0d07363187dcda999e1a6e750ed7a57a

Summary

Architecture IMAGE_FILE_MACHINE_I386
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date 2017-Jul-04 18:19:53
Detected languages English - United States
Debug artifacts C:\Users\W7\Downloads\kur\Redir\Bin\Loader.pdb

Plugin Output

Info Matching compiler(s): Microsoft Visual C++ 6.0 - 8.0 (PEiD signature match only; the LinkerVersion 12.0 in the optional header and the VS2013 build 21005 linker entry in the Rich header below point to Visual Studio 2013 instead)
Suspicious PEiD Signature: HQR data file
Suspicious Strings found in the binary may indicate undesirable behavior: Contains references to internet browsers:
  • chrome.exe
  • firefox.exe
  • iexplore.exe
May have dropper capabilities:
  • CurrentVersion\Run
Malicious The PE contains functions mostly used by malware. [!] The program may be hiding some of its imports:
  • LoadLibraryA
  • GetProcAddress
  • LoadLibraryExW
Functions which can be used for anti-debugging purposes:
  • CreateToolhelp32Snapshot
Code injection capabilities:
  • OpenProcess
  • VirtualAllocEx
  • WriteProcessMemory
  • CreateRemoteThread
  • VirtualAlloc
Can access the registry:
  • RegCloseKey
  • RegSetValueExW
  • RegCreateKeyExW
Functions related to the privilege level:
  • OpenProcessToken
  • AdjustTokenPrivileges
Manipulates other processes:
  • Process32First
  • Process32Next
  • OpenProcess
  • WriteProcessMemory
Malicious The PE is possibly a dropper:
  • Resource 129 detected as a PE Executable.
  • Resource 132 detected as a PE Executable.
  • Resources account for 76.3407% of the executable.
Malicious VirusTotal score: 49/65 (Scanned on 2018-11-09 01:40:02)
MicroWorld-eScan: Gen:Win32.ExplorerHijack.BuW@aagEb4bi
CAT-QuickHeal: Trojan.Mauvaise.SL1
McAfee: Artemis!0D07363187DC
Cylance: Unsafe
VIPRE: Trojan.Win32.Generic!BT
SUPERAntiSpyware: Trojan.Agent/Gen-Injector
K7GW: Spyware ( 0050847d1 )
K7AntiVirus: Spyware ( 0050847d1 )
Invincea: heuristic
F-Prot: W32/Heuristic-KPP!Eldorado
Symantec: Trojan.Pandex
TrendMicro-HouseCall: TSPY_URSNIF_GG3109CE.UVPM
Avast: Win32:Malware-gen
ClamAV: Win.Trojan.Loader-6327977-0
Kaspersky: Trojan.Win32.Agent.ikhw
BitDefender: Gen:Win32.ExplorerHijack.BuW@aagEb4bi
NANO-Antivirus: Trojan.Win64.Mlw.eqtngq
Paloalto: generic.ml
Tencent: Win32.Trojan.Agent.Eyh
Endgame: malicious (high confidence)
Emsisoft: Gen:Win32.ExplorerHijack.BuW@aagEb4bi (B)
DrWeb: Trojan.PWS.Papras.2833
TrendMicro: TSPY_URSNIF_GG3109CE.UVPM
McAfee-GW-Edition: BehavesLike.Win32.Generic.gh
TheHacker: Trojan/Spy.Ursnif.ax
Ikarus: Trojan-Spy.Agent
Cyren: W32/Heuristic-KPP!Eldorado
Webroot: W32.Trojan.Gen
Avira: HEUR/AGEN.1030721
Fortinet: W32/Generic.AP.EB410!tr
Antiy-AVL: Trojan/Win32.Agent
Arcabit: Gen:Win32.ExplorerHijack.ED52DE
ZoneAlarm: Trojan.Win32.Agent.ikhw
Microsoft: TrojanSpy:Win32/Ursnif
Sophos: Mal/Generic-S
AhnLab-V3: Malware/Win32.Generic.C1575536
VBA32: Trojan.Agent
MAX: malware (ai score=100)
Ad-Aware: Gen:Win32.ExplorerHijack.BuW@aagEb4bi
ESET-NOD32: a variant of Win32/Spy.Ursnif.AX
Rising: Spyware.Ursnif!8.1DEF (TFE:5:HKLQVK9oOmK)
Yandex: TrojanSpy.Ursnif!KTWbTIb/usQ
SentinelOne: static engine - malicious
GData: Gen:Win32.ExplorerHijack.BuW@aagEb4bi
AVG: Win32:Malware-gen
Cybereason: malicious.187dcd
Panda: Trj/Genetic.gen
CrowdStrike: malicious_confidence_100% (W)
Qihoo-360: Win32/Sorter.AVE.CryptLocker.BS

Hashes

MD5 0d07363187dcda999e1a6e750ed7a57a
SHA1 9617aa7821b406fa05d17c35032c5042b0a0b0fc
SHA256 b8057cc930c2a8c54123d6c6a90db8ddd87af227eef5d9ddf24a15fb0c2c15dc
SHA3 503ba0fda6a49c63878b3368cce740c3c952eac969f1234f5bc004b359faf22d
SSDeep 6144:WoYJZScfatSHc/K4Ei+AQB78rf/4hbnop6q6yQ8h/uJR5TI4Zt6rrPbr0Wu:WfSqhWEzgrf/4hzop6qhQNg4W
Imports Hash 4f9a1b151e9e33915dff4c4ef5ac0a41

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0xe8

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_I386
NumberofSections 5
TimeDateStamp 2017-Jul-04 18:19:53
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xe0
Characteristics IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE

Image Optional Header

Magic PE32
LinkerVersion 12.0
SizeOfCode 0x10200
SizeOfInitializedData 0x5f200
SizeOfUninitializedData 0
AddressOfEntryPoint 0x00003ED3 (Section: .text)
BaseOfCode 0x1000
BaseOfData 0x12000
ImageBase 0x400000
SectionAlignment 0x1000
FileAlignment 0x200
OperatingSystemVersion 5.1
ImageVersion 0.0
SubsystemVersion 5.1
Win32VersionValue 0
SizeOfImage 0x73000
SizeOfHeaders 0x400
Checksum 0
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
DllCharacteristics IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
SizeofStackReserve 0x100000
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

.text

MD5 c9a2389500e31a80d23f2368729135fa
SHA1 63a783ed96a7d54f26701afd1974ae34c1bfd753
SHA256 20e69c76f87778ea683ee8bb9d77e66e024b5815df4167f9e8fb4d8a063fce1b
SHA3 de20d127bd85181a697123254670804fb9d611f815e4d7ea3118ec2243d546ba
VirtualSize 0x1011d
VirtualAddress 0x1000
SizeOfRawData 0x10200
PointerToRawData 0x400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
Entropy 6.66546

.rdata

MD5 698122f476f18491cdf10299a2ed6c78
SHA1 9d754d7d3ed67539e2e562f3b73e16b208995fbe
SHA256 4cbe9a5ae71006dbb9c48acb4fc0139e45fbbc74127e50468b9254b6ef97f89b
SHA3 2a256d4d2a03d375367d9ac5c2f1277b556518965fc3d3dd29b954b1f7db1e21
VirtualSize 0x6aba
VirtualAddress 0x12000
SizeOfRawData 0x6c00
PointerToRawData 0x10600
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 4.75613

.data

MD5 e89391ca2ca579463f0e1dea020e79ac
SHA1 61917fdef80fd753264a77cdc9f129756e106c9b
SHA256 f716fd425e31179048b2e4cad7d3ef3f8b47204548ca02b66521feef8b2f4522
SHA3 c8f02148e8f79b81d1e64e91c56e4610b23b164dbd7782fc1e6e4314b06e5621
VirtualSize 0x34dc
VirtualAddress 0x19000
SizeOfRawData 0x1600
PointerToRawData 0x17200
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 3.83185

.rsrc

MD5 619d7a694d4304c52046e9e20a9ca55f
SHA1 58fa6ff69445c2e0b9abefbb242388dfc939ac9b
SHA256 5ef94075f829ff57e101735218271eeedbc044ae399be8359a043cd93ae67e96
SHA3 c47528fe56de2a9d04ef2836a10b935f2eafea378f97e2e04a20d9aec0439665
VirtualSize 0x53a60
VirtualAddress 0x1d000
SizeOfRawData 0x53c00
PointerToRawData 0x18800
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 6.34935

.reloc

MD5 34a63a896f1cb5dbeeabd1a1fbedfb76
SHA1 93177b42bf92776659ce22560fd2a179c1a8bbbc
SHA256 9ba8fc02a3af7b272e041f35d251729a51df0efd13f2e567cd38bd88320cb3e5
SHA3 a11baafc712c12634785a7100c4ca5414f5e6c6b752fff0cb06e065b1981127d
VirtualSize 0x132c
VirtualAddress 0x71000
SizeOfRawData 0x1400
PointerToRawData 0x6c400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Entropy 6.42862

Imports

SHLWAPI.dll PathRemoveFileSpecA
KERNEL32.dll GetStringTypeW
GetModuleFileNameA
FindResourceA
SizeofResource
LoadResource
LockResource
WriteFile
CloseHandle
GetModuleFileNameW
CreateMutexA
GetLastError
GetModuleHandleA
GetConsoleCP
LoadLibraryA
GetProcAddress
GetNativeSystemInfo
CreateToolhelp32Snapshot
Process32First
Process32Next
OpenProcess
VirtualAllocEx
WriteProcessMemory
CreateRemoteThread
WaitForSingleObject
GetExitCodeThread
GetCurrentProcess
ResetEvent
CreateThread
VirtualAlloc
SetLastError
VirtualFree
FlushInstructionCache
ResumeThread
GetConsoleMode
SetFilePointerEx
FlushFileBuffers
SetStdHandle
WriteConsoleW
Sleep
GetModuleHandleExW
LCMapStringW
EncodePointer
DecodePointer
ExitProcess
CreateFileW
MultiByteToWideChar
WideCharToMultiByte
IsDebuggerPresent
IsProcessorFeaturePresent
GetCommandLineA
RaiseException
RtlUnwind
HeapFree
HeapAlloc
EnterCriticalSection
LeaveCriticalSection
DeleteCriticalSection
UnhandledExceptionFilter
SetUnhandledExceptionFilter
InitializeCriticalSectionAndSpinCount
TerminateProcess
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
GetStartupInfoW
GetModuleHandleW
GetStdHandle
LoadLibraryExW
IsValidCodePage
GetACP
GetOEMCP
GetCPInfo
HeapSize
GetCurrentThreadId
GetProcessHeap
GetFileType
QueryPerformanceCounter
GetCurrentProcessId
GetSystemTimeAsFileTime
GetEnvironmentStringsW
FreeEnvironmentStringsW
OutputDebugStringW
HeapReAlloc
ADVAPI32.dll LookupPrivilegeValueA
OpenProcessToken
RegCloseKey
RegSetValueExW
RegCreateKeyExW
AdjustTokenPrivileges
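The Imports Hash in the Hashes section is derived from this table. As an added example (not code from the report or its tooling), the script below applies the usual imphash recipe to the import list transcribed from this page: lowercase "dll.function" pairs with the DLL extension stripped, comma-joined, MD5 of the result. It assumes the listing above preserves the binary's real import order, because imphash is order-sensitive; the reported value is quoted for comparison, not asserted, and imports by ordinal (which need per-DLL lookup tables) are not handled. Keep in mind that with LoadLibraryA/GetProcAddress in the table, the static import list understates what the sample can call at run time, so imphash is a pivot on the loader stub, not on the injected payloads.

```python
"""Recompute an import hash (imphash) from a transcribed import table.

Added example; this is not code from the original report or its tooling.
The import list is transcribed from the Imports section above (constructed
sample input). The listing order is assumed to be the real import order.
"""
import hashlib

IMPORTS = [
    ("SHLWAPI.dll", "PathRemoveFileSpecA"),
    ("KERNEL32.dll",
     "GetStringTypeW GetModuleFileNameA FindResourceA SizeofResource LoadResource "
     "LockResource WriteFile CloseHandle GetModuleFileNameW CreateMutexA GetLastError "
     "GetModuleHandleA GetConsoleCP LoadLibraryA GetProcAddress GetNativeSystemInfo "
     "CreateToolhelp32Snapshot Process32First Process32Next OpenProcess VirtualAllocEx "
     "WriteProcessMemory CreateRemoteThread WaitForSingleObject GetExitCodeThread "
     "GetCurrentProcess ResetEvent CreateThread VirtualAlloc SetLastError VirtualFree "
     "FlushInstructionCache ResumeThread GetConsoleMode SetFilePointerEx FlushFileBuffers "
     "SetStdHandle WriteConsoleW Sleep GetModuleHandleExW LCMapStringW EncodePointer "
     "DecodePointer ExitProcess CreateFileW MultiByteToWideChar WideCharToMultiByte "
     "IsDebuggerPresent IsProcessorFeaturePresent GetCommandLineA RaiseException RtlUnwind "
     "HeapFree HeapAlloc EnterCriticalSection LeaveCriticalSection DeleteCriticalSection "
     "UnhandledExceptionFilter SetUnhandledExceptionFilter "
     "InitializeCriticalSectionAndSpinCount TerminateProcess TlsAlloc TlsGetValue "
     "TlsSetValue TlsFree GetStartupInfoW GetModuleHandleW GetStdHandle LoadLibraryExW "
     "IsValidCodePage GetACP GetOEMCP GetCPInfo HeapSize GetCurrentThreadId GetProcessHeap "
     "GetFileType QueryPerformanceCounter GetCurrentProcessId GetSystemTimeAsFileTime "
     "GetEnvironmentStringsW FreeEnvironmentStringsW OutputDebugStringW HeapReAlloc"),
    ("ADVAPI32.dll",
     "LookupPrivilegeValueA OpenProcessToken RegCloseKey RegSetValueExW RegCreateKeyExW "
     "AdjustTokenPrivileges"),
]

# Value printed in the Hashes section of the report; only matches if the
# transcription above is in the binary's real import order.
REPORTED_IMPHASH = "4f9a1b151e9e33915dff4c4ef5ac0a41"


def normalize_imports(table):
    """Flatten (dll, "Func1 Func2 ...") pairs into ordered "lib.func" strings.

    The library name is lowercased and loses a .dll/.ocx/.sys extension; the
    function name is lowercased. This is the imphash canonical form."""
    pairs = []
    for dll, names in table:
        lib = dll.lower()
        for ext in (".dll", ".ocx", ".sys"):
            if lib.endswith(ext):
                lib = lib[: -len(ext)]
                break
        for func in names.split():
            pairs.append(f"{lib}.{func.lower()}")
    return pairs


def imphash(table):
    """MD5 over the comma-joined canonical import list."""
    joined = ",".join(normalize_imports(table))
    return hashlib.md5(joined.encode("ascii")).hexdigest()


if __name__ == "__main__":
    computed = imphash(IMPORTS)
    print(f"{len(normalize_imports(IMPORTS))} named imports")
    print(f"computed imphash: {computed}")
    print(f"reported imphash: {REPORTED_IMPHASH}"
          f" ({'match' if computed == REPORTED_IMPHASH else 'differs: check import order'})")
```

Running this against the real file rather than a transcription is a one-liner with pefile (`pefile.PE(path).get_imphash()`); the point of the block is to show exactly which normalisation the reported value encodes, so a mismatch between two tools can be traced to ordering or ordinal handling rather than guessed at.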

Delayed Imports

Resources

129

Type BINARY
Language English - United States
Codepage UNKNOWN
Size 0x25800
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 6.53771
Detected Filetype PE Executable
MD5 80ee12ce46ee791be58d222802b5a7c7
SHA1 5a620626aaf15d016967b96025623627f08fd350
SHA256 7db5023eb5a21bae40d12d90a888b586931feea2a63702886a74f73b2f91ae93
SHA3 bdc9509414d37c4d4201eab48f7f0889d13c157b4524505958784d5a3271ef56

132

Type BINARY
Language English - United States
Codepage UNKNOWN
Size 0x2e000
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 6.07324
Detected Filetype PE Executable
MD5 7b9d79b35571b614c32e39fc9c1643f4
SHA1 34691ceae73b0316aa53311a283a70365435034a
SHA256 ac784e5af306a91fc2ec9207ec68f5bd0bb0bb47a8116c80d5b3a54efe0e1ffe
SHA3 0eb2b002ca40f27ad1bdf29eed70213d7e6b50d0b5cbc82004789737f2293637

1

Type RT_MANIFEST
Language English - United States
Codepage UNKNOWN
Size 0x17d
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 4.91161
MD5 1e4a89b11eae0fcf8bb5fdd5ec3b6f61
SHA1 4260284ce14278c397aaf6f389c1609b0ab0ce51
SHA256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df
SHA3 4bb9e8b5a714cae82782f3831cc2d45f4bf4a50a755fe584d2d1893129d68353
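The dropper finding in the Plugin Output and the two BINARY resources above (129 and 132, both detected as PE executables) are the same fact seen from two sides: the loader carries its payloads as raw resources and writes them out with FindResourceA/LoadResource/LockResource/WriteFile. The script below is an added example, not code from the report or its tooling. It locates MZ/PE headers anywhere in a byte buffer, bounds each image by its section table (the highest PointerToRawData + SizeOfRawData, which is a PE's on-disk extent), and returns the carved payloads with their hashes so each embedded executable can be pivoted on separately, as the resource hashes above allow. Assumptions: a minimal PE is synthesised inline as constructed test input; e_lfanew is capped at 0x1000 as a sanity bound (not a format rule); overlay data appended after the last section is not recovered.

```python
"""Carve embedded PE images out of a byte buffer and hash them.

Added example; this is not code from the original report or its tooling.
The sample PE built by build_min_pe() is constructed test input.
"""
import hashlib
import struct

E_LFANEW_LIMIT = 0x1000   # assumption: sane DOS stubs keep the PE header this close


def pe_extent(buf, off):
    """Return the on-disk size of the PE image starting at buf[off], or None
    if the bytes there are not a plausible MZ/PE header pair."""
    if off + 0x40 > len(buf) or buf[off:off + 2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", buf, off + 0x3C)[0]
    pe = off + e_lfanew
    if e_lfanew > E_LFANEW_LIMIT or pe + 24 > len(buf) or buf[pe:pe + 4] != b"PE\0\0":
        return None
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", buf, pe + 4)
    if nsec == 0 or nsec > 96 or opt_size < 0x60:      # 96 is the loader's section cap
        return None
    sect_table = pe + 24 + opt_size
    end = e_lfanew + 24 + opt_size + nsec * 40          # headers at the very least
    for i in range(nsec):
        hdr = sect_table + i * 40
        if hdr + 40 > len(buf):
            return None
        # SizeOfRawData and PointerToRawData sit at +16 and +20 of a section header
        raw_size, raw_ptr = struct.unpack_from("<II", buf, hdr + 16)
        end = max(end, raw_ptr + raw_size)
    if off + end > len(buf):
        return None                                     # truncated: never emit a partial image
    return end


def carve_pe(buf, skip_host=True):
    """Return [(offset, bytes)] for every PE image found in buf. The buffer's
    own header at offset 0 is skipped by default so only payloads come back."""
    found = []
    pos = buf.find(b"MZ")
    while pos >= 0:
        size = pe_extent(buf, pos)
        if size and not (skip_host and pos == 0):
            found.append((pos, buf[pos:pos + size]))
        pos = buf.find(b"MZ", pos + 2)   # keep scanning inside images too: droppers nest
    return found


def digest(blob):
    """Hashes in the same set the report prints, for pivoting on the payload."""
    return {"md5": hashlib.md5(blob).hexdigest(),
            "sha1": hashlib.sha1(blob).hexdigest(),
            "sha256": hashlib.sha256(blob).hexdigest()}


def build_min_pe(code):
    """Constructed sample: a minimal 32-bit PE with one .text section and
    0x200-byte file alignment. Only the fields pe_extent() reads are meaningful."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    opt_size, raw_ptr = 0xE0, 0x200
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x0102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)      # PE32 magic, rest zeroed
    raw_size = (len(code) + 0x1FF) & ~0x1FF
    sect = (b".text".ljust(8, b"\0")
            + struct.pack("<IIII", len(code), 0x1000, raw_size, raw_ptr) + b"\0" * 16)
    headers = (dos + coff + opt + sect).ljust(raw_ptr, b"\0")
    return headers + code.ljust(raw_size, b"\0")


def demo():
    """Hide a constructed PE in junk and recover it; the trailing bare 'MZ' is a decoy."""
    payload = build_min_pe(b"\x31\xc0\xc3")            # constructed stub: xor eax,eax ; ret
    host = b"\0" * 777 + payload + b"MZ\xff\xff"
    return [(off, len(blob), digest(blob)["sha256"]) for off, blob in carve_pe(host)]


if __name__ == "__main__":
    for off, size, sha in demo():
        print(f"embedded PE at 0x{off:x}, {size} bytes, sha256 {sha}")
```

On the real sample the same function would be pointed at the loader file itself; the two hits should have the sizes 0x25800 and 0x2e000 and the hashes listed for resources 129 and 132 if the resources are stored unmodified, and anything else means the resource data is transformed before being written out.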

Version Info

Debug Info

IMAGE_DEBUG_TYPE_CODEVIEW

Characteristics 0
TimeDateStamp 2017-Jul-04 18:19:53
Version 0.0
SizeofData 71
AddressOfRawData 0x177e8
PointerToRawData 0x15de8
Referenced File C:\Users\W7\Downloads\kur\Redir\Bin\Loader.pdb

IMAGE_DEBUG_TYPE_VC_FEATURE

Characteristics 0
TimeDateStamp 2017-Jul-04 18:19:53
Version 0.0
SizeofData 20
AddressOfRawData 0x17830
PointerToRawData 0x15e30

TLS Callbacks

Load Configuration

Size 0x48
TimeDateStamp 1970-Jan-01 00:00:00
Version 0.0
GlobalFlagsClear (EMPTY)
GlobalFlagsSet (EMPTY)
CriticalSectionDefaultTimeout 0
DeCommitFreeBlockThreshold 0
DeCommitTotalFreeThreshold 0
LockPrefixTable 0
MaximumAllocationSize 0
VirtualMemoryThreshold 0
ProcessAffinityMask 0
ProcessHeapFlags (EMPTY)
CSDVersion 0
Reserved1 0
EditList 0
SecurityCookie 0x419008
SEHandlerTable 0x417b90
SEHandlerCount 8

RICH Header

XOR Key 0xcbf096b8
Unmarked objects 0
ASM objects (20806) 24
C objects (20806) 118
C++ objects (20806) 45
Imports (VS2008 SP1 build 30729) 13
Total imports 121
229 (VS2013 build 21005) 4
Resource objects (VS2013 build 21005) 1
151 1
Linker (VS2013 build 21005) 1
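The XOR key and the per-tool counts above come from the Rich header, the undocumented block between the DOS stub and the PE signature. As an added example (not code from the report or its tooling), the script below decodes that block and recomputes the key: the header is a run of DWORDs masked with the key ("DanS", three zero pads, then (compid, count) pairs) followed by the plain "Rich" marker and the key itself; a compid packs the tool's product id in its high 16 bits and the build number in its low 16. The key is also a checksum over the DOS header bytes (e_lfanew excluded) and the entries, so a key that does not recompute means the header was forged or patched, which matters when Rich headers are used for toolchain attribution or clustering. The header built inline is constructed input: the build numbers 30729 and 21005 are the ones reported above, the product ids are placeholders.

```python
"""Decode and validate a Rich header.

Added example; this is not code from the original report or its tooling.
DEMO_ENTRIES and demo_image() are constructed input with placeholder
product ids.
"""
import struct

DANS = 0x536E6144   # b"DanS" as a little-endian DWORD
RICH = 0x68636952   # b"Rich"


def rol32(v, n):
    n %= 32
    return ((v << n) | (v >> (32 - n))) & 0xFFFFFFFF


def rich_checksum(dos_stub, entries):
    """Value the key must equal: the stub length, plus each stub byte rotated
    by its offset (the four e_lfanew bytes at 0x3C are skipped), plus
    rol(compid, count) for every entry."""
    cksum = len(dos_stub)
    for i, b in enumerate(dos_stub):
        if 0x3C <= i < 0x40:
            continue
        cksum = (cksum + rol32(b, i)) & 0xFFFFFFFF
    for compid, count in entries:
        cksum = (cksum + rol32(compid, count)) & 0xFFFFFFFF
    return cksum


def build_rich_header(dos_stub, entries):
    """Append a correctly keyed Rich header to a DOS stub."""
    key = rich_checksum(dos_stub, entries)
    words = [DANS ^ key, key, key, key]            # masked marker + three zero pads
    for compid, count in entries:
        words += [compid ^ key, count ^ key]
    words += [RICH, key]                            # trailer is stored unmasked
    return dos_stub + struct.pack(f"<{len(words)}I", *words)


def parse_rich_header(data, limit=0x400):
    """Return (key, entries, dans_offset, checksum_ok), or None if no header."""
    rich = data.rfind(b"Rich", 0, limit)
    if rich < 0 or rich + 8 > len(data):
        return None
    key = struct.unpack_from("<I", data, rich + 4)[0]
    pos, words = rich - 4, []
    while pos >= 0x40:                              # DanS never sits inside the DOS header
        w = struct.unpack_from("<I", data, pos)[0] ^ key
        if w == DANS:
            break
        words.append(w)
        pos -= 4
    else:
        return None
    words.reverse()                                 # pad, pad, pad, compid, count, ...
    if len(words) < 3 or any(words[:3]) or (len(words) - 3) % 2:
        return None
    entries = [(words[i], words[i + 1]) for i in range(3, len(words), 2)]
    return key, entries, pos, rich_checksum(data[:pos], entries) == key


def describe(entries):
    """Split each compid into the product id / build pair a report prints."""
    return [{"prodid": c >> 16, "build": c & 0xFFFF, "count": n} for c, n in entries]


DEMO_ENTRIES = [
    (0x0101 << 16 | 30729, 13),   # placeholder product id; build 30729 = VS2008 SP1 as reported
    (0x0102 << 16 | 21005, 1),    # placeholder product id; build 21005 = VS2013 as reported
]


def demo_image():
    """Constructed input: a 0x80-byte DOS header/stub plus a freshly keyed Rich header."""
    stub = bytearray(0x80)
    stub[:2] = b"MZ"
    struct.pack_into("<I", stub, 0x3C, 0xE8)        # e_lfanew, excluded from the checksum
    stub[0x40:0x4E] = b"This program c"             # some stub text so the rotation matters
    return build_rich_header(bytes(stub), DEMO_ENTRIES)


if __name__ == "__main__":
    key, entries, dans, ok = parse_rich_header(demo_image())
    print(f"key 0x{key:08x}, DanS at 0x{dans:x}, checksum {'ok' if ok else 'MISMATCH'}")
    for entry in describe(entries):
        print(entry)
```

Pointed at the first 0x400 bytes of the real file, parse_rich_header() should return the key 0xcbf096b8 shown above; a checksum mismatch there would be the first thing to mention in a write-up, since a forged Rich header is a deliberate attempt to poison toolchain-based attribution.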

Errors