| Architecture |
IMAGE_FILE_MACHINE_AMD64
|
|---|---|
| Subsystem |
IMAGE_SUBSYSTEM_WINDOWS_GUI
|
| Compilation Date | 2021-Apr-15 05:29:57 |
| Suspicious | Strings found in the binary may indicate undesirable behavior: |
Looks for Qemu presence:
|
| Info | Cryptographic algorithms detected in the binary: | Uses constants related to CRC32 |
| Malicious | The PE contains functions mostly used by malware. |
[!] The program may be hiding some of its imports:
|
| Suspicious | The file contains overlay data. |
22542637 bytes of data starting at offset 0x43a00.
The overlay data has an entropy of 7.99733 and is possibly compressed or encrypted. Overlay data amounts for 98.7862% of the executable. |
| Malicious | VirusTotal score: 5/68 (Scanned on 2021-08-06 10:08:10) |
Cynet:
Malicious (score: 100)
Zillya: Trojan.Badur.Win32.34336 Antiy-AVL: Trojan/Generic.ASMalwS.329A072 Malwarebytes: Spyware.PasswordStealer.Python Fortinet: PossibleThreat.PALLAS.H |
| e_magic | MZ |
|---|---|
| e_cblp | 0x90 |
| e_cp | 0x3 |
| e_crlc | 0 |
| e_cparhdr | 0x4 |
| e_minalloc | 0 |
| e_maxalloc | 0xffff |
| e_ss | 0 |
| e_sp | 0xb8 |
| e_csum | 0 |
| e_ip | 0 |
| e_cs | 0 |
| e_ovno | 0 |
| e_oemid | 0 |
| e_oeminfo | 0 |
| e_lfanew | 0x108 |
| Signature | PE |
|---|---|
| Machine |
IMAGE_FILE_MACHINE_AMD64
|
| NumberofSections | 7 |
| TimeDateStamp | 2021-Apr-15 05:29:57 |
| PointerToSymbolTable | 0 |
| NumberOfSymbols | 0 |
| SizeOfOptionalHeader | 0xf0 |
| Characteristics |
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
|
| Magic | PE32+ |
|---|---|
| LinkerVersion | 14.0 |
| SizeOfCode | 0x20e00 |
| SizeOfInitializedData | 0x22800 |
| SizeOfUninitializedData | 0 |
| AddressOfEntryPoint | 0x00000000000088FC (Section: .text) |
| BaseOfCode | 0x1000 |
| ImageBase | 0x140000000 |
| SectionAlignment | 0x1000 |
| FileAlignment | 0x200 |
| OperatingSystemVersion | 5.2 |
| ImageVersion | 0.0 |
| SubsystemVersion | 5.2 |
| Win32VersionValue | 0 |
| SizeOfImage | 0x57000 |
| SizeOfHeaders | 0x400 |
| Checksum | 0x15c6f8a |
| Subsystem |
IMAGE_SUBSYSTEM_WINDOWS_GUI
|
| DllCharacteristics |
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
|
| SizeofStackReserve | 0x100000 |
| SizeofStackCommit | 0x1000 |
| SizeofHeapReserve | 0x100000 |
| SizeofHeapCommit | 0x1000 |
| LoaderFlags | 0 |
| NumberOfRvaAndSizes | 16 |
| USER32.dll |
MessageBoxW
MessageBoxA |
|---|---|
| KERNEL32.dll |
GetModuleFileNameW
GetProcAddress GetCommandLineW GetEnvironmentVariableW SetEnvironmentVariableW ExpandEnvironmentStringsW CreateDirectoryW GetTempPathW WaitForSingleObject Sleep SetDllDirectoryW CreateProcessW GetStartupInfoW LoadLibraryExW CloseHandle GetCurrentProcess LoadLibraryA LocalFree FormatMessageW MultiByteToWideChar WideCharToMultiByte HeapReAlloc GetLastError WriteConsoleW SetEndOfFile GetExitCodeProcess FreeLibrary RtlCaptureContext RtlLookupFunctionEntry RtlVirtualUnwind UnhandledExceptionFilter SetUnhandledExceptionFilter TerminateProcess IsProcessorFeaturePresent QueryPerformanceCounter GetCurrentProcessId GetCurrentThreadId GetSystemTimeAsFileTime InitializeSListHead IsDebuggerPresent GetModuleHandleW RtlUnwindEx SetLastError EnterCriticalSection LeaveCriticalSection DeleteCriticalSection InitializeCriticalSectionAndSpinCount TlsAlloc TlsGetValue TlsSetValue TlsFree RaiseException GetCommandLineA ReadFile CreateFileW GetDriveTypeW GetFileInformationByHandle GetFileType PeekNamedPipe SystemTimeToTzSpecificLocalTime FileTimeToSystemTime GetFullPathNameW RemoveDirectoryW FindClose FindFirstFileExW FindNextFileW SetStdHandle SetConsoleCtrlHandler DeleteFileW GetStdHandle WriteFile ExitProcess GetModuleHandleExW HeapAlloc HeapFree GetConsoleMode ReadConsoleW SetFilePointerEx GetConsoleCP GetFileSizeEx CompareStringW LCMapStringW GetCurrentDirectoryW FlushFileBuffers GetFileAttributesExW IsValidCodePage GetACP GetOEMCP GetCPInfo GetEnvironmentStringsW FreeEnvironmentStringsW GetStringTypeW GetProcessHeap GetTimeZoneInformation HeapSize |
| ADVAPI32.dll |
ConvertSidToStringSidW
GetTokenInformation OpenProcessToken ConvertStringSecurityDescriptorToSecurityDescriptorW |
| Characteristics |
0
|
|---|---|
| TimeDateStamp | 2021-Apr-15 05:29:57 |
| Version | 0.0 |
| SizeofData | 676 |
| AddressOfRawData | 0x2f580 |
| PointerToRawData | 0x2e780 |
| Size | 0x138 |
|---|---|
| TimeDateStamp | 1970-Jan-01 00:00:00 |
| Version | 0.0 |
| GlobalFlagsClear | (EMPTY) |
| GlobalFlagsSet | (EMPTY) |
| CriticalSectionDefaultTimeout | 0 |
| DeCommitFreeBlockThreshold | 0 |
| DeCommitTotalFreeThreshold | 0 |
| LockPrefixTable | 0 |
| MaximumAllocationSize | 0 |
| VirtualMemoryThreshold | 0 |
| ProcessAffinityMask | 0 |
| ProcessHeapFlags | (EMPTY) |
| CSDVersion | 0 |
| Reserved1 | 0 |
| EditList | 0 |
| SecurityCookie | 0x140032018 |
| XOR Key | 0xfaefc3e3 |
|---|---|
| Unmarked objects | 0 |
| C objects (26715) | 10 |
| ASM objects (26715) | 7 |
| C++ objects (26715) | 185 |
| 199 (41118) | 3 |
| C++ objects (VS 2015/2017/2019 runtime 29118) | 38 |
| C objects (VS 2015/2017/2019 runtime 29118) | 17 |
| ASM objects (VS 2015/2017/2019 runtime 29118) | 9 |
| Imports (26715) | 7 |
| Total imports | 116 |
| C objects (VS2019 Update 8 (16.8.4) compiler 29336) | 16 |
| Resource objects (VS2019 Update 8 (16.8.4) compiler 29336) | 1 |
| Linker (VS2019 Update 8 (16.8.4) compiler 29336) | 1 |
No comments yet.