Manalyze report for a7b71ae87e24b876d61c51c431ee7f99

Summary

Architecture	`IMAGE_FILE_MACHINE_I386`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	2018-Apr-03 12:45:36
Detected languages	English - United States Russian - Russia
TLS Callbacks	1 callback(s) detected.
Debug artifacts	D:\Build\desktop_apps\_out\naps.pdb
CompanyName	Mail.Ru
FileDescription	Mail.Ru Naps
FileVersion	`3.13.3.76`
InternalName	naps
LegalCopyright	Copyright 2015
OriginalFilename	naps.exe
ProductName	Mail.Ru Naps
ProductVersion	`3.13.3.76`
Comments

Plugin Output

Info	Matching compiler(s):	`Microsoft Visual C++ v6.0 DLL` `Microsoft Visual C++ 6.0 - 8.0`
Suspicious	Strings found in the binary may indicate undesirable behavior:	`Contains references to internet browsers: chrome.exe firefox.exe iexplore.exe`
Info	Cryptographic algorithms detected in the binary:	`Uses constants related to MD5` `Uses constants related to Blowfish` `Microsoft's Cryptography API`
Malicious	The PE contains functions mostly used by malware.	`[!] The program may be hiding some of its imports: LoadLibraryW LoadLibraryA GetProcAddress LoadLibraryExW` `Functions which can be used for anti-debugging purposes: CreateToolhelp32Snapshot SwitchToThread` `Can access the registry: RegCreateKeyExW RegSetValueExW RegOpenKeyExW RegQueryValueExW RegCloseKey` `Possibly launches other programs: CreateProcessW` `Uses Microsoft's cryptographic API: CryptGenRandom CryptGetHashParam CryptVerifySignatureW CryptDestroyHash CryptHashData CryptCreateHash CryptDestroyKey CryptReleaseContext CryptAcquireContextW CryptDecodeObjectEx CryptImportPublicKeyInfo CryptStringToBinaryA CryptBinaryToStringW` `Memory manipulation functions often used by packers: VirtualProtect VirtualAlloc` `Has Internet access capabilities: WinHttpCloseHandle WinHttpSetStatusCallback WinHttpOpenRequest WinHttpAddRequestHeaders WinHttpSendRequest WinHttpReceiveResponse WinHttpQueryHeaders WinHttpOpen WinHttpConnect WinHttpReadData WinHttpWriteData WinHttpQueryDataAvailable WinHttpSetOption` `Functions related to the privilege level: OpenProcessToken` `Manipulates other processes: Process32FirstW Process32NextW OpenProcess`
Info	The PE is digitally signed.	`Signer: LLC Mail.Ru` `Issuer: thawte SHA256 Code Signing CA`
Malicious	VirusTotal score: 18/69 (Scanned on 2019-08-24 12:37:08)	`MicroWorld-eScan: Gen:Variant.Ursu.214266` `FireEye: Gen:Variant.Ursu.214266` `Qihoo-360: Win32/Trojan.95a` `ALYac: Gen:Variant.Ursu.214266` `Arcabit: Trojan.Ursu.D344FA` `Cyren: W32/Trojan.TEJD-9087` `BitDefender: Gen:Variant.Ursu.214266` `Avast: FileRepMetagen [PUP]` `Ad-Aware: Gen:Variant.Ursu.214266` `Emsisoft: Gen:Variant.Ursu.214266 (B)` `McAfee-GW-Edition: BehavesLike.Win32.BadFile.th` `GData: Gen:Variant.Ursu.214266` `McAfee: Artemis!A7B71AE87E24` `TrendMicro-HouseCall: TROJ_GEN.R002H09HM19` `Ikarus: PUA.MailRu` `Fortinet: W32/Agent.9306!tr` `AVG: FileRepMetagen [PUP]` `Cybereason: malicious.87e24b`

Hashes

MD5	`a7b71ae87e24b876d61c51c431ee7f99`
SHA1	`8ab85ed18f25a8b9c11984c4fa7aa80dc9aa1f7a`
SHA256	`41a3b49116106380856a4fd567e02252968dad1c17debcd3aa80b11d65dd9306`
SHA3	`5eec8c8d5001773bdf22281a327e7ceca35375d6d2013901adb9e37070223743`
SSDeep	`24576:71M7vjXpNokqTLeFScN0yabdAxCD46WI4l5omsybee:OjXPcLeccNDaRAQEImomsybee`
Imports Hash	`bec515d92a28ca61bbf629b1d09778e8`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0xf8`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_I386`
NumberofSections	`6`
TimeDateStamp	2018-Apr-03 12:45:36
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xe0`
Characteristics	`IMAGE_FILE_32BIT_MACHINE` `IMAGE_FILE_EXECUTABLE_IMAGE`

Image Optional Header

Magic	`PE32`
LinkerVersion	`12.0`
SizeOfCode	`0xcee00`
SizeOfInitializedData	`0x3fa00`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x00089E62 (Section: .text)`
BaseOfCode	`0x1000`
BaseOfData	`0xd0000`
ImageBase	`0x400000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`5.1`
ImageVersion	`0.0`
SubsystemVersion	`5.1`
Win32VersionValue	`0`
SizeOfImage	`0x113000`
SizeOfHeaders	`0x400`
Checksum	`0x114791`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` `IMAGE_DLLCHARACTERISTICS_NX_COMPAT` `IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`dc99be82e202c7a2abba370356c9f852`
SHA1	`ff9f2909af308385b3ddbf335eb4175ccfb7d7cf`
SHA256	`150189a325c377e8c0d06995483aa50da08e8191e077f5a15905d4c82f9a1be4`
SHA3	`78329ff44752f74a7c8ef2bf396c07f29f80e49eecde2963b2fc520a1e92d8aa`
VirtualSize	`0xced2a`
VirtualAddress	`0x1000`
SizeOfRawData	`0xcee00`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.59222`

.rdata

MD5	`f368f1bda8f8478cb7aadbaafffa5474`
SHA1	`3a6c605478ba7144dd7b420753f994d4f447d4d7`
SHA256	`632b5e74b91f0066d04f2126675bc204e6a1525c26d889abe1994af7abe9b83c`
SHA3	`f6da475468b38967a5ddd895d2215048a6a8451cb448a449a07d26faa0e8a302`
VirtualSize	`0x28b4e`
VirtualAddress	`0xd0000`
SizeOfRawData	`0x28c00`
PointerToRawData	`0xcf200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`4.64162`

.data

MD5	`1685d5e37f143fb2fd529675f253113f`
SHA1	`8b1875aea856ef06a76c4a56e49e6a378c71a610`
SHA256	`ab31004f27b1f048a8569611e51112e0d1cccc56239113340b3aba8153ec10ba`
SHA3	`75eb7387a1cb08a5537acc916e344742a6ef52434d3a0867104e24653ded9f1e`
VirtualSize	`0xb1ac`
VirtualAddress	`0xf9000`
SizeOfRawData	`0x6800`
PointerToRawData	`0xf7e00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`4.63417`

.tls

MD5	`bf619eac0cdf3f68d496ea9344137e8b`
SHA1	`5c3eb80066420002bc3dcc7ca4ab6efad7ed4ae5`
SHA256	`076a27c79e5ace2a3d47f9dd2e83e4ff6ea8872b3c2218f66c92b89b55f36560`
SHA3	`622de1e1568ddef36c4b89b706b05201c13481c3575d0fc804ff8224787fcb59`
VirtualSize	`0x2`
VirtualAddress	`0x105000`
SizeOfRawData	`0x200`
PointerToRawData	`0xfe600`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`0`

.rsrc

MD5	`072c8b54b9f6e375adf92946ca68d7ff`
SHA1	`b210d3f452326131c5ccd2dbe98719d3f1bb15ea`
SHA256	`3673fbbee6d886603176505c20cf4dc68506ef698482948e60c661d9a9be346f`
SHA3	`25bb4a04093081a643f95263da0531c6dcfb1f9f6b61549cf3e4be2ae396de2c`
VirtualSize	`0x588`
VirtualAddress	`0x106000`
SizeOfRawData	`0x600`
PointerToRawData	`0xfe800`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`4.20854`

.reloc

MD5	`4083a2633da1a1df3739965615a33aff`
SHA1	`35b1d3f1e81dcbb04ceae3ea310f3c60342c415b`
SHA256	`b42d96f12d177b6577a3851e55c471d822268e79deff0287a69cc0f982c2e278`
SHA3	`635264fff9d855187af1f7c0281020f8b65e1bad33a84d603a630f5dfa786e74`
VirtualSize	`0xb3c8`
VirtualAddress	`0x107000`
SizeOfRawData	`0xb400`
PointerToRawData	`0xfee00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`6.62431`

Imports

KERNEL32.dll	`ResumeThread` `WaitForSingleObject` `LoadLibraryW` `CreateToolhelp32Snapshot` `Process32FirstW` `Process32NextW` `CreateSemaphoreA` `GetModuleHandleA` `WaitForSingleObjectEx` `DuplicateHandle` `GetSystemTimeAsFileTime` `ReleaseSemaphore` `GetCommandLineW` `FormatMessageW` `GetExitCodeProcess` `CreateProcessW` `GetStartupInfoW` `DeviceIoControl` `GetSystemDirectoryW` `GetComputerNameW` `SystemTimeToFileTime` `CreateEventW` `GetCurrentThreadId` `GetStringTypeW` `GetCurrentThread` `EnterCriticalSection` `LeaveCriticalSection` `EncodePointer` `Sleep` `LoadLibraryA` `GetStringTypeExW` `LCMapStringW` `GetUserDefaultLCID` `GetEnvironmentVariableW` `CreateDirectoryW` `DeleteFileW` `FindClose` `FindFirstFileW` `FindNextFileW` `RemoveDirectoryW` `SetEndOfFile` `SetFilePointerEx` `SetFileTime` `GetWindowsDirectoryW` `CreateDirectoryExW` `CopyFileW` `AreFileApisANSI` `FormatMessageA` `IsDebuggerPresent` `OutputDebugStringW` `SetStdHandle` `SetEnvironmentVariableA` `UnregisterWaitEx` `QueryDepthSList` `InterlockedFlushSList` `TerminateProcess` `FreeLibrary` `GetVersionExW` `GetBinaryTypeW` `GetFileAttributesW` `CreateFileW` `WriteFile` `GetTickCount` `SetEvent` `CreateEventA` `GetCurrentProcess` `LocalFree` `WideCharToMultiByte` `MultiByteToWideChar` `ExpandEnvironmentStringsW` `GetModuleFileNameW` `GetACP` `GetModuleHandleW` `SetLastError` `GetProcAddress` `DeleteCriticalSection` `InitializeCriticalSectionAndSpinCount` `GetLastError` `RaiseException` `GetProcessHeap` `HeapSize` `HeapFree` `HeapReAlloc` `InterlockedPushEntrySList` `InterlockedPopEntrySList` `InitializeSListHead` `VirtualProtect` `VirtualFree` `VirtualAlloc` `FreeLibraryAndExitThread` `GetThreadTimes` `GetTimeZoneInformation` `GetOEMCP` `IsValidCodePage` `ReadConsoleW` `ReadFile` `GetConsoleMode` `GetConsoleCP` `FlushFileBuffers` `FreeEnvironmentStringsW` `GetEnvironmentStringsW` `QueryPerformanceCounter` `ExitProcess` `EnumSystemLocalesW` `IsValidLocale` `GetLocaleInfoW` `CompareStringW` `GetTimeFormatW` `GetDateFormatW` `LoadLibraryExW` `ExitThread` `CreateSemaphoreW` `SetUnhandledExceptionFilter` `UnhandledExceptionFilter` `UnregisterWait` `RegisterWaitForSingleObject` `SetThreadAffinityMask` `GetProcessAffinityMask` `GetNumaHighestNodeNumber` `DeleteTimerQueueTimer` `ChangeTimerQueueTimer` `CreateTimerQueueTimer` `GetThreadPriority` `SetThreadPriority` `CreateThread` `SwitchToThread` `SignalObjectAndWait` `CreateTimerQueue` `HeapAlloc` `DecodePointer` `CloseHandle` `GetCurrentProcessId` `OpenProcess` `GlobalMemoryStatusEx` `GetCPInfo` `IsProcessorFeaturePresent` `OpenEventA` `WaitForMultipleObjectsEx` `ResetEvent` `SetWaitableTimer` `TlsAlloc` `TlsGetValue` `TlsSetValue` `TlsFree` `GetLogicalProcessorInformation` `CreateWaitableTimerA` `GetStdHandle` `GetFileType` `GetModuleHandleExW` `WriteConsoleW` `RtlUnwind`
USER32.dll	`LoadStringW` `wsprintfW`
ADVAPI32.dll	`RegCreateKeyExW` `RegSetValueExW` `RegOpenKeyExW` `RegQueryValueExW` `OpenProcessToken` `GetTokenInformation` `LookupAccountSidW` `CryptGenRandom` `CryptGetHashParam` `CryptVerifySignatureW` `CryptDestroyHash` `CryptHashData` `CryptCreateHash` `CryptDestroyKey` `CryptReleaseContext` `CryptAcquireContextW` `LookupAccountNameW` `FreeSid` `AllocateAndInitializeSid` `EqualSid` `ConvertSidToStringSidW` `RegCloseKey`
ole32.dll	`CoTaskMemFree` `StringFromCLSID` `CoCreateGuid`
SHELL32.dll	`SHGetFolderPathW` `CommandLineToArgvW`
PSAPI.DLL	`GetProcessMemoryInfo`
WTSAPI32.dll	`WTSQueryUserToken` `WTSFreeMemory` `WTSEnumerateSessionsW`
VERSION.dll	`GetFileVersionInfoW` `VerQueryValueW` `GetFileVersionInfoSizeW`
WINHTTP.dll	`WinHttpCloseHandle` `WinHttpSetStatusCallback` `WinHttpOpenRequest` `WinHttpAddRequestHeaders` `WinHttpSendRequest` `WinHttpReceiveResponse` `WinHttpQueryHeaders` `WinHttpOpen` `WinHttpConnect` `WinHttpReadData` `WinHttpWriteData` `WinHttpQueryDataAvailable` `WinHttpSetOption`
CRYPT32.dll	`CryptDecodeObjectEx` `CryptImportPublicKeyInfo` `CryptStringToBinaryA` `CryptBinaryToStringW`

Delayed Imports

1

Type	`RT_VERSION`
Language	Russian - Russia
Codepage	UNKNOWN
Size	`0x2bc`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.39682`
MD5	`2552e033b9bae0f4e160f9c7c4bff6b9`
SHA1	`f38b85b5299761c29b2381f7922f3cb70ea77795`
SHA256	`eee26a56facb3a51e3fd02d28eaae2fd6600b4cafb099c81a9a300bad59df8ab`
SHA3	`c37809b2cc4ddcd4bc2ad076c1bfd244bef6e079665420b060db6355efe8dc84`

1 (#2)

Type	`RT_MANIFEST`
Language	English - United States
Codepage	UNKNOWN
Size	`0x224`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.04378`
MD5	`245b863be176aab16ef1dbe168defe03`
SHA1	`c0a369f6f0e77b89c5d9d37fb94e1d5e2d431b5b`
SHA256	`59ba97d56a01766792386c3b379946bb613c8921e3daf8a878855a268ad5e4aa`
SHA3	`7efbe82f17422b353f747a146c1e8f1b9df37e90648150f2020442ff9477341e`

Version Info

Signature	`0xfeef04bd`
StructVersion	`0x10000`
FileVersion	3.13.3.76
ProductVersion	3.13.3.76
FileFlags	`(EMPTY)`
FileOs	`VOS_DOS_WINDOWS32` `VOS_NT_WINDOWS32` `VOS__WINDOWS32`
FileType	`VFT_DLL`
Language	English - United States
CompanyName	Mail.Ru
FileDescription	Mail.Ru Naps
FileVersion (#2)	3.13.3.76
InternalName	naps
LegalCopyright	Copyright 2015
OriginalFilename	naps.exe
ProductName	Mail.Ru Naps
ProductVersion (#2)	3.13.3.76
Comments

Resource LangID	Russian - Russia

IMAGE_DEBUG_TYPE_CODEVIEW

Characteristics	`0`
TimeDateStamp	2018-Apr-03 12:45:36
Version	`0.0`
SizeofData	`60`
AddressOfRawData	`0xe22b0`
PointerToRawData	`0xe14b0`
Referenced File	D:\Build\desktop_apps\_out\naps.pdb

IMAGE_DEBUG_TYPE_VC_FEATURE

Characteristics	`0`
TimeDateStamp	2018-Apr-03 12:45:36
Version	`0.0`
SizeofData	`20`
AddressOfRawData	`0xe22ec`
PointerToRawData	`0xe14ec`

TLS Callbacks

StartAddressOfRawData	`0x505000`
EndAddressOfRawData	`0x505001`
AddressOfIndex	`0x5022a8`
AddressOfCallbacks	`0x4d0654`
SizeOfZeroFill	`0`
Characteristics	`IMAGE_SCN_ALIGN_1BYTES`
Callbacks	`0x00489CA0`

Load Configuration

Size	`0x48`
TimeDateStamp	`1970-Jan-01 00:00:00`
Version	`0.0`
GlobalFlagsClear	`(EMPTY)`
GlobalFlagsSet	`(EMPTY)`
CriticalSectionDefaultTimeout	`0`
DeCommitFreeBlockThreshold	`0`
DeCommitTotalFreeThreshold	`0`
LockPrefixTable	`0`
MaximumAllocationSize	`0`
VirtualMemoryThreshold	`0`
ProcessAffinityMask	`0`
ProcessHeapFlags	`(EMPTY)`
CSDVersion	`0`
Reserved1	`0`
EditList	`0`
SecurityCookie	`0x4f95e0`
SEHandlerTable	`0x4e7cd0`
SEHandlerCount	`802`

RICH Header

XOR Key	`0xae339d5`
Unmarked objects	`0`
ASM objects (VS2013 build 21005)	`38`
Imports (VS2008 SP1 build 30729)	`29`
Total imports	`275`
C++ objects (20806)	`2`
C objects (VS2008 SP1 build 30729)	`2`
C++ objects (VS2013 build 21005)	`137`
C objects (VS2013 build 21005)	`245`
C++ objects (VS2013 UPD5 build 40629)	`69`
Resource objects (VS2013 build 21005)	`1`
151	`1`
Linker (VS2013 UPD5 build 40629)	`1`

a7b71ae87e24b876d61c51c431ee7f99

Summary

Plugin Output

Hashes

DOS Header

PE Header

Image Optional Header

.text

.rdata

.data

.tls

.rsrc

.reloc

Imports

Delayed Imports

1

1 (#2)

Version Info

IMAGE_DEBUG_TYPE_CODEVIEW

IMAGE_DEBUG_TYPE_VC_FEATURE

TLS Callbacks

Load Configuration

RICH Header

Errors