40dff9cd2688b286b984509acce3b788

Summary

Architecture IMAGE_FILE_MACHINE_I386
Subsystem IMAGE_SUBSYSTEM_WINDOWS_CUI
Compilation Date 2016-Nov-11 16:04:47
Detected languages English - United States
TLS Callbacks 2 callback(s) detected.
FileVersion 12.6.5.0
InternalName exiftool.exe
OriginalFilename exiftool.exe
ProductVersion 12.6.5.0

Plugin Output

Suspicious Strings found in the binary may indicate undesirable behavior:
May have dropper capabilities:
  • Programs\Startup
Contains another PE executable:
  • This program cannot be run in DOS mode.
  (this string is also part of the file's own DOS stub; it only indicates an embedded PE if it occurs a second time, for example inside the overlay, so confirm with a second tool before treating it as evidence)
Miscellaneous malware strings:
  • cmd.exe
Contains domain names:
  • ActiveState.com
  • bugzilla.redhat.com
  • command.com
  • ftp.info-zip.org
  • ftp://ftp.info-zip.org
  • ftp://ftp.info-zip.org/pub/infozip/license.html
  • git.perl.org
  • github.com
  • http://perl5.git.perl.org
  • http://perl5.git.perl.org/perl.git/blob/HEAD
  • http://rt.cpan.org
  • http://rt.cpan.org/Ticket/Display.html?id
  • http://www.ActiveState.com
  • http://www.cpan.org
  • http://www.cpan.org/modules/by-authors/id/\U$3/$2/$1\E/
  • http://www.gzip.org
  • http://www.gzip.org/format.txt
  • http://www.info-zip.org
  • http://www.info-zip.org/pub/infozip/
  • http://www.perl.org
  • http://www.perl.org/,
  • https://bugzilla.redhat.com
  • https://bugzilla.redhat.com/show_bug.cgi?id
  • https://github.com
  • https://rt.cpan.org
  • https://rt.cpan.org/Public/Bug/Display.html?id
  • https://rt.cpan.org/Ticket/Display.html?id
  • ig.co.uk
  • info-zip.org
  • leonerd.org.uk
  • newman.upenn.edu
  • perl5.git.perl.org
  • pobox.com
  • redhat.com
  • rt.cpan.org
  • upenn.edu
  • www.ActiveState.com
  • www.cpan.org
  • www.gzip.org
  • www.info-zip.org
  • www.perl.org
These are Perl/CPAN, Info-ZIP and gzip project, bug-tracker and author-contact domains of the kind found in Perl module sources and licence texts; together with the InternalName exiftool.exe they point to a bundled Perl runtime, not to hosts the program contacts. A static string match does not show network activity; confirm with a sandbox run or API tracing before treating any of them as an indicator.
Info Cryptographic algorithms detected in the binary:
  • Uses constants related to CRC32 (expected alongside the Info-ZIP/gzip code referenced by the strings above)
  • Uses constants related to SHA1
Info The PE contains common functions which appear in legitimate applications.
[!] The program may be hiding some of its imports:
  • GetProcAddress
  • LoadLibraryA
  • LoadLibraryW
The static import table (see Imports below) is small for a program of this size, so most of the real API surface is resolved at runtime through these three functions. Enumerate it dynamically (API trace, or a breakpoint on GetProcAddress) rather than from the import table alone.
Suspicious The file contains overlay data: 7368513 bytes starting at offset 0x1eea00, which is exactly the end of the last section's raw data (.rsrc: PointerToRawData 0x1ec600 + SizeOfRawData 0x2400).
The overlay has an entropy of 7.90069 bits per byte and is most likely compressed or encrypted.
The overlay accounts for 78.4344% of the executable, so the PE proper is a small loader stub (SizeOfCode 0x4200) in front of a large payload; carve the overlay and identify its format before drawing conclusions from the stub alone.
Safe VirusTotal score: 0/71 (scanned on 2023-09-17 00:14:50). No engine flagged the file.
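The overlay and TLS-callback figures above can be recomputed from the headers alone. The script below is an added example, not part of the analysis report or of the analysed program: it parses the section table, takes the overlay to start where the last section's raw data ends, measures the overlay's size, share of the file and Shannon entropy, checks whether it is a ZIP archive (the usual self-extractor pattern), and maps a virtual address such as a TLS callback to a file offset. Standard library only. The PE it runs on at the bottom is constructed in the script so it works offline; the section name, addresses and payload there are made up for the demonstration.

```python
"""Overlay and TLS-callback triage for a PE file.

Added example, not part of the analysis report above. Recomputes the report's
overlay figures (offset = end of the last section's raw data, size, share of
the file, Shannon entropy), checks whether the overlay is a ZIP archive, and
maps virtual addresses such as TLS callbacks to file offsets. The PE built at
the bottom is constructed here so the script runs offline.
"""
import io
import math
import random
import struct
import zipfile
from collections import Counter


def section_table(data):
    """Parse the section headers: [(name, va, vsize, raw_ptr, raw_size), ...]."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]       # NumberOfSections
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]  # SizeOfOptionalHeader
    off = e_lfanew + 24 + opt_size                               # first IMAGE_SECTION_HEADER
    sections = []
    for _ in range(nsec):
        name, vsize, va, rsize, rptr = struct.unpack_from("<8sIIII", data, off)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), va, vsize, rptr, rsize))
        off += 40
    return sections


def overlay_offset(data):
    """The overlay begins where the last byte of section raw data ends."""
    return max((rptr + rsize for _, _, _, rptr, rsize in section_table(data)), default=len(data))


def shannon_entropy(buf):
    """Bits per byte, 0.0 .. 8.0; 7.9 and above means compressed or encrypted."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def classify_overlay(blob):
    """Cheap signature checks; a ZIP appended to a stub is the self-extractor pattern."""
    if blob[:4] == b"PK\x03\x04":
        return "zip"
    # the end-of-central-directory record sits within 22 + 65535 (comment) bytes of the end
    if b"PK\x05\x06" in blob[-65557:]:
        return "zip"
    if blob[:2] == b"MZ":
        return "pe"
    return "unknown"


def inspect_overlay(data):
    off = overlay_offset(data)
    blob = data[off:]
    return {
        "offset": off,
        "size": len(blob),
        "share": len(blob) / len(data) if data else 0.0,
        "entropy": shannon_entropy(blob),
        "kind": classify_overlay(blob),
    }


def va_to_file_offset(data, image_base, va):
    """Map a virtual address (e.g. a TLS callback) to a file offset; None if not file-backed."""
    rva = va - image_base
    for _, sva, vsize, rptr, rsize in section_table(data):
        if sva <= rva < sva + max(vsize, rsize):
            delta = rva - sva
            return rptr + delta if delta < rsize else None  # beyond raw data (.bss-style) is not in the file
    return None


def build_sample_pe():
    """Constructed 32-bit PE: headers, one 0x200-byte .text section, then a ZIP overlay."""
    dos = bytearray(0x80)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)                       # e_lfanew
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                         # PE32 magic
    struct.pack_into("<I", opt, 28, 0x400000)                     # ImageBase
    sec = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    headers = (bytes(dos) + coff + bytes(opt) + sec).ljust(0x200, b"\0")
    text = bytes([0xC3]).ljust(0x200, b"\xCC")                    # ret, then int3 padding
    rng = random.Random(1)
    payload = bytes(rng.getrandbits(8) for _ in range(4096))      # incompressible -> high entropy
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("script/main.pl", payload)                    # hypothetical bundled script name
    return headers + text + zbuf.getvalue()


if __name__ == "__main__":
    sample = build_sample_pe()
    print(inspect_overlay(sample))
    print(hex(va_to_file_offset(sample, 0x400000, 0x401010)))
```

Run against the file described on this page, `inspect_overlay` reproduces offset 0x1eea00 from the .rsrc header (0x1ec600 + 0x2400), and `va_to_file_offset` with ImageBase 0x400000 places the two TLS callbacks at .text offsets 0x2c70 (0x403870) and 0x2c20 (0x403820), since .text is mapped at 0x1000 and stored at 0x400. If the overlay classifies as "zip", `zipfile` can list its members directly from `data[offset:]` without running the stub.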

Hashes

MD5 40dff9cd2688b286b984509acce3b788
SHA1 ccd69ce62c41865bafaec547b4cb8e143da45165
SHA256 5cd8c65308429a682114ca440ebba984918da822b4d6ec0bbe40c9d6a1166293
SHA3 14293373b73ba7481ccc23cc84cc8890dc2229093421b6ce7c3d946d1452f2d2
SSDeep 196608:rhT227p+VDtj4Z/X8SxFC/KnfzNg1mPvKQ2jptOjt6W4vkl35q+y8MkJRhMCTwsN:7Jhl35dy8vMCssqLGVmy4jk
Imports Hash 01a51283eb6f28bfb27dd220873cc756

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0x80

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_I386
NumberofSections 8
TimeDateStamp 2016-Nov-11 16:04:47
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xe0
Characteristics IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DEBUG_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_RELOCS_STRIPPED

Image Optional Header

Magic PE32
LinkerVersion 2.0
SizeOfCode 0x4200
SizeOfInitializedData 0x1ee600
SizeOfUninitializedData 0x8600
AddressOfEntryPoint 0x000014E0 (Section: .text)
BaseOfCode 0x1000
BaseOfData 0x6000
ImageBase 0x400000
SectionAlignment 0x1000
FileAlignment 0x200
OperatingSystemVersion 4.0
ImageVersion 1.0
SubsystemVersion 4.0
Win32VersionValue 0
SizeOfImage 0x1fd000
SizeOfHeaders 0x400
Checksum 0x1f64a3
Subsystem IMAGE_SUBSYSTEM_WINDOWS_CUI
SizeofStackReserve 0x200000
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

.text

MD5 5af57aa2b8c8bf8f7155fc61ee59e583
SHA1 aebcf3973363e823cece181a94a34801b828bb3d
SHA256 5211e4c3f2c03ee2d3573f73bafd5be271dfa5a79979952de56282b1306bd977
SHA3 be8b07cb7425de7dffcd5e68a83737874ccbf422d62a6ea11dddf25bb6189dae
VirtualSize 0x4164
VirtualAddress 0x1000
SizeOfRawData 0x4200
PointerToRawData 0x400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_ALIGN_16BYTES
(IMAGE_SCN_ALIGN_* is a single 4-bit field in bits 20-23 that holds one of 14 values, not a set of independent flags, so exactly one alignment applies to a section)
Entropy 6.33156

.data

MD5 38c02b5344dfd0135d3f559bdaaa4fa5
SHA1 d8cd72f00b17da5ed3f7ea2179b1be633d7c9745
SHA256 02903a7e675c112394b31015662d8eccb87ba3bd428743dfe0b03eddb6318f9e
SHA3 fc33e520318c5fad506b408ecca0e4929cb24448123c669e866e2e0f81a9155d
VirtualSize 0x1e6a48
VirtualAddress 0x6000
SizeOfRawData 0x1e6c00
PointerToRawData 0x4600
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
IMAGE_SCN_ALIGN_32BYTES
Entropy 6.10105

.rdata

MD5 2f06505394a1094ce31c0e053d0b3fc3
SHA1 4fbbcfd65e97dfeccc9ea5560332ca923d8eb796
SHA256 482a8646ab8907d9aea667150157fe0e32eb265d57cc21397285a694fe0f590c
SHA3 0b025a5976eff4dca58decdff429d7811d45c7bb7df77594f4e339aeba97e049
VirtualSize 0x5f0
VirtualAddress 0x1ed000
SizeOfRawData 0x600
PointerToRawData 0x1eb200
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_ALIGN_4BYTES
Entropy 5.39957

.bss

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA3 a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a
VirtualSize 0x840c
VirtualAddress 0x1ee000
SizeOfRawData 0
PointerToRawData 0
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
IMAGE_SCN_ALIGN_32BYTES

.idata

MD5 097b15ff5e9600f5d830c5bd8b971b14
SHA1 2868429975db8b870b6981376fea293dd21e1084
SHA256 5dabfd20762cc902f37d3bfb8fb5ddd2ae6f9b9748154b7a928c02d448d4af03
SHA3 0906fc55d809d7190a84bc10691f1d6cb9af15d58fdbc975a7ed88be8e417a56
VirtualSize 0x928
VirtualAddress 0x1f7000
SizeOfRawData 0xa00
PointerToRawData 0x1eb800
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
IMAGE_SCN_ALIGN_4BYTES
Entropy 4.76085

.CRT

MD5 e0abf3a52c83f3780072c36cb55f92dd
SHA1 8841c9a62f5bf1e880a1c2432afa4ca447a800e9
SHA256 04a60a9175a172bb407540a42f35d48fde6022a60a8070231b44b6ffa83dc9ad
SHA3 86e397db118bb315fd84ec8728ebabbc5d5d3ce4f44542659a20345d035bc3e3
VirtualSize 0x34
VirtualAddress 0x1f8000
SizeOfRawData 0x200
PointerToRawData 0x1ec200
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
IMAGE_SCN_ALIGN_4BYTES
Entropy 0.24913

.tls

MD5 f4b2628deaa8d3b5ce299c8cf6ce7983
SHA1 e8d41a63123002c6f74aa512bf7ed5d47a8728fb
SHA256 23ad589d955b82a1b2c1ff2fc6b4e9b135f07fad591a9b66f5c3de199e5153f5
SHA3 985e1e0647514089765b1836fb4d2a39fab9c3c1da9c888298c202a3ed7393a6
VirtualSize 0x20
VirtualAddress 0x1f9000
SizeOfRawData 0x200
PointerToRawData 0x1ec400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
IMAGE_SCN_ALIGN_4BYTES
Entropy 0.22482

.rsrc

MD5 873bf5cd375eeb3cfdf6520dc296c2ac
SHA1 b6a0217e2c420973eb31f7f6d6544b0e9c5b3924
SHA256 f4d9ea1e0f4f102df023d0ffb2c812f6c52b8ce19bce1b3780c92cc37e255b91
SHA3 26a819274e32c2a7e944bd941261d622db4f28b03f3e12b190583c0682d979e6
VirtualSize 0x23f0
VirtualAddress 0x1fa000
SizeOfRawData 0x2400
PointerToRawData 0x1ec600
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
IMAGE_SCN_ALIGN_4BYTES
Entropy 5.44238

Imports

ADVAPI32.dll GetUserNameA
KERNEL32.dll DeleteCriticalSection
EnterCriticalSection
FreeLibrary
GetCurrentProcess
GetCurrentProcessId
GetCurrentThreadId
GetLastError
GetModuleFileNameA
GetModuleHandleA
GetProcAddress
GetStartupInfoA
GetSystemTimeAsFileTime
GetTickCount
InitializeCriticalSection
LeaveCriticalSection
LoadLibraryA
LoadLibraryW
QueryPerformanceCounter
SetUnhandledExceptionFilter
Sleep
TerminateProcess
TlsGetValue
UnhandledExceptionFilter
VirtualProtect
VirtualQuery
msvcrt.dll _access
_chmod
_close
_getpid
_lseek
_open
_read
_spawnvpe
_strdup
_strnicmp
_write
msvcrt.dll (#2) _access
_chmod
_close
_getpid
_lseek
_open
_read
_spawnvpe
_strdup
_strnicmp
_write

Delayed Imports

Resources

1

Type RT_ICON
Language English - United States
Codepage UNKNOWN
Size 0x568
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 2.96054
MD5 a813dc9aaaf643c0e998eddb333b3ea1
SHA1 0415bb92c0e44f238571afef3644a146b486b159
SHA256 e684dff8fa16538d9d47d3f0c7e7de75d9050463622a332e16475e42480f13ed
SHA3 6975972047ed3fd20acf89d3e024699793e1d5c4cf0f68440767abf1a91283c5

2

Type RT_ICON
Language English - United States
Codepage UNKNOWN
Size 0x8a8
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 6.19723
MD5 bf2cd1f86c2394b548feee2acbc5189b
SHA1 6bf9c86a2715d997f508434d154764f5b2ee13d3
SHA256 72900b466f8b841f09f4989337908e520aa82ffbeb8ba9441d6574a2b02d424f
SHA3 b81eda4600f2b192b855877a45b76f031a6fc96fc9fca9ca721395a2958f38fe

3

Type RT_ICON
Language English - United States
Codepage UNKNOWN
Size 0x568
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 2.96054
MD5 a813dc9aaaf643c0e998eddb333b3ea1
SHA1 0415bb92c0e44f238571afef3644a146b486b159
SHA256 e684dff8fa16538d9d47d3f0c7e7de75d9050463622a332e16475e42480f13ed
SHA3 6975972047ed3fd20acf89d3e024699793e1d5c4cf0f68440767abf1a91283c5

4

Type RT_ICON
Language English - United States
Codepage UNKNOWN
Size 0x8a8
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 6.19723
MD5 bf2cd1f86c2394b548feee2acbc5189b
SHA1 6bf9c86a2715d997f508434d154764f5b2ee13d3
SHA256 72900b466f8b841f09f4989337908e520aa82ffbeb8ba9441d6574a2b02d424f
SHA3 b81eda4600f2b192b855877a45b76f031a6fc96fc9fca9ca721395a2958f38fe

WINEXE

Type RT_GROUP_ICON
Language English - United States
Codepage UNKNOWN
Size 0x3e
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 2.48614
Detected Filetype Icon file
MD5 336806d34ad9306b288cf590b65a06ea
SHA1 1c9d2ae54b62c3761b1490a861a8cb40c9f210d0
SHA256 0493b9de18a4f23d34fccaebf063f5477bfd276c20467877f9ce2da433d96d4c
SHA3 0da9bc2def16ebcf4f97b9d2736c0a01cf02f21cba8c6acdbd38e21835374da1

1 (#2)

Type RT_VERSION
Language UNKNOWN
Codepage Latin 1 / Western European
Size 0x27c
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 3.25128
MD5 638eec9c217781a13e0f5a8d0df10bef
SHA1 ce1fad256c2cb34f873bf5dc0a289e3aff827ff8
SHA256 8a08b6ca4b3cb2912fab9ac3c4e42c5563fec42c7b66b31a4060c53e45402356
SHA3 315eb7042a1a3335645c59095c4f420ab21c16d876643d2a654aa68e03de4968

1 (#3)

Type RT_MANIFEST
Language English - United States
Codepage UNKNOWN
Size 0x33e
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 4.94733
MD5 3ecff14274248a9ed28b656bc91338bf
SHA1 7c1b013f9189eaa92b6c697907951a07c71a1932
SHA256 4294315269211a29e03d7ae20ef4a8e53680eff603fdf67552b3db4b99741fbe
SHA3 024297c88990972557d6561baa1641edfe461a0bcea947b9ab230254035fa9dd

Version Info

Signature 0xfeef04bd
StructVersion 0x10000
FileVersion 12.6.5.0
ProductVersion 12.6.5.0
FileFlags (EMPTY)
FileOs VOS_NT_WINDOWS32
FileType VFT_APP
Language UNKNOWN
FileVersion (#2) 12.6.5.0
InternalName exiftool.exe
OriginalFilename exiftool.exe
ProductVersion (#2) 12.6.5.0
Resource LangID UNKNOWN

TLS Callbacks

StartAddressOfRawData 0x5f9018
EndAddressOfRawData 0x5f901c
AddressOfIndex 0x5f6050
AddressOfCallbacks 0x5f8020
SizeOfZeroFill 0
Characteristics IMAGE_SCN_TYPE_REG
Callbacks 0x00403870
0x00403820

Load Configuration

RICH Header

Errors

[*] Warning: Section .bss has a raw size of 0 (SizeOfRawData 0, VirtualSize 0x840c). This is expected for an uninitialized-data section (IMAGE_SCN_CNT_UNINITIALIZED_DATA): the loader reserves the space in memory and nothing is stored in the file, so it is not an anomaly on its own.