| Field | Value |
|---|---|
| Architecture | IMAGE_FILE_MACHINE_AMD64 |
| Subsystem | IMAGE_SUBSYSTEM_WINDOWS_CUI |
| Compilation Date | 2019-Jan-19 08:53:09 |
| Detected languages | English - United States |

| Level | Finding | Details |
|---|---|---|
| Suspicious | PEiD Signature: | MEW 11 SE 1.0 -> Northfox<br>UPolyX V0.1 -> Delikon HQR data file |
| Info | Cryptographic algorithms detected in the binary: | Uses constants related to MD5<br>Uses constants related to SHA1<br>Uses constants related to SHA256<br>Uses constants related to SHA512<br>Uses constants related to AES<br>Uses constants related to Blowfish<br>Microsoft's Cryptography API |
| Suspicious | The PE contains functions most legitimate programs don't use. | [!] The program may be hiding some of its imports: |
| Safe | VirusTotal score: 0/70 (Scanned on 2019-03-24 16:31:36) | All the AVs think this file is safe. |
| Field | Value |
|---|---|
| e_magic | MZ |
| e_cblp | 0x90 |
| e_cp | 0x3 |
| e_crlc | 0 |
| e_cparhdr | 0x4 |
| e_minalloc | 0 |
| e_maxalloc | 0xffff |
| e_ss | 0 |
| e_sp | 0xb8 |
| e_csum | 0 |
| e_ip | 0 |
| e_cs | 0 |
| e_ovno | 0 |
| e_oemid | 0 |
| e_oeminfo | 0 |
| e_lfanew | 0x110 |
| Field | Value |
|---|---|
| Signature | PE |
| Machine | IMAGE_FILE_MACHINE_AMD64 |
| NumberOfSections | 6 |
| TimeDateStamp | 2019-Jan-19 08:53:09 |
| PointerToSymbolTable | 0 |
| NumberOfSymbols | 0 |
| SizeOfOptionalHeader | 0xf0 |
| Characteristics | IMAGE_FILE_EXECUTABLE_IMAGE<br>IMAGE_FILE_LARGE_ADDRESS_AWARE |
| Field | Value |
|---|---|
| Magic | PE32+ |
| LinkerVersion | 14.0 |
| SizeOfCode | 0x193e00 |
| SizeOfInitializedData | 0x465400 |
| SizeOfUninitializedData | 0 |
| AddressOfEntryPoint | 0x00000000000B82D8 (Section: .text) |
| BaseOfCode | 0x1000 |
| ImageBase | 0x140000000 |
| SectionAlignment | 0x1000 |
| FileAlignment | 0x200 |
| OperatingSystemVersion | 6.0 |
| ImageVersion | 0.0 |
| SubsystemVersion | 6.0 |
| Win32VersionValue | 0 |
| SizeOfImage | 0x5fc000 |
| SizeOfHeaders | 0x400 |
| Checksum | 0 |
| Subsystem | IMAGE_SUBSYSTEM_WINDOWS_CUI |
| DllCharacteristics | IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE<br>IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA<br>IMAGE_DLLCHARACTERISTICS_NX_COMPAT<br>IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE |
| SizeOfStackReserve | 0x100000 |
| SizeOfStackCommit | 0x1000 |
| SizeOfHeapReserve | 0x100000 |
| SizeOfHeapCommit | 0x1000 |
| LoaderFlags | 0 |
| NumberOfRvaAndSizes | 16 |
| DLL | Imported functions |
|---|---|
| KERNEL32.dll | MapViewOfFile, CreateFileMappingW, SetEndOfFile, HeapSize, WriteConsoleW, CopyFileW, CloseHandle, UnmapViewOfFile, GetFileAttributesW, CreateFileW, WideCharToMultiByte, GetLastError, MultiByteToWideChar, FormatMessageW, SetLastError, InitializeCriticalSectionAndSpinCount, SwitchToThread, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetSystemTimeAsFileTime, GetTickCount, GetModuleHandleW, GetProcAddress, GetStdHandle, GetFileType, WriteFile, DeleteFiber, ConvertFiberToThread, QueryPerformanceCounter, GetCurrentProcessId, GlobalMemoryStatus, GetEnvironmentVariableW, GetConsoleMode, ReadConsoleA, ReadConsoleW, SetConsoleMode, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsProcessorFeaturePresent, IsDebuggerPresent, GetStartupInfoW, GetCurrentThreadId, InitializeSListHead, RtlUnwindEx, RtlPcToFileHeader, RaiseException, EncodePointer, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, FreeLibrary, LoadLibraryExW, ReadFile, ExitProcess, GetModuleHandleExW, SetConsoleCtrlHandler, GetModuleFileNameW, GetCommandLineA, GetCommandLineW, GetACP, HeapFree, HeapAlloc, CompareStringW, LCMapStringW, GetStringTypeW, FlushFileBuffers, GetConsoleCP, SetFilePointerEx, SetStdHandle, HeapReAlloc, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetOEMCP, GetCPInfo, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetEnvironmentVariableW, GetProcessHeap |
| WS2_32.dll | #3, #112, #16, #111, #116, #19 (imported by ordinal) |
| CRYPT32.dll | CertEnumCertificatesInStore, CertFindCertificateInStore, CertOpenStore, CertDuplicateCertificateContext, CertFreeCertificateContext, CertGetCertificateContextProperty, CertCloseStore |
| USER32.dll | MessageBoxW, GetUserObjectInformationW, GetProcessWindowStation |
| ADVAPI32.dll | CryptSetHashParam, CryptAcquireContextW, CryptReleaseContext, CryptDestroyKey, CryptGetProvParam, CryptGetUserKey, CryptExportKey, CryptDecrypt, DeregisterEventSource, RegisterEventSourceW, CryptCreateHash, CryptGenRandom, CryptEnumProvidersW, CryptSignHashW, CryptDestroyHash, ReportEventW |
| Field | Value |
|---|---|
| Characteristics | 0 |
| TimeDateStamp | 2019-Jan-19 08:53:09 |
| Version | 0.0 |
| SizeOfData | 796 |
| AddressOfRawData | 0x44cd5c |
| PointerToRawData | 0x44bf5c |

| Field | Value |
|---|---|
| Characteristics | 0 |
| TimeDateStamp | 2019-Jan-19 08:53:09 |
| Version | 0.0 |
| SizeOfData | 0 |
| AddressOfRawData | 0 |
| PointerToRawData | 0 |
| Field | Value |
|---|---|
| Size | 0x100 |
| TimeDateStamp | 1970-Jan-01 00:00:00 |
| Version | 0.0 |
| GlobalFlagsClear | (EMPTY) |
| GlobalFlagsSet | (EMPTY) |
| CriticalSectionDefaultTimeout | 0 |
| DeCommitFreeBlockThreshold | 0 |
| DeCommitTotalFreeThreshold | 0 |
| LockPrefixTable | 0 |
| MaximumAllocationSize | 0 |
| VirtualMemoryThreshold | 0 |
| ProcessAffinityMask | 0 |
| ProcessHeapFlags | (EMPTY) |
| CSDVersion | 0 |
| Reserved1 | 0 |
| EditList | 0 |
| SecurityCookie | 0x140466e50 |
| Rich header entry (tool / build) | Count |
|---|---|
| XOR Key | 0xfefe242c |
| Unmarked objects | 0 |
| 241 (40116) | 7 |
| 243 (40116) | 153 |
| 242 (40116) | 16 |
| C objects (VS2013 UPD5 build 40629) | 56 |
| 199 (41118) | 1 |
| C objects (VS 2015/2017 runtime 26706) | 18 |
| ASM objects (VS 2015/2017 runtime 26706) | 9 |
| C objects (VS2015 UPD3.1 build 24215) | 461 |
| C++ objects (VS 2015/2017 runtime 26706) | 48 |
| Imports (65501) | 11 |
| Total imports | 156 |
| 265 (VS2017 v15.9.5-6 compiler 27026) | 6 |
| Resource objects (VS2017 v15.9.5-6 compiler 27026) | 1 |
| Linker (VS2017 v15.9.5-6 compiler 27026) | 1 |