Manalyze report for e9856f4f9002935014176fa03932ddf7

Summary

Architecture	`IMAGE_FILE_MACHINE_I386`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	1970-Jan-01 00:00:00
Detected languages	English - United States

Plugin Output

Suspicious	Strings found in the binary may indicate undesirable behavior:	`Contains obfuscated function names: 06 24 35 11 33 2e 22 00 25 25 33 24 32 32 0d 2e 20 25 0d 28 23 33 20 33 38` `Contains a XORed PE executable: 15 29 28 32 61 31 33 2e 26 33 20 2c 61 22 20 2f 2f 2e 35 61 ...` `Contains domain names: altavista.com bl.spamcop.net google.com http://search.lycos.com http://search.lycos.com/default.asp?lpv http://search.yahoo.com http://search.yahoo.com/search?p http://www.altavista.com http://www.altavista.com/web/results?q http://www.google.com http://www.google.com/search?hl lycos.com osirusoft.com relays.osirusoft.com search.lycos.com search.yahoo.com spamcop.net www.altavista.com www.google.com yahoo.com`
Suspicious	The PE contains functions most legitimate programs don't use.	`[!] The program may be hiding some of its imports: LoadLibraryA GetProcAddress` `Functions which can be used for anti-debugging purposes: FindWindowA` `Can access the registry: RegCloseKey RegOpenKeyExA RegSetValueExA RegQueryValueExA RegEnumKeyA RegCreateKeyExA` `Possibly launches other programs: CreateProcessA` `Can create temporary files: CreateFileA GetTempPathA` `Leverages the raw socket API to access the Internet: connect send inet_addr gethostbyname socket select recv closesocket ntohs htons sendto WSAStartup gethostname` `Enumerates local disk drives: GetDriveTypeA`
Suspicious	The file contains overlay data.	`1216 bytes of data starting at offset 0x9e00.` `The overlay data has an entropy of 7.79065 and is possibly compressed or encrypted.`
Malicious	VirusTotal score: 69/72 (Scanned on 2023-10-05 14:36:05)	`ALYac: Win32.Mydoom.M@mm` `APEX: Malicious` `AVG: Win32:Mydoom-DV [Wrm]` `Acronis: suspicious` `AhnLab-V3: Worm/Win32.MyDoom.C145120` `Alibaba: Malware:Win32/Dorpal.ali1000029` `Antiy-AVL: Worm[Email]/Win32.Mydoom` `Arcabit: Win32.Mydoom.EE61DB` `Avast: Win32:Mydoom-DV [Wrm]` `Avira: TR/Spy.Agent.afe` `Baidu: Win32.Worm-Email.Mydoom.a` `BitDefender: Win32.Mydoom.M@mm` `BitDefenderTheta: AI:Packer.FBFF46801C` `Bkav: W32.FamVT.MydomNHb.Worm` `CAT-QuickHeal: Worm.Mydoom.A3` `ClamAV: Win.Worm.Mydoom-7` `CrowdStrike: win/malicious_confidence_100% (W)` `Cybereason: malicious.0074c8` `Cylance: unsafe` `Cynet: Malicious (score: 100)` `Cyren: W32/Mydoom.NHLR-0969` `DeepInstinct: MALICIOUS` `DrWeb: Win32.HLLM.MyDoom.54464` `ESET-NOD32: Win32/Mydoom.R` `Elastic: malicious (high confidence)` `Emsisoft: Win32.Mydoom.M@mm (B)` `F-Secure: Email-Worm:W32/Mydoom.gen!A` `FireEye: Generic.mg.e9856f4f90029350` `Fortinet: W32/MyDoom.K!tr` `GData: Win32.Worm.Mydoom.A` `Google: Detected` `Gridinsoft: Worm.Win32.Mydoom.ka!i` `Ikarus: Email-Worm.Win32.Mydoom` `Jiangmin: I-Worm/MyDoom.m` `K7AntiVirus: EmailWorm ( 0000439f1 )` `K7GW: EmailWorm ( 000043a01 )` `Kaspersky: Email-Worm.Win32.Mydoom.m` `Lionic: Worm.Win32.Mydoom.l3y8` `MAX: malware (ai score=80)` `Malwarebytes: Generic.Malware.AI.DDS` `MaxSecure: Worm.Mydoom.m` `McAfee: W32/Mydoom.c.o@MM` `McAfee-GW-Edition: BehavesLike.Win32.Mydoom.ph` `MicroWorld-eScan: Win32.Mydoom.M@mm` `Microsoft: Worm:Win32/Mydoom.O@mm` `NANO-Antivirus: Trojan.Win32.Mydoom.ekbf` `Panda: W32/Mydoom.N.worm` `Rising: Worm.Mydoom!1.A15B (CLASSIC)` `SUPERAntiSpyware: Worm.Mydoom` `Sangfor: Suspicious.Win32.Save.a` `SentinelOne: Static AI - Malicious PE` `Sophos: W32/MyDoom-O` `Symantec: W32.Mydoom!gen` `TACHYON: Worm/W32.Mydoom.41664` `Tencent: Trojan.Win32.Mydoom.m` `Trapmine: malicious.high.ml.score` `TrendMicro: WORM_MYDOOM.GEN` `TrendMicro-HouseCall: WORM_MYDOOM.GEN` `VBA32: Trojan.Agent` `VIPRE: Win32.Mydoom.M@mm` `ViRobot: I-Worm.Win32.Mydoom.41664` `VirIT: Worm.Win32.Mydoom.O` `Webroot: W32.Worm.Gen` `Xcitium: Worm.Win32.Mydoom.R@3nf5` `Yandex: Trojan.GenAsa!ExGQZoHwzko` `Zillya: Worm.Mydoom.Win32.17` `ZoneAlarm: Email-Worm.Win32.Mydoom.m` `Zoner: Worm.Win32.Mydoom.3815` `tehtris: Generic.Malware`

Hashes

MD5	`e9856f4f9002935014176fa03932ddf7`
SHA1	`6d8070d0074c8a6a79540dfd589dc4e4201e3410`
SHA256	`b21bdc5455cfd3f13be06c017826e115763c05272833bce8ad0e75616df5d3df`
SHA3	`c03d6d39ff2114318d3e7fd56c798ee24444979f3edfdd86525ebda8262140a9`
SSDeep	`768:aq9m/ZsybSg2ts4L3RLc/qjhsKmHbk1+qJ0UtH17:aqk/Zdic/qjh8w19JDH17`
Imports Hash	`7ee89a85ea0ffd700fd28e6cfa3d968f`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0xd8`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_I386`
NumberofSections	`3`
TimeDateStamp	1970-Jan-01 00:00:00
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xe0`
Characteristics	`IMAGE_FILE_32BIT_MACHINE` `IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LINE_NUMS_STRIPPED` `IMAGE_FILE_LOCAL_SYMS_STRIPPED` `IMAGE_FILE_RELOCS_STRIPPED`

Image Optional Header

Magic	`PE32`
LinkerVersion	`7.0`
SizeOfCode	`0x7200`
SizeOfInitializedData	`0x2a00`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x00003280 (Section: .text)`
BaseOfCode	`0x1000`
BaseOfData	`0x9000`
ImageBase	`0x500000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`4.0`
ImageVersion	`0.0`
SubsystemVersion	`4.0`
Win32VersionValue	`0`
SizeOfImage	`0xd000`
SizeOfHeaders	`0x1000`
Checksum	`0`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`59bcd401aaeef30ae504c2db62704076`
SHA1	`2bce5befa0af5c796afbaa2aa69880ffd9550511`
SHA256	`436bce5f45aa23867811acbf41ca8879a85643e8dc333dd74afea402713130bd`
SHA3	`813602b01a59aa8280d852bd26eee498071815b9f3337e691a08bb85640b1cd0`
VirtualSize	`0x70a4`
VirtualAddress	`0x1000`
SizeOfRawData	`0x7200`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.46652`

.data

MD5	`c3f04ab9d624db55128f57896a462a05`
SHA1	`17a361fb6a6df4a448fc42139557d3095aaf24fb`
SHA256	`dcbe482d5830272d3ef156a290ccd9f6676a6e7f8c506434580e40be828ad4b4`
SHA3	`3a1304f48b709d0f81ef7ba3a55bd5ddfc6927eceb6304e3c795e3f6d61b9c55`
VirtualSize	`0x2398`
VirtualAddress	`0x9000`
SizeOfRawData	`0x2200`
PointerToRawData	`0x7600`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`6.9434`

.rsrc

MD5	`539e74621959a53a1beb0efde84e3b45`
SHA1	`88e279ec90fd5b97d39a7fdff5786dcda39b8ea8`
SHA256	`a440991a69e0d7eb69a4f1e1e94a6c1c23ea678b199038ff350c0a7ca308e950`
SHA3	`20fca84dde02f1f8302bccd4aa5ceae2d834937afd58db89cf36d8f913a6679d`
VirtualSize	`0x518`
VirtualAddress	`0xc000`
SizeOfRawData	`0x600`
PointerToRawData	`0x9800`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`2.32912`

Imports

KERNEL32.DLL	`FindClose` `GetFileSize` `FindNextFileA` `MapViewOfFile` `UnmapViewOfFile` `FindFirstFileA` `GetEnvironmentVariableA` `GetDriveTypeA` `GetSystemTime` `WriteFile` `CreateFileMappingA` `LoadLibraryA` `CreateProcessA` `GlobalAlloc` `GetLastError` `CreateMutexA` `lstrcatA` `GetFileAttributesA` `CopyFileA` `DeleteFileA` `CloseHandle` `CreateFileA` `SetFileAttributesA` `lstrlenA` `GetTempPathA` `GetWindowsDirectoryA` `lstrcpyA` `GetModuleFileNameA` `ExitThread` `GetProcAddress` `GetModuleHandleA` `Sleep` `CreateThread` `ExitProcess` `GetTimeZoneInformation` `FileTimeToSystemTime` `FileTimeToLocalFileTime` `GetLocalTime` `GetTickCount` `WideCharToMultiByte` `InterlockedIncrement` `ReadFile` `SetFilePointer` `HeapFree` `GetProcessHeap` `HeapAlloc` `lstrcpynA` `lstrcmpA` `lstrcmpiA` `SetThreadPriority` `GetCurrentThread` `GlobalFree` `InterlockedDecrement` `GetTempFileNameA`
ADVAPI32.dll	`RegCloseKey` `RegOpenKeyExA` `RegSetValueExA` `RegQueryValueExA` `RegEnumKeyA` `RegCreateKeyExA`
MSVCRT.dll	`memset` `tolower` `memcpy` `isdigit` `strchr` `isalnum` `isspace` `malloc` `strstr`
USER32.dll	`CharUpperBuffA` `CharUpperA` `CharLowerA` `wvsprintfA` `wsprintfA` `FindWindowA` `PostMessageA`
WS2_32.dll	`connect` `send` `inet_addr` `gethostbyname` `socket` `select` `recv` `closesocket` `ntohs` `htons` `sendto` `WSAStartup` `gethostname`

Delayed Imports

1

Type	`RT_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x2e8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.56279`
MD5	`e601e130464ab02c645b5709e1917752`
SHA1	`792dfc4c906e4b72ec3b32ac4f627f5f2d1a26e3`
SHA256	`cf36b6a0f47645beb9f1f8c134b95738b6299fe25858e8e892c0078ca96f9b7a`
SHA3	`584ce6704cee3437ab43af71b218dd6a4e6253fa77ea6866e185e02b43a77b9e`

2

Type	`RT_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x128`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.44714`
MD5	`3c82106fc43eea002ec89d06631f0e94`
SHA1	`f002356bce663bd2766f4f72a651937d11bdb25f`
SHA256	`e13aac8a2fd54404b0262e2bec323b4192e4e2ab20efa2101b2ab0af6bb8e652`
SHA3	`e0be09166a1597844fc8558d2e38f0ef475d0b894d851b0022e22cadc417cd31`

0

Type	`RT_GROUP_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x22`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.37086`
Detected Filetype	Icon file
MD5	`d59e0d372ea5fd8c1f4de744376a6af4`
SHA1	`6883ce60e71a83424db0b41d0ab6bf61080e3de2`
SHA256	`b10e28a32eddb2ab20a46ceae59d9c0786911eb20f0c8dd2a28421f226ea2b8b`
SHA3	`5e39df982879204dd9f129a37d1e1c2ff906e88de9ae01b4418db5e8455e7ae1`

Version Info

TLS Callbacks

Load Configuration

RICH Header

e9856f4f9002935014176fa03932ddf7

Summary

Plugin Output

Hashes

DOS Header

PE Header

Image Optional Header

.text

.data

.rsrc

Imports

Delayed Imports

1

2

0

Version Info

TLS Callbacks

Load Configuration

RICH Header

Errors