42d2bf6f6acc6e6db182023eb7917c70

Summary

Architecture IMAGE_FILE_MACHINE_I386
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date 1970-Jan-01 00:00:00
Debug artifacts m:\games\quake2\anticheat.pdb

Plugin Output

Info Cryptographic algorithms detected in the binary: Uses constants related to CRC32
Suspicious The PE is possibly packed.
  • Unusual section name found:
  • Section is both writable and executable.
  • Unusual section name found:
  • Unusual section name found:
  • Unusual section name found:
  • Section is both writable and executable.
  • The PE only has 2 import(s).
Info The PE contains common functions which appear in legitimate applications. [!] The program may be hiding some of its imports:
  • LoadLibraryA
  • GetProcAddress
Malicious VirusTotal score: 13/61 (Scanned on 2017-05-14 06:01:38)
  • CMC: Virus.Win32.Sality!O
  • McAfee: Artemis!42D2BF6F6ACC
  • AegisLab: Troj.Gen!c
  • Baidu: Win32.Trojan.WisdomEyes.16070401.9500.9998
  • Symantec: Trojan.Gen.8!cloud
  • ClamAV: Win.Trojan.Sality-67775
  • Invincea: trojan.win32.swrort.a
  • McAfee-GW-Edition: BehavesLike.Win32.Dropper.tc
  • Webroot: W32.Trojan.Gen
  • Endgame: malicious (high confidence)
  • AhnLab-V3: Malware/Win32.Generic.C1502052
  • Rising: Malware.Undefined!8.C (cloud:l6pm0ZxzYkH)
  • CrowdStrike: malicious_confidence_87% (D)

Hashes

MD5 42d2bf6f6acc6e6db182023eb7917c70
SHA1 4300f81033f54a2eefecd39855d8362c0340f32d
SHA256 4cca354ec677172c0c04e729ae485ffa3b59c3ad4bba93c9e60e2f8a2140a674
SHA3 b75f3aa8e4ecb95d4fee55ec18e7b290bdb382b92d8bfcef06112b85a8348030
SSDeep 24576:qgUAEkTYZREdeC7nrruIPPTOCfOMMizSLhoCEwKJJDzqae1dZC06KTrzs4aPSOQC:qgnMZREXrrumTOCWUzSLhPE1/DGae1do
Imports Hash 87bed5a7cba00c7e1f4015f1bdae2183

DOS Header

e_magic MZ
e_cblp 0
e_cp 0
e_crlc 0
e_cparhdr 0
e_minalloc 0
e_maxalloc 0
e_ss 0
e_sp 0
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0x18

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_I386
NumberofSections 4
TimeDateStamp 1970-Jan-01 00:00:00
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xe0
Characteristics IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_RELOCS_STRIPPED

Image Optional Header

Magic PE32
LinkerVersion 0.0
SizeOfCode 0x121c00
SizeOfInitializedData 0x68000
SizeOfUninitializedData 0x18
AddressOfEntryPoint 0x0018B060 (Section: )
BaseOfCode 0x1000
BaseOfData 0x123000
ImageBase 0x66ac0000
SectionAlignment 0x1000
FileAlignment 0x200
OperatingSystemVersion 0.0
ImageVersion 0.0
SubsystemVersion 6.0
Win32VersionValue 0
SizeOfImage 0x18d000
SizeOfHeaders 0x400
Checksum 0
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
DllCharacteristics IMAGE_DLLCHARACTERISTICS_NO_BIND
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
SizeofStackReserve 0x100000
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

Sections

(#1)

MD5 d4519fa02765c8df34cba013e04100a3
SHA1 102f6bfc2b84aa1c0ee3155d582724a031a4b21d
SHA256 b77508fa21224e9f0f70c513a25785e8cc7117c76835994ff1c5cf7dc0c3a6d7
SHA3 07b952d87b9544b1f8abcb1c656307b65442d7ed7f04de822805f1e524764688
VirtualSize 0x121be8
VirtualAddress 0x1000
SizeOfRawData 0x121c00
PointerToRawData 0x400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 7.99702

(#2)

MD5 cf9da09ae3841ffe3de82ac43b54231f
SHA1 e8b454e51471a561825ecc0ffcf55ea5be7c11ac
SHA256 1f0ef9983a2fc2e388e6cb78a0b9783947ce0bd5a0f83620b6f5fa3cb65b6016
SHA3 2e242071b1a008ea3b8f5c926737ea57d8feb317ce46c083b848f7f2ec9d614c
VirtualSize 0x42e56
VirtualAddress 0x123000
SizeOfRawData 0x43000
PointerToRawData 0x122000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 5.88253

(#3)

MD5 4e50e1fa854921501b7737578d23c611
SHA1 17463cf3b72d6240884c7cec87ed6bf97a5b5711
SHA256 a37d01e25cb25eb23c64a1511f9902748c8928ec4cafd332e18ef7598869e91e
SHA3 127e9949f419c2e4cfe0b458d2750c26f5a7a9748c9fd5ab78d61e4632e92554
VirtualSize 0x24ea0
VirtualAddress 0x166000
SizeOfRawData 0xbe00
PointerToRawData 0x165000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 7.90969

(#4)

MD5 03d899964f360b60630d3658ecb6e1e5
SHA1 085feb99d982ab823bb63cada61494c9ecc932f7
SHA256 d9d264c8e754a032e1290989f4683a4a4ffd2d88f4e84f3d672d9ee3fcd80d4d
SHA3 cde69be880515b8a5d8f98bb21e44dcdedc139afd26fc101a529842c75299d4b
VirtualSize 0x2000
VirtualAddress 0x18b000
SizeOfRawData 0xd7b
PointerToRawData 0x170e00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 7.2431

Imports

KERNEL32.dll LoadLibraryA
GetProcAddress

Delayed Imports

Exports

Initialize

Ordinal 1
Address 0x38da8

Version Info

Debug Info

IMAGE_DEBUG_TYPE_CODEVIEW

Characteristics 0
TimeDateStamp 2016-May-12 01:34:55
Version 0.0
SizeofData 54
AddressOfRawData 0x1640c0
PointerToRawData 0x1630c0
Referenced File m:\games\quake2\anticheat.pdb

IMAGE_DEBUG_TYPE_VC_FEATURE

Characteristics 0
TimeDateStamp 2016-May-12 01:34:55
Version 0.0
SizeofData 20
AddressOfRawData 0x1640f8
PointerToRawData 0x1630f8

TLS Callbacks

Load Configuration

Size 0x48
TimeDateStamp 1970-Jan-01 00:00:00
Version 0.0
GlobalFlagsClear (EMPTY)
GlobalFlagsSet (EMPTY)
CriticalSectionDefaultTimeout 0
DeCommitFreeBlockThreshold 0
DeCommitTotalFreeThreshold 0
LockPrefixTable 0
MaximumAllocationSize 0
VirtualMemoryThreshold 0
ProcessAffinityMask 0
ProcessHeapFlags (EMPTY)
CSDVersion 0
Reserved1 0
EditList 0
SecurityCookie 0x66c2bd10
SEHandlerTable 0
SEHandlerCount 0

RICH Header

Errors