Manalyze report for b9ad0cc2a2e0f513ce716cdf037da907

Summary

Architecture	`IMAGE_FILE_MACHINE_AMD64`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	2019-Apr-10 13:31:52
Detected languages	English - United States

Plugin Output

Malicious	The PE contains functions mostly used by malware.	`[!] The program may be hiding some of its imports: LoadLibraryA GetProcAddress LoadLibraryExW` `Functions related to the privilege level: AdjustTokenPrivileges OpenProcessToken` `Manipulates other processes: OpenProcess`
Info	The PE is digitally signed.	`Signer: ORDARA LTD` `Issuer: Symantec Class 3 Extended Validation Code Signing CA - G2`
Malicious	VirusTotal score: 42/69 (Scanned on 2019-08-20 04:19:39)	`MicroWorld-eScan: Trojan.GenericKD.32046559` `FireEye: Trojan.GenericKD.32046559` `CAT-QuickHeal: Trojan.Alreay` `McAfee: Generic Trojan.i` `Cylance: Unsafe` `Zillya: Trojan.Injector.Win64.152` `Alibaba: TrojanBanker:Win32/Injector.7582ac51` `K7GW: Trojan ( 005500881 )` `K7AntiVirus: Trojan ( 005500881 )` `Symantec: Trojan.Gen.MBT` `ESET-NOD32: Win64/Injector.BO` `Kaspersky: Trojan-Banker.Win32.Alreay.gen` `BitDefender: Trojan.GenericKD.32046559` `NANO-Antivirus: Trojan.Win64.Alreay.frfbdw` `Avast: Win64:Trojan-gen` `Sophos: Troj/Inject-EFP` `Comodo: Malware@#lbil9bkxlrt4` `F-Secure: Trojan.TR/Injector.zbrim` `DrWeb: Trojan.Siggen8.31628` `VIPRE: Trojan.Win32.Generic!BT` `TrendMicro: Trojan.Win64.BANKER.AUSWM` `McAfee-GW-Edition: Generic Trojan.i` `Emsisoft: Trojan.GenericKD.32046559 (B)` `Cyren: W64/Trojan.WVUU-6963` `Jiangmin: Trojan.Banker.Alreay.bv` `Avira: TR/Injector.zbrim` `Fortinet: W32/Alreay.BO!tr` `Antiy-AVL: Trojan[Banker]/Win32.Alreay` `Arcabit: Trojan.Generic.D1E8FDDF` `ViRobot: Trojan.Win64.S.Agent.137080` `ZoneAlarm: Trojan-Banker.Win32.Alreay.gen` `AhnLab-V3: Trojan/Win64.Redbanc.R275085` `ALYac: Spyware.Banker.Alreay` `MAX: malware (ai score=100)` `Ad-Aware: Trojan.GenericKD.32046559` `TrendMicro-HouseCall: Trojan.Win64.BANKER.AUSWM` `Ikarus: Trojan.Win64.Injector` `GData: Trojan.GenericKD.32046559` `AVG: Win64:Trojan-gen` `Cybereason: malicious.2a2e0f` `Panda: Trj/CI.A` `Qihoo-360: Win32/Trojan.9db`

Hashes

MD5	`b9ad0cc2a2e0f513ce716cdf037da907`
SHA1	`1a50a7ea5ca105df504c33af1c0329d36f03715b`
SHA256	`db0f102af2d350aa1a63772e6ee9b211d78aa962a34f75c8702e71ccd261243e`
SHA3	`45debe02d9a7e1ee8d36d5963d7ccb4bf07ca2130c844a467965eb06efa3d710`
SSDeep	`3072:+ks0j77Ql0cYxresWJzVd6xJQunXWgCWqhRrp1b:+g7QldgTio/hQ1p`
Imports Hash	`6c814b8e6422de9f5263f950c4041e9f`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0x118`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_AMD64`
NumberofSections	`8`
TimeDateStamp	2019-Apr-10 13:31:52
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xf0`
Characteristics	`IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LARGE_ADDRESS_AWARE`

Image Optional Header

Magic	`PE32+`
LinkerVersion	`14.0`
SizeOfCode	`0x12600`
SizeOfInitializedData	`0xde00`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x0000000000002434 (Section: .text)`
BaseOfCode	`0x1000`
ImageBase	`0x140000000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`6.0`
ImageVersion	`0.0`
SubsystemVersion	`6.0`
Win32VersionValue	`0`
SizeOfImage	`0x26000`
SizeOfHeaders	`0x400`
Checksum	`0x2ce9d`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` `IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA` `IMAGE_DLLCHARACTERISTICS_NX_COMPAT` `IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`4eeb3681f3bb080bf87cb811f6325333`
SHA1	`b1c8313bd213197a89304a56bf2c9f9d6209db0d`
SHA256	`3343a941d1270eff711a6c8767c0bd26e91e113fa6b3be21e2ef35a710944bd4`
SHA3	`a55a9c6fac3579a858c6dee2b46bd75fc6bb8dea36944490b1be9346480a22c7`
VirtualSize	`0x12410`
VirtualAddress	`0x1000`
SizeOfRawData	`0x12600`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.44001`

.rdata

MD5	`a467022857590bb0e11c45cc8dd4afe4`
SHA1	`d61ae81a1ae47240d894eac7b083e59816a269a3`
SHA256	`17f086686882a7f764b01d4f1ebb58b36a721cb7b80a420dead3c23950a3b02c`
SHA3	`581bdfbbc455dac99ea17f603acda40cde071fa35023660f66c3bfe98a90fee5`
VirtualSize	`0x9d08`
VirtualAddress	`0x14000`
SizeOfRawData	`0x9e00`
PointerToRawData	`0x12a00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`5.12694`

.data

MD5	`d521135f8a72be1254f0c5b150fca78d`
SHA1	`9748504a2fae971391e08c16cda843c4d9b5c26d`
SHA256	`f06f5e78a935440191964671953bc45f55243f0ffd22c0865935c4b82cd6213d`
SHA3	`a073fb964dd3f2b044b73e68221f9ee6ccd7c0d307b9400747c71f71bfb223f1`
VirtualSize	`0x1da8`
VirtualAddress	`0x1e000`
SizeOfRawData	`0xc00`
PointerToRawData	`0x1c800`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`1.81653`

.pdata

MD5	`54838e9830b67dae36f5976ab0007775`
SHA1	`6006c237311155eb548d523a0fc2769cf8f2d826`
SHA256	`f9c9a9dd8d28c11548f3fc1b1db72d6111da205328dd7e2e87ff51cb8f05ec88`
SHA3	`481a9ce165ffacd010c6451caf897f1c930b7d5c72337e886a394d5d86fb7a98`
VirtualSize	`0x1140`
VirtualAddress	`0x20000`
SizeOfRawData	`0x1200`
PointerToRawData	`0x1d400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`4.84627`

.tls

MD5	`1f354d76203061bfdd5a53dae48d5435`
SHA1	`aa0d33a0c854e073439067876e932688b65cb6a9`
SHA256	`4c6474903705cb450bb6434c29e8854f17d8324efca1fdb9ee9008599060883a`
SHA3	`991fbbd46bbd69198269fe6c247d440e0f8a7d38259b7a1e04b74790301d1d2b`
VirtualSize	`0x9`
VirtualAddress	`0x22000`
SizeOfRawData	`0x200`
PointerToRawData	`0x1e600`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`0.0203931`

.gfids

MD5	`9d00c02a581a07f3f8f603b38bd24334`
SHA1	`86ebf3d18e6c6c33dbb1f0425ce9e36efff8a5bc`
SHA256	`b5dd79fee7e0a36401f87fb25f6e278203e89817919cb3abf5fe6610ec516c51`
SHA3	`9a7a5ebed803e4f584be57a9d704bbbfb055278837ee06c59c27f546bdcd4898`
VirtualSize	`0xb0`
VirtualAddress	`0x23000`
SizeOfRawData	`0x200`
PointerToRawData	`0x1e800`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`1.42714`

.rsrc

MD5	`00045b363478b5aebefbf36e6e77491e`
SHA1	`087a90dcf034051edf65e4c3132516ac5e79797b`
SHA256	`3302d5e4a65bf861d56020cd020b1fb0bb8422886b8e5fec2b859816950daa88`
SHA3	`78b38545ccbf37d4d6784c77791271a61e055166deeea44cc605acfbdf2d9ae7`
VirtualSize	`0x230`
VirtualAddress	`0x24000`
SizeOfRawData	`0x400`
PointerToRawData	`0x1ea00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`3.10187`

.reloc

MD5	`88e601965a01a74fbdab53d4e0c59d01`
SHA1	`6cd8c937b9fef0fe40ccb98f8685c96c0ed0b2e5`
SHA256	`0f8ac9e1e7b5bd07f3dbf360bd479dcfafc0b6af0c75b47cfd08486f2f8e12b5`
SHA3	`2d1cdad58beccd78c17b4043e749d30e42eccd85385cf92098c2658a1a0c40d5`
VirtualSize	`0x61c`
VirtualAddress	`0x25000`
SizeOfRawData	`0x800`
PointerToRawData	`0x1ee00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`4.76618`

Imports

WTSAPI32.dll	`WTSFreeMemory` `WTSEnumerateProcessesA`
KERNEL32.dll	`OpenProcess` `GetModuleHandleA` `VirtualAllocEx` `WaitForSingleObject` `LocalFree` `GetCurrentProcess` `CloseHandle` `LoadLibraryA` `Sleep` `CreateFileA` `GetFileSize` `ReadFile` `WriteFile` `DeleteFileA` `GetProcAddress` `ReadConsoleW` `RaiseException` `GetCommandLineW` `SetEndOfFile` `HeapReAlloc` `EnterCriticalSection` `LeaveCriticalSection` `DeleteCriticalSection` `SetEvent` `ResetEvent` `WaitForSingleObjectEx` `CreateEventW` `GetModuleHandleW` `RtlCaptureContext` `RtlLookupFunctionEntry` `RtlVirtualUnwind` `UnhandledExceptionFilter` `SetUnhandledExceptionFilter` `TerminateProcess` `IsProcessorFeaturePresent` `IsDebuggerPresent` `GetStartupInfoW` `QueryPerformanceCounter` `GetCurrentProcessId` `GetCurrentThreadId` `GetSystemTimeAsFileTime` `InitializeSListHead` `GetLastError` `InitializeCriticalSectionAndSpinCount` `TlsAlloc` `TlsGetValue` `TlsSetValue` `TlsFree` `FreeLibrary` `LoadLibraryExW` `GetModuleFileNameW` `RtlUnwindEx` `SetLastError` `GetStdHandle` `MultiByteToWideChar` `WideCharToMultiByte` `ExitProcess` `GetModuleHandleExW` `GetACP` `HeapFree` `HeapAlloc` `GetFileType` `GetConsoleCP` `GetConsoleMode` `FindClose` `FindFirstFileExW` `FindNextFileW` `IsValidCodePage` `GetOEMCP` `GetCPInfo` `GetCommandLineA` `GetEnvironmentStringsW` `FreeEnvironmentStringsW` `LCMapStringW` `SetStdHandle` `GetStringTypeW` `GetProcessHeap` `CreateFileW` `SetFilePointerEx` `WriteConsoleW` `FlushFileBuffers` `HeapSize`
ADVAPI32.dll	`SystemFunction036` `AdjustTokenPrivileges` `LookupPrivilegeValueA` `OpenProcessToken`
SHELL32.dll	`CommandLineToArgvW`

Delayed Imports

109

Type	`RT_ACCELERATOR`
Language	English - United States
Codepage	UNKNOWN
Size	`0x10`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`1.79879`
MD5	`3d2b1af3424dbcd504f73918619c7d99`
SHA1	`10d6ed54ea742211a14a05414883f6c00c03080a`
SHA256	`c2f0c188d6c493d7827bf83fb89c704815796445a0178bb2ae79658d96703a3c`
SHA3	`b8c5f28d2c132e5bc304e4dc1b314a3f32a2e48675c06828a2a8a014ea05e7fb`

1

Type	`RT_MANIFEST`
Language	English - United States
Codepage	UNKNOWN
Size	`0x17d`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`4.91161`
MD5	`1e4a89b11eae0fcf8bb5fdd5ec3b6f61`
SHA1	`4260284ce14278c397aaf6f389c1609b0ab0ce51`
SHA256	`4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df`
SHA3	`4bb9e8b5a714cae82782f3831cc2d45f4bf4a50a755fe584d2d1893129d68353`

Version Info

IMAGE_DEBUG_TYPE_POGO

Characteristics	`0`
TimeDateStamp	2019-Apr-10 13:31:52
Version	`0.0`
SizeofData	`944`
AddressOfRawData	`0x1c064`
PointerToRawData	`0x1aa64`

IMAGE_DEBUG_TYPE_ILTCG

Characteristics	`0`
TimeDateStamp	2019-Apr-10 13:31:52
Version	`0.0`
SizeofData	`0`
AddressOfRawData	`0`
PointerToRawData	`0`

TLS Callbacks

StartAddressOfRawData	`0x140022000`
EndAddressOfRawData	`0x140022008`
AddressOfIndex	`0x14001f088`
AddressOfCallbacks	`0x140014358`
SizeOfZeroFill	`0`
Characteristics	`IMAGE_SCN_ALIGN_4BYTES`
Callbacks	`(EMPTY)`

Load Configuration

Size	`0x94`
TimeDateStamp	`1970-Jan-01 00:00:00`
Version	`0.0`
GlobalFlagsClear	`(EMPTY)`
GlobalFlagsSet	`(EMPTY)`
CriticalSectionDefaultTimeout	`0`
DeCommitFreeBlockThreshold	`0`
DeCommitTotalFreeThreshold	`0`
LockPrefixTable	`0`
MaximumAllocationSize	`0`
VirtualMemoryThreshold	`0`
ProcessAffinityMask	`0`
ProcessHeapFlags	`(EMPTY)`
CSDVersion	`0`
Reserved1	`0`
EditList	`0`
SecurityCookie	`0x14001e008`

RICH Header

XOR Key	`0x3314303e`
Unmarked objects	`0`
241 (40116)	`5`
243 (40116)	`129`
242 (40116)	`13`
199 (41118)	`1`
ASM objects (23907)	`7`
C++ objects (23907)	`31`
C objects (23907)	`18`
Imports (65501)	`9`
Total imports	`108`
265 (VS2015 UPD2 build 23918)	`4`
Resource objects (VS2015 UPD2 build 23918)	`1`
151	`1`
Linker (VS2015 UPD2 build 23918)	`1`

b9ad0cc2a2e0f513ce716cdf037da907

Summary

Plugin Output

Hashes

DOS Header

PE Header

Image Optional Header

.text

.rdata

.data

.pdata

.tls

.gfids

.rsrc

.reloc

Imports

Delayed Imports

109

1

Version Info

IMAGE_DEBUG_TYPE_POGO

IMAGE_DEBUG_TYPE_ILTCG

TLS Callbacks

Load Configuration

RICH Header

Errors