| Architecture | IMAGE_FILE_MACHINE_I386 |
|---|---|
| Subsystem | IMAGE_SUBSYSTEM_WINDOWS_GUI |
| Compilation Date | 2018-Jan-28 01:40:45 |
| Detected languages | Danish - Denmark |
| InternalName | nowuz.exe |
| Info | Matching compiler(s): Microsoft Visual C++ 6.0 - 8.0. This heuristic match is contradicted by the rest of the report: LinkerVersion is 10.0 and the RICH header entries are VS2010 (build 30319) objects with VS2008 SP1 import stubs, which points to Visual Studio 2010 rather than 6.0 - 8.0. |
| Malicious | The file headers were tampered with. Unusual section names found: .mysec1, .mysec2, .mysec3, .version, .version (the name .version is reported twice). The RICH header checksum is invalid. |
| Info | The PE contains common functions which appear in legitimate applications. [!] The program may be hiding some of its imports: |
| Malicious | VirusTotal score: 41/69 (Scanned on 2019-02-14 15:10:18) |
|---|---|
| MicroWorld-eScan | Gen:Trojan.Heur.Hype.pK0@ayi3drhG |
| McAfee | Trojan-FPZV!0B2673DDF85E |
| Cylance | Unsafe |
| Invincea | heuristic |
| Symantec | Packed.Generic.525 |
| ESET-NOD32 | a variant of Win32/Kryptik.GOXF |
| TrendMicro-HouseCall | TrojanSpy.Win32.FAREIT.SMKC1.hp |
| ClamAV | Win.Packed.Gandcrab-6846115-0 |
| Kaspersky | HEUR:Trojan.Win32.Generic |
| BitDefender | Gen:Trojan.Heur.Hype.pK0@ayi3drhG |
| NANO-Antivirus | Trojan.Win32.Kryptik.fmxjap |
| Rising | Trojan.Kryptik!8.8/N3#100% (RDM+:cmRtazqtG+Z9D4gI3tC7alluBlA3) |
| Ad-Aware | Gen:Trojan.Heur.Hype.pK0@ayi3drhG |
| Emsisoft | Gen:Trojan.Heur.Hype.pK0@ayi3drhG (B) |
| F-Secure | Heuristic.HEUR/AGEN.1038782 |
| DrWeb | Trojan.PWS.Siggen2.9541 |
| TrendMicro | TrojanSpy.Win32.FAREIT.SMKC1.hp |
| McAfee-GW-Edition | Trojan-FPZV!0B2673DDF85E |
| Trapmine | malicious.high.ml.score |
| Ikarus | Trojan-Downloader.Win32.SmokeLoader |
| Jiangmin | Trojan.Agentb.dzz |
| Avira | HEUR/AGEN.1038782 |
| Fortinet | W32/Kryptik.GOTY!tr |
| Endgame | malicious (high confidence) |
| Arcabit | Trojan.Heur.Hype.E5DB28 |
| ZoneAlarm | HEUR:Trojan.Win32.Generic |
| Microsoft | Ransom:Win32/GandCrab.BB!bit |
| AhnLab-V3 | Trojan/Win32.Agent.C2952825 |
| Acronis | suspicious |
| MAX | malware (ai score=82) |
| VBA32 | BScope.Trojan.Chapak |
| Malwarebytes | Trojan.MalPack.GS.Generic |
| Panda | Trj/GdSda.A |
| SentinelOne | static engine - malicious |
| eGambit | Unsafe.AI_Score_51% |
| GData | Gen:Trojan.Heur.Hype.pK0@ayi3drhG |
| AVG | Win32:Evo-gen [Susp] |
| Cybereason | malicious.df85e0 |
| Avast | Win32:Evo-gen [Susp] |
| CrowdStrike | malicious_confidence_100% (D) |
| Qihoo-360 | HEUR/QVM10.1.398F.Malware.Gen |

All 41 detecting engines agree that the file is malicious but not on what it is: most names are generic packer or heuristic labels (Kryptik, Packed.Generic, MalPack, Evo-gen, HEUR), and the few family attributions disagree (GandCrab from ClamAV and Microsoft, Fareit from TrendMicro, SmokeLoader from Ikarus). The family should be taken from the unpacked payload, not from these labels.
| e_magic | MZ |
|---|---|
| e_cblp | 0x90 |
| e_cp | 0x3 |
| e_crlc | 0 |
| e_cparhdr | 0x4 |
| e_minalloc | 0 |
| e_maxalloc | 0xffff |
| e_ss | 0 |
| e_sp | 0xb8 |
| e_csum | 0 |
| e_ip | 0 |
| e_cs | 0 |
| e_ovno | 0 |
| e_oemid | 0 |
| e_oeminfo | 0 |
| e_lfanew | 0xe8 |
| Signature | PE |
|---|---|
| Machine | IMAGE_FILE_MACHINE_I386 |
| NumberofSections | 9 |
| TimeDateStamp | 2018-Jan-28 01:40:45 |
| PointerToSymbolTable | 0 |
| NumberOfSymbols | 0 |
| SizeOfOptionalHeader | 0xe0 |
| Characteristics | IMAGE_FILE_32BIT_MACHINE, IMAGE_FILE_EXECUTABLE_IMAGE, IMAGE_FILE_LARGE_ADDRESS_AWARE, IMAGE_FILE_RELOCS_STRIPPED |
| Magic | PE32 |
|---|---|
| LinkerVersion | 10.0 |
| SizeOfCode | 0x1ce00 |
| SizeOfInitializedData | 0x23000 |
| SizeOfUninitializedData | 0 |
| AddressOfEntryPoint | 0x0000546F (Section: .text) |
| BaseOfCode | 0x1000 |
| BaseOfData | 0x1e000 |
| ImageBase | 0x400000 |
| SectionAlignment | 0x1000 |
| FileAlignment | 0x200 |
| OperatingSystemVersion | 5.1 |
| ImageVersion | 0.0 |
| SubsystemVersion | 5.1 |
| Win32VersionValue | 0 |
| SizeOfImage | 0x48000 |
| SizeOfHeaders | 0x1000 |
| Checksum | 0 |
| Subsystem | IMAGE_SUBSYSTEM_WINDOWS_GUI |
| DllCharacteristics | IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE |
| SizeofStackReserve | 0x100000 |
| SizeofStackCommit | 0x1000 |
| SizeofHeapReserve | 0x100000 |
| SizeofHeapCommit | 0x1000 |
| LoaderFlags | 0 |
| NumberOfRvaAndSizes | 16 |

DllCharacteristics carries only TERMINAL_SERVER_AWARE: IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE and IMAGE_DLLCHARACTERISTICS_NX_COMPAT are absent, and the file header has IMAGE_FILE_RELOCS_STRIPPED, so the image always loads at ImageBase 0x400000 with no ASLR and does not opt in to DEP. A zero Checksum is normal for an unsigned user-mode binary. LinkerVersion 10.0 is Visual Studio 2010, matching the RICH header below. The entry point 0x546F lies inside .text rather than in one of the .mysec sections, so the first code to run is the compiler-generated start-up, not an appended stub.
| DLL | Imported functions |
|---|---|
| KERNEL32.DLL | GetProcessHandleCount, TerminateProcess, SetComputerNameExW, GetLastError, GetProcAddress, LoadLibraryA, GetProcessWorkingSetSize, LocalAlloc, SetProcessWorkingSetSize, SetCommMask, GetThreadPriority, GetProcessShutdownParameters, GetCommTimeouts, GetProcessAffinityMask, FatalExit, DuplicateHandle, GlobalAlloc, CloseHandle, lstrcpyA, LocalFileTimeToFileTime, GetStringTypeW, MultiByteToWideChar, LCMapStringW, WideCharToMultiByte, HeapReAlloc, IsValidCodePage, GetOEMCP, GetACP, LoadLibraryW, GetProcessTimes, GetDriveTypeA, GetTickCount, GetCurrentProcess, GetCPInfo, GetProcessIoCounters, GetNativeSystemInfo, PulseEvent, _lopen, ExitProcess, HeapSize, Sleep, RtlUnwind, EnterCriticalSection, LeaveCriticalSection, GetSystemTimeAsFileTime, GetCurrentProcessId, QueryPerformanceCounter, GetCommandLineW, HeapSetInformation, GetStartupInfoW, RaiseException, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, HeapAlloc, HeapFree, IsProcessorFeaturePresent, EncodePointer, DecodePointer, GetModuleHandleW, WriteFile, GetStdHandle, GetModuleFileNameW, FreeEnvironmentStringsW, GetEnvironmentStringsW, SetHandleCount, InitializeCriticalSectionAndSpinCount, GetFileType, DeleteCriticalSection, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, InterlockedIncrement, SetLastError, GetCurrentThreadId, InterlockedDecrement, HeapCreate |
| ADVAPI32.dll | SetSecurityDescriptorDacl, LookupPrivilegeNameA, ReportEventA |
| GDI32.dll | CreateBrushIndirect, StretchDIBits, RoundRect, AnimatePalette |
| MSIMG32.dll | TransparentBlt, GradientFill |
| SHELL32.dll | ShellAboutA, ShellExecuteW, #179 (import by ordinal) |
| USER32.dll | SetPropA, DlgDirListComboBoxA, GetAltTabInfoA, GetMenuInfo, GetScrollRange, SetWindowTextW, LoadImageW, CopyImage, GetFocus, BeginPaint, SetScrollRange, CreateIconIndirect |
| WINHTTP.dll | WinHttpConnect, WinHttpOpen, WinHttpCreateUrl, WinHttpReadData, WinHttpWriteData, WinHttpQueryDataAvailable |

Reading the import table: LoadLibraryA and GetProcAddress sit next to a scattering of GUI, GDI and system functions (SetComputerNameExW, AnimatePalette, GetAltTabInfoA, DlgDirListComboBoxA, LookupPrivilegeNameA) that a small GUI program has little reason to call, which is the pattern behind the tool's warning that the real imports are resolved at run time. The network-capable set (WinHttpOpen, WinHttpConnect, WinHttpReadData, WinHttpWriteData, WinHttpQueryDataAvailable), ShellExecuteW and the single SHELL32 import by ordinal (#179) are the entries worth following in a debugger. IsDebuggerPresent, together with HeapSetInformation, EncodePointer/DecodePointer, IsProcessorFeaturePresent and the Tls* and critical-section functions, is standard Visual Studio 2010 CRT start-up code and is not on its own an anti-debugging indicator.
| Ordinal | Address |
|---|---|
| 1 | 0x1ace0 |
| 2 | 0x1acd0 |

Both exports are by ordinal only; no names are reported. A GUI executable exporting anything is itself unusual. Both RVAs fall inside the code range (BaseOfCode 0x1000, BaseOfData 0x1e000).
Bivuyodan zabasibetuw gano medajeziret nasisumek |
Godotefifipike meloterupirar hodibolu ceya nivupucemo |
Putofijijuse cadecodedupo luroyimuvumelef vuhafixami zepazabapol |
Pepiyag jona ceheguxepe worugayinero xelerapifucili |
Zubajefanexa cuj wigimupifawuwuz hohavoz |
Bofapinayo kebuja |
Cabugulinopixud juyutocejetub zedusiyihike kicubemov |
Jupotigofu jalimiliyuhuy lumuka vaxusupujo givub |
Nuwozasabowakiy xasaci vub |
Mud lasumey dut camodericisi huguyuf |
Pox cigosaz najuwufahu gofegopeduropel desimunexib |
Lojahanasotipi yehumawanigisaw xucigep |
| Signature | 0xfeef04bd |
|---|---|
| StructVersion | 0x10000 |
| FileVersion | 1.0.0.0 |
| ProductVersion | 1.0.0.0 |
| FileFlags | (EMPTY) |
| FileOs | VOS_DOS_WINDOWS32, VOS_NT, VOS_NT_WINDOWS32, VOS_WINCE, VOS__WINDOWS32 |
| FileType | VFT_APP |
| Language | UNKNOWN |
| InternalName | nowuz.exe |
| Resource LangID | Danish - Denmark |
| Size | 0x48 |
|---|---|
| TimeDateStamp | 1970-Jan-01 00:00:00 |
| Version | 0.0 |
| GlobalFlagsClear | (EMPTY) |
| GlobalFlagsSet | (EMPTY) |
| CriticalSectionDefaultTimeout | 0 |
| DeCommitFreeBlockThreshold | 0 |
| DeCommitTotalFreeThreshold | 0 |
| LockPrefixTable | 0 |
| MaximumAllocationSize | 0 |
| VirtualMemoryThreshold | 0 |
| ProcessAffinityMask | 0 |
| ProcessHeapFlags | (EMPTY) |
| CSDVersion | 0 |
| Reserved1 | 0 |
| EditList | 0 |
| SecurityCookie | 0x41e07c |
| SEHandlerTable | 0x403700 |
| SEHandlerCount | 8 |

Size 0x48 is the pre-CFG IMAGE_LOAD_CONFIG_DIRECTORY32 layout that ends at SEHandlerCount, consistent with a VS2010 link. SecurityCookie at 0x41e07c and an 8-entry SEHandlerTable at 0x403700 show the stub was built with /GS and SafeSEH; these protect the packer stub only and say nothing about code unpacked at run time.
| XOR Key | 0xd5bc5a2d |
|---|---|
| Unmarked objects | 0 |
| ASM objects (VS2010 build 30319) | 21 |
| C objects (VS2010 build 30319) | 90 |
| C++ objects (VS2010 build 30319) | 31 |
| Imports (VS2008 SP1 build 30729) | 15 |
| Total imports | 120 |
| 175 (VS2010 build 30319) | 1 |
| 34526 (22812) | 1 |
| Resource objects (VS2010 build 30319) | 1 |
| 10080 (46431) | 1 |

The XOR key doubles as the checksum: the linker derives it from the DOS header bytes (e_lfanew excluded) and the (product id, count) entries, rotating each term by its position or count before summing. A stored key that does not match the recomputation, as the summary reports for this file, means the DOS header or the entries were rewritten after linking, which fits the other header-tampering findings. Rows shown only as numbers are product id (build) pairs for which the tool has no name.
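The invalid RICH header checksum flagged in the summary and the key shown in the table above can be re-verified without the analyser. The Python below is an added example, not the analyser's code or anything taken from the sample: it builds a constructed MZ header with a standard DOS stub and a Rich block, recomputes the key from the DOS bytes and the product entries, parses the block back, and then shows that a single patched byte in the DOS stub breaks validation, which is the condition the tool reports here. The product id codes in SAMPLE_ENTRIES are assumed values for illustration, and the PE that follows the Rich block is reduced to its signature because nothing past e_lfanew takes part in the check.

```python
import struct

DANS = 0x536E6144      # b"DanS" read as a little-endian dword
E_LFANEW_OFF = 0x3C    # e_lfanew is excluded from the checksum

# Constructed entries modelled on the Rich-header table above; the prod_id
# codes are assumed values for illustration, not read from the sample.
SAMPLE_ENTRIES = [
    (0x009D, 30319, 21),   # assumed id: VS2010 ASM objects
    (0x00AA, 30319, 90),   # assumed id: VS2010 C objects
    (0x00AB, 30319, 31),   # assumed id: VS2010 C++ objects
    (0x0093, 30729, 15),   # assumed id: VS2008 SP1 import stubs
]


def rol32(value, count):
    """32-bit rotate left; the rotate amount is taken modulo 32."""
    count %= 32
    value &= 0xFFFFFFFF
    return ((value << count) | (value >> (32 - count))) & 0xFFFFFFFF


def rich_key(dos_region, entries):
    """Recompute the XOR key (= checksum) from the bytes before DanS and the entries."""
    cksum = len(dos_region)                      # seeded with the DanS offset
    for i, b in enumerate(dos_region):
        if E_LFANEW_OFF <= i < E_LFANEW_OFF + 4:
            continue                             # linker patches e_lfanew afterwards
        cksum = (cksum + rol32(b, i)) & 0xFFFFFFFF
    for prod_id, build, count in entries:
        comp_id = ((prod_id & 0xFFFF) << 16) | (build & 0xFFFF)
        cksum = (cksum + rol32(comp_id, count)) & 0xFFFFFFFF
    return cksum


def build_rich(dos_region, entries):
    """Append an encoded Rich block (DanS, 3 pad dwords, entries, Rich, key) to dos_region."""
    key = rich_key(dos_region, entries)
    out = bytearray(dos_region)
    out += struct.pack("<IIII", DANS ^ key, key, key, key)   # marker + zero padding, XORed
    for prod_id, build, count in entries:
        comp_id = ((prod_id & 0xFFFF) << 16) | (build & 0xFFFF)
        out += struct.pack("<II", comp_id ^ key, count ^ key)
    out += b"Rich" + struct.pack("<I", key)                  # trailer is stored in the clear
    while len(out) % 16:
        out += b"\0"
    return bytes(out)


def make_sample():
    """Constructed MZ header + standard DOS stub + Rich block; only the bytes this check reads."""
    dos = bytearray(0x80)
    dos[0:2] = b"MZ"
    for off, val in ((0x02, 0x90), (0x04, 0x03), (0x08, 0x04), (0x0C, 0xFFFF), (0x10, 0xB8), (0x18, 0x40)):
        struct.pack_into("<H", dos, off, val)
    stub = bytes.fromhex("0E1FBA0E00B409CD21B8014CCD21") + b"This program cannot be run in DOS mode.\r\r\n$"
    dos[0x40:0x40 + len(stub)] = stub
    image = bytearray(build_rich(bytes(dos), SAMPLE_ENTRIES))
    struct.pack_into("<I", image, E_LFANEW_OFF, len(image))  # PE signature follows the Rich block
    return bytes(image) + b"PE\0\0"


def parse_rich(data):
    """Locate the Rich trailer, walk back to DanS, and decode the entries. None if absent."""
    e_lfanew = struct.unpack_from("<I", data, E_LFANEW_OFF)[0]
    rich_off = data.rfind(b"Rich", 0x40, e_lfanew)
    if rich_off < 0 or rich_off + 8 > len(data):
        return None
    key = struct.unpack_from("<I", data, rich_off + 4)[0]
    dans_off = next((off for off in range(rich_off - 4, 0x3C, -4)
                     if struct.unpack_from("<I", data, off)[0] ^ key == DANS), None)
    if dans_off is None:
        return None
    entries = []
    for off in range(dans_off + 16, rich_off, 8):
        comp_id, count = struct.unpack_from("<II", data, off)
        comp_id ^= key
        entries.append((comp_id >> 16, comp_id & 0xFFFF, count ^ key))
    return {"dans_off": dans_off, "rich_off": rich_off, "key": key, "entries": entries}


def validate_rich(data):
    """True if the stored key matches a recomputation, False if not, None if no Rich block."""
    parsed = parse_rich(data)
    if parsed is None:
        return None
    return rich_key(data[:parsed["dans_off"]], parsed["entries"]) == parsed["key"]


def tamper(data, off=0x4E):
    """Flip one DOS-stub byte, as a packer that rewrites the header might."""
    patched = bytearray(data)
    patched[off] ^= 0x20
    return bytes(patched)


if __name__ == "__main__":
    good = make_sample()
    info = parse_rich(good)
    print("key=0x%08x valid=%s" % (info["key"], validate_rich(good)))
    print("after tampering valid=%s" % validate_rich(tamper(good)))
```

To apply this to a real file, pass its first few kilobytes to validate_rich; a False result reproduces the tool's finding, and parse_rich gives the decoded entries so the product ids can be compared against the table above. Because e_lfanew is skipped, a packer that only moves the PE header will still validate; a rewritten DOS stub or an altered entry will not.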