150d4607b7004692bb9b0632513c69fb

Summary

Architecture IMAGE_FILE_MACHINE_I386
Subsystem IMAGE_SUBSYSTEM_WINDOWS_CUI
Compilation Date 2019-Apr-04 07:35:25
Detected languages English - United States
Debug artifacts C:\Users\ZHYU\Desktop\c\call_retn\Debug\call_retn.pdb

Plugin Output

Info Matching compiler(s): MASM/TASM - sig1(h)
Suspicious The PE is possibly packed. Section .textbss is both writable and executable. (Reviewer note: the section table below shows .textbss with SizeOfRawData 0 and IMAGE_SCN_CNT_UNINITIALIZED_DATA, and a Debug PDB path is referenced; this is consistent with an MSVC debug build's incremental-linking section rather than a packer stub, and the .text entropy of 4.35681 is also lower than packed code usually exhibits. Treat this finding as a heuristic to confirm, not as evidence of packing.)
Info The PE contains common functions which appear in legitimate applications.
[!] The program may be hiding some of its imports:
  • LoadLibraryW
  • GetProcAddress
Possibly launches other programs:
  • system

Hashes

MD5 150d4607b7004692bb9b0632513c69fb
SHA1 2226c61f9803b9d3a1ad04f5c08c13b8a11c4334
SHA256 8a8b6509f1d4ef6448269b9e93bcfcf6625c6d781ccd40bf9f2e3f004f471573
SHA3 f29e5d45becc2f8de022d1ce5192a982f09941fe13b86d98f6b16f3859f623c1
SSDeep 384:dVuppzw7CPPo7ZjaKnrL8vOS3oouP3wUbRrhO7VDB:dQ3zkw4XrtZoUZc5DB
Imports Hash 3ac80d255ae46708b6c29eb4195b87ec

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0xe8

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_I386
NumberofSections 7
TimeDateStamp 2019-Apr-04 07:35:25
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xe0
Characteristics IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE

Image Optional Header

Magic PE32
LinkerVersion 10.0
SizeOfCode 0x3800
SizeOfInitializedData 0x3a00
SizeOfUninitializedData 0
AddressOfEntryPoint 0x00011113 (Section: .text)
BaseOfCode 0x1000
BaseOfData 0x1000
ImageBase 0x400000
SectionAlignment 0x1000
FileAlignment 0x200
OperatingSystemVersion 5.1
ImageVersion 0.0
SubsystemVersion 5.1
Win32VersionValue 0
SizeOfImage 0x1b000
SizeOfHeaders 0x400
Checksum 0
Subsystem IMAGE_SUBSYSTEM_WINDOWS_CUI
DllCharacteristics IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
SizeofStackReserve 0x100000
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

.textbss

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA3 a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a
VirtualSize 0x10000
VirtualAddress 0x1000
SizeOfRawData 0
PointerToRawData 0
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.text

MD5 9bf2659e1108b09556219cbc7d4dcb68
SHA1 f594c927ef7bafc5f47e82e4609f56990b1141a9
SHA256 ac2943f5ecb1140ae809a60813210bac715b38e041dbcc696c6272dede9d33da
SHA3 01d7005a3257b8e15b9a925ddb3fb95c3eb36a7c29a4af89f027e83c7fb0397c
VirtualSize 0x369f
VirtualAddress 0x11000
SizeOfRawData 0x3800
PointerToRawData 0x400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
Entropy 4.35681

.rdata

MD5 a5b7f2670a361a87553730a832be3f92
SHA1 85fce8fb4911768528f7ff535f8ebc95e35d85e6
SHA256 9552c22f65c195a568441cbdfc1d8c2d9878b3f7394bd268d813a3f961af1075
SHA3 ff3f4e3a4d3f568781ced212132ff0aab07fd06b677a42a9cd2fe42fd6a1ad4e
VirtualSize 0x1d29
VirtualAddress 0x15000
SizeOfRawData 0x1e00
PointerToRawData 0x3c00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 2.25665

.data

MD5 065b59f094449a5910d85f9256bf75ea
SHA1 0654f4846863d495455e98fa2c4fce1ef8d66329
SHA256 ea7023628746b49a6f73de9576284f47955c6d32c09242717c39a8bfeeefa817
SHA3 f131c0f13a3396c7768bfe363559ebed4aba52684c68568a59a76dfb0b4212c6
VirtualSize 0x584
VirtualAddress 0x17000
SizeOfRawData 0x200
PointerToRawData 0x5a00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 0.423784

.idata

MD5 da67566c8fd92707d35c41e644a1b2d5
SHA1 9161254eb7d616f668abc246754435c2da3d40db
SHA256 4eeda590d727c73f2fdaf103cda14f6e3ea400ebd505fc0a71cdc798b34ed9c8
SHA3 39b9c35bd56f9850fc2a4c0d78e3183bc9c51060db49ed99b7059dc09ea8a1b6
VirtualSize 0x8a4
VirtualAddress 0x18000
SizeOfRawData 0xa00
PointerToRawData 0x5c00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 3.97386

.rsrc

MD5 f0ccdbcb76452db4c5dbedaf1bd4f3c6
SHA1 4aa0a871073bffa152b7a6ccac7a1ba6d5ae61ad
SHA256 f61f3c35dab55ab94f1a8d917cff8a23106dee17b30884e284d2fba3e7c367f9
SHA3 5e2a132294dbcdf822eedfe8b10271c069be7d6c79aab1a6b776365c1f7a3c89
VirtualSize 0x459
VirtualAddress 0x19000
SizeOfRawData 0x600
PointerToRawData 0x6600
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 2.25075

.reloc

MD5 26c05006684952ee46bdcad586d89f99
SHA1 ea6a85742e0b4f18a141e60e042ed54bb2b4fa0d
SHA256 e72850407097a2fd8a4521678d08c9f011d1f40e160e5d9ac335ca628bb70059
SHA3 cddf01d66dd0d72d8b57df213f5b0aac2ed53dd30a69ef18d33acf08a97888d3
VirtualSize 0x472
VirtualAddress 0x1a000
SizeOfRawData 0x600
PointerToRawData 0x6c00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Entropy 3.95577

Imports

MSVCR100D.dll wcscpy_s
_crt_debugger_hook
_wmakepath_s
_except_handler4_common
_onexit
_lock
__dllonexit
_unlock
_invoke_watson
_controlfp_s
?terminate@@YAXXZ
_initterm_e
_initterm
_CrtDbgReportW
_CrtSetCheckCount
__initenv
exit
_cexit
_XcptFilter
_exit
__getmainargs
_amsg_exit
__set_app_type
_fmode
_commode
__setusermatherr
_configthreadlocale
_CRT_RTC_INITW
system
_wsplitpath_s
printf
KERNEL32.dll GetCurrentProcess
TerminateProcess
FreeLibrary
GetModuleHandleW
VirtualQuery
GetModuleFileNameW
GetProcessHeap
HeapAlloc
HeapFree
GetSystemTimeAsFileTime
GetCurrentProcessId
GetCurrentThreadId
GetTickCount
QueryPerformanceCounter
DecodePointer
SetUnhandledExceptionFilter
LoadLibraryW
GetProcAddress
lstrlenA
RaiseException
MultiByteToWideChar
IsDebuggerPresent
WideCharToMultiByte
HeapSetInformation
InterlockedCompareExchange
Sleep
InterlockedExchange
EncodePointer
UnhandledExceptionFilter

Delayed Imports

1

Type RT_MANIFEST
Language English - United States
Codepage UNKNOWN
Size 0x196
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 4.93317
MD5 7cb71b006fcdcf8ade80e31fd5ab8060
SHA1 655380fb2cca01b0ca707f748fc7dcf006732518
SHA256 be8918559280a2e74748bf8f6238b568ed7cbf75183b2180a6a8a979a1ebf243
SHA3 1a03e76e664cba5cc9c5b4570c991d3f72475aebcf3d870270d080dcf1246092

Version Info

IMAGE_DEBUG_TYPE_CODEVIEW

Characteristics 0
TimeDateStamp 2019-Apr-04 07:35:25
Version 0.0
SizeofData 78
AddressOfRawData 0x16400
PointerToRawData 0x5000
Referenced File C:\Users\ZHYU\Desktop\c\call_retn\Debug\call_retn.pdb

TLS Callbacks

Load Configuration

RICH Header

XOR Key 0xb1fb9f33
Unmarked objects 0
Imports (VS2010 SP1 build 40219) 3
C objects (VS2010 SP1 build 40219) 18
Imports (VS2008 SP1 build 30729) 2
Total imports 60
C++ objects (VS2010 SP1 build 40219) 8
Resource objects (VS2010 SP1 build 40219) 1
Linker (VS2010 SP1 build 40219) 1

Errors

[*] Warning: Section .textbss has a size of 0!