4bb302094b87e7e800826d95da948393

Summary

Architecture IMAGE_FILE_MACHINE_I386
Subsystem IMAGE_SUBSYSTEM_WINDOWS_CUI
Compilation Date 2020-Mar-11 00:58:39

Plugin Output

Info: Matching compiler(s): Microsoft Visual C++ 6.0 - 8.0
Suspicious: Strings found in the binary may indicate undesirable behavior:
  May have dropper capabilities:
  • CurrentControlSet\Services
Info: The PE contains common functions which appear in legitimate applications.
  [!] The program may be hiding some of its imports:
  • GetProcAddress
  • LoadLibraryExW
  Can access the registry:
  • RegEnumKeyExA
  • RegGetValueA
  • RegCreateKeyExA
  • RegSetValueExA
  • RegQueryInfoKeyA
  • RegOpenKeyExA
  • RegCloseKey
  Possibly launches other programs:
  • CreateProcessA
  Has Internet access capabilities:
  • WinHttpCloseHandle
  • WinHttpReceiveResponse
  • WinHttpSendRequest
  • WinHttpOpenRequest
  • WinHttpSetOption
  • WinHttpQueryDataAvailable
  • WinHttpReadData
  • WinHttpConnect
  • WinHttpOpen
Malicious: VirusTotal score: 16/71 (Scanned on 2025-04-03 11:36:03)
  • APEX: Malicious
  • Antiy-AVL: GrayWare/Win32.Wacapew
  • CAT-QuickHeal: Trojan.Ghanarava.1743174020948393
  • CTX: exe.trojan.zpevdo
  • CrowdStrike: win/malicious_confidence_60% (W)
  • Cylance: Unsafe
  • DeepInstinct: MALICIOUS
  • FireEye: Generic.mg.4bb302094b87e7e8
  • Kingsoft: malware.kb.a.735
  • Lionic: Trojan.Win32.Zpevdo.4!c
  • McAfee: Artemis!4BB302094B87
  • Microsoft: Trojan:Win32/Zpevdo.B
  • Paloalto: generic.ml
  • Panda: Trj/Chgt.AD
  • Rising: Trojan.Zpevdo!8.F912 (CLOUD)
  • SentinelOne: Static AI - Suspicious PE

Hashes

MD5 4bb302094b87e7e800826d95da948393
SHA1 939a4088f9aea304f55c0a6f040b8e1b4836dc63
SHA256 0eeae3907d410e924fabb5683d8e1dbf021c0bd75fde7878c0725e5d3b09ece7
SHA3 4dc1537a70e4231999b0fb71811187043fed814af5ab78fba0ce118dec2b1dab
SSDeep 3072:v2ltC+xSBLo5VglGTV3CI3gCdKnNUgI3dPFRR092xy6L2llnNCRrpgV0eO:OltCUkLoPglE4IQnNUXNFu2Z22iU
Imports Hash b9321ce1adfdd96fc41fc682427fb187

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0xf8

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_I386
NumberofSections 4
TimeDateStamp 2020-Mar-11 00:58:39
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xe0
Characteristics IMAGE_FILE_32BIT_MACHINE, IMAGE_FILE_EXECUTABLE_IMAGE

Image Optional Header

Magic PE32
LinkerVersion 14.0
SizeOfCode 0x1bc00
SizeOfInitializedData 0x9e00
SizeOfUninitializedData 0
AddressOfEntryPoint 0x00007E84 (Section: .text)
BaseOfCode 0x1000
BaseOfData 0x1d000
ImageBase 0x400000
SectionAlignment 0x1000
FileAlignment 0x200
OperatingSystemVersion 6.0
ImageVersion 0.0
SubsystemVersion 6.0
Win32VersionValue 0
SizeOfImage 0x29000
SizeOfHeaders 0x400
Checksum 0
Subsystem IMAGE_SUBSYSTEM_WINDOWS_CUI
DllCharacteristics IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE, IMAGE_DLLCHARACTERISTICS_NX_COMPAT, IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
SizeofStackReserve 0x100000
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

.text

MD5 34606a10c0d8846fc335762f276fb635
SHA1 4465b5fe540259b8833c9edc07c9efd5107b9f98
SHA256 8b0471e786665c1cb421e6dd7898e886548b81e6f6c7dc1522beb3e5cb7ff7c3
SHA3 09fb4ab85a5d66918482bec7e03276a44cf4aa52a8667caed4b2bde425acb731
VirtualSize 0x1ba9f
VirtualAddress 0x1000
SizeOfRawData 0x1bc00
PointerToRawData 0x400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Entropy 6.56479

.rdata

MD5 573e5db22ebb1d87734eec26d7b61ba6
SHA1 7016bfa6a4921c029f9f4d7b701ea674c9bac592
SHA256 7c65846deafac14de66feec587d7ac5c9c2a9070cbd8faefa8c22866c63ad12e
SHA3 0ecec458748cfa5ad68a4d9ee179886fd902daedaf3d3a509a24c79bb7783f8c
VirtualSize 0x721c
VirtualAddress 0x1d000
SizeOfRawData 0x7400
PointerToRawData 0x1c000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Entropy 5.21245

.data

MD5 23882e54ee92082a4d31c7153703d053
SHA1 b6b877da14aff211d62c5a155cd0bcea560cedb3
SHA256 af57e575241a7a5dd0c4833f97765e55dc8f9adb1a6424a9a9f359d26a6b81f1
SHA3 e3e4624aa3b8cbf0ded39346a97983d3cd19936dafd6a9c61abc3122983a056b
VirtualSize 0x146c
VirtualAddress 0x25000
SizeOfRawData 0xa00
PointerToRawData 0x23400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Entropy 2.48112

.reloc

MD5 59d724e1b417e5bbffeccdb7542b2e85
SHA1 deb84b5905cb0d2d506c9a0d9af3a80e4527f137
SHA256 fecde1d30fa0ea4f54c9c8cb36b88e3eb1f262f9165c44b1132fd9e96b9f2bea
SHA3 fe90821463d05df762e3d306cbcf03efc387cefbd4f27675c4c3cd14e5779a1d
VirtualSize 0x13ac
VirtualAddress 0x27000
SizeOfRawData 0x1400
PointerToRawData 0x23e00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Entropy 6.54777

Imports

WINHTTP.dll
  • WinHttpCloseHandle
  • WinHttpReceiveResponse
  • WinHttpSendRequest
  • WinHttpOpenRequest
  • WinHttpSetOption
  • WinHttpQueryDataAvailable
  • WinHttpReadData
  • WinHttpConnect
  • WinHttpOpen
IPHLPAPI.DLL
  • GetAdaptersInfo
ADVAPI32.dll
  • RegEnumKeyExA
  • RegGetValueA
  • RegCreateKeyExA
  • StartServiceCtrlDispatcherA
  • SetServiceStatus
  • RegisterServiceCtrlHandlerA
  • ReportEventA
  • RegisterEventSourceA
  • DeregisterEventSource
  • RegSetValueExA
  • RegQueryInfoKeyA
  • RegOpenKeyExA
  • RegCloseKey
KERNEL32.dll
  • SetStdHandle
  • GetStringTypeW
  • FlushFileBuffers
  • CreateFileW
  • HeapSize
  • HeapReAlloc
  • SetEndOfFile
  • WriteConsoleW
  • RtlUnwind
  • Sleep
  • FindClose
  • FindFirstFileA
  • FindNextFileA
  • GetLastError
  • CreateProcessA
  • GetModuleFileNameA
  • SetEvent
  • WaitForSingleObject
  • CreateMutexA
  • CreateEventA
  • UnhandledExceptionFilter
  • SetUnhandledExceptionFilter
  • GetCurrentProcess
  • TerminateProcess
  • IsProcessorFeaturePresent
  • IsDebuggerPresent
  • GetStartupInfoW
  • GetModuleHandleW
  • QueryPerformanceCounter
  • GetCurrentProcessId
  • GetCurrentThreadId
  • GetSystemTimeAsFileTime
  • InitializeSListHead
  • RaiseException
  • SetLastError
  • EnterCriticalSection
  • LeaveCriticalSection
  • DeleteCriticalSection
  • DecodePointer
  • InitializeCriticalSectionAndSpinCount
  • TlsAlloc
  • TlsGetValue
  • TlsSetValue
  • TlsFree
  • FreeLibrary
  • GetProcAddress
  • LoadLibraryExW
  • ExitProcess
  • GetModuleHandleExW
  • ReadFile
  • GetModuleFileNameW
  • GetStdHandle
  • WriteFile
  • GetCommandLineA
  • GetCommandLineW
  • HeapAlloc
  • HeapFree
  • CompareStringW
  • LCMapStringW
  • GetFileType
  • CloseHandle
  • GetConsoleMode
  • ReadConsoleW
  • SetFilePointerEx
  • GetConsoleCP
  • GetFileSizeEx
  • FindFirstFileExW
  • FindNextFileW
  • IsValidCodePage
  • GetACP
  • GetOEMCP
  • GetCPInfo
  • MultiByteToWideChar
  • WideCharToMultiByte
  • GetEnvironmentStringsW
  • FreeEnvironmentStringsW
  • SetEnvironmentVariableW
  • GetProcessHeap

Delayed Imports

Version Info

IMAGE_DEBUG_TYPE_POGO

Characteristics 0
TimeDateStamp 2020-Mar-11 00:58:39
Version 0.0
SizeofData 712
AddressOfRawData 0x22eec
PointerToRawData 0x21eec

TLS Callbacks

Load Configuration

Size 0xa4
TimeDateStamp 1970-Jan-01 00:00:00
Version 0.0
GlobalFlagsClear (EMPTY)
GlobalFlagsSet (EMPTY)
CriticalSectionDefaultTimeout 0
DeCommitFreeBlockThreshold 0
DeCommitTotalFreeThreshold 0
LockPrefixTable 0
MaximumAllocationSize 0
VirtualMemoryThreshold 0
ProcessAffinityMask 0
ProcessHeapFlags (EMPTY)
CSDVersion 0
Reserved1 0
EditList 0
SecurityCookie 0x425010
SEHandlerTable 0x422ee0
SEHandlerCount 3

RICH Header

XOR Key 0x8678bb24
Unmarked objects 0
ASM objects (VS2017 v14.15 compiler 26715) 11
C++ objects (VS2017 v14.15 compiler 26715) 149
C objects (VS2017 v14.15 compiler 26715) 18
C objects (26504) 17
ASM objects (26504) 19
Imports (VS2017 v14.15 compiler 26715) 9
Total imports 113
C++ objects (26504) 42
C++ objects (VS2019 Update 2 (16.2) compiler 27905) 4
Linker (VS2019 Update 2 (16.2) compiler 27905) 1

Errors