0066de7f554a0dea9fe7b55230846e6e

Summary

Architecture IMAGE_FILE_MACHINE_I386
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date 2018-Oct-16 16:59:54
Detected languages English - United States

Plugin Output

Suspicious PEiD Signature:
  • UPX V2.00-V2.90 -> Markus Oberhumer & Laszlo Molnar & John Reiser
  • UPX -> www.upx.sourceforge.net
Info Libraries used to perform cryptographic operations: Microsoft's Cryptography API
Suspicious The PE is packed with UPX:
  • Unusual section name found: UPX0
  • Section UPX0 is both writable and executable.
  • Unusual section name found: UPX1
  • Section UPX1 is both writable and executable.
Suspicious The PE contains functions most legitimate programs don't use. [!] The program may be hiding some of its imports:
  • LoadLibraryA
  • GetProcAddress
Uses Microsoft's cryptographic API:
  • CryptGenKey
Has Internet access capabilities:
  • URLDownloadToFileA
Leverages the raw socket API to access the Internet:
  • #16 (import by ordinal; ordinal 16 in WS2_32.dll is recv)
Can take screenshots:
  • BitBlt
  • GetDC
Info The PE's resources present abnormal characteristics:
  • Resource 103 is possibly compressed or encrypted.
Malicious VirusTotal score: 44/70 (Scanned on 2019-02-13 18:57:57)
MicroWorld-eScan: Generic.Malware.SFH.B12A1375
CAT-QuickHeal: Trojan.Mauvaise.SL1
ALYac: Generic.Malware.SFH.B12A1375
Zillya: Trojan.Agent.Win32.997310
TheHacker: Posible_Worm32
K7GW: Spyware ( 0053ffbb1 )
K7AntiVirus: Spyware ( 0053ffbb1 )
Arcabit: Generic.Malware.SFH.B12A1375
Invincea: heuristic
Cyren: W32/Trojan.GBLP-5815
Symantec: ML.Attribute.HighConfidence
TrendMicro-HouseCall: TROJ_GEN.R011C0PJQ18
Avast: Win32:Adware-gen [Adw]
BitDefender: Generic.Malware.SFH.B12A1375
Paloalto: generic.ml
Tencent: Win32.Trojan.Generic.Chi
Ad-Aware: Generic.Malware.SFH.B12A1375
Emsisoft: Generic.Malware.SFH.B12A1375 (B)
Comodo: Malware@#3oaz1il2gd44a
F-Secure: Trojan.TR/Spy.Agent.bcosm
VIPRE: Trojan.Win32.Generic!BT
TrendMicro: TROJ_GEN.R011C0PJQ18
McAfee-GW-Edition: BehavesLike.Win32.SpyLydra.pc
Sophos: Mal/Generic-S
Ikarus: Trojan-Spy.Agent
Avira: TR/Spy.Agent.bcosm
Fortinet: W32/Agent.PNW!tr.spy
Antiy-AVL: Trojan/Win32.Fuery
Endgame: malicious (moderate confidence)
Microsoft: Trojan:Win32/Skeeyah.A!bit
AhnLab-V3: Malware/Win32.Generic.C2832976
Acronis: suspicious
McAfee: RDN/Generic PWS.y
Cylance: Unsafe
ESET-NOD32: Win32/Spy.Agent.PNW
Rising: Spyware.Agent!8.C6 (CLOUD)
Yandex: TrojanSpy.Agent!+DF+Jc/rAlI
SentinelOne: static engine - malicious
GData: Generic.Malware.SFH.B12A1375
AVG: Win32:Adware-gen [Adw]
Cybereason: malicious.f554a0
Panda: Trj/GdSda.A
CrowdStrike: malicious_confidence_90% (W)
Qihoo-360: HEUR/QVM11.1.BD31.Malware.Gen

Hashes

MD5 0066de7f554a0dea9fe7b55230846e6e
SHA1 2848ac48a098bc5bb19632944ef864e19c6a93d3
SHA256 f9b92656ff26783b868f6285165319e380582d32ecfff3fd629adb3753703463
SHA3 aebd7d24e1ac76382dfaac5793702ad37e27bef41a7d8e5b3833d8aefd7910de
SSDeep 768:Si376IARqE0zxyahrbIYy/6k/XrONfcJkP+FPnRxuwyhg1SApLMHjzKop:Si3w0ZzNh2ESJkPgnWwyhSSoIH3D
Imports Hash c615963b9ed490334f5c0889ace7aa1d

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0x108

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_I386
NumberofSections 3
TimeDateStamp 2018-Oct-16 16:59:54
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xe0
Characteristics IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE

Image Optional Header

Magic PE32
LinkerVersion 14.0
SizeOfCode 0xb000
SizeOfInitializedData 0x1000
SizeOfUninitializedData 0x17000
AddressOfEntryPoint 0x000229E0 (Section: UPX1)
BaseOfCode 0x18000
BaseOfData 0x23000
ImageBase 0x400000
SectionAlignment 0x1000
FileAlignment 0x200
OperatingSystemVersion 6.0
ImageVersion 0.0
SubsystemVersion 6.0
Win32VersionValue 0
SizeOfImage 0x24000
SizeOfHeaders 0x1000
Checksum 0
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
DllCharacteristics IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
SizeofStackReserve 0x100000
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

UPX0

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA3 a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a
VirtualSize 0x17000
VirtualAddress 0x1000
SizeOfRawData 0
PointerToRawData 0x400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

UPX1

MD5 f975286aac1a1691af3f65aacffb460c
SHA1 3b4694dc46c7b5b1e26a047cbd4a3a849d8478a5
SHA256 9ab033dd64264558415730dcb01a2fcf7bd40591c2fea3a3abde3ad3540a15ec
SHA3 3dc0a30d0078b2d26f7b199518c97615c26b76aaefadf82b45b72c32aefa2072
VirtualSize 0xb000
VirtualAddress 0x18000
SizeOfRawData 0xae00
PointerToRawData 0x400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 7.87274

.rsrc

MD5 72c9b957f1bc73068146e69854b5bada
SHA1 ee86ae54267c24056c7279c7de6346e29cfaf7e9
SHA256 2ad39314f48cc373051464a8b157f86f6ef2aa5c7838dd40bb0e257797799b78
SHA3 7cfa56a52ead3a31dc3aaf7ea692f9eeaf134fe3b58638eeb3d2649082e0e2f2
VirtualSize 0x1000
VirtualAddress 0x23000
SizeOfRawData 0xa00
PointerToRawData 0xb200
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 4.07953
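
The three section headers above carry the whole packer story: UPX0 has SizeOfRawData 0 but a 0x17000-byte VirtualSize (the empty destination the stub unpacks into), UPX1 holds the compressed payload at entropy 7.87 and contains the entry point, and both are mapped writable and executable. The following script is an added example, not Manalyze's code and not taken from the sample: it parses a PE32 section table with nothing but the standard library and re-derives those findings over a constructed in-memory image whose section table mirrors the report. The image bytes, the 7.0 entropy cut-off and the file layout are assumptions made for the demonstration.

```python
"""Minimal PE32 section-table triage (added example; not Manalyze's code).

Re-implements the checks behind the report's packer findings over a
constructed image whose section table mirrors the sample: UPX0 (zero raw
size, W+X), UPX1 (entry point, high entropy, W+X) and a low-entropy .rsrc.
The image bytes, the 7.0 entropy cut-off and the file layout are
assumptions made for the demo, not data from the sample.
"""
import math
import random
import struct

# IMAGE_SCN_* section flags from the PE/COFF specification
SCN_CNT_INITIALIZED_DATA = 0x00000040
SCN_CNT_UNINITIALIZED_DATA = 0x00000080
SCN_MEM_EXECUTE = 0x20000000
SCN_MEM_READ = 0x40000000
SCN_MEM_WRITE = 0x80000000
ENTROPY_THRESHOLD = 7.0  # assumption: compressed/encrypted data usually sits above this


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte: 8.0 is uniform noise, plain x86 code is typically 5 to 6.5."""
    if not buf:
        return 0.0
    n = len(buf)
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(pe: bytes) -> dict:
    """Walk DOS header -> NT headers -> section table (no import/reloc parsing)."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    file_hdr = e_lfanew + 4
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, file_hdr)
    opt = file_hdr + 20
    magic = struct.unpack_from("<H", pe, opt)[0]       # 0x10B = PE32
    entry = struct.unpack_from("<I", pe, opt + 16)[0]  # AddressOfEntryPoint (RVA)
    sections = []
    for i in range(nsections):
        name, vsize, va, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", pe, opt + opt_size + 40 * i)
        raw = pe[rawptr:rawptr + rawsize] if rawsize else b""
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vsize": vsize, "va": va, "rawsize": rawsize,
                         "chars": chars, "entropy": shannon_entropy(raw)})
    return {"machine": machine, "magic": magic, "entry": entry, "sections": sections}


def entry_section(info: dict):
    """Name of the section that contains AddressOfEntryPoint, or None."""
    for s in info["sections"]:
        if s["va"] <= info["entry"] < s["va"] + max(s["vsize"], s["rawsize"]):
            return s["name"]
    return None


def packer_indicators(pe: bytes) -> list:
    """Findings a Manalyze-style packer plugin would report for this image."""
    info = parse_pe(pe)
    findings = []
    for s in info["sections"]:
        n = s["name"]
        if n.upper().startswith("UPX"):
            findings.append(f"Unusual section name found: {n}")
        if s["chars"] & SCN_MEM_WRITE and s["chars"] & SCN_MEM_EXECUTE:
            findings.append(f"Section {n} is both writable and executable.")
        if s["rawsize"] == 0 and s["vsize"] > 0:
            findings.append(f"Section {n} has no raw data but maps 0x{s['vsize']:x} bytes "
                            "(unpacking destination).")
        if s["entropy"] > ENTROPY_THRESHOLD:
            findings.append(f"Section {n} has high entropy ({s['entropy']:.2f}).")
    ep = entry_section(info)
    if ep is not None:
        findings.append(f"Entry point 0x{info['entry']:08X} is in section {ep}.")
    return findings


def build_sample_pe() -> bytes:
    """Constructed PE32 image mirroring the report's section table (not the real sample)."""
    rng = random.Random(0x1AE6D52B)
    upx1_raw = bytes(rng.getrandbits(8) for _ in range(0x1000))  # stand-in for packed payload
    rsrc_raw = (b"<assembly xmlns='urn:schemas-microsoft-com:asm.v1'/>\0" * 9).ljust(0x200, b"\0")
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)           # e_lfanew at offset 0x3C
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, 0xE0, 0x0102)  # I386, 3 sections
    opt = struct.pack("<HBBIIIIII", 0x10B, 14, 0, 0xB000, 0x1000, 0x17000,
                      0x229E0, 0x18000, 0x23000).ljust(0xE0, b"\0")

    def sh(name, vsize, va, rawsize, rawptr, chars):
        return struct.pack("<8sIIIIIIHHI", name, vsize, va, rawsize, rawptr, 0, 0, 0, 0, chars)

    rwx = SCN_MEM_EXECUTE | SCN_MEM_READ | SCN_MEM_WRITE
    table = (sh(b"UPX0", 0x17000, 0x1000, 0, 0x400, SCN_CNT_UNINITIALIZED_DATA | rwx)
             + sh(b"UPX1", 0xB000, 0x18000, len(upx1_raw), 0x400, SCN_CNT_INITIALIZED_DATA | rwx)
             + sh(b".rsrc", 0x1000, 0x23000, len(rsrc_raw), 0x400 + len(upx1_raw),
                  SCN_CNT_INITIALIZED_DATA | SCN_MEM_READ | SCN_MEM_WRITE))
    headers = (dos + b"PE\0\0" + file_hdr + opt + table).ljust(0x400, b"\0")
    return headers + upx1_raw + rsrc_raw


if __name__ == "__main__":
    for line in packer_indicators(build_sample_pe()):
        print(line)
```

Running it prints the same four section findings the report shows plus the empty-UPX0 and entropy observations; on a real file, replace build_sample_pe() with the bytes of the sample and the checks apply unchanged. None of this proves malice by itself: UPX is used by legitimate software too, and the score here comes from what the unpacked payload imports, not from the packer.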

Imports

ADVAPI32.dll CryptGenKey
api-ms-win-crt-convert-l1-1-0.dll strtol
api-ms-win-crt-filesystem-l1-1-0.dll _lock_file
api-ms-win-crt-heap-l1-1-0.dll free
api-ms-win-crt-locale-l1-1-0.dll _configthreadlocale
api-ms-win-crt-math-l1-1-0.dll __setusermatherr
api-ms-win-crt-runtime-l1-1-0.dll exit
api-ms-win-crt-stdio-l1-1-0.dll fread
api-ms-win-crt-string-l1-1-0.dll wcsspn
api-ms-win-crt-time-l1-1-0.dll _time64
GDI32.dll BitBlt
gdiplus.dll GdiplusStartup
KERNEL32.DLL LoadLibraryA
ExitProcess
GetProcAddress
VirtualProtect
MSVCP140.dll _Stat
SHELL32.dll CommandLineToArgvW
SHLWAPI.dll PathFindExtensionA
urlmon.dll URLDownloadToFileA
USER32.dll GetDC
VCRUNTIME140.dll memchr
WS2_32.dll #16
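
The import table above is the UPX stub's, not the payload's: apart from the four KERNEL32 entries the stub itself needs (LoadLibraryA, GetProcAddress, VirtualProtect, ExitProcess), every DLL shows exactly one function, which is just enough to make the loader map the DLL before the stub resolves the real imports with GetProcAddress. That is what the "may be hiding some of its imports" finding refers to, and it also means the Imports Hash fingerprints the packer stub at least as much as the payload. The following script is an added example (not Manalyze's or pefile's code) of how an import hash is derived from such a list using the common Mandiant/pefile recipe. It feeds the report's alphabetical listing, which is not the import-directory order the tool hashed, so the digest it prints is not expected to equal the Imports Hash above; the ws2_32 ordinal table is an assumed subset.

```python
"""Import hash (imphash) from (dll, function-or-ordinal) pairs.

Added example, not Manalyze's or pefile's code. Recipe: lowercase the DLL,
drop a .dll/.ocx/.sys suffix, resolve well-known ordinals to names, join
"dll.func" entries with commas in import-directory order, MD5 the string.
REPORT_IMPORTS is the report's alphabetical listing, not directory order,
so the digest is not expected to match the report's Imports Hash.
"""
import hashlib

# Subset of the ws2_32.dll export ordinals (assumption: only those needed here)
WS2_32_ORDINALS = {1: "accept", 2: "bind", 3: "closesocket", 4: "connect",
                   16: "recv", 19: "send", 23: "socket"}

REPORT_IMPORTS = [  # as printed in the Imports section; ordinal imports as int
    ("ADVAPI32.dll", "CryptGenKey"),
    ("api-ms-win-crt-convert-l1-1-0.dll", "strtol"),
    ("api-ms-win-crt-filesystem-l1-1-0.dll", "_lock_file"),
    ("api-ms-win-crt-heap-l1-1-0.dll", "free"),
    ("api-ms-win-crt-locale-l1-1-0.dll", "_configthreadlocale"),
    ("api-ms-win-crt-math-l1-1-0.dll", "__setusermatherr"),
    ("api-ms-win-crt-runtime-l1-1-0.dll", "exit"),
    ("api-ms-win-crt-stdio-l1-1-0.dll", "fread"),
    ("api-ms-win-crt-string-l1-1-0.dll", "wcsspn"),
    ("api-ms-win-crt-time-l1-1-0.dll", "_time64"),
    ("GDI32.dll", "BitBlt"),
    ("gdiplus.dll", "GdiplusStartup"),
    ("KERNEL32.DLL", "LoadLibraryA"),
    ("KERNEL32.DLL", "ExitProcess"),
    ("KERNEL32.DLL", "GetProcAddress"),
    ("KERNEL32.DLL", "VirtualProtect"),
    ("MSVCP140.dll", "_Stat"),
    ("SHELL32.dll", "CommandLineToArgvW"),
    ("SHLWAPI.dll", "PathFindExtensionA"),
    ("urlmon.dll", "URLDownloadToFileA"),
    ("USER32.dll", "GetDC"),
    ("VCRUNTIME140.dll", "memchr"),
    ("WS2_32.dll", 16),
]


def normalize(dll: str, func) -> str:
    """Canonical 'dll.func' token: case-folded, extension stripped, ordinal resolved."""
    name = dll.lower()
    for ext in (".dll", ".ocx", ".sys"):
        if name.endswith(ext):
            name = name[:-len(ext)]
            break
    if isinstance(func, int):
        func = WS2_32_ORDINALS.get(func, f"ord{func}") if name == "ws2_32" else f"ord{func}"
    return f"{name}.{func.lower()}"


def imphash(imports) -> str:
    """MD5 over the comma-joined tokens; order matters, so directory order is required."""
    return hashlib.md5(",".join(normalize(d, f) for d, f in imports).encode()).hexdigest()


if __name__ == "__main__":
    print(imphash(REPORT_IMPORTS))
```

Because the digest is order-sensitive and the stub's table is nearly identical across UPX-packed binaries, pivoting on the imphash of a packed sample tends to cluster "things packed with the same UPX build" rather than "same malware family"; unpack first, then hash.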

Delayed Imports

Resources

109

Type RT_MENU
Language English - United States
Codepage UNKNOWN
Size 0x4a
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 5.78365
MD5 f7ae0d3b92878bdac2efac459996c6fe
SHA1 3998ce5f1c2036270e7e724c777f93a2e32d1a71
SHA256 2ca134e891fff84cdd0b6c59284591401e4cb5c708ddd7fd1f7984951b1d8a9f
SHA3 f99bbc421a32f66422f81891d546a592225bcf1e4bc8d4532196db569fb30842

103

Type RT_DIALOG
Language English - United States
Codepage UNKNOWN
Size 0x144
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 7.29442
MD5 31a484961203e358f1d8ac63a9096ded
SHA1 6cb065370e66af46dbbdb3e23c33bc6c8dafa0f7
SHA256 722fa78af0763ec069bc5e63ac5a514e62615f0f58b46d7d30cd504e2f1605d7
SHA3 58c4efe4bf58046569730524e85822172588cc978d9d1761caf4ec0a85f9cf83

7

Type RT_STRING
Language English - United States
Codepage UNKNOWN
Size 0x34
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 5.14237
MD5 5dbf14ea05dbdf86aaf87d2ba084d872
SHA1 0f1496a33148e3570e321f3ef8973755e9ae8c6a
SHA256 3731e620f6930f7217a929f130ccd946f27ccc7abc780c8edcc69a141609b27b
SHA3 b426cd544a5a4836e3c37c7c2b6b53895f006e760ac16a2ce6b8c6a9053508fc

109 (#2)

Type RT_ACCELERATOR
Language English - United States
Codepage UNKNOWN
Size 0x10
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 4
MD5 f5fd34404b3976add1d70c8c4f3eb40c
SHA1 dce7b4c3c5f3ddd071687affe0f7654fb264f105
SHA256 299c3e2e9f56f820e3ea9a736fdbde62495950bf97505fe1af8d604391082039
SHA3 11ca1e993cdf03b2a874155cbc67ecc1cdaafca333e939a267d01f4448e7ba2c

1

Type RT_MANIFEST
Language English - United States
Codepage UNKNOWN
Size 0x17d
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 4.91161
MD5 1e4a89b11eae0fcf8bb5fdd5ec3b6f61
SHA1 4260284ce14278c397aaf6f389c1609b0ab0ce51
SHA256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df
SHA3 4bb9e8b5a714cae82782f3831cc2d45f4bf4a50a755fe584d2d1893129d68353

Version Info

TLS Callbacks

Load Configuration

Size 0xa0
TimeDateStamp 1970-Jan-01 00:00:00
Version 0.0
GlobalFlagsClear (EMPTY)
GlobalFlagsSet (EMPTY)
CriticalSectionDefaultTimeout 0
DeCommitFreeBlockThreshold 0
DeCommitTotalFreeThreshold 0
LockPrefixTable 0
MaximumAllocationSize 0
VirtualMemoryThreshold 0
ProcessAffinityMask 0
ProcessHeapFlags (EMPTY)
CSDVersion 0
Reserved1 0
EditList 0
SecurityCookie 0x41b00c
SEHandlerTable 0x417360
SEHandlerCount 59

RICH Header

XOR Key 0x1ae6d52b
Unmarked objects 0
Imports (VS2008 SP1 build 30729) 18
263 (VS2015/2017 runtime 25711) 1
ASM objects (VS 2015/2017 runtime 26706) 4
C objects (VS 2015/2017 runtime 26706) 12
C++ objects (VS 2015/2017 runtime 26706) 31
Imports (VS 2015/2017 runtime 26706) 4
C objects (VS2015/2017 runtime 25711) 2
Imports (VS2015/2017 runtime 25711) 23
Total imports 320
265 (VS2017 v15.8.5-8 compiler 26730) 3
Resource objects (VS2017 v15.8.5-8 compiler 26730) 1
151 1
Linker (VS2017 v15.8.5-8 compiler 26730) 1

Errors

[!] Error: Could not reach the TLS callback table.
[*] Warning: Section UPX0 has a size of 0!
[*] Warning: Couldn't convert a string from a RT_STRING resource to UTF-8!
[*] Warning: Couldn't convert a string from a RT_STRING resource to UTF-8!