Manalyze report for caf7012559df9685fe680512be2ad34e

Summary

Architecture	`IMAGE_FILE_MACHINE_I386`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	2016-Jul-25 00:55:47
Detected languages	English - United States
FileDescription	description
FileVersion	`7.0.0.0`
LegalCopyright

Plugin Output

Suspicious	Strings found in the binary may indicate undesirable behavior:	`Looks for VirtualPC presence: 0f 3f 07 0b`
Suspicious	The PE is possibly packed.	`Unusual section name found: \x00` `Section \x00 is both writable and executable.` `Unusual section name found: .idata` `Unusual section name found:` `Section is both writable and executable.` `Unusual section name found: hrpkzzlw` `Section hrpkzzlw is both writable and executable.` `Unusual section name found: wnezzwsy` `Section wnezzwsy is both writable and executable.` `The PE only has 1 import(s).`
Info	The PE's resources present abnormal characteristics.	`Resource 105 is possibly compressed or encrypted.` `Resource 106 is possibly compressed or encrypted.`
Suspicious	The file contains overlay data.	`4643420 bytes of data starting at offset 0x277600.` `The overlay data has an entropy of 7.99996 and is possibly compressed or encrypted.`
Malicious	VirusTotal score: 47/68 (Scanned on 2018-11-25 21:41:41)	`Bkav: W32.HfsAutoB.` `MicroWorld-eScan: Gen:Variant.Ursu.233216` `CAT-QuickHeal: Trojan.IGENERIC` `McAfee: Artemis!CAF7012559DF` `Cylance: Unsafe` `BitDefender: Gen:Variant.Ursu.233216` `K7GW: Trojan ( 0053f90e1 )` `K7AntiVirus: Trojan ( 0053f90e1 )` `Invincea: heuristic` `Cyren: W32/Trojan.NFLW-5550` `Symantec: Trojan.Gen.2` `ESET-NOD32: NSIS/TrojanDropper.Agent.CQ` `TrendMicro-HouseCall: TROJ_GEN.R062C0WKB18` `Paloalto: generic.ml` `Kaspersky: HEUR:Trojan.Win32.Generic` `ViRobot: Trojan.Win32.Z.Ursu.7229532` `Rising: Trojan.Tiggre!8.ED98 (CLOUD)` `Ad-Aware: Gen:Variant.Ursu.233216` `Sophos: Mal/Generic-S` `Comodo: Malware@#15te94j3w0ppd` `F-Secure: Gen:Variant.Ursu.233216` `Zillya: Trojan.Generic.Win32.293950` `TrendMicro: TROJ_GEN.R062C0WKB18` `McAfee-GW-Edition: RDN/Generic Dropper` `Trapmine: malicious.high.ml.score` `Emsisoft: Gen:Variant.Ursu.233216 (B)` `SentinelOne: static engine - malicious` `Webroot: W32.Trojan.Gen` `Avira: HEUR/AGEN.1012007` `MAX: malware (ai score=100)` `Antiy-AVL: Trojan/Win32.AGeneric` `Microsoft: Trojan:Win32/Occamy.C` `Endgame: malicious (high confidence)` `Arcabit: Trojan.Ursu.D38F00` `AegisLab: Trojan.Win32.Generic.4!c` `ZoneAlarm: HEUR:Trojan-Downloader.Win32.Agent.gen` `GData: Gen:Variant.Ursu.233216` `AhnLab-V3: Malware/Win32.Generic.C974742` `ALYac: Gen:Variant.Ursu.233216` `VBA32: TScope.Malware-Cryptor.SB` `Malwarebytes: Trojan.Dropper.Themida` `Panda: Trj/CI.A` `Ikarus: Trojan-Spy.Agent` `AVG: Win32:Trojan-gen` `Avast: Win32:Trojan-gen` `CrowdStrike: malicious_confidence_100% (W)` `Qihoo-360: Win32/Trojan.801`

Hashes

MD5	`caf7012559df9685fe680512be2ad34e`
SHA1	`c7fcdcf2406fb9251d7df58ca2a88cb9acd4f219`
SHA256	`441726e4e74e7fea558d9e3443f78eed18389bf878f0dd1d1c6631d08c761c31`
SHA3	`7c00b798f8d4f334b6910c8568f860fb4e72be83dd811b9cea5d851a762c1623`
SSDeep	`196608:5/LHAMyJbZFgPFZbdoN13iw1EbfkV5zyTMxgk6yBOIsQnQc1Lw:5jHvKgPP5g13iw1EbfknWMxvFnPLw`
Imports Hash	`2eabe9054cad5152567f0699947a2c5b`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0xd8`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_I386`
NumberofSections	`6`
TimeDateStamp	2016-Jul-25 00:55:47
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xe0`
Characteristics	`IMAGE_FILE_32BIT_MACHINE` `IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LINE_NUMS_STRIPPED` `IMAGE_FILE_LOCAL_SYMS_STRIPPED` `IMAGE_FILE_RELOCS_STRIPPED`

Image Optional Header

Magic	`PE32`
LinkerVersion	`6.0`
SizeOfCode	`0x5e00`
SizeOfInitializedData	`0x1d000`
SizeOfUninitializedData	`0x400`
AddressOfEntryPoint	`0x00653000 (Section: wnezzwsy)`
BaseOfCode	`0x1000`
BaseOfData	`0x7000`
ImageBase	`0x400000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`4.0`
ImageVersion	`6.0`
SubsystemVersion	`4.0`
Win32VersionValue	`0`
SizeOfImage	`0x654000`
SizeOfHeaders	`0x400`
Checksum	`0x6ebf88`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` `IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

\x00

MD5	`7da91cfc6f49fdb2b14947b8cf7a4030`
SHA1	`1c4a10121bfe4601ff3c9397452565a54f5b827c`
SHA256	`d0a66026a1ac14bf51b27f2f39cd0994c954db9fdafc16e981e2f76155da50dc`
SHA3	`164b27445a014a2523115bd4d304c8af1aa6b2342cf95043703c090ec61cc7bc`
VirtualSize	`0x2b000`
VirtualAddress	`0x1000`
SizeOfRawData	`0x4200`
PointerToRawData	`0x1000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`7.95136`

.rsrc

MD5	`d3ef5724380b752e1cfa4d54f8acc9e9`
SHA1	`cd816dc8d8c6bbaa1ffdc71c2501e2a4d8e8af9d`
SHA256	`33f03114e01711476bb2becaae23d8c0893dd23315bfb55760ad4eefe3f93002`
SHA3	`f2db929eccba46335459473551588f3294c74695c738ec7158ab52adc1151d4a`
VirtualSize	`0x42950`
VirtualAddress	`0x2c000`
SizeOfRawData	`0x5a00`
PointerToRawData	`0x5200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`7.91283`

.idata

MD5	`1a60f6d3f481b9e7e12b5f547a3c071a`
SHA1	`d1ebb02165ef1388d7472bd1d12468e0f9c6c322`
SHA256	`a78ee7270a2c14cf548e36368d8a9c77b0f532c038b63c38208d5c75bf304c0a`
SHA3	`0102de31fd94ca56ab10641d64035e3ee28fe7e7deb0835562102af8b7f2f70d`
VirtualSize	`0x1000`
VirtualAddress	`0x6f000`
SizeOfRawData	`0x200`
PointerToRawData	`0xac00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`0.979579`

MD5	`3b1e1c7efe6402866fdefce7985a044c`
SHA1	`1e84f347a1cceb5db11e7d8aa13b471c1f120ce6`
SHA256	`1c7e09178d449aa49a40e2f8ede2aa289ea06c8a5d3910d2e035f893bcd6fc6f`
SHA3	`e4b036d8c6ec9f82abf13a03762ffbb2cf2b9e2e4459ec43e5953f3ed678c4bc`
VirtualSize	`0x376000`
VirtualAddress	`0x70000`
SizeOfRawData	`0x200`
PointerToRawData	`0xae00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`0.256865`

hrpkzzlw

MD5	`074ec4ad05f7e954128517a9d284a2cd`
SHA1	`15a76ec0a776fb06bc6f7705ce48bea9035b2480`
SHA256	`220df87326cb767ae7bfda66cab414666146a26e95382d6bf1caace667d40b69`
SHA3	`2296021174ad7b6737d352909e86e2005b66aa174df869be213a7fd06fc072b0`
VirtualSize	`0x26d000`
VirtualAddress	`0x3e6000`
SizeOfRawData	`0x26c200`
PointerToRawData	`0xb000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`7.76998`

wnezzwsy

MD5	`cf48bdebd2c76c9e873a30d55969e6f7`
SHA1	`bf5adda949c5a2a22ba6e7d081bf3605eb8e4484`
SHA256	`d90d8a9d4ad19dd51abed5245838e4ccc85788630f1990bb3cde19a0263e52dc`
SHA3	`f588838b0732f91cfeaaea3dbfb940c1a9c38519d593bbb140622bd5fdba62ed`
VirtualSize	`0x1000`
VirtualAddress	`0x653000`
SizeOfRawData	`0x400`
PointerToRawData	`0x277200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`6.25071`

Imports

kernel32.dll	`lstrcpy`

Delayed Imports

1

Type	`RT_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x42028`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.91823`
MD5	`04d05309b5ae10677f5bb61c883b1329`
SHA1	`e054e6d40092b6f8b3957c8b9be2acecd0d53801`
SHA256	`3ec52b98aca6cf9a5f8ff76f61850c59361d1ad5e3a0620bc614a7793000dce1`
SHA3	`ec70ebb0dff17754d467fed0cb9ebdc6194fd7b7a2acfafcd18e948bb103a71a`

105

Type	`RT_DIALOG`
Language	English - United States
Codepage	UNKNOWN
Size	`0x100`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`7.02745`
MD5	`296d15aef8fe81d0592a9af1352355e8`
SHA1	`ee95aaed031cc548a1796f4317c43221c23a54b8`
SHA256	`38f3217c79de0c22a2a45a45bef1fa8f442dee469933320392c9c21ba36eb68b`
SHA3	`5b8157cec7f76db83a366da2b72e213e6b6c333527cbfdc07aeee6e46b199bdd`

106

Type	`RT_DIALOG`
Language	English - United States
Codepage	UNKNOWN
Size	`0x11c`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`7.19291`
MD5	`8b92c29275210b0b697a8f1d27b415cf`
SHA1	`d7a1e3fc62abcac8afc14cc46880394de816b544`
SHA256	`70fa974e7e62e668b351705560eeeedc69f363a9b801ebb15d79da5c7b4010df`
SHA3	`45d01b73f5ab6eaf3cc8e7e216b26ccc614d430141975ee7880d9e18799f3412`

111

Type	`RT_DIALOG`
Language	English - United States
Codepage	UNKNOWN
Size	`0x60`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`6.19934`
MD5	`dd6bb5e987364ae3fd0fb8c71ba71c63`
SHA1	`014e75f4a4f483cddaad0538ba2bc88fe9c3c93e`
SHA256	`61c7404fb8fa7aed6a77392d9cd09bc2c352bacf01ebe66c374239f131df1e33`
SHA3	`cf8a19376b9082b6e1043cecc8ecfdee13c4327c266e6ef3494de24de73affa9`

103

Type	`RT_GROUP_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x14`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`1.67095`
Detected Filetype	Icon file
MD5	`464cb94db3a2622922a9562865009ae8`
SHA1	`dbe17c767d942f219df59f9eae77b213c15eab70`
SHA256	`8affd1fa69a6c5a5b54e504d72d4e9a0eba9b7d702a445ea1399a5978794719a`
SHA3	`3e0e32110c6c0f3323eeeb5e4a6cbb7a8db52ab14e0f065384fb4eedac4fbcda`

1 (#2)

Type	`RT_VERSION`
Language	English - United States
Codepage	UNKNOWN
Size	`0x174`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.94077`
MD5	`0d1de95d1c2ed144b5a9ee034c4c7ef7`
SHA1	`070a7d753a27137815b1b46759200f52cdf70b22`
SHA256	`c658fa7910d58d7841c85980c61b6a18d69c75b04409673283d96b4ca372b55e`
SHA3	`fa375c90f9b90187398d436661eda3d6a3d1a0430a06f58971d11cd11778fdf1`

1 (#3)

Type	`RT_MANIFEST`
Language	English - United States
Codepage	UNKNOWN
Size	`0x33d`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.29829`
MD5	`3001ef505879c7c3d9f9cda38a4cff40`
SHA1	`1de9a45a1d23078ff6165fd7d471126172b887a0`
SHA256	`0e59f791068a3dc2df353d852171bb1aa6f77d90d34c96a99636d0b02a172f8f`
SHA3	`1bfe145fd5386b22b8a5a91c89a3d7d40ef9382327bb150189c8c2a168ddd67d`

Version Info

Signature	`0xfeef04bd`
StructVersion	`0`
FileVersion	7.0.0.0
ProductVersion	7.0.0.0
FileFlags	`(EMPTY)`
FileOs	`VOS_DOS_WINDOWS32` `VOS_NT_WINDOWS32` `VOS__WINDOWS32`
FileType	`VFT_APP`
Language	English - United States
FileDescription	description
FileVersion (#2)	7.0.0.0
LegalCopyright

Resource LangID	English - United States

TLS Callbacks

Load Configuration

RICH Header

XOR Key	`0xd246d0e9`
Unmarked objects	`0`
C objects (VS2003 (.NET) build 4035)	`2`
Total imports	`159`
Imports (VS2003 (.NET) build 4035)	`15`
48 (9044)	`10`
Resource objects (VS98 SP6 cvtres build 1736)	`1`

caf7012559df9685fe680512be2ad34e

Summary

Plugin Output

Hashes

DOS Header

PE Header

Image Optional Header

\x00

.rsrc

.idata

hrpkzzlw

wnezzwsy

Imports

Delayed Imports

1

105

106

111

103

1 (#2)

1 (#3)

Version Info

TLS Callbacks

Load Configuration

RICH Header

Errors