41b5953e5d8016a817f4f793f7eb708c

Summary

Architecture IMAGE_FILE_MACHINE_I386
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date 2023-Oct-11 08:58:50

Plugin Output

Info Matching compiler(s): Microsoft Visual C++ 7.1
Microsoft Visual C++ 6.0 - 8.0
Suspicious Strings found in the binary may indicate undesirable behavior:
Contains references to system / monitoring tools:
  • control.exe
  • taskmgr.exe
Contains references to internet browsers:
  • chrome.exe
  • firefox.exe
May have dropper capabilities:
  • CurrentControlSet\services
Contains another PE executable:
  • This program cannot be run in DOS mode.
Miscellaneous malware strings:
  • cmd.exe
Malicious The PE contains functions mostly used by malware.
[!] The program may be hiding some of its imports:
  • LoadLibraryA
  • GetProcAddress
Functions which can be used for anti-debugging purposes:
  • SwitchToThread
Code injection capabilities:
  • VirtualAllocEx
  • OpenProcess
  • WriteProcessMemory
  • VirtualAlloc
Code injection capabilities (process hollowing):
  • NtSetContextThread
  • ResumeThread
  • WriteProcessMemory
Possibly launches other programs:
  • CreateProcessW
Uses Windows's Native API:
  • NtQueryVirtualMemory
  • NtSetContextThread
  • NtGetContextThread
  • ZwQueryInformationProcess
  • ZwClose
  • NtUnmapViewOfSection
  • NtMapViewOfSection
  • NtCreateSection
Memory manipulation functions often used by packers:
  • VirtualProtect
  • VirtualAllocEx
  • VirtualProtectEx
  • VirtualAlloc
Manipulates other processes:
  • EnumProcessModules
  • OpenProcess
  • ReadProcessMemory
  • WriteProcessMemory
Malicious VirusTotal score: 64/71 (Scanned on 2024-03-30 18:38:23)
ALYac: Trojan.GenericKD.72136657
APEX: Malicious
AVG: Win32:RATX-gen [Trj]
Acronis: suspicious
AhnLab-V3: Trojan/Win32.Dynamer.R193259
Alibaba: TrojanDownloader:Win32/Carberp.86f482fe
Antiy-AVL: Trojan/Win32.Invader
Arcabit: Trojan.Generic.D44CB7D1
Avast: Win32:RATX-gen [Trj]
Avira: TR/Hijacker.Gen
BitDefender: Trojan.GenericKD.72136657
BitDefenderTheta: Gen:NN.ZexaF.36802.HqW@auZ4Nrj
Bkav: W32.AIDetectMalware
CAT-QuickHeal: Backdoor.Darkvnc
ClamAV: Win.Dropper.Miner-7086570-0
CrowdStrike: win/malicious_confidence_100% (W)
Cybereason: malicious.e5d801
Cylance: unsafe
Cynet: Malicious (score: 100)
DeepInstinct: MALICIOUS
DrWeb: Trojan.DownLoader23.24387
ESET-NOD32: a variant of Win32/TrojanDownloader.Carberp.BU
Elastic: malicious (high confidence)
Emsisoft: Trojan.GenericKD.72136657 (B)
F-Secure: Trojan.TR/Hijacker.Gen
FireEye: Generic.mg.41b5953e5d8016a8
Fortinet: W32/Generic.AP.14B7886!tr
GData: Trojan.GenericKD.72136657
Google: Detected
Gridinsoft: Trojan.Win32.Downloader.sa
Ikarus: Trojan.Win32.PSW
Jiangmin: Trojan.Generic.alinp
K7AntiVirus: Trojan-Downloader ( 004fbdbc1 )
K7GW: Trojan-Downloader ( 004fbdbc1 )
Kaspersky: Backdoor.Win32.DarkVNC.xr
Kingsoft: Win32.HeurC.KVMH017.a
Lionic: Trojan.Win32.Carberp.m!c
MAX: malware (ai score=84)
Malwarebytes: Generic.Malware.AI.DDS
MaxSecure: Trojan.Malware.1728101.susgen
McAfee: GenericRXKB-SV!41B5953E5D80
MicroWorld-eScan: Trojan.GenericKD.72136657
Microsoft: Trojan:Win32/Leonem
NANO-Antivirus: Trojan.Win32.Invader.fwxjbq
Panda: Trj/Genetic.gen
Sangfor: Trojan.Win32.Save.a
SentinelOne: Static AI - Malicious PE
Skyhigh: BehavesLike.Win32.Generic.hh
Sophos: Mal/Hvnc-A
Symantec: ML.Attribute.HighConfidence
TACHYON: Trojan/W32.Invader.549888
Tencent: Malware.Win32.Gencirc.10bd8a70
Trapmine: malicious.high.ml.score
TrendMicro: TROJ_GEN.R002C0PCM24
TrendMicro-HouseCall: TROJ_GEN.R002C0PCM24
VBA32: BScope.Trojan.Invader
VIPRE: Trojan.GenericKD.72136657
Varist: W32/ABDownloader.NDBP-8877
VirIT: Backdoor.Win32.DarkVNC.C
Xcitium: Malware@#5c7wsydl4dzw
Yandex: Trojan.GenAsa!eJ2W40k2TSg
Zillya: Trojan.Carberp.Win32.4948
ZoneAlarm: Backdoor.Win32.DarkVNC.xr
alibabacloud: Backdoor:Win/Carberp.BU

Hashes

MD5 41b5953e5d8016a817f4f793f7eb708c
SHA1 c8f1fc586c61c93b9cb2d9ab3401ac548e3d10e7
SHA256 636f2b1624573965b7fc093117d8927ebffdbc0d852c241aede59fe81fece84f
SHA3 7d269c973e05d4c2eb4f407062aa22764c55935f22ea5b88ef002e021f3c7d94
SSDeep 6144:ScBUcxlczk0VXhumbeBJ1UW04tWu1lTWVwzYGK8zm4vK3JQErTw6f:xxlMVXhFbsVEujTWG8GTzqrTw6f
Imports Hash faf16be05abc0234db15c73412fc4a90

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0xf0

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_I386
NumberofSections 4
TimeDateStamp 2023-Oct-11 08:58:50
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xe0
Characteristics IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE

Image Optional Header

Magic PE32
LinkerVersion 12.0
SizeOfCode 0x3800
SizeOfInitializedData 0x82a00
SizeOfUninitializedData 0
AddressOfEntryPoint 0x00001640 (Section: .text)
BaseOfCode 0x1000
BaseOfData 0x5000
ImageBase 0x400000
SectionAlignment 0x1000
FileAlignment 0x200
OperatingSystemVersion 6.0
ImageVersion 0.0
SubsystemVersion 6.0
Win32VersionValue 0
SizeOfImage 0x89000
SizeOfHeaders 0x400
Checksum 0
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
DllCharacteristics IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
SizeofStackReserve 0x100000
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

.text

MD5 1205753b19af7115c73271ac518e9651
SHA1 e24a36d312cb16a01ed8678b36e65c7f1e7423a3
SHA256 b6219baff23f6be30114302199842f8370040c44568e8a9484c73585829184ec
SHA3 34f81e8f25694c95bd2512aaf6035677b1966b6fac867ef25d1c5b9009f16810
VirtualSize 0x3652
VirtualAddress 0x1000
SizeOfRawData 0x3800
PointerToRawData 0x400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
Entropy 6.32301

.rdata

MD5 1a5390658faf6ec5dfbfba52dad2f874
SHA1 0cae27cd4d41d8ee70bbcf8f06efe2b59ab3c37c
SHA256 657bdfadbf6c11d92d859cdd62be35d2867ee9a36eb0034dd7249b802cc55865
SHA3 5c3cc9bc6869dfea199ddd024f1edef6f53e94cecc1174035a8ed26d33df77fd
VirtualSize 0x8e6
VirtualAddress 0x5000
SizeOfRawData 0xa00
PointerToRawData 0x3c00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 4.65718

.data

MD5 cee8b2f47d0a537cd5fbb7a6f06b1c2f
SHA1 dea89f07de55428389fd7c8491952ea845886aa2
SHA256 f63536f1c4b158c5ea63792147bd7136da7aedd09b3ffec1a92da78b034477d6
SHA3 46d3e3f66f991bf9b475dad050b989ee0a9d36d51dc0f42ccb344c0450c54137
VirtualSize 0x81a40
VirtualAddress 0x6000
SizeOfRawData 0x81a00
PointerToRawData 0x4600
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 6.42588

.reloc

MD5 d7173a080d432fd35ae6cde1d21653d6
SHA1 141292bc12d3c38424914843577170ff2686d1c5
SHA256 db17af78e36bbf583993652dd1277890c7962108d46e097bdcf11e5813fc4a60
SHA3 7d411dea3ac56b56175078ced2259b77ceff6aa0a31332d6e4f5b89a6faee47f
VirtualSize 0x368
VirtualAddress 0x88000
SizeOfRawData 0x400
PointerToRawData 0x86000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Entropy 6.01727

Imports

ntdll.dll NtQueryVirtualMemory
RtlUnwind
NtSetContextThread
NtGetContextThread
ZwQueryInformationProcess
RtlNtStatusToDosError
ZwClose
NtUnmapViewOfSection
NtMapViewOfSection
NtCreateSection
memcpy
memset
SHLWAPI.dll StrChrA
StrRChrA
PathCombineW
PSAPI.DLL EnumProcessModules
KERNEL32.dll GetThreadContext
GetFileSize
LoadLibraryA
FreeLibrary
lstrcmpA
LeaveCriticalSection
EnterCriticalSection
VirtualProtect
CreateFileA
GetModuleFileNameA
lstrlenA
lstrcatA
lstrcpyA
lstrcmpiA
SetFilePointer
GetCurrentProcess
VirtualAllocEx
CloseHandle
CreateProcessW
GetModuleHandleA
LocalAlloc
LocalFree
GetLastError
Sleep
GetCurrentProcessId
SwitchToThread
SuspendThread
ResumeThread
VirtualFree
OpenProcess
VirtualProtectEx
ReadProcessMemory
WriteProcessMemory
GetModuleHandleW
GetVersion
CreateEventA
GetProcAddress
VirtualAlloc
ReadFile
SHELL32.dll SHGetFolderPathW

Delayed Imports

Version Info

TLS Callbacks

Load Configuration

RICH Header

XOR Key 0x1cdc536c
Unmarked objects 0
Imports (65501) 8
Total imports 66
Imports (VS2003 (.NET) build 4035) 3
C objects (VS2003 (.NET) build 4035) 1
ASM objects (VS2003 (.NET) build 4035) 3
ASM objects (VS2013 UPD2 build 30501) 1
C objects (VS2013 UPD2 build 30501) 9
Linker (VS2013 UPD2 build 30501) 1

Errors