328abb939e68e152274388567f7a8153

Summary

Architecture IMAGE_FILE_MACHINE_I386
Subsystem IMAGE_SUBSYSTEM_WINDOWS_CUI
Compilation Date 2014-Dec-04 06:07:41
Detected languages English - United States
Debug artifacts C:\Users\Malware\Desktop\kaizen\November\cryptorLv1_1\Release\cryptorLv1_w.pdb

Plugin Output

Info Matching compiler(s): Microsoft Visual C++ 6.0 - 8.0
Suspicious Strings found in the binary may indicate undesirable behavior: Contains a base64-encoded executable:
  • TVqQAAMAAAAEAAAA//8AALgAAAA
Info The PE contains common functions which appear in legitimate applications. [!] The program may be hiding some of its imports:
  • LoadLibraryW
  • GetProcAddress
Suspicious VirusTotal score: 2/66 (Scanned on 2018-02-26 16:03:25)
  • Invincea: heuristic
  • Endgame: malicious (moderate confidence)

Hashes

MD5 328abb939e68e152274388567f7a8153
SHA1 f2468b79245affc3851d40d3c15439e49d6094e6
SHA256 a0dacf20a0eb7845e709c09982a95704ba40cf7918f48ba8b78739209fea7cb1
SHA3 1547e56f590ad4b21bcb4883818a21c89f951bb01a57388947c6e093fa1ba790
SSDeep 3072:LSSD5TK1eC0WXX66kfERS1HBY+auy8/pXXcI49uAHYDF6m6Z:LPTK1eCXk++nybRM8op6Z
Imports Hash c26206a1cb07ba99ef575d8c060d0369

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0xe0

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_I386
NumberofSections 5
TimeDateStamp 2014-Dec-04 06:07:41
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xe0
Characteristics IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE

Image Optional Header

Magic PE32
LinkerVersion 10.0
SizeOfCode 0x13000
SizeOfInitializedData 0x13000
SizeOfUninitializedData 0
AddressOfEntryPoint 0x0000651B (Section: .text)
BaseOfCode 0x1000
BaseOfData 0x14000
ImageBase 0x400000
SectionAlignment 0x1000
FileAlignment 0x200
OperatingSystemVersion 5.1
ImageVersion 0.0
SubsystemVersion 5.1
Win32VersionValue 0
SizeOfImage 0x2a000
SizeOfHeaders 0x400
Checksum 0x2e6df
Subsystem IMAGE_SUBSYSTEM_WINDOWS_CUI
DllCharacteristics IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
SizeofStackReserve 0x100000
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

.text

MD5 10a0d92d8f1474c44b53c4d2f84aa6f5
SHA1 94012f0ca0fd24b4c043444c043e27bbe852230f
SHA256 61c10e00ce38225fb731748062fec01e2e02553e480dc05a2c45277ba4e4f171
SHA3 1f2fbdbf52e79dd5fc0e03cba4543f8c43be65dd292fa71ec2216d5e125ff50b
VirtualSize 0x12e05
VirtualAddress 0x1000
SizeOfRawData 0x13000
PointerToRawData 0x400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
Entropy 6.56149

.rdata

MD5 c022eac744caa3abb56b5f00ebfd3cdc
SHA1 fe3d94dfa6e3664c8dfabdefc22379b1e768b82d
SHA256 cea81ff7ceb4087484303c50c051ad500ae6c8cf3aa180679bc2f4bd8c9da54a
SHA3 e12e5f563c84ff6760a15265400651d644891b100b742dab579d7ebe25e35661
VirtualSize 0x4e9a
VirtualAddress 0x14000
SizeOfRawData 0x5000
PointerToRawData 0x13400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 4.84134

.data

MD5 a7b0deea88b907f80b6f78ea8cbbfc14
SHA1 6d946307218015b3b4323afed1639619a4013f29
SHA256 a1154c5c313333e47a24a8e9aaee60be6fbf404f378f4b9960948107d5e0a696
SHA3 66b5c49dad604abaac99fd2fd281dd3197bb7cd71c11eeef42274f09c3a8d8fc
VirtualSize 0xdf44
VirtualAddress 0x19000
SizeOfRawData 0xc000
PointerToRawData 0x18400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 5.1438

.rsrc

MD5 5f882a758b6b0045acd02c3e0551be90
SHA1 286df779023815d37858773d63741d85bd1c08ca
SHA256 89c7cf7d80a28f5be0685829362b9de63eef29976b3ac960e803df5be9403953
SHA3 ab81552548abd6997b2f88d20c12dc974aef5f45d630353a15baec9b484e0010
VirtualSize 0x1b4
VirtualAddress 0x27000
SizeOfRawData 0x200
PointerToRawData 0x24400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 5.11262

.reloc

MD5 442653ee02c1bf5df24c924428d1dfb6
SHA1 17c3d2d9500cc79a4d535ac014ae2314c50287b3
SHA256 768c734c745b26ba94962ce504258fdefbb20d24ad2062c76c19016f8c3d54ee
SHA3 c57b3884b000a8753f8b0ccf9eb9023f868a6557670ab5fe7c5b6e375fc5f5ee
VirtualSize 0x1c40
VirtualAddress 0x28000
SizeOfRawData 0x1e00
PointerToRawData 0x24600
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Entropy 4.83252

Imports

KERNEL32.dll LoadLibraryW
Sleep
InterlockedIncrement
InterlockedDecrement
InitializeCriticalSection
DeleteCriticalSection
EnterCriticalSection
LeaveCriticalSection
EncodePointer
DecodePointer
GetLastError
HeapFree
GetCommandLineW
HeapSetInformation
RaiseException
RtlUnwind
HeapAlloc
WideCharToMultiByte
LCMapStringW
MultiByteToWideChar
GetCPInfo
TerminateProcess
GetCurrentProcess
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
IsProcessorFeaturePresent
HeapSize
GetProcAddress
GetModuleHandleW
ExitProcess
GetACP
GetOEMCP
IsValidCodePage
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
SetLastError
GetCurrentThreadId
HeapCreate
SetHandleCount
GetStdHandle
InitializeCriticalSectionAndSpinCount
GetFileType
GetStartupInfoW
WriteFile
GetConsoleCP
GetConsoleMode
SetFilePointer
ReadFile
FlushFileBuffers
CloseHandle
GetModuleFileNameW
FreeEnvironmentStringsW
GetEnvironmentStringsW
QueryPerformanceCounter
GetTickCount
GetCurrentProcessId
GetSystemTimeAsFileTime
GetUserDefaultLCID
GetLocaleInfoW
GetLocaleInfoA
EnumSystemLocalesA
IsValidLocale
GetStringTypeW
HeapReAlloc
WriteConsoleW
SetStdHandle
CreateFileA
CreateFileW
SetEndOfFile
GetProcessHeap

Delayed Imports

Resources

Name 1
Type RT_MANIFEST
Language English - United States
Codepage Latin 1 / Western European
Size 0x15a
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 4.79597
MD5 24d3b502e1846356b0263f945ddd5529
SHA1 bac45b86a9c48fc3756a46809c101570d349737d
SHA256 49a60be4b95b6d30da355a0c124af82b35000bce8f24f957d1c09ead47544a1e
SHA3 1244ed60820da52dc4b53880ec48e3b587dbdbd9545f01fa2b1c0fcfea1d5e9e

Version Info

IMAGE_DEBUG_TYPE_CODEVIEW

Characteristics 0
TimeDateStamp 2014-Dec-04 06:07:41
Version 0.0
SizeofData 103
AddressOfRawData 0x17130
PointerToRawData 0x16530
Referenced File C:\Users\Malware\Desktop\kaizen\November\cryptorLv1_1\Release\cryptorLv1_w.pdb

TLS Callbacks

Load Configuration

Size 0x48
TimeDateStamp 1970-Jan-01 00:00:00
Version 0.0
GlobalFlagsClear (EMPTY)
GlobalFlagsSet (EMPTY)
CriticalSectionDefaultTimeout 0
DeCommitFreeBlockThreshold 0
DeCommitTotalFreeThreshold 0
LockPrefixTable 0
MaximumAllocationSize 0
VirtualMemoryThreshold 0
ProcessAffinityMask 0
ProcessHeapFlags (EMPTY)
CSDVersion 0
Reserved1 0
EditList 0
SecurityCookie 0x419494
SEHandlerTable 0x417a40
SEHandlerCount 29

RICH Header

XOR Key 0xd95ad367
Unmarked objects 0
ASM objects (VS2010 SP1 build 40219) 17
C++ objects (VS2010 SP1 build 40219) 44
C objects (VS2010 SP1 build 40219) 116
Imports (VS2008 SP1 build 30729) 3
Total imports 79
175 (VS2010 SP1 build 40219) 3
Linker (VS2010 SP1 build 40219) 1

Errors
