Manalyze report for cc161b0c683d34286657e1c2e3da84c4

Summary

Architecture	`IMAGE_FILE_MACHINE_I386`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_CUI`
Compilation Date	2011-Mar-25 13:17:51
Detected languages	English - United States
CompanyName	Trend Micro Incorporated
FileVersion	`3,0,0,0`
ProductName	Trend Micro Agent Deploy Tool - modified
ProductVersion	`1,0,0,0`

Plugin Output

Suspicious	The PE is packed with mpress	`Unusual section name found: .MPRESS1` `Section .MPRESS1 is both writable and executable.` `Unusual section name found: .MPRESS2` `Section .MPRESS2 is both writable and executable.` `The PE only has 9 import(s).`
Malicious	VirusTotal score: 23/64 (Scanned on 2022-02-02 03:35:11)	`Lionic: Trojan.Win32.Agent.a!c` `MicroWorld-eScan: Trojan.GenericKD.48218371` `FireEye: Generic.mg.cc161b0c683d3428` `McAfee: Artemis!CC161B0C683D` `Cylance: Unsafe` `Sangfor: Trojan.Win32.Agent.xxzwht` `Symantec: ML.Attribute.HighConfidence` `Paloalto: generic.ml` `Cynet: Malicious (score: 100)` `Kaspersky: Trojan-Downloader.Win32.Agent.xxzwht` `BitDefender: Trojan.GenericKD.48218371` `Tencent: Win32.Trojan-downloader.Agent.Syhq` `Ad-Aware: Trojan.GenericKD.48218371` `Sophos: Generic ML PUA (PUA)` `McAfee-GW-Edition: BehavesLike.Win32.Generic.dc` `Emsisoft: Trojan.GenericKD.48218371 (B)` `Jiangmin: Trojan.Agent.cjpq` `MAX: malware (ai score=82)` `ZoneAlarm: Trojan-Downloader.Win32.Agent.xxzwht` `GData: Trojan.GenericKD.48218371` `Rising: Downloader.Agent!8.B23 (CLOUD)` `SentinelOne: Static AI - Malicious PE` `Panda: Trj/CI.A`

Hashes

MD5	`cc161b0c683d34286657e1c2e3da84c4`
SHA1	`c21edb1b24a667d5480a96b30efb47bc84e08646`
SHA256	`626c7adda3674c07338f487029f3032bffb2145f733b9b8ea35d789ab1657024`
SHA3	`25d2451648cbd85891a504e4cecd3031584750a0ee757ab275ba87b26d62db9d`
SSDeep	`24576:YEHbyieWIDG5Oo9etNzMWV3yKc05TCYKPFI21baV0:v7Xk49XdMGvVFaV0`
Imports Hash	`691f1193f16065947032ace3a2329e55`

DOS Header

e_magic	`MZ`
e_cblp	`0x40`
e_cp	`0x1`
e_crlc	`0`
e_cparhdr	`0x2`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0xb400`
e_oeminfo	`0xcd09`
e_lfanew	`0x40`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_I386`
NumberofSections	`3`
TimeDateStamp	2011-Mar-25 13:17:51
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xe0`
Characteristics	`IMAGE_FILE_32BIT_MACHINE` `IMAGE_FILE_DEBUG_STRIPPED` `IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LINE_NUMS_STRIPPED` `IMAGE_FILE_LOCAL_SYMS_STRIPPED` `IMAGE_FILE_RELOCS_STRIPPED`

Image Optional Header

Magic	`PE32`
LinkerVersion	`2.0`
SizeOfCode	`0x8400`
SizeOfInitializedData	`0x30c600`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x003181E7 (Section: .MPRESS2)`
BaseOfCode	`0x1000`
BaseOfData	`0xa000`
ImageBase	`0x400000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`4.0`
ImageVersion	`0.0`
SubsystemVersion	`4.0`
Win32VersionValue	`0`
SizeOfImage	`0x31b000`
SizeOfHeaders	`0x200`
Checksum	`0`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_CUI`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0xd000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.MPRESS1

MD5	`8d4a794c9bfcfb9eec851796288fdbed`
SHA1	`148f7a468d136a6fb6946e19d4af607905c08a17`
SHA256	`6c1886c57dcbe0b2fad0da7f7b4f52cef9707a0928949870b9eace8f8105adf6`
SHA3	`71d194898084b11abf9d41ec065829d4c24f9e72a4d78c8edddafadda6d7cc63`
VirtualSize	`0x317000`
VirtualAddress	`0x1000`
SizeOfRawData	`0xee200`
PointerToRawData	`0x200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_CNT_UNINITIALIZED_DATA` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`7.99983`

.MPRESS2

MD5	`dc34951f91a07c93bac1840be849d442`
SHA1	`cb86be1fe2fe4d94b55c8cefe1941e60c7efa48e`
SHA256	`5fe4c39b8924d1ea146aedbca9bdbc524382dd7da7f68cbb7ac3530bcf715b12`
SHA3	`549fed817cf61935fc821c907f7e4bda9010ca9e4f5a9c87eb6c72309c978175`
VirtualSize	`0xd51`
VirtualAddress	`0x318000`
SizeOfRawData	`0xe00`
PointerToRawData	`0xee400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_CNT_UNINITIALIZED_DATA` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`5.8644`

.rsrc

MD5	`5654c0a5d6ec76c796d35bb6682833e9`
SHA1	`9719708ec96f6978e72c4d3569af1eb7fa345c91`
SHA256	`d9a03a1210279a113e2d5325dabdf0035e8e7036ef4cee9c34c39499259c1557`
SHA3	`9885c5d047ec98acbc8cb107b637aae791a16a4ad60583c3b2f65056ba085b99`
VirtualSize	`0x19e0`
VirtualAddress	`0x319000`
SizeOfRawData	`0x1a00`
PointerToRawData	`0xef200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`4.92732`

Imports

KERNEL32.DLL	`GetModuleHandleA` `GetProcAddress`
MSVCRT.dll	`fabs`
COMCTL32.DLL	`InitCommonControls`
USER32.DLL	`IsChild`
GDI32.DLL	`BitBlt`
OLE32.DLL	`CoInitialize`
SHELL32.DLL	`ShellExecuteExA`
SHLWAPI.DLL	`PathQuoteSpacesA`

Delayed Imports

1

Type	`RT_ICON`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x2e8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.72725`
MD5	`0c0e9a40c12b5764e4bcfb9e424bfbc7`
SHA1	`a7f41724543034747ba2638fdd82acefe1ba3689`
SHA256	`5c4d9b5af06dda509391cd1159a4288421e4c6007e798994fee853682fe57dc7`
SHA3	`487fc39722be855fdb2521173a9588ce37fc76cda7dae310a0a5a09333c56c57`

2

Type	`RT_ICON`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x128`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.69528`
MD5	`353b9d7a320208cdd68cd31ccf72134a`
SHA1	`871827b10e6a3c562ccb4d3189ad1d6d638bdd46`
SHA256	`8791e64f8f03927a45097778966b4ed854c160cdd25a16214042c3ddd927bd2e`
SHA3	`acbce4ea22263bfc2583fded9c98aaa818c5df8def93f8e5822464a00431453c`

3

Type	`RT_ICON`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x8a8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`6.08282`
MD5	`7849cd6bbe32c769e4e31433eded8214`
SHA1	`56d9d530f9c9e39ffcfe2bdf1303550ab3a63f4e`
SHA256	`d47afc6efcfe1a6945616f5474a27dfdd21cd381b9a1cd89dd7b0b378fdbf41d`
SHA3	`a0de8707f3d0b2a3158c9c0872a45b85eb86c287841df21d5ed345e9e4428085`

4

Type	`RT_ICON`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x568`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`1.66932`
MD5	`a9b3846efd9e75fbfa786210b50f14f5`
SHA1	`4d4d80a5b0ad567532dab227dcc86fc1af792c97`
SHA256	`47d9a8fe7a16335a93f65e2b2bd64a59c571ba2301d23142aeb33332c5e5206a`
SHA3	`32275f11abc94811fe4d393f3a45f8cd6f29d8367eb6ebbfbb238ec5a677fd11`

B

Type	`RT_RCDATA`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x3719`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`7.98704`
Detected Filetype	E-mail
MD5	`aa4c75d8d1b4eebb22a2a7d76e332565`
SHA1	`f747383f67af8bc2c75eef9ff7e7f3ce406d93c5`
SHA256	`d8b15702c49c83afd2662ccff9a2813e028d036fc7ea586945938525e813b5d4`
SHA3	`79ecca7f3eaa9a67af7664ec8210c429a70856b523b052128a9274133ad8ff9e`

I

Type	`RT_RCDATA`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0xb8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`0`
MD5	`d41d8cd98f00b204e9800998ecf8427e`
SHA1	`da39a3ee5e6b4b0d3255bfef95601890afd80709`
SHA256	`e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`
SHA3	`a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a`

N

Type	`RT_RCDATA`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0xf`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`0`
MD5	`d41d8cd98f00b204e9800998ecf8427e`
SHA1	`da39a3ee5e6b4b0d3255bfef95601890afd80709`
SHA256	`e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`
SHA3	`a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a`

O

Type	`RT_RCDATA`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x6`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`0`
MD5	`d41d8cd98f00b204e9800998ecf8427e`
SHA1	`da39a3ee5e6b4b0d3255bfef95601890afd80709`
SHA256	`e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`
SHA3	`a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a`

1 (#2)

Type	`RT_GROUP_ICON`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x3e`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.21733`
Detected Filetype	Icon file
MD5	`a062cce2553d04760bed1b8fdb4bd03d`
SHA1	`85e75204eee88be178f2920dfa04dac529247bb0`
SHA256	`2e6e78a3b9225e3ca720f5fc9d659f3544141ab956a65e0722b15accbc207642`
SHA3	`8837d98bfd1f520a85d7123f717270de183ef69fc5de617b589bac6cafa8ae6f`

1 (#3)

Type	`RT_VERSION`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x208`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.22965`
MD5	`287d75b5a924b81f8091ef7c419553db`
SHA1	`c48d13d8abe8011cd2939a04dbb90f37e648f8e3`
SHA256	`1fac688fb1480fa3573fb6e07a19a4d3377d4019d9b27c334ae164d7bbc07cef`
SHA3	`5c1c059b7f19fb5093dff666af071515ea50ba6a9ecbf7f90fae487d0f253b83`

1 (#4)

Type	`RT_MANIFEST`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x29c`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.09999`
MD5	`3df1be5b119989ee3061fb3f3759d3fd`
SHA1	`2826967a233634277c39075ad3b4ac99d32e2acd`
SHA256	`cbb90bd969933f7ddfe27fad7c3649f1f1bdaf2ffcaa1ffc4eb7a96376bd49c8`
SHA3	`54d306c8d89ab29a564c4c67b384dafa665b3b994627ea189f9ffffd7b48df94`

Version Info

Signature	`0xfeef04bd`
StructVersion	`0x10000`
FileVersion	3.0.0.0
ProductVersion	1.0.0.0
FileFlags	`VS_FF_DEBUG` `VS_FF_PRERELEASE` `VS_FF_PRIVATEBUILD`
FileOs	`VOS_DOS` `VOS_DOS_WINDOWS16` `VOS_DOS_WINDOWS32` `VOS_OS232` `VOS_OS232_PM32` `VOS_WINCE` `VOS__PM32` `VOS__WINDOWS16`
FileType	`VFT_APP`
Language	English - United States
CompanyName	Trend Micro Incorporated
FileVersion (#2)	3,0,0,0
ProductName	Trend Micro Agent Deploy Tool - modified
ProductVersion (#2)	1,0,0,0

Resource LangID	UNKNOWN

TLS Callbacks

Load Configuration

RICH Header

Errors

[*] Warning: Ignored an invalid IMAGE_RESOURCE_DATA_ENTRY
[*] Warning: Resource I is empty!
[*] Warning: Resource N is empty!
[*] Warning: Resource O is empty!