Manalyze report for db92f4ac8e714c7c3be9601b6ada4fbb

Summary

Architecture	`IMAGE_FILE_MACHINE_I386`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	2012-Jul-13 22:47:16
Debug artifacts
Comments
CompanyName	.getlucky project
FileDescription	.getlucky Loader
FileVersion	`1.3.3.7`
InternalName	festive.exe
LegalCopyright	Copyright © 2020
LegalTrademarks
OriginalFilename	festive.exe
ProductName	.getlucky
ProductVersion	`1.3.3.7`
Assembly Version	1.3.3.7

Plugin Output

Info	Matching compiler(s):	`Microsoft Visual C++ 6.0 - 8.0`
Suspicious	Strings found in the binary may indicate undesirable behavior:	`Looks for Qemu presence: QeMu`
Info	Cryptographic algorithms detected in the binary:	`Uses constants related to CRC32`
Suspicious	The PE contains functions most legitimate programs don't use.	`[!] The program may be hiding some of its imports: GetProcAddress LoadLibraryA` `Functions which can be used for anti-debugging purposes: CreateToolhelp32Snapshot`
Suspicious	The PE is possibly a dropper.	`Resource __ is possibly compressed or encrypted.` `Resources amount for 95.5732% of the executable.`
Malicious	VirusTotal score: 36/71 (Scanned on 2021-02-21 12:21:34)	`Bkav: W32.AIDetectGBM.malware.02` `MicroWorld-eScan: Gen:Variant.MSILPerseus.226220` `FireEye: Generic.mg.db92f4ac8e714c7c` `CAT-QuickHeal: Trojan.Wacatac` `McAfee: Artemis!DB92F4AC8E71` `Cylance: Unsafe` `Sangfor: Trojan.Win32.Save.a` `Alibaba: Trojan:Win32/Symmi.dfb00ca8` `Cybereason: malicious.c8e714` `Cyren: W32/Symmi.O.gen!Eldorado` `Symantec: ML.Attribute.HighConfidence` `APEX: Malicious` `Avast: Win32:MdeClass` `BitDefender: Gen:Variant.MSILPerseus.226220` `Paloalto: generic.ml` `Rising: Malware.Heuristic!ET#100% (RDMK:cmRtazrejNQaOody5LC+SX4hAa0g)` `Ad-Aware: Gen:Variant.MSILPerseus.226220` `Sophos: ML/PE-A` `McAfee-GW-Edition: BehavesLike.Win32.Generic.wc` `Emsisoft: Gen:Variant.MSILPerseus.226220 (B)` `GData: Gen:Variant.MSILPerseus.226220` `eGambit: Unsafe.AI_Score_99%` `MAX: malware (ai score=86)` `Arcabit: Trojan.MSILPerseus.D373AC` `AegisLab: Trojan.Win32.Perseus.4!c` `Microsoft: HackTool:Win32/AutoKMS!ml` `Cynet: Malicious (score: 100)` `BitDefenderTheta: Gen:NN.ZexaF.34574.at0@aGGAqNe` `ALYac: Gen:Variant.MSILPerseus.226220` `Malwarebytes: Generic.Malware/Suspicious` `TrendMicro-HouseCall: TROJ_GEN.R002H09BH21` `SentinelOne: Static AI - Malicious PE` `Fortinet: W32/PossibleThreat` `AVG: Win32:MdeClass` `CrowdStrike: win/malicious_confidence_90% (W)` `Qihoo-360: Win32/Trojan.Generic.HgIASPMA`

Hashes

MD5	`db92f4ac8e714c7c3be9601b6ada4fbb`
SHA1	`4195662caf93544c8b2edfb9d9bb21b44eabf0b5`
SHA256	`499c423143c00feb4a2a1c135afcc29d51fc893e357a5bc259efc1862399c2e3`
SHA3	`b8e62a9d33303cb6deb6eefaefde5b54a55fa0ac22f7261297d50e377aef1e2e`
SSDeep	`49152:vkQTAN3jIwIOfi9WTLAh+wAwrPbKXZkcJ49MkQEqEEG/TMrtnDHoxaxeYA8o+:va5rf8AJw7bKJk842kQiTOpjovs`
Imports Hash	`9ea46ae554999dda2f4d4894bb0ed40d`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0xe0`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_I386`
NumberofSections	`4`
TimeDateStamp	2012-Jul-13 22:47:16
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xe0`
Characteristics	`IMAGE_FILE_32BIT_MACHINE` `IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LARGE_ADDRESS_AWARE` `IMAGE_FILE_RELOCS_STRIPPED`

Image Optional Header

Magic	`PE32`
LinkerVersion	`9.0`
SizeOfCode	`0x19800`
SizeOfInitializedData	`0x2e8e00`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x0000CD2F (Section: .text)`
BaseOfCode	`0x1000`
BaseOfData	`0x1b000`
ImageBase	`0x400000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`5.0`
ImageVersion	`0.0`
SubsystemVersion	`5.0`
Win32VersionValue	`0`
SizeOfImage	`0x307000`
SizeOfHeaders	`0x400`
Checksum	`0x23bfb`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`c1b3dba5960674179627df816fbabf0a`
SHA1	`f94b1f483e0bfa24fdd3b23a40e2cc957a7b904e`
SHA256	`7def3931d69777706ebd715275d41e8b52d03782bf58ce2b8adba481ba4d7928`
SHA3	`8b288030e59645c9552a0e4d119ca475a703fb2002377a76352fe755c73f4c6f`
VirtualSize	`0x19718`
VirtualAddress	`0x1000`
SizeOfRawData	`0x19800`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.74859`

.rdata

MD5	`5826801f33fc1b607aa8e942aa92e9fa`
SHA1	`ac050a1809ae127615e1683adb73d87013096d10`
SHA256	`883d62172f028223b48e9799e430669bf920590072b1c6fa120cf98290af6c3f`
SHA3	`fbac6a647fe46b9b39e1d94eefe9663774fe59c7c15f8d5cabcd736f7db2fcaf`
VirtualSize	`0x6db4`
VirtualAddress	`0x1b000`
SizeOfRawData	`0x6e00`
PointerToRawData	`0x19c00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`6.44296`

.data

MD5	`2fe51a72ede820cd7cf55a77ba59b1f4`
SHA1	`c5c9b70d1fbe0cb0f1d48ea41ef1cd0da70d708d`
SHA256	`40feedd8e8e7c2749517280e0dcbc0723f1e57640c936a122a3371b101d1de24`
SHA3	`54f23141fe42bbada8a56b6b11bd5d2b7f387233df49d6fc9a5d1521d0dab3ad`
VirtualSize	`0x30c0`
VirtualAddress	`0x22000`
SizeOfRawData	`0x1600`
PointerToRawData	`0x20a00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`3.26259`

.rsrc

MD5	`75d594df42a798b9f15e086e4680cb5f`
SHA1	`f5d826449deb347e46be37ab278473c9cb74bd55`
SHA256	`abebc478bc53b01a91f5d3b182fdb1432c5e0c78d75b1fa4b5b0c88a3b9e3a67`
SHA3	`88101ef7899c1e397040236e5912e617aeddbaf7081e2fdac340777587d1594d`
VirtualSize	`0x2e09b0`
VirtualAddress	`0x26000`
SizeOfRawData	`0x2e0a00`
PointerToRawData	`0x22000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`7.75805`

Imports

KERNEL32.dll	`RaiseException` `GetLastError` `MultiByteToWideChar` `lstrlenA` `InterlockedDecrement` `GetProcAddress` `LoadLibraryA` `FreeResource` `SizeofResource` `LockResource` `LoadResource` `FindResourceA` `GetModuleHandleA` `Module32Next` `CloseHandle` `Module32First` `CreateToolhelp32Snapshot` `GetCurrentProcessId` `SetEndOfFile` `GetStringTypeW` `GetStringTypeA` `LCMapStringW` `LCMapStringA` `GetLocaleInfoA` `HeapFree` `GetProcessHeap` `HeapAlloc` `GetCommandLineA` `HeapCreate` `VirtualFree` `DeleteCriticalSection` `LeaveCriticalSection` `EnterCriticalSection` `VirtualAlloc` `HeapReAlloc` `HeapSize` `TerminateProcess` `GetCurrentProcess` `UnhandledExceptionFilter` `SetUnhandledExceptionFilter` `IsDebuggerPresent` `GetModuleHandleW` `Sleep` `ExitProcess` `WriteFile` `GetStdHandle` `GetModuleFileNameA` `WideCharToMultiByte` `GetConsoleCP` `GetConsoleMode` `ReadFile` `TlsGetValue` `TlsAlloc` `TlsSetValue` `TlsFree` `InterlockedIncrement` `SetLastError` `GetCurrentThreadId` `FlushFileBuffers` `SetFilePointer` `SetHandleCount` `GetFileType` `GetStartupInfoA` `RtlUnwind` `FreeEnvironmentStringsA` `GetEnvironmentStrings` `FreeEnvironmentStringsW` `GetEnvironmentStringsW` `QueryPerformanceCounter` `GetTickCount` `GetSystemTimeAsFileTime` `InitializeCriticalSectionAndSpinCount` `GetCPInfo` `GetACP` `GetOEMCP` `IsValidCodePage` `CompareStringA` `CompareStringW` `SetEnvironmentVariableA` `WriteConsoleA` `GetConsoleOutputCP` `WriteConsoleW` `SetStdHandle` `CreateFileA`
ole32.dll	`OleInitialize`
OLEAUT32.dll	`#15` `#23` `#24` `#16` `#411` `#9` `#8` `#6` `#2`

Delayed Imports

1

Type	`RT_ICON`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x42028`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`0.964172`
MD5	`8bd2ec02a29e1f8099fdc529d83dc345`
SHA1	`da13ad5572e43dc43ba16d24d994dffec86d4bbe`
SHA256	`3d5de0991890779aa8eecf53b77c230e3301c684033f014d350290ee1ff2249a`
SHA3	`836915d79309d3257f28a4cd21d67a1c3ce4fdff0592c5174a6de9cd1060d09c`

__

Type	`RT_RCDATA`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x29d850`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`7.99993`
MD5	`8d8438cde68ce71b039d9cdc5cb7da63`
SHA1	`c8dabd067e4aaa0a1177db631c30aa0949583adb`
SHA256	`5c199746e3ccd0d30b421177e4c68dc29e9d9d5e48de5566cd05f1018d734204`
SHA3	`d7568a21f7847762e8e12d6ce84ce37908301eb0f02d691d5c64344d741276b6`

1 (#2)

Type	`RT_GROUP_ICON`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x14`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`1.67095`
Detected Filetype	Icon file
MD5	`464cb94db3a2622922a9562865009ae8`
SHA1	`dbe17c767d942f219df59f9eae77b213c15eab70`
SHA256	`8affd1fa69a6c5a5b54e504d72d4e9a0eba9b7d702a445ea1399a5978794719a`
SHA3	`3e0e32110c6c0f3323eeeb5e4a6cbb7a8db52ab14e0f065384fb4eedac4fbcda`

1 (#3)

Type	`RT_VERSION`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x344`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.38266`
MD5	`f4e44e59c1b0db8ac8387aed5ac5b4f3`
SHA1	`4ce0f3fd87c755bc38fa47a775e7596ae9e9dd1a`
SHA256	`9a1b0fc9482429dceb40e567cf59cd3528cec4e45081189ee4cec6fa2a9bc534`
SHA3	`7393082cf30e932f3270464adf83e39dee45aa039739e462e7e2328e592290a5`

1 (#4)

Type	`RT_MANIFEST`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0xc5d`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.01615`
MD5	`15bef11da2e4a13fdc6caae856d2d0c6`
SHA1	`fdd48c59b80c61622ed4bdf738f4c24def30a866`
SHA256	`97e2bb39746b7d0c4e5f6c9a0f2ca316398500fa6ef69ebab1a1b2e05e8bf399`
SHA3	`861f741a11256851ab8aecb3c97dc714496f5f8b3b37fac6037074ac33f0eb6f`

Version Info

Signature	`0xfeef04bd`
StructVersion	`0x10000`
FileVersion	1.3.3.7
ProductVersion	1.3.3.7
FileFlags	`(EMPTY)`
FileOs	`VOS_DOS_WINDOWS32` `VOS_NT_WINDOWS32` `VOS__WINDOWS32`
FileType	`VFT_APP`
Language	UNKNOWN
Comments
CompanyName	.getlucky project
FileDescription	.getlucky Loader
FileVersion (#2)	1.3.3.7
InternalName	festive.exe
LegalCopyright	Copyright © 2020
LegalTrademarks
OriginalFilename	festive.exe
ProductName	.getlucky
ProductVersion (#2)	1.3.3.7
Assembly Version	1.3.3.7

Resource LangID	UNKNOWN

IMAGE_DEBUG_TYPE_CODEVIEW

Characteristics	`0`
TimeDateStamp	2012-Jul-13 22:47:16
Version	`0.0`
SizeofData	`129`
AddressOfRawData	`0x20de8`
PointerToRawData	`0x1f9e8`
Referenced File

TLS Callbacks

Load Configuration

Size	`0x48`
TimeDateStamp	`1970-Jan-01 00:00:00`
Version	`0.0`
GlobalFlagsClear	`(EMPTY)`
GlobalFlagsSet	`(EMPTY)`
CriticalSectionDefaultTimeout	`0`
DeCommitFreeBlockThreshold	`0`
DeCommitTotalFreeThreshold	`0`
LockPrefixTable	`0`
MaximumAllocationSize	`0`
VirtualMemoryThreshold	`0`
ProcessAffinityMask	`0`
ProcessHeapFlags	`(EMPTY)`
CSDVersion	`0`
Reserved1	`0`
EditList	`0`
SecurityCookie	`0x422234`
SEHandlerTable	`0x420f50`
SEHandlerCount	`3`

RICH Header

XOR Key	`0x7eea712c`
Unmarked objects	`0`
ASM objects (VS2008 build 21022)	`19`
Imports (VS2012 build 50727 / VS2005 build 50727)	`7`
Total imports	`112`
C++ objects (VS2008 build 21022)	`48`
C objects (VS2008 build 21022)	`142`
Resource objects (VS2008 build 21022)	`1`

db92f4ac8e714c7c3be9601b6ada4fbb

Summary

Plugin Output

Hashes

DOS Header

PE Header

Image Optional Header

.text

.rdata

.data

.rsrc

Imports

Delayed Imports

1

__

1 (#2)

1 (#3)

1 (#4)

Version Info

IMAGE_DEBUG_TYPE_CODEVIEW

TLS Callbacks

Load Configuration

RICH Header

Errors