Manalyze report for d2da675a8adfef9d0c146154084fff62

Summary

Architecture	`IMAGE_FILE_MACHINE_I386`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	2017-Jul-14 22:40:25

Plugin Output

Info	Matching compiler(s):	`Microsoft Visual C++ 6.0 - 8.0` `MASM/TASM - sig1(h)` `Microsoft Visual C++` `Microsoft Visual C++ v6.0` `Microsoft Visual C++ v5.0/v6.0 (MFC)`
Info	Cryptographic algorithms detected in the binary:	`Uses constants related to CRC32` `Uses constants related to MD5` `Uses constants related to SHA1`
Suspicious	The PE contains functions most legitimate programs don't use.	`[!] The program may be hiding some of its imports: GetProcAddress LoadLibraryA` `Functions which can be used for anti-debugging purposes: CreateToolhelp32Snapshot` `Can access the registry: SHDeleteKeyW` `Enumerates local disk drives: GetVolumeInformationW`
Malicious	VirusTotal score: 44/68 (Scanned on 2019-09-09 06:42:23)	`MicroWorld-eScan: Gen:Variant.Graftor.487501` `FireEye: Generic.mg.d2da675a8adfef9d` `McAfee: Trojan-FPIA!D2DA675A8ADF` `Cylance: Unsafe` `K7AntiVirus: Trojan ( 0052cf421 )` `Alibaba: Trojan:Win32/Autophyte.f462ec75` `K7GW: Trojan ( 0052cf421 )` `Cybereason: malicious.a8adfe` `Arcabit: Trojan.Graftor.D7704D` `TrendMicro: TROJ_GEN.R002C0DI819` `F-Prot: W32/Trojan3.AOLG` `Symantec: ML.Attribute.HighConfidence` `APEX: Malicious` `Paloalto: generic.ml` `Kaspersky: HEUR:Trojan.Win32.Generic` `BitDefender: Gen:Variant.Graftor.487501` `NANO-Antivirus: Trojan.Win32.NukeSped.fyopnf` `AegisLab: Trojan.Win32.Generic.4!c` `Ad-Aware: Gen:Variant.Graftor.487501` `Emsisoft: Gen:Variant.Graftor.487501 (B)` `F-Secure: Trojan.TR/NukeSped.nsanz` `McAfee-GW-Edition: Trojan-FPIA!D2DA675A8ADF` `Trapmine: malicious.moderate.ml.score` `Sophos: Mal/Generic-S` `SentinelOne: DFI - Suspicious PE` `Cyren: W32/Trojan.ATKI-5308` `Avira: TR/NukeSped.nsanz` `Fortinet: W32/NukeSped.AU!tr` `Antiy-AVL: Trojan/Win32.Autophyte` `Endgame: malicious (high confidence)` `Microsoft: Trojan:Win32/Autophyte.E!dha` `ViRobot: Trojan.Win32.Z.Graftor.139264.HN` `ZoneAlarm: HEUR:Trojan.Win32.Generic` `AhnLab-V3: Trojan/Win32.Akdoor.R207815` `VBA32: BScope.Trojan.Autophyte` `MAX: malware (ai score=100)` `ESET-NOD32: a variant of Win32/NukeSped.AU` `TrendMicro-HouseCall: TROJ_GEN.R002C0DI819` `Ikarus: Trojan.Win32.NukeSped` `GData: Gen:Variant.Graftor.487501` `AVG: FileRepMalware` `Panda: Trj/GdSda.A` `CrowdStrike: win/malicious_confidence_100% (W)` `Qihoo-360: HEUR/QVM07.1.BD6D.Malware.Gen`

Hashes

MD5	`d2da675a8adfef9d0c146154084fff62`
SHA1	`c55d080ea24e542397bbbfa00edc6402ec1c902c`
SHA256	`f8f7720785f7e75bd6407ac2acd63f90ab6c2907d3619162dc41a8ffa40a5d03`
SHA3	`189ba5cca73e66c1f0bbfc064045cb7b80380f07369b903598aa9e363c764e41`
SSDeep	`3072:1QGYFFzYCGUXBk/hbpjYr9Lde0NPV1Y88PxbE:1SFhYaXBkjYJLde0Nd1Hqb`
Imports Hash	`86e90e40d8e53d1e5b06a22353734ed4`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0xe0`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_I386`
NumberofSections	`3`
TimeDateStamp	2017-Jul-14 22:40:25
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xe0`
Characteristics	`IMAGE_FILE_32BIT_MACHINE` `IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LINE_NUMS_STRIPPED` `IMAGE_FILE_LOCAL_SYMS_STRIPPED` `IMAGE_FILE_RELOCS_STRIPPED`

Image Optional Header

Magic	`PE32`
LinkerVersion	`6.0`
SizeOfCode	`0x1c000`
SizeOfInitializedData	`0x8000`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x0001CD2F (Section: .text)`
BaseOfCode	`0x1000`
BaseOfData	`0x1d000`
ImageBase	`0x400000`
SectionAlignment	`0x1000`
FileAlignment	`0x1000`
OperatingSystemVersion	`4.0`
ImageVersion	`0.0`
SubsystemVersion	`4.0`
Win32VersionValue	`0`
SizeOfImage	`0x25000`
SizeOfHeaders	`0x1000`
Checksum	`0`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`66e2b83909b4d47d3e3d20ad44df1acc`
SHA1	`6c45db2f3c329c18abbbba48c3ca8d28f8620f72`
SHA256	`c934555557fa502839be5de8947adbcfeadf38d5d9085d6bf1825adb9472d9f6`
SHA3	`e3b14021e98f0f723fcf6cc8e8d1c24eff758391436b27bcfd1b9984b17ace79`
VirtualSize	`0x1bfe0`
VirtualAddress	`0x1000`
SizeOfRawData	`0x1c000`
PointerToRawData	`0x1000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.66028`

.rdata

MD5	`d20ad0b8b42883ae6eb4c89cfbbd893b`
SHA1	`dc4261a17f3c64edf7af0c1f5ccc171e3aaf85e4`
SHA256	`c6b3c98e1be78bd2675d18069ed1ff7b33a09849763f3b85092f58c4b362057e`
SHA3	`e58d179512ba20125c68948407f6b51ec102b001e2bcae1379e010ed098c9214`
VirtualSize	`0x3892`
VirtualAddress	`0x1d000`
SizeOfRawData	`0x4000`
PointerToRawData	`0x1d000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`6.0577`

.data

MD5	`5e1b09084dfc15dda52bdac606eaed3d`
SHA1	`19aabd457f5c0eec40344ac81d70c611b50fcf06`
SHA256	`0e5edfc0c85884234654e6efa424d70ce108cf44fe7f943718a745c0c7cbca90`
SHA3	`ecefae7fbfbfbaa33a0fc3788181cedec666d754b356ed96b07465f373594b22`
VirtualSize	`0x367c`
VirtualAddress	`0x21000`
SizeOfRawData	`0x1000`
PointerToRawData	`0x21000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`3.82497`

Imports

KERNEL32.dll	`GetProcAddress` `LoadLibraryA` `CloseHandle` `GetModuleHandleW` `FreeLibrary` `GetVolumeInformationW` `Module32FirstW` `CreateToolhelp32Snapshot` `FileTimeToLocalFileTime` `GetTickCount` `GetSystemInfo` `GetVersionExW` `WideCharToMultiByte` `CreateDirectoryW` `Sleep` `CopyFileW` `FileTimeToSystemTime` `GetACP` `lstrlenW` `GetModuleHandleA` `FindFirstFileW` `FindNextFileW` `GetLastError` `FindClose` `UnmapViewOfFile` `WriteFile` `GetCurrentProcess` `DuplicateHandle` `CreateFileW` `CreateFileMappingW` `MapViewOfFile` `GetFileType` `GetFileInformationByHandle` `GetSystemTime` `GetLocalTime` `SystemTimeToFileTime` `GetFileSize` `SetFilePointer` `ReadFile` `FileTimeToDosDateTime` `GetStartupInfoA`
USER32.dll	`GetSystemMetrics`
SHLWAPI.dll	`SHDeleteKeyW`
MSVCRT.dll	`wcstombs` `memcpy` `strlen` `memset` `memmove` `memcmp` `malloc` `free` `strstr` `sscanf` `wcsrchr` `localtime` `time` `mktime` `??2@YAPAXI@Z` `_EH_prolog` `strcat` `strcpy` `_stricmp` `_tzset` `__dllonexit` `_onexit` `_exit` `_XcptFilter` `exit` `_acmdln` `__getmainargs` `_initterm` `__setusermatherr` `_adjust_fdiv` `__p__commode` `__p__fmode` `__set_app_type` `_except_handler3` `_controlfp` `_wfopen` `fwprintf` `fclose` `__CxxFrameHandler` `srand` `rand` `_vsnwprintf` `wcscmp` `wcschr` `_wcsicmp` `wcscat` `wcsncpy` `swprintf` `_wtoi` `_waccess` `wcscpy` `wcslen` `strncmp` `??3@YAXPAX@Z`

Delayed Imports

Version Info

TLS Callbacks

Load Configuration

RICH Header

XOR Key	`0xb55b4bd4`
Unmarked objects	`0`
14 (7299)	`5`
Linker (VS98 build 8168)	`2`
12 (7291)	`2`
C objects (VS98 build 8168)	`25`
Imports (VS2003 (.NET) build 4035)	`7`
Total imports	`115`
C++ objects (VS98 build 8168)	`10`

d2da675a8adfef9d0c146154084fff62

Summary

Plugin Output

Hashes

DOS Header

PE Header

Image Optional Header

.text

.rdata

.data

Imports

Delayed Imports

Version Info

TLS Callbacks

Load Configuration

RICH Header

Errors