2737455bff260fdc22216c3d1185d814

Summary

Architecture IMAGE_FILE_MACHINE_I386
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date 2018-Dec-15 22:24:32
Detected languages English - United States
Comments
CompanyName dxdiag
FileDescription dxdiag Application
FileVersion 1.0.2.1
LegalCopyright Copyright dxdiag company
LegalTrademarks dxdiag company
ProductName dxdiag

Plugin Output

Suspicious The PE is an NSIS installer.
Unusual section name found: .ndata
Malicious The PE contains functions mostly used by malware. [!] The program may be hiding some of its imports:
  • GetProcAddress
  • LoadLibraryExA
Can access the registry:
  • RegCreateKeyExA
  • RegOpenKeyExA
  • RegEnumValueA
  • RegDeleteKeyA
  • RegDeleteValueA
  • RegCloseKey
  • RegSetValueExA
  • RegQueryValueExA
  • RegEnumKeyA
Possibly launches other programs:
  • CreateProcessA
Can create temporary files:
  • CreateFileA
  • GetTempPathA
Functions related to the privilege level:
  • AdjustTokenPrivileges
  • OpenProcessToken
Changes object ACLs:
  • SetFileSecurityA
Can shut the system down or lock the screen:
  • ExitWindowsEx
Info The PE is digitally signed. Signer: law.com
Issuer: Trusted Secure Certificate Authority 5
Malicious VirusTotal score: 45/71 (Scanned on 2019-07-05 07:38:08)
Bkav: HW32.Packed.
MicroWorld-eScan: Trojan.Agent.DZCM
FireEye: Trojan.Agent.DZCM
CAT-QuickHeal: Trojan.Wacatac
McAfee: RDN/Generic.dx
Alibaba: Trojan:Win32/Agentb.8f98eb93
K7AntiVirus: Trojan ( 005505201 )
TrendMicro: Trojan.Win32.DELF.AKT
NANO-Antivirus: Trojan.Win32.Delf.frtxvo
F-Prot: W32/Trojan3.AOCC
Symantec: Trojan Horse
Paloalto: generic.ml
Kaspersky: Trojan.Win32.Agentb.jpsa
BitDefender: Trojan.Agent.DZCM
AegisLab: Trojan.Win32.Agentb.4!c
Tencent: Win32.Trojan.Raasmx.Auto
Endgame: malicious (high confidence)
Emsisoft: Trojan.Agent.DZCM (B)
Comodo: Malware@#3ht055kuiswb9
F-Secure: Trojan.TR/AD.TA505.DQ
DrWeb: Trojan.Siggen8.35088
Zillya: Trojan.Agentb.Win32.22672
McAfee-GW-Edition: RDN/Generic.dx
Sophos: Troj/Mdrop-ISJ
Cyren: W32/Trojan.XYUQ-3703
Webroot: W32.Adware.Gen
Avira: TR/AD.TA505.DR
Fortinet: W32/Delf.BJF!tr
Arcabit: Trojan.Agent.DZCM
ViRobot: Trojan.Win32.S.Infostealer.411696
ZoneAlarm: Trojan.Win32.Agentb.jpsa
Microsoft: Trojan:Win32/Skeeyah.A!bit
AhnLab-V3: Backdoor/Win32.ServHelper.R277861
ALYac: Backdoor.Agent.ServHelper
Ad-Aware: Trojan.Agent.DZCM
Malwarebytes: Trojan.Injector.NSIS
ESET-NOD32: a variant of Win32/Delf.BJF
TrendMicro-HouseCall: Trojan.Win32.DELF.AKT
Rising: Backdoor.Agent!1.B95C (CLOUD)
Ikarus: Backdoor.ServHelper
GData: Trojan.Agent.DZCM
AVG: Win32:Trojan-gen
Avast: Win32:Trojan-gen
CrowdStrike: win/malicious_confidence_100% (W)
Qihoo-360: HEUR/QVM42.3.12C3.Malware.Gen

Hashes

MD5 2737455bff260fdc22216c3d1185d814
SHA1 66003b37c538f8dee543e014fef4fa17dcbe8e62
SHA256 fcfaa5a008448be96b273ca3d59e28d4a0b20156909da676520dc5103d15ad77
SHA3 b7d7d9e385458849bae3368249029182c92bbcc5970f8409c57a43c99cb5cbbb
SSDeep 6144:95aXZqZGebTwsnzad06EK8LemRw5YYx10+6dckHKM2GwpSeDxHDEOh8MTE19V8Un:uQ5bKYKhWw3x1sqkHKo3eDRDubLJ2S
Imports Hash 252855d26259282b1bb9bda8dff01755

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0xd8

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_I386
NumberofSections 5
TimeDateStamp 2018-Dec-15 22:24:32
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xe0
Characteristics IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_RELOCS_STRIPPED

Image Optional Header

Magic PE32
LinkerVersion 6.0
SizeOfCode 0x6200
SizeOfInitializedData 0x1d000
SizeOfUninitializedData 0x400
AddressOfEntryPoint 0x00003328 (Section: .text)
BaseOfCode 0x1000
BaseOfData 0x8000
ImageBase 0x400000
SectionAlignment 0x1000
FileAlignment 0x200
OperatingSystemVersion 4.0
ImageVersion 6.0
SubsystemVersion 4.0
Win32VersionValue 0
SizeOfImage 0x2e000
SizeOfHeaders 0x400
Checksum 0x6acd7
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
DllCharacteristics IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
SizeofStackReserve 0x100000
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

.text

MD5 0311bcb2ead177b380555800a8e6e6ee
SHA1 9b8f08f9640c322dbdf471fe113c60a6cae5d583
SHA256 019755b0ec6a48933fafa5a67be16db81d1531dfdafca7e8462d7a57ca9a270b
SHA3 e4af70cbba14ed2e18bf20f694a2bc5aa9af7dabf65216cc1b20b54fcdab98c9
VirtualSize 0x6077
VirtualAddress 0x1000
SizeOfRawData 0x6200
PointerToRawData 0x400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
Entropy 6.40386

.rdata

MD5 926b1e688f085d737343e22bcf628243
SHA1 0a25c233003472b9655cbd0bfe8d21c962c8ede8
SHA256 31d66573fd3f6c2f210a2e0f179ababe40b511e57fcbe7b2880b57edbef7a0fe
SHA3 56036c53bce9bd3f7a1ee0f0290027a9105e20c329b90dbc886e1a778ab125fc
VirtualSize 0x1250
VirtualAddress 0x8000
SizeOfRawData 0x1400
PointerToRawData 0x6600
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 5.04481

.data

MD5 9b72314b8d9ad5c72778b00cdf336ee2
SHA1 bbd203dd006ce01350a17c86143140eb14a9d94e
SHA256 1b8fb6198506eaef35e7f92db9770170a7ce9aa0e85c43137e7c4dc180bf3a06
SHA3 ff15db8aea32748882caf52ba47d30dd187512b673ec544648061cb3403e92a5
VirtualSize 0x1a838
VirtualAddress 0xa000
SizeOfRawData 0x400
PointerToRawData 0x7a00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 5.22445

.ndata

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA3 a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a
VirtualSize 0x8000
VirtualAddress 0x25000
SizeOfRawData 0
PointerToRawData 0
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc

MD5 7c092d18dca9bf6e445553ef23bdaafb
SHA1 da32f7427ad73f941ef5b0f5f4a29165d597b366
SHA256 2c4e5ead96561465bb5a9a4cbe17db911143271b4a98ebb75ccee6833f96107f
SHA3 eb1cc0cdc9cac66d5d2fbb0467a31214f76e7b30313f5f9a8bc60ed38400ebe9
VirtualSize 0xd10
VirtualAddress 0x2d000
SizeOfRawData 0xe00
PointerToRawData 0x7e00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 4.2476

Imports

KERNEL32.dll SetEnvironmentVariableA
CreateFileA
GetFileSize
GetModuleFileNameA
ReadFile
GetCurrentProcess
CopyFileA
Sleep
GetTickCount
GetWindowsDirectoryA
GetTempPathA
GetCommandLineA
lstrlenA
GetVersion
SetErrorMode
lstrcpynA
ExitProcess
SetCurrentDirectoryA
GlobalLock
CreateThread
GetLastError
CreateDirectoryA
CreateProcessA
RemoveDirectoryA
GetTempFileNameA
WriteFile
lstrcpyA
MoveFileExA
lstrcatA
GetSystemDirectoryA
GetProcAddress
GetExitCodeProcess
WaitForSingleObject
CompareFileTime
SetFileAttributesA
GetFileAttributesA
GetShortPathNameA
MoveFileA
GetFullPathNameA
SetFileTime
SearchPathA
CloseHandle
lstrcmpiA
GlobalUnlock
GetDiskFreeSpaceA
lstrcmpA
FindFirstFileA
FindNextFileA
DeleteFileA
SetFilePointer
GetPrivateProfileStringA
FindClose
MultiByteToWideChar
FreeLibrary
MulDiv
WritePrivateProfileStringA
LoadLibraryExA
GetModuleHandleA
GlobalAlloc
GlobalFree
ExpandEnvironmentStringsA
USER32.dll ScreenToClient
GetSystemMenu
SetClassLongA
IsWindowEnabled
SetWindowPos
GetSysColor
GetWindowLongA
SetCursor
LoadCursorA
CheckDlgButton
GetMessagePos
LoadBitmapA
CallWindowProcA
IsWindowVisible
CloseClipboard
SetClipboardData
EmptyClipboard
PostQuitMessage
GetWindowRect
EnableMenuItem
CreatePopupMenu
GetSystemMetrics
SetDlgItemTextA
GetDlgItemTextA
MessageBoxIndirectA
CharPrevA
DispatchMessageA
PeekMessageA
ReleaseDC
EnableWindow
InvalidateRect
SendMessageA
DefWindowProcA
BeginPaint
GetClientRect
FillRect
DrawTextA
EndDialog
RegisterClassA
SystemParametersInfoA
CreateWindowExA
GetClassInfoA
DialogBoxParamA
CharNextA
ExitWindowsEx
GetDC
CreateDialogParamA
SetTimer
GetDlgItem
SetWindowLongA
SetForegroundWindow
LoadImageA
IsWindow
SendMessageTimeoutA
FindWindowExA
OpenClipboard
TrackPopupMenu
AppendMenuA
EndPaint
DestroyWindow
wsprintfA
ShowWindow
SetWindowTextA
GDI32.dll SelectObject
SetBkMode
CreateFontIndirectA
SetTextColor
DeleteObject
GetDeviceCaps
CreateBrushIndirect
SetBkColor
SHELL32.dll SHGetSpecialFolderLocation
ShellExecuteExA
SHGetPathFromIDListA
SHBrowseForFolderA
SHGetFileInfoA
SHFileOperationA
ADVAPI32.dll AdjustTokenPrivileges
RegCreateKeyExA
RegOpenKeyExA
SetFileSecurityA
OpenProcessToken
LookupPrivilegeValueA
RegEnumValueA
RegDeleteKeyA
RegDeleteValueA
RegCloseKey
RegSetValueExA
RegQueryValueExA
RegEnumKeyA
COMCTL32.dll ImageList_Create
ImageList_AddMasked
ImageList_Destroy
#17
ole32.dll OleUninitialize
OleInitialize
CoTaskMemFree
CoCreateInstance

Delayed Imports

1

Type RT_ICON
Language English - United States
Codepage UNKNOWN
Size 0x2e8
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 3.50665
MD5 f00e9d9f29bad0b3f02ccf494a4f3a1f
SHA1 57f9c03e30c91d3035c2b658fff178f0e154947f
SHA256 7b99f0e5e7a3db2de9f02622f1ac8a0c9599492dd00196b3cb3c2ed15bbde57d
SHA3 ac2209893371010acb09ae7f6b8b3f6cb19c857bf9a89f6cfb543f351300bd09

105

Type RT_DIALOG
Language English - United States
Codepage UNKNOWN
Size 0x100
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 2.66174
MD5 3409f314895161597f3c395cc5f65525
SHA1 1a99d016d65e567f24449d9362afb6ac44006d0b
SHA256 fecdb955f8d7f1c219ff8167f90b64f3cb52e53337494577ff73c0ac1dafcd96
SHA3 b3b19241cc6454389e45833e50b742ae1927a5f161017350a99f2cbc66914f26

106

Type RT_DIALOG
Language English - United States
Codepage UNKNOWN
Size 0x11c
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 2.88094
MD5 2d12c45dc2c029044aaff357141cb900
SHA1 083db861ab3c7db23c6257878296e73a89a74b8b
SHA256 69897c784f1491eb3024b0d52c2897196a2e245974497fda1915db5fefcf8729
SHA3 349b5d605c9c3efe5e0c4e2faa12dd21022fc5f9b053f2cbf4e2a6b8bc656442

111

Type RT_DIALOG
Language English - United States
Codepage UNKNOWN
Size 0x60
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 2.48825
MD5 6be4e1387d369cf86e68eacbdd0e81dd
SHA1 351970fe2681b9b35b5d59ad052011ed96a96e17
SHA256 85025c8556952f6a651c2468c8a0d58853b0ba482be9ad5cd3060f216540dfc0
SHA3 45e552e173141e06d113209b6cc915042ad0b4d5531464b8dbe5637029f489cb

103

Type RT_GROUP_ICON
Language English - United States
Codepage UNKNOWN
Size 0x14
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 2.16096
Detected Filetype Icon file
MD5 42cf62b780813706e75fb9f2b2e8c258
SHA1 a022d5c1cfdd8aace0089f3e72f2eedd41bda464
SHA256 a0c9d012e2bf6b2fe05c2d97cb5594d97cf2f539e97935c12abd7a3562f4d9bf
SHA3 0aafc8e3d8b6bde595537da4ffe0efc5fe53f01dafe336a2a5828b6a71283d3c

1 (#2)

Type RT_VERSION
Language English - United States
Codepage UNKNOWN
Size 0x278
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 3.23256
MD5 4aeac72a80c8b874f87719f7ce811ade
SHA1 416d955310abff1d20ce61d0e6041b3fbf6a5a20
SHA256 6bd409c9fd12d7ac04c20b4b7c9e4b6e44621fc9e8c7646e387072db1ef7a3ea
SHA3 28c051e591854730affc26a8ed0e0ad47333117c06933c76854805779503aabf

1 (#3)

Type RT_MANIFEST
Language English - United States
Codepage UNKNOWN
Size 0x33e
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 5.2992
MD5 4b1844ad078c858804c5f578b2c0b3e3
SHA1 225c2fea69ed00409cdabfde3ec719fd437b15b8
SHA256 084534cc783285750dbf8c5106b55674a13ff630b08869b1cb916451e7313260
SHA3 c937912512960b93fc550dbe51e7296b8a574b6e2fcac35903317937aaf97a7b

Version Info

Signature 0xfeef04bd
StructVersion 0
FileVersion 2.3.6.0
ProductVersion 2.3.6.0
FileFlags (EMPTY)
FileOs VOS_DOS_WINDOWS32
VOS_NT_WINDOWS32
VOS__WINDOWS32
FileType VFT_APP
Language English - United States
Comments
CompanyName dxdiag
FileDescription dxdiag Application
FileVersion (#2) 1.0.2.1
LegalCopyright Copyright dxdiag company
LegalTrademarks dxdiag company
ProductName dxdiag
Resource LangID English - United States

TLS Callbacks

Load Configuration

RICH Header

XOR Key 0xd246d0e9
Unmarked objects 0
C objects (VS2003 (.NET) build 4035) 2
Total imports 159
Imports (VS2003 (.NET) build 4035) 15
48 (9044) 10
Resource objects (VS98 SP6 cvtres build 1736) 1

Errors

[*] Warning: Section .ndata has a size of 0!