1a30aa0f0570687ebb2d87adfe653b60

Summary

Architecture IMAGE_FILE_MACHINE_I386
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date 2013-Feb-05 04:03:07
Detected languages Chinese - PRC
English - United States

Plugin Output

Info Matching compiler(s): Microsoft Visual Basic 5.0
Microsoft Visual C++ 6.0 - 8.0
Microsoft Visual Basic v5.0 - v6.0
Microsoft Visual C++
Microsoft Visual C++ v6.0
Microsoft Visual Basic v6.0
Suspicious Strings found in the binary may indicate undesirable behavior: May have dropper capabilities:
  • CurrentVersion\Run
Miscellaneous malware strings:
  • Cmd.exe
  • cmd.exe
Malicious The file headers were tampered with. Section .text is both writable and executable.
Section .reloc is both writable and executable.
The RICH header checksum is invalid.
Malicious The PE contains functions mostly used by malware. [!] The program may be hiding some of its imports:
  • GetProcAddress
  • LoadLibraryA
Can access the registry:
  • RegOpenKeyA
  • RegDeleteKeyA
  • RegSetValueExA
  • RegCloseKey
Possibly launches other programs:
  • CreateProcessA
  • WinExec
  • ShellExecuteA
Can create temporary files:
  • GetTempPathA
  • CreateFileA
Has Internet access capabilities:
  • InternetOpenUrlA
  • InternetOpenA
  • InternetCloseHandle
  • InternetConnectA
  • InternetReadFile
Functions related to the privilege level:
  • OpenProcessToken
Enumerates local disk drives:
  • GetVolumeInformationA
Manipulates other processes:
  • OpenProcess
Malicious The file contains overlay data. 130050 bytes of data starting at offset 0x163fe.
The file contains a PE Executable after the PE data.
Malicious VirusTotal score: 60/68 (Scanned on 2018-04-21 11:06:28) MicroWorld-eScan: Win32.Virtob.Gen.12.Dam
CMC: Trojan.Win32.Scar!O
CAT-QuickHeal: Trojan.Sakurel.S8447
McAfee: Trojan-FDXL!1A30AA0F0570
Malwarebytes: Trojan.Agent
Zillya: Dropper.Agent.Win32.242119
TheHacker: Trojan/Shyape.g
K7GW: Trojan ( 0040f80c1 )
K7AntiVirus: Trojan ( 0040f80c1 )
TrendMicro: BKDR_DIOFOPI.SM
Baidu: Win32.Trojan.Shyape.a
NANO-Antivirus: Trojan.Win64.Agent.cysfdn
F-Prot: W32/S-4bc2e477!Eldorado
Symantec: Trojan.Gen.MBT
TrendMicro-HouseCall: BKDR_DIOFOPI.SM
Avast: Win32:Malware-gen
ClamAV: Win.Trojan.Generic-6296810-0
GData: Win32.Trojan.Shyape.A
Kaspersky: Trojan.Win32.Scar.ojsz
BitDefender: Win32.Virtob.Gen.12.Dam
ViRobot: Trojan.Win32.Sakula.91136
AegisLab: Troj.Dropper.W32.Agent.tnrg
Tencent: Win32.Trojan.Scar.Dxwq
Ad-Aware: Win32.Virtob.Gen.12.Dam
Sophos: Troj/Kelihos-BL
Comodo: TrojWare.Win32.Shyape.GA
F-Secure: Win32.Virtob.Gen.12.Dam
DrWeb: Trojan.DownLoad3.22515
VIPRE: Trojan.Win32.Generic!BT
Invincea: heuristic
McAfee-GW-Edition: BehavesLike.Win32.Generic.dh
Emsisoft: Win32.Virtob.Gen.12.Dam (B)
Ikarus: Trojan.Win32.Scar
Cyren: W32/S-4bc2e477!Eldorado
Jiangmin: Trojan/Scar.bayz
Webroot: W32.Trojan.Gen
Avira: TR/Crypt.Xpack.jtvys
Antiy-AVL: Trojan/Win32.AGeneric
Endgame: malicious (high confidence)
Arcabit: Win32.Virtob.Gen.12.Dam
SUPERAntiSpyware: Trojan.Agent/Gen-Sakurel
ZoneAlarm: Trojan.Win32.Scar.ojsz
Microsoft: Trojan:Win32/Sakurel.B!dha
AhnLab-V3: Trojan/Win32.Scar.R160937
AVware: Trojan.Win32.Generic!BT
MAX: malware (ai score=100)
VBA32: Trojan.Scar
Cylance: Unsafe
Panda: Trj/Genetic.gen
Zoner: Trojan.Scar
ESET-NOD32: a variant of Win32/Shyape.G
Yandex: Trojan.DR.Agent!LXI5ADQxoWI
SentinelOne: static engine - malicious
eGambit: RAT.Sakula
Fortinet: W32/Shyape.G!tr
AVG: Win32:Malware-gen
Cybereason: malicious.f05706
Paloalto: generic.ml
CrowdStrike: malicious_confidence_100% (W)
Qihoo-360: Win32/Trojan.Sakurel.A

Hashes

MD5 1a30aa0f0570687ebb2d87adfe653b60
SHA1 1b1f928ebf86274189ec413f7faf1916adeacfa2
SHA256 149aebbc51682eba0f83f5e6af627b5fe391dddaec0d3fb0380eaf33ee0996ef
SHA3 8e7967afc893b1692a2e61e541c1b01e4361deb3d701c45de5931d8e7c8801ba
SSDeep 3072:M29DkEGRQixVSjLwes5G30Bg7uZwOuz/xS3iGpZMhDEXzkOSUUKeF8aD:M29qRfVSndj30B3wBxE1+ijy
Imports Hash b4538adff206ee2fe33d1de16ca9b03e

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0xe0

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_I386
NumberofSections 5
TimeDateStamp 2013-Feb-05 04:03:07
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xe0
Characteristics IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE

Image Optional Header

Magic PE32
LinkerVersion 9.0
SizeOfCode 0xdc00
SizeOfInitializedData 0x8400
SizeOfUninitializedData 0
AddressOfEntryPoint 0x0000473A (Section: .text)
BaseOfCode 0x1000
BaseOfData 0xf000
ImageBase 0x400000
SectionAlignment 0x1000
FileAlignment 0x200
OperatingSystemVersion 5.0
ImageVersion 0.0
SubsystemVersion 5.0
Win32VersionValue 0
SizeOfImage 0x20000
SizeOfHeaders 0x400
Checksum 0
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
DllCharacteristics IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
SizeofStackReserve 0x100000
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

.text

MD5 cbd3f0d638d3c4fad786bfca78e2bc44
SHA1 d960a5bbef2a524fa963a4b1e226b47f1960da4a
SHA256 37cfc031a4198740c15bcc9623772827d28d0a1cf30cfdec85c4891eeef355b6
SHA3 c69fec48acb84f88d4c5288baaba5387f6f54852d07eda9c7711a55ca2ef5c50
VirtualSize 0xdc00
VirtualAddress 0x1000
SizeOfRawData 0xdc00
PointerToRawData 0x400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 6.59555

.rdata

MD5 9c9b446a02daa6409c23262139d48cb7
SHA1 f300ed7e2b5e7456aaf2f227122fe4346407e8c0
SHA256 4cda9a99d395586de83546a0344cbb4dead6b9779df2925ba5961566340ad28f
SHA3 651776730525c8f5076d266380355b569e2f1a975721d66bdc44bff8379ac762
VirtualSize 0x260e
VirtualAddress 0xf000
SizeOfRawData 0x2800
PointerToRawData 0xe000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 5.38393

.data

MD5 0e85cb31de1e91487f1efeeb96798d88
SHA1 0e272e318acf08ee509b8bddfec94e70e4fe7183
SHA256 f4f8bfa5b1e9340deeffe8be4cc00432991cb2a7131eefa956fb280d65d1341f
SHA3 f290c38cf8308b404f1c55979e1bbc2d4c79ac4189f8c1a6f87acb54c9072acf
VirtualSize 0x3980
VirtualAddress 0x12000
SizeOfRawData 0x1a00
PointerToRawData 0x10800
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 1.80909

.rsrc

MD5 61fb2ab043e33ec214eefc8d3e2a5f91
SHA1 8bd2b04e0bda2ce7cd36a8ef3af990012593a364
SHA256 a424a224702e6bc2f8790d941752effdd52d7b21470cb0a12013cfa3d7766428
SHA3 b5f97a385770ded3af10a9aa9fabec88a34905bd47941674a5f5a29dbfd0cbff
VirtualSize 0x2c34
VirtualAddress 0x16000
SizeOfRawData 0x2e00
PointerToRawData 0x12200
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 3.48875

.reloc

MD5 81870026831d6c64d3745d8ff770ca56
SHA1 b5c0a1865440495e499dfcfc637f44a5fb0bd67a
SHA256 27454621f251b4109d6eae3878621975e9e1fe50dd4648be65f195cf947b73fe
SHA3 a391d372686d31bc6bfd668309cca7060b311ea8c01dad6b7dc14d6a596eb2a3
VirtualSize 0x6400
VirtualAddress 0x19000
SizeOfRawData 0x13fe
PointerToRawData 0x15000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 4.73497

Imports

KERNEL32.dll GetCurrentThread
VirtualFree
ExpandEnvironmentStringsA
WriteFile
OpenProcess
WideCharToMultiByte
GetVolumeInformationA
Sleep
SizeofResource
CreateProcessA
TerminateProcess
ReadFile
GetSystemDirectoryA
MultiByteToWideChar
GetTickCount
CreateDirectoryA
GetStartupInfoA
FindFirstFileA
GetLastError
VirtualAlloc
FindClose
LockResource
CreatePipe
GetModuleFileNameA
GetVersionExA
WinExec
CloseHandle
GetCurrentProcessId
GetTempPathA
GetCurrentProcess
LoadResource
PeekNamedPipe
SetFilePointer
SetPriorityClass
FindResourceA
GetFileSize
CreateFileA
GetComputerNameA
SetThreadPriority
ExitProcess
GetProcessHeap
SetEndOfFile
GetStringTypeW
GetStringTypeA
GetModuleHandleW
GetProcAddress
HeapFree
HeapAlloc
GetSystemTimeAsFileTime
GetCommandLineA
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
TlsGetValue
TlsAlloc
TlsSetValue
TlsFree
InterlockedIncrement
SetLastError
GetCurrentThreadId
InterlockedDecrement
GetStdHandle
DeleteCriticalSection
LeaveCriticalSection
EnterCriticalSection
LoadLibraryA
InitializeCriticalSectionAndSpinCount
HeapCreate
HeapReAlloc
RtlUnwind
GetConsoleCP
GetConsoleMode
SetHandleCount
GetFileType
FreeEnvironmentStringsA
GetEnvironmentStrings
FreeEnvironmentStringsW
GetEnvironmentStringsW
QueryPerformanceCounter
GetCPInfo
GetACP
GetOEMCP
IsValidCodePage
HeapSize
GetLocaleInfoA
SetStdHandle
WriteConsoleA
GetConsoleOutputCP
WriteConsoleW
FlushFileBuffers
LCMapStringA
LCMapStringW
ADVAPI32.dll RegOpenKeyA
GetUserNameA
FreeSid
AllocateAndInitializeSid
RegDeleteKeyA
EqualSid
RegSetValueExA
GetTokenInformation
OpenProcessToken
RegCloseKey
SHELL32.dll SHChangeNotify
#680
ShellExecuteA
WININET.dll HttpOpenRequestA
InternetOpenUrlA
HttpSendRequestA
InternetOpenA
InternetCloseHandle
InternetConnectA
InternetReadFile

Delayed Imports

Resources

101

Type DAT
Language Chinese - PRC
Codepage Latin 1 / Western European
Size 0x1400
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 2.88288
MD5 1d80af301994f9b6bf3fa2389ff125da
SHA1 71897d507912d78aa3c3f7a9eed390dba01c87ef
SHA256 38a702c28b567a748fe3d904f6ece3518d88236a9851d24e8b7e2f89c32c9a25
SHA3 1f4e03dc19a5efd58bcd43b2102af24dc09aa6830fd5362a2af187a6c8e2aaf7

102

Type DAT
Language Chinese - PRC
Codepage Latin 1 / Western European
Size 0x1600
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 3.28864
MD5 11587f16f3129cad17222498eadc84f2
SHA1 4521b3193b05698fe5b4375eaf1b876d4e46515e
SHA256 2eda86a26b2c38f7f20b646052ba2ff2ddcb81db625deabeaa11960cda6bbb43
SHA3 5a9ff194abd745076f2297fcda5e420c9edc16e0fa96aca46327394afef80f03

1

Type RT_MANIFEST
Language English - United States
Codepage Latin 1 / Western European
Size 0x15a
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 4.79597
MD5 24d3b502e1846356b0263f945ddd5529
SHA1 bac45b86a9c48fc3756a46809c101570d349737d
SHA256 49a60be4b95b6d30da355a0c124af82b35000bce8f24f957d1c09ead47544a1e
SHA3 1244ed60820da52dc4b53880ec48e3b587dbdbd9545f01fa2b1c0fcfea1d5e9e

Version Info

Debug Info

IMAGE_DEBUG_TYPE_CODEVIEW

Characteristics 0
TimeDateStamp 2013-Feb-05 04:03:07
Version 0.0
SizeofData 62
AddressOfRawData 0x10690
PointerToRawData 0xf690

TLS Callbacks

Load Configuration

Size 0x48
TimeDateStamp 1970-Jan-01 00:00:00
Version 0.0
GlobalFlagsClear (EMPTY)
GlobalFlagsSet (EMPTY)
CriticalSectionDefaultTimeout 0
DeCommitFreeBlockThreshold 0
DeCommitTotalFreeThreshold 0
LockPrefixTable 0
MaximumAllocationSize 0
VirtualMemoryThreshold 0
ProcessAffinityMask 0
ProcessHeapFlags (EMPTY)
CSDVersion 0
Reserved1 0
EditList 0
SecurityCookie 0x412008
SEHandlerTable 0x4106d0
SEHandlerCount 3

RICH Header

XOR Key 0x5dac9980
Unmarked objects 0
C++ objects (VS2008 build 21022) 33
ASM objects (VS2008 build 21022) 18
C objects (VS2008 build 21022) 115
Imports (VS2012 build 50727 / VS2005 build 50727) 9
Total imports 127
138 (VS2008 build 21022) 1
Linker (VS2008 build 21022) 1
Resource objects (VS2008 build 21022) 1

Errors
