3c0d740347b0362331c882c2dee96dbf

Summary

Architecture IMAGE_FILE_MACHINE_I386
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date 2017-Dec-27 09:03:48
Detected languages English - United States

Plugin Output

Suspicious Strings found in the binary may indicate undesirable behavior: Contains references to system / monitoring tools:
  • bcdedit.exe
  • vssadmin.exe
  • wbadmin.exe
 Miscellaneous malware strings:
  • cmd.exe
Suspicious The PE is packed or was manually edited. The number of imports reported in the RICH header is inconsistent.
Malicious The PE contains functions mostly used by malware. [!] The program may be hiding some of its imports:
  • LoadLibraryW
  • GetProcAddress
 Possibly launches other programs:
  • CreateProcessW
 Functions related to the privilege level:
  • AdjustTokenPrivileges
  • OpenProcessToken
 Interacts with services:
  • EnumServicesStatusW
  • ChangeServiceConfigW
  • OpenServiceW
  • OpenSCManagerW
  • QueryServiceConfigW
 Can shut the system down or lock the screen:
  • InitiateSystemShutdownExW
Malicious VirusTotal score: 51/67 (Scanned on 2018-08-08 00:29:45) MicroWorld-eScan: Trojan.GenericKD.30937489
CAT-QuickHeal: Trojan.Multi
McAfee: Generic Trojan.i
Cylance: Unsafe
VIPRE: Trojan.Win32.Generic!BT
K7GW: Riskware ( 0040eff71 )
K7AntiVirus: Riskware ( 0040eff71 )
Arcabit: Trojan.Generic.D1D81191
TrendMicro: TROJ_DESBACK.A
NANO-Antivirus: Trojan.Win32.Deshacop.exyljh
Symantec: Trojan.Olydestroy
TrendMicro-HouseCall: TROJ_DESBACK.A
Avast: Win32:Malware-gen
Kaspersky: Trojan.Win32.Deshacop.gig
BitDefender: Trojan.GenericKD.30937489
Paloalto: generic.ml
ViRobot: Trojan.Win32.S.Agent.36864.DLR
Tencent: Win32.Trojan.Raas.Auto
Ad-Aware: Trojan.GenericKD.30937489
Emsisoft: Trojan.GenericKD.30937489 (B)
F-Secure: Trojan.GenericKD.30937489
DrWeb: Trojan.KillFiles.62445
Zillya: Trojan.Deshacop.Win32.916
McAfee-GW-Edition: Generic Trojan.i
Sophos: Troj/Olydest-B
SentinelOne: static engine - malicious
Cyren: W32/Trojan.ADHH-4673
Jiangmin: Trojan.Generic.bzhho
Webroot: W32.Trojan.Gen
Avira: TR/AD.RansomHeur.udtuk
Fortinet: W32/OlympicDestroyer.A!tr
Antiy-AVL: Trojan/Win32.Deshacop
Endgame: malicious (high confidence)
Microsoft: Trojan:Win32/Samcrex.A!dha
AegisLab: Uds.Dangerousobject.Multi!c
ZoneAlarm: Trojan.Win32.Deshacop.gig
AhnLab-V3: Backdoor/Win32.PyAgent.C2401827
ALYac: Backdoor.IRCBot.gen
AVware: Trojan.Win32.Generic!BT
MAX: malware (ai score=100)
VBA32: Trojan.Deshacop
Malwarebytes: Trojan.OlympicDestroyer.Generic
ESET-NOD32: Win32/OlympicDestroyer.A
Rising: Trojan.Win32.Destructor!1.B060 (CLOUD)
Yandex: Trojan.Deshacop!
Ikarus: Trojan-PSW.OlympicDestroyer
GData: Trojan.GenericKD.30937489
AVG: Win32:Malware-gen
Panda: Generic Malware
CrowdStrike: malicious_confidence_100% (W)
Qihoo-360: Win32/Trojan.5a2

Hashes

MD5 3c0d740347b0362331c882c2dee96dbf
SHA1 8350e06f52e5c660bb416b03edb6a5ddc50c3a59
SHA256 ae9a4e244a9b3c77d489dee8aeaf35a7c3ba31b210e76d81ef2e91790f052c85
SHA3 1947827fa3594ced009df18ef1779e8873b40d8cef2c86b7a66040ade135468d
SSDeep 384:vB4XzGShdqe/7G7orLGYhQP5Kq3F+Go2iNi/EDHVb0nuGz6RDtBWmP+LNAIFi/+:qvnL3hXakNmED1An0RZQm0NOG
Imports Hash 80b8f31030d379934ff5ad396875f2cc

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0xe8

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_I386
NumberofSections 5
TimeDateStamp 2017-Dec-27 09:03:48
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xe0
Characteristics IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE

Image Optional Header

Magic PE32
LinkerVersion 6.0
SizeOfCode 0x4c00
SizeOfInitializedData 0x4000
SizeOfUninitializedData 0
AddressOfEntryPoint 0x0000198F (Section: .text)
BaseOfCode 0x1000
BaseOfData 0x6000
ImageBase 0x400000
SectionAlignment 0x1000
FileAlignment 0x200
OperatingSystemVersion 5.1
ImageVersion 0.0
SubsystemVersion 5.1
Win32VersionValue 0
SizeOfImage 0xd000
SizeOfHeaders 0x400
Checksum 0x14268
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
DllCharacteristics IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
SizeofStackReserve 0x100000
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

.text

MD5 690f1adadac99d418ccc1f6688600a1b
SHA1 be2a319dd54b3e76de9909f7126646207833936d
SHA256 014f3b7d313fa03796a37a4d8f3c5ef99d857e4fcb84ced629e0650c016f1bc9
SHA3 7ec3278ef5f3760d74c3b06c31269db716dd310254ac4180299f694b31456b79
VirtualSize 0x4bc2
VirtualAddress 0x1000
SizeOfRawData 0x4c00
PointerToRawData 0x400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
Entropy 6.48918

.rdata

MD5 8aa983acdba0b33b5ae77a395f65f5bc
SHA1 99143ba75053edfb7f7e2257c6aff5db88f1c89f
SHA256 88ae41ad70fe08009ebffd42f38112238e514e8ec645a21ed7375471fc25a267
SHA3 de10cba9c881dd45f301179c864415a7d2cce3b203a12ef6e8870fce9fc496d5
VirtualSize 0x263e
VirtualAddress 0x6000
SizeOfRawData 0x2800
PointerToRawData 0x5000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 4.62339

.data

MD5 938455cf83e19f2e434867c232e71ef3
SHA1 0e21888ae9386018b91dd9fa75aedcca5d30d075
SHA256 50e21b6b71c40d86a3c3e5b564307e333cfbeb1ced4670f5f75b1691988455a3
SHA3 aba381faa47dc40257f28bf10b969b21d4cf829c117d0c46e91797809a35ce70
VirtualSize 0x18c0
VirtualAddress 0x9000
SizeOfRawData 0xc00
PointerToRawData 0x7800
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 2.45065

.rsrc

MD5 cbed5934db097568410d86632c2e360a
SHA1 f073adfedffc1297ed72334fa73b7368aace72d1
SHA256 8f5bcad88b2ab08c3b3131715500ec5ed2a6d8483c7f4f7d8e2d0104f5faf70d
SHA3 4790c8eb398500d3c93bb767f0aa63dc269eacad84b3e53e6d2c4e999f07c06f
VirtualSize 0x1b4
VirtualAddress 0xb000
SizeOfRawData 0x200
PointerToRawData 0x8400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 5.09798

.reloc

MD5 15b4e9af955cb2509807deb288415785
SHA1 e964531073d67c3246ddcef27104b3c874fc1093
SHA256 80784232ec90cfce6ea7a86c275b66e832ec99c65f21d6e7de5d81063d6348b0
SHA3 9ec18976b8149ea1b34261bb59b85bfd42e2af409d1d5d08478a22ee18c8b7ea
VirtualSize 0x85c
VirtualAddress 0xc000
SizeOfRawData 0xa00
PointerToRawData 0x8600
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Entropy 4.99187

Imports

KERNEL32.dll GlobalAlloc
GetSystemDirectoryW
Sleep
Wow64DisableWow64FsRedirection
Wow64RevertWow64FsRedirection
CreateFileW
SetThreadPriority
FlushFileBuffers
GetFileSizeEx
WriteFile
GlobalFree
FindClose
FindNextFileW
CloseHandle
CreateThread
HeapReAlloc
GetStringTypeW
GetProcessHeap
GetCurrentThread
WaitForSingleObject
HeapFree
GetCurrentProcess
HeapAlloc
CreateProcessW
SetFilePointer
FindFirstFileW
GetLastError
ExitProcess
MultiByteToWideChar
LCMapStringW
HeapSize
RtlUnwind
IsValidCodePage
GetOEMCP
GetACP
GetCPInfo
LoadLibraryW
GetCommandLineA
HeapSetInformation
GetStartupInfoW
TerminateProcess
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
GetProcAddress
GetModuleHandleW
DecodePointer
GetStdHandle
GetModuleFileNameW
GetModuleFileNameA
FreeEnvironmentStringsW
WideCharToMultiByte
GetEnvironmentStringsW
SetHandleCount
InitializeCriticalSectionAndSpinCount
GetFileType
DeleteCriticalSection
EncodePointer
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
InterlockedIncrement
SetLastError
GetCurrentThreadId
InterlockedDecrement
HeapCreate
QueryPerformanceCounter
GetTickCount
GetCurrentProcessId
GetSystemTimeAsFileTime
LeaveCriticalSection
EnterCriticalSection
IsProcessorFeaturePresent
USER32.dll wsprintfW
ADVAPI32.dll InitiateSystemShutdownExW
AdjustTokenPrivileges
EnumServicesStatusW
ChangeServiceConfigW
LookupPrivilegeValueW
OpenServiceW
OpenSCManagerW
OpenProcessToken
CloseServiceHandle
QueryServiceConfigW
SHLWAPI.dll #156
PathAppendW
PathRemoveArgsW
MPR.dll WNetEnumResourceW
WNetAddConnection2W
WNetCancelConnection2W
WNetOpenEnumW
WNetCloseEnum

Delayed Imports

1

Type RT_MANIFEST
Language English - United States
Codepage Latin 1 / Western European
Size 0x15a
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 4.79597
MD5 24d3b502e1846356b0263f945ddd5529
SHA1 bac45b86a9c48fc3756a46809c101570d349737d
SHA256 49a60be4b95b6d30da355a0c124af82b35000bce8f24f957d1c09ead47544a1e
SHA3 1244ed60820da52dc4b53880ec48e3b587dbdbd9545f01fa2b1c0fcfea1d5e9e

Version Info

TLS Callbacks

Load Configuration

Size 0x48
TimeDateStamp 1970-Jan-01 00:00:00
Version 0.0
GlobalFlagsClear (EMPTY)
GlobalFlagsSet (EMPTY)
CriticalSectionDefaultTimeout 0
DeCommitFreeBlockThreshold 0
DeCommitTotalFreeThreshold 0
LockPrefixTable 0
MaximumAllocationSize 0
VirtualMemoryThreshold 0
ProcessAffinityMask 0
ProcessHeapFlags (EMPTY)
CSDVersion 0
Reserved1 0
EditList 0
SecurityCookie 0x409004
SEHandlerTable 0x407b80
SEHandlerCount 3

RICH Header

XOR Key 0x2a497f97
Unmarked objects 0
12 (7291) 1
C objects (8047) 11
14 (7299) 5
Linker (8047) 4
Imports (VS2003 (.NET) build 4035) 7
Total imports 77
C++ objects (VS98 SP6 build 8804) 3

Errors

<-- -->