34e56056e5741f33d823859e77235ed9

Summary

Architecture IMAGE_FILE_MACHINE_I386
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date 2017-Aug-12 07:44:57
Detected languages Korean - Korea

Plugin Output

Info Matching compiler(s):
  • Microsoft Visual C++ 6.0 - 8.0
  • MASM/TASM - sig1(h)
  • Microsoft Visual C++
  • Microsoft Visual C++ v6.0
  • Microsoft Visual C++ v5.0/v6.0 (MFC)
Info Cryptographic algorithms detected in the binary:
  • Uses constants related to CRC32
  • Uses constants related to MD5
  • Uses constants related to SHA1
Suspicious The PE contains functions most legitimate programs don't use.
[!] The program may be hiding some of its imports:
  • GetProcAddress
  • LoadLibraryA
Functions which can be used for anti-debugging purposes:
  • CreateToolhelp32Snapshot
Enumerates local disk drives:
  • GetVolumeInformationW
Malicious VirusTotal score: 36/69 (Scanned on 2019-09-08 22:57:45)
  • MicroWorld-eScan: Gen:Variant.Graftor.487501
  • McAfee: Trojan-FPIA!34E56056E574
  • Cylance: Unsafe
  • CrowdStrike: win/malicious_confidence_100% (W)
  • BitDefender: Gen:Variant.Graftor.487501
  • Arcabit: Trojan.Graftor.D7704D
  • Invincea: heuristic
  • Symantec: ML.Attribute.HighConfidence
  • ESET-NOD32: a variant of Win32/NukeSped.AU
  • APEX: Malicious
  • Avast: Win32:Dh-A [Heur]
  • Kaspersky: HEUR:Trojan.Win32.Generic
  • Alibaba: Trojan:Win32/Autophyte.c39c2d36
  • Paloalto: generic.ml
  • AegisLab: Trojan.Win32.Generic.4!c
  • Ad-Aware: Gen:Variant.Graftor.487501
  • TrendMicro: TROJ_FRS.0NA103I819
  • McAfee-GW-Edition: BehavesLike.Win32.Mabezat.ch
  • Trapmine: malicious.high.ml.score
  • FireEye: Generic.mg.34e56056e5741f33
  • Emsisoft: Gen:Variant.Graftor.487501 (B)
  • SentinelOne: DFI - Malicious PE
  • Avira: HEUR/AGEN.1023221
  • Microsoft: Trojan:Win32/Autophyte.E!dha
  • Endgame: malicious (high confidence)
  • ZoneAlarm: HEUR:Trojan.Win32.Generic
  • GData: Gen:Variant.Graftor.487501
  • ALYac: Gen:Variant.Graftor.487501
  • MAX: malware (ai score=85)
  • TrendMicro-HouseCall: TROJ_FRS.0NA103I819
  • Ikarus: Trojan.Win32.NukeSped
  • Fortinet: W32/NukeSped.AU!tr
  • AVG: Win32:Dh-A [Heur]
  • Cybereason: malicious.6e5741
  • Panda: Trj/CI.A
  • Qihoo-360: Win32/Trojan.e04

Hashes

MD5 34e56056e5741f33d823859e77235ed9
SHA1 fcc2dcbac7d3cbcf749f6aab2f37cc4b62d0bb64
SHA256 0608e411348905145a267a9beaf5cd3527f11f95c4afde4c45998f066f418571
SHA3 f688f9bb9adbf2d7ed1cffde4c869cb387fbf57221aa965f1ccca03f69bdf924
SSDeep 3072:nQWbIWSGw0CkXbhM1Vsm5TJYwMrzPoXL8GnQj3y3:nR3SGQYM16m5TJDwPo7bUC3
Imports Hash e93a06b89e75751a9ac2c094ca7da8b0

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0xe8

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_I386
NumberofSections 4
TimeDateStamp 2017-Aug-12 07:44:57
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xe0
Characteristics
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LINE_NUMS_STRIPPED
  • IMAGE_FILE_LOCAL_SYMS_STRIPPED
  • IMAGE_FILE_RELOCS_STRIPPED

Image Optional Header

Magic PE32
LinkerVersion 6.0
SizeOfCode 0x18000
SizeOfInitializedData 0xf000
SizeOfUninitializedData 0
AddressOfEntryPoint 0x0001899F (Section: .text)
BaseOfCode 0x1000
BaseOfData 0x19000
ImageBase 0x400000
SectionAlignment 0x1000
FileAlignment 0x1000
OperatingSystemVersion 4.0
ImageVersion 0.0
SubsystemVersion 4.0
Win32VersionValue 0
SizeOfImage 0x28000
SizeOfHeaders 0x1000
Checksum 0
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
SizeofStackReserve 0x100000
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

.text

MD5 2b9f5ce0725453a209a416ab7a13f3df
SHA1 20308d54638127c4b9d3bced75ce6d2c60a9c69e
SHA256 10b763cb59800b883c044df1ad0f38a3e8f380da290235886ce07d27ce002865
SHA3 e55df40417daeaa1a88e506e95a09b03c3f768f92404601aaeebd289ad666702
VirtualSize 0x17c15
VirtualAddress 0x1000
SizeOfRawData 0x18000
PointerToRawData 0x1000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics
  • IMAGE_SCN_CNT_CODE
  • IMAGE_SCN_MEM_EXECUTE
  • IMAGE_SCN_MEM_READ
Entropy 6.57681

.rdata

MD5 03605ec3eefe3b70e118cea4b8655229
SHA1 728244fb98c512090ac6d4ff4fce9888862d8d5f
SHA256 9f2f5d8374f7bbbeea84b884b44e7c8d92564133b7e8ee0c156b36a69f50b9cd
SHA3 a365d16c85064950b23f48ba7b834556d6d89fb71f812c0ed423e20a82390d26
VirtualSize 0x3560
VirtualAddress 0x19000
SizeOfRawData 0x4000
PointerToRawData 0x19000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics
  • IMAGE_SCN_CNT_INITIALIZED_DATA
  • IMAGE_SCN_MEM_READ
Entropy 5.86614

.data

MD5 5ac0ab0641ec076e15dd1468e11c57cd
SHA1 9becd7bb9421703d5f37b1d5c1603df6aaf86a1b
SHA256 05865461376d6411f313cb47966495e75206df7bab3d73b39b108f65e33686a4
SHA3 a0eb2aea3955df7705f2edb75a278d3f39fb88eaf2334ea16df0b04a4baea763
VirtualSize 0x3320
VirtualAddress 0x1d000
SizeOfRawData 0x1000
PointerToRawData 0x1d000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics
  • IMAGE_SCN_CNT_INITIALIZED_DATA
  • IMAGE_SCN_MEM_READ
  • IMAGE_SCN_MEM_WRITE
Entropy 2.68002

.rsrc

MD5 58ede934084bbe73fa7f9e0d32c4fafb
SHA1 bc57d5bf82722f7c8d44ef93ad777883985eded2
SHA256 eb1bdfc65b397da9ef4bb287c961fa2dc14b4771322c838fa7b0f9b13f28ff0d
SHA3 980b6dac007553dde36906c6871c1f0ea369bbd2e14d8837e48b77f57a224e46
VirtualSize 0x6a38
VirtualAddress 0x21000
SizeOfRawData 0x7000
PointerToRawData 0x1e000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics
  • IMAGE_SCN_CNT_INITIALIZED_DATA
  • IMAGE_SCN_MEM_READ
Entropy 7.04529

Imports

KERNEL32.dll
  • GetProcAddress
  • LoadLibraryA
  • GetModuleHandleW
  • GetVolumeInformationW
  • Module32FirstW
  • CreateToolhelp32Snapshot
  • FileTimeToLocalFileTime
  • GetTickCount
  • GetSystemInfo
  • GetVersionExW
  • WideCharToMultiByte
  • CreateDirectoryW
  • Sleep
  • CopyFileW
  • FileTimeToSystemTime
  • GetACP
  • lstrlenW
  • GetModuleHandleA
  • GetStartupInfoA
USER32.dll
  • GetSystemMetrics
MSVCRT.dll
  • memcpy
  • strlen
  • memset
  • memmove
  • memcmp
  • malloc
  • free
  • strstr
  • sscanf
  • wcstombs
  • localtime
  • time
  • __dllonexit
  • _onexit
  • _exit
  • _XcptFilter
  • exit
  • _acmdln
  • __getmainargs
  • _initterm
  • __setusermatherr
  • _adjust_fdiv
  • __p__commode
  • __p__fmode
  • __set_app_type
  • _except_handler3
  • _controlfp
  • wcsrchr
  • _wfopen
  • fwprintf
  • fclose
  • __CxxFrameHandler
  • srand
  • rand
  • _vsnwprintf
  • wcscmp
  • wprintf
  • wcschr
  • _wcsicmp
  • wcscat
  • wcsncpy
  • swprintf
  • _wtoi
  • _waccess
  • wcscpy
  • wcslen
  • strncmp
  • ??3@YAXPAX@Z

Delayed Imports

103

Type IMAG
Language Korean - Korea
Codepage UNKNOWN
Size 0x1e5f
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 7.93118
Detected Filetype JPEG graphic file
MD5 88b9b1e084f1485046518319cdfa2b9b
SHA1 b81fc5e237bd2d63fffdc74b45df9d8bfc5ca9a1
SHA256 fb3ba2f4a0bba29140cf86fa5000c1d521501ff44931d57c2be63a2f8901c0ae
SHA3 48a6d06f0b6cbdc8b0355514edc0d6ab1162cd8a69c2910e4c1aef545133734b

101

Type IMG
Language Korean - Korea
Codepage UNKNOWN
Size 0x4b14
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 6.94205
Detected Filetype PNG graphic file
MD5 b6fe0df82dedaea3e24e410ca4a9e772
SHA1 6c055ece90935056d36336987e19fd19bc5f60c0
SHA256 b6edc138b0412391ed50416cd423a0bfab3bad47c140084ac782de4b0f8f7117
SHA3 6f3d13e435089122829c4805c3f05b065223bad4d601846086531843022e8a68

Version Info

TLS Callbacks

Load Configuration

RICH Header

XOR Key 0x92817024
Unmarked objects 0
14 (7299) 5
Linker (VS98 build 8168) 2
12 (7291) 2
C objects (VS98 build 8168) 25
Imports (VS2003 (.NET) build 4035) 5
Total imports 115
C++ objects (VS98 build 8168) 10
Resource objects (VS98 cvtres build 1720) 1

Errors