Architecture | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem | IMAGE_SUBSYSTEM_WINDOWS_CUI |
Compilation Date | 2018-Mar-02 12:17:54 |
Detected languages | English - United States |
Suspicious | PEiD Signature: UPX V2.00-V2.90 -> Markus Oberhumer & Laszlo Molnar & John Reiser; UPX -> www.upx.sourceforge.net; UPX V2.00-V2.90 -> Markus Oberhumer & Laszlo Molnar & John Reiser; UPX 2.00-3.0X -> Markus Oberhumer & Laszlo Molnar & John Reiser |
Suspicious | The PE is packed with UPX. Unusual section name found: UPX0. Section UPX0 is both writable and executable. Unusual section name found: UPX1. Section UPX1 is both writable and executable. The PE's resources are bigger than it is. |
Info | The PE contains common functions which appear in legitimate applications. [!] The program may be hiding some of its imports: |
Suspicious | The PE is possibly a dropper. Resource 105 is possibly compressed or encrypted. Resource 101 is possibly compressed or encrypted. Resource 102 is possibly compressed or encrypted. Resource 103 is possibly compressed or encrypted. Resource 104 is possibly compressed or encrypted. Resources amount for 205.587% of the executable. |
Suspicious | VirusTotal score: 2/67 (Scanned on 2018-03-11 10:13:37). Invincea: heuristic; CrowdStrike: malicious_confidence_80% (W) |
e_magic | MZ |
---|---|
e_cblp | 0x90 |
e_cp | 0x3 |
e_crlc | 0 |
e_cparhdr | 0x4 |
e_minalloc | 0 |
e_maxalloc | 0xffff |
e_ss | 0 |
e_sp | 0xb8 |
e_csum | 0 |
e_ip | 0 |
e_cs | 0 |
e_ovno | 0 |
e_oemid | 0 |
e_oeminfo | 0 |
e_lfanew | 0x100 |
Signature | PE |
---|---|
Machine | IMAGE_FILE_MACHINE_I386 |
NumberofSections | 3 |
TimeDateStamp | 2018-Mar-02 12:17:54 |
PointerToSymbolTable | 0 |
NumberOfSymbols | 0 |
SizeOfOptionalHeader | 0xe0 |
Characteristics | IMAGE_FILE_32BIT_MACHINE, IMAGE_FILE_EXECUTABLE_IMAGE |
Magic | PE32 |
---|---|
LinkerVersion | 14.0 |
SizeOfCode | 0x7c000 |
SizeOfInitializedData | 0x1000 |
SizeOfUninitializedData | 0x9c000 |
AddressOfEntryPoint | 0x00118680 (Section: UPX1) |
BaseOfCode | 0x9d000 |
BaseOfData | 0x119000 |
ImageBase | 0x400000 |
SectionAlignment | 0x1000 |
FileAlignment | 0x200 |
OperatingSystemVersion | 6.0 |
ImageVersion | 0.0 |
SubsystemVersion | 6.0 |
Win32VersionValue | 0 |
SizeOfImage | 0x11a000 |
SizeOfHeaders | 0x1000 |
Checksum | 0 |
Subsystem | IMAGE_SUBSYSTEM_WINDOWS_CUI |
DllCharacteristics | IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE, IMAGE_DLLCHARACTERISTICS_NX_COMPAT, IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE |
SizeofStackReserve | 0x100000 |
SizeofStackCommit | 0x1000 |
SizeofHeapReserve | 0x100000 |
SizeofHeapCommit | 0x1000 |
LoaderFlags | 0 |
NumberOfRvaAndSizes | 16 |
api-ms-win-crt-heap-l1-1-0.dll | free |
---|---|
api-ms-win-crt-locale-l1-1-0.dll | _configthreadlocale |
api-ms-win-crt-math-l1-1-0.dll | sin |
api-ms-win-crt-runtime-l1-1-0.dll | exit |
api-ms-win-crt-stdio-l1-1-0.dll | _set_fmode |
api-ms-win-crt-time-l1-1-0.dll | clock |
api-ms-win-crt-utility-l1-1-0.dll | abs |
GDI32.dll | CreateFontA |
GLU32.dll | gluPerspective |
KERNEL32.DLL | LoadLibraryA, ExitProcess, GetProcAddress, VirtualProtect |
MSVCP140.dll | ?_Xbad_alloc@std@@YAXXZ |
OPENGL32.dll | glEnd |
USER32.dll | GetDC |
VCRUNTIME140.dll | memcpy |
WINMM.dll | waveOutOpen |