0fc645054ffe1d8cddaa69a66455a2a1

Summary

Architecture IMAGE_FILE_MACHINE_I386
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date 2010-Aug-09 01:44:42
Detected languages English - United States
CompanyName Adobe Systems, Inc.
FileDescription Adobe® Flash® Player Installer/Uninstaller 10.1 r53
FileVersion 10,1,53,64
InternalName Adobe® Flash® Player Installer/Uninstaller 10.1
LegalCopyright Copyright © 1996-2010 Adobe, Inc.
LegalTrademarks Adobe® Flash® Player
OriginalFilename FlashUtil.exe
ProductName Flash® Player Installer/Uninstaller
ProductVersion 10,1,53,64

Plugin Output

Suspicious Strings found in the binary may indicate undesirable behavior: Contains references to system / monitoring tools:
  • regedit.exe
May have dropper capabilities:
  • CurrentVersion\Run
Info Libraries used to perform cryptographic operations: Microsoft's Cryptography API
Suspicious The PE is possibly packed. Section .text is both writable and executable.
Suspicious The PE contains functions most legitimate programs don't use. Possibly launches other programs:
  • WinExec
Uses Microsoft's cryptographic API:
  • CryptAcquireContextA
  • CryptReleaseContext
  • CryptGenRandom
Can create temporary files:
  • CreateFileA
  • GetTempPathA
Memory manipulation functions often used by packers:
  • VirtualProtect
  • VirtualAllocEx
  • VirtualAlloc
Interacts with services:
  • EnumServicesStatusA
  • OpenSCManagerA
Info The PE's resources present abnormal characteristics. Resource 102 is possibly compressed or encrypted.
Malicious The program tries to mislead users about its origins. The PE pretends to be from Adobe but is not signed!
Malicious VirusTotal score: 50/66 (Scanned on 2018-06-21 23:37:03)
Emsisoft: Gen:Variant.Kazy.247287 (B)
MicroWorld-eScan: Gen:Variant.Kazy.247287
CAT-QuickHeal: Trojan.Mauvaise.SL1
McAfee: Downloader-BIJ
Cylance: Unsafe
K7AntiVirus: Trojan-Downloader ( 0040f54b1 )
K7GW: Trojan-Downloader ( 0040f54b1 )
Cybereason: malicious.54ffe1
TrendMicro: BKDR_SIMBOT.SMJB
Baidu: Win32.Trojan.Inject.bm
Cyren: W32/A-1a76837c!Eldorado
Symantec: Trojan.Cryect
TrendMicro-HouseCall: BKDR_SIMBOT.SMJB
Avast: Win32:Evo-gen [Susp]
ClamAV: Win.Trojan.Rubinurd-67
Kaspersky: Trojan.Win32.Inject.aaceh
Microsoft: Trojan:Win32/Dorv.A
NANO-Antivirus: Trojan.Win32.Small.cpbmb
ViRobot: Trojan.Win32.Downloader.36864.PZ
AegisLab: Troj.Downloader.W32.Small.lk0q
Ad-Aware: Gen:Variant.Kazy.247287
Comodo: Backdoor.Win32.Simbot.FTSP
F-Secure: Gen:Variant.Kazy.247287
DrWeb: Trojan.DownLoad2.15318
Invincea: heuristic
McAfee-GW-Edition: BehavesLike.Win32.Downloader.nm
TheHacker: Trojan/Injector.bfsu
Ikarus: Trojan-Downloader.Win32.Small
F-Prot: W32/A-1a76837c!Eldorado
Jiangmin: TrojanDownloader.Small.ajux
Webroot: W32.Trojan.Coremhead
Avira: TR/Dropper.Gen
MAX: malware (ai score=81)
Antiy-AVL: Trojan/Win32.Inject.aaceh
Endgame: malicious (high confidence)
Arcabit: Trojan.Kazy.D3C5F7
SUPERAntiSpyware: Trojan.Agent/Gen-Kazy
ZoneAlarm: Trojan.Win32.Inject.aaceh
AhnLab-V3: Backdoor/Win32.CSon.R885
ALYac: Gen:Variant.Kazy.247287
TACHYON: Trojan/W32.Agent.36864.BSC
VBA32: SScope.Backdoor.Simbot
Malwarebytes: Backdoor.Simbot
Panda: Trj/Genetic.gen
ESET-NOD32: a variant of Win32/Injector.BFSU
SentinelOne: static engine - malicious
Fortinet: W32/Generic.AC.DE4!tr
AVG: Win32:Evo-gen [Susp]
CrowdStrike: malicious_confidence_100% (D)
Qihoo-360: HEUR/QVM19.1.008D.Malware.Gen

Hashes

MD5 0fc645054ffe1d8cddaa69a66455a2a1
SHA1 3db42c5ef469c16601e1751e0b03020e6ad7d4f5
SHA256 67fbb723a5470c861ed1667b56f0b0fd225ced944ac7b4e87825610d218fbf9d
SHA3 a264a8909a0d2c95618c72d8646b5564fa579400df3d3dfca3956d4aa299667c
SSDeep 384:hrxUgif3+y4MfyzLeReRbnOYcP97rmqUwu98gr0/OUvNWnjikmg:hQGFihj9WqU998gr0gnAg
Imports Hash 118eb37b88640d7f3f7ac979ea5687cc

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0xd0

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_I386
NumberofSections 4
TimeDateStamp 2010-Aug-09 01:44:42
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xe0
Characteristics IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_RELOCS_STRIPPED

Image Optional Header

Magic PE32
LinkerVersion 6.0
SizeOfCode 0x2000
SizeOfInitializedData 0x6000
SizeOfUninitializedData 0
AddressOfEntryPoint 0x00001000 (Section: .text)
BaseOfCode 0x1000
BaseOfData 0x3000
ImageBase 0x400000
SectionAlignment 0x1000
FileAlignment 0x1000
OperatingSystemVersion 4.0
ImageVersion 0.0
SubsystemVersion 4.0
Win32VersionValue 0
SizeOfImage 0x9000
SizeOfHeaders 0x1000
Checksum 0
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
SizeofStackReserve 0x100000
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

.text

MD5 fc0f156e4d45f544e59366cac201cb35
SHA1 18d81061f825e2ad1550d445fef325d8000d041e
SHA256 5cbfeb67fbbdd65bddf94067d431aac2979de679c5072eb740ee9d0b9984b88b
SHA3 c2166eeb37a2593fa0bb0f83fdf90bf34bdd0076970b966f540884cee78a350a
VirtualSize 0x1765
VirtualAddress 0x1000
SizeOfRawData 0x2000
PointerToRawData 0x1000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 5.95797

.rdata

MD5 141af7e07691724bef565c6b23ade8e9
SHA1 673061b2fd54875fe42c2a06f80bed11dcab732f
SHA256 5a3b8dbf78b08d9ae78924313b0983655473c6552275cc8188e9281accc43da3
SHA3 af0ed5341b590b4ad0179e78f23504faecbbe44ede4ce11c8fb79f15c41c079f
VirtualSize 0x735
VirtualAddress 0x3000
SizeOfRawData 0x1000
PointerToRawData 0x3000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 2.76183

.data

MD5 34de608c8cb14b6016dcc9a911bed334
SHA1 59a31637c63eea1e861cc629ce76eb263390368b
SHA256 15c6bfc66553ec54103de3541a07aae2e49dc914ee4cde7c6b2baafe8dae6147
SHA3 a1c2cab47f356404a897b33ad1d39dbbbc314fcb9f936f35b60712a1789751e8
VirtualSize 0x648
VirtualAddress 0x4000
SizeOfRawData 0x1000
PointerToRawData 0x4000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 1.01325

.rsrc

MD5 c09a326eede973179ceb26fd304c6382
SHA1 c58505bc9b8632a8b49feddc74fddc44351a460f
SHA256 fed69c73baf6dde7121370e8edb3f6547de34f290977eb3e74840a9b56f7cab0
SHA3 d6394d2efdf3f48de6ca260b3e316ef0c1774d2c1c3cdab9c1eba8e142ad4e71
VirtualSize 0x34c4
VirtualAddress 0x5000
SizeOfRawData 0x4000
PointerToRawData 0x5000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 7.51783

Imports

KERNEL32.dll ReadFile
HeapAlloc
GetProcessHeap
GetFileSize
CreateFileA
CopyFileA
MoveFileExA
GetTempFileNameA
GetTempPathA
GetModuleFileNameA
LockResource
LoadResource
SizeofResource
FindResourceA
GetLastError
lstrcpyA
MoveFileA
DeleteFileA
lstrcatA
lstrcmpiA
ExitProcess
ExpandEnvironmentStringsA
GetTickCount
LeaveCriticalSection
GetProcAddress
EnterCriticalSection
VirtualProtect
InitializeCriticalSection
GetModuleHandleA
TerminateProcess
VirtualAllocEx
HeapFree
VirtualAlloc
lstrlenA
Sleep
WinExec
GetLocalTime
SetUnhandledExceptionFilter
GetCurrentProcess
GetCurrentProcessId
GetCurrentThreadId
SetFilePointer
WriteFile
CloseHandle
BeginUpdateResourceA
UpdateResourceA
GetLongPathNameA
EndUpdateResourceA
USER32.dll wsprintfA
MessageBeep
MessageBoxA
ADVAPI32.dll CryptAcquireContextA
CryptReleaseContext
CloseServiceHandle
EnumServicesStatusA
OpenSCManagerA
CryptGenRandom
SHLWAPI.dll StrRChrIA
StrChrA
PathRemoveFileSpecA
dbghelp.dll MiniDumpWriteDump

Delayed Imports

szFile

Ordinal 1
Address 0x42f8

102

Type RT_RCDATA
Language English - United States
Codepage Latin 1 / Western European
Size 0x3000
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 7.9837
MD5 4ff7dad7427c125e885421e0036d6bf3
SHA1 dc26c10725d93cb3617033d1b65ddf42c22442d0
SHA256 17515f0937a7cfd54ed7cf4286b91344f3f504d93505e8748a1c82e506216b32
SHA3 47e7e0135357050429dfac178d000eadac84610020e9d9bdf7a42ebb9636d3b7

1

Type RT_VERSION
Language English - United States
Codepage Latin 1 / Western European
Size 0x410
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 3.47344
MD5 145baf5a3286f659568732061672195a
SHA1 ad57f97173966242511cfd866066692ca4bb1eb3
SHA256 c7e4444acb0d90d867fd35c7c7688913851d6ba9a46f16711bb23d016a23f88e
SHA3 1f7ad525bb390842a20932a0cb89503deba38072077704eaac76c2c0e087f6af

Version Info

Signature 0xfeef04bd
StructVersion 0x10000
FileVersion 10.1.53.64
ProductVersion 10.1.53.64
FileFlags (EMPTY)
FileOs VOS_DOS_WINDOWS32
VOS_NT_WINDOWS32
VOS__WINDOWS32
FileType VFT_DLL
Language English - United States
CompanyName Adobe Systems, Inc.
FileDescription Adobe® Flash® Player Installer/Uninstaller 10.1 r53
FileVersion (#2) 10,1,53,64
InternalName Adobe® Flash® Player Installer/Uninstaller 10.1
LegalCopyright Copyright © 1996-2010 Adobe, Inc.
LegalTrademarks Adobe® Flash® Player
OriginalFilename FlashUtil.exe
ProductName Flash® Player Installer/Uninstaller
ProductVersion (#2) 10,1,53,64
Resource LangID English - United States

TLS Callbacks

Load Configuration

RICH Header

XOR Key 0x722be73f
Unmarked objects 0
14 (7299) 4
Total imports 61
Imports (2179) 11
C objects (VS98 SP6 build 8804) 4
Resource objects (VS98 SP6 cvtres build 1736) 1
Linker (VC++ 6.0 SP5 imp/exp build 8447) 1

Errors
