Architecture: IMAGE_FILE_MACHINE_AMD64
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_CUI
Compilation Date: 1970-Jan-01 00:00:00
Debug artifacts: Embedded COFF debugging symbols
Suspicious: The PE is possibly packed.
- Unusual section name found: /4
- Unusual section name found: /19
- Unusual section name found: /32
- Unusual section name found: /46
- Unusual section name found: /63
- Unusual section name found: /80
- Unusual section name found: /99
- Unusual section name found: /112
- Unusual section name found: /124
- Unusual section name found: .symtab

Suspicious: The PE contains functions most legitimate programs don't use.
- [!] The program may be hiding some of its imports:
  - LoadLibraryA
  - LoadLibraryW
  - GetProcAddress
- Functions which can be used for anti-debugging purposes:
- Leverages the raw socket API to access the Internet:
Malicious: VirusTotal score: 3/65 (Scanned on 2018-11-08 20:45:55)
- Cylance: Unsafe
- Jiangmin: Backdoor.Gorsh.c
- CrowdStrike: malicious_confidence_80% (W)
MD5: 0d4a1006c03c5a7043de3b0cf904d169
SHA1: 32cadcb447cbb5cbed884a27352836d7fac60671
SHA256: 5892df42822a84947f4f3d2753631bf66db814417f49595ff95c37bea0dd3871
SHA3: 8dcd44d708238e6984b119e509338376dd97637c41bdca2125d8d79db05f07db
SSDeep: 24576:6WAVE2fjGCFrBeqsIJNxzMq1KjmOBK5m1N8/n+:6WAfjG+rBe7IJNxzO6fY8
Imports Hash: 1c2a6fbef41572f4c9ce8acb5a63cde7
DOS header:
e_magic: MZ
e_cblp: 0x90
e_cp: 0x3
e_crlc: 0x4
e_cparhdr: 0
e_minalloc: 0
e_maxalloc: 0xffff
e_ss: 0
e_sp: 0x8b
e_csum: 0
e_ip: 0
e_cs: 0
e_ovno: 0
e_oemid: 0
e_oeminfo: 0
e_lfanew: 0x80
PE file header:
Signature: PE
Machine: IMAGE_FILE_MACHINE_AMD64
NumberOfSections: 14
TimeDateStamp: 1970-Jan-01 00:00:00
PointerToSymbolTable: 0x1f8a00
NumberOfSymbols: 3634
SizeOfOptionalHeader: 0xf0
Characteristics:
- IMAGE_FILE_DEBUG_STRIPPED
- IMAGE_FILE_EXECUTABLE_IMAGE
- IMAGE_FILE_LARGE_ADDRESS_AWARE
- IMAGE_FILE_RELOCS_STRIPPED
Optional header:
Magic: PE32+
LinkerVersion: 3.0
SizeOfCode: 0xa6600
SizeOfInitializedData: 0x13600
SizeOfUninitializedData: 0
AddressOfEntryPoint: 0x0000000000052E60 (Section: .text)
BaseOfCode: 0x1000
ImageBase: 0x400000
SectionAlignment: 0x1000
FileAlignment: 0x200
OperatingSystemVersion: 4.0
ImageVersion: 1.0
SubsystemVersion: 4.0
Win32VersionValue: 0
SizeOfImage: 0x243000
SizeOfHeaders: 0x600
Checksum: 0
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_CUI
SizeOfStackReserve: 0x200000
SizeOfStackCommit: 0x1000
SizeOfHeapReserve: 0x100000
SizeOfHeapCommit: 0x1000
LoaderFlags: 0
NumberOfRvaAndSizes: 16
Section 1 of 14 (.text, the section holding AddressOfEntryPoint):
MD5: ba8bad982fa8c9ccb99d664499dc0852
SHA1: 5490fae3f1aeebae91738c96eb28804bfaa1c9fc
SHA256: 18e9f6ecd369bf0aacd58b1fb3a7b6b376bed6c593eeb6eb3c5103cb131dcc65
SHA3: 9646acc759660a6e81c228ff661c43eb4f2e80c1e9f37f9163e0d50de753c296
VirtualSize: 0xa64dd
VirtualAddress: 0x1000
SizeOfRawData: 0xa6600
PointerToRawData: 0x600
PointerToRelocations: 0
PointerToLineNumbers: 0
NumberOfLineNumbers: 0
NumberOfRelocations: 0
Characteristics:
- IMAGE_SCN_CNT_CODE
- IMAGE_SCN_CNT_INITIALIZED_DATA
- IMAGE_SCN_MEM_EXECUTE
- IMAGE_SCN_MEM_READ
Entropy: 5.8665
Section 2 of 14:
MD5: ec367b42c0e4f5f00031089dd340db13
SHA1: ca754bd02d93c9f95efd6d27b51bf2e82eb630dc
SHA256: 7f9f813287b3729ecd938b2c81dfd3094332993d57577b8160b8042ae0e52b06
SHA3: 010ffa5e15e203894c28ba669a4b7e5a1b39e86eb0bc3c6315e86df0e5083bc9
VirtualSize: 0xcee82
VirtualAddress: 0xa8000
SizeOfRawData: 0xcf000
PointerToRawData: 0xa6c00
PointerToRelocations: 0
PointerToLineNumbers: 0
NumberOfLineNumbers: 0
NumberOfRelocations: 0
Characteristics:
- IMAGE_SCN_CNT_INITIALIZED_DATA
- IMAGE_SCN_MEM_EXECUTE
- IMAGE_SCN_MEM_READ
Entropy: 5.11788
Section 3 of 14:
MD5: 8475ed715a1b412df33e4658b319e2c6
SHA1: ae486257518135f8950c797f4108e7433c68a0a7
SHA256: f4b8bb6a71e9c1165e24d076d649034fb99179ced1a03358ee04db42cd1fa23a
SHA3: 64721f8262067d571d7f01922f5b34bab0c90e17d175ec83aab5bd333d105884
VirtualSize: 0x30f38
VirtualAddress: 0x177000
SizeOfRawData: 0x13600
PointerToRawData: 0x175c00
PointerToRelocations: 0
PointerToLineNumbers: 0
NumberOfLineNumbers: 0
NumberOfRelocations: 0
Characteristics:
- IMAGE_SCN_CNT_INITIALIZED_DATA
- IMAGE_SCN_MEM_READ
- IMAGE_SCN_MEM_WRITE
Entropy: 4.15623
Section 4 of 14:
MD5: 22b64d2fda5f7ecbbdeaa349e1ceee01
SHA1: 72c8604af6367d669f6eea1062dc0f551cc85517
SHA256: d7d432bd92e4f643749c1eab81bbf7ec6e3b76affcd489039385c75050ef346a
SHA3: 7f3b8c26b8dcb0a8f677e385f7914766478778ce7ec4dc121158e6b2c36b3246
VirtualSize: 0x112
VirtualAddress: 0x1a8000
SizeOfRawData: 0x200
PointerToRawData: 0x189200
PointerToRelocations: 0
PointerToLineNumbers: 0
NumberOfLineNumbers: 0
NumberOfRelocations: 0
Characteristics:
- IMAGE_SCN_MEM_DISCARDABLE
- IMAGE_SCN_MEM_READ
Entropy: 4.75112
Section 5 of 14:
MD5: d5c8db6832a7245698db412a03d229ce
SHA1: 4e7f62f354287d30bc336e8e515f179ddccc5e1b
SHA256: 75ad8307e524015c6a17b0e782edd4f2fcf2fcbb4ed8e64b57446818a529451a
SHA3: 0c7d8ae54711fc5672804b84825897864c6ad4967b25bffbab4b449206b6abea
VirtualSize: 0x15f3e
VirtualAddress: 0x1a9000
SizeOfRawData: 0x16000
PointerToRawData: 0x189400
PointerToRelocations: 0
PointerToLineNumbers: 0
NumberOfLineNumbers: 0
NumberOfRelocations: 0
Characteristics:
- IMAGE_SCN_MEM_DISCARDABLE
- IMAGE_SCN_MEM_READ
Entropy: 7.99261
Section 6 of 14:
MD5: 702cfe42a4603d6173db1c6fa14fce2d
SHA1: 951a3aa6ba012166da8fafcd9b2ae54be581dd0f
SHA256: 7c2e08d9a60f9e4581de152c3ed073f69a9c88cc6554168cca9022e5818d9da3
SHA3: 6c21d206c0bdd8ffc378126dfd275f0cb77d1a25c8b9fb2a06d49cc5ab70c7a5
VirtualSize: 0x6d02
VirtualAddress: 0x1bf000
SizeOfRawData: 0x6e00
PointerToRawData: 0x19f400
PointerToRelocations: 0
PointerToLineNumbers: 0
NumberOfLineNumbers: 0
NumberOfRelocations: 0
Characteristics:
- IMAGE_SCN_MEM_DISCARDABLE
- IMAGE_SCN_MEM_READ
Entropy: 7.91927
Section 7 of 14:
MD5: 349ff9562dad40cdcf9c0bc039202cd0
SHA1: 92076aa712d757aaee3fb83e0140386e486bde3d
SHA256: e21b9b51ec37131822eb3db45723c50ed4d8f6ce686779a144c382a6db9dccfd
SHA3: 9e6e099dfd43b0807306daee0f2759562e2f5f384e2d8d9beee8d150a8f0d986
VirtualSize: 0x3066
VirtualAddress: 0x1c6000
SizeOfRawData: 0x3200
PointerToRawData: 0x1a6200
PointerToRelocations: 0
PointerToLineNumbers: 0
NumberOfLineNumbers: 0
NumberOfRelocations: 0
Characteristics:
- IMAGE_SCN_MEM_DISCARDABLE
- IMAGE_SCN_MEM_READ
Entropy: 7.88486
Section 8 of 14:
MD5: 203ea95450581e94b951585aa5e1feb9
SHA1: 7d5bdea198d1f25bce4e6f654737a95354294989
SHA256: 2b02610a73a646521b2249924abaa0f2ea7e5253ac30b8821d14836d890c91fa
SHA3: 8919868d7ad01fb1da9f858fb7bce2556f55ae8ed03d5f8467afc447f0802618
VirtualSize: 0x3347
VirtualAddress: 0x1ca000
SizeOfRawData: 0x3400
PointerToRawData: 0x1a9400
PointerToRelocations: 0
PointerToLineNumbers: 0
NumberOfLineNumbers: 0
NumberOfRelocations: 0
Characteristics:
- IMAGE_SCN_MEM_DISCARDABLE
- IMAGE_SCN_MEM_READ
Entropy: 7.95348
Section 9 of 14:
MD5: b695610b59faaff118f91fc317f4e65e
SHA1: 6f4d208a90e255392c574ec0336b99e920d0f362
SHA256: 233ae9f513e2418ad1e3a6fedf87626384729437a3501a83ccd8d11a2708eb08
SHA3: d286a8c03d951ad15f8f24a568274782f8434a89048151253ec5b4b51952349e
VirtualSize: 0x22
VirtualAddress: 0x1ce000
SizeOfRawData: 0x200
PointerToRawData: 0x1ac800
PointerToRelocations: 0
PointerToLineNumbers: 0
NumberOfLineNumbers: 0
NumberOfRelocations: 0
Characteristics:
- IMAGE_SCN_MEM_DISCARDABLE
- IMAGE_SCN_MEM_READ
Entropy: 0.613839
Section 10 of 14:
MD5: 7dd15ceec3fce8d361bb4a676fcea15c
SHA1: 4005b4fe7b87220e83f308d393799245c832ace2
SHA256: 947eba69486f1e7749bf2982000f79cb9e656c48b54a5e386cf448299a672f97
SHA3: 6382fcf0e68fd2555884ff4af7237e5def8fa6c6eef1c3f69112e82d8dd4f370
VirtualSize: 0x2f011
VirtualAddress: 0x1cf000
SizeOfRawData: 0x2f200
PointerToRawData: 0x1aca00
PointerToRelocations: 0
PointerToLineNumbers: 0
NumberOfLineNumbers: 0
NumberOfRelocations: 0
Characteristics:
- IMAGE_SCN_MEM_DISCARDABLE
- IMAGE_SCN_MEM_READ
Entropy: 7.99524
Section 11 of 14:
MD5: b4a51eba955774079a6c8e825e1d914d
SHA1: e5b472cf3a3426726dffa55323345dc3c48daa44
SHA256: 934edc0b86de2b47b01314d3b8659c617497f2bbb67a87b5ce3640d4158a7810
SHA3: 0954b23d286b714571004121e48d58f8e081014572242962ec92e9b02e1a354f
VirtualSize: 0x14e5b
VirtualAddress: 0x1ff000
SizeOfRawData: 0x15000
PointerToRawData: 0x1dbc00
PointerToRelocations: 0
PointerToLineNumbers: 0
NumberOfLineNumbers: 0
NumberOfRelocations: 0
Characteristics:
- IMAGE_SCN_MEM_DISCARDABLE
- IMAGE_SCN_MEM_READ
Entropy: 7.98329
Section 12 of 14:
MD5: cbb390fed3d095a48cba5db46225bd4c
SHA1: 06d3d28cdb8781e248416c44377a2cd7630fa5f1
SHA256: 307eaa0f41f4486d827a8339cd7b2f93ff82bee4ac92060a8e46ab8cee1e4ce6
SHA3: 410cf937d65702422f678f5f0be64b2e94a1291391b2e4ff5d3bc702135c8544
VirtualSize: 0x76c4
VirtualAddress: 0x214000
SizeOfRawData: 0x7800
PointerToRawData: 0x1f0c00
PointerToRelocations: 0
PointerToLineNumbers: 0
NumberOfLineNumbers: 0
NumberOfRelocations: 0
Characteristics:
- IMAGE_SCN_MEM_DISCARDABLE
- IMAGE_SCN_MEM_READ
Entropy: 7.78528
Section 13 of 14:
MD5: 198bf3e237b0de38c411fc07f3297d4b
SHA1: 73ec889066521cf875c79860b697ae5bcc10f1f3
SHA256: d0d5059d0b3be27bc809587bb1abd2472c587fcc37abde28daf64b48546af6c6
SHA3: 26270f3ec0b6688f963063b8efff988aa4ed46798fc541c54078b2f878a600dc
VirtualSize: 0x416
VirtualAddress: 0x21c000
SizeOfRawData: 0x600
PointerToRawData: 0x1f8400
PointerToRelocations: 0
PointerToLineNumbers: 0
NumberOfLineNumbers: 0
NumberOfRelocations: 0
Characteristics:
- IMAGE_SCN_CNT_INITIALIZED_DATA
- IMAGE_SCN_MEM_READ
- IMAGE_SCN_MEM_WRITE
Entropy: 3.29141
Section 14 of 14 (.symtab; its PointerToRawData equals the file header's PointerToSymbolTable):
MD5: 3879b99e3fb5dbdaf7cc86c2d8f4b70a
SHA1: 11ba0dd1cef504ce8baaf449546b1044523a16cf
SHA256: e9ae735e8bf5e5366ad70b8260506687924db647c923eb5be9860a411d86abc5
SHA3: 9aca7eb90906967ed512bd46018d056c647e0fb10e0ca7ff2ad866159456ba20
VirtualSize: 0x25b27
VirtualAddress: 0x21d000
SizeOfRawData: 0x25c00
PointerToRawData: 0x1f8a00
PointerToRelocations: 0
PointerToLineNumbers: 0
NumberOfLineNumbers: 0
NumberOfRelocations: 0
Characteristics:
- IMAGE_SCN_MEM_DISCARDABLE
- IMAGE_SCN_MEM_READ
Entropy: 5.2113
Imports:

winmm.dll:
- timeEndPeriod
- timeBeginPeriod

ws2_32.dll:
- WSAGetOverlappedResult

kernel32.dll:
- WriteFile
- WriteConsoleW
- WaitForSingleObject
- VirtualQuery
- VirtualFree
- VirtualAlloc
- SwitchToThread
- SetWaitableTimer
- SetUnhandledExceptionFilter
- SetProcessPriorityBoost
- SetEvent
- SetErrorMode
- SetConsoleCtrlHandler
- LoadLibraryA
- LoadLibraryW
- GetSystemInfo
- GetStdHandle
- GetQueuedCompletionStatus
- GetProcessAffinityMask
- GetProcAddress
- GetEnvironmentStringsW
- GetConsoleMode
- FreeEnvironmentStringsW
- ExitProcess
- DuplicateHandle
- CreateThread
- CreateIoCompletionPort
- CreateEventA
- CloseHandle
- AddVectoredExceptionHandler

Parser warnings:
[*] Warning: Tried to read outside the COFF string table to get the name of section /4!
[*] Warning: Tried to read outside the COFF string table to get the name of section /19!
[*] Warning: Tried to read outside the COFF string table to get the name of section /32!
[*] Warning: Tried to read outside the COFF string table to get the name of section /46!
[*] Warning: Tried to read outside the COFF string table to get the name of section /63!
[*] Warning: Tried to read outside the COFF string table to get the name of section /80!
[*] Warning: Tried to read outside the COFF string table to get the name of section /99!
[*] Warning: Tried to read outside the COFF string table to get the name of section /112!
[*] Warning: Tried to read outside the COFF string table to get the name of section /124!