3edce4d49a2f31b8ba9bad0b8ef54963

Summary

Architecture IMAGE_FILE_MACHINE_I386
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date 2017-Jul-11 18:26:59

Plugin Output

Info Matching compiler(s):
  • Microsoft Visual C++ v6.0 DLL
  • Microsoft Visual C++ 6.0 DLL (Debug)
  • Microsoft Visual C++ 6.0 - 8.0
  • Microsoft Visual C++ 6.0 DLL
Info Cryptographic algorithms detected in the binary:
  • Uses constants related to CRC32
  • Uses constants related to MD5
  • Uses constants related to SHA1
Suspicious The PE contains functions most legitimate programs don't use.
[!] The program may be hiding some of its imports:
  • LoadLibraryA
  • GetProcAddress
Functions which can be used for anti-debugging purposes:
  • CreateToolhelp32Snapshot
Can access the registry:
  • SHDeleteKeyW
Memory manipulation functions often used by packers:
  • VirtualAlloc
  • VirtualProtect
Enumerates local disk drives:
  • GetVolumeInformationW
Malicious VirusTotal score: 39/66 (Scanned on 2019-09-08 22:57:39)
MicroWorld-eScan: Gen:Variant.Zusy.290462
FireEye: Generic.mg.3edce4d49a2f31b8
ALYac: Gen:Variant.Zusy.290462
Cylance: Unsafe
BitDefender: Gen:Variant.Zusy.290462
K7GW: Trojan ( 0052cf421 )
CrowdStrike: win/malicious_confidence_100% (W)
Arcabit: Trojan.Zusy.D46E9E
TrendMicro: TROJ_GEN.R002C0DI819
ESET-NOD32: a variant of Win32/NukeSped.AU
Paloalto: generic.ml
Kaspersky: HEUR:Trojan.Win32.Generic
Alibaba: Trojan:Win32/Autophyte.172408e5
AegisLab: Trojan.Win32.Generic.4!c
Avast: FileRepMalware
Tencent: Win32.Trojan.Generic.Lpce
Ad-Aware: Gen:Variant.Zusy.290462
Sophos: Mal/Generic-S
Invincea: heuristic
McAfee-GW-Edition: Trojan-HidCobra
Trapmine: suspicious.low.ml.score
Emsisoft: Gen:Variant.Zusy.290462 (B)
SentinelOne: DFI - Suspicious PE
Jiangmin: Trojan.Generic.bllix
Avira: TR/NukeSped.bqdkl
Endgame: malicious (high confidence)
Microsoft: Trojan:Win32/Autophyte.E!dha
ZoneAlarm: HEUR:Trojan.Win32.Generic
GData: Gen:Variant.Zusy.290462
AhnLab-V3: Trojan/Win32.Akdoor.R206569
McAfee: Trojan-HidCobra
MAX: malware (ai score=84)
TrendMicro-HouseCall: TROJ_GEN.R002C0DI819
Rising: Trojan.Agent!8.B1E (TFE:6:TEbwi7SsEO)
Ikarus: Trojan.Win32.NukeSped
Fortinet: W32/Generic.AU!tr
AVG: FileRepMalware
Panda: Trj/GdSda.A
Qihoo-360: Win32/Trojan.e6d

Hashes

MD5 3edce4d49a2f31b8ba9bad0b8ef54963
SHA1 1209582451283c46f29a5185f451aa3c989723c9
SHA256 73dcb7639c1f81d3f7c4931d32787bdf07bd98550888c4b29b1058b2d5a7ca33
SHA3 e769220e3570c8563aa99da7367118d9e67b4c069c8797cefb0ae97e4140656e
SSDeep 3072:bQGYFFzsaXlvJdbx9NAzDZWaNoh05WKRYW7IWwh7:bSFhLlh9N8DZWaNoG5W8VIWC
Imports Hash cf3e2269004b18054d77ec54601edfd1

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0xe0

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_I386
NumberofSections 4
TimeDateStamp 2017-Jul-11 18:26:59
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xe0
Characteristics IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED

Image Optional Header

Magic PE32
LinkerVersion 6.0
SizeOfCode 0x1d000
SizeOfInitializedData 0x9000
SizeOfUninitializedData 0
AddressOfEntryPoint 0x0001D83A (Section: .text)
BaseOfCode 0x1000
BaseOfData 0x1e000
ImageBase 0x10000000
SectionAlignment 0x1000
FileAlignment 0x1000
OperatingSystemVersion 4.0
ImageVersion 0.0
SubsystemVersion 4.0
Win32VersionValue 0
SizeOfImage 0x27000
SizeOfHeaders 0x1000
Checksum 0
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
SizeofStackReserve 0x100000
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

.text

MD5 0b401c68fa1a8f024f25189b31fd8caf
SHA1 253f3a75d8c0fdeaee69a1306e571b470610b380
SHA256 e0d3300d7cc3a0796d3ec6de227cc18d5ecabd56ced9313754a3656415259590
SHA3 b06f506e30a5f8fb6cc582b91718e7f3d4ade06f3456b15a85c38cc15118acc5
VirtualSize 0x1ca10
VirtualAddress 0x1000
SizeOfRawData 0x1d000
PointerToRawData 0x1000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
Entropy 6.63451

.rdata

MD5 78ad5231f5184af8093a2f31ef1f9952
SHA1 36e70b873c62fdb73d8a9372899de1d517e88eaa
SHA256 bba885ecce65bbe4a3bffa97d4e44bd1a88e3f9ce82332fcfe830f6ed4dcaefa
SHA3 d605262a57753974e0607662b896e7a76c17cffd9b85fe01084019676d004632
VirtualSize 0x398b
VirtualAddress 0x1e000
SizeOfRawData 0x4000
PointerToRawData 0x1e000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 6.12622

.data

MD5 8c48fdefd1785500380702796882a0b6
SHA1 e6263aff0f2709b3fa0264475db595509bfa1c2d
SHA256 efb1d7795f7b0d4227464c5f24045592052cba3e40b620fba6b171bcd6d66a03
SHA3 78fd3fba941a104e215195e9e3c47ad34dd463d83353b30fc4feff1175d08b55
VirtualSize 0x36bc
VirtualAddress 0x22000
SizeOfRawData 0x1000
PointerToRawData 0x22000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 3.86014

.reloc

MD5 e6b0be8044e573ca9fc84de173a7ca3d
SHA1 5dfd0e40d66a73d26c87c4867ba923c4a94a5379
SHA256 7e9152a9f905a7445b6e42d5924d78b604b926e1180979ce8c17bd16c0f02cb0
SHA3 f5a96ad6ed20a18dbe5156491e3820bff07c43672770d95b50a31563036a4f4f
VirtualSize 0xddc
VirtualAddress 0x26000
SizeOfRawData 0x1000
PointerToRawData 0x23000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Entropy 5.40474

Imports

KERNEL32.dll
  • GetProcessHeap
  • VirtualAlloc
  • VirtualProtect
  • VirtualFree
  • IsBadReadPtr
  • HeapFree
  • FreeLibrary
  • CloseHandle
  • CreateThread
  • LocalFree
  • FreeLibraryAndExitThread
  • Sleep
  • ReadFile
  • LocalAlloc
  • GetFileSize
  • CreateFileW
  • GetSystemDirectoryW
  • HeapAlloc
  • GetVolumeInformationW
  • Module32FirstW
  • CreateToolhelp32Snapshot
  • FileTimeToLocalFileTime
  • GetTickCount
  • GetSystemInfo
  • GetVersionExW
  • WideCharToMultiByte
  • CreateDirectoryW
  • CopyFileW
  • FileTimeToSystemTime
  • GetACP
  • lstrlenW
  • FindFirstFileW
  • LoadLibraryA
  • GetModuleHandleW
  • GetProcAddress
  • FindNextFileW
  • GetLastError
  • FindClose
  • UnmapViewOfFile
  • WriteFile
  • GetCurrentProcess
  • DuplicateHandle
  • CreateFileMappingW
  • MapViewOfFile
  • GetFileType
  • GetFileInformationByHandle
  • GetSystemTime
  • GetLocalTime
  • SystemTimeToFileTime
  • SetFilePointer
  • FileTimeToDosDateTime
USER32.dll
  • GetSystemMetrics
ADVAPI32.dll
  • SetServiceStatus
  • RegisterServiceCtrlHandlerW
SHLWAPI.dll
  • SHDeleteKeyW
MSVCRT.dll
  • _wcsicmp
  • rand
  • srand
  • __CxxFrameHandler
  • fclose
  • fwprintf
  • _wfopen
  • wcsrchr
  • wcstombs
  • memcpy
  • strlen
  • memset
  • memmove
  • memcmp
  • malloc
  • strstr
  • sscanf
  • localtime
  • time
  • mktime
  • ??2@YAPAXI@Z
  • _EH_prolog
  • strcat
  • strcpy
  • _stricmp
  • _tzset
  • __dllonexit
  • _onexit
  • _initterm
  • _adjust_fdiv
  • wcscat
  • wcsncpy
  • swprintf
  • _wtoi
  • _waccess
  • wcscpy
  • wcslen
  • _vsnwprintf
  • wcscmp
  • wcsncmp
  • free
  • realloc
  • strncmp
  • ??3@YAXPAX@Z
  • wcschr

Delayed Imports

Exports

ServiceCtrlHandler

Ordinal 1
Address 0x7b30

DllMain

Ordinal 2
Address 0x7a90

ServiceMain

Ordinal 3
Address 0x7bb0

Version Info

TLS Callbacks

Load Configuration

RICH Header

XOR Key 0x7073cdf1
Unmarked objects 0
14 (7299) 5
12 (7291) 3
Imports (VS2003 (.NET) build 4035) 9
Total imports 115
C objects (VS98 build 8168) 19
C++ objects (VS98 build 8168) 10
Linker (VS98 build 8168) 3

Errors