2ff1688fe866ec2871169197f9d46936

Summary

Architecture IMAGE_FILE_MACHINE_I386
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date 2017-Jun-13 15:12:43
Detected languages Korean - Korea

Plugin Output

Info Matching compiler(s):
  • Microsoft Visual C++ 6.0 - 8.0
  • Microsoft Visual C++
  • Microsoft Visual C++ v6.0
  • Microsoft Visual C++ v5.0/v6.0 (MFC)
Info Cryptographic algorithms detected in the binary:
  • Uses constants related to CRC32
  • Uses constants related to MD5
  • Uses constants related to SHA1
Suspicious The PE contains functions most legitimate programs don't use.
[!] The program may be hiding some of its imports:
  • GetProcAddress
  • LoadLibraryA
Possibly launches other programs:
  • CreateProcessW
Leverages the raw socket API to access the Internet:
  • #16
  • #111
  • #23
  • #4
  • #18
  • #151
  • #21
  • #19
  • #22
  • #3
  • #11
Enumerates local disk drives:
  • GetLogicalDriveStringsW
  • GetVolumeInformationW
Suspicious The file contains overlay data. 124 bytes of data starting at offset 0x38000.
Malicious VirusTotal score: 35/68 (Scanned on 2019-09-09 04:46:38)
FireEye: Generic.mg.2ff1688fe866ec28
McAfee: Trojan-HidCobra
Alibaba: Trojan:Win32/NukeSped.0595c10f
K7GW: Trojan ( 005329311 )
Cybereason: malicious.32ea70
TrendMicro: TROJ_FRS.VSNTI819
Symantec: Trojan.Hoplight
ESET-NOD32: a variant of Win32/NukeSped.AI
APEX: Malicious
Paloalto: generic.ml
Kaspersky: HEUR:Trojan.Win32.Generic
BitDefender: Trojan.GenericKD.32416090
Avast: FileRepMalware
Ad-Aware: Trojan.GenericKD.32416090
Sophos: Troj/Inject-DZV
F-Secure: Trojan.TR/AD.APTLazerus.oytdw
McAfee-GW-Edition: Trojan-HidCobra
Trapmine: suspicious.low.ml.score
Emsisoft: Trojan.GenericKD.32416090 (B)
Microsoft: Trojan:Win32/Casdet!rfn
Endgame: malicious (moderate confidence)
AegisLab: Trojan.Win32.Generic.4!c
ZoneAlarm: HEUR:Trojan.Win32.Generic
GData: Win32.Trojan.Agent.GXMR09
ALYac: Trojan.Nukesped.A
MAX: malware (ai score=99)
Cylance: Unsafe
TrendMicro-HouseCall: TROJ_FRS.VSNTI819
Rising: Trojan.Hoplight!1.B71E (CLASSIC)
SentinelOne: DFI - Suspicious PE
Fortinet: W32/HidCobra.9CFB!tr
AVG: FileRepMalware
Panda: Trj/GdSda.A
CrowdStrike: win/malicious_confidence_100% (W)
Qihoo-360: Win32/Trojan.5ee

Hashes

MD5 2ff1688fe866ec2871169197f9d46936
SHA1 6dc37ff32ea70cbd0078f1881a351a0a4748d10e
SHA256 b05aae59b3c1d024b19c88448811debef1eada2f51761a5c41e70da3db7615a9
SHA3 464c04a2abfcc743a1c135ba9ebb48d931ba5fe04d6ef1bc4703553a8d65d401
SSDeep 6144:GANjUaXCXwz+vLFOLEq3VNwO9zyPqYNkHms:bNjxXgA9uPqR
Imports Hash 9bd558d106ace4535433f58c584c0fbc

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0xe0

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_I386
NumberofSections 4
TimeDateStamp 2017-Jun-13 15:12:43
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xe0
Characteristics IMAGE_FILE_32BIT_MACHINE, IMAGE_FILE_EXECUTABLE_IMAGE, IMAGE_FILE_LINE_NUMS_STRIPPED, IMAGE_FILE_LOCAL_SYMS_STRIPPED, IMAGE_FILE_RELOCS_STRIPPED

Image Optional Header

Magic PE32
LinkerVersion 6.0
SizeOfCode 0x2f000
SizeOfInitializedData 0xc000
SizeOfUninitializedData 0
AddressOfEntryPoint 0x00008447 (Section: .text)
BaseOfCode 0x1000
BaseOfData 0x30000
ImageBase 0x400000
SectionAlignment 0x1000
FileAlignment 0x1000
OperatingSystemVersion 4.0
ImageVersion 0.0
SubsystemVersion 4.0
Win32VersionValue 0
SizeOfImage 0x3c000
SizeOfHeaders 0x1000
Checksum 0
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
SizeofStackReserve 0x100000
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

.text

MD5 f9aa8191af45813b80031064403835f1
SHA1 ab2587c9dcfba85046cc69e26e980501b8d0a7d6
SHA256 dd95e1273f1720e10ddd4631801a7fe70b4a175de04effe5f7abc02262a020d8
SHA3 39a9a34df59a91e25de621ba7957a48ca23339ab6ee98b67ce2723fd3fd32164
VirtualSize 0x2e46a
VirtualAddress 0x1000
SizeOfRawData 0x2f000
PointerToRawData 0x1000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Entropy 6.40085

.rdata

MD5 bbcbbf5f54deaee51d41d404973c30e4
SHA1 fa64ad9897105b3e16e5b9df631604ad99203af8
SHA256 beb8004bc7c6dbe585923ce4d3a4c99bb94c6dfe5fa5222419af6620853d757a
SHA3 b3db6fedaecba5261ac08755892828019374aea8ec6c81fc29ab96fe1fdd2f78
VirtualSize 0x3b7e
VirtualAddress 0x30000
SizeOfRawData 0x4000
PointerToRawData 0x30000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Entropy 6.22887

.data

MD5 8ea12cda731d50b93944d8534c11402c
SHA1 e309d6f90701b78023023c9133253cb7ece39f4f
SHA256 bbff27b4498ddf7cab9b9920c75cf6cd9343d800b8634065a12e9918c438d133
SHA3 350d48798a9855d877fd09ea35b1a1cd174612daec2c9ce281a1c437366e2f20
VirtualSize 0x6dc4
VirtualAddress 0x34000
SizeOfRawData 0x3000
PointerToRawData 0x34000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Entropy 3.92766

.rsrc

MD5 06d5d2729a367d565819e6867d8caea7
SHA1 98c7db9811f1f717e59d3e07eea28ee551b69ed7
SHA256 c9b4d03c5ce45ae6897e8c94eba78e65e5002667134d20b9d606e302b870ea87
SHA3 c34b885176df6752f7b9fc1c457977bc01b1b4e64e82a421163bde40859295d7
VirtualSize 0x980
VirtualAddress 0x3b000
SizeOfRawData 0x1000
PointerToRawData 0x37000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Entropy 3.31798

Imports

WS2_32.dll
#16
#111
#23
#4
#18
#151
#21
#19
#22
#3
#11
KERNEL32.dll
LeaveCriticalSection
CreateFileA
QueryPerformanceCounter
QueryPerformanceFrequency
FindFirstFileW
FindNextFileW
FindClose
UnmapViewOfFile
DuplicateHandle
CreateFileW
CreateFileMappingW
MapViewOfFile
CreateProcessW
GetModuleFileNameW
GetWindowsDirectoryW
GetTickCount
WideCharToMultiByte
FileTimeToLocalFileTime
LocalFree
LocalAlloc
QueryDosDeviceW
GetLogicalDriveStringsW
GetFileSize
CreateThread
GetVolumeInformationW
GetACP
GetSystemInfo
GetProcAddress
GetModuleHandleW
GetLastError
LoadLibraryA
Sleep
GetFileInformationByHandle
SystemTimeToFileTime
GetTimeZoneInformation
GetSystemTime
GetLocalTime
RtlUnwind
InterlockedDecrement
InterlockedIncrement
MultiByteToWideChar
GetFileAttributesW
GetModuleHandleA
GetStartupInfoW
GetVersion
ExitProcess
TerminateProcess
GetCurrentProcess
HeapReAlloc
HeapAlloc
HeapSize
GetCurrentThreadId
TlsSetValue
TlsAlloc
SetLastError
TlsGetValue
InitializeCriticalSection
DeleteCriticalSection
EnterCriticalSection
SetEndOfFile
UnhandledExceptionFilter
FreeEnvironmentStringsA
FreeEnvironmentStringsW
GetEnvironmentStringsW
GetEnvironmentStrings
GetCommandLineW
GetCommandLineA
SetHandleCount
GetStdHandle
GetFileType
GetStartupInfoA
HeapDestroy
HeapCreate
VirtualFree
HeapFree
WriteFile
GetModuleFileNameA
VirtualAlloc
IsBadWritePtr
SetFilePointer
SetUnhandledExceptionFilter
IsBadReadPtr
IsBadCodePtr
GetCPInfo
LCMapStringA
LCMapStringW
SetStdHandle
GetStringTypeA
GetStringTypeW
FlushFileBuffers
CloseHandle
CompareStringA
CompareStringW
GetOEMCP
SetEnvironmentVariableA
FileTimeToSystemTime
FileTimeToDosDateTime
ReadFile
USER32.dll
GetSystemMetrics

Delayed Imports

1

Type RT_ICON
Language Korean - Korea
Codepage UNKNOWN
Size 0x8a8
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 5.19506
MD5 00ecd29321807c83650ce1e1216bc4f2
SHA1 9538a09f50ae009fe0af34a8748093cbe4866da7
SHA256 54b433ec4967fb4c1c194ab3b081ced6f122bbec78e0dfab9c6f9376d64a0870
SHA3 fd6d4b24f2de9140f30d2f5e8b5b9d1976911af1915b0b0962d627fdfe8f0d54

IDI_ICON1

Type RT_GROUP_ICON
Language Korean - Korea
Codepage UNKNOWN
Size 0x14
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 1.81924
Detected Filetype Icon file
MD5 cbee427fa121aba9b9b265ff05de5383
SHA1 24fcae33001c8e0f5ec795c6edf076a69d59589f
SHA256 494e4fd717fa1ee0c5c7bb3b4e28fdab4b7f6e95b4f9865f5ab86f03f62ae62c
SHA3 a3fa35d56632275ba55716a4964f02031270f61f06a903fc460ac2dd6bebde85

Version Info

TLS Callbacks

Load Configuration

RICH Header

XOR Key 0x7efa3341
Unmarked objects 0
12 (7291) 2
14 (7299) 25
C objects (VS98 build 8168) 140
Total imports 121
Imports (VS2003 (.NET) build 4035) 7
C++ objects (VS98 build 8168) 16
Resource objects (VS98 cvtres build 1720) 1

Errors