19927f9acb00ca90b7c24e7660ae6c9c

Summary

Architecture IMAGE_FILE_MACHINE_I386
Subsystem IMAGE_SUBSYSTEM_WINDOWS_CUI
Compilation Date 2018-Mar-02 12:17:54
Detected languages English - United States

Plugin Output

Suspicious  PEiD Signature:
  • UPX V2.00-V2.90 -> Markus Oberhumer & Laszlo Molnar & John Reiser
  • UPX -> www.upx.sourceforge.net
  • UPX V2.00-V2.90 -> Markus Oberhumer & Laszlo Molnar & John Reiser
  • UPX 2.00-3.0X -> Markus Oberhumer & Laszlo Molnar & John Reiser

Suspicious  The PE is packed with UPX:
  • Unusual section name found: UPX0
  • Section UPX0 is both writable and executable.
  • Unusual section name found: UPX1
  • Section UPX1 is both writable and executable.
  • The PE's resources are bigger than it is.

Info  The PE contains common functions which appear in legitimate applications.
  [!] The program may be hiding some of its imports:
  • LoadLibraryA
  • GetProcAddress

Suspicious  The PE is possibly a dropper:
  • Resource 105 is possibly compressed or encrypted.
  • Resource 101 is possibly compressed or encrypted.
  • Resource 102 is possibly compressed or encrypted.
  • Resource 103 is possibly compressed or encrypted.
  • Resource 104 is possibly compressed or encrypted.
  • Resources account for 205.587% of the executable.

Suspicious  VirusTotal score: 2/67 (scanned on 2018-03-11 10:13:37)
  • Invincea: heuristic
  • CrowdStrike: malicious_confidence_80% (W)
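
The section-level and import-level checks behind these findings can be reproduced without the tool. The Python below is an added example written for this page; it is not Manalyze code and does not claim to use its thresholds. It walks the DOS, PE and section headers with struct alone, flags the UPX section names, the writable-and-executable sections, the UPX0 section that occupies 0x9c000 bytes in memory but none on disk, the entry point inside UPX1 and the entropy of each section's bytes, and applies the import-table heuristic that produced the "may be hiding some of its imports" line. The PE image it inspects is constructed in memory from the header values in this report, with synthetic section contents, so it runs offline and is not the sample itself; IMPORTS_FROM_REPORT is copied from the Imports section below. The entropy threshold of 7.0, the UPX2 section name and the "one import per DLL" rule are assumptions of this example.

```python
"""Added example (not Manalyze code): re-derive the packer findings above from raw PE headers."""
from collections import Counter
import hashlib
import math
import struct

IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE = 0x20000000, 0x40000000, 0x80000000
PACKER_SECTION_NAMES = {"UPX0", "UPX1", "UPX2"}  # assumption: names this check treats as packer sections
UPX_STUB_KERNEL32 = {"LoadLibraryA", "GetProcAddress", "VirtualProtect", "ExitProcess"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8 for compressed/encrypted data, roughly 4-5 for text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_pe(image: bytes):
    """Return (AddressOfEntryPoint, [section dicts]) by walking DOS -> PE -> section table."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    _, n_sections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, e_lfanew + 4)
    opt_hdr = e_lfanew + 24  # 4-byte signature + 20-byte file header
    entry_rva = struct.unpack_from("<I", image, opt_hdr + 16)[0]  # same offset in PE32 and PE32+
    sections = []
    for i in range(n_sections):
        f = struct.unpack_from("<8sIIIIIIHHI", image, opt_hdr + opt_size + 40 * i)
        name, vsize, vaddr, raw_size, raw_ptr, chars = f[0], f[1], f[2], f[3], f[4], f[9]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"), "vsize": vsize,
                         "vaddr": vaddr, "raw_size": raw_size, "chars": chars,
                         "entropy": shannon_entropy(image[raw_ptr:raw_ptr + raw_size])})
    return entry_rva, sections


def packer_indicators(image: bytes) -> list:
    """Section-level checks behind the 'packed with UPX' findings, as strings."""
    entry_rva, sections = parse_pe(image)
    findings = []
    for s in sections:
        if s["name"] in PACKER_SECTION_NAMES:
            findings.append(f"Unusual section name found: {s['name']}")
        if s["chars"] & IMAGE_SCN_MEM_EXECUTE and s["chars"] & IMAGE_SCN_MEM_WRITE:
            findings.append(f"Section {s['name']} is both writable and executable.")
        if s["raw_size"] == 0 and s["vsize"] > 0:  # UPX0: memory reserved for the unpacked image
            findings.append(f"Section {s['name']} has 0 bytes on disk but {s['vsize']:#x} in memory.")
        if s["entropy"] > 7.0:  # assumption: threshold for "compressed or encrypted"
            findings.append(f"Section {s['name']} entropy {s['entropy']:.2f}: compressed or encrypted.")
        if s["vaddr"] <= entry_rva < s["vaddr"] + s["vsize"]:
            findings.append(f"Entry point {entry_rva:#x} is in section {s['name']}.")
    return findings


def hidden_import_indicators(imports: dict) -> list:
    """UPX keeps one import per original DLL and adds the KERNEL32 calls its stub needs at runtime."""
    by_dll = {dll.lower(): set(funcs) for dll, funcs in imports.items()}
    k32 = by_dll.get("kernel32.dll", set())
    findings = []
    if {"LoadLibraryA", "GetProcAddress"} <= k32:
        findings.append("LoadLibraryA + GetProcAddress: imports can be resolved at runtime.")
    if UPX_STUB_KERNEL32 <= k32:
        findings.append("KERNEL32 import set matches the UPX decompression stub.")
    others = [dll for dll in by_dll if dll != "kernel32.dll"]
    if others and all(len(by_dll[dll]) == 1 for dll in others):
        findings.append(f"All {len(others)} other DLLs import exactly one function each.")
    return findings


def build_sample_image() -> bytes:
    """Constructed PE: header values from this report, synthetic section contents."""
    img = bytearray(b"MZ").ljust(0x100, b"\0")  # DOS header/stub padded to e_lfanew
    struct.pack_into("<I", img, 0x3C, 0x100)     # e_lfanew = 0x100
    img += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, 0xE0, 0x0102)  # I386, 3 sections
    # Optional header: PE32 magic, linker 14.0, SizeOfCode/Initialized/Uninitialized, entry point
    img += struct.pack("<HBBIIII", 0x10B, 14, 0, 0x7C000, 0x1000, 0x9C000, 0x118680).ljust(0xE0, b"\0")
    upx1 = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(64))  # 2 KiB, high entropy
    rsrc = b'<?xml version="1.0"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1"/>'.ljust(0x200, b"\0")
    rwx = IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE
    table = [  # name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, Characteristics
        (b"UPX0", 0x9C000, 0x1000, 0, 0x400, rwx | 0x80),           # uninitialized data, nothing on disk
        (b"UPX1", 0x7C000, 0x9D000, len(upx1), 0x400, rwx | 0x40),  # compressed payload + stub
        (b".rsrc", 0x1000, 0x119000, len(rsrc), 0x400 + len(upx1), IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE | 0x40),
    ]
    for name, vsize, vaddr, rsz, rptr, chars in table:
        img += struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, rsz, rptr, 0, 0, 0, 0, chars)
    return bytes(img.ljust(0x400, b"\0") + upx1 + rsrc)


IMPORTS_FROM_REPORT = {  # copied from the Imports section of this report
    "KERNEL32.DLL": ["LoadLibraryA", "ExitProcess", "GetProcAddress", "VirtualProtect"],
    "api-ms-win-crt-heap-l1-1-0.dll": ["free"], "api-ms-win-crt-locale-l1-1-0.dll": ["_configthreadlocale"],
    "api-ms-win-crt-math-l1-1-0.dll": ["sin"], "api-ms-win-crt-runtime-l1-1-0.dll": ["exit"],
    "api-ms-win-crt-stdio-l1-1-0.dll": ["_set_fmode"], "api-ms-win-crt-time-l1-1-0.dll": ["clock"],
    "api-ms-win-crt-utility-l1-1-0.dll": ["abs"], "GDI32.dll": ["CreateFontA"], "GLU32.dll": ["gluPerspective"],
    "MSVCP140.dll": ["?_Xbad_alloc@std@@YAXXZ"], "OPENGL32.dll": ["glEnd"], "USER32.dll": ["GetDC"],
    "VCRUNTIME140.dll": ["memcpy"], "WINMM.dll": ["waveOutOpen"],
}
```

Calling packer_indicators(build_sample_image()) yields seven findings (three for UPX0, four for UPX1, none for .rsrc) and hidden_import_indicators(IMPORTS_FROM_REPORT) yields three. The same layout explains the Errors section at the end of this report: UPX0 has a VirtualSize of 0x9c000 but a SizeOfRawData of 0, so any RVA that resolves into it has no bytes in the file. That is the usual reason a static parser cannot reach the TLS callback table on a UPX-packed binary, and why the real imports, resources and TLS callbacks are only visible after the stub has run or the file has been unpacked (upx -d works when the stub has not been modified).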

Hashes

MD5 19927f9acb00ca90b7c24e7660ae6c9c
SHA1 1666e82df5fcb2754c4585d5097be74ac3ae7796
SHA256 a99b5976bd45c2b86a3da2470b3e07f9355c3319b3724cfb1021a6eaa2c805f1
SHA3 aaa7057add03ec7f568730f149732c95c1bc17a377fcfa0ac0734ba04f8e239e
SSDeep 12288:GNd8tJ43nmU9KFSogb33nGuLsJrRKKQEl1Dzivmt+:1tMmU9KFSogb32uLs+Sl1Dcm
Imports Hash e97d94ba5e8ddd5e4d5c6105f18030e1

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0x100

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_I386
NumberofSections 3
TimeDateStamp 2018-Mar-02 12:17:54
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xe0
Characteristics IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE

Image Optional Header

Magic PE32
LinkerVersion 14.0
SizeOfCode 0x7c000
SizeOfInitializedData 0x1000
SizeOfUninitializedData 0x9c000
AddressOfEntryPoint 0x00118680 (Section: UPX1)
BaseOfCode 0x9d000
BaseOfData 0x119000
ImageBase 0x400000
SectionAlignment 0x1000
FileAlignment 0x200
OperatingSystemVersion 6.0
ImageVersion 0.0
SubsystemVersion 6.0
Win32VersionValue 0
SizeOfImage 0x11a000
SizeOfHeaders 0x1000
Checksum 0
Subsystem IMAGE_SUBSYSTEM_WINDOWS_CUI
DllCharacteristics IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
SizeofStackReserve 0x100000
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

UPX0

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA3 a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a
VirtualSize 0x9c000
VirtualAddress 0x1000
SizeOfRawData 0
PointerToRawData 0x400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

UPX1

MD5 532678647d519d6714d2b0deee90c9d5
SHA1 9159f95a4bd9b689d1242e603d03064a77f9d444
SHA256 34d090973b9ae2c852e4a74ce54c001ab571aac1b2c834228b0501d4bbe1f034
SHA3 2a13acfe6547c07b49ead1432c59428ceb95ac99c6f5c03cd56f5c4cf079429b
VirtualSize 0x7c000
VirtualAddress 0x9d000
SizeOfRawData 0x7ba00
PointerToRawData 0x400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 7.84038

.rsrc

MD5 ab9bc1064bf5da32ce719ec6ff325cbc
SHA1 953b6574448aea42acbc236f64743af16f337289
SHA256 b1a1adfe1079f73d6d643991340ece87aec470d8e4427caf9c71a04a1c36738e
SHA3 3c9115487a3a31820c79436a6cf7a47f50d53962887348d997bd6603d957e837
VirtualSize 0x1000
VirtualAddress 0x119000
SizeOfRawData 0x800
PointerToRawData 0x7be00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 4.34552

Imports

api-ms-win-crt-heap-l1-1-0.dll free
api-ms-win-crt-locale-l1-1-0.dll _configthreadlocale
api-ms-win-crt-math-l1-1-0.dll sin
api-ms-win-crt-runtime-l1-1-0.dll exit
api-ms-win-crt-stdio-l1-1-0.dll _set_fmode
api-ms-win-crt-time-l1-1-0.dll clock
api-ms-win-crt-utility-l1-1-0.dll abs
GDI32.dll CreateFontA
GLU32.dll gluPerspective
KERNEL32.DLL LoadLibraryA
ExitProcess
GetProcAddress
VirtualProtect
MSVCP140.dll ?_Xbad_alloc@std@@YAXXZ
OPENGL32.dll glEnd
USER32.dll GetDC
VCRUNTIME140.dll memcpy
WINMM.dll waveOutOpen

Delayed Imports

105

Type MODFILE
Language English - United States
Codepage UNKNOWN
Size 0xdee0
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 7.7953
MD5 4728fbf442c8ba70cfbba03b1c39b2cb
SHA1 3236b7de7535078e24e2965811d85541445376c6
SHA256 26cc1464d80a25346ad1822ba19abb0050270585d9be6991937eabd566f9a567
SHA3 a43ad6d84d12e1ae2953edf0eb8fbffc7568d22f3be80782eaa989634f9f1789

101

Type RAW
Language English - United States
Codepage UNKNOWN
Size 0xc000
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 7.72344
MD5 d49db82c2a595f2eec69e5b185cfd052
SHA1 1836edd470e65416ec9a80e2091b4e75b66cef74
SHA256 4a4ef30e6390babe2b2d1c1903b00f88db63ad533273d3acdcd3b6172c285e30
SHA3 1b00d78db5d1b6f8b58a9a983bb3e847e27b5aa56525cae692d57d684bd4af15

102

Type RAW
Language English - United States
Codepage UNKNOWN
Size 0x46b9c
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 7.81204
MD5 1dc017936c383820aacf2f38da9874d8
SHA1 b27a849959e3eec4a37202d6893422450ef47a09
SHA256 818090c25b23257406db4e382476865274390d87aa05c77a4b6c4844aa0c98f2
SHA3 38473641ea569e1e3fe003d0a6b3d0e5eb8a04b5e4a527bd70449bf2c4879827

103

Type RAW
Language English - United States
Codepage UNKNOWN
Size 0x5be00
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 7.81223
MD5 7e93bc9730beeaf7065fa7d2c8509ff9
SHA1 b29d7ce188c0bb2557270aa621aa20f91843ad9a
SHA256 f9db3e6b7220cf3578c258fa79d2fcbcbdc92987af5756ea0c8c8de0322cfa06
SHA3 f467e3b279be966e3449ad669ad2a0118b64ebeb5e5d3ec15a87e1140de8f3ef

104

Type RAW
Language English - United States
Codepage UNKNOWN
Size 0x43134
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 7.8158
MD5 043bf6d2bebeba19ad984f794d3eab2b
SHA1 7e2889adb45ef4d0bd88847bd82528f903373f1a
SHA256 00afed005b863efeb7b36028a27c1a6bfe8320ca0c37dcfdb3e34b3474272c09
SHA3 e6e2d97f4968224eb107483e58bbf92caed7be0fa31c622c2614a911bf996f70

1

Type RT_MANIFEST
Language English - United States
Codepage UNKNOWN
Size 0x17d
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 4.91161
MD5 1e4a89b11eae0fcf8bb5fdd5ec3b6f61
SHA1 4260284ce14278c397aaf6f389c1609b0ab0ce51
SHA256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df
SHA3 4bb9e8b5a714cae82782f3831cc2d45f4bf4a50a755fe584d2d1893129d68353

Version Info

TLS Callbacks

Load Configuration

RICH Header

Errors

[!] Error: Could not reach the TLS callback table.
[*] Warning: Section UPX0 has a size of 0!