Manalyze report for f807f3a307a8ec230d5feb8e921ec82a

Summary

Architecture	`IMAGE_FILE_MACHINE_I386`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	2023-Jul-02 02:09:43
Detected languages	English - United States

Plugin Output

Info	Interesting strings found in the binary:	`Contains domain names: http://nsis.sf.net http://nsis.sf.net/NSIS_Error nsis.sf.net`
Suspicious	The PE is an NSIS installer	`Unusual section name found: .ndata`
Malicious	The PE contains functions mostly used by malware.	`[!] The program may be hiding some of its imports: LoadLibraryExW GetProcAddress` `Can access the registry: RegEnumValueW RegEnumKeyW RegQueryValueExW RegSetValueExW RegCloseKey RegDeleteValueW RegDeleteKeyW RegOpenKeyExW RegCreateKeyExW` `Possibly launches other programs: CreateProcessW` `Can create temporary files: GetTempPathW CreateFileW` `Functions related to the privilege level: AdjustTokenPrivileges OpenProcessToken` `Can shut the system down or lock the screen: ExitWindowsEx`
Suspicious	The file contains overlay data.	`809137 bytes of data starting at offset 0xe800.` `The overlay data has an entropy of 7.99977 and is possibly compressed or encrypted.` `Overlay data amounts for 93.1618% of the executable.`
Malicious	VirusTotal score: 20/71 (Scanned on 2026-02-13 00:28:05)	`APEX: Malicious` `Bkav: W32.AIDetectMalware` `CrowdStrike: win/malicious_confidence_90% (W)` `Cylance: Unsafe` `DeepInstinct: MALICIOUS` `Elastic: malicious (high confidence)` `Kaspersky: HEUR:Trojan.Win32.Agent.gen` `Kingsoft: Win32.Troj.Agent.cks` `McAfeeD: ti!8789354D5401` `Microsoft: Trojan:Win32/Wacatac.B!ml` `Paloalto: generic.ml` `Rising: Downloader.Agent!8.B23 (LESS:bWQ1Op6gm+785O+1)` `Skyhigh: BehavesLike.Win32.Dropper.cc` `Sophos: Generic ML PUA (PUA)` `Symantec: ML.Attribute.HighConfidence` `Trapmine: malicious.moderate.ml.score` `TrellixENS: Artemis!F807F3A307A8` `VBA32: Trojan.Win32.SCTemp.Heur` `Varist: W32/Trojan.KRJE-9145` `huorong: TrojanDownloader/Agent.blx`

Hashes

MD5	`f807f3a307a8ec230d5feb8e921ec82a`
SHA1	`da92757de6b800b1e35873c9f8f1b18d51998381`
SHA256	`8789354d5401908e1a9bf2bb84a3ebb26ce20463ff6015ce3a32f47f7743d46a`
SHA3	`f8e8c8a7a6bc3ca29bae5214037a34fc783ba3362ecd948692f3b23c27ffb323`
SSDeep	`24576:UPdrSFWCnVPGMp3Gg56HLc881ulciali3AH:csWIVPfog56rznUiG`
Imports Hash	`9dda1a1d1f8a1d13ae0297b47046b26e`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0xd8`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_I386`
NumberofSections	`5`
TimeDateStamp	2023-Jul-02 02:09:43
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xe0`
Characteristics	`IMAGE_FILE_32BIT_MACHINE` `IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LINE_NUMS_STRIPPED` `IMAGE_FILE_LOCAL_SYMS_STRIPPED` `IMAGE_FILE_RELOCS_STRIPPED`

Image Optional Header

Magic	`PE32`
LinkerVersion	`6.0`
SizeOfCode	`0x6800`
SizeOfInitializedData	`0x22200`
SizeOfUninitializedData	`0x800`
AddressOfEntryPoint	`0x00003645 (Section: .text)`
BaseOfCode	`0x1000`
BaseOfData	`0x8000`
ImageBase	`0x400000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`4.0`
ImageVersion	`6.0`
SubsystemVersion	`4.0`
Win32VersionValue	`0`
SizeOfImage	`0x41000`
SizeOfHeaders	`0x400`
Checksum	`0`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` `IMAGE_DLLCHARACTERISTICS_NO_SEH` `IMAGE_DLLCHARACTERISTICS_NX_COMPAT` `IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`e65344ac983813901119e185754ec24e`
SHA1	`2e2d9a83daa729308b7cd185e22bcb46479a56bd`
SHA256	`5f999f1ac9618f2f597e44c35dc1fa622f24345640b4b9562b34dd34e76e1d92`
SHA3	`008386b2d98786950b15956c1a6f61ba1543b6a673022b82f1c7c150f7bc1c6e`
VirtualSize	`0x66b7`
VirtualAddress	`0x1000`
SizeOfRawData	`0x6800`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.43787`

.rdata

MD5	`bd82d08a08da8783923a22b467699302`
SHA1	`8677bad7d268e6798da158299b8cde5996219d6a`
SHA256	`3feef820a9f96f0298da3113f8636dfeceef551c295fe0170dd77befe32d3b2e`
SHA3	`5e3cb63428d5f7f464b1f262839aaff7e576fca433f99011e311469f7bcbbf55`
VirtualSize	`0x1358`
VirtualAddress	`0x8000`
SizeOfRawData	`0x1400`
PointerToRawData	`0x6c00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`5.10336`

.data

MD5	`caa377d001cfc3215a3edff6d7702132`
SHA1	`12e015a7fa2a29356d00dee7e685246788254fef`
SHA256	`f382d804344ebc29cbc21b83080c050a81379e8a478ce109aac23cf53a2dc137`
SHA3	`9f2e198dbb796b48025124534f717a0ecd4cebf3bdb758a99dab79c8a0bd9bed`
VirtualSize	`0x1fb78`
VirtualAddress	`0xa000`
SizeOfRawData	`0x600`
PointerToRawData	`0x8000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`4.12621`

.ndata

MD5	`d41d8cd98f00b204e9800998ecf8427e`
SHA1	`da39a3ee5e6b4b0d3255bfef95601890afd80709`
SHA256	`e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`
SHA3	`a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a`
VirtualSize	`0x10000`
VirtualAddress	`0x2a000`
SizeOfRawData	`0`
PointerToRawData	`0`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_UNINITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`

.rsrc

MD5	`6a084b0a456f3cca8f4eb884a51879af`
SHA1	`a10b0224a33f449d8e3efa4a9315c9bd0bba8c78`
SHA256	`4a702431c10a31272a8d33530a0da846166e09dade5e31645aa1400de8719402`
SHA3	`bdc828822590b9a4d433cbda150b64810b304c0fe4133c3beff467ff6df9d1de`
VirtualSize	`0x60b0`
VirtualAddress	`0x3a000`
SizeOfRawData	`0x6200`
PointerToRawData	`0x8600`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`7.80086`

Imports

ADVAPI32.dll	`RegEnumValueW` `RegEnumKeyW` `RegQueryValueExW` `RegSetValueExW` `RegCloseKey` `RegDeleteValueW` `RegDeleteKeyW` `AdjustTokenPrivileges` `LookupPrivilegeValueW` `OpenProcessToken` `RegOpenKeyExW` `RegCreateKeyExW`
SHELL32.dll	`SHGetPathFromIDListW` `SHBrowseForFolderW` `SHGetFileInfoW` `SHFileOperationW` `ShellExecuteExW`
ole32.dll	`CoCreateInstance` `OleUninitialize` `OleInitialize` `IIDFromString` `CoTaskMemFree`
COMCTL32.dll	`ImageList_Destroy` `#17` `ImageList_AddMasked` `ImageList_Create`
USER32.dll	`MessageBoxIndirectW` `GetDlgItemTextW` `SetDlgItemTextW` `CreatePopupMenu` `AppendMenuW` `TrackPopupMenu` `OpenClipboard` `EmptyClipboard` `SetClipboardData` `CloseClipboard` `IsWindowVisible` `CallWindowProcW` `GetMessagePos` `CheckDlgButton` `LoadCursorW` `SetCursor` `GetSysColor` `SetWindowPos` `GetWindowLongW` `IsWindowEnabled` `SetClassLongW` `GetSystemMenu` `EnableMenuItem` `GetWindowRect` `ScreenToClient` `EndDialog` `RegisterClassW` `SystemParametersInfoW` `CharPrevW` `GetClassInfoW` `DialogBoxParamW` `CharNextW` `ExitWindowsEx` `DestroyWindow` `CreateDialogParamW` `SetTimer` `SetWindowTextW` `PostQuitMessage` `SetForegroundWindow` `ShowWindow` `wsprintfW` `SendMessageTimeoutW` `FindWindowExW` `IsWindow` `GetDlgItem` `SetWindowLongW` `LoadImageW` `GetDC` `ReleaseDC` `EnableWindow` `InvalidateRect` `SendMessageW` `DefWindowProcW` `BeginPaint` `GetClientRect` `FillRect` `DrawTextW` `EndPaint` `CharNextA` `wsprintfA` `DispatchMessageW` `CreateWindowExW` `PeekMessageW` `GetSystemMetrics`
GDI32.dll	`GetDeviceCaps` `SetBkColor` `SelectObject` `DeleteObject` `CreateBrushIndirect` `CreateFontIndirectW` `SetBkMode` `SetTextColor`
KERNEL32.dll	`RemoveDirectoryW` `lstrcmpiA` `GetTempFileNameW` `CreateProcessW` `CreateDirectoryW` `GetLastError` `CreateThread` `GlobalLock` `GlobalUnlock` `GetDiskFreeSpaceW` `WideCharToMultiByte` `lstrcpynW` `lstrlenW` `SetErrorMode` `GetVersionExW` `GetCommandLineW` `GetTempPathW` `GetWindowsDirectoryW` `SetEnvironmentVariableW` `WriteFile` `ExitProcess` `GetCurrentProcess` `GetModuleFileNameW` `GetFileSize` `CreateFileW` `GetTickCount` `Sleep` `SetFileAttributesW` `GetFileAttributesW` `SetCurrentDirectoryW` `MoveFileW` `GetFullPathNameW` `GetShortPathNameW` `SearchPathW` `CompareFileTime` `SetFileTime` `CloseHandle` `lstrcmpiW` `lstrcmpW` `ExpandEnvironmentStringsW` `GlobalFree` `GlobalAlloc` `GetModuleHandleW` `LoadLibraryExW` `FreeLibrary` `WritePrivateProfileStringW` `GetPrivateProfileStringW` `lstrlenA` `MultiByteToWideChar` `ReadFile` `SetFilePointer` `FindClose` `FindNextFileW` `FindFirstFileW` `DeleteFileW` `MulDiv` `lstrcpyA` `MoveFileExW` `lstrcatW` `GetSystemDirectoryW` `GetProcAddress` `GetModuleHandleA` `GetExitCodeProcess` `WaitForSingleObject` `CopyFileW`

Delayed Imports

1

Type	`RT_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x2655`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`7.95489`
Detected Filetype	PNG graphic file
MD5	`f314d4d0204f6f368e28e7c22d0beb5d`
SHA1	`a09b0519feb8487bae549e5ce644a6a2d0852831`
SHA256	`26bec440fe395b1a85893d91e6aab10f30076286a95f2b956d18b1fd6fe83ccd`
SHA3	`e40d1d0f0402859c93e0b17662d871d37a40fea628f3f178664c4faf32e5687a`

2

Type	`RT_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x1376`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`7.94073`
Detected Filetype	PNG graphic file
MD5	`7de47e60f19e05605d1d8514bfb8a683`
SHA1	`8d82816f3a2f7db0408576c00c8ba8c5a4d386de`
SHA256	`c0fbf17828901796277ecc1e8c5c0e98716072f02af7a1cae7401f5553991edc`
SHA3	`bf4982260f275c06466eab21905569f578906f900b14ec388cb0891b64ae41f6`

3

Type	`RT_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0xdbc`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`7.91295`
Detected Filetype	PNG graphic file
MD5	`98503d6286eab24c897cd40fdc403fc1`
SHA1	`595d664977ff02993bda435dd854d27fb372e8ec`
SHA256	`50de510aec4e5f89ba762c79fad6747f2a63d4af1036ff24bbbf785cfaf2c4d8`
SHA3	`b12b1896924f3cb0b6b908dd42e0d2cdacbdc4be2e140d508f3e1b54ff09fb10`

4

Type	`RT_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x807`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`7.85812`
Detected Filetype	PNG graphic file
MD5	`710f086efaeab18e3b5f41a4e4ab3036`
SHA1	`f66b7125fb22905f9006a2743bde52eadf64228d`
SHA256	`9f30f5fa9b430e97d317ab8aca0ce116236adf5cf2622c355c1a4fedbb54ce04`
SHA3	`80a5ed370f86dcfd88b9cc71e4654e6d583b3fb8ee9d83a43d8c8ba5c65c973b`

5

Type	`RT_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x576`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`7.80245`
Detected Filetype	PNG graphic file
MD5	`8f51a745f20122b9c21a94a594741b93`
SHA1	`810f46a7abc8b985d4ca165d0095b785da609794`
SHA256	`4d1d45c175ab9c01e463832d8633f229752aad6faa089b1bdd53a9728b239fb7`
SHA3	`bc1a6a6beb0e6ba1456789063245d01556e6f5d928956de3c08c00fc3dc1c4b0`

6

Type	`RT_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x2ff`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`7.67439`
Detected Filetype	PNG graphic file
MD5	`02cba33f07a00c0f677a6d278d1806dd`
SHA1	`3af68f69686831fbe4e572df5ebf0c8e41548fa9`
SHA256	`adae53c4006990950833a7db264891df0354f7301120ad3e14ce3620c3939950`
SHA3	`162f41d154a2db606b4d0c746fe78b2234c26783e57479e69053064959d4c9a1`

105

Type	`RT_DIALOG`
Language	English - United States
Codepage	UNKNOWN
Size	`0x100`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.66174`
MD5	`3409f314895161597f3c395cc5f65525`
SHA1	`1a99d016d65e567f24449d9362afb6ac44006d0b`
SHA256	`fecdb955f8d7f1c219ff8167f90b64f3cb52e53337494577ff73c0ac1dafcd96`
SHA3	`b3b19241cc6454389e45833e50b742ae1927a5f161017350a99f2cbc66914f26`

106

Type	`RT_DIALOG`
Language	English - United States
Codepage	UNKNOWN
Size	`0x11c`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.88094`
MD5	`2d12c45dc2c029044aaff357141cb900`
SHA1	`083db861ab3c7db23c6257878296e73a89a74b8b`
SHA256	`69897c784f1491eb3024b0d52c2897196a2e245974497fda1915db5fefcf8729`
SHA3	`349b5d605c9c3efe5e0c4e2faa12dd21022fc5f9b053f2cbf4e2a6b8bc656442`

111

Type	`RT_DIALOG`
Language	English - United States
Codepage	UNKNOWN
Size	`0x60`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.48825`
MD5	`6be4e1387d369cf86e68eacbdd0e81dd`
SHA1	`351970fe2681b9b35b5d59ad052011ed96a96e17`
SHA256	`85025c8556952f6a651c2468c8a0d58853b0ba482be9ad5cd3060f216540dfc0`
SHA3	`45e552e173141e06d113209b6cc915042ad0b4d5531464b8dbe5637029f489cb`

103

Type	`RT_GROUP_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x5a`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.70938`
Detected Filetype	Icon file
MD5	`f57770d134a5a47fb46b74d72689dfda`
SHA1	`ffc8c748c30c2c9a184671438ed76f85f2701c58`
SHA256	`2c09e850c9a0345626c7ab8d43d41a52d49d8f1556fd53bb6498ecfac3a9c277`
SHA3	`ab18985d47b38d999592f6c5814d7633c468e5c6e109002f1c5eb66a1ddca78d`

1 (#2)

Type	`RT_MANIFEST`
Language	English - United States
Codepage	UNKNOWN
Size	`0x33e`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.2995`
MD5	`9882a66ab3928ea297d42bdc1e67aaa0`
SHA1	`8cb33de773bec66890b6fb0fe99ea70e470f1581`
SHA256	`ff85bd01632f06610f55502f59d24b671d8c608c4dd5f3567faa771a0e348f50`
SHA3	`467a95a9bebc6b79955b335c8adf3af1a7aba5faa35031333a4ea4ece89f7bfb`

Version Info

TLS Callbacks

Load Configuration

RICH Header

XOR Key	`0xd24e50e9`
Unmarked objects	`0`
C objects (VS2003 (.NET) build 4035)	`2`
Total imports	`163`
Imports (VS2003 (.NET) build 4035)	`15`
48 (9044)	`10`
Resource objects (VS98 SP6 cvtres build 1736)	`1`

Errors

[*] Warning: Section .ndata has a size of 0!