Property | Value |
---|---|
Architecture | IMAGE_FILE_MACHINE_I386 |
Subsystem | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date | 2017-Jul-04 18:19:53 |
Detected languages | English - United States |
Debug artifacts | C:\Users\W7\Downloads\kur\Redir\Bin\Loader.pdb |

Level | Finding | Details |
---|---|---|
Info | Matching compiler(s) | Microsoft Visual C++ 6.0 - 8.0 |
Suspicious | PEiD Signature | HQR data file |
Suspicious | Strings found in the binary may indicate undesirable behavior | Contains references to internet browsers: |
Malicious | The PE contains functions mostly used by malware. | [!] The program may be hiding some of its imports: |
Malicious | The PE is possibly a dropper. | Resource 129 detected as a PE Executable. Resource 132 detected as a PE Executable. Resources account for 76.3407% of the executable. |
Malicious | VirusTotal score: 49/65 (Scanned on 2018-11-09 01:40:02) | Per-engine detections are listed in the table below. |

Engine | Detection |
---|---|
MicroWorld-eScan | Gen:Win32.ExplorerHijack.BuW@aagEb4bi |
CAT-QuickHeal | Trojan.Mauvaise.SL1 |
McAfee | Artemis!0D07363187DC |
Cylance | Unsafe |
VIPRE | Trojan.Win32.Generic!BT |
SUPERAntiSpyware | Trojan.Agent/Gen-Injector |
K7GW | Spyware ( 0050847d1 ) |
K7AntiVirus | Spyware ( 0050847d1 ) |
Invincea | heuristic |
F-Prot | W32/Heuristic-KPP!Eldorado |
Symantec | Trojan.Pandex |
TrendMicro-HouseCall | TSPY_URSNIF_GG3109CE.UVPM |
Avast | Win32:Malware-gen |
ClamAV | Win.Trojan.Loader-6327977-0 |
Kaspersky | Trojan.Win32.Agent.ikhw |
BitDefender | Gen:Win32.ExplorerHijack.BuW@aagEb4bi |
NANO-Antivirus | Trojan.Win64.Mlw.eqtngq |
Paloalto | generic.ml |
Tencent | Win32.Trojan.Agent.Eyh |
Endgame | malicious (high confidence) |
Emsisoft | Gen:Win32.ExplorerHijack.BuW@aagEb4bi (B) |
DrWeb | Trojan.PWS.Papras.2833 |
TrendMicro | TSPY_URSNIF_GG3109CE.UVPM |
McAfee-GW-Edition | BehavesLike.Win32.Generic.gh |
TheHacker | Trojan/Spy.Ursnif.ax |
Ikarus | Trojan-Spy.Agent |
Cyren | W32/Heuristic-KPP!Eldorado |
Webroot | W32.Trojan.Gen |
Avira | HEUR/AGEN.1030721 |
Fortinet | W32/Generic.AP.EB410!tr |
Antiy-AVL | Trojan/Win32.Agent |
Arcabit | Gen:Win32.ExplorerHijack.ED52DE |
ZoneAlarm | Trojan.Win32.Agent.ikhw |
Microsoft | TrojanSpy:Win32/Ursnif |
Sophos | Mal/Generic-S |
AhnLab-V3 | Malware/Win32.Generic.C1575536 |
VBA32 | Trojan.Agent |
MAX | malware (ai score=100) |
Ad-Aware | Gen:Win32.ExplorerHijack.BuW@aagEb4bi |
ESET-NOD32 | a variant of Win32/Spy.Ursnif.AX |
Rising | Spyware.Ursnif!8.1DEF (TFE:5:HKLQVK9oOmK) |
Yandex | TrojanSpy.Ursnif!KTWbTIb/usQ |
SentinelOne | static engine - malicious |
GData | Gen:Win32.ExplorerHijack.BuW@aagEb4bi |
AVG | Win32:Malware-gen |
Cybereason | malicious.187dcd |
Panda | Trj/Genetic.gen |
CrowdStrike | malicious_confidence_100% (W) |
Qihoo-360 | Win32/Sorter.AVE.CryptLocker.BS |
DOS header field | Value |
---|---|
e_magic | MZ |
e_cblp | 0x90 |
e_cp | 0x3 |
e_crlc | 0 |
e_cparhdr | 0x4 |
e_minalloc | 0 |
e_maxalloc | 0xffff |
e_ss | 0 |
e_sp | 0xb8 |
e_csum | 0 |
e_ip | 0 |
e_cs | 0 |
e_ovno | 0 |
e_oemid | 0 |
e_oeminfo | 0 |
e_lfanew | 0xe8 |
PE header field | Value |
---|---|
Signature | PE |
Machine | IMAGE_FILE_MACHINE_I386 |
NumberofSections | 5 |
TimeDateStamp | 2017-Jul-04 18:19:53 |
PointerToSymbolTable | 0 |
NumberOfSymbols | 0 |
SizeOfOptionalHeader | 0xe0 |
Characteristics | IMAGE_FILE_32BIT_MACHINE, IMAGE_FILE_EXECUTABLE_IMAGE |
Optional header field | Value |
---|---|
Magic | PE32 |
LinkerVersion | 12.0 |
SizeOfCode | 0x10200 |
SizeOfInitializedData | 0x5f200 |
SizeOfUninitializedData | 0 |
AddressOfEntryPoint | 0x00003ED3 (Section: .text) |
BaseOfCode | 0x1000 |
BaseOfData | 0x12000 |
ImageBase | 0x400000 |
SectionAlignment | 0x1000 |
FileAlignment | 0x200 |
OperatingSystemVersion | 5.1 |
ImageVersion | 0.0 |
SubsystemVersion | 5.1 |
Win32VersionValue | 0 |
SizeOfImage | 0x73000 |
SizeOfHeaders | 0x400 |
Checksum | 0 |
Subsystem | IMAGE_SUBSYSTEM_WINDOWS_GUI |
DllCharacteristics | IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE, IMAGE_DLLCHARACTERISTICS_NX_COMPAT, IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE |
SizeofStackReserve | 0x100000 |
SizeofStackCommit | 0x1000 |
SizeofHeapReserve | 0x100000 |
SizeofHeapCommit | 0x1000 |
LoaderFlags | 0 |
NumberOfRvaAndSizes | 16 |
Library | Imported functions |
---|---|
SHLWAPI.dll | PathRemoveFileSpecA |
KERNEL32.dll | GetStringTypeW, GetModuleFileNameA, FindResourceA, SizeofResource, LoadResource, LockResource, WriteFile, CloseHandle, GetModuleFileNameW, CreateMutexA, GetLastError, GetModuleHandleA, GetConsoleCP, LoadLibraryA, GetProcAddress, GetNativeSystemInfo, CreateToolhelp32Snapshot, Process32First, Process32Next, OpenProcess, VirtualAllocEx, WriteProcessMemory, CreateRemoteThread, WaitForSingleObject, GetExitCodeThread, GetCurrentProcess, ResetEvent, CreateThread, VirtualAlloc, SetLastError, VirtualFree, FlushInstructionCache, ResumeThread, GetConsoleMode, SetFilePointerEx, FlushFileBuffers, SetStdHandle, WriteConsoleW, Sleep, GetModuleHandleExW, LCMapStringW, EncodePointer, DecodePointer, ExitProcess, CreateFileW, MultiByteToWideChar, WideCharToMultiByte, IsDebuggerPresent, IsProcessorFeaturePresent, GetCommandLineA, RaiseException, RtlUnwind, HeapFree, HeapAlloc, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, UnhandledExceptionFilter, SetUnhandledExceptionFilter, InitializeCriticalSectionAndSpinCount, TerminateProcess, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetModuleHandleW, GetStdHandle, LoadLibraryExW, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, HeapSize, GetCurrentThreadId, GetProcessHeap, GetFileType, QueryPerformanceCounter, GetCurrentProcessId, GetSystemTimeAsFileTime, GetEnvironmentStringsW, FreeEnvironmentStringsW, OutputDebugStringW, HeapReAlloc |
ADVAPI32.dll | LookupPrivilegeValueA, OpenProcessToken, RegCloseKey, RegSetValueExW, RegCreateKeyExW, AdjustTokenPrivileges |
Debug directory field | Value |
---|---|
Characteristics | 0 |
TimeDateStamp | 2017-Jul-04 18:19:53 |
Version | 0.0 |
SizeofData | 71 |
AddressOfRawData | 0x177e8 |
PointerToRawData | 0x15de8 |
Referenced File | C:\Users\W7\Downloads\kur\Redir\Bin\Loader.pdb |
Debug directory field | Value |
---|---|
Characteristics | 0 |
TimeDateStamp | 2017-Jul-04 18:19:53 |
Version | 0.0 |
SizeofData | 20 |
AddressOfRawData | 0x17830 |
PointerToRawData | 0x15e30 |
Load configuration field | Value |
---|---|
Size | 0x48 |
TimeDateStamp | 1970-Jan-01 00:00:00 |
Version | 0.0 |
GlobalFlagsClear | (EMPTY) |
GlobalFlagsSet | (EMPTY) |
CriticalSectionDefaultTimeout | 0 |
DeCommitFreeBlockThreshold | 0 |
DeCommitTotalFreeThreshold | 0 |
LockPrefixTable | 0 |
MaximumAllocationSize | 0 |
VirtualMemoryThreshold | 0 |
ProcessAffinityMask | 0 |
ProcessHeapFlags | (EMPTY) |
CSDVersion | 0 |
Reserved1 | 0 |
EditList | 0 |
SecurityCookie | 0x419008 |
SEHandlerTable | 0x417b90 |
SEHandlerCount | 8 |
Rich header field | Value |
---|---|
XOR Key | 0xcbf096b8 |
Unmarked objects | 0 |
ASM objects (20806) | 24 |
C objects (20806) | 118 |
C++ objects (20806) | 45 |
Imports (VS2008 SP1 build 30729) | 13 |
Total imports | 121 |
229 (VS2013 build 21005) | 4 |
Resource objects (VS2013 build 21005) | 1 |
151 | 1 |
Linker (VS2013 build 21005) | 1 |