4280aac55c1d3c327a6c00f0f0085677

Summary

Architecture IMAGE_FILE_MACHINE_I386
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date 2009-May-14 17:12:41
Detected languages English - United States

Plugin Output

Info Matching compiler(s):
  • Microsoft Visual C++ 8.0
  • Microsoft Visual C++
  • Microsoft Visual C++ v6.0
Suspicious Strings found in the binary may indicate undesirable behavior: Miscellaneous malware strings:
  • cmd.exe
Suspicious The PE contains functions most legitimate programs don't use. Possibly launches other programs:
  • CreateProcessA
Leverages the raw socket API to access the Internet:
  • #9
  • #4
  • #23
  • #115
  • #19
  • #11
  • #16
  • #3
Malicious VirusTotal score: 57/68 (Scanned on 2018-10-06 07:23:14)
MicroWorld-eScan: Trojan.Generic.14947061
CMC: Backdoor.Win32.Small!O
CAT-QuickHeal: Backdoor.Neporoot
McAfee: BackDoor-ZZX
Cylance: Unsafe
Zillya: Backdoor.Small.Win32.3644
TheHacker: Backdoor/Small.aad
BitDefender: Trojan.Generic.14947061
K7GW: Backdoor ( 0011b9be1 )
K7AntiVirus: Backdoor ( 0011b9be1 )
TrendMicro: BKDR_SMALL.LIY
F-Prot: W32/MalwareS.BJDC
Symantec: Backdoor.Trojan
ESET-NOD32: a variant of Win32/CMDer.AA
TrendMicro-HouseCall: BKDR_SMALL.LIY
Paloalto: generic.ml
ClamAV: Win.Malware.Agent-6361001-0
Kaspersky: Backdoor.Win32.Small.aad
NANO-Antivirus: Trojan.Win32.Small.cgfnz
ViRobot: Backdoor.Win32.A.Small.8192.J
SUPERAntiSpyware: Backdoor.Small/Variant
Avast: Win32:Trojan-gen
Tencent: Win32.Backdoor.Small.Pboy
Ad-Aware: Trojan.Generic.14947061
Sophos: Troj/Bdoor-BET
F-Secure: Trojan.Generic.14947061
DrWeb: BackDoor.Siggen2.329
VIPRE: Trojan.Win32.Generic!BT
McAfee-GW-Edition: BehavesLike.Win32.Generic.xm
Emsisoft: Trojan.Generic.14947061 (B)
Cyren: W32/Risk.EHGV-6738
Jiangmin: Backdoor/Small.cqd
Webroot: W32.Trojan.Gen
Avira: BDS/Small.L
Antiy-AVL: Trojan[Backdoor]/Win32.Small
Kingsoft: Win32.Hack.Small.(kcloud)
Microsoft: Backdoor:Win32/Neporoot.A
Endgame: malicious (high confidence)
Arcabit: Trojan.Generic.DE412F5
AegisLab: Trojan.Win32.Small.m!c
ZoneAlarm: Backdoor.Win32.Small.aad
GData: Trojan.Generic.14947061
TACHYON: Backdoor/W32.Small.8192.U
AhnLab-V3: Trojan/Win32.Downloader.C113283
ALYac: Trojan.Generic.14947061
AVware: Trojan.Win32.Generic!BT
MAX: malware (ai score=100)
VBA32: Backdoor.Small
Rising: Backdoor.Neporoot!8.48D3 (CLOUD)
Yandex: Backdoor.Small!WDCa3SQo16g
Ikarus: Backdoor.Win32.Small
Fortinet: W32/CMDer.AA!tr
AVG: Win32:Trojan-gen
Cybereason: malicious.55c1d3
Panda: Trj/CI.A
CrowdStrike: malicious_confidence_80% (D)
Qihoo-360: HEUR/QVM07.1.Malware.Gen

Hashes

MD5 4280aac55c1d3c327a6c00f0f0085677
SHA1 e006036ff66277bda3e811b260a6441aec64dc73
SHA256 84b7967aad00e982842045e7b9744af0a457d46bba70456e5f99e7eb9cd783c7
SHA3 de9ac161b64b73682fdf8972ee4e61e2612bfd70493ddbca9f117df80e373144
SSDeep 96:UHAda4xt6WvkZq2yPJbKrApZyRKONWwdxbpMSnaXpMSD+H57PtboynFj8M:utbjQwMPK1buxueQ57P1oynKM
Imports Hash 92f16fc764b9826e6559477bacf4538d

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0xe0

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_I386
NumberofSections 4
TimeDateStamp 2009-May-14 17:12:41
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xe0
Characteristics IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_RELOCS_STRIPPED

Image Optional Header

Magic PE32
LinkerVersion 6.0
SizeOfCode 0x1000
SizeOfInitializedData 0xc00
SizeOfUninitializedData 0
AddressOfEntryPoint 0x00001CDA (Section: .text)
BaseOfCode 0x1000
BaseOfData 0x2000
ImageBase 0x400000
SectionAlignment 0x1000
FileAlignment 0x200
OperatingSystemVersion 4.0
ImageVersion 0.0
SubsystemVersion 4.0
Win32VersionValue 0
SizeOfImage 0x5000
SizeOfHeaders 0x400
Checksum 0
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
SizeofStackReserve 0x100000
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

.text

MD5 562b990796940dcf43cddc00f435334b
SHA1 7d92846f02ac1766d04ee49c13760222c6540121
SHA256 a34d790bfd08a83e378c53ce2b9d1b2267fc8a9b78065980ffc3e5bb421305e7
SHA3 b71fcbc550b50d758e77d493da0a16e984bfaa3a981b370247ebfce88fd8f467
VirtualSize 0xea6
VirtualAddress 0x1000
SizeOfRawData 0x1000
PointerToRawData 0x400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
Entropy 5.92587

.rdata

MD5 e676d73aa315b095f47a0183feb9b7d9
SHA1 2fc720a5b8ed5c4f872ab7409df79513b8b2422b
SHA256 b95d23e00208320a5eee33aa14c4ff38f70a450d2467c6b024d874a35190f521
SHA3 fad9c51e057b9d676b5bf7e6b376cec133dbf6da3355dc48e2cd25def882a8ce
VirtualSize 0x67e
VirtualAddress 0x2000
SizeOfRawData 0x800
PointerToRawData 0x1400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 4.42392

.data

MD5 74c99e468eb65e0c50c6f13833b3eec2
SHA1 54dd817affc18570b51c1a8c9157dafa5532e22b
SHA256 bc7be3d89a2ce73e468127eafca394663e25204e13000beb1975a0984bac7c27
SHA3 5497ddea45e40efd2e0427a756d0127ebcb1456c71f62c121dabe0506006fbd6
VirtualSize 0x628
VirtualAddress 0x3000
SizeOfRawData 0x200
PointerToRawData 0x1c00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 1.88508

.rsrc

MD5 7cbc614f9912a21b6c50b9e94e0d1bef
SHA1 280fe56cbaca526b078d13bc7e27b1129be8d743
SHA256 bfef99e04cca56a6bbb27d5f2c1da5793e1d28af9d407a7eea8f4b6ea3a54621
SHA3 f7090d2128ebb62a7f39949646b7a9ed363d01f87306e0fa170d4b59cee746d9
VirtualSize 0x7c
VirtualAddress 0x4000
SizeOfRawData 0x200
PointerToRawData 0x1e00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 3.3838

Imports

KERNEL32.dll CloseHandle
WaitForSingleObject
CreateEventA
ExitThread
Sleep
GetComputerNameA
CreatePipe
DisconnectNamedPipe
TerminateProcess
WaitForMultipleObjects
TerminateThread
CreateThread
CreateProcessA
DuplicateHandle
GetCurrentProcess
ReadFile
PeekNamedPipe
SetEvent
WriteFile
SetProcessPriorityBoost
SetThreadPriority
GetCurrentThread
SetPriorityClass
lstrcatA
lstrcpyA
GetEnvironmentVariableA
GetShortPathNameA
GetModuleFileNameA
GetStartupInfoA
GetModuleHandleA
USER32.dll LoadStringA
SHELL32.dll ShellExecuteExA
SHChangeNotify
MSVCRT.dll _controlfp
_beginthread
_strnicmp
sprintf
atol
strchr
free
malloc
_exit
_XcptFilter
exit
_acmdln
__getmainargs
_initterm
__setusermatherr
_adjust_fdiv
__p__commode
__p__fmode
__set_app_type
_except_handler3
_itoa
WS2_32.dll #9
#4
#23
#115
#19
#11
#16
#3

Delayed Imports

1

Type RT_STRING
Language English - United States
Codepage Latin 1 / Western European
Size 0x24
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 2.55269
MD5 e10550c684f9c903530a195d8c97236b
SHA1 f8bea00ecf2076d4649ac3d78ce1eb471f64ca40
SHA256 fd48e366061ed8af0b3d57fd651eacd5f9d3d136326fb961eadf6032b47b1e81
SHA3 d564da115cb6d3d7741b6a2f2c510cf4e2e8d34e461c513ca813b72ad5320e54

String Table contents

60.248.52.95:443
DDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADD (linker section padding "PADDINGXXPADDING", misread as UTF-16 by the string extractor)

Version Info

TLS Callbacks

Load Configuration

RICH Header

XOR Key 0xc27c8a6f
Unmarked objects 0
12 (7291) 1
C objects (VS98 build 8168) 11
14 (7299) 1
Linker (VS98 build 8168) 2
Imports (2179) 11
Total imports 70
C++ objects (VS98 build 8168) 3
Resource objects (VS98 cvtres build 1720) 1

Errors