Manalyze report for de2d8e2a17572dfe06c5a44cb0ef61ca

Summary

Architecture	`IMAGE_FILE_MACHINE_I386`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	2016-Oct-26 22:27:26
Detected languages	Russian - Russia

Plugin Output

Suspicious	The PE is possibly packed.	`Unusual section name found: .Text` `Unusual section name found: .qdata`
Info	The PE contains common functions which appear in legitimate applications.	`Possibly launches other programs: ShellExecuteA ShellExecuteW CreateProcessW`
Malicious	VirusTotal score: 45/63 (Scanned on 2018-03-20 10:06:18)	`Bkav: HW32.Packed.924C` `MicroWorld-eScan: Trojan.Agent.CWCK` `nProtect: Trojan/W32.Nymaim.519680.K` `McAfee: Trojan-FPIW!DE2D8E2A1757` `Cylance: Unsafe` `K7AntiVirus: Trojan ( 00515aa21 )` `K7GW: Trojan ( 00515aa21 )` `Arcabit: Trojan.Agent.CWCK` `Baidu: Win32.Trojan.WisdomEyes.16070401.9500.9999` `Cyren: W32/Agent.AQW.gen!Eldorado` `Symantec: ML.Attribute.HighConfidence` `ESET-NOD32: Win32/TrojanDownloader.Nymaim.BA` `Kaspersky: Trojan.Win32.Nymaim.begd` `BitDefender: Trojan.Agent.CWCK` `NANO-Antivirus: Trojan.Win32.Nymaim.eyvsre` `Rising: Trojan.Kryptik!1.B0A8 (CLASSIC)` `Ad-Aware: Trojan.Agent.CWCK` `Emsisoft: Trojan.Agent.CWCK (B)` `F-Secure: Trojan.Agent.CWCK` `DrWeb: Trojan.MulDrop8.2771` `Zillya: Trojan.Nymaim.Win32.7088` `Invincea: heuristic` `McAfee-GW-Edition: BehavesLike.Win32.Generic.hc` `Sophos: Mal/Elenoocka-E` `SentinelOne: static engine - malicious` `F-Prot: W32/Agent.AQW.gen!Eldorado` `Jiangmin: Trojan.Nymaim.eas` `Fortinet: W32/GenKryptik.BTGN!tr` `Antiy-AVL: Trojan/Win32.Nymaim` `Endgame: malicious (high confidence)` `Microsoft: TrojanDownloader:Win32/Nymaim.K` `ZoneAlarm: Trojan.Win32.Nymaim.begd` `AhnLab-V3: Unwanted/Win32.Agent.R222588` `ALYac: Trojan.Agent.CWCK` `MAX: malware (ai score=85)` `Malwarebytes: Trojan.MalPack` `WhiteArmor: Malware.HighConfidence` `Panda: Trj/Genetic.gen` `Ikarus: Trojan-Downloader.Nymaim` `eGambit: Unsafe.AI_Score_98%` `GData: Trojan.Agent.CWCK` `AVG: Win32:Malware-gen` `Avast: Win32:Malware-gen` `CrowdStrike: malicious_confidence_100% (D)` `Qihoo-360: HEUR/QVM20.1.F271.Malware.Gen`

Hashes

MD5	`de2d8e2a17572dfe06c5a44cb0ef61ca`
SHA1	`a9dfa4533f9f2cf505abd8b3891e5b08628b5798`
SHA256	`fd9407ea53791983d32944d22fed2ff6fa287b5efb84812569bd36943c175113`
SHA3	`30ec1cf932a4156dbc57a283e6c1e1ac8d8f38173a8c057971b9275e639a336c`
SSDeep	`12288:h+79dSNVJP1i6mk2qC53GcVIO/oKmY8uUit+2Nd:ySNVJLBCBGcVLX8uUK+2`
Imports Hash	`268c38457fa3ca87ae9d052ec7cf4494`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0x80`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_I386`
NumberofSections	`3`
TimeDateStamp	2016-Oct-26 22:27:26
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xe0`
Characteristics	`IMAGE_FILE_32BIT_MACHINE` `IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_RELOCS_STRIPPED`

Image Optional Header

Magic	`PE32`
LinkerVersion	`16.1`
SizeOfCode	`0x7d000`
SizeOfInitializedData	`0x1c00`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x0000123B (Section: .Text)`
BaseOfCode	`0x1000`
BaseOfData	`0x7e000`
ImageBase	`0x400000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`5.1`
ImageVersion	`5.1`
SubsystemVersion	`5.1`
Win32VersionValue	`0`
SizeOfImage	`0x81000`
SizeOfHeaders	`0x200`
Checksum	`0x8ab9e`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_NX_COMPAT` `IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.Text

MD5	`3583151abf6b5a4fc1157dd4d581d8d4`
SHA1	`065f74b224405c770df3ed85b299933efb9e5cc7`
SHA256	`676149e85682456fa3268a139dd4244870ddf326efe3044a6d5311b51a2a5627`
SHA3	`198a964568d8fd60386adb4c9730f7a6ad1b7180c8af8e3eae17b1db3fb1f0dc`
VirtualSize	`0x7cece`
VirtualAddress	`0x1000`
SizeOfRawData	`0x7d000`
PointerToRawData	`0x200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`7.99649`

.qdata

MD5	`2745d9a0eb0b2af56828dc7b1aa20be3`
SHA1	`217084a97e178a89590c189c4d1699f82d89df8a`
SHA256	`bf3056982cd87bc0d5e385b8d9861a2ec275f5b41975c34b4d83027f20ba12c3`
SHA3	`82e4c9cad7f35f9d5c7ca409091c42305f50b5f425f3ee49cae7387800d23fc9`
VirtualSize	`0x16d0`
VirtualAddress	`0x7e000`
SizeOfRawData	`0x1800`
PointerToRawData	`0x7d200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`5.56551`

.rsrc

MD5	`e03226d1493eb0f4f1b1dd77f6096b81`
SHA1	`1bdfe8ecaf5196c65c20782deadd2b6e8602bc9f`
SHA256	`c3970fa351542df62ab25d55b0f5e6090196e4ac291f8a8c4e998ffe753e8851`
SHA3	`084dc69d82619012b5c03a3535ac13b223a8694e66081156cec69b17f5fe352e`
VirtualSize	`0x290`
VirtualAddress	`0x80000`
SizeOfRawData	`0x400`
PointerToRawData	`0x7ea00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`0.256468`

Imports

cmpbk32.dll	`PhoneBookEnumNumbers` `PhoneBookEnumCountries` `PhoneBookLoad` `PhoneBookCopyFilter` `PhoneBookFreeFilter`
shell32.dll	`ExtractIconW` `SHFileOperationA` `StrRStrA` `SHUpdateImageA` `DllGetClassObject` `DragQueryFileW` `SHGetFolderPathW` `FindExecutableW` `SHQueryRecycleBinA` `ShellExecuteA` `ShellExecuteW` `SHDefExtractIconW` `StrStrW` `StrChrW` `ShellAboutW` `ShellMessageBoxA`
kernel32.dll	`GetFileSize` `GetModuleHandleA` `GetACP` `SetVolumeLabelA` `GetCurrentDirectoryW` `HeapReAlloc` `OpenJobObjectW` `GetCurrentDirectoryW` `CloseHandle` `GetCurrentDirectoryW` `GetCurrentDirectoryW` `CreateProcessW` `DeleteFileA` `GetCurrentDirectoryW` `CreateSemaphoreW` `ReadConsoleA` `GetCurrentDirectoryW` `GetConsoleTitleA` `WaitForSingleObject` `GetCurrentDirectoryW` `GetCurrentDirectoryW` `GetModuleFileNameA` `GetCurrentDirectoryW` `GetProcAddress` `GetCurrentDirectoryW` `GetCurrentDirectoryW` `GetExpandedNameA`
user32.dll	`BeginPaint` `DispatchMessageW` `FlashWindow` `CreateDesktopW` `IsDialogMessageA` `DialogBoxParamA` `PostMessageW` `GetPropA` `PeekMessageW` `CharToOemA` `wsprintfA` `LoadMenuW` `GetDlgItemTextW` `IsCharUpperA` `LoadCursorA`
shlwapi.dll	`UrlEscapeW` `UrlIsW` `UrlHashW` `UrlIsOpaqueA` `PathCombineA` `UrlGetLocationA` `PathIsRootW` `PathCommonPrefixW` `UrlGetPartA` `UrlUnescapeW` `UrlCompareA`
rsaenh.dll	`CPGenKey` `CPDecrypt` `CPCreateHash` `CPEncrypt`

Delayed Imports

1

Type	`RT_RCDATA`
Language	Russian - Russia
Codepage	UNKNOWN
Size	`0x100`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`0`
MD5	`348a9791dc41b89796ec3808b5b5262f`
SHA1	`b376885ac8452b6cbf9ced81b1080bfd570d9b91`
SHA256	`5341e6b2646979a70e57653007a1f310169421ec9bdd9f1a5648f75ade005af1`
SHA3	`47af990afa74cf47281fe85246e796e7963fce8e05c443d221aaf1ebaf238b1d`

2

Type	`RT_RCDATA`
Language	Russian - Russia
Codepage	UNKNOWN
Size	`0x100`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`0`
MD5	`348a9791dc41b89796ec3808b5b5262f`
SHA1	`b376885ac8452b6cbf9ced81b1080bfd570d9b91`
SHA256	`5341e6b2646979a70e57653007a1f310169421ec9bdd9f1a5648f75ade005af1`
SHA3	`47af990afa74cf47281fe85246e796e7963fce8e05c443d221aaf1ebaf238b1d`

Version Info

IMAGE_DEBUG_TYPE_UNKNOWN

Characteristics	`0`
TimeDateStamp	2017-May-09 02:47:42
Version	`0.0`
SizeofData	`27`
AddressOfRawData	`0x1c`
PointerToRawData	`0x420`

TLS Callbacks

Load Configuration

RICH Header

Errors

[*] Warning: Could not read the name of the DLL to be delay-loaded!