Architecture | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date | 2014-Nov-21 20:03:38 |
Detected languages | English - United States; Process Default Language |
Debug artifacts | import1.pdb |
CompanyName | Stencyl, LLC |
FileDescription | Stencyl 2.0 |
FileVersion | 2.0 |
InternalName | Stencyl |
LegalCopyright | Copyright, Stencyl, LLC |
OriginalFilename | Stencyl.exe |
ProductName | Stencyl |
ProductVersion | 2.0 |
Info | Interesting strings found in the binary: | Contains domain names: |
---|---|---|
Suspicious | The PE is packed or was manually edited. | The number of imports reported in the RICH header is inconsistent. |
Info | The PE contains common functions which appear in legitimate applications. | [!] The program may be hiding some of its imports: |
Suspicious | The PE header may have been manually modified. | The resource timestamps differ from the PE header: |
Info | The PE is digitally signed. | Signer: Xarios Ltd; Issuer: COMODO Code Signing CA 2 |
Malicious | VirusTotal score: 53/69 (Scanned on 2022-01-03 10:26:20) | DrWeb: Trojan.Packed.29002; MicroWorld-eScan: Gen:Heur.Mint.Zard.24; FireEye: Generic.mg.1408275c2e2c8fe5; McAfee: Bot-FKC!1408275C2E2C; Cylance: Unsafe; Zillya: Trojan.SpyEyesCRTD.Win32.8959; Sangfor: Spyware.Win32.SpyEyes.8; K7AntiVirus: Backdoor ( 0049930f1 ); Alibaba: TrojanSpy:Win32/SpyEyes.0d278040; K7GW: Backdoor ( 0049930f1 ); Cybereason: malicious.c2e2c8; BitDefenderTheta: Gen:NN.ZexaF.34114.wu1@aubarLiG; VirIT: Backdoor.Win32.Generic.BSXY; Symantec: W32.Qakbot; ESET-NOD32: Win32/Qbot.BG; TrendMicro-HouseCall: WORM_QBOT.SMA; Paloalto: generic.ml; ClamAV: Win.Malware.QBot-272; Kaspersky: Trojan-Spy.Win32.SpyEyes.aspt; BitDefender: Gen:Heur.Mint.Zard.24; NANO-Antivirus: Trojan.Win32.SpyEyes.djrxep; SUPERAntiSpyware: Trojan.Agent/Gen-Dropper; Avast: Win32:DangerousSig [Trj]; Tencent: Win32.Trojan.Falsesign.Dumi; Ad-Aware: Gen:Heur.Mint.Zard.24; Sophos: Mal/EncPk-AQV; Comodo: Malware@#5pn30hpo5yhz; VIPRE: Trojan.Win32.Generic!BT; TrendMicro: WORM_QBOT.SMA; McAfee-GW-Edition: Bot-FKC!1408275C2E2C; Emsisoft: Gen:Heur.Mint.Zard.24 (B); GData: Gen:Heur.Mint.Zard.24; Jiangmin: TrojanSpy.SpyEyes.lhp; Avira: HEUR/AGEN.1108573; MAX: malware (ai score=94); Antiy-AVL: Trojan/Generic.ASMalwS.CF6AD6; Kingsoft: Win32.Troj.SpyEyes.as.(kcloud); ViRobot: Trojan.Win32.Z.Spyeyes.369056; Microsoft: Trojan:MSIL/Cryptor; Cynet: Malicious (score: 100); AhnLab-V3: Trojan/Win32.SpyEyes.R127534; Acronis: suspicious; VBA32: SScope.Malware-Cryptor.Hlux; ALYac: Gen:Heur.Mint.Zard.24; APEX: Malicious; Rising: Trojan.Generic@ML.93 (RDML:lLWdLqWgtLlNtmJ/Wya4Mw); Yandex: TrojanSpy.SpyEyes!Aal83YwbBWA; Ikarus: Trojan.SuspectCRC; Fortinet: W32/Qbot.BH!tr; Webroot: Trojan.Dropper.Gen; AVG: Win32:DangerousSig [Trj]; Panda: Trj/Chgt.L; CrowdStrike: win/malicious_confidence_100% (W) |

e_magic | MZ |
---|---|
e_cblp | 0x90 |
e_cp | 0x3 |
e_crlc | 0 |
e_cparhdr | 0x4 |
e_minalloc | 0 |
e_maxalloc | 0xffff |
e_ss | 0 |
e_sp | 0xb8 |
e_csum | 0 |
e_ip | 0 |
e_cs | 0 |
e_ovno | 0 |
e_oemid | 0 |
e_oeminfo | 0 |
e_lfanew | 0xc8 |
Signature | PE |
---|---|
Machine | IMAGE_FILE_MACHINE_I386 |
NumberofSections | 5 |
TimeDateStamp | 2014-Nov-21 20:03:38 |
PointerToSymbolTable | 0 |
NumberOfSymbols | 0 |
SizeOfOptionalHeader | 0xe0 |
Characteristics | IMAGE_FILE_32BIT_MACHINE, IMAGE_FILE_DEBUG_STRIPPED, IMAGE_FILE_EXECUTABLE_IMAGE, IMAGE_FILE_LOCAL_SYMS_STRIPPED, IMAGE_FILE_RELOCS_STRIPPED |

Magic | PE32 |
---|---|
LinkerVersion | 6.0 |
SizeOfCode | 0x6000 |
SizeOfInitializedData | 0x52000 |
SizeOfUninitializedData | 0 |
AddressOfEntryPoint | 0x00006000 (Section: .text) |
BaseOfCode | 0x1000 |
BaseOfData | 0x7000 |
ImageBase | 0x70000000 |
SectionAlignment | 0x1000 |
FileAlignment | 0x1000 |
OperatingSystemVersion | 4.0 |
ImageVersion | 0.0 |
SubsystemVersion | 4.0 |
Win32VersionValue | 0 |
SizeOfImage | 0x59000 |
SizeOfHeaders | 0x1000 |
Checksum | 0x69d7d |
Subsystem | IMAGE_SUBSYSTEM_WINDOWS_GUI |
DllCharacteristics | IMAGE_DLLCHARACTERISTICS_NX_COMPAT |
SizeofStackReserve | 0x100000 |
SizeofStackCommit | 0x1000 |
SizeofHeapReserve | 0x100000 |
SizeofHeapCommit | 0x1000 |
LoaderFlags | 0 |
NumberOfRvaAndSizes | 16 |
KERNEL32.dll | InterlockedExchange, GetComputerNameW, lstrlenA, DuplicateHandle, GetProfileIntW, GetPrivateProfileStringW, LocalReAlloc, GetPrivateProfileSectionW, IsProcessorFeaturePresent, SetConsoleTitleW, GetVolumeNameForVolumeMountPointW, MoveFileExW, SetThreadPriority, lstrcpyA, ReadConsoleOutputAttribute, GetThreadContext, SystemTimeToTzSpecificLocalTime, SetProcessAffinityMask, GetPriorityClass, SetVolumeLabelA, EnumDateFormatsW, MoveFileExA, CreateDirectoryW, LoadLibraryA, GetLastError, InterlockedExchange, FreeLibrary, GetProcAddress, LocalAlloc, RaiseException |
---|---|
SHLWAPI.dll | StrToInt64ExW, IntlStrEqWorkerW, UrlEscapeW, SHDeleteEmptyKeyW, PathBuildRootA, SHStrDupA, PathFindOnPathA, PathCompactPathW, PathIsUNCServerShareA, SHRegQueryUSValueA, SHRegGetPathW, PathIsDirectoryA, PathIsUNCServerShareW, StrDupW, PathSetDlgItemPathW, PathCompactPathA, StrSpnA, ColorAdjustLuma, PathFileExistsW |
WINMM.dll | waveOutGetDevCapsW, midiOutClose, midiInGetNumDevs, waveOutGetPitch, midiOutCacheDrumPatches, mmioSetInfo, waveOutGetID, joyGetPos, waveOutGetVolume, mmioWrite, joyGetNumDevs, waveOutReset, SendDriverMessage, mmioInstallIOProcW, waveOutGetErrorTextW, OpenDriver, waveInStart, midiInAddBuffer, midiInGetDevCapsW, waveOutPause, midiStreamProperty, mciSendCommandA, PlaySoundA, mmioClose, auxGetDevCapsW, auxGetVolume, GetDriverModuleHandle, auxOutMessage, joyGetDevCapsW, mciGetYieldProc, DrvGetModuleHandle, mmioGetInfo |
USER32.dll (delay-loaded) | CharNextW |

Attributes | 0x1 |
---|---|
Name | USER32.dll |
ModuleHandle | 0x3932c |
DelayImportAddressTable | 0x39324 |
DelayImportNameTable | 0x3823c |
BoundDelayImportTable | 0x38250 |
UnloadDelayImportTable | 0 |
TimeStamp | 1970-Jan-01 00:00:00 |
Signature | 0xfeef04bd |
---|---|
StructVersion | 0x10000 |
FileVersion | 2.0.0.0 |
ProductVersion | 2.0.0.0 |
FileFlags | (EMPTY) |
FileOs | VOS_NT, VOS_NT_WINDOWS32, VOS_WINCE |
FileType | VFT_APP |
Language | English - United States |
CompanyName | Stencyl, LLC |
FileDescription | Stencyl 2.0 |
FileVersion (#2) | 2.0 |
InternalName | Stencyl |
LegalCopyright | Copyright, Stencyl, LLC |
OriginalFilename | Stencyl.exe |
ProductName | Stencyl |
ProductVersion (#2) | 2.0 |
Resource LangID | Process Default Language |
---|---|

Characteristics | 0 |
---|---|
TimeDateStamp | 2014-Nov-21 20:04:55 |
Version | 0.0 |
SizeofData | 36 |
AddressOfRawData | 0x38a18 |
PointerToRawData | 0x38a18 |
Referenced File | import1.pdb |
XOR Key | 0x4a0cf939 |
---|---|
Unmarked objects | 0 |
Total imports | 23 |
Imports (30806) | 3 |
C objects (30826) | 15 |
94 (2179) | 1 |
Linker (30806) | 1 |