Manalyze report for dbf64c0bcb9a554271f9237da770a9d0

Summary

Architecture	`IMAGE_FILE_MACHINE_I386`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_CUI`
Compilation Date	2013-Jan-02 09:46:37
Debug artifacts	X:\dev\_exploits\_Local\WindowsRegistryRootkit\bin\rootkit_installer.pdb

Plugin Output

Info	Matching compiler(s):	`Microsoft Visual C++ 6.0 - 8.0` `MASM/TASM - sig2(h)` `Microsoft Visual C++`
Suspicious	Strings found in the binary may indicate undesirable behavior:	`Contains references to system / monitoring tools: bcdedit.exe` `Contains another PE executable: This program cannot be run in DOS mode.` `Miscellaneous malware strings: cmd.exe` `Contains domain names: riseup.net`
Malicious	The PE contains functions mostly used by malware.	`[!] The program may be hiding some of its imports: LoadLibraryExA LoadLibraryA GetProcAddress` `Can access the registry: RegDeleteValueA RegCloseKey RegSetValueExA RegOpenKeyA` `Possibly launches other programs: CreateProcessA` `Functions related to the privilege level: OpenProcessToken AdjustTokenPrivileges` `Can shut the system down or lock the screen: ExitWindowsEx`
Malicious	VirusTotal score: 50/73 (Scanned on 2020-03-02 17:41:26)	`MicroWorld-eScan: Trojan.Generic.8814730` `FireEye: Trojan.Generic.8814730` `McAfee: Artemis!DBF64C0BCB9A` `Cylance: Unsafe` `VIPRE: Rootkit.Win32.Agent.Gen (fs)` `Sangfor: Malware` `K7AntiVirus: Riskware ( 0040eff71 )` `Alibaba: Trojan:Win32/Diple.228f9700` `K7GW: Riskware ( 0040eff71 )` `Cybereason: malicious.bcb9a5` `Arcabit: Trojan.Generic.D86808A` `TrendMicro: TROJ_GEN.R002C0DBT20` `Symantec: Trojan.Gen.2` `Kaspersky: Trojan.Win32.Diple.fzxp` `BitDefender: Trojan.Generic.8814730` `NANO-Antivirus: Trojan.Win32.Swrort.cylunw` `Rising: Trojan.Win32.Generic.148A80CB (C64:YzY0Ol75g2fxYVfK)` `Ad-Aware: Trojan.Generic.8814730` `Emsisoft: Trojan.Generic.8814730 (B)` `Comodo: Malware@#2eohwuae0cmy9` `F-Secure: Trojan.TR/Swrort.A.8471` `Zillya: Trojan.Diple.Win32.78248` `McAfee-GW-Edition: Artemis!Trojan` `Sophos: Mal/Generic-S` `SentinelOne: DFI - Suspicious PE` `Jiangmin: Trojan/Generic.autgc` `Avira: TR/Swrort.A.8471` `Fortinet: W32/Diple.FZXP!tr` `Antiy-AVL: Trojan/Win32.AGeneric` `Endgame: malicious (high confidence)` `Microsoft: Trojan:Win32/Leivion.I` `AegisLab: Trojan.Win32.Diple.4!c` `ZoneAlarm: Trojan.Win32.Diple.fzxp` `TACHYON: Trojan/W32.Diple.155136` `ALYac: Trojan.Generic.8814730` `MAX: malware (ai score=100)` `VBA32: Backdoor.Swrort` `Panda: Generic Malware` `ESET-NOD32: a variant of Generik.CNEOVNE` `TrendMicro-HouseCall: TROJ_GEN.R002C0DBT20` `Tencent: Win32.Trojan.Diple.Wweg` `Yandex: Trojan.Diple!fmId3uybRkY` `Ikarus: Trojan.Veil` `MaxSecure: Trojan.Malware.10368649.susgen` `GData: Trojan.Generic.8814730` `Webroot: W32.Trojan.Gen` `AVG: Multi:Swrort-A [Trj]` `Avast: Multi:Swrort-A [Trj]` `CrowdStrike: win/malicious_confidence_100% (W)` `Qihoo-360: Win32/Trojan.fb5`

Hashes

MD5	`dbf64c0bcb9a554271f9237da770a9d0`
SHA1	`ec8626dd173be06abdc0ef6a6045c0cdda1570a7`
SHA256	`d5d79212939f3976805b6576795e6689f4cc9fa607565f5491156687fe1dcb91`
SHA3	`2bb57f1ad4e6518bd9512a65588965ec4af0a52dcaec6d5fb4ebb95e8c05f1ed`
SSDeep	`1536:Ko8JiXnbbQakmNoBJMDG7HuyAuOs2HaJ8kq2+cqk0qjRVfG8MZRlCa5uS6vj1:KXJiX4akfBiqubur+iy8M7lCa5y`
Imports Hash	`f3d7e0ef0ea093f772ccaceb0277aaa6`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0xe0`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_I386`
NumberofSections	`4`
TimeDateStamp	2013-Jan-02 09:46:37
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xe0`
Characteristics	`IMAGE_FILE_32BIT_MACHINE` `IMAGE_FILE_EXECUTABLE_IMAGE`

Image Optional Header

Magic	`PE32`
LinkerVersion	`9.0`
SizeOfCode	`0x19000`
SizeOfInitializedData	`0xe600`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x00006D2A (Section: .text)`
BaseOfCode	`0x1000`
BaseOfData	`0x1a000`
ImageBase	`0x400000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`5.0`
ImageVersion	`0.0`
SubsystemVersion	`5.0`
Win32VersionValue	`0`
SizeOfImage	`0x2a000`
SizeOfHeaders	`0x400`
Checksum	`0`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_CUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` `IMAGE_DLLCHARACTERISTICS_NX_COMPAT` `IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`2cd3466f82dfdaadd151fde71281a3e3`
SHA1	`484d5d04b9f3aa58d8d9807854c1508e0944f0b2`
SHA256	`b89c49318ca77fd0a35a129a2ef03bedc9d151e445dc7c26562b9717c7ea23d3`
SHA3	`1685a5d1e40ca1eafba87dfaaac57a6b5cab55b429bfa4a3836175443187b307`
VirtualSize	`0x18e90`
VirtualAddress	`0x1000`
SizeOfRawData	`0x19000`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.57344`

.rdata

MD5	`08bcf77326ee95cfed793cc074246e19`
SHA1	`7f3f7ddf758ad6e71015afe53483921015916b2f`
SHA256	`0e5ebd166b535084941cb9b57ee11d0309253e1192bb2d32e28fe21b8af0755f`
SHA3	`d865e748d16068b47c228b4c8cbe4b82144b1fd78bce24640dbe916a7f08caec`
VirtualSize	`0x4980`
VirtualAddress	`0x1a000`
SizeOfRawData	`0x4a00`
PointerToRawData	`0x19400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`5.61155`

.data

MD5	`e5cdcc3732e435a601d901e88fbfe8cb`
SHA1	`5f5ed12e3f14647b2368fcabc6a66b96754bed48`
SHA256	`c3f5062fba419f53092880c03c3723d32513fd2e448b9578c98baa74e8e15c47`
SHA3	`67a4e5d66ab06b7dd023a6b09fa7524f1c572d21dfaac46b068348a9d52f70ee`
VirtualSize	`0x874c`
VirtualAddress	`0x1f000`
SizeOfRawData	`0x6c00`
PointerToRawData	`0x1de00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`5.65436`

.reloc

MD5	`c59001aed69bd578a220af9f1d9aec6a`
SHA1	`2b1fea21a12778f519319cecfa88e099ec08a367`
SHA256	`eb483e42d97334e103cd20f2d1660eb50100123a2275a6b444eefb463f3f038e`
SHA3	`ed90c4900a1ea725b7e05aba5ecbe86f67c9db85d5f51138e053e0ca33bf3622`
VirtualSize	`0x1270`
VirtualAddress	`0x28000`
SizeOfRawData	`0x1400`
PointerToRawData	`0x24a00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`6.37317`

Imports

KERNEL32.dll	`FreeLibrary` `LoadLibraryExA` `IsBadStringPtrW` `GetSystemDirectoryA` `lstrlenA` `GetVersionExA` `WriteFile` `lstrcpynA` `OutputDebugStringA` `GetCurrentProcessId` `LoadLibraryA` `SetStdHandle` `SetEnvironmentVariableA` `CompareStringW` `GetModuleHandleA` `GetProcAddress` `LocalAlloc` `LocalFree` `GetCurrentProcess` `GetLastError` `GetStdHandle` `CloseHandle` `ReadConsoleInputA` `SetConsoleMode` `GetConsoleMode` `PeekConsoleInputA` `GetNumberOfConsoleInputEvents` `HeapFree` `HeapAlloc` `GetCommandLineA` `TerminateProcess` `UnhandledExceptionFilter` `SetUnhandledExceptionFilter` `IsDebuggerPresent` `CreateFileA` `DeleteCriticalSection` `LeaveCriticalSection` `FatalAppExitA` `EnterCriticalSection` `HeapCreate` `HeapDestroy` `VirtualFree` `VirtualAlloc` `HeapReAlloc` `GetModuleHandleW` `Sleep` `ExitProcess` `GetModuleFileNameA` `GetFileAttributesA` `FreeEnvironmentStringsA` `GetEnvironmentStrings` `FreeEnvironmentStringsW` `WideCharToMultiByte` `GetEnvironmentStringsW` `SetHandleCount` `GetFileType` `GetStartupInfoA` `TlsGetValue` `TlsAlloc` `TlsSetValue` `TlsFree` `InterlockedIncrement` `SetLastError` `GetCurrentThreadId` `InterlockedDecrement` `GetCurrentThread` `QueryPerformanceCounter` `GetTickCount` `GetSystemTimeAsFileTime` `WriteConsoleA` `GetConsoleOutputCP` `WriteConsoleW` `MultiByteToWideChar` `InitializeCriticalSectionAndSpinCount` `RtlUnwind` `GetCPInfo` `GetACP` `GetOEMCP` `IsValidCodePage` `SetConsoleCtrlHandler` `InterlockedExchange` `GetExitCodeProcess` `WaitForSingleObject` `CreateProcessA` `GetConsoleCP` `FlushFileBuffers` `LCMapStringA` `LCMapStringW` `GetStringTypeA` `GetStringTypeW` `GetTimeFormatA` `GetDateFormatA` `GetUserDefaultLCID` `GetLocaleInfoA` `EnumSystemLocalesA` `IsValidLocale` `SetFilePointer` `HeapSize` `GetLocaleInfoW` `CompareStringA` `GetTimeZoneInformation`
USER32.dll	`ExitWindowsEx` `MessageBoxA`
ADVAPI32.dll	`RegDeleteValueA` `RegCloseKey` `RegSetValueExA` `OpenProcessToken` `LookupPrivilegeValueA` `AdjustTokenPrivileges` `RegOpenKeyA`

Delayed Imports

Version Info

IMAGE_DEBUG_TYPE_CODEVIEW

Characteristics	`0`
TimeDateStamp	2013-Jan-02 09:46:37
Version	`0.0`
SizeofData	`97`
AddressOfRawData	`0x1d7f0`
PointerToRawData	`0x1cbf0`
Referenced File	X:\dev\_exploits\_Local\WindowsRegistryRootkit\bin\rootkit_installer.pdb

TLS Callbacks

Load Configuration

RICH Header

XOR Key	`0x1041fc85`
Unmarked objects	`0`
ASM objects (VS2008 SP1 build 30729)	`17`
C objects (VS2008 SP1 build 30729)	`101`
18 (8444)	`1`
Imports (VS2012 build 50727 / VS2005 build 50727)	`7`
Total imports	`110`
C++ objects (VS2008 SP1 build 30729)	`36`
Resource objects (VS2008 SP1 build 30729)	`1`

dbf64c0bcb9a554271f9237da770a9d0

Summary

Plugin Output

Hashes

DOS Header

PE Header

Image Optional Header

.text

.rdata

.data

.reloc

Imports

Delayed Imports

Version Info

IMAGE_DEBUG_TYPE_CODEVIEW

TLS Callbacks

Load Configuration

RICH Header

Errors