0be2e4ce284c5ed5505bd119887ce927

Summary

Architecture IMAGE_FILE_MACHINE_I386
Subsystem IMAGE_SUBSYSTEM_WINDOWS_CUI
Compilation Date 2008-Nov-10 09:40:34

Plugin Output

Info Matching compiler(s): Microsoft Visual C++ 6.0 - 8.0
Suspicious Strings found in the binary may indicate undesirable behavior: Miscellaneous malware strings:
  • hack
Info Cryptographic algorithms detected in the binary: Uses constants related to CRC32
Uses constants related to MD5
Uses constants related to SHA1
Uses constants related to SHA256
Suspicious The PE contains functions most legitimate programs don't use. [!] The program may be hiding some of its imports:
  • LoadLibraryA
  • GetProcAddress
Memory manipulation functions often used by packers:
  • VirtualProtect
  • VirtualAlloc
Malicious The PE is possibly a dropper. Resource 1 detected as a PE Executable.
Malicious The file contains overlay data. 1310582 bytes of data starting at offset 0x287600.
The file contains a Zip Compressed Archive after the PE data.
Safe VirusTotal score: 0/69 (Scanned on 2019-03-13 23:10:39) All the AVs think this file is safe.

Hashes

MD5 0be2e4ce284c5ed5505bd119887ce927
SHA1 a0a503741b7201b9c1ea7c22b7586318f742b9fa
SHA256 de93edf3e31cddb052c2813b7f92f5b842ba67a5b2211000ba562c663acf9184
SHA3 b92870147bba2e117f889b76361d24a057bef0f28f5af7df45eb5e37a5dc3547
SSDeep 98304:Y61oxVCczhpdN3g4MfHUl+aZSTXg3rqjjxkiSmsfSRUZa:Y61+Jp3wZTLQbuvSmOA
Imports Hash b28c641d753fb51b62a00fe6115070ae

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0xe8

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_I386
NumberofSections 4
TimeDateStamp 2008-Nov-10 09:40:34
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xe0
Characteristics IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_RELOCS_STRIPPED

Image Optional Header

Magic PE32
LinkerVersion 9.0
SizeOfCode 0x2200
SizeOfInitializedData 0x285000
SizeOfUninitializedData 0
AddressOfEntryPoint 0x00002B28 (Section: .text)
BaseOfCode 0x1000
BaseOfData 0x4000
ImageBase 0x400000
SectionAlignment 0x1000
FileAlignment 0x200
OperatingSystemVersion 5.0
ImageVersion 0.0
SubsystemVersion 5.0
Win32VersionValue 0
SizeOfImage 0x28b000
SizeOfHeaders 0x400
Checksum 0x510d
Subsystem IMAGE_SUBSYSTEM_WINDOWS_CUI
DllCharacteristics IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
SizeofStackReserve 0x100000
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

.text

MD5 264ca42964cf5a4c6c722f9fd8c7f6d7
SHA1 681c8d8703f243f75d87b4d907c8d00cf2d02828
SHA256 d3c24986662d619dcbec7eaebc26f696264d78583645764f7fb7e9478ec3faf6
SHA3 852232a929dd5de7952abddeef2c1d76cd332e5d18523213c382c3a06dbaed15
VirtualSize 0x2084
VirtualAddress 0x1000
SizeOfRawData 0x2200
PointerToRawData 0x400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
Entropy 6.0944

.rdata

MD5 f6694c54551d514f286e97634b5a17c3
SHA1 cd34cf98d2355f97ccbd60e6290549cd68bd5819
SHA256 3ab04c9e3b2142766407051d64d19e08e8ed1d2deab303882ee5da18ffe2eb5d
SHA3 918742b8f5aca3d44e167e3a7930031d470b3f40aa570c150251a848bcfcc83d
VirtualSize 0x912
VirtualAddress 0x4000
SizeOfRawData 0xa00
PointerToRawData 0x2600
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 4.7069

.data

MD5 1611cb3b9b45f5539a91e11559fb588e
SHA1 d7bf9b095493ab8e9678d229191f0d9674a9ef9f
SHA256 7fe6d290c3ef541048216ff3924f96fd40e554542f5dc709a4ce2f427022bf36
SHA3 e92588bb781c107ffb1fe89d119349a367c40778006acfd8abd95180a2ccf28e
VirtualSize 0x1668
VirtualAddress 0x5000
SizeOfRawData 0xc00
PointerToRawData 0x3000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 4.5296

.rsrc

MD5 973c00d5b0ea8da742120fb1a6b24aec
SHA1 4c2d0bc0902273935e4b0cd762990585104fbf16
SHA256 00c31caeaa6233422940dd7730bf43b01229bddb609160fb23495be9bef71d05
SHA3 e150a831d70974faea6c6862737e3c415ccf8ba0f9b6175c50e4cd87bfe006f4
VirtualSize 0x283808
VirtualAddress 0x7000
SizeOfRawData 0x283a00
PointerToRawData 0x3c00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 6.72149

Imports

MSVCR90.dll _controlfp_s
_invoke_watson
strncpy
_except_handler4_common
_decode_pointer
_onexit
_lock
__dllonexit
_unlock
?terminate@@YAXXZ
__set_app_type
_encode_pointer
__p__fmode
__p__commode
_adjust_fdiv
__setusermatherr
_configthreadlocale
_initterm_e
_initterm
__initenv
exit
_XcptFilter
_exit
_cexit
__getmainargs
_amsg_exit
realloc
bsearch
qsort
memset
memcpy
setbuf
getenv
atoi
malloc
free
_snprintf
strncmp
strrchr
fprintf
__iob_func
_crt_debugger_hook
_stricmp
_strdup
KERNEL32.dll LocalFree
IsDebuggerPresent
UnhandledExceptionFilter
GetCurrentProcess
TerminateProcess
GetSystemTimeAsFileTime
GetCurrentProcessId
GetCurrentThreadId
GetTickCount
QueryPerformanceCounter
SetUnhandledExceptionFilter
InterlockedCompareExchange
Sleep
InterlockedExchange
HeapAlloc
IsBadReadPtr
SetLastError
GetProcessHeap
HeapFree
VirtualFree
VirtualProtect
VirtualAlloc
FreeLibrary
GetModuleHandleA
OutputDebugStringA
GetFullPathNameA
LoadLibraryA
GetProcAddress
UnmapViewOfFile
CreateFileA
GetFileSize
CreateFileMappingA
CloseHandle
MapViewOfFile
FindResourceA
LoadResource
LockResource
GetModuleFileNameA
GetLastError
FormatMessageA

Delayed Imports

1

Type PYTHON27.DLL
Language UNKNOWN
Codepage Latin 1 / Western European
Size 0x282600
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 6.72221
Detected Filetype PE Executable
MD5 c0a3daf00f1b3aa17d3de3741dc39000
SHA1 7f0e85fb40f1ecf97c4362ef8837ea6a955b1d68
SHA256 c9622466314b924a9e6b3930207bbae3a12dc18932be7eb805a2f3042e0cd6b7
SHA3 302bfa700200853a49222c1b9c527e4db8e17496bbbd30524a9e5bfb86e8b50c

1 (#2)

Type PYTHONSCRIPT
Language UNKNOWN
Codepage Latin 1 / Western European
Size 0xe93
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 4.57845
MD5 a6b1354edea1590112b2aac776aca795
SHA1 02a878396917c68f687db7b24e2627723cd38bb3
SHA256 33a07ac62f6288470cf22a796a36446126f1a72922277a59896060a3115ad59f
SHA3 cd973c49faa17f90a86e3a2117e6bbf7e3eeaf687606167cc590e243b7ebf77b

1 (#3)

Type RT_MANIFEST
Language UNKNOWN
Codepage Latin 1 / Western European
Size 0x256
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 5.0207
MD5 5a32206e4bb9d06170ae00fa980db49b
SHA1 126a45f48625322ba11eb0acf1ade9115ad6802b
SHA256 9f2fc067639866642bb1a73fb43006d233e569d25566b16dedec472fe5d3c5c3
SHA3 bfab9d66b065ea131bdc44ac811cfcf4d5c43a1075f9b6d16f0c8f2f20237cac

Version Info

TLS Callbacks

Load Configuration

Size 0x48
TimeDateStamp 1970-Jan-01 00:00:00
Version 0.0
GlobalFlagsClear (EMPTY)
GlobalFlagsSet (EMPTY)
CriticalSectionDefaultTimeout 0
DeCommitFreeBlockThreshold 0
DeCommitTotalFreeThreshold 0
LockPrefixTable 0
MaximumAllocationSize 0
VirtualMemoryThreshold 0
ProcessAffinityMask 0
ProcessHeapFlags (EMPTY)
CSDVersion 0
Reserved1 0
EditList 0
SecurityCookie 0x405a58
SEHandlerTable 0x4041d0
SEHandlerCount 1

RICH Header

XOR Key 0xd2ba5881
Unmarked objects 0
Imports (VS2012 build 50727 / VS2005 build 50727) 2
150 (20413) 2
Imports (VS2008 build 21022) 3
Total imports 84
ASM objects (VS2008 build 21022) 1
C++ objects (VS2008 build 21022) 2
C objects (VS2008 build 21022) 25
Linker (VS2008 build 21022) 1
Resource objects (VS2008 build 21022) 1

Errors