File information

Malware score: 98% (20/344 heuristic rules)
Status: static.suspected.ml.gen

Suspect Score: 28
Legit Score: 0
Crypted Score: 11
Packed Score: 20

Static Analysis Indicators: static.suspected.ml.gen

PE Markers anomalies check

| Field | Value |
| Rich signature | found |
| Digital signature | not found |
| Overlay | not found |
| Subsystem | GUI |
| Compiler |  |
| Is .NET Image | Image is Native |

Important PE Header Values (suspect)

| Header | Hashes (MD5/SHA256/SSDEEP) | Size |
| IMAGE_DOS_HEADERS |  | 0x40 |
| IMAGE_NT_HEADER |  | 0x108 |
| IMAGE_OPTIONAL_HEADERS |  | 0xe0 |

| ImageFileHeader Field | Additional info | Value | Common |
| ImageFileHeader.Machine |  | 0x14c | True |
| ImageFileHeader.TimeDataStamp |  | 0x588cd2ca | True |
| ImageFileHeader.Characteristics |  | 0x102 | True |
| ImageFileHeader.SizeOfOptionalHeader |  | 0xe0 | True |

| ImageOptionalHeader Field | Additional info | Value | Common |
| ImageOptionalHeader.EntryPoint |  | 0x720c | False |
| ImageOptionalHeader.ImageBase |  | 0x400000 | True |
| ImageOptionalHeader.Checksum |  | 0x0 | False |
| ImageOptionalHeader.LinkerVersion |  | 10.0 | True |

Resources anomalies check (suspect)

| Risk | Structure |
| 0% | VersionInfo not found |
| 0% | Manifest not found |
| 0% | Message Table not found |
| 0% | Strings Table not found |
| 0% | RCDATA not found |
| 0% | Icon not found |
| 0% | Icon Group not found |
| 0% | Cursor not found |
| 0% | Accelerator not found |

Frequency anomalies check (suspect)

| Risk | Anomaly | Information |
| 0% | File Entropy | 7.1325981179895 |
| 0% | File Entropy (without zeros) | 7.1053185 |
| 0% | Zero Value Frequency | 0.052682636589404 |
| 0% | 0xFF Bytes Frequency | 4.7935638 |
| 0% | Chi-Square Distribution | 4316.2481632864 |
| 0% | Monte Carlo Pi Value | 3.1711292200233 |
| 0% | Monte Carlo Pi Error Rate | 0.94017810997041 |
| 0% | Packed percent | 0 |

Entropy status: Packed | Zero Value Frequency: Not Packed

PE Sections Info (valid)

| Name | VA | RVA | Characteristics | Virtual Size | Aligned Raw Size | Size Of Raw Data | Pointer To Raw Data |
| .text | 0x1000 | 0x401000 | 0x60000020 (Executable, Readable) | 0x639c | 0x6400 | 0x6400 | 0x400 |
| .rdata | 0x8000 | 0x408000 | 0x40000040 (Readable) | 0x90c | 0xa00 | 0xa00 | 0x6800 |
| .data | 0x9000 | 0x409000 | 0xc0000040 (Initialized Data, Readable, Writable) | 0xbd98 | 0xba00 | 0xba00 | 0x7200 |
| .reloc | 0x15000 | 0x415000 | 0x42000040 (Initialized Data, Readable) | 0x1de | 0x200 | 0x200 | 0x12c00 |

Total Number Of Sections (NumberOfSections): 4

PE Sections Statistics (valid)

| Name | Entropy | Zero freq | Ratio | Hashes |
| .text | 6.0097429151254 | 0.041992188 | 33.557046979866% |  |
| .rdata | 5.4650980369837 | 0.369921875 | 3.3557046979866% |  |
| .data | 7.2499974809217 | 0.020938340053763 | 62.41610738255% |  |
| .reloc | 3.6573519113917 | 0.5546875 | 0.67114093959732% |  |

Total Number Of Sections (NumberOfSections): 4

PE imported functions (suspect)

| Function name: GetCurrentProcess | RVA: 4228932 | HINT: 448 |
| Function name: GetProcAddress | RVA: 4228952 | HINT: 581 |
| Function name: GetModuleHandleW | RVA: 4228970 | HINT: 536 |
| Function name: LocalFree | RVA: 4228920 | HINT: 840 |
| Function name: CloseHandle | RVA: 4228906 | HINT: 82 |
| Function name: ExitThread | RVA: 4228892 | HINT: 282 |
| Function name: GetModuleHandleA | RVA: 4229350 | HINT: 533 |
| Function name: GetStartupInfoA | RVA: 4229370 | HINT: 610 |
| Function name: FreeSid | RVA: 4229004 | HINT: 288 |
| Function name: CoInitializeEx | RVA: 4229090 | HINT: 63 |
| Function name: CoCreateInstance | RVA: 4229028 | HINT: 16 |
| Function name: CoInitializeSecurity | RVA: 4229066 | HINT: 64 |
| Function name: CoUninitialize | RVA: 4229048 | HINT: 108 |
| Function name: #2 | RVA: --- | HINT: --- |
| Function name: _initterm | RVA: 4229220 | HINT: 271 |
| Function name: _controlfp | RVA: 4229336 | HINT: 183 |
| Function name: memset | RVA: 4229132 | HINT: 665 |
| Function name: printf | RVA: 4229142 | HINT: 670 |
| Function name: _except_handler3 | RVA: 4229316 | HINT: 202 |
| Function name: _XcptFilter | RVA: 4229172 | HINT: 72 |
| Function name: exit | RVA: 4229186 | HINT: 585 |
| Function name: _acmdln | RVA: 4229194 | HINT: 143 |
| Function name: __getmainargs | RVA: 4229204 | HINT: 88 |
| Function name: _exit | RVA: 4229164 | HINT: 211 |
| Function name: __setusermatherr | RVA: 4229232 | HINT: 131 |
| Function name: _adjust_fdiv | RVA: 4229252 | HINT: 157 |
| Function name: __p__commode | RVA: 4229268 | HINT: 106 |
| Function name: __p__fmode | RVA: 4229284 | HINT: 111 |
| Function name: __set_app_type | RVA: 4229298 | HINT: 129 |

Total Number of Imported Functions: 29 | Total Number of Libraries: 5 | Total Number of Blacklisted Functions: 6

PE Opcodes Frequency & Anomalies Analyzer (suspect)

| # | Opcode | Quantity of instruction | Frequency of instruction | Byte |
| 2 | AND | 8 | 1.5296367% | -) |
| 3 | ARPL | 4 | 0.76481837% | -) |
| 4 | BOUND | 1 | 0.19120459% | -) |
| 5 | CALL | 16 | 3.0592735% | -) |
| 6 | CLI | 1 | 0.19120459% | -) |
| 7 | CMP | 10 | 1.9120458% | -) |
| 8 | DAS | 1 | 0.19120459% | -) |
| 9 | DEC | 3 | 0.57361376% | -) |
| 10 | IMUL | 13 | 2.4856596% | -) |
| 11 | INC | 13 | 2.4856596% | -) |
| 12 | INS | 5 | 0.95602292% | -) |
| 13 | INT 3 | 4 | 0.76481837% | -) |
| 14 | JA | 3 | 0.57361376% | -) |
| 15 | JAE | 8 | 1.5296367% | -) |
| 16 | JB | 3 | 0.57361376% | -) |
| 17 | JBE | 2 | 0.38240919% | -) |
| 18 | JMP | 6 | 1.1472275% | -) |
| 19 | JNS | 2 | 0.38240919% | -) |
| 20 | JNZ | 4 | 0.76481837% | -) |
| 21 | JO | 4 | 0.76481837% | -) |
| 22 | JS | 3 | 0.57361376% | -) |
| 23 | JZ | 14 | 2.6768641% | -) |
| 24 | LEA | 5 | 0.95602292% | -) |
| 25 | LOOP | 1 | 0.19120459% | -) |
| 26 | MOV | 37 | 7.0745697% | -) |
| 27 | MOVSB | 2 | 0.38240919% | -) |
| 28 | MOVZX | 1 | 0.19120459% | -) |
| 29 | OR | 3 | 0.57361376% | -) |
| 30 | OUT | 1 | 0.19120459% | -) |
| 31 | OUTS | 21 | 4.0152965% | -) |
| 32 | POP | 19 | 3.6328871% | -) |
| 33 | POPA | 3 | 0.57361376% | -) |
| 34 | PUSH | 50 | 9.5602293% | -) |
| 35 | RET | 4 | 0.76481837% | -) |
| 36 | SBB | 1 | 0.19120459% | -) |
| 37 | SUB | 1 | 0.19120459% | -) |
| 38 | TEST | 2 | 0.38240919% | -) |
| 39 | XCHG | 3 | 0.57361376% | -) |
| 40 | XOR | 4 | 0.76481837% | -) |

Total Number Of Opcodes: 523

Opcodes Frequency Chart

PE Dumped Strings (suspect)

| # | String | Common |
| 3 | `.rdata local path or dir | No |
| 4 | @.data local path or dir | No |
| 5 | .reloc local path or dir | No |
| 10 | SVWh | Yes |
| 12 | YYSV | Yes |
| 13 | SVWh | Yes |
| 14 | YYSh | Yes |
| 15 | YYSSSj | Yes |
| 17 | YYSSSj | Yes |
| 18 | tUWV | Yes |
| 19 | YYSj | Yes |
| 23 | QQSVWhu | Yes |
| 24 | tJhD | Yes |
| 25 | YYVWW | Yes |
| 27 | SVWjPXjLf | Yes |
| 28 | XjEf | Yes |
| 29 | XjWf | Yes |
| 30 | XjTf | Yes |
| 31 | XjBf | Yes |
| 32 | XjQf | Yes |
| 33 | XjFf | Yes |
| 34 | Xj__jSf | Yes |
| 36 | Xjjf | Yes |
| 37 | YjfZjpf | Yes |
| 56 | jNXjbf | Yes |
| 58 | XjGf | Yes |
| 59 | Xjjf | Yes |
| 60 | Xjpf | Yes |
| 62 | Xjlf | Yes |
| 63 | Xjmf | Yes |
| 64 | Xjff | Yes |
| 66 | Xjwf | Yes |
| 67 | Xjjf | Yes |
| 68 | Xjlf | Yes |
| 69 | Xjmf | Yes |
| 70 | XjWf | Yes |
| 71 | Xjjf | Yes |
| 72 | Xjnf | Yes |
| 73 | Xjff | Yes |
| 74 | jNXjbf | Yes |
| 76 | XjJf | Yes |
| 77 | Xjgf | Yes |
| 78 | Xjof | Yes |
| 79 | Xjff | Yes |
| 80 | XjWf | Yes |
| 81 | Xjjf | Yes |
| 82 | Xjnf | Yes |
| 83 | Xjff | Yes |
| 85 | Xj9f | Yes |
| 86 | XjYf | Yes |

Total Number of Strings: 1255 | Common strings: 1221 | Danger strings: 34

Bytes Frequency Chart