{
    "7b63576c9f0ea6afb4c900b0c5832789922c0409e9cd6efd100d3b33024963cd": {
        "DOS Header": {
            "e_magic": "MZ",
            "e_cblp": 144,
            "e_cp": 3,
            "e_crlc": 0,
            "e_cparhdr": 4,
            "e_minalloc": 0,
            "e_maxalloc": 65535,
            "e_ss": 0,
            "e_sp": 184,
            "e_csum": 0,
            "e_ip": 0,
            "e_cs": 0,
            "e_ovno": 0,
            "e_oemid": 0,
            "e_oeminfo": 0,
            "e_lfanew": 216
        },
        "Hashes": {
            "MD5": "643654975b63a9bb6f597502e5cd8f49",
            "SHA1": "2c901a12e8c4ec9babfd693b5f3d805c945e4657",
            "SHA256": "7b63576c9f0ea6afb4c900b0c5832789922c0409e9cd6efd100d3b33024963cd",
            "SHA3": "0bdc1a6807b7a31ac0d8379136d2234a46b536ca6bd69164b79a3ee6d524298e",
            "SSDeep": "6144:c0WJzQyoyoMGGGGGGGGGGbGGGGGGGGGG6GG/DGXxeXJE85PmWyVcjUkdHbIIA3:c0WJztKHjl",
            "Imports Hash": "0fefba40443edd57f816502035077e3e"
        },
        "Image Optional Header": {
            "Magic": "PE32",
            "LinkerVersion": "6.0",
            "SizeOfCode": 16384,
            "SizeOfInitializedData": 333824,
            "SizeOfUninitializedData": 0,
            "AddressOfEntryPoint": "0x000014C2 (Section: .text)",
            "BaseOfCode": 4096,
            "BaseOfData": 20480,
            "ImageBase": 4194304,
            "SectionAlignment": 4096,
            "FileAlignment": 512,
            "OperatingSystemVersion": "4.0",
            "ImageVersion": "0.0",
            "SubsystemVersion": "4.0",
            "Win32VersionValue": 0,
            "SizeOfImage": 356352,
            "SizeOfHeaders": 1024,
            "Checksum": 0,
            "Subsystem": "IMAGE_SUBSYSTEM_WINDOWS_GUI",
            "SizeofStackReserve": 1048576,
            "SizeofStackCommit": 4096,
            "SizeofHeapReserve": 1048576,
            "SizeofHeapCommit": 4096,
            "LoaderFlags": 0,
            "NumberOfRvaAndSizes": 16
        },
        "Imports": {
            "KERNEL32.dll": [
                "CreateProcessA",
                "CloseHandle",
                "WriteFile",
                "LockResource",
                "SizeofResource",
                "LoadResource",
                "FindResourceA",
                "CreateFileA",
                "CreateDirectoryA",
                "GetCurrentDirectoryA",
                "GetTempPathA",
                "SetProcessPriorityBoost",
                "SetThreadPriority",
                "GetCurrentThread",
                "SetPriorityClass",
                "GetCurrentProcess",
                "lstrcatA",
                "lstrcpyA",
                "GetEnvironmentVariableA",
                "GetShortPathNameA",
                "GetModuleFileNameA",
                "GetStringTypeW",
                "GetStringTypeA",
                "LCMapStringW",
                "LCMapStringA",
                "GetModuleHandleA",
                "GetStartupInfoA",
                "GetCommandLineA",
                "GetVersion",
                "ExitProcess",
                "TerminateProcess",
                "UnhandledExceptionFilter",
                "FreeEnvironmentStringsA",
                "FreeEnvironmentStringsW",
                "WideCharToMultiByte",
                "GetEnvironmentStrings",
                "GetEnvironmentStringsW",
                "SetHandleCount",
                "GetStdHandle",
                "GetFileType",
                "HeapDestroy",
                "HeapCreate",
                "VirtualFree",
                "HeapFree",
                "RtlUnwind",
                "GetLastError",
                "SetFilePointer",
                "GetCPInfo",
                "GetACP",
                "GetOEMCP",
                "HeapAlloc",
                "VirtualAlloc",
                "HeapReAlloc",
                "GetProcAddress",
                "LoadLibraryA",
                "SetStdHandle",
                "MultiByteToWideChar",
                "FlushFileBuffers"
            ],
            "SHELL32.dll": [
                "SHChangeNotify",
                "ShellExecuteA",
                "ShellExecuteExA"
            ]
        },
        "PE Header": {
            "Signature": "PE",
            "Machine": "IMAGE_FILE_MACHINE_I386",
            "NumberofSections": 4,
            "TimeDateStamp": "2014-Jan-14 04:38:30",
            "PointerToSymbolTable": 0,
            "NumberOfSymbols": 0,
            "SizeOfOptionalHeader": 224,
            "Characteristics": [
                "IMAGE_FILE_32BIT_MACHINE",
                "IMAGE_FILE_EXECUTABLE_IMAGE",
                "IMAGE_FILE_LINE_NUMS_STRIPPED",
                "IMAGE_FILE_LOCAL_SYMS_STRIPPED",
                "IMAGE_FILE_RELOCS_STRIPPED"
            ]
        },
        "Plugins": {
            "compilers": {
                "level": 1,
                "plugin_output": {
                    "info_0": "Microsoft Visual C++",
                    "info_1": "Microsoft Visual C++ v6.0"
                },
                "summary": "Matching compiler(s):"
            },
            "strings": {
                "level": 2,
                "plugin_output": {
                    "Contains another PE executable": [
                        "This program cannot be run in DOS mode."
                    ]
                },
                "summary": "Strings found in the binary may indicate undesirable behavior:"
            },
            "findcrypt": {
                "level": 1,
                "plugin_output": {
                    "info_0": "Uses constants related to DES"
                },
                "summary": "Cryptographic algorithms detected in the binary:"
            },
            "imports": {
                "level": 1,
                "plugin_output": {
                    "[!] The program may be hiding some of its imports": [
                        "GetProcAddress",
                        "LoadLibraryA"
                    ],
                    "Possibly launches other programs": [
                        "CreateProcessA",
                        "ShellExecuteA"
                    ],
                    "Can create temporary files": [
                        "CreateFileA",
                        "GetTempPathA"
                    ]
                },
                "summary": "The PE contains common functions which appear in legitimate applications."
            },
            "resources": {
                "level": 3,
                "plugin_output": {
                    "info_0": "Resource 108 detected as a PDF document.",
                    "info_1": "Resource 109 detected as a PE Executable.",
                    "info_2": "Resources account for 93.026% of the executable."
                },
                "summary": "The PE is possibly a dropper."
            },
            "virustotal": {
                "level": 3,
                "plugin_output": {
                    "Bkav": "W32.AIDetect.malware2",
                    "Elastic": "malicious (high confidence)",
                    "MicroWorld-eScan": "Gen:Variant.Barys.229848",
                    "FireEye": "Generic.mg.643654975b63a9bb",
                    "McAfee": "Artemis!643654975B63",
                    "Malwarebytes": "Malware.AI.4172468544",
                    "Zillya": "Dropper.Agent.Win32.234271",
                    "Alibaba": "Backdoor:Win32/Sloth.e877666f",
                    "Cybereason": "malicious.75b63a",
                    "BitDefenderTheta": "AI:Packer.9CE5F6661F",
                    "VirIT": "Trojan.Win32.DownLoader9.RDJ",
                    "Symantec": "ML.Attribute.HighConfidence",
                    "ESET-NOD32": "a variant of Win32/TrojanDropper.Agent.PVR",
                    "APEX": "Malicious",
                    "Paloalto": "generic.ml",
                    "ClamAV": "Win.Trojan.B-262",
                    "Kaspersky": "Backdoor.Win32.Sloth.c",
                    "BitDefender": "Gen:Variant.Barys.229848",
                    "NANO-Antivirus": "Trojan.Win32.RP.czjbjv",
                    "Avast": "Win32:Downloader-VAV [Trj]",
                    "Rising": "Dropper.Agent!8.2F (CLOUD)",
                    "Ad-Aware": "Gen:Variant.Barys.229848",
                    "Sophos": "Mal/Generic-S",
                    "Comodo": "Malware@#i8nnjf8prdx7",
                    "DrWeb": "Trojan.DownLoader9.11579",
                    "VIPRE": "Trojan.Win32.Generic!BT",
                    "TrendMicro": "Mal_DLDER",
                    "McAfee-GW-Edition": "BackDoor-FBVO!AB9DB28EEC90",
                    "Emsisoft": "Gen:Variant.Barys.229848 (B)",
                    "SentinelOne": "Static AI - Suspicious PE",
                    "GData": "Gen:Variant.Barys.229848",
                    "Jiangmin": "Trojan.Generic.pbdo",
                    "Avira": "TR/ATRAPS.Gen4",
                    "Antiy-AVL": "Trojan/Win32.Occamy",
                    "Kingsoft": "Win32.Heur.KVM007.a.(kcloud)",
                    "Microsoft": "Trojan:Win32/Comisproc!gmb",
                    "Cynet": "Malicious (score: 99)",
                    "VBA32": "BScope.Trojan-Spy.Zbot",
                    "ALYac": "Gen:Variant.Barys.229848",
                    "Tencent": "Win32.Trojan.Atraps.Wmiw",
                    "Yandex": "Trojan.GenAsa!tbPeKqtnYCk",
                    "Fortinet": "W32/Agent.PVR!tr",
                    "AVG": "Win32:Downloader-VAV [Trj]",
                    "Panda": "Trj/CI.A",
                    "CrowdStrike": "win/malicious_confidence_100% (W)"
                },
                "summary": "VirusTotal score: 45/65 (Scanned on 2022-02-18 08:40:14)"
            }
        },
        "RICH Header": {
            "XOR Key": 1291568401,
            "Unmarked objects": 0,
            "14 (7299)": 11,
            "C objects (VS98 build 8168)": 43,
            "19 (8034)": 5,
            "Total imports": 62,
            "C++ objects (VS98 build 8168)": 3,
            "Resource objects (VS98 cvtres build 1720)": 1
        },
        "Resources": {
            "108": {
                "Type": "PDF",
                "Language": "Chinese - PRC",
                "Codepage": "UNKNOWN",
                "Size": 15672,
                "TimeDateStamp": "1980-Jan-01 00:00:00",
                "Entropy": 7.9079,
                "Detected Filetype": "PDF Document",
                "MD5": "76aa49de535ee39129d5751e00517ad0",
                "SHA1": "fc6eec9573c7ac9d5445e0e8c10f18ab91286eab",
                "SHA256": "daa2246de34e720e554d328516a9516ba34a476d1f363743623b427deb508201",
                "SHA3": "de9a54e78332afc452c3e02553b670a1b5adfe99e6e31e87cd2e7237983340aa"
            },
            "109": {
                "Type": "US",
                "Language": "Chinese - PRC",
                "Codepage": "UNKNOWN",
                "Size": 11264,
                "TimeDateStamp": "1980-Jan-01 00:00:00",
                "Entropy": 6.0344,
                "Detected Filetype": "PE Executable",
                "MD5": "ab9db28eec90696575bef33e293c0410",
                "SHA1": "810ba3a28f9e22125ed0b10c90f2151bcfb02203",
                "SHA256": "73428f344caa5704d0c54bdd3237478489f4e9752f668846b430356544c6fcf7",
                "SHA3": "d7157ddad791bcaf99c3a01b0dac9ce0a12c7475bc691c6d09b06905e83278e4"
            },
            "1": {
                "Type": "RT_ICON",
                "Language": "Chinese - PRC",
                "Codepage": "UNKNOWN",
                "Size": 1640,
                "TimeDateStamp": "1980-Jan-01 00:00:00",
                "Entropy": 3.36446,
                "MD5": "37802f4244f7aca50caa646d5e3e3adf",
                "SHA1": "0957d2eecfe1d099aaf1d8ccd6857a4917b5c86c",
                "SHA256": "d7a213e9d2693748cc4d949b2183de31878c808154ff32512e127a8118b1a869",
                "SHA3": "53c41350465a8a0d0b1aa2e9d578d5b2e850824a1084e2a0775287123de926c3"
            },
            "2": {
                "Type": "RT_ICON",
                "Language": "Chinese - PRC",
                "Codepage": "UNKNOWN",
                "Size": 744,
                "TimeDateStamp": "1980-Jan-01 00:00:00",
                "Entropy": 3.4983,
                "MD5": "044084a7e7813e45d785e5771d713c53",
                "SHA1": "bb45af39bb04fb08c154a9758e4ba2fd7e7a3ab1",
                "SHA256": "ec0f1c6de43d87c0becf018cb9d9a6fc83cc792519a4306fafcefe5ecacc6e97",
                "SHA3": "60aa023ef6248a1fe53d72d1a634e1e4ec8938cbf70067d7a7ea98e0a7a5e69c"
            },
            "3": {
                "Type": "RT_ICON",
                "Language": "Chinese - PRC",
                "Codepage": "UNKNOWN",
                "Size": 296,
                "TimeDateStamp": "1980-Jan-01 00:00:00",
                "Entropy": 3.19721,
                "MD5": "38bb18ab0c3d11a30409a6e0b4012b57",
                "SHA1": "fbca65562c2b5998ffef71b3a51b84353560dd14",
                "SHA256": "daf7848ff12e05e2cf9bb6a6d291ee2438af1ec81b444a8df07ca9abf5f95d6a",
                "SHA3": "c6cdca18cff1191d0974192fd5fd9ba20ecce2b57dc6bc8e0bf46e7efa31155f"
            },
            "4": {
                "Type": "RT_ICON",
                "Language": "Chinese - PRC",
                "Codepage": "UNKNOWN",
                "Size": 3752,
                "TimeDateStamp": "1980-Jan-01 00:00:00",
                "Entropy": 5.50363,
                "MD5": "49c7cd54577ad1e476d70282b548fc23",
                "SHA1": "ca39f76dd196c4885915a29d6739134f53ac3916",
                "SHA256": "13b0fbac7d1e3828cebf0d390affe216f50769abba5960c2f7c6e55154a74585",
                "SHA3": "84e02a501943cec3abb60c66f1b746622548fd546109c3397027da24e7e03481"
            },
            "5": {
                "Type": "RT_ICON",
                "Language": "Chinese - PRC",
                "Codepage": "UNKNOWN",
                "Size": 2216,
                "TimeDateStamp": "1980-Jan-01 00:00:00",
                "Entropy": 5.13728,
                "MD5": "c56bc0b85057a4df1cf8d122dfa7fc3f",
                "SHA1": "11346b67d66d85f220619d7e3bb391f322076b77",
                "SHA256": "0a8c332eabbe0be7dda025a36bbb74a352ce973a01c1202e4a3b2b8ff51b3fc6",
                "SHA3": "68d4d8143a19e4bfd1858a6e10bf4226b97f2f888c41f68c78b936294f556d4e"
            },
            "6": {
                "Type": "RT_ICON",
                "Language": "Chinese - PRC",
                "Codepage": "UNKNOWN",
                "Size": 1384,
                "TimeDateStamp": "1980-Jan-01 00:00:00",
                "Entropy": 3.08017,
                "MD5": "87d60af2f9ee2355b9b35bd483b8cbbc",
                "SHA1": "37bd7e5ee1b89b16688fb5105218ada821d0fb95",
                "SHA256": "94514c10dbf1d0e89f59a07b2d66ece808a79f72c950297066ef4125848230eb",
                "SHA3": "7980671a9f1a87bcdcc6b35e6c8cbc160b439ac2f158b6c2248fe9d315769d21"
            },
            "7": {
                "Type": "RT_ICON",
                "Language": "Chinese - PRC",
                "Codepage": "UNKNOWN",
                "Size": 270376,
                "TimeDateStamp": "1980-Jan-01 00:00:00",
                "Entropy": 4.21581,
                "MD5": "928b9580b18a35a665d29e9b6775f634",
                "SHA1": "5cb64ea9af930ab8ebd837c682e94a11047add19",
                "SHA256": "6fabdef0c67cd7b95657c8052eb5fced9a1c0c4f1ed768266ac132c1dc975167",
                "SHA3": "bb1916e1644dcc1abfa05fa87e73b4c916f3e1f5981f8cb3a3aae8628ccf11dd"
            },
            "8": {
                "Type": "RT_ICON",
                "Language": "Chinese - PRC",
                "Codepage": "UNKNOWN",
                "Size": 9640,
                "TimeDateStamp": "1980-Jan-01 00:00:00",
                "Entropy": 4.52717,
                "MD5": "2bd9749db4946242bab1cc959cac4acc",
                "SHA1": "dd12ecd6631a4505a128aea73c92b705d4ace89a",
                "SHA256": "41cfc6eb2bc18e593a8fc2dc2ecefbd71b9614378545ac65b03e4c9d019eca91",
                "SHA3": "8481b81d6bc25743a6a885f395de7a0b96c35803b3182dd522a8674e33559e06"
            },
            "9": {
                "Type": "RT_ICON",
                "Language": "Chinese - PRC",
                "Codepage": "UNKNOWN",
                "Size": 3240,
                "TimeDateStamp": "1980-Jan-01 00:00:00",
                "Entropy": 4.79854,
                "MD5": "e1db01a74974650eebde1785dc294121",
                "SHA1": "358b1ef0f3c08df027f0bb6994030a5bc185137e",
                "SHA256": "fb080cef60846528c409f60400f334100a16a5bd77b953c864b23a945fcf26fd",
                "SHA3": "aaf8936c6705c3c7e9aa60322fc122a316a607cea38f7c080dc6801b3585de8c"
            },
            "10": {
                "Type": "RT_ICON",
                "Language": "Chinese - PRC",
                "Codepage": "UNKNOWN",
                "Size": 1128,
                "TimeDateStamp": "1980-Jan-01 00:00:00",
                "Entropy": 4.45207,
                "MD5": "db99c2c04800cbb0938b19496feb5e2a",
                "SHA1": "7018317ba29b6a4b7a80cbbb5323362059222118",
                "SHA256": "94b2ef673471d0f96d83125ad5be115b3c599e0e4f51976529f609cfc2a7ef43",
                "SHA3": "c09e32835ce8f9df2ed5b379c353514b0b2cb163282692d177a3cee1a8774d5e"
            },
            "110": {
                "Type": "RT_GROUP_ICON",
                "Language": "Chinese - PRC",
                "Codepage": "UNKNOWN",
                "Size": 146,
                "TimeDateStamp": "1980-Jan-01 00:00:00",
                "Entropy": 2.94686,
                "Detected Filetype": "Icon file",
                "MD5": "c089fade0845c03465c36dbe43662184",
                "SHA1": "7fe145c2315d967c6b0d4d6a7aa4b5da4805eb1a",
                "SHA256": "bca95d518d15007e85b1e5ca42c0ce0d733c6c1720ef75f97a71f3b5a154f7a0",
                "SHA3": "a7d9c0d01133601cc72b47d1149c9a986343bb6b94e83b30668a5a9896c8f2eb"
            }
        },
        "Sections": {
            ".text": {
                "MD5": "aa58df81e6566a98ab6c66985f6131c5",
                "SHA1": "42b6b4b8db37abe662c9b7f4bfe30c23c1861dec",
                "SHA256": "c438626161a8100216d973155a16c0849e6bafdcb89e4f8d3cca163724febabb",
                "SHA3": "0afafc4b7ae0315abda178d5acd722fe46d4e689cac4c65d40ff3834a4f77aca",
                "VirtualSize": 16324,
                "VirtualAddress": 4096,
                "SizeOfRawData": 16384,
                "PointerToRawData": 1024,
                "PointerToRelocations": 0,
                "PointerToLineNumbers": 0,
                "NumberOfLineNumbers": 0,
                "NumberOfRelocations": 0,
                "Characteristics": [
                    "IMAGE_SCN_CNT_CODE",
                    "IMAGE_SCN_MEM_EXECUTE",
                    "IMAGE_SCN_MEM_READ"
                ],
                "Entropy": 6.57064
            },
            ".rdata": {
                "MD5": "2e4359d421f248a3774c9a4b0dea6985",
                "SHA1": "5c05747bebffe49c955e050caf977838aae776e5",
                "SHA256": "000d633682598270638ced194977f15bfe816255a5d3d8d958c9c9745265ed42",
                "SHA3": "43683742bdcea44f6c7bd779589576dc1add528b5b6e111b31af8c587d37ab7c",
                "VirtualSize": 2656,
                "VirtualAddress": 20480,
                "SizeOfRawData": 3072,
                "PointerToRawData": 17408,
                "PointerToRelocations": 0,
                "PointerToLineNumbers": 0,
                "NumberOfLineNumbers": 0,
                "NumberOfRelocations": 0,
                "Characteristics": [
                    "IMAGE_SCN_CNT_INITIALIZED_DATA",
                    "IMAGE_SCN_MEM_READ"
                ],
                "Entropy": 4.87919
            },
            ".data": {
                "MD5": "e1ca358a07756f23b03efd68334ffca4",
                "SHA1": "8b80d6c3ce2a4f2a8c4092f3d91a30ea2b92b654",
                "SHA256": "04ccab66c91f570a383646f6fb476f1417124b7938cbfa3cf455127285e99a20",
                "SHA3": "ed21c497cdc77025a20b7f47dc4a82f71d91dd81aca0327ed316e37d1fd02eca",
                "VirtualSize": 7804,
                "VirtualAddress": 24576,
                "SizeOfRawData": 2560,
                "PointerToRawData": 20480,
                "PointerToRelocations": 0,
                "PointerToLineNumbers": 0,
                "NumberOfLineNumbers": 0,
                "NumberOfRelocations": 0,
                "Characteristics": [
                    "IMAGE_SCN_CNT_INITIALIZED_DATA",
                    "IMAGE_SCN_MEM_READ",
                    "IMAGE_SCN_MEM_WRITE"
                ],
                "Entropy": 2.15182
            },
            ".rsrc": {
                "MD5": "b73f67a174421da5331b14d9f8d6e6bd",
                "SHA1": "d72e598e63a273309b301ad8de2a3c6e5f1ecd34",
                "SHA256": "79669f20bf31527881900521546dad660237b419937710293382270f932a0a3b",
                "SHA3": "a36a5504b664362f94505bf0a7068f58a4ab10c5189fd7406a53150d8734c738",
                "VirtualSize": 322256,
                "VirtualAddress": 32768,
                "SizeOfRawData": 322560,
                "PointerToRawData": 23040,
                "PointerToRelocations": 0,
                "PointerToLineNumbers": 0,
                "NumberOfLineNumbers": 0,
                "NumberOfRelocations": 0,
                "Characteristics": [
                    "IMAGE_SCN_CNT_INITIALIZED_DATA",
                    "IMAGE_SCN_MEM_READ"
                ],
                "Entropy": 4.7331
            }
        },
        "Summary": {
            "Architecture": "IMAGE_FILE_MACHINE_I386",
            "Subsystem": "IMAGE_SUBSYSTEM_WINDOWS_GUI",
            "Compilation Date": "2014-Jan-14 04:38:30",
            "Detected languages": [
                "Chinese - PRC"
            ]
        }
    }
}