| Property | Value |
|---|---|
| Architecture | IMAGE_FILE_MACHINE_I386 |
| Subsystem | IMAGE_SUBSYSTEM_WINDOWS_GUI |
| Compilation Date | 2023-Oct-11 08:58:50 |
| Info | Matching compiler(s): Microsoft Visual C++ 7.1; Microsoft Visual C++ 6.0 - 8.0 |
| Suspicious | Strings found in the binary may indicate undesirable behavior: contains references to system / monitoring tools: |
| Malicious | The PE contains functions mostly used by malware. [!] The program may be hiding some of its imports: |
| Malicious | VirusTotal score: 64/71 (Scanned on 2024-03-30 18:38:23) |

| Engine | Detection |
|---|---|
| ALYac | Trojan.GenericKD.72136657 |
| APEX | Malicious |
| AVG | Win32:RATX-gen [Trj] |
| Acronis | suspicious |
| AhnLab-V3 | Trojan/Win32.Dynamer.R193259 |
| Alibaba | TrojanDownloader:Win32/Carberp.86f482fe |
| Antiy-AVL | Trojan/Win32.Invader |
| Arcabit | Trojan.Generic.D44CB7D1 |
| Avast | Win32:RATX-gen [Trj] |
| Avira | TR/Hijacker.Gen |
| BitDefender | Trojan.GenericKD.72136657 |
| BitDefenderTheta | Gen:NN.ZexaF.36802.HqW@auZ4Nrj |
| Bkav | W32.AIDetectMalware |
| CAT-QuickHeal | Backdoor.Darkvnc |
| ClamAV | Win.Dropper.Miner-7086570-0 |
| CrowdStrike | win/malicious_confidence_100% (W) |
| Cybereason | malicious.e5d801 |
| Cylance | unsafe |
| Cynet | Malicious (score: 100) |
| DeepInstinct | MALICIOUS |
| DrWeb | Trojan.DownLoader23.24387 |
| ESET-NOD32 | a variant of Win32/TrojanDownloader.Carberp.BU |
| Elastic | malicious (high confidence) |
| Emsisoft | Trojan.GenericKD.72136657 (B) |
| F-Secure | Trojan.TR/Hijacker.Gen |
| FireEye | Generic.mg.41b5953e5d8016a8 |
| Fortinet | W32/Generic.AP.14B7886!tr |
| GData | Trojan.GenericKD.72136657 |
| Google | Detected |
| Gridinsoft | Trojan.Win32.Downloader.sa |
| Ikarus | Trojan.Win32.PSW |
| Jiangmin | Trojan.Generic.alinp |
| K7AntiVirus | Trojan-Downloader ( 004fbdbc1 ) |
| K7GW | Trojan-Downloader ( 004fbdbc1 ) |
| Kaspersky | Backdoor.Win32.DarkVNC.xr |
| Kingsoft | Win32.HeurC.KVMH017.a |
| Lionic | Trojan.Win32.Carberp.m!c |
| MAX | malware (ai score=84) |
| Malwarebytes | Generic.Malware.AI.DDS |
| MaxSecure | Trojan.Malware.1728101.susgen |
| McAfee | GenericRXKB-SV!41B5953E5D80 |
| MicroWorld-eScan | Trojan.GenericKD.72136657 |
| Microsoft | Trojan:Win32/Leonem |
| NANO-Antivirus | Trojan.Win32.Invader.fwxjbq |
| Panda | Trj/Genetic.gen |
| Sangfor | Trojan.Win32.Save.a |
| SentinelOne | Static AI - Malicious PE |
| Skyhigh | BehavesLike.Win32.Generic.hh |
| Sophos | Mal/Hvnc-A |
| Symantec | ML.Attribute.HighConfidence |
| TACHYON | Trojan/W32.Invader.549888 |
| Tencent | Malware.Win32.Gencirc.10bd8a70 |
| Trapmine | malicious.high.ml.score |
| TrendMicro | TROJ_GEN.R002C0PCM24 |
| TrendMicro-HouseCall | TROJ_GEN.R002C0PCM24 |
| VBA32 | BScope.Trojan.Invader |
| VIPRE | Trojan.GenericKD.72136657 |
| Varist | W32/ABDownloader.NDBP-8877 |
| VirIT | Backdoor.Win32.DarkVNC.C |
| Xcitium | Malware@#5c7wsydl4dzw |
| Yandex | Trojan.GenAsa!eJ2W40k2TSg |
| Zillya | Trojan.Carberp.Win32.4948 |
| ZoneAlarm | Backdoor.Win32.DarkVNC.xr |
| alibabacloud | Backdoor:Win/Carberp.BU |
| DOS header field | Value |
|---|---|
| e_magic | MZ |
| e_cblp | 0x90 |
| e_cp | 0x3 |
| e_crlc | 0 |
| e_cparhdr | 0x4 |
| e_minalloc | 0 |
| e_maxalloc | 0xffff |
| e_ss | 0 |
| e_sp | 0xb8 |
| e_csum | 0 |
| e_ip | 0 |
| e_cs | 0 |
| e_ovno | 0 |
| e_oemid | 0 |
| e_oeminfo | 0 |
| e_lfanew | 0xf0 |
| PE file header field | Value |
|---|---|
| Signature | PE |
| Machine | IMAGE_FILE_MACHINE_I386 |
| NumberofSections | 4 |
| TimeDateStamp | 2023-Oct-11 08:58:50 |
| PointerToSymbolTable | 0 |
| NumberOfSymbols | 0 |
| SizeOfOptionalHeader | 0xe0 |
| Characteristics | IMAGE_FILE_32BIT_MACHINE, IMAGE_FILE_EXECUTABLE_IMAGE |
| Optional header field | Value |
|---|---|
| Magic | PE32 |
| LinkerVersion | 12.0 |
| SizeOfCode | 0x3800 |
| SizeOfInitializedData | 0x82a00 |
| SizeOfUninitializedData | 0 |
| AddressOfEntryPoint | 0x00001640 (Section: .text) |
| BaseOfCode | 0x1000 |
| BaseOfData | 0x5000 |
| ImageBase | 0x400000 |
| SectionAlignment | 0x1000 |
| FileAlignment | 0x200 |
| OperatingSystemVersion | 6.0 |
| ImageVersion | 0.0 |
| SubsystemVersion | 6.0 |
| Win32VersionValue | 0 |
| SizeOfImage | 0x89000 |
| SizeOfHeaders | 0x400 |
| Checksum | 0 |
| Subsystem | IMAGE_SUBSYSTEM_WINDOWS_GUI |
| DllCharacteristics | IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE, IMAGE_DLLCHARACTERISTICS_NX_COMPAT, IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE |
| SizeofStackReserve | 0x100000 |
| SizeofStackCommit | 0x1000 |
| SizeofHeapReserve | 0x100000 |
| SizeofHeapCommit | 0x1000 |
| LoaderFlags | 0 |
| NumberOfRvaAndSizes | 16 |
| DLL | Imported functions |
|---|---|
| ntdll.dll | NtQueryVirtualMemory, RtlUnwind, NtSetContextThread, NtGetContextThread, ZwQueryInformationProcess, RtlNtStatusToDosError, ZwClose, NtUnmapViewOfSection, NtMapViewOfSection, NtCreateSection, memcpy, memset |
| SHLWAPI.dll | StrChrA, StrRChrA, PathCombineW |
| PSAPI.DLL | EnumProcessModules |
| KERNEL32.dll | GetThreadContext, GetFileSize, LoadLibraryA, FreeLibrary, lstrcmpA, LeaveCriticalSection, EnterCriticalSection, VirtualProtect, CreateFileA, GetModuleFileNameA, lstrlenA, lstrcatA, lstrcpyA, lstrcmpiA, SetFilePointer, GetCurrentProcess, VirtualAllocEx, CloseHandle, CreateProcessW, GetModuleHandleA, LocalAlloc, LocalFree, GetLastError, Sleep, GetCurrentProcessId, SwitchToThread, SuspendThread, ResumeThread, VirtualFree, OpenProcess, VirtualProtectEx, ReadProcessMemory, WriteProcessMemory, GetModuleHandleW, GetVersion, CreateEventA, GetProcAddress, VirtualAlloc, ReadFile |
| SHELL32.dll | SHGetFolderPathW |
| Rich header entry | Value |
|---|---|
| XOR Key | 0x1cdc536c |
| Unmarked objects | 0 |
| Imports (65501) | 8 |
| Total imports | 66 |
| Imports (VS2003 (.NET) build 4035) | 3 |
| C objects (VS2003 (.NET) build 4035) | 1 |
| ASM objects (VS2003 (.NET) build 4035) | 3 |
| ASM objects (VS2013 UPD2 build 30501) | 1 |
| C objects (VS2013 UPD2 build 30501) | 9 |
| Linker (VS2013 UPD2 build 30501) | 1 |