Manalyze report for d30d7676a3b4c91b77d403f81748ebf6b8824749db5f860e114a8a204bca5b8f

Summary

Architecture	`IMAGE_FILE_MACHINE_I386`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	2020-Nov-29 09:09:24
Detected languages	English - United States
CompanyName	Endermanch
FileDescription	Windows Customization Tool
FileVersion	`6.6.6.6`
InternalName	WinCustomize.exe
LegalCopyright	Copyright (C) 2020
OriginalFilename	WinCustomize.exe
ProductName	Customization Tool
ProductVersion	`6.6.6.6`

Plugin Output

Suspicious	The PE is packed with mpress	`Unusual section name found: .MPRESS1` `Section .MPRESS1 is both writable and executable.` `Unusual section name found: .MPRESS2` `Section .MPRESS2 is both writable and executable.` `The PE's resources are bigger than it is.`
Suspicious	The PE contains functions most legitimate programs don't use.	`Possibly launches other programs: ShellExecuteW` `Can take screenshots: GetDC BitBlt`
Suspicious	The PE is possibly a dropper.	`Resource 102 is possibly compressed or encrypted.` `Resource 103 is possibly compressed or encrypted.` `Resources amount for 150.166% of the executable.`
Suspicious	The file contains overlay data.	`34975 bytes of data starting at offset 0x9e200.` `The overlay data has an entropy of 7.99394 and is possibly compressed or encrypted.`
Malicious	VirusTotal score: 56/68 (Scanned on 2021-08-29 13:35:14)	`Bkav: W32.AIDetect.malware2` `Lionic: Trojan.Win32.Gen.j!c` `Elastic: malicious (high confidence)` `DrWeb: Trojan.KillBoot.1513` `CAT-QuickHeal: Trojanransom.Gen` `ALYac: Trojan.Ransom.ScreenLocker` `Malwarebytes: Ransom.FileCryptor` `Zillya: Trojan.Ransom.Win32.1954` `Sangfor: Trojan.Win32.Save.a` `K7AntiVirus: Trojan ( 005764761 )` `Alibaba: Ransom:Win32/Cryptor.bec0bebc` `K7GW: Trojan ( 005764761 )` `CrowdStrike: win/malicious_confidence_100% (W)` `Cyren: W32/Ransom.GQCK-5858` `Symantec: ML.Attribute.HighConfidence` `ESET-NOD32: Win32/Disabler.NDL` `APEX: Malicious` `Paloalto: generic.ml` `Cynet: Malicious (score: 100)` `Kaspersky: HEUR:Trojan-Ransom.Win32.Gen.gen` `BitDefender: Trojan.GenericKD.45703777` `NANO-Antivirus: Trojan.Win32.KillBoot.iestim` `MicroWorld-eScan: Trojan.GenericKD.45703777` `Avast: Win32:MalwareX-gen [Trj]` `Ad-Aware: Trojan.GenericKD.45703777` `Sophos: Mal/Generic-S` `Comodo: Malware@#1sho60ur73gqq` `VIPRE: Trojan.Win32.Generic!BT` `TrendMicro: Ransom_Gen.R005C0DF421` `McAfee-GW-Edition: BehavesLike.Win32.Dropper.jc` `FireEye: Generic.mg.989ae3d195203b32` `Emsisoft: Trojan.GenericKD.45703777 (B)` `Ikarus: Trojan-Ransom.Agent` `GData: Trojan.GenericKD.45703777` `Jiangmin: Trojan.Gen.bds` `Webroot: W32.Gen.BT` `Avira: TR/Ransom.Agent.ngrmb` `Antiy-AVL: Trojan/Generic.ASMalwS.330FC2B` `Kingsoft: Win32.Troj.Undef.(kcloud)` `Gridinsoft: Ransom.Win32.Ransom.sa` `Arcabit: Trojan.Generic.D2B96261` `Microsoft: Trojan:MSIL/Cryptor` `AhnLab-V3: Malware/Win32.RL_Generic.R364340` `McAfee: RDN/Ransom` `MAX: malware (ai score=99)` `VBA32: TrojanRansom.Gen` `Cylance: Unsafe` `TrendMicro-HouseCall: Ransom_Gen.R005C0DF421` `Tencent: Malware.Win32.Gencirc.11baf11a` `Yandex: Trojan.Agent!yCnQtJZKjtk` `SentinelOne: Static AI - Suspicious PE` `eGambit: Unsafe.AI_Score_58%` `Fortinet: PossibleThreat.PALLAS.H` `AVG: Win32:MalwareX-gen [Trj]` `Panda: Trj/CI.A` `MaxSecure: Trojan.Malware.73859634.susgen`

Hashes

MD5	`989ae3d195203b323aa2b3adf04e9833`
SHA1	`31a45521bc672abcf64e50284ca5d4e6b3687dc8`
SHA256	`d30d7676a3b4c91b77d403f81748ebf6b8824749db5f860e114a8a204bca5b8f`
SHA3	`1466e4f10ecc266738984ca4f5bf3319b864e9fe5c6c6f0129de8a193de96d73`
SSDeep	`12288:85J5X487qJUtcWfkVJ6g5s/cD01oKHQyis2AePsr8nP712TB:s487pcZEgwcDpg1L2tbPR2t`
Imports Hash	`f400a8c725e9bcee856360087d72fec3`

DOS Header

e_magic	`MZ`
e_cblp	`0x40`
e_cp	`0x1`
e_crlc	`0`
e_cparhdr	`0x2`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0xb400`
e_oeminfo	`0xcd09`
e_lfanew	`0x40`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_I386`
NumberofSections	`3`
TimeDateStamp	2020-Nov-29 09:09:24
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xe0`
Characteristics	`IMAGE_FILE_32BIT_MACHINE` `IMAGE_FILE_DEBUG_STRIPPED` `IMAGE_FILE_EXECUTABLE_IMAGE`

Image Optional Header

Magic	`PE32`
LinkerVersion	`14.0`
SizeOfCode	`0x3c00`
SizeOfInitializedData	`0x1bf800`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x001C640E (Section: .MPRESS2)`
BaseOfCode	`0x1000`
BaseOfData	`0x5000`
ImageBase	`0x400000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`6.0`
ImageVersion	`0.0`
SubsystemVersion	`6.0`
Win32VersionValue	`0`
SizeOfImage	`0x1cc000`
SizeOfHeaders	`0x200`
Checksum	`0`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_NX_COMPAT` `IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0xd000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.MPRESS1

MD5	`2943243b75d86836232c2d952b16f0bc`
SHA1	`54f9c43bfe6325b4dd5ea4caba4fd224bc4f8ed9`
SHA256	`2052670eb45533ed8c13a9040811468af0f5226187f900e6562b68340ae04cd6`
SHA3	`b97bff5376ab2c932e3906b1f3d20723b2ef8b6bb83ca5419bff0d9184f47501`
VirtualSize	`0x1c5000`
VirtualAddress	`0x1000`
SizeOfRawData	`0x98600`
PointerToRawData	`0x200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_CNT_UNINITIALIZED_DATA` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`7.99972`

.MPRESS2

MD5	`9923a8c15303e326094fe95215526939`
SHA1	`e463f2a1b4677454cfd2251173fe64d5faba7550`
SHA256	`8db87277fcf06f5f5481ea2d8c1df4140baeec298a72f669efb489e82cdfc249`
SHA3	`6176b173b657ded7a32e08e0b10b250fe564015b72ee54d33565565358914993`
VirtualSize	`0xf78`
VirtualAddress	`0x1c6000`
SizeOfRawData	`0x1000`
PointerToRawData	`0x98800`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_CNT_UNINITIALIZED_DATA` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`5.94591`

.rsrc

MD5	`38d78877f0f858140a40b8877a25eaf8`
SHA1	`99407bf4949106a7e928222a6d037582d6ac3eab`
SHA256	`67a2253106ad47ced721d9dd9011eb3d4360691870c94d2db117b50b9f19d97e`
SHA3	`610a902f0879dfc89cf289b9cf6ffb74e131f93cffc026b34cf4e7ee6336b3da`
VirtualSize	`0x4998`
VirtualAddress	`0x1c7000`
SizeOfRawData	`0x4a00`
PointerToRawData	`0x99800`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`4.18654`

Imports

KERNEL32.DLL	`GetModuleHandleA` `GetProcAddress`
NETAPI32.dll	`NetUserAdd`
ntdll.dll	`RtlGetVersion`
USER32.dll	`GetDC`
GDI32.dll	`BitBlt`
ADVAPI32.dll	`FreeSid`
SHELL32.dll	`ShellExecuteW`
ole32.dll	`CoTaskMemFree`
bcrypt.dll	`BCryptGenRandom`
VCRUNTIME140.dll	`wcsstr`
api-ms-win-crt-string-l1-1-0.dll	`wmemcpy_s`
api-ms-win-crt-runtime-l1-1-0.dll	`exit`
api-ms-win-crt-math-l1-1-0.dll	`__setusermatherr`
api-ms-win-crt-stdio-l1-1-0.dll	`_set_fmode`
api-ms-win-crt-locale-l1-1-0.dll	`_configthreadlocale`
api-ms-win-crt-heap-l1-1-0.dll	`_set_new_mode`

Delayed Imports

1

Type	`RT_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x4228`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`4.08855`
MD5	`e1d71e2f419cb14fcd1a9958a9d24813`
SHA1	`bcd231879a440da358c1f5d08ab4fa199d8efa17`
SHA256	`1b0065c22f3d23119e90db688f76fb8ce3e37719ed910a30b9276f0d38ef22b8`
SHA3	`2d387ecb66365588d874351246342958aa304662339c14ef1b1afee2f2e5d46d`

102

Type	`RT_RCDATA`
Language	English - United States
Codepage	UNKNOWN
Size	`0x61ed9`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`7.99955`
MD5	`5269795341676709f170837b77b9345d`
SHA1	`61805924cc729a89c6ef1f734513e313c3293668`
SHA256	`71512f7d4a324880a204d0cf1559dd5c730b300fb0bdbea7796ee720f09b697f`
SHA3	`095f76d63ff1e48db5015743d2c1d825d12d5ce7a82ee999e223937df02d4ede`

103

Type	`RT_RCDATA`
Language	English - United States
Codepage	UNKNOWN
Size	`0x93036`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`7.08156`
MD5	`908f7024b77c72e75ec10015e8c485d5`
SHA1	`3154cf993379b359401b31b3273a87e7ca0a977f`
SHA256	`6639484ce8d7e5df3532b8823d80152afd76f6700900d5e10f6b2df8a5fbd235`
SHA3	`1d26b8b1f9f0d5947c13da91fc12bd13b3d747c4da8834fdf32d24e3a9703019`

104

Type	`RT_RCDATA`
Language	English - United States
Codepage	UNKNOWN
Size	`0x5db`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`0`
MD5	`d41d8cd98f00b204e9800998ecf8427e`
SHA1	`da39a3ee5e6b4b0d3255bfef95601890afd80709`
SHA256	`e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`
SHA3	`a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a`

105

Type	`RT_RCDATA`
Language	English - United States
Codepage	UNKNOWN
Size	`0xed`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`0`
MD5	`d41d8cd98f00b204e9800998ecf8427e`
SHA1	`da39a3ee5e6b4b0d3255bfef95601890afd80709`
SHA256	`e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`
SHA3	`a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a`

106

Type	`RT_RCDATA`
Language	English - United States
Codepage	UNKNOWN
Size	`0x133`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`0`
MD5	`d41d8cd98f00b204e9800998ecf8427e`
SHA1	`da39a3ee5e6b4b0d3255bfef95601890afd80709`
SHA256	`e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`
SHA3	`a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a`

107

Type	`RT_RCDATA`
Language	English - United States
Codepage	UNKNOWN
Size	`0x161`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`0`
MD5	`d41d8cd98f00b204e9800998ecf8427e`
SHA1	`da39a3ee5e6b4b0d3255bfef95601890afd80709`
SHA256	`e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`
SHA3	`a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a`

108

Type	`RT_RCDATA`
Language	English - United States
Codepage	UNKNOWN
Size	`0x53a`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`0`
MD5	`d41d8cd98f00b204e9800998ecf8427e`
SHA1	`da39a3ee5e6b4b0d3255bfef95601890afd80709`
SHA256	`e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`
SHA3	`a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a`

101

Type	`RT_GROUP_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x14`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`1.91924`
Detected Filetype	Icon file
MD5	`3e1d980f0dc747eec9d946c155cb1498`
SHA1	`15414ced0202f709d400c957d441a8856dde8479`
SHA256	`027e12c81d53ebb492d0e1ce8166c0c004e135274105fb79465b6b97bc6c71cd`
SHA3	`11e83c27ff3b8cca2c537273338202138c94fb4b10a6b2daf0f7d23d177cc049`

1 (#2)

Type	`RT_VERSION`
Language	English - United States
Codepage	UNKNOWN
Size	`0x2fc`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.39361`
MD5	`cbdac8fe13612775ed7b845cbd020046`
SHA1	`98270f86083eeb7d542217f9339569a3d2c1395b`
SHA256	`68b2d3a1c20877b3f78fea333c736b10576088bb144a4d44702d1ec683c66c01`
SHA3	`952e69705fb1b89b45c740129e3e8fe5b5c47d0a2460d7ab56d8e8f44ff96d5a`

1 (#3)

Type	`RT_MANIFEST`
Language	English - United States
Codepage	UNKNOWN
Size	`0x17d`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`4.91161`
MD5	`1e4a89b11eae0fcf8bb5fdd5ec3b6f61`
SHA1	`4260284ce14278c397aaf6f389c1609b0ab0ce51`
SHA256	`4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df`
SHA3	`4bb9e8b5a714cae82782f3831cc2d45f4bf4a50a755fe584d2d1893129d68353`

Version Info

Signature	`0xfeef04bd`
StructVersion	`0x10000`
FileVersion	6.6.6.6
ProductVersion	6.6.6.6
FileFlags	`(EMPTY)`
FileOs	`VOS_DOS_WINDOWS32` `VOS_NT` `VOS_NT_WINDOWS32` `VOS_WINCE` `VOS__WINDOWS32`
FileType	`VFT_APP`
Language	English - United States
CompanyName	Endermanch
FileDescription	Windows Customization Tool
FileVersion (#2)	6.6.6.6
InternalName	WinCustomize.exe
LegalCopyright	Copyright (C) 2020
OriginalFilename	WinCustomize.exe
ProductName	Customization Tool
ProductVersion (#2)	6.6.6.6

Resource LangID	English - United States

TLS Callbacks

Load Configuration

RICH Header

Errors

[*] Warning: Resource  is empty!
[*] Warning: Resource  is empty!
[*] Warning: Resource  is empty!
[*] Warning: Resource  is empty!
[*] Warning: Resource  is empty!

Leave a comment

No comments yet.