSystemTimeAsFileTime` `InitializeSListHead` `IsDebuggerPresent` `GetModuleHandleW` `RtlUnwind` `SetLastError` `EnterCriticalSection` `LeaveCriticalSection` `DeleteCriticalSection` `InitializeCriticalSectionAndSpinCount` `TlsAlloc` `TlsGetValue` `TlsSetValue` `TlsFree` `FreeLibrary` `GetCommandLineA` `ReadFile` `CreateFileW` `GetDriveTypeW` `GetFileType` `CloseHandle` `PeekNamedPipe` `RaiseException` `FileTimeToSystemTime` `GetFullPathNameW` `GetFullPathNameA` `CreateDirectoryW` `RemoveDirectoryW` `FindClose` `FindFirstFileExW` `FindNextFileW` `SetStdHandle` `SetConsoleCtrlHandler` `DeleteFileW` `GetStdHandle` `WriteFile` `ExitProcess` `GetModuleHandleExW` `GetACP` `HeapFree` `HeapAlloc` `GetConsoleMode` `ReadConsoleW` `SetFilePointerEx` `GetConsoleCP` `CompareStringW` `LCMapStringW` `GetCurrentDirectoryW` `FlushFileBuffers` `SetEnvironmentVariableA` `GetFileAttributesExW` `IsValidCodePage` `GetOEMCP` `GetCPInfo` `GetEnvironmentStringsW` `FreeEnvironmentStringsW` `GetStringTypeW` `GetProcessHeap` `WriteConsoleW` `GetTimeZoneInformation` `HeapSize`
WS2_32.dll	`ntohl`

Delayed Imports

1

Type	`RT_ICON`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x25a8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`4.01487`
MD5	`74a417a64096a2b94bd36494ba4100d4`
SHA1	`f7b13d60d087a12eb8ad2c9bb98e9901fec8831d`
SHA256	`145e4129c2984abff8fbbe20a2274f2ffd1ee0afa2a4bba33007073205131ad2`
SHA3	`c10861e760105c96374b716b47b6851cd1b086e5a9ddc8e19af2444a8e9415e6`

2

Type	`RT_ICON`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x8a8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`6.44895`
MD5	`1c06420cfb94514d35c088699a04774d`
SHA1	`2c23d7df4bc8ce3fb15f33e78c042b12814aea3b`
SHA256	`d73c1848a067a0fd094423213dc1e855b5b29b0b441f0bcb315feb90d662972e`
SHA3	`a630c0bd054ccf853d3673897d2a553e10797d288b3f09898503304ecec7d7f3`

3

Type	`RT_ICON`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x568`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.77742`
MD5	`db1208cf5d76055be1c3a34567af9f5a`
SHA1	`c5adcd7407c8b18459e4b4ce96fb70ecf5701a97`
SHA256	`5a008270f7254f5ca861e9936f4b5b7a23c04d63165895234fd1782bc03ec0e5`
SHA3	`549076010917e74ff3fe656848779d90468b96740184b07016dbf2833e9abf99`

4

Type	`RT_ICON`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x952c`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`7.95095`
Detected Filetype	PNG graphic file
MD5	`f6fbada22d6a6c07ef8fdaa504f117d5`
SHA1	`591a723501eff1a4920462f8efcaf3715e829450`
SHA256	`3919b11194f130d310dfe08bdce2891c5b64f2703107f53a5a1cbc016fdb609f`
SHA3	`ceca597fff3f436773eb9e48be245ce9d24439b9527a0d3aedaa1469e49d3f5c`

5

Type	`RT_ICON`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x25a8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`6.0521`
MD5	`86ce219c337119fe35646823cb56d091`
SHA1	`74d3090f01f3128bda93a3a7525f139c495bffbd`
SHA256	`7ef5a24efde1748c0eb12c5817b14cfe1397ae968489a7824a269d02c8223cee`
SHA3	`8daaa7aab035df895cb478d3b92385d12aebd96c8bbde3a05a615ff56d41aebf`

6

Type	`RT_ICON`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x10a8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`6.15081`
MD5	`58b7700e8f20d0a3c77021eb7e7019dc`
SHA1	`87f7668b96ab48bd6ba5c8b9968dbb024a028407`
SHA256	`c5536b396be6dcfc96f4e4f77cc7007b2a56730ee57598a6979cc1c1c71c920a`
SHA3	`13bb36cea0c569109ddca6560016003d3ce662f8e0bc189e9750019ccdc7bc72`

7

Type	`RT_ICON`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x468`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`6.39466`
MD5	`9de69c1c4b3a06597da9c275b38bffb6`
SHA1	`a4ed3bd1bb4edc0eaa187b68929f596906e9ee87`
SHA256	`ac2e25dc4a4f7bd96a0bcf3ea63cd1bcf26a6f6a05835e32f96ef99cb4323f30`
SHA3	`6ff197b54509b5c0fa643d6bdbc756cccec2b5bc8495c770883c021e833f7509`

0

Type	`RT_GROUP_ICON`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x14`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`1.83321`
Detected Filetype	Icon file
MD5	`d0fcd8e10579a14672ed42032d02476f`
SHA1	`2706d157140d30f5e354f87eb41bf8d69338c5e6`
SHA256	`654c8194c975a5f8dfbfb4b09a324b0e5502ab46569032e65fb28754c4344444`
SHA3	`91e69608275097f18e3ebae36ff5d7ad36a3b0884a64edc8b08931af638b9719`

101

Type	`RT_GROUP_ICON`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x68`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.71858`
Detected Filetype	Icon file
MD5	`cd3a631eace19041876b4c4c6ec8461a`
SHA1	`d4b3f99c4d648e3446dc05e7fb6e444e42dfed01`
SHA256	`f5b94a42f1c77c9eef858a0dfd656419fea900b00318c2c0bf49c2fce345d838`
SHA3	`b6dcbb1b4c262eb5aee12773a52c29ff20fef809a4e61822700d005457944b9f`

1 (#2)

Type	`RT_VERSION`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x388`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.37731`
MD5	`812e50876b007d9861c01e17112558ca`
SHA1	`0483c1d4ff93305d94170fbbff0379d24013b019`
SHA256	`607fd52c223ce4a2db8f4aaa9c500b3599776a0e52f7eb44bdf76f3dc3209beb`
SHA3	`87f3080e81871240c3b9255fdb818a0c65f62d4d43abd1f4e298fb9161900289`

1 (#3)

Type	`RT_MANIFEST`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x53d`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.28281`
MD5	`1b53cc1b7f4611c8b554a48352ca5659`
SHA1	`b6a539f8f949078a2cb7d6f54fe5e5c675c81207`
SHA256	`6f98b5bc60714e26b322f0971500403dcfa8d2c54a0514e3eae5b67f80642d18`
SHA3	`6a0c42bc0f1f234e1c9e8fc99ca2fce6caf7a8fbc0a741e3ddaed4d1424c4c96`

Version Info

Signature	`0xfeef04bd`
StructVersion	`0x10000`
FileVersion	1.0.14.1
ProductVersion	1.0.14.1
FileFlags	`(EMPTY)`
FileOs	`VOS_DOS_WINDOWS32` `VOS_NT_WINDOWS32` `VOS__WINDOWS32`
FileType	`VFT_APP`
Language	English - United States
CompanyName	Net Framework Svc
ProductName	Net Framework Svc Service
ProductVersion (#2)	2, 0, 4, 21
InternalName	NetFrameworkSvc.exe
OriginalFilename	NetFrameworkSvc.exe
FileVersion (#2)	2, 0, 4, 21
FileDescription	Net Framework Svc Service Loader
LegalCopyright	Net Framework Svc
LegalTrademarks	Net Framework Svc INC

Resource LangID	UNKNOWN

IMAGE_DEBUG_TYPE_POGO

Characteristics	`0`
TimeDateStamp	2019-Jul-09 14:23:33
Version	`0.0`
SizeofData	`696`
AddressOfRawData	`0x29f3c`
PointerToRawData	`0x2913c`

TLS Callbacks

Load Configuration

Size	`0x5c`
TimeDateStamp	`1970-Jan-01 00:00:00`
Version	`0.0`
GlobalFlagsClear	`(EMPTY)`
GlobalFlagsSet	`(EMPTY)`
CriticalSectionDefaultTimeout	`0`
DeCommitFreeBlockThreshold	`0`
DeCommitTotalFreeThreshold	`0`
LockPrefixTable	`0`
MaximumAllocationSize	`0`
VirtualMemoryThreshold	`0`
ProcessAffinityMask	`0`
ProcessHeapFlags	`(EMPTY)`
CSDVersion	`0`
Reserved1	`0`
EditList	`0`
SecurityCookie	`0x42c008`
SEHandlerTable	`0x429f30`
SEHandlerCount	`3`

RICH Header

XOR Key	`0x906c598`
Unmarked objects	`0`
241 (40116)	`12`
243 (40116)	`172`
242 (40116)	`24`
ASM objects (VS2015 UPD3 build 24123)	`18`
C++ objects (VS2015 UPD3 build 24123)	`29`
C objects (VS2015 UPD3 build 24123)	`18`
Imports (65501)	`7`
Total imports	`115`
C objects (VS2015 UPD3 build 24210)	`17`
Resource objects (VS2015 UPD3 build 24210)	`1`
Linker (VS2015 UPD3 build 24210)	`1`

Errors

[*] Warning: Raw bytes from section .text could not be obtained.