0711fed81877b9b642ed0cd6d6b2b02f

Summary

Architecture IMAGE_FILE_MACHINE_I386
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date 2006-Mar-02 17:50:37

Plugin Output

Suspicious PEiD Signature: Pelles C 3.00, 4.00, 4.50 EXE (X86 CRT-LIB)
Suspicious Strings found in the binary may indicate undesirable behavior:
Contains references to security software:
  • cleaner.exe
May have dropper capabilities:
  • CurrentVersion\Run
Miscellaneous malware strings:
  • backdoor
Suspicious The PE contains functions most legitimate programs don't use.
[!] The program may be hiding some of its imports:
  • LoadLibraryA
  • GetProcAddress
Functions which can be used for anti-debugging purposes:
  • CreateToolhelp32Snapshot
Can access the registry:
  • RegOpenKeyExA
  • RegQueryValueExA
  • RegCloseKey
  • RegSetValueExA
Possibly launches other programs:
  • ShellExecuteA
Leverages the raw socket API to access the Internet:
  • #23
  • #8
  • #9
  • #2
  • #17
  • #20
  • #115
  • #116
  • #11
  • #52
  • #51
Interacts with services:
  • OpenSCManagerA
  • OpenServiceA
  • ChangeServiceConfigA
  • EnumServicesStatusA
  • ControlService
  • DeleteService
Enumerates local disk drives:
  • GetDriveTypeA
Manipulates other processes:
  • OpenProcess
  • Process32First
  • Process32Next
Suspicious The file contains overlay data. 908597 bytes of data starting at offset 0x14e00.
The overlay data has an entropy of 7.88045 and is possibly compressed or encrypted.
Overlay data accounts for 91.3989% of the executable.
Malicious VirusTotal score: 64/72 (Scanned on 2019-10-31 12:13:28)
Bkav: W32.PasistA.Worm
MicroWorld-eScan: Trojan.GenericKD.40360503
FireEye: Generic.mg.0711fed81877b9b6
CAT-QuickHeal: Worm.Sfone.A3
McAfee: W32/Generic.worm.f
Cylance: Unsafe
Zillya: Worm.Agent.Win32.9
CrowdStrike: win/malicious_confidence_100% (D)
K7GW: Trojan ( 00008f2e1 )
K7AntiVirus: Trojan ( 00008f2e1 )
Arcabit: Trojan.Generic.D267DA37
Invincea: heuristic
BitDefenderTheta: Gen:NN.ZexaO.31176.8mZ@aiU8KBe
Cyren: W32/Worm.KOKR-0749
Symantec: W32.SillyWNSE
TotalDefense: Win32/Sfone.A
Baidu: Win32.Worm.Agent.fj
APEX: Malicious
ClamAV: Win.Malware.Sfone-6763601-0
Kaspersky: Worm.Win32.Agent.cp
BitDefender: Trojan.GenericKD.40360503
NANO-Antivirus: Trojan.Win32.Agent.hakuu
Tencent: Worm.Win32.Agent.b
Ad-Aware: Trojan.GenericKD.40360503
Emsisoft: Trojan.GenericKD.40360503 (B)
Comodo: Worm.Win32.Agent.CP@42tt
F-Secure: Trojan.TR/Spy.Gen
DrWeb: Win32.HLLW.Siggen.1607
VIPRE: Worm.Win32.Agent.cp (v)
TrendMicro: WORM_AGENT.JM
McAfee-GW-Edition: BehavesLike.Win32.PWSZbot.dc
Fortinet: W32/Agent.CP!worm
Trapmine: malicious.high.ml.score
CMC: Worm.Win32.Agent!O
Sophos: Troj/Agent-AGQR
Ikarus: Worm.Win32.Agent.cp
F-Prot: W32/Worm.BLGI
Jiangmin: Worm/Agent.te
Webroot: W32.Worm.Gen
Avira: TR/Spy.Gen
MAX: malware (ai score=82)
Antiy-AVL: Worm/Win32.Agent.cp
Endgame: malicious (high confidence)
Microsoft: Worm:Win32/Sfone.A
ViRobot: Worm.Win32.A.Agent.61440
ZoneAlarm: Worm.Win32.Agent.cp
AhnLab-V3: Worm/Win32.Agent.R233959
Acronis: suspicious
VBA32: Worm.Agent
ALYac: Trojan.GenericKD.40360503
Malwarebytes: Worm.Sform
Panda: Trj/Genetic.gen
ESET-NOD32: Win32/Agent.CP
TrendMicro-HouseCall: WORM_AGENT.JM
Rising: Worm.Agent!1.BDD2 (CLASSIC)
Yandex: Worm.Sfone.A
SentinelOne: DFI - Malicious PE
eGambit: Unsafe.AI_Score_99%
GData: Trojan.GenericKD.40360503
MaxSecure: Poly.Worm.Agent.CP
AVG: Win32:Agent-URR [Trj]
Cybereason: malicious.81877b
Avast: Win32:Agent-URR [Trj]
Qihoo-360: HEUR/QVM20.1.E9B3.Malware.Gen

Hashes

MD5 0711fed81877b9b642ed0cd6d6b2b02f
SHA1 df2366d674f649305baa8f15615728ce21d9d86c
SHA256 0fe31d7396d8ea9d61b8d957ca947aca81c778b724c3f4c7e720cec48ee77dec
SHA3 2e488b34ed355e01689db88e33170833770f926425aefb5f1bc2a78a38d69c73
SSDeep 12288:dXCNi9B8nRUqxz+WDwuB/lnC6icSSO/38YqgSHQfta960GOvrdboGp05U8N58Z0Z:oW8uqh+i7/up/38Jwun5oGp05H8ymw
Imports Hash 7127cfc9ce4fbc6173332aca0e2c65ca

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0x80

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_I386
NumberofSections 3
TimeDateStamp 2006-Mar-02 17:50:37
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xe0
Characteristics IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_RELOCS_STRIPPED

Image Optional Header

Magic PE32
LinkerVersion 2.0
SizeOfCode 0xa600
SizeOfInitializedData 0xa800
SizeOfUninitializedData 0
AddressOfEntryPoint 0x00004C20 (Section: .text)
BaseOfCode 0x1000
BaseOfData 0xc000
ImageBase 0x400000
SectionAlignment 0x1000
FileAlignment 0x200
OperatingSystemVersion 4.0
ImageVersion 0.0
SubsystemVersion 4.0
Win32VersionValue 0
SizeOfImage 0x18000
SizeOfHeaders 0x1000
Checksum 0
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
SizeofStackReserve 0x100000
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

.text

MD5 5b219decd6fd463ad3ad0dddf889571c
SHA1 637cf47782dd7d627f3f57faba7de0ffab7a771b
SHA256 b18aed3c569ee65110a1aee3eb5e63a5f00e0a200e372f1f6b2b9d97579d9735
SHA3 65ada6266a42e88c49e795bb60eb16577f14b77e54cff0dfa9d4b94a3740df22
VirtualSize 0xa566
VirtualAddress 0x1000
SizeOfRawData 0xa600
PointerToRawData 0x200
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
Entropy 6.44597

.rdata

MD5 8806421e2c7a0ca959009736cb2393d1
SHA1 28ccebd8e29d6c57ba2212d675021b0e42c95be2
SHA256 78b306b29187ca9099f4056fb4c72ef051e1eb4fd1d7cd19d8a69a4d4c0c7b5c
SHA3 899a23d3a3933662eb20b81bad0a9af58dd53da9a7bef0e4cd3ac9292b76d1a5
VirtualSize 0x6504
VirtualAddress 0xc000
SizeOfRawData 0x6600
PointerToRawData 0xa800
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 5.17229

.data

MD5 5d7aeb7307e66e421593ff7979086604
SHA1 781b38308d6467e07530dcfa16c4ae4ff3e214d6
SHA256 69be2be0b5d87668121972e5d919b7f5949e1d740eda552127cd278242b74432
SHA3 909be373fe5c1882fe4ec86b30150061f1b7f3021077b38420ef74ee4fc11191
VirtualSize 0x41c0
VirtualAddress 0x13000
SizeOfRawData 0x4000
PointerToRawData 0x10e00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 4.86195

Imports

KERNEL32.DLL GetDriveTypeA
GetWindowsDirectoryA
GetComputerNameA
GetLastError
Sleep
GetModuleFileNameA
GetLocalTime
CreateThread
OpenMutexA
ReleaseMutex
CreateMutexA
CloseHandle
GetVersionExA
CreateFileA
CreateFileMappingA
MapViewOfFile
WriteFile
SetFilePointer
FindFirstFileA
FindNextFileA
FindClose
OpenProcess
TerminateProcess
CreateToolhelp32Snapshot
Process32First
Process32Next
LoadLibraryA
GetProcAddress
FreeLibrary
GetSystemTimeAsFileTime
SetConsoleCtrlHandler
GetStartupInfoA
GetModuleHandleA
VirtualAlloc
VirtualQuery
HeapCreate
HeapDestroy
HeapAlloc
HeapReAlloc
HeapFree
HeapSize
HeapValidate
ExitProcess
RtlUnwind
GetFileType
GetStdHandle
GetCurrentProcess
DuplicateHandle
SetHandleCount
GetCommandLineA
GetEnvironmentStrings
FreeEnvironmentStringsA
UnhandledExceptionFilter
GetTimeZoneInformation
SetStdHandle
DeleteFileA
ReadFile
SetEndOfFile
ADVAPI32.dll RegOpenKeyExA
RegQueryValueExA
RegCloseKey
RegSetValueExA
RegConnectRegistryA
OpenSCManagerA
LockServiceDatabase
OpenServiceA
ChangeServiceConfigA
StartServiceA
CloseServiceHandle
UnlockServiceDatabase
EnumServicesStatusA
ControlService
DeleteService
MPR.dll WNetAddConnection2A
WNetCancelConnection2A
WNetOpenEnumA
WNetEnumResourceA
WNetCloseEnum
WNetGetConnectionA
SHELL32.dll FindExecutableA
ShellExecuteA
USER32.dll GetWindowTextA
GetWindowThreadProcessId
EnumWindows
WS2_32.dll #23
#8
#9
#2
#17
#20
#115
#116
#11
#52
#51

Delayed Imports

Version Info

TLS Callbacks

Load Configuration

RICH Header

Errors
