35d2ce0651d8bc045e920c10fd52a178

Summary

Architecture IMAGE_FILE_MACHINE_I386
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date 2017-Jan-19 08:33:43

Plugin Output

Info: Matching compiler(s): MASM/TASM - sig2(h)
Info: Cryptographic algorithms detected in the binary:
  • Uses constants related to CRC32
  • Uses constants related to MD5
Suspicious: The PE contains functions most legitimate programs don't use.
[!] The program may be hiding some of its imports:
  • LoadLibraryA
  • GetProcAddress
Can create temporary files:
  • CreateFileA
  • GetTempPathA
Can take screenshots:
  • GetDC
  • CreateCompatibleDC
  • BitBlt
Malicious: VirusTotal score: 49/66 (Scanned on 2018-11-05 12:45:59)
MicroWorld-eScan: Trojan.GenericKD.40144676
CAT-QuickHeal: Trojan.GenericPMF.S1550930
McAfee: Artemis!35D2CE0651D8
Cylance: Unsafe
BitDefender: Trojan.GenericKD.40144676
K7GW: Trojan-Downloader ( 0053aede1 )
K7AntiVirus: Trojan-Downloader ( 0053aede1 )
Invincea: heuristic
F-Prot: W32/Trojan2.PTGS
Symantec: Trojan Horse
ESET-NOD32: VBS/Starter.NBS
TrendMicro-HouseCall: TROJ_RUNNER.GBE
Paloalto: generic.ml
Kaspersky: HEUR:Trojan.Script.Agent.gen
NANO-Antivirus: Trojan.Win32.Betload.eljjjk
ViRobot: Trojan.Win32.S.Agent.68608.KM
Avast: FileRepMalware
Ad-Aware: Trojan.GenericKD.40144676
Sophos: Troj/Agent-AZAG
F-Secure: Trojan.GenericKD.40144676
DrWeb: Trojan.BtcMine.1177
Zillya: Downloader.Betload.Win32.65
TrendMicro: TROJ_RUNNER.GBE
McAfee-GW-Edition: BehavesLike.Win32.Downloader.kh
Emsisoft: Trojan.GenericKD.40144676 (B)
Ikarus: Trojan.Win32.Dynamer
Cyren: W32/Trojan.QIDT-4071
Jiangmin: TrojanDownloader.Betload.i
Webroot: W32.Trojan.Gen
Avira: TR/ScriptDldr.B
Antiy-AVL: Trojan/Script.Agent
Microsoft: Trojan:Win32/Tiggre!rfn
Endgame: malicious (high confidence)
Arcabit: Trojan.Generic.D2648F24
AegisLab: Trojan.Script.Agent.4!c
ZoneAlarm: HEUR:Trojan.Script.Agent.gen
GData: Win32.Trojan.Agent.AAV
AhnLab-V3: Trojan/Win32.DownLoader.C2567045
VBA32: Trojan.Script
ALYac: Trojan.Script.Agent
MAX: malware (ai score=99)
Yandex: Trojan.BtcMine!
SentinelOne: static engine - malicious
Fortinet: W32/Agent.OYC!tr
AVG: FileRepMalware
Cybereason: malicious.651d8b
Panda: Trj/Genetic.gen
CrowdStrike: malicious_confidence_100% (W)
Qihoo-360: Win32/Trojan.Script.af7

Hashes

MD5 35d2ce0651d8bc045e920c10fd52a178
SHA1 a1387c8caa2645741df50f9338f70a2fbf3caa32
SHA256 abbad7acd50754f096fdc6551e728aa6054dcf8e55946f90a02b17db552471ca
SHA3 92425dc95eb7d7bb7d9cdc73eea02231b8fcc63e6e4770197f952140469f8cc4
SSDeep 768:iVwUechwtKiA9lYoorLetH42zlU82GTQ1Q3+lGfuzRLsAV0LSEM/3jL9LfJ5B3yN:oechwOU3L32utGT1fkQLSL3jLpfrOO2
Imports Hash 38d661bf84f5e3c466538973190b8d97

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0x80

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_I386
NumberofSections 5
TimeDateStamp 2017-Jan-19 08:33:43
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xe0
Characteristics
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LINE_NUMS_STRIPPED
  • IMAGE_FILE_LOCAL_SYMS_STRIPPED
  • IMAGE_FILE_RELOCS_STRIPPED

Image Optional Header

Magic PE32
LinkerVersion 2.0
SizeOfCode 0xe400
SizeOfInitializedData 0x2400
SizeOfUninitializedData 0
AddressOfEntryPoint 0x00001000 (Section: .code)
BaseOfCode 0x1000
BaseOfData 0x11000
ImageBase 0x400000
SectionAlignment 0x1000
FileAlignment 0x200
OperatingSystemVersion 4.0
ImageVersion 0.0
SubsystemVersion 4.0
Win32VersionValue 0
SizeOfImage 0x15000
SizeOfHeaders 0x400
Checksum 0
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
SizeofStackReserve 0x100000
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

.code

MD5 89d63a7d4888942d4e99334890c98d59
SHA1 b9ede1f49ef04a974d3a7193241a45ff305ca06c
SHA256 de9334d7bac7bb4722bfee8d1fb6776b0f45786393d205a530e3dd0a181863f8
SHA3 a5affb738887abf97643e420073fa6da32635a6f381eee6db56e59892116b039
VirtualSize 0x3063
VirtualAddress 0x1000
SizeOfRawData 0x3200
PointerToRawData 0x400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics
  • IMAGE_SCN_CNT_CODE
  • IMAGE_SCN_MEM_EXECUTE
  • IMAGE_SCN_MEM_READ
Entropy 5.10595

.text

MD5 e952f42562232d2c6c9d1c2e47a845d0
SHA1 6066f509f063e4545c56f74dff299efb0609527f
SHA256 35b01a30851656d7323fbc7d235ad8466eed2bb51aef3fc2297a391ef99f80f9
SHA3 5577b8d415207fb43c04c3ac3b10c0e2dfbfd0d4d51d1f796297b02c1e6e6174
VirtualSize 0xb175
VirtualAddress 0x5000
SizeOfRawData 0xb200
PointerToRawData 0x3600
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics
  • IMAGE_SCN_CNT_CODE
  • IMAGE_SCN_MEM_EXECUTE
  • IMAGE_SCN_MEM_READ
Entropy 6.59876

.rdata

MD5 85d1afefc9b63e99f53ae62acd1bd297
SHA1 2c3f5cd36f04c1df10e8fb94007c2b8469231728
SHA256 e9bba2d0068b08137edd9efa357bc1d29d200588d2078b5d256c137781d40475
SHA3 c57a1d8df8b770c745b42d62a9f7cbafab3e846af4847c48425b626706c6a40b
VirtualSize 0x97e
VirtualAddress 0x11000
SizeOfRawData 0xa00
PointerToRawData 0xe800
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics
  • IMAGE_SCN_CNT_INITIALIZED_DATA
  • IMAGE_SCN_MEM_READ
Entropy 6.61063

.data

MD5 ceb9b331de4e5c36246aa53619212439
SHA1 8b2bb03ef07b30084b50b6d2d27f0ce754eb8624
SHA256 690f765ea8f4b8267208ee864f8ef3c72040a29de7ced3b5644f5fd406e8497b
SHA3 7f76c76169f7ebec54c36b7eea536396d9f986ebd19af2c19fdf913e93b5fcbb
VirtualSize 0x1aa8
VirtualAddress 0x12000
SizeOfRawData 0x1400
PointerToRawData 0xf200
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics
  • IMAGE_SCN_CNT_INITIALIZED_DATA
  • IMAGE_SCN_MEM_READ
  • IMAGE_SCN_MEM_WRITE
Entropy 5.47861

.rsrc

MD5 16dd660d9609fd1308860b4e207acb53
SHA1 b2f9fb63d6884d5ff79595fbb69d3443d8243fe3
SHA256 74f6ac6e90c102df75bf07f26929daf7d2d384c54cd990c03febe71c93aad7c8
SHA3 932a1b59f1afa8aeda36843291345214ce8ba3866969e8d3560f0268872a9420
VirtualSize 0x4b8
VirtualAddress 0x14000
SizeOfRawData 0x600
PointerToRawData 0x10600
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics
  • IMAGE_SCN_CNT_INITIALIZED_DATA
  • IMAGE_SCN_MEM_READ
Entropy 5.48954

Imports

MSVCRT.dll
  • memset
  • strncmp
  • memmove
  • strncpy
  • strstr
  • _strnicmp
  • _stricmp
  • strlen
  • strcmp
  • memcpy
  • sprintf
  • fabs
  • ceil
  • malloc
  • floor
  • free
  • fclose
  • strcpy
  • tolower
KERNEL32.dll
  • GetModuleHandleA
  • HeapCreate
  • HeapDestroy
  • ExitProcess
  • RemoveDirectoryA
  • GetExitCodeProcess
  • GetTempFileNameA
  • GetNativeSystemInfo
  • FindResourceA
  • LoadResource
  • SizeofResource
  • GetShortPathNameA
  • GetWindowsDirectoryA
  • GetSystemDirectoryA
  • HeapAlloc
  • HeapFree
  • Sleep
  • LoadLibraryA
  • GetProcAddress
  • FreeLibrary
  • GetCurrentThreadId
  • GetCurrentProcessId
  • CloseHandle
  • InitializeCriticalSection
  • GetCommandLineA
  • GetModuleFileNameA
  • GetEnvironmentVariableA
  • SetEnvironmentVariableA
  • CreateFileA
  • ReadFile
  • WriteFile
  • SetFilePointer
  • DeleteFileA
  • GetFileSize
  • HeapReAlloc
  • GetCurrentProcess
  • TerminateProcess
  • SetUnhandledExceptionFilter
  • EnterCriticalSection
  • LeaveCriticalSection
  • GetVersionExA
  • SetLastError
  • HeapSize
  • TlsAlloc
  • CreateDirectoryA
  • GetCurrentDirectoryA
  • SetCurrentDirectoryA
  • SetFileAttributesA
  • GetTempPathA
  • DeleteCriticalSection
  • MultiByteToWideChar
  • WideCharToMultiByte
USER32.DLL
  • CharUpperA
  • CharLowerA
  • MessageBoxA
  • SendMessageA
  • PostMessageA
  • GetWindowThreadProcessId
  • IsWindowVisible
  • GetWindowLongA
  • GetForegroundWindow
  • IsWindowEnabled
  • EnableWindow
  • EnumWindows
  • SetWindowPos
  • DestroyWindow
  • GetDC
  • GetWindowTextLengthA
  • GetWindowTextA
  • SetRect
  • DrawTextA
  • GetSystemMetrics
  • ReleaseDC
  • GetSysColor
  • GetSysColorBrush
  • CreateWindowExA
  • CallWindowProcA
  • SetWindowLongA
  • SetFocus
  • RedrawWindow
  • RemovePropA
  • DefWindowProcA
  • SetPropA
  • GetParent
  • GetPropA
  • GetWindow
  • SetActiveWindow
  • UnregisterClassA
  • DestroyAcceleratorTable
  • LoadIconA
  • LoadCursorA
  • RegisterClassA
  • AdjustWindowRectEx
  • ShowWindow
  • CreateAcceleratorTableA
  • PeekMessageA
  • MsgWaitForMultipleObjects
  • GetMessageA
  • GetActiveWindow
  • TranslateAcceleratorA
  • TranslateMessage
  • DispatchMessageA
  • GetFocus
  • GetClientRect
  • FillRect
  • EnumChildWindows
  • DefFrameProcA
  • GetWindowRect
  • IsChild
  • GetClassNameA
  • GetKeyState
  • DestroyIcon
  • RegisterWindowMessageA
GDI32.DLL
  • GetStockObject
  • SelectObject
  • SetBkColor
  • SetTextColor
  • GetTextExtentPoint32A
  • CreateSolidBrush
  • DeleteObject
  • GetObjectA
  • CreateCompatibleDC
  • GetDIBits
  • DeleteDC
  • GetObjectType
  • CreateDIBSection
  • BitBlt
  • CreateBitmap
  • SetPixel
COMCTL32.DLL
  • InitCommonControlsEx
OLE32.DLL
  • CoInitialize
  • CoTaskMemFree
  • RevokeDragDrop
SHELL32.DLL
  • ShellExecuteExA
WINMM.DLL
  • timeBeginPeriod
SHLWAPI.DLL
  • PathQuoteSpacesA
  • PathAddBackslashA
  • PathRenameExtensionA
  • PathUnquoteSpacesA

Delayed Imports

Resources

4CC738C501D989FF5EBD2647402E3D73

Type RT_RCDATA
Language UNKNOWN
Codepage Latin 1 / Western European
Size 0x6
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 0.918296
MD5 017d7be9f983573513f205ea31673845
SHA1 faf1cd4bdf2d59261beed066baf3c3e69ee5d9f7
SHA256 1a71797cab8ed23c72233b7706b166a33049e4e87dfbc55b9e252f9c1843eca6
SHA3 8b9db0bb67ad0b482fc745462d2ff8d60da07193027752119095c26ee7a6bc79

B3665489866980A08D7E92674A3FBAEE

Type RT_RCDATA
Language UNKNOWN
Codepage Latin 1 / Western European
Size 0x10
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 4
MD5 c490dd682d4132992dc76e0a70621fd7
SHA1 01858ee922919ba7afd60ad7846298d32246491d
SHA256 1409ba843d9c6775e87cd2c05280703fdff3e67e8c1902f9245f58323f628614
SHA3 aa8da2dafb1a252138c88f4a9de118af70fb35bfdb53ebb719f24002aea5e390

BBDEA9D7D9833171E821D5FF3C43A6A2

Type RT_RCDATA
Language UNKNOWN
Codepage Latin 1 / Western European
Size 0x71
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 6.53031
MD5 42c5aaf3622c44e70708a59951f61c04
SHA1 91c4c0459f841a0f47e2d3d24df893b894df9abe
SHA256 dad74bed43d68a6c07700d26f5cab7dad2ed780b381c5fa897830c911b036ac1
SHA3 5a0004d138aa90f6ca33581310ea26f997ba612aac3f09002dc5f531e7cba838

1

Type RT_MANIFEST
Language UNKNOWN
Codepage Latin 1 / Western European
Size 0x263
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 4.92322
MD5 841795bb3b61ebd511249778aa26af77
SHA1 59f426938522ef9906b0740821e8cc270d1ca897
SHA256 be809cba9d14bfb52a969d766992832b10e99e133babcdd99dc6d1bba5597cf7
SHA3 5fa5c36711cc5c3661248b1180ce35543201ff1dc77d158129b844f03a2144c9

Version Info

TLS Callbacks

Load Configuration

RICH Header

Errors