Manalyze report for b59b71515091f8cea154332b5b70defd

Summary

Architecture	`IMAGE_FILE_MACHINE_I386`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	2017-Nov-17 15:02:02
Detected languages	Chinese - PRC English - United States
CompanyName	Safengine
FileDescription	Safengine - Professional Software Protection Tool
FileVersion	`2.4.0.0`
LegalCopyright	2007 - 2014 Safengine
ProductName	Safengine
ProductVersion	`2.4.0.0`

Plugin Output

Suspicious	Strings found in the binary may indicate undesirable behavior:	`Looks for VirtualPC presence: 0f 3f 07 0b` `Contains domain names: crl.symauth.com http://pki-crl.symauth.com http://pki-crl.symauth.com/ca_3e5451d77b370c64c3bd39d10f35bd21/LatestCRL.crl07 http://pki-crl.symauth.com/offlineca/TheInstituteofElectricalandElectronicsEngineersIncIEEERootCA.crl0 http://pki-ocsp.symauth.com0 pki-crl.symauth.com safengine.com symauth.com`
Info	Cryptographic algorithms detected in the binary:	`Uses constants related to MD5` `Uses constants related to SHA256` `Uses constants related to AES`
Suspicious	The PE is possibly packed.	`Section .text is both writable and executable.` `Unusual section name found: .sedata` `Section .sedata is both writable and executable.` `Unusual section name found: .sedata` `The PE only has 7 import(s).`
Info	The PE contains common functions which appear in legitimate applications.	`Can access the registry: RegOpenKeyExA`
Info	The PE is digitally signed.	`Signer: Shanghai Bo Yi Information Technology Co. Ltd.` `Issuer: Symantec Class 3 SHA256 Code Signing CA`
Malicious	VirusTotal score: 31/71 (Scanned on 2023-05-28 17:31:03)	`APEX: Malicious` `AVG: Win32:Malware-gen` `Alibaba: Packed:Win32/NoobyProtect.52f9188f` `Avast: Win32:Malware-gen` `ClamAV: Win.Malware.Noobyprotect-6622929-0` `CrowdStrike: win/malicious_confidence_90% (D)` `Cylance: unsafe` `Cynet: Malicious (score: 100)` `Cyren: W32/Trojan.DZQ.gen!Eldorado` `DeepInstinct: MALICIOUS` `ESET-NOD32: a variant of Win32/Packed.NoobyProtect.M suspicious` `Elastic: malicious (high confidence)` `FireEye: Generic.mg.b59b71515091f8ce` `Fortinet: W32/Injector.FKM!tr` `Google: Detected` `Gridinsoft: Trojan.Win32.Agent.dg` `K7AntiVirus: Trojan ( 004c2dc01 )` `K7GW: Trojan ( 004c2dc01 )` `Lionic: Trojan.Win32.Generic.4!c` `Malwarebytes: Malware.AI.553877653` `McAfee: Artemis!B59B71515091` `McAfee-GW-Edition: Artemis` `Microsoft: PUA:Win32/Creprote` `Rising: PUA.Creprote!8.F617 (CLOUD)` `SUPERAntiSpyware: Trojan.Agent/Generic` `SentinelOne: Static AI - Suspicious PE` `Sophos: Mal/Generic-S` `Webroot: Pua.Gen` `Yandex: Trojan.GenAsa!U55TAxxnrH0` `Zillya: Downloader.GenericCRTD.Win32.4770` `tehtris: Generic.Malware`

Hashes

MD5	`b59b71515091f8cea154332b5b70defd`
SHA1	`007a809e84b362c08c398f18f42fb28c8cf2c628`
SHA256	`07eda2020ff34ff8ed1f24a71305839bd5054b6635d3999b66823c850589d21c`
SHA3	`a2de40aabc11eb7a84e28cebe99e7e7548ac0182225919828f9fb3372f68a2c1`
SSDeep	`49152:RGwW4YB4CNywnP6xKQ8Uk5gnd/v/V9hLx4bE:RGwOB4CN1nyKAd/vt9Zx4bE`
Imports Hash	`a71af8d28e4f11654e9be52ad1ec4b34`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0xe8`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_I386`
NumberofSections	`5`
TimeDateStamp	2017-Nov-17 15:02:02
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xe0`
Characteristics	`IMAGE_FILE_32BIT_MACHINE` `IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_RELOCS_STRIPPED`

Image Optional Header

Magic	`PE32`
LinkerVersion	`9.0`
SizeOfCode	`0`
SizeOfInitializedData	`0`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x001971F5 (Section: .sedata)`
BaseOfCode	`0`
BaseOfData	`0`
ImageBase	`0x400000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`5.0`
ImageVersion	`0.0`
SubsystemVersion	`5.0`
Win32VersionValue	`0`
SizeOfImage	`0x1f6000`
SizeOfHeaders	`0x400`
Checksum	`0x19c912`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`39b662b17af3e6e6231f27378e1e6887`
SHA1	`6bfe99f6a78464b4a4b20d8e80c0a7b6c339db39`
SHA256	`833c0987e2e5c991ec4c3315d88dba05d9a2bcb7d89d34c5964ac0c7d6be7eb1`
SHA3	`549db26929da4ba8fd948a083d2708cc2a451d42174ff81b4533d6b60b4f6fe8`
VirtualSize	`0x5e000`
VirtualAddress	`0x1000`
SizeOfRawData	`0x600`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`7.2199`

.sedata

MD5	`767e96f77af4aaca17b42938b4e96356`
SHA1	`62a73371cebf6d0650f44b51224b54b684af671f`
SHA256	`11330e74810cfb1dfb4b418e605f8a67df055b6fba4d8dfd4df97a56e0f111eb`
SHA3	`3e9cfa1a5cd80ecce19695dcc17f4162a7f86d0f067624ba2fa962fb54eb2c42`
VirtualSize	`0x13a000`
VirtualAddress	`0x5f000`
SizeOfRawData	`0x139600`
PointerToRawData	`0xa00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_NOT_PAGED` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`7.86339`

.idata

MD5	`116a8c4e0e80471f9fd4a251fc021ec9`
SHA1	`cd947745a0e2a0c7b7633878c7208d31c703605d`
SHA256	`6a6418da15b14bb71542542f25da004f7f36c37b45bc610cf4837c09a227f2f4`
SHA3	`3f7b495fec9e5d4e511358a783d2b6b241664ec93565c9e116a2db0267de7e82`
VirtualSize	`0x1000`
VirtualAddress	`0x199000`
SizeOfRawData	`0x200`
PointerToRawData	`0x13a000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_NOT_PAGED` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`3.95561`

.rsrc

MD5	`c8f82a112f0340440ef22e0d6ed3e410`
SHA1	`50929d83baf7a9132fcad0f7d4263e381c677ddb`
SHA256	`9f9d155eeff2efc9e187402fb4ed64bd9fe7141b789c3ee7b97cd7fb42fce27f`
SHA3	`b4cc7c5e30e99a471369a5ea86f759945d42bcba19980b2e1caedddd3b9e0fd5`
VirtualSize	`0x5b000`
VirtualAddress	`0x19a000`
SizeOfRawData	`0x5ac00`
PointerToRawData	`0x13a200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`5.11951`

.sedata (#2)

MD5	`e59c89f1510292c3045621e4562760bf`
SHA1	`63a5071e53c3f3a4f9275f8ddbff3d8bd6d96d2c`
SHA256	`da20593697463b66384de9f7280d49e209a5f490bc34a27d905806a995bc6f78`
SHA3	`2a93c581d24c610c36fb5fba8dc74353f25601279290fb5c7fd517f146711d0b`
VirtualSize	`0x1000`
VirtualAddress	`0x1f5000`
SizeOfRawData	`0x1000`
PointerToRawData	`0x194e00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`7.9875`

Imports

KERNEL32.dll	`IsDebuggerPresent`
USER32.dll	`CloseClipboard`
MSVCRT.dll	`malloc`
IPHLPAPI.DLL	`GetInterfaceInfo`
PSAPI.DLL	`GetMappedFileNameW`
ADVAPI32.dll	`RegOpenKeyExA`
SHELL32.dll	`SHGetFolderPathW`

Delayed Imports

1

Type	`RT_ICON`
Language	Chinese - PRC
Codepage	Latin 1 / Western European
Size	`0x468`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.72983`
MD5	`6dc35cfe61b123c854b55aaa47b579cc`
SHA1	`ced70bcca5b897f98bdc5b4f90604928192d340c`
SHA256	`2ee40281541f8de573c7090a2c408b92a26a010081637ab85b0a1a15846da3d1`
SHA3	`333e6b4bf2006a9540c32469a6a74b15a45a60fffe07d1cf63ab6fd37d5ec2b5`

2

Type	`RT_ICON`
Language	Chinese - PRC
Codepage	Latin 1 / Western European
Size	`0x10a8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.49203`
MD5	`2fa39155ea10816d8edfdc9c7d25db31`
SHA1	`01d2c299a2f9f3e657faac8619b8a945cfbc38ae`
SHA256	`da18f824ca0e65ef1ed79202fedd58f43273326940c7ed55c0067ab3322932d9`
SHA3	`5d1a64be5282fd1f718b95b8f43f161a3fa9e67b4e3cafae5a379f940d679ec1`

3

Type	`RT_ICON`
Language	Chinese - PRC
Codepage	Latin 1 / Western European
Size	`0x25a8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.36709`
MD5	`66225691029456e0cac3700180bf6402`
SHA1	`7a177e9a788e3bad529f3aed25a6a9c52861f112`
SHA256	`31f48868b4614beed257832a4c6adc1c09765d7fdcf46944b2e38d73b0974039`
SHA3	`2e0220b1d06451142ea3cb79a467e378456ae6f1369a7610ff6245d90e3b1e2e`

4

Type	`RT_ICON`
Language	Chinese - PRC
Codepage	Latin 1 / Western European
Size	`0x4228`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.28265`
MD5	`ca05431c341a366bffe52cbcb1920cee`
SHA1	`f292cdd52f0e198406527dfc98b2d8e789ce979e`
SHA256	`8a08857d20a5493823ef2ed44a1499d748e77a6e98bb0ba3a533cae354ea6ec3`
SHA3	`965213b097b447e5374257f8f321064e56d5ac20448cf1874a2ab273f4012570`

5

Type	`RT_ICON`
Language	Chinese - PRC
Codepage	Latin 1 / Western European
Size	`0x10828`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.1513`
MD5	`5952d914e0af5e877b6582b4a958eb5f`
SHA1	`9d4305ba8209f91bcb8d035d3d24653f41d60a43`
SHA256	`4e9fde02849b381562e3d83f6a8eef248cee98c281af2d45c1a47977a0367931`
SHA3	`659c189d9c84af03f25a537c4908412cb35c68a70b16805f68b8e4d30edca913`

6

Type	`RT_ICON`
Language	Chinese - PRC
Codepage	Latin 1 / Western European
Size	`0x42028`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.06396`
MD5	`97eceb00bbcb86e5f79e88de85cef219`
SHA1	`730650618213c64ffe74c78a2bcac5f9e1f1d05c`
SHA256	`43d6690a3834bf487df84c9f3408fed5fffb61a2abf2eeae276d33b4ebb13397`
SHA3	`16bc1c126f50efd407c1f4647c242cb1815930ae9590c5060c45012fb3ff29c5`

IDR_MAINFRAME

Type	`RT_GROUP_ICON`
Language	Chinese - PRC
Codepage	Latin 1 / Western European
Size	`0x5a`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.76511`
Detected Filetype	Icon file
MD5	`61e58469fe660c213ebc6e2cc66cbafc`
SHA1	`c47479da87d8390f935b337e91bdbedcc739b3eb`
SHA256	`c369bebe3271775e43301281caa7efcd03938e3bc1f620212d6c5617edaad403`
SHA3	`7c04647ad931cbf1b5c005cebc686d11b461a50e14ba9aa560e6cc1749adcb2f`

1 (#2)

Type	`RT_VERSION`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x284`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.29222`
MD5	`fe2c01439fdd8ef6769d6d28ca280aec`
SHA1	`b25332945b2a5bbb248760e76cc704d19872452f`
SHA256	`29be18edd70c5f9c3e9c7be2bd516d847d506000874dd908a3ac518b4c3ad97b`
SHA3	`f044b597d3027a098ace8a9f0304ac323374e83bbc26ecf5c09eef2fca638616`

1 (#3)

Type	`RT_MANIFEST`
Language	English - United States
Codepage	Latin 1 / Western European
Size	`0x15a`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`4.79597`
MD5	`24d3b502e1846356b0263f945ddd5529`
SHA1	`bac45b86a9c48fc3756a46809c101570d349737d`
SHA256	`49a60be4b95b6d30da355a0c124af82b35000bce8f24f957d1c09ead47544a1e`
SHA3	`1244ed60820da52dc4b53880ec48e3b587dbdbd9545f01fa2b1c0fcfea1d5e9e`

Version Info

Signature	`0xfeef04bd`
StructVersion	`0x10000`
FileVersion	2.4.0.0
ProductVersion	2.4.0.0
FileFlags	`(EMPTY)`
FileOs	`VOS_DOS_WINDOWS32` `VOS_NT_WINDOWS32` `VOS__WINDOWS32`
FileType	`VFT_APP`
Language	English - United States
CompanyName	Safengine
FileDescription	Safengine - Professional Software Protection Tool
FileVersion (#2)	2.4.0.0
LegalCopyright	2007 - 2014 Safengine
ProductName	Safengine
ProductVersion (#2)	2.4.0.0

Resource LangID	UNKNOWN

TLS Callbacks

Load Configuration

RICH Header

XOR Key	`0xe16d5bc9`
Unmarked objects	`0`
C objects (VS2008 SP1 build 30729)	`4`
Imports (VS2012 build 50727 / VS2005 build 50727)	`4`
Imports (VS2008 SP1 build 30729)	`3`
Total imports	`14`
138 (VS2008 SP1 build 30729)	`1`
Linker (VS2008 build 21022)	`1`
151	`1`
Resource objects (VS2008 SP1 build 30729)	`1`

b59b71515091f8cea154332b5b70defd

Summary

Plugin Output

Hashes

DOS Header

PE Header

Image Optional Header

.text

.sedata

.idata

.rsrc

.sedata (#2)

Imports

Delayed Imports

1

2

3

4

5

6

IDR_MAINFRAME

1 (#2)

1 (#3)

Version Info

TLS Callbacks

Load Configuration

RICH Header

Errors