Manalyze report for fbd4ea403c67ebdba21276b36aca64a7

Summary

Architecture	`IMAGE_FILE_MACHINE_I386`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	2025-Mar-08 23:05:20
Detected languages	English - United States

Plugin Output

Info	Interesting strings found in the binary:	`Contains domain names: http://nsis.sf.net http://nsis.sf.net/NSIS_Error nsis.sf.net`
Suspicious	The PE is an NSIS installer	`Unusual section name found: .ndata`
Malicious	The PE contains functions mostly used by malware.	`[!] The program may be hiding some of its imports: LoadLibraryExW GetProcAddress` `Can access the registry: RegEnumValueW RegEnumKeyW RegQueryValueExW RegSetValueExW RegCloseKey RegDeleteValueW RegDeleteKeyW RegOpenKeyExW RegCreateKeyExW` `Possibly launches other programs: CreateProcessW` `Can create temporary files: CreateFileW GetTempPathW` `Functions related to the privilege level: AdjustTokenPrivileges OpenProcessToken` `Can shut the system down or lock the screen: ExitWindowsEx`
Suspicious	The file contains overlay data.	`1109142 bytes of data starting at offset 0x19a00.` `The overlay data has an entropy of 7.9262 and is possibly compressed or encrypted.` `Overlay data amounts for 91.3549% of the executable.`
Malicious	VirusTotal score: 53/71 (Scanned on 2026-02-16 03:11:12)	`ALYac: Gen:Trojan.Malware.kvZ@a4cXcwji` `APEX: Malicious` `AVG: Win32:Evo-gen [Trj]` `AhnLab-V3: Trojan/Win.Generic.R757258` `Alibaba: Trojan:Win32/Dedok.ef5b2294` `Antiy-AVL: Trojan/Win32.Agent` `Arcabit: Trojan.Malware.EED929` `Avast: Win32:Evo-gen [Trj]` `Avira: HEUR/AGEN.1373296` `BitDefender: Gen:Trojan.Malware.kvZ@a4cXcwji` `Bkav: W32.AIDetectMalware` `CAT-QuickHeal: Trojan.Win64` `CTX: exe.trojan.generic` `CrowdStrike: win/malicious_confidence_100% (D)` `Cylance: Unsafe` `Cynet: Malicious (score: 100)` `DeepInstinct: MALICIOUS` `DrWeb: Trojan.MulDrop35.46216` `ESET-NOD32: Win32/Inoci.A trojan` `Elastic: malicious (high confidence)` `Emsisoft: Gen:Trojan.Malware.kvZ@a4cXcwji (B)` `F-Secure: Heuristic.HEUR/AGEN.1373296` `Fortinet: W32/Inoci.A!tr` `GData: Gen:Trojan.Malware.kvZ@a4cXcwji` `Google: Detected` `Gridinsoft: Trojan.Win32.Kryptik.sa` `Ikarus: Trojan-Dropper.Win64.Agent` `K7AntiVirus: Trojan ( 005ce47e1 )` `K7GW: Trojan ( 005ce47e1 )` `Kaspersky: Trojan.Win32.Dedok.cet` `Kingsoft: Win32.Trojan-PSW.Stealer.gen` `Lionic: Trojan.Win32.Agent.tsYE` `Malwarebytes: Generic.Malware/Suspicious` `MaxSecure: Trojan.Malware.584852859.susgen` `McAfeeD: ti!D22B56FBE800` `MicroWorld-eScan: Gen:Trojan.Malware.kvZ@a4cXcwji` `Microsoft: Trojan:Win32/Etset!rfn` `Paloalto: generic.ml` `Rising: Stealer.Agent!8.C2 (CLOUD)` `Sangfor: Trojan.Win32.Save.a` `SentinelOne: Static AI - Suspicious PE` `Skyhigh: BehavesLike.Win32.Dropper.tc` `Sophos: Mal/Generic-S` `Tencent: Win32.Trojan.Dedok.Simw` `TrellixENS: Artemis!FBD4EA403C67` `TrendMicro: TROJ_GEN.R002C0DBF26` `TrendMicro-HouseCall: TROJ_GEN.R002C0DBF26` `VIPRE: Gen:Trojan.Malware.kvZ@a4cXcwji` `Varist: W64/ABTrojan.TZNV-4935` `ViRobot: Trojan.Win.Z.Stealer.1214102` `VirIT: Trojan.Win32.GenusT.FMNN` `alibabacloud: Trojan[stealer]:Win/Inoci.A` `huorong: HVM:Trojan/Deceiver.gen!A`

Hashes

MD5	`fbd4ea403c67ebdba21276b36aca64a7`
SHA1	`c612f7814de2fc829517d711e04ec3c7fa2315b2`
SHA256	`d22b56fbe800dfbb332d23556e297851bb5aa0b3cba6767e47296d6d4ea8ce1b`
SHA3	`639e6f44d377db2c0a3abe7da2a7422dbde34fea4d60f57375b0d9cae5552fab`
SSDeep	`24576:/TANB7lFtoNvaMYEmqsH6rNYIEko32LVJEViBQpdZ:L0ZEpw6r1po32LVJxSdZ`
Imports Hash	`573bb7b41bc641bd95c0f5eec13c233b`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0xd8`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_I386`
NumberofSections	`5`
TimeDateStamp	2025-Mar-08 23:05:20
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xe0`
Characteristics	`IMAGE_FILE_32BIT_MACHINE` `IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LINE_NUMS_STRIPPED` `IMAGE_FILE_LOCAL_SYMS_STRIPPED` `IMAGE_FILE_RELOCS_STRIPPED`

Image Optional Header

Magic	`PE32`
LinkerVersion	`6.0`
SizeOfCode	`0x6a00`
SizeOfInitializedData	`0x2d200`
SizeOfUninitializedData	`0x800`
AddressOfEntryPoint	`0x0000358D (Section: .text)`
BaseOfCode	`0x1000`
BaseOfData	`0x8000`
ImageBase	`0x400000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`4.0`
ImageVersion	`6.0`
SubsystemVersion	`4.0`
Win32VersionValue	`0`
SizeOfImage	`0x56000`
SizeOfHeaders	`0x400`
Checksum	`0`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` `IMAGE_DLLCHARACTERISTICS_NO_SEH` `IMAGE_DLLCHARACTERISTICS_NX_COMPAT` `IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`94737d36b692e6ce59779da29276e9c8`
SHA1	`404ffd0e99a36598d581f0deacadf58c31b81d76`
SHA256	`787c8bd338cc402b56aef79522566487fdabe71002273f1d61ce33d95a2169f0`
SHA3	`665383489e0ae2585e100f5d3ff3c374634934f15cda26f93559903cb218a967`
VirtualSize	`0x6933`
VirtualAddress	`0x1000`
SizeOfRawData	`0x6a00`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.48911`

.rdata

MD5	`830eee471db242c9b32a1101979a5864`
SHA1	`20670ffd0ac07ff2f163663df488d0bcb50a239d`
SHA256	`24f50a92df2985fbe4e63fdb8aa01b8822dc5b9249aca403ac13ef300bd19429`
SHA3	`2f7c867f1b73add842cb3153a0233ba004e4f2cc4ac7ad9b3d5f7c8c5d548f94`
VirtualSize	`0x1464`
VirtualAddress	`0x8000`
SizeOfRawData	`0x1600`
PointerToRawData	`0x6e00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`4.97094`

.data

MD5	`75e4d782d218f1e0e97d1f4aa26f7911`
SHA1	`18ba47233a004a3adc6589c8191cf98e30694f97`
SHA256	`bf0018ee8238ec05803110c1d17310d37416bf72548b9912c00f5cecc209d7d0`
SHA3	`fcfb042b8f00be3ccf01cf41bed67736c2e03884e63075ffd81bafefb4702d59`
VirtualSize	`0x2a818`
VirtualAddress	`0xa000`
SizeOfRawData	`0x600`
PointerToRawData	`0x8400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`4.17431`

.ndata

MD5	`d41d8cd98f00b204e9800998ecf8427e`
SHA1	`da39a3ee5e6b4b0d3255bfef95601890afd80709`
SHA256	`e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`
SHA3	`a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a`
VirtualSize	`0x10000`
VirtualAddress	`0x35000`
SizeOfRawData	`0`
PointerToRawData	`0`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_UNINITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`

.rsrc

MD5	`1513d8375d36e6652219b9f7227b8c0a`
SHA1	`860f97445181c006c6613a9d6d5feacb828cedfa`
SHA256	`f19f101c6d2bddcb3e5a3e3190cc7400be834f68a8c7aae15417c8b0461f0786`
SHA3	`395ab738d0d2ed518cba7863578ab2e52aeb7ace1a3cc8e0dec2fe2bc6f27258`
VirtualSize	`0x10f90`
VirtualAddress	`0x45000`
SizeOfRawData	`0x11000`
PointerToRawData	`0x8a00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`3.89679`

Imports

ADVAPI32.dll	`RegEnumValueW` `RegEnumKeyW` `RegQueryValueExW` `RegSetValueExW` `RegCloseKey` `RegDeleteValueW` `RegDeleteKeyW` `AdjustTokenPrivileges` `LookupPrivilegeValueW` `OpenProcessToken` `RegOpenKeyExW` `RegCreateKeyExW`
SHELL32.dll	`SHGetPathFromIDListW` `SHBrowseForFolderW` `SHGetFileInfoW` `SHFileOperationW` `ShellExecuteExW`
ole32.dll	`CoCreateInstance` `OleUninitialize` `OleInitialize` `IIDFromString` `CoTaskMemFree`
COMCTL32.dll	`ImageList_Destroy` `#17` `ImageList_AddMasked` `ImageList_Create`
USER32.dll	`MessageBoxIndirectW` `GetDlgItemTextW` `SetDlgItemTextW` `CreatePopupMenu` `AppendMenuW` `TrackPopupMenu` `OpenClipboard` `EmptyClipboard` `SetClipboardData` `CloseClipboard` `IsWindowVisible` `CallWindowProcW` `GetMessagePos` `CheckDlgButton` `LoadCursorW` `SetCursor` `GetSysColor` `SetWindowPos` `GetWindowLongW` `IsWindowEnabled` `SetClassLongW` `GetSystemMenu` `EnableMenuItem` `GetWindowRect` `ScreenToClient` `EndDialog` `RegisterClassW` `SystemParametersInfoW` `CharPrevW` `GetClassInfoW` `DialogBoxParamW` `CharNextW` `ExitWindowsEx` `DestroyWindow` `CreateDialogParamW` `SetTimer` `SetWindowTextW` `PostQuitMessage` `SetForegroundWindow` `ShowWindow` `wsprintfW` `SendMessageTimeoutW` `FindWindowExW` `IsWindow` `GetDlgItem` `SetWindowLongW` `LoadImageW` `GetDC` `ReleaseDC` `EnableWindow` `InvalidateRect` `SendMessageW` `DefWindowProcW` `BeginPaint` `GetClientRect` `FillRect` `DrawTextW` `EndPaint` `CharNextA` `wsprintfA` `DispatchMessageW` `CreateWindowExW` `PeekMessageW` `GetSystemMetrics`
GDI32.dll	`GetDeviceCaps` `SetBkColor` `SelectObject` `DeleteObject` `CreateBrushIndirect` `CreateFontIndirectW` `SetBkMode` `SetTextColor`
KERNEL32.dll	`lstrcmpiA` `CreateFileW` `GetTempFileNameW` `RemoveDirectoryW` `CreateProcessW` `CreateDirectoryW` `CreateThread` `GlobalLock` `GlobalUnlock` `GetDiskFreeSpaceW` `WideCharToMultiByte` `lstrcpynW` `lstrlenW` `SetErrorMode` `GetVersionExW` `GetCommandLineW` `GetTempPathW` `GetWindowsDirectoryW` `SetEnvironmentVariableW` `WriteFile` `ExitProcess` `GetCurrentProcess` `GetModuleFileNameW` `GetLastError` `GetFileSize` `GetTickCount` `Sleep` `SetFileAttributesW` `GetFileAttributesW` `SetCurrentDirectoryW` `MoveFileW` `GetFullPathNameW` `GetShortPathNameW` `SearchPathW` `CompareFileTime` `SetFileTime` `CloseHandle` `lstrcmpiW` `lstrcmpW` `ExpandEnvironmentStringsW` `GlobalFree` `GlobalAlloc` `GetModuleHandleW` `LoadLibraryExW` `FreeLibrary` `WritePrivateProfileStringW` `GetPrivateProfileStringW` `lstrlenA` `MultiByteToWideChar` `ReadFile` `SetFilePointer` `FindClose` `FindNextFileW` `FindFirstFileW` `DeleteFileW` `MulDiv` `lstrcpyA` `MoveFileExW` `lstrcatW` `GetSystemDirectoryW` `GetProcAddress` `GetModuleHandleA` `GetExitCodeProcess` `WaitForSingleObject` `CopyFileW`

Delayed Imports

1

Type	`RT_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x10828`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.80909`
MD5	`b74bacd4ebe8ff2c1084a5d01fbdc5ec`
SHA1	`7b4eed2478f4d5b80a4803a6bb5bffc787046a68`
SHA256	`8d4c13cfeefa4b7c9cae29615a9f28b7b8c1da62b2e562a27e6e697b21ed120d`
SHA3	`c2390d2fee5628cd3b6e67f828e52c42395ea8f9ddedb0cefe6a12011a218519`

105

Type	`RT_DIALOG`
Language	English - United States
Codepage	UNKNOWN
Size	`0x100`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.66174`
MD5	`3409f314895161597f3c395cc5f65525`
SHA1	`1a99d016d65e567f24449d9362afb6ac44006d0b`
SHA256	`fecdb955f8d7f1c219ff8167f90b64f3cb52e53337494577ff73c0ac1dafcd96`
SHA3	`b3b19241cc6454389e45833e50b742ae1927a5f161017350a99f2cbc66914f26`

106

Type	`RT_DIALOG`
Language	English - United States
Codepage	UNKNOWN
Size	`0x11c`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.88094`
MD5	`2d12c45dc2c029044aaff357141cb900`
SHA1	`083db861ab3c7db23c6257878296e73a89a74b8b`
SHA256	`69897c784f1491eb3024b0d52c2897196a2e245974497fda1915db5fefcf8729`
SHA3	`349b5d605c9c3efe5e0c4e2faa12dd21022fc5f9b053f2cbf4e2a6b8bc656442`

111

Type	`RT_DIALOG`
Language	English - United States
Codepage	UNKNOWN
Size	`0x60`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.48825`
MD5	`6be4e1387d369cf86e68eacbdd0e81dd`
SHA1	`351970fe2681b9b35b5d59ad052011ed96a96e17`
SHA256	`85025c8556952f6a651c2468c8a0d58853b0ba482be9ad5cd3060f216540dfc0`
SHA3	`45e552e173141e06d113209b6cc915042ad0b4d5531464b8dbe5637029f489cb`

103

Type	`RT_GROUP_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x14`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`1.98048`
Detected Filetype	Icon file
MD5	`38388dda6548693f4d42f2241a4218d7`
SHA1	`78bedd12a20f97e31e58742381f3d0ca1edb4715`
SHA256	`cd0991dd595a1392452a8c7ccf089e73626bc6eed1fd3f54ee4c6aa7ffbaedba`
SHA3	`9ace1e9f008d60580379cdfdcd4119706c82d52d2e5fdb9e5745fa00864cc1a8`

1 (#2)

Type	`RT_MANIFEST`
Language	English - United States
Codepage	UNKNOWN
Size	`0x33e`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.2992`
MD5	`049a11f57000e4e9c591f015e3d6cb28`
SHA1	`62440541c3265540ca97a5ded0a08533c5d24c15`
SHA256	`726a2d84196a8088bcd85b4ad3520ed827ea5769006a6c5ef4268956324fe2ab`
SHA3	`843e43a222c01a6b0b84a9f018d2c04112065680ed55fb8eb0009d49302a9a53`

Version Info

TLS Callbacks

Load Configuration

RICH Header

XOR Key	`0xd24e50e9`
Unmarked objects	`0`
C objects (VS2003 (.NET) build 4035)	`2`
Total imports	`163`
Imports (VS2003 (.NET) build 4035)	`15`
48 (9044)	`10`
Resource objects (VS98 SP6 cvtres build 1736)	`1`

Errors

[*] Warning: Section .ndata has a size of 0!