| Summary | Value |
|---|---|
| Architecture | IMAGE_FILE_MACHINE_I386 |
| Subsystem | IMAGE_SUBSYSTEM_WINDOWS_GUI |
| Compilation Date | 2013-Feb-05 04:03:07 |
| Detected languages | Chinese - PRC; English - United States |
| Info | Matching compiler(s): Microsoft Visual Basic 5.0; Microsoft Visual C++ 6.0 - 8.0; Microsoft Visual Basic v5.0 - v6.0; Microsoft Visual C++; Microsoft Visual C++ v6.0; Microsoft Visual Basic v6.0 |
| Suspicious | Strings found in the binary may indicate undesirable behavior. May have dropper capabilities: |
| Malicious | The file headers were tampered with: section .text is both writable and executable; section .reloc is both writable and executable; the RICH header checksum is invalid. |
| Malicious | The PE contains functions mostly used by malware. [!] The program may be hiding some of its imports: |
| Malicious | The file contains overlay data: 130050 bytes of data starting at offset 0x163fe. The file contains a PE executable after the PE data. |
| Malicious | VirusTotal score: 60/68 (scanned on 2018-04-21 11:06:28); per-engine results below |

| Engine | Detection |
|---|---|
| MicroWorld-eScan | Win32.Virtob.Gen.12.Dam |
| CMC | Trojan.Win32.Scar!O |
| CAT-QuickHeal | Trojan.Sakurel.S8447 |
| McAfee | Trojan-FDXL!1A30AA0F0570 |
| Malwarebytes | Trojan.Agent |
| Zillya | Dropper.Agent.Win32.242119 |
| TheHacker | Trojan/Shyape.g |
| K7GW | Trojan ( 0040f80c1 ) |
| K7AntiVirus | Trojan ( 0040f80c1 ) |
| TrendMicro | BKDR_DIOFOPI.SM |
| Baidu | Win32.Trojan.Shyape.a |
| NANO-Antivirus | Trojan.Win64.Agent.cysfdn |
| F-Prot | W32/S-4bc2e477!Eldorado |
| Symantec | Trojan.Gen.MBT |
| TrendMicro-HouseCall | BKDR_DIOFOPI.SM |
| Avast | Win32:Malware-gen |
| ClamAV | Win.Trojan.Generic-6296810-0 |
| GData | Win32.Trojan.Shyape.A |
| Kaspersky | Trojan.Win32.Scar.ojsz |
| BitDefender | Win32.Virtob.Gen.12.Dam |
| ViRobot | Trojan.Win32.Sakula.91136 |
| AegisLab | Troj.Dropper.W32.Agent.tnrg |
| Tencent | Win32.Trojan.Scar.Dxwq |
| Ad-Aware | Win32.Virtob.Gen.12.Dam |
| Sophos | Troj/Kelihos-BL |
| Comodo | TrojWare.Win32.Shyape.GA |
| F-Secure | Win32.Virtob.Gen.12.Dam |
| DrWeb | Trojan.DownLoad3.22515 |
| VIPRE | Trojan.Win32.Generic!BT |
| Invincea | heuristic |
| McAfee-GW-Edition | BehavesLike.Win32.Generic.dh |
| Emsisoft | Win32.Virtob.Gen.12.Dam (B) |
| Ikarus | Trojan.Win32.Scar |
| Cyren | W32/S-4bc2e477!Eldorado |
| Jiangmin | Trojan/Scar.bayz |
| Webroot | W32.Trojan.Gen |
| Avira | TR/Crypt.Xpack.jtvys |
| Antiy-AVL | Trojan/Win32.AGeneric |
| Endgame | malicious (high confidence) |
| Arcabit | Win32.Virtob.Gen.12.Dam |
| SUPERAntiSpyware | Trojan.Agent/Gen-Sakurel |
| ZoneAlarm | Trojan.Win32.Scar.ojsz |
| Microsoft | Trojan:Win32/Sakurel.B!dha |
| AhnLab-V3 | Trojan/Win32.Scar.R160937 |
| AVware | Trojan.Win32.Generic!BT |
| MAX | malware (ai score=100) |
| VBA32 | Trojan.Scar |
| Cylance | Unsafe |
| Panda | Trj/Genetic.gen |
| Zoner | Trojan.Scar |
| ESET-NOD32 | a variant of Win32/Shyape.G |
| Yandex | Trojan.DR.Agent!LXI5ADQxoWI |
| SentinelOne | static engine - malicious |
| eGambit | RAT.Sakula |
| Fortinet | W32/Shyape.G!tr |
| AVG | Win32:Malware-gen |
| Cybereason | malicious.f05706 |
| Paloalto | generic.ml |
| CrowdStrike | malicious_confidence_100% (W) |
| Qihoo-360 | Win32/Trojan.Sakurel.A |
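Three of the header findings in the summary (sections that are both writable and executable, overlay data after the last section, and a second PE image inside that overlay) are cheap to reproduce from the section table alone. The block below is an added example, not manalyzer's code and not anything taken from the sample: it assembles a small PE32 in memory (every field value is synthetic) and runs the three checks on it. `struct` is used instead of `pefile` so the offsets being read are visible.

```python
"""Added example (not manalyzer's code): the checks behind three findings in
the summary table above. The PE is constructed in memory so this runs offline;
every value in it is synthetic."""
import struct

IMAGE_SCN_CNT_CODE    = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ    = 0x40000000
IMAGE_SCN_MEM_WRITE   = 0x80000000
FILE_ALIGN = 0x200


def _align(n, a=FILE_ALIGN):
    return (n + a - 1) // a * a


def build_pe(sections, overlay=b""):
    """Assemble a minimal PE32: DOS header, PE signature, file header, a zeroed
    0xE0-byte optional header, section table, raw section data, then `overlay`.
    `sections` is a list of (name_bytes, characteristics, body_bytes)."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                        # e_lfanew
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                          # PE32 magic
    size_of_headers = _align(0x40 + 4 + len(file_hdr) + len(opt) + 40 * len(sections))
    table, raw, ptr, rva = b"", b"", size_of_headers, 0x1000
    for name, chars, body in sections:
        raw_size = _align(len(body))
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(body), rva,
                             raw_size, ptr, 0, 0, 0, 0, chars)
        raw += body.ljust(raw_size, b"\0")
        ptr, rva = ptr + raw_size, rva + 0x1000
    headers = (bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + table).ljust(size_of_headers, b"\0")
    return headers + raw + overlay


def parse_sections(data):
    """Section headers of a PE as dicts; raises on a missing MZ/PE signature."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsect = struct.unpack_from("<H", data, e_lfanew + 6)[0]       # NumberOfSections
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]   # SizeOfOptionalHeader
    table = e_lfanew + 24 + opt_size                               # first IMAGE_SECTION_HEADER
    out = []
    for i in range(nsect):
        name, vsize, va, rsize, rptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", data, table + 40 * i)
        out.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                    "va": va, "vsize": vsize, "raw_ptr": rptr, "raw_size": rsize,
                    "chars": chars})
    return out


def wx_sections(data):
    """Names of sections whose Characteristics carry both MEM_WRITE and MEM_EXECUTE."""
    return [s["name"] for s in parse_sections(data)
            if s["chars"] & IMAGE_SCN_MEM_WRITE and s["chars"] & IMAGE_SCN_MEM_EXECUTE]


def overlay(data):
    """(offset, size) of the bytes after the last section's raw data; size 0 if none."""
    end = max(s["raw_ptr"] + s["raw_size"] for s in parse_sections(data))
    return end, max(len(data) - end, 0)


def find_embedded_pe(data, start):
    """Offset of the first plausible MZ/PE image at or after `start`, else None.
    Plausible: 'MZ' at the candidate, e_lfanew inside the remaining bytes, and
    'PE\\0\\0' at that position."""
    pos = data.find(b"MZ", start)
    while pos != -1:
        if pos + 0x40 <= len(data):
            lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            if pos + lfanew + 4 <= len(data) and data[pos + lfanew:pos + lfanew + 4] == b"PE\0\0":
                return pos
        pos = data.find(b"MZ", pos + 1)
    return None


# Constructed sample: a .text section flagged RWX (as the report says of the real
# file) and an overlay holding a second minimal PE, preceded by 32 bytes of junk.
INNER = build_pe([(b".text", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ, b"\xC3")])
SAMPLE = build_pe(
    [(b".text", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE, b"\xC3" * 16),
     (b".rdata", IMAGE_SCN_MEM_READ, b"\0" * 16)],
    overlay=b"JUNK" * 8 + INNER)

if __name__ == "__main__":
    print("W+X sections:", wx_sections(SAMPLE))
    off, size = overlay(SAMPLE)
    print(f"overlay: {size} bytes at offset {off:#x}")
    print("embedded PE at:", hex(find_embedded_pe(SAMPLE, off)))
```

On the real file, `overlay()` is the computation behind the "130050 bytes of data starting at offset 0x163fe" line and `find_embedded_pe(data, off)` is the check behind "a PE executable after the PE data"; `data[pos:]` from the returned offset is the carve to hand to a second analysis. A writable `.text` is not something the VS2008 linker emits by default, which is why the report treats it as header tampering; code that decrypts or patches itself in place is the usual reason for it.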
| DOS header | Value |
|---|---|
| e_magic | MZ |
| e_cblp | 0x90 |
| e_cp | 0x3 |
| e_crlc | 0 |
| e_cparhdr | 0x4 |
| e_minalloc | 0 |
| e_maxalloc | 0xffff |
| e_ss | 0 |
| e_sp | 0xb8 |
| e_csum | 0 |
| e_ip | 0 |
| e_cs | 0 |
| e_ovno | 0 |
| e_oemid | 0 |
| e_oeminfo | 0 |
| e_lfanew | 0xe0 |
| PE file header | Value |
|---|---|
| Signature | PE |
| Machine | IMAGE_FILE_MACHINE_I386 |
| NumberofSections | 5 |
| TimeDateStamp | 2013-Feb-05 04:03:07 |
| PointerToSymbolTable | 0 |
| NumberOfSymbols | 0 |
| SizeOfOptionalHeader | 0xe0 |
| Characteristics | IMAGE_FILE_32BIT_MACHINE, IMAGE_FILE_EXECUTABLE_IMAGE |
| Optional header | Value |
|---|---|
| Magic | PE32 |
| LinkerVersion | 9.0 |
| SizeOfCode | 0xdc00 |
| SizeOfInitializedData | 0x8400 |
| SizeOfUninitializedData | 0 |
| AddressOfEntryPoint | 0x0000473A (Section: .text) |
| BaseOfCode | 0x1000 |
| BaseOfData | 0xf000 |
| ImageBase | 0x400000 |
| SectionAlignment | 0x1000 |
| FileAlignment | 0x200 |
| OperatingSystemVersion | 5.0 |
| ImageVersion | 0.0 |
| SubsystemVersion | 5.0 |
| Win32VersionValue | 0 |
| SizeOfImage | 0x20000 |
| SizeOfHeaders | 0x400 |
| Checksum | 0 |
| Subsystem | IMAGE_SUBSYSTEM_WINDOWS_GUI |
| DllCharacteristics | IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE |
| SizeofStackReserve | 0x100000 |
| SizeofStackCommit | 0x1000 |
| SizeofHeapReserve | 0x100000 |
| SizeofHeapCommit | 0x1000 |
| LoaderFlags | 0 |
| NumberOfRvaAndSizes | 16 |
| Import | Functions |
|---|---|
| KERNEL32.dll | GetCurrentThread, VirtualFree, ExpandEnvironmentStringsA, WriteFile, OpenProcess, WideCharToMultiByte, GetVolumeInformationA, Sleep, SizeofResource, CreateProcessA, TerminateProcess, ReadFile, GetSystemDirectoryA, MultiByteToWideChar, GetTickCount, CreateDirectoryA, GetStartupInfoA, FindFirstFileA, GetLastError, VirtualAlloc, FindClose, LockResource, CreatePipe, GetModuleFileNameA, GetVersionExA, WinExec, CloseHandle, GetCurrentProcessId, GetTempPathA, GetCurrentProcess, LoadResource, PeekNamedPipe, SetFilePointer, SetPriorityClass, FindResourceA, GetFileSize, CreateFileA, GetComputerNameA, SetThreadPriority, ExitProcess, GetProcessHeap, SetEndOfFile, GetStringTypeW, GetStringTypeA, GetModuleHandleW, GetProcAddress, HeapFree, HeapAlloc, GetSystemTimeAsFileTime, GetCommandLineA, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, InterlockedIncrement, SetLastError, GetCurrentThreadId, InterlockedDecrement, GetStdHandle, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, LoadLibraryA, InitializeCriticalSectionAndSpinCount, HeapCreate, HeapReAlloc, RtlUnwind, GetConsoleCP, GetConsoleMode, SetHandleCount, GetFileType, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, GetEnvironmentStringsW, QueryPerformanceCounter, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, HeapSize, GetLocaleInfoA, SetStdHandle, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, FlushFileBuffers, LCMapStringA, LCMapStringW |
| ADVAPI32.dll | RegOpenKeyA, GetUserNameA, FreeSid, AllocateAndInitializeSid, RegDeleteKeyA, EqualSid, RegSetValueExA, GetTokenInformation, OpenProcessToken, RegCloseKey |
| SHELL32.dll | SHChangeNotify, #680 (imported by ordinal; 680 is the SHELL32 ordinal of IsUserAnAdmin, which fits the OpenProcessToken / GetTokenInformation / AllocateAndInitializeSid / EqualSid group above), ShellExecuteA |
| WININET.dll | HttpOpenRequestA, InternetOpenUrlA, HttpSendRequestA, InternetOpenA, InternetCloseHandle, InternetConnectA, InternetReadFile |
| Debug directory | Value |
|---|---|
| Characteristics | 0 |
| TimeDateStamp | 2013-Feb-05 04:03:07 |
| Version | 0.0 |
| SizeofData | 62 |
| AddressOfRawData | 0x10690 |
| PointerToRawData | 0xf690 |
---|---|
TimeDateStamp | 1970-Jan-01 00:00:00 |
Version | 0.0 |
GlobalFlagsClear | (EMPTY) |
GlobalFlagsSet | (EMPTY) |
CriticalSectionDefaultTimeout | 0 |
DeCommitFreeBlockThreshold | 0 |
DeCommitTotalFreeThreshold | 0 |
LockPrefixTable | 0 |
MaximumAllocationSize | 0 |
VirtualMemoryThreshold | 0 |
ProcessAffinityMask | 0 |
ProcessHeapFlags | (EMPTY) |
CSDVersion | 0 |
Reserved1 | 0 |
EditList | 0 |
SecurityCookie | 0x412008 |
SEHandlerTable | 0x4106d0 |
SEHandlerCount | 3 |
| RICH header entry | Value |
|---|---|
| XOR Key | 0x5dac9980 |
| Unmarked objects | 0 |
| C++ objects (VS2008 build 21022) | 33 |
| ASM objects (VS2008 build 21022) | 18 |
| C objects (VS2008 build 21022) | 115 |
| Imports (VS2012 build 50727 / VS2005 build 50727) | 9 |
| Total imports | 127 |
| 138 (VS2008 build 21022) | 1 |
| Linker (VS2008 build 21022) | 1 |
| Resource objects (VS2008 build 21022) | 1 |
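The entries above are decoded with the XOR key 0x5dac9980, and the summary flags the RICH header checksum as invalid. The key the linker stores is itself the checksum: the Rich header's file offset, plus every DOS header and stub byte before it rotated left by its position (the e_lfanew field at 0x3C is skipped), plus each compid rotated by its count. A mismatch therefore means the DOS stub or the entries were changed after linking, or the header was transplanted from another binary; on its own it is not proof of malice, but it does back the "headers tampered with" verdict. Note also that LinkerVersion 9.0 in the optional header and build 21022 here both point at Visual Studio 2008, which is firmer evidence of the toolchain than the string-signature matches listed under Info in the summary. The block below is an added example, not manalyzer's code: it builds a DOS stub with a correctly keyed Rich header, verifies it, then flips one stub byte and shows the check failing. The prodid numbers in the constructed entries are placeholders, and mapping a prodid to a tool name needs a lookup table not reproduced here.

```python
"""Added example (not manalyzer's code): verify and decode a Rich header.
The DOS stub and Rich header are constructed here so it runs offline; the
prodid values are placeholders, not a claim about which tool each one names."""
import struct


def rol32(x, n):
    n &= 0x1F
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF if n else x & 0xFFFFFFFF


def u32(b):
    return struct.unpack("<I", b)[0]


DANS = u32(b"DanS")


def rich_checksum(data, entries, rich_offset):
    """The key the linker stores: the Rich header offset, plus every DOS header and
    stub byte before it rotated by its position (e_lfanew at 0x3C..0x3F skipped),
    plus each compid rotated by its count, all mod 2**32."""
    cksum = rich_offset
    for i in range(rich_offset):
        if 0x3C <= i < 0x40:
            continue
        cksum = (cksum + rol32(data[i], i)) & 0xFFFFFFFF
    for compid, count in entries:
        cksum = (cksum + rol32(compid, count)) & 0xFFFFFFFF
    return cksum


def parse_rich(data):
    """Return (rich_offset, key, [(compid, count), ...]) or None if absent.
    The header is located from its plaintext 'Rich' + key trailer and walked
    back one dword at a time to the key-XORed 'DanS' marker."""
    e_lfanew = u32(data[0x3C:0x40])
    end = data.rfind(b"Rich", 0, e_lfanew)
    if end < 0:
        return None
    key = u32(data[end + 4:end + 8])
    pos = end - 4
    while pos >= 0 and (u32(data[pos:pos + 4]) ^ key) != DANS:
        pos -= 4
    if pos < 0:
        return None
    body = data[pos + 16:end]                      # skip DanS and three padding dwords
    entries = [(u32(body[i:i + 4]) ^ key, u32(body[i + 4:i + 8]) ^ key)
               for i in range(0, len(body), 8)]
    return pos, key, entries


def verify_rich(data):
    """True if the stored key equals the recomputed checksum, False if not,
    None if there is no Rich header."""
    parsed = parse_rich(data)
    if parsed is None:
        return None
    offset, key, entries = parsed
    return rich_checksum(data, entries, offset) == key


def decode_entries(entries):
    """compid packs the tool id in the high word and its build number in the low word."""
    return [{"prodid": c >> 16, "build": c & 0xFFFF, "count": n} for c, n in entries]


def build_stub_with_rich(entries, rich_offset=0x80, e_lfanew=0xE0):
    """DOS header + stub followed by a correctly keyed Rich header, padded to e_lfanew."""
    hdr = bytearray(rich_offset)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)
    stub = b"This program cannot be run in DOS mode.\r\r\n$"
    hdr[0x40:0x40 + len(stub)] = stub
    key = rich_checksum(hdr, entries, rich_offset)
    rich = struct.pack("<I", DANS ^ key) + struct.pack("<I", key) * 3   # DanS, 3 x (0 ^ key)
    for compid, count in entries:
        rich += struct.pack("<II", compid ^ key, count ^ key)
    rich += b"Rich" + struct.pack("<I", key)
    return (bytes(hdr) + rich).ljust(e_lfanew, b"\0")


# Constructed entries mirroring the counts in the table above (build 21022 is the
# VS2008 RTM build number); the prodid numbers are placeholders.
ENTRIES = [(0x0083 << 16 | 21022, 115), (0x0084 << 16 | 21022, 33),
           (0x0094 << 16 | 21022, 18), (0x0091 << 16 | 21022, 1)]
SAMPLE = build_stub_with_rich(ENTRIES)
TAMPERED = bytearray(SAMPLE)
TAMPERED[0x4E] ^= 0x20          # one byte of the stub text changed after linking
TAMPERED = bytes(TAMPERED)

if __name__ == "__main__":
    off, key, entries = parse_rich(SAMPLE)
    print(f"Rich header at {off:#x}, key {key:#010x}, valid={verify_rich(SAMPLE)}")
    for e in decode_entries(entries):
        print(f"  prodid {e['prodid']:#06x} build {e['build']} count {e['count']}")
    print("after editing the DOS stub: valid =", verify_rich(TAMPERED))
```

To reproduce the report's finding, pass the first e_lfanew bytes of the real file to `verify_rich`; `parse_rich` will still return the key 0x5dac9980 and the entry list, and the recomputed checksum will not equal it.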