Manalyze report for e4ed26d5e2a84cc5e48d285e4ea898c0

Summary

Architecture	`IMAGE_FILE_MACHINE_I386`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	2017-Oct-23 20:44:37
Detected languages	English - United States

Plugin Output

Info	Matching compiler(s):	`Microsoft Visual C++ 6.0 - 8.0` `MASM/TASM - sig1(h)`
Suspicious	Strings found in the binary may indicate undesirable behavior:	`May have dropper capabilities: CurrentControlSet\Services`
Info	Cryptographic algorithms detected in the binary:	`Uses constants related to CRC32` `Uses constants related to MD5` `Uses constants related to SHA1`
Malicious	The PE contains functions mostly used by malware.	`Can access the registry: RegCloseKey RegQueryValueExW RegSetValueExW RegCreateKeyExW` `Leverages the raw socket API to access the Internet: #115 #10 #9 #11 #23 #4 #16 #111 #18 #151 #21 #19 #22 #3` `Functions related to the privilege level: OpenProcessToken`
Malicious	VirusTotal score: 29/57 (Scanned on 2019-09-09 06:40:28)	`MicroWorld-eScan: Trojan.GenericKD.32416111` `McAfee: Trojan-HidCobra` `Cylance: Unsafe` `K7AntiVirus: Trojan ( 0052cf421 )` `Alibaba: Trojan:Win32/NukeSped.cb5844a3` `K7GW: Trojan ( 0052cf421 )` `F-Prot: W32/Trojan3.AOLC` `Symantec: Trojan.Hoplight` `APEX: Malicious` `Paloalto: generic.ml` `BitDefender: Trojan.GenericKD.32416111` `Ad-Aware: Trojan.GenericKD.32416111` `Emsisoft: Trojan.GenericKD.32416111 (B)` `F-Secure: Trojan.TR/NukeSped.flobc` `McAfee-GW-Edition: Trojan-HidCobra` `FireEye: Trojan.GenericKD.32416111` `Sophos: Mal/Generic-S` `Avira: TR/NukeSped.flobc` `MAX: malware (ai score=100)` `Arcabit: Trojan.Generic.D1EEA16F` `GData: Win32.Trojan.Agent.J7Q9TZ` `AhnLab-V3: Trojan/Win32.Crypt.C3464081` `TrendMicro-HouseCall: TROJ_GEN.R002H0DI819` `Tencent: Win32.Trojan.Generic.Amcj` `Ikarus: Trojan.Win32.NukeSped` `Fortinet: W32/NukeSped.AU!tr` `Panda: Trj/GdSda.A` `CrowdStrike: win/malicious_confidence_100% (W)` `Qihoo-360: Win32/Trojan.bb5`

Hashes

MD5	`e4ed26d5e2a84cc5e48d285e4ea898c0`
SHA1	`c3d28d8e49a24a0c7082053d22597be9b58302b1`
SHA256	`c66ef8652e15b579b409170658c95d35cfd6231c7ce030b172692f911e7dcff8`
SHA3	`95a76d45d2e1a703a85b89c9f06e59f3b33d334324b3b3012db537dced9286a9`
SSDeep	`3072:MzviXzovLFOLUAqWilvLc1V2n9+zEty7+LEfq0Mg3ewPWTc:Mzv+zovLFOLFqhlvlQz7ZqueweT`
Imports Hash	`387ff28ad8f86434c34e5e8d4eb0be42`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0xf0`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_I386`
NumberofSections	`5`
TimeDateStamp	2017-Oct-23 20:44:37
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xe0`
Characteristics	`IMAGE_FILE_32BIT_MACHINE` `IMAGE_FILE_EXECUTABLE_IMAGE`

Image Optional Header

Magic	`PE32`
LinkerVersion	`10.0`
SizeOfCode	`0x20600`
SizeOfInitializedData	`0x5e00`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x00020CE8 (Section: .text)`
BaseOfCode	`0x1000`
BaseOfData	`0x22000`
ImageBase	`0x400000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`5.1`
ImageVersion	`0.0`
SubsystemVersion	`5.1`
Win32VersionValue	`0`
SizeOfImage	`0x2d000`
SizeOfHeaders	`0x400`
Checksum	`0x2fbbc`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` `IMAGE_DLLCHARACTERISTICS_NX_COMPAT` `IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`33e3584e4c52c24e16fc108224a3f6a3`
SHA1	`927678b55eeb555a4cf2a8ffe811f33aaa34c3a3`
SHA256	`d0fa7e36e22987bd5b077e8ad1ae1c2c7ba343b5af29461aa2d54798a5ea3f4e`
SHA3	`4c6c58a78d5297b95c8ec2a1d807b060818c4e686ee588d35deec6ff81d3c7c5`
VirtualSize	`0x204fa`
VirtualAddress	`0x1000`
SizeOfRawData	`0x20600`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.15343`

.rdata

MD5	`8a43450710359fae49269f1217924cf5`
SHA1	`bdc4b2f73f2e97f93cb7e297ea50f6c6b4401346`
SHA256	`33623597f7637e25015cfcc16f4306a70225a632bec175ca16d6d30323acf3cc`
SHA3	`b3d231537e3b6926f79d827e9d2d22b91dcaa99a8e1c41830f8bb1dea7cb5c9a`
VirtualSize	`0x406e`
VirtualAddress	`0x22000`
SizeOfRawData	`0x4200`
PointerToRawData	`0x20a00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`6.2995`

.data

MD5	`b0c95d35585e130bea58057c11e9d53b`
SHA1	`a4cf79466863dafeb07b3b150c637699735266a6`
SHA256	`10f0b994ac9017468690d2ed528ae1cc4095244fba82e89b98c5a7234eaaada4`
SHA3	`bcdf82a4215e6d30bf361459bc8b279cdd7dfb6e9eaf51666290ce4e3174d05c`
VirtualSize	`0x3e84`
VirtualAddress	`0x27000`
SizeOfRawData	`0xe00`
PointerToRawData	`0x24c00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`5.45559`

.rsrc

MD5	`3a4fdc31bb49b29d6f19b94641d14ee8`
SHA1	`051e534aca4dbdd3425bd1efe8016ddfc27dcf38`
SHA256	`4bb0a022d9886a3f193067f2f59b5cee7137aae82dedf74142331783b3926ef1`
SHA3	`415371d82f6cfc2d70d274565135cfc61a3cfff8296c3d39954b2453e3326e22`
VirtualSize	`0x1b4`
VirtualAddress	`0x2b000`
SizeOfRawData	`0x200`
PointerToRawData	`0x25a00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`5.11262`

.reloc

MD5	`f74e21bd34aa3a05131ae77f0b48c2b2`
SHA1	`aa9e4c639703139babb978066fc363fd54958506`
SHA256	`9f9d82d76944fe219e51b28d84c0f61b3ebe5424782297006ff4124edfa10a4d`
SHA3	`f6992010462a39a5f0ff1b0d15826aeff9ceb6b6b0f8ea178d23f92e2d1efba2`
VirtualSize	`0xb44`
VirtualAddress	`0x2c000`
SizeOfRawData	`0xc00`
PointerToRawData	`0x25c00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`5.87583`

Imports

WS2_32.dll	`#115` `#10` `#9` `#11` `#23` `#4` `#16` `#111` `#18` `#151` `#21` `#19` `#22` `#3`
KERNEL32.dll	`Sleep` `GetLastError` `WriteFile` `CloseHandle` `ReadFile` `CreateFileW` `GetFileAttributesW` `GetTickCount` `LocalFree` `LocalAlloc` `TerminateThread` `GetExitCodeThread` `WaitForMultipleObjects` `CreateThread` `InterlockedExchange` `DisconnectNamedPipe` `FlushFileBuffers` `GetCommandLineW` `ExitProcess` `FormatMessageW` `HeapFree` `GetProcessHeap` `HeapAlloc` `GetCurrentProcess` `GetCurrentThread` `WaitNamedPipeW` `ConnectNamedPipe` `CreateNamedPipeW` `InterlockedCompareExchange` `HeapSetInformation` `GetStartupInfoW` `EncodePointer` `DecodePointer` `SetUnhandledExceptionFilter` `GetCurrentThreadId` `GetCurrentProcessId` `GetSystemTimeAsFileTime` `TerminateProcess` `UnhandledExceptionFilter` `IsDebuggerPresent` `FindClose` `WaitForSingleObject` `FindFirstFileW` `QueryPerformanceCounter` `QueryPerformanceFrequency` `WideCharToMultiByte` `UnmapViewOfFile` `DuplicateHandle` `CreateFileMappingW` `MapViewOfFile` `GetFileType` `GetFileInformationByHandle` `GetSystemTime` `GetLocalTime` `SystemTimeToFileTime` `GetFileSize` `SetFilePointer` `FindNextFileW` `FileTimeToDosDateTime` `FileTimeToSystemTime`
ADVAPI32.dll	`RegCloseKey` `RegQueryValueExW` `RegSetValueExW` `InitializeSecurityDescriptor` `AllocateAndInitializeSid` `GetLengthSid` `InitializeAcl` `AddAccessAllowedAce` `SetSecurityDescriptorDacl` `FreeSid` `OpenThreadToken` `OpenProcessToken` `GetTokenInformation` `RegCreateKeyExW`
SHELL32.dll	`CommandLineToArgvW`
MSVCR100.dll	`??3@YAXPAX@Z` `memmove` `memcmp` `_tzset` `free` `strstr` `sscanf` `fread` `ftell` `fseek` `_vsnprintf` `??2@YAPAXI@Z` `__CxxFrameHandler` `strcat` `strcpy` `strncpy` `wcscmp` `wcscat` `sprintf` `fgets` `printf` `fwrite` `_amsg_exit` `__wgetmainargs` `wcsrchr` `_exit` `_XcptFilter` `exit` `_wcmdln` `_initterm` `_initterm_e` `_configthreadlocale` `__setusermatherr` `_commode` `_fmode` `__set_app_type` `_unlock` `__dllonexit` `_lock` `_onexit` `_localtime32` `_time32` `_mktime32` `?terminate@@YAXXZ` `_except_handler4_common` `_invoke_watson` `_controlfp_s` `_crt_debugger_hook` `wcslen` `_cexit` `wcscpy` `strlen` `_swprintf` `fprintf` `fclose` `wcstok` `wcstombs` `wprintf` `__CxxFrameHandler3` `srand` `rand` `_wtoi` `memset` `memcpy` `_time64` `_stricmp` `fopen` `malloc`
MPR.dll	`WNetAddConnection2W` `WNetCancelConnection2W`

Delayed Imports

1

Type	`RT_MANIFEST`
Language	English - United States
Codepage	Latin 1 / Western European
Size	`0x15a`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`4.79597`
MD5	`24d3b502e1846356b0263f945ddd5529`
SHA1	`bac45b86a9c48fc3756a46809c101570d349737d`
SHA256	`49a60be4b95b6d30da355a0c124af82b35000bce8f24f957d1c09ead47544a1e`
SHA3	`1244ed60820da52dc4b53880ec48e3b587dbdbd9545f01fa2b1c0fcfea1d5e9e`

Version Info

TLS Callbacks

Load Configuration

RICH Header

XOR Key	`0xc61332ca`
Unmarked objects	`0`
Imports (VS2010 build 30319)	`2`
152 (20115)	`5`
ASM objects (VS2010 build 30319)	`5`
C objects (VS2010 build 30319)	`18`
C objects (VS98 build 8168)	`14`
C++ objects (VS98 build 8168)	`3`
Total imports	`159`
Imports (VS2008 SP1 build 30729)	`11`
C++ objects (VS2010 build 30319)	`5`
Linker (VS2010 build 30319)	`1`

e4ed26d5e2a84cc5e48d285e4ea898c0

Summary

Plugin Output

Hashes

DOS Header

PE Header

Image Optional Header

.text

.rdata

.data

.rsrc

.reloc

Imports

Delayed Imports

1

Version Info

TLS Callbacks

Load Configuration

RICH Header

Errors