Architecture | IMAGE_FILE_MACHINE_AMD64 |
---|---|
Subsystem | IMAGE_SUBSYSTEM_WINDOWS_CUI |
Compilation Date | 2021-Sep-29 09:39:21 |
Info | Interesting strings found in the binary: Contains domain names: |
Suspicious | The PE contains functions most legitimate programs don't use. [!] The program may be hiding some of its imports: |
Malicious | VirusTotal score: 23/70 (Scanned on 2021-11-23 14:51:49) Lionic: Trojan.Win32.Generic.4!c MicroWorld-eScan: Trojan.GenericKDZ.79338 FireEye: Trojan.GenericKDZ.79338 McAfee: GenericRXAA-AA!46351B8DBEE9 Zillya: Backdoor.PMax.Win32.4846 Sangfor: Trojan.Win32.GenericKDZ.79338 Alibaba: Trojan:Win64/BackdoorX.ecde8b79 Symantec: Trojan.Gen.MBT TrendMicro-HouseCall: TROJ_GEN.R002H09JV21 BitDefender: Trojan.GenericKDZ.79338 Ad-Aware: Trojan.GenericKDZ.79338 Sophos: Generic PUA EC (PUA) Emsisoft: Trojan.GenericKDZ.79338 (B) GData: Trojan.GenericKDZ.79338 MAX: malware (ai score=89) Antiy-AVL: Trojan/Generic.ASMalwS.34BD23A Gridinsoft: Trojan.Win64.Sabsik.oa!s1 Microsoft: Trojan:Win32/Wacatac.B!ml ALYac: Trojan.GenericKDZ.79338 Avast: Win64:BackdoorX-gen [Trj] Fortinet: W32/PossibleThreat AVG: Win64:BackdoorX-gen [Trj] Qihoo-360: Win64/Backdoor.Generic.HgEASfkA |
e_magic | MZ |
---|---|
e_cblp | 0x90 |
e_cp | 0x3 |
e_crlc | 0 |
e_cparhdr | 0x4 |
e_minalloc | 0 |
e_maxalloc | 0xffff |
e_ss | 0 |
e_sp | 0xb8 |
e_csum | 0 |
e_ip | 0 |
e_cs | 0 |
e_ovno | 0 |
e_oemid | 0 |
e_oeminfo | 0 |
e_lfanew | 0x108 |
Signature | PE |
---|---|
Machine | IMAGE_FILE_MACHINE_AMD64 |
NumberofSections | 6 |
TimeDateStamp | 2021-Sep-29 09:39:21 |
PointerToSymbolTable | 0 |
NumberOfSymbols | 0 |
SizeOfOptionalHeader | 0xf0 |
Characteristics | IMAGE_FILE_EXECUTABLE_IMAGE, IMAGE_FILE_LARGE_ADDRESS_AWARE |
Magic | PE32+ |
---|---|
LinkerVersion | 14.0 |
SizeOfCode | 0x2e600 |
SizeOfInitializedData | 0x61a00 |
SizeOfUninitializedData | 0 |
AddressOfEntryPoint | 0x000000000000DBAC (Section: .text) |
BaseOfCode | 0x1000 |
ImageBase | 0x140000000 |
SectionAlignment | 0x1000 |
FileAlignment | 0x200 |
OperatingSystemVersion | 6.0 |
ImageVersion | 0.0 |
SubsystemVersion | 6.0 |
Win32VersionValue | 0 |
SizeOfImage | 0x94000 |
SizeOfHeaders | 0x400 |
Checksum | 0x98fad |
Subsystem | IMAGE_SUBSYSTEM_WINDOWS_CUI |
DllCharacteristics | IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE, IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA, IMAGE_DLLCHARACTERISTICS_NX_COMPAT, IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE |
SizeofStackReserve | 0x100000 |
SizeofStackCommit | 0x1000 |
SizeofHeapReserve | 0x100000 |
SizeofHeapCommit | 0x1000 |
LoaderFlags | 0 |
NumberOfRvaAndSizes | 16 |
KERNEL32.dll | CreateNamedPipeW CreateFileW GetLastError SetFileInformationByHandle LoadLibraryA HeapReAlloc CloseHandle HeapAlloc GetCurrentDirectoryW GetProcAddress ExpandEnvironmentStringsW ExitProcess GetProcessHeap GetModuleHandleW lstrcmpiW GetTickCount ConnectNamedPipe SetEndOfFile WriteConsoleW HeapSize SetStdHandle WriteFile GetCurrentProcess GetFullPathNameW HeapFree WriteProcessMemory VirtualAllocEx ReadFile SetEnvironmentVariableW FreeEnvironmentStringsW GetEnvironmentStringsW GetOEMCP GetACP IsValidCodePage FindNextFileW FindFirstFileExW FindClose FlushFileBuffers GetConsoleCP GetFileSizeEx EnumSystemLocalesW GetUserDefaultLCID IsValidLocale MultiByteToWideChar WideCharToMultiByte GetStringTypeW EnterCriticalSection LeaveCriticalSection DeleteCriticalSection SetLastError InitializeCriticalSectionAndSpinCount SwitchToThread TlsAlloc TlsGetValue TlsSetValue TlsFree GetSystemTimeAsFileTime EncodePointer DecodePointer CompareStringW LCMapStringW GetLocaleInfoW GetCPInfo QueryPerformanceCounter GetCurrentProcessId GetCurrentThreadId InitializeSListHead RtlCaptureContext RtlLookupFunctionEntry RtlVirtualUnwind IsDebuggerPresent UnhandledExceptionFilter SetUnhandledExceptionFilter GetStartupInfoW IsProcessorFeaturePresent TerminateProcess RtlUnwindEx RtlPcToFileHeader RaiseException FreeLibrary LoadLibraryExW GetStdHandle GetModuleFileNameW GetModuleHandleExW GetCommandLineA GetCommandLineW SetFilePointerEx GetConsoleMode ReadConsoleW GetFileType |
---|---|
SHELL32.dll | ShellExecuteW |
ntdll.dll | NtCreateProcessEx strcspn NtClose NtCreateSection NtQueryInformationProcess RtlInitUnicodeString NtReadVirtualMemory _local_unwind strrchr wcschr |
SHLWAPI.dll | StrStrW StrCpyW StrRChrW |
USERENV.dll | CreateEnvironmentBlock |
Characteristics | 0 |
---|---|
TimeDateStamp | 2021-Sep-29 09:39:21 |
Version | 0.0 |
SizeofData | 776 |
AddressOfRawData | 0x42a1c |
PointerToRawData | 0x4141c |
Characteristics | 0 |
---|---|
TimeDateStamp | 2021-Sep-29 09:39:21 |
Version | 0.0 |
SizeofData | 0 |
AddressOfRawData | 0 |
PointerToRawData | 0 |
Size | 0x100 |
---|---|
TimeDateStamp | 1970-Jan-01 00:00:00 |
Version | 0.0 |
GlobalFlagsClear | (EMPTY) |
GlobalFlagsSet | (EMPTY) |
CriticalSectionDefaultTimeout | 0 |
DeCommitFreeBlockThreshold | 0 |
DeCommitTotalFreeThreshold | 0 |
LockPrefixTable | 0 |
MaximumAllocationSize | 0 |
VirtualMemoryThreshold | 0 |
ProcessAffinityMask | 0 |
ProcessHeapFlags | (EMPTY) |
CSDVersion | 0 |
Reserved1 | 0 |
EditList | 0 |
SecurityCookie | 0x140047088 |
XOR Key | 0x27925333 |
---|---|
Unmarked objects | 0 |
C objects (26715) | 17 |
ASM objects (26715) | 10 |
C++ objects (26715) | 174 |
199 (41118) | 1 |
ASM objects (VS 2015/2017 runtime 26706) | 9 |
C++ objects (VS 2015/2017 runtime 26706) | 64 |
C objects (VS 2015/2017 runtime 26706) | 28 |
Imports (VS2008 SP1 build 30729) | 2 |
Imports (40310) | 2 |
Imports (26715) | 13 |
Total imports | 139 |
265 (27045) | 1 |
Linker (27045) | 1 |