17a4eebabaadf6a842392c7d7106557c

Summary

Architecture IMAGE_FILE_MACHINE_I386
Subsystem IMAGE_SUBSYSTEM_WINDOWS_CUI
Compilation Date 2019-Dec-20 03:53:01
Detected languages English - United States
FileDescription The Fabulous Toontown Rewritten Engine
FileVersion 3.1.111.107
InternalName TTREngine.exe
LegalCopyright (C) Toontown Rewritten 2019
OriginalFilename TTREngine.exe
ProductName TTREngine
ProductVersion 3.1.111.107

Plugin Output

Info Interesting strings found in the binary: Contains domain names:
  • crl.symauth.com
  • http://pki-crl.symauth.com
  • http://pki-crl.symauth.com/ca_d409a5cb737dc0768fd08ed5256f3633/LatestCRL.crl07
  • http://pki-crl.symauth.com/offlineca/TheInstituteofElectricalandElectronicsEngineersIncIEEERootCA.crl0
  • http://pki-ocsp.symauth.com0
  • pki-crl.symauth.com
  • symauth.com
Info Libraries used to perform cryptographic operations: Microsoft's Cryptography API
Suspicious This PE is packed with Themida
Unusual section name found: (empty name; reported once for each of the eight unnamed sections)
Unusual section name found: .imports
Unusual section name found: .themida
Section .themida is both writable and executable.
Unusual section name found: .boot
Unusual section name found: .taggant
Suspicious The PE contains functions most legitimate programs don't use. Uses Microsoft's cryptographic API:
  • CryptReleaseContext
Leverages the raw socket API to access the Internet:
  • WSAAddressToStringA
Malicious VirusTotal score: 11/71 (Scanned on 2020-06-09 05:28:40)
Bkav: HW32.Packed.
FireEye: Generic.mg.17a4eebabaadf6a8
Cybereason: malicious.1273b7
Invincea: heuristic
APEX: Malicious
Trapmine: suspicious.low.ml.score
SentinelOne: DFI - Suspicious PE
Endgame: malicious (high confidence)
VBA32: BScope.Trojan.Fuerboos
Rising: Malware.Heuristic!ET#90% (RDMK:cmRtazopGGpmGIm568+/FN11B1Fz)
Qihoo-360: Generic/HEUR/QVM19.1.0AFF.Malware.Gen

Hashes

MD5 17a4eebabaadf6a842392c7d7106557c
SHA1 728071e1273b77a6109cced449b42624966caea2
SHA256 55a094b378582c30220e3cb8e00259fc3db6c31da323689326ae1c0cad295e0b
SHA3 fee898c165129e4eda08ce5721e87b881583e14e5bbcec91dd6cbc2a31ddd44b
SSDeep 393216:DNtRgrjKR1xwreBR0HMSM29h2KWRCE5wdKNp:BtEjw1ureBUC29cKWkE+dKNp
Imports Hash a273d35efcc1e0d03af535c4e3a9ca16

DOS Header

e_magic MZ
e_cblp 0x78
e_cp 0x1
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0
e_ss 0
e_sp 0
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0x78

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_I386
NumberofSections 15
TimeDateStamp 2019-Dec-20 03:53:01
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xe0
Characteristics IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE

Image Optional Header

Magic PE32
LinkerVersion 14.0
SizeOfCode 0x1335000
SizeOfInitializedData 0x570400
SizeOfUninitializedData 0
AddressOfEntryPoint 0x0313C000 (Section: .taggant)
BaseOfCode 0x1000
BaseOfData 0
ImageBase 0x400000
SectionAlignment 0x1000
FileAlignment 0x200
OperatingSystemVersion 6.0
ImageVersion 0.0
SubsystemVersion 6.0
Win32VersionValue 0
SizeOfImage 0x313f000
SizeOfHeaders 0x400
Checksum 0x12f3c08
Subsystem IMAGE_SUBSYSTEM_WINDOWS_CUI
DllCharacteristics IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
SizeofStackReserve 0x100000
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

MD5 e9b00223958ba390ffde05fd204be4bb
SHA1 776933bd3dbef24a0c20861b3d81d41883972e25
SHA256 10fd95b866485d833a917f44ac4b93b43927a152c93eaa81dbf88c475cb3bbd5
SHA3 c790cfe6f8c178f2c2b49a0dd77606761a1ce8528055ee37f29046590ec47b82
VirtualSize 0x1334f91
VirtualAddress 0x1000
SizeOfRawData 0x709ca4
PointerToRawData 0x400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
Entropy 7.98952

(#2)

MD5 9e23add9606507d2ef1887f4688341cb
SHA1 870590fbc4bd14c540f3601f0e9b734b88e114e8
SHA256 d263c590845e3d641bcb454f1575c9847bfce3a21434932201096f359ed0989a
SHA3 3573636e65002b363fac0edb2c0301e39ba95a000d5d55fc702da1de3bd0f038
VirtualSize 0x36cb24
VirtualAddress 0x1336000
SizeOfRawData 0x14d767
PointerToRawData 0x70a200
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 7.98387

(#3)

MD5 ae20bf00c15f1e7fe40fe56d5e86ca14
SHA1 b2e53c70adfc3d150b524219e89b9d8700e29ced
SHA256 45a6b1426761a1cca73c1de0ad5dbb9ef5be924cabf5d3a04c35bde5e80ccb17
SHA3 af6aac215c95d9ef75a96fba17db96dc063db4c961313eadf873b1c582b256d6
VirtualSize 0x159074
VirtualAddress 0x16a3000
SizeOfRawData 0x2bf11
PointerToRawData 0x857a00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 7.96365

(#4)

MD5 f51a5276241a50a07765d53880d233f5
SHA1 65d01dab94bd94c310624d6d5a9dfb9c879e5aa3
SHA256 0704fdded205bdaf80489b560e4b0bb80a22b32b848cab2f6f27d16d8c896f6a
SHA3 33aa2e8978d326401ed17a1bef23e491c7f228d48050bb85ab62135583107f78
VirtualSize 0x4
VirtualAddress 0x17fd000
SizeOfRawData 0xb
PointerToRawData 0x883a00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 3.27761

(#5)

MD5 885eb9f7c879568afe317cecfb42a738
SHA1 7c1ca7a4643823212a0acbfacf95628506e75082
SHA256 d70fa83c49affcadeceb93f33102abd198d189fde261cff8dbf2db475f2ca757
SHA3 1b86e59a87fd0bc76a4f2a70280214b31b34b77cdd7f28780da01a19eebb7b83
VirtualSize 0x104
VirtualAddress 0x17fe000
SizeOfRawData 0xbc
PointerToRawData 0x883c00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 6.89741

(#6)

MD5 ea820994c7d4b40f8fb5c159f943cc08
SHA1 ba50a27ce55508bca03e38e55cbcef010e5d24bc
SHA256 9a99bdd3650b5bcd5f58dd9459a4b365046c8af140f4eab89a4b2f71fc878e34
SHA3 277751655f1781481d17d9e2ddf12e1a162e4e2b2ae2dd4c527aca4baf8a1f39
VirtualSize 0x9
VirtualAddress 0x17ff000
SizeOfRawData 0x9
PointerToRawData 0x883e00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 3.16993

(#7)

MD5 b66575598f32ae855c4c8c0db203ca7e
SHA1 a2b5e8ff5facedbf10aef34ed7a7a6f1ef05523a
SHA256 7607488f3ad61ebda4bb4cd06016cf90e77fa8535990533b38cf2b68ea87aec7
SHA3 9859d77f8f4de9f5faf55254f6b6297b02508820a21f4f34f4a6f0091d0ef1cb
VirtualSize 0x2b4f8
VirtualAddress 0x1800000
SizeOfRawData 0x1cc18
PointerToRawData 0x884000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 7.94834

(#8)

MD5 0409aaf5c378cdbf53473452b5381468
SHA1 f8c0cd004867fec3250b9253ff5f65ccdb5a5c99
SHA256 a101e90ad351114db2f7b7d10461356a0b483d644b2e488d23796882c93cc130
SHA3 ce264eaeff0808517c46aafeca1859293a209f0f96270b64a733d47fda6a6099
VirtualSize 0x137cd0
VirtualAddress 0x182c000
SizeOfRawData 0xb6123
PointerToRawData 0x8a0e00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Entropy 7.97214

.imports

MD5 549ce7ae1e380f0d7a10b2a54d0f63eb
SHA1 fac406b3d09ad41653e287ae9aa82a9dd7dc3bc2
SHA256 592890112b5c72337e212ac816af9cdde2c74fa3ae16ab3dabcb6ea8144d8242
SHA3 18c6f0fc2835b362e31236cfa673caf9636eb45a49eb7773d56dc195bddb7f79
VirtualSize 0x1000
VirtualAddress 0x1964000
SizeOfRawData 0x400
PointerToRawData 0x957000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 3.89438

.tls

MD5 040f732ce9195de2373521db7cdf1477
SHA1 cd833927d3b02674325bcab76dc61dd20db96186
SHA256 5a701bd68b07a42bcf78f8cc1adc9ddf2daf96b3a858fe000ad774861171cccf
SHA3 991c4e28b9ae5482e4fbb67d534291726853dbd15d583e933f33d430acea692f
VirtualSize 0x1000
VirtualAddress 0x1965000
SizeOfRawData 0x200
PointerToRawData 0x957400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 0.212584

.rsrc

MD5 ae0a5510cf6bb9a022d28b257f794db1
SHA1 e05b99cb53b769604ce165c29423ee357063f8ca
SHA256 b6b1fccb07586c7c2bfb8ebb085578440c194f0d63099da9c1c41129033041c8
SHA3 bf41c88d42c326f4cce441a09e0784ff99bb3a22bb711832a5fd7a9d50f0dfc9
VirtualSize 0x2b600
VirtualAddress 0x1966000
SizeOfRawData 0x2b600
PointerToRawData 0x957600
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 6.1419

.themida

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA3 a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a
VirtualSize 0xe42000
VirtualAddress 0x1992000
SizeOfRawData 0
PointerToRawData 0x982c00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.boot

MD5 d599e329535293db668ad3139b73600b
SHA1 4f1eb243d4c1b9e5b1b3a08ca0e6851df3eee254
SHA256 e2af515541c2a24b9e854b3f762e51ab31ca568a87e9e421996407cff8eec7b4
SHA3 069c1b47fc3bc2203239e0c0eb9f9000d71f5b8b6bdfe6c7294a13ce1b04e143
VirtualSize 0x966c00
VirtualAddress 0x27d4000
SizeOfRawData 0x966c00
PointerToRawData 0x982c00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
Entropy 7.91229

.reloc

MD5 8b22cc1657ede389f2215a0400861946
SHA1 317567fd3b7be02449eb06d898fd1c43ea77eca1
SHA256 08a515d966f1d6198627739e7359b98109e252a5efd6aa37cc5b3bcd57deb2dc
SHA3 06c4136b1245b95eb0c08b93b53fbb497ae6423a9d66ef21b4058be2647ba3a9
VirtualSize 0x1000
VirtualAddress 0x313b000
SizeOfRawData 0x200
PointerToRawData 0x12e9800
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_MEM_READ
Entropy 0.194395

.taggant

MD5 b6ea289b4a9ea12aa7872b1c40a11c2d
SHA1 71124464f16da4602e9089da612033ee4a64874d
SHA256 6963c2ac5c7ca3b69730adfa76298012669f86312c2bc82c5b50c92b984e1287
SHA3 3a727a943b9af08c8dbf479c48880fc643477079751eb12e5316dfcc7b024be4
VirtualSize 0x2200
VirtualAddress 0x313c000
SizeOfRawData 0x2014
PointerToRawData 0x12e9a00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
Entropy 3.88447

Imports

kernel32.dll GetModuleHandleA
USER32.dll AdjustWindowRect
WS2_32.dll WSAAddressToStringA
OpenAL32.dll alBufferData
ADVAPI32.dll CryptReleaseContext
SHELL32.dll CommandLineToArgvW
CFGMGR32.dll CM_Get_DevNode_Registry_PropertyA
IPHLPAPI.DLL GetAdaptersAddresses
OPENGL32.dll glAlphaFunc
GDI32.dll CreateCompatibleBitmap
IMM32.dll ImmGetCandidateWindow
CRYPT32.dll CertCloseStore
OLEAUT32.dll #200
ole32.dll ProgIDFromCLSID

Delayed Imports

Resources

1

Type RT_ICON
Language English - United States
Codepage UNKNOWN
Size 0x468
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 5.56291
MD5 6a130853154f81d22a937587da7ed309
SHA1 593002e63f1dd0c8f2af9c530f23436e29571eaa
SHA256 0e3d1b7610a21f9d75dd0cfd0eb7dea617d6a45bae711506bf0258611ab2caf1
SHA3 04144d5106031e2101a7ecaf0bb0514bf05c5801f26fff7f2588d384fd5abcb8

2

Type RT_ICON
Language English - United States
Codepage UNKNOWN
Size 0x988
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 4.72183
MD5 277b5c266899319101dc28d6ea3d7cb0
SHA1 e56542b9227445a687135526c8153adc9931c41b
SHA256 69af4e6e677981f2e3d7dc369f999945199b03579be82220d0e26ec473a34bce
SHA3 f3cce4e6bd301c048eb3c6a7197b8dda133624cec14fd86b792a95329dfa6af4

3

Type RT_ICON
Language English - United States
Codepage UNKNOWN
Size 0x10a8
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 4.08828
MD5 a027164452671d8b46f73fb98df31e4e
SHA1 e7e538c9ccdb98627c90baf6a3c09828dcff40b0
SHA256 6fbaa2537d0cfed96f1e1f40ee6b7c968b3533173a587f7e1d0b30d50139657a
SHA3 b64b889b0d04c5417f579a0e29d3646648af027d7ec13b809c26253ebd1b5e44

4

Type RT_ICON
Language English - United States
Codepage UNKNOWN
Size 0x25a8
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 3.4467
MD5 148c83f0a770875d46535c4e420bb57f
SHA1 792f280194dd8c1f5db0940eb9c5041d992ab2f0
SHA256 0139faa52e35b281a2b37d0d37acc0ff5f9cc8aae53be2454cb589f556498d2c
SHA3 c52ff3d1b8cbac1c4612f2b64ca20de3a4b771209a1c705533b976fa868d6ab6

5

Type RT_ICON
Language English - United States
Codepage UNKNOWN
Size 0x10828
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 2.68903
MD5 a7d8a82e971ccb6b13ccb26825c654bb
SHA1 cb93f93362d836516e62a8ff7ae1f15156a50d45
SHA256 bf3db0a1857a871719f53fc69f1f8c5caee48704414365410147b1e269c28528
SHA3 bf0369602c35ef4311884d13aaa2e76aa3d9f6dd7501cde2183cbb8b04c4f341

6

Type RT_ICON
Language English - United States
Codepage UNKNOWN
Size 0x161ec
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 7.97992
Detected Filetype PNG graphic file
MD5 4131ba256e5f257d93700d8a8178d1a7
SHA1 efa4bd20f63d9053ad0368c0e260c729f90153ca
SHA256 e9f915ac7f77e0657abdbf9cd8df8e0705c1da41552f05138a178017a506ae74
SHA3 8494f028cb16d24ff097dedf6f880f60355e444c0757838a5e8d5ef4a6bea887

101

Type RT_GROUP_ICON
Language English - United States
Codepage UNKNOWN
Size 0x5a
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 2.84676
Detected Filetype Icon file
MD5 191008cf823f06ab3c4a23f953d41476
SHA1 0b639441a9afb4749d9db6a60598a27b5b66d2b2
SHA256 40da8647f170a7245c844ca7e01ba86d0a78fb26d34c3e9957a7c2b9776e48c3
SHA3 7cd23e6029a9813759343fe0ac8ddc7ffa55e3274bc898ff7f9947afeb01e0d6

1 (#2)

Type RT_VERSION
Language English - United States
Codepage UNKNOWN
Size 0x2d8
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 3.43424
MD5 67d8e0a722d365d91cfee6a5540afb41
SHA1 53a0e32d1b9e5a0087f8c92ced5f474d9e2bd601
SHA256 e8c72c919151ac9f5489aa065267ef822ece0f24c32786f2bcec30cbbefbf30e
SHA3 f38215a7d580ab7a438216c9118298be6d3e77ea3beb81f5fde52e5cb89887cc

1 (#3)

Type RT_MANIFEST
Language English - United States
Codepage UNKNOWN
Size 0x143
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 4.71208
MD5 9ce8c70178061cc4cf4a6bb1e291df93
SHA1 dc9804dd3aa348fb0c05f53c53c698518af514a0
SHA256 6f88bc7cb02ccb2dbc26b5f4ce53e355b331e31bb920b2ba8cbbcd1b5d4cd5a0
SHA3 9492809889cb617928395fd8b46fc6dd11eeb9b1101175bd478b7c4ca5bc10e1

Version Info

Signature 0xfeef04bd
StructVersion 0x10000
FileVersion 3.1.111.107
ProductVersion 3.1.111.107
FileFlags (EMPTY)
FileOs VOS_DOS_WINDOWS32
VOS_NT
VOS_NT_WINDOWS32
VOS_WINCE
VOS__WINDOWS32
FileType VFT_APP
Language English - United States
FileDescription The Fabulous Toontown Rewritten Engine
FileVersion (#2) 3.1.111.107
InternalName TTREngine.exe
LegalCopyright (C) Toontown Rewritten 2019
OriginalFilename TTREngine.exe
ProductName TTREngine
ProductVersion (#2) 3.1.111.107
Resource LangID English - United States

TLS Callbacks

Load Configuration

RICH Header

Errors

[!] Error: Could not reach the TLS callback table.
[*] Warning: Section .themida has a size of 0!