Architecture |
IMAGE_FILE_MACHINE_AMD64
|
Subsystem |
IMAGE_SUBSYSTEM_WINDOWS_CUI
|
Compilation Date |
2018-Feb-06 10:32:46
|
Detected languages |
English - United States
|
Suspicious |
The PE is possibly packed: sections .AKS1 and .AKS2 have near-maximal entropy (7.999), each has a virtual size roughly three times its raw size (room for in-memory decompression), and the entry point (0x265000) lies in the small .AKS3 section, consistent with an unpacking stub. |
Unusual section name found: .AKS1
Section .AKS1 is both writable and executable.
Unusual section name found: .AKS2
Section .AKS2 is both writable and executable.
Unusual section name found: .AKS3
Section .AKS3 is both writable and executable.
The PE only has 5 import(s), among them GetModuleHandleA and GetProcAddress — the minimal pair needed to resolve further APIs at run time; the linker (Rich) header metadata below records 118 import objects at link time, so the visible import table is unlikely to be the original one.
|
Info |
The PE contains common functions which appear in legitimate applications. |
Can access the registry: RegCloseKey (the only ADVAPI32.dll import)
|
Malicious |
The file contains overlay data. |
984324 bytes of data starting at offset 0xd7400.
The file contains a Zip Compressed Archive after the PE data; the overlay begins exactly where the last section's raw data ends (0xb8400 + 0x1f000 = 0xd7400), so it is not referenced by the section table and should be carved and analysed as a separate artefact.
|
Malicious |
VirusTotal score: 3/60 (Scanned on 2019-04-11 03:53:06) — a low detection count is common for packed samples and should not be read as evidence that the file is benign. |
Trapmine:
suspicious.low.ml.score
SentinelOne:
DFI - Suspicious PE
CrowdStrike:
win/malicious_confidence_60% (D)
|
MD5 |
18a68a9888459b469157f205fa7e3987
|
SHA1 |
ed82ff724f90e6ddb41b663d5a321603f7713deb
|
SHA256 |
7af7d5461005b29abf032de7f8de4de56a774c9c011e8e4041ac5cf2ea56c4c9
|
SHA3 |
1b7c189145f861d6af4051c5620973cfadeea8db79473460e34bf863e3eaf4e7
|
SSDeep |
24576:GGlEdtt6tZ9zy8dHM5u6SQV3SbnNdcuFVzoXRT5bsUBSRC59PXHUj6Y8ojRQ:GGlnv1yqHwuIVCbnN24q3Pkc59PXsnG
|
Imports Hash |
fc750389bb15ccbea09917bc981aa0eb
|
e_magic |
MZ
|
e_cblp |
0x90
|
e_cp |
0x3
|
e_crlc |
0
|
e_cparhdr |
0x4
|
e_minalloc |
0
|
e_maxalloc |
0xffff
|
e_ss |
0
|
e_sp |
0xb8
|
e_csum |
0
|
e_ip |
0
|
e_cs |
0
|
e_ovno |
0
|
e_oemid |
0
|
e_oeminfo |
0
|
e_lfanew |
0x108
|
Signature |
PE
|
Machine |
IMAGE_FILE_MACHINE_AMD64
|
NumberofSections |
4
|
TimeDateStamp |
2018-Feb-06 10:32:46
|
PointerToSymbolTable |
0
|
NumberOfSymbols |
0
|
SizeOfOptionalHeader |
0xf0
|
Characteristics |
IMAGE_FILE_DEBUG_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_RELOCS_STRIPPED
|
Magic |
PE32+
|
LinkerVersion |
14.0
|
SizeOfCode |
0xa2e00
|
SizeOfInitializedData |
0x5ac00
|
SizeOfUninitializedData |
0
|
AddressOfEntryPoint |
0x0000000000265000 (Section: .AKS3)
|
BaseOfCode |
0x1000
|
ImageBase |
0x140000000
|
SectionAlignment |
0x1000
|
FileAlignment |
0x200
|
OperatingSystemVersion |
6.0
|
ImageVersion |
0.0
|
SubsystemVersion |
6.0
|
Win32VersionValue |
0
|
SizeOfImage |
0x285000
|
SizeOfHeaders |
0x400
|
Checksum |
0xe33d0
|
Subsystem |
IMAGE_SUBSYSTEM_WINDOWS_CUI
|
DllCharacteristics |
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
|
SizeofStackReserve |
0x4000000
|
SizeofStackCommit |
0x1000
|
SizeofHeapReserve |
0x100000
|
SizeofHeapCommit |
0x1000
|
LoaderFlags |
0
|
NumberOfRvaAndSizes |
16
|
MD5 |
1f40971985ce22bfca10f6162255324f
|
SHA1 |
a170a5195c2275be82ded7fe542a4aa8fd5d8483
|
SHA256 |
68aeb2529cfa3b7985e58502898b600a31b9cf21a7e3dd71ab5ef5ea7e486aad
|
SHA3 |
6c645e1787e35dfec3f1f1b9e3ef7d6b94105493544910fc3115f992a12806b1
|
VirtualSize |
0x103000
|
VirtualAddress |
0x1000
|
SizeOfRawData |
0x52c00
|
PointerToRawData |
0x400
|
PointerToRelocations |
0
|
PointerToLineNumbers |
0
|
NumberOfLineNumbers |
0
|
NumberOfRelocations |
0
|
Characteristics |
IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
|
Entropy |
7.99943
|
MD5 |
71ef91c53ef17f2d620ef5313a2e6ebc
|
SHA1 |
f2275afe19ca88a7320c95aba8cc7cce31453331
|
SHA256 |
0a40fd2f08f864fef8092e7ea5a65dd3bd13587258f9d7470c631b898e4f6c75
|
SHA3 |
91974ceea131800deb6b0e12de27b2fd652a4dc89667dac01fae62cabc38e278
|
VirtualSize |
0x161000
|
VirtualAddress |
0x104000
|
SizeOfRawData |
0x64e00
|
PointerToRawData |
0x53000
|
PointerToRelocations |
0
|
PointerToLineNumbers |
0
|
NumberOfLineNumbers |
0
|
NumberOfRelocations |
0
|
Characteristics |
IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
|
Entropy |
7.99934
|
MD5 |
264c1918b481ba99e33a524ded96a97b
|
SHA1 |
359d72cefa5f7d8d9ebeca0a2d3d3581a7b50452
|
SHA256 |
b3edfe6643deaeb246e6c736581562988b0be0d2c36cf5d08222814c166ab012
|
SHA3 |
5f2f37f549f4ac05e1b30157c8455346fccda44f4fb7e72c65ebd0fc30e46748
|
VirtualSize |
0x5b0
|
VirtualAddress |
0x265000
|
SizeOfRawData |
0x600
|
PointerToRawData |
0xb7e00
|
PointerToRelocations |
0
|
PointerToLineNumbers |
0
|
NumberOfLineNumbers |
0
|
NumberOfRelocations |
0
|
Characteristics |
IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
|
Entropy |
6.27524
|
MD5 |
9deed7e5e822cab43ddbaae0cbdb76ba
|
SHA1 |
b7eea37b4e56d60187f8017475d74e98d059ea1d
|
SHA256 |
34aba02ec3e1a434b8d9aa2771efcbcc43a3d64122f9c949fa171dba37b9cddf
|
SHA3 |
2e60ee1663cafb147804817acd29a732c93e7faed1fba24b5093a9c370076a40
|
VirtualSize |
0x1efcc
|
VirtualAddress |
0x266000
|
SizeOfRawData |
0x1f000
|
PointerToRawData |
0xb8400
|
PointerToRelocations |
0
|
PointerToLineNumbers |
0
|
NumberOfLineNumbers |
0
|
NumberOfRelocations |
0
|
Characteristics |
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
|
Entropy |
4.26306
|
KERNEL32 |
GetModuleHandleA
GetProcAddress
|
ADVAPI32.dll |
RegCloseKey
|
USER32.dll |
MessageBoxW
|
OLEAUT32.dll |
#4
|
Ordinal |
1
|
Address |
0xd4038
|
Ordinal |
2
|
Address |
0xd4040
|
Ordinal |
3
|
Address |
0xd4030
|
Type |
RT_ICON
|
Language |
English - United States
|
Codepage |
Latin 1 / Western European
|
Size |
0x128
|
TimeDateStamp |
1980-Jan-01 00:00:00
|
Entropy |
3.24012
|
MD5 |
08311e20dfea5c275a5221780b82469e
|
SHA1 |
7e8604549bbfd4178e7bb59a70b000740c63724a
|
SHA256 |
bdcb1c36242f0c65016cccb26e5a212d9ce0e3136f6dade75ec186854583c23b
|
SHA3 |
103d683bdd6debaaf66802f5c1d7e0011d1bfa31a9bf13ec9ac10169ad532356
|
Type |
RT_ICON
|
Language |
English - United States
|
Codepage |
Latin 1 / Western European
|
Size |
0x2e8
|
TimeDateStamp |
1980-Jan-01 00:00:00
|
Entropy |
3.3281
|
MD5 |
bbee03e1fcc89f8056a7b391a8f36c6d
|
SHA1 |
62c8cca44cbf455877d9fb6586fe3207eaee0509
|
SHA256 |
852145c00de9fe15be5006817ec124fae147ff4ad61c537becb895d7fd9b1c32
|
SHA3 |
5d4233a99354f4a7c71a64b7ba0f0de5b71f8aa9e2b9aac183f423977b82527e
|
Type |
RT_ICON
|
Language |
English - United States
|
Codepage |
Latin 1 / Western European
|
Size |
0x668
|
TimeDateStamp |
1980-Jan-01 00:00:00
|
Entropy |
3.31355
|
MD5 |
8943f7c656e3e30c5479a3494e627404
|
SHA1 |
3d163ee840510c9f67ca683fb608f30aba698d1d
|
SHA256 |
d6bf5a97ebb18f81e0b179ca90088061a7e8dba6b9588936fe20f51af8066390
|
SHA3 |
dc54890a238bba510f2e140e289f193cea76df230ae297b799cfec1e70ad5d2d
|
Type |
RT_ICON
|
Language |
English - United States
|
Codepage |
Latin 1 / Western European
|
Size |
0xa068
|
TimeDateStamp |
1980-Jan-01 00:00:00
|
Entropy |
3.11766
|
MD5 |
4406379a9e18840cb8ebaff6246f3581
|
SHA1 |
a6f4584df116559e05f3e7a709dd85937446410c
|
SHA256 |
bc9b8d4cd65db83c886e2ce828bd3a61a015e7781ddede9c5f62942a7fbdd2a0
|
SHA3 |
2bfb009ccd56af95e549e11a6be392ec82cf1eef9ad0d1122d1ad9001345f33f
|
Type |
RT_ICON
|
Language |
English - United States
|
Codepage |
Latin 1 / Western European
|
Size |
0x568
|
TimeDateStamp |
1980-Jan-01 00:00:00
|
Entropy |
3.66407
|
MD5 |
33115c0b33bd97462ae05c30955aaa15
|
SHA1 |
8dde1a317782d12aeb47cffae577703a38a14aef
|
SHA256 |
5070d2bfb3f86ac78118b2e7fa768fd920a44677a99a1af451398b078ba9d43d
|
SHA3 |
4727775047276e5d547555fba7f1587323c557a0966d9f27ae898b8c62bd3280
|
Type |
RT_ICON
|
Language |
English - United States
|
Codepage |
Latin 1 / Western European
|
Size |
0x8a8
|
TimeDateStamp |
1980-Jan-01 00:00:00
|
Entropy |
5.63327
|
MD5 |
08f7c6c5b21df2ce3cc643a1a698aaa3
|
SHA1 |
000a87c94563b1ea1e1a951856a97479428452fb
|
SHA256 |
4ee0c8a0cf595a2be6e59e8b3ae7e88a2d83c47dc05b07fba2229bbe210d6760
|
SHA3 |
51bf9cc6f6792e659842458adbcb8cd33bfe3b7405868e3259da77b48d0efa42
|
Type |
RT_ICON
|
Language |
English - United States
|
Codepage |
Latin 1 / Western European
|
Size |
0xea8
|
TimeDateStamp |
1980-Jan-01 00:00:00
|
Entropy |
4.76092
|
MD5 |
f00d0fa5c4d6899290a7a38a4e2d92bf
|
SHA1 |
f9ba8fd44db65f50a6c9f75d223dde5578b74428
|
SHA256 |
4581c4a3ab0360e5ab004a138c1ce2616691d5f0701a152981af027f2606217c
|
SHA3 |
db41e3e1adde4cf480dd4d755516314e4de6e24544fdb61159280bfa18179e79
|
Type |
RT_ICON
|
Language |
English - United States
|
Codepage |
Latin 1 / Western European
|
Size |
0x12428
|
TimeDateStamp |
1980-Jan-01 00:00:00
|
Entropy |
3.66584
|
MD5 |
4a3ab0173ab62ec2b263b5b07643ef1e
|
SHA1 |
8abc444e985405a7637238ab9f1d3b21df6a4286
|
SHA256 |
452e61b2f5e760e05abca853502b7d931d67d3ccb6c36ca8e2ba9002f934ec1b
|
SHA3 |
e0d39290e226c97867b382fc08df79fd9e5f425f4d27a1deedb5dcbd5ac968ff
|
Type |
RT_GROUP_ICON
|
Language |
English - United States
|
Codepage |
Latin 1 / Western European
|
Size |
0x76
|
TimeDateStamp |
1980-Jan-01 00:00:00
|
Entropy |
2.8478
|
Detected Filetype |
Icon file
|
MD5 |
80f61ee14ad21e8fe72216e9b8289d2c
|
SHA1 |
3d27828ff01421726a673abb8fb248466a3d23ae
|
SHA256 |
df6d5c1b9652744d3825df5e96d606f5f7536db3517af8cc0e7e8418f19e8319
|
SHA3 |
e9af3b7b8dc3a5b6355c24fbf270224c337c7899248227c9e4fac0f670b2d5ea
|
Type |
RT_MANIFEST
|
Language |
English - United States
|
Codepage |
Latin 1 / Western European
|
Size |
0x15a
|
TimeDateStamp |
1980-Jan-01 00:00:00
|
Entropy |
4.79597
|
MD5 |
24d3b502e1846356b0263f945ddd5529
|
SHA1 |
bac45b86a9c48fc3756a46809c101570d349737d
|
SHA256 |
49a60be4b95b6d30da355a0c124af82b35000bce8f24f957d1c09ead47544a1e
|
SHA3 |
1244ed60820da52dc4b53880ec48e3b587dbdbd9545f01fa2b1c0fcfea1d5e9e
|
StartAddressOfRawData |
0x1402655a8
|
EndAddressOfRawData |
0x1402655b0
|
AddressOfIndex |
0x1402655a4
|
AddressOfCallbacks |
0x1402655b0
|
SizeOfZeroFill |
0
|
Characteristics |
IMAGE_SCN_TYPE_REG
|
Callbacks |
(EMPTY)
|
XOR Key |
0xfd9f3958
|
Unmarked objects |
0
|
241 (40116) |
9
|
243 (40116) |
152
|
242 (40116) |
25
|
ASM objects (VS2015 UPD3 build 24123) |
8
|
C objects (VS2015 UPD3 build 24123) |
37
|
C++ objects (VS2015 UPD3 build 24123) |
60
|
Imports (65501) |
9
|
Total imports |
118
|
C++ objects (VS2015 UPD3.1 build 24215) |
2
|
Exports (VS2015 UPD3.1 build 24215) |
1
|
Resource objects (VS2015 UPD3 build 24210) |
1
|
Linker (VS2015 UPD3.1 build 24215) |
1
|
[*] Warning: Could not read the name of the DLL to be delay-loaded! (A delay-load import directory is present but its DLL-name pointer could not be resolved; the directory may be malformed or may point into data that is only valid after unpacking.)