1bf32d0a1f35cc92c1bb7cd029867423

Summary

Architecture IMAGE_FILE_MACHINE_I386
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date 2004-Mar-20 06:38:50

Plugin Output

Info Matching compiler(s): Microsoft Visual C++
Suspicious Strings found in the binary may indicate undesirable behavior:
May have dropper capabilities:
  • CurrentVersion\Run
Suspicious The PE is possibly packed. Section .text is both writable and executable.
Suspicious The PE contains functions most legitimate programs don't use.
[!] The program may be hiding some of its imports:
  • GetProcAddress
  • LoadLibraryA
Can access the registry:
  • RegSetValueExA
  • RegCloseKey
  • RegOpenKeyExA
Enumerates local disk drives:
  • GetVolumeInformationA
Manipulates other processes:
  • OpenProcess
Malicious VirusTotal score: 50/67 (Scanned on 2019-08-19 09:15:42)
MicroWorld-eScan: Gen:Win32.Malware.ciW@aq4YCBl
FireEye: Gen:Win32.Malware.ciW@aq4YCBl
McAfee: W32/Decon.worm
Cylance: Unsafe
K7AntiVirus: Virus ( 00492a7e1 )
Alibaba: Virus:Win32/Decon.39657475
K7GW: Virus ( 00492a7e1 )
Cybereason: malicious.a1f35c
TrendMicro: TROJ_GEN.R002C0CCC19
F-Prot: W32/Heuristic-119!Eldorado
Symantec: W32.SillyFDC
APEX: Malicious
Avast: Win32:Decon
Kaspersky: Virus.Win32.HLLW.Decon.a
BitDefender: Gen:Win32.Malware.ciW@aq4YCBl
NANO-Antivirus: Virus.Win32.HLLW.gjko
Paloalto: generic.ml
Emsisoft: Gen:Win32.Malware.ciW@aq4YCBl (B)
Comodo: Win32.HLLW.Decon.A@1whe
DrWeb: Win32.HLLW.Decon
Zillya: Virus.Decon.Win32.1
McAfee-GW-Edition: W32/Decon.worm
CMC: Generic.Win32.1bf32d0a1f!CMCRadar
Sophos: W32/Decon-A
SentinelOne: DFI - Suspicious PE
Cyren: W32/Heuristic-119!Eldorado
Jiangmin: Trojan/HLLW.ad
Webroot: Worm:Win32/Decon.A
Avira: TR/Crypt.XPACK.Gen
Fortinet: W32/HLLWDecon.A!worm
Antiy-AVL: Virus/Win32.Decon
Arcabit: Gen:Win32.Malware.E71C81
AegisLab: Virus.Win32.HLLW.n!c
ZoneAlarm: Virus.Win32.HLLW.Decon.a
Microsoft: Worm:Win32/Decon.A
ALYac: Gen:Win32.Malware.ciW@aq4YCBl
MAX: malware (ai score=99)
VBA32: BScope.Trojan.Agent
ESET-NOD32: Win32/HLLW.Decon.A
TrendMicro-HouseCall: TROJ_GEN.R002C0CCC19
Rising: Win32.HLLW.Decon.a (CLASSIC)
Yandex: Win32.HLLW.Decon.A
Ikarus: Worm.Win32.Decon
eGambit: Generic.Malware
GData: Gen:Win32.Malware.ciW@aq4YCBl
Ad-Aware: Gen:Win32.Malware.ciW@aq4YCBl
AVG: Win32:Decon
Panda: W32/Decon.A.worm
CrowdStrike: win/malicious_confidence_90% (W)
Qihoo-360: Malware.Radar01.Gen

Hashes

MD5 1bf32d0a1f35cc92c1bb7cd029867423
SHA1 cc33dff8641f6b724396691dc0f2aaf5a0cc5d5b
SHA256 f184244369966918978cb4cbae5bf072daa0eed43b622e6035228843a8fd6bbf
SHA3 fc4f07ff1d94422068eacf1d0d80be395e98eabc4ef0adf3f7017ef3a8441961
SSDeep 768:Xt99T5s9xGBK+y/ob9HKC7SVJnclm6zp//OyyRK/c9w8o:Xn9T5sGB1y/ob9qCYJncg6wZRamlo
Imports Hash 3d3aad89f3674c92a3dbf23c2518bfd1

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0xe0

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_I386
NumberofSections 2
TimeDateStamp 2004-Mar-20 06:38:50
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xe0
Characteristics IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_RELOCS_STRIPPED

Image Optional Header

Magic PE32
LinkerVersion 6.0
SizeOfCode 0xa200
SizeOfInitializedData 0x2000
SizeOfUninitializedData 0
AddressOfEntryPoint 0x00002690 (Section: .text)
BaseOfCode 0x1000
BaseOfData 0xc000
ImageBase 0x400000
SectionAlignment 0x1000
FileAlignment 0x200
OperatingSystemVersion 4.0
ImageVersion 0.0
SubsystemVersion 4.0
Win32VersionValue 0
SizeOfImage 0xe000
SizeOfHeaders 0x400
Checksum 0
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
SizeofStackReserve 0x100000
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

.text

MD5 bdd3f17e8724fa967d047407c8590d3e
SHA1 0fa07352ca570cd405032455fa1b5cb48008074d
SHA256 4e9b643605f4a40095e253ff00679bb571f595e0d2610c62d3f650e6706b046f
SHA3 99dfd1216ce894b04f74aff5035f7c2c440b61321a7cb03f354c4ad5fb2435e9
VirtualSize 0xa11c
VirtualAddress 0x1000
SizeOfRawData 0xa200
PointerToRawData 0x400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_LOCKED
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 6.44376

.data

MD5 c06eccfdffbbbf161d26c6ea8d967ba3
SHA1 75c3aa1916bd446090e7e4773303536bccfe138d
SHA256 6d8a0ec3c11deea32e517cb9259e46295957e3717b6fa6d45503fe246a828f95
SHA3 b52d0bb10d33aff21d74072eb29e039731870c2f56c8ccc799000ee202ae9912
VirtualSize 0x1e84
VirtualAddress 0xc000
SizeOfRawData 0xa00
PointerToRawData 0xa600
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 2.01961

Imports

KERNEL32.dll
GetVolumeInformationA
SetErrorMode
Sleep
SetFileAttributesA
CopyFileA
GetWindowsDirectoryA
GetCurrentProcessId
SetStdHandle
SetFilePointer
LCMapStringW
LCMapStringA
GetStringTypeW
GetStringTypeA
OpenProcess
TerminateProcess
GetModuleFileNameA
CloseHandle
GetModuleHandleA
GetStartupInfoA
GetCommandLineA
GetVersion
ExitProcess
DebugBreak
GetStdHandle
WriteFile
InterlockedDecrement
OutputDebugStringA
GetProcAddress
LoadLibraryA
InterlockedIncrement
IsBadWritePtr
IsBadReadPtr
HeapValidate
GetCurrentProcess
UnhandledExceptionFilter
FreeEnvironmentStringsA
FreeEnvironmentStringsW
WideCharToMultiByte
GetEnvironmentStrings
GetEnvironmentStringsW
SetHandleCount
GetFileType
HeapDestroy
HeapCreate
HeapFree
VirtualFree
RtlUnwind
GetLastError
HeapAlloc
HeapReAlloc
VirtualAlloc
GetCPInfo
GetACP
GetOEMCP
MultiByteToWideChar
FlushFileBuffers
USER32.dll
MessageBoxA
EnumWindows
GetWindowTextA
GetWindowThreadProcessId
PeekMessageA
ADVAPI32.dll
RegSetValueExA
RegCloseKey
RegOpenKeyExA

Delayed Imports

Version Info

TLS Callbacks

Load Configuration

RICH Header

XOR Key 0x13b3268b
Unmarked objects 0
C++ objects (VS98 build 8168) 3
14 (7299) 14
C objects (VS98 build 8168) 54
19 (8034) 7
Total imports 65
C++ objects (VS98 build 8168) (#2) 2

Errors
