aa86219f1bb5f0be3469231359fbbce6

Summary

Architecture IMAGE_FILE_MACHINE_I386
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date 2012-Feb-24 19:19:54
Detected languages English - United States

Plugin Output

Info Interesting strings found in the binary: Contains domain names:
  • http://nsis.sf.net
  • http://nsis.sf.net/NSIS_Error
  • nsis.sf.net
Suspicious The PE is an NSIS installer Unusual section name found: .ndata
Suspicious The PE contains functions most legitimate programs don't use. [!] The program may be hiding some of its imports:
  • LoadLibraryW
  • GetProcAddress
  • LoadLibraryA
  • LoadLibraryExW
 Can access the registry:
  • RegEnumKeyW
  • RegOpenKeyExW
  • RegCloseKey
  • RegDeleteKeyW
  • RegDeleteValueW
  • RegCreateKeyExW
  • RegSetValueExW
  • RegQueryValueExW
  • RegEnumValueW
 Possibly launches other programs:
  • CreateProcessW
  • ShellExecuteW
 Can create temporary files:
  • GetTempPathW
  • CreateFileW
 Manipulates other processes:
  • OpenProcess
 Can shut the system down or lock the screen:
  • ExitWindowsEx
Suspicious The file contains overlay data. 1060277 bytes of data starting at offset 0x78a00.
The overlay data has an entropy of 7.9994 and is possibly compressed or encrypted.
Malicious VirusTotal score: 34/71 (Scanned on 2025-03-09 08:02:16) AVG: Win32:Malware-gen
Antiy-AVL: Trojan/Win64.LummaStealer
Avast: Win32:Malware-gen
Avira: TR/AVI.Agent.xptjb
Bkav: W32.AIDetectMalware
CAT-QuickHeal: Trojan.Ghanarava.1741346231fbbce6
CTX: exe.trojan.nsis
CrowdStrike: win/grayware_confidence_60% (W)
Cylance: Unsafe
Cynet: Malicious (score: 99)
DeepInstinct: MALICIOUS
ESET-NOD32: NSIS/Runner.LG
Elastic: malicious (high confidence)
F-Secure: Trojan.TR/AVI.Agent.xptjb
Fortinet: NSIS/Packed.CR!tr
GData: Win32.Trojan.Agent.0CI3F5
Google: Detected
K7AntiVirus: Trojan ( 005c2e221 )
K7GW: Trojan ( 005c2e221 )
Kaspersky: HEUR:Backdoor.Win32.Agent.gen
Kingsoft: Win32.Troj.agent.v
Lionic: Trojan.Win32.Agent.Y!c
McAfee: Artemis!AA86219F1BB5
McAfeeD: ti!1E0C8A7C530F
Microsoft: Trojan:Win32/Wacatac.B!ml
Paloalto: generic.ml
Panda: Trj/Chgt.AD
Rising: Trojan.Runner/NSIS!1.128CD (CLASSIC)
Skyhigh: BehavesLike.Win32.Dropper.tc
Sophos: Mal/Generic-S
Symantec: ML.Attribute.HighConfidence
Tencent: Win32.Backdoor.Agent.Zmhl
Trapmine: suspicious.low.ml.score
Varist: W32/ABRisk.TVCT-7099

Hashes

MD5 aa86219f1bb5f0be3469231359fbbce6
SHA1 49aceec46e341cf65b310600455b822b82ddd5b7
SHA256 1e0c8a7c530f21d5b9c6eb5ae45c05598ed5d04a50c8cbf4c1775167f142f201
SHA3 a21f034737605e97532a626d96d2f0612d7773810c9167539d14c67f0f9cb1f0
SSDeep 24576:Au45dD1HIxt3ZBMvrdz0pbGMM6lwEtiRcburm11lm2/0bKpv0N1YuuD0:RAibJImbYKiyyaDllcbLHxF
Imports Hash be41bf7b8cc010b614bd36bbca606973

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0xd0

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_I386
NumberofSections 6
TimeDateStamp 2012-Feb-24 19:19:54
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xe0
Characteristics IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE

Image Optional Header

Magic PE32
LinkerVersion 10.0
SizeOfCode 0x6e00
SizeOfInitializedData 0x6ce00
SizeOfUninitializedData 0x4200
AddressOfEntryPoint 0x00003883 (Section: .text)
BaseOfCode 0x1000
BaseOfData 0x8000
ImageBase 0x400000
SectionAlignment 0x1000
FileAlignment 0x200
OperatingSystemVersion 5.0
ImageVersion 6.0
SubsystemVersion 5.0
Win32VersionValue 0
SizeOfImage 0x164000
SizeOfHeaders 0x400
Checksum 0
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
DllCharacteristics IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
SizeofStackReserve 0x100000
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

.text

MD5 00499a6f70259150109c809d6aa0e6ed
SHA1 3f4c995439cec283f1f51d71acb1f25bef740b63
SHA256 6cbf0a221c26d69af8cab6a9925b0b331082df7f79d671fafe3f4942145c76a3
SHA3 9814f097c5c850a11325bf8b38383840a282b01bbafea9c988eafda679ad68ba
VirtualSize 0x6dae
VirtualAddress 0x1000
SizeOfRawData 0x6e00
PointerToRawData 0x400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
Entropy 6.50853

.rdata

MD5 07990aaa54c3bc638bb87a87f3fb13e3
SHA1 05985b7f60a664d2595e9406ae3b208c97597bbc
SHA256 b38b34dfbb61b5fc0659b9861f09dfdaaa743cb97bf0134e7bab66a75ddc940e
SHA3 4cc20177bb566f32aa9f09f66bdbdba6a077ea30c631e8878aadeed4b1deac0a
VirtualSize 0x2a62
VirtualAddress 0x8000
SizeOfRawData 0x2c00
PointerToRawData 0x7200
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 4.39054

.data

MD5 014871d9a00f0e0c8c2a7cd25606c453
SHA1 92d7e0d8d66861f702d867dac616b7d02bca94ec
SHA256 637a3943c555de3601588a8398252a905d18c17f9d49f750b812daa630abac68
SHA3 22b0d415f4dc124ad5b9d275f0f8800bdbe8d279eda712443fa71fb899497305
VirtualSize 0x67ebc
VirtualAddress 0xb000
SizeOfRawData 0x200
PointerToRawData 0x9e00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 1.43086

.ndata

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA3 a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a
VirtualSize 0x81000
VirtualAddress 0x73000
SizeOfRawData 0
PointerToRawData 0
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc

MD5 3a74333a0ce58f2563366f81ac771220
SHA1 28f1d1f5a4cbe0a204a5da318816cbb4af1913cb
SHA256 d0a4c2de9324ed0b925df83c6a8fcff00ac02ed67287cb34ce99586e430dfa32
SHA3 0088fcb1e134c0d6e66dc6e8ea4100350aeedd3313613ced2d82f3df08722170
VirtualSize 0x6e838
VirtualAddress 0xf4000
SizeOfRawData 0x6ea00
PointerToRawData 0xa000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 7.84723

.reloc

MD5 cebf07dac8bd4fcfdfb16ca5445da12f
SHA1 1663c1eb4862a7aa730ea3d70326cd45b321b2d7
SHA256 a98d8a341b18b081e4aed038a1bfabbc09edf91728bdbfdff94c660ec91eb020
SHA3 22ef24ffa8f292291eba3da2b0839482151381e197f36182c24a8124bacf824a
VirtualSize 0xf32
VirtualAddress 0x163000
SizeOfRawData 0x1000
PointerToRawData 0xb200
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Entropy 7.90839

Imports

KERNEL32.dll SetFileTime
CompareFileTime
SearchPathW
GetShortPathNameW
GetFullPathNameW
MoveFileW
SetCurrentDirectoryW
GetFileAttributesW
GetLastError
CreateDirectoryW
SetFileAttributesW
Sleep
GetTickCount
GetFileSize
GetModuleFileNameW
GetCurrentProcess
CopyFileW
ExitProcess
GetWindowsDirectoryW
GetTempPathW
GetCommandLineW
SetErrorMode
lstrcpynA
CloseHandle
lstrcpynW
GetDiskFreeSpaceW
GlobalUnlock
GlobalLock
CreateThread
LoadLibraryW
CreateProcessW
lstrcmpiA
CreateFileW
GetTempFileNameW
lstrcatW
GetProcAddress
LoadLibraryA
GetModuleHandleA
OpenProcess
lstrcpyW
GetVersionExW
GetSystemDirectoryW
GetVersion
lstrcpyA
RemoveDirectoryW
lstrcmpA
lstrcmpiW
lstrcmpW
ExpandEnvironmentStringsW
GlobalAlloc
WaitForSingleObject
GetExitCodeProcess
GlobalFree
GetModuleHandleW
LoadLibraryExW
FreeLibrary
WritePrivateProfileStringW
GetPrivateProfileStringW
WideCharToMultiByte
lstrlenA
MulDiv
WriteFile
ReadFile
MultiByteToWideChar
SetFilePointer
FindClose
FindNextFileW
FindFirstFileW
DeleteFileW
lstrlenW
USER32.dll GetAsyncKeyState
IsDlgButtonChecked
ScreenToClient
GetMessagePos
CallWindowProcW
IsWindowVisible
LoadBitmapW
CloseClipboard
SetClipboardData
EmptyClipboard
OpenClipboard
TrackPopupMenu
GetWindowRect
AppendMenuW
CreatePopupMenu
GetSystemMetrics
EndDialog
EnableMenuItem
GetSystemMenu
SetClassLongW
IsWindowEnabled
SetWindowPos
DialogBoxParamW
CheckDlgButton
CreateWindowExW
SystemParametersInfoW
RegisterClassW
SetDlgItemTextW
GetDlgItemTextW
MessageBoxIndirectW
CharNextA
CharUpperW
CharPrevW
wvsprintfW
DispatchMessageW
PeekMessageW
wsprintfA
DestroyWindow
CreateDialogParamW
SetTimer
SetWindowTextW
PostQuitMessage
SetForegroundWindow
ShowWindow
wsprintfW
SendMessageTimeoutW
LoadCursorW
SetCursor
GetWindowLongW
GetSysColor
CharNextW
GetClassInfoW
ExitWindowsEx
IsWindow
GetDlgItem
SetWindowLongW
LoadImageW
GetDC
EnableWindow
InvalidateRect
SendMessageW
DefWindowProcW
BeginPaint
GetClientRect
FillRect
DrawTextW
EndPaint
FindWindowExW
GDI32.dll SetBkColor
GetDeviceCaps
DeleteObject
CreateBrushIndirect
CreateFontIndirectW
SetBkMode
SetTextColor
SelectObject
SHELL32.dll SHBrowseForFolderW
SHGetPathFromIDListW
SHGetFileInfoW
ShellExecuteW
SHFileOperationW
SHGetSpecialFolderLocation
ADVAPI32.dll RegEnumKeyW
RegOpenKeyExW
RegCloseKey
RegDeleteKeyW
RegDeleteValueW
RegCreateKeyExW
RegSetValueExW
RegQueryValueExW
RegEnumValueW
COMCTL32.dll ImageList_AddMasked
ImageList_Destroy
#17
ImageList_Create
ole32.dll CoTaskMemFree
OleInitialize
OleUninitialize
CoCreateInstance
VERSION.dll GetFileVersionInfoSizeW
GetFileVersionInfoW
VerQueryValueW

Delayed Imports

1

Type RT_ICON
Language English - United States
Codepage UNKNOWN
Size 0x5f680
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 7.84795
Detected Filetype PNG graphic file
MD5 3f3bd33ee441b342ac35b3d384d63a83
SHA1 78730a2d169206711000cece633c00598158448f
SHA256 b086f9770bb6d5fea2eff6ab08aa06577fe3f416e4a239b2433cc689c1839023
SHA3 63d17d9dc2ebf19fc9b485db3fec7ded13f7e45b31689a46faf821f065056669

2

Type RT_ICON
Language English - United States
Codepage UNKNOWN
Size 0x5b85
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 7.97296
Detected Filetype PNG graphic file
MD5 5d976bc25ac2a64c63169800c060bd48
SHA1 e05f602be5289dcdb03436e86ada69e6ebc7bb74
SHA256 f23784ddd9a83d70e2377dc391ee7636e608c2e94fcd233344a01074a93ed601
SHA3 081065b51941500dfd5198131601ec04b3f412faf0b64adab52eb70018bb68c4

3

Type RT_ICON
Language English - United States
Codepage UNKNOWN
Size 0x36c2
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 7.97495
Detected Filetype PNG graphic file
MD5 7d55c64417d12a6d220596a147abec1c
SHA1 4d34a36301e0a863302b5577e8abb91dc7804b79
SHA256 b48c4e3959120423eff04410634928803a19fefc85953d80396487ecacc4630f
SHA3 dfb17ee19a1fe1c675f2acc745712ef5a798b23ed1d8cdb3198b9d092c05f324

4

Type RT_ICON
Language English - United States
Codepage UNKNOWN
Size 0x2c5f
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 7.96281
Detected Filetype PNG graphic file
MD5 0faabf55df08d84d8187e54a4684408f
SHA1 dc693787e082c30929da3d31623037de411fe970
SHA256 3bc91aafde1b9d58e70ec9ae7907072ba16a3e6f399c5b988c79423ab7feab0d
SHA3 55a3721aad919fc088b4cd2b5e12dc7130700cb8b4f45368d7c103a9dada95d9

5

Type RT_ICON
Language English - United States
Codepage UNKNOWN
Size 0x2668
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 6.42493
MD5 fbed307c5990f76d667af04638eebd75
SHA1 3ed12e7e6a6471b46db205dcc982cb1d0a7ad400
SHA256 24f5912255d1703bb82429784de8a6fd77006f61acd6ca47907a529b655e6bb8
SHA3 196ae6908aa1ea4bd46e6ebeb3a12bbe4af052c6958260ca000aaac91858c567

6

Type RT_ICON
Language English - United States
Codepage UNKNOWN
Size 0x468
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 5.94358
MD5 853e9db06cad20b93c380bad3d74e4be
SHA1 70c176cca0ad794e5130888cbea64b9bb9b0c4c4
SHA256 0a026012eae885af42a35971ce35a4ed58e1ee08ccb3bd9dc7c64b9f558edc1a
SHA3 f7ca841dd436d4f471ae4bac539d93263421a854cc4fb2b87d807789059f378e

105

Type RT_DIALOG
Language English - United States
Codepage UNKNOWN
Size 0x100
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 2.66174
MD5 3409f314895161597f3c395cc5f65525
SHA1 1a99d016d65e567f24449d9362afb6ac44006d0b
SHA256 fecdb955f8d7f1c219ff8167f90b64f3cb52e53337494577ff73c0ac1dafcd96
SHA3 b3b19241cc6454389e45833e50b742ae1927a5f161017350a99f2cbc66914f26

106

Type RT_DIALOG
Language English - United States
Codepage UNKNOWN
Size 0x11c
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 2.88094
MD5 2d12c45dc2c029044aaff357141cb900
SHA1 083db861ab3c7db23c6257878296e73a89a74b8b
SHA256 69897c784f1491eb3024b0d52c2897196a2e245974497fda1915db5fefcf8729
SHA3 349b5d605c9c3efe5e0c4e2faa12dd21022fc5f9b053f2cbf4e2a6b8bc656442

111

Type RT_DIALOG
Language English - United States
Codepage UNKNOWN
Size 0x60
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 2.48825
MD5 6be4e1387d369cf86e68eacbdd0e81dd
SHA1 351970fe2681b9b35b5d59ad052011ed96a96e17
SHA256 85025c8556952f6a651c2468c8a0d58853b0ba482be9ad5cd3060f216540dfc0
SHA3 45e552e173141e06d113209b6cc915042ad0b4d5531464b8dbe5637029f489cb

103

Type RT_GROUP_ICON
Language English - United States
Codepage UNKNOWN
Size 0x5a
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 2.95213
Detected Filetype Icon file
MD5 4d12ef0daf6c50cf8e2912ec355c523b
SHA1 2d938e7956639ae2fb0ba1db309ff054fa2d9378
SHA256 566398b22cf634fdeed9fb33bdabddb1b684d28e6d0f8a68aa61cc31684d1b62
SHA3 15a6bffc5070d85c47dc95745d37560703ec448a7d30ded6f4e0880569336ac3

1 (#2)

Type RT_MANIFEST
Language English - United States
Codepage UNKNOWN
Size 0x2d6
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 5.21266
MD5 8ac7761540a25f0e446671e95051ad9d
SHA1 dc2cbe444228a356272452dcda6a5f4f58bec4f7
SHA256 46e35d3bb4e0d1dd59f3321fa8b908e7202b9bdf70151f941d58f9bee9c0ba67
SHA3 f8b37c5b1f6bbe37022e4fa171341b311127a6675e700216af3aebc33070e1b2

Version Info

TLS Callbacks

Load Configuration

RICH Header

XOR Key 0x38bf1a05
Unmarked objects 0
C objects (VS2008 SP1 build 30729) 3
Imports (VS2008 SP1 build 30729) 17
Total imports 172
C objects (VS2010 SP1 build 40219) 12
Resource objects (VS2010 SP1 build 40219) 1
Linker (VS2010 SP1 build 40219) 1

Errors

[!] Error: Could not read an IMAGE_BASE_RELOCATION! [*] Warning: Section .ndata has a size of 0!
<-- -->