Manalyze report for bfb3730a8e10eff61b9453638775c05c94e90fb6c5bacafc120065de854d4244

Summary

Architecture	`IMAGE_FILE_MACHINE_I386`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	2008-Aug-16 20:26:20
Detected languages	English - United States

Plugin Output

Info	Interesting strings found in the binary:	`Contains domain names: http://nsis.sf.net http://nsis.sf.net/NSIS_Error nsis.sf.net`
Suspicious	The PE is an NSIS installer	`Unusual section name found: .ndata`
Info	The PE contains common functions which appear in legitimate applications.	`[!] The program may be hiding some of its imports: LoadLibraryA LoadLibraryExA GetProcAddress` `Can access the registry: RegQueryValueExA RegSetValueExA RegEnumKeyA RegEnumValueA RegOpenKeyExA RegDeleteKeyA RegDeleteValueA RegCloseKey RegCreateKeyExA` `Possibly launches other programs: CreateProcessA ShellExecuteA` `Can create temporary files: CreateFileA GetTempPathA` `Can shut the system down or lock the screen: ExitWindowsEx`
Suspicious	The file contains overlay data.	`537123 bytes of data starting at offset 0xc400.` `The overlay data has an entropy of 7.99812 and is possibly compressed or encrypted.` `Overlay data amounts for 91.4565% of the executable.`
Malicious	VirusTotal score: 28/71 (Scanned on 2026-05-29 15:48:14)	`AVG: FileRepMalware [Misc]` `Antiy-AVL: Trojan/Win32.Agent` `Avast: FileRepMalware [Misc]` `CTX: exe.trojan.generic` `CrowdStrike: win/malicious_confidence_60% (W)` `Cylance: Unsafe` `DeepInstinct: MALICIOUS` `Fortinet: W32/Malware_fam.NB` `Google: Detected` `Kingsoft: malware.kb.a.988` `Lionic: Trojan.Win32.Generic.4!c` `Malwarebytes: Generic.Malware/Suspicious` `MaxSecure: Trojan.Malware.681456343.susgen` `McAfeeD: ti!BFB3730A8E10` `Microsoft: Trojan:Win32/Wacatac.B!ml` `NANO-Antivirus: Trojan.Win32.Bumat.kyueb` `Paloalto: generic.ml` `Rising: Trojan.Win32.Generic.152A3A9D (C64:YzY0OvO5eSlTEwCp)` `Sangfor: Trojan.Win32.Agent.Vuo1` `Skyhigh: BehavesLike.Win32.Dropper.hc` `Symantec: Packed.Generic.114` `TrellixENS: Artemis!B10E630B28C1` `TrendMicro: TROJ_GEN.R002C0OD226` `TrendMicro-HouseCall: TROJ_GEN.R002C0OD226` `Varist: W32/Trojan.IMJF-8450` `VirIT: Trojan.Win32.Generic.BFTA` `Xcitium: Packed.Win32.Packer.~GEN@1oh172` `Zoner: Probably Heur.ExeHeaderL`

Hashes

MD5	`b10e630b28c1165ac37b69c70f842450`
SHA1	`7dc9084804c0e2571535885e1f9e9348219a2445`
SHA256	`bfb3730a8e10eff61b9453638775c05c94e90fb6c5bacafc120065de854d4244`
SHA3	`5756076b069c55239725cfa478329a2929ed5e5fa9e9b87c62eade3b920784e3`
SSDeep	`12288:X9uh1VNbaWxBIwX5yvNcb9SLWnItvfB2HlGe/5qa7qVk:X9uhFbaWxBvyI9KzB4XRqamVk`
Imports Hash	`7fa974366048f9c551ef45714595665e`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0xd0`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_I386`
NumberofSections	`5`
TimeDateStamp	2008-Aug-16 20:26:20
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xe0`
Characteristics	`IMAGE_FILE_32BIT_MACHINE` `IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LINE_NUMS_STRIPPED` `IMAGE_FILE_LOCAL_SYMS_STRIPPED` `IMAGE_FILE_RELOCS_STRIPPED`

Image Optional Header

Magic	`PE32`
LinkerVersion	`6.0`
SizeOfCode	`0x5c00`
SizeOfInitializedData	`0x28400`
SizeOfUninitializedData	`0x400`
AddressOfEntryPoint	`0x000030E3 (Section: .text)`
BaseOfCode	`0x1000`
BaseOfData	`0x7000`
ImageBase	`0x400000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`4.0`
ImageVersion	`0.0`
SubsystemVersion	`4.0`
Win32VersionValue	`0`
SizeOfImage	`0x3c000`
SizeOfHeaders	`0x400`
Checksum	`0`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`6bfa289fc453f683cf6ad42723acbb61`
SHA1	`49def3a9797292d7b65c2880035ab49b845b288b`
SHA256	`37fa86c42a797d209b1fed280d07d24b697069557bc5f6c6925f6e5462e07459`
SHA3	`88fd59be3159f6cd25de2e18e6f17a8114d426e3c9e0d37ef08dd5d775e68f03`
VirtualSize	`0x5b68`
VirtualAddress	`0x1000`
SizeOfRawData	`0x5c00`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.48747`

.rdata

MD5	`165e3e874dc59c8a96748c6f4d0f4207`
SHA1	`7ce62859d5000412e0a43d57e8fff28589eb1d92`
SHA256	`8d09ea6556ae9bc179da5270ce38390a8efe19dfd37ea44e8cc5a2daf29bc527`
SHA3	`3b12b48eb0ee8bdcf2b63d11cc11e1a6764f09150d0aff72e49e68bd660cc609`
VirtualSize	`0x129c`
VirtualAddress	`0x7000`
SizeOfRawData	`0x1400`
PointerToRawData	`0x6000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`5.04904`

.data

MD5	`78a50275610b8d77577a9aaa1957d1b6`
SHA1	`939aba8dceb30086c9bf84238d952121d389627a`
SHA256	`2028f56e17dbeea682e04474545b55e38118c5395d588fdfc82dd64e09342d2c`
SHA3	`1d577bc47d1b3130b0bf7a712fc249522152efaa0601c81d01b619764b96db17`
VirtualSize	`0x25c58`
VirtualAddress	`0x9000`
SizeOfRawData	`0x400`
PointerToRawData	`0x7400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`4.76996`

.ndata

MD5	`d41d8cd98f00b204e9800998ecf8427e`
SHA1	`da39a3ee5e6b4b0d3255bfef95601890afd80709`
SHA256	`e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`
SHA3	`a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a`
VirtualSize	`0x8000`
VirtualAddress	`0x2f000`
SizeOfRawData	`0`
PointerToRawData	`0`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_UNINITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`

.rsrc

MD5	`e4491c7ddeeaf7533e029439f27aa3fe`
SHA1	`737d7c231c533d768988d7efd57328233bdeae2f`
SHA256	`3f87cb719bde02b40549c7da7acde89cee5eefda872e229073fa731541bd8c7f`
SHA3	`736eab96308681b3a4678eb5d40e770673cdd6fa075befeadf74fea6a36078b0`
VirtualSize	`0x4a50`
VirtualAddress	`0x37000`
SizeOfRawData	`0x4c00`
PointerToRawData	`0x7800`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`3.50798`

Imports

KERNEL32.dll	`CompareFileTime` `SearchPathA` `GetShortPathNameA` `GetFullPathNameA` `MoveFileA` `SetCurrentDirectoryA` `GetFileAttributesA` `GetLastError` `CreateDirectoryA` `SetFileAttributesA` `Sleep` `GetTickCount` `GetFileSize` `GetModuleFileNameA` `GetCurrentProcess` `CopyFileA` `ExitProcess` `GetWindowsDirectoryA` `SetFileTime` `GetCommandLineA` `SetErrorMode` `LoadLibraryA` `lstrcpynA` `GetDiskFreeSpaceA` `GlobalUnlock` `GlobalLock` `CreateThread` `CreateProcessA` `RemoveDirectoryA` `CreateFileA` `GetTempFileNameA` `lstrlenA` `lstrcatA` `GetSystemDirectoryA` `GetVersion` `CloseHandle` `lstrcmpiA` `lstrcmpA` `ExpandEnvironmentStringsA` `GlobalFree` `GlobalAlloc` `WaitForSingleObject` `GetExitCodeProcess` `GetModuleHandleA` `LoadLibraryExA` `GetProcAddress` `FreeLibrary` `MultiByteToWideChar` `WritePrivateProfileStringA` `GetPrivateProfileStringA` `WriteFile` `ReadFile` `MulDiv` `SetFilePointer` `FindClose` `FindNextFileA` `FindFirstFileA` `DeleteFileA` `GetTempPathA`
USER32.dll	`EndDialog` `ScreenToClient` `GetWindowRect` `EnableMenuItem` `GetSystemMenu` `SetClassLongA` `IsWindowEnabled` `SetWindowPos` `GetSysColor` `GetWindowLongA` `SetCursor` `LoadCursorA` `CheckDlgButton` `GetMessagePos` `LoadBitmapA` `CallWindowProcA` `IsWindowVisible` `CloseClipboard` `SetClipboardData` `EmptyClipboard` `RegisterClassA` `TrackPopupMenu` `AppendMenuA` `CreatePopupMenu` `GetSystemMetrics` `SetDlgItemTextA` `GetDlgItemTextA` `MessageBoxIndirectA` `CharPrevA` `DispatchMessageA` `PeekMessageA` `DestroyWindow` `CreateDialogParamA` `SetTimer` `SetWindowTextA` `PostQuitMessage` `SetForegroundWindow` `wsprintfA` `SendMessageTimeoutA` `FindWindowExA` `SystemParametersInfoA` `CreateWindowExA` `GetClassInfoA` `DialogBoxParamA` `CharNextA` `OpenClipboard` `ExitWindowsEx` `IsWindow` `GetDlgItem` `SetWindowLongA` `LoadImageA` `GetDC` `EnableWindow` `InvalidateRect` `SendMessageA` `DefWindowProcA` `BeginPaint` `GetClientRect` `FillRect` `DrawTextA` `EndPaint` `ShowWindow`
GDI32.dll	`SetBkColor` `GetDeviceCaps` `DeleteObject` `CreateBrushIndirect` `CreateFontIndirectA` `SetBkMode` `SetTextColor` `SelectObject`
SHELL32.dll	`SHGetPathFromIDListA` `SHBrowseForFolderA` `SHGetFileInfoA` `ShellExecuteA` `SHFileOperationA` `SHGetSpecialFolderLocation`
ADVAPI32.dll	`RegQueryValueExA` `RegSetValueExA` `RegEnumKeyA` `RegEnumValueA` `RegOpenKeyExA` `RegDeleteKeyA` `RegDeleteValueA` `RegCloseKey` `RegCreateKeyExA`
COMCTL32.dll	`ImageList_AddMasked` `ImageList_Destroy` `#17` `ImageList_Create`
ole32.dll	`CoTaskMemFree` `OleInitialize` `OleUninitialize` `CoCreateInstance`
VERSION.dll	`GetFileVersionInfoSizeA` `GetFileVersionInfoA` `VerQueryValueA`

Delayed Imports

1

Type	`RT_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x25a8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.44611`
MD5	`56204e4822e3a68c776dd6431e558ddd`
SHA1	`aa5f45c5a25cb8a8f8890b342a6b4c3099051c84`
SHA256	`7b234b3f1756ed2d6c27b10de439b900c11f2397a91cff91c194b7928179dae0`
SHA3	`e7ec6debbd5e919b51a06cd6a0abad573c7b1433341f0cd10046d607a48e314b`

2

Type	`RT_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x10a8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.47379`
MD5	`cf145afc4b67d72829746658de713724`
SHA1	`315f5330a2210f94babe9dbb19cc567a2186417d`
SHA256	`a088b6794896a9de8a6196165a367af816082ae7493458335191fd59ba4876b7`
SHA3	`4af917380623538402084c61042aeaad0cbff94ef5c3d633ee1888a57adcefc7`

3

Type	`RT_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x988`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.4534`
MD5	`cca9854484bb17226150ed6dfabf247b`
SHA1	`28f27333306c9f7b59828a85c9c32a359d19de8c`
SHA256	`9356469c7b241a6d65fbdfe944a9bb07adeecd8b74f0606f07562231509a220d`
SHA3	`2a33a4eaa35dffc37c1076adf2c3865d6fd2b4408208ccfcf9fce99855db664e`

4

Type	`RT_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x468`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.42964`
MD5	`bd6ba28b02c6f9e695a1a2432dfb34be`
SHA1	`1bd0eedea0fb47edfce38efca31ddff2cddeedfe`
SHA256	`c73203064a3e75f1df00497bb06ec6487194e28976a88ebf2f646501e15bee8e`
SHA3	`c48118f0f0ca7ef10778bf4ab2a892ceb4f71936de7fad4da0dcf647a6f36931`

103

Type	`RT_DIALOG`
Language	English - United States
Codepage	UNKNOWN
Size	`0x144`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.61782`
MD5	`46e58d12697ed2f2a218e47ae5bcfa3c`
SHA1	`1b5cde960720d5c1a9c26ded031e89d9e9ec2ecb`
SHA256	`18cfaba468cd4b07a8909fc3273f06302319b7963f75c4dda78b688c576511f0`
SHA3	`b08f048407ff29a6cadc4ed351fb591beeb4ccb1a0be22148fc38832807cb1b3`

105

Type	`RT_DIALOG`
Language	English - United States
Codepage	UNKNOWN
Size	`0x100`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.66174`
MD5	`3409f314895161597f3c395cc5f65525`
SHA1	`1a99d016d65e567f24449d9362afb6ac44006d0b`
SHA256	`fecdb955f8d7f1c219ff8167f90b64f3cb52e53337494577ff73c0ac1dafcd96`
SHA3	`b3b19241cc6454389e45833e50b742ae1927a5f161017350a99f2cbc66914f26`

106

Type	`RT_DIALOG`
Language	English - United States
Codepage	UNKNOWN
Size	`0x11c`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.88094`
MD5	`2d12c45dc2c029044aaff357141cb900`
SHA1	`083db861ab3c7db23c6257878296e73a89a74b8b`
SHA256	`69897c784f1491eb3024b0d52c2897196a2e245974497fda1915db5fefcf8729`
SHA3	`349b5d605c9c3efe5e0c4e2faa12dd21022fc5f9b053f2cbf4e2a6b8bc656442`

111

Type	`RT_DIALOG`
Language	English - United States
Codepage	UNKNOWN
Size	`0x60`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.48825`
MD5	`8d228d5978c74cbfef0257cf84d375a1`
SHA1	`07e2947cfa6ccb88b64c5b4749eb794a5564b209`
SHA256	`8a7e3e401446753e95d40e79c35aca9ce1747517c384096551981211020e5054`
SHA3	`8b1ebe1cfd819066a41a106dd379cb00937bb4c2a2adb9faf0f136fec06436bc`

103 (#2)

Type	`RT_GROUP_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x3e`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.67969`
Detected Filetype	Icon file
MD5	`849bf2a84ab564b927cb0a24e5ea447f`
SHA1	`869c1434a1f57cddf4404a85fc16c012749d0b4a`
SHA256	`2930c33052208e27845b3485def15d348d439fd93f2da68640c4beafcbcd2f6d`
SHA3	`9a0d287638cfbc647fec0a7755df0d4b57bc1c8019087d905e5fd761ec71c36b`

Version Info

TLS Callbacks

Load Configuration

RICH Header

XOR Key	`0xfb2414a1`
Unmarked objects	`0`
C objects (2190)	`2`
Total imports	`155`
Imports (2179)	`17`
48 (9044)	`9`
Resource objects (VS98 SP6 cvtres build 1736)	`1`

Errors

[*] Warning: Section .ndata has a size of 0!

Leave a comment

No comments yet.