41f32f75482b61287d2662b58a12dc5a

Summary

Architecture IMAGE_FILE_MACHINE_I386
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date 2018-Apr-09 06:50:10
Detected languages Chinese - PRC
English - United States
Comments Windows 服务主进程
FileDescription Windows 服务主进程
FileVersion 1, 0, 0, 1
InternalName mm
LegalCopyright Copyright (C) 2018
OriginalFilename mm.exe
ProductName Windows 服务主进程
ProductVersion 1, 0, 0, 1

Plugin Output

Suspicious PEiD Signature:
UPX V2.00-V2.90 -> Markus Oberhumer & Laszlo Molnar & John Reiser
UPX -> www.upx.sourceforge.net
UPX V2.00-V2.90 -> Markus Oberhumer & Laszlo Molnar & John Reiser

Suspicious The PE is packed with UPX
Unusual section name found: UPX0
Section UPX0 is both writable and executable.
Unusual section name found: UPX1
Section UPX1 is both writable and executable.

Suspicious The PE contains functions most legitimate programs don't use.
[!] The program may be hiding some of its imports:
  • LoadLibraryA
  • GetProcAddress
Can access the registry:
  • RegOpenKeyA
Memory manipulation functions often used by packers:
  • VirtualProtect
  • VirtualAlloc
Leverages the raw socket API to access the Internet:
  • #23

Malicious VirusTotal score: 11/67 (Scanned on 2018-07-09 12:38:53)
Bkav: W32.eHeur.Malware14
Cylance: Unsafe
TheHacker: Posible_Worm32
Baidu: Win32.Trojan.WisdomEyes.16070401.9500.9553
TrendMicro-HouseCall: TROJ_GEN.R002H0AG418
Sophos: Mal/Generic-S
Webroot: W32.Trojan.Gen
Avira: TR/Tiny.qybuo
VBA32: suspected of Trojan.Downloader.gen.h
ESET-NOD32: a variant of Win32/Tiny.NCV
CrowdStrike: malicious_confidence_80% (W)

Hashes

MD5 41f32f75482b61287d2662b58a12dc5a
SHA1 27bd79b9b9295ef5524dc4b5ec41a4a9b8548567
SHA256 6fe391d939b348bb1be235cdf3a963851d3f3d14cfb29dea21cf2b219005b18d
SHA3 34d3ccac2cbd0bfdcb954c7e4755af292b5ab05a8380c7f819caa9dfc5779cf4
SSDeep 192:B8b/K3DgmYuAr57hios/4eStG6mZQE3vC:B87aDlvAr5UosQ1AtaE3vC
Imports Hash 41e9b5bd48c0626db5dafe86570641b0

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0xf0

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_I386
NumberofSections 3
TimeDateStamp 2018-Apr-09 06:50:10
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xe0
Characteristics IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE

Image Optional Header

Magic PE32
LinkerVersion 9.0
SizeOfCode 0x2000
SizeOfInitializedData 0x1000
SizeOfUninitializedData 0x6000
AddressOfEntryPoint 0x00008570 (Section: UPX1)
BaseOfCode 0x7000
BaseOfData 0x9000
ImageBase 0x400000
SectionAlignment 0x1000
FileAlignment 0x200
OperatingSystemVersion 5.0
ImageVersion 0.0
SubsystemVersion 5.0
Win32VersionValue 0
SizeOfImage 0xa000
SizeOfHeaders 0x1000
Checksum 0
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
DllCharacteristics IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
SizeofStackReserve 0x100000
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

UPX0

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA3 a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a
VirtualSize 0x6000
VirtualAddress 0x1000
SizeOfRawData 0
PointerToRawData 0x400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

UPX1

MD5 292b52c697b1a8a855de524e27aee6b9
SHA1 36bc61df47c539906966d53acb33963701f24700
SHA256 662c1b5198d5333988b7d1beacc7d1165d3f3f3a48b04d1b0fcae79bb3f0a766
SHA3 559e2bf309ea7d4350e8463bb7fc3e35708008d8d3e48c727c731aef32736645
VirtualSize 0x2000
VirtualAddress 0x7000
SizeOfRawData 0x1800
PointerToRawData 0x400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 7.40608

.rsrc

MD5 46e0153d7fc12cd46c38b668871395ae
SHA1 f166f90c1f6d093b382f991645b1d8cae818b016
SHA256 ad2f05502355691b6b34ea5cf649244ae93089cf7ee64fd862b2338932596732
SHA3 c356c6482891b48661880c4e396ab8bec70f5c27f924a76e29b8e9345c63cc05
VirtualSize 0x1000
VirtualAddress 0x9000
SizeOfRawData 0xc00
PointerToRawData 0x1c00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 3.94555

Imports

KERNEL32.DLL
  • LoadLibraryA
  • GetProcAddress
  • VirtualProtect
  • VirtualAlloc
  • VirtualFree
  • ExitProcess
ADVAPI32.dll
  • RegOpenKeyA
IPHLPAPI.DLL
  • GetAdaptersInfo
MSVCR90.dll
  • exit
SHLWAPI.dll
  • SHSetValueA
USER32.dll
  • wsprintfA
WS2_32.dll
  • #23

Delayed Imports

109

Type RT_MENU
Language Chinese - PRC
Codepage Latin 1 / Western European
Size 0x50
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 3.24529
MD5 3768d661f1606dafe0bbd6dbcbb1aa50
SHA1 250a2f56a3becde33eceeb3ef69a502fc3bdfcca
SHA256 8f0d417b64215ec2f33379d29e91fbdcd15cd710652ef28e0478c7f4be0a030c
SHA3 e3cf07897350f1c39ad0376f00125782ae1786e1592554044d93e4f679f73935

103

Type RT_DIALOG
Language Chinese - PRC
Codepage Latin 1 / Western European
Size 0x108
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 3.1879
MD5 ffdf9578f442ec6bdd394df41722d974
SHA1 e54a3e0c329a9683ef61a36ad02a57ac2800da47
SHA256 c8f0ac03103094d6ad9b77ced23db02a2bd3d2b4c88861254efe04be6cefb2f1
SHA3 083e7550d9458ceb7c3a68a32baf184c2126b68efc63d6fa84f0ca0b8826e294

7

Type RT_STRING
Language Chinese - PRC
Codepage Latin 1 / Western European
Size 0x28
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 0.847585
MD5 7b0515a2fb3cb8929c8768fd17407af8
SHA1 fc4a79d098739afbc3267c7ebc01fb38fee8b995
SHA256 fe0735f94dfe8c6c193639b81d788ab87428e4d572b1705fac8f82d06a0ffd04
SHA3 52ff9615fefa82bff273dc412a53b2116ade25815d61ab3f1691b9e821ee97c8

109 (#2)

Type RT_ACCELERATOR
Language Chinese - PRC
Codepage Latin 1 / Western European
Size 0x10
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 1.79879
MD5 3d2b1af3424dbcd504f73918619c7d99
SHA1 10d6ed54ea742211a14a05414883f6c00c03080a
SHA256 c2f0c188d6c493d7827bf83fb89c704815796445a0178bb2ae79658d96703a3c
SHA3 b8c5f28d2c132e5bc304e4dc1b314a3f32a2e48675c06828a2a8a014ea05e7fb

1

Type RT_VERSION
Language Chinese - PRC
Codepage Latin 1 / Western European
Size 0x2b0
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 3.54863
MD5 968e93102991b061c313be76e9d87aa3
SHA1 3959f1ce3967c284b09a108fd0b715b5db9ab799
SHA256 031c94b6309300f90e32e8d7cde78b99d8b89ff142a04d9ea7ea7ead7209f7de
SHA3 32e628da0c8e1c7561187a269adc18344b249af8c62a5bc73afa3fdee7e5224d

1 (#2)

Type RT_MANIFEST
Language English - United States
Codepage Latin 1 / Western European
Size 0x256
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 5.0207
MD5 5a32206e4bb9d06170ae00fa980db49b
SHA1 126a45f48625322ba11eb0acf1ade9115ad6802b
SHA256 9f2fc067639866642bb1a73fb43006d233e569d25566b16dedec472fe5d3c5c3
SHA3 bfab9d66b065ea131bdc44ac811cfcf4d5c43a1075f9b6d16f0c8f2f20237cac

String Table contents

mm
MM

Version Info

Signature 0xfeef04bd
StructVersion 0x10000
FileVersion 1.0.0.1
ProductVersion 1.0.0.1
FileFlags (EMPTY)
FileOs VOS_DOS_WINDOWS32
VOS_NT_WINDOWS32
VOS__WINDOWS32
FileType VFT_APP
Language Chinese - PRC
Comments Windows 服务主进程
FileDescription Windows 服务主进程
FileVersion (#2) 1, 0, 0, 1
InternalName mm
LegalCopyright Copyright (C) 2018
OriginalFilename mm.exe
ProductName Windows 服务主进程
ProductVersion (#2) 1, 0, 0, 1
Resource LangID Chinese - PRC

TLS Callbacks

Load Configuration

Size 0x48
TimeDateStamp 1970-Jan-01 00:00:00
Version 0.0
GlobalFlagsClear (EMPTY)
GlobalFlagsSet (EMPTY)
CriticalSectionDefaultTimeout 0
DeCommitFreeBlockThreshold 0
DeCommitTotalFreeThreshold 0
LockPrefixTable 0
MaximumAllocationSize 0
VirtualMemoryThreshold 0
ProcessAffinityMask 0
ProcessHeapFlags (EMPTY)
CSDVersion 0
Reserved1 0
EditList 0
SecurityCookie 0x404000
SEHandlerTable 0x4034b0
SEHandlerCount 1

RICH Header

XOR Key 0xfd519a1
Unmarked objects 0
Imports (VS2008 SP1 build 30729) 2
ASM objects (VS2008 SP1 build 30729) 3
C objects (VS2008 SP1 build 30729) 21
C++ objects (VS2008 SP1 build 30729) 2
Imports (VS2012 build 50727 / VS2005 build 50727) 13
Total imports 69
138 (VS2008 SP1 build 30729) 2
Linker (VS2008 build 21022) 1
Resource objects (VS2008 SP1 build 30729) 1

Errors

[*] Warning: Section UPX0 has a size of 0!