Manalyze report for a7e5833fbcab29e3968d9dc6b5c0208fba2f000dd2180380daedc864a1a1d01d

Summary

Architecture	`IMAGE_FILE_MACHINE_I386`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	1970-Jan-01 00:00:00
TLS Callbacks	1 callback(s) detected.

Plugin Output

Suspicious	PEiD Signature:	`UPX -> www.upx.sourceforge.net` `UPX 2.00-3.0X -> Markus Oberhumer & Laszlo Molnar & John Reiser`
Info	Cryptographic algorithms detected in the binary:	`Uses constants related to SHA256` `Uses known Mersenne Twister constants`
Suspicious	The PE is packed with UPX	`Unusual section name found: UPX0` `Section UPX0 is both writable and executable.` `Unusual section name found: UPX1` `Section UPX1 is both writable and executable.` `The PE only has 9 import(s).`
Info	The PE contains common functions which appear in legitimate applications.	`[!] The program may be hiding some of its imports: LoadLibraryA GetProcAddress`
Info	The PE's resources present abnormal characteristics.	`Resource CORE is possibly compressed or encrypted.` `Resource 1 is possibly compressed or encrypted.` `Resource 500 is possibly compressed or encrypted.`
Malicious	VirusTotal score: 36/68 (Scanned on 2026-05-20 08:21:12)	`APEX: Malicious` `Alibaba: Trojan:Win32/MalwareX.720ede31` `Antiy-AVL: GrayWare/Win32.Contebrew` `Avira: TR/Crypt.ULPM.Gen2` `Bkav: W32.Malware.A587F712` `CTX: exe.trojan.crypt` `CrowdStrike: win/grayware_confidence_100% (W)` `Cylance: Unsafe` `Cynet: Malicious (score: 100)` `DeepInstinct: MALICIOUS` `F-Secure: Trojan.TR/Crypt.ULPM.Gen2` `Fortinet: W32/PossibleThreat` `GData: Win32.Trojan.Agent.0Q01C4` `Google: Detected` `Gridinsoft: Trojan.Win32.Agent.oa!s2` `Ikarus: Trojan.Crypt` `K7AntiVirus: Trojan ( 0051918e1 )` `K7GW: Trojan ( 0051918e1 )` `Kingsoft: Win32.Troj.Undef.a` `Lionic: Worm.Win32.Picsys.tsim` `Malwarebytes: Malware.AI.4191781691` `MaxSecure: Trojan.Malware.324995110.susgen` `McAfeeD: ti!A7E5833FBCAB` `Microsoft: Trojan:Win32/Wacatac.B!ml` `Paloalto: generic.ml` `Sangfor: Trojan.Win32.Agent.Vtrj` `SentinelOne: Static AI - Suspicious PE` `Skyhigh: BehavesLike.Win32.Dropper.cc` `Sophos: Mal/Generic-S` `Symantec: ML.Attribute.HighConfidence` `TrellixENS: Artemis!AABA9788307B` `TrendMicro: Trojan.Win32.ZYX.USBLEJ26` `TrendMicro-HouseCall: Trojan.Win32.ZYX.USBLEJ26` `Varist: W32/ABlTrojan.NUGR-7006` `Webroot: W32.Trojan.Gen` `alibabacloud: RansomWare:Win/ULPM.Gyf7`

Hashes

MD5	`aaba9788307b309a89ee0aced25d2327`
SHA1	`0828a1cde5219cd1e1c9fbaa6f57a9450fd2d2ff`
SHA256	`a7e5833fbcab29e3968d9dc6b5c0208fba2f000dd2180380daedc864a1a1d01d`
SHA3	`79812a4618b7d58f698724cf32237e1029021c16c0310c688ed7095b9def5278`
SSDeep	`1536:gkrTCztpTTRWAl70k2UZSGP0Xm8bsIXtjjABNHhXH1r7OXn9htjQBcRCqLQoQq:z6fIFUZSGsjQSjjAvHVVsjBicRCmQo`
Imports Hash	`c4251fce4ef450f46183b03a03d5a994`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0x80`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_I386`
NumberofSections	`3`
TimeDateStamp	1970-Jan-01 00:00:00
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xe0`
Characteristics	`IMAGE_FILE_32BIT_MACHINE` `IMAGE_FILE_DEBUG_STRIPPED` `IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LINE_NUMS_STRIPPED` `IMAGE_FILE_LOCAL_SYMS_STRIPPED` `IMAGE_FILE_RELOCS_STRIPPED`

Image Optional Header

Magic	`PE32`
LinkerVersion	`3.0`
SizeOfCode	`0x1d000`
SizeOfInitializedData	`0x1000`
SizeOfUninitializedData	`0x54000`
AddressOfEntryPoint	`0x00071760 (Section: UPX1)`
BaseOfCode	`0x55000`
BaseOfData	`0x72000`
ImageBase	`0x400000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`4.0`
ImageVersion	`1.0`
SubsystemVersion	`4.0`
Win32VersionValue	`0`
SizeOfImage	`0x73000`
SizeOfHeaders	`0x200`
Checksum	`0`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
SizeofStackReserve	`0x1000000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

UPX0

MD5	`d41d8cd98f00b204e9800998ecf8427e`
SHA1	`da39a3ee5e6b4b0d3255bfef95601890afd80709`
SHA256	`e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`
SHA3	`a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a`
VirtualSize	`0x54000`
VirtualAddress	`0x1000`
SizeOfRawData	`0`
PointerToRawData	`0x200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_UNINITIALIZED_DATA` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`

UPX1

MD5	`1c970499bb9b3ad7bded7cf547201c79`
SHA1	`bb733c22653320413f51963579dfa9c0e4731474`
SHA256	`3b3d12ef446455fdb8b356c7bc4bbac3ef5be43c14fc5603efde05d9ba9eb7b7`
SHA3	`5f60e7b3a354f48d717e2a6ad3f4b8c5d8d1ce0dc3e1983b9de45775c8cdf0e1`
VirtualSize	`0x1d000`
VirtualAddress	`0x55000`
SizeOfRawData	`0x1ca00`
PointerToRawData	`0x200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`7.91224`

.rsrc

MD5	`89407b6c1573919c0f179a5bbb078ff5`
SHA1	`cea4d60333bb43800b1b8294cbb2d16505e5a036`
SHA256	`732e9a7b8543ef7abdae835d76bfddc93bd4cf2d13d2fcfd8a626c420b710b74`
SHA3	`2ede20883d35966aface8168b13b86d02a327c3b4641e603902e4ccd53ab5969`
VirtualSize	`0x1000`
VirtualAddress	`0x72000`
SizeOfRawData	`0x400`
PointerToRawData	`0x1cc00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`2.41623`

Imports

comdlg32.dll	`GetSaveFileNameW`
gdi32.dll	`CreatePen`
KERNEL32.DLL	`LoadLibraryA` `ExitProcess` `GetProcAddress` `VirtualProtect`
oleaut32.dll	`SysFreeString`
user32.dll	`EndPaint`
winmm.dll	`waveOutOpen`

Delayed Imports

CORE

Type	`RT_BITMAP`
Language	UNKNOWN
Codepage	UNKNOWN
Size	`0xeae0`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`7.90965`
MD5	`af3f257236a66bd39c22b16d0bdd4b82`
SHA1	`43eaab359a53a1c5d0c06360d5674d4700689c83`
SHA256	`a11e9c115c60080c3d741f8b4451e6c852a3694aac626ec55e10a4e0be17034f`
SHA3	`8139cc9536b359598b3f9f7f4c1f3a5d9646843bab760e7f31c72a8e8a8f079a`
Preview

1

Type	`RT_DIALOG`
Language	UNKNOWN
Codepage	UNKNOWN
Size	`0x170`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`7.1564`
MD5	`ec4c0d57ebcfeea2f52b25b8c52aa12e`
SHA1	`1b461dcdaa2c0c637a52f33e1e0d5330a5bbb3af`
SHA256	`2982fd10c0fd2fd358285749112a3f84797fec4afa8d3fc4f99a72ffc17f616e`
SHA3	`ce6f8eb021d148b64d1798a4560ca985310ccdc77fde07a8b29d821f0d2dc016`

500

Type	`RT_RCDATA`
Language	UNKNOWN
Codepage	UNKNOWN
Size	`0x6204`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`7.80453`
MD5	`57ed6f06d4b17ed0955951667244f853`
SHA1	`87df28b8a402f36dbcf42a2e6e9cdb1b507b1c04`
SHA256	`b6c9c7ef63ddeada7a400ce22d0f8d3335f577418efa4b19ee70c7655d4423d0`
SHA3	`8ea956400ebc4cafb03e61601e3c659bec566c10ab325724aebb4f2a660873fb`

Version Info

TLS Callbacks

StartAddressOfRawData	`0x471940`
EndAddressOfRawData	`0x471940`
AddressOfIndex	`0x435de8`
AddressOfCallbacks	`0x471940`
SizeOfZeroFill	`0`
Characteristics	`IMAGE_SCN_TYPE_REG`
Callbacks	`0x00471908`

Load Configuration

RICH Header

Errors

[*] Warning: Section UPX0 has a size of 0!

Leave a comment

No comments yet.