Manalyze report for eed288e4a660c3347d87a51fb8e7f70f

Summary

Architecture	`IMAGE_FILE_MACHINE_AMD64`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_CUI`
Compilation Date	2018-Feb-01 19:43:01

Plugin Output

Suspicious	The PE is packed with UPX	`Unusual section name found: UPX0` `Section UPX0 is both writable and executable.` `Unusual section name found: UPX1` `Section UPX1 is both writable and executable.`
Info	The PE contains common functions which appear in legitimate applications.	`[!] The program may be hiding some of its imports: LoadLibraryA GetProcAddress`
Suspicious	The PE is possibly a dropper.	`Resource F134C3531485F4A34B40B10FE87A9963 is possibly compressed or encrypted.` `Resources amount for 88.4964% of the executable.`
Malicious	VirusTotal score: 8/69 (Scanned on 2019-04-04 08:24:33)	`FireEye: Generic.mg.eed288e4a660c334` `Invincea: heuristic` `SentinelOne: DFI - Suspicious PE` `Jiangmin: RiskTool.BAT.l` `Acronis: suspicious` `Cybereason: malicious.569b1d` `Paloalto: generic.ml` `CrowdStrike: win/malicious_confidence_80% (W)`

Hashes

MD5	`eed288e4a660c3347d87a51fb8e7f70f`
SHA1	`f309cec569b1d8de987f8c7ad12b3359bd1bbb11`
SHA256	`3c07d83a7873843eb62edc053e245ceafea6e9886345f2ffb37b7019a4a8cce8`
SHA3	`a1a810adaafe4643646d5c50a6700c0a85bfd19848ae69c892cf806044049a90`
SSDeep	`12288:TkN32H349/bINU6n/32oKUA00ueHOam6PRKg5/k3FBNUj:4N3Ym/bWb0wcM6PRz/2FBNW`
Imports Hash	`a50e815adb2cfe3e58d388c791946db8`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0x80`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_AMD64`
NumberofSections	`3`
TimeDateStamp	2018-Feb-01 19:43:01
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xf0`
Characteristics	`IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LARGE_ADDRESS_AWARE` `IMAGE_FILE_LINE_NUMS_STRIPPED` `IMAGE_FILE_LOCAL_SYMS_STRIPPED` `IMAGE_FILE_RELOCS_STRIPPED`

Image Optional Header

Magic	`PE32+`
LinkerVersion	`2.0`
SizeOfCode	`0x7d000`
SizeOfInitializedData	`0x7000`
SizeOfUninitializedData	`0x1c000`
AddressOfEntryPoint	`0x0000000000098970 (Section: UPX1)`
BaseOfCode	`0x1d000`
ImageBase	`0x140000000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`4.0`
ImageVersion	`0.0`
SubsystemVersion	`5.2`
Win32VersionValue	`0`
SizeOfImage	`0xa1000`
SizeOfHeaders	`0x1000`
Checksum	`0`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_CUI`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

UPX0

MD5	`d41d8cd98f00b204e9800998ecf8427e`
SHA1	`da39a3ee5e6b4b0d3255bfef95601890afd80709`
SHA256	`e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`
SHA3	`a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a`
VirtualSize	`0x1c000`
VirtualAddress	`0x1000`
SizeOfRawData	`0`
PointerToRawData	`0x200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_UNINITIALIZED_DATA` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`

UPX1

MD5	`639d3ea366ffd00504ebf00c333ceebf`
SHA1	`c29cc29451a15d45133e9abdeb0bf8f90473ea32`
SHA256	`cc4c68ad3b1b7c1cab9eb7fe58df9f5c59f154a2896161825700066cd69a77dd`
SHA3	`4b008eee183910b95db66357fe352e71a0a3545b1483c6fd0de757beaebb71ea`
VirtualSize	`0x7d000`
VirtualAddress	`0x1d000`
SizeOfRawData	`0x7c600`
PointerToRawData	`0x200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`7.99942`

.rsrc

MD5	`919255a373378fa6246f5b21ba047254`
SHA1	`a791623677b345071871859a33336e6a5b814ed3`
SHA256	`aeb29c9b4fbf8a9d2cf40dd07c48fd0aa3caaf0975af6336debcf962087418e8`
SHA3	`b609a76e118ba651dac9b62dacc397f91fbe94557e40ac777de44587403dd1bd`
VirtualSize	`0x7000`
VirtualAddress	`0x9a000`
SizeOfRawData	`0x6200`
PointerToRawData	`0x7c800`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`4.02165`

Imports

COMCTL32.DLL	`InitCommonControlsEx`
GDI32.DLL	`GetStockObject`
KERNEL32.DLL	`LoadLibraryA` `ExitProcess` `GetProcAddress` `VirtualProtect`
msvcrt.dll	`free`
OLE32.DLL	`CoInitialize`
SHELL32.DLL	`ShellExecuteExW`
SHLWAPI.DLL	`PathRemoveArgsW`
USER32.DLL	`SetFocus`
WINMM.DLL	`timeBeginPeriod`

Delayed Imports

1

Type	`RT_ICON`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x1cbc`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`7.87906`
Detected Filetype	PNG graphic file
MD5	`a91ee0f59054827e925b15bf61dafc90`
SHA1	`b8cbaf55af13c84336c76c35f5021cea28d4b0c9`
SHA256	`2cac50f56f17b4ac76e52168b2f8cf2f6d84bb076144853487e3eeefb8cfe1ac`
SHA3	`5dda3d81a760052b58f0634f89ca364d2fa8c9c0221c793002493a9ccfcee53a`

2

Type	`RT_ICON`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x25a8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`0.830613`
MD5	`c0a10339870ed56aa42203795087e4f3`
SHA1	`bddde31b37e3a0a3c49a9c6e35182a8fcad71ef6`
SHA256	`e39025a343b65e2faaf2d7e8745e96d41f2ea5dc24c4a33585645c0191ab4a9c`
SHA3	`493b09f1c13e66be51f4074ccdd301588a81e665c91557123ab50c2ba8865609`

3

Type	`RT_ICON`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x10a8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`0.988985`
MD5	`f4033ebe14734030a47df47be5ddfe06`
SHA1	`54b40e76ccae88833442e9927d2e71c194606351`
SHA256	`00661a985240bbd378c016e531c206740dac2d73ed5d91f11de6f21208c3b13f`
SHA3	`34d29fb747989c12c3dd1655689974ce3185186e2c0a0282b97a1bd043669f33`

4

Type	`RT_ICON`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x468`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`1.25832`
MD5	`a2ed967b737191fcdb8e7046af39b6ec`
SHA1	`75a3401c8a2ad2d105110b09d18547e0d6d9332a`
SHA256	`c050655e4fcd20b55ad9f071da39cdc7bb66188379bd3701030b9775be3d3175`
SHA3	`e14d781d7a4e37fec1a2ffa41fb7c691e4fa4ce7cb87777d8d9b8d9105473a75`

0879C7308A9E58CB6DEE0C666F3814B2

Type	`RT_RCDATA`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x14`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`4.22193`
MD5	`78d98b18412780e1972c6d9679da19e4`
SHA1	`f22393b9d637d2772504a3478a146e10939acda5`
SHA256	`0beb33bd1136716a82d7b00a6c152b63f8ee2bad1a948252faf055ad95f82af3`
SHA3	`0cb511ab64fe02a0e7c217625be1b380b6604176b35240ffa7692800e70fb450`

58D4F51523

Type	`RT_RCDATA`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x1`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`0`
MD5	`47ed733b8d10be225eceba344d533586`
SHA1	`a8abd012eb59b862bf9bc1ea443d2f35a1a2e222`
SHA256	`4a64a107f0cb32536e5bce6c98c393db21cca7f4ea187ba8c4dca8b51d4ea80a`
SHA3	`8d5cc459ce36eda1a075fb2a80696f455c96693ca7e619d1ebaa384c56ce4436`

EB5DE46299A0CFD3470BA6258D35D93D4B6E3A17

Type	`RT_RCDATA`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x10`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`4`
MD5	`8d50bf97d95d7549f2b3ed93090e9d3d`
SHA1	`a0ba0d7554e6656d7ec23396129218036c58216c`
SHA256	`855b46d66d8286c59187be387b0c1d784a4e8586914854faa78ed45d1650ce52`
SHA3	`74f456f606799263cdf4d42761028c6a7bdad92a89f33c225cbc430b0411d933`

F134C3531485F4A34B40B10FE87A9963

Type	`RT_RCDATA`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x6df1c`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`7.99958`
MD5	`f71ca0d8aa978b6e1b557fb05527780e`
SHA1	`0acc4f478fee61372215eb8b5cac613cf1e4200f`
SHA256	`19909b577e3af74b09313d1073daa3b8396fca684788570d7aa7ced7d948dd5f`
SHA3	`cab08306fe703cb981336c1c0be5ab43350567914b1d2f11ca918bc13639e478`

1 (#2)

Type	`RT_GROUP_ICON`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x3e`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.44608`
Detected Filetype	Icon file
MD5	`8cf11bcb5b742323d61319b6eb8b2cd2`
SHA1	`4be58298f1e890fd60157e60dc07f956895d84a0`
SHA256	`a5df8a435cd6727271fae6759bcb19ec0485146068d644e1265b55fdd1851385`
SHA3	`b40fcea6c74f9e54c2eb75fb48a3b640a9b91d49d893123eeb5543c0f58a3dcb`

1 (#3)

Type	`RT_MANIFEST`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x2a0`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.08821`
MD5	`ffd3b06250ba95d239365ef050b3627b`
SHA1	`16e3981245d8dbd44f33d93b203c02a44f3c2b95`
SHA256	`1c3703755b6e9a690e8eafaa0cc318f667cd5d4c06935b6e3cd07296df9e9dcd`
SHA3	`2c6baa84c172762978837565c2b2ed4f7716c0edaab79bda3a3ef74724426773`

Version Info

TLS Callbacks

Load Configuration

RICH Header

Errors

[*] Warning: Section UPX0 has a size of 0!