ea11ae3d034a017222f7c08fd48295f6

Summary

Architecture IMAGE_FILE_MACHINE_I386
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date 2021-Sep-25 21:56:47
Detected languages English - United States

Plugin Output

Info Interesting strings found in the binary: Contains domain names:
  • http://nsis.sf.net
  • http://nsis.sf.net/NSIS_Error
  • nsis.sf.net
Suspicious The PE is an NSIS installer Unusual section name found: .ndata
Malicious The PE contains functions mostly used by malware. [!] The program may be hiding some of its imports:
  • GetProcAddress
  • LoadLibraryExW
 Can access the registry:
  • RegCreateKeyExW
  • RegEnumKeyW
  • RegQueryValueExW
  • RegSetValueExW
  • RegCloseKey
  • RegDeleteValueW
  • RegDeleteKeyW
  • RegOpenKeyExW
  • RegEnumValueW
 Possibly launches other programs:
  • CreateProcessW
 Can create temporary files:
  • GetTempPathW
  • CreateFileW
 Functions related to the privilege level:
  • AdjustTokenPrivileges
  • OpenProcessToken
 Changes object ACLs:
  • SetFileSecurityW
 Can shut the system down or lock the screen:
  • ExitWindowsEx
Suspicious The file contains overlay data. 792981 bytes of data starting at offset 0x2b000.
The overlay data has an entropy of 7.78511 and is possibly compressed or encrypted.
Overlay data amounts for 81.8258% of the executable.
Malicious VirusTotal score: 47/71 (Scanned on 2025-01-08 22:36:07) APEX: Malicious
AVG: Win32:TrojanX-gen [Trj]
AhnLab-V3: Trojan/Win.Generic.C5323869
Antiy-AVL: GrayWare/Win32.KeyGen
Arcabit: Trojan.NSIS.Androm.2
Avast: Win32:TrojanX-gen [Trj]
BitDefender: Gen:Heur.NSIS.Androm.2
Bkav: W32.AIDetectMalware
CAT-QuickHeal: Trojan.Ghanarava.17309633798295f6
CTX: exe.trojan.keygen
ClamAV: Win.Malware.Score-6997747-0
CrowdStrike: win/grayware_confidence_100% (W)
Cylance: Unsafe
Cynet: Malicious (score: 100)
DeepInstinct: MALICIOUS
ESET-NOD32: Win32/Keygen.ACE potentially unsafe
Elastic: malicious (high confidence)
Emsisoft: Gen:Heur.NSIS.Androm.2 (B)
FireEye: Generic.mg.ea11ae3d034a0172
Fortinet: Riskware/KeyGen
GData: Win32.Application.Agent.981CTJ
Google: Detected
Gridinsoft: Trojan.Win32.Packed.cl
Ikarus: HackTool.Win32.Ke
K7AntiVirus: Unwanted-Program ( 0052f55b1 )
K7GW: Unwanted-Program ( 0052f55b1 )
Lionic: Trojan.Win32.Keygen.4!c
Malwarebytes: Generic.Malware/Suspicious
McAfee: Artemis!1D06359E88BB
McAfeeD: ti!BA4829D63FF9
MicroWorld-eScan: Gen:Heur.NSIS.Androm.2
Microsoft: HackTool:Win32/Keygen
Paloalto: generic.ml
Panda: Trj/CI.A
Rising: Hacktool.Keygen!8.B29 (CLOUD)
Sangfor: Hacktool.Win32.Keygen.V58x
Skyhigh: BehavesLike.Win32.Generic.dc
Sophos: Generic Reputation PUA (PUA)
Symantec: Trojan Horse
TrendMicro: TROJ_GEN.R06CC0PKK22
TrendMicro-HouseCall: TROJ_GEN.R06CC0PKK22
VBA32: BScope.Trojan.MulDrop
VIPRE: Gen:Heur.NSIS.Androm.2
Varist: W32/Zusy.TP.gen!Eldorado
Xcitium: ApplicUnwnt@#ffn5h4sb4u8g
Yandex: Trojan.Agent!pUg/eSCa1xY
Zillya: Trojan.Convagent.Win32.10263

Hashes

MD5 ea11ae3d034a017222f7c08fd48295f6
SHA1 d3f1bc34a2eae3125ce8b400b7d26f947cf18906
SHA256 ba4829d63ff925facfc2f3fc5c3b5673f786d32a004ea5cf35e18ba555df8d2e
SHA3 1283e7b4df44f3e8a4a7bca8f4668ac80cbd2f957818614f7247876a9ce8f2d7
SSDeep 24576:XYkcL5B7YdBaStIbWC2LPhgJsbt8WbDw/QPq4e:okA0dBaStIb2KJ0Xw/Qy4e
Imports Hash 61259b55b8912888e90f516ca08dc514

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0xd8

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_I386
NumberofSections 5
TimeDateStamp 2021-Sep-25 21:56:47
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xe0
Characteristics IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_RELOCS_STRIPPED

Image Optional Header

Magic PE32
LinkerVersion 6.0
SizeOfCode 0x6800
SizeOfInitializedData 0x22a00
SizeOfUninitializedData 0x800
AddressOfEntryPoint 0x00003640 (Section: .text)
BaseOfCode 0x1000
BaseOfData 0x8000
ImageBase 0x400000
SectionAlignment 0x1000
FileAlignment 0x200
OperatingSystemVersion 4.0
ImageVersion 6.0
SubsystemVersion 4.0
Win32VersionValue 0
SizeOfImage 0x5e000
SizeOfHeaders 0x400
Checksum 0
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
DllCharacteristics IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
SizeofStackReserve 0x100000
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

.text

MD5 6f5abe9eeda26ee84b3c1ed1a6c82001
SHA1 55517dc6ad93689679677d152abfdd1ce20f1135
SHA256 6683c31450d22725f8046313577f87ed284052143421d41ca971ebf03a732b4a
SHA3 0166ffe9450ef9b8cd85513de36173358cc6d06134a32f515f12aa858073020f
VirtualSize 0x6676
VirtualAddress 0x1000
SizeOfRawData 0x6800
PointerToRawData 0x400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
Entropy 6.41746

.rdata

MD5 8c5edfd8ff9cc0135e197611be38ca18
SHA1 dc4f14d019cad6646b38852dfb7370532acafebc
SHA256 95df72950424a97746c83c619f9aa736879b408a87751927b5d41994e8183a9c
SHA3 b74f8f6ea5fb7e429da44419f9d163743fd38ce97f3b9819fb2397744d42dad2
VirtualSize 0x139a
VirtualAddress 0x8000
SizeOfRawData 0x1400
PointerToRawData 0x6c00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 5.14107

.data

MD5 4b2421975c21b032f7ea000f5e7f9fbf
SHA1 f45486287d474fdcafc99c24e37c4eb61bf613b3
SHA256 f05daf3c91cc357d04794a740f21eaaeb870f250877e3a6dc498c5c3046cb414
SHA3 03ddd58bddd9af320b79e443521aae041b4098e328b842349f29c2bda6bdb122
VirtualSize 0x20378
VirtualAddress 0xa000
SizeOfRawData 0x600
PointerToRawData 0x8000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 4.11058

.ndata

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA3 a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a
VirtualSize 0x10000
VirtualAddress 0x2b000
SizeOfRawData 0
PointerToRawData 0
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc

MD5 0ad2b66d4607826efecd79812ddecf05
SHA1 f18299d089b7ee914e0fb3f46475a0168f60ce92
SHA256 2141d79e5fb85f5a2ecb8b9e377f53a4f2e2a24fe1bf07b15af53b1b72877f57
SHA3 2e2d956fb46caa5c6259650587d3d6f20c4c81d53620ea37014bb155e2781963
VirtualSize 0x22910
VirtualAddress 0x3b000
SizeOfRawData 0x22a00
PointerToRawData 0x8600
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 6.06472

Imports

ADVAPI32.dll RegCreateKeyExW
RegEnumKeyW
RegQueryValueExW
RegSetValueExW
RegCloseKey
RegDeleteValueW
RegDeleteKeyW
AdjustTokenPrivileges
LookupPrivilegeValueW
OpenProcessToken
SetFileSecurityW
RegOpenKeyExW
RegEnumValueW
SHELL32.dll SHGetSpecialFolderLocation
SHFileOperationW
SHBrowseForFolderW
SHGetPathFromIDListW
ShellExecuteExW
SHGetFileInfoW
ole32.dll OleInitialize
OleUninitialize
CoCreateInstance
IIDFromString
CoTaskMemFree
COMCTL32.dll #17
ImageList_Create
ImageList_Destroy
ImageList_AddMasked
USER32.dll GetClientRect
EndPaint
DrawTextW
IsWindowEnabled
DispatchMessageW
wsprintfA
CharNextA
CharPrevW
MessageBoxIndirectW
GetDlgItemTextW
SetDlgItemTextW
GetSystemMetrics
FillRect
AppendMenuW
TrackPopupMenu
OpenClipboard
SetClipboardData
CloseClipboard
IsWindowVisible
CallWindowProcW
GetMessagePos
CheckDlgButton
LoadCursorW
SetCursor
GetSysColor
SetWindowPos
GetWindowLongW
PeekMessageW
SetClassLongW
GetSystemMenu
EnableMenuItem
GetWindowRect
ScreenToClient
EndDialog
RegisterClassW
SystemParametersInfoW
CreateWindowExW
GetClassInfoW
DialogBoxParamW
CharNextW
ExitWindowsEx
DestroyWindow
CreateDialogParamW
SetTimer
SetWindowTextW
PostQuitMessage
SetForegroundWindow
ShowWindow
wsprintfW
SendMessageTimeoutW
FindWindowExW
IsWindow
GetDlgItem
SetWindowLongW
LoadImageW
GetDC
ReleaseDC
EnableWindow
InvalidateRect
SendMessageW
DefWindowProcW
BeginPaint
EmptyClipboard
CreatePopupMenu
GDI32.dll SetBkMode
SetBkColor
GetDeviceCaps
CreateFontIndirectW
CreateBrushIndirect
DeleteObject
SetTextColor
SelectObject
KERNEL32.dll GetExitCodeProcess
WaitForSingleObject
GetModuleHandleA
GetProcAddress
GetSystemDirectoryW
lstrcatW
Sleep
lstrcpyA
WriteFile
GetTempFileNameW
lstrcmpiA
RemoveDirectoryW
CreateProcessW
CreateDirectoryW
GetLastError
CreateThread
GlobalLock
GlobalUnlock
GetDiskFreeSpaceW
WideCharToMultiByte
lstrcpynW
lstrlenW
SetErrorMode
GetVersionExW
GetCommandLineW
GetTempPathW
GetWindowsDirectoryW
SetEnvironmentVariableW
CopyFileW
ExitProcess
GetCurrentProcess
GetModuleFileNameW
GetFileSize
CreateFileW
GetTickCount
MulDiv
SetFileAttributesW
GetFileAttributesW
SetCurrentDirectoryW
MoveFileW
GetFullPathNameW
GetShortPathNameW
SearchPathW
CompareFileTime
SetFileTime
CloseHandle
lstrcmpiW
lstrcmpW
ExpandEnvironmentStringsW
GlobalFree
GlobalAlloc
GetModuleHandleW
LoadLibraryExW
MoveFileExW
FreeLibrary
WritePrivateProfileStringW
GetPrivateProfileStringW
lstrlenA
MultiByteToWideChar
ReadFile
SetFilePointer
FindClose
FindNextFileW
FindFirstFileW
DeleteFileW

Delayed Imports

1

Type RT_ICON
Language English - United States
Codepage UNKNOWN
Size 0x10828
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 4.24511
MD5 5b5022130f1d1dbdc6cde71771a5d5a0
SHA1 40ed7aa2fd0ab46670369b4cc723c09ac09fc8e9
SHA256 6b5fdefe6dd2d528c9945b7278a00145a0ac1bd84e8add4e3e32fca419f25200
SHA3 58843017377f6ce0844f0901fc966ee454231422843696c71cbfd89d2a724ed0

2

Type RT_ICON
Language English - United States
Codepage UNKNOWN
Size 0xd3f8
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 7.92764
Detected Filetype PNG graphic file
MD5 8e234213412bb448337cfb1e05dec880
SHA1 69ecdabb73f87016394c1248606bf4e300573343
SHA256 47fffaf216469bbbefc3ae26d70990b9892d38f70571cc9179ae48708d63346a
SHA3 88a6ee33d21749f4effc806de7844244ec14335679eadb696b1e0e28f991c543

3

Type RT_ICON
Language English - United States
Codepage UNKNOWN
Size 0x25a8
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 4.51849
MD5 be2b1e09de93e06a7fabe277f19fb858
SHA1 aac92694a24b2eb88ffefaed4b9a64aa85a38a60
SHA256 a41f6bb9977acd547d930b242992726149a0c1be828f2e8738c7086a8ba32c6d
SHA3 5038bc717043bd86c27084c5fcd5bd9b136ebdfd3ebb0475d49253ee752c40a6

4

Type RT_ICON
Language English - United States
Codepage UNKNOWN
Size 0x10a8
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 4.75617
MD5 b6c1f5f4eaebd8a47b1e6cde0071bed0
SHA1 1674ed40858aae69c1d6dcfcf5cf3edfc88951a8
SHA256 82c21bdf67b5d1541a332b95f4d608e53f62b082ddccd7ddce131a7031d0c32f
SHA3 d9b8121d1743d57722ef3df47c54a1cfe0c730cb74192464a26f11af428ffb06

5

Type RT_ICON
Language English - United States
Codepage UNKNOWN
Size 0x988
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 4.93004
MD5 bcc59368d45b5579e7800956bb51a186
SHA1 72b5b91b63245e85893efc630a91d67833bc4710
SHA256 61896d486a77df6beb5a61574023efe090d84e4d42466943ff1ea70c609b8050
SHA3 7448332a65762b449e00b9934a108b01e7cea71b7c66009f37659727ae5d7357

6

Type RT_ICON
Language English - United States
Codepage UNKNOWN
Size 0x468
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 5.08765
MD5 f6692c2cdee7c8ac30439647d13abbd5
SHA1 a5e21684a8975d88fd875976f1d303bfda80848b
SHA256 f3601da020c40d12ebd27f044fae5aef42a1516358fd6a134395428d0de07759
SHA3 d81b1a790f5e8ce789cc5f8b3546e145a5a99d940f11e51bd0259232a9958cb8

105

Type RT_DIALOG
Language English - United States
Codepage UNKNOWN
Size 0x100
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 2.66174
MD5 3409f314895161597f3c395cc5f65525
SHA1 1a99d016d65e567f24449d9362afb6ac44006d0b
SHA256 fecdb955f8d7f1c219ff8167f90b64f3cb52e53337494577ff73c0ac1dafcd96
SHA3 b3b19241cc6454389e45833e50b742ae1927a5f161017350a99f2cbc66914f26

106

Type RT_DIALOG
Language English - United States
Codepage UNKNOWN
Size 0x11c
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 2.88094
MD5 2d12c45dc2c029044aaff357141cb900
SHA1 083db861ab3c7db23c6257878296e73a89a74b8b
SHA256 69897c784f1491eb3024b0d52c2897196a2e245974497fda1915db5fefcf8729
SHA3 349b5d605c9c3efe5e0c4e2faa12dd21022fc5f9b053f2cbf4e2a6b8bc656442

111

Type RT_DIALOG
Language English - United States
Codepage UNKNOWN
Size 0x60
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 2.48825
MD5 6be4e1387d369cf86e68eacbdd0e81dd
SHA1 351970fe2681b9b35b5d59ad052011ed96a96e17
SHA256 85025c8556952f6a651c2468c8a0d58853b0ba482be9ad5cd3060f216540dfc0
SHA3 45e552e173141e06d113209b6cc915042ad0b4d5531464b8dbe5637029f489cb

103

Type RT_GROUP_ICON
Language English - United States
Codepage UNKNOWN
Size 0x5a
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 2.8213
Detected Filetype Icon file
MD5 269365d3bff809f0db865085c4757030
SHA1 fb8c074fa6ff8256aaab66a5a628a1114cb83b37
SHA256 dda68c1f5ebefcff8004d6425dfd295e6759d5095021abe2f07a687bf2dae53d
SHA3 8d1ff02155cc70269b42799bd7fcd3f692cb2d5439df5ab7ac4e655c6c484258

1 (#2)

Type RT_MANIFEST
Language English - United States
Codepage UNKNOWN
Size 0x349
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 5.28747
MD5 39a5f7e944b19d4a6d666e5b22cb9189
SHA1 02ba880d90d9591390530245c9f79a8ff3e79aed
SHA256 64853bb3de406ea1dd1ca7b2acdf1e5f011236e25cf8271042b952be01e8f040
SHA3 d58d7ac1878dc0236f33fd60d22d0336f96582f4c1e4569f8d5bdadb4dc2e30c

Version Info

TLS Callbacks

Load Configuration

RICH Header

XOR Key 0xd26650e9
Unmarked objects 0
C objects (VS2003 (.NET) build 4035) 2
Total imports 165
Imports (VS2003 (.NET) build 4035) 15
48 (9044) 10
Resource objects (VS98 SP6 cvtres build 1736) 1

Errors

[*] Warning: Section .ndata has a size of 0!