3cd1a0301c22df1409cefd2486f7e342

Summary

Architecture IMAGE_FILE_MACHINE_I386
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date 2017-May-23 11:58:52

Plugin Output

Suspicious PEiD Signature: UPX V2.00-V2.90 -> Markus Oberhumer & Laszlo Molnar & John Reiser
UPX -> www.upx.sourceforge.net
UPX V2.00-V2.90 -> Markus Oberhumer & Laszlo Molnar & John Reiser
UPX 2.00-3.0X -> Markus Oberhumer & Laszlo Molnar & John Reiser
Suspicious The PE is packed with UPX
Unusual section name found: UPX0
Section UPX0 is both writable and executable.
Unusual section name found: UPX1
Section UPX1 is both writable and executable.
The PE only has 6 import(s).
Suspicious The PE contains functions most legitimate programs don't use.
[!] The program may be hiding some of its imports:
  • LoadLibraryA
  • GetProcAddress
Memory manipulation functions often used by packers:
  • VirtualProtect
  • VirtualAlloc
Malicious The file contains overlay data.
478 bytes of data starting at offset 0x1c000.
The file contains a Zip Compressed Archive after the PE data.
Suspicious No VirusTotal score.
This file has never been scanned on VirusTotal.

Hashes

MD5 3cd1a0301c22df1409cefd2486f7e342
SHA1 9bd9b3d7bcbdcef0ada31f0efa1f8e88e96c2901
SHA256 7812446d1d309647e58dc436b12d3d5851fbd86cd29acc9436f9fced0d275370
SHA3 9c40f405a57c56c45bb67d9ffb7bcba4c8f3f570385c1f60a810a0729b6cd32a
SSDeep 1536:8ctc+AsTqAjg0ae2wbTbryvwq9c4ZVXNqXvGLUH5EUcAtGW+tc8BsYuz2o20:xtc+9njgy2w6vvzfXYftuEn+tLu2H0
Imports Hash e58ab46f2a279ded0846d81bf0fa21f7

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0x108

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_I386
NumberofSections 3
TimeDateStamp 2017-May-23 11:58:52
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xe0
Characteristics IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE

Image Optional Header

Magic PE32
LinkerVersion 14.0
SizeOfCode 0x1a000
SizeOfInitializedData 0x3000
SizeOfUninitializedData 0x4f000
AddressOfEntryPoint 0x00069460 (Section: UPX1)
BaseOfCode 0x50000
BaseOfData 0x6a000
ImageBase 0x400000
SectionAlignment 0x1000
FileAlignment 0x200
OperatingSystemVersion 5.1
ImageVersion 0.0
SubsystemVersion 5.1
Win32VersionValue 0
SizeOfImage 0x6d000
SizeOfHeaders 0x1000
Checksum 0
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
DllCharacteristics IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
SizeofStackReserve 0x100000
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

UPX0

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA3 a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a
VirtualSize 0x4f000
VirtualAddress 0x1000
SizeOfRawData 0
PointerToRawData 0x400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 0

UPX1

MD5 009bfd1d682b069a8263461ae157cc4c
SHA1 ef927ff40b3bc150e962766448df560503d41f48
SHA256 577bdfa2b4b03a14f3a47cd051afd9212e98764804aa1613072b28a86e795bb7
SHA3 28420ac7c2cf25b0958b63590170c512034d8cde0fbf52745fe351d495391c9d
VirtualSize 0x1a000
VirtualAddress 0x50000
SizeOfRawData 0x19800
PointerToRawData 0x400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 7.88759

.rsrc

MD5 a7db6c4b7d9a56f8044cf917104c1e72
SHA1 715d814a0af3f193528bfaf7e1aae69905352dd1
SHA256 d35b0badacc6b420bfc576f6651434dc4498704240c3e057d8a27cee2ef262a2
SHA3 f70b71dcbcbbf90e0462f72694a68280b2c6c41dd661070251a360db1efe6eaa
VirtualSize 0x3000
VirtualAddress 0x6a000
SizeOfRawData 0x2400
PointerToRawData 0x19c00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 5.3116

Imports

KERNEL32.DLL LoadLibraryA
GetProcAddress
VirtualProtect
VirtualAlloc
VirtualFree
ExitProcess

Delayed Imports

Version Info

TLS Callbacks

Load Configuration

RICH Header

Errors

[*] Warning: Could not read the Delay-Load Directory Table!
[!] Error: Could not read the IMAGE_EXPORT_DIRECTORY.
[*] Warning: Section UPX0 has a size of 0!
[*] Warning: Section UPX0 has a size of 0!