4663bba7172a24a9a46a1e2b8d1ed0df
Summary
| Architecture |
IMAGE_FILE_MACHINE_AMD64
|
|---|---|
| Subsystem |
IMAGE_SUBSYSTEM_WINDOWS_GUI
|
| Compilation Date | 2005-Feb-10 16:58:29 |
| Detected languages |
Russian - Russia
|
Plugin Output
| Info | The PE contains common functions which appear in legitimate applications. |
[!] The program may be hiding some of its imports:
|
| Info | The PE's resources present abnormal characteristics. | Resource 127 is possibly compressed or encrypted. |
| Suspicious | The file contains overlay data. | 6 bytes of data starting at offset 0x64c00. |
| Malicious | VirusTotal score: 9/67 (Scanned on 2021-07-28 18:08:54) |
FireEye:
Generic.mg.4663bba7172a24a9
ESET-NOD32: a variant of Win64/TrojanDownloader.Agent.LG Paloalto: generic.ml Kaspersky: UDS:Backdoor.Win32.Bazdor Jiangmin: Trojan.Shelma.izt Kingsoft: Win32.Troj.Undef.(kcloud) Microsoft: Trojan:Win32/Wacatac.B!ml Cynet: Malicious (score: 100) MaxSecure: Trojan.Malware.300983.susgen |
Hashes
DOS Header
| e_magic | MZ |
|---|---|
| e_cblp | 0x90 |
| e_cp | 0x3 |
| e_crlc | 0 |
| e_cparhdr | 0x4 |
| e_minalloc | 0 |
| e_maxalloc | 0xffff |
| e_ss | 0 |
| e_sp | 0xb8 |
| e_csum | 0 |
| e_ip | 0 |
| e_cs | 0 |
| e_ovno | 0 |
| e_oemid | 0 |
| e_oeminfo | 0 |
| e_lfanew | 0x110 |
PE Header
| Signature | PE |
|---|---|
| Machine |
IMAGE_FILE_MACHINE_AMD64
|
| NumberofSections | 6 |
| TimeDateStamp | 2005-Feb-10 16:58:29 |
| PointerToSymbolTable | 0 |
| NumberOfSymbols | 0 |
| SizeOfOptionalHeader | 0xf0 |
| Characteristics |
IMAGE_FILE_DLL
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
|
Image Optional Header
| Magic | PE32+ |
|---|---|
| LinkerVersion | 219.0 |
| SizeOfCode | 0x21200 |
| SizeOfInitializedData | 0x44a00 |
| SizeOfUninitializedData | 0 |
| AddressOfEntryPoint | 0x000000000001845C (Section: .text) |
| BaseOfCode | 0x1000 |
| ImageBase | 0x180000000 |
| SectionAlignment | 0x1000 |
| FileAlignment | 0x200 |
| OperatingSystemVersion | 6.0 |
| ImageVersion | 0.0 |
| SubsystemVersion | 6.0 |
| Win32VersionValue | 0 |
| SizeOfImage | 0x6a000 |
| SizeOfHeaders | 0x400 |
| Checksum | 0 |
| Subsystem |
IMAGE_SUBSYSTEM_WINDOWS_GUI
|
| DllCharacteristics |
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
|
| SizeofStackReserve | 0x100000 |
| SizeofStackCommit | 0x1000 |
| SizeofHeapReserve | 0x100000 |
| SizeofHeapCommit | 0x1000 |
| LoaderFlags | 0 |
| NumberOfRvaAndSizes | 16 |
.text
.rdata
.data
.pdata
.rsrc
.reloc
Imports
| KERNEL32.dll |
FindFirstFileA
FindNextFileA CreateFileA CreatePipe GetProcessHeap GetProcAddress ExitProcess CreateFileW QueryPerformanceCounter GetCurrentProcessId GetCurrentThreadId GetSystemTimeAsFileTime InitializeSListHead RtlCaptureContext RtlLookupFunctionEntry RtlVirtualUnwind IsDebuggerPresent UnhandledExceptionFilter SetUnhandledExceptionFilter GetStartupInfoW IsProcessorFeaturePresent GetModuleHandleW RtlUnwindEx InterlockedFlushSList RtlPcToFileHeader RaiseException GetLastError SetLastError EnterCriticalSection LeaveCriticalSection DeleteCriticalSection InitializeCriticalSectionAndSpinCount TlsAlloc TlsGetValue TlsSetValue TlsFree FreeLibrary LoadLibraryExW GetCurrentProcess TerminateProcess GetModuleHandleExW GetModuleFileNameA MultiByteToWideChar WideCharToMultiByte HeapAlloc HeapFree FindClose FindFirstFileExA IsValidCodePage GetACP GetOEMCP GetCPInfo GetCommandLineA GetCommandLineW GetEnvironmentStringsW FreeEnvironmentStringsW LCMapStringW GetStdHandle GetFileType GetStringTypeW HeapSize HeapReAlloc SetStdHandle WriteFile FlushFileBuffers GetConsoleCP GetConsoleMode SetFilePointerEx WriteConsoleW CloseHandle |
|---|
Delayed Imports
StartW
| Ordinal | 1 |
|---|---|
| Address | 0x9570 |
ajhqkcldxvhpmnbs
| Ordinal | 2 |
|---|---|
| Address | 0xa9a0 |
dbyvvql
| Ordinal | 3 |
|---|---|
| Address | 0xb350 |
degrteurwtvqfdpm
| Ordinal | 4 |
|---|---|
| Address | 0xab90 |
dgpsjrjtpclpituj
| Ordinal | 5 |
|---|---|
| Address | 0xb2d0 |
dingkpynhjpjybpl
| Ordinal | 6 |
|---|---|
| Address | 0xb010 |
dnbmxrtjygfwyuu
| Ordinal | 7 |
|---|---|
| Address | 0xb450 |
dqxxyynlks
| Ordinal | 8 |
|---|---|
| Address | 0xb2e0 |
ezkkuqdggcvnbl
| Ordinal | 9 |
|---|---|
| Address | 0xa9c0 |
fceuizrtxyqy
| Ordinal | 10 |
|---|---|
| Address | 0xa9b0 |
gpltroqelxb
| Ordinal | 11 |
|---|---|
| Address | 0xad70 |
gvldutwhyi
| Ordinal | 12 |
|---|---|
| Address | 0xb8b0 |
hbtrgnfzqcddh
| Ordinal | 13 |
|---|---|
| Address | 0xaaa0 |
icllypwwsm
| Ordinal | 14 |
|---|---|
| Address | 0xb540 |
ipvljvexiggspmvpp
| Ordinal | 15 |
|---|---|
| Address | 0xb6e0 |
jedmpzkrwfxg
| Ordinal | 16 |
|---|---|
| Address | 0xb100 |
jeswtoquvjmhczrez
| Ordinal | 17 |
|---|---|
| Address | 0xb6f0 |
jqphpzshykkphl
| Ordinal | 18 |
|---|---|
| Address | 0xb020 |
juvybcptqimkwzt
| Ordinal | 19 |
|---|---|
| Address | 0xb2f0 |
kcgpyesjmkfi
| Ordinal | 20 |
|---|---|
| Address | 0xac80 |
kzrdmotwjdsxa
| Ordinal | 21 |
|---|---|
| Address | 0xb430 |
lgjctck
| Ordinal | 22 |
|---|---|
| Address | 0xb110 |
nsrgxriqvsmpwch
| Ordinal | 23 |
|---|---|
| Address | 0xb610 |
nwoncweloozaiz
| Ordinal | 24 |
|---|---|
| Address | 0xb330 |
oucjqal
| Ordinal | 25 |
|---|---|
| Address | 0xb2c0 |
oxzbrsgqpgwif
| Ordinal | 26 |
|---|---|
| Address | 0xae60 |
oyagefuhqjx
| Ordinal | 27 |
|---|---|
| Address | 0xb890 |
phwgikfmfaosh
| Ordinal | 28 |
|---|---|
| Address | 0xb030 |
pxeofsrgxkklo
| Ordinal | 29 |
|---|---|
| Address | 0xad80 |
ralixgfywasek
| Ordinal | 30 |
|---|---|
| Address | 0xb460 |
rrhohtqlnkzuw
| Ordinal | 31 |
|---|---|
| Address | 0xb1e0 |
rtvorir
| Ordinal | 32 |
|---|---|
| Address | 0xaab0 |
sgexgqpcuqtonmm
| Ordinal | 33 |
|---|---|
| Address | 0xb310 |
torbziekvewyhrx
| Ordinal | 34 |
|---|---|
| Address | 0xb470 |
trpyzmpqytjjzlz
| Ordinal | 35 |
|---|---|
| Address | 0xac70 |
ttkllaup
| Ordinal | 36 |
|---|---|
| Address | 0xaf40 |
ufmwoljsw
| Ordinal | 37 |
|---|---|
| Address | 0xb7c0 |
ujctkjrfcmpn
| Ordinal | 38 |
|---|---|
| Address | 0xb300 |
vcctiohcb
| Ordinal | 39 |
|---|---|
| Address | 0xaa90 |
vemuycsheyzvjmd
| Ordinal | 40 |
|---|---|
| Address | 0xac90 |
vsalaplyzhpdr
| Ordinal | 41 |
|---|---|
| Address | 0xb320 |
wwkyozshqalgcgdz
| Ordinal | 42 |
|---|---|
| Address | 0xb8a0 |
yhwnhwcmbc
| Ordinal | 43 |
|---|---|
| Address | 0xb440 |
ylgspdrukxmmbqfiq
| Ordinal | 44 |
|---|---|
| Address | 0xb340 |
127
Version Info
IMAGE_DEBUG_TYPE_POGO
| Characteristics |
0
|
|---|---|
| TimeDateStamp | 2021-Jul-28 08:53:59 |
| Version | 0.0 |
| SizeofData | 708 |
| AddressOfRawData | 0x2d674 |
| PointerToRawData | 0x2bc74 |
IMAGE_DEBUG_TYPE_ILTCG
| Characteristics |
0
|
|---|---|
| TimeDateStamp | 2021-Jul-28 08:53:59 |
| Version | 0.0 |
| SizeofData | 0 |
| AddressOfRawData | 0 |
| PointerToRawData | 0 |
TLS Callbacks
Load Configuration
| Size | 0x100 |
|---|---|
| TimeDateStamp | 1970-Jan-01 00:00:00 |
| Version | 0.0 |
| GlobalFlagsClear | (EMPTY) |
| GlobalFlagsSet | (EMPTY) |
| CriticalSectionDefaultTimeout | 0 |
| DeCommitFreeBlockThreshold | 0 |
| DeCommitTotalFreeThreshold | 0 |
| LockPrefixTable | 0 |
| MaximumAllocationSize | 0 |
| VirtualMemoryThreshold | 0 |
| ProcessAffinityMask | 0 |
| ProcessHeapFlags | (EMPTY) |
| CSDVersion | 0 |
| Reserved1 | 0 |
| EditList | 0 |
| SecurityCookie | 0x180030790 |
RICH Header
| XOR Key | 0xcdfb2b18 |
|---|---|
| Unmarked objects | 0 |
| C objects (23917) | 13 |
| ASM objects (23917) | 5 |
| C++ objects (23917) | 120 |
| C++ objects (VS 2015/2017 runtime 26706) | 32 |
| C objects (VS 2015/2017 runtime 26706) | 14 |
| ASM objects (VS 2015/2017 runtime 26706) | 8 |
| Imports (23917) | 3 |
| Total imports | 90 |
| Unmarked objects (#2) | 9 |
| Exports (27045) | 1 |
| Resource objects (27045) | 1 |
| Linker (27045) | 1 |