Malware score: 98% (28/344 heuristic rules triggered)

Status: static.suspected.ml.gen

Suspect Score: 39.3 | Legit Score: 0 | Crypted Score: 24 | Packed Score: 22

Static Analysis Indicators: static.suspected.ml.gen

PE Markers anomalies check

Field | Value
Rich signature | found
Digital signature | not found
Overlay | found
Subsystem | GUI
Compiler | (not reported)
Is .NET Image | Image is Native

Two of these markers carry most of the weight in what follows: the file is unsigned, and it has an overlay (data appended after the last section). For an installer the overlay is where the compressed payload lives, and that is what drives the file-level entropy figures below; the per-section statistics show no section that is itself packed.

Important PE Header Values: suspect

Header | Size (the report's hash column was not captured)
IMAGE_DOS_HEADER | 0x40
IMAGE_NT_HEADERS | 0x108
IMAGE_OPTIONAL_HEADER | 0xe0

ImageFileHeader field | Value | Common
ImageFileHeader.Machine | 0x14c (IMAGE_FILE_MACHINE_I386) | True
ImageFileHeader.TimeDateStamp | 0x5da1b5ed (2019-10-12 11:15:57 UTC) | True
ImageFileHeader.Characteristics | 0x818f (RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI) | True
ImageFileHeader.SizeOfOptionalHeader | 0xe0 | True

ImageOptionalHeader field | Value | Common
ImageOptionalHeader.EntryPoint | 0xa7ed0 | False
ImageOptionalHeader.ImageBase | 0x400000 | True
ImageOptionalHeader.Checksum | 0x0 | False
ImageOptionalHeader.LinkerVersion | 2.25 | True

"Common" is the tool's own frequency flag, not a verdict. Both "False" rows are benign here: the entry point 0xa7ed0 lies inside .itext (0xa7000 to 0xa8668 in the section table below), which is where the Delphi/Embarcadero linker puts the program entry for the binaries it produces (linker version 2.25, the .itext/.didata sections and the dbk exports all point to that toolchain), and a zero CheckSum is normal for a user-mode executable because the loader does not verify it for ordinary processes.

Resources anomalies check: valid

Risk | Structure
0% | VersionInfo found
0% | Manifest found
0% | Message Table not found
0% | Strings Table found
0% | RCDATA found
0% | Icon found
0% | Icon Group not found
0% | Cursor not found
0% | Accelerator not found

The "Icon Group not found" row disagrees with the resource listing further down, which contains an RT_GROUP_ICON entry (the MAINICON group named in the icon block); treat it as a tool artefact.

Frequency anomalies check: suspect

Risk | Anomaly | Value
0% | File Entropy | 7.9027488422599
0% | File Entropy (without zeros) | 7.7679577
0% | Zero Value Frequency | 0.036766372333249
0% | 0xFF Bytes Frequency | 0.9768644
0% | Chi-Square Distribution | 71028.992793641
0% | Monte Carlo Pi Value | 3.1922532461841
0% | Monte Carlo Pi Error Rate | 1.6125767462705
0% | Packed percent | 0

Entropy status: Packed | Zero Value Frequency: Not Packed

Reading these figures: they are computed over the whole file, overlay included. The section statistics further down put .text at 6.37 bits/byte and .data at 5.04, ordinary values for compiled code, while the PE image (headers plus sections) ends at file offset 0xb3200 and the .text ratio of 14.97% for a 0xa5200-byte section implies a file of roughly 4.5 MB, so about 84% of the file is overlay. The 7.90 bits/byte is the compressed installer payload in that overlay, not packed code, which is how "Entropy status: Packed" and "Packed percent: 0" can stand side by side. The Monte Carlo error rate is a percentage: |3.19225 - pi| / pi = 1.61%, as listed. A chi-square of 71029 over 256 bins (roughly 255 is expected for uniformly random bytes) shows that the file as a whole is far from uniform, which is what a mix of code, resources and compressed data looks like.
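The metrics in this table, re-implemented on constructed data to show why a whole-file figure is the wrong unit for an installer. This is an added example, not the report's tooling: the definitions follow the conventions of the ent utility (Shannon entropy in bits per byte, chi-square against a flat 256-bin histogram, Monte Carlo pi from 6-byte samples with the error in percent), and since the report does not say which implementation produced its numbers, treat that as an assumption. The "code" buffer (a repeating 16-byte prologue-like pattern) and the "payload" buffer (a seeded PRNG stream standing in for a compressed overlay) are constructed, as is the file built from them.

```python
"""Frequency metrics from the 'Frequency anomalies check', computed per
region instead of over the whole file. Added example; all input is constructed."""
import math
import random

MONTE_BYTES = 6
# ent's circle: (x, y) are 24-bit coordinates, so the radius is 256**3 - 1.
INCIRC = float((256 ** 3 - 1) ** 2)

# Constructed stand-in for compiled code: a prologue-like 16-byte pattern with
# four zero bytes, repeated. Its entropy is exactly 3.25 bits per byte.
CODE_PATTERN = bytes.fromhex("55 8b ec 83 ec 10 53 56 57 8b 7d 08 00 00 00 00")
CODE = CODE_PATTERN * 6250                      # 100,000 bytes

# Constructed stand-in for a compressed overlay: a seeded PRNG stream, which is
# as close to 8 bits/byte as real compressed data gets.
_rng = random.Random(7)
PAYLOAD = bytes(_rng.getrandbits(8) for _ in range(400_000))

# Constructed "file": PE image first, payload appended as the overlay.
SAMPLE_FILE = CODE + PAYLOAD
OVERLAY_OFFSET = len(CODE)


def byte_counts(data):
    return [data.count(v) for v in range(256)]


def entropy(data, skip_zero=False):
    """Shannon entropy in bits per byte; 8.0 means every value is equally likely."""
    counts = byte_counts(data)
    if skip_zero:
        counts[0] = 0                            # the report's "without zeros" variant
    total = sum(counts)
    if total == 0:
        return 0.0
    return -sum(c / total * math.log2(c / total) for c in counts if c)


def zero_frequency(data):
    return data.count(0) / len(data) if data else 0.0


def chi_square(data):
    """Chi-square of the byte histogram against a flat one (about 255 for random data)."""
    expected = len(data) / 256
    return sum((c - expected) ** 2 / expected for c in byte_counts(data))


def monte_carlo_pi(data):
    """Each 6-byte group is a 24-bit (x, y) point; the share inside the quarter
    circle estimates pi/4. Returns (estimate, error in percent)."""
    inside = total = 0
    for i in range(0, len(data) - MONTE_BYTES + 1, MONTE_BYTES):
        x = int.from_bytes(data[i:i + 3], "big")
        y = int.from_bytes(data[i + 3:i + 6], "big")
        total += 1
        if x * x + y * y <= INCIRC:
            inside += 1
    if total == 0:
        return 0.0, 100.0
    estimate = 4.0 * inside / total
    return estimate, abs(estimate - math.pi) / math.pi * 100.0


def metrics(data):
    pi_value, pi_error = monte_carlo_pi(data)
    return {
        "entropy": entropy(data),
        "entropy_without_zeros": entropy(data, skip_zero=True),
        "zero_frequency": zero_frequency(data),
        "chi_square": chi_square(data),
        "monte_carlo_pi": pi_value,
        "monte_carlo_pi_error_pct": pi_error,
    }


def profile(file_bytes, overlay_offset):
    """Whole-file metrics next to the PE image and the overlay measured separately."""
    return {
        "whole_file": metrics(file_bytes),
        "pe_image": metrics(file_bytes[:overlay_offset]),
        "overlay": metrics(file_bytes[overlay_offset:]),
    }


if __name__ == "__main__":
    for region, m in profile(SAMPLE_FILE, OVERLAY_OFFSET).items():
        print(f"{region:10s} entropy={m['entropy']:.3f} chi2={m['chi_square']:.0f} "
              f"pi={m['monte_carlo_pi']:.4f} ({m['monte_carlo_pi_error_pct']:.2f}% off)")
```

On the constructed file the whole-file entropy lands between the two regions (above 7.3 bits/byte), the PE-image region stays at 3.25 and the overlay at about 8.0; the single number would read as "packed" while the code is untouched. For a real sample, take the overlay offset from the section table (the end of the last section's raw data) and run the same split.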

PE Version Info anomalies check: valid

Field | Value
Original Filename | (empty)
Company name | (empty)
Product name | FireStorm
File description | FireStorm Setup
Internal name | (empty)
Legal copyrights | 3.0.0.011
Language | English (United States), codepage: 0
SSDEEP | 12:2Oi3n8qXWYA/EEQ/NQYyWH+fm0+aUGiqQiN54sM7YnqKUW3JavPN5gzAHb:2bs+7bdyWH++2/N9l3EPNIk
MD5 | 12A74B3180DC059404E088B63A81B7F9
SHA256 | B146A445EE09AE19949AB4B640A9DE2F7DE7873924078902C8FA3203B828B42A

Debug build: False | File version: 3.0.0.011 | Product version: (empty) | Raw size: 1412 bytes

The SSDEEP/MD5/SHA256 in this block are of the extracted version resource (1412 bytes = 0x584, the size of the RT_VERSION entry in the resource list), not of the file; the same holds for the manifest and icon blocks that follow. The report gives no whole-file hash, so none of these values can be used to pivot on the sample.

Manifest check: valid

Field | Value
SSDEEP | 24:2dt4m0mIgAKNCEFN4k+b0PgA3H3z0MPQi8WFMa4+A72LcT3rZ:cSdmIgnr4k+bkguj0KFj7c9
MD5 | F78A870573F5BF2F15570E286257FAE7
SHA256 | 356CA8ABF11D97BF9DCBFF47C04BF1DDCB8685EF84D38E6850EC6C28A37655B9

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
<assemblyIdentity
    name="JR.Inno.Setup"
    processorArchitecture="x86"
    version="1.0.0.0"
    type="win32"/>
<description>Inno Setup</description>
<dependency>
    <dependentAssembly>
        <assemblyIdentity
            type="win32"
            name="Microsoft.Windows.Common-Controls"
            version="6.0.0.0"
            processorArchitecture="x86"
            publicKeyToken="6595b64144ccf1df"
            language="*"
        />
    </dependentAssembly>
</dependency>
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
        <requestedPrivileges>
            <requestedExecutionLevel level="asInvoker" uiAccess="false"/>
        </requestedPrivileges>
    </security>
</trustInfo>
<application xmlns="urn:schemas-microsoft-com:asm.v3">
    <windowsSettings>
        <dpiAware xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings">true</dpiAware>
    </windowsSettings>
</application>
<compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1">
    <application>
        <supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/>
        <supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>
        <supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/>
        <supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/>
        <supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"/>
    </application>
</compatibility>
</assembly>

Raw size: 1580 bytes (0x62c, matching the RT_MANIFEST entry in the resource list)

The assembly name JR.Inno.Setup with the description "Inno Setup" is the manifest the Inno Setup loader ships with, so it names the installer framework outright. asInvoker with uiAccess="false" means Windows shows no elevation prompt when the file is launched; whatever the installer needs beyond the user's token it has to request itself later. The supportedOS GUIDs declare Windows Vista, 7, 8, 8.1 and 10, and the Common-Controls 6.0.0.0 dependency is the usual visual-styles request.

PE Main Icon check: valid

Field | Value
SSDEEP | 48:zjJADrYrMKkO6BSJVLKdsQpBte0p7htcTO/ouv1t0e+zh:zjJzWkXWsCTewDcawuP0e+N
MD5 | D2107BC2BE856251ABE835BCF775D52B
SHA256 | 901433DC8B3EB1E94A8D665B00C44EDE4424897A260F7073EEBCDACEC2ED0685
Icon ID | 0
Icon name | MAINICON
Language | Not recognized (sublanguage: Not recognized), codepage: Not recognized

Raw size: 16958 bytes | Total icons: 0

The 16958 bytes are the RT_ICON image (0x4228 = 16936 bytes in the resource list) plus the 22-byte .ico file header the tool prepends on extraction, so the hashes above are of that extracted .ico and will not match the resource bytes inside the file. "Total icons: 0" is the tool's own output and contradicts its listing of one RT_ICON and one RT_GROUP_ICON entry.

PE Sections Info: valid

Name | RVA | VA | Characteristics | Virtual Size | Aligned Raw Size | Size Of Raw Data | Pointer To Raw Data
.text | 0x1000 | 0x401000 | 0x60000020 (Executable, Readable) | 0xa50e8 | 0xa5200 | 0xa5200 | 0x400
.itext | 0xa7000 | 0x4a7000 | 0x60000020 (Executable, Readable) | 0x1668 | 0x1800 | 0x1800 | 0xa5600
.data | 0xa9000 | 0x4a9000 | 0xc0000040 (Initialized Data, Readable, Writable) | 0x37a4 | 0x3800 | 0x3800 | 0xa6e00
.bss | 0xad000 | 0x4ad000 | 0xc0000000 (Readable, Writable) | 0x6778 | 0x0 | 0x0 | 0x0
.idata | 0xb4000 | 0x4b4000 | 0xc0000040 (Initialized Data, Readable, Writable) | 0xf1c | 0x1000 | 0x1000 | 0xaa600
.didata | 0xb5000 | 0x4b5000 | 0xc0000040 (Initialized Data, Readable, Writable) | 0x1a4 | 0x200 | 0x200 | 0xab600
.edata | 0xb6000 | 0x4b6000 | 0x40000040 (Readable) | 0x9a | 0x200 | 0x200 | 0xab800
.tls | 0xb7000 | 0x4b7000 | 0xc0000000 (Readable, Writable) | 0x18 | 0x0 | 0x0 | 0x0
.rdata | 0xb8000 | 0x4b8000 | 0x40000040 (Readable) | 0x5d | 0x200 | 0x200 | 0xaba00
.rsrc | 0xb9000 | 0x4b9000 | 0x40000040 (Readable) | 0x748c | 0x7600 | 0x7600 | 0xabc00

Total Number Of Sections (NumberOfSections): 10

The report's header listed VA before RVA, but the values are the RVA (0x1000) followed by the VA (image base 0x400000 plus the RVA); the header above is corrected. The raw data is laid out contiguously from 0x400, and the last section ends at 0xabc00 + 0x7600 = 0xb3200 (733,696 bytes), which is where the overlay begins. No section is both writable and executable, .bss and .tls carry no raw data as expected for uninitialised and TLS data, and the entry point 0xa7ed0 sits in .itext, the second code section the Delphi linker emits. The layout itself is unremarkable for a Delphi-built executable; the only thing that sets this file apart is the roughly 3.8 MB that follows the section data.
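The header values and section table above, decoded the way a triage script would check them, to show how the "False" entry-point flag and the overlay offset fall out of the numbers. This is an added example, not the report's tooling or output: the constants are transcribed from the report's tables, the flag names are from winnt.h, and PACKED_EXAMPLE is a constructed, hypothetical UPX-style section table used only so the same checks can be seen firing on a layout that does deserve attention. Nothing is read from disk.

```python
"""Decode IMAGE_FILE_HEADER, IMAGE_OPTIONAL_HEADER and section-table values
from the report. Added example; constants transcribed from the report."""
from datetime import datetime, timezone

IMAGE_BASE = 0x400000
ENTRY_POINT_RVA = 0xA7ED0
TIME_DATE_STAMP = 0x5DA1B5ED
FILE_CHARACTERISTICS = 0x818F

# IMAGE_FILE_HEADER.Characteristics bits (winnt.h)
FILE_FLAGS = {
    0x0001: "RELOCS_STRIPPED", 0x0002: "EXECUTABLE_IMAGE",
    0x0004: "LINE_NUMS_STRIPPED", 0x0008: "LOCAL_SYMS_STRIPPED",
    0x0020: "LARGE_ADDRESS_AWARE", 0x0080: "BYTES_REVERSED_LO",
    0x0100: "32BIT_MACHINE", 0x0200: "DEBUG_STRIPPED",
    0x2000: "DLL", 0x8000: "BYTES_REVERSED_HI",
}
# IMAGE_SECTION_HEADER.Characteristics bits (winnt.h)
IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE = 0x20000000, 0x80000000
SECTION_FLAGS = {
    0x00000020: "CNT_CODE", 0x00000040: "CNT_INITIALIZED_DATA",
    0x00000080: "CNT_UNINITIALIZED_DATA", IMAGE_SCN_MEM_EXECUTE: "MEM_EXECUTE",
    0x40000000: "MEM_READ", IMAGE_SCN_MEM_WRITE: "MEM_WRITE",
}

# Section table from the report:
# (name, RVA, Characteristics, VirtualSize, SizeOfRawData, PointerToRawData)
SECTIONS = [
    (".text",   0x01000, 0x60000020, 0xA50E8, 0xA5200, 0x00400),
    (".itext",  0xA7000, 0x60000020, 0x01668, 0x01800, 0xA5600),
    (".data",   0xA9000, 0xC0000040, 0x037A4, 0x03800, 0xA6E00),
    (".bss",    0xAD000, 0xC0000000, 0x06778, 0x00000, 0x00000),
    (".idata",  0xB4000, 0xC0000040, 0x00F1C, 0x01000, 0xAA600),
    (".didata", 0xB5000, 0xC0000040, 0x001A4, 0x00200, 0xAB600),
    (".edata",  0xB6000, 0x40000040, 0x0009A, 0x00200, 0xAB800),
    (".tls",    0xB7000, 0xC0000000, 0x00018, 0x00000, 0x00000),
    (".rdata",  0xB8000, 0x40000040, 0x0005D, 0x00200, 0xABA00),
    (".rsrc",   0xB9000, 0x40000040, 0x0748C, 0x07600, 0xABC00),
]

# Constructed, hypothetical packed layout: an empty section filled at run time
# plus a writable+executable stub that holds the entry point.
PACKED_EXAMPLE = [
    ("UPX0", 0x01000, 0xE0000080, 0x20000, 0x00000, 0x00000),
    ("UPX1", 0x21000, 0xE0000040, 0x05000, 0x04800, 0x00400),
]
PACKED_ENTRY_POINT = 0x25F00


def decode_flags(value, table):
    """Names of the set bits that 'table' knows, lowest bit first."""
    return [name for bit, name in sorted(table.items()) if value & bit]


def timestamp_utc(stamp):
    """TimeDateStamp is seconds since the Unix epoch, written by the linker."""
    return datetime.fromtimestamp(stamp, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def section_for_rva(rva, sections=SECTIONS):
    """Name of the section whose virtual range contains 'rva', or None."""
    for name, sec_rva, _flags, vsize, _raw, _ptr in sections:
        if sec_rva <= rva < sec_rva + vsize:
            return name
    return None


def overlay_start(sections=SECTIONS):
    """File offset where the overlay begins: the end of the last raw section."""
    return max(ptr + raw for _n, _r, _f, _v, raw, ptr in sections)


def find_anomalies(sections=SECTIONS, ep_rva=ENTRY_POINT_RVA):
    """Section-table checks a triage analyst runs before anything dynamic."""
    findings, flags_by_name = [], {}
    for name, _rva, flags, vsize, raw, _ptr in sections:
        flags_by_name[name] = flags
        if flags & IMAGE_SCN_MEM_EXECUTE and flags & IMAGE_SCN_MEM_WRITE:
            findings.append(f"{name}: writable and executable")
        if flags & IMAGE_SCN_MEM_EXECUTE and raw == 0 and vsize:
            findings.append(f"{name}: executable but has no bytes in the file")
    ep_section = section_for_rva(ep_rva, sections)
    if ep_section is None:
        findings.append("entry point lies outside every section")
    elif not flags_by_name[ep_section] & IMAGE_SCN_MEM_EXECUTE:
        findings.append(f"entry point in non-executable section {ep_section}")
    return findings


if __name__ == "__main__":
    print("file characteristics:", decode_flags(FILE_CHARACTERISTICS, FILE_FLAGS))
    print("link time:", timestamp_utc(TIME_DATE_STAMP))
    print("entry point section:", section_for_rva(ENTRY_POINT_RVA))
    print("overlay starts at file offset:", hex(overlay_start()))
    print("anomalies (report sample):", find_anomalies())
    print("anomalies (constructed packed layout):", find_anomalies(PACKED_EXAMPLE, PACKED_ENTRY_POINT))
```

For the report's table the anomaly list comes back empty and the overlay offset is 0xb3200; the constructed packed layout trips the writable-and-executable and empty-code-section checks, which is the difference between an installer with a payload appended and a packed executable.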

PE Sections Statistics: valid

Name | Entropy | Zero freq | Ratio of file
.text | 6.3692847537951 | 0.18598599545799 | 14.972788501216%
.itext | 5.9518106435376 | 0.23730469 | 0.1360132187847%
.data | 5.0351685390112 | 0.37276785714286 | 0.3173641771643%
.bss | 0 | 0 | 0%
.idata | 4.7916109158606 | 0.28173828 | 0.0906754791898%
.didata | 2.7458225536679 | 0.65234375 | 0.011334434898725%
.edata | 1.8810692045044 | 0.77734375 | 0.011334434898725%
.tls | 0 | 0 | 0%
.rdata | 1.3799881252218 | 0.84570313 | 0.011334434898725%
.rsrc | 3.3144307116962 | 0.48672537076271 | 0.66873165902478%

Total Number Of Sections (NumberOfSections): 10

The highest section entropy is 6.37 bits/byte (.text), so no section is packed or encrypted. The ratios add up to about 16.2% of the file; the remaining 84% is the overlay, which is not a section and is therefore absent from this table.

PE imported functions: suspect

The address column is the virtual address of each import's hint/name entry, printed in decimal (4932910 = 0x4b452e, inside .idata at VA 0x4b4000); the report labels it "RVA". The report does not name the libraries; the DLL labels below are inferred from the import order and the gaps in the addresses where each DLL's name string sits.

kernel32.dll
| Function name: GetACP | RVA: 4932910 | HINT: 0 |
| Function name: GetExitCodeProcess | RVA: 4932920 | HINT: 0 |
| Function name: LocalFree | RVA: 4932942 | HINT: 0 |
| Function name: CloseHandle | RVA: 4932954 | HINT: 0 |
| Function name: SizeofResource | RVA: 4932968 | HINT: 0 |
| Function name: VirtualProtect | RVA: 4932986 | HINT: 0 |
| Function name: VirtualFree | RVA: 4933004 | HINT: 0 |
| Function name: GetFullPathNameW | RVA: 4933018 | HINT: 0 |
| Function name: ExitProcess | RVA: 4933038 | HINT: 0 |
| Function name: HeapAlloc | RVA: 4933052 | HINT: 0 |
| Function name: GetCPInfoExW | RVA: 4933064 | HINT: 0 |
| Function name: RtlUnwind | RVA: 4933080 | HINT: 0 |
| Function name: GetCPInfo | RVA: 4933092 | HINT: 0 |
| Function name: GetStdHandle | RVA: 4933104 | HINT: 0 |
| Function name: GetModuleHandleW | RVA: 4933120 | HINT: 0 |
| Function name: FreeLibrary | RVA: 4933140 | HINT: 0 |
| Function name: HeapDestroy | RVA: 4933154 | HINT: 0 |
| Function name: ReadFile | RVA: 4933168 | HINT: 0 |
| Function name: CreateProcessW | RVA: 4933180 | HINT: 0 |
| Function name: GetLastError | RVA: 4933198 | HINT: 0 |
| Function name: GetModuleFileNameW | RVA: 4933214 | HINT: 0 |
| Function name: SetLastError | RVA: 4933236 | HINT: 0 |
| Function name: FindResourceW | RVA: 4933252 | HINT: 0 |
| Function name: CreateThread | RVA: 4933268 | HINT: 0 |
| Function name: CompareStringW | RVA: 4933284 | HINT: 0 |
| Function name: LoadLibraryA | RVA: 4933302 | HINT: 0 |
| Function name: ResetEvent | RVA: 4933318 | HINT: 0 |
| Function name: GetVersion | RVA: 4933332 | HINT: 0 |
| Function name: RaiseException | RVA: 4933346 | HINT: 0 |
| Function name: FormatMessageW | RVA: 4933364 | HINT: 0 |
| Function name: SwitchToThread | RVA: 4933382 | HINT: 0 |
| Function name: GetExitCodeThread | RVA: 4933400 | HINT: 0 |
| Function name: GetCurrentThread | RVA: 4933420 | HINT: 0 |
| Function name: LoadLibraryExW | RVA: 4933440 | HINT: 0 |
| Function name: LockResource | RVA: 4933458 | HINT: 0 |
| Function name: GetCurrentThreadId | RVA: 4933474 | HINT: 0 |
| Function name: UnhandledExceptionFilter | RVA: 4933496 | HINT: 0 |
| Function name: VirtualQuery | RVA: 4933524 | HINT: 0 |
| Function name: VirtualQueryEx | RVA: 4933540 | HINT: 0 |
| Function name: Sleep | RVA: 4933558 | HINT: 0 |
| Function name: EnterCriticalSection | RVA: 4933566 | HINT: 0 |
| Function name: SetFilePointer | RVA: 4933590 | HINT: 0 |
| Function name: LoadResource | RVA: 4933608 | HINT: 0 |
| Function name: SuspendThread | RVA: 4933624 | HINT: 0 |
| Function name: GetTickCount | RVA: 4933640 | HINT: 0 |
| Function name: GetFileSize | RVA: 4933656 | HINT: 0 |
| Function name: GetStartupInfoW | RVA: 4933670 | HINT: 0 |
| Function name: GetFileAttributesW | RVA: 4933688 | HINT: 0 |
| Function name: InitializeCriticalSection | RVA: 4933710 | HINT: 0 |
| Function name: GetThreadPriority | RVA: 4933738 | HINT: 0 |
| Function name: SetThreadPriority | RVA: 4933758 | HINT: 0 |
| Function name: GetCurrentProcess | RVA: 4933778 | HINT: 0 |
| Function name: VirtualAlloc | RVA: 4933798 | HINT: 0 |
| Function name: GetSystemInfo | RVA: 4933814 | HINT: 0 |
| Function name: GetCommandLineW | RVA: 4933830 | HINT: 0 |
| Function name: LeaveCriticalSection | RVA: 4933848 | HINT: 0 |
| Function name: GetProcAddress | RVA: 4933872 | HINT: 0 |
| Function name: ResumeThread | RVA: 4933890 | HINT: 0 |
| Function name: GetVersionExW | RVA: 4933906 | HINT: 0 |
| Function name: VerifyVersionInfoW | RVA: 4933922 | HINT: 0 |
| Function name: HeapCreate | RVA: 4933944 | HINT: 0 |
| Function name: GetWindowsDirectoryW | RVA: 4933958 | HINT: 0 |
| Function name: VerSetConditionMask | RVA: 4933982 | HINT: 0 |
| Function name: GetDiskFreeSpaceW | RVA: 4934004 | HINT: 0 |
| Function name: FindFirstFileW | RVA: 4934024 | HINT: 0 |
| Function name: GetUserDefaultUILanguage | RVA: 4934042 | HINT: 0 |
| Function name: lstrlenW | RVA: 4934070 | HINT: 0 |
| Function name: QueryPerformanceCounter | RVA: 4934082 | HINT: 0 |
| Function name: SetEndOfFile | RVA: 4934108 | HINT: 0 |
| Function name: HeapFree | RVA: 4934124 | HINT: 0 |
| Function name: WideCharToMultiByte | RVA: 4934136 | HINT: 0 |
| Function name: FindClose | RVA: 4934158 | HINT: 0 |
| Function name: MultiByteToWideChar | RVA: 4934170 | HINT: 0 |
| Function name: LoadLibraryW | RVA: 4934192 | HINT: 0 |
| Function name: SetEvent | RVA: 4934208 | HINT: 0 |
| Function name: CreateFileW | RVA: 4934220 | HINT: 0 |
| Function name: GetLocaleInfoW | RVA: 4934234 | HINT: 0 |
| Function name: GetSystemDirectoryW | RVA: 4934252 | HINT: 0 |
| Function name: DeleteFileW | RVA: 4934274 | HINT: 0 |
| Function name: GetLocalTime | RVA: 4934288 | HINT: 0 |
| Function name: GetEnvironmentVariableW | RVA: 4934304 | HINT: 0 |
| Function name: WaitForSingleObject | RVA: 4934330 | HINT: 0 |
| Function name: WriteFile | RVA: 4934352 | HINT: 0 |
| Function name: ExitThread | RVA: 4934364 | HINT: 0 |
| Function name: DeleteCriticalSection | RVA: 4934378 | HINT: 0 |
| Function name: TlsGetValue | RVA: 4934402 | HINT: 0 |
| Function name: GetDateFormatW | RVA: 4934416 | HINT: 0 |
| Function name: SetErrorMode | RVA: 4934434 | HINT: 0 |
| Function name: IsValidLocale | RVA: 4934450 | HINT: 0 |
| Function name: TlsSetValue | RVA: 4934466 | HINT: 0 |
| Function name: CreateDirectoryW | RVA: 4934480 | HINT: 0 |
| Function name: GetSystemDefaultUILanguage | RVA: 4934500 | HINT: 0 |
| Function name: EnumCalendarInfoW | RVA: 4934530 | HINT: 0 |
| Function name: LocalAlloc | RVA: 4934550 | HINT: 0 |
| Function name: GetUserDefaultLangID | RVA: 4934564 | HINT: 0 |
| Function name: RemoveDirectoryW | RVA: 4934588 | HINT: 0 |
| Function name: CreateEventW | RVA: 4934608 | HINT: 0 |
| Function name: SetThreadLocale | RVA: 4934624 | HINT: 0 |
| Function name: GetThreadLocale | RVA: 4934642 | HINT: 0 |

comctl32.dll
| Function name: InitCommonControls | RVA: 4934674 | HINT: 0 |

version.dll
| Function name: GetFileVersionInfoSizeW | RVA: 4934708 | HINT: 0 |
| Function name: VerQueryValueW | RVA: 4934734 | HINT: 0 |
| Function name: GetFileVersionInfoW | RVA: 4934752 | HINT: 0 |

user32.dll
| Function name: CreateWindowExW | RVA: 4934786 | HINT: 0 |
| Function name: TranslateMessage | RVA: 4934804 | HINT: 0 |
| Function name: CharLowerBuffW | RVA: 4934824 | HINT: 0 |
| Function name: CallWindowProcW | RVA: 4934842 | HINT: 0 |
| Function name: CharUpperW | RVA: 4934860 | HINT: 0 |
| Function name: PeekMessageW | RVA: 4934874 | HINT: 0 |
| Function name: GetSystemMetrics | RVA: 4934890 | HINT: 0 |
| Function name: SetWindowLongW | RVA: 4934910 | HINT: 0 |
| Function name: MessageBoxW | RVA: 4934928 | HINT: 0 |
| Function name: DestroyWindow | RVA: 4934942 | HINT: 0 |
| Function name: CharNextW | RVA: 4934958 | HINT: 0 |
| Function name: MsgWaitForMultipleObjects | RVA: 4934970 | HINT: 0 |
| Function name: LoadStringW | RVA: 4934998 | HINT: 0 |
| Function name: ExitWindowsEx | RVA: 4935012 | HINT: 0 |
| Function name: DispatchMessageW | RVA: 4935028 | HINT: 0 |

oleaut32.dll
| Function name: SysAllocStringLen | RVA: 4935062 | HINT: 0 |
| Function name: SafeArrayPtrOfIndex | RVA: 4935082 | HINT: 0 |
| Function name: VariantCopy | RVA: 4935104 | HINT: 0 |
| Function name: SafeArrayGetLBound | RVA: 4935118 | HINT: 0 |
| Function name: SafeArrayGetUBound | RVA: 4935140 | HINT: 0 |
| Function name: VariantInit | RVA: 4935162 | HINT: 0 |
| Function name: VariantClear | RVA: 4935176 | HINT: 0 |
| Function name: SysFreeString | RVA: 4935192 | HINT: 0 |
| Function name: SysReAllocStringLen | RVA: 4935208 | HINT: 0 |
| Function name: VariantChangeType | RVA: 4935230 | HINT: 0 |
| Function name: SafeArrayCreate | RVA: 4935250 | HINT: 0 |

netapi32.dll
| Function name: NetWkstaGetInfo | RVA: 4935282 | HINT: 0 |
| Function name: NetApiBufferFree | RVA: 4935300 | HINT: 0 |

advapi32.dll
| Function name: RegQueryValueExW | RVA: 4935334 | HINT: 0 |
| Function name: AdjustTokenPrivileges | RVA: 4935354 | HINT: 0 |
| Function name: LookupPrivilegeValueW | RVA: 4935378 | HINT: 0 |
| Function name: RegCloseKey | RVA: 4935402 | HINT: 0 |
| Function name: OpenProcessToken | RVA: 4935416 | HINT: 0 |
| Function name: RegOpenKeyExW | RVA: 4935436 | HINT: 0 |

Total Number of Imported Functions: 137 | Total Number of Libraries: 7 | Total Number of Blacklisted Functions: 37

The 37 "blacklisted" imports are the ones an installer loader needs: CreateProcessW to launch the extracted setup program, OpenProcessToken/LookupPrivilegeValueW/AdjustTokenPrivileges paired with ExitWindowsEx (the standard way to acquire SE_SHUTDOWN_NAME and restart after an install), VirtualAlloc/VirtualProtect and LoadLibrary*/GetProcAddress from the Delphi runtime and its delay-load table (the .didata section), and the registry, file-version and file APIs for the install itself. The oleaut32 Variant and SafeArray calls are Delphi's own runtime support. Taken as a whole the table is consistent with a Delphi-built installer loader and gives no reason on its own to escalate; the verdict on this file will have to come from the payload in the overlay, not from the imports.

PE Exported functions: valid

# | Function | RVA | VA
1 | dbkFCallWrapperAddr | 0xb063c | 0x4b063c
2 | __dbk_fcall_wrapper | 0xd3dc | 0x40d3dc
3 | TMethodImplementationIntercept | 0x53ac0 | 0x453ac0

Total Number of Exported Functions: 3 | Total Number of Blacklisted Exported Functions: 0

The report's header called the last column "Offset"; it is the RVA plus the image base (0x400000), a virtual address. All three exports come from the Delphi runtime (the debugger-kernel hooks and the RTTI method interceptor) and appear in ordinary Delphi-built executables. dbkFCallWrapperAddr is a data export, which is why its RVA falls in .bss rather than in a code section.

PE Resources: valid

ID | Type | Language | Size \ File offset | Entropy
1 | RT_ICON | 1033 (1252) | 0x4228 \ 0xac038 | 4.5165133451721
4086 | RT_STRING | (1252) | 0x360 \ 0xb0260 | 2.4272866840487
4087 | RT_STRING | (1252) | 0x260 \ 0xb05c0 | 3.7909546034635
4088 | RT_STRING | (1252) | 0x45c \ 0xb0820 | 3.3265796748268
4089 | RT_STRING | (1252) | 0x40c \ 0xb0c7c | 3.396519291101
4090 | RT_STRING | (1252) | 0x2d4 \ 0xb1088 | 4.1469327254865
4091 | RT_STRING | (1252) | 0xb8 \ 0xb135c | 2.9557586649654
4092 | RT_STRING | (1252) | 0x9c \ 0xb1414 | 3.4738506929641
4093 | RT_STRING | (1252) | 0x374 \ 0xb14b0 | 4.0771763210967
4094 | RT_STRING | (1252) | 0x398 \ 0xb1824 | 4.1699221164342
4095 | RT_STR
ING | (1252) | 0x368 \ 0xb1bbc | 2.9515626886614
4096 | RT_STRING | (1252) | 0x2a4 \ 0xb1f24 | 4.1392478870953
2147484672 | RT_RCDATA | (1252) | 0x10 \ 0xb21c8 | 2.5
2147484686 | RT_RCDATA | (1252) | 0x2c4 \ 0xb21d8 | 4.0402352968385
11111 | RT_RCDATA | (1252) | 0x2c \ 0xb249c | 3.0024430820459
2147484710 | RT_GROUP_ICON | 1033 (1252) | 0x14 \ 0xb24c8 | 2.1709505944547
1 | RT_VERSION | 1033 (1252) | 0x584 \ 0xb24dc | 4.1106620375946
1 | RT_MANIFEST | 1033 (1252) | 0x62c \ 0xb2a60 | 4.0294062380593

Total Number of Resources: 18 | Total Size of Rsrc Section: 30208 bytes (0x7600) | Entropy of Rsrc Section: 3.3144307116962 | Rsrc Section share of file: 0.0066858 (the report printed this fraction with a % sign; as a percentage it is 0.67%, matching the section statistics)

The offsets are file offsets within .rsrc, which starts at 0xabc00; the report's hash column was not captured. IDs of 2147483648 (0x80000000) and above are raw directory entries of named resources (high bit set, low bits the offset of the name string), which the tool printed instead of resolving the name; the RT_GROUP_ICON at 2147484710 is the MAINICON group named in the icon block. The RT_RCDATA resource with ID 11111 and a size of 0x2c (44) bytes matches, in both resource ID and size, the Inno Setup loader's offset table (a 12-byte ID followed by eight 32-bit fields: version, sizes, offsets into the overlay and CRCs), the structure that tells the loader where the compressed setup data begins. Together with the JR.Inno.Setup manifest this identifies the file as an Inno Setup installer, and it is the overlay that an analyst should extract and examine next.

PE Opcodes Frequency & Anomalies Analyzer: suspect

# | Opcode | Count | Frequency
2 | CALL | 20 | 12.42236%
3 | CMP | 4 | 2.484472%
4 | DEC | 2 | 1.242236%
5 | IMUL | 2 | 1.242236%
6 | INC | 3 | 1.8633541%
7 | JAE | 1 | 0.621118%
8 | JL | 1 | 0.621118%
9 | JMP | 4 | 2.484472%
10 | JNZ | 4 | 2.484472%
11 | JZ | 1 | 0.621118%
12 | LEA | 3 | 1.8633541%
13 | MOV | 61 | 37.8882%
14 | OR | 1 | 0.621118%
15 | POP | 7 | 4.347826%
16 | PUSH | 28 | 17.391304%
17 | RET | 1 | 0.621118%
18 | SAR | 1 | 0.621118%
19 | TEST | 1 | 0.621118%
20 | XCHG | 1 | 0.621118%
21 | XOR | 10 | 6.21118%

Total Number Of Opcodes: 161

Row 1 of the table and the "Byte" column were not captured; the rows above account for 156 of the 161 instructions. A sample of 161 instructions from a 0xa5200-byte .text section says little about the code as a whole, and a MOV/PUSH/CALL-heavy mix is what ordinary compiled code looks like, so the "suspect" label on this block should carry no weight.

Opcodes Frequency Chart (not captured)

PE Dumped Strings: suspect

#    Common  Tag                 String
5    Yes                         K-mX2O
8    Yes                         YS5TH
25   No      local path or dir   .)~!
28   No      local path or dir   .~B+
42   Yes                         xFHS
43   Yes                         Ivm2t
50   Yes                         evDT
54   Yes                         kWF3
63   Yes                         xWru
74   Yes                         XxUCK
75   No      local path or dir   EL.\
84   Yes                         vv7J
86   Yes                         vJbVg
88   Yes                         m2VX
101  Yes                         R.B,
110  Yes                         tQ9I
117  No      local path or dir   #.Qk
119  Yes                         wB2u
130  Yes                         rgs5
131  Yes                         VjOF
132  Yes                         I5Id
138  No      local path or dir   .|:{
139  Yes                         vKX
140  No      local path or dir   Iv".
143  Yes                         f.m8
145  No      local path or dir   97.
149  Yes                         sGQwa
153  Yes                         AwGxE
169  Yes                         PdVh
171  No      local path or dir   v>.V
172  Yes                         Qsu8
175  No      local path or dir   \.h}
201  Yes                         I5yxP
208  Yes                         JuLbP
212  No      local path or dir   [email protected]'a
214  Yes                         dqNL
225  No      local path or dir   ?.\\
238  No      local path or dir   5MYV.
239  Yes                         axDU
249  Yes                         rTI8
251  Yes                         sZ6lL
261  Yes                         yYWb
264  Yes                         D0rj
266  No      local path or dir   .jvlc8a
275  Yes                         RKLZS
283  Yes                         rLWn
284  No      local path or dir   i0<.
287  Yes                         oE,d
294  No      local path or dir   }.o>
297  Yes                         nRjEC4f6

Total Number of Strings: 3284 | Common strings: 3140 | Danger strings: 144

The listing is the first page of the tool's output; the numbers are its index into all 3284 strings. None of the entries are strings in any useful sense: they are runs of four to eight printable bytes inside the compressed overlay, and the "local path or dir" tag fires on any '.' or '\' among them. The 144 "danger" strings counted here carry no signal. For an installer, the string scan worth running is over the extracted payload, after the overlay has been unpacked.

Bytes Frequency Chart (not captured)