Manalyze report for f3a80b0cc2f6550a23a403e9df3bb37e

Summary

Architecture	`IMAGE_FILE_MACHINE_I386`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	2016-Nov-26 14:00:52
Detected languages	Turkish - Turkey
Comments	CyberGhost Windows Client
CompanyName	CyberGhost S.R.L.
FileDescription	CyberGhost
FileVersion	`6.0.3.2124`
InternalName	CyberGhost.exe
LegalCopyright	Copyright © 2004-2016 CyberGhost S.R.L.
LegalTrademarks
OriginalFilename	CyberGhost.exe
ProductName	CyberGhost
ProductVersion	`6.0.3.2124`
Assembly Version	6.0.3.2124

Plugin Output

Suspicious	PEiD Signature:	`UPX V2.00-V2.90 -> Markus Oberhumer & Laszlo Molnar & John Reiser` `UPX v2.0 -> Markus, Laszlo & Reiser (h)` `UPX -> www.upx.sourceforge.net` `UPX V2.00-V2.90 -> Markus Oberhumer & Laszlo Molnar & John Reiser`
Suspicious	The PE is packed with UPX	`Unusual section name found: UPX0` `Section UPX0 is both writable and executable.` `Unusual section name found: UPX1` `Section UPX1 is both writable and executable.` `The PE only has 7 import(s).`
Suspicious	The PE contains functions most legitimate programs don't use.	`[!] The program may be hiding some of its imports: LoadLibraryA GetProcAddress` `Memory manipulation functions often used by packers: VirtualProtect VirtualAlloc`
Info	The PE's resources present abnormal characteristics.	`Resource XFNARIOJCU is possibly compressed or encrypted.`
Malicious	VirusTotal score: 58/72 (Scanned on 2022-10-07 17:55:14)	`ALYac: Gen:Variant.Graftor.356180` `APEX: Malicious` `AVG: Win32:DropperX-gen [Drp]` `Acronis: suspicious` `Ad-Aware: Gen:Variant.Graftor.356180` `AhnLab-V3: Backdoor/Win32.RL_Androm.R367915` `Alibaba: Backdoor:Win32/Androm.37c44fc1` `Antiy-AVL: Trojan/Generic.ASMalwS.A9D` `Arcabit: Trojan.Graftor.D56F54` `Avast: Win32:DropperX-gen [Drp]` `Avira: BDS/Androm.kxkjx` `BitDefender: Gen:Variant.Graftor.356180` `BitDefenderTheta: Gen:NN.ZevbaF.34698.@pKfaa94PGjG` `ClamAV: Win.Malware.Razy-9835733-0` `Comodo: Malware@#1pk899i688ywr` `CrowdStrike: win/malicious_confidence_70% (W)` `Cybereason: malicious.cc2f65` `Cylance: Unsafe` `Cynet: Malicious (score: 100)` `Cyren: W32/Androm.CM.gen!Eldorado` `DrWeb: Trojan.KeyLogger.26760` `ESET-NOD32: a variant of Win32/GenKryptik.AJXL` `Elastic: malicious (moderate confidence)` `Emsisoft: Gen:Variant.Graftor.356180 (B)` `F-Secure: Backdoor.BDS/Androm.kxkjx` `FireEye: Generic.mg.f3a80b0cc2f6550a` `Fortinet: W32/Androm.MPYV!tr.bdr` `GData: Gen:Variant.Graftor.356180` `Google: Detected` `Ikarus: Backdoor.Androm` `Jiangmin: Backdoor.Androm.whk` `K7AntiVirus: Password-Stealer ( 004b72861 )` `K7GW: Password-Stealer ( 004b72861 )` `Kaspersky: Backdoor.Win32.Androm.otle` `Lionic: Trojan.Win32.Androm.m!c` `MAX: malware (ai score=88)` `Malwarebytes: Malware.AI.4264039072` `MaxSecure: Trojan.Malware.10695881.susgen` `McAfee: GenericRXAA-FA!F3A80B0CC2F6` `McAfee-GW-Edition: BehavesLike.Win32.Trojan.tc` `MicroWorld-eScan: Gen:Variant.Graftor.356180` `Microsoft: Trojan:Win32/Dynamer!rfn` `NANO-Antivirus: Trojan.Win32.Androm.fbqpgx` `Paloalto: generic.ml` `Panda: Trj/CI.A` `Rising: Backdoor.Androm!8.113 (CLOUD)` `Sangfor: Backdoor.Win32.Androm.kxkjx` `SentinelOne: Static AI - Suspicious PE` `Sophos: Mal/Generic-S` `Symantec: ML.Attribute.HighConfidence` `Tencent: Win32.Backdoor.Androm.Simw` `Trapmine: suspicious.low.ml.score` `VBA32: Backdoor.Androm` `VIPRE: Gen:Variant.Graftor.356180` `Webroot:` `Yandex: Backdoor.Androm!LjGFxGIqIQY` `Zillya: Backdoor.Androm.Win32.41966` `ZoneAlarm: Backdoor.Win32.Androm.otle`

Hashes

MD5	`f3a80b0cc2f6550a23a403e9df3bb37e`
SHA1	`9a1acca7aa72acbf82c5fbe1d3f00a95b5a95ba8`
SHA256	`d2db9e65e782e909f5e26079206b6a0ec030dfb99b124022794a6a9610ceb15f`
SHA3	`3565ef6050c35de54042669ee846aba4b84cedd605873370a7c5c3ef2675f344`
SSDeep	`98304:dbUsORdp8V4kqgPc13covmnUzIxTXIkVsWliB4se2qinCQGHinnF3AOeof:RUsOiVAkivmUzc4kHibqcYivB`
Imports Hash	`4f6bfb169aed4198ae4617b2e78088c4`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0xc8`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_I386`
NumberofSections	`3`
TimeDateStamp	2016-Nov-26 14:00:52
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xe0`
Characteristics	`IMAGE_FILE_32BIT_MACHINE` `IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LINE_NUMS_STRIPPED` `IMAGE_FILE_LOCAL_SYMS_STRIPPED` `IMAGE_FILE_RELOCS_STRIPPED`

Image Optional Header

Magic	`PE32`
LinkerVersion	`6.33`
SizeOfCode	`0x5c0000`
SizeOfInitializedData	`0x7000`
SizeOfUninitializedData	`0xf000`
AddressOfEntryPoint	`0x005CF090 (Section: UPX1)`
BaseOfCode	`0x10000`
BaseOfData	`0x5d0000`
ImageBase	`0x400000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`4.0`
ImageVersion	`16.21`
SubsystemVersion	`4.0`
Win32VersionValue	`0`
SizeOfImage	`0x5d7000`
SizeOfHeaders	`0x1000`
Checksum	`0`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

UPX0

MD5	`d41d8cd98f00b204e9800998ecf8427e`
SHA1	`da39a3ee5e6b4b0d3255bfef95601890afd80709`
SHA256	`e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`
SHA3	`a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a`
VirtualSize	`0xf000`
VirtualAddress	`0x1000`
SizeOfRawData	`0`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_UNINITIALIZED_DATA` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`

UPX1

MD5	`351295cccee538336ae48e38c244510f`
SHA1	`d65fa143f482083f728d994f2abebc832f905579`
SHA256	`1e6268bffee7c1eb3c0269640120ab56d32f5a964dceccc6e56da1a2ed672e79`
SHA3	`16743b9c6ae579727e405d1a05fe555eaeaeda9c8b586eb5794a6a4a2b1ed2b5`
VirtualSize	`0x5c0000`
VirtualAddress	`0x10000`
SizeOfRawData	`0x5bfe00`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`7.99996`

.rsrc

MD5	`d0d42fcfe524ea786263cd7d2b9f99ab`
SHA1	`af256e31242009d4406ec9f111ab8a59636e63af`
SHA256	`16059bbf4cb3a3fdb14331186072b29b44dd5be63a5a8c9da5fc49efc16f1480`
SHA3	`6cb054303df71b0164945fcf58ab525f4abeebd38feb14f71dca97b8fed7391c`
VirtualSize	`0x7000`
VirtualAddress	`0x5d0000`
SizeOfRawData	`0x6a00`
PointerToRawData	`0x5c0200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`4.91685`

Imports

KERNEL32.DLL	`LoadLibraryA` `GetProcAddress` `VirtualProtect` `VirtualAlloc` `VirtualFree` `ExitProcess`
MSVBVM60.DLL	`#618`

Delayed Imports

XFNARIOJCU

Type	`MUSIC`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x228000`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`7.99991`
MD5	`a7c79269c3f5b5fca6726a90eb1766d6`
SHA1	`a3697cbb4c1ffbf99bfa367991f3d91fe811352c`
SHA256	`3b91bf398ee82b0978fa99235345287c7d9b02fa0e4ec7f29bbf3def0a63c5e7`
SHA3	`93b7e7742b99f1dfcccf7abefd3c56c761a478a13dbfdfcad1da5eca38c878ca`

1

Type	`RT_ICON`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x4028`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`4.64881`
MD5	`eb64ce38ac9a0d604969897000ef38f6`
SHA1	`c876ed900ef2dbd6582494b949b34cd5f22124b7`
SHA256	`ece037e105d76ca82aae0c7ef964ba285aa5bb839936cf2cfb9329ee77ce9eea`
SHA3	`d89e8475e1961588118ec17d361467de44d1370bdf19ea784d82194288bc6bd6`

2

Type	`RT_ICON`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x1028`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`4.9684`
MD5	`be3b1c1390166618669fff997f8a2574`
SHA1	`e5d8ebe1c0de2f1e3723f063747b0029dc5f5336`
SHA256	`d4d8a1d8983ca4e0289864a461d8f5711bc89848a3513e5c77f19efd46a8802b`
SHA3	`8835fb10d30085b361ae03496014365cfa829695a87131169e40dd11fbf42910`

3

Type	`RT_ICON`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x928`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.05366`
MD5	`2bf418818927f997a9af2a735020788b`
SHA1	`95cdff5260ce12613ac3ab9cb382ceeba4cd71a5`
SHA256	`de4a96e70391e0883fd5694dd8dd55f6d966d3e48ce1cad8e77a0a4b23181c13`
SHA3	`6f455c8fc3b1dd6b03195a7f77e8b53480a9a028d1ee587bb50df0e98085b79f`

4

Type	`RT_ICON`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x428`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.1522`
MD5	`fe2bfee3c73724070b335dca05beb2e3`
SHA1	`903ac833c3122587f0f03c27d86b885f8e123182`
SHA256	`2ad38a47ec6a303d730605e2775d482c6a2560b5e56f7dd155d3413a4de377b1`
SHA3	`998714e6515b151f549832befdf840a44b423239dddd9e6df30d9b33b409ab83`

1 (#2)

Type	`RT_GROUP_ICON`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x3e`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.48187`
Detected Filetype	Icon file
MD5	`6975d183862d628d9c196b0c122007da`
SHA1	`08f79701b92712eaaef1c57c61c97d297ebd8fef`
SHA256	`06d7e90d971f6e66f715d10a1bf4249fcc172b46122bfb1ee2dc5d7f93b81f92`
SHA3	`727090af118fa078ba77b888fd39fbedc5f23b77978c027095b748840694372e`

1 (#3)

Type	`RT_VERSION`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x3c0`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.41303`
MD5	`fca6f7c2e809acb09ac32e4d2a9ff68f`
SHA1	`aec2d3e3fea154af56a9435b64ead65c6b53c7f6`
SHA256	`73ba0fe3c937f62f516f6eaa4ce7d46cf165b8c75d9c9028c3fb7c82b1b69446`
SHA3	`252bfb97a898a2c57ef8832e8231431399dc227d3859a531fbdeacc5bddb3b12`

1 (#4)

Type	`RT_MANIFEST`
Language	Turkish - Turkey
Codepage	Latin 1 / Western European
Size	`0x424`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`4.64772`
MD5	`2ffb82c18f61dff08530d65c78f6c4a4`
SHA1	`d8ee247b5eeae2f2c809538edb1a6fbb913999b6`
SHA256	`d1a22f2d159aa4981f02d20f78c25bb21997052081ed969bf9da600e9d44ef78`
SHA3	`394a0e7223f55f34f83468926079b42d16a089184d563265e23b775b9f0622b8`

Version Info

Signature	`0xfeef04bd`
StructVersion	`0x10000`
FileVersion	6.0.3.2124
ProductVersion	6.0.3.2124
FileFlags	`(EMPTY)`
FileOs	`VOS_DOS_WINDOWS32` `VOS_NT_WINDOWS32` `VOS__WINDOWS32`
FileType	`VFT_APP`
Language	UNKNOWN
Comments	CyberGhost Windows Client
CompanyName	CyberGhost S.R.L.
FileDescription	CyberGhost
FileVersion (#2)	6.0.3.2124
InternalName	CyberGhost.exe
LegalCopyright	Copyright © 2004-2016 CyberGhost S.R.L.
LegalTrademarks
OriginalFilename	CyberGhost.exe
ProductName	CyberGhost
ProductVersion (#2)	6.0.3.2124
Assembly Version	6.0.3.2124

Resource LangID	UNKNOWN

TLS Callbacks

Load Configuration

RICH Header

XOR Key	`0x89a99a19`
Unmarked objects	`0`
14 (7299)	`1`
9 (8041)	`5`
13 (8169)	`1`

Errors

[*] Warning: Section UPX0 has a size of 0!