167f8bf0459b32d81e4285af1a2305fc

Summary

Architecture IMAGE_FILE_MACHINE_I386
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date 2009-Sep-23 01:45:03
Detected languages English - United States
Comments Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
CompanyName Apache Software Foundation
FileDescription ApacheBench command line utility
FileVersion 2.2.14
InternalName ab.exe
LegalCopyright Copyright 2009 The Apache Software Foundation.
OriginalFilename ab.exe
ProductName Apache HTTP Server
ProductVersion 2.2.14

Plugin Output

Suspicious The PE contains functions most legitimate programs don't use.
[!] The program may be hiding some of its imports:
  • LoadLibraryA
  • GetProcAddress
Leverages the raw socket API to access the Internet:
  • WSARecv
  • WSASend
Malicious VirusTotal score: 41/55 (Scanned on 2016-07-12 16:54:56)
MicroWorld-eScan: Backdoor.Shell.AC
nProtect: Backdoor.Shell.AC
CAT-QuickHeal: Trojan.Swrort.A
McAfee: Swrort.d
Malwarebytes: Backdoor.Bot.Gen
VIPRE: Trojan.Win32.Swrort.B (v)
K7GW: Backdoor ( 04c51d011 )
K7AntiVirus: Backdoor ( 04c51d011 )
Baidu: Win32.Trojan.WisdomEyes.151026.9950.9999
F-Prot: W32/Swrort.A.gen!Eldorado
Symantec: Packed.Generic.347
ESET-NOD32: a variant of Win32/Rozena.AM
TrendMicro-HouseCall: TROJ_SWRORT.SMCA
Avast: Win32:SwPatch [Wrm]
ClamAV: Win.Trojan.MSShellcode-8
Kaspersky: Packed.Win32.BDF.a
BitDefender: Backdoor.Shell.AC
NANO-Antivirus: Trojan.Win32.Swrort.uhpfc
Ad-Aware: Backdoor.Shell.AC
Sophos: Mal/Swrort-C
Comodo: TrojWare.Win32.Rozena.A
F-Secure: Backdoor.Shell.AC
DrWeb: Trojan.Swrort.1
TrendMicro: TROJ_SWRORT.SMCA
McAfee-GW-Edition: Swrort.d
Emsisoft: Backdoor.Shell.AC (B)
Cyren: W32/Swrort.A.gen!Eldorado
Avira: TR/Crypt.XPACK.Gen2
Fortinet: W32/Swrort.C!tr
Antiy-AVL: Trojan[:HEUR]/Win32.AGeneric
Arcabit: Backdoor.Shell.AC
AegisLab: Backdoor.W32.Gen.lEkc
AhnLab-V3: Trojan/Win32.Shell.R1283
Microsoft: Trojan:Win32/Swrort.A
ALYac: Backdoor.Shell.AC
AVware: Trojan.Win32.Swrort.B (v)
Yandex: Trojan.Rosena.Gen.1
Ikarus: Exploit.PDF
GData: Backdoor.Shell.AC
AVG: Win32/Heur
Panda: Generic Suspicious

Hashes

MD5 167f8bf0459b32d81e4285af1a2305fc
SHA1 60f2d6d6cb55a9248629b2a0ea82a1fcbff32cd8
SHA256 547f959c5dc272ea8f59e44bab776096262922ddb0c975e338141b65d8ef6e45
SHA3 9c0b04338bd5042d8af1e0f1713e6fbc6fad1bfe9a41116eaccf8653ee03ec8b
SSDeep 384:IdmbFPObrx9PA8DteDzuscUHH06zfAdYRcWmU5q3:IdpXP94DzdTCQq3
Imports Hash 4c6e5b9cc5b626d38b0b4a6780d021dc

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0xe8

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_I386
NumberofSections 4
TimeDateStamp 2009-Sep-23 01:45:03
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xe0
Characteristics IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_RELOCS_STRIPPED

Image Optional Header

Magic PE32
LinkerVersion 6.0
SizeOfCode 0xb000
SizeOfInitializedData 0xa000
SizeOfUninitializedData 0
AddressOfEntryPoint 0xbeb2 (Section: .text)
BaseOfCode 0x1000
BaseOfData 0xc000
ImageBase 0x400000
SectionAlignment 0x1000
FileAlignment 0x1000
OperatingSystemVersion 4.0
ImageVersion 0.0
SubsystemVersion 4.0
Win32VersionValue 0
SizeOfImage 0x16000
SizeOfHeaders 0x1000
Checksum 0
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
DllCharacteristics (EMPTY)
SizeofStackReserve 0x100000
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

.text

MD5 5d08107e5347bc4850957dd8d9be6fdc
SHA1 79b4a7c6844e056915afd4ae6ba866450cb9d08a
SHA256 280da83faa92f9a1bb0ab0583e0428eb5eff4209d690b010a9eaa18de157a977
SHA3 069b45e8ec9bf0b0e8c554063c809b4f0f20b75f62c0b9e7df48b71c98b665a6
VirtualSize 0xa966
VirtualAddress 0x1000
SizeOfRawData 0xb000
PointerToRawData 0x1000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
Entropy 1.66371

.rdata

MD5 2e3e9740d0defee103a448d03a09adc7
SHA1 6da5a7c46a485da2e83848e89ce3fb42d6094ba1
SHA256 4074709813a9e829c385c8f08342af1c55f56066a991a86dcd7a3d13970e6ea1
SHA3 4facfeec9abdc796012ea02be1c4520d98a982aac38913de4a16086460f894c8
VirtualSize 0xfe6
VirtualAddress 0xc000
SizeOfRawData 0x1000
PointerToRawData 0xc000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 5.75484

.data

MD5 ce338fe6899778aacfc28414f2d9498b
SHA1 897256b6709e1a4da9daba92b6bde39ccfccd8c1
SHA256 4fe7b59af6de3b665b67788cc2f99892ab827efae3a467342b3bb4e3bc8e5bfe
SHA3 291ec7ae1d17299b418e889d0e5c003ebad587ecbedf6f3c7f8b898b52318f06
VirtualSize 0x705c
VirtualAddress 0xd000
SizeOfRawData 0x4000
PointerToRawData 0xd000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 0

.rsrc

MD5 c13a9413aea7291b6fc85d75bfcde381
SHA1 2e051ef30946f9bed1931d1f9dde3ebdb9b99b89
SHA256 77d4d9b7bcf6235ac21dc6b2569ecc9c3a854539e23d8b939078d4ce151baae0
SHA3 971a28bd5b8b033a2be770fe3e6d3b3362bfc8b2394eba51235e1f8cbdb47aff
VirtualSize 0x7c8
VirtualAddress 0x15000
SizeOfRawData 0x1000
PointerToRawData 0x11000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 1.9583

Imports

MSVCRT.dll _iob
_except_handler3
__set_app_type
__p__fmode
__p__commode
_adjust_fdiv
__setusermatherr
_initterm
__getmainargs
__p___initenv
_XcptFilter
_exit
_onexit
__dllonexit
strrchr
wcsncmp
_close
wcslen
wcscpy
strerror
modf
strspn
realloc
__p__environ
__p__wenviron
_errno
free
strncmp
strstr
strncpy
_ftol
qsort
fopen
perror
fclose
fflush
calloc
malloc
signal
printf
_isctype
atoi
exit
__mb_cur_max
_pctype
strchr
fprintf
_controlfp
_strdup
_strnicmp
KERNEL32.dll PeekNamedPipe
ReadFile
WriteFile
LoadLibraryA
GetProcAddress
GetVersionExA
GetExitCodeProcess
TerminateProcess
LeaveCriticalSection
SetEvent
ReleaseMutex
EnterCriticalSection
DeleteCriticalSection
InitializeCriticalSection
CreateMutexA
GetFileType
SetLastError
FreeEnvironmentStringsW
GetEnvironmentStringsW
GlobalFree
GetCommandLineW
TlsAlloc
TlsFree
DuplicateHandle
GetCurrentProcess
SetHandleInformation
CloseHandle
GetSystemTimeAsFileTime
FileTimeToSystemTime
GetTimeZoneInformation
FileTimeToLocalFileTime
SystemTimeToFileTime
SystemTimeToTzSpecificLocalTime
Sleep
FormatMessageA
GetLastError
WaitForSingleObject
CreateEventA
SetStdHandle
SetFilePointer
CreateFileA
CreateFileW
GetOverlappedResult
DeviceIoControl
GetFileInformationByHandle
LocalFree
ADVAPI32.dll FreeSid
AllocateAndInitializeSid
WSOCK32.dll #7
#4
#9
#52
#14
#12
#21
#23
#3
#18
#10
#151
#115
#116
#111
WS2_32.dll WSARecv
WSASend

Delayed Imports

1

Type RT_VERSION
Language English - United States
Codepage UNKNOWN
Size 0x768
Entropy 3.49991
MD5 ddfda397f78597f8a3a40b972300dc26
SHA1 1e92b61cf6c7f7d73422bb7a2c0c335a7e459a7d
SHA256 465417d96548ce85076f6509efac41e5ad02fee2b8f712416e8b6aa08d93c494
SHA3 4d11459ec9db842f3a4f985c12b6e6b4810298802948ac7f293782fc5476f233

Version Info

Signature 0xfeef04bd
StructVersion 0x10000
FileVersion 2.2.14.0
ProductVersion 2.2.14.0
FileFlags (EMPTY)
FileOs VOS_DOS_WINDOWS32
VOS_NT_WINDOWS32
VOS__WINDOWS32
FileType VFT_APP
Language English - United States
Comments Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
CompanyName Apache Software Foundation
FileDescription ApacheBench command line utility
FileVersion (#2) 2.2.14
InternalName ab.exe
LegalCopyright Copyright 2009 The Apache Software Foundation.
OriginalFilename ab.exe
ProductName Apache HTTP Server
ProductVersion (#2) 2.2.14
Resource LangID English - United States

TLS Callbacks

Load Configuration

RICH Header

Errors

[!] Error: Could not read PDB file information of invalid magic number.