{ "19840be0998802062efd3ebcfec2590f924d09309ef42bffc41df1225e914f47": { "DOS Header": { "e_magic": "MZ", "e_cblp": 144, "e_cp": 3, "e_crlc": 0, "e_cparhdr": 4, "e_minalloc": 0, "e_maxalloc": 65535, "e_ss": 0, "e_sp": 184, "e_csum": 0, "e_ip": 0, "e_cs": 0, "e_ovno": 0, "e_oemid": 0, "e_oeminfo": 0, "e_lfanew": 232 }, "Errors": "", "Exports": { "CompilerInstall": { "Ordinal": 1, "Address": 112268 }, "FailApplicationA": { "Ordinal": 2, "Address": 112336 }, "GenerateGoalA": { "Ordinal": 3, "Address": 112324 }, "HandleDateDynamicW": { "Ordinal": 4, "Address": 112304 }, "PrependDiskW": { "Ordinal": 5, "Address": 112284 }, "PreventProperly": { "Ordinal": 6, "Address": 112412 }, "RemoveInfoW": { "Ordinal": 7, "Address": 112372 }, "SchemaOtherIntegrateW": { "Ordinal": 8, "Address": 112400 }, "SemanticLinkGetA": { "Ordinal": 9, "Address": 112388 }, "SubsystemWork": { "Ordinal": 10, "Address": 112352 } }, "Hashes": { "MD5": "2d378958b6fb6c4bf4177f818f52a2b9", "SHA1": "b827b65d93edc00e52492eb95415b1d41d77364e", "SHA256": "19840be0998802062efd3ebcfec2590f924d09309ef42bffc41df1225e914f47", "SHA3": "b32b88ecca62161b1c3d70194a44839a9b6f68451c7c4e28415c2e7110498ef2", "SSDeep": "6144:Qzg0h+ghdLNT+1l1ese2rzMosU1mA9Fd9+:aJNT+Le27vTdg", "Imports Hash": "b88ede0c1d33880a42f9b396d1895a51" }, "Image Optional Header": { "Magic": "PE32", "LinkerVersion": "9.0", "SizeOfCode": 40960, "SizeOfInitializedData": 364544, "SizeOfUninitializedData": 0, "AddressOfEntryPoint": "0x000097F0 (Section: .text)", "BaseOfCode": 4096, "BaseOfData": 45056, "ImageBase": 4194304, "SectionAlignment": 4096, "FileAlignment": 4096, "OperatingSystemVersion": "4.0", "ImageVersion": "0.0", "SubsystemVersion": "4.0", "Win32VersionValue": 0, "SizeOfImage": 409600, "SizeOfHeaders": 4096, "Checksum": 366560, "Subsystem": "IMAGE_SUBSYSTEM_WINDOWS_GUI", "DllCharacteristics": [ "IMAGE_DLLCHARACTERISTICS_NO_SEH", "IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE" ], "SizeofStackReserve": 1048576, "SizeofStackCommit": 4096, "SizeofHeapReserve": 1048576, "SizeofHeapCommit": 4096, "LoaderFlags": 0, "NumberOfRvaAndSizes": 16 }, "Imports": { "KERNEL32.dll": [ "GetProcAddress", "GetModuleHandleA", "GetDateFormatW", "RemoveDirectoryW", "AddAtomW", "GetNumberFormatW", "GetModuleHandleW", "lstrlenW", "DeleteFileW", "DisableThreadLibraryCalls", "GetNumberFormatA", "LCMapStringW", "CreateJobObjectW", "GetShortPathNameA", "CreateProcessA", "VirtualProtect", "DeleteAtom", "GetDriveTypeW", "GetOEMCP", "GetNumberOfConsoleMouseButtons", "BackupSeek", "BuildCommDCBA", "CopyFileA", "GetFullPathNameA", "CreateDirectoryW", "GlobalFindAtomA", "CallNamedPipeA", "GetTimeFormatA", "CopyFileW", "GetCurrentThread", "MultiByteToWideChar", "GetLastError", "CreateMemoryResourceNotification", "GetSystemTime", "GetTimeFormatW", "CloseHandle", "AddConsoleAliasA", "GetDateFormatA", "AddConsoleAliasW", "CallNamedPipeW" ], "USER32.dll": [ "CharPrevW", "GetKeyNameTextA", "GetWindowTextA", "GetActiveWindow", "GetClipboardData", "FindWindowA", "GetClientRect", "GetWindowRect", "LoadIconA", "RegisterClassA", "IsCharAlphaNumericW", "GetLastInputInfo", "MessageBoxW", "GetKeyboardLayoutNameW", "LoadCursorFromFileW", "GetWindow", "IsWindowVisible", "GetFocus", "RegisterClassW", "LoadCursorA", "GetClassLongA", "GetMenuContextHelpId", "CharPrevA", "MapVirtualKeyW", "GetClipboardOwner", "GetShellWindow", "IsChild", "GetClassInfoExW", "GetTopWindow", "GetForegroundWindow", "GetWindowContextHelpId", "LoadIconW", "LoadMenuW" ], "GDI32.dll": [ "GetStockObject" ], "ADVAPI32.dll": [ "IsValidSid", "CryptAcquireContextA", "CryptCreateHash", "CryptDuplicateHash", "CryptDestroyHash", "CryptReleaseContext", "IsValidAcl", "CredMarshalCredentialW", "CreateWellKnownSid", "CredFree", "GetUserNameA" ], "msvcrt.dll": [ "memset" ], "NTMARTA.dll": [ "AccProvGetAllRights", "AccProvGetAccessInfoPerObjectType", "EventNameFree", "AccProvHandleSetAccessRights", "AccProvGetTrusteesAccess", "AccProvGetOperationResults", "AccConvertAccessMaskToActrlAccess", "AccLookupAccountName", "AccProvHandleRevokeAuditRights", "AccConvertAccessToSD", "AccProvHandleIsAccessAudited", "AccLookupAccountSid" ] }, "PE Header": { "Signature": "PE", "Machine": "IMAGE_FILE_MACHINE_I386", "NumberofSections": 6, "TimeDateStamp": "2011-Jul-24 14:13:10", "PointerToSymbolTable": 0, "NumberOfSymbols": 0, "SizeOfOptionalHeader": 224, "Characteristics": [ "IMAGE_FILE_32BIT_MACHINE", "IMAGE_FILE_DEBUG_STRIPPED", "IMAGE_FILE_DLL", "IMAGE_FILE_EXECUTABLE_IMAGE", "IMAGE_FILE_LINE_NUMS_STRIPPED" ] }, "Plugins": { "strings": { "level": 2, "plugin_output": { "May have dropper capabilities": [ "CurrentControlSet\\Services" ], "Miscellaneous malware strings": [ "cmd.exe" ] }, "summary": "Strings found in the binary may indicate undesirable behavior:" }, "findcrypt": { "level": 1, "plugin_output": { "info_0": "Microsoft's Cryptography API" }, "summary": "Libraries used to perform cryptographic operations:" }, "imports": { "level": 3, "plugin_output": { "Functions which can be used for anti-debugging purposes": [ "FindWindowA" ], "Possibly launches other programs": [ "CreateProcessA" ], "Uses Microsoft's cryptographic API": [ "CryptAcquireContextA", "CryptCreateHash", "CryptDuplicateHash", "CryptDestroyHash", "CryptReleaseContext" ], "Uses functions commonly found in keyloggers": [ "MapVirtualKeyW", "GetForegroundWindow" ], "Enumerates local disk drives": [ "GetDriveTypeW" ], "Reads the contents of the clipboard": [ "GetClipboardData" ] }, "summary": "The PE contains functions mostly used by malware." }, "virustotal": { "level": 3, "plugin_output": { "Bkav": "W32.SkeeyahTepfer.Trojan", "MicroWorld-eScan": "Gen:Variant.Razy.38182", "ALYac": "Gen:Variant.Razy.38182", "Zillya": "Trojan.Filecoder.Win32.2256", "K7AntiVirus": "Trojan ( 004e26c41 )", "Arcabit": "Trojan.Razy.D9526", "Baidu": "Win32.Trojan.WisdomEyes.151026.9950.9999", "Symantec": "Trojan.Gen.2", "ESET-NOD32": "Win32/Filecoder.NGH", "Avast": "Win32:Malware-gen", "Kaspersky": "Trojan-PSW.Win32.Tepfer.psxibe", "BitDefender": "Gen:Variant.Razy.38182", "NANO-Antivirus": "Trojan.Win32.ZPACK.ebmonx", "AegisLab": "Troj.Psw.W32.Tepfer!c", "Tencent": "Win32.Trojan.Filecoder.Hrzb", "Ad-Aware": "Gen:Variant.Razy.38182", "Emsisoft": "Gen:Variant.Razy.38182 (B)", "F-Secure": "Gen:Variant.Razy.38182", "VIPRE": "Trojan.Win32.Generic!BT", "TrendMicro": "TROJ_GEN.R047C0EDB16", "McAfee-GW-Edition": "BehavesLike.Win32.Expiro.fh", "Sophos": "Mal/Generic-S", "Avira": "TR/Crypt.ZPACK.bnyt", "Antiy-AVL": "Trojan[PSW]/Win32.Tepfer", "Microsoft": "Trojan:Win32/Skeeyah.A!rfn", "GData": "Gen:Variant.Razy.38182", "McAfee": "Artemis!2D378958B6FB", "AVware": "Trojan.Win32.Generic!BT", "Ikarus": "Trojan.Win32.Filecoder", "AVG": "FileCryptor.JVB", "Panda": "Trj/GdSda.A", "Qihoo-360": "HEUR/QVM40.1.Malware.Gen" }, "summary": "VirusTotal score: 32/57 (Scanned on 2016-04-12 21:31:20)" } }, "RICH Header": { "XOR Key": 411353000, "Unmarked objects": 0, "ASM objects (VS2008 SP1 build 30729)": 5, "Total imports": 535, "Imports (VS2008 SP1 build 30729)": 57, "Exports (VS2008 SP1 build 30729)": 1, "C++ objects (VS2008 SP1 build 30729)": 123, "C objects (VS2008 SP1 build 30729)": 29, "Linker (VS2008 SP1 build 30729)": 1, "Resource objects (VS2008 SP1 build 30729)": 1 }, "Sections": { ".text": { "MD5": "51f929780041b654f4c33e4d7651cddd", "SHA1": "86a9f350c26be1725c461961ba3300e10d3d0885", "SHA256": "d3c05839a0f89eb4b7a72a9e7533336689485cf6ff5cedda3d5ed56c205b9483", "SHA3": "f274f4b8e7dbda9e17d9679db4e90e56b36b0d178d511f1617c1a88186fa7400", "VirtualSize": 39616, "VirtualAddress": 4096, "SizeOfRawData": 40960, "PointerToRawData": 4096, "PointerToRelocations": 0, "PointerToLineNumbers": 0, "NumberOfLineNumbers": 0, "NumberOfRelocations": 0, "Characteristics": [ "IMAGE_SCN_CNT_CODE", "IMAGE_SCN_MEM_EXECUTE", "IMAGE_SCN_MEM_READ" ], "Entropy": 6.38581 }, ".rdata": { "MD5": "7a5cb2a7ba00a605cf8ddd3a006e6e75", "SHA1": "e018dd6da48702610b9facaba49fabc46e600a9b", "SHA256": "fbd16aca373b93ffce900743960081f598103f097930bfb9cdca4a543b78afd3", "SHA3": "4176840af2cbda298e265938879074323d3c0b032bfde7a9eced467afdc3853a", "VirtualSize": 32902, "VirtualAddress": 45056, "SizeOfRawData": 36864, "PointerToRawData": 45056, "PointerToRelocations": 0, "PointerToLineNumbers": 0, "NumberOfLineNumbers": 0, "NumberOfRelocations": 0, "Characteristics": [ "IMAGE_SCN_CNT_INITIALIZED_DATA", "IMAGE_SCN_MEM_READ" ], "Entropy": 3.60712 }, ".data": { "MD5": "302f54edb3192ac3fc426172aa869c3b", "SHA1": "7a0e3cb55a344052ab8a30dda330939031f9bf34", "SHA256": "4121421ba4f9e3e658cfc347b0c9892d2c414df66dd9b7240ee204f5043446af", "SHA3": "d61cde913887d13bdd186cf1226a926283d3b6a4a1267b06e9f2cb5b3b77a3e2", "VirtualSize": 116576, "VirtualAddress": 81920, "SizeOfRawData": 32768, "PointerToRawData": 81920, "PointerToRelocations": 0, "PointerToLineNumbers": 0, "NumberOfLineNumbers": 0, "NumberOfRelocations": 0, "Characteristics": [ "IMAGE_SCN_CNT_INITIALIZED_DATA", "IMAGE_SCN_MEM_READ", "IMAGE_SCN_MEM_WRITE" ], "Entropy": 4.19554 }, ".CRT": { "MD5": "d6990a46089a72b8f07da2a438362cf6", "SHA1": "5c8045b25f3f35bc8fce88cc1d78188ddddcf7d0", "SHA256": "106f29cafa5d2243a8049a497a7b5bde8d44f7af2291b24e472ffa1ba38431d6", "SHA3": "085b3ace2656c493945880f3709596acfa7c6e332e3e751691fb599602a94ceb", "VirtualSize": 54530, "VirtualAddress": 200704, "SizeOfRawData": 57344, "PointerToRawData": 114688, "PointerToRelocations": 0, "PointerToLineNumbers": 0, "NumberOfLineNumbers": 0, "NumberOfRelocations": 0, "Characteristics": [ "IMAGE_SCN_CNT_INITIALIZED_DATA", "IMAGE_SCN_MEM_READ" ], "Entropy": 7.51158 }, ".tls": { "MD5": "8a83e4359a30f584e15041f2b30b8bc1", "SHA1": "8d17f6e211296f2259e7016e5dbf7e50bc9003c0", "SHA256": "0a283b5aec8aa0219f5305faf7c7ff57ddf376f322b6d84a3919969739a6fb1f", "SHA3": "df9910ef7a0084ba1ee2a86688fe5b37f1c9c9a697bc774dc21cf6412f71e475", "VirtualSize": 147375, "VirtualAddress": 258048, "SizeOfRawData": 147456, "PointerToRawData": 172032, "PointerToRelocations": 0, "PointerToLineNumbers": 0, "NumberOfLineNumbers": 0, "NumberOfRelocations": 0, "Characteristics": [ "IMAGE_SCN_CNT_INITIALIZED_DATA", "IMAGE_SCN_MEM_READ", "IMAGE_SCN_MEM_WRITE" ], "Entropy": 7.51414 }, ".reloc": { "MD5": "8febc5b53f9128fd0c37a086e7242b16", "SHA1": "dd8c957bef5de16679ac2f6fdc71494d51b07957", "SHA256": "82ab1433024d2688b6e96b74cba84349d94ed3c48574b17b934da1fc928b722d", "SHA3": "8d0370af77995542ea1a83d6aa920cfde5cd70beffdfacb5141458d9376f92b3", "VirtualSize": 1610, "VirtualAddress": 405504, "SizeOfRawData": 4096, "PointerToRawData": 319488, "PointerToRelocations": 0, "PointerToLineNumbers": 0, "NumberOfLineNumbers": 0, "NumberOfRelocations": 0, "Characteristics": [ "IMAGE_SCN_CNT_INITIALIZED_DATA", "IMAGE_SCN_MEM_DISCARDABLE", "IMAGE_SCN_MEM_READ" ], "Entropy": 1.20902 } }, "Summary": { "Architecture": "IMAGE_FILE_MACHINE_I386", "Subsystem": "IMAGE_SUBSYSTEM_WINDOWS_GUI", "Compilation Date": "2011-Jul-24 14:13:10" } } }