41cc0e40bb4dd40348e13a28ea8bf0da

Summary

Architecture IMAGE_FILE_MACHINE_AMD64
Subsystem IMAGE_SUBSYSTEM_WINDOWS_CUI
Compilation Date 1970-Jan-01 00:00:00
TLS Callbacks 1 callback(s) detected.
Debug artifacts Embedded COFF debugging symbols

Plugin Output

Info Cryptographic algorithms detected in the binary:
  • Uses known Mersenne Twister constants
Suspicious The PE is packed with UPX:
  • Unusual section name found: UPX0
  • Section UPX0 is both writable and executable.
  • Unusual section name found: UPX1
  • Section UPX1 is both writable and executable.
  • Unusual section name found: UPX2
  • The PE only has 9 import(s).
Suspicious The PE contains functions most legitimate programs don't use.
  [!] The program may be hiding some of its imports:
  • LoadLibraryA
  • GetProcAddress
  Leverages the raw socket API to access the Internet:
  • bind
Suspicious The file contains overlay data.
  • 433991 bytes of data starting at offset 0x3fe00.
Suspicious No VirusTotal score.
  • This file has never been scanned on VirusTotal.

Hashes

MD5 41cc0e40bb4dd40348e13a28ea8bf0da
SHA1 860daf396fa72ea522dba437645b86efe865fbd9
SHA256 c41c913d511b643a44532342d49c474c4faf8e0eebab66595115574f9de67f22
SHA3 c2b33c43281130b260eecae8d256b1a4de2dfe4d957dd08a5fbea950008c93d7
SSDeep 12288:gPE+X9yAznhJ5APdq8khQrnssdRhkYP2rfv2L+siZ:gldn76dxkyrnHdlP2rfv2L+siZ
Imports Hash 939c657fc49a998adb1354a3fa646c2e

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0x80

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_AMD64
NumberofSections 3
TimeDateStamp 1970-Jan-01 00:00:00
PointerToSymbolTable 0xf8000
NumberOfSymbols 6429
SizeOfOptionalHeader 0xf0
Characteristics IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_RELOCS_STRIPPED

Image Optional Header

Magic PE32+
LinkerVersion 3.0
SizeOfCode 0x40000
SizeOfInitializedData 0x1000
SizeOfUninitializedData 0x1cb000
AddressOfEntryPoint 0x000000000020B590 (Section: UPX1)
BaseOfCode 0x1cc000
ImageBase 0x100000000
SectionAlignment 0x1000
FileAlignment 0x200
OperatingSystemVersion 4.0
ImageVersion 1.0
SubsystemVersion 4.0
Win32VersionValue 0
SizeOfImage 0x20d000
SizeOfHeaders 0x1000
Checksum 0
Subsystem IMAGE_SUBSYSTEM_WINDOWS_CUI
SizeofStackReserve 0x1000000
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

UPX0

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA3 a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a
VirtualSize 0x1cb000
VirtualAddress 0x1000
SizeOfRawData 0
PointerToRawData 0x200
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

UPX1

MD5 2127095665e0941b9f0399ce679175e1
SHA1 f6bcdeef78580650513dd0b40d6d56fb2b121032
SHA256 b66c0049e00d1fd68f7c2a0cada90a84809ff9681d395e9373719a43292812c3
SHA3 c593eb601a080cfefd603a050cbd556a586e69926c986e906817238450732c46
VirtualSize 0x40000
VirtualAddress 0x1cc000
SizeOfRawData 0x3fa00
PointerToRawData 0x200
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 7.89193

UPX2

MD5 866cbffd3e08872369b18ba150653921
SHA1 2be836c947334474c5c60fb11292c4b8db01ecdb
SHA256 8b127b374befa510bbbe7eea0296391c838d62551e21acf6b2fddf3048fef460
SHA3 ce7625e3c226fc418139d3d70ad9b59b4a5e3cd62106eb9a8f81879339b20ab3
VirtualSize 0x1000
VirtualAddress 0x20c000
SizeOfRawData 0x200
PointerToRawData 0x3fc00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 3.6671

Imports

advapi32.dll ReportEventA
KERNEL32.DLL LoadLibraryA
ExitProcess
GetProcAddress
VirtualProtect
oleaut32.dll VariantCopy
user32.dll CharUpperA
ws2_32.dll bind
wsock32.dll WSAStartup

Delayed Imports

Version Info

TLS Callbacks

StartAddressOfRawData 0x10020b830
EndAddressOfRawData 0x10020b830
AddressOfIndex 0x1000648e0
AddressOfCallbacks 0x10020b830
SizeOfZeroFill 0
Characteristics IMAGE_SCN_TYPE_REG
Callbacks 0x000000010020B7E1

Load Configuration

RICH Header

Errors

[!] Error: Could not read a COFF symbol.
[*] Warning: Section UPX0 has a size of 0!
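Added example, not part of this report or of the analysed binary: a small PE walk that reproduces the report's section-level checks (writable and executable sections, unusual section names, per-section entropy, overlay data after the last section, a COFF symbol table that cannot fit in the file) and translates the entry point and the TLS callback VA to file offsets. It runs on a constructed sample that copies this report's DOS header, PE header, optional header and section-table values but has filler section bodies and a 400-byte overlay; COMMON_SECTION_NAMES is an assumed whitelist, not something the report defines.

```python
import hashlib
import math
import struct
from collections import Counter

# Section characteristic bits from the PE/COFF spec.
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_UNINITIALIZED_DATA = 0x40, 0x80
IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE = 0x20000000, 0x40000000, 0x80000000
COFF_SYMBOL_SIZE = 18  # bytes per COFF symbol table entry
# Assumed whitelist for the "unusual section name" check (not from the report); anything else is flagged.
COMMON_SECTION_NAMES = {".text", ".data", ".rdata", ".bss", ".idata", ".edata",
                        ".rsrc", ".reloc", ".tls", ".pdata", ".xdata"}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; compressed or encrypted data sits close to 8.0."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def parse_pe(buf: bytes) -> dict:
    """DOS header -> e_lfanew -> PE signature -> COFF header -> optional header -> section table."""
    if buf[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew, = struct.unpack_from("<I", buf, 0x3C)
    if buf[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsec, _, ptr_symtab, nsyms, opt_size, _ = struct.unpack_from("<HHIIIHH", buf, coff)
    opt = coff + 20
    magic, = struct.unpack_from("<H", buf, opt)
    if magic not in (0x10B, 0x20B):
        raise ValueError(f"unknown optional header magic {magic:#x}")
    entry_rva, = struct.unpack_from("<I", buf, opt + 16)
    # PE32+ keeps an 8-byte ImageBase at +24; PE32 has BaseOfData there and a 4-byte ImageBase at +28.
    image_base, = (struct.unpack_from("<Q", buf, opt + 24) if magic == 0x20B
                   else struct.unpack_from("<I", buf, opt + 28))
    sections = []
    for i in range(nsec):  # 40-byte IMAGE_SECTION_HEADER entries follow the optional header
        name, vsize, va, raw_size, raw_ptr, _, _, _, _, flags = struct.unpack_from(
            "<8sIIIIIIHHI", buf, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"), "vsize": vsize,
                         "va": va, "raw_size": raw_size, "raw_ptr": raw_ptr, "flags": flags})
    return {"machine": machine, "image_base": image_base, "entry_rva": entry_rva,
            "ptr_symtab": ptr_symtab, "nsyms": nsyms, "sections": sections}

def va_to_file_offset(pe: dict, va: int):
    """Map a VA (entry point, TLS callback) to a file offset; None if it has no bytes on disk."""
    rva = va - pe["image_base"]
    for s in pe["sections"]:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["raw_size"]):
            delta = rva - s["va"]
            return s["raw_ptr"] + delta if delta < s["raw_size"] else None
    return None

def triage(buf: bytes) -> dict:
    """The report's section-level checks, as structured results."""
    pe = parse_pe(buf)
    secs = pe["sections"]
    end = max(s["raw_ptr"] + s["raw_size"] for s in secs)  # first byte after the last section's raw data
    return {
        "wx_sections": [s["name"] for s in secs
                        if s["flags"] & IMAGE_SCN_MEM_WRITE and s["flags"] & IMAGE_SCN_MEM_EXECUTE],
        "unusual_names": [s["name"] for s in secs if s["name"] not in COMMON_SECTION_NAMES],
        "zero_size_sections": [s["name"] for s in secs if s["raw_size"] == 0],
        "entropy": {s["name"]: round(shannon_entropy(buf[s["raw_ptr"]:s["raw_ptr"] + s["raw_size"]]), 3)
                    for s in secs},
        "overlay": (end, len(buf) - end) if len(buf) > end else None,  # (offset, size)
        # A symbol table that would run past EOF cannot be read, which is the error the report ends with.
        "symtab_in_file": pe["ptr_symtab"] == 0
                          or pe["ptr_symtab"] + COFF_SYMBOL_SIZE * pe["nsyms"] <= len(buf),
        "entry_file_offset": va_to_file_offset(pe, pe["image_base"] + pe["entry_rva"]),
    }

def build_sample() -> bytes:
    """Constructed sample, not the analysed binary: the report's header and section-table values,
    filler section bodies (a SHA-256 stream stands in for the packed UPX1 payload) and a 400-byte overlay."""
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x80) + bytes(0x40)           # e_lfanew = 0x80
    coff = struct.pack("<HHIIIHH", 0x8664, 3, 0, 0xF8000, 6429, 0xF0, 0x0027)
    opt = bytearray(0xF0)
    struct.pack_into("<HBBIIIII", opt, 0, 0x20B, 3, 0, 0x40000, 0x1000, 0x1CB000, 0x20B590, 0x1CC000)
    struct.pack_into("<QII", opt, 24, 0x100000000, 0x1000, 0x200)               # ImageBase, alignments
    rwx = IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE
    def sec(name, vsize, va, raw_size, raw_ptr, flags):
        return struct.pack("<8sIIIIIIHHI", name, vsize, va, raw_size, raw_ptr, 0, 0, 0, 0, flags)
    table = (sec(b"UPX0", 0x1CB000, 0x1000, 0, 0x200, IMAGE_SCN_CNT_UNINITIALIZED_DATA | rwx)
             + sec(b"UPX1", 0x40000, 0x1CC000, 0x3FA00, 0x200, IMAGE_SCN_CNT_INITIALIZED_DATA | rwx)
             + sec(b"UPX2", 0x1000, 0x20C000, 0x200, 0x3FC00,
                   IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE))
    headers = dos + b"PE\0\0" + coff + bytes(opt) + table
    assert len(headers) == 0x200                                                 # UPX1 raw data begins here
    upx1 = b"".join(hashlib.sha256(i.to_bytes(2, "little")).digest() for i in range(0x3FA00 // 32))
    upx2 = bytes(0x100) + bytes(range(256))                                      # mid-entropy stub stand-in
    return headers + upx1 + upx2 + b"constructed overlay data\n" * 16

if __name__ == "__main__":
    sample = build_sample()
    print(triage(sample), hex(va_to_file_offset(parse_pe(sample), 0x10020B7E1)))
```

On the constructed sample the triage reports UPX0 and UPX1 as writable and executable, UPX0 as a zero-size section, an overlay starting at 0x3fe00, an entry point at file offset 0x3f790, and the TLS callback 0x10020B7E1 at file offset 0x3f9e1 (RVA 0x20b7e1 minus UPX1's VirtualAddress 0x1cc000, plus its PointerToRawData 0x200). The symbol-table check fails for the same reason it fails on the real file: the report's overlay puts the end of file at 0x3fe00 + 433991 = 0xa9d47, and PointerToSymbolTable 0xf8000 already lies past that, before counting the 6429 entries, which is consistent with the "Could not read a COFF symbol" error.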