Architecture | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date | 2010-Jan-30 10:24:51 |
Detected languages | English - United States |
Debug artifacts | c:\Free\Hat\hard\Log\problemtable.pdb |
CompanyName | MyWebGrocer |
FileDescription | Norgreat |
OriginalFilename | Creasesalt.exe |
InternalName | Norgreat |
LegalCopyright | Copyright (c) 2004-2014, MyWebGrocer book coverheat |
ProductVersion | 10.3.21.16 |
LegalTrademarks | Norgreat freshschool thousand |
FileVersion | 10.3.21.16 |
Info | Matching compiler(s): Microsoft Visual C++ 6.0 - 8.0 |
Malicious | The PE contains functions mostly used by malware. [!] The program may be hiding some of its imports: |
Malicious | VirusTotal score: 48/70 (Scanned on 2019-02-08 14:26:43) |
MicroWorld-eScan: Trojan.Autoruns.GenericKDS.41002543
CAT-QuickHeal: Trojan.IcedID
ALYac: Trojan.IcedID.gen
Malwarebytes: Trojan.IcedID
K7GW: Spyware ( 0053a3c61 )
K7AntiVirus: Spyware ( 0053a3c61 )
TrendMicro: TROJ_GEN.R045C0WAV19
Symantec: Trojan.Gen.2
TrendMicro-HouseCall: TROJ_GEN.R045C0WAV19
Paloalto: generic.ml
Kaspersky: Trojan-Banker.Win32.IcedID.tope
BitDefender: Trojan.Autoruns.GenericKDS.41002543
NANO-Antivirus: Trojan.Win32.Inject3.fmoavy
Avast: Win32:Malware-gen
Tencent: Win32.Trojan-banker.Icedid.Htmt
Ad-Aware: Trojan.Autoruns.GenericKDS.41002543
Emsisoft: Trojan.Autoruns.GenericKDS.41002543 (B)
DrWeb: Trojan.Inject3.12534
Zillya: Trojan.IcedId.Win32.475
Invincea: heuristic
McAfee-GW-Edition: RDN/PWS-Banker
Trapmine: malicious.high.ml.score
Ikarus: Trojan-Banker.IcedID
Webroot: W32.Rogue.Gen
Fortinet: W32/IcedId.H!tr.spy
Antiy-AVL: Trojan[Banker]/Win32.IcedID
Endgame: malicious (moderate confidence)
Arcabit: Trojan.Autoruns.GenericS.D271A62F
ViRobot: Trojan.Win32.Z.Icedid.173056
ZoneAlarm: Trojan-Banker.Win32.IcedID.tope
Microsoft: Trojan:Win32/Occamy.C
TACHYON: Banker/W32.IcedID.173056
Sophos: Mal/Generic-L
AhnLab-V3: Trojan/Win32.Banker.C2986132
Acronis: suspicious
McAfee: RDN/PWS-Banker
MAX: malware (ai score=100)
VBA32: TrojanBanker.IcedID
Cylance: Unsafe
ESET-NOD32: Win32/Spy.IcedId.H
Rising: Spyware.IcedId!8.F061 (TFE:5:bcGlcaMyMpM)
SentinelOne: static engine - malicious
GData: Trojan.Autoruns.GenericKDS.41002543
AVG: Win32:Malware-gen
Cybereason: malicious.237015
Panda: Trj/WLT.E
CrowdStrike: malicious_confidence_100% (W)
Qihoo-360: Win32/Trojan.9c5 |
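The 48 verdicts above name the sample inconsistently (IcedID, IcedId, Icedid, Occamy.C, plus generic and heuristic labels), so the family is easier to read off by counting than by eye. The script below is an added example, not part of the report: it parses a pasted VirusTotal detection list (one per line or run together, as such pages usually paste) and tallies family-looking tokens once per engine. The detection text is the one on this page; the stoplist of generic words and the token filters are my own assumptions.

```python
import re
from collections import Counter

# The 48 engine verdicts from the VirusTotal line on this page (scan of 2019-02-08),
# reproduced as "Vendor: detection" text; nothing here is invented.
VT_TEXT = """\
MicroWorld-eScan: Trojan.Autoruns.GenericKDS.41002543
CAT-QuickHeal: Trojan.IcedID
ALYac: Trojan.IcedID.gen
Malwarebytes: Trojan.IcedID
K7GW: Spyware ( 0053a3c61 )
K7AntiVirus: Spyware ( 0053a3c61 )
TrendMicro: TROJ_GEN.R045C0WAV19
Symantec: Trojan.Gen.2
TrendMicro-HouseCall: TROJ_GEN.R045C0WAV19
Paloalto: generic.ml
Kaspersky: Trojan-Banker.Win32.IcedID.tope
BitDefender: Trojan.Autoruns.GenericKDS.41002543
NANO-Antivirus: Trojan.Win32.Inject3.fmoavy
Avast: Win32:Malware-gen
Tencent: Win32.Trojan-banker.Icedid.Htmt
Ad-Aware: Trojan.Autoruns.GenericKDS.41002543
Emsisoft: Trojan.Autoruns.GenericKDS.41002543 (B)
DrWeb: Trojan.Inject3.12534
Zillya: Trojan.IcedId.Win32.475
Invincea: heuristic
McAfee-GW-Edition: RDN/PWS-Banker
Trapmine: malicious.high.ml.score
Ikarus: Trojan-Banker.IcedID
Webroot: W32.Rogue.Gen
Fortinet: W32/IcedId.H!tr.spy
Antiy-AVL: Trojan[Banker]/Win32.IcedID
Endgame: malicious (moderate confidence)
Arcabit: Trojan.Autoruns.GenericS.D271A62F
ViRobot: Trojan.Win32.Z.Icedid.173056
ZoneAlarm: Trojan-Banker.Win32.IcedID.tope
Microsoft: Trojan:Win32/Occamy.C
TACHYON: Banker/W32.IcedID.173056
Sophos: Mal/Generic-L
AhnLab-V3: Trojan/Win32.Banker.C2986132
Acronis: suspicious
McAfee: RDN/PWS-Banker
MAX: malware (ai score=100)
VBA32: TrojanBanker.IcedID
Cylance: Unsafe
ESET-NOD32: Win32/Spy.IcedId.H
Rising: Spyware.IcedId!8.F061 (TFE:5:bcGlcaMyMpM)
SentinelOne: static engine - malicious
GData: Trojan.Autoruns.GenericKDS.41002543
AVG: Win32:Malware-gen
Cybereason: malicious.237015
Panda: Trj/WLT.E
CrowdStrike: malicious_confidence_100% (W)
Qihoo-360: Win32/Trojan.9c5
"""

# A vendor token is followed by ":" and whitespace; a detection runs until the next such
# token (detections may contain spaces, parentheses and colons without a following space).
VENDOR_RE = re.compile(
    r"([A-Za-z0-9][A-Za-z0-9_-]*):\s+(.*?)(?=\s+[A-Za-z0-9][A-Za-z0-9_-]*:\s|\s*$)", re.S)

# Words that name a class, a heuristic verdict or an engine rather than a family (assumed).
GENERIC = {"trojan", "trojanbanker", "banker", "generic", "generics", "generickds",
           "malware", "malicious", "spyware", "heuristic", "suspicious", "unsafe",
           "score", "high", "static", "engine", "confidence", "moderate", "rogue"}


def parse_detections(text):
    """Return {vendor: detection}; works on one-per-line and run-together pastes."""
    return dict(VENDOR_RE.findall(text))


def family_votes(detections):
    """Count family-looking tokens, at most once per engine, after dropping generic
    words, short tokens and anything with digits (variant ids, hashes, build numbers)."""
    votes = Counter()
    for name in detections.values():
        tokens = {t.lower() for t in re.split(r"[^A-Za-z0-9]+", name) if t}
        for tok in tokens:
            if len(tok) < 4 or tok in GENERIC or any(ch.isdigit() for ch in tok):
                continue
            votes[tok] += 1
    return votes


def consensus(text):
    detections = parse_detections(text)
    votes = family_votes(detections)
    top = votes.most_common(1)[0] if votes else ("", 0)
    return {"engines": len(detections), "top_family": top,
            "agreement": round(top[1] / len(detections), 2) if detections else 0.0,
            "runners_up": votes.most_common(4)[1:]}


if __name__ == "__main__":
    print(consensus(VT_TEXT))
```

On this page's list the top token is `icedid` with 15 of 48 engines; the runner-up is BitDefender-engine `autoruns`, shared by the six engines that license that engine, which is the usual reason to count tokens per family rather than trust the raw vote.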
e_magic | MZ |
---|---|
e_cblp | 0x90 |
e_cp | 0x3 |
e_crlc | 0 |
e_cparhdr | 0x4 |
e_minalloc | 0 |
e_maxalloc | 0xffff |
e_ss | 0 |
e_sp | 0xb8 |
e_csum | 0 |
e_ip | 0 |
e_cs | 0 |
e_ovno | 0 |
e_oemid | 0 |
e_oeminfo | 0 |
e_lfanew | 0xe0 |
Signature | PE |
---|---|
Machine | IMAGE_FILE_MACHINE_I386 |
NumberofSections | 4 |
TimeDateStamp | 2010-Jan-30 10:24:51 |
PointerToSymbolTable | 0 |
NumberOfSymbols | 0 |
SizeOfOptionalHeader | 0xe0 |
Characteristics | IMAGE_FILE_32BIT_MACHINE, IMAGE_FILE_EXECUTABLE_IMAGE, IMAGE_FILE_RELOCS_STRIPPED |
Magic | PE32 |
---|---|
LinkerVersion | 9.0 |
SizeOfCode | 0x14600 |
SizeOfInitializedData | 0x2b200 |
SizeOfUninitializedData | 0 |
AddressOfEntryPoint | 0x0000A7C9 (Section: .text) |
BaseOfCode | 0x1000 |
BaseOfData | 0x16000 |
ImageBase | 0x400000 |
SectionAlignment | 0x1000 |
FileAlignment | 0x200 |
OperatingSystemVersion | 5.0 |
ImageVersion | 0.0 |
SubsystemVersion | 5.0 |
Win32VersionValue | 0 |
SizeOfImage | 0x43000 |
SizeOfHeaders | 0x400 |
Checksum | 0 |
Subsystem | IMAGE_SUBSYSTEM_WINDOWS_GUI |
DllCharacteristics | IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE |
SizeofStackReserve | 0x100000 |
SizeofStackCommit | 0x1000 |
SizeofHeapReserve | 0x100000 |
SizeofHeapCommit | 0x1000 |
LoaderFlags | 0 |
NumberOfRvaAndSizes | 16 |
KERNEL32.dll | GetLocaleInfoA FlushFileBuffers GetStringTypeA LCMapStringW MultiByteToWideChar LCMapStringA GetCurrentProcessId LoadLibraryA HeapSize GetConsoleMode GetConsoleCP InitializeCriticalSectionAndSpinCount GetTickCount GetFileType SetHandleCount GetEnvironmentStringsW FreeEnvironmentStringsW CompareStringA CompareStringW SetEnvironmentVariableA CloseHandle WriteConsoleA GetConsoleOutputCP WriteConsoleW SetFilePointer GetTempPathA Sleep VirtualProtectEx LockResource GetDateFormatA GetModuleHandleA GetVersionExA OpenProcess GetSystemTime GetWindowsDirectoryA CreateFileA GetStringTypeW QueryPerformanceCounter SetStdHandle GetEnvironmentStrings GetSystemTimeAsFileTime GetTimeFormatA GetLastError HeapReAlloc HeapAlloc HeapFree RaiseException RtlUnwind GetCommandLineA GetStartupInfoA TerminateProcess GetCurrentProcess UnhandledExceptionFilter SetUnhandledExceptionFilter IsDebuggerPresent WideCharToMultiByte GetTimeZoneInformation GetCPInfo InterlockedIncrement InterlockedDecrement GetACP GetOEMCP IsValidCodePage GetModuleHandleW GetProcAddress TlsGetValue TlsAlloc TlsSetValue TlsFree SetLastError GetCurrentThreadId DeleteCriticalSection LeaveCriticalSection EnterCriticalSection HeapCreate VirtualFree VirtualAlloc ExitProcess WriteFile GetStdHandle GetModuleFileNameA FreeEnvironmentStringsA |
---|---|
USER32.dll | AppendMenuA InflateRect SetParent EndDeferWindowPos ExitWindowsEx GetClientRect SetFocus RegisterClassExA GetWindowTextLengthA IntersectRect CallWindowProcA GetCursorPos GetFocus GetClassInfoExA CheckMenuRadioItem LoadImageA DrawIcon RegisterHotKey DispatchMessageA IsWindowEnabled GetClassNameA |
GDI32.dll | OffsetViewportOrgEx SetViewportExtEx ScaleViewportExtEx SetWindowExtEx |
WINSPOOL.DRV | ClosePrinter DocumentPropertiesA OpenPrinterA AddPrinterConnectionA GetJobA |
COMCTL32.dll | CreatePropertySheetPageA PropertySheetA #6 |
COMDLG32.dll | ReplaceTextA GetOpenFileNameA GetSaveFileNameA |
SHLWAPI.dll | PathAppendA PathAddBackslashA PathFindFileNameA PathStripToRootA |
ADVAPI32.dll | RegOpenKeyExA RegQueryValueExA AllocateAndInitializeSid FreeSid OpenProcessToken StartServiceCtrlDispatcherA InitializeSecurityDescriptor RegisterServiceCtrlHandlerA SetEntriesInAclA SetSecurityDescriptorDacl SetServiceStatus ControlService CreateServiceW LookupPrivilegeValueA OpenSCManagerA OpenServiceA OpenThreadToken QueryServiceStatus RegCreateKeyExA RegDeleteKeyA RegCloseKey |
SensApi.dll | IsDestinationReachableA |
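The report's two verdict lines ("functions mostly used by malware", "may be hiding some of its imports") are printed without the list that justifies them. The script below is an added example and is not the report's own logic: it runs the import table above through API groupings and a "companion" check that I chose for illustration, and raises the hidden-imports flag when LoadLibraryA/GetProcAddress are imported and an imported API's usual partners are missing (LockResource without FindResource/LoadResource, VirtualProtectEx without WriteProcessMemory, OpenProcess without any cross-process read/write, CreateServiceW without StartService). It also carries the caveat a reviewer should apply to such tables: a VS2008 CRT imports IsDebuggerPresent, GetTickCount, QueryPerformanceCounter and GetProcAddress on its own (security-cookie seeding and the unhandled-exception path), so the anti-debug group by itself proves nothing.

```python
# Import table of the sample exactly as listed on this page (DLL -> imported names).
IMPORTS = {
    "KERNEL32.dll": """GetLocaleInfoA FlushFileBuffers GetStringTypeA LCMapStringW
        MultiByteToWideChar LCMapStringA GetCurrentProcessId LoadLibraryA HeapSize
        GetConsoleMode GetConsoleCP InitializeCriticalSectionAndSpinCount GetTickCount
        GetFileType SetHandleCount GetEnvironmentStringsW FreeEnvironmentStringsW
        CompareStringA CompareStringW SetEnvironmentVariableA CloseHandle WriteConsoleA
        GetConsoleOutputCP WriteConsoleW SetFilePointer GetTempPathA Sleep VirtualProtectEx
        LockResource GetDateFormatA GetModuleHandleA GetVersionExA OpenProcess GetSystemTime
        GetWindowsDirectoryA CreateFileA GetStringTypeW QueryPerformanceCounter SetStdHandle
        GetEnvironmentStrings GetSystemTimeAsFileTime GetTimeFormatA GetLastError HeapReAlloc
        HeapAlloc HeapFree RaiseException RtlUnwind GetCommandLineA GetStartupInfoA
        TerminateProcess GetCurrentProcess UnhandledExceptionFilter SetUnhandledExceptionFilter
        IsDebuggerPresent WideCharToMultiByte GetTimeZoneInformation GetCPInfo
        InterlockedIncrement InterlockedDecrement GetACP GetOEMCP IsValidCodePage
        GetModuleHandleW GetProcAddress TlsGetValue TlsAlloc TlsSetValue TlsFree SetLastError
        GetCurrentThreadId DeleteCriticalSection LeaveCriticalSection EnterCriticalSection
        HeapCreate VirtualFree VirtualAlloc ExitProcess WriteFile GetStdHandle
        GetModuleFileNameA FreeEnvironmentStringsA""".split(),
    "USER32.dll": """AppendMenuA InflateRect SetParent EndDeferWindowPos ExitWindowsEx
        GetClientRect SetFocus RegisterClassExA GetWindowTextLengthA IntersectRect
        CallWindowProcA GetCursorPos GetFocus GetClassInfoExA CheckMenuRadioItem LoadImageA
        DrawIcon RegisterHotKey DispatchMessageA IsWindowEnabled GetClassNameA""".split(),
    "GDI32.dll": "OffsetViewportOrgEx SetViewportExtEx ScaleViewportExtEx SetWindowExtEx".split(),
    "WINSPOOL.DRV": "ClosePrinter DocumentPropertiesA OpenPrinterA AddPrinterConnectionA GetJobA".split(),
    "COMCTL32.dll": "CreatePropertySheetPageA PropertySheetA #6".split(),
    "COMDLG32.dll": "ReplaceTextA GetOpenFileNameA GetSaveFileNameA".split(),
    "SHLWAPI.dll": "PathAppendA PathAddBackslashA PathFindFileNameA PathStripToRootA".split(),
    "ADVAPI32.dll": """RegOpenKeyExA RegQueryValueExA AllocateAndInitializeSid FreeSid
        OpenProcessToken StartServiceCtrlDispatcherA InitializeSecurityDescriptor
        RegisterServiceCtrlHandlerA SetEntriesInAclA SetSecurityDescriptorDacl SetServiceStatus
        ControlService CreateServiceW LookupPrivilegeValueA OpenSCManagerA OpenServiceA
        OpenThreadToken QueryServiceStatus RegCreateKeyExA RegDeleteKeyA RegCloseKey""".split(),
    "SensApi.dll": ["IsDestinationReachableA"],
}

# Groupings, companion pairs and the CRT noise list are my triage heuristics (assumptions).
GROUPS = {
    "anti_debug_or_timing": {"IsDebuggerPresent", "GetTickCount", "QueryPerformanceCounter"},
    "cross_process_memory": {"OpenProcess", "VirtualProtectEx", "VirtualAllocEx",
                             "WriteProcessMemory", "CreateRemoteThread"},
    "dynamic_resolution": {"LoadLibraryA", "LoadLibraryW", "GetProcAddress"},
    "service_persistence": {"OpenSCManagerA", "CreateServiceW", "CreateServiceA", "OpenServiceA",
                            "StartServiceCtrlDispatcherA", "RegisterServiceCtrlHandlerA",
                            "ControlService"},
    "registry": {"RegCreateKeyExA", "RegDeleteKeyA", "RegOpenKeyExA", "RegQueryValueExA"},
    "token_and_acl": {"OpenProcessToken", "OpenThreadToken", "LookupPrivilegeValueA",
                      "AllocateAndInitializeSid", "SetEntriesInAclA"},
    "system_control": {"ExitWindowsEx", "RegisterHotKey"},
    "connectivity_probe": {"IsDestinationReachableA"},
}
# An API whose usual partners are absent suggests those partners are resolved at run time.
COMPANIONS = {
    "LockResource": {"FindResourceA", "FindResourceW", "LoadResource"},
    "VirtualProtectEx": {"WriteProcessMemory", "VirtualAllocEx"},
    "OpenProcess": {"WriteProcessMemory", "ReadProcessMemory", "CreateRemoteThread"},
    "CreateServiceW": {"StartServiceA", "StartServiceW"},
}
# Imported by the VS2008 CRT start-up code itself; weak evidence when seen alone.
CRT_NOISE = {"IsDebuggerPresent", "GetTickCount", "QueryPerformanceCounter",
             "GetSystemTimeAsFileTime", "GetProcAddress"}


def triage(imports):
    """Score an import table: group hits, orphaned APIs, ordinal imports, hidden-import flag."""
    present = {api for names in imports.values() for api in names}
    groups = {g: sorted(present & apis) for g, apis in GROUPS.items() if present & apis}
    orphaned = {api: sorted(partners) for api, partners in COMPANIONS.items()
                if api in present and not (present & partners)}
    ordinals = sorted(a for a in present if a.startswith("#"))     # import-by-ordinal, e.g. #6
    dynamic = bool(present & GROUPS["dynamic_resolution"])
    beyond_noise = sorted(g for g, apis in groups.items() if set(apis) - CRT_NOISE)
    return {
        "dll_count": len(imports),
        "groups": groups,
        "groups_beyond_crt_noise": beyond_noise,
        "orphaned_apis": orphaned,
        "ordinal_imports": ordinals,
        "likely_hidden_imports": dynamic and bool(orphaned),
    }


if __name__ == "__main__":
    for key, value in triage(IMPORTS).items():
        print(f"{key}: {value}")
```

For this table the service, registry and token groups survive the CRT filter, four APIs are orphaned, COMCTL32 is imported by ordinal, and the hidden-imports flag fires; the anti-debug group is reported but dropped from `groups_beyond_crt_noise`, which is the caveat the report's one-line verdict leaves out.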
Signature | 0xfeef04bd |
---|---|
StructVersion | 0x10000 |
FileVersion | 10.3.21.16 |
ProductVersion | 10.3.21.16 |
FileFlags | (EMPTY) |
FileOs | VOS_DOS_WINDOWS32, VOS_NT_WINDOWS32, VOS__WINDOWS32 |
FileType | VFT_APP |
Language | English - United States |
CompanyName | MyWebGrocer |
FileDescription | Norgreat |
OriginalFilename | Creasesalt.exe |
InternalName | Norgreat |
LegalCopyright | Copyright (c) 2004-2014, MyWebGrocer book coverheat |
ProductVersion (#2) | 10.3.21.16 |
LegalTrademarks | Norgreat freshschool thousand |
FileVersion (#2) | 10.3.21.16 |
Resource LangID | English - United States |
---|---|
Characteristics | 0 |
---|---|
TimeDateStamp | 2010-Jan-30 10:24:51 |
Version | 0.0 |
SizeofData | 62 |
AddressOfRawData | 0x1ae18 |
PointerToRawData | 0x19818 |
Referenced File | c:\Free\Hat\hard\Log\problemtable.pdb |
Size | 0x48 |
---|---|
TimeDateStamp | 1970-Jan-01 00:00:00 |
Version | 0.0 |
GlobalFlagsClear | (EMPTY) |
GlobalFlagsSet | (EMPTY) |
CriticalSectionDefaultTimeout | 0 |
DeCommitFreeBlockThreshold | 0 |
DeCommitTotalFreeThreshold | 0 |
LockPrefixTable | 0 |
MaximumAllocationSize | 0 |
VirtualMemoryThreshold | 0 |
ProcessAffinityMask | 0 |
ProcessHeapFlags | (EMPTY) |
CSDVersion | 0 |
Reserved1 | 0 |
EditList | 0 |
SecurityCookie | 0x420ff4 |
SEHandlerTable | 0x41b070 |
SEHandlerCount | 9 |
XOR Key | 0xeddcffe6 |
---|---|
Unmarked objects | 0 |
ASM objects (VS2008 build 21022) | 21 |
C objects (VS2008 build 21022) | 108 |
C++ objects (VS2008 build 21022) | 47 |
Imports (VS2008 SP1 build 30729) | 19 |
Total imports | 154 |
C++ objects (VS2008 SP1 build 30729) | 1 |
Linker (VS2008 SP1 build 30729) | 1 |
Resource objects (VS2008 SP1 build 30729) | 1 |
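The DOS header, file header and Rich header tables above describe one contiguous run of bytes: e_lfanew 0xe0 locates the PE signature, the Rich header sits in the gap between the DOS stub and that signature, and its XOR key is a checksum over the DOS header bytes and the tool entries. Two consistency points follow from the page itself: LinkerVersion 9.0 and the VS2008 builds 21022/30729 in the Rich header agree with each other, while the "Microsoft Visual C++ 6.0 - 8.0" signature match is the coarser of the two; and the Rich checksum does not cover the COFF TimeDateStamp, so a valid key says nothing about whether 2010-Jan-30 is genuine. The script below is an added example, not the report's code: it constructs a header carrying this page's values (e_lfanew, machine, section count, timestamp, characteristics, Rich build numbers and counts), parses it back, decodes the Rich entries and recomputes the key, so a DOS stub or entry edited after linking is caught. The numeric product ids are my recollection of the public VS2008 ids and are marked as assumptions in the code; the constructed header gets its own key rather than this sample's 0xeddcffe6.

```python
import calendar
import struct
from datetime import datetime, timezone

# Rich header product ids for the constructed sample. The numeric ids are my recollection
# of the public VS2008 (compiler 15.00 / linker 9.0) ids: assumptions, not page data.
PRODUCTS = {0x0001: "Import0", 0x0083: "Utc1500_C", 0x0084: "Utc1500_CPP",
            0x0091: "Linker900", 0x0095: "Masm900"}
# Object counts and build numbers are the ones in this page's Rich header table.
SAMPLE_ENTRIES = [(0x0095, 21022, 21), (0x0083, 21022, 108), (0x0084, 21022, 47),
                  (0x0001, 0, 154), (0x0091, 30729, 1)]
DANS = int.from_bytes(b"DanS", "little")
IMAGE_FILE_RELOCS_STRIPPED = 0x0001


def rol32(value, n):
    n %= 32
    return ((value << n) | (value >> (32 - n))) & 0xFFFFFFFF


def rich_key(data, dans_off, entries):
    """Rich checksum, which is also the XOR key: DanS offset, plus every DOS-header byte
    rotated left by its offset (the four e_lfanew bytes skipped), plus every
    (product_id << 16 | build) rotated left by its use count."""
    key = dans_off
    for i in range(dans_off):
        if 0x3C <= i < 0x40:
            continue
        key = (key + rol32(data[i], i)) & 0xFFFFFFFF
    for prod_id, build, count in entries:
        key = (key + rol32((prod_id << 16) | build, count)) & 0xFFFFFFFF
    return key


def build_sample(entries=SAMPLE_ENTRIES, e_lfanew=0xE0):
    """Constructed MZ stub + Rich header + PE signature/FILE_HEADER with this page's values."""
    dos = bytearray(0x80)
    dos[:2] = b"MZ"
    struct.pack_into("<HHHH", dos, 2, 0x90, 3, 0, 4)        # e_cblp e_cp e_crlc e_cparhdr
    struct.pack_into("<HHH", dos, 0x0C, 0xFFFF, 0, 0xB8)     # e_maxalloc e_ss e_sp
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    dos[0x40:0x4E] = b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21\xb8\x01\x4c\xcd\x21"
    dos[0x4E:0x4E + 39] = b"This program cannot be run in DOS mode."
    key = rich_key(dos, 0x80, entries)
    rich = bytearray(struct.pack("<4I", DANS ^ key, key, key, key))   # DanS + 3 zero dwords
    for prod_id, build, count in entries:
        rich += struct.pack("<II", ((prod_id << 16) | build) ^ key, count ^ key)
    rich += b"Rich" + struct.pack("<I", key)
    hdr = dos + rich + b"\0" * (e_lfanew - len(dos) - len(rich))
    ts = calendar.timegm((2010, 1, 30, 10, 24, 51))                   # TimeDateStamp on the page
    # Machine I386, 4 sections, no symbols, SizeOfOptionalHeader 0xe0, Characteristics 0x103.
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 4, ts, 0, 0, 0xE0, 0x0103)
    return bytes(hdr)


def parse_headers(data):
    """Parse DOS header, PE signature, FILE_HEADER and, if present, the Rich header."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not at e_lfanew")
    machine, nsect, ts, _, _, _, chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    info = {"e_lfanew": e_lfanew, "machine": machine, "sections": nsect,
            "timestamp": datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%b-%d %H:%M:%S"),
            "relocs_stripped": bool(chars & IMAGE_FILE_RELOCS_STRIPPED), "rich": None}
    rich_off = data.rfind(b"Rich", 0x40, e_lfanew)
    if rich_off == -1:
        return info
    key = struct.unpack_from("<I", data, rich_off + 4)[0]
    pairs, pos = [], rich_off - 8
    while pos >= 0x40:                      # walk back over (compid, count) pairs to DanS
        a, b = struct.unpack_from("<II", data, pos)
        if a ^ key == DANS:
            break
        pairs.append((a ^ key, b ^ key))
        pos -= 8
    else:
        raise ValueError("DanS marker not found")
    pairs = [p for p in reversed(pairs) if p != (0, 0)]     # drop the three padding dwords
    entries = [(c >> 16, c & 0xFFFF, n) for c, n in pairs]
    info["rich"] = {
        "key": key,
        "valid": rich_key(data, pos, entries) == key,   # false if stub or entries were patched
        "entries": [(PRODUCTS.get(pid, "prod_%#x" % pid), build, n) for pid, build, n in entries],
    }
    return info


if __name__ == "__main__":
    print(parse_headers(build_sample()))
```

Run against a real file, `parse_headers(open(path, "rb").read())` gives the same dictionary; a `valid` of False means the DOS stub or the Rich entries were touched after the linker wrote them, which is what an analyst wants to know before trusting the compiler fingerprint above.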