32b8d08e67cf509236ae8142fbeb30b3

Summary

Architecture IMAGE_FILE_MACHINE_I386
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date 2018-Jan-10 14:07:16
Detected languages English - United States

Plugin Output

Info Matching compiler(s): Microsoft Visual C++ 6.0 - 8.0
MASM/TASM - sig1(h)
Microsoft Visual C++
Microsoft Visual C++ v6.0
Suspicious Strings found in the binary may indicate undesirable behavior: Contains references to security software:
  • rshell.exe
Miscellaneous malware strings:
  • cmd.exe
Info Cryptographic algorithms detected in the binary: Uses constants related to CRC32
Uses constants related to MD5
Malicious The PE contains functions mostly used by malware. [!] The program may be hiding some of its imports:
  • GetProcAddress
  • LoadLibraryA
Functions which can be used for anti-debugging purposes:
  • CreateToolhelp32Snapshot
Possibly launches other programs:
  • CreateProcessW
  • CreateProcessAsUserW
  • ShellExecuteW
Memory manipulation functions often used by packers:
  • VirtualProtect
  • VirtualAlloc
Has Internet access capabilities:
  • WinHttpOpen
  • WinHttpQueryDataAvailable
  • WinHttpSetTimeouts
  • WinHttpCloseHandle
  • WinHttpConnect
  • WinHttpOpenRequest
  • WinHttpSendRequest
  • WinHttpGetIEProxyConfigForCurrentUser
  • WinHttpSetOption
  • WinHttpReceiveResponse
  • WinHttpGetProxyForUrl
  • WinHttpReadData
  • WinHttpWriteData
  • WinHttpAddRequestHeaders
  • WinHttpQueryHeaders
Leverages the raw socket API to access the Internet:
  • #12
  • #15
Functions related to the privilege level:
  • OpenProcessToken
  • AdjustTokenPrivileges
Interacts with services:
  • OpenSCManagerW
  • OpenServiceA
Enumerates local disk drives:
  • GetDriveTypeW
Manipulates other processes:
  • OpenProcess
  • Process32FirstW
  • Process32NextW
Can take screenshots:
  • GetDC
  • BitBlt
  • CreateCompatibleDC
Malicious VirusTotal score: 58/70 (Scanned on 2019-11-11 01:16:10) Bkav: W32.HfsAutoB.
MicroWorld-eScan: Trojan.GenericKD.30565346
FireEye: Generic.mg.32b8d08e67cf5092
CAT-QuickHeal: Backdoor.Agent
Qihoo-360: Win32/Backdoor.c25
McAfee: Trojan-FQCD!32B8D08E67CF
Cylance: Unsafe
Zillya: Backdoor.Agent.Win32.67931
K7AntiVirus: Trojan ( 0052d26b1 )
Alibaba: Backdoor:Win32/Agent.bd2792f9
K7GW: Trojan ( 0052d26b1 )
Cybereason: malicious.e67cf5
Arcabit: Trojan.Generic.D1D263E2
TrendMicro: BKDR_POWPOOL.A
BitDefenderTheta: Gen:NN.ZexaF.32245.muW@a44EV1di
Cyren: W32/Popool.A.gen!Eldorado
Symantec: Backdoor.Trojan
TrendMicro-HouseCall: BKDR_POWPOOL.A
Paloalto: generic.ml
ClamAV: Win.Trojan.Agent-6674623-0
BitDefender: Trojan.GenericKD.30565346
NANO-Antivirus: Trojan.Win32.Generic.ezqbfh
ViRobot: Backdoor.Win32.S.Agent.198656.I
Avast: Win32:Malware-gen
Endgame: malicious (moderate confidence)
Emsisoft: Trojan.GenericKD.30565346 (B)
Comodo: Malware@#21uhcz1g9c0gi
F-Secure: Backdoor.BDS/Agent.ospwe
DrWeb: BackDoor.Spy.3610
VIPRE: Trojan.Win32.Generic!BT
McAfee-GW-Edition: BehavesLike.Win32.Dropper.ch
SentinelOne: DFI - Malicious PE
Trapmine: malicious.moderate.ml.score
Sophos: Troj/Bckdoor-AD
APEX: Malicious
F-Prot: W32/Popool.A.gen!Eldorado
Jiangmin: Backdoor.Agent.ecf
Webroot: W32.Trojan.GenKD
Avira: BDS/Agent.ospwe
Fortinet: W32/Agent.SZS!tr
Antiy-AVL: Trojan[Backdoor]/Win32.Agent
Microsoft: Trojan:Win32/Popool.A
AegisLab: Trojan.Win32.Agent.4!c
TACHYON: Backdoor/W32.Agent.198656.AG
AhnLab-V3: Trojan/Win32.Backdoor.C2699360
VBA32: Trojan.Agent
ALYac: Backdoor.Agent.Cypress
MAX: malware (ai score=100)
Ad-Aware: Trojan.GenericKD.30565346
ESET-NOD32: a variant of Win32/Agent.SZS
Rising: Backdoor.Agent!8.C5D (TFE:5:bnSzInUyaSL)
Yandex: Backdoor.Agent!TAhr/VvY9Io
Ikarus: Trojan.Win32.Agent
GData: Trojan.GenericKD.30565346
AVG: Win32:Malware-gen
Panda: Trj/GdSda.A
CrowdStrike: win/malicious_confidence_100% (W)
MaxSecure: Trojan.Malware.320772.susgen

Hashes

MD5 32b8d08e67cf509236ae8142fbeb30b3
SHA1 038f75dcf1e5277565c68d57fa1f4f7b3005f3f3
SHA256 8c2e729bc086921062e214b7e4c9c4ddf324a0fa53b4ed106f1341cfe8274fe4
SHA3 9066eab895e9544def26031ed67180e49ffb214c2a284a6a496b3ae9d9ea7668
SSDeep 3072:y0FPC7QAKohdraoNpLOxx85wzWVTBfGGMZhm05Pb8QOutp:ba7zfragLOxx85JVTBezZXbLOut
Imports Hash 61087c663456abc9f3633ddfba9a5df6

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0xf8

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_I386
NumberofSections 5
TimeDateStamp 2018-Jan-10 14:07:16
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xe0
Characteristics IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE

Image Optional Header

Magic PE32
LinkerVersion 9.0
SizeOfCode 0x1f600
SizeOfInitializedData 0x10e00
SizeOfUninitializedData 0
AddressOfEntryPoint 0x0001175B (Section: .text)
BaseOfCode 0x1000
BaseOfData 0x21000
ImageBase 0x400000
SectionAlignment 0x1000
FileAlignment 0x200
OperatingSystemVersion 5.0
ImageVersion 0.0
SubsystemVersion 5.0
Win32VersionValue 0
SizeOfImage 0x39000
SizeOfHeaders 0x400
Checksum 0x3d1c2
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
DllCharacteristics IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
SizeofStackReserve 0x100000
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

.text

MD5 9545fa0fdc88600655516157c4aeb613
SHA1 c37215fac423c3b7c79ea9960b6de3b5a970b44f
SHA256 5f913b8eda91ff5b163ff71591cbb7020978f6566b4877ba44a7e7537ad948b3
SHA3 d99856231e7d3729a026f961e90c7c3eba7983533e4ff22cda1f69bcdd3374ee
VirtualSize 0x1f45b
VirtualAddress 0x1000
SizeOfRawData 0x1f600
PointerToRawData 0x400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
Entropy 6.67266

.rdata

MD5 a6c31444446bb7d730971794dfb8cc1c
SHA1 8a09dd973303a6213049070fbdf0ad75094f89fe
SHA256 705b53716a8f69bd93c325732a32f4775dc6abc0aa587a124db14cc3f1accbc8
SHA3 a9550adeb9c3b9a5471f41149056baec13008e589bd8a54fcd9550393fd6d793
VirtualSize 0x91f8
VirtualAddress 0x21000
SizeOfRawData 0x9200
PointerToRawData 0x1fa00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 6.07204

.data

MD5 084664d5be6be837684d83a3e200366f
SHA1 c1bcb3a0c0845be6ff697c112872e20412f4fddc
SHA256 39bacf0175f4da751e082e567bad1fbd2cf7515c83671ba6feba74dfc8952815
SHA3 cf62402acec18fa6b7b850e0e68ba8a7ed194aee8a3b174cef903a85ceba97ff
VirtualSize 0x9cdc
VirtualAddress 0x2b000
SizeOfRawData 0x5400
PointerToRawData 0x28c00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 5.19096

.rsrc

MD5 53b95dc11b381ccb0a039a33e2c141be
SHA1 211ce4138c71dcbe7487be7fe0ccaa5048f4c257
SHA256 cd0cd1913e1eeb1f5b22c8bb5d49b8403009cafa0af8bfd867baf0fd07583c92
SHA3 ea37aeba2919e9590d97b0ae5b426a12de0f3074e4e9cb6a3b5c1d2475aa0457
VirtualSize 0x1b4
VirtualAddress 0x35000
SizeOfRawData 0x200
PointerToRawData 0x2e000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 5.10247

.reloc

MD5 b49509bdf66d695e0a2a18320db6d35d
SHA1 5573284bcf144222a7df175378b3533aeda6d96b
SHA256 e95782c882a2fd0b9077bb1a96f0b280fa98a43ade6cd98fe16bff3c2f06d07c
SHA3 e636b33b1aae62ccd5c4dbdbf5cfa4b108d679bc840bb97bf4c07d0bc4d911a7
VirtualSize 0x24c0
VirtualAddress 0x36000
SizeOfRawData 0x2600
PointerToRawData 0x2e200
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Entropy 4.76754

Imports

KERNEL32.dll FileTimeToLocalFileTime
GetComputerNameW
GetVersionExW
FindVolumeClose
GetCurrentProcess
OpenProcess
FindNextVolumeW
GetVolumePathNamesForVolumeNameW
TerminateProcess
Process32FirstW
QueryDosDeviceW
Process32NextW
CreateToolhelp32Snapshot
FindFirstVolumeW
CreateMutexW
GetModuleFileNameW
IsWow64Process
GetExitCodeThread
SetCurrentDirectoryW
GetCurrentThreadId
CompareStringW
CompareStringA
GetProcessHeap
SetEndOfFile
FindNextFileW
FileTimeToSystemTime
GetDriveTypeW
FindFirstFileW
GetCurrentDirectoryW
GetLastError
MultiByteToWideChar
ExitThread
WideCharToMultiByte
GetSystemDefaultLangID
GetProcAddress
GetStartupInfoW
Wow64RevertWow64FsRedirection
Wow64DisableWow64FsRedirection
Sleep
TerminateThread
GetModuleHandleW
CreateProcessW
CreateThread
DeleteFileW
CloseHandle
WTSGetActiveConsoleSessionId
GlobalFree
EnterCriticalSection
InterlockedExchange
GlobalUnlock
CreateFileW
ReadFile
LeaveCriticalSection
GlobalAlloc
WriteFile
WaitForSingleObject
GetLocaleInfoA
GetStringTypeW
GetStringTypeA
LCMapStringW
LCMapStringA
CreateFileA
SetStdHandle
WriteConsoleW
GetConsoleOutputCP
WriteConsoleA
LoadLibraryA
InitializeCriticalSectionAndSpinCount
IsValidCodePage
SetEnvironmentVariableA
GetOEMCP
GetACP
GetCPInfo
HeapSize
GetCurrentProcessId
GetTickCount
QueryPerformanceCounter
GetStartupInfoA
GetFileType
SetHandleCount
GetCommandLineW
GetEnvironmentStringsW
FreeEnvironmentStringsW
InterlockedDecrement
SetLastError
InterlockedIncrement
TlsFree
TlsSetValue
TlsAlloc
TlsGetValue
GetTimeZoneInformation
FlushFileBuffers
GetConsoleMode
GetConsoleCP
GetModuleFileNameA
GetStdHandle
ExitProcess
VirtualFree
HeapCreate
RtlUnwind
GlobalLock
GlobalSize
SetFilePointer
GetFileSize
GetSystemTimeAsFileTime
IsDebuggerPresent
SetUnhandledExceptionFilter
UnhandledExceptionFilter
HeapReAlloc
VirtualQuery
GetSystemInfo
RaiseException
InitializeCriticalSection
DeleteCriticalSection
HeapFree
HeapAlloc
VirtualProtect
VirtualAlloc
USER32.dll ReleaseDC
GetDesktopWindow
GetDC
PostThreadMessageW
wsprintfW
GetWindowRect
GDI32.dll GetObjectW
GetDIBits
SelectPalette
RealizePalette
BitBlt
DeleteDC
CreateDIBSection
GetDeviceCaps
CreateCompatibleBitmap
SetDIBColorTable
CreateDCW
DeleteObject
SelectObject
CreateCompatibleDC
GetStockObject
ADVAPI32.dll ImpersonateLoggedOnUser
RevertToSelf
GetUserNameW
OpenProcessToken
SetServiceStatus
RegisterServiceCtrlHandlerA
OpenSCManagerW
StartServiceCtrlDispatcherA
CloseServiceHandle
OpenServiceA
AdjustTokenPrivileges
LookupAccountSidW
LookupPrivilegeValueW
GetTokenInformation
CreateProcessAsUserW
SHELL32.dll ShellExecuteW
ole32.dll GetHGlobalFromStream
CreateStreamOnHGlobal
gdiplus.dll GdipDrawImageI
GdipBitmapUnlockBits
GdipDeleteGraphics
GdipCreateBitmapFromScan0
GdipGetImagePixelFormat
GdipCreateBitmapFromStream
GdipGetImagePalette
GdipGetImageHeight
GdipFree
GdipSaveImageToStream
GdiplusShutdown
GdipAlloc
GdipGetImageEncodersSize
GdipDisposeImage
GdipCreateBitmapFromHBITMAP
GdipGetImageEncoders
GdipGetImagePaletteSize
GdipBitmapLockBits
GdipGetImageWidth
GdiplusStartup
GdipCloneImage
GdipGetImageGraphicsContext
WINHTTP.dll WinHttpOpen
WinHttpQueryDataAvailable
WinHttpSetTimeouts
WinHttpCloseHandle
WinHttpConnect
WinHttpOpenRequest
WinHttpSendRequest
WinHttpGetIEProxyConfigForCurrentUser
WinHttpSetOption
WinHttpReceiveResponse
WinHttpGetProxyForUrl
WinHttpReadData
WinHttpWriteData
WinHttpAddRequestHeaders
WinHttpQueryHeaders
VERSION.dll GetFileVersionInfoSizeW
VerQueryValueW
GetFileVersionInfoW
IPHLPAPI.DLL GetExtendedTcpTable
GetExtendedUdpTable
GetAdaptersInfo
WS2_32.dll #12
#15
PSAPI.DLL GetModuleFileNameExW
WTSAPI32.dll WTSQueryUserToken

Delayed Imports

1

Type RT_MANIFEST
Language English - United States
Codepage Latin 1 / Western European
Size 0x15a
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 4.79597
MD5 24d3b502e1846356b0263f945ddd5529
SHA1 bac45b86a9c48fc3756a46809c101570d349737d
SHA256 49a60be4b95b6d30da355a0c124af82b35000bce8f24f957d1c09ead47544a1e
SHA3 1244ed60820da52dc4b53880ec48e3b587dbdbd9545f01fa2b1c0fcfea1d5e9e

Version Info

TLS Callbacks

Load Configuration

RICH Header

XOR Key 0xc256de2a
Unmarked objects 0
ASM objects (VS2008 SP1 build 30729) 23
C objects (VS2008 SP1 build 30729) 136
C objects (VS2012 build 50727 / VS2005 build 50727) 9
ASM objects (VS2012 build 50727 / VS2005 build 50727) 2
C++ objects (VS2012 build 50727 / VS2005 build 50727) 1
C++ objects (VS2008 SP1 build 30729) 55
C objects (VS2012 build 50727 / VS2005 build 50727) (#2) 1
Imports (VS2012 build 50727 / VS2005 build 50727) 29
Total imports 219
138 (VS2008 SP1 build 30729) 10
Resource objects (VS2008 SP1 build 30729) 1

Errors

[*] Warning: New version of yara_rules/suspicious_strings.yara detected. The rules will be recompiled.