Manalyze report for e6262629b23909797c8ffdeb158a827a98c58d825a799157b9ed3895706a158a

Summary

Architecture	`IMAGE_FILE_MACHINE_I386`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_CUI`
Compilation Date	2007-Dec-30 14:58:25

Plugin Output

Suspicious	PEiD Signature:	`UPX V2.00-V2.90 -> Markus Oberhumer & Laszlo Molnar & John Reiser` `UPX v2.0 -> Markus, Laszlo & Reiser (h)` `UPX 2.00-3.0X -> Markus Oberhumer & Laszlo Molnar & John Reiser` `UPX -> www.upx.sourceforge.net` `UPX V2.00-V2.90 -> Markus Oberhumer & Laszlo Molnar & John Reiser` `UPX 2.00-3.0X -> Markus Oberhumer & Laszlo Molnar & John Reiser`
Suspicious	The PE is packed with UPX	`Unusual section name found: UPX0` `Section UPX0 is both writable and executable.` `Unusual section name found: UPX1` `Section UPX1 is both writable and executable.` `Unusual section name found: UPX2` `The PE only has 7 import(s).`
Suspicious	The PE contains functions most legitimate programs don't use.	`[!] The program may be hiding some of its imports: LoadLibraryA GetProcAddress` `Functions which can be used for anti-debugging purposes: FindWindowA` `Memory manipulation functions often used by packers: VirtualProtect VirtualAlloc`
Malicious	VirusTotal score: 53/72 (Scanned on 2025-01-29 16:47:57)	`ALYac: Gen:Variant.Babar.405160` `AVG: Win32:Malware-gen` `Alibaba: Trojan:Win32/Injector.a5282ef2` `Antiy-AVL: Trojan[PSW]/Win32.LegendMir` `Arcabit: Trojan.Babar.D62EA8` `Avast: Win32:Malware-gen` `BitDefender: Gen:Variant.Babar.405160` `Bkav: W32.AIDetectMalware` `CAT-QuickHeal: Trojan.Ghanarava.173083690479dcfe` `CTX: exe.trojan.buzus` `ClamAV: Win.Trojan.Buzus-14636` `CrowdStrike: win/malicious_confidence_100% (W)` `Cylance: Unsafe` `DeepInstinct: MALICIOUS` `ESET-NOD32: Win32/Injector.ACA` `Elastic: malicious (moderate confidence)` `Emsisoft: Gen:Variant.Babar.405160 (B)` `FireEye: Gen:Variant.Babar.405160` `Fortinet: W32/Generic.AC.57ED!tr` `GData: Gen:Variant.Babar.405160` `Google: Detected` `Gridinsoft: Trojan.Win32.Downloader.oa!s2` `Ikarus: Trojan.Win32.Injector` `Jiangmin: Trojan/Buzus.aeba` `K7AntiVirus: Trojan ( 005240d51 )` `K7GW: Trojan ( 005240d51 )` `Kingsoft: win32.troj.undef.a` `Lionic: Trojan.Win32.Buzus.4!c` `Malwarebytes: Inject.Exploit.Shellcode.DDS` `MaxSecure: Trojan.Malware.2238625.susgen` `McAfee: Artemis!BE9155B3214D` `McAfeeD: ti!E6262629B239` `MicroWorld-eScan: Gen:Variant.Babar.405160` `Microsoft: Trojan:Win32/Phonzy.A!ml` `NANO-Antivirus: Trojan.Win32.Gendal.cvwvvu` `Paloalto: generic.ml` `Panda: Generic Malware` `Rising: Trojan.Win32.Nodef.xmo (CLOUD)` `Sangfor: Trojan.Win32.Injector.Vw08` `SentinelOne: Static AI - Suspicious PE` `Skyhigh: BehavesLike.Win32.Trojan.lc` `Sophos: Mal/Generic-S` `Symantec: ML.Attribute.HighConfidence` `Tencent: Malware.Win32.Gencirc.141fdf9c` `TrendMicro: TROJ_SPNR.38L213` `TrendMicro-HouseCall: TROJ_SPNR.38L213` `VIPRE: Gen:Variant.Babar.405160` `Varist: W32/Injector.A.gen!Eldorado` `ViRobot: Trojan.Win32.A.Buzus.13824.A[UPX]` `VirIT: Trojan.Win32.Small.BUB` `Yandex: Trojan.GenAsa!KG+k5f/Cuuc` `Zillya: Trojan.Buzus.Win32.38575` `alibabacloud: Trojan:Win/Babar`

Hashes

MD5	`be9155b3214d2bc477a1b741ca79dcfe`
SHA1	`43c0c5bb9e6fdf637b79d119696b541020fae416`
SHA256	`e6262629b23909797c8ffdeb158a827a98c58d825a799157b9ed3895706a158a`
SHA3	`d8598c18e71608535fc418cf205992e530f125fb297ea4f89206da40a74cc1fc`
SSDeep	`384:qdq+OuLwIu5ORnRcn8BjRgRovwmFkaiMf3:4OuLwIu+bBjRrw`
Imports Hash	`cd4e2c86b64970a01c9f97f05e043347`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0xe0`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_I386`
NumberofSections	`3`
TimeDateStamp	2007-Dec-30 14:58:25
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xe0`
Characteristics	`IMAGE_FILE_32BIT_MACHINE` `IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LINE_NUMS_STRIPPED` `IMAGE_FILE_LOCAL_SYMS_STRIPPED` `IMAGE_FILE_RELOCS_STRIPPED`

Image Optional Header

Magic	`PE32`
LinkerVersion	`7.0`
SizeOfCode	`0x3000`
SizeOfInitializedData	`0x1000`
SizeOfUninitializedData	`0x6000`
AddressOfEntryPoint	`0x00009CF0 (Section: UPX1)`
BaseOfCode	`0x7000`
BaseOfData	`0xa000`
ImageBase	`0x400000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`4.0`
ImageVersion	`0.0`
SubsystemVersion	`4.0`
Win32VersionValue	`0`
SizeOfImage	`0xb000`
SizeOfHeaders	`0x1000`
Checksum	`0`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_CUI`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

UPX0

MD5	`d41d8cd98f00b204e9800998ecf8427e`
SHA1	`da39a3ee5e6b4b0d3255bfef95601890afd80709`
SHA256	`e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`
SHA3	`a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a`
VirtualSize	`0x6000`
VirtualAddress	`0x1000`
SizeOfRawData	`0`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_UNINITIALIZED_DATA` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`

UPX1

MD5	`eb9fa7303a9a4859265181f644c6d397`
SHA1	`def3a5d44394a5a0363be435e46f3e2d17d5c04e`
SHA256	`a90fd07ba712c4d3f8a4ad936a29d76ddcb94c6b757acd8f7510307520ab2724`
SHA3	`7a36c8e8701101d9a79733afb59064d32dab2820964140492d23333b6859c0b5`
VirtualSize	`0x3000`
VirtualAddress	`0x7000`
SizeOfRawData	`0x3000`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`7.78233`

UPX2

MD5	`da0c13f808141c928dc5ff80795e753f`
SHA1	`646a73b4b35d4493adf66e3fe580b03f8efd2411`
SHA256	`914023f6d493d7fda6923c62e4adcaedad39ec5a9f49ddb51e65bbc67fa4245d`
SHA3	`86f6a28b5036466ad68a4a4a83854d7b001790a17cba07976d647cf5c4d58194`
VirtualSize	`0x1000`
VirtualAddress	`0xa000`
SizeOfRawData	`0x200`
PointerToRawData	`0x3400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`2.07258`

Imports

KERNEL32.DLL	`LoadLibraryA` `GetProcAddress` `VirtualProtect` `VirtualAlloc` `VirtualFree` `ExitProcess`
USER32.dll	`FindWindowA`

Delayed Imports

Version Info

TLS Callbacks

Load Configuration

Size	`0x48`
TimeDateStamp	`1970-Jan-01 00:00:00`
Version	`0.0`
GlobalFlagsClear	`(EMPTY)`
GlobalFlagsSet	`(EMPTY)`
CriticalSectionDefaultTimeout	`0`
DeCommitFreeBlockThreshold	`0`
DeCommitTotalFreeThreshold	`0`
LockPrefixTable	`0`
MaximumAllocationSize	`0`
VirtualMemoryThreshold	`0`
ProcessAffinityMask	`0`
ProcessHeapFlags	`(EMPTY)`
CSDVersion	`0`
Reserved1	`0`
EditList	`0`
SecurityCookie	`0x407170`
SEHandlerTable	`0x405dd0`
SEHandlerCount	`2`

RICH Header

XOR Key	`0xeb0fd07`
Unmarked objects	`0`
C objects (VS2003 (.NET) build 3077)	`36`
ASM objects (VS2003 (.NET) build 3077)	`11`
Imports (2067)	`2`
Imports (2179)	`3`
Total imports	`58`
C++ objects (VS2003 (.NET) build 3077)	`3`
Linker (VS2003 (.NET) build 3077)	`1`

Errors

[*] Warning: Section UPX0 has a size of 0!

Leave a comment

No comments yet.