Manalyze report for d021087ca2df63be27cc283385c8466926cef33b9fd7e1adadefad469619f665

Summary

Architecture	`IMAGE_FILE_MACHINE_I386`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_CUI`
Compilation Date	2017-Sep-15 22:49:09
Detected languages	English - United Kingdom English - United States
Debug artifacts	F:\work\build\win_32-linkMT-callFast-x86_32\cl_16.00.40219.01\rel\armcc\armcc.pdb
FileVersion	`5.06.0.151`
CompanyName	ARM Limited
LegalCopyright	Copyright (C) 2017
ProductName	5.06
ProductVersion	`5.06.0`
Copyright	Copyright (C) ARM Ltd 2017 . All Rights Reserved
FileDescription	The ARM C/C++ Compiler
InternalName	standard armcc for win_32-x86_32-rel ;(;valgrind=false;)
OriginalFilename	armcc

Plugin Output

Info	Matching compiler(s):	`Microsoft Visual C++ 6.0 - 8.0` `MASM/TASM - sig1(h)`
Suspicious	Strings found in the binary may indicate undesirable behavior:	`Tries to detect virtualized environments: HARDWARE\DESCRIPTION\System` `Looks for VMWare presence: VMWARE VMWare VMware` `Looks for Qemu presence: QEMU Qemu` `Accesses the WMI: ROOT\CIMV2 root\cimv2` `Miscellaneous malware strings: CMD.EXE cmd.exe` `Contains domain names: cnstab.ch ds.arm.com http://ds.arm.com http://ds.arm.com/support/%s http://ds.arm.com/support/licensing/ http://www.arm.com http://www.arm.com/support http://www.keil.com http://www.keil.com/support/man/docs/license/license_management.htm http://www.w3.org http://www.w3.org/2000/xmlns/ http://www.w3.org/XML/1998/namespace www.arm.com www.keil.com www.w3.org`
Info	Cryptographic algorithms detected in the binary:	`Uses constants related to CRC32` `Uses constants related to SHA1` `Uses constants related to Blowfish` `Microsoft's Cryptography API`
Suspicious	The PE is possibly packed.	`Unusual section name found: .textidx` `Unusual section name found: .fnp_dir` `Unusual section name found: .fnp_mar`
Malicious	The PE contains functions mostly used by malware.	`[!] The program may be hiding some of its imports: GetProcAddress LoadLibraryA LoadLibraryW` `Code injection capabilities: CreateRemoteThread OpenProcess VirtualAlloc` `Code injection capabilities (mapping injection): MapViewOfFileEx CreateFileMappingA MapViewOfFile CreateRemoteThread` `Can access the registry: RegQueryValueExA RegOpenKeyExA RegCloseKey RegSetValueExA RegCreateKeyA RegCreateKeyExA RegQueryInfoKeyA RegEnumKeyExA RegSetValueExW RegQueryValueExW RegEnumValueA RegDeleteValueA` `Possibly launches other programs: CreateProcessA` `Uses Microsoft's cryptographic API: CryptReleaseContext CryptDestroyKey CryptGenKey CryptGetUserKey CryptAcquireContextA CryptDestroyHash CryptEncrypt CryptDeriveKey CryptHashData CryptCreateHash CryptDecrypt` `Can create temporary files: CreateFileA GetTempPathA CreateFileW` `Memory manipulation functions often used by packers: VirtualAlloc VirtualProtect` `Leverages the raw socket API to access the Internet: WSACleanup htonl setsockopt ioctlsocket send recv closesocket WSAGetLastError socket connect select __WSAFDIsSet inet_addr getnameinfo getsockopt getaddrinfo freeaddrinfo gethostname gethostbyname inet_ntoa htons WSAStartup` `Interacts with services: OpenSCManagerA OpenServiceA QueryServiceStatus` `Enumerates local disk drives: GetVolumeInformationA GetDriveTypeA GetDriveTypeW` `Manipulates other processes: OpenProcess ReadProcessMemory`
Info	The PE is digitally signed.	`Signer: ARM Ltd` `Issuer: GlobalSign Extended Validation CodeSigning CA - SHA256 - G3`
Safe	VirusTotal score: 0/72 (Scanned on 2023-11-05 09:09:31)	`All the AVs think this file is safe.`

Hashes

MD5	`8dc40421b9badb591fa81187edf9285b`
SHA1	`b0dab0e83bc455f48fcf668b06642df1329e8ad1`
SHA256	`d021087ca2df63be27cc283385c8466926cef33b9fd7e1adadefad469619f665`
SHA3	`1338c29fc75382271a8b00133071324afa5dc83d5800eaec5a1d050bff0c4de2`
SSDeep	`196608:+Ash+iUY9CWMGMBigPQJDZGQyUniKtCqXKE0dkT6YfVMRY0MD:wAMrMIAUn2qXKE0dkT6YfVMRYn`
Imports Hash	`851c4d8accb6c11dffaf77cfd553a838`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0x118`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_I386`
NumberofSections	`7`
TimeDateStamp	2017-Sep-15 22:49:09
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xe0`
Characteristics	`IMAGE_FILE_32BIT_MACHINE` `IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_RELOCS_STRIPPED`

Image Optional Header

Magic	`PE32`
LinkerVersion	`10.0`
SizeOfCode	`0xaef800`
SizeOfInitializedData	`0x45a000`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x0099BC9B (Section: .text)`
BaseOfCode	`0x1000`
BaseOfData	`0xaf1000`
ImageBase	`0x400000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`5.1`
ImageVersion	`0.0`
SubsystemVersion	`5.1`
Win32VersionValue	`0`
SizeOfImage	`0x1872000`
SizeOfHeaders	`0x400`
Checksum	`0xf51a46`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_CUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_NX_COMPAT` `IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE`
SizeofStackReserve	`0x800000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`ca0651181fa9b4b655e45097b9295c51`
SHA1	`e3dc404d158ac0d7cbc4b9ddbe2e8483272f5f4b`
SHA256	`7f654d04dcfd56e15644a0c2b60c360992cd1e5b08d4465aeba9d3ac505fc3d7`
SHA3	`e03c23dc34d5f55617ca050543a96d9cd45ff91c0be3e65daac75f06ec4fd00c`
VirtualSize	`0xa15d2b`
VirtualAddress	`0x1000`
SizeOfRawData	`0xa15e00`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.7353`

.textidx

MD5	`d5547b345ba0d827163d24aadfacec87`
SHA1	`640880403bb52be5ff8779e1b30b5ac3dbd8973b`
SHA256	`af85bdb3bc5af0df323ba491d1be9972b92eaf702e6323e82337e84fd96c575d`
SHA3	`a313a45f9dee1c804c0f771d21005027c8f8b2dbf813ee7da476e37fd42a9916`
VirtualSize	`0xd9987`
VirtualAddress	`0xa17000`
SizeOfRawData	`0xd9a00`
PointerToRawData	`0xa16200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.08435`

.rdata

MD5	`088ae039d54347f39619eef886fbfbf4`
SHA1	`b011c6903d3859692374c2edd87c66adbab22654`
SHA256	`04c1afa72606b76c97a6151dbd7fe041adb24f009d4953569f9a833950fa3df5`
SHA3	`9ff8cb315e9f8d42427ffdf4d833090134137133e1cd248d91a123bc596daadb`
VirtualSize	`0x3d3b55`
VirtualAddress	`0xaf1000`
SizeOfRawData	`0x3d3c00`
PointerToRawData	`0xaefc00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`4.23119`

.data

MD5	`c13594e84ce89125b8f676376be98479`
SHA1	`17c803e7493edb3add6542b7d85751ea7e81dee3`
SHA256	`8b6a9781f47d213ae3024941c209d8c18e13cfdeb78a9d8be805b0a2055c01c1`
SHA3	`37c8d2f6474a51c7b7fc3b24dfbf3a1996d2b4ee57ff1bad340457206e238da7`
VirtualSize	`0x9a9704`
VirtualAddress	`0xec5000`
SizeOfRawData	`0x85a00`
PointerToRawData	`0xec3800`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`4.05035`

.fnp_dir

MD5	`bf619eac0cdf3f68d496ea9344137e8b`
SHA1	`5c3eb80066420002bc3dcc7ca4ab6efad7ed4ae5`
SHA256	`076a27c79e5ace2a3d47f9dd2e83e4ff6ea8872b3c2218f66c92b89b55f36560`
SHA3	`622de1e1568ddef36c4b89b706b05201c13481c3575d0fc804ff8224787fcb59`
VirtualSize	`0x64`
VirtualAddress	`0x186f000`
SizeOfRawData	`0x200`
PointerToRawData	`0xf49200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`0`

.fnp_mar

MD5	`9475a59226943a3ad422e18169989f66`
SHA1	`4174927c59854c80d33c69e7a43856b2b6c6af84`
SHA256	`d839a3521723b8a55d09d8eed9848940b284828e4d09218202c3ee11046bc16d`
SHA3	`6a93cc87909571d767d237e39dc48f437ee4242cf646fe335698b2b191003d4e`
VirtualSize	`0x1`
VirtualAddress	`0x1870000`
SizeOfRawData	`0x200`
PointerToRawData	`0xf49400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`0.0203931`

.rsrc

MD5	`e245ed5140055cb1a2d6540d321871a5`
SHA1	`cc38cd6addd3591e5769c589f47851e5ac13b0b6`
SHA256	`63fc3954f87e3e6a5190a47c4246192605c9fcd6beaa360c647e53e584c68e76`
SHA3	`9740def7214a9ca5da7af29b3f2878609e394e2c2d6e7d89ef0217c86599d4bd`
VirtualSize	`0x594`
VirtualAddress	`0x1871000`
SizeOfRawData	`0x600`
PointerToRawData	`0xf49600`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`4.42329`

Imports

ADVAPI32.dll	`RegQueryValueExA` `RegOpenKeyExA` `RegCloseKey` `GetUserNameA` `OpenSCManagerA` `CryptReleaseContext` `CryptDestroyKey` `CryptGenKey` `CryptGetUserKey` `CryptAcquireContextA` `CryptDestroyHash` `RegSetValueExA` `CryptEncrypt` `CryptDeriveKey` `CryptHashData` `CryptCreateHash` `RegCreateKeyA` `CryptDecrypt` `OpenServiceA` `QueryServiceStatus` `RegCreateKeyExA` `CloseServiceHandle` `RegQueryInfoKeyA` `RegEnumKeyExA` `GetUserNameW` `RegSetValueExW` `RegQueryValueExW` `RegEnumValueA` `RegDeleteValueA` `StartServiceA`
MPR.dll	`WNetGetUniversalNameA`
IPHLPAPI.DLL	`GetAdaptersInfo`
ole32.dll	`CoInitializeSecurity` `CoInitializeEx` `CoCreateGuid` `CoCreateInstance` `CoSetProxyBlanket` `CoUninitialize`
SHLWAPI.dll	`PathRemoveBackslashW` `PathRemoveFileSpecA` `PathFileExistsA` `PathCombineA`
COMCTL32.dll	`#17`
NETAPI32.dll	`Netbios`
WS2_32.dll	`WSACleanup` `htonl` `setsockopt` `ioctlsocket` `send` `recv` `closesocket` `WSAGetLastError` `socket` `connect` `select` `__WSAFDIsSet` `inet_addr` `getnameinfo` `getsockopt` `getaddrinfo` `freeaddrinfo` `gethostname` `gethostbyname` `inet_ntoa` `htons` `WSAStartup`
KERNEL32.dll	`GetCurrentDirectoryW` `PeekNamedPipe` `GetFileInformationByHandle` `FlushFileBuffers` `GetConsoleMode` `GetConsoleCP` `HeapDestroy` `HeapCreate` `IsProcessorFeaturePresent` `FatalAppExitA` `GetStartupInfoW` `SetHandleCount` `InitializeCriticalSectionAndSpinCount` `GetCurrentThread` `GetCurrentThreadId` `TlsFree` `TlsSetValue` `TlsGetValue` `TlsAlloc` `IsValidCodePage` `GetProcAddress` `LoadLibraryA` `GetCurrentProcessId` `CreateFileA` `SetFilePointer` `GetLocaleInfoA` `UnmapViewOfFile` `VirtualQuery` `MapViewOfFileEx` `FormatMessageA` `WriteFile` `GetLastError` `GetTempFileNameA` `CreateFileMappingA` `CloseHandle` `GetVersion` `GetTempPathA` `MapViewOfFile` `FreeLibrary` `GetCurrentProcess` `WaitForSingleObject` `CreateRemoteThread` `GetCommandLineA` `OpenProcess` `ReadProcessMemory` `GetExitCodeThread` `DuplicateHandle` `OpenFileMappingA` `ExpandEnvironmentStringsA` `GetExitCodeProcess` `CreateProcessA` `GetComputerNameA` `SystemTimeToFileTime` `QueryPerformanceCounter` `GetSystemTimeAsFileTime` `QueryPerformanceFrequency` `SetInformationJobObject` `GetFileAttributesExA` `AssignProcessToJobObject` `GetFileAttributesA` `TerminateProcess` `ReadFile` `CreateJobObjectA` `GetStdHandle` `FindFirstFileA` `FindFirstFileExA` `VirtualAlloc` `SetFileAttributesA` `CreatePipe` `SetCurrentDirectoryW` `VirtualProtect` `GetCurrentDirectoryA` `GetVersionExA` `DeleteFileA` `GetModuleFileNameA` `WideCharToMultiByte` `MultiByteToWideChar` `GetPrivateProfileIntA` `GetPrivateProfileStringA` `Sleep` `GetFullPathNameA` `GetSystemDirectoryA` `ReleaseMutex` `HeapSize` `MoveFileExA` `GetLocalTime` `GetVolumeInformationA` `GetSystemDefaultLangID` `GetUserDefaultLangID` `LocalFree` `DeviceIoControl` `GetTickCount` `FreeEnvironmentStringsA` `lstrlenA` `GetEnvironmentStrings` `GetWindowsDirectoryA` `SetErrorMode` `SetHandleInformation` `GetCommandLineW` `GetEnvironmentVariableA` `GetEnvironmentVariableW` `GetTimeZoneInformation` `GetProcessTimes` `FindFirstFileW` `FindNextFileW` `FindNextFileA` `FindClose` `ResetEvent` `CreateEventA` `SetEvent` `GetDriveTypeA` `VirtualFree` `SetLastError` `LeaveCriticalSection` `EnterCriticalSection` `InitializeCriticalSection` `DeleteCriticalSection` `SetNamedPipeHandleState` `WaitNamedPipeA` `SleepEx` `GetOEMCP` `GetACP` `GetLocaleInfoW` `GetModuleFileNameW` `IsDebuggerPresent` `SetUnhandledExceptionFilter` `UnhandledExceptionFilter` `LCMapStringW` `LoadLibraryW` `CreateThread` `ResumeThread` `ExitThread` `DeleteFileW` `GetFileAttributesW` `MoveFileW` `MoveFileA` `CreateFileW` `GetFileType` `RaiseException` `SetCurrentDirectoryA` `SetEnvironmentVariableA` `CreateDirectoryA` `GetDateFormatA` `GetTimeFormatA` `HeapReAlloc` `GetCPInfo` `FindFirstFileExW` `GetDriveTypeW` `HeapSetInformation` `RtlUnwind` `SetConsoleCtrlHandler` `ExitProcess` `GetModuleHandleW` `FileTimeToLocalFileTime` `FileTimeToSystemTime` `HeapAlloc` `HeapFree` `DecodePointer` `EncodePointer` `InterlockedExchange` `SetStdHandle` `FreeEnvironmentStringsW` `GetUserDefaultLCID` `EnumSystemLocalesA` `IsValidLocale` `GetStringTypeW` `GetFullPathNameW` `SetEnvironmentVariableW` `GetEnvironmentStringsW` `SetEndOfFile` `GetProcessHeap` `CreateMutexA` `WriteConsoleW` `GetModuleHandleA` `InterlockedCompareExchange` `InterlockedDecrement` `InterlockedIncrement` `CompareStringW`
USER32.dll	`wsprintfA` `GetClientRect` `ScreenToClient` `CreateDialogIndirectParamA` `ShowWindow` `DialogBoxIndirectParamA` `SetFocus` `GetFocus` `EndDialog` `GetDlgItemTextA` `GetDlgItemTextW` `SetDlgItemTextA` `MessageBeep` `GetWindowLongA` `SendMessageA` `GetDlgItem` `GetWindowRect` `EnableWindow` `GetSystemMetrics` `GetActiveWindow` `MessageBoxA` `CharUpperW` `GetParent` `SetWindowTextA` `MoveWindow`
SHELL32.dll	`#680`
OLEAUT32.dll	`VariantInit` `VariantClear` `SysAllocString` `SysFreeString` `SysStringLen` `SysAllocStringLen`
COMDLG32.dll	`GetOpenFileNameA`
dhcpcsvc.DLL	`DhcpRequestParams`

Delayed Imports

DoBackendCallbackCommand

Ordinal	`1`
Address	`0x94bd20`

1

Type	`RT_VERSION`
Language	English - United Kingdom
Codepage	Latin 1 / Western European
Size	`0x398`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.52423`
MD5	`c3bf69c8a7a7738f9f38eddc9d4097bc`
SHA1	`f731dc4fd9e704a13f0c29b16262616704c4fa6e`
SHA256	`9c8db524e05ba7405f216bd1e34edfcf0f586fa0dfa0a842e09a5d3c710d283c`
SHA3	`c9813e6ae2b15b15ce16e4e086234ae563982f64d4462f217756bbd3c1c51df6`

1 (#2)

Type	`RT_MANIFEST`
Language	English - United States
Codepage	Latin 1 / Western European
Size	`0x15a`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`4.79597`
MD5	`24d3b502e1846356b0263f945ddd5529`
SHA1	`bac45b86a9c48fc3756a46809c101570d349737d`
SHA256	`49a60be4b95b6d30da355a0c124af82b35000bce8f24f957d1c09ead47544a1e`
SHA3	`1244ed60820da52dc4b53880ec48e3b587dbdbd9545f01fa2b1c0fcfea1d5e9e`

Version Info

Signature	`0xfeef04bd`
StructVersion	`0x10000`
FileVersion	5.6.0.151
ProductVersion	5.6.0.0
FileFlags	`(EMPTY)`
FileOs	`VOS_DOS_WINDOWS32` `VOS_NT_WINDOWS32` `VOS__WINDOWS32`
FileType	`VFT_APP`
Language	English - United States
FileVersion (#2)	5.06.0.151
CompanyName	ARM Limited
LegalCopyright	Copyright (C) 2017
ProductName	5.06
ProductVersion (#2)	5.06.0
Copyright	Copyright (C) ARM Ltd 2017 . All Rights Reserved
FileDescription	The ARM C/C++ Compiler
InternalName	standard armcc for win_32-x86_32-rel ;(;valgrind=false;)
OriginalFilename	armcc

Resource LangID	English - United Kingdom

IMAGE_DEBUG_TYPE_CODEVIEW

Characteristics	`0`
TimeDateStamp	2017-Sep-15 22:49:09
Version	`0.0`
SizeofData	`106`
AddressOfRawData	`0xe94680`
PointerToRawData	`0xe93280`
Referenced File	F:\work\build\win_32-linkMT-callFast-x86_32\cl_16.00.40219.01\rel\armcc\armcc.pdb

TLS Callbacks

Load Configuration

RICH Header

XOR Key	`0x380d14ef`
Unmarked objects	`0`
152 (20115)	`13`
ASM objects (VS2010 SP1 build 40219)	`48`
C objects (VS2008 SP1 build 30729)	`2`
C objects (VS2012 build 50727 / VS2005 build 50727)	`138`
Total imports	`278`
Imports (VS2008 SP1 build 30729)	`29`
Unmarked objects (#2)	`1`
C++ objects (VS2010 SP1 build 40219)	`99`
175 (VS2010 SP1 build 40219)	`603`
C objects (VS2010 SP1 build 40219)	`495`
Exports (VS2010 SP1 build 40219)	`1`
Resource objects (VS2010 SP1 build 40219)	`1`
Linker (VS2010 SP1 build 40219)	`1`

Errors

Leave a comment

No comments yet.