Manalyze report for bb0855993ed42c9b3948cdc293c66638

Summary

Architecture	`IMAGE_FILE_MACHINE_I386`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	2018-Jul-09 16:36:50
Detected languages	English - United States
Debug artifacts	##################RRRRRRRRRRRRRRRRRR.pdb
CompanyName	Ddfdgf dgdsger
FileDescription	dfew fw plugin image d
FileVersion	`10.00.9600.16428 (winblue_gdr.131013`
InternalName	sfwfw
LegalCopyright	© wfw fwfw. f wfw f
OriginalFilename	wfw.fwf
ProductName	fwfw f
ProductVersion	`10.00.9600.16`

Plugin Output

Suspicious	The PE is possibly packed.	`Unusual section name found: .crt1` `Unusual section name found: .qdata` `The PE only has 9 import(s).`
Info	The PE contains common functions which appear in legitimate applications.	`Can access the registry: RegRestoreKeyA`
Info	The PE is digitally signed.	`Signer: SARI SEFWI LIMITED` `Issuer: COMODO RSA Code Signing CA`
Malicious	VirusTotal score: 7/67 (Scanned on 2018-07-10 01:49:34)	`CAT-QuickHeal: Trojan.Drixed.100454` `Cylance: Unsafe` `Baidu: Win32.Trojan.WisdomEyes.16070401.9500.9999` `Endgame: malicious (high confidence)` `Microsoft: Trojan:Win32/Fuery.B!cl` `VBA32: BScope.Trojan.Hlux.01739` `Qihoo-360: HEUR/QVM20.1.6571.Malware.Gen`

Hashes

MD5	`bb0855993ed42c9b3948cdc293c66638`
SHA1	`21262d863fcc1f4981f989b3bc631b3b0cad005c`
SHA256	`53c27190e74dc27d34fb701d7199df8ed6b45fe010c5282122a75644632d1556`
SHA3	`8713a614518c7942877960f841bf2c03415c8555f10bfc0c0d379220a4344562`
SSDeep	`3072:2p68MVcca3So4NLySUB40UQqp+IAtgvE38Mg+PUY03MTaETK0/SryFoWiYc+/vc7:Pf+3SVySUBfI+ILvEMvaUYFTpbN+`
Imports Hash	`0a64cb474767e0d04dc85d3633c68e80`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0xa0`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_I386`
NumberofSections	`6`
TimeDateStamp	2018-Jul-09 16:36:50
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xe0`
Characteristics	`IMAGE_FILE_32BIT_MACHINE` `IMAGE_FILE_EXECUTABLE_IMAGE`

Image Optional Header

Magic	`PE32`
LinkerVersion	`12.1`
SizeOfCode	`0x8000`
SizeOfInitializedData	`0x6e000`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x000020CE (Section: .text)`
BaseOfCode	`0x1000`
BaseOfData	`0`
ImageBase	`0x1000000`
SectionAlignment	`0x1000`
FileAlignment	`0x1000`
OperatingSystemVersion	`5.0`
ImageVersion	`0.1`
SubsystemVersion	`4.0`
Win32VersionValue	`0`
SizeOfImage	`0x73000`
SizeOfHeaders	`0x1000`
Checksum	`0x76aac`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_NX_COMPAT` `IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE` `IMAGE_LIBRARY_PROCESS_INIT`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`fd1ed8ead4b63f6bb2e61465e30cf14b`
SHA1	`edfca972114306d90226718953e42eba7d30a43c`
SHA256	`b7fd0ac0d222707e1ffe0e71a960bc7ebaa7d80938ac1abb8dbc21c147d7bdb3`
SHA3	`4ff1130c6d8a7962e4d35b11f920937b145766012c3c2f6263816e3c63412e60`
VirtualSize	`0x3bfa`
VirtualAddress	`0x1000`
SizeOfRawData	`0x4000`
PointerToRawData	`0x1000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`5.94181`

.data

MD5	`6fbebc5f180971f27a16cae2f8b5a43e`
SHA1	`7c15cf7aefc83211c6bd510e393cd6a87e4ac2f0`
SHA256	`e1976fab3f908c7a2fb4e536e8fb11d6d423eb61f02bfe150086aff2ff1a7c50`
SHA3	`ed14d4a535f4ff87f6e4c5a027f9c3952836fbf094143bce1353f2632664d052`
VirtualSize	`0x20b88`
VirtualAddress	`0x5000`
SizeOfRawData	`0x1f000`
PointerToRawData	`0x5000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`7.25537`

.crt1

MD5	`f9d3825cdb33a5cc4e7fa52dfbf23526`
SHA1	`7784cc23437f5eaebd1f538390334128274660e0`
SHA256	`78edb383036c994b867796750a6071a609cb39cc2b1bb9b716024a2231915700`
SHA3	`26f4af90a0046554daf318ac84c934615f9dc1268cc5787b4ffe4d6ae4f62ca1`
VirtualSize	`0x3dd5`
VirtualAddress	`0x26000`
SizeOfRawData	`0x4000`
PointerToRawData	`0x24000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`6.92388`

.qdata

MD5	`e5f7169ab292c80cba053bd43f2a2aa4`
SHA1	`3f801af7c25fc64bfb17c52d297634175aad3381`
SHA256	`aabffd88bce34721318e57d9f995c1bbd89ebf1a052017420e077493076480f2`
SHA3	`9c5ff1d56869f51b593fdf539d2d73ebed7f00000b3cd171f4ff811ef1f9a2c8`
VirtualSize	`0x4c2`
VirtualAddress	`0x2a000`
SizeOfRawData	`0x1000`
PointerToRawData	`0x28000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`1.63446`

.rsrc

MD5	`ceb6f65a2189f65f4147087c146c5357`
SHA1	`f07eda6c24a83209a91bf3fbc2c9bdb63420b910`
SHA256	`1433a58d66da344fa6d0a6a85ac35d9490dadffd34729524ab956ce94765f403`
SHA3	`ecb5799b034c7a7fea6402e08d2bc4f86ba43af7b98beaf001b320076703b97d`
VirtualSize	`0x46db0`
VirtualAddress	`0x2b000`
SizeOfRawData	`0x47000`
PointerToRawData	`0x29000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`3.87752`

.reloc

MD5	`13a910e804ec32d96def38509160127c`
SHA1	`a8efa4445e587d9caef85f81d29d61c03a96de8c`
SHA256	`bff1c64ac03c756f5eb370ff145097e28df84580c40f3b4f16501100c067f73d`
SHA3	`176e1ac03126f05bb4038c45a74b71cf3ff9ea8e0acc506da1e786b1c4378bd1`
VirtualSize	`0x61c`
VirtualAddress	`0x72000`
SizeOfRawData	`0x1000`
PointerToRawData	`0x70000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`3.16506`

Imports

msvcrt.dll	`memcpy`
KERNEL32.dll	`GetNativeSystemInfo` `GetUserDefaultLCID` `IsSystemResumeAutomatic` `CreateTimerQueue` `GetVersion`
USERENV.dll	`ProcessGroupPolicyCompleted`
MPRAPI.dll	`MprConfigInterfaceCreate`
ADVAPI32.dll	`RegRestoreKeyA`

Delayed Imports

1

Type	`RT_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x42028`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.79956`
MD5	`05362ee15d7d4b0a06549faacba425f0`
SHA1	`e5100dd773cbe46f2a5a9decf080f8bafdc5743f`
SHA256	`d25f73bc7f3208be279965dad033c4d73aeb7d04cb4972da380498332a2cfce5`
SHA3	`12868ffea8b89da79671ef430880c8760f485128cebb6e25604bcc10740920d7`

2

Type	`RT_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x25a8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`4.19235`
MD5	`cc1f1e4f602fab470974818f6eaa3707`
SHA1	`df9a8e5e9e0cf2e919a93fa71ca6ab604fa8fcc2`
SHA256	`981c53ea6e403739039214cffc1ebec547fda2b41320949accb9aff48a701739`
SHA3	`952d70573f55a2c4e4c9282547272dd155405691f93816f30977da2b2cb40eb7`

3

Type	`RT_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x10a8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`4.10756`
MD5	`5d8621e8648619b5aabbc232cfae9040`
SHA1	`26829278bde592181733640edbd28ad5e06d93ea`
SHA256	`3cb4686d8b0c7c21d66133dc0ce1c530eb804b3ff1e854711b3bcc86ef3e3df5`
SHA3	`183c1cc1a6030ca00b7baa93d6c4178b978c8549e190c664424fc93f95d0ef58`

4

Type	`RT_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x988`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`4.53899`
MD5	`1a18859809f98262179033502db8221b`
SHA1	`f9275e1cd9a71a91c317ecf5cecd9bf04e13c762`
SHA256	`63af73817c98f33f67680ec0b3edb45bd199385a2e565e47926898c5d3a36364`
SHA3	`89fbc8ef1cb7df7f5fb44e2994716e10512138aeb1bc93d4833ae0eecdd6166b`

5

Type	`RT_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x468`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`4.56713`
MD5	`c966e07a57af9891b8eee137d1fbff14`
SHA1	`cdc02a0b7a900c75fb4dd1a2d0808dee1f1d629e`
SHA256	`564929852be44a774084170d8afa4c8c1e2360044f362f607d1de456c9e76983`
SHA3	`55cc2fe8edd4f8c81f437a61562c5043f54e7b785fc0204cef9c84f64eed1fc5`

1 (#2)

Type	`RT_GROUP_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x4c`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.64216`
Detected Filetype	Icon file
MD5	`dfbd71100ff6a295522cf5d0e5b23e7f`
SHA1	`60b5c1c18ecd775275b174e67d57f68361750b91`
SHA256	`5a20c79c0dbc9b4d82452d98bafc8fb2c607e9945b9b4f45175d2e2e37ecd5c2`
SHA3	`79758ffd46eafa5447b6af70288c138130d3071b21269df28713916a8d9af7f5`

1 (#3)

Type	`RT_VERSION`
Language	English - United States
Codepage	UNKNOWN
Size	`0x300`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.44368`
MD5	`188971665052e2f68b0a31658e6c05ef`
SHA1	`afc8f678d60ff2139af2b24804422356cdda3144`
SHA256	`937c967c6ad71e1c8d53db4956783d61099764b1a046985d562c4ce95d8d993d`
SHA3	`f6cd6c010db680bf303c78c6fdaeb9120d3108cda5842adab9c426cca7304ebe`

1 (#4)

Type	`RT_MANIFEST`
Language	English - United States
Codepage	UNKNOWN
Size	`0x402`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`4.82956`
MD5	`ae42096cb5f89722c5f104ba8158651d`
SHA1	`94af58c2871c929ab61c69b165ab6220a8d13d80`
SHA256	`bb0673ddfcbe62f210ce82831e59e1c17354d675741a8540cba15b6d870ae796`
SHA3	`763b69b319f517fa466c79cd716c017ca32904e2c0dad58757572bdce47e5aa0`

Version Info

Signature	`0xfeef04bd`
StructVersion	`0x10000`
FileVersion	6.1.7600.16385
ProductVersion	6.1.7600.16385
FileFlags	`(EMPTY)`
FileOs	`VOS_DOS_WINDOWS32` `VOS_NT` `VOS_NT_WINDOWS32` `VOS_WINCE` `VOS__WINDOWS32`
FileType	`VFT_APP`
Language	English - United States
CompanyName	Ddfdgf dgdsger
FileDescription	dfew fw plugin image d
FileVersion (#2)	10.00.9600.16428 (winblue_gdr.131013
InternalName	sfwfw
LegalCopyright	© wfw fwfw. f wfw f
OriginalFilename	wfw.fwf
ProductName	fwfw f
ProductVersion (#2)	10.00.9600.16

Resource LangID	English - United States

IMAGE_DEBUG_TYPE_CODEVIEW

Characteristics	`0`
TimeDateStamp	2018-Jul-09 16:36:50
Version	`0.0`
SizeofData	`3979604539`
AddressOfRawData	`0x2a284`
PointerToRawData	`0x28284`
Referenced File	##################RRRRRRRRRRRRRRRRRR.pdb

IMAGE_DEBUG_TYPE_VC_FEATURE

Characteristics	`0`
TimeDateStamp	2018-Jul-09 16:36:50
Version	`0.0`
SizeofData	`20`
AddressOfRawData	`0x2a300`
PointerToRawData	`0x28300`

TLS Callbacks

Load Configuration

RICH Header

Errors

[!] Error: directory 0 has a RVA of 0 but a non-null size.