1fa9ea76f6fe1eb6fe66d988396352a490155b6d06f174d02fd8b2750321ab3c

Summary

Architecture IMAGE_FILE_MACHINE_I386
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date 2017-Sep-11 23:57:32
Detected languages English - United States

Plugin Output

Suspicious PEiD Signature:
  • UPX V2.00-V2.90 -> Markus Oberhumer & Laszlo Molnar & John Reiser
  • UPX v2.0 -> Markus, Laszlo & Reiser (h)
  • UPX 2.00-3.0X -> Markus Oberhumer & Laszlo Molnar & John Reiser
  • UPX -> www.upx.sourceforge.net
  • UPX V2.00-V2.90 -> Markus Oberhumer & Laszlo Molnar & John Reiser
  • UPX 2.00-3.0X -> Markus Oberhumer & Laszlo Molnar & John Reiser
Suspicious The PE is possibly packed.
  • Unusual section name found: text
  • Section text is both writable and executable.
  • Unusual section name found: data
  • Section data is both writable and executable.
Suspicious The PE contains functions most legitimate programs don't use.
[!] The program may be hiding some of its imports:
  • LoadLibraryA
  • GetProcAddress
Can take screenshots:
  • BitBlt
  • GetDC
Malicious VirusTotal score: 15/67 (Scanned on 2018-03-01 07:10:04)
Baidu: Win32.Trojan.WisdomEyes.16070401.9500.9708
CrowdStrike: malicious_confidence_60% (D)
Cylance: Unsafe
Ikarus: Packer.Win32.Krap
Invincea: heuristic
K7AntiVirus: Trojan ( 0051918e1 )
K7GW: Trojan ( 0051918e1 )
MAX: malware (ai score=79)
McAfee: Artemis!4FE023F18E0F
McAfee-GW-Edition: BehavesLike.Win32.Pate.nc
Paloalto: generic.ml
SentinelOne: static engine - malicious
TheHacker: Posible_Worm32
TrendMicro-HouseCall: Suspicious_GEN.F47V0110
WhiteArmor: Malware.HighConfidence

Hashes

MD5 4fe023f18e0f2b03c0afaff9675553fc
SHA1 4e4e01c448dff76418acc66d485a21be3f8117d0
SHA256 1fa9ea76f6fe1eb6fe66d988396352a490155b6d06f174d02fd8b2750321ab3c
SHA3 0300bc5ce549fafc4477aa77be94e03718f27a7b40413242fe8a3f4a97324b8d
SSDeep 384:koxc1StN76de2rs33l7MaiutDR0JvbVNXLZl8hTf5jB/5XdJsARY1c9nUgu06mH:Djtcdex7XbFibVNZSj55NGAP9nuhmHO
Imports Hash 66dedbd66a79491a3ee0d6fff0e16790

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0x80

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_I386
NumberofSections 3
TimeDateStamp 2017-Sep-11 23:57:32
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xe0
Characteristics IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_RELOCS_STRIPPED

Image Optional Header

Magic PE32
LinkerVersion 2.0
SizeOfCode 0x8000
SizeOfInitializedData 0x1000
SizeOfUninitializedData 0xb000
AddressOfEntryPoint 0x00012F40 (Section: data)
BaseOfCode 0xc000
BaseOfData 0x14000
ImageBase 0x400000
SectionAlignment 0x1000
FileAlignment 0x200
OperatingSystemVersion 4.0
ImageVersion 0.0
SubsystemVersion 4.0
Win32VersionValue 0
SizeOfImage 0x15000
SizeOfHeaders 0x1000
Checksum 0
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
SizeofStackReserve 0x100000
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

text

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA3 a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a
VirtualSize 0xb000
VirtualAddress 0x1000
SizeOfRawData 0
PointerToRawData 0x200
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

data

MD5 09ad315979846f4268b816a04dddf49b
SHA1 6b57a5cef3799bb6b871f1135188cebd5fdc400e
SHA256 8675b8828bfb5f00522dde7b1aecd5b8222079b11660ba536dc1c9610f5028b7
SHA3 4d3984209d70f49e80389b9abcf4e284cd5ac38725b78827d5848cd9af42b938
VirtualSize 0x8000
VirtualAddress 0xc000
SizeOfRawData 0x7200
PointerToRawData 0x200
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 7.88435

.rsrc

MD5 adaef6be65531fc76309eaa82413dc01
SHA1 642a436f050209b83d38742c02e4348b2388e05e
SHA256 54324750a4b94d8370c0d68d1e2bc280b34b3cbf475aa9eb284ad37c5d934381
SHA3 e3f4c3eea08cd4f48293df08e9ec115f54ae4b5994155bef758e6f1b41478201
VirtualSize 0x1000
VirtualAddress 0x14000
SizeOfRawData 0x600
PointerToRawData 0x7400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 4.17296

Imports

COMCTL32.DLL  ImageList_Add
GDI32.DLL     BitBlt
gdiplus.dll   GdipFree
KERNEL32.DLL  LoadLibraryA
              ExitProcess
              GetProcAddress
              VirtualProtect
MSVCRT.dll    pow
OLE32.DLL     RevokeDragDrop
USER32.DLL    GetDC

Delayed Imports

Resources

1

Type RT_MANIFEST
Language English - United States
Codepage UNKNOWN
Size 0x263
TimeDateStamp 2017-Sep-11 23:57:32
Entropy 4.92322
MD5 841795bb3b61ebd511249778aa26af77
SHA1 59f426938522ef9906b0740821e8cc270d1ca897
SHA256 be809cba9d14bfb52a969d766992832b10e99e133babcdd99dc6d1bba5597cf7
SHA3 5fa5c36711cc5c3661248b1180ce35543201ff1dc77d158129b844f03a2144c9

Version Info

TLS Callbacks

Load Configuration

RICH Header

Errors

[*] Warning: Section text has a size of 0!
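Reading the report as a whole: the plugin findings, the section table and the warning above all describe one layout. The first section ("text") has SizeOfRawData 0 but VirtualSize 0xb000 and is readable, writable and executable; the second ("data") holds the entry point (0x12F40), is also RWX and has entropy 7.88; the third is a small .rsrc. That is the on-disk shape UPX produces (an empty section the stub decompresses the original code into, a section holding the stub plus the compressed payload, then the resources), which is also what the PEiD signatures match. The names "text" and "data" rather than UPX0/UPX1 indicate the default section names were changed, and Manalyze flags them as unusual because a linker-emitted name carries a leading dot. The "Section text has a size of 0!" warning is therefore expected for this layout, not a sign of a corrupt file. The import table is the stub's rather than the program's: UPX keeps LoadLibraryA and GetProcAddress (plus VirtualProtect to make the unpacked pages executable, and ExitProcess) and one function from each DLL the original program used, so the loader maps those DLLs and the stub resolves the real imports at run time. Two practical consequences: the Imports Hash fingerprints the packer stub and will collide with unrelated UPX-packed files, so it is not a family indicator here; and the section hashes and entropy describe compressed bytes, so static signatures belong on the unpacked image (try upx -d first; if the stub or headers have been modified it refuses, and the fallback is a memory dump at the original entry point).

The script below is an added example written for this page, not Manalyze's code or the sample's. It assembles a constructed 32-bit PE whose headers copy the values in this report (the section contents are synthetic filler, so its entropy and hashes differ from the sample's) and runs the checks an analyst applies to reach the conclusions above: unusual names, writable-and-executable sections, an executable section that is empty on disk, high entropy, an entry point outside the first section, and the stub import set. The flag constants, the short allow-list of common section names and the 16-import threshold are the example's own assumptions.

```python
"""Static packer triage over a constructed PE mirroring the report (added example)."""
import hashlib
import math
import struct
from collections import Counter

IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_CNT_UNINITIALIZED_DATA = 0x00000080
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
RWX = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE

# Assumed allow-list of names linkers normally emit; anything else gets flagged.
COMMON_SECTION_NAMES = {".text", ".data", ".rdata", ".bss", ".idata", ".edata",
                        ".rsrc", ".reloc", ".tls", ".pdata", "CODE", "DATA", "BSS"}

# Import table copied from the report: one function per DLL plus the kernel32
# set the unpacking stub needs to rebuild the real imports at run time.
SAMPLE_IMPORTS = ["ImageList_Add", "BitBlt", "GdipFree", "LoadLibraryA", "ExitProcess",
                  "GetProcAddress", "VirtualProtect", "pow", "RevokeDragDrop", "GetDC"]


def _filler(size, seed):
    """Deterministic pseudo-random bytes standing in for compressed data (constructed)."""
    out, block = bytearray(), seed
    while len(out) < size:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:size])


def build_sample_pe():
    """Constructed PE32 whose headers mirror the report; contents are synthetic."""
    sections = [  # name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, flags
        (b"text", 0xB000, 0x1000, 0x0, 0x200, IMAGE_SCN_CNT_UNINITIALIZED_DATA | RWX),
        (b"data", 0x8000, 0xC000, 0x7200, 0x200, IMAGE_SCN_CNT_INITIALIZED_DATA | RWX),
        (b".rsrc", 0x1000, 0x14000, 0x600, 0x7400,
         IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    ]
    e_lfanew = 0x80
    pe = bytearray(0x7A00)                         # 0x7400 + 0x600: end of .rsrc raw data
    pe[0:2] = b"MZ"
    struct.pack_into("<I", pe, 0x3C, e_lfanew)
    # COFF header: I386, 3 sections, TimeDateStamp left 0 (unused by these checks),
    # SizeOfOptionalHeader 0xE0, Characteristics 0x010F as listed in the report.
    struct.pack_into("<4sHHIIIHH", pe, e_lfanew, b"PE\0\0", 0x14C, len(sections),
                     0, 0, 0, 0xE0, 0x010F)
    opt = e_lfanew + 24
    struct.pack_into("<HBB" + "I" * 9, pe, opt, 0x10B, 2, 0,     # PE32, linker 2.0
                     0x8000, 0x1000, 0xB000,                     # code/init/uninit sizes
                     0x12F40, 0xC000, 0x14000,                   # EP, BaseOfCode, BaseOfData
                     0x400000, 0x1000, 0x200)                    # ImageBase, alignments
    for i, sec in enumerate(sections):
        struct.pack_into("<8sIIIIIIHHI", pe, opt + 0xE0 + 40 * i,
                         sec[0], sec[1], sec[2], sec[3], sec[4], 0, 0, 0, 0, sec[5])
    pe[0x200:0x200 + 0x7200] = _filler(0x7200, b"data")             # high-entropy stand-in
    pe[0x7400:0x7400 + 0x600] = (b"<assembly manifest/>" * 80)[:0x600]  # low-entropy stand-in
    return bytes(pe)


def parse(pe):
    """Return (AddressOfEntryPoint, [section dicts]) from a PE image as stored on disk."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    entry = struct.unpack_from("<I", pe, e_lfanew + 24 + 16)[0]
    table = e_lfanew + 24 + opt_size
    sections = []
    for i in range(nsec):
        name, vsize, vaddr, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", pe, table + 40 * i)
        sections.append(dict(name=name.rstrip(b"\0").decode("ascii", "replace"),
                             vsize=vsize, vaddr=vaddr, rawsize=rawsize, chars=chars,
                             data=pe[rawptr:rawptr + rawsize]))
    return entry, sections


def entropy(data):
    """Shannon entropy in bits per byte; compressed or encrypted data sits near 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage(pe, imports):
    """Packer indicators as 'section: reason' strings, in section order."""
    entry, sections = parse(pe)
    findings = []
    for s in sections:
        if s["name"] not in COMMON_SECTION_NAMES:
            findings.append(f"{s['name']}: unusual section name")
        if s["chars"] & IMAGE_SCN_MEM_WRITE and s["chars"] & IMAGE_SCN_MEM_EXECUTE:
            findings.append(f"{s['name']}: writable and executable")
        if s["rawsize"] == 0 and s["vsize"] and s["chars"] & IMAGE_SCN_MEM_EXECUTE:
            findings.append(f"{s['name']}: executable but empty on disk (unpack target)")
        h = entropy(s["data"])
        if h > 7.0:
            findings.append(f"{s['name']}: high entropy {h:.2f}")
    holder = next((s for s in sections if s["vaddr"] <= entry < s["vaddr"] + s["vsize"]), None)
    if holder is None:
        findings.append(f"entry point 0x{entry:X} outside every section")
    elif holder is not sections[0]:
        findings.append(f"entry point 0x{entry:X} in '{holder['name']}', not the first section")
    stub = {"LoadLibraryA", "GetProcAddress", "VirtualProtect"}
    if stub <= set(imports) and len(imports) <= 16:   # assumed threshold for "tiny"
        findings.append("tiny import table with the LoadLibraryA/GetProcAddress/VirtualProtect stub set")
    return findings


if __name__ == "__main__":
    for line in triage(build_sample_pe(), SAMPLE_IMPORTS):
        print(line)
```

Run it against a real file by replacing build_sample_pe() with open(path, "rb").read() and the import list with one pulled from the import directory; the checks are deliberately independent of section names, so they still fire when UPX0/UPX1 have been renamed as in this sample.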