Manalyze report for af7edad6f219c27261ac442ae5e8ab6a

Summary

Architecture	`IMAGE_FILE_MACHINE_I386`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	2010-Jun-11 22:58:00
CompanyName	www.safe3.com.cn
FileDescription	Safe3WVS
FileVersion	`10.1.0.0`
InternalName	SafeVS.exe
LegalCopyright	Copyright (C)Safe3 2011
OriginalFilename	SafeVS.exe
ProductName	Safe3WVS
ProductVersion	`10.1.0.0`
Assembly Version	10.1.0.0

Plugin Output

Suspicious	Strings found in the binary may indicate undesirable behavior:	`Tries to detect virtualized environments: HARDWARE\DESCRIPTION\System` `Looks for VirtualPC presence: 0f 3f 07 0b`
Info	Cryptographic algorithms detected in the binary:	`Uses constants related to CRC32` `Uses constants related to MD5` `Uses constants related to AES`
Suspicious	The PE is possibly packed.	`Section .text is both writable and executable.` `Unusual section name found: .52pojie` `Section .52pojie is both writable and executable.` `Unusual section name found: .52pojie` `The PE only has 6 import(s).`
Info	The PE contains common functions which appear in legitimate applications.	`Can access the registry: RegOpenKeyExA`
Info	The PE's resources present abnormal characteristics.	`Resource __ is possibly compressed or encrypted.`
Malicious	VirusTotal score: 50/70 (Scanned on 2019-11-11 06:19:51)	`MicroWorld-eScan: Gen:Variant.Razy.173794` `CAT-QuickHeal: Trojan.IGENERIC` `McAfee: Artemis!AF7EDAD6F219` `Cylance: Unsafe` `Zillya: Trojan.Black.Win32.35849` `SUPERAntiSpyware: Trojan.Agent/Generic` `CrowdStrike: win/malicious_confidence_90% (W)` `BitDefender: Gen:Variant.Razy.173794` `K7GW: Trojan ( 0037b52e1 )` `K7AntiVirus: Trojan ( 0037b52e1 )` `Arcabit: Trojan.Razy.D2A6E2` `Invincea: heuristic` `Symantec: Trojan.Gen` `ESET-NOD32: a variant of Win32/Packed.NoobyProtect.G suspicious` `APEX: Malicious` `Avast: Win32:Malware-gen` `ClamAV: Win.Trojan.Agent-467161` `Alibaba: Packed:Win32/NoobyProtect.9bf98e51` `NANO-Antivirus: Trojan.Win32.DDPL1769.desakh` `AegisLab: Trojan.Win32.Razy.4!c` `Ad-Aware: Gen:Variant.Razy.173794` `Sophos: Generic PUA PO (PUA)` `Comodo: TrojWare.Win32.Amtar.KNB@4wlm66` `F-Secure: Heuristic.HEUR/AGEN.1011909` `DrWeb: Trojan.Siggen6.36628` `VIPRE: Trojan.Win32.Generic!BT` `TrendMicro: TROJ_GEN.R066C0OI619` `McAfee-GW-Edition: BehavesLike.Win32.Dropper.tc` `Trapmine: suspicious.low.ml.score` `FireEye: Generic.mg.af7edad6f219c272` `Emsisoft: Gen:Variant.Razy.173794 (B)` `SentinelOne: DFI - Malicious PE` `Webroot: W32.Malware.Gen` `Avira: HEUR/AGEN.1011909` `Microsoft: Trojan:Win32/Occamy.C` `Endgame: malicious (high confidence)` `GData: Win32.Riskware.NoobyProtect.B` `Acronis: suspicious` `VBA32: Trojan.Bitrep` `ALYac: Gen:Variant.Razy.173794` `MAX: malware (ai score=100)` `TrendMicro-HouseCall: TROJ_GEN.R066C0OI619` `Rising: Trojan.Generic@ML.98 (RDMK:kLLfFoo9ulin9r6J8FIkeA)` `Yandex: Riskware.NoobyProtect!` `Ikarus: Trojan.SuspectCRC` `eGambit: HackTool.Generic` `BitDefenderTheta: Gen:NN.ZexaF.32245.mr0@aCZEgGh` `AVG: Win32:Malware-gen` `Cybereason: malicious.6f219c` `MaxSecure: Trojan.Malware.2588.susgen`

Hashes

MD5	`af7edad6f219c27261ac442ae5e8ab6a`
SHA1	`fee3acacc763dc55df1373709a666d94c9364a7f`
SHA256	`b37754455c337f33d4262606ebd8f7a708e2d64197f7a8f73551ca153e312d4a`
SHA3	`170d4cbf8c48140b85462f72aef91c9b19fda1d271eaf6fbe2024b3d8494c2b4`
SSDeep	`24576:uTf4BCmHIlsNA25blas3cDB5Jz0j3DL2XWaJ0bRFXK0l:uTgBjHIIlSl5Jz0j3H2XWaqbRFP`
Imports Hash	`c49c525309bf9496e85c59eaced1ef43`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0xd0`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_I386`
NumberofSections	`4`
TimeDateStamp	2010-Jun-11 22:58:00
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xe0`
Characteristics	`IMAGE_FILE_32BIT_MACHINE` `IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_RELOCS_STRIPPED`

Image Optional Header

Magic	`PE32`
LinkerVersion	`9.0`
SizeOfCode	`0`
SizeOfInitializedData	`0`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x00130B60 (Section: .52pojie)`
BaseOfCode	`0`
BaseOfData	`0`
ImageBase	`0x400000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`5.0`
ImageVersion	`0.0`
SubsystemVersion	`5.0`
Win32VersionValue	`0`
SizeOfImage	`0x135000`
SizeOfHeaders	`0x400`
Checksum	`0x1341b4`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`701fb6164481c1f6d99c6bb5ae626f61`
SHA1	`8118c4c24797796816ec4fd860dd8269753c41c3`
SHA256	`0ddcd8cb790c2c036b5763f03188d54d90e85367c2e2281ec7be0b0cf165c79e`
SHA3	`7d809540ee3cbfd497151cf2f53ddcda51a992da0f3f48f706b58715c324a36a`
VirtualSize	`0x54000`
VirtualAddress	`0x1000`
SizeOfRawData	`0x54000`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`6.84344`

.52pojie

MD5	`4ea0455b68a795282e2f21d3e1c20c95`
SHA1	`51e921b3613b1754f059f1132e0753c73b682096`
SHA256	`6c3ee81a4b477b5e3a85e443e1fc77213ddd05e174454269327b30d00bea1c4f`
SHA3	`352bd2cd32e746a741603cadab567fc6387e0bd64d4477d4353dfde3fd8e0831`
VirtualSize	`0xde000`
VirtualAddress	`0x55000`
SizeOfRawData	`0xdd800`
PointerToRawData	`0x54400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_NOT_PAGED` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`7.89597`

.idata

MD5	`79d39b70f1feb4a48a2a75412de96e1c`
SHA1	`ad774730a48b4ea6497b46264e31e03f80093355`
SHA256	`acef6d264a56ff146befb25d69f41c0c7c38c5804456019ec0d6d0eef030f245`
SHA3	`bde145641c686ec87b37125f27670d050665133762754701134b4f2ebfcf58c1`
VirtualSize	`0x1000`
VirtualAddress	`0x133000`
SizeOfRawData	`0x200`
PointerToRawData	`0x131c00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_NOT_PAGED` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`3.36248`

.52pojie (#2)

MD5	`fc1fa469d0dfee5e381fee5fc15400bb`
SHA1	`80cf5b1dd78291e2fed9bcaaac9e5a58dc03a662`
SHA256	`c855546c69746ae9ba9b36ddca89b8fc090f3eda2901894e96265f66237d2629`
SHA3	`778cb684940d05edef8ed4fd8e3c3535a41c0c26b07fac7d90644e970f8ebcc0`
VirtualSize	`0x1000`
VirtualAddress	`0x134000`
SizeOfRawData	`0x1000`
PointerToRawData	`0x131e00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`7.98337`

Imports

KERNEL32.dll	`RaiseException`
MSVCRT.dll	`malloc`
IPHLPAPI.DLL	`GetInterfaceInfo`
PSAPI.DLL	`GetMappedFileNameW`
USER32.dll	`IsWindow`
ADVAPI32.dll	`RegOpenKeyExA`

Delayed Imports

1

Type	`RT_ICON`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x3a48`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.0897`
MD5	`cd9eb547f6035d2c52d6ff62b1a1df57`
SHA1	`552b7ab92581011a0c1f25648df575da247e2421`
SHA256	`773fcb6b8cd0801d5956f741afc9f160888f018422045da03410e06549cbeb15`
SHA3	`7ad124947ff23b4237c31e9faff9efd5ebca67e8686bf4b8de1198dc7d65dfa0`

__

Type	`RT_RCDATA`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x2a9ac`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`7.99906`
MD5	`a6decd5f2d9f4d0929214c1f2330dd6a`
SHA1	`06533b7f2a4321102db5481e6608a62796e09e12`
SHA256	`6a2847ad97129f9fd9a6ce2b9f2d047d621c9c176ac37282e9a162852a1bf6ea`
SHA3	`611db7db003e188cff353145739f2428953b813aeeee9702a21c2b80a6a1548e`

1 (#2)

Type	`RT_GROUP_ICON`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x14`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`1.91924`
Detected Filetype	Icon file
MD5	`8d09bcfac1a48eadf8e7bd4ef08b78ba`
SHA1	`cff659b1bc92ab0879cd54063b385d5880fa2f67`
SHA256	`7e7b6598cdc7506f771d7c2871ce580dd754be174584c5d1caed53db34344833`
SHA3	`72be476d5bbe609df26e89a804710997285f31250059a628ef0e0a2871dad8e7`

1 (#3)

Type	`RT_VERSION`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x304`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.30014`
MD5	`860e6d666c8b4191430d72b6120bdf85`
SHA1	`93d590cb2355f235c419be22820bf420f51e8d81`
SHA256	`cbdc8282ed66c53a38a73fda296511fc40b7be6d639f9623cd455694d7116763`
SHA3	`31fbad4a6e461338e748d60a70a9d85535fef4967a6de40dcefd8de4320c18b2`

1 (#4)

Type	`RT_MANIFEST`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x1ea`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.00112`
MD5	`a19a2658ba69030c6ac9d11fd7d7e3c1`
SHA1	`879dcf690e5bf1941b27cf13c8bcf72f8356c650`
SHA256	`c0085eb467d2fc9c9f395047e057183b3cd1503a4087d0db565161c13527a76f`
SHA3	`93cbaf236d2d3870c1052716416ddf1c34f21532e56dd70144e9a01efcd0ce34`

Version Info

Signature	`0xfeef04bd`
StructVersion	`0x10000`
FileVersion	10.1.0.0
ProductVersion	10.1.0.0
FileFlags	`(EMPTY)`
FileOs	`VOS_DOS_WINDOWS32` `VOS_NT_WINDOWS32` `VOS__WINDOWS32`
FileType	`VFT_APP`
Language	UNKNOWN
CompanyName	www.safe3.com.cn
FileDescription	Safe3WVS
FileVersion (#2)	10.1.0.0
InternalName	SafeVS.exe
LegalCopyright	Copyright (C)Safe3 2011
OriginalFilename	SafeVS.exe
ProductName	Safe3WVS
ProductVersion (#2)	10.1.0.0
Assembly Version	10.1.0.0

Resource LangID	UNKNOWN

TLS Callbacks

Load Configuration

RICH Header

Errors

[!] Error: Could not read PDB file information of invalid magic number.