072a7b7ee57647875bcbdd83ececa119

Summary

Architecture IMAGE_FILE_MACHINE_I386
Subsystem IMAGE_SUBSYSTEM_WINDOWS_CUI
Compilation Date 2017-Jan-31 16:36:28
Detected languages English - United States
TLS Callbacks 1 callback(s) detected.
Debug artifacts C:\Users\Unstable\Documents\al-khaser\Release\al-khaser.pdb

Plugin Output

Info Matching compiler(s):
  • Microsoft Visual C++ 6.0 - 8.0
  • Microsoft Visual C++
  • Microsoft Visual C++ v6.0
Suspicious Strings found in the binary may indicate undesirable behavior: Contains references to system / monitoring tools:
  • Control.exe
  • Wireshark.exe
  • control.exe
  • dumpcap.exe
  • filemon.exe
  • procexp.exe
  • procmon.exe
  • regmon.exe
  • sc.exe
Contains references to debugging or reversing tools:
  • ImmunityDebugger.exe
  • LordPE.exe
  • idaq.exe
  • idaq64.exe
  • ollydbg.exe
  • windbg.exe
Tries to detect virtualized environments:
  • HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0
  • HARDWARE\Description\System
Looks for VMWare presence:
  • 00:05:69
  • 00:0c:29
  • 00:1C:14
  • 00:50:56
  • VMWARE
  • VMWare
  • VMware
  • hgfs.sys
  • mhgfs.sys
  • vmmouse
  • vmware
Looks for Sandboxie presence:
  • sbiedll.dll
Looks for VirtualBox presence:
  • HARDWARE\ACPI\DSDT\VBOX__
  • HARDWARE\ACPI\FADT\VBOX__
  • HARDWARE\ACPI\RSDT\VBOX__
  • SOFTWARE\Oracle\VirtualBox Guest Additions
  • VBoxGuest
  • VBoxMouse
  • VBoxSF
  • VBoxService
  • VBoxTray
  • VBoxTrayToolWnd
  • VBoxTrayToolWndClass
  • VEN_80EE
  • \\.\pipe\VBoxMiniRdDN
  • \\.\pipe\VBoxTrayIPC
  • vboxhook.dll
  • vboxservice
  • vboxtray
Looks for Qemu presence:
  • qemu
Accesses the WMI:
  • ROOT\CIMV2
Malicious The PE contains functions mostly used by malware. [!] The program may be hiding some of its imports:
  • GetProcAddress
  • LoadLibraryW
  • LoadLibraryExW
Functions which can be used for anti-debugging purposes:
  • CreateToolhelp32Snapshot
  • FindWindowW
Can access the registry:
  • RegCloseKey
  • RegOpenKeyExW
  • RegQueryValueExW
Memory manipulation functions often used by packers:
  • VirtualProtect
  • VirtualAlloc
Functions related to the privilege level:
  • OpenProcessToken
Manipulates other processes:
  • OpenProcess
  • Process32NextW
  • Process32FirstW
Malicious VirusTotal score: 3/61 (Scanned on 2017-06-09 19:58:30)
  • Bkav: W32.eHeur.Malware03
  • Paloalto: generic.ml
  • Rising: Malware.Undefined!8.C (cloud:kOofpIqGiGB)

Hashes

MD5 072a7b7ee57647875bcbdd83ececa119
SHA1 69c9efa9fd29d42354aff8aa206f7f4b92ef7e1e
SHA256 4f4e3e24511e30f7a5f38f741425d41889bbce7ba72aa9b5f91002808f33fb59
SHA3 6840075b9d7e268bd77cb5f0d763bede0c580e7cf09c2cd9230e5ff2c75fe3c6
SSDeep 3072:Nx7FXOa6+/VP2PvI9UZKb4qcxJyJq42M7JFGbkbggZOdvqfZTQGBCPOClscj9He:TBJ/VP2IJb+JSqT1fW
Imports Hash efc7f09ff98da88a73d2843d5705cccb

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0x110

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_I386
NumberofSections 7
TimeDateStamp 2017-Jan-31 16:36:28
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xe0
Characteristics IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE

Image Optional Header

Magic PE32
LinkerVersion 14.0
SizeOfCode 0x1aa00
SizeOfInitializedData 0xe400
SizeOfUninitializedData 0
AddressOfEntryPoint 0x00005C01 (Section: .text)
BaseOfCode 0x1000
BaseOfData 0x1c000
ImageBase 0x400000
SectionAlignment 0x1000
FileAlignment 0x200
OperatingSystemVersion 5.1
ImageVersion 0.0
SubsystemVersion 5.1
Win32VersionValue 0
SizeOfImage 0x2e000
SizeOfHeaders 0x400
Checksum 0
Subsystem IMAGE_SUBSYSTEM_WINDOWS_CUI
DllCharacteristics IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
SizeofStackReserve 0x100000
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

.text

MD5 fcdc22526ca70ee4e8fe2bbd111e0cef
SHA1 90ae7554790f1fb4f044b988db9e5870988c5813
SHA256 0c99ce729b6e545504b339edfc59d7af1e46fed1c16df7b8b873c427d0178b57
SHA3 45b71e40ffd4a9c1c93e9e88785772f990401efcad3a6d42d89b4d48a09db2f4
VirtualSize 0x1a9e4
VirtualAddress 0x1000
SizeOfRawData 0x1aa00
PointerToRawData 0x400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
Entropy 6.63974

.rdata

MD5 9ac1252d3166777a69dca8c868634d35
SHA1 739933f414f8396c1a7f43fb166b5bf24daf5211
SHA256 0c6030cbca72683e1f15acd54256db3ba9276015c7979de7e5c419352addb454
SHA3 a362480e4d069eff1a7489af1aa64b6d5d04a5f5d0098f0aad230fee6f3a1e20
VirtualSize 0xae66
VirtualAddress 0x1c000
SizeOfRawData 0xb000
PointerToRawData 0x1ae00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 4.88173

.data

MD5 2a67be3840fc94c40f11c9615386329d
SHA1 26d0d71f3866796bbdd610d3450e3635783044e3
SHA256 2c81833f7beb89b33b5bb53c513aa15d0e473d87609fb059a99d3ccb6c0d8129
SHA3 3ad9dbb3f026410c956e5d2401d63def7547d720dd0f637a8795ff8890df841b
VirtualSize 0x1528
VirtualAddress 0x27000
SizeOfRawData 0xa00
PointerToRawData 0x25e00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 1.93539

.tls

MD5 bf619eac0cdf3f68d496ea9344137e8b
SHA1 5c3eb80066420002bc3dcc7ca4ab6efad7ed4ae5
SHA256 076a27c79e5ace2a3d47f9dd2e83e4ff6ea8872b3c2218f66c92b89b55f36560
SHA3 622de1e1568ddef36c4b89b706b05201c13481c3575d0fc804ff8224787fcb59
VirtualSize 0x2
VirtualAddress 0x29000
SizeOfRawData 0x200
PointerToRawData 0x26800
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 0

.gfids

MD5 1a5e508c20c044995f2130d6cb994551
SHA1 4f43b48c79193b7ac8db521c8502080fe3c499de
SHA256 d26cb8b69ac793c32b97459fe4e0c8d7e72f39c26ffc5145d87469450324d508
SHA3 e34c1503f230ab69232f4f007aea07a457e816c40abc6f8e62cc958b7b81e4b5
VirtualSize 0xb0
VirtualAddress 0x2a000
SizeOfRawData 0x200
PointerToRawData 0x26a00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 1.59292

.rsrc

MD5 8ec89d4b60516043011e1465be9419d1
SHA1 ab7001811df4b08ff4fa926a9a984adf8f690f73
SHA256 045735a0f679ae2c3b935c0ffb0dcd77928cdde1a437492a8463aa6836080f80
SHA3 66551a13c9a6c686c1325b8e6bfe357427a5c3bbb00a36a8dda9c57fc9ff36ba
VirtualSize 0x1e0
VirtualAddress 0x2b000
SizeOfRawData 0x200
PointerToRawData 0x26c00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 4.71768

.reloc

MD5 0458bd80b3e8354742e041c9b3aa76e8
SHA1 0c14da00f8a39b9ccf1558c00f18064869cdb9de
SHA256 a7552f1ba28391e47574cb39c41a0ad366d6afd0a18503286266e03e7888dccf
SHA3 96c72d278bfec3b5d3ac21e8c7f063cee5f849ebf2f2085071c6168121a9f920
VirtualSize 0x1764
VirtualAddress 0x2c000
SizeOfRawData 0x1800
PointerToRawData 0x26e00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Entropy 6.62465

Imports

KERNEL32.dll IsDebuggerPresent
VirtualProtect
VirtualFree
GetSystemInfo
Sleep
SetLastError
GetLastError
OutputDebugStringW
VerSetConditionMask
VerifyVersionInfoW
GetModuleHandleW
OpenProcess
SetHandleInformation
CreateMutexW
RaiseException
SetUnhandledExceptionFilter
DeviceIoControl
LocalAlloc
CreateFileW
GetDiskFreeSpaceExW
LocalFree
GlobalMemoryStatusEx
GetTickCount
ExpandEnvironmentStringsW
GetWindowsDirectoryW
WaitForSingleObject
ReadFile
GetConsoleScreenBufferInfo
SetConsoleTextAttribute
lstrlenW
AddVectoredExceptionHandler
MultiByteToWideChar
FormatMessageW
HeapAlloc
LocalSize
GetProcessHeap
GetConsoleWindow
SetConsoleTitleW
HeapFree
GetFileAttributesW
CreateToolhelp32Snapshot
Process32NextW
Process32FirstW
CreateEventW
DecodePointer
SetEndOfFile
WriteConsoleW
HeapReAlloc
HeapSize
SetFilePointerEx
ReadConsoleW
GetConsoleMode
GetConsoleCP
FlushFileBuffers
GetStringTypeW
SetStdHandle
RemoveVectoredExceptionHandler
GetThreadContext
GetCurrentThread
VirtualAlloc
GetProcAddress
LoadLibraryW
CloseHandle
SetEnvironmentVariableA
FreeEnvironmentStringsW
GetEnvironmentStringsW
GetOEMCP
IsValidCodePage
FindNextFileA
VirtualQuery
FindFirstFileExA
FindClose
GetStdHandle
GetCurrentProcess
GetTimeZoneInformation
GetCPInfo
GetFileType
LCMapStringW
CompareStringW
GetACP
GetCommandLineW
GetCommandLineA
GetModuleHandleExW
ExitProcess
GetModuleFileNameA
WriteFile
WideCharToMultiByte
QueryPerformanceCounter
GetCurrentProcessId
GetCurrentThreadId
GetSystemTimeAsFileTime
InitializeSListHead
UnhandledExceptionFilter
GetStartupInfoW
IsProcessorFeaturePresent
TerminateProcess
RtlUnwind
EnterCriticalSection
LeaveCriticalSection
DeleteCriticalSection
InitializeCriticalSectionAndSpinCount
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
FreeLibrary
LoadLibraryExW
USER32.dll KillTimer
GetSystemMetrics
GetShellWindow
GetWindowThreadProcessId
TranslateMessage
MessageBoxW
GetCursorPos
FindWindowW
MoveWindow
GetMessageW
DispatchMessageW
SetTimer
ADVAPI32.dll RegCloseKey
GetTokenInformation
OpenProcessToken
RegOpenKeyExW
RegQueryValueExW
SHELL32.dll SHGetSpecialFolderPathW
ole32.dll CoCreateInstance
CoSetProxyBlanket
CoInitializeEx
CoInitializeSecurity
CoUninitialize
OLEAUT32.dll #25
#19
#9
#23
#20
IPHLPAPI.DLL GetAdaptersInfo
SHLWAPI.dll StrCmpW
StrStrIW
StrCmpIW
PathCombineW
MPR.dll WNetGetProviderNameW
SETUPAPI.dll SetupDiGetClassDevsW
SetupDiGetDeviceRegistryPropertyW
SetupDiDestroyDeviceInfoList
SetupDiEnumDeviceInfo
WINMM.dll timeEndPeriod
timeKillEvent
timeGetDevCaps
timeSetEvent

Delayed Imports

1

Type RT_MANIFEST
Language English - United States
Codepage UNKNOWN
Size 0x17d
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 4.91161
MD5 1e4a89b11eae0fcf8bb5fdd5ec3b6f61
SHA1 4260284ce14278c397aaf6f389c1609b0ab0ce51
SHA256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df
SHA3 4bb9e8b5a714cae82782f3831cc2d45f4bf4a50a755fe584d2d1893129d68353

Version Info

IMAGE_DEBUG_TYPE_CODEVIEW

Characteristics 0
TimeDateStamp 2017-Jan-31 16:36:28
Version 0.0
SizeofData 84
AddressOfRawData 0x256c0
PointerToRawData 0x244c0
Referenced File C:\Users\Unstable\Documents\al-khaser\Release\al-khaser.pdb

IMAGE_DEBUG_TYPE_VC_FEATURE

Characteristics 0
TimeDateStamp 2017-Jan-31 16:36:28
Version 0.0
SizeofData 20
AddressOfRawData 0x25714
PointerToRawData 0x24514

IMAGE_DEBUG_TYPE_POGO

Characteristics 0
TimeDateStamp 2017-Jan-31 16:36:28
Version 0.0
SizeofData 812
AddressOfRawData 0x25728
PointerToRawData 0x24528

IMAGE_DEBUG_TYPE_ILTCG

Characteristics 0
TimeDateStamp 2017-Jan-31 16:36:28
Version 0.0
SizeofData 0
AddressOfRawData 0
PointerToRawData 0

TLS Callbacks

StartAddressOfRawData 0x429000
EndAddressOfRawData 0x429001
AddressOfIndex 0x427960
AddressOfCallbacks 0x41c2b4
SizeOfZeroFill 0
Characteristics IMAGE_SCN_ALIGN_1BYTES
Callbacks 0x00402840

Load Configuration

Size 0x5c
TimeDateStamp 1970-Jan-01 00:00:00
Version 0.0
GlobalFlagsClear (EMPTY)
GlobalFlagsSet (EMPTY)
CriticalSectionDefaultTimeout 0
DeCommitFreeBlockThreshold 0
DeCommitTotalFreeThreshold 0
LockPrefixTable 0
MaximumAllocationSize 0
VirtualMemoryThreshold 0
ProcessAffinityMask 0
ProcessHeapFlags (EMPTY)
CSDVersion 0
Reserved1 0
EditList 0
SecurityCookie 0x427018
SEHandlerTable 0x4256b0
SEHandlerCount 4

RICH Header

XOR Key 0xe7e3f8ac
Unmarked objects 0
241 (40116) 10
243 (40116) 139
242 (40116) 24
ASM objects (VS2015 UPD3 build 24123) 20
C++ objects (VS2015 UPD3 build 24123) 35
C objects (VS2015 UPD3 build 24123) 20
C objects (VS2008 SP1 build 30729) 2
Imports (VS2008 SP1 build 30729) 25
Total imports 188
265 (VS2015 UPD3.1 build 24215) 48
ASM objects (VS2015 UPD3 build 24210) 1
Resource objects (VS2015 UPD3 build 24210) 1
Linker (VS2015 UPD3.1 build 24215) 1

Errors
