Manalyze report for b8946d3329e56a3f3e52547aac913e8e

Summary

Architecture	`IMAGE_FILE_MACHINE_I386`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_CUI`
Compilation Date	2016-Jun-28 14:30:02
Detected languages	English - United States
Debug artifacts	ghvb.pdb
CompanyName	Pahom Corporation
FileDescription	Send Mail
FileVersion	`6.1.7600.16385 (win7_rtm.090713-1255)`
InternalName	sendmail
LegalCopyright	© Microsoft Corporation. All rights reserved.
OriginalFilename	SENDMAIL.DLL
ProductName	Microsoft® Windows® Operating System
ProductVersion	`6.1.7600.16385`

Plugin Output

Suspicious	The PE is packed or was manually edited.	`The number of imports reported in the RICH header is inconsistent.`
Suspicious	The PE contains functions most legitimate programs don't use.	`Uses Windows's Native API: NtCreateSemaphore NtTerminateThread NtWaitForSingleObject NtReadVirtualMemory NtOpenProcess NtQueryVirtualMemory ZwAllocateVirtualMemory NtSetInformationProcess NtDeviceIoControlFile` `Manipulates other processes: NtOpenProcess`
Malicious	VirusTotal score: 51/70 (Scanned on 2019-02-08 21:02:32)	`Bkav: HW32.Packed.` `MicroWorld-eScan: Trojan.GenericKD.3359743` `CAT-QuickHeal: Trojan.Gamarue.100106` `ALYac: Trojan.GenericKD.3359743` `Cylance: Unsafe` `K7GW: Trojan ( 004f31ae1 )` `K7AntiVirus: Trojan ( 004f31ae1 )` `Invincea: heuristic` `Symantec: Trojan.Gen` `TrendMicro-HouseCall: BKDR_DRIXED.LG` `Paloalto: generic.ml` `Kaspersky: Trojan.Win32.Pincav.bqnhx` `BitDefender: Trojan.GenericKD.3359743` `NANO-Antivirus: Trojan.Win32.Inject.eedcde` `ViRobot: Trojan.Win32.S.Dridex.129536` `Avast: Win32:Evo-gen [Susp]` `Tencent: Win32.Trojan.Pincav.Pgwi` `Ad-Aware: Trojan.GenericKD.3359743` `Emsisoft: Trojan.GenericKD.3359743 (B)` `Comodo: Malware@#2x4qcnd5g277v` `F-Secure: Heuristic.HEUR/AGEN.1017420` `DrWeb: Trojan.Dridex.433` `Zillya: Trojan.Pincav.Win32.26545` `TrendMicro: BKDR_DRIXED.LG` `McAfee-GW-Edition: BehavesLike.Win32.Generic.cc` `Trapmine: malicious.high.ml.score` `SentinelOne: static engine - malicious` `Webroot: W32.Trojan.Gen` `Avira: HEUR/AGEN.1017420` `Fortinet: W32/Kryptik.GGRY!tr` `Antiy-AVL: Trojan/Win32.BTSGeneric` `Endgame: malicious (high confidence)` `Arcabit: Trojan.Generic.D3343FF` `ZoneAlarm: Trojan.Win32.Pincav.bqnhx` `Microsoft: Backdoor:Win32/Drixed` `Sophos: Mal/EncPk-ANR` `AhnLab-V3: Backdoor/Win32.Drixed.C1553523` `Acronis: suspicious` `McAfee: Artemis!B8946D3329E5` `MAX: malware (ai score=100)` `VBA32: Trojan.Pincav` `ESET-NOD32: Win32/Dridex.AR` `Rising: Trojan.Kryptik!8.8 (CLOUD)` `Yandex: Trojan.Pincav!ZWMgcysQnYg` `Ikarus: Trojan.Win32.Dridex` `GData: Trojan.GenericKD.3359743` `AVG: FileRepMalware` `Cybereason: malicious.329e56` `Panda: Trj/CI.A` `CrowdStrike: malicious_confidence_100% (D)` `Qihoo-360: HEUR/QVM20.1.204E.Malware.Gen`

Hashes

MD5	`b8946d3329e56a3f3e52547aac913e8e`
SHA1	`8dda6643074fc4c08e621b06a4b9ba2b02307462`
SHA256	`10cf55031c31f8a615b93cec9d3675b6af2fb7d9aa4ef5163723b55e43b9a9f4`
SHA3	`084d7f5cbcd12e4983e82c954d8895822b23319bab54bd7436ce2084393a908b`
SSDeep	`1536:Z32O+JJPXrosvIHAQWNRiKkt7LubuEDOMRefwp2g2B+IbZJ2PJdvOB7wXBzD:x2OQzBr/kt7wuw3U4cPB+IbZJ2hdnt`
Imports Hash	`7f925477bc7a0e890a59d51fa3a0bf3a`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0xc0`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_I386`
NumberofSections	`3`
TimeDateStamp	2016-Jun-28 14:30:02
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xe0`
Characteristics	`IMAGE_FILE_32BIT_MACHINE` `IMAGE_FILE_DEBUG_STRIPPED` `IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LINE_NUMS_STRIPPED` `IMAGE_FILE_RELOCS_STRIPPED`

Image Optional Header

Magic	`PE32`
LinkerVersion	`8.0`
SizeOfCode	`0xb400`
SizeOfInitializedData	`0x14600`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x00003010 (Section: .text)`
BaseOfCode	`0x1000`
BaseOfData	`0xd000`
ImageBase	`0x400000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`4.0`
ImageVersion	`0.0`
SubsystemVersion	`4.0`
Win32VersionValue	`0`
SizeOfImage	`0x22000`
SizeOfHeaders	`0x400`
Checksum	`0x2206bc27`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_CUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_NO_SEH`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`f0e1f6f0895ef7c5a14f1ef86fc613d8`
SHA1	`b0e6b916b6dc7a2adb698429efc78d5cecda760c`
SHA256	`411231318e9d52f4ccc533da5bf87ea81fe6d8ce59af7a7799a7f9b838aa8d2f`
SHA3	`7637865f3672b0158c5788e5cea3cb44e9e00508adec14ca9d8b623f0e055a39`
VirtualSize	`0xb3ae`
VirtualAddress	`0x1000`
SizeOfRawData	`0xb400`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`7.47644`

.data

MD5	`091243caa98b8b1fbffa38cb3e95f380`
SHA1	`bc238cc7e1b4680223cc9169dfcacaaa48afed1d`
SHA256	`b2830debcf2a542fa89014c45f2f62b19749f46f2365e4144fa6458a3cd916b0`
SHA3	`6ff8d177d06b3725f6301ec9d9e2c5ade6d493d97729257863b8865c7440883d`
VirtualSize	`0xe698`
VirtualAddress	`0xd000`
SizeOfRawData	`0xe400`
PointerToRawData	`0xb800`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`7.52173`

.rsrc

MD5	`3b86803713d245446da6b578135533c5`
SHA1	`0124d8fb62175cf52cbcdc950ea70ee19501ac2c`
SHA256	`2f4dbc1a340ad31d4922349550dde6592bc002eb4f4838712ec868400e2f522f`
SHA3	`20ba4316f3b7eb292cc57673da3b7b49c941912daded64caf26e4760c312b17f`
VirtualSize	`0x5d14`
VirtualAddress	`0x1c000`
SizeOfRawData	`0x5e00`
PointerToRawData	`0x19c00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`5.12174`

Imports

KERNEL32.dll	`GetModuleFileNameW` `CompareStringA` `LocalAlloc` `LocalFree` `GetStartupInfoA` `GetConsoleWindow`
USER32.dll	`ShowWindow`
SHLWAPI.dll	`PathRelativePathToA` `UrlIsA`
msvcrt.dll	`memset`
SETUPAPI.dll	`SetupQueueDeleteSectionA` `SetupDiGetClassDescriptionW` `InstallHinfSectionA` `SetupDiDestroyClassImageList` `SetupQueueCopyA` `SetupDiCreateDeviceInfoW` `SetupDiGetClassDevsA` `SetupInstallFileExW` `SetupDiSetDeviceInstallParamsW` `SetupDiRegisterCoDeviceInstallers` `SetupDiOpenDeviceInfoW` `SetupPromptForDiskA` `SetupDiClassNameFromGuidA` `SetupGetIntField` `SetupDiCreateDeviceInfoListExA` `SetupInstallFilesFromInfSectionA`
RPCRT4.dll	`RpcCancelThreadEx` `NdrXmitOrRepAsUnmarshall` `NdrEncapsulatedUnionMarshall` `I_RpcServerRegisterForwardFunction` `NdrMapCommAndFaultStatus` `NdrNonConformantStringUnmarshall` `RpcMgmtEpUnregister` `IUnknown_Release_Proxy` `NdrServerUnmarshall` `RpcBindingSetAuthInfoW` `NdrPointerMarshall` `RpcSmDisableAllocate` `NdrFreeBuffer` `RpcBindingInqAuthInfoW` `NdrConformantVaryingArrayFree` `RpcServerUseProtseqExA` `I_RpcPauseExecution` `RpcBindingSetObject` `RpcMgmtSetCancelTimeout` `NdrEncapsulatedUnionMemorySize` `RpcBindingInqAuthClientA` `RpcServerUseProtseqEpA` `RpcRevertToSelfEx` `RpcAsyncCancelCall` `RpcSsFree` `RpcServerUseAllProtseqsIf` `NdrRpcSmSetClientToOsf`
ntdll.dll	`NtCreateSemaphore` `RtlCompareUnicodeString` `RtlOemStringToUnicodeString` `RtlDowncaseUnicodeString` `NtTerminateThread` `NtWaitForSingleObject` `NtReadVirtualMemory` `RtlNtStatusToDosError` `NtOpenProcess` `NtQueryVirtualMemory` `ZwAllocateVirtualMemory` `RtlCompareMemory` `NtSetInformationProcess` `RtlFreeUnicodeString` `NtDeviceIoControlFile`

Delayed Imports

1

Type	`RT_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0xea8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`6.00674`
MD5	`90760ae21928a75e8101e434c363801e`
SHA1	`b897a165d544285a6dd54c08cfce95b6080cead4`
SHA256	`26b4aa92ce5287f926cad3420d2e35622847e619f41b41e8cbaceb36deb5a8f9`
SHA3	`69cdec800b798444e2e3ea85ccf8e45daf14d0b175fd487857fffce230d22293`

2

Type	`RT_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x8a8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`6.23274`
MD5	`a9899114136b0eae1133a8fead5b6bbe`
SHA1	`3d1979542d8acc0de1b6e857e9fb629ca5fa3670`
SHA256	`c976b916824cd101a3761670431f8d420dc11ff6f26359ae5ec3e661163c8a93`
SHA3	`72326ac7a1a9dee881f57b8d184b51a9d464ea32b406cb123b811c5543eacbc5`

3

Type	`RT_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x568`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`4.93837`
MD5	`08e08594f615f11e267fd02300d4efe3`
SHA1	`b75bf3d62b96875f9894f58a7f0c206256e6fcf1`
SHA256	`0c8a35087b844433f46eaa730471aa512ad579c805929f38fa1066b78bd07b70`
SHA3	`52f9a9f9eeb07a001c44135a604e274f5294d63d0f5a904915dc14a7d026dce6`

4

Type	`RT_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x25a8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`4.18954`
MD5	`fdea5e327c6e904ad3a4caf570512c9a`
SHA1	`f22d92609c3355866cd40da0248bf9da4c7ff16f`
SHA256	`1f320c7ae8ecac7c70d6f612d4337cda254e625ad50cde0f78a83fbdfccfbe31`
SHA3	`6a66b9e60dddd81f95d612c76e119afeff753e5e4d4e0310cc854e2f93adbd8d`

5

Type	`RT_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x10a8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`4.53057`
MD5	`2ccbeea79d82d47d7af3d62ff7a7d60e`
SHA1	`6573c15fc3b4a58373c05c3acc43b149a9c7f361`
SHA256	`dba1a727aa285bf042ef09ede6b76545a11a49e1df5731f31565d0062c17ac95`
SHA3	`a568651f7a22183772486962d4ac4789c0f097a27e2a5934d8ebcfe7407040cb`

6

Type	`RT_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x468`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`4.87542`
MD5	`b699bf416a2feb6320e6d1a1fd869d58`
SHA1	`fcd596874bd49edd99e4843b0e0979562be2a5d1`
SHA256	`aa91e45257aba1561e703cb36b4d6074b179ae0da7d4e6e36ca7b3fcee2e72c3`
SHA3	`78b132da4383aa6cfaed628b71eb8828191556437123b9a48e2e8f3704b22d2b`

2001

Type	`RT_GROUP_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x5a`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.69913`
Detected Filetype	Icon file
MD5	`fc8846589a152507308beb48ead7a796`
SHA1	`787c24f9fbf50523b34bcb328ed56d33c4e7ffd7`
SHA256	`4a2d022975e1b62b89e1e757b73f563b68b21b71edf8cac8dbbf062b2cb2d2fe`
SHA3	`8ddbf8de92320682fb04bf04b166aab2b443a9fd6055b504b0c29ee44468a9c9`

1 (#2)

Type	`RT_VERSION`
Language	English - United States
Codepage	UNKNOWN
Size	`0x370`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.54145`
MD5	`45b3c14a37c742a289c010720ed187a1`
SHA1	`4ed90ce4f9dddd99aed0f62e473b2ad489cbd854`
SHA256	`f8f5688a0f04da7a1ab9858f865d19382ebc24245e169db6554d5392bf259522`
SHA3	`3b741cfef351d815f91b9c94c3ce73ab8e3e756c2c44754e33f548d5c9ef9cb6`

Version Info

Signature	`0xfeef04bd`
StructVersion	`0x10000`
FileVersion	6.1.7600.16385
ProductVersion	6.1.7600.16385
FileFlags	`(EMPTY)`
FileOs	`VOS_DOS_WINDOWS32` `VOS_NT` `VOS_NT_WINDOWS32` `VOS_WINCE` `VOS__WINDOWS32`
FileType	`VFT_DLL`
Language	English - United States
CompanyName	Pahom Corporation
FileDescription	Send Mail
FileVersion (#2)	6.1.7600.16385 (win7_rtm.090713-1255)
InternalName	sendmail
LegalCopyright	© Microsoft Corporation. All rights reserved.
OriginalFilename	SENDMAIL.DLL
ProductName	Microsoft® Windows® Operating System
ProductVersion (#2)	6.1.7600.16385

Resource LangID	English - United States

IMAGE_DEBUG_TYPE_CODEVIEW

Characteristics	`0`
TimeDateStamp	2016-Jun-28 14:31:09
Version	`0.0`
SizeofData	`33`
AddressOfRawData	`0x11dc`
PointerToRawData	`0x5dc`
Referenced File	ghvb.pdb

TLS Callbacks

Load Configuration

RICH Header

XOR Key	`0x4a0cf939`
Unmarked objects	`0`
Total imports	`23`
Imports (30806)	`3`
C objects (30826)	`15`
94 (2179)	`1`
Linker (30806)	`1`

b8946d3329e56a3f3e52547aac913e8e

Summary

Plugin Output

Hashes

DOS Header

PE Header

Image Optional Header

.text

.data

.rsrc

Imports

Delayed Imports

1

2

3

4

5

6

2001

1 (#2)

Version Info

IMAGE_DEBUG_TYPE_CODEVIEW

TLS Callbacks

Load Configuration

RICH Header

Errors