28cf5ebe7cca4f596abdada5d2ab23b0

Summary

Architecture IMAGE_FILE_MACHINE_I386
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date 2010-Jan-30 10:24:51
Detected languages English - United States
Debug artifacts c:\Free\Hat\hard\Log\problemtable.pdb
CompanyName MyWebGrocer
FileDescription Norgreat
OriginalFilename Creasesalt.exe
InternalName Norgreat
LegalCopyright Copyright (c) 2004-2014, MyWebGrocer book coverheat
ProductVersion 10.3.21.16
LegalTrademarks Norgreat freshschool thousand
FileVersion 10.3.21.16

Plugin Output

Info Matching compiler(s): Microsoft Visual C++ 6.0 - 8.0
Malicious
The PE contains functions mostly used by malware.
[!] The program may be hiding some of its imports:
  • LoadLibraryA
  • GetProcAddress
Can access the registry:
  • RegisterHotKey
  • RegOpenKeyExA
  • RegQueryValueExA
  • RegCreateKeyExA
  • RegDeleteKeyA
  • RegCloseKey
Can create temporary files:
  • GetTempPathA
  • CreateFileA
Memory manipulation functions often used by packers:
  • VirtualProtectEx
  • VirtualAlloc
Functions related to the privilege level:
  • OpenProcessToken
Interacts with services:
  • ControlService
  • CreateServiceW
  • OpenSCManagerA
  • OpenServiceA
  • QueryServiceStatus
Manipulates other processes:
  • OpenProcess
Can shut the system down or lock the screen:
  • ExitWindowsEx
Malicious
VirusTotal score: 48/70 (Scanned on 2019-02-08 14:26:43)
MicroWorld-eScan: Trojan.Autoruns.GenericKDS.41002543
CAT-QuickHeal: Trojan.IcedID
ALYac: Trojan.IcedID.gen
Malwarebytes: Trojan.IcedID
K7GW: Spyware ( 0053a3c61 )
K7AntiVirus: Spyware ( 0053a3c61 )
TrendMicro: TROJ_GEN.R045C0WAV19
Symantec: Trojan.Gen.2
TrendMicro-HouseCall: TROJ_GEN.R045C0WAV19
Paloalto: generic.ml
Kaspersky: Trojan-Banker.Win32.IcedID.tope
BitDefender: Trojan.Autoruns.GenericKDS.41002543
NANO-Antivirus: Trojan.Win32.Inject3.fmoavy
Avast: Win32:Malware-gen
Tencent: Win32.Trojan-banker.Icedid.Htmt
Ad-Aware: Trojan.Autoruns.GenericKDS.41002543
Emsisoft: Trojan.Autoruns.GenericKDS.41002543 (B)
DrWeb: Trojan.Inject3.12534
Zillya: Trojan.IcedId.Win32.475
Invincea: heuristic
McAfee-GW-Edition: RDN/PWS-Banker
Trapmine: malicious.high.ml.score
Ikarus: Trojan-Banker.IcedID
Webroot: W32.Rogue.Gen
Fortinet: W32/IcedId.H!tr.spy
Antiy-AVL: Trojan[Banker]/Win32.IcedID
Endgame: malicious (moderate confidence)
Arcabit: Trojan.Autoruns.GenericS.D271A62F
ViRobot: Trojan.Win32.Z.Icedid.173056
ZoneAlarm: Trojan-Banker.Win32.IcedID.tope
Microsoft: Trojan:Win32/Occamy.C
TACHYON: Banker/W32.IcedID.173056
Sophos: Mal/Generic-L
AhnLab-V3: Trojan/Win32.Banker.C2986132
Acronis: suspicious
McAfee: RDN/PWS-Banker
MAX: malware (ai score=100)
VBA32: TrojanBanker.IcedID
Cylance: Unsafe
ESET-NOD32: Win32/Spy.IcedId.H
Rising: Spyware.IcedId!8.F061 (TFE:5:bcGlcaMyMpM)
SentinelOne: static engine - malicious
GData: Trojan.Autoruns.GenericKDS.41002543
AVG: Win32:Malware-gen
Cybereason: malicious.237015
Panda: Trj/WLT.E
CrowdStrike: malicious_confidence_100% (W)
Qihoo-360: Win32/Trojan.9c5

Hashes

MD5 28cf5ebe7cca4f596abdada5d2ab23b0
SHA1 73702b3237015aa3db0123c1f9cae2d95f437ba5
SHA256 bc5c0986903154cd84089a5a37082aed31c86b968b0a12bd06281df84e45c1b0
SHA3 d57b8cd67cc1740a840e1f1dbb695c09e141257551123eab5beaf15a9b85912f
SSDeep 3072:7HogBAhpeZN1IJ5w+SZQN8ZyTIdyIU55+nrHUN5HDpCfsz:7HmhQZ/2GQi4TImSrHyFCfsz
Imports Hash eeca6bb09f6bb9e66ea98454101bce84

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0xe0

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_I386
NumberofSections 4
TimeDateStamp 2010-Jan-30 10:24:51
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xe0
Characteristics IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_RELOCS_STRIPPED

Image Optional Header

Magic PE32
LinkerVersion 9.0
SizeOfCode 0x14600
SizeOfInitializedData 0x2b200
SizeOfUninitializedData 0
AddressOfEntryPoint 0x0000A7C9 (Section: .text)
BaseOfCode 0x1000
BaseOfData 0x16000
ImageBase 0x400000
SectionAlignment 0x1000
FileAlignment 0x200
OperatingSystemVersion 5.0
ImageVersion 0.0
SubsystemVersion 5.0
Win32VersionValue 0
SizeOfImage 0x43000
SizeOfHeaders 0x400
Checksum 0
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
DllCharacteristics IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
SizeofStackReserve 0x100000
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

.text

MD5 5eafb759daba0e0ea1aa8714e4e585b9
SHA1 68cd6f319bb7103023c6dc1ff6177a55084ff0ea
SHA256 654403e16229f3e60dd30d304e2e23a2cff77dec03eb859ac8158be665e20b29
SHA3 4196f7f275b7ee584a4a976802a3bdd5bbcdf2de4eaf72c225c96de1f6a4b457
VirtualSize 0x144a4
VirtualAddress 0x1000
SizeOfRawData 0x14600
PointerToRawData 0x400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
Entropy 6.89691

.rdata

MD5 2b5c278bbb9a868b030cb942717a7516
SHA1 07e6d71772d911b1df91a9c04bac1146f013d8d3
SHA256 2a74a69885ae278990fe27eb9a1c3bd2d831ee92f0c40e5caf6a0c9e858e54ba
SHA3 2faa29900ae338294c2b418cf2218d98da26d8bab95aca49e063a74efde579fd
VirtualSize 0x661e
VirtualAddress 0x16000
SizeOfRawData 0x6800
PointerToRawData 0x14a00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 6.20339

.data

MD5 c50d0aa0a7c44f66cf6078a5173a2882
SHA1 59cb9ba1531df68a0fa808223ef772fead9c5b45
SHA256 fdcea7fc0758ecb8f2dd5f3bbfbfda5cd52f1db8cfbcee2e2f89abafc7ed6c6d
SHA3 2983146563813d67293dc774ab01b4afd61a69a6605e55862fb35533968b8848
VirtualSize 0x1a620
VirtualAddress 0x1d000
SizeOfRawData 0x5000
PointerToRawData 0x1b200
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 5.0931

.rsrc

MD5 b7efff20360ef9f219522d1bbe4663fb
SHA1 b844423daac23ac16b09c775f61ae77091d623a9
SHA256 4a9958287a0f6749d8c724b06f8fae270710636b4505641588e6c61760288c3d
SHA3 64884d0eeae858172901a34536a3c3b0dd6db67ac604624a5c1c44c1db6bcec8
VirtualSize 0xa0e0
VirtualAddress 0x38000
SizeOfRawData 0xa200
PointerToRawData 0x20200
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 5.40643

Imports

KERNEL32.dll
GetLocaleInfoA
FlushFileBuffers
GetStringTypeA
LCMapStringW
MultiByteToWideChar
LCMapStringA
GetCurrentProcessId
LoadLibraryA
HeapSize
GetConsoleMode
GetConsoleCP
InitializeCriticalSectionAndSpinCount
GetTickCount
GetFileType
SetHandleCount
GetEnvironmentStringsW
FreeEnvironmentStringsW
CompareStringA
CompareStringW
SetEnvironmentVariableA
CloseHandle
WriteConsoleA
GetConsoleOutputCP
WriteConsoleW
SetFilePointer
GetTempPathA
Sleep
VirtualProtectEx
LockResource
GetDateFormatA
GetModuleHandleA
GetVersionExA
OpenProcess
GetSystemTime
GetWindowsDirectoryA
CreateFileA
GetStringTypeW
QueryPerformanceCounter
SetStdHandle
GetEnvironmentStrings
GetSystemTimeAsFileTime
GetTimeFormatA
GetLastError
HeapReAlloc
HeapAlloc
HeapFree
RaiseException
RtlUnwind
GetCommandLineA
GetStartupInfoA
TerminateProcess
GetCurrentProcess
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
WideCharToMultiByte
GetTimeZoneInformation
GetCPInfo
InterlockedIncrement
InterlockedDecrement
GetACP
GetOEMCP
IsValidCodePage
GetModuleHandleW
GetProcAddress
TlsGetValue
TlsAlloc
TlsSetValue
TlsFree
SetLastError
GetCurrentThreadId
DeleteCriticalSection
LeaveCriticalSection
EnterCriticalSection
HeapCreate
VirtualFree
VirtualAlloc
ExitProcess
WriteFile
GetStdHandle
GetModuleFileNameA
FreeEnvironmentStringsA
USER32.dll
AppendMenuA
InflateRect
SetParent
EndDeferWindowPos
ExitWindowsEx
GetClientRect
SetFocus
RegisterClassExA
GetWindowTextLengthA
IntersectRect
CallWindowProcA
GetCursorPos
GetFocus
GetClassInfoExA
CheckMenuRadioItem
LoadImageA
DrawIcon
RegisterHotKey
DispatchMessageA
IsWindowEnabled
GetClassNameA
GDI32.dll
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
SetWindowExtEx
WINSPOOL.DRV
ClosePrinter
DocumentPropertiesA
OpenPrinterA
AddPrinterConnectionA
GetJobA
COMCTL32.dll
CreatePropertySheetPageA
PropertySheetA
#6
COMDLG32.dll
ReplaceTextA
GetOpenFileNameA
GetSaveFileNameA
SHLWAPI.dll
PathAppendA
PathAddBackslashA
PathFindFileNameA
PathStripToRootA
ADVAPI32.dll
RegOpenKeyExA
RegQueryValueExA
AllocateAndInitializeSid
FreeSid
OpenProcessToken
StartServiceCtrlDispatcherA
InitializeSecurityDescriptor
RegisterServiceCtrlHandlerA
SetEntriesInAclA
SetSecurityDescriptorDacl
SetServiceStatus
ControlService
CreateServiceW
LookupPrivilegeValueA
OpenSCManagerA
OpenServiceA
OpenThreadToken
QueryServiceStatus
RegCreateKeyExA
RegDeleteKeyA
RegCloseKey
SensApi.dll
IsDestinationReachableA

Delayed Imports

1

Type RT_ICON
Language English - United States
Codepage UNKNOWN
Size 0xea8
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 5.13018
MD5 8f955c9527d6f47686ad7708a0f3284b
SHA1 791cb507d6a7c6d9326fd9571fc38755861d7d2a
SHA256 c82e533c8695f3904a6a9345aeea3863ca1e1da265721772a05543f54d4564a4
SHA3 80f8db0681247b3ba58da555daea71396562523ed80de442d69eda2d91149cee

2

Type RT_ICON
Language English - United States
Codepage UNKNOWN
Size 0x8a8
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 4.61319
MD5 d6ef40cea9aba5ec919ded2d395885d0
SHA1 d6489177e2091d0f2c671a6951fbe62daeb585d9
SHA256 4f2c7f75de1bbb23a42b972190bf3d423d43055fc698fd85ffe59f49a4d17e8c
SHA3 85f068beaa5a2447030d5bb74e5684d45a1b6e28ebadb2d59014614b99cf5532

3

Type RT_ICON
Language English - United States
Codepage UNKNOWN
Size 0x568
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 3.05967
MD5 753eca3142a8a807682dddaa80377e8c
SHA1 0717912bf856d811d96c4a1cd08aa83981677666
SHA256 1f1649e8b8d5d5cc27a4921c8aa07594a91971522a437846ed73e7d90722f574
SHA3 e63d004d77912ddc6bbf09be5812405025b6a074f5696aee5ca9366ad1befb4c

4

Type RT_ICON
Language English - United States
Codepage UNKNOWN
Size 0x4228
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 5.11939
MD5 bd486471d752e16e95cb3fb163f0b6cd
SHA1 9b1b3a60fc22d03864d996aae1ace2e05a7e3aac
SHA256 69d627698c345ed4f79d4a4aa80ef9b0045c4e4abbe3173be6445fd517cc3b58
SHA3 7f5906f72eeba0f4e6517c127bcf4c86f81df8cd3ff5328f48dfb761912f2553

5

Type RT_ICON
Language English - United States
Codepage UNKNOWN
Size 0x25a8
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 5.4135
MD5 feb8fdee406e1892ba6b4a9e4ba29a60
SHA1 29b877ca93aedb97342c9844385f32886aa03901
SHA256 153baf0fcdc0e759f935812467d168f75daf40f33507e7e6e73eb4e84b268082
SHA3 7571f77002ef6c8474b657e7db03aeab71b33b222674c972d304fee32bc06e64

6

Type RT_ICON
Language English - United States
Codepage UNKNOWN
Size 0x10a8
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 5.42695
MD5 74358e588ecdf4bfe0cc7fd2577f141b
SHA1 74f9b8321e523909da62a9d1031ea4568961920b
SHA256 5283824558acfca856cde2c54d51b6cb9894a0c9a90799caed446fe72e67e156
SHA3 5d724714df322ba1ae4a748c5e371d36b9698cdf41e2e8986599f168f2052eab

7

Type RT_ICON
Language English - United States
Codepage UNKNOWN
Size 0x468
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 5.11838
MD5 550f0de3cb928633ae05622a254cbb3a
SHA1 41841808ce36e9385932addcfb371947b1b2c57a
SHA256 18ca2e12fc154cdeacca475f4ba82b2335cca820fb654b2362acf72405d303c1
SHA3 d5fe31aff5ecf7a8f207cf215d07732a389627dc17b614ca7bd32989596bdb9c

100

Type RT_GROUP_ICON
Language English - United States
Codepage UNKNOWN
Size 0x68
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 2.83776
Detected Filetype Icon file
MD5 7fe09150272e3f38ad2a39ba9c0a67e2
SHA1 aa3acdf83de3f707079fd5a6316010e0665650df
SHA256 bec1b1e6bbc3c908d382c53b15a37d610620ef0bc3dbdafe5a612299d3220a73
SHA3 00e10ff12b8c1856db64cfa3eaf1a3d1c1ee9526af6e94518834e822d7173b79

1 (#2)

Type RT_VERSION
Language English - United States
Codepage UNKNOWN
Size 0x330
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 3.44391
MD5 f0787ed7bb8139a225e08d9fa5e98eeb
SHA1 edae274b648be435eb0cbe2c618d6c74d821f450
SHA256 f7ba87efae0d3347e04a52033a3800df2f9144dbb314481c2424ee94d47654fc
SHA3 8f359ab75b491f003d3c2ad501f5315d43eae03385575a858c475cfa7fd7849f

1 (#3)

Type RT_MANIFEST
Language English - United States
Codepage UNKNOWN
Size 0x15a
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 4.79597
MD5 24d3b502e1846356b0263f945ddd5529
SHA1 bac45b86a9c48fc3756a46809c101570d349737d
SHA256 49a60be4b95b6d30da355a0c124af82b35000bce8f24f957d1c09ead47544a1e
SHA3 1244ed60820da52dc4b53880ec48e3b587dbdbd9545f01fa2b1c0fcfea1d5e9e

Version Info

Signature 0xfeef04bd
StructVersion 0x10000
FileVersion 10.3.21.16
ProductVersion 10.3.21.16
FileFlags (EMPTY)
FileOs VOS_DOS_WINDOWS32
VOS_NT_WINDOWS32
VOS__WINDOWS32
FileType VFT_APP
Language English - United States
CompanyName MyWebGrocer
FileDescription Norgreat
OriginalFilename Creasesalt.exe
InternalName Norgreat
LegalCopyright Copyright (c) 2004-2014, MyWebGrocer book coverheat
ProductVersion (#2) 10.3.21.16
LegalTrademarks Norgreat freshschool thousand
FileVersion (#2) 10.3.21.16
Resource LangID English - United States

IMAGE_DEBUG_TYPE_CODEVIEW

Characteristics 0
TimeDateStamp 2010-Jan-30 10:24:51
Version 0.0
SizeofData 62
AddressOfRawData 0x1ae18
PointerToRawData 0x19818
Referenced File c:\Free\Hat\hard\Log\problemtable.pdb

TLS Callbacks

Load Configuration

Size 0x48
TimeDateStamp 1970-Jan-01 00:00:00
Version 0.0
GlobalFlagsClear (EMPTY)
GlobalFlagsSet (EMPTY)
CriticalSectionDefaultTimeout 0
DeCommitFreeBlockThreshold 0
DeCommitTotalFreeThreshold 0
LockPrefixTable 0
MaximumAllocationSize 0
VirtualMemoryThreshold 0
ProcessAffinityMask 0
ProcessHeapFlags (EMPTY)
CSDVersion 0
Reserved1 0
EditList 0
SecurityCookie 0x420ff4
SEHandlerTable 0x41b070
SEHandlerCount 9

RICH Header

XOR Key 0xeddcffe6
Unmarked objects 0
ASM objects (VS2008 build 21022) 21
C objects (VS2008 build 21022) 108
C++ objects (VS2008 build 21022) 47
Imports (VS2008 SP1 build 30729) 19
Total imports 154
C++ objects (VS2008 SP1 build 30729) 1
Linker (VS2008 SP1 build 30729) 1
Resource objects (VS2008 SP1 build 30729) 1

Errors