Manalyze report for daa8404adc661cd4a5302270384d546c

Summary

Architecture	`IMAGE_FILE_MACHINE_I386`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	2019-Dec-16 00:50:47
Detected languages	English - United States

Plugin Output

Info	Interesting strings found in the binary:	`Contains domain names: http://nsis.sf.net http://nsis.sf.net/NSIS_Error nsis.sf.net`
Suspicious	The PE is an NSIS installer	`Unusual section name found: .ndata`
Malicious	The PE contains functions mostly used by malware.	`[!] The program may be hiding some of its imports: GetProcAddress LoadLibraryExW` `Can access the registry: RegCreateKeyExW RegOpenKeyExW RegEnumValueW RegDeleteKeyW RegDeleteValueW RegCloseKey RegSetValueExW RegQueryValueExW RegEnumKeyW` `Possibly launches other programs: CreateProcessW` `Can create temporary files: GetTempPathW CreateFileW` `Functions related to the privilege level: AdjustTokenPrivileges OpenProcessToken` `Changes object ACLs: SetFileSecurityW` `Can shut the system down or lock the screen: ExitWindowsEx`
Suspicious	The file contains overlay data.	`8137101 bytes of data starting at offset 0xc600.` `The overlay data has an entropy of 7.99982 and is possibly compressed or encrypted.` `Overlay data amounts for 99.3809% of the executable.`
Malicious	VirusTotal score: 5/70 (Scanned on 2021-01-15 06:45:29)	`Bkav: W32.AIDetectVM.malware1` `APEX: Malicious` `McAfee-GW-Edition: BehavesLike.Win32.ICLoader.wc` `Microsoft: Trojan:Win32/Wacatac.B!ml` `SentinelOne: Static AI - Suspicious PE`

Hashes

MD5	`daa8404adc661cd4a5302270384d546c`
SHA1	`0a6616c72fac6e9ed8d24b7edd5fc440a07364b3`
SHA256	`d86c0d3d73b1b74e615405c364d37510d173645c00adb0fd041a54b682c68872`
SHA3	`f5611b03f8c698834241c2daae8ca98eeb629897fb0864f8477895e6e13f228b`
SSDeep	`196608:knO4pI/6octnyQZKv5CQx+PljenEKpfRaJuG:Q9M6oEnxZKv5Cw+PonEKppy`
Imports Hash	`9118c6d2a93f3885f2880499003c5ba2`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0xc8`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_I386`
NumberofSections	`5`
TimeDateStamp	2019-Dec-16 00:50:47
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xe0`
Characteristics	`IMAGE_FILE_32BIT_MACHINE` `IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LINE_NUMS_STRIPPED` `IMAGE_FILE_LOCAL_SYMS_STRIPPED` `IMAGE_FILE_RELOCS_STRIPPED`

Image Optional Header

Magic	`PE32`
LinkerVersion	`6.0`
SizeOfCode	`0x6400`
SizeOfInitializedData	`0x22a00`
SizeOfUninitializedData	`0x800`
AddressOfEntryPoint	`0x000033C4 (Section: .text)`
BaseOfCode	`0x1000`
BaseOfData	`0x8000`
ImageBase	`0x400000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`4.0`
ImageVersion	`6.0`
SubsystemVersion	`4.0`
Win32VersionValue	`0`
SizeOfImage	`0x4c000`
SizeOfHeaders	`0x400`
Checksum	`0`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` `IMAGE_DLLCHARACTERISTICS_NO_SEH` `IMAGE_DLLCHARACTERISTICS_NX_COMPAT` `IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`b9a0ea92dbff7b8cf52347383336a3dc`
SHA1	`11aa0dabc96b3020383542e71dbe24a1dd516634`
SHA256	`9684ef72d7c5ed9ebfb0908c2d4e70ec37727f24ae1f38efcf6a44a46c409ba5`
SHA3	`3ab522339bbb10c6373f5e52d5bafe66b4f7f9e8563d1ef8bca193443be09579`
VirtualSize	`0x631a`
VirtualAddress	`0x1000`
SizeOfRawData	`0x6400`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.44843`

.rdata

MD5	`bb435fcb938c1a5f089b4ee558d07923`
SHA1	`03abbbbcb6f2b34c6a7b978c66759d6f760f7811`
SHA256	`662e3f17f23e135e9d52002fb7cd43a41966dec884400ce036f6a4cf081e4000`
SHA3	`d2a70b56e66606b573e0fc4b925f5ea78d2fed3ff023164db44ce10bd89c3868`
VirtualSize	`0x1384`
VirtualAddress	`0x8000`
SizeOfRawData	`0x1400`
PointerToRawData	`0x6800`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`5.13881`

.data

MD5	`bd634113cb1268c0ad509c44dec68a13`
SHA1	`0da987ff33ffe2ba82a14950806a6ca342949a40`
SHA256	`d5af8f3e2a268253a03eefc99083c79cbafed2fd0420ad525bdd9b6287cd1824`
SHA3	`367d67d384ea19033b12c382d45032570eaac434782aff2c712514b60600b813`
VirtualSize	`0x20318`
VirtualAddress	`0xa000`
SizeOfRawData	`0x600`
PointerToRawData	`0x7c00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`3.90283`

.ndata

MD5	`d41d8cd98f00b204e9800998ecf8427e`
SHA1	`da39a3ee5e6b4b0d3255bfef95601890afd80709`
SHA256	`e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`
SHA3	`a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a`
VirtualSize	`0x1c000`
VirtualAddress	`0x2b000`
SizeOfRawData	`0`
PointerToRawData	`0`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_UNINITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`

.rsrc

MD5	`d6f8daec030e5f55e18ce5703c8db9ca`
SHA1	`ff92b9f8f86384004072aa90f3fd1e789561387d`
SHA256	`2d696bd19953bd8c2a94945e1b6e1f99acd3e1bf5ff58cce7fc4a6744a4ed740`
SHA3	`ad37b45d8584c03716f3d014d0ba51717d61d200c440882d19cc60f60ec9c451`
VirtualSize	`0x4260`
VirtualAddress	`0x47000`
SizeOfRawData	`0x4400`
PointerToRawData	`0x8200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`5.92182`

Imports

KERNEL32.dll	`SetEnvironmentVariableW` `SetFileAttributesW` `Sleep` `GetTickCount` `GetFileSize` `GetModuleFileNameW` `GetCurrentProcess` `CopyFileW` `SetCurrentDirectoryW` `GetFileAttributesW` `GetWindowsDirectoryW` `GetTempPathW` `GetCommandLineW` `GetVersion` `SetErrorMode` `lstrlenW` `lstrcpynW` `GetDiskFreeSpaceW` `ExitProcess` `MoveFileW` `CreateThread` `GetLastError` `CreateDirectoryW` `CreateProcessW` `RemoveDirectoryW` `lstrcmpiA` `CreateFileW` `GetTempFileNameW` `WriteFile` `lstrcpyA` `MoveFileExW` `lstrcatW` `GetSystemDirectoryW` `GetProcAddress` `GetModuleHandleA` `GetExitCodeProcess` `WaitForSingleObject` `lstrcmpiW` `lstrcmpW` `GetFullPathNameW` `GetShortPathNameW` `SearchPathW` `CompareFileTime` `SetFileTime` `CloseHandle` `ExpandEnvironmentStringsW` `GlobalFree` `GlobalLock` `GlobalUnlock` `GlobalAlloc` `DeleteFileW` `FindFirstFileW` `FindNextFileW` `FindClose` `SetFilePointer` `ReadFile` `MulDiv` `lstrlenA` `WideCharToMultiByte` `MultiByteToWideChar` `WritePrivateProfileStringW` `FreeLibrary` `GetPrivateProfileStringW` `GetModuleHandleW` `LoadLibraryExW`
USER32.dll	`GetWindowRect` `GetSystemMenu` `SetClassLongW` `IsWindowEnabled` `SetWindowPos` `GetSysColor` `GetWindowLongW` `SetCursor` `LoadCursorW` `CheckDlgButton` `GetMessagePos` `CallWindowProcW` `IsWindowVisible` `CloseClipboard` `SetClipboardData` `EmptyClipboard` `OpenClipboard` `TrackPopupMenu` `ScreenToClient` `EnableMenuItem` `GetDlgItem` `SetDlgItemTextW` `GetDlgItemTextW` `MessageBoxIndirectW` `CharPrevW` `CharNextA` `wsprintfA` `DispatchMessageW` `PeekMessageW` `GetDC` `ReleaseDC` `EnableWindow` `InvalidateRect` `SendMessageW` `DefWindowProcW` `BeginPaint` `GetClientRect` `FillRect` `SystemParametersInfoW` `EndDialog` `RegisterClassW` `DialogBoxParamW` `CreateWindowExW` `GetClassInfoW` `DestroyWindow` `CharNextW` `ExitWindowsEx` `SetWindowTextW` `LoadImageW` `SetTimer` `ShowWindow` `PostQuitMessage` `wsprintfW` `SetWindowLongW` `FindWindowExW` `IsWindow` `CreatePopupMenu` `AppendMenuW` `GetSystemMetrics` `DrawTextW` `EndPaint` `CreateDialogParamW` `SendMessageTimeoutW` `SetForegroundWindow`
GDI32.dll	`SelectObject` `SetTextColor` `SetBkMode` `CreateFontIndirectW` `CreateBrushIndirect` `DeleteObject` `GetDeviceCaps` `SetBkColor`
SHELL32.dll	`ShellExecuteExW` `SHGetPathFromIDListW` `SHGetSpecialFolderLocation` `SHGetFileInfoW` `SHFileOperationW` `SHBrowseForFolderW`
ADVAPI32.dll	`AdjustTokenPrivileges` `RegCreateKeyExW` `RegOpenKeyExW` `SetFileSecurityW` `OpenProcessToken` `LookupPrivilegeValueW` `RegEnumValueW` `RegDeleteKeyW` `RegDeleteValueW` `RegCloseKey` `RegSetValueExW` `RegQueryValueExW` `RegEnumKeyW`
COMCTL32.dll	`ImageList_Create` `ImageList_AddMasked` `#17` `ImageList_Destroy`
ole32.dll	`OleUninitialize` `OleInitialize` `CoTaskMemFree` `CoCreateInstance`

Delayed Imports

1

Type	`RT_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x10a8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`6.26612`
MD5	`0ec0a0948a526b9c7eebe39bb02b6b0b`
SHA1	`867b304f20fd74abeb5c30515837f1c41cd3bf8f`
SHA256	`d442adb90ba296c7e617d2f58d6fa6f308bcd8ef65e5e9c66db4dd27f93fcfbe`
SHA3	`5bc458755a2ca5c7475620389d9b6b67952973c4366c6777d45c969b8bc67cd4`

2

Type	`RT_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0xea8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.9993`
MD5	`6b224e01af48ec8e4c17a59d9534e885`
SHA1	`de787d2a1e840618ba2c7eb69d28f6966c404d1d`
SHA256	`50279c9885b490e74b49ac0273940b6e0891b62fc9ffb5c52e35422a694f248b`
SHA3	`71b543301bccda64ba61a27873c952890233e0cbec10e0b59245fc303bcfadbc`

3

Type	`RT_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x8a8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`6.24459`
MD5	`ca82d899b1d402941b5c92ed9028cd95`
SHA1	`fb329ec4455d5caf1753305debcc14ab6ebb9015`
SHA256	`9da1013c864092e49c2676b3ba68a0d4513457d77d251730ed73cc5f4a4813b1`
SHA3	`768277223731ffdcb799e50961d0afccf23bbae54118d53b834617ccbd0c5cd9`

4

Type	`RT_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x568`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.01502`
MD5	`05e60fd47096a729dda2aaa4ab05ebc7`
SHA1	`de8ec9b484fa4f565b14f55503c9cd95231b633b`
SHA256	`61f762babde9942f43ee97154b8734efeed0632a6ea778dc395793ae3e3e7507`
SHA3	`f8ba0d4a91389414904cc66226099f27f482055e90ba449e2396193f139713d8`

5

Type	`RT_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x468`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`6.16057`
MD5	`d9ee3a2962251a241bce41b0524cfc0e`
SHA1	`2ba919aaa7237367a158e4b95385ab1ee07643d8`
SHA256	`69e6579a37fcaec037634e7fecbfc6a26093ea81dc4bd555d8a12187d2cd0866`
SHA3	`a1699668464f7edf9a748dfc264f9d30e3c69a228be0a18cade30c14aa6c77ba`

6

Type	`RT_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x2e8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.34146`
MD5	`53482d364aa2d4ae7ca05199dad7651a`
SHA1	`ccb213408acc7f5ddb94753e6410be23aab5cedd`
SHA256	`ff06189b43a5c1d6cc5d1b7cbf6ab56b1157ec52807945d652274a211462cba5`
SHA3	`60659e39ef3f267c267093f8bc4c87ed61eea4ef96ac0f583184f580844573e5`

7

Type	`RT_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x128`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.04232`
MD5	`636ad42555a835e3a94209043df4a45a`
SHA1	`c878613bda5cba6cb5769846e60229890c5df248`
SHA256	`491e52ded039ec6684277e6f1f820e288763ae6d20e682bcfffb6cee4518ac23`
SHA3	`4b79e60727e0f7be7495c59fb949e22bd753cff6e145e4694257a21a7b5dba8c`

103

Type	`RT_DIALOG`
Language	English - United States
Codepage	UNKNOWN
Size	`0x120`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.56193`
MD5	`db6dd0434da4d7cac564518725167e09`
SHA1	`a65a1367d7cd96450f089a8f8108239bbcea9f5b`
SHA256	`c50631fc1f8425a95fd1edcc8e730d339e193a38f18d42372c32847a5ad2c016`
SHA3	`4e3be5455c51e1cb04836e318cb69ecdffd2deadd0f338d4bc985d8f5ca653ff`

105

Type	`RT_DIALOG`
Language	English - United States
Codepage	UNKNOWN
Size	`0x202`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.73893`
MD5	`386770584473e271f23dced36427f4ff`
SHA1	`d14ce95f784b35e4e3ebee535476ebcd3e380c19`
SHA256	`425b8270f7ca42a927eae6bea468acf414a3e4b58b5ba2c56aaae4d1b2c11014`
SHA3	`db13e5969376b27e8443eebff685230e2b74685aeb2fba73973f06e5cddc8662`

106

Type	`RT_DIALOG`
Language	English - United States
Codepage	UNKNOWN
Size	`0xf8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.91148`
MD5	`fa83652660409e90e0db9731ad2adb17`
SHA1	`0a8f0af67723c87fe26ccf676b8e19ec6357b4dc`
SHA256	`4a55bd714f5d50cd8eabba10e57f0618f1842717dcfa582d73a917b1933cd1d4`
SHA3	`5b3e1cb25be7a2dbae4f08f0d4794ed23dbd6ea37a3f9702be12dba588f42a7b`

111

Type	`RT_DIALOG`
Language	English - United States
Codepage	UNKNOWN
Size	`0xee`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.89887`
MD5	`663040d6315b1d6ce8c0334d182ed8fc`
SHA1	`ebcfff801a12fb8ad1200a4526fca8bd2c3e96cf`
SHA256	`cb3c86cbcb579244a6f819f9c1807a7e89b6e600982ec6ea0841fcdcb16a9efd`
SHA3	`6a25a2cb16aeb17693f10e8aaa0245c701701db571b458fde7830291a4a01cfc`

103 (#2)

Type	`RT_GROUP_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x68`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.6691`
Detected Filetype	Icon file
MD5	`e624f041c921d299a6da3a8c5f48f989`
SHA1	`ffa07c86ac3dac45398ee07b26610dfb5c99d8ea`
SHA256	`fed46e06346fb8f64b14c18408a82caf955929ac0e65151630539dc5bd194584`
SHA3	`b51d47dbe9cbe18b1f520275504256022a827f919672b081943ae45cd4ff44c9`

1 (#2)

Type	`RT_MANIFEST`
Language	English - United States
Codepage	UNKNOWN
Size	`0x42e`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.28847`
MD5	`c2b030a8cb1ae2b511e6a2d838b3400f`
SHA1	`6f0b1c3efeabd56e0baada3ee760fd584c0a1634`
SHA256	`b58662a05f0b78fd4fad3834fbca87bd11ff898f3b8bced9735d892068b3df0a`
SHA3	`13b99fbacaf0a28ac1289baae903f0347340b4fb5ce3c39c2f78755f1c65ba1b`

Version Info

TLS Callbacks

Load Configuration

RICH Header

XOR Key	`0xd25650e9`
Unmarked objects	`0`
C objects (VS2003 (.NET) build 4035)	`2`
Total imports	`164`
Imports (VS2003 (.NET) build 4035)	`15`
48 (9044)	`10`
Resource objects (VS98 SP6 cvtres build 1736)	`1`

Errors

[*] Warning: Section .ndata has a size of 0!