07d2b057d2385a4cdf413e8d342305df

Summary

Architecture IMAGE_FILE_MACHINE_AMD64
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date 2018-Feb-12 20:06:28
Detected languages English - United States
Korean - Korea
CompanyName Microsoft Corporation
FileDescription NetBT Unattend Generic Command
FileVersion 10.0.10586.0 (th2_release.151029-1700)
InternalName netbtugc.exe
LegalCopyright © Microsoft Corporation. All rights reserved.
OriginalFilename netbtugc.exe.mui
ProductName Microsoft® Windows® Operating System
ProductVersion 10.0.10586.0

Plugin Output

Info Cryptographic algorithms detected in the binary: Uses constants related to CRC32
Suspicious The PE contains functions most legitimate programs don't use. [!] The program may be hiding some of its imports:
  • LoadLibraryA
  • GetProcAddress
  • LoadLibraryW
Interacts with services:
  • OpenServiceW
Suspicious The file contains overlay data. 2478175 bytes of data starting at offset 0x1fc00.
The overlay data has an entropy of 7.99992 and is possibly compressed or encrypted.
Overlay data accounts for 95.0139% of the executable.
Malicious VirusTotal score: 16/69 (Scanned on 2019-09-09 02:06:54)
Qihoo-360: HEUR/QVM202.0.C0D1.Malware.Gen
McAfee: Trojan-HidCobra.a
Cylance: Unsafe
CrowdStrike: win/malicious_confidence_100% (W)
Symantec: Trojan.Gen.MBT
ESET-NOD32: a variant of Win64/NukeSped.AH
Avast: FileRepMalware
Sophos: Mal/Generic-S
Invincea: heuristic
McAfee-GW-Edition: Trojan-HidCobra.a
Trapmine: malicious.high.ml.score
Fortinet: W64/HidCobra.A!tr
Microsoft: Trojan:Win32/Casdet!rfn
MAX: malware (ai score=57)
GData: Win64.Trojan.Agent.8S3OV5
AVG: FileRepMalware

Hashes

MD5 07d2b057d2385a4cdf413e8d342305df
SHA1 1991e7797b2e97179b7604497f7f6c39eba2229b
SHA256 1a01b8a4c505db70f9e199337ce7f497b3dd42f25ad06487e29385580bca3676
SHA3 46c327172363dd027ed5575cead3eb201c1a5db4f9c27e39cbe6f8bd0e9640c1
SSDeep 49152:2sn+T/ymkSsvc1vb+oNEOaPmztSWNz25hqhbR5C7kcaFZweRrjxQTgZdy:2sck5ojp+Ef25al5CyjwSJQMzy
Imports Hash 347c977c6137a340c7cc0fcd5b224aef

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0xf0

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_AMD64
NumberofSections 6
TimeDateStamp 2018-Feb-12 20:06:28
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xf0
Characteristics IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Image Optional Header

Magic PE32+
LinkerVersion 10.0
SizeOfCode 0x15c00
SizeOfInitializedData 0x9c00
SizeOfUninitializedData 0
AddressOfEntryPoint 0x000000000000D200 (Section: .text)
BaseOfCode 0x1000
ImageBase 0x140000000
SectionAlignment 0x1000
FileAlignment 0x200
OperatingSystemVersion 5.2
ImageVersion 0.0
SubsystemVersion 5.2
Win32VersionValue 0
SizeOfImage 0x26000
SizeOfHeaders 0x400
Checksum 0x2f7c4
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
DllCharacteristics IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
SizeofStackReserve 0x100000
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

.text

MD5 88425c71e7e293d43db9868e4693b365
SHA1 9f431d2a1310c94a56c874b70fa89d657054a650
SHA256 99a59dea8dddaedba1e03353a6f085c2ac885f3661b21da72f4d1f565b53d742
SHA3 df056d80fb42790e56570d593a928baaa5703a106cdde98bcd3877f4ae9d11e7
VirtualSize 0x15a2a
VirtualAddress 0x1000
SizeOfRawData 0x15c00
PointerToRawData 0x400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
Entropy 6.41552

.rdata

MD5 bb0048e4f3851ea07b365828ddf613f7
SHA1 316a8964c86629cf419d091651adb6d7422004e5
SHA256 cd8910806680273ff3bc53e23cda72e60b8fad8fd417be7b81dc8b0553ff983d
SHA3 66768674cd893fd72dcfefe6b527c23dbd1858e51cbda13037e0a7de17df0df6
VirtualSize 0x675e
VirtualAddress 0x17000
SizeOfRawData 0x6800
PointerToRawData 0x16000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 4.91225

.data

MD5 50e3efe1a6ea325c87f8e86e2fbd40b4
SHA1 591dde4f0c662fce2518a133e42ea31fdaad9a29
SHA256 e0380eba9d22035239fbfacbe3daf94cffb28947b0b2f2a2b0efd42a889443ea
SHA3 c7b3e6c968fdc288b4266c0f3e33197190c43170824d03457d9fb42b6e8b8710
VirtualSize 0x3e48
VirtualAddress 0x1e000
SizeOfRawData 0x1600
PointerToRawData 0x1c800
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 2.09364

.pdata

MD5 f56a65eb9562d6c6d607f867d1d0fd09
SHA1 f2b07cdc687bf0a2d8baa169b3b3b2112fbafb36
SHA256 709c5c5b497ffe8ffb0dbd1b60e9c821aa643c76ac321416cdf43f53805d9378
SHA3 e4a31caf4f6c29ed32a3eeb2a8abe81a3df798682ee7947afe194b8091537cf6
VirtualSize 0x1038
VirtualAddress 0x22000
SizeOfRawData 0x1200
PointerToRawData 0x1de00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 4.72553

.rsrc

MD5 6a9a84d523e53e1d43c31b2cc069930c
SHA1 3603c3e372aa5ea2465ab1aa07f53e1ea6681ded
SHA256 b56c17c942b6966842cbe438d2d50093e7592bbb3f6cefbc179e60f8f03095f1
SHA3 c1ebec53c6d2f71c4b598c0904960586570f015ddc636fab86103182808c77cd
VirtualSize 0x5b0
VirtualAddress 0x24000
SizeOfRawData 0x600
PointerToRawData 0x1f000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 4.30815

.reloc

MD5 dab5e290c15de9634d93d8f592a44633
SHA1 48dacb8e8ef8492ea7f8782e5e753884a274bc43
SHA256 8be90ac5aac67f8b84929e6ba320e1b3540a229687b77e8780adb2d09146174f
SHA3 b9e13e9f03fd3448d356eb016946ed80e19165b576515d10cb8786466bf914dc
VirtualSize 0x4bc
VirtualAddress 0x25000
SizeOfRawData 0x600
PointerToRawData 0x1f600
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Entropy 2.9126

Imports

KERNEL32.dll GetCurrentProcess
WriteFile
WideCharToMultiByte
ReadFile
CreateFileW
MultiByteToWideChar
GetCurrentDirectoryW
GetFileType
CloseHandle
MapViewOfFile
SystemTimeToFileTime
GetLastError
GetLocalTime
CreateFileMappingW
GetCommandLineW
MoveFileExW
lstrlenW
LocalAlloc
DeleteFileW
SetFilePointer
DosDateTimeToFileTime
LoadLibraryA
UnmapViewOfFile
GetProcAddress
EncodePointer
DecodePointer
HeapFree
HeapAlloc
GetCommandLineA
GetStartupInfoW
TerminateProcess
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
Sleep
HeapSize
GetModuleHandleW
ExitProcess
RtlUnwindEx
HeapSetInformation
GetVersion
HeapCreate
GetStdHandle
GetModuleFileNameW
RaiseException
RtlPcToFileHeader
EnterCriticalSection
LeaveCriticalSection
InitializeCriticalSectionAndSpinCount
FlsGetValue
FlsSetValue
FlsFree
SetLastError
GetCurrentThreadId
FlsAlloc
GetModuleFileNameA
FreeEnvironmentStringsW
GetEnvironmentStringsW
SetHandleCount
DeleteCriticalSection
QueryPerformanceCounter
GetTickCount
GetCurrentProcessId
GetSystemTimeAsFileTime
HeapReAlloc
LoadLibraryW
GetCPInfo
GetACP
GetOEMCP
IsValidCodePage
GetConsoleCP
GetConsoleMode
SetStdHandle
FlushFileBuffers
LCMapStringW
GetStringTypeW
SetEndOfFile
GetProcessHeap
WriteConsoleW
ADVAPI32.dll ChangeServiceConfig2A
OpenServiceW
CloseServiceHandle
StartServiceA
SHELL32.dll CommandLineToArgvW

Delayed Imports

1

Type RT_VERSION
Language Korean - Korea
Codepage Latin 1 / Western European
Size 0x3b4
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 3.48995
MD5 4b8c12c16fc9b68247d1f0e624474779
SHA1 5348990e8ed4a7bbc7a8348a087538327e5226dc
SHA256 72cb64f9213b7a180bd6d3e58f650791c4e7c146800c739b6c061732fa8f29a8
SHA3 cc56204c7fad1726a0420402b78d06755fa334ff4c84ae68f358743d51d070c6

1 (#2)

Type RT_MANIFEST
Language English - United States
Codepage Latin 1 / Western European
Size 0x15a
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 4.79597
MD5 24d3b502e1846356b0263f945ddd5529
SHA1 bac45b86a9c48fc3756a46809c101570d349737d
SHA256 49a60be4b95b6d30da355a0c124af82b35000bce8f24f957d1c09ead47544a1e
SHA3 1244ed60820da52dc4b53880ec48e3b587dbdbd9545f01fa2b1c0fcfea1d5e9e

Version Info

Signature 0xfeef04bd
StructVersion 0x10000
FileVersion 10.0.10586.0
ProductVersion 10.0.10586.0
FileFlags (EMPTY)
FileOs VOS_DOS_WINDOWS32
VOS_NT
VOS_NT_WINDOWS32
VOS_WINCE
VOS__WINDOWS32
FileType VFT_APP
Language English - United States
CompanyName Microsoft Corporation
FileDescription NetBT Unattend Generic Command
FileVersion (#2) 10.0.10586.0 (th2_release.151029-1700)
InternalName netbtugc.exe
LegalCopyright © Microsoft Corporation. All rights reserved.
OriginalFilename netbtugc.exe.mui
ProductName Microsoft® Windows® Operating System
ProductVersion (#2) 10.0.10586.0
Resource LangID Korean - Korea

TLS Callbacks

Load Configuration

RICH Header

XOR Key 0x4c74ba8b
Unmarked objects 0
152 (20115) 2
C++ objects (VS2010 build 30319) 41
C objects (VS2010 build 30319) 118
ASM objects (VS2010 build 30319) 10
Imports (VS2008 SP1 build 30729) 9
Total imports 112
175 (VS2010 build 30319) 6
Resource objects (VS2010 build 30319) 1
Linker (VS2010 build 30319) 1

Errors