Manalyze report for f300317af13482d53a001ec2d6a0f1f9

Summary

Architecture	`IMAGE_FILE_MACHINE_I386`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	2010-Jul-14 22:03:32
Detected languages	Chinese - PRC
CompanyName	Microsoft Corporation
FileDescription	Windows Service Pack Uninstall
FileVersion	`6.3.0004.1 built by: dnsrv`
InternalName	SPUNINST.EXE
LegalCopyright	(C) Microsoft Corporation. All rights reserved.
OriginalFilename	SPUNINST.EXE
ProductName	Microsoft(R) Windows(R) Operating System
ProductVersion	`6.3.0004.1`

Plugin Output

Info	Matching compiler(s):	`Microsoft Visual C++ 6.0 - 8.0` `Microsoft Visual C++` `Microsoft Visual C++ v6.0` `Microsoft Visual C++ v5.0/v6.0 (MFC)`
Suspicious	Strings found in the binary may indicate undesirable behavior:	`May have dropper capabilities: CurrentControlSet\seRviCes` `Contains another PE executable: This program cannot be run in DOS mode.`
Info	Cryptographic algorithms detected in the binary:	`Uses constants related to CRC32`
Suspicious	The PE is possibly packed.	`Unusual section name found: .idata2`
Suspicious	The PE contains functions most legitimate programs don't use.	`[!] The program may be hiding some of its imports: GetProcAddress LoadLibraryA` `Functions which can be used for anti-debugging purposes: CreateToolhelp32Snapshot` `Can access the registry: SHGetValueA SHDeleteKeyA SHCopyKeyA` `Possibly launches other programs: CreateProcessA` `Can create temporary files: GetTempPathA CreateFileA` `Leverages the raw socket API to access the Internet: closesocket getprotobynumber` `Manipulates other processes: Process32Next Process32First`
Malicious	The PE's digital signature is invalid.	`Signer: Kaspersky Lab` `Issuer: VeriSign Class 3 Code Signing 2004 CA` `The file was modified after it was signed.`
Malicious	VirusTotal score: 69/73 (Scanned on 2020-01-16 07:26:25)	`Bkav: W32.ZegostQKB.Trojan` `MicroWorld-eScan: Gen:Variant.Zegost.2` `VBA32: TrojanPSW.Bjlog` `FireEye: Generic.mg.f300317af13482d5` `CAT-QuickHeal: TrojanDropper.Zegost.C5` `McAfee: BackDoor-CEP.gen.cn` `Cylance: Unsafe` `Zillya: Trojan.Bjlog.Win32.11309` `SUPERAntiSpyware: Trojan.Agent/Gen-Zegost` `Sangfor: Malware` `K7AntiVirus: Unwanted-Program ( 004ae6551 )` `Alibaba: TrojanPSW:Win32/Bjlog.059b93a8` `K7GW: Unwanted-Program ( 004ae6551 )` `Cybereason: malicious.af1348` `Arcabit: Trojan.Zegost.2` `Invincea: heuristic` `Baidu: Win32.Backdoor.Zegost.b` `F-Prot: W32/Zegost.C.gen!Eldorado` `Symantec: Trojan Horse` `TotalDefense: Win32/Zegost.CJ` `APEX: Malicious` `Avast: Win32:Zegost-C [Trj]` `ClamAV: Win.Spyware.78740-1` `Kaspersky: Trojan-PSW.Win32.Bjlog.dtwr` `BitDefender: Gen:Variant.Zegost.2` `NANO-Antivirus: Trojan.Win32.Bjlog.drshei` `Paloalto: generic.ml` `ViRobot: Trojan.Win32.A.PSW-Bjlog.42428` `Tencent: Backdoor.Win32.Zegost.aaa` `Endgame: malicious (high confidence)` `Emsisoft: Gen:Variant.Zegost.2 (B)` `Comodo: Backdoor.Win32.Zegost.B@1qlsm2` `F-Secure: Backdoor:W32/Bjlog.D` `DrWeb: BackDoor.Zegost.48` `VIPRE: Trojan.Win32.Generic.pak!cobra` `TrendMicro: BKDR_ZEGOST.SMZZ` `McAfee-GW-Edition: BackDoor-CEP.gen.cn` `Trapmine: malicious.high.ml.score` `CMC: Trojan-PSW.Win32.Bjlog!O` `Sophos: Mal/PWS-GA` `SentinelOne: DFI - Malicious PE` `Cyren: W32/Zegost.L.gen!Eldorado` `Jiangmin: Trojan/PSW.Bjlog.bvd` `Webroot: W32.Trojan.Gen` `Avira: TR/PSW.Bjlog.lfzb` `Fortinet: W32/Bjlog.GL!tr` `Antiy-AVL: Trojan[PSW]/Win32.Bjlog.dtwr` `Microsoft: TrojanDropper:Win32/Zegost.B` `AegisLab: Trojan.Win32.Bjlog.l9ov` `ZoneAlarm: Trojan-PSW.Win32.Bjlog.dtwr` `TACHYON: Trojan-PWS/W32.Bjlog.209384` `AhnLab-V3: Trojan/Win32.Bjlog.R2244` `Acronis: suspicious` `BitDefenderTheta: AI:Packer.5AF68E151F` `ALYac: Gen:Variant.Zegost.2` `MAX: malware (ai score=100)` `Ad-Aware: Gen:Variant.Zegost.2` `Malwarebytes: Trojan.Dropper` `ESET-NOD32: a variant of Win32/Redosdru.FP` `TrendMicro-HouseCall: BKDR_ZEGOST.SMZZ` `Rising: Backdoor.Win32.GenFxj.c (CLOUD)` `Yandex: Trojan.Zegost.Gen.5` `Ikarus: Trojan.Agent` `eGambit: Unsafe.AI_Score_99%` `GData: Gen:Variant.Zegost.2` `AVG: Win32:Zegost-C [Trj]` `Panda: Generic Malware` `CrowdStrike: win/malicious_confidence_100% (W)` `Qihoo-360: Dropper.Win32.Zegost.A`

Hashes

MD5	`f300317af13482d53a001ec2d6a0f1f9`
SHA1	`0e5ba65affd69f93062cefdacf8bf143b24d22bb`
SHA256	`ccd37df0ab155d1378d4ba9fd5f862b4c162bea0668c3951905d45b0c5210d56`
SHA3	`d92fbe2e758ddeb1a26c9283b1ed8f427bffee32b06427cba14301617e499ae9`
SSDeep	`6144:8sItKnWUQpBTyPRqyhYPbncTBlhHrbndnkv0oX+:5tWUzJq8YPbncT3+I`
Imports Hash	`c509dbcf0dade053e5588087a4d64742`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0xf0`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_I386`
NumberofSections	`4`
TimeDateStamp	2010-Jul-14 22:03:32
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xe0`
Characteristics	`IMAGE_FILE_32BIT_MACHINE` `IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LINE_NUMS_STRIPPED` `IMAGE_FILE_LOCAL_SYMS_STRIPPED` `IMAGE_FILE_RELOCS_STRIPPED`

Image Optional Header

Magic	`PE32`
LinkerVersion	`6.0`
SizeOfCode	`0x5000`
SizeOfInitializedData	`0x2b000`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x00002C46 (Section: CODE)`
BaseOfCode	`0x1000`
BaseOfData	`0x6000`
ImageBase	`0x400000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`4.0`
ImageVersion	`0.0`
SubsystemVersion	`4.0`
Win32VersionValue	`0`
SizeOfImage	`0x31800`
SizeOfHeaders	`0x1000`
Checksum	`0`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

CODE

MD5	`724bafa43942ace1c9c643b75c40e926`
SHA1	`56e080fdd83ec2006fa5f4b4c3ca48a97055734e`
SHA256	`bbd712c58fda6d5dae8d1284c129380c479f240f1034263a5488a0be662705ba`
SHA3	`b297656a57b5dc3daf81df41c1066715b40148841e9610d40b42e6c94b08f274`
VirtualSize	`0x4af8`
VirtualAddress	`0x1000`
SizeOfRawData	`0x4af8`
PointerToRawData	`0x1000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.19665`

.data

MD5	`200c6a73f1a1e932c7db531bb411db72`
SHA1	`20fc8d5ae7d61907f38344ab18a839a53619f951`
SHA256	`c22f4d62034c298ab3102a8e5e8963938d0b639cd226005d82aa1bfe26be67d3`
SHA3	`f9f7cc5fe4249a12924b5ec00fc51be46692cb4ce966d29c5e2d5cc62d29f3cb`
VirtualSize	`0x29990`
VirtualAddress	`0x6000`
SizeOfRawData	`0x29990`
PointerToRawData	`0x6000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`6.50752`

.rsrc

MD5	`616d25b4d6b22b2bccf1a51a19bc7f51`
SHA1	`9e2842c7b606270acb13dddc699d4eff4e9bc5c2`
SHA256	`ded86c896afbb93371eab95547028a89dc073f95c4d204c5b32f3165f39ec185`
SHA3	`510abd1f41fac9253ed3941136c9d09a7436010784657eb929de30ee77e69682`
VirtualSize	`0x7a0`
VirtualAddress	`0x30000`
SizeOfRawData	`0x7a0`
PointerToRawData	`0x30000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`3.64922`

.idata2

MD5	`de557d7c4177caf67c6461f82c4d050e`
SHA1	`acf7bf1a05bfeac8df16cde96282494c90192735`
SHA256	`549c70630a2e03d5fbe606f806ce983ba86673b3d487ad57144d6c5021809f03`
SHA3	`5c4ff3485f511740f462765eb10d09b4c58f0da01252983e0aad9e2fa27c02f6`
VirtualSize	`0x1000`
VirtualAddress	`0x31000`
SizeOfRawData	`0x800`
PointerToRawData	`0x30800`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`36864`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`4.06373`

Imports

kernel32.dll	`ExitProcess` `GetTickCount` `IsBadWritePtr` `GetProcAddress` `GetModuleHandleA` `GetLastError` `Sleep` `LoadLibraryA` `GetCurrentDirectoryA` `GetTempPathA` `CloseHandle` `WriteFile` `SetFilePointer` `CreateFileA` `WaitForSingleObject` `GetCurrentProcess` `CreateEventA` `ExpandEnvironmentStringsA` `GetSystemDirectoryA` `SetEnvironmentVariableA` `SleepEx` `IsBadReadPtr` `ExitThread` `GetExitCodeThread` `CreateThread` `SetUnhandledExceptionFilter` `CreateProcessA` `GetStartupInfoA` `CopyFileA` `GetCommandLineA` `GetCurrentThreadId` `GetModuleFileNameA` `Process32Next` `lstrcmpi` `Process32First` `CreateToolhelp32Snapshot` `CreateDirectoryA` `DeleteFileA` `SetFileAttributesA` `GetFileAttributesA` `LocalAlloc` `InterlockedExchange` `RaiseException` `FreeLibrary`
msvcrt.dll	`_itoa` `_except_handler3` `memset` `__CxxFrameHandler` `memmove` `srand` `rand` `_ftol` `tolower` `malloc` `strncmp` `_exit` `_XcptFilter` `exit` `_acmdln` `__getmainargs` `_initterm` `__setusermatherr` `_adjust_fdiv` `__p__commode` `__p__fmode` `__set_app_type` `??1type_info@@UAE@XZ` `_controlfp`
SHLWAPI.dll	`PathFileExistsA` `SHGetValueA` `SHDeleteKeyA` `SHCopyKeyA`
USER32.dll	`GetActiveWindow` `wsprintfA` `FlashWindow`
WS2_32.dll	`closesocket` `getprotobynumber`

Delayed Imports

1

Type	`RT_ICON`
Language	Chinese - PRC
Codepage	UNKNOWN
Size	`0x2ea`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.4319`
MD5	`7e0a1312448bc8ce72d4ca785d01a372`
SHA1	`bf395a78934e29f5bb86b2511c815e262733218e`
SHA256	`8f32551949beee37c8895980a889b2626bc6f31fc37dd99cd54376dd27968e3e`
SHA3	`9d94a5dca3bdfff8c7d01b55c30fa8d1c83fbea416fe661d9dcd4889640d38b3`

118

Type	`RT_GROUP_ICON`
Language	Chinese - PRC
Codepage	UNKNOWN
Size	`0x14`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.16096`
Detected Filetype	Icon file
MD5	`370606d3b3e5b3ca49795c5ca64e6590`
SHA1	`eacf05988a48ea58535ee73031b46e751fcaa7b1`
SHA256	`1911f30279ca3ca4a7f5aa7df361cb39b5ad4ec2860339fad699f8e233abcea1`
SHA3	`e85e3b62a9adac8af587c4d31e9bbb261f685bea62f192b67f9be103f49827a8`

1 (#2)

Type	`RT_VERSION`
Language	Chinese - PRC
Codepage	UNKNOWN
Size	`0x3a4`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.48874`
MD5	`22b92abc3db99043ae35950109f524fb`
SHA1	`d6ccae7211ae726bb945b2dbc9ba884cba30d417`
SHA256	`b10d868e1284a2bb5a34368f9afeb9091611a68a3a8f8d1450625b77164f4c09`
SHA3	`f33990908b3e1d9346b50835afc847e6b18a25610152d3899813b31a02d125d4`

Version Info

Signature	`0xfeef04bd`
StructVersion	`0x10000`
FileVersion	6.3.4.1
ProductVersion	6.3.4.1
FileFlags	`(EMPTY)`
FileOs	`VOS_DOS_WINDOWS32` `VOS_NT` `VOS_NT_WINDOWS32` `VOS_WINCE` `VOS__WINDOWS32`
FileType	`VFT_APP`
Language	Chinese - PRC
CompanyName	Microsoft Corporation
FileDescription	Windows Service Pack Uninstall
FileVersion (#2)	6.3.0004.1 built by: dnsrv
InternalName	SPUNINST.EXE
LegalCopyright	(C) Microsoft Corporation. All rights reserved.
OriginalFilename	SPUNINST.EXE
ProductName	Microsoft(R) Windows(R) Operating System
ProductVersion (#2)	6.3.0004.1

Resource LangID	Chinese - PRC

TLS Callbacks

Load Configuration

RICH Header

XOR Key	`0xaa373b29`
Unmarked objects	`0`
12 (7291)	`2`
14 (7299)	`2`
C objects (VS98 build 8168)	`11`
Linker (VS98 build 8168)	`2`
Imports (VS2003 (.NET) build 4035)	`9`
Total imports	`130`
Resource objects (VS98 cvtres build 1720)	`1`
C++ objects (VS98 build 8168)	`9`

Errors

[*] Warning: Could not read the name of the DLL to be delay-loaded!