3c6218aa31d514510b11251318631914

Summary

Architecture IMAGE_FILE_MACHINE_I386
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date 2009-Dec-05 22:50:46
Detected languages English - United States
Russian - Russia
CompanyName diakov.net
FileDescription StartIsBack++ 2.9.0

Plugin Output

Info Interesting strings found in the binary: Contains domain names:
  • diakov.net
  • http://nsis.sf.net
  • http://nsis.sf.net/NSIS_Error
  • nsis.sf.net
Suspicious The PE is an NSIS installer.
Unusual section name found: .ndata
Info The PE contains common functions which appear in legitimate applications.
[!] The program may be hiding some of its imports:
  • LoadLibraryA
  • LoadLibraryExA
  • GetProcAddress
Can access the registry:
  • RegQueryValueExA
  • RegSetValueExA
  • RegEnumKeyA
  • RegEnumValueA
  • RegOpenKeyExA
  • RegDeleteKeyA
  • RegDeleteValueA
  • RegCloseKey
  • RegCreateKeyExA
Possibly launches other programs:
  • CreateProcessA
  • ShellExecuteA
Can create temporary files:
  • CreateFileA
  • GetTempPathA
Can shut the system down or lock the screen:
  • ExitWindowsEx
Suspicious The file contains overlay data: 1286176 bytes of data starting at offset 0x13000.
The overlay data has an entropy of 7.97762 and is possibly compressed or encrypted.
Overlay data accounts for 94.2944% of the executable.
Malicious VirusTotal score: 3/70 (Scanned on 2021-03-09 03:42:09)
  • Bkav: W32.AIDetect.malware1
  • APEX: Malicious
  • Jiangmin: Trojan.Injuke.cj

Hashes

MD5 3c6218aa31d514510b11251318631914
SHA1 dd63137687548c166c13c67e7802969ae9943385
SHA256 36f7085ad15b48d3870728e8e154a2c580829b7670e0a4bd352d52b151908186
SHA3 a32393026357a284b31e239ab359cfc869f2db251c5ee5a63ae50e25a8ab376a
SSDeep 24576:NjKpnIYr6nC5NOklgc92dCNS2dh4OIxj8R+g5pzKodjeEQoWPFYd9TKXJc:iZACPOkqc92dCSBWRQqMPaai
Imports Hash 099c0646ea7282d232219f8807883be0

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0xd8

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_I386
NumberofSections 5
TimeDateStamp 2009-Dec-05 22:50:46
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xe0
Characteristics IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_RELOCS_STRIPPED

Image Optional Header

Magic PE32
LinkerVersion 6.0
SizeOfCode 0x5c00
SizeOfInitializedData 0x1d400
SizeOfUninitializedData 0x400
AddressOfEntryPoint 0x0000323C (Section: .text)
BaseOfCode 0x1000
BaseOfData 0x7000
ImageBase 0x400000
SectionAlignment 0x1000
FileAlignment 0x200
OperatingSystemVersion 4.0
ImageVersion 6.0
SubsystemVersion 4.0
Win32VersionValue 0
SizeOfImage 0x3d000
SizeOfHeaders 0x400
Checksum 0
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
DllCharacteristics IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
SizeofStackReserve 0x100000
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

.text

MD5 0bc2ffd32265a08d72b795b18265828d
SHA1 dd2a446014a37556f39173b802c63a4e46e09366
SHA256 c5ee0a2892a4f9c317f9b33bfc3531e0235faa9a2a3b4c41bd71d39e4fd87d6f
SHA3 11ea595bc9adc98eea7c16af8a6b74aa6435a680e4c4d3de0baa4e919d3f2e25
VirtualSize 0x5a5a
VirtualAddress 0x1000
SizeOfRawData 0x5c00
PointerToRawData 0x400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
Entropy 6.4177

.rdata

MD5 f179218a059068529bdb4637ef5fa28e
SHA1 6035d27db526131eb0f29aee60cfcdbb5072ed7d
SHA256 f80bf00310bd25e46e26c4b2042fa8215c3e5ce759947fe081d25b454dfc0fbe
SHA3 1a90c2506162a31f6264cafaafb479568941dc807c95a93babd7ebe526f2181f
VirtualSize 0x1190
VirtualAddress 0x7000
SizeOfRawData 0x1200
PointerToRawData 0x6000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 5.18163

.data

MD5 975304d6dd6c4a4f076b15511e2bbbc0
SHA1 1f65340672c91ffd0f2583ff104beaece43c7855
SHA256 1e9a47766ca6c6ff180369d74d6db2eea7fd80b802eb3c8f1c1da79cfcafebc7
SHA3 bfd0fac532943cab215e411ffa4d4dd8a8a1063e6169fbe8f202a02192a9acae
VirtualSize 0x1af98
VirtualAddress 0x9000
SizeOfRawData 0x400
PointerToRawData 0x7200
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 4.70903

.ndata

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA3 a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a
VirtualSize 0xd000
VirtualAddress 0x24000
SizeOfRawData 0
PointerToRawData 0
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc

MD5 3ed0373ce9fd9405f0f57280444c2c39
SHA1 bbaaee85d9773f43a7b69245b857ca6870773d3c
SHA256 71b151ee5711691620996faf08e4d13633eba06d655ef38a338f8f3963b25890
SHA3 7169296731454e98c8a60929b561050e9e6d48103c2578b14cf897575d2014a8
VirtualSize 0xba00
VirtualAddress 0x31000
SizeOfRawData 0xba00
PointerToRawData 0x7600
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 5.98306

Imports

KERNEL32.dll CompareFileTime
SearchPathA
GetShortPathNameA
GetFullPathNameA
MoveFileA
SetCurrentDirectoryA
GetFileAttributesA
GetLastError
CreateDirectoryA
SetFileAttributesA
Sleep
GetTickCount
CreateFileA
GetFileSize
GetModuleFileNameA
GetCurrentProcess
CopyFileA
ExitProcess
SetFileTime
GetTempPathA
GetCommandLineA
SetErrorMode
LoadLibraryA
lstrcpynA
GetDiskFreeSpaceA
GlobalUnlock
GlobalLock
CreateThread
CreateProcessA
RemoveDirectoryA
GetTempFileNameA
lstrlenA
lstrcatA
GetSystemDirectoryA
GetVersion
CloseHandle
lstrcmpiA
lstrcmpA
ExpandEnvironmentStringsA
GlobalFree
GlobalAlloc
WaitForSingleObject
GetExitCodeProcess
GetModuleHandleA
LoadLibraryExA
GetProcAddress
FreeLibrary
MultiByteToWideChar
WritePrivateProfileStringA
GetPrivateProfileStringA
WriteFile
ReadFile
MulDiv
SetFilePointer
FindClose
FindNextFileA
FindFirstFileA
DeleteFileA
GetWindowsDirectoryA
USER32.dll EndDialog
ScreenToClient
GetWindowRect
EnableMenuItem
GetSystemMenu
SetClassLongA
IsWindowEnabled
SetWindowPos
GetSysColor
GetWindowLongA
SetCursor
LoadCursorA
CheckDlgButton
GetMessagePos
LoadBitmapA
CallWindowProcA
IsWindowVisible
CloseClipboard
SetClipboardData
EmptyClipboard
RegisterClassA
TrackPopupMenu
AppendMenuA
CreatePopupMenu
GetSystemMetrics
SetDlgItemTextA
GetDlgItemTextA
MessageBoxIndirectA
CharPrevA
DispatchMessageA
PeekMessageA
DestroyWindow
CreateDialogParamA
SetTimer
SetWindowTextA
PostQuitMessage
SetForegroundWindow
wsprintfA
SendMessageTimeoutA
FindWindowExA
SystemParametersInfoA
CreateWindowExA
GetClassInfoA
DialogBoxParamA
CharNextA
OpenClipboard
ExitWindowsEx
IsWindow
GetDlgItem
SetWindowLongA
LoadImageA
GetDC
EnableWindow
InvalidateRect
SendMessageA
DefWindowProcA
BeginPaint
GetClientRect
FillRect
DrawTextA
EndPaint
ShowWindow
GDI32.dll SetBkColor
GetDeviceCaps
DeleteObject
CreateBrushIndirect
CreateFontIndirectA
SetBkMode
SetTextColor
SelectObject
SHELL32.dll SHGetPathFromIDListA
SHBrowseForFolderA
SHGetFileInfoA
ShellExecuteA
SHFileOperationA
SHGetSpecialFolderLocation
ADVAPI32.dll RegQueryValueExA
RegSetValueExA
RegEnumKeyA
RegEnumValueA
RegOpenKeyExA
RegDeleteKeyA
RegDeleteValueA
RegCloseKey
RegCreateKeyExA
COMCTL32.dll ImageList_AddMasked
ImageList_Destroy
#17
ImageList_Create
ole32.dll CoTaskMemFree
OleInitialize
OleUninitialize
CoCreateInstance
VERSION.dll GetFileVersionInfoSizeA
GetFileVersionInfoA
VerQueryValueA

Delayed Imports

Resources

1

Type RT_ICON
Language English - United States
Codepage UNKNOWN
Size 0x4228
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 4.76851
MD5 7a57c333a8215b53bd30f9db2ef8b8a5
SHA1 34270812d5f5e1f9fd50c98605abd3687f7c7ff7
SHA256 6c15d25b119f52782a0a4da05b711f7e2cdc4fd2b10c5b95fb39e61df602de77
SHA3 f108394c87d8817434aa425c29d9ef0dd5290e26552ddafab664730f45074ae2

2

Type RT_ICON
Language English - United States
Codepage UNKNOWN
Size 0x2faa
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 7.79003
Detected Filetype PNG graphic file
MD5 50c8bb3cb0bbe8512fc5e87797dfa76e
SHA1 85820207272ad75381d9df632af4cba2a88a0281
SHA256 cebf061dabc7cf01c698d0dfecd6feb3bba81e5b39a8c9df7a7720ea8bf7c3dd
SHA3 6fd2826829dcd01ddf37b7e28c278eaf6d02404a9fbd8ffc65665066866f5ba6

3

Type RT_ICON
Language English - United States
Codepage UNKNOWN
Size 0x25a8
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 4.81783
MD5 e276fe303d361d4d5588a41dccea1cb6
SHA1 9c06f6db8d3bbf2918633c37b2fa7ae3fede256d
SHA256 6bc6ae1410f763a4d2873ac7736b834fb409086f1823b2a1dc4103cfaa4c4fa1
SHA3 45a5d3443ada2f4e1386fa38967c7e56987439ee04cb0116b3f3106382c7fc6e

4

Type RT_ICON
Language English - United States
Codepage UNKNOWN
Size 0x10a8
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 4.75654
MD5 bc57d4129e0ea648002ecd7f6726268d
SHA1 93564fdedb2531cd0f6f8fc6a3c90b77152e8f71
SHA256 4f430ae348e8cd67700d429f420004026d29886b84b903887dc9ab1057f570bc
SHA3 7d58e128e38b238925903621f6db0a28b41a58e684b68876f956143b0bba2351

5

Type RT_ICON
Language English - United States
Codepage UNKNOWN
Size 0x468
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 4.82862
MD5 173d82a7f74f5e40fa6a20d9122e5a74
SHA1 81f4522f9dbfa133fc90439b5359b4b9c213c3c7
SHA256 00467314daf6eb806bb93c44fc3da1329705e2757138ed808ee0cdae837401fc
SHA3 34aad4a04a6ffed106f015073fb06a51d182789f76b4c9e193d79efe042256b2

6

Type RT_ICON
Language English - United States
Codepage UNKNOWN
Size 0x2e8
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 0
MD5 809457c05fe696f5d34ac5ac8768cdd4
SHA1 a2c3e4966415100c7d24f7f3dc7e27d2a60d20c9
SHA256 1b66520d471367f736d50c070a2e2bba8ad88ac58743394a764b888e9cb6f6be
SHA3 002d1b10f28d74c7572fc7c5b403eb32f2a0540c4958d7878ef67edfd17c8109

7

Type RT_ICON
Language English - United States
Codepage UNKNOWN
Size 0x128
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 0
MD5 982079681d7ad12766abc44f06946f3e
SHA1 50f73ed0787bf5911bb907e487efbc84a9714e48
SHA256 250f52cb2d6f1966a29f6ac771fa1cd185b8f8531396c8a4026c0fe635617e0c
SHA3 b8805d45012d79cfa8bb45e23c9b4a4421cd91538d569e58437efa0f545cf4d4

105

Type RT_DIALOG
Language English - United States
Codepage UNKNOWN
Size 0x100
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 2.51583
MD5 93da99c210fd220680d35ede466fccd5
SHA1 6f17e52a35a221240a3a6cfd8c65294f7bb93f14
SHA256 b186204de4669e0e1a8fbc2d883478ae0a2b7f54e56f63574e540e4b17979fd8
SHA3 b5bc5f45bc7abbab06556969df7f182fac5997e80c6ba134f17479304dd347a4

106

Type RT_DIALOG
Language English - United States
Codepage UNKNOWN
Size 0x11c
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 2.87057
MD5 db490c7adf91909af24b66d6a1e2b7cf
SHA1 8b874aaca961ce7107215471dcf2a0a812a4f989
SHA256 8203ab181593a548c80ed642a3cb2aea8de256bf30c797f76d9095b913c10132
SHA3 082e34f3f812097b1b29cfa07f4548946f08910c2e87731251313d70404f4827

111

Type RT_DIALOG
Language English - United States
Codepage UNKNOWN
Size 0x60
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 2.48825
MD5 6be4e1387d369cf86e68eacbdd0e81dd
SHA1 351970fe2681b9b35b5d59ad052011ed96a96e17
SHA256 85025c8556952f6a651c2468c8a0d58853b0ba482be9ad5cd3060f216540dfc0
SHA3 45e552e173141e06d113209b6cc915042ad0b4d5531464b8dbe5637029f489cb

103

Type RT_GROUP_ICON
Language English - United States
Codepage UNKNOWN
Size 0x68
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 3.02243
Detected Filetype Icon file
MD5 f8ef74a3ec9139d9908f57a5c165ec60
SHA1 0e87033a0278c5b96127ad58be5338fb8de501f5
SHA256 0b00e48de90adf8bc9e49c57a507c725f26ce44da39e4c5aafa2dd239236b404
SHA3 1ffda8736da29d14e908d4927c8e29caee1088f3c864295e4e5a31ee622db676

1 (#2)

Type RT_VERSION
Language Russian - Russia
Codepage UNKNOWN
Size 0x164
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 3.13668
MD5 5e09e5e0220ab54a073e48d2ff2037c4
SHA1 5b7099e97a5144accbd24fa6f893ba7ce6e2bb82
SHA256 70372c89a90e0e697a35b4c9d5126160a5f22e50d583e93cf862c7971bb60ba3
SHA3 659d52aa46781a73973f927edcf51e0031fdcd873bd42c9a3aca7a2da653bf19

1 (#3)

Type RT_MANIFEST
Language English - United States
Codepage UNKNOWN
Size 0x215
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 5.10394
MD5 6f1fa2dee815707f6c8db07afb4b18c1
SHA1 c96d1933d55c50e9d6ef96edd688ceedd40bb203
SHA256 88c91f1165efa7a0b506ba4eba225b865b4f41798c813648a1677f6bf3e1efcd
SHA3 ec52942465ed8024f844234fed6211fe66082c8fe074eed5103b3e825c09b617

Version Info

Signature 0xfeef04bd
StructVersion 0
FileVersion 2.9.0.0
ProductVersion 2.9.0.0
FileFlags (EMPTY)
FileOs VOS_DOS_WINDOWS32
VOS_NT_WINDOWS32
VOS__WINDOWS32
FileType VFT_APP
Language Russian - Russia
CompanyName diakov.net
FileDescription StartIsBack++ 2.9.0
Resource LangID Russian - Russia

TLS Callbacks

Load Configuration

RICH Header

XOR Key 0x69ead975
Unmarked objects 0
C objects (VS2003 (.NET) build 4035) 2
Total imports 155
Imports (VS2003 (.NET) build 4035) 17
48 (9044) 10
Resource objects (VS98 SP6 cvtres build 1736) 1

Errors

[*] Warning: Section .ndata has a size of 0!