39e88656f1ca4486a80bb2d9fb1b4547

Summary

Architecture IMAGE_FILE_MACHINE_I386
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date 2006-Mar-04 17:05:21
Detected languages English - United States

Plugin Output

Suspicious Strings found in the binary may indicate undesirable behavior:
  Miscellaneous malware strings:
  • virus
Suspicious The PE is an NSIS installer.
  Unusual section name found: .ndata
Info The PE contains common functions which appear in legitimate applications.
  [!] The program may be hiding some of its imports:
  • LoadLibraryA
  • GetProcAddress
Can access the registry:
  • RegQueryValueExA
  • RegSetValueExA
  • RegEnumKeyA
  • RegEnumValueA
  • RegOpenKeyExA
  • RegDeleteKeyA
  • RegDeleteValueA
  • RegCloseKey
  • RegCreateKeyExA
Possibly launches other programs:
  • CreateProcessA
  • ShellExecuteA
Can create temporary files:
  • GetTempPathA
  • CreateFileA
Can shut the system down or lock the screen:
  • ExitWindowsEx
Suspicious The file contains overlay data. 2148468 bytes of data starting at offset 0xdc00.
The overlay data has an entropy of 7.99991 and is possibly compressed or encrypted.
Overlay data amounts for 97.4456% of the executable.
Malicious VirusTotal score: 3/72 (Scanned on 2024-07-23 19:29:42)
  CrowdStrike: win/grayware_confidence_60% (D)
  Google: Detected
  Kingsoft: malware.kb.a.871

Hashes

MD5 39e88656f1ca4486a80bb2d9fb1b4547
SHA1 79e97d075ea6c116a7beed07debda9de9bb0fc79
SHA256 8fb7f926f77a5de69b230bae14817ad2aaf4c195d2ded3850217fa364c6b4bd4
SHA3 34f3893e40b6738eccf890c3e4661bf8704a67847d59b492827ae5d7ca50e7e1
SSDeep 49152:m7WDfvaVqfI3CPtg2IoPHu894yIbv0lQn0fb6v:fCXCPy2IoPHu8SyIbvZn0fb6v
Imports Hash 18bc6fa81e19f21156316b1ae696ed6b

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0xd8

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_I386
NumberofSections 5
TimeDateStamp 2006-Mar-04 17:05:21
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xe0
Characteristics IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_RELOCS_STRIPPED

Image Optional Header

Magic PE32
LinkerVersion 6.0
SizeOfCode 0x5a00
SizeOfInitializedData 0x1d800
SizeOfUninitializedData 0x400
AddressOfEntryPoint 0x0000313E (Section: .text)
BaseOfCode 0x1000
BaseOfData 0x7000
ImageBase 0x400000
SectionAlignment 0x1000
FileAlignment 0x200
OperatingSystemVersion 4.0
ImageVersion 0.0
SubsystemVersion 4.0
Win32VersionValue 0
SizeOfImage 0x37000
SizeOfHeaders 0x400
Checksum 0
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
SizeofStackReserve 0x100000
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

.text

MD5 f8454dd903a7a9ebc5ee7888c9188af2
SHA1 7929cb3c51bad962d6688daca5e38cfd78c873cc
SHA256 186bc914508bc15dbf25d09a12955547af9c2d890c4a478485f12c811f93ae56
SHA3 5381443d51cbd03f8669b324c11a6efc349b6502b716b431cff0d7cf68389e06
VirtualSize 0x587a
VirtualAddress 0x1000
SizeOfRawData 0x5a00
PointerToRawData 0x400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
Entropy 6.39347

.rdata

MD5 f47fe79f4f3cdd662160aa57bd28b002
SHA1 81b90c9c0ee7f8d88a208ef81aa43fabe894808a
SHA256 903cc234844e99aca663b9ec51b4ca60cb2881cf3ce2c2aaedb0274c14108cbc
SHA3 7e4e51f1dd6a4c0f4f6bd0379369c480d8bb2820d4d1751325f3cbafcbf0ae57
VirtualSize 0x10ee
VirtualAddress 0x7000
SizeOfRawData 0x1200
PointerToRawData 0x5e00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 5.0375

.data

MD5 ffc3dff3be72fa1eaeee3fdf1b6ede1c
SHA1 ca18277925bf01392aa953beaf3daee992da3b48
SHA256 589fa8b3e4ce907af05254f33ac2974f4441d2113922073efb2e8fe334979f6e
SHA3 c3adb81da47f0e61dd8c384949ff8ffce685ec9a67d12b6d5d87a5bde4e16453
VirtualSize 0x1b3d4
VirtualAddress 0x9000
SizeOfRawData 0x400
PointerToRawData 0x7000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 5.06091

.ndata

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA3 a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a
VirtualSize 0xb000
VirtualAddress 0x25000
SizeOfRawData 0
PointerToRawData 0
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc

MD5 9851f3b65f365d0960fc2093b7cb61aa
SHA1 fa2695496d61d9218b4494653b73978a5914a6c8
SHA256 270bb3d4771fb5c84da9ae0954fcee7f3b40623818e334797602fe2ec6c86d5a
SHA3 102c1dd684768f4671481d78307a41156ccd910bd69049687985827bd8ec9bc9
VirtualSize 0x7000
VirtualAddress 0x30000
SizeOfRawData 0x6800
PointerToRawData 0x7400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 5.20305

Imports

KERNEL32.dll
CloseHandle
SetFileTime
CompareFileTime
SearchPathA
GetShortPathNameA
GetFullPathNameA
MoveFileA
SetCurrentDirectoryA
GetFileAttributesA
GetLastError
CreateDirectoryA
SetFileAttributesA
Sleep
GetFileSize
GetModuleFileNameA
GetTickCount
GetCurrentProcess
lstrcmpiA
ExitProcess
GetCommandLineA
GetWindowsDirectoryA
GetTempPathA
lstrcpynA
GetDiskFreeSpaceA
GlobalUnlock
GlobalLock
CreateThread
CreateProcessA
RemoveDirectoryA
CreateFileA
GetTempFileNameA
lstrlenA
lstrcatA
GetSystemDirectoryA
lstrcmpA
GetEnvironmentVariableA
ExpandEnvironmentStringsA
GlobalFree
GlobalAlloc
WaitForSingleObject
GetExitCodeProcess
SetErrorMode
GetModuleHandleA
LoadLibraryA
GetProcAddress
FreeLibrary
MultiByteToWideChar
WritePrivateProfileStringA
GetPrivateProfileStringA
WriteFile
ReadFile
MulDiv
SetFilePointer
FindClose
FindNextFileA
FindFirstFileA
DeleteFileA
CopyFileA
USER32.dll
ScreenToClient
GetWindowRect
SetClassLongA
IsWindowEnabled
SetWindowPos
GetSysColor
GetWindowLongA
SetCursor
LoadCursorA
CheckDlgButton
GetMessagePos
LoadBitmapA
CallWindowProcA
IsWindowVisible
CloseClipboard
SetClipboardData
EmptyClipboard
OpenClipboard
EndDialog
AppendMenuA
CreatePopupMenu
GetSystemMetrics
SetDlgItemTextA
GetDlgItemTextA
MessageBoxA
CharPrevA
DispatchMessageA
PeekMessageA
CreateDialogParamA
DestroyWindow
SetTimer
SetWindowTextA
PostQuitMessage
SetForegroundWindow
wsprintfA
SendMessageTimeoutA
FindWindowExA
RegisterClassA
SystemParametersInfoA
CreateWindowExA
GetClassInfoA
DialogBoxParamA
CharNextA
TrackPopupMenu
ExitWindowsEx
IsWindow
GetDlgItem
SetWindowLongA
LoadImageA
GetDC
EnableWindow
InvalidateRect
SendMessageA
DefWindowProcA
BeginPaint
GetClientRect
FillRect
DrawTextA
EndPaint
ShowWindow
GDI32.dll
SetBkColor
GetDeviceCaps
DeleteObject
CreateBrushIndirect
CreateFontIndirectA
SetBkMode
SetTextColor
SelectObject
SHELL32.dll
SHGetMalloc
SHGetPathFromIDListA
SHBrowseForFolderA
SHGetFileInfoA
ShellExecuteA
SHFileOperationA
SHGetSpecialFolderLocation
ADVAPI32.dll
RegQueryValueExA
RegSetValueExA
RegEnumKeyA
RegEnumValueA
RegOpenKeyExA
RegDeleteKeyA
RegDeleteValueA
RegCloseKey
RegCreateKeyExA
COMCTL32.dll
ImageList_AddMasked
ImageList_Destroy
#17
ImageList_Create
ole32.dll
OleInitialize
OleUninitialize
CoCreateInstance
VERSION.dll
GetFileVersionInfoSizeA
GetFileVersionInfoA
VerQueryValueA

Delayed Imports

1

Type RT_ICON
Language English - United States
Codepage UNKNOWN
Size 0x568
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 3.32368
MD5 8dbf2f4af81697ee8cdd9381ea302abd
SHA1 620528e5b200ad9c77d0e661cfb03dd087e7350b
SHA256 fa0d1cdeb888bbac7f8c2bb786f1f7546fafcf8b3dab8c11735d48882ec45045
SHA3 115cb13dfc9dd942066ba975631232e4df768a9ef756ff0782d9a4a1de041333

2

Type RT_ICON
Language English - United States
Codepage UNKNOWN
Size 0x128
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 4.57627
MD5 5f198b54e1f269eac337ad5cc0c9c9f4
SHA1 1256068b1512c79dab0059f59d003e52125b1a0a
SHA256 6094535ba2f4f089992931a2ba3324f19e6d17b9138237a4d8e7dae3e6949edb
SHA3 47c9f5a69db5d9437eb840fe9d8d1b73e5332e260f7f74e46f125f4477518782

3

Type RT_ICON
Language English - United States
Codepage UNKNOWN
Size 0x2e8
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 5.69023
MD5 63a4193b244c87cba20defe5cdde49ce
SHA1 3aa598fa2c42e3de27a28871a6514579d8f2855d
SHA256 a9dfeb025bbc82b7ccd811c4998ac1641f2b62b27c83f6d01603bef0b62cc3f3
SHA3 9d4108a7d40db86d793da875630ddf4a2b784fde5a2a950f9626e95883d9a89f

4

Type RT_ICON
Language English - United States
Codepage UNKNOWN
Size 0xca8
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 5.21817
MD5 f739bdcf0ffa5ee77004d3cc7b0afaf1
SHA1 e96546747cc7ba87bae868d34a809c7816b3d797
SHA256 2ee59aa544133ae308aab355d79b73ba51001f63166b3c52a7d4593b5eaee8a8
SHA3 d0364db1af6421b8400b6fe49651af9b8e6a5070fdcfb52ff70e91b7abb663b9

5

Type RT_ICON
Language English - United States
Codepage UNKNOWN
Size 0x1ca8
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 4.31484
MD5 24306406702d9b0045b7dedeae9b49e0
SHA1 cfbc4ca1ffddd61142ef8e665513bd06755709c9
SHA256 623864a3c80ee0f46ec8d6494ff31f6fa66acb2d702045cdbd9e69e7d548f89e
SHA3 a80e222b46fcc98070b34a42114d5ea30f6b348c9dd37a9803786cff0e717bc5

6

Type RT_ICON
Language English - United States
Codepage UNKNOWN
Size 0xea8
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 4.70435
MD5 7f5e3cd09527262169cb016485ab10cc
SHA1 0a7fcb8619ba817a28473bd647f82916111bb429
SHA256 d248e5e3905d8cfa0c273985410bf07369500df62c2786f97064c5a49dd98150
SHA3 2487fbe25711e9a1bf4f5bd887a9f666e496fbb2ac6190f3bd805cb073dd653a

7

Type RT_ICON
Language English - United States
Codepage UNKNOWN
Size 0x1ca8
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 4.30301
MD5 7e4f0452c575e6b41adeb8746d7148db
SHA1 20c643d3b39db01a2f48fa77dfb7d726645aaac9
SHA256 0353ea99167fb780b651271ac2696fd66e676f3b1dca2e833a17faa2cb9120cb
SHA3 e28fe9a483054211d7ab574e63fe888cbef6cbaaa77e6e044bc8fa02e914161b

105

Type RT_DIALOG
Language English - United States
Codepage UNKNOWN
Size 0x202
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 2.73893
MD5 386770584473e271f23dced36427f4ff
SHA1 d14ce95f784b35e4e3ebee535476ebcd3e380c19
SHA256 425b8270f7ca42a927eae6bea468acf414a3e4b58b5ba2c56aaae4d1b2c11014
SHA3 db13e5969376b27e8443eebff685230e2b74685aeb2fba73973f06e5cddc8662

106

Type RT_DIALOG
Language English - United States
Codepage UNKNOWN
Size 0xf8
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 2.91148
MD5 fa83652660409e90e0db9731ad2adb17
SHA1 0a8f0af67723c87fe26ccf676b8e19ec6357b4dc
SHA256 4a55bd714f5d50cd8eabba10e57f0618f1842717dcfa582d73a917b1933cd1d4
SHA3 5b3e1cb25be7a2dbae4f08f0d4794ed23dbd6ea37a3f9702be12dba588f42a7b

111

Type RT_DIALOG
Language English - United States
Codepage UNKNOWN
Size 0xee
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 2.92787
MD5 5dfa289639a3bcc0497da8db163f01fe
SHA1 6e2c6ea1e2594b66f563fb589276642c127e875f
SHA256 18466509968c3c0bf92ba410fea075def2b257a5a799a113cbc60f13e75f4b01
SHA3 85abdc8c431d91c72f3595a39881c96637ead09a0278d3cec0c1c9a8d873f031

103

Type RT_GROUP_ICON
Language English - United States
Codepage UNKNOWN
Size 0x68
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 2.36171
Detected Filetype Icon file
MD5 246f8f3054c4719d13ed255ded46616b
SHA1 67434e8fbec19eb7a8a1fb02d4e1491daad16a12
SHA256 a313a5faef29f23f23a10e2fd2e2f6c1acf721936a12536956472370ae81add4
SHA3 e106f13810dc7609e43b4c302d998e1a353bbc077f07c8b93a85b8cbc37ac634

1 (#2)

Type RT_MANIFEST
Language English - United States
Codepage UNKNOWN
Size 0x214
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 5.10105
MD5 6e2d798d9abdbe0f7330de50cc0fd047
SHA1 2fb13204c35e7bfc291d708afc334598ebdcfd35
SHA256 6b8433129cecd4749949f369d536732da27b0d0ad2138797cfc37e2e2930b895
SHA3 af4be3e7e827fb497cc1986512d1e985aa2730d9bb70ac2971e488bb59805dd8

Version Info

TLS Callbacks

Load Configuration

RICH Header

XOR Key 0xfb240da1
Unmarked objects 0
C objects (2190) 2
Total imports 152
Imports (2179) 17
48 (9044) 9
Resource objects (VS98 SP6 cvtres build 1736) 1

Errors

[*] Warning: Section .ndata has a size of 0!