00cd56697fd3ff490fcdd5fb846147bb

Summary

Architecture IMAGE_FILE_MACHINE_I386
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date 2015-Aug-19 18:07:40
Debug artifacts C:\dev\perl\htdocs_csdi_smoothviewer\src\media_installers\resources\upd35.pdb
FileDescription
FileVersion 0.0.0.0
InternalName MediaBuyerAgent.exe
LegalCopyright
OriginalFilename MediaBuyerAgent.exe
ProductVersion 0.0.0.0
Assembly Version 0.0.0.0

Plugin Output

Suspicious strings found in the binary may indicate undesirable behavior:
Contains references to security software:
  • rshell.exe
Tries to detect virtualized environments:
  • HARDWARE\DESCRIPTION\System
Looks for VMWare presence:
  • VMware
  • vmware
May have dropper capabilities:
  • CurrentControlSet\services
Accesses the WMI:
  • root\Security
Info The PE is digitally signed. Signer: cloud4pc.
Issuer: GlobalSign CodeSigning CA - SHA256 - G2.
Malicious VirusTotal score: 39/58 (Scanned on 2016-09-03 00:54:00)
Bkav: W32.HfsAdware.D362
MicroWorld-eScan: Application.Generic.1558515
CAT-QuickHeal: PUA.Eorezo.D3
Malwarebytes: Adware.EoRezo
Zillya: Adware.Eorezo.Win32.15053
K7AntiVirus: Adware ( 004cd9721 )
K7GW: Adware ( 004cd9721 )
Arcabit: Application.Generic.D17C7F3
Invincea: virus.win32.chir.b@mm
F-Prot: W32/S-0a7e3f89!Eldorado
Symantec: SMG.Heur!gen
TrendMicro-HouseCall: TROJ_GEN.R00XC0EI216
ClamAV: Win.Adware.Eorezo-357
Kaspersky: not-a-virus:AdWare.MSIL.Eorezo.cj
BitDefender: Application.Generic.1558515
NANO-Antivirus: Trojan.Win32.Unwanted.dztpro
Ad-Aware: Application.Generic.1558515
Comodo: Application.Win32.EoRezo.AB
F-Secure: Application.Generic.1558515
DrWeb: Program.Unwanted.734
VIPRE: Trojan.Win32.Generic!BT
TrendMicro: TROJ_GEN.R00XC0EI216
Sophos: Eorezo (PUA)
Cyren: W32/S-0a7e3f89!Eldorado
Jiangmin: AdWare.MSIL.djdb
Avira: ADWARE/EoRezo.86720
Antiy-AVL: Trojan/Win32.TSGeneric
GData: Application.Generic.1558515
AhnLab-V3: PUP/Win32.EoRezo.R167868
AVware: Trojan.Win32.Generic!BT
VBA32: AdWare.MSIL.Eorezo
ESET-NOD32: a variant of MSIL/Adware.EoRezo.B
Rising: Trojan.EoRezo!1.A145 (classic)
Yandex: PUA.EoRezo!
Ikarus: AdWare.MSIL.Eorezo
Fortinet: Adware/Eorezo
AVG: BundleApp.BKGC
CrowdStrike: malicious_confidence_100% (D)
Qihoo-360: HEUR/QVM03.0.0000.Malware.Gen
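
The string heuristics above are literal substring matches, so a hit only proves the literal is present in the file, not that any code path uses it. Added here as an example (not the report's or the scanning tool's own code): a scanner that runs the same four indicator sets over a constructed byte buffer in both ASCII and UTF-16LE. The second encoding matters for this sample because it is an MSIL binary (the only import is mscoree!_CorExeMain) and C# string literals live UTF-16LE in the #US metadata heap, where an ASCII-only `strings`-style pass misses them. The indicator strings are taken from the plugin output; the sample buffer and its layout are constructed.

```python
import re

# Indicator sets copied from the plugin output above. A match means the
# literal exists in the file, nothing more.
RULES = {
    "Tries to detect virtualized environments": ["HARDWARE\\DESCRIPTION\\System"],
    "Looks for VMware presence": ["VMware", "vmware"],
    "May have dropper capabilities": ["CurrentControlSet\\services"],
    "Accesses the WMI": ["root\\Security"],
}


def encodings(literal):
    """Byte forms a managed PE can carry a literal in: ASCII (PE strings,
    metadata #Strings heap) and UTF-16LE (#US user-string heap, resources)."""
    return {"ascii": literal.encode("ascii"), "utf-16le": literal.encode("utf-16-le")}


def scan(data, rules=RULES):
    """Return {category: [(literal, encoding, offset), ...]} for every match."""
    hits = {}
    for category, literals in rules.items():
        for lit in literals:
            for enc_name, needle in encodings(lit).items():
                for m in re.finditer(re.escape(needle), data):
                    hits.setdefault(category, []).append((lit, enc_name, m.start()))
    return hits


def ascii_only_scan(data, rules=RULES):
    """What a naive ASCII-only scan reports; used to show what it misses."""
    full = scan(data, rules)
    return {c: [h for h in v if h[1] == "ascii"]
            for c, v in full.items() if any(h[1] == "ascii" for h in v)}


# Constructed sample buffer: two literals stored UTF-16LE (as a C# compiler
# emits them into #US), one stored ASCII, padded with filler bytes. Not
# taken from the analysed file.
SAMPLE = (
    b"\x00" * 16
    + "HARDWARE\\DESCRIPTION\\System".encode("utf-16-le") + b"\x00\x00"
    + b"SOFTWARE\\vmware\\"
    + "root\\Security".encode("utf-16-le")
    + b"\x00" * 16
)

if __name__ == "__main__":
    for category, found in scan(SAMPLE).items():
        for lit, enc, off in found:
            print("%-45s %-28s %-8s @0x%x" % (category, lit, enc, off))
```

Run against a real file, the only change is reading the bytes from disk; the point of the two-pass scan is that the registry and WMI literals of a .NET sample show up only on the UTF-16LE pass.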

Hashes

MD5 00cd56697fd3ff490fcdd5fb846147bb
SHA1 c62da103cbb404c6c6d6c52c08350e44dae6a6ec
SHA256 b6b1e1f6297adb28efd1ca13cfc22058477cc8fe31e5b653fa52830e53a67ee2
SHA3 01ba9f4758969bb5f0472a03c1f4b4efa288f9f88bd25347186335c6716c9a25
SSDeep 1536:FPo51/2R8AEcH75p7soAsyawgtzam2BR6D1bZ6iidIc9f6NDlvHsOS:FPo51/2R8AEcH7v7gsyawgtzamND1l6p
Imports Hash f34d5f2d4577ed6d9ceec516c1f5a744
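
The Imports Hash line is an imphash: the MD5 of the import table rendered as lowercased `dll.function` entries joined with commas, in import order. This sample imports only mscoree!_CorExeMain (see Imports below), which is what every managed .NET executable imports, so the value is shared by all of them and is useless for pivoting between .NET samples. The implementation below is added as an example, not the analysis tool's own code; it follows the common convention (strip .dll/.ocx/.sys, lowercase, ordinals rendered as ord<N>) and deliberately omits the ordinal-to-name lookup tables full implementations carry for a few system DLLs.

```python
import hashlib


def imphash(imports):
    """imports: list of (dll_name, function_name_or_int_ordinal) in
    import-table order. Returns the hex MD5 of the canonical import string."""
    parts = []
    for dll, func in imports:
        dll = dll.lower()
        # Only these three extensions are stripped; anything else is kept.
        for ext in (".dll", ".ocx", ".sys"):
            if dll.endswith(ext):
                dll = dll[: -len(ext)]
                break
        if isinstance(func, int):
            func = "ord%d" % func   # ordinal import, no name resolution here
        parts.append("%s.%s" % (dll, func.lower()))
    return hashlib.md5(",".join(parts).encode("ascii")).hexdigest()


# The complete import table of the file in this report.
DOTNET_IMPORTS = [("mscoree.dll", "_CorExeMain")]

# Constructed native-style import tables, to show that order is part of the hash.
NATIVE_A = [("KERNEL32.dll", "GetProcAddress"), ("kernel32.dll", "LoadLibraryA")]
NATIVE_B = [("kernel32.dll", "LoadLibraryA"), ("KERNEL32.dll", "GetProcAddress")]

if __name__ == "__main__":
    print(imphash(DOTNET_IMPORTS))
    print(imphash(NATIVE_A), imphash(NATIVE_B))
```

Because the canonical string is built in table order, two binaries with the same imports in a different order hash differently; conversely, all .NET executables hash identically, so treat this field as "is managed" rather than as a family signature for MSIL samples.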

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0x80

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_I386
NumberofSections 3
TimeDateStamp 2015-Aug-19 18:07:40
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xe0
Characteristics IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE

Image Optional Header

Magic PE32
LinkerVersion 8.0
SizeOfCode 0x13a00
SizeOfInitializedData 0xa00
SizeOfUninitializedData 0
AddressOfEntryPoint 0x00015852 (Section: .text)
BaseOfCode 0x2000
BaseOfData 0x16000
ImageBase 0x400000
SectionAlignment 0x2000
FileAlignment 0x200
OperatingSystemVersion 4.0
ImageVersion 0.0
SubsystemVersion 4.0
Win32VersionValue 0
SizeOfImage 0x1a000
SizeOfHeaders 0x200
Checksum 0
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
DllCharacteristics IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
SizeofStackReserve 0x100000
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

.text

MD5 f6b24ae3e8f19e3c0ae358f1442cfda5
SHA1 00614ac4e2b331f998e7082ed4da1a331b1c8445
SHA256 e233812e5e09b7af8c1cb517b5f579555b06c922a32ab0072326859ae2d7e973
SHA3 c22a6e514c67277bc5eda3c0b218671f3ed5519580e1adca633ef1a87567fbcd
VirtualSize 0x138ea
VirtualAddress 0x2000
SizeOfRawData 0x13a00
PointerToRawData 0x200
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
Entropy 5.4506

.rsrc

MD5 7fa4945f3eccbd141e423a85cb6a230f
SHA1 1ce8e43581581083f1c639f0d98661595e067b4b
SHA256 5d043ab3fb1f02d1abc1be55b64179c261407e4d3ae95a41e4f9a5d1ea5f1a39
SHA3 ec60fb76b42b2654aadd250eeadcf9a29740a3801adaebc60622d0d40dbaa359
VirtualSize 0x603
VirtualAddress 0x16000
SizeOfRawData 0x800
PointerToRawData 0x13c00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 3.80718

.reloc

MD5 1b9f13ff9d5e832c6cce25be25dd9315
SHA1 0e57bab2fcca16ff39384061831fd7ee51e4dcc0
SHA256 2018de1068e3c50aeebdbe3b6af50a2fa342ba7eb1503fab4c79182bae8a9917
SHA3 40e32ef259005a220ff64da52c6347dca2ad92084356c5d0ebfcb0026c5e8303
VirtualSize 0xc
VirtualAddress 0x18000
SizeOfRawData 0x200
PointerToRawData 0x14400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Entropy 0.10191

Imports

mscoree.dll _CorExeMain
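
The header fields above are what any PE parser reads to reach the numbers in this report: e_lfanew, the COFF header, the PE32 optional header, the data directories and the section table. Added here as an example (not the tool's code): a minimal parser that walks those structures, decodes Characteristics and DllCharacteristics, maps an RVA to its section and file offset (the entry point 0x15852 falls in .text, and the CodeView debug entry's AddressOfRawData 0x15884 maps to PointerToRawData 0x13a84 as the report states), and tests the CLR runtime header slot (data directory 14), which together with the lone mscoree!_CorExeMain import is the tell for a managed executable. It runs against a constructed header-only buffer that mirrors the values in this report; the CLR directory RVA and size in that buffer are assumed, since the report does not list them.

```python
import struct
from datetime import datetime, timezone

COFF_FMT = "<HHIIIHH"              # Machine .. Characteristics (20 bytes)
OPT32_FMT = "<HBB6I3I6H4I2H4I2I"   # PE32 optional header, without data directories (96 bytes)
SECTION_FMT = "<8s6I2HI"           # IMAGE_SECTION_HEADER (40 bytes)
DATA_DIR_FMT = "<II"               # VirtualAddress, Size
DIR_CLR_HEADER = 14                # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

MACHINES = {0x14C: "I386", 0x8664: "AMD64"}
FILE_CHARS = {0x0002: "EXECUTABLE_IMAGE", 0x0100: "32BIT_MACHINE", 0x2000: "DLL"}
DLL_CHARS = {0x0040: "DYNAMIC_BASE", 0x0100: "NX_COMPAT", 0x0400: "NO_SEH",
             0x4000: "GUARD_CF", 0x8000: "TERMINAL_SERVER_AWARE"}


def _flags(value, table):
    return [name for bit, name in sorted(table.items()) if value & bit]


def rva_to_offset(sections, rva):
    """Map an RVA to (section name, file offset); (None, None) if no section holds it."""
    for s in sections:
        end = s["vaddr"] + max(s["vsize"], s["rawsize"])
        if s["vaddr"] <= rva < end:
            return s["name"], rva - s["vaddr"] + s["rawptr"]
    return None, None


def parse_pe(data):
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    coff_off = e_lfanew + 4
    machine, nsec, tstamp, _symptr, _nsym, opt_size, chars = struct.unpack_from(COFF_FMT, data, coff_off)
    opt_off = coff_off + struct.calcsize(COFF_FMT)
    opt = struct.unpack_from(OPT32_FMT, data, opt_off)
    if opt[0] != 0x10B:
        raise ValueError("not PE32 (magic 0x%x)" % opt[0])
    n_dirs = opt[29]                                   # NumberOfRvaAndSizes
    dirs_off = opt_off + struct.calcsize(OPT32_FMT)
    dirs = [struct.unpack_from(DATA_DIR_FMT, data, dirs_off + 8 * i) for i in range(n_dirs)]
    sec_off = opt_off + opt_size                       # section table follows the optional header
    sections = []
    for i in range(nsec):
        name, vsize, vaddr, rawsize, rawptr, *_rest = struct.unpack_from(SECTION_FMT, data, sec_off + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vsize": vsize, "vaddr": vaddr, "rawsize": rawsize, "rawptr": rawptr})
    clr_rva, clr_size = dirs[DIR_CLR_HEADER] if n_dirs > DIR_CLR_HEADER else (0, 0)
    return {
        "machine": MACHINES.get(machine, hex(machine)),
        "num_sections": nsec,
        "timestamp": datetime.fromtimestamp(tstamp, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
        "characteristics": _flags(chars, FILE_CHARS),
        "entry_rva": opt[6],
        "entry": rva_to_offset(sections, opt[6]),
        "dll_characteristics": _flags(opt[23], DLL_CHARS),
        "size_of_image": opt[19],
        "is_dotnet": clr_rva != 0 and clr_size != 0,
        "sections": sections,
    }


def build_sample():
    """Constructed header-only PE32 with the values from this report.
    No section contents; the CLR directory RVA/size (0x2008/0x48) are assumed."""
    ts = int(datetime(2015, 8, 19, 18, 7, 40, tzinfo=timezone.utc).timestamp())
    dos = bytearray(0x80)                              # e_lfanew = 0x80
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)
    coff = struct.pack(COFF_FMT, 0x14C, 3, ts, 0, 0, 0xE0, 0x0102)
    opt = struct.pack(OPT32_FMT,
                      0x10B, 8, 0,                                  # PE32, linker 8.0
                      0x13A00, 0xA00, 0, 0x15852, 0x2000, 0x16000,  # code/data sizes, entry, bases
                      0x400000, 0x2000, 0x200,                      # ImageBase, alignments
                      4, 0, 0, 0, 4, 0,                             # OS / image / subsystem versions
                      0, 0x1A000, 0x200, 0,                         # Win32VersionValue, SizeOfImage, SizeOfHeaders, CheckSum
                      2, 0x8540,                                    # WINDOWS_GUI; DYNAMIC_BASE|NX_COMPAT|NO_SEH|TS_AWARE
                      0x100000, 0x1000, 0x100000, 0x1000,           # stack/heap reserve and commit
                      0, 16)                                        # LoaderFlags, NumberOfRvaAndSizes
    dirs = bytearray(16 * 8)
    struct.pack_into(DATA_DIR_FMT, dirs, DIR_CLR_HEADER * 8, 0x2008, 0x48)   # assumed values
    secs = b"".join(struct.pack(SECTION_FMT, n, vs, va, rs, rp, 0, 0, 0, 0, ch)
                    for n, vs, va, rs, rp, ch in (
                        (b".text", 0x138EA, 0x2000, 0x13A00, 0x200, 0x60000020),
                        (b".rsrc", 0x603, 0x16000, 0x800, 0x13C00, 0x40000040),
                        (b".reloc", 0xC, 0x18000, 0x200, 0x14400, 0x42000040)))
    return (bytes(dos) + b"PE\0\0" + coff + opt + bytes(dirs) + secs).ljust(0x200, b"\0")


if __name__ == "__main__":
    info = parse_pe(build_sample())
    for k, v in info.items():
        print("%-20s %s" % (k, v if k != "entry" else "%s @ file offset 0x%x" % v))
```

The RVA mapping uses max(VirtualSize, SizeOfRawData) as the section extent because either field can be the larger one; for .text here VirtualSize 0x138ea is smaller than the file-aligned 0x13a00, while .reloc has 0xc bytes of content in a 0x200-byte raw block.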

Delayed Imports

Resources

1

Type RT_VERSION
Language UNKNOWN
Codepage UNKNOWN
Size 0x264
Entropy 3.20096
MD5 d3f59bc5de544b9132b69a4dbf2b18ab
SHA1 e424753f1679f55b1147e825d6e10358ba3bd19f
SHA256 fccde951f2b0c9dffce995b6c9a506145b3cf5ac5ee622924d3ea49b92346f11
SHA3 881ebdafbfe6a9b72c283ebd6a2b648d33bd86010ae3c3e8a4455ab8535586f7

1 (#2)

Type RT_MANIFEST
Language UNKNOWN
Codepage UNKNOWN
Size 0x2ff
Entropy 5.04449
MD5 c15c2bc862e2fda972e8e04d8655de7c
SHA1 0f90bdcffd30250fec7bb8057afff1760f3bd652
SHA256 aafcad20be643778ca26f93abce2dfe147f59f87258172ec82051549e6f7ff7c
SHA3 2f993eeadf1106cfe9e3a0d57243ee5ad403a29341d3008ce677035122043b51

Version Info

Signature 0xfeef04bd
StructVersion 0x10000
FileVersion 0.0.0.0
ProductVersion 0.0.0.0
FileFlags (EMPTY)
FileOs VOS_DOS_WINDOWS32
VOS_NT_WINDOWS32
VOS__WINDOWS32
FileType VFT_APP
Language UNKNOWN
FileDescription
FileVersion (#2) 0.0.0.0
InternalName MediaBuyerAgent.exe
LegalCopyright
OriginalFilename MediaBuyerAgent.exe
ProductVersion (#2) 0.0.0.0
Assembly Version 0.0.0.0
Resource LangID UNKNOWN

IMAGE_DEBUG_TYPE_CODEVIEW

Characteristics 0
TimeDateStamp 2015-Aug-19 18:07:40
Version 0.0
SizeofData 102
AddressOfRawData 0x15884
PointerToRawData 0x13a84
Referenced File C:\dev\perl\htdocs_csdi_smoothviewer\src\media_installers\resources\upd35.pdb

TLS Callbacks

Load Configuration

RICH Header

Errors