Manalyze report for e6d8e767a407af85e3128741eeb1fae8

Summary

Architecture	`IMAGE_FILE_MACHINE_I386`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_CUI`
Compilation Date	2017-May-15 17:47:25
Detected languages	English - United States
CompanyName	Microsoft Corporation
FileDescription	ApiSet Stub DLL
FileVersion	`10.0.10586.15 (th2_release.151119-1817)`
InternalName	apisetstub
LegalCopyright	© Microsoft Corporation. All rights reserved.
OriginalFilename	apisetstub
ProductName	Microsoft® Windows® Operating System
ProductVersion	`10.0.10586.15`

Plugin Output

Info	Matching compiler(s):	`MASM/TASM - sig1(h)`
Info	Libraries used to perform cryptographic operations:	`Microsoft's Cryptography API`
Suspicious	The PE is possibly packed.	`Unusual section name found: .exp`
Info	The PE contains common functions which appear in legitimate applications.	`[!] The program may be hiding some of its imports: GetProcAddress LoadLibraryA` `Uses Microsoft's cryptographic API: CryptGetDefaultProviderW`
Malicious	VirusTotal score: 51/68 (Scanned on 2017-11-20 04:31:31)	`MicroWorld-eScan: Trojan.Agent.CGWS` `CAT-QuickHeal: Trojan.Mauvaise.SL1` `McAfee: Packed-PN!E6D8E767A407` `Malwarebytes: Trojan.FakeMS` `VIPRE: Trojan.Win32.Generic!BT` `K7GW: Trojan ( 0050fcc61 )` `K7AntiVirus: Trojan ( 0050fcc61 )` `Invincea: heuristic` `Baidu: Win32.Trojan.WisdomEyes.16070401.9500.9999` `Cyren: W32/Trojan.UCTI-1681` `Symantec: Trojan.Sakurel` `TrendMicro-HouseCall: TSPY_HPEMOTET.SMDX0` `Avast: Win32:Malware-gen` `Kaspersky: HEUR:Trojan.Win32.Generic` `BitDefender: Trojan.Agent.CGWS` `NANO-Antivirus: Trojan.Win32.GenKryptik.epgdps` `Paloalto: generic.ml` `AegisLab: Troj.W32.Generic!c` `Rising: Malware.XPACK-LNR/Heur!1.5594 (CLASSIC)` `Ad-Aware: Trojan.Agent.CGWS` `Sophos: Mal/EncPk-ANR` `F-Secure: Trojan.Agent.CGWS` `DrWeb: Trojan.Packed.140` `Zillya: Trojan.Kryptik.Win32.1250072` `TrendMicro: TSPY_HPEMOTET.SMDX0` `McAfee-GW-Edition: BehavesLike.Win32.Backdoor.gc` `Emsisoft: Trojan.Agent.CGWS (B)` `SentinelOne: static engine - malicious` `Webroot: W32.Backdoor.Gen` `Avira: TR/Crypt.ZPACK.lwzue` `Fortinet: W32/Kryptik.FSGL!tr` `Antiy-AVL: Trojan/Win32.SGeneric` `Endgame: malicious (high confidence)` `Arcabit: Trojan.Agent.CGWS` `ViRobot: Trojan.Win32.Agent.458752.AC` `ZoneAlarm: HEUR:Trojan.Win32.Generic` `AhnLab-V3: Trojan/Win32.Generic.R203206` `ALYac: Trojan.Agent.QakBot` `AVware: Trojan.Win32.Generic!BT` `MAX: malware (ai score=100)` `Cylance: Unsafe` `ESET-NOD32: a variant of Win32/Kryptik.FTKI` `Tencent: Suspicious.Heuristic.Gen.b.0` `Yandex: Trojan.Agent!f7wGDpetOCE` `Ikarus: Trojan.Win32.Krypt` `GData: Trojan.Agent.CGWS` `AVG: Win32:Malware-gen` `Cybereason: malicious.1b8fb7` `Panda: Trj/CI.A` `CrowdStrike: malicious_confidence_100% (W)` `Qihoo-360: Win32/Trojan.202`

Hashes

MD5	`e6d8e767a407af85e3128741eeb1fae8`
SHA1	`8cc066787be87eb287f1754f72ebe36f1c30e38f`
SHA256	`7dbd0df279062090c34f796efc7dd239eccd46b99b67aac370d6048d5adbb9ec`
SHA3	`6a4d89a4190a2a9301055ebdffbeaa61e3d80ee65cb621f10f7c45e07900d30b`
SSDeep	`6144:FrTsV+A6v8yfFCueDpWR0jf7NFDbn8vNSfKZ86t9nz5pV7Jy4Xx9j:Bg4rv8k/vuTNKvNSiW6txzLVAmj`
Imports Hash	`427137bae7135de9c5f92deb0faa0fe3`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0xd0`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_I386`
NumberofSections	`9`
TimeDateStamp	2017-May-15 17:47:25
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xe0`
Characteristics	`IMAGE_FILE_32BIT_MACHINE` `IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LINE_NUMS_STRIPPED` `IMAGE_FILE_LOCAL_SYMS_STRIPPED`

Image Optional Header

Magic	`PE32`
LinkerVersion	`8.0`
SizeOfCode	`0x4000`
SizeOfInitializedData	`0x6e000`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x00001990 (Section: .text)`
BaseOfCode	`0x1000`
BaseOfData	`0x5000`
ImageBase	`0x400000`
SectionAlignment	`0x1000`
FileAlignment	`0x1000`
OperatingSystemVersion	`4.0`
ImageVersion	`0.0`
SubsystemVersion	`4.0`
Win32VersionValue	`0`
SizeOfImage	`0x73000`
SizeOfHeaders	`0x1000`
Checksum	`0`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_CUI`
DllCharacteristics	`IMAGE_LIBRARY_PROCESS_INIT`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`053ba8f0e016e841a50a41195cc3fd07`
SHA1	`7545d5dfdf23a2c3f0edc52d6df7dd585437d696`
SHA256	`e3d16d9fb0f35a5b5de9fb04d91e98056ec506763dbd738d95dfcdf60e2a10d3`
SHA3	`eda13af32857db7d571873a9c4000ef1ec27ab5e4c645e633e9afc725f90e4b5`
VirtualSize	`0x10b8`
VirtualAddress	`0x1000`
SizeOfRawData	`0x2000`
PointerToRawData	`0x1000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`3.91821`

.code

MD5	`d31f035ae35057f70d36e4a690368d78`
SHA1	`93831cf5e756f1c7b95115d0c2e833db45d194a3`
SHA256	`06d9df3845d926081a11a3dbb7654c8da1a911c8c256e54ba6b68764f0340f93`
SHA3	`dc98b78c71372239190019dbf227b1b33e6f83886f7d7e0d7312ada65b78651e`
VirtualSize	`0x15d0`
VirtualAddress	`0x3000`
SizeOfRawData	`0x2000`
PointerToRawData	`0x3000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`4.72895`

.rdata

MD5	`6ec6dd32dff1bbf95f09573794d4daba`
SHA1	`73e405e4ae047239862af6f9e28be77e4b370f94`
SHA256	`49df7927e0c260f17e77d3bf959696724c0315645c7a8d5fb804c067be77be79`
SHA3	`12d476e7298b4182fe6218ac43c51ca8acefcf4cbadfd85c094be4fb273a125b`
VirtualSize	`0x47c`
VirtualAddress	`0x5000`
SizeOfRawData	`0x1000`
PointerToRawData	`0x5000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`1.83778`

.data

MD5	`155bb038c2c35a1330ca85e6d83aea0a`
SHA1	`3f34ea85fa66505b330bcffbca4474283a039d5f`
SHA256	`93a00aa3979f88e8e02d7fd4abf11d802c29e45f286d1092467cb9ca879a1df5`
SHA3	`a607c25dec9acbb220f7606e9a877c403492c26b549ff69bfe32ac81c399f906`
VirtualSize	`0x3fbd`
VirtualAddress	`0x6000`
SizeOfRawData	`0x1000`
PointerToRawData	`0x6000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`5.31691`

.CRT

MD5	`3515a9c5335866cc55e38d6693a808c6`
SHA1	`2f0b053605db6f8c68657d1125234996e8f11f74`
SHA256	`e4b350de2c3f4bb6cfb83cb6476cd25372caa13eecf97ab33b4ea6477c851939`
SHA3	`d616b1c1fd4125843b119ef793aa03371cae50b1c772479eecc6b02baa7ad3ee`
VirtualSize	`0x315bc`
VirtualAddress	`0xa000`
SizeOfRawData	`0x32000`
PointerToRawData	`0x7000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`7.96172`

.exp

MD5	`2dcbecce562a977854cd8761b5a02375`
SHA1	`ed76e8638f187d5faf85ffe05f592d0c60e5a8ff`
SHA256	`81166eb3f2b4e4156bf22ef496bbecb24fd85a653b256caab0c45b42019aa505`
SHA3	`ffe5baebedad49e71c9f54d1b9be3f9ba00c18af94bae07dbef52625b9e7e416`
VirtualSize	`0x11fef`
VirtualAddress	`0x3c000`
SizeOfRawData	`0x12000`
PointerToRawData	`0x39000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`7.99762`

.code (#2)

MD5	`247a7a3beeb585428e5153db6b88f5b2`
SHA1	`0e48cd19d431d2d160ec21e25894ff02677b605d`
SHA256	`b508cbe775e52a18525d3fe08bf675001766b508cf0e15f74fbf492f6df89cf6`
SHA3	`7a3e071f9f59d323710319789379fea360c375729127384a9fec7209c6de4912`
VirtualSize	`0x220a5`
VirtualAddress	`0x4e000`
SizeOfRawData	`0x23000`
PointerToRawData	`0x4b000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`7.94223`

.rsrc

MD5	`791e4fde2ceaf9416e397c119ee20fdc`
SHA1	`8fa6dfff40df301886f3b6e3e9da7532d88040c3`
SHA256	`ffd57bdbb3e2dae0b583933bb5377e963e08edad7bdaa45467a1284d86b674e8`
SHA3	`e4bed4ba0e40ee343dcd6db0d9c06bfc5e2d2429ea9f22176ffbc6f0983569c8`
VirtualSize	`0xe9e`
VirtualAddress	`0x71000`
SizeOfRawData	`0x1000`
PointerToRawData	`0x6e000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`1.07011`

.reloc

MD5	`052353049f01366c717d3911bd3065b4`
SHA1	`d879534a966db7c6a52b2ba2514f7a704c167746`
SHA256	`59f4fc071a7fe616078b303c8c3f7483d3be9c50abaca1923941cb9d0dc4e734`
SHA3	`1441b497d31ce61230d8830931e138c70a8c371a3eb5dafb288cc5d65dea191b`
VirtualSize	`0x67d`
VirtualAddress	`0x72000`
SizeOfRawData	`0x1000`
PointerToRawData	`0x6f000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`1.12917`

Imports

ADVAPI32.dll	`GetServiceDisplayNameW` `CryptGetDefaultProviderW` `GetSecurityDescriptorGroup`
KERNEL32.dll	`GetProcAddress` `ExitProcess` `GetModuleHandleA` `GetStringTypeW` `GetThreadTimes` `LocalFree` `FreeLibrary` `InterlockedExchange` `GetLastError` `LoadLibraryA` `RaiseException` `GetSystemTimeAsFileTime` `ExitThread` `LocalAlloc`
GDI32.dll	`GetSystemPaletteUse` `DeleteEnhMetaFile`
USER32.dll (delay-loaded)	`GetPropA` `GetClassNameA`

Delayed Imports

Attributes	`0x1`
Name	`USER32.dll`
ModuleHandle	`0x950c`
DelayImportAddressTable	`0x6a10`
DelayImportNameTable	`0x520c`
BoundDelayImportTable	`0x5234`
UnloadDelayImportTable	`0`
TimeStamp	`1970-Jan-01 00:00:00`

1

Type	`RT_VERSION`
Language	English - United States
Codepage	UNKNOWN
Size	`0x394`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.48166`
MD5	`b33804121c6c77e41703e12eff18c534`
SHA1	`ed350a52c01a928d7cd36c91de7386ccd2204170`
SHA256	`e4981ca542713b98a665e9a8d6eabe9fde5545867323c5548a1c34097f254353`
SHA3	`ba5f879fcb1d86318d8d3103cb49b67f16347c067f6f16973bcc56fed5ea3f26`

Version Info

Signature	`0xfeef04bd`
StructVersion	`0x10000`
FileVersion	10.0.10586.15
ProductVersion	10.0.10586.15
FileFlags	`(EMPTY)`
FileOs	`VOS_DOS_WINDOWS32` `VOS_NT` `VOS_NT_WINDOWS32` `VOS_WINCE` `VOS__WINDOWS32`
FileType	`VFT_DLL`
Language	English - United States
CompanyName	Microsoft Corporation
FileDescription	ApiSet Stub DLL
FileVersion (#2)	10.0.10586.15 (th2_release.151119-1817)
InternalName	apisetstub
LegalCopyright	© Microsoft Corporation. All rights reserved.
OriginalFilename	apisetstub
ProductName	Microsoft® Windows® Operating System
ProductVersion (#2)	10.0.10586.15

Resource LangID	English - United States

TLS Callbacks

Load Configuration

RICH Header

XOR Key	`0xcc50a961`
Unmarked objects	`0`
Imports (VS2012 build 50727 / VS2005 build 50727)	`7`
C++ objects (VS2012 build 50727 / VS2005 build 50727)	`3`
Total imports	`21`
Unmarked objects (#2)	`1`
Resource objects (VS2013 build 21005)	`1`
Linker (VS2012 build 50727 / VS2005 build 50727)	`1`

e6d8e767a407af85e3128741eeb1fae8

Summary

Plugin Output

Hashes

DOS Header

PE Header

Image Optional Header

.text

.code

.rdata

.data

.CRT

.exp

.code (#2)

.rsrc

.reloc

Imports

Delayed Imports

1

Version Info

TLS Callbacks

Load Configuration

RICH Header

Errors