1bf32d0a1f35cc92c1bb7cd029867423

Summary

Architecture IMAGE_FILE_MACHINE_I386
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date 2004-Mar-20 06:38:50

Plugin Output

Info Matching compiler(s): Microsoft Visual C++
Suspicious Strings found in the binary may indicate undesirable behavior:
  May have dropper capabilities:
  • CurrentVersion\Run
Suspicious The PE is possibly packed. Section .text is both writable and executable.
Suspicious The PE contains functions most legitimate programs don't use.
  [!] The program may be hiding some of its imports:
  • GetProcAddress
  • LoadLibraryA
  Enumerates local disk drives:
  • GetVolumeInformationA
  Manipulates other processes:
  • OpenProcess
Malicious VirusTotal score: 42/58 (Scanned on 2016-12-29 09:28:52)
MicroWorld-eScan: Gen:Win32.Malware.ciW@aq4YCBl
CMC: Generic.Win32.1bf32d0a1f!CMCRadar
McAfee: W32/Decon.worm
Zillya: Virus.Decon.Win32.1
AegisLab: W32.HLLW.Decon.a!c
CrowdStrike: malicious_confidence_62% (D)
K7GW: Virus ( 00492a7e1 )
K7AntiVirus: Virus ( 00492a7e1 )
F-Prot: W32/Heuristic-119!Eldorado
Symantec: W32.SillyFDC
TrendMicro-HouseCall: PAK_Generic.001
Avast: Win32:Decon
Kaspersky: Virus.Win32.HLLW.Decon.a
BitDefender: Gen:Win32.Malware.ciW@aq4YCBl
NANO-Antivirus: Virus.Win32.HLLW.gjko
Rising: Malware.Generic!2GTfp8rNngR@5 (thunder)
Ad-Aware: Gen:Win32.Malware.ciW@aq4YCBl
Emsisoft: Gen:Win32.Malware.ciW@aq4YCBl (B)
Comodo: Win32.HLLW.Decon.A
F-Secure: Gen:Win32.Malware.ciW@aq4YCBl
DrWeb: Win32.HLLW.Decon
VIPRE: BehavesLike.Win32.Malware.wsc (mx-v)
Invincea: generic.a
McAfee-GW-Edition: W32/Decon.worm
Cyren: W32/Heuristic-119!Eldorado
Jiangmin: Trojan/HLLW.ad
Avira: TR/Crypt.XPACK.Gen
Antiy-AVL: Virus/Win32.Decon
Microsoft: Worm:Win32/Decon.A
Arcabit: Gen:Win32.Malware.E71C81
GData: Gen:Win32.Malware.ciW@aq4YCBl
Sophos: W32/Decon-A
ALYac: Gen:Win32.Malware.ciW@aq4YCBl
AVware: BehavesLike.Win32.Malware.wsc (mx-v)
VBA32: BScope.Trojan.Agent
ESET-NOD32: Win32/HLLW.Decon.A
Yandex: Win32.HLLW.Decon.A
Ikarus: Trojan-Dropper.Agent
Fortinet: W32/HLLWDecon.A!worm
AVG: Win32/Decon.A
Panda: W32/Decon.A.worm
Qihoo-360: Malware.Radar01.Gen

Hashes

MD5 1bf32d0a1f35cc92c1bb7cd029867423
SHA1 cc33dff8641f6b724396691dc0f2aaf5a0cc5d5b
SHA256 f184244369966918978cb4cbae5bf072daa0eed43b622e6035228843a8fd6bbf
SHA3 dc7ecbe95d9cb29e13c600da5603821b3c2552798589b82f3c023d396a1690a4
SSDeep 768:Xt99T5s9xGBK+y/ob9HKC7SVJnclm6zp//OyyRK/c9w8o:Xn9T5sGB1y/ob9qCYJncg6wZRamlo
Imports Hash 3d3aad89f3674c92a3dbf23c2518bfd1

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0xe0

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_I386
NumberofSections 2
TimeDateStamp 2004-Mar-20 06:38:50
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xe0
Characteristics IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_RELOCS_STRIPPED

Image Optional Header

Magic PE32
LinkerVersion 6.0
SizeOfCode 0xa200
SizeOfInitializedData 0x2000
SizeOfUninitializedData 0
AddressOfEntryPoint 0x00002690 (Section: .text)
BaseOfCode 0x1000
BaseOfData 0xc000
ImageBase 0x400000
SectionAlignment 0x1000
FileAlignment 0x200
OperatingSystemVersion 4.0
ImageVersion 0.0
SubsystemVersion 4.0
Win32VersionValue 0
SizeOfImage 0xe000
SizeOfHeaders 0x400
Checksum 0
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
SizeofStackReserve 0x100000
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

.text

MD5 bdd3f17e8724fa967d047407c8590d3e
SHA1 0fa07352ca570cd405032455fa1b5cb48008074d
SHA256 4e9b643605f4a40095e253ff00679bb571f595e0d2610c62d3f650e6706b046f
SHA3 816940f284da8b744d6ec24f79476aef53651ae56be3cf36a5bd96ffc48872cc
VirtualSize 0xa11c
VirtualAddress 0x1000
SizeOfRawData 0xa200
PointerToRawData 0x400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_LOCKED
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 6.44376

.data

MD5 c06eccfdffbbbf161d26c6ea8d967ba3
SHA1 75c3aa1916bd446090e7e4773303536bccfe138d
SHA256 6d8a0ec3c11deea32e517cb9259e46295957e3717b6fa6d45503fe246a828f95
SHA3 29ab33879d834bc2bd99399955e6e8998c5c6c11d32d0c80923207c5512b5854
VirtualSize 0x1e84
VirtualAddress 0xc000
SizeOfRawData 0xa00
PointerToRawData 0xa600
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 2.01961

Imports

KERNEL32.dll
  • GetVolumeInformationA
  • SetErrorMode
  • Sleep
  • SetFileAttributesA
  • CopyFileA
  • GetWindowsDirectoryA
  • GetCurrentProcessId
  • SetStdHandle
  • SetFilePointer
  • LCMapStringW
  • LCMapStringA
  • GetStringTypeW
  • GetStringTypeA
  • OpenProcess
  • TerminateProcess
  • GetModuleFileNameA
  • CloseHandle
  • GetModuleHandleA
  • GetStartupInfoA
  • GetCommandLineA
  • GetVersion
  • ExitProcess
  • DebugBreak
  • GetStdHandle
  • WriteFile
  • InterlockedDecrement
  • OutputDebugStringA
  • GetProcAddress
  • LoadLibraryA
  • InterlockedIncrement
  • IsBadWritePtr
  • IsBadReadPtr
  • HeapValidate
  • GetCurrentProcess
  • UnhandledExceptionFilter
  • FreeEnvironmentStringsA
  • FreeEnvironmentStringsW
  • WideCharToMultiByte
  • GetEnvironmentStrings
  • GetEnvironmentStringsW
  • SetHandleCount
  • GetFileType
  • HeapDestroy
  • HeapCreate
  • HeapFree
  • VirtualFree
  • RtlUnwind
  • GetLastError
  • HeapAlloc
  • HeapReAlloc
  • VirtualAlloc
  • GetCPInfo
  • GetACP
  • GetOEMCP
  • MultiByteToWideChar
  • FlushFileBuffers
USER32.dll
  • MessageBoxA
  • EnumWindows
  • GetWindowTextA
  • GetWindowThreadProcessId
  • PeekMessageA
ADVAPI32.dll
  • RegSetValueExA
  • RegCloseKey
  • RegOpenKeyExA

Delayed Imports

Version Info

TLS Callbacks

Load Configuration

RICH Header

XOR Key 0x13b3268b
Unmarked objects 0
C++ objects (VS98 build 8168) 3
14 (7299) 14
C objects (VS98 build 8168) 54
19 (8034) 7
Total imports 65
C++ objects (VS98 build 8168) (#2) 2

Errors