Manalyze report for 6bc7ffa059611309fdae763e6da12bd15cc46558ea5a4d6eb59fe598bef0b7e6

Summary

Architecture	`IMAGE_FILE_MACHINE_I386`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	2005-Sep-28 03:04:05
Detected languages	English - United States
Comments
CompanyName
ProductName	Brontok.A
FileVersion	`1.00.0004`
ProductVersion	`1.00.0004`
InternalName	Brontok.A
OriginalFilename	Brontok.A.HVM31

Plugin Output

Info	Matching compiler(s):	`Microsoft Visual Basic 5.0` `Microsoft Visual Basic v5.0/v6.0` `Microsoft Visual Basic v5.0 - v6.0` `Microsoft Visual Basic v6.0`
Info	Interesting strings found in the binary:	`Contains domain names: A.kotnorB.com google.com kafegaul.com kotnorB.com pornstargals.com yahoo.com`
Suspicious	The PE is possibly packed.	`Section .text is both writable and executable.` `Section .rsrc is both writable and executable.`
Malicious	VirusTotal score: 69/73 (Scanned on 2020-03-10 02:36:47)	`Bkav: W32.AchaentY.Trojan` `MicroWorld-eScan: Win32.Brontok.AP@mm` `FireEye: Generic.mg.78b832e5b174a831` `CAT-QuickHeal: Worm.Brontok.DC3` `McAfee: W32/Rontokbro.b@MM` `Cylance: Unsafe` `VIPRE: Worm.Win32.Brontok.1!cobra (v)` `SUPERAntiSpyware: Worm.Brontok-A` `Sangfor: Malware` `K7AntiVirus: Trojan ( 004c351a1 )` `Alibaba: Trojan:Win32/starter.ali1000030` `K7GW: Trojan ( 004c351a1 )` `Cybereason: malicious.5b174a` `Arcabit: Win32.Brontok.EF9751` `Invincea: heuristic` `BitDefenderTheta: AI:Packer.4E295F281D` `Cyren: W32/Brontok.C.gen!Eldorado` `Symantec: W32.Rontokbro.B@mm` `TotalDefense: Win32/Robknot.B` `Baidu: Win32.Worm-Email.Brontok.a` `APEX: Malicious` `Paloalto: generic.ml` `ClamAV: Win.Worm.Brontok-6` `Kaspersky: Email-Worm.Win32.VB.ay` `BitDefender: Win32.Brontok.AP@mm` `NANO-Antivirus: Trojan.Win32.Brontok.gfvy` `AegisLab: Worm.Win32.VB.kZz1` `Rising: Worm.VB.au (CLOUD)` `Ad-Aware: Win32.Brontok.AP@mm` `Emsisoft: Win32.Brontok.AP@mm (B)` `Comodo: Worm.Win32.Brontok.B@1xyc` `F-Secure: Worm.WORM/VB.ay.2` `DrWeb: BackDoor.Generic.1138` `Zillya: Worm.Brontok.Win32.11` `TrendMicro: WORM_RONTOKBRO.B` `McAfee-GW-Edition: BehavesLike.Win32.Vilsel.mt` `Fortinet: W32/Brontok.A@mm` `Trapmine: malicious.high.ml.score` `CMC: Email-Worm.Win32.Brontok!O` `Sophos: W32/Brontok-B` `SentinelOne: DFI - Malicious PE` `F-Prot: W32/VB.MZ` `Jiangmin: I-Worm/Brontok.a` `Webroot: W32.Malware.Gen` `Avira: WORM/VB.ay.2` `MAX: malware (ai score=85)` `Antiy-AVL: Worm[Email]/Win32.Brontok.c` `Endgame: malicious (high confidence)` `Microsoft: Worm:Win32/Brontok@mm` `ViRobot: I-Worm.Win32.Brontok.81920.H` `ZoneAlarm: Email-Worm.Win32.VB.ay` `AhnLab-V3: HEUR/Fakon.mwf.X1381` `Acronis: suspicious` `VBA32: TScope.Trojan.VB` `ALYac: Win32.Brontok.AP@mm` `Malwarebytes: Worm.Brontok` `Panda: W32/Brontok.GA.worm` `Zoner: Trojan.Win32.745` `ESET-NOD32: Win32/Brontok.B` `TrendMicro-HouseCall: WORM_RONTOKBRO.B` `Tencent: Trojan.Win32.FakeFolder.v` `Yandex: I-Worm.Brontok.ER` `Ikarus: Email-Worm.Win32.Brontok.A` `GData: Win32.Trojan.Rontokbro.A` `MaxSecure: Email-Worm.Brontok.Gen` `AVG: Win32:Brontok [Wrm]` `Avast: Win32:Brontok [Wrm]` `CrowdStrike: win/malicious_confidence_100% (W)` `Qihoo-360: HEUR/QVM03.0.0C1B.Malware.Gen`

Hashes

MD5	`78b832e5b174a831a9226756a2889134`
SHA1	`b0b5aba0dfa07ad59d5c94e3d8a6eb897086bc54`
SHA256	`6bc7ffa059611309fdae763e6da12bd15cc46558ea5a4d6eb59fe598bef0b7e6`
SHA3	`395fb122f1a4972d5a074dd2f9729b485acba664b2f8b30f58a166f90f515fa5`
SSDeep	`768:6v35BMCef+PQaEVSCBeWoLusS8dZrtzpDLbT99liMdOknCEXVOdFVXIoiLHfo5BL:M5AakFmuH8d3pDfT9tdXVC8/o5AY`
Imports Hash	`d077ffa44ebb639787633059ee7aeb2d`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0xb8`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_I386`
NumberofSections	`3`
TimeDateStamp	2005-Sep-28 03:04:05
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xe0`
Characteristics	`IMAGE_FILE_32BIT_MACHINE` `IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LINE_NUMS_STRIPPED` `IMAGE_FILE_LOCAL_SYMS_STRIPPED` `IMAGE_FILE_RELOCS_STRIPPED`

Image Optional Header

Magic	`PE32`
LinkerVersion	`6.0`
SizeOfCode	`0xf000`
SizeOfInitializedData	`0x5000`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x00001178 (Section: .text)`
BaseOfCode	`0x1000`
BaseOfData	`0x10000`
ImageBase	`0x400000`
SectionAlignment	`0x1000`
FileAlignment	`0x1000`
OperatingSystemVersion	`4.0`
ImageVersion	`1.0`
SubsystemVersion	`4.0`
Win32VersionValue	`0`
SizeOfImage	`0x28000`
SizeOfHeaders	`0x1000`
Checksum	`0x87878787`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`49f7029d70920d7b68e4e9db32fad2e6`
SHA1	`ae15b9d7d37509b54d3abfa78176a83dd7624bd2`
SHA256	`73265d84714df43305ff512ee63d10917406a49fc7a74e173106e3d016f1a4f3`
SHA3	`842c191ccc0b459f2c1a594a7969f44c7ef29f99c480a2d3968bc9a354f13819`
VirtualSize	`0xe440`
VirtualAddress	`0x1000`
SizeOfRawData	`0xf000`
PointerToRawData	`0x1000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`4.84681`

.data

MD5	`d41d8cd98f00b204e9800998ecf8427e`
SHA1	`da39a3ee5e6b4b0d3255bfef95601890afd80709`
SHA256	`e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`
SHA3	`a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a`
VirtualSize	`0xc3c`
VirtualAddress	`0x10000`
SizeOfRawData	`0`
PointerToRawData	`0`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`

.rsrc

MD5	`98255e63256c2e307a70efe81d81b3f3`
SHA1	`5cc8300ed7ef8f82c4928523cc36168fd2793224`
SHA256	`6e2c079ae31f44e701978ea2e72bcc118d178801f2f5209b40956e891e80ab12`
SHA3	`45ed12e029cfee483551dc27270f7d0b7831fa6d9acf761264cfeab20a5b60b3`
VirtualSize	`0x17000`
VirtualAddress	`0x11000`
SizeOfRawData	`0x5116`
PointerToRawData	`0x10000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`68`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`4.36755`

Imports

MSVBVM60.DLL	`#696` `#697` `MethCallEngine` `#626` `#519` `#705` `#631` `#525` `EVENT_SINK_AddRef` `#527` `#529` `DllFunctionCall` `EVENT_SINK_Release` `#600` `EVENT_SINK_QueryInterface` `__vbaExceptHandler` `#711` `#712` `#606` `#713` `#607` `#531` `#536` `#645` `#648` `#571` `#576` `#685` `#578` `#100` `#616` `#618` `#542` `#543` `#546` `#580`

Delayed Imports

30001

Type	`RT_ICON`
Language	UNKNOWN
Codepage	Unicode (UTF 16LE)
Size	`0x1ca8`
TimeDateStamp	2005-Sep-28 03:04:04
Entropy	`3.63115`
MD5	`9bda40b65947219200be3d7599370f51`
SHA1	`dc27a66d3973e5d935d5e1e8dd98465fbccbe011`
SHA256	`41a6a9ede2128cd8b1d9760bca22b3ea7da096d87b89cabbf0d5f334c9354273`
SHA3	`51c8bae10ba5ceb79d7b461cf92bd3f4159e07e6d98dc99713feef734b3f4668`

30002

Type	`RT_ICON`
Language	UNKNOWN
Codepage	Unicode (UTF 16LE)
Size	`0xca8`
TimeDateStamp	2005-Sep-28 03:04:04
Entropy	`3.1287`
MD5	`d90697803ccbc2b90b852414d8af977a`
SHA1	`609805bf6540f1ac382dee5b5e50462a4267b58f`
SHA256	`e2fc9d96007e18d69c31f1bcf6a42c3725b6d49ec3f7413c77972e435ab87bc4`
SHA3	`1e092fbb441e04ba1cc74598bc1482eddd16048b084a3b460cbcfadf3b092e7d`

30003

Type	`RT_ICON`
Language	UNKNOWN
Codepage	Unicode (UTF 16LE)
Size	`0x368`
TimeDateStamp	2005-Sep-28 03:04:04
Entropy	`3.50839`
MD5	`5c0d206b97f298dfb05850ace00c75ec`
SHA1	`23e606ac88b337c8b5a5392fa0934c3f4be9b22e`
SHA256	`47d147230da49a11bd3d2416da29eecc397d63ace80f868faad574af6b68734b`
SHA3	`481980bc7a336d79a72bf20639b77fdac40a1753defcb9bd0be3b316c9897d0d`

1

Type	`RT_GROUP_ICON`
Language	UNKNOWN
Codepage	Unicode (UTF 16LE)
Size	`0x30`
TimeDateStamp	2005-Sep-28 03:04:04
Entropy	`2.96794`
Detected Filetype	Icon file
MD5	`7502b48caed96e9ea5b0c8797f0478db`
SHA1	`0cb1a07a682ddf7b21fb00420790b703167b3135`
SHA256	`25b7c8e05cec0c26389ad8a6a671e5276a2a6e981bf3084d3535c547f8fd9a6c`
SHA3	`f302a31edc455e64eedac9bca9fc15b4d9f27f72060dc374c1118cc2ff34eb59`

1 (#2)

Type	`RT_VERSION`
Language	English - United States
Codepage	Unicode (UTF 16LE)
Size	`0x238`
TimeDateStamp	2005-Sep-28 03:04:04
Entropy	`3.21171`
MD5	`6e76d7d7229c3bde1731348f6c4a2ba2`
SHA1	`bdf11a0f62b02791537b4703867946cdebaeba85`
SHA256	`994ce42967901d57afea4dc37b506e12917a01a4cfa067951b6151ae2ca5dfcc`
SHA3	`45908699ef67dc6c54732991a165a15f89d21e77ab093072860df54ec9131939`

Version Info

Signature	`0xfeef04bd`
StructVersion	`0x10000`
FileVersion	1.0.0.4
ProductVersion	1.0.0.4
FileFlags	`(EMPTY)`
FileOs	`VOS_DOS_WINDOWS32` `VOS_NT_WINDOWS32` `VOS__WINDOWS32`
FileType	`VFT_APP`
Language	English - United States
Comments
CompanyName
ProductName	Brontok.A
FileVersion (#2)	1.00.0004
ProductVersion (#2)	1.00.0004
InternalName	Brontok.A
OriginalFilename	Brontok.A.HVM31

Resource LangID	English - United States

TLS Callbacks

Load Configuration

RICH Header

XOR Key	`0x886973f3`
Unmarked objects	`0`
13 (8169)	`1`

Errors

[*] Warning: Section .data has a size of 0!

Leave a comment

No comments yet.