38fc56965dccd18f39f8a945f6ebc439

Summary

Architecture IMAGE_FILE_MACHINE_I386
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date 2017-Dec-12 17:58:45
Detected languages Korean - Korea
Comments
CompanyName Microsoft Corporation
FileDescription Windows Remote Assistance SD Server
FileVersion 10.0.10586.0 (th2_release.151029-1700)
InternalName sdchange.exe
LegalCopyright Microsoft Windows Operating System
LegalTrademarks
OriginalFilename sdchange.exe.mui
PrivateBuild
ProductName Microsoft Windows Operating System
ProductVersion 10.0.10586.0
SpecialBuild

Plugin Output

Info Matching compiler(s): Microsoft Visual C++ 6.0 - 8.0
Microsoft Visual C++
Microsoft Visual C++ v6.0
Microsoft Visual C++ v5.0/v6.0 (MFC)
Info Cryptographic algorithms detected in the binary: Uses constants related to CRC32
Uses constants related to MD5
Uses constants related to SHA1
Suspicious The PE contains functions most legitimate programs don't use. [!] The program may be hiding some of its imports:
  • GetProcAddress
  • LoadLibraryA
Functions which can be used for anti-debugging purposes:
  • CreateToolhelp32Snapshot
Enumerates local disk drives:
  • GetVolumeInformationW
Malicious VirusTotal score: 41/68 (Scanned on 2019-09-09 04:54:21) MicroWorld-eScan: Gen:Variant.Graftor.487501
McAfee: Trojan-FPIA!38FC56965DCC
Cylance: Unsafe
BitDefender: Gen:Variant.Graftor.487501
K7GW: Trojan ( 0052cf421 )
Cybereason: malicious.65dccd
Arcabit: Trojan.Graftor.D7704D
TrendMicro: TROJ_FRS.0NA103I819
F-Prot: W32/Trojan3.AOLE
ESET-NOD32: a variant of Win32/NukeSped.AU
APEX: Malicious
Paloalto: generic.ml
Kaspersky: HEUR:Trojan.Win32.Generic
Alibaba: Trojan:Win32/NukeSped.794a34c5
Avast: Win32:Malware-gen
Endgame: malicious (high confidence)
Sophos: Mal/Generic-S
F-Secure: Trojan.TR/NukeSped.iynke
DrWeb: Trojan.HiddenCobra.1
Invincea: heuristic
McAfee-GW-Edition: Trojan-FPIA!38FC56965DCC
Trapmine: malicious.high.ml.score
FireEye: Generic.mg.38fc56965dccd18f
Emsisoft: Gen:Variant.Graftor.487501 (B)
Cyren: W32/Trojan.ACES-2943
Avira: TR/NukeSped.iynke
Antiy-AVL: Trojan/Win32.AGeneric
Microsoft: Trojan:Win32/Casdet!rfn
AegisLab: Trojan.Win32.Generic.4!c
ZoneAlarm: HEUR:Trojan.Win32.Generic
GData: Gen:Variant.Graftor.487501
ALYac: Trojan.Nukesped.A
MAX: malware (ai score=100)
Ad-Aware: Gen:Variant.Graftor.487501
TrendMicro-HouseCall: TROJ_FRS.0NA103I819
Ikarus: Trojan.Win32.NukeSped
Fortinet: W32/Trojan.FPIA!tr
AVG: Win32:Malware-gen
Panda: Trj/CI.A
CrowdStrike: win/malicious_confidence_100% (W)
Qihoo-360: HEUR/QVM07.1.C157.Malware.Gen

Hashes

MD5 38fc56965dccd18f39f8a945f6ebc439
SHA1 50736517491396015afdf1239017b9abd16a3ce9
SHA256 32ec329301aa4547b4ef4800159940feb950785f1ab68d85a14d363e0ff2bc11
SHA3 f45a6f13fb5cb3cf6a48fb3d9168f63fa25ecfa8d579d2a1ec34a9785896a4ab
SSDeep 1536:kSQWbe9BzK0xGtGVyDBWikDsD3bG0aII2Tm5TPb+5MI7jcg9YL23O:fQWbIWSG61UD3bGUI2Tm5TP2Njcmn+
Imports Hash 2054fd7bbbbcb62441ba2a21c156d403

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0xf0

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_I386
NumberofSections 4
TimeDateStamp 2017-Dec-12 17:58:45
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xe0
Characteristics IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_RELOCS_STRIPPED

Image Optional Header

Magic PE32
LinkerVersion 6.0
SizeOfCode 0x17000
SizeOfInitializedData 0x9000
SizeOfUninitializedData 0
AddressOfEntryPoint 0x00016F4F (Section: .text)
BaseOfCode 0x1000
BaseOfData 0x18000
ImageBase 0x400000
SectionAlignment 0x1000
FileAlignment 0x1000
OperatingSystemVersion 4.0
ImageVersion 0.0
SubsystemVersion 4.0
Win32VersionValue 0
SizeOfImage 0x21000
SizeOfHeaders 0x1000
Checksum 0
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
SizeofStackReserve 0x100000
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

.text

MD5 48f0a09061c556cbde93f864f2adb2e3
SHA1 6d46ce7b741e949df789236fd50b90dbb8281d7f
SHA256 ec05ab731735bc944d7c4752a1f9ece9eb9b6b692f74153aa2b28ccad43289e2
SHA3 2f423413be31f32a1b64882e838b80d104f4f1a67c896f87655a78ee2c999f3f
VirtualSize 0x16205
VirtualAddress 0x1000
SizeOfRawData 0x17000
PointerToRawData 0x1000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
Entropy 6.47977

.rdata

MD5 65fe1d182b2f7322719d142a81a901a8
SHA1 1de3fd012365d6ebed44cf98c57c57ba80aea513
SHA256 b2fff4c26ca30d097a4cdc07d0b4c42e510c55b22755b0f40c68e8f470ae6332
SHA3 0930dd37a60a11fc5e0395ce79ebc78ce4cfe86b7dc020adee0190f9ed177755
VirtualSize 0x34b2
VirtualAddress 0x18000
SizeOfRawData 0x4000
PointerToRawData 0x18000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 5.81218

.data

MD5 43cd1b0954c2785708b9e8da200242e9
SHA1 8355f0ad26ff3f3dd6fda506df303ce75bc89293
SHA256 f62206d7483c82a349219dbb78a8bf1e8645525a22d90d9c8f80bc5ccf0a9d20
SHA3 a108e3f4bcdabf7280bc02ae0230c53a98f62c80d585112a56c8f75a649cef0c
VirtualSize 0x3210
VirtualAddress 0x1c000
SizeOfRawData 0x1000
PointerToRawData 0x1c000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 2.46537

.rsrc

MD5 cab878079ca8c3f53ed3e0d0414e3a3a
SHA1 28774b6e30ae73e855df7ddeb04db3abb36c5b3d
SHA256 23532b41c57385f3f0430f68f8b97a802c52dee299b9fbfcaeeac6e719c96bb3
SHA3 6eb77e2c4f48377cf6108c05ade4ec1cab83bcded347f2ce454e6b98fb63958e
VirtualSize 0x488
VirtualAddress 0x20000
SizeOfRawData 0x1000
PointerToRawData 0x1d000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 1.19437

Imports

KERNEL32.dll GetProcAddress
LoadLibraryA
GetModuleHandleW
Sleep
GetVolumeInformationW
Module32FirstW
CreateToolhelp32Snapshot
FileTimeToLocalFileTime
GetTickCount
GetSystemInfo
GetVersionExW
WideCharToMultiByte
GetACP
lstrlenW
GetModuleHandleA
GetStartupInfoA
USER32.dll GetSystemMetrics
SHLWAPI.dll wnsprintfW
MSVCRT.dll memset
memmove
memcmp
malloc
free
strstr
sscanf
strlen
localtime
time
__dllonexit
_onexit
_exit
_XcptFilter
exit
_acmdln
__getmainargs
_initterm
__setusermatherr
_adjust_fdiv
__p__commode
__p__fmode
__set_app_type
_except_handler3
_controlfp
memcpy
wcstombs
wcsrchr
__CxxFrameHandler
srand
rand
wcsncpy
swprintf
_wtoi
wcscat
_waccess
wcscpy
wcslen
strncmp
??3@YAXPAX@Z

Delayed Imports

1

Type RT_VERSION
Language Korean - Korea
Codepage UNKNOWN
Size 0x424
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 3.44994
MD5 d9d67a80b39f40b31296db0d983c98c3
SHA1 88c71a01804020c6683a0050359e1951993e8836
SHA256 022296fb41af9fd5532cefdaed9d2483df80ba947fe59fd65cf7c9499ab29551
SHA3 07f7a2f60f1dfaea065c5fa5876f4eb590bc82e9afd1c5e2557fcec63df5741a

Version Info

Signature 0xfeef04bd
StructVersion 0x10000
FileVersion 10.0.10586.0
ProductVersion 10.0.10586.0
FileFlags (EMPTY)
FileOs VOS_DOS_WINDOWS32
VOS_NT
VOS_NT_WINDOWS32
VOS_WINCE
VOS__WINDOWS32
FileType VFT_APP
Language Korean - Korea
Comments
CompanyName Microsoft Corporation
FileDescription Windows Remote Assistance SD Server
FileVersion (#2) 10.0.10586.0 (th2_release.151029-1700)
InternalName sdchange.exe
LegalCopyright Microsoft Windows Operating System
LegalTrademarks
OriginalFilename sdchange.exe.mui
PrivateBuild
ProductName Microsoft Windows Operating System
ProductVersion (#2) 10.0.10586.0
SpecialBuild
Resource LangID Korean - Korea

TLS Callbacks

Load Configuration

RICH Header

XOR Key 0x3567593c
Unmarked objects 0
14 (7299) 5
Linker (VS98 build 8168) 2
12 (7291) 2
C objects (VS98 build 8168) 25
Imports (VS2003 (.NET) build 4035) 7
Total imports 111
C++ objects (VS98 build 8168) 10
Resource objects (VS98 cvtres build 1720) 1

Errors