1a30aa0f0570687ebb2d87adfe653b60

Summary

Architecture IMAGE_FILE_MACHINE_I386
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date 2013-Feb-05 04:03:07
Detected languages:
  • Chinese - PRC
  • English - United States

Plugin Output

Info Matching compiler(s):
  • Microsoft Visual Basic 5.0
  • Microsoft Visual C++ 6.0 - 8.0
  • Microsoft Visual Basic v5.0 - v6.0
  • Microsoft Visual C++
  • Microsoft Visual C++ v6.0
  • Microsoft Visual Basic v6.0
Suspicious Strings found in the binary may indicate undesirable behavior:
May have dropper capabilities:
  • CurrentVersion\Run
Miscellaneous malware strings:
  • Cmd.exe
  • cmd.exe
Malicious The file headers were tampered with:
  • Section .text is both writable and executable.
  • Section .reloc is both writable and executable.
  • The RICH header checksum is invalid.
Malicious The PE contains functions mostly used by malware.
[!] The program may be hiding some of its imports:
  • GetProcAddress
  • LoadLibraryA
Possibly launches other programs:
  • CreateProcessA
  • WinExec
  • ShellExecuteA
Can create temporary files:
  • GetTempPathA
  • CreateFileA
Has Internet access capabilities:
  • InternetOpenUrlA
  • InternetOpenA
  • InternetCloseHandle
  • InternetConnectA
  • InternetReadFile
Functions related to the privilege level:
  • OpenProcessToken
Enumerates local disk drives:
  • GetVolumeInformationA
Manipulates other processes:
  • OpenProcess
Malicious VirusTotal score: 60/68 (Scanned on 2018-04-21 11:06:28)
MicroWorld-eScan: Win32.Virtob.Gen.12.Dam
CMC: Trojan.Win32.Scar!O
CAT-QuickHeal: Trojan.Sakurel.S8447
McAfee: Trojan-FDXL!1A30AA0F0570
Malwarebytes: Trojan.Agent
Zillya: Dropper.Agent.Win32.242119
TheHacker: Trojan/Shyape.g
K7GW: Trojan ( 0040f80c1 )
K7AntiVirus: Trojan ( 0040f80c1 )
TrendMicro: BKDR_DIOFOPI.SM
Baidu: Win32.Trojan.Shyape.a
NANO-Antivirus: Trojan.Win64.Agent.cysfdn
F-Prot: W32/S-4bc2e477!Eldorado
Symantec: Trojan.Gen.MBT
TrendMicro-HouseCall: BKDR_DIOFOPI.SM
Avast: Win32:Malware-gen
ClamAV: Win.Trojan.Generic-6296810-0
GData: Win32.Trojan.Shyape.A
Kaspersky: Trojan.Win32.Scar.ojsz
BitDefender: Win32.Virtob.Gen.12.Dam
ViRobot: Trojan.Win32.Sakula.91136
AegisLab: Troj.Dropper.W32.Agent.tnrg
Tencent: Win32.Trojan.Scar.Dxwq
Ad-Aware: Win32.Virtob.Gen.12.Dam
Sophos: Troj/Kelihos-BL
Comodo: TrojWare.Win32.Shyape.GA
F-Secure: Win32.Virtob.Gen.12.Dam
DrWeb: Trojan.DownLoad3.22515
VIPRE: Trojan.Win32.Generic!BT
Invincea: heuristic
McAfee-GW-Edition: BehavesLike.Win32.Generic.dh
Emsisoft: Win32.Virtob.Gen.12.Dam (B)
Ikarus: Trojan.Win32.Scar
Cyren: W32/S-4bc2e477!Eldorado
Jiangmin: Trojan/Scar.bayz
Webroot: W32.Trojan.Gen
Avira: TR/Crypt.Xpack.jtvys
Antiy-AVL: Trojan/Win32.AGeneric
Endgame: malicious (high confidence)
Arcabit: Win32.Virtob.Gen.12.Dam
SUPERAntiSpyware: Trojan.Agent/Gen-Sakurel
ZoneAlarm: Trojan.Win32.Scar.ojsz
Microsoft: Trojan:Win32/Sakurel.B!dha
AhnLab-V3: Trojan/Win32.Scar.R160937
AVware: Trojan.Win32.Generic!BT
MAX: malware (ai score=100)
VBA32: Trojan.Scar
Cylance: Unsafe
Panda: Trj/Genetic.gen
Zoner: Trojan.Scar
ESET-NOD32: a variant of Win32/Shyape.G
Yandex: Trojan.DR.Agent!LXI5ADQxoWI
SentinelOne: static engine - malicious
eGambit: RAT.Sakula
Fortinet: W32/Shyape.G!tr
AVG: Win32:Malware-gen
Cybereason: malicious.f05706
Paloalto: generic.ml
CrowdStrike: malicious_confidence_100% (W)
Qihoo-360: Win32/Trojan.Sakurel.A

Hashes

MD5 1a30aa0f0570687ebb2d87adfe653b60
SHA1 1b1f928ebf86274189ec413f7faf1916adeacfa2
SHA256 149aebbc51682eba0f83f5e6af627b5fe391dddaec0d3fb0380eaf33ee0996ef
SHA3 58d172b7d2b92a36ece4f96b93392a478e89ebb7ef8b8d89165c9c13a01eeec3
SSDeep 3072:M29DkEGRQixVSjLwes5G30Bg7uZwOuz/xS3iGpZMhDEXzkOSUUKeF8aD:M29qRfVSndj30B3wBxE1+ijy
Imports Hash b4538adff206ee2fe33d1de16ca9b03e

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0xe0

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_I386
NumberofSections 5
TimeDateStamp 2013-Feb-05 04:03:07
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xe0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE

Image Optional Header

Magic PE32
LinkerVersion 9.0
SizeOfCode 0xdc00
SizeOfInitializedData 0x8400
SizeOfUninitializedData 0
AddressOfEntryPoint 0x0000473A (Section: .text)
BaseOfCode 0x1000
BaseOfData 0xf000
ImageBase 0x400000
SectionAlignment 0x1000
FileAlignment 0x200
OperatingSystemVersion 5.0
ImageVersion 0.0
SubsystemVersion 5.0
Win32VersionValue 0
SizeOfImage 0x20000
SizeOfHeaders 0x400
Checksum 0
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
DllCharacteristics IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
SizeofStackReserve 0x100000
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

.text

MD5 cbd3f0d638d3c4fad786bfca78e2bc44
SHA1 d960a5bbef2a524fa963a4b1e226b47f1960da4a
SHA256 37cfc031a4198740c15bcc9623772827d28d0a1cf30cfdec85c4891eeef355b6
SHA3 06067a58cf86845481917e704b6c0e986b19610148e512806a6a1040ba380dc1
VirtualSize 0xdc00
VirtualAddress 0x1000
SizeOfRawData 0xdc00
PointerToRawData 0x400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics:
  • IMAGE_SCN_CNT_CODE
  • IMAGE_SCN_MEM_EXECUTE
  • IMAGE_SCN_MEM_READ
  • IMAGE_SCN_MEM_WRITE
Entropy 6.59555

.rdata

MD5 9c9b446a02daa6409c23262139d48cb7
SHA1 f300ed7e2b5e7456aaf2f227122fe4346407e8c0
SHA256 4cda9a99d395586de83546a0344cbb4dead6b9779df2925ba5961566340ad28f
SHA3 1fb959afddea05e6856b0eab48e9d544c22787e58965d64fbd807c97a47a2425
VirtualSize 0x260e
VirtualAddress 0xf000
SizeOfRawData 0x2800
PointerToRawData 0xe000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics:
  • IMAGE_SCN_CNT_INITIALIZED_DATA
  • IMAGE_SCN_MEM_READ
Entropy 5.38393

.data

MD5 0e85cb31de1e91487f1efeeb96798d88
SHA1 0e272e318acf08ee509b8bddfec94e70e4fe7183
SHA256 f4f8bfa5b1e9340deeffe8be4cc00432991cb2a7131eefa956fb280d65d1341f
SHA3 2d05395dd2bcac27a09c842aa4ed5223ac837416de7ba264434ab613e42c2f55
VirtualSize 0x3980
VirtualAddress 0x12000
SizeOfRawData 0x1a00
PointerToRawData 0x10800
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics:
  • IMAGE_SCN_CNT_INITIALIZED_DATA
  • IMAGE_SCN_MEM_READ
  • IMAGE_SCN_MEM_WRITE
Entropy 1.80909

.rsrc

MD5 61fb2ab043e33ec214eefc8d3e2a5f91
SHA1 8bd2b04e0bda2ce7cd36a8ef3af990012593a364
SHA256 a424a224702e6bc2f8790d941752effdd52d7b21470cb0a12013cfa3d7766428
SHA3 acf9c96615f203958b2cbdd59c76ff5a8dad30193031a586c19eb372bfb7fbf4
VirtualSize 0x2c34
VirtualAddress 0x16000
SizeOfRawData 0x2e00
PointerToRawData 0x12200
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics:
  • IMAGE_SCN_CNT_INITIALIZED_DATA
  • IMAGE_SCN_MEM_READ
Entropy 3.48875

.reloc

MD5 81870026831d6c64d3745d8ff770ca56
SHA1 b5c0a1865440495e499dfcfc637f44a5fb0bd67a
SHA256 27454621f251b4109d6eae3878621975e9e1fe50dd4648be65f195cf947b73fe
SHA3 7840c6a232f180bdc476f6b752461adcc9872a8f0512001b1cdf07781e5a0405
VirtualSize 0x6400
VirtualAddress 0x19000
SizeOfRawData 0x13fe
PointerToRawData 0x15000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics:
  • IMAGE_SCN_CNT_INITIALIZED_DATA
  • IMAGE_SCN_MEM_EXECUTE
  • IMAGE_SCN_MEM_READ
  • IMAGE_SCN_MEM_WRITE
Entropy 4.73497

Imports

KERNEL32.dll:
  • GetCurrentThread
  • VirtualFree
  • ExpandEnvironmentStringsA
  • WriteFile
  • OpenProcess
  • WideCharToMultiByte
  • GetVolumeInformationA
  • Sleep
  • SizeofResource
  • CreateProcessA
  • TerminateProcess
  • ReadFile
  • GetSystemDirectoryA
  • MultiByteToWideChar
  • GetTickCount
  • CreateDirectoryA
  • GetStartupInfoA
  • FindFirstFileA
  • GetLastError
  • VirtualAlloc
  • FindClose
  • LockResource
  • CreatePipe
  • GetModuleFileNameA
  • GetVersionExA
  • WinExec
  • CloseHandle
  • GetCurrentProcessId
  • GetTempPathA
  • GetCurrentProcess
  • LoadResource
  • PeekNamedPipe
  • SetFilePointer
  • SetPriorityClass
  • FindResourceA
  • GetFileSize
  • CreateFileA
  • GetComputerNameA
  • SetThreadPriority
  • ExitProcess
  • GetProcessHeap
  • SetEndOfFile
  • GetStringTypeW
  • GetStringTypeA
  • GetModuleHandleW
  • GetProcAddress
  • HeapFree
  • HeapAlloc
  • GetSystemTimeAsFileTime
  • GetCommandLineA
  • UnhandledExceptionFilter
  • SetUnhandledExceptionFilter
  • IsDebuggerPresent
  • TlsGetValue
  • TlsAlloc
  • TlsSetValue
  • TlsFree
  • InterlockedIncrement
  • SetLastError
  • GetCurrentThreadId
  • InterlockedDecrement
  • GetStdHandle
  • DeleteCriticalSection
  • LeaveCriticalSection
  • EnterCriticalSection
  • LoadLibraryA
  • InitializeCriticalSectionAndSpinCount
  • HeapCreate
  • HeapReAlloc
  • RtlUnwind
  • GetConsoleCP
  • GetConsoleMode
  • SetHandleCount
  • GetFileType
  • FreeEnvironmentStringsA
  • GetEnvironmentStrings
  • FreeEnvironmentStringsW
  • GetEnvironmentStringsW
  • QueryPerformanceCounter
  • GetCPInfo
  • GetACP
  • GetOEMCP
  • IsValidCodePage
  • HeapSize
  • GetLocaleInfoA
  • SetStdHandle
  • WriteConsoleA
  • GetConsoleOutputCP
  • WriteConsoleW
  • FlushFileBuffers
  • LCMapStringA
  • LCMapStringW
ADVAPI32.dll:
  • RegOpenKeyA
  • GetUserNameA
  • FreeSid
  • AllocateAndInitializeSid
  • RegDeleteKeyA
  • EqualSid
  • RegSetValueExA
  • GetTokenInformation
  • OpenProcessToken
  • RegCloseKey
SHELL32.dll:
  • SHChangeNotify
  • #680 (import by ordinal)
  • ShellExecuteA
WININET.dll:
  • HttpOpenRequestA
  • InternetOpenUrlA
  • HttpSendRequestA
  • InternetOpenA
  • InternetCloseHandle
  • InternetConnectA
  • InternetReadFile

Delayed Imports

Resources

101

Type DAT
Language Chinese - PRC
Codepage Latin 1 / Western European
Size 0x1400
Entropy 2.88288
MD5 1d80af301994f9b6bf3fa2389ff125da
SHA1 71897d507912d78aa3c3f7a9eed390dba01c87ef
SHA256 38a702c28b567a748fe3d904f6ece3518d88236a9851d24e8b7e2f89c32c9a25
SHA3 b208ac27e575f8928f26ace07fc9b95556dbe327060c760c840ac7447171dcd5

102

Type DAT
Language Chinese - PRC
Codepage Latin 1 / Western European
Size 0x1600
Entropy 3.28864
MD5 11587f16f3129cad17222498eadc84f2
SHA1 4521b3193b05698fe5b4375eaf1b876d4e46515e
SHA256 2eda86a26b2c38f7f20b646052ba2ff2ddcb81db625deabeaa11960cda6bbb43
SHA3 c69f479f549cf51a9abd8d1e83c03ae9549f6d984d1899b90cb8255e98e54a7d

1

Type RT_MANIFEST
Language English - United States
Codepage Latin 1 / Western European
Size 0x15a
Entropy 4.79597
MD5 24d3b502e1846356b0263f945ddd5529
SHA1 bac45b86a9c48fc3756a46809c101570d349737d
SHA256 49a60be4b95b6d30da355a0c124af82b35000bce8f24f957d1c09ead47544a1e
SHA3 e866b0d6eb6b499c134d292a46d5fbd2b563ab64f5106fbde195c0caeaf53232

Version Info

Debug Info

IMAGE_DEBUG_TYPE_CODEVIEW

Characteristics 0
TimeDateStamp 2013-Feb-05 04:03:07
Version 0.0
SizeofData 62
AddressOfRawData 0x10690
PointerToRawData 0xf690

TLS Callbacks

Load Configuration

Size 0x48
TimeDateStamp 1970-Jan-01 00:00:00
Version 0.0
GlobalFlagsClear (EMPTY)
GlobalFlagsSet (EMPTY)
CriticalSectionDefaultTimeout 0
DeCommitFreeBlockThreshold 0
DeCommitTotalFreeThreshold 0
LockPrefixTable 0
MaximumAllocationSize 0
VirtualMemoryThreshold 0
ProcessAffinityMask 0
ProcessHeapFlags (EMPTY)
CSDVersion 0
Reserved1 0
EditList 0
SecurityCookie 0x412008
SEHandlerTable 0x4106d0
SEHandlerCount 3

RICH Header

XOR Key 0x5dac9980
Unmarked objects 0
C++ objects (VS2008 build 21022) 33
ASM objects (VS2008 build 21022) 18
C objects (VS2008 build 21022) 115
Imports (VS2012 build 50727 / VS2005 build 50727) 9
Total imports 127
138 (VS2008 build 21022) 1
Linker (VS2008 build 21022) 1
Resource objects (VS2008 build 21022) 1

Errors