170a55f7c0448f1741e60b01dcec9cfb
Summary
| Architecture |
IMAGE_FILE_MACHINE_AMD64
|
|---|---|
| Subsystem |
IMAGE_SUBSYSTEM_WINDOWS_GUI
|
| Compilation Date | 2017-May-04 02:40:47 |
| Detected languages |
English - United States
Korean - Korea |
Plugin Output
| Info | Matching compiler(s): |
Microsoft Visual C++ 6.0 - 8.0
Microsoft Visual C++ Microsoft Visual C++ v6.0 |
| Info | Cryptographic algorithms detected in the binary: |
Uses constants related to CRC32
Uses constants related to MD5 Uses constants related to SHA1 |
| Info | The PE contains common functions which appear in legitimate applications. |
[!] The program may be hiding some of its imports:
|
| Malicious | VirusTotal score: 51/70 (Scanned on 2019-12-20 09:45:45) |
MicroWorld-eScan:
Trojan.GenericKD.32643407
CAT-QuickHeal: Trojan.Multi McAfee: Trojan-HidCobra Cylance: Unsafe VIPRE: Trojan.Win32.Generic!BT Sangfor: Malware CrowdStrike: win/malicious_confidence_100% (W) Alibaba: Trojan:Win32/NukeSped.59a15195 K7GW: Trojan ( 005233111 ) K7AntiVirus: Trojan ( 005233111 ) TrendMicro: TROJ64_HOPLIGHT.ZLGJ Cyren: W64/Trojan3.AOLF Symantec: Trojan.Hoplight ESET-NOD32: a variant of Win32/NukeSped.AU Paloalto: generic.ml ClamAV: Win.Trojan.HiddenCobra-7402602-0 Kaspersky: Trojan.Win32.Agent.xabgmf BitDefender: Trojan.GenericKD.32643407 NANO-Antivirus: Trojan.Win64.NukeSped.fzpbxb Avast: Win32:Malware-gen Endgame: malicious (high confidence) Sophos: Troj/NukeSpe-G Comodo: Malware@#37lzep80nsppu F-Secure: Trojan.TR/AD.APTLazerus.dsenk Zillya: Trojan.Agent.Win32.1134660 McAfee-GW-Edition: Trojan-HidCobra FireEye: Trojan.GenericKD.32643407 Emsisoft: Trojan.GenericKD.32643407 (B) F-Prot: W64/Trojan3.AOLF Jiangmin: Trojan.Agent.cere Webroot: W32.Trojan.Gen Avira: TR/AD.APTLazerus.dsenk Antiy-AVL: Trojan/Win32.Agent Microsoft: Trojan:Win32/Casdet!rfn Arcabit: Trojan.Generic.D1F2194F ViRobot: Trojan.Win64.S.Agent.197632 ZoneAlarm: Trojan.Win32.Agent.xabgmf GData: Trojan.GenericKD.32643407 AhnLab-V3: Trojan/Win32.Akdoor.C2332488 VBA32: Trojan.Agent ALYac: Trojan.Nukesped.A MAX: malware (ai score=100) Ad-Aware: Trojan.GenericKD.32643407 TrendMicro-HouseCall: TROJ64_HOPLIGHT.ZLGJ Rising: Backdoor.Escad!8.18BD (TFE:6:S6ANyXOKFj) Yandex: Trojan.Agent!/BaVSi3If3g Ikarus: Trojan.Win32.NukeSped Fortinet: W32/HidCobra.9CFB!tr AVG: Win32:Malware-gen Panda: Trj/Agent.KOS Qihoo-360: Win32/Trojan.e04 |
Hashes
DOS Header
| e_magic | MZ |
|---|---|
| e_cblp | 0x90 |
| e_cp | 0x3 |
| e_crlc | 0 |
| e_cparhdr | 0x4 |
| e_minalloc | 0 |
| e_maxalloc | 0xffff |
| e_ss | 0 |
| e_sp | 0xb8 |
| e_csum | 0 |
| e_ip | 0 |
| e_cs | 0 |
| e_ovno | 0 |
| e_oemid | 0 |
| e_oeminfo | 0 |
| e_lfanew | 0x100 |
PE Header
| Signature | PE |
|---|---|
| Machine |
IMAGE_FILE_MACHINE_AMD64
|
| NumberofSections | 6 |
| TimeDateStamp | 2017-May-04 02:40:47 |
| PointerToSymbolTable | 0 |
| NumberOfSymbols | 0 |
| SizeOfOptionalHeader | 0xf0 |
| Characteristics |
IMAGE_FILE_DLL
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
|
Image Optional Header
| Magic | PE32+ |
|---|---|
| LinkerVersion | 12.0 |
| SizeOfCode | 0xae00 |
| SizeOfInitializedData | 0x27600 |
| SizeOfUninitializedData | 0 |
| AddressOfEntryPoint | 0x0000000000001250 (Section: .text) |
| BaseOfCode | 0x1000 |
| ImageBase | 0x180000000 |
| SectionAlignment | 0x1000 |
| FileAlignment | 0x200 |
| OperatingSystemVersion | 6.0 |
| ImageVersion | 0.0 |
| SubsystemVersion | 6.0 |
| Win32VersionValue | 0 |
| SizeOfImage | 0x36000 |
| SizeOfHeaders | 0x400 |
| Checksum | 0 |
| Subsystem |
IMAGE_SUBSYSTEM_WINDOWS_GUI
|
| DllCharacteristics |
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
|
| SizeofStackReserve | 0x100000 |
| SizeofStackCommit | 0x1000 |
| SizeofHeapReserve | 0x100000 |
| SizeofHeapCommit | 0x1000 |
| LoaderFlags | 0 |
| NumberOfRvaAndSizes | 16 |
.text
.rdata
.data
.pdata
.rsrc
.reloc
Imports
| KERNEL32.dll |
CreateFileA
WriteFile WinExec CloseHandle GetCommandLineA GetCurrentThreadId IsDebuggerPresent IsProcessorFeaturePresent GetLastError SetLastError EncodePointer DecodePointer ExitProcess GetModuleHandleExW GetProcAddress MultiByteToWideChar WideCharToMultiByte GetProcessHeap GetStdHandle GetFileType DeleteCriticalSection GetStartupInfoW GetModuleFileNameA HeapFree QueryPerformanceCounter GetCurrentProcessId GetSystemTimeAsFileTime GetEnvironmentStringsW FreeEnvironmentStringsW RtlCaptureContext RtlLookupFunctionEntry RtlVirtualUnwind UnhandledExceptionFilter SetUnhandledExceptionFilter InitializeCriticalSectionAndSpinCount Sleep GetCurrentProcess TerminateProcess TlsAlloc TlsGetValue TlsSetValue TlsFree GetModuleHandleW RtlUnwindEx EnterCriticalSection LeaveCriticalSection IsValidCodePage GetACP GetOEMCP GetCPInfo GetModuleFileNameW LoadLibraryExW HeapAlloc HeapReAlloc GetStringTypeW OutputDebugStringW HeapSize LCMapStringW FlushFileBuffers GetConsoleCP GetConsoleMode SetStdHandle SetFilePointerEx WriteConsoleW CreateFileW |
|---|
Delayed Imports
DoStart
| Ordinal | 1 |
|---|---|
| Address | 0x1010 |
101
2
Version Info
TLS Callbacks
Load Configuration
| Size | 0x70 |
|---|---|
| TimeDateStamp | 1970-Jan-01 00:00:00 |
| Version | 0.0 |
| GlobalFlagsClear | (EMPTY) |
| GlobalFlagsSet | (EMPTY) |
| CriticalSectionDefaultTimeout | 0 |
| DeCommitFreeBlockThreshold | 0 |
| DeCommitTotalFreeThreshold | 0 |
| LockPrefixTable | 0 |
| MaximumAllocationSize | 0 |
| VirtualMemoryThreshold | 0 |
| ProcessAffinityMask | 0 |
| ProcessHeapFlags | (EMPTY) |
| CSDVersion | 0 |
| Reserved1 | 0 |
| EditList | 0 |
| SecurityCookie | 0x180013000 |
RICH Header
| XOR Key | 0xc2662857 |
|---|---|
| Unmarked objects | 0 |
| Imports (65501) | 3 |
| Total imports | 80 |
| C++ objects (20806) | 24 |
| C objects (20806) | 96 |
| ASM objects (20806) | 8 |
| 229 (VS2013 build 21005) | 3 |
| Exports (VS2013 build 21005) | 1 |
| Resource objects (VS2013 build 21005) | 1 |
| 151 | 1 |
| Linker (VS2013 build 21005) | 1 |