18a68a9888459b469157f205fa7e3987

Summary

Architecture IMAGE_FILE_MACHINE_AMD64
Subsystem IMAGE_SUBSYSTEM_WINDOWS_CUI
Compilation Date 2018-Feb-06 10:32:46
Detected languages English - United States

Plugin Output

Suspicious: The PE is possibly packed.
  • Unusual section name found: .AKS1
  • Section .AKS1 is both writable and executable.
  • Unusual section name found: .AKS2
  • Section .AKS2 is both writable and executable.
  • Unusual section name found: .AKS3
  • Section .AKS3 is both writable and executable.
  • The PE only has 5 import(s).
Info: The PE contains common functions which appear in legitimate applications.
  • Can access the registry: RegCloseKey
Malicious: The file contains overlay data.
  • 984324 bytes of data starting at offset 0xd7400.
  • The file contains a Zip Compressed Archive after the PE data.
Malicious: VirusTotal score: 3/60 (Scanned on 2019-04-11 03:53:06)
  • Trapmine: suspicious.low.ml.score
  • SentinelOne: DFI - Suspicious PE
  • CrowdStrike: win/malicious_confidence_60% (D)

Hashes

MD5 18a68a9888459b469157f205fa7e3987
SHA1 ed82ff724f90e6ddb41b663d5a321603f7713deb
SHA256 7af7d5461005b29abf032de7f8de4de56a774c9c011e8e4041ac5cf2ea56c4c9
SHA3 1b7c189145f861d6af4051c5620973cfadeea8db79473460e34bf863e3eaf4e7
SSDeep 24576:GGlEdtt6tZ9zy8dHM5u6SQV3SbnNdcuFVzoXRT5bsUBSRC59PXHUj6Y8ojRQ:GGlnv1yqHwuIVCbnN24q3Pkc59PXsnG
Imports Hash fc750389bb15ccbea09917bc981aa0eb

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0x108

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_AMD64
NumberofSections 4
TimeDateStamp 2018-Feb-06 10:32:46
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xf0
Characteristics
  • IMAGE_FILE_DEBUG_STRIPPED
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LARGE_ADDRESS_AWARE
  • IMAGE_FILE_RELOCS_STRIPPED

Image Optional Header

Magic PE32+
LinkerVersion 14.0
SizeOfCode 0xa2e00
SizeOfInitializedData 0x5ac00
SizeOfUninitializedData 0
AddressOfEntryPoint 0x0000000000265000 (Section: .AKS3)
BaseOfCode 0x1000
ImageBase 0x140000000
SectionAlignment 0x1000
FileAlignment 0x200
OperatingSystemVersion 6.0
ImageVersion 0.0
SubsystemVersion 6.0
Win32VersionValue 0
SizeOfImage 0x285000
SizeOfHeaders 0x400
Checksum 0xe33d0
Subsystem IMAGE_SUBSYSTEM_WINDOWS_CUI
DllCharacteristics
  • IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
  • IMAGE_DLLCHARACTERISTICS_NX_COMPAT
  • IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
SizeofStackReserve 0x4000000
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

.AKS1

MD5 1f40971985ce22bfca10f6162255324f
SHA1 a170a5195c2275be82ded7fe542a4aa8fd5d8483
SHA256 68aeb2529cfa3b7985e58502898b600a31b9cf21a7e3dd71ab5ef5ea7e486aad
SHA3 6c645e1787e35dfec3f1f1b9e3ef7d6b94105493544910fc3115f992a12806b1
VirtualSize 0x103000
VirtualAddress 0x1000
SizeOfRawData 0x52c00
PointerToRawData 0x400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics
  • IMAGE_SCN_CNT_CODE
  • IMAGE_SCN_CNT_INITIALIZED_DATA
  • IMAGE_SCN_CNT_UNINITIALIZED_DATA
  • IMAGE_SCN_MEM_EXECUTE
  • IMAGE_SCN_MEM_READ
  • IMAGE_SCN_MEM_WRITE
Entropy 7.99943

.AKS2

MD5 71ef91c53ef17f2d620ef5313a2e6ebc
SHA1 f2275afe19ca88a7320c95aba8cc7cce31453331
SHA256 0a40fd2f08f864fef8092e7ea5a65dd3bd13587258f9d7470c631b898e4f6c75
SHA3 91974ceea131800deb6b0e12de27b2fd652a4dc89667dac01fae62cabc38e278
VirtualSize 0x161000
VirtualAddress 0x104000
SizeOfRawData 0x64e00
PointerToRawData 0x53000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics
  • IMAGE_SCN_CNT_CODE
  • IMAGE_SCN_CNT_INITIALIZED_DATA
  • IMAGE_SCN_CNT_UNINITIALIZED_DATA
  • IMAGE_SCN_MEM_EXECUTE
  • IMAGE_SCN_MEM_READ
  • IMAGE_SCN_MEM_WRITE
Entropy 7.99934

.AKS3

MD5 264c1918b481ba99e33a524ded96a97b
SHA1 359d72cefa5f7d8d9ebeca0a2d3d3581a7b50452
SHA256 b3edfe6643deaeb246e6c736581562988b0be0d2c36cf5d08222814c166ab012
SHA3 5f2f37f549f4ac05e1b30157c8455346fccda44f4fb7e72c65ebd0fc30e46748
VirtualSize 0x5b0
VirtualAddress 0x265000
SizeOfRawData 0x600
PointerToRawData 0xb7e00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics
  • IMAGE_SCN_CNT_CODE
  • IMAGE_SCN_CNT_INITIALIZED_DATA
  • IMAGE_SCN_CNT_UNINITIALIZED_DATA
  • IMAGE_SCN_MEM_EXECUTE
  • IMAGE_SCN_MEM_READ
  • IMAGE_SCN_MEM_WRITE
Entropy 6.27524

.rsrc

MD5 9deed7e5e822cab43ddbaae0cbdb76ba
SHA1 b7eea37b4e56d60187f8017475d74e98d059ea1d
SHA256 34aba02ec3e1a434b8d9aa2771efcbcc43a3d64122f9c949fa171dba37b9cddf
SHA3 2e60ee1663cafb147804817acd29a732c93e7faed1fba24b5093a9c370076a40
VirtualSize 0x1efcc
VirtualAddress 0x266000
SizeOfRawData 0x1f000
PointerToRawData 0xb8400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics
  • IMAGE_SCN_CNT_INITIALIZED_DATA
  • IMAGE_SCN_MEM_READ
  • IMAGE_SCN_MEM_WRITE
Entropy 4.26306

Imports

KERNEL32
  • GetModuleHandleA
  • GetProcAddress
ADVAPI32.dll
  • RegCloseKey
USER32.dll
  • MessageBoxW
OLEAUT32.dll
  • #4

Delayed Imports

ctfxlauncher_build_date

Ordinal 1
Address 0xd4038

ctfxlauncher_relative_path

Ordinal 2
Address 0xd4040

ctfxlauncher_version

Ordinal 3
Address 0xd4030

1

Type RT_ICON
Language English - United States
Codepage Latin 1 / Western European
Size 0x128
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 3.24012
MD5 08311e20dfea5c275a5221780b82469e
SHA1 7e8604549bbfd4178e7bb59a70b000740c63724a
SHA256 bdcb1c36242f0c65016cccb26e5a212d9ce0e3136f6dade75ec186854583c23b
SHA3 103d683bdd6debaaf66802f5c1d7e0011d1bfa31a9bf13ec9ac10169ad532356

2

Type RT_ICON
Language English - United States
Codepage Latin 1 / Western European
Size 0x2e8
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 3.3281
MD5 bbee03e1fcc89f8056a7b391a8f36c6d
SHA1 62c8cca44cbf455877d9fb6586fe3207eaee0509
SHA256 852145c00de9fe15be5006817ec124fae147ff4ad61c537becb895d7fd9b1c32
SHA3 5d4233a99354f4a7c71a64b7ba0f0de5b71f8aa9e2b9aac183f423977b82527e

3

Type RT_ICON
Language English - United States
Codepage Latin 1 / Western European
Size 0x668
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 3.31355
MD5 8943f7c656e3e30c5479a3494e627404
SHA1 3d163ee840510c9f67ca683fb608f30aba698d1d
SHA256 d6bf5a97ebb18f81e0b179ca90088061a7e8dba6b9588936fe20f51af8066390
SHA3 dc54890a238bba510f2e140e289f193cea76df230ae297b799cfec1e70ad5d2d

4

Type RT_ICON
Language English - United States
Codepage Latin 1 / Western European
Size 0xa068
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 3.11766
MD5 4406379a9e18840cb8ebaff6246f3581
SHA1 a6f4584df116559e05f3e7a709dd85937446410c
SHA256 bc9b8d4cd65db83c886e2ce828bd3a61a015e7781ddede9c5f62942a7fbdd2a0
SHA3 2bfb009ccd56af95e549e11a6be392ec82cf1eef9ad0d1122d1ad9001345f33f

5

Type RT_ICON
Language English - United States
Codepage Latin 1 / Western European
Size 0x568
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 3.66407
MD5 33115c0b33bd97462ae05c30955aaa15
SHA1 8dde1a317782d12aeb47cffae577703a38a14aef
SHA256 5070d2bfb3f86ac78118b2e7fa768fd920a44677a99a1af451398b078ba9d43d
SHA3 4727775047276e5d547555fba7f1587323c557a0966d9f27ae898b8c62bd3280

6

Type RT_ICON
Language English - United States
Codepage Latin 1 / Western European
Size 0x8a8
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 5.63327
MD5 08f7c6c5b21df2ce3cc643a1a698aaa3
SHA1 000a87c94563b1ea1e1a951856a97479428452fb
SHA256 4ee0c8a0cf595a2be6e59e8b3ae7e88a2d83c47dc05b07fba2229bbe210d6760
SHA3 51bf9cc6f6792e659842458adbcb8cd33bfe3b7405868e3259da77b48d0efa42

7

Type RT_ICON
Language English - United States
Codepage Latin 1 / Western European
Size 0xea8
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 4.76092
MD5 f00d0fa5c4d6899290a7a38a4e2d92bf
SHA1 f9ba8fd44db65f50a6c9f75d223dde5578b74428
SHA256 4581c4a3ab0360e5ab004a138c1ce2616691d5f0701a152981af027f2606217c
SHA3 db41e3e1adde4cf480dd4d755516314e4de6e24544fdb61159280bfa18179e79

8

Type RT_ICON
Language English - United States
Codepage Latin 1 / Western European
Size 0x12428
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 3.66584
MD5 4a3ab0173ab62ec2b263b5b07643ef1e
SHA1 8abc444e985405a7637238ab9f1d3b21df6a4286
SHA256 452e61b2f5e760e05abca853502b7d931d67d3ccb6c36ca8e2ba9002f934ec1b
SHA3 e0d39290e226c97867b382fc08df79fd9e5f425f4d27a1deedb5dcbd5ac968ff

1 (#2)

Type RT_GROUP_ICON
Language English - United States
Codepage Latin 1 / Western European
Size 0x76
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 2.8478
Detected Filetype Icon file
MD5 80f61ee14ad21e8fe72216e9b8289d2c
SHA1 3d27828ff01421726a673abb8fb248466a3d23ae
SHA256 df6d5c1b9652744d3825df5e96d606f5f7536db3517af8cc0e7e8418f19e8319
SHA3 e9af3b7b8dc3a5b6355c24fbf270224c337c7899248227c9e4fac0f670b2d5ea

1 (#3)

Type RT_MANIFEST
Language English - United States
Codepage Latin 1 / Western European
Size 0x15a
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 4.79597
MD5 24d3b502e1846356b0263f945ddd5529
SHA1 bac45b86a9c48fc3756a46809c101570d349737d
SHA256 49a60be4b95b6d30da355a0c124af82b35000bce8f24f957d1c09ead47544a1e
SHA3 1244ed60820da52dc4b53880ec48e3b587dbdbd9545f01fa2b1c0fcfea1d5e9e

Version Info

TLS Callbacks

StartAddressOfRawData 0x1402655a8
EndAddressOfRawData 0x1402655b0
AddressOfIndex 0x1402655a4
AddressOfCallbacks 0x1402655b0
SizeOfZeroFill 0
Characteristics IMAGE_SCN_TYPE_REG
Callbacks (EMPTY)

Load Configuration

RICH Header

XOR Key 0xfd9f3958
Unmarked objects 0
241 (40116) 9
243 (40116) 152
242 (40116) 25
ASM objects (VS2015 UPD3 build 24123) 8
C objects (VS2015 UPD3 build 24123) 37
C++ objects (VS2015 UPD3 build 24123) 60
Imports (65501) 9
Total imports 118
C++ objects (VS2015 UPD3.1 build 24215) 2
Exports (VS2015 UPD3.1 build 24215) 1
Resource objects (VS2015 UPD3 build 24210) 1
Linker (VS2015 UPD3.1 build 24215) 1

Errors

[*] Warning: Could not read the name of the DLL to be delay-loaded!