2469c7e897b343350b6277171e7e0dcf

Summary

Architecture IMAGE_FILE_MACHINE_I386
Subsystem IMAGE_SUBSYSTEM_WINDOWS_CUI
Compilation Date 2017-Jun-16 01:36:19

Plugin Output

Suspicious PEiD Signature:
UPX V2.00-V2.90 -> Markus Oberhumer & Laszlo Molnar & John Reiser
UPX v2.0 -> Markus, Laszlo & Reiser (h)
UPX -> www.upx.sourceforge.net
UPX V2.00-V2.90 -> Markus Oberhumer & Laszlo Molnar & John Reiser
Suspicious The PE is packed with UPX
Unusual section name found: UPX0
Section UPX0 is both writable and executable.
Unusual section name found: UPX1
Section UPX1 is both writable and executable.
Unusual section name found: UPX2
The PE only has 5 import(s).
Info The PE contains common functions which appear in legitimate applications.
[!] The program may be hiding some of its imports:
  • LoadLibraryA
  • GetProcAddress
Malicious VirusTotal score: 41/67 (Scanned on 2017-12-21 16:14:48)
MicroWorld-eScan: Trojan.Generic.21836106
CAT-QuickHeal: Trojan.Pakes
McAfee: Artemis!2469C7E897B3
Cylance: Unsafe
TheHacker: Posible_Worm32
K7GW: Riskware ( 0040eff71 )
K7AntiVirus: Riskware ( 0040eff71 )
Invincea: heuristic
Symantec: Trojan.Gen.2
ESET-NOD32: a variant of Generik.NHDUKJQ
TrendMicro-HouseCall: TROJ_GEN.R047C0OFQ17
Paloalto: generic.ml
Kaspersky: Trojan.Win32.Pakes.auux
BitDefender: Trojan.Generic.21836106
NANO-Antivirus: Trojan.Win32.Pakes.eqcbxr
AegisLab: Troj.W32.Pakes!c
Avast: Win32:Malware-gen
Tencent: Win32.Trojan.Pakes.Hpsb
Ad-Aware: Trojan.Generic.21836106
Comodo: UnclassifiedMalware
F-Secure: Trojan.Generic.21836106
TrendMicro: TROJ_GEN.R047C0OFQ17
McAfee-GW-Edition: BehavesLike.Win32.Generic.xm
Emsisoft: Trojan.Generic.21836106 (B)
Cyren: W32/Trojan.JXCI-4734
Webroot: W32.Trojan.Gen
Avira: TR/Pakes.tbxwy
Antiy-AVL: Trojan/Win32.Pakes
Arcabit: Trojan.Generic.D14D314A
ZoneAlarm: Trojan.Win32.Pakes.auux
GData: Trojan.Generic.21836106
ALYac: Trojan.Generic.21836106
MAX: malware (ai score=88)
Yandex: Trojan.Agent!bBfTuMEynS4
Ikarus: Trojan.Win32.Pakes
Fortinet: W32/Pakes.AUUX!tr
AVG: Win32:Malware-gen
Cybereason: malicious.1b8fb7
Panda: Trj/GdSda.A
CrowdStrike: malicious_confidence_90% (D)
Qihoo-360: Win32/Trojan.1d1

Hashes

MD5 2469c7e897b343350b6277171e7e0dcf
SHA1 2545a3ff8e6e815992f9385a5f0411818c4146d6
SHA256 ff74910fadbf214950608806110debda7a3728df1cdfc60beeec74b74317ead8
SHA3 f4c034abd0a2c7fdff0c2223fac052064109368e10ceb804140a33723e175102
SSDeep 48:ygYB8AwR8wS90IO8KYM7vsW6bs9qktA6q49hiovX7kEQZ9iT4DebpSeJY8JTa+9:vAwR8T0IOGM7kW6b1NboioPMpaT9
Imports Hash a444940f1e817b601e31403aeb2d6222

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0xb8

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_I386
NumberofSections 3
TimeDateStamp 2017-Jun-16 01:36:19
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xe0
Characteristics IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_RELOCS_STRIPPED

Image Optional Header

Magic PE32
LinkerVersion 14.1
SizeOfCode 0x1000
SizeOfInitializedData 0x1000
SizeOfUninitializedData 0x4000
AddressOfEntryPoint 0x00005800 (Section: UPX1)
BaseOfCode 0x5000
BaseOfData 0x6000
ImageBase 0x400000
SectionAlignment 0x1000
FileAlignment 0x200
OperatingSystemVersion 6.1
ImageVersion 6.1
SubsystemVersion 6.1
Win32VersionValue 0
SizeOfImage 0x7000
SizeOfHeaders 0x1000
Checksum 0
Subsystem IMAGE_SUBSYSTEM_WINDOWS_CUI
DllCharacteristics IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
SizeofStackReserve 0x100000
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

UPX0

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA3 a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a
VirtualSize 0x4000
VirtualAddress 0x1000
SizeOfRawData 0
PointerToRawData 0x400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

UPX1

MD5 ace0ec4c600846a7b630ac479c5f98db
SHA1 ed2c9f4823b896cf0b5a23f1bebab411715c99e3
SHA256 fdef114781f33c821ce5536751bf7b6804c4d4c796f216229a46b00889b71f20
SHA3 5a38f1749d0326304462aa0af064474064fd3352fceba6d96fb0c02c747df069
VirtualSize 0x1000
VirtualAddress 0x5000
SizeOfRawData 0xa00
PointerToRawData 0x400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 7.446

UPX2

MD5 45ddad643113250005cd7091967c31fb
SHA1 19f4402f6b707026485fca801c01ba99cc3803b4
SHA256 e548acd9de6108f863f3b3036ce6ee319949f398bf7e767c4542876230c8d188
SHA3 871ce09c21ff7351f87e56129ad90f3df9a3e27d8b5bf3b68b8b715e857acd91
VirtualSize 0x1000
VirtualAddress 0x6000
SizeOfRawData 0x200
PointerToRawData 0xe00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 1.59829

Imports

KERNEL32.DLL LoadLibraryA
ExitProcess
GetProcAddress
VirtualProtect
ntdll.dll memcpy

Delayed Imports

Version Info

TLS Callbacks

Load Configuration

RICH Header

XOR Key 0xac92f2ad
Unmarked objects 0
Imports (VS2017 v15.2 compiler 25019) 5
Total imports 22
265 (VS2017 v15.2 compiler 25019) 1
Linker (VS2017 v15.2 compiler 25019) 1

Errors

[*] Warning: Section UPX0 has a size of 0!