01ee8bc69dbaaa6a33e6454a044ad043

Summary

Architecture IMAGE_FILE_MACHINE_AMD64
Subsystem IMAGE_SUBSYSTEM_WINDOWS_CUI
Compilation Date 2019-Jan-19 08:53:09
Detected languages English - United States

Plugin Output

Suspicious PEiD Signature:
  • MEW 11 SE 1.0 -> Northfox
  • UPolyX V0.1 -> Delikon
  • HQR data file
Info Cryptographic algorithms detected in the binary:
  • Uses constants related to MD5
  • Uses constants related to SHA1
  • Uses constants related to SHA256
  • Uses constants related to SHA512
  • Uses constants related to AES
  • Uses constants related to Blowfish
  • Microsoft's Cryptography API
Suspicious The PE contains functions most legitimate programs don't use. [!] The program may be hiding some of its imports:
  • GetProcAddress
  • LoadLibraryExW
Functions which can be used for anti-debugging purposes:
  • SwitchToThread
Uses Microsoft's cryptographic API:
  • CryptSetHashParam
  • CryptAcquireContextW
  • CryptReleaseContext
  • CryptDestroyKey
  • CryptGetProvParam
  • CryptGetUserKey
  • CryptExportKey
  • CryptDecrypt
  • CryptCreateHash
  • CryptGenRandom
  • CryptEnumProvidersW
  • CryptSignHashW
  • CryptDestroyHash
Leverages the raw socket API to access the Internet:
  • #3
  • #112
  • #16
  • #111
  • #116
  • #19
Interacts with the certificate store:
  • CertOpenStore
Safe VirusTotal score: 0/70 (Scanned on 2019-03-24 16:31:36) All the AVs think this file is safe.

Hashes

MD5 01ee8bc69dbaaa6a33e6454a044ad043
SHA1 d7aee6644e46e502223b9b6302e3ba1b77ebbc1e
SHA256 55d4c1a34fa1b57934e8637a375c9e0838249f695789dfd2605306a4b7b7c834
SHA3 8c78c9f13df47a81779a81d123de9b71b3070f3fc11a2ef20e24578c1e0fdf83
SSDeep 49152:hhcswWukSOsWnkbYhAxB+PpvxUfK+NmI8FHqPtX8TN4GW:PoWk9xB8cBmI8R+Xn
Imports Hash 12e1f4a529fa16438f76e84cc39fa5f1

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0x110

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_AMD64
NumberofSections 6
TimeDateStamp 2019-Jan-19 08:53:09
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xf0
Characteristics IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Image Optional Header

Magic PE32+
LinkerVersion 14.0
SizeOfCode 0x193e00
SizeOfInitializedData 0x465400
SizeOfUninitializedData 0
AddressOfEntryPoint 0x00000000000B82D8 (Section: .text)
BaseOfCode 0x1000
ImageBase 0x140000000
SectionAlignment 0x1000
FileAlignment 0x200
OperatingSystemVersion 6.0
ImageVersion 0.0
SubsystemVersion 6.0
Win32VersionValue 0
SizeOfImage 0x5fc000
SizeOfHeaders 0x400
Checksum 0
Subsystem IMAGE_SUBSYSTEM_WINDOWS_CUI
DllCharacteristics IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
SizeofStackReserve 0x100000
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

.text

MD5 0531a240b3bc56595e5b81c040bc4bfe
SHA1 385fd71e3c215bba68426459216191b6cda51ea4
SHA256 28852b748c5d04786f69e96e49be960bd73aba3354a68ffbb086b1c7a606781e
SHA3 0ce96b7556589055cc644f059c66c856747b94e5e8143e662d4cd358a67c07ff
VirtualSize 0x193cda
VirtualAddress 0x1000
SizeOfRawData 0x193e00
PointerToRawData 0x400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
Entropy 6.43672

.rdata

MD5 db4d1415ad1e40a1b84116f7963e9f47
SHA1 6d993d3fa08fc0c847dbc68bbbeeb4309a2bb60d
SHA256 9408e790090e037d8c8af0553c8c2bac21e1253a156d22d0e754c0bb08709bbf
SHA3 badf4de9ddcc376ba194e0a739851e331d054358dd064d40ba85be70cd0ceacf
VirtualSize 0x2c8862
VirtualAddress 0x195000
SizeOfRawData 0x2c8a00
PointerToRawData 0x194200
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 3.14008

.data

MD5 d0f4c1eff2259aa3a669a63e9b8e6122
SHA1 16783c29616fb79d0ae5f84127436844eacf70d5
SHA256 5e8d73f5f3e012e3fc9be15921121095f08fa09e4646f620408c3beabc769cd7
SHA3 af89f429fa3acf8a55dc58c4d5249b8c00a7ceccff3d136e81868450d511026a
VirtualSize 0x180d44
VirtualAddress 0x45e000
SizeOfRawData 0x7ac00
PointerToRawData 0x45cc00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 2.30693

.pdata

MD5 7646ee6f318f576fd3261783b42618ed
SHA1 010b196de77f38673ca6e6fc4d7f6c31804c0a8f
SHA256 59b69b3ddb8aba4e8ee06b8d20682f8ab0e5bfff0dc125162b6aebdbcbcc7f38
SHA3 96d47b9473bf43b6a556cafeee504e958495a31676587e03e67c518fa4251dcc
VirtualSize 0x10ca4
VirtualAddress 0x5df000
SizeOfRawData 0x10e00
PointerToRawData 0x4d7800
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 6.13027

.rsrc

MD5 eb73cda25d185d1c288aee36c5c7c27f
SHA1 9344386e8fe1d76822e61b2a29a6555d91067c14
SHA256 642bac5ae26dc43d142a42f5ede28c4a1c6fbae2a7bc86520939361675c12e64
SHA3 fd6ed0a5c3d6f2ac08b711282d50123a777354501fb52c0837cbac80d8125649
VirtualSize 0x1e0
VirtualAddress 0x5f0000
SizeOfRawData 0x200
PointerToRawData 0x4e8600
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 4.7015

.reloc

MD5 1c6ae0dab11462c25fafbcdd0627acf8
SHA1 32efed77714e704771f8890578d156b00186a38b
SHA256 7fbf394fd6108f4caa526602696cf90864a5ab4867b48078d8b0ad0b5c001372
SHA3 7fd3a87d3bc33cc52205a5ff2a3b8f4ade094330f60b952b9e38bf09d39ba261
VirtualSize 0xaa14
VirtualAddress 0x5f1000
SizeOfRawData 0xac00
PointerToRawData 0x4e8800
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Entropy 5.42287

Imports

KERNEL32.dll
  • MapViewOfFile
  • CreateFileMappingW
  • SetEndOfFile
  • HeapSize
  • WriteConsoleW
  • CopyFileW
  • CloseHandle
  • UnmapViewOfFile
  • GetFileAttributesW
  • CreateFileW
  • WideCharToMultiByte
  • GetLastError
  • MultiByteToWideChar
  • FormatMessageW
  • SetLastError
  • InitializeCriticalSectionAndSpinCount
  • SwitchToThread
  • TlsAlloc
  • TlsGetValue
  • TlsSetValue
  • TlsFree
  • GetSystemTimeAsFileTime
  • GetTickCount
  • GetModuleHandleW
  • GetProcAddress
  • GetStdHandle
  • GetFileType
  • WriteFile
  • DeleteFiber
  • ConvertFiberToThread
  • QueryPerformanceCounter
  • GetCurrentProcessId
  • GlobalMemoryStatus
  • GetEnvironmentVariableW
  • GetConsoleMode
  • ReadConsoleA
  • ReadConsoleW
  • SetConsoleMode
  • RtlCaptureContext
  • RtlLookupFunctionEntry
  • RtlVirtualUnwind
  • UnhandledExceptionFilter
  • SetUnhandledExceptionFilter
  • GetCurrentProcess
  • TerminateProcess
  • IsProcessorFeaturePresent
  • IsDebuggerPresent
  • GetStartupInfoW
  • GetCurrentThreadId
  • InitializeSListHead
  • RtlUnwindEx
  • RtlPcToFileHeader
  • RaiseException
  • EncodePointer
  • EnterCriticalSection
  • LeaveCriticalSection
  • DeleteCriticalSection
  • FreeLibrary
  • LoadLibraryExW
  • ReadFile
  • ExitProcess
  • GetModuleHandleExW
  • SetConsoleCtrlHandler
  • GetModuleFileNameW
  • GetCommandLineA
  • GetCommandLineW
  • GetACP
  • HeapFree
  • HeapAlloc
  • CompareStringW
  • LCMapStringW
  • GetStringTypeW
  • FlushFileBuffers
  • GetConsoleCP
  • SetFilePointerEx
  • SetStdHandle
  • HeapReAlloc
  • FindClose
  • FindFirstFileExW
  • FindNextFileW
  • IsValidCodePage
  • GetOEMCP
  • GetCPInfo
  • GetEnvironmentStringsW
  • FreeEnvironmentStringsW
  • SetEnvironmentVariableA
  • SetEnvironmentVariableW
  • GetProcessHeap
WS2_32.dll
  • #3
  • #112
  • #16
  • #111
  • #116
  • #19
CRYPT32.dll
  • CertEnumCertificatesInStore
  • CertFindCertificateInStore
  • CertOpenStore
  • CertDuplicateCertificateContext
  • CertFreeCertificateContext
  • CertGetCertificateContextProperty
  • CertCloseStore
USER32.dll
  • MessageBoxW
  • GetUserObjectInformationW
  • GetProcessWindowStation
ADVAPI32.dll
  • CryptSetHashParam
  • CryptAcquireContextW
  • CryptReleaseContext
  • CryptDestroyKey
  • CryptGetProvParam
  • CryptGetUserKey
  • CryptExportKey
  • CryptDecrypt
  • DeregisterEventSource
  • RegisterEventSourceW
  • CryptCreateHash
  • CryptGenRandom
  • CryptEnumProvidersW
  • CryptSignHashW
  • CryptDestroyHash
  • ReportEventW

Delayed Imports

1

Type RT_MANIFEST
Language English - United States
Codepage UNKNOWN
Size 0x17d
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 4.91161
MD5 1e4a89b11eae0fcf8bb5fdd5ec3b6f61
SHA1 4260284ce14278c397aaf6f389c1609b0ab0ce51
SHA256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df
SHA3 4bb9e8b5a714cae82782f3831cc2d45f4bf4a50a755fe584d2d1893129d68353

Version Info

IMAGE_DEBUG_TYPE_POGO

Characteristics 0
TimeDateStamp 2019-Jan-19 08:53:09
Version 0.0
SizeofData 796
AddressOfRawData 0x44cd5c
PointerToRawData 0x44bf5c

IMAGE_DEBUG_TYPE_ILTCG

Characteristics 0
TimeDateStamp 2019-Jan-19 08:53:09
Version 0.0
SizeofData 0
AddressOfRawData 0
PointerToRawData 0

TLS Callbacks

Load Configuration

Size 0x100
TimeDateStamp 1970-Jan-01 00:00:00
Version 0.0
GlobalFlagsClear (EMPTY)
GlobalFlagsSet (EMPTY)
CriticalSectionDefaultTimeout 0
DeCommitFreeBlockThreshold 0
DeCommitTotalFreeThreshold 0
LockPrefixTable 0
MaximumAllocationSize 0
VirtualMemoryThreshold 0
ProcessAffinityMask 0
ProcessHeapFlags (EMPTY)
CSDVersion 0
Reserved1 0
EditList 0
SecurityCookie 0x140466e50

RICH Header

XOR Key 0xfefe242c
Unmarked objects 0
241 (40116) 7
243 (40116) 153
242 (40116) 16
C objects (VS2013 UPD5 build 40629) 56
199 (41118) 1
C objects (VS 2015/2017 runtime 26706) 18
ASM objects (VS 2015/2017 runtime 26706) 9
C objects (VS2015 UPD3.1 build 24215) 461
C++ objects (VS 2015/2017 runtime 26706) 48
Imports (65501) 11
Total imports 156
265 (VS2017 v15.9.5-6 compiler 27026) 6
Resource objects (VS2017 v15.9.5-6 compiler 27026) 1
Linker (VS2017 v15.9.5-6 compiler 27026) 1

Errors
