Category | Finding | Details
---|---|---
Architecture | IMAGE_FILE_MACHINE_I386 |
Subsystem | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date | 2004-Mar-20 06:38:50 |
Info | Matching compiler(s): | Microsoft Visual C++
Suspicious | Strings found in the binary may indicate undesirable behavior: | May have dropper capabilities:
Suspicious | The PE is possibly packed. | Section .text is both writable and executable.
Suspicious | The PE contains functions most legitimate programs don't use. | [!] The program may be hiding some of its imports:
Malicious | VirusTotal score: 50/67 (Scanned on 2019-08-19 09:15:42) | Per-engine detections listed below

Engine | Detection
---|---
MicroWorld-eScan | Gen:Win32.Malware.ciW@aq4YCBl
FireEye | Gen:Win32.Malware.ciW@aq4YCBl
McAfee | W32/Decon.worm
Cylance | Unsafe
K7AntiVirus | Virus ( 00492a7e1 )
Alibaba | Virus:Win32/Decon.39657475
K7GW | Virus ( 00492a7e1 )
Cybereason | malicious.a1f35c
TrendMicro | TROJ_GEN.R002C0CCC19
F-Prot | W32/Heuristic-119!Eldorado
Symantec | W32.SillyFDC
APEX | Malicious
Avast | Win32:Decon
Kaspersky | Virus.Win32.HLLW.Decon.a
BitDefender | Gen:Win32.Malware.ciW@aq4YCBl
NANO-Antivirus | Virus.Win32.HLLW.gjko
Paloalto | generic.ml
Emsisoft | Gen:Win32.Malware.ciW@aq4YCBl (B)
Comodo | Win32.HLLW.Decon.A@1whe
DrWeb | Win32.HLLW.Decon
Zillya | Virus.Decon.Win32.1
McAfee-GW-Edition | W32/Decon.worm
CMC | Generic.Win32.1bf32d0a1f!CMCRadar
Sophos | W32/Decon-A
SentinelOne | DFI - Suspicious PE
Cyren | W32/Heuristic-119!Eldorado
Jiangmin | Trojan/HLLW.ad
Webroot | Worm:Win32/Decon.A
Avira | TR/Crypt.XPACK.Gen
Fortinet | W32/HLLWDecon.A!worm
Antiy-AVL | Virus/Win32.Decon
Arcabit | Gen:Win32.Malware.E71C81
AegisLab | Virus.Win32.HLLW.n!c
ZoneAlarm | Virus.Win32.HLLW.Decon.a
Microsoft | Worm:Win32/Decon.A
ALYac | Gen:Win32.Malware.ciW@aq4YCBl
MAX | malware (ai score=99)
VBA32 | BScope.Trojan.Agent
ESET-NOD32 | Win32/HLLW.Decon.A
TrendMicro-HouseCall | TROJ_GEN.R002C0CCC19
Rising | Win32.HLLW.Decon.a (CLASSIC)
Yandex | Win32.HLLW.Decon.A
Ikarus | Worm.Win32.Decon
eGambit | Generic.Malware
GData | Gen:Win32.Malware.ciW@aq4YCBl
Ad-Aware | Gen:Win32.Malware.ciW@aq4YCBl
AVG | Win32:Decon
Panda | W32/Decon.A.worm
CrowdStrike | win/malicious_confidence_90% (W)
Qihoo-360 | Malware.Radar01.Gen
DOS header field | Value
---|---
e_magic | MZ
e_cblp | 0x90
e_cp | 0x3
e_crlc | 0
e_cparhdr | 0x4
e_minalloc | 0
e_maxalloc | 0xffff
e_ss | 0
e_sp | 0xb8
e_csum | 0
e_ip | 0
e_cs | 0
e_ovno | 0
e_oemid | 0
e_oeminfo | 0
e_lfanew | 0xe0
PE header field | Value
---|---
Signature | PE
Machine | IMAGE_FILE_MACHINE_I386
NumberofSections | 2
TimeDateStamp | 2004-Mar-20 06:38:50
PointerToSymbolTable | 0
NumberOfSymbols | 0
SizeOfOptionalHeader | 0xe0
Characteristics | IMAGE_FILE_32BIT_MACHINE, IMAGE_FILE_EXECUTABLE_IMAGE, IMAGE_FILE_LINE_NUMS_STRIPPED, IMAGE_FILE_LOCAL_SYMS_STRIPPED, IMAGE_FILE_RELOCS_STRIPPED
Optional header field | Value
---|---
Magic | PE32
LinkerVersion | 6.0
SizeOfCode | 0xa200
SizeOfInitializedData | 0x2000
SizeOfUninitializedData | 0
AddressOfEntryPoint | 0x00002690 (Section: .text)
BaseOfCode | 0x1000
BaseOfData | 0xc000
ImageBase | 0x400000
SectionAlignment | 0x1000
FileAlignment | 0x200
OperatingSystemVersion | 4.0
ImageVersion | 0.0
SubsystemVersion | 4.0
Win32VersionValue | 0
SizeOfImage | 0xe000
SizeOfHeaders | 0x400
Checksum | 0
Subsystem | IMAGE_SUBSYSTEM_WINDOWS_GUI
SizeofStackReserve | 0x100000
SizeofStackCommit | 0x1000
SizeofHeapReserve | 0x100000
SizeofHeapCommit | 0x1000
LoaderFlags | 0
NumberOfRvaAndSizes | 16
Imported DLL | Imported functions
---|---
KERNEL32.dll | GetVolumeInformationA, SetErrorMode, Sleep, SetFileAttributesA, CopyFileA, GetWindowsDirectoryA, GetCurrentProcessId, SetStdHandle, SetFilePointer, LCMapStringW, LCMapStringA, GetStringTypeW, GetStringTypeA, OpenProcess, TerminateProcess, GetModuleFileNameA, CloseHandle, GetModuleHandleA, GetStartupInfoA, GetCommandLineA, GetVersion, ExitProcess, DebugBreak, GetStdHandle, WriteFile, InterlockedDecrement, OutputDebugStringA, GetProcAddress, LoadLibraryA, InterlockedIncrement, IsBadWritePtr, IsBadReadPtr, HeapValidate, GetCurrentProcess, UnhandledExceptionFilter, FreeEnvironmentStringsA, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStrings, GetEnvironmentStringsW, SetHandleCount, GetFileType, HeapDestroy, HeapCreate, HeapFree, VirtualFree, RtlUnwind, GetLastError, HeapAlloc, HeapReAlloc, VirtualAlloc, GetCPInfo, GetACP, GetOEMCP, MultiByteToWideChar, FlushFileBuffers
USER32.dll | MessageBoxA, EnumWindows, GetWindowTextA, GetWindowThreadProcessId, PeekMessageA
ADVAPI32.dll | RegSetValueExA, RegCloseKey, RegOpenKeyExA
Rich header entry | Value
---|---
XOR Key | 0x13b3268b
Unmarked objects | 0
C++ objects (VS98 build 8168) | 3
14 (7299) | 14
C objects (VS98 build 8168) | 54
19 (8034) | 7
Total imports | 65
C++ objects (VS98 build 8168) (#2) | 2