Manalyze report for e1bcc64752f50deec06c204434cf8670

Summary

Architecture	`IMAGE_FILE_MACHINE_I386`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_CUI`
Compilation Date	2017-Nov-06 08:09:12
Detected languages	English - United States German - Germany

Plugin Output

Info	Matching compiler(s):	`Microsoft Visual C++ 6.0 - 8.0`
Info	The PE contains common functions which appear in legitimate applications.	`[!] The program may be hiding some of its imports: GetProcAddress LoadLibraryExW`
Malicious	VirusTotal score: 44/68 (Scanned on 2017-11-14 21:03:30)	`MicroWorld-eScan: Trojan.GenericKD.12541634` `CAT-QuickHeal: Trojan.Agent` `McAfee: RDN/Generic Dropper` `Cylance: Unsafe` `Zillya: Dropper.Agent.Win32.280161` `K7GW: Trojan ( 0051ae5a1 )` `K7AntiVirus: Trojan ( 0051ae5a1 )` `Arcabit: Trojan.Generic.DBF5EC2` `Invincea: heuristic` `Symantec: Trojan.Gen.2` `TrendMicro-HouseCall: TROJ_GEN.R011C0PK917` `Avast: Win32:Malware-gen` `Kaspersky: Trojan.Win32.Agent.ikvy` `BitDefender: Trojan.GenericKD.12541634` `Paloalto: generic.ml` `AegisLab: Troj.Generickd!c` `Tencent: Win32.Trojan.Agent.Ajvg` `Ad-Aware: Trojan.GenericKD.12541634` `Emsisoft: Trojan.GenericKD.12541634 (B)` `Comodo: UnclassifiedMalware` `F-Secure: Trojan.GenericKD.12541634` `DrWeb: Trojan.Siggen7.31529` `VIPRE: Trojan.Win32.Generic!BT` `TrendMicro: TROJ_GEN.R011C0PK917` `McAfee-GW-Edition: RDN/Generic Dropper` `Sophos: Mal/Generic-S` `Ikarus: Trojan-Dropper.Win32.Agent` `Webroot: W32.Trojan.Gen` `Avira: TR/Drop.Agent.ceuii` `Fortinet: W32/Agent.RUB!tr` `Antiy-AVL: Trojan/Win32.TSGeneric` `Endgame: malicious (high confidence)` `Microsoft: Trojan:Win32/Tiggre!rfn` `ViRobot: Trojan.Win32.S.Agent.183296.FT` `ZoneAlarm: Trojan.Win32.Agent.ikvy` `AhnLab-V3: Trojan/Win32.Injector.C2250605` `ALYac: Trojan.GenericKD.12541634` `AVware: Trojan.Win32.Generic!BT` `MAX: malware (ai score=100)` `ESET-NOD32: a variant of Win32/TrojanDropper.Agent.RUB` `GData: Trojan.GenericKD.12541634` `AVG: Win32:Malware-gen` `Panda: Trj/GdSda.A` `CrowdStrike: malicious_confidence_100% (D)`

Hashes

MD5	`e1bcc64752f50deec06c204434cf8670`
SHA1	`5a2dfc132a0eada14e55daeee2f4fcc2b0379569`
SHA256	`a80ea6390a2c31f8535f01126b3b49840af50aa43854fd9c58ef0ff656b198cc`
SHA3	`c982b4494fece5595df2f389c62c43d7a004237750529fd0a0c2ecdc009b1c02`
SSDeep	`3072:tEQcXGI/mOJwBXju2JqWo/YREgG8KiH9UQBsEkepRk03SVjDQ113V+M0p:bQGA65jvbG8KiH9UfEkSRk75Fp`
Imports Hash	`8261a1ec40b30812603e50d2cce268b2`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0x120`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_I386`
NumberofSections	`7`
TimeDateStamp	2017-Nov-06 08:09:12
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xe0`
Characteristics	`IMAGE_FILE_32BIT_MACHINE` `IMAGE_FILE_EXECUTABLE_IMAGE`

Image Optional Header

Magic	`PE32`
LinkerVersion	`14.0`
SizeOfCode	`0xe200`
SizeOfInitializedData	`0x1f200`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x000028D8 (Section: .text)`
BaseOfCode	`0x1000`
BaseOfData	`0x10000`
ImageBase	`0x400000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`6.0`
ImageVersion	`0.0`
SubsystemVersion	`6.0`
Win32VersionValue	`0`
SizeOfImage	`0x34000`
SizeOfHeaders	`0x400`
Checksum	`0`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_CUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` `IMAGE_DLLCHARACTERISTICS_NX_COMPAT` `IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`1fde1f1631262893c7a8bf5b81f35ad0`
SHA1	`c2f8e9278422b8a7b336efe65a62ce1693b9316d`
SHA256	`de107a5c4baa360d88259bc7dc371aeb4d33d8cf6a8c169fad151153ec396163`
SHA3	`2c4d758e10a40e0aaf25ad8640b1bb6fdabaa0c9157037f10b472f3503832d1f`
VirtualSize	`0xe06e`
VirtualAddress	`0x1000`
SizeOfRawData	`0xe200`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.60077`

.rdata

MD5	`9dc292c3e31b7b8c629ea24ee8281b3c`
SHA1	`8a3565e9dbbb07ed0f3ef37bfe643a1b7c036f82`
SHA256	`9b685f730c29d7e5a6af60457ce76cf22025f9b090361c9f52186db9f73d892c`
SHA3	`29e8ae0ad17e66320efbce252231cfcc1db120a154f0e39af6bc18aabdd1d0c1`
VirtualSize	`0x1b0b8`
VirtualAddress	`0x10000`
SizeOfRawData	`0x1b200`
PointerToRawData	`0xe600`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`7.23056`

.data

MD5	`86fbf8a9d2b846d2d28848ac99bbd306`
SHA1	`32d0f0f578b2b6d210d6ae696d940f63d4235af2`
SHA256	`1e60bbeaf5028dccc50d6b5a82582b54d3ae45be511df7e1527defa8efe013c7`
SHA3	`ef6d61626dfad2d1361b66d078f9427a45e9d2795c25a644a9c1a3f89fac15e5`
VirtualSize	`0x146c`
VirtualAddress	`0x2c000`
SizeOfRawData	`0xa00`
PointerToRawData	`0x29800`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`2.9067`

.tls

MD5	`1f354d76203061bfdd5a53dae48d5435`
SHA1	`aa0d33a0c854e073439067876e932688b65cb6a9`
SHA256	`4c6474903705cb450bb6434c29e8854f17d8324efca1fdb9ee9008599060883a`
SHA3	`991fbbd46bbd69198269fe6c247d440e0f8a7d38259b7a1e04b74790301d1d2b`
VirtualSize	`0x9`
VirtualAddress	`0x2e000`
SizeOfRawData	`0x200`
PointerToRawData	`0x2a200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`0.0203931`

.gfids

MD5	`af03b635625586ed8bc66f55552a827e`
SHA1	`4eab9aef65179ec9b6d9cd828a7533faab284d73`
SHA256	`32cc08ce5262054f235d2ce61ef4c705b77741db000ec345dcb4f4f5ba8600b7`
SHA3	`3b17c1f3240d2c6260fe95e4cff624e7843a20c6f63ac71bb82bc6df52aaa5cc`
VirtualSize	`0xf8`
VirtualAddress	`0x2f000`
SizeOfRawData	`0x200`
PointerToRawData	`0x2a400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`1.79769`

.rsrc

MD5	`cecef47406ce086820c6e1611daad867`
SHA1	`7434fc4307d4cccc8870b05acf42f72ecb81ea34`
SHA256	`7c217f79bc639bc70e2f29963f13e1b6d0540805a0b561f36e29929b1fb6008e`
SHA3	`21c5ec574c279bbc07db7bd5ce2c9e9a7bf93f7c7e0299f4cbf44cd6dbd7a2b0`
VirtualSize	`0x1330`
VirtualAddress	`0x30000`
SizeOfRawData	`0x1400`
PointerToRawData	`0x2a600`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`4.75293`

.reloc

MD5	`438dd85193a4fd4c2a4183ea6c0c7ee5`
SHA1	`684ad187883f6a6345c7454051cd113fce6cd3fc`
SHA256	`0b8deda6c3b9e0fe68c1b56f01732e86c0da6d5d317835a2f74169a783e8d6ab`
SHA3	`90a087374b7d6597252964a2c7881b6ac05e9346fcf4cab51b35199858c3577c`
VirtualSize	`0x1148`
VirtualAddress	`0x32000`
SizeOfRawData	`0x1200`
PointerToRawData	`0x2ba00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`6.45298`

Imports

KERNEL32.dll	`HeapFree` `InitializeCriticalSectionEx` `HeapSize` `GetLastError` `HeapReAlloc` `RaiseException` `HeapAlloc` `DecodePointer` `HeapDestroy` `DeleteCriticalSection` `GetProcessHeap` `WideCharToMultiByte` `CreateMutexA` `GetConsoleWindow` `Sleep` `lstrcmpiW` `WriteConsoleW` `FlushFileBuffers` `SetFilePointerEx` `GetConsoleMode` `GetConsoleCP` `GetStringTypeW` `SetStdHandle` `SetEnvironmentVariableA` `FreeEnvironmentStringsW` `GetEnvironmentStringsW` `CloseHandle` `EnterCriticalSection` `LeaveCriticalSection` `SetEvent` `ResetEvent` `WaitForSingleObjectEx` `CreateEventW` `GetModuleHandleW` `GetProcAddress` `UnhandledExceptionFilter` `SetUnhandledExceptionFilter` `GetCurrentProcess` `TerminateProcess` `IsProcessorFeaturePresent` `IsDebuggerPresent` `GetStartupInfoW` `QueryPerformanceCounter` `GetCurrentProcessId` `GetCurrentThreadId` `GetSystemTimeAsFileTime` `InitializeSListHead` `OutputDebugStringW` `EncodePointer` `InitializeCriticalSectionAndSpinCount` `TlsAlloc` `TlsGetValue` `TlsSetValue` `TlsFree` `FreeLibrary` `LoadLibraryExW` `SetLastError` `RtlUnwind` `MultiByteToWideChar` `ExitProcess` `GetModuleHandleExW` `GetModuleFileNameA` `GetStdHandle` `WriteFile` `GetCommandLineA` `GetCommandLineW` `GetACP` `GetFileType` `CompareStringW` `LCMapStringW` `FindClose` `FindFirstFileExA` `FindNextFileA` `IsValidCodePage` `GetOEMCP` `GetCPInfo` `CreateFileW`
USER32.dll	`ShowWindow` `MessageBoxW`
ole32.dll	`CoInitializeEx` `CoUninitialize` `CoCreateInstance` `CLSIDFromProgID`
OLEAUT32.dll	`#8` `#12` `#9` `#2`

Delayed Imports

1

Type	`RT_ICON`
Language	German - Germany
Codepage	UNKNOWN
Size	`0x10a8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`4.63473`
MD5	`9af48befaa2c864e2c4c731ebafef93d`
SHA1	`a644b4b8102288109e9524bcf21f39f551a2ce0e`
SHA256	`53937bab045aceb53ca73ea3f4211a6bc45a63cbc7fe7a08ec163127b30a382d`
SHA3	`ff36017b114f4d79cef45fb4768e085e653714f9789e3c35170fca18c3a017d7`

101

Type	`RT_GROUP_ICON`
Language	German - Germany
Codepage	UNKNOWN
Size	`0x14`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`1.7815`
Detected Filetype	Icon file
MD5	`3c68f77c35c26ff079a1c410ee44fa62`
SHA1	`0b40150c95fc2c6414c90d44ee78b8d8814b3393`
SHA256	`a14e70ed824f3f17d3a51136aa08839954d6d3ccadaa067415c7bfc08e6636b0`
SHA3	`590dcbf2ec3f485a6c24e3e627f383ee7588eb49978321f12c07d8190a6c1396`

1 (#2)

Type	`RT_MANIFEST`
Language	English - United States
Codepage	UNKNOWN
Size	`0x17d`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`4.91161`
MD5	`1e4a89b11eae0fcf8bb5fdd5ec3b6f61`
SHA1	`4260284ce14278c397aaf6f389c1609b0ab0ce51`
SHA256	`4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df`
SHA3	`4bb9e8b5a714cae82782f3831cc2d45f4bf4a50a755fe584d2d1893129d68353`

Version Info

IMAGE_DEBUG_TYPE_POGO

Characteristics	`0`
TimeDateStamp	2017-Nov-06 08:09:12
Version	`0.0`
SizeofData	`920`
AddressOfRawData	`0x29ef8`
PointerToRawData	`0x284f8`

IMAGE_DEBUG_TYPE_ILTCG

Characteristics	`0`
TimeDateStamp	2017-Nov-06 08:09:12
Version	`0.0`
SizeofData	`0`
AddressOfRawData	`0`
PointerToRawData	`0`

TLS Callbacks

StartAddressOfRawData	`0x42e000`
EndAddressOfRawData	`0x42e008`
AddressOfIndex	`0x42cd10`
AddressOfCallbacks	`0x4101a4`
SizeOfZeroFill	`0`
Characteristics	`IMAGE_SCN_ALIGN_4BYTES`
Callbacks	`(EMPTY)`

Load Configuration

Size	`0x5c`
TimeDateStamp	`1970-Jan-01 00:00:00`
Version	`0.0`
GlobalFlagsClear	`(EMPTY)`
GlobalFlagsSet	`(EMPTY)`
CriticalSectionDefaultTimeout	`0`
DeCommitFreeBlockThreshold	`0`
DeCommitTotalFreeThreshold	`0`
LockPrefixTable	`0`
MaximumAllocationSize	`0`
VirtualMemoryThreshold	`0`
ProcessAffinityMask	`0`
ProcessHeapFlags	`(EMPTY)`
CSDVersion	`0`
Reserved1	`0`
EditList	`0`
SecurityCookie	`0x42c00c`
SEHandlerTable	`0x429ed0`
SEHandlerCount	`10`

RICH Header

XOR Key	`0x5e21871f`
Unmarked objects	`0`
241 (40116)	`9`
243 (40116)	`123`
242 (40116)	`24`
C++ objects (23013)	`2`
ASM objects (VS2015 UPD3 build 24123)	`19`
C++ objects (VS2015 UPD3 build 24123)	`39`
C objects (VS2015 UPD3 build 24123)	`18`
C objects (65501)	`3`
Imports (65501)	`9`
Total imports	`112`
265 (VS2015 UPD3.1 build 24215)	`8`
Resource objects (VS2015 UPD3 build 24210)	`1`
151	`1`
Linker (VS2015 UPD3.1 build 24215)	`1`

e1bcc64752f50deec06c204434cf8670

Summary

Plugin Output

Hashes

DOS Header

PE Header

Image Optional Header

.text

.rdata

.data

.tls

.gfids

.rsrc

.reloc

Imports

Delayed Imports

1

101

1 (#2)

Version Info

IMAGE_DEBUG_TYPE_POGO

IMAGE_DEBUG_TYPE_ILTCG

TLS Callbacks

Load Configuration

RICH Header

Errors