Manalyze report for dd537b1fe5e80d0e9e44cde818e283a4

Summary

Architecture	`IMAGE_FILE_MACHINE_AMD64`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_CUI`
Compilation Date	2017-Sep-01 12:08:16
Detected languages	English - United States

Plugin Output

Suspicious	This PE is packed with VMProtect	`Unusual section name found: .nv_fatb` `Unusual section name found: .nvFatBi` `Unusual section name found: .vmp0` `Unusual section name found: .vmp1`
Suspicious	The PE contains functions most legitimate programs don't use.	`Can access the registry: RegQueryValueExA` `Leverages the raw socket API to access the Internet: #3` `Interacts with services: OpenSCManagerW EnumServicesStatusExW OpenServiceW QueryServiceConfigW`
Malicious	VirusTotal score: 39/64 (Scanned on 2017-09-21 16:06:23)	`MicroWorld-eScan: Application.BitCoinMiner.SL` `CAT-QuickHeal: RiskTool.Generic` `McAfee: Artemis!DD537B1FE5E8` `VIPRE: Trojan.Win32.Generic!BT` `K7AntiVirus: Unwanted-Program ( 004fc8511 )` `K7GW: Unwanted-Program ( 004fc8511 )` `TrendMicro: TROJ_GEN.R02KC0OIA17` `Baidu: Win32.Trojan.WisdomEyes.16070401.9500.9995` `Symantec: PUA.Bitcoinminer` `ESET-NOD32: a variant of Win64/BitCoinMiner.BX potentially unsafe` `TrendMicro-HouseCall: TROJ_GEN.R02KC0OIA17` `Avast: FileRepMetagen [PUP]` `Kaspersky: not-a-virus:RiskTool.Win32.Generic` `BitDefender: Application.BitCoinMiner.SL` `NANO-Antivirus: Riskware.Win64.BitCoinMiner.esqcza` `Ad-Aware: Application.BitCoinMiner.SL` `Comodo: ApplicUnwnt` `F-Secure: Application.BitCoinMiner.SL` `Invincea: heuristic` `McAfee-GW-Edition: BehavesLike.Win64.BadFile.vc` `Emsisoft: Application.BitCoinMiner.SL (B)` `SentinelOne: static engine - malicious` `Cyren: W64/Trojan.OVJF-7130` `Jiangmin: RiskTool.Generic.fos` `Webroot: W32.Miner` `Avira: PUA/BitCoinMiner.C` `Antiy-AVL: RiskWare[RiskTool]/Win32.AGeneric` `Endgame: malicious (high confidence)` `Arcabit: Application.BitCoinMiner.SL` `ZoneAlarm: not-a-virus:RiskTool.Win32.Generic` `GData: Application.BitCoinMiner.SL` `AhnLab-V3: PUP/Win64.BitCoinMiner.R202810` `AVware: Trojan.Win32.Generic!BT` `Yandex: Riskware.Agent!` `Ikarus: PUA.BitCoinMiner` `Fortinet: Riskware/Generic` `AVG: FileRepMetagen [PUP]` `Panda: Trj/CI.A` `CrowdStrike: malicious_confidence_100% (D)`

Hashes

MD5	`dd537b1fe5e80d0e9e44cde818e283a4`
SHA1	`63d823c9e8620bf5f6f30276ff4dc8f4f512119e`
SHA256	`ab94374f5cca47b85f5859f22aad825fe9ff23b9fd0e7943a8b86cddc99bc5d0`
SHA3	`8cc77abe05c1c1978af79e8054837fcfe22f8a5218b5f6dce551fbb2e84af65f`
SSDeep	`49152:AKSPVzHy/Ss6R50QxjQNplPA1WMVQsY7xKFHQmzopPRCC5i7wuGG6yyTXLrUI:C9Ly/SsQ5IpPA1ldguQmzoPf3T7L4I`
Imports Hash	`cc019bc7d4837d678a37b681f0ba6a93`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0x108`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_AMD64`
NumberofSections	`10`
TimeDateStamp	2017-Sep-01 12:08:16
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xf0`
Characteristics	`IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LARGE_ADDRESS_AWARE`

Image Optional Header

Magic	`PE32+`
LinkerVersion	`11.0`
SizeOfCode	`0x66000`
SizeOfInitializedData	`0x2a6400`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x00000000005BEC3B (Section: .vmp1)`
BaseOfCode	`0x1000`
ImageBase	`0x140000000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`6.0`
ImageVersion	`0.0`
SubsystemVersion	`6.0`
Win32VersionValue	`0`
SizeOfImage	`0x89b000`
SizeOfHeaders	`0x400`
Checksum	`0`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_CUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` `IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA` `IMAGE_DLLCHARACTERISTICS_NX_COMPAT` `IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE`
SizeofStackReserve	`0x7a1200`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`d41d8cd98f00b204e9800998ecf8427e`
SHA1	`da39a3ee5e6b4b0d3255bfef95601890afd80709`
SHA256	`e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`
SHA3	`a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a`
VirtualSize	`0x65fc8`
VirtualAddress	`0x1000`
SizeOfRawData	`0`
PointerToRawData	`0`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`

.rdata

MD5	`d41d8cd98f00b204e9800998ecf8427e`
SHA1	`da39a3ee5e6b4b0d3255bfef95601890afd80709`
SHA256	`e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`
SHA3	`a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a`
VirtualSize	`0x1fe32`
VirtualAddress	`0x67000`
SizeOfRawData	`0`
PointerToRawData	`0`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`

.data

MD5	`d41d8cd98f00b204e9800998ecf8427e`
SHA1	`da39a3ee5e6b4b0d3255bfef95601890afd80709`
SHA256	`e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`
SHA3	`a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a`
VirtualSize	`0x3ecf8`
VirtualAddress	`0x87000`
SizeOfRawData	`0`
PointerToRawData	`0`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`

.pdata

MD5	`d41d8cd98f00b204e9800998ecf8427e`
SHA1	`da39a3ee5e6b4b0d3255bfef95601890afd80709`
SHA256	`e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`
SHA3	`a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a`
VirtualSize	`0x3e4c`
VirtualAddress	`0xc6000`
SizeOfRawData	`0`
PointerToRawData	`0`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`

.nv_fatb

MD5	`d41d8cd98f00b204e9800998ecf8427e`
SHA1	`da39a3ee5e6b4b0d3255bfef95601890afd80709`
SHA256	`e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`
SHA3	`a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a`
VirtualSize	`0x23ee50`
VirtualAddress	`0xca000`
SizeOfRawData	`0`
PointerToRawData	`0`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`

.nvFatBi

MD5	`d41d8cd98f00b204e9800998ecf8427e`
SHA1	`da39a3ee5e6b4b0d3255bfef95601890afd80709`
SHA256	`e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`
SHA3	`a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a`
VirtualSize	`0x18`
VirtualAddress	`0x309000`
SizeOfRawData	`0`
PointerToRawData	`0`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`

.vmp0

MD5	`d41d8cd98f00b204e9800998ecf8427e`
SHA1	`da39a3ee5e6b4b0d3255bfef95601890afd80709`
SHA256	`e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`
SHA3	`a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a`
VirtualSize	`0x290e35`
VirtualAddress	`0x30a000`
SizeOfRawData	`0`
PointerToRawData	`0`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`

.vmp1

MD5	`8ed89679bb0c81a2bc27e5634221fb7b`
SHA1	`02e1d62b799d9149073b32f4c9deba6d3cd2b159`
SHA256	`540e5b976fe049da69a1516e993c1674479daad66411dd5775016e776d1f3d21`
SHA3	`cfb66bda3781125cef8485ee4b624ffe5cd097a188c56edb1ec10cfab1e00cbc`
VirtualSize	`0x2fd81c`
VirtualAddress	`0x59b000`
SizeOfRawData	`0x2fda00`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`7.98352`

.reloc

MD5	`dfcca0651b33fa15771043e3e01d3d6e`
SHA1	`6c450bb2a091285bef46267efcd405f3dcee921d`
SHA256	`3251aa4f4480ddbf23ab827efd1da2ab8fdaa0858116c68060eb3001bc776f75`
SHA3	`e70d6fb9c560765e0ac24dd1a78f1b555b0d51a7d1429e7572b463b88103696a`
VirtualSize	`0x18`
VirtualAddress	`0x899000`
SizeOfRawData	`0x200`
PointerToRawData	`0x2fde00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`0.256865`

.rsrc

MD5	`1fc656c871b06230c3d313d7ae0274e6`
SHA1	`b4861bce1a16a9b442e706bb89009b8d1d53cace`
SHA256	`ed7f0c1a06e84294745a91fe9780c5a38c8dfcc23acc1132abca7a59e1ca51ee`
SHA3	`f5bad58b83f755fcc87881a7705033cdac2b8c4c0324df292c018782f60ebee6`
VirtualSize	`0x27c`
VirtualAddress	`0x89a000`
SizeOfRawData	`0x400`
PointerToRawData	`0x2fe000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`3.85158`

Imports

WS2_32.dll	`#3`
libcurl.dll	`curl_slist_append`
OpenCL.dll	`clSetKernelArg`
KERNEL32.dll	`GetFileAttributesExW`
USER32.dll	`MessageBoxW`
cudart64_80.dll	`cudaGetLastError`
IPHLPAPI.DLL	`GetNetworkParams`
WTSAPI32.dll	`WTSSendMessageW`
KERNEL32.dll (#2)	`GetFileAttributesExW`
USER32.dll (#2)	`MessageBoxW`
ADVAPI32.dll	`RegQueryValueExA`
KERNEL32.dll (#3)	`GetFileAttributesExW`
ADVAPI32.dll (#2)	`RegQueryValueExA`

Delayed Imports

1

Type	`RT_MANIFEST`
Language	English - United States
Codepage	UNKNOWN
Size	`0x224`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.04378`
MD5	`245b863be176aab16ef1dbe168defe03`
SHA1	`c0a369f6f0e77b89c5d9d37fb94e1d5e2d431b5b`
SHA256	`59ba97d56a01766792386c3b379946bb613c8921e3daf8a878855a268ad5e4aa`
SHA3	`7efbe82f17422b353f747a146c1e8f1b9df37e90648150f2020442ff9477341e`

Version Info

TLS Callbacks

Load Configuration

Size	`0x70`
TimeDateStamp	`1970-Jan-01 00:00:00`
Version	`0.0`
GlobalFlagsClear	`(EMPTY)`
GlobalFlagsSet	`(EMPTY)`
CriticalSectionDefaultTimeout	`0`
DeCommitFreeBlockThreshold	`0`
DeCommitTotalFreeThreshold	`0`
LockPrefixTable	`0`
MaximumAllocationSize	`0`
VirtualMemoryThreshold	`0`
ProcessAffinityMask	`0`
ProcessHeapFlags	`(EMPTY)`
CSDVersion	`0`
Reserved1	`0`
EditList	`0`
SecurityCookie	`0x140087ba8`

RICH Header

XOR Key	`0xfb94f68d`
Unmarked objects	`0`
199 (41118)	`4`
ASM objects (50929)	`21`
C++ objects (50929)	`76`
C objects (50929)	`265`
Imports (VS2010 SP1 build 40219)	`4`
Imports (VS2012 UPD4 build 61030)	`2`
185 (30716)	`9`
Total imports	`213`
C++ objects (61219)	`1`
211 (61219)	`39`
Resource objects (VS2012 UPD4 build 61030)	`1`
Linker (VS2012 UPD4 build 61030)	`1`

Errors

[!] Error: Could not read the exported DLL name.
[*] Warning: Section .text has a size of 0!
[*] Warning: Section .rdata has a size of 0!
[*] Warning: Section .data has a size of 0!
[*] Warning: Section .pdata has a size of 0!
[*] Warning: Section .nv_fatb has a size of 0!
[*] Warning: Section .nvFatBi has a size of 0!
[*] Warning: Section .vmp0 has a size of 0!