0255111b794140231da7974bdbf61b96e1d61d822b85c9ae3e7c795ee4197466

Summary

Architecture IMAGE_FILE_MACHINE_I386
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date 2006-Nov-27 09:24:01
Detected languages English - United States
CompanyName Oncom
ProductName xk
FileVersion 0.00.0020
ProductVersion 0.00.0020
InternalName DATA
OriginalFilename DATA.exe

Plugin Output

Info Matching compiler(s):
  • Microsoft Visual Basic v5.0/v6.0
  • Microsoft Visual Basic v5.0 - v6.0
  • Microsoft Visual Basic v6.0
Suspicious Strings found in the binary may indicate undesirable behavior:
Contains references to system / monitoring tools:
  • taskmgr.exe
Contains references to security software:
  • AVP.exe
  • Alogserv.exe
  • Avconsol.exe
  • Avgctrl.exe
  • Avgemc.exe
  • Avgw.exe
  • Avsynmgr.exe
  • MSINFO32.EXE
  • NAV.exe
  • Rtvscan.exe
  • Vpc32.exe
  • Vsmain.exe
  • Vsstat.exe
May have dropper capabilities:
  • CurrentVersion\Run
  • Programs\Startup
Contains another PE executable:
  • This program cannot be run in DOS mode.
Miscellaneous malware strings:
  • VIRUS
Malicious The file contains overlay data. 110592 bytes of data starting at offset 0x29000.
The file contains a PE Executable after the PE data.
Malicious VirusTotal score: 57/66 (Scanned on 2018-10-20 02:10:47)
Bkav: W32.TakuburaN.Trojan
Lionic: Troj.W32.VBKrypt.tp14
MicroWorld-eScan: Trojan.VB.OJW
CMC: Trojan-Ransom.Win32!O
CAT-QuickHeal: Worm.Ludbaruma.A3
McAfee: W32/Rontokbro.gen@MM
Cylance: Unsafe
TheHacker: Trojan/VB.et
BitDefender: Trojan.VB.OJW
K7GW: P2PWorm ( 0050fa4b1 )
K7AntiVirus: Trojan ( 0040f6141 )
Arcabit: Trojan.VB.OJW
Baidu: Win32.Worm.VB.k
F-Prot: W32/Trojan.BDD.gen!Eldorado
Symantec: Trojan.Gen.2
ESET-NOD32: Win32/VB.ORD
TrendMicro-HouseCall: TROJ_TINBA.SMH
Paloalto: generic.ml
ClamAV: Win.Worm.Untukmu-5949608-0
Kaspersky: Trojan-Ransom.Win32.Blocker.kpuo
NANO-Antivirus: Trojan.Win32.Regrun.dxtouo
Avast: Win32:Emotet-AI [Trj]
Tencent: Trojan-Ransom.Win32.Blocker.kalr
Ad-Aware: Trojan.VB.OJW
Emsisoft: Trojan.VB.OJW (B)
F-Secure: Trojan.VB.OJW
DrWeb: Trojan.DownLoader7.3730
Zillya: Trojan.RegrunGen.Win32.1
Invincea: heuristic
McAfee-GW-Edition: BehavesLike.Win32.Rontokbro.dm
Sophos: W32/Mato-N
SentinelOne: static engine - malicious
Cyren: W32/Trojan.BDD.gen!Eldorado
Jiangmin: Trojan.Regrun.dz
Webroot: W32.Malware.Gen
Avira: TR/Agent.gdnw
Antiy-AVL: Trojan[Dropper]/Win32.Injector.BZKS
Endgame: malicious (high confidence)
Microsoft: Worm:Win32/Ludbaruma.A
SUPERAntiSpyware: Worm.Ludbaruma/Variant
ZoneAlarm: Trojan-Ransom.Win32.Blocker.kpuo
GData: Win32.Worm.Ludbaruma.A
AhnLab-V3: Backdoor/Win32.IRCBot.R1456
VBA32: Trojan.Downloader
ALYac: Trojan.VB.OJW
MAX: malware (ai score=100)
Malwarebytes: Trojan.AVDis.CS
Zoner: Trojan.Ludbaruma
Rising: Worm.VBInjectEx!1.99E6 (C64:YzY0OoeeJkcXeFVk)
Yandex: Trojan.Agent!o2EUNzRPHUE
Ikarus: Trojan.AgentMB.VB
Fortinet: W32/Regrun.PKE!tr
AVG: Win32:Emotet-AI [Trj]
Cybereason: malicious.96d348
Panda: Trj/Genetic.gen
CrowdStrike: malicious_confidence_100% (D)
Qihoo-360: Win32/Worm.FakeFolder.HU

Hashes

MD5 a63421896d348e9df65dedbb8596d0c8
SHA1 9c3a187ca75dca68e1f6afd73835a3f413f21ce9
SHA256 0255111b794140231da7974bdbf61b96e1d61d822b85c9ae3e7c795ee4197466
SHA3 85d5af845a3f817f5bfb15f68d2b19d439c0e23a5469fb9e5b55b6dd5f2fc8f8
SSDeep 3072:Ax/5F/E7tEf0J+p+tYlpJH7iXQNgggHlxDZiYLK5Wpht4xZVX4/awxf/:AxhF4c0+wWJH7igNgjdFKsCRAR/
Imports Hash 135e92fc9902f3140f2e5a51458efdf0

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0xc8

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_I386
NumberofSections 3
TimeDateStamp 2006-Nov-27 09:24:01
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xe0
Characteristics IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_RELOCS_STRIPPED

Image Optional Header

Magic PE32
LinkerVersion 6.0
SizeOfCode 0x24000
SizeOfInitializedData 0x5000
SizeOfUninitializedData 0
AddressOfEntryPoint 0x0000250C (Section: .text)
BaseOfCode 0x1000
BaseOfData 0x25000
ImageBase 0x400000
SectionAlignment 0x1000
FileAlignment 0x1000
OperatingSystemVersion 4.0
ImageVersion 0.0
SubsystemVersion 4.0
Win32VersionValue 0
SizeOfImage 0x2a000
SizeOfHeaders 0x1000
Checksum 0x295db
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
SizeofStackReserve 0x100000
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

.text

MD5 8cdfc65e9a1167419b2d290cd80b2c74
SHA1 01c973bbfe565d42bf493356afc48ad4e098e382
SHA256 83d3ce760902d4a51757ead4963c694758be031a9d1d96cdc3b286701924cf8c
SHA3 f0a30c36a24b7a202ad02ef2dd6a97b96ddc2e111a1d537aa7326de53ae6f862
VirtualSize 0x2308c
VirtualAddress 0x1000
SizeOfRawData 0x24000
PointerToRawData 0x1000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
Entropy 5.71834

.data

MD5 620f0b67a91f7f74151bc5be745b7110
SHA1 1ceaf73df40e531df3bfb26b4fb7cd95fb7bff1d
SHA256 ad7facb2586fc6e966c004d7d1d16b024f5805ff7cb47c7a85dabd8b48892ca7
SHA3 a99f9ed58079237f7f0275887f0c03a0c9d7d8de4443842297fceea67e423563
VirtualSize 0x1090
VirtualAddress 0x25000
SizeOfRawData 0x1000
PointerToRawData 0x25000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 0

.rsrc

MD5 b4192861f9fe058fe72fd6e98b9042c1
SHA1 1af9a102b55a319102a6e7f77d76b1e9b1faf0c2
SHA256 7cca8be4f4cca3d9992dd81dc5451dd4ffb7176d8ef930f84cea48f8793419e3
SHA3 12e70cab6cc4131491f499b5ebce67ea84848225655ac7e5740019da78f45fe4
VirtualSize 0x203c
VirtualAddress 0x27000
SizeOfRawData 0x3000
PointerToRawData 0x26000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 2.9183

Imports

MSVBVM60.DLL
__vbaVarTstGt
__vbaVarSub
__vbaNextEachAry
_CIcos
_adj_fptan
__vbaVarMove
__vbaFreeVar
__vbaLenBstr
__vbaStrVarMove
__vbaFreeVarList
__vbaEnd
__vbaPut3
_adj_fdiv_m64
__vbaFreeObjList
#516
_adj_fprem1
#518
__vbaRecAnsiToUni
__vbaCopyBytes
__vbaStrCat
__vbaVarCmpNe
__vbaForEachCollAd
__vbaLsetFixstr
__vbaSetSystemError
__vbaHresultCheckObj
__vbaLenVar
_adj_fdiv_m32
#667
__vbaVarXor
__vbaAryDestruct
#669
__vbaLateMemSt
#593
__vbaExitProc
#594
__vbaOnError
__vbaObjSet
_adj_fdiv_m16i
__vbaObjSetAddref
_adj_fdivr_m16i
#598
__vbaStrFixstr
#520
#523
__vbaBoolVarNull
_CIsin
#631
#525
#632
__vbaVarCmpGt
__vbaChkstk
#526
__vbaFileClose
EVENT_SINK_AddRef
#528
__vbaGet3
__vbaStrCmp
#529
__vbaAryConstruct2
__vbaVarTstEq
__vbaObjVar
DllFunctionCall
__vbaVarOr
__vbaRedimPreserve
_adj_fpatan
__vbaFixstrConstruct
__vbaRedim
__vbaRecUniToAnsi
EVENT_SINK_Release
#600
_CIsqrt
__vbaVarAnd
EVENT_SINK_QueryInterface
__vbaExceptHandler
__vbaPrintFile
__vbaStrToUnicode
_adj_fprem
_adj_fdivr_m64
#607
#608
#716
__vbaFPException
__vbaInStrVar
#717
__vbaStrVarVal
__vbaVarCat
__vbaI2Var
#644
#537
#645
_CIlog
__vbaFileOpen
__vbaNew2
__vbaInStr
__vbaVarLateMemCallLdRf
_adj_fdiv_m32i
_adj_fdivr_m32i
__vbaStrCopy
__vbaFreeStrList
__vbaVarNot
_adj_fdivr_m32
_adj_fdiv_r
#100
__vbaVarTstNe
__vbaVarSetVar
__vbaI4Var
__vbaVarCmpEq
__vbaForEachAry
__vbaVarAdd
__vbaLateMemCall
__vbaStrToAnsi
__vbaVarDup
__vbaFpI2
__vbaVarMod
__vbaFpI4
#616
__vbaVarLateMemCallLd
#617
__vbaLateMemCallLd
_CIatan
__vbaStrMove
#618
#619
__vbaStrVarCopy
#543
_allmul
#544
_CItan
#546
__vbaNextEachCollAd
#547
__vbaAryUnlock
_CIexp
__vbaFreeObj
__vbaFreeStr

Delayed Imports

30001

Type RT_ICON
Language UNKNOWN
Codepage Unicode (UTF 16LE)
Size 0x568
TimeDateStamp 2006-Nov-27 09:24:00
Entropy 3.72249
MD5 39c46fa5435fb81ef770a1377a412707
SHA1 6f009943c7d96501b3e7946979725700909977f6
SHA256 e4938ec7ac6201183685b2a959309d5eccb95af4e5483755ef478ea90fe26aff
SHA3 c201e848d91d8e8c558d7ac167a4a1eeb89af42fab879256be85a0cd0d7ea565

30002

Type RT_ICON
Language UNKNOWN
Codepage Unicode (UTF 16LE)
Size 0x8a8
TimeDateStamp 2006-Nov-27 09:24:00
Entropy 3.92823
MD5 35b6a82d3a19141960bf1501a82ecab9
SHA1 090ac7cb83e0ae196ab1393654126c7177815225
SHA256 d9b5896e1c4c6ef492411bee875c012ec512f0ecbaebd1c1dd1f90ee40e7f081
SHA3 5bf3a173b3303fdde4ff59936bc30dcb28dd6411ccded7c2c8b96a30157b501f

30003

Type RT_ICON
Language UNKNOWN
Codepage Unicode (UTF 16LE)
Size 0xea8
TimeDateStamp 2006-Nov-27 09:24:00
Entropy 3.84893
MD5 b76c702ac27c491f8efef624432d9f3b
SHA1 dc394cd71e3a2fd5a718722f0ac3e31e873c990b
SHA256 4fd401fa62e7b1483b3f3c53b4a03b7d598ba1480f76ee489352e2377b60b502
SHA3 fd11c1b3315ef52db489cb16a4899462b30f7cd9d794afd5022ae6a476d1521c

1

Type RT_GROUP_ICON
Language UNKNOWN
Codepage Unicode (UTF 16LE)
Size 0x30
TimeDateStamp 2006-Nov-27 09:24:00
Entropy 2.942
Detected Filetype Icon file
MD5 d0c9b54f62ed97ed2fb571f417bda695
SHA1 2bc457ec29fa9ac119e6b2b5f8d715081cc9693a
SHA256 af8bbba38dd87838596082342b3002aa3ca69e1c2139949814d1f304b805635d
SHA3 9bb9e36d7ce70292bb81cefd4c1e32dfc111879a175b436bc70704ae0b2bd307

1 (#2)

Type RT_VERSION
Language English - United States
Codepage Unicode (UTF 16LE)
Size 0x204
TimeDateStamp 2006-Nov-27 09:24:00
Entropy 3.17482
MD5 5fb2df310c51bb9bb4d80c59048e1d64
SHA1 55e353f37191faee61751dd0a125f14d1166e18e
SHA256 5eb1c5212fdef6ab85c47fd2988578aae79ca8cdcc03f7f35db1b50d1406f1d9
SHA3 e6157a4014f2786317ed0fd4a6bfba5a3eeb3a6ae35de71cfdc2ce94e1d03f26

Version Info

Signature 0xfeef04bd
StructVersion 0x10000
FileVersion 0.0.0.20
ProductVersion 0.0.0.20
FileFlags (EMPTY)
FileOs VOS_DOS_WINDOWS32
VOS_NT_WINDOWS32
VOS__WINDOWS32
FileType VFT_APP
Language English - United States
CompanyName Oncom
ProductName xk
FileVersion (#2) 0.00.0020
ProductVersion (#2) 0.00.0020
InternalName DATA
OriginalFilename DATA.exe
Resource LangID English - United States

TLS Callbacks

Load Configuration

RICH Header

XOR Key 0x8d156179
Unmarked objects 0
14 (7299) 1
9 (8041) 7
13 (8169) 1

Errors

[*] Warning: Raw bytes from section .text could not be obtained.