101af013bd6eaa8d64b38634c32249a8

Summary

Architecture IMAGE_FILE_MACHINE_I386
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date 2014-Jun-25 22:58:59

Plugin Output

Suspicious Strings found in the binary may indicate undesirable behavior:
Miscellaneous malware strings:
  • cmd.exe
Info Cryptographic algorithms detected in the binary: Uses constants related to CRC32
Malicious The PE contains functions mostly used by malware.
[!] The program may be hiding some of its imports:
  • GetProcAddress
  • LoadLibraryA
Functions which can be used for anti-debugging purposes:
  • CreateToolhelp32Snapshot
Possibly launches other programs:
  • CreateProcessA
Can create temporary files:
  • CreateFileW
  • CreateFileA
  • GetTempPathA
Has Internet access capabilities:
  • InternetReadFile
  • InternetSetOptionA
  • InternetOpenA
  • InternetCloseHandle
  • InternetConnectA
Functions related to the privilege level:
  • OpenProcessToken
  • CheckTokenMembership
  • DuplicateToken
Enumerates local disk drives:
  • GetVolumeInformationA
  • GetDriveTypeA
  • GetDriveTypeW
Manipulates other processes:
  • Process32Next
  • OpenProcess
  • Process32First
Can take screenshots:
  • CreateCompatibleDC
  • BitBlt
Suspicious The file contains overlay data. 32 bytes of data starting at offset 0x5600.
Malicious VirusTotal score: 32/49 (Scanned on 2014-07-26 22:21:03)
nProtect: Trojan-Spy/W32.Agent.22048
McAfee: VTFlooder!101AF013BD6E
K7AntiVirus: Trojan ( 0049c30b1 )
K7GW: Trojan ( 0049c30b1 )
TheHacker: Trojan/Agent.wbx
NANO-Antivirus: Trojan.Win32.ATRAPS.dbpzhw
F-Prot: W32/A-887abf0f!Eldorado
Symantec: Trojan.Gen
Avast: Win32:Trojan-gen
ClamAV: Win.Trojan.Agent-748115
Kaspersky: Trojan-Spy.Win32.Agent.cpyi
BitDefender: DeepScan:Generic.Malware.FP!dldPk!.A3F6BED5
SUPERAntiSpyware: Trojan.Agent/Gen-Atraps
Ad-Aware: DeepScan:Generic.Malware.FP!dldPk!.A3F6BED5
Comodo: TrojWare.Win32.Agent.WBX
F-Secure: DeepScan:Generic.Malware.FP!dldPk!.A3F6BED5
DrWeb: BackDoor.Spy.2465
VIPRE: Trojan.Win32.Generic!BT
AntiVir: TR/ATRAPS.A.1755
McAfee-GW-Edition: VTFlooder!101AF013BD6E
Emsisoft: DeepScan:Generic.Malware.FP!dldPk!.A3F6BED5 (B)
Antiy-AVL: Trojan/Win32.TSGeneric
Microsoft: Trojan:Win32/Vflooder.C
AhnLab-V3: Trojan/Win32.Agent
GData: DeepScan:Generic.Malware.FP!dldPk!.A3F6BED5
ByteHero: Trojan.Win32.Heur.Gen
ESET-NOD32: a variant of Win32/Agent.WBX
Ikarus: Trojan.Win32.Agent
Fortinet: W32/Agent.WBX!tr
AVG: Agent4.BXTX
Panda: Trj/Genetic.gen
Qihoo-360: Malware.QVM20.Gen

Hashes

MD5 101af013bd6eaa8d64b38634c32249a8
SHA1 136f0899d8de226fbb4ff9e1c145b9ee8821a581
SHA256 385f4819ce16d738087e7495e6e5db185fff1b502444d04007329d01e2e74493
SHA3 2af5cad4ebec5b6cae1b31f422f2fdb410265e9588508def97bda8a3f55383e9
SSDeep 384:bx02c+NiNMhaS9MySYitL93lppji83C8ARDr3QfTQkNEExIstAv3ATefCiigrcLr:62XiNCR9MLYWi8JsOOstAv3ATec460tE
Imports Hash 74167f8a3222943360c482c8dc5c7d89

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0xd8

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_I386
NumberofSections 4
TimeDateStamp 2014-Jun-25 22:58:59
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xe0
Characteristics IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE

Image Optional Header

Magic PE32
LinkerVersion 10.0
SizeOfCode 0x3800
SizeOfInitializedData 0x1c00
SizeOfUninitializedData 0
AddressOfEntryPoint 0x00003960 (Section: .text)
BaseOfCode 0x1000
BaseOfData 0x5000
ImageBase 0x400000
SectionAlignment 0x1000
FileAlignment 0x200
OperatingSystemVersion 5.1
ImageVersion 0.0
SubsystemVersion 5.1
Win32VersionValue 0
SizeOfImage 0x8000
SizeOfHeaders 0x400
Checksum 0
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
DllCharacteristics IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
SizeofStackReserve 0x100000
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

.text

MD5 c11fe0d7f0559b10389fdbeba6c235d0
SHA1 0042a5b5270210f1215817fc64089a8b11a49895
SHA256 5c6a1f33b116e8855a90c01429eddbc48fe0c3c58fb576db4e053236fd8f7c18
SHA3 b0923afcb7978c8c6686cbfc5ceea07313051982387550d145e681f3d501d41d
VirtualSize 0x37ac
VirtualAddress 0x1000
SizeOfRawData 0x3800
PointerToRawData 0x400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
Entropy 6.18794

.rdata

MD5 4876331aeba55516c4f01c33e4bb1ab3
SHA1 9b16fc6997981b2958fe7ab95aae9ccf648a25ed
SHA256 33e4617d9867ffd7ba68bea2123120804e31e6d3956fed4545d7fb34e1cb03e8
SHA3 c7f8d4ce9805bee58c54fd549029f95153e2e1f26505960107a152b4831a344a
VirtualSize 0xc7c
VirtualAddress 0x5000
SizeOfRawData 0xe00
PointerToRawData 0x3c00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 4.76219

.data

MD5 a02d1b70927f3c90c3f02cc8bce4ca81
SHA1 4612eadcccebd6dc4dc0d7622c52718fcec20ad0
SHA256 ae1346f254ccf5abcd39afb2098deddd8efe61b6c71052bf8b0f5eb7d3f88062
SHA3 53275d62f75a30cc241489c1e0cf2250aa57bb19fbb7dd418bbbecd15d36881f
VirtualSize 0x62c
VirtualAddress 0x6000
SizeOfRawData 0x600
PointerToRawData 0x4a00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 7.30151

.reloc

MD5 317ba6796007105fdad3e5bac141a6c4
SHA1 cb25f3756fd9d57e5c0c0eb3e932e39057ff152d
SHA256 4851e1e7959e695679e4151bb77dacec2ce695f2f1574620b7e7d505f8586aed
SHA3 6fc97e71bc25305563d74d9f489b29a3fd1cb9c6f4eb78e2945c2f1947cc9d72
VirtualSize 0x5a0
VirtualAddress 0x7000
SizeOfRawData 0x600
PointerToRawData 0x5000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Entropy 4.95012

Imports

KERNEL32.dll CreateFileW
FindFirstFileW
FindClose
FindNextFileW
GetWindowsDirectoryW
WaitForSingleObject
GetModuleHandleW
GetTickCount
Sleep
CreateProcessA
GetModuleFileNameW
GetStartupInfoA
ReadFile
GetFileSize
DeleteFileA
CreateThread
GetProcAddress
LoadLibraryA
GetCurrentProcess
GetLastError
GetSystemInfo
GetModuleHandleA
GlobalAlloc
GlobalFree
GetTempFileNameA
CreateFileA
CloseHandle
GetVersionExA
CreateToolhelp32Snapshot
GetDiskFreeSpaceA
HeapReAlloc
Process32Next
GetCurrentDirectoryW
GetSystemDirectoryA
GetFileAttributesW
GetVolumeInformationA
OpenProcess
GetDriveTypeA
GetLogicalDrives
Process32First
GetDriveTypeW
GetComputerNameA
GetProcessHeap
HeapFree
HeapAlloc
GetTempPathA
USER32.dll GetWindowRect
GetWindowDC
ReleaseDC
GetDesktopWindow
GDI32.dll CreateDIBSection
CreateCompatibleDC
DeleteObject
DeleteDC
BitBlt
SelectObject
ADVAPI32.dll GetTokenInformation
OpenProcessToken
GetUserNameA
CreateWellKnownSid
CheckTokenMembership
DuplicateToken
SHELL32.dll SHGetFolderPathW
#680
ole32.dll CreateStreamOnHGlobal
ntdll.dll _snwprintf
_wcsicmp
sprintf
memcpy
memset
WININET.dll InternetReadFile
InternetSetOptionA
HttpOpenRequestA
HttpSendRequestA
InternetOpenA
InternetCloseHandle
HttpQueryInfoA
InternetConnectA
IPHLPAPI.DLL GetAdaptersInfo
gdiplus.dll GdipSaveImageToStream
GdipGetImageEncodersSize
GdipDisposeImage
GdipCreateBitmapFromHBITMAP
GdipGetImageEncoders
GdiplusStartup
PSAPI.DLL GetModuleFileNameExA
MPR.dll WNetCloseEnum
WNetOpenEnumW
WNetEnumResourceW

Delayed Imports

Version Info

TLS Callbacks

Load Configuration

RICH Header

XOR Key 0x7f4c89dc
Unmarked objects 0
Imports (VS2003 (.NET) build 4035) 2
Imports (VS2008 SP1 build 30729) 23
Total imports 104
175 (VS2010 build 30319) 13
Linker (VS2010 build 30319) 1

Errors
