Manalyze report for ac1a85d3ca1b6265cad4ed41b696f9b7

Summary

Architecture	`IMAGE_FILE_MACHINE_I386`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	2008-Apr-01 19:35:07

Plugin Output

Suspicious	Strings found in the binary may indicate undesirable behavior:	`Contains references to internet browsers: iexplore.exe` `May have dropper capabilities: CurrentControlSet\Services`
Malicious	The file headers were tampered with.	`Unusual section name found: .cdata` `The RICH header checksum is invalid.`
Malicious	The PE contains functions mostly used by malware.	`[!] The program may be hiding some of its imports: GetProcAddress LoadLibraryA` `Code injection capabilities: OpenProcess WriteProcessMemory CreateRemoteThread VirtualAllocEx` `Can access the registry: RegQueryValueExA RegEnumValueA RegOpenKeyA RegDeleteValueA RegOpenKeyExA RegCloseKey` `Possibly launches other programs: CreateProcessA CreateProcessAsUserA` `Functions related to the privilege level: OpenProcessToken DuplicateTokenEx` `Manipulates other processes: OpenProcess WriteProcessMemory ReadProcessMemory`
Malicious	VirusTotal score: 15/67 (Scanned on 2019-10-08 22:16:35)	`Zillya: Trojan.GenericKD.Win32.115912` `F-Prot: W32/Backdoor.GV.gen!Eldorado` `APEX: Malicious` `Tencent: Win32.Trojan.Qwer.Ygca` `Cyren: W32/Backdoor.GV.gen!Eldorado` `Jiangmin: Backdoor.DoubleAgent.a` `Antiy-AVL: Trojan[Backdoor]/Win32.DoubleAgent` `ViRobot: Trojan.Win32.Agent.17408.EC` `TACHYON: Backdoor/W32.DoubleAgent.17408` `AhnLab-V3: Trojan/Win32.Agent.C2487603` `VBA32: Backdoor.DoubleAgent` `Zoner: Trojan.Win32.68260` `Rising: Trojan.Generic@ML.83 (RDMK:NfM8lUs5lfR4KRh9vUE4Sg)` `Yandex: Backdoor.DoubleAgent!` `Cybereason: malicious.efffad`

Hashes

MD5	`ac1a85d3ca1b6265cad4ed41b696f9b7`
SHA1	`8ff7b74efffadb3a102ed0ec614c918526d0ea6b`
SHA256	`32d8c36c829be1cdbed56201a0e663227fe74d479f1732a7974fb50fdf09c02e`
SHA3	`875980658ccef3761d4b031747487987b2ef3ed7d0d6a53d7fbc7ede04831626`
SSDeep	`384:R1Wx2a/j+HF400vvnIPxAvDJ1SvAPnXnG1l:R1I2ab+l400nnIpAN1SvAP36`
Imports Hash	`2d3a84dfeb99a2f4534843b7c5817fbc`

DOS Header

e_magic	`MZ`
e_cblp	`0x4`
e_cp	`0x1`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0x1`
e_maxalloc	`0xffff`
e_ss	`0x6a06`
e_sp	`0xcb00`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0xa8`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_I386`
NumberofSections	`4`
TimeDateStamp	2008-Apr-01 19:35:07
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xe0`
Characteristics	`IMAGE_FILE_32BIT_MACHINE` `IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LINE_NUMS_STRIPPED` `IMAGE_FILE_LOCAL_SYMS_STRIPPED`

Image Optional Header

Magic	`PE32`
LinkerVersion	`7.0`
SizeOfCode	`0x3600`
SizeOfInitializedData	`0xa00`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x0000348D (Section: .text)`
BaseOfCode	`0x1000`
BaseOfData	`0x5000`
ImageBase	`0x400000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`4.0`
ImageVersion	`0.0`
SubsystemVersion	`4.0`
Win32VersionValue	`0`
SizeOfImage	`0x8000`
SizeOfHeaders	`0x400`
Checksum	`0`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`a536203225a7074c37fff81d46687ec1`
SHA1	`20637d56544acc8a1070b9fb497bc9b91c55e999`
SHA256	`41b197c6460a065c96a8a6cbfeb3b6338c3d1277a435874cc326cd78700fde0b`
SHA3	`59418c3c36bc6cd5dc3dae65dc74689dbf8da975b273f832c3aa8e09ede59f5f`
VirtualSize	`0x35f6`
VirtualAddress	`0x1000`
SizeOfRawData	`0x3600`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.40208`

.data

MD5	`4031479fbcd57a5f6c8dbf647bfcd376`
SHA1	`1ddbc29868bb42f598db5dcffdea0b1fe9f8d951`
SHA256	`0277c751df8e8abc55fe2bace1a2ca1292e96ef3de276706161d48d7bcd835bd`
SHA3	`a00ca26f5cacea198f45643320cf1c44b32d466dd089fca4d85887e141b14f4b`
VirtualSize	`0x164`
VirtualAddress	`0x5000`
SizeOfRawData	`0x200`
PointerToRawData	`0x3a00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`1.00828`

.cdata

MD5	`948511b4a40017a4f17b5af4066e5e15`
SHA1	`f6bb08ea8fcf70da93ae5a03f1665cc08d43c6c4`
SHA256	`64849681744296a1582f67b47b63d0be61145eb3f473ba8e6198e43db7867e8d`
SHA3	`b774fb347aa6e18fbe8acd20d05245ac999e3ce8f1245c233921dd3e8d2a4fee`
VirtualSize	`0x23c`
VirtualAddress	`0x6000`
SizeOfRawData	`0x400`
PointerToRawData	`0x3c00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_SHARED` `IMAGE_SCN_MEM_WRITE`
Entropy	`1.32372`

.reloc

MD5	`7f5f3ba1ba90b8791121f26ba95facf6`
SHA1	`5999a0599cba75340c2726fc35949557be105cc2`
SHA256	`d8b9535677f13a3b4132313153fff2dc13f61f7267697361ae08a06e5db5135b`
SHA3	`9f70cc48fccb1a8f6890cc9be6ba2b399797a2c48d0d4aa114b765194beab5af`
VirtualSize	`0x338`
VirtualAddress	`0x7000`
SizeOfRawData	`0x400`
PointerToRawData	`0x4000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`5.79343`

Imports

WSOCK32.dll	`#11` `#115` `#116`
USER32.dll	`DefWindowProcA` `wsprintfA` `PostQuitMessage` `RegisterClassA` `TranslateMessage` `GetMessageA` `PeekMessageA` `PostMessageA` `DispatchMessageA` `CreateWindowExA` `SetTimer` `PostThreadMessageA` `KillTimer`
KERNEL32.dll	`VirtualFreeEx` `DeleteCriticalSection` `OpenProcess` `WriteFile` `CloseHandle` `RtlUnwind` `GetVersion` `LocalAlloc` `SetFilePointer` `CreateProcessA` `GetModuleHandleA` `GetLastError` `LocalFree` `ExitThread` `SetEvent` `ReadFile` `TerminateProcess` `WaitForSingleObject` `WriteProcessMemory` `ReadProcessMemory` `ResetEvent` `LeaveCriticalSection` `GetStdHandle` `TerminateThread` `ExitProcess` `InitializeCriticalSection` `GetModuleFileNameA` `GetProcAddress` `WaitForMultipleObjects` `CreateRemoteThread` `lstrlenA` `CreateEventA` `GetExitCodeThread` `CreateThread` `lstrcmpiA` `EnterCriticalSection` `GetCurrentProcessId` `CreateFileA` `SetThreadPriority` `ResumeThread` `lstrcpyA` `GetOverlappedResult` `FreeLibrary` `RaiseException` `GetCurrentThreadId` `lstrcatA` `GetEnvironmentVariableA` `SetStdHandle` `VirtualAllocEx` `Sleep` `CopyFileA` `LoadLibraryA`
ADVAPI32.dll	`RegQueryValueExA` `RegEnumValueA` `RegOpenKeyA` `RegDeleteValueA` `SetServiceStatus` `OpenProcessToken` `RegOpenKeyExA` `StartServiceCtrlDispatcherA` `SetTokenInformation` `RegCloseKey` `RegisterServiceCtrlHandlerA` `DuplicateTokenEx` `CreateProcessAsUserA`

Delayed Imports

rpcnetp

Ordinal	`1`
Address	`0x34e1`

Version Info

TLS Callbacks

Load Configuration

RICH Header

XOR Key	`0x77224aa4`
Unmarked objects	`0`
Imports (2067)	`2`
Imports (2179)	`7`
Total imports	`82`
Unmarked objects (#2)	`5`
C objects (VS2003 (.NET) build 3077)	`14`
C++ objects (VS2003 (.NET) build 3077)	`1`
Exports (VS2003 (.NET) build 3077)	`1`
Linker (VS2003 (.NET) build 3077)	`1`

ac1a85d3ca1b6265cad4ed41b696f9b7

Summary

Plugin Output

Hashes

DOS Header

PE Header

Image Optional Header

.text

.data

.cdata

.reloc

Imports

Delayed Imports

rpcnetp

Version Info

TLS Callbacks

Load Configuration

RICH Header

Errors