1421419d1be31f1f9ea60e8ed87277db

Summary

Architecture IMAGE_FILE_MACHINE_I386
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date 2017-Jul-03 17:04:48
Detected languages English - Canada
CompanyName Microsoft Corporation
FileDescription Microsoft Valid Technic bandwidth
FileVersion 6.2.9200.20789
InternalName mvtband.dll
LegalCopyright © Microsoft Corporation. All rights reserved.
OriginalFilename mvtband.dll
ProductName Microsoft Valid Technic bandwidth
ProductVersion 7.6.7200.24614

Plugin Output

Info Libraries used to perform cryptographic operations: Microsoft's Cryptography API
Malicious The PE contains functions mostly used by malware. Functions which can be used for anti-debugging purposes:
  • CreateToolhelp32Snapshot
Code injection capabilities (mapping injection):
  • MapViewOfFile
  • CreateFileMappingA
  • CreateRemoteThread
Can access the registry:
  • RegOpenKeyExA
  • RegQueryValueExA
  • RegSetValueExA
  • RegCreateKeyExA
  • RegCloseKey
Possibly launches other programs:
  • CreateProcessW
Uses Microsoft's cryptographic API:
  • CryptBinaryToStringA
  • CryptStringToBinaryA
Has Internet access capabilities:
  • InternetOpenA
  • InternetCloseHandle
  • InternetConnectA
  • InternetReadFile
  • InternetSetOptionA
  • InternetQueryOptionA
Leverages the raw socket API to access the Internet:
  • #52
  • #116
  • #115
  • #57
Enumerates local disk drives:
  • GetVolumeInformationW
Manipulates other processes:
  • Process32Next
  • Process32First
Reads the contents of the clipboard:
  • GetClipboardData
Malicious VirusTotal score: 46/64 (Scanned on 2017-08-25 04:36:35)
MicroWorld-eScan: Gen:Variant.Razy.163623
CAT-QuickHeal: Trojan.Sofacy
McAfee: RDN/Generic.dx
Cylance: Unsafe
AegisLab: Gen.Variant.Razy!c
K7AntiVirus: Trojan ( 005123a31 )
K7GW: Trojan ( 005123a31 )
Invincea: heuristic
Baidu: Win32.Trojan.WisdomEyes.16070401.9500.9543
Cyren: W32/Trojan.IBSH-5630
Symantec: Trojan.Gen.2
TrendMicro-HouseCall: TROJ_SEDNIT.AUSB
Paloalto: generic.ml
Kaspersky: HEUR:Trojan.Win32.Sofacy.gen
BitDefender: Gen:Variant.Razy.163623
NANO-Antivirus: Trojan.Win32.Sofacy.erbysh
Avast: Win32:Malware-gen
Rising: Trojan.Sednit!8.632 (cloud:vWpuGMobpmE)
Ad-Aware: Gen:Variant.Razy.163623
Sophos: Mal/Generic-S
Comodo: UnclassifiedMalware
F-Secure: Gen:Variant.Razy.163623
DrWeb: Trojan.Sednit.37
VIPRE: Trojan.Win32.Generic!BT
TrendMicro: TROJ_SEDNIT.AUSB
McAfee-GW-Edition: BehavesLike.Win32.Miuref.mh
Emsisoft: Gen:Variant.Razy.163623 (B)
Avira: TR/Sednit.bpkwu
Fortinet: W32/Sednit.BN!tr
Endgame: malicious (high confidence)
Arcabit: Trojan.Razy.D27F27
ZoneAlarm: HEUR:Trojan.Win32.Sofacy.gen
Microsoft: Trojan:Win32/Foosace!rfn
AhnLab-V3: Trojan/Win32.Sofacy.R205182
ALYac: Gen:Variant.Razy.163623
AVware: Trojan.Win32.Generic!BT
MAX: malware (ai score=81)
ESET-NOD32: a variant of Win32/Sednit.BN
Tencent: Win32.Trojan.Sofacy.Dvft
Yandex: Trojan.Sednit!kOlYGmJ/+Do
Ikarus: Trojan.Win32.Sednit
GData: Gen:Variant.Razy.163623
AVG: Win32:Malware-gen
Panda: Trj/GdSda.A
CrowdStrike: malicious_confidence_100% (W)
Qihoo-360: Win32/Trojan.96f

Hashes

MD5 1421419d1be31f1f9ea60e8ed87277db
SHA1 f9fd3f1d8da4ffd6a494228b934549d09e3c59d1
SHA256 8c47961181d9929333628af20bdd750021e925f40065374e6b876e3b8afbba57
SHA3 f5e778083bcb3601d223ff0271400988adc5bccd8fa3cbfe46115c8b16c37db3
SSDeep 768:VAGqIPXBLp19Evz7SxN4+9tvpG/VBpTOmyx:VAGqIPRLZfN4m6BpTOlx
Imports Hash b08150f6ea6349de53cb52075751b780

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0xd8

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_I386
NumberofSections 5
TimeDateStamp 2017-Jul-03 17:04:48
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xe0
Characteristics IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL
IMAGE_FILE_EXECUTABLE_IMAGE

Image Optional Header

Magic PE32
LinkerVersion 14.0
SizeOfCode 0x5800
SizeOfInitializedData 0x1c00
SizeOfUninitializedData 0
AddressOfEntryPoint 0x00006692 (Section: .text)
BaseOfCode 0x1000
BaseOfData 0x7000
ImageBase 0x10000000
SectionAlignment 0x1000
FileAlignment 0x200
OperatingSystemVersion 6.0
ImageVersion 0.0
SubsystemVersion 6.0
Win32VersionValue 0
SizeOfImage 0xc000
SizeOfHeaders 0x400
Checksum 0
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
DllCharacteristics IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
SizeofStackReserve 0x100000
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

.text

MD5 c096140cc9f70fc4a59c864669386d8d
SHA1 6ef77f2702e77690198b20f6e16d1caba99a6edf
SHA256 c82c52867013870572cbe2c24154b2871ec0749be302bfdf1097bcd692a9ba67
SHA3 31a77c0b86d84733e535b151ef020825665dad7dc9ba72296fcf77107dab9c71
VirtualSize 0x576e
VirtualAddress 0x1000
SizeOfRawData 0x5800
PointerToRawData 0x400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
Entropy 6.40598

.rdata

MD5 7fc8b941042a5241244b1f0c368e30b9
SHA1 0a71b82ddf5846c52b268af37e1cef0b5cdd2c0f
SHA256 037cde9add39426984bf802dddbb21d3c8940512a92a501b31310cf4a54653c1
SHA3 2093ed098be69ff306abb2f1205688ac043f3c8e862c1844db1ffef3b14253b3
VirtualSize 0x1184
VirtualAddress 0x7000
SizeOfRawData 0x1200
PointerToRawData 0x5c00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 5.47836

.data

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA3 a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a
VirtualSize 0xf0
VirtualAddress 0x9000
SizeOfRawData 0
PointerToRawData 0
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc

MD5 7018152b1b1de93da7ad9fbaa9041118
SHA1 a0c1e9dc5c9602dd9b34df5f6e17e67d889c59b1
SHA256 10469886ee46ef0f61b4715a8d6b6d654bb53c8a7a10ab29af7d2ebc1f88cfe0
SHA3 1daad6f96233182f48e9d0f75b704f7a54869d77c4062d8e9d0bfd0ee93f3e03
VirtualSize 0x3d8
VirtualAddress 0xa000
SizeOfRawData 0x400
PointerToRawData 0x6e00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 3.27979

.reloc

MD5 cce5a63f4ecd5850320b2ad28e547a67
SHA1 7cde97500cce9006b345a458c09b97d708e196d9
SHA256 e0ee0afdb438455d4ff5f02785e408ed27944d3a5a3024991bb9c836f38cfc32
SHA3 d0e0adb50f763318c4b25e20d4828c086e29afc33c411598c4a09b6e2993d4a7
VirtualSize 0x31c
VirtualAddress 0xb000
SizeOfRawData 0x400
PointerToRawData 0x7200
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Entropy 5.57001

Imports

CRYPT32.dll CryptBinaryToStringA
CryptStringToBinaryA
gdiplus.dll GdipGetImageEncoders
GdipGetImageEncodersSize
GdipCreateBitmapFromHBITMAP
GdipSaveImageToStream
GdipDisposeImage
GdipCloneImage
GdiplusShutdown
GdiplusStartup
GdipFree
GdipAlloc
IPHLPAPI.DLL GetAdaptersAddresses
SHLWAPI.dll #213
#184
#214
urlmon.dll ObtainUserAgentString
WININET.dll InternetOpenA
InternetCloseHandle
InternetConnectA
InternetReadFile
HttpQueryInfoA
HttpSendRequestA
HttpOpenRequestA
InternetSetOptionA
InternetQueryOptionA
WS2_32.dll #52
#116
#115
#57
KERNEL32.dll VirtualAlloc
GetPrivateProfileStringW
VirtualFree
DisableThreadLibraryCalls
lstrcmpiA
Process32Next
Process32First
CreateToolhelp32Snapshot
VerifyVersionInfoW
lstrlenW
GetVersionExA
GetSystemInfo
GetCurrentProcess
GetVolumeInformationW
VerSetConditionMask
GetTickCount
GetSystemTimeAsFileTime
QueryPerformanceCounter
LoadLibraryW
FreeLibrary
CreateProcessW
SetLastError
WriteFile
ReadFile
GetFileSize
CloseHandle
Sleep
MapViewOfFile
UnmapViewOfFile
CreateFileMappingA
OpenFileMappingA
WaitForSingleObject
GetExitCodeProcess
CreateThread
CreateRemoteThread
GetExitCodeThread
HeapAlloc
HeapReAlloc
HeapFree
GetProcessHeap
IsWow64Process
GetLastError
CreateMutexA
lstrlenA
MultiByteToWideChar
WideCharToMultiByte
ExpandEnvironmentStringsW
CreateDirectoryW
CreateFileW
DeleteFileW
USER32.dll GetClipboardData
CloseClipboard
keybd_event
wsprintfA
wsprintfW
GetSystemMetrics
GetMessageA
TranslateMessage
DispatchMessageA
OpenClipboard
ADVAPI32.dll RegOpenKeyExA
RegQueryValueExA
RegSetValueExA
RegCreateKeyExA
RegCloseKey
SHELL32.dll SHGetSpecialFolderPathW
ole32.dll CreateStreamOnHGlobal

Delayed Imports

Ordinal 1
Address 0x66ab

1

Type RT_VERSION
Language English - Canada
Codepage UNKNOWN
Size 0x374
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 3.53123
MD5 0358c2f6d10d47243de579f7cb2325eb
SHA1 bae1b355228327986ecae7f0bfa1201833f35e27
SHA256 b546680939ae595f8cb50f3be8192fa1f0730cea84bd2b5ce112b7e93bc65a9c
SHA3 eac4de65362740d3b45c0912704b74ac6bb3f7fb2595874b4b68ae4bd2b6e9c2

Version Info

Signature 0xfeef04bd
StructVersion 0x10000
FileVersion 6.2.9200.20789
ProductVersion 7.6.7200.24614
FileFlags (EMPTY)
FileOs VOS_DOS_WINDOWS32
VOS_NT
VOS_NT_WINDOWS32
VOS_WINCE
VOS__WINDOWS32
FileType VFT_DLL
Language English - Canada
CompanyName Microsoft Corporation
FileDescription Microsoft Valid Technic bandwidth
FileVersion (#2) 6.2.9200.20789
InternalName mvtband.dll
LegalCopyright © Microsoft Corporation. All rights reserved.
OriginalFilename mvtband.dll
ProductName Microsoft Valid Technic bandwidth
ProductVersion (#2) 7.6.7200.24614
Resource LangID English - Canada

IMAGE_DEBUG_TYPE_POGO

Characteristics 0
TimeDateStamp 2017-Jul-03 17:04:48
Version 0.0
SizeofData 236
AddressOfRawData 0x76b8
PointerToRawData 0x62b8

TLS Callbacks

Load Configuration

RICH Header

XOR Key 0x3ef5c8da
Unmarked objects 0
Imports (65501) 25
Total imports 99
C objects (VS2015 UPD3 build 24210) 1
C++ objects (VS2015 UPD3 build 24210) 19
Exports (VS2015 UPD3 build 24210) 1
Resource objects (VS2015 UPD3 build 24210) 1
Linker (VS2015 UPD3 build 24210) 1

Errors

[*] Warning: Section .data has a size of 0!