Manalyze report for b4164149ffc43c2bf55cb66922e738b0

Summary

Architecture	`IMAGE_FILE_MACHINE_I386`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	2020-May-19 17:04:14
Detected languages	English - United States

Plugin Output

Info	Interesting strings found in the binary:	`Contains domain names: http://207.154.235.218 http://207.154.235.218/campo/z/z`
Suspicious	The PE is possibly packed.	`The PE only has 6 import(s).`
Info	The PE contains common functions which appear in legitimate applications.	`[!] The program may be hiding some of its imports: GetProcAddress LoadLibraryA`
Malicious	VirusTotal score: 50/69 (Scanned on 2021-06-22 14:17:05)	`Lionic: Trojan.Win32.Tiny.a!c` `Elastic: malicious (high confidence)` `MicroWorld-eScan: Gen:Variant.Bulz.221695` `CAT-QuickHeal: TrojanDownloader.Tiny` `ALYac: Spyware.Ursnif` `Cylance: Unsafe` `Sangfor: Trojan.Win32.Tiny.SS` `CrowdStrike: win/malicious_confidence_100% (W)` `Alibaba: TrojanDownloader:Win32/TrojanX.ff57a4ac` `K7GW: Trojan-Downloader ( 0056a18b1 )` `K7AntiVirus: Trojan-Downloader ( 0056a18b1 )` `Cyren: W32/Trojan.YJVU-0889` `Symantec: W97M.Downloader` `ESET-NOD32: a variant of Win32/TrojanDownloader.Tiny.NRN` `APEX: Malicious` `Paloalto: generic.ml` `Kaspersky: Trojan-Downloader.Win32.Tiny.rky` `BitDefender: Gen:Variant.Bulz.221695` `NANO-Antivirus: Trojan.Win32.Tiny.icgzcd` `ViRobot: Trojan.Win32.S.Downloader.4096.BA` `Avast: Win32:TrojanX-gen [Trj]` `Tencent: Win32.Trojan-downloader.Tiny.Pcig` `Ad-Aware: Gen:Variant.Bulz.221695` `Emsisoft: Gen:Variant.Bulz.221695 (B)` `Comodo: Malware@#26zey2asvtk2k` `DrWeb: Trojan.DownLoader36.6331` `VIPRE: Trojan.Win32.Generic!BT` `TrendMicro: TROJ_GEN.R002C0DE321` `McAfee-GW-Edition: RDN/Generic Downloader.x` `FireEye: Generic.mg.b4164149ffc43c2b` `Sophos: Mal/Generic-R + Troj/Agent-BHAQ` `GData: Gen:Variant.Bulz.221695` `Kingsoft: Win32.Troj.Generic_a.a.(kcloud)` `Gridinsoft: Trojan.Win32.Downloader.oa` `Arcabit: Trojan.Bulz.D361FF` `ZoneAlarm: Trojan-Downloader.Win32.Tiny.rky` `Microsoft: TrojanDownloader:Win32/Tiny.SS!MTB` `Cynet: Malicious (score: 100)` `AhnLab-V3: Malware/Win32.RL_Generic.R357606` `McAfee: RDN/Generic Downloader.x` `MAX: malware (ai score=100)` `VBA32: TrojanDownloader.Tiny` `TrendMicro-HouseCall: TROJ_GEN.R002C0DE321` `Rising: Trojan.Generic@ML.94 (RDML:jOB06nEpYUUqChITPn0yEQ)` `Yandex: Trojan.Igent.bUQtMA.4` `Ikarus: Trojan-Downloader.Win32.Tiny` `Fortinet: W32/Agent.6509!tr.dldr` `AVG: Win32:TrojanX-gen [Trj]` `Panda: Trj/GdSda.A` `MaxSecure: Trojan.Malware.1728101.susgen`

Hashes

MD5	`b4164149ffc43c2bf55cb66922e738b0`
SHA1	`78c01aa4f88d35acfbc3d7142232cd1aa7682a6e`
SHA256	`800e1192e5ec3d2d9b17a3e2d8996cadbdd96ac6d8c59dfcf989264a956eb8d4`
SHA3	`5908118a585dce2076ca1015d9cb9c46b7039635b1f44573d9cf6968dbad0281`
SSDeep	`48:aOYItNcalsIk6B82DyWVyzKZ+uhFJheDrJsRuUTe:frlsIv+khQlrJMdT`
Imports Hash	`00efe7c5f7ae0f17696c089cc9514203`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0xe0`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_I386`
NumberofSections	`5`
TimeDateStamp	2020-May-19 17:04:14
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xe0`
Characteristics	`IMAGE_FILE_32BIT_MACHINE` `IMAGE_FILE_DLL` `IMAGE_FILE_EXECUTABLE_IMAGE`

Image Optional Header

Magic	`PE32`
LinkerVersion	`14.0`
SizeOfCode	`0x400`
SizeOfInitializedData	`0xa00`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x00000000 (Section: ?)`
BaseOfCode	`0x1000`
BaseOfData	`0x2000`
ImageBase	`0x10000000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`6.0`
ImageVersion	`0.0`
SubsystemVersion	`6.0`
Win32VersionValue	`0`
SizeOfImage	`0x6000`
SizeOfHeaders	`0x400`
Checksum	`0`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` `IMAGE_DLLCHARACTERISTICS_NO_SEH` `IMAGE_DLLCHARACTERISTICS_NX_COMPAT`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`46b98569e7e52761ae7ba619daab5cf1`
SHA1	`83084f153fda6f5b86f3efb6ca49782a72d5ce59`
SHA256	`1c771892d39ede757a0944d25a125b8eefc0c94f529ae2a2dc0756fd35560102`
SHA3	`abc62f2749d79fead96cd19294565d2afdcd251801c19f01fbbd47c4e5196474`
VirtualSize	`0x288`
VirtualAddress	`0x1000`
SizeOfRawData	`0x400`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`4.0703`

.rdata

MD5	`c489c1319d231dda79fe2e65b81f0ad8`
SHA1	`b1c204b661d72c14f44f906bf18109e01732aef5`
SHA256	`1d27d8c1ac5d55bdfbae92d16d6eebf411f7e21105ff2a77f02ac88d187a09d0`
SHA3	`ed7aa4bb8d66c0c9ef6d135e68a08409d98046e8459dc85eb2ec3cf1cabe25a1`
VirtualSize	`0x380`
VirtualAddress	`0x2000`
SizeOfRawData	`0x400`
PointerToRawData	`0x800`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`4.45929`

.data

MD5	`d41d8cd98f00b204e9800998ecf8427e`
SHA1	`da39a3ee5e6b4b0d3255bfef95601890afd80709`
SHA256	`e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`
SHA3	`a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a`
VirtualSize	`0x18`
VirtualAddress	`0x3000`
SizeOfRawData	`0`
PointerToRawData	`0`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`

.rsrc

MD5	`b4fdcfb09f1721ed2d7a171560e42bb5`
SHA1	`6d491583414a53bdab26fdcc53b412e97d37dac0`
SHA256	`d4ff91793a3bddb22abe80beb851b24e90c92b482577d2e8d3a81fe6336c212d`
SHA3	`0024e82751f384c8580d7bcd615d10d3233aee9b0ac32f3f22a76958f7f62d0a`
VirtualSize	`0xf8`
VirtualAddress	`0x4000`
SizeOfRawData	`0x200`
PointerToRawData	`0xc00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`2.51196`

.reloc

MD5	`14935ddbefa92b638893f3f64eb0a324`
SHA1	`2ec7118c2a15eed0a96e742c1a5908fa9a4936ba`
SHA256	`0da69494719001248732fa9380bc0c1500a94db48966dd1d38a27842b0a67c39`
SHA3	`f9aff8a5336aab25417e85d2f860f0887f91a6b724470e5ba2e138b410b50672`
VirtualSize	`0x58`
VirtualAddress	`0x5000`
SizeOfRawData	`0x200`
PointerToRawData	`0xe00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`1.32066`

Imports

KERNEL32.dll	`GetProcAddress` `LoadLibraryA` `LocalAlloc` `lstrlenA` `CloseHandle`
VCRUNTIME140.dll	`memset`

Delayed Imports

D

Ordinal	`1`
Address	`0x1110`

2

Type	`RT_MANIFEST`
Language	English - United States
Codepage	UNKNOWN
Size	`0x91`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`4.8858`
MD5	`f7ad1eab748bc07570a57ec87787cf90`
SHA1	`0b1608da9fef218386e825db575c65616826d9f4`
SHA256	`d2952e57023848a37fb0f21f0dfb38c9000f610ac2b00c2f128511dfd68bde04`
SHA3	`6c9541b36948c19ae507d74223621875b3af4064f7cd8200bdb97e15a047e96a`

Version Info

IMAGE_DEBUG_TYPE_POGO

Characteristics	`0`
TimeDateStamp	2020-May-19 17:04:14
Version	`0.0`
SizeofData	`236`
AddressOfRawData	`0x21c4`
PointerToRawData	`0x9c4`

IMAGE_DEBUG_TYPE_ILTCG

Characteristics	`0`
TimeDateStamp	2020-May-19 17:04:14
Version	`0.0`
SizeofData	`0`
AddressOfRawData	`0`
PointerToRawData	`0`

TLS Callbacks

Load Configuration

RICH Header

XOR Key	`0xaafbe1a9`
Unmarked objects	`0`
Imports (VS 2015/2017/2019 runtime 28619)	`2`
Imports (26715)	`3`
Total imports	`6`
C++ objects (VS2019 Update 6 (16.6.1-5) compiler 28806)	`4`
Exports (VS2019 Update 6 (16.6.1-5) compiler 28806)	`1`
Resource objects (VS2019 Update 6 (16.6.1-5) compiler 28806)	`1`
Linker (VS2019 Update 6 (16.6.1-5) compiler 28806)	`1`

Errors

[*] Warning: Section .data has a size of 0!