Architecture | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date | 2010-Aug-01 10:32:37 |
Detected languages | English - United States |
Info | Matching compiler(s): | MASM/TASM - sig2(h) |
---|---|---|
Suspicious | PEiD Signature: | FASM 1.5x; FASM v1.5x |
Suspicious | Strings found in the binary may indicate undesirable behavior: | Contains another PE executable |
Suspicious | The PE is possibly packed. | Section .code is both writable and executable. Unusual section name found: .NewSec. Section .NewSec is both writable and executable. |
Info | The PE contains common functions which appear in legitimate applications. | Possibly launches other programs |
Suspicious | The PE header may have been manually modified. | The resource timestamps differ from the PE header |
Suspicious | The file contains overlay data. | 2485774 bytes of data starting at offset 0x8000. Overlay data accounts for 98.6989% of the executable. |
Malicious | VirusTotal score: 64/73 (Scanned on 2020-07-18 01:08:44) | Per-engine detections are listed in the table below |

Bkav | W32.OverlayND.PE |
---|---|
MicroWorld-eScan | Trojan.Agent.EMNR |
FireEye | Generic.mg.4d037478ca682c5e |
CAT-QuickHeal | Trojan.Ausiv.S12202810 |
McAfee | Packed-SU!4D037478CA68 |
Cylance | Unsafe |
Zillya | Trojan.Black.Win32.51155 |
Sangfor | Malware |
K7AntiVirus | Trojan ( 005205011 ) |
Alibaba | virus:Win32/InfectPE.ali2000007 |
K7GW | Trojan ( 00517a0d1 ) |
Cybereason | malicious.8ca682 |
Arcabit | Trojan.Agent.EMNR |
Invincea | heuristic |
F-Prot | W32/S-a846205f!Eldorado |
Symantec | W32.Suviapen |
APEX | Malicious |
ClamAV | Win.Virus.VMProtBad-6450060-0 |
Kaspersky | Packed.Win32.Krap.jc |
BitDefender | Trojan.Agent.EMNR |
NANO-Antivirus | Trojan.Win32.Krap.espnuv |
ViRobot | Trojan.Win32.Agent.Gen.C |
Avast | Win32:Agent-BCFZ [Trj] |
Tencent | Trojan.Win32.Kryptik.fwwy |
Ad-Aware | Trojan.Agent.EMNR |
TACHYON | Worm/W32.Sivis.Zen |
Emsisoft | Trojan.Agent.EMNR (B) |
Comodo | Virus.Win32.VirLock.GA@7lv9go |
F-Secure | Trojan.TR/ATRAPS.Gen2 |
DrWeb | Trojan.Encoder.14453 |
VIPRE | Trojan.Win32.Generic!BT |
TrendMicro | PE_LUMER.MR |
Trapmine | malicious.high.ml.score |
Sophos | W32/Sivis-B |
Ikarus | Trojan.Win32.Ausiv |
Cyren | W32/S-a846205f!Eldorado |
Jiangmin | Packed.Krap.fyig |
Webroot | W32.Trojan.Fileinfector-2 |
Avira | TR/ATRAPS.Gen2 |
Fortinet | W32/Ausiv.A |
Antiy-AVL | Trojan[Packed]/Win32.Krap |
Endgame | malicious (high confidence) |
Microsoft | Trojan:Win32/Ausiv!rfn |
AegisLab | Hacktool.Win32.Krap.x!e |
ZoneAlarm | Packed.Win32.Krap.jc |
Cynet | Malicious (score: 100) |
AhnLab-V3 | Trojan/Win32.Ransom.R213603 |
Acronis | suspicious |
BitDefenderTheta | Gen:NN.ZexaF.34136.zAZ@a8Hp6rci |
ALYac | Trojan.Agent.EMNR |
MAX | malware (ai score=82) |
VBA32 | Trojan.Encoder |
Malwarebytes | Ransom.Winlock |
ESET-NOD32 | Win32/Ausiv.A |
TrendMicro-HouseCall | PE_LUMER.MR |
Rising | Virus.Sivis!1.A647 (CLOUD) |
Yandex | Trojan.Encoder!pNjka2bf5mk |
SentinelOne | DFI - Malicious PE |
eGambit | Unsafe.AI_Score_100% |
GData | Trojan.Agent.EMNR |
MaxSecure | Packed.Krap.JC |
AVG | Win32:Agent-BCFZ [Trj] |
CrowdStrike | win/malicious_confidence_100% (W) |
Qihoo-360 | HEUR/QVM19.1.A30F.Malware.Gen |
e_magic | MZ |
---|---|
e_cblp | 0x90 |
e_cp | 0x3 |
e_crlc | 0 |
e_cparhdr | 0x4 |
e_minalloc | 0 |
e_maxalloc | 0xffff |
e_ss | 0 |
e_sp | 0xb8 |
e_csum | 0 |
e_ip | 0 |
e_cs | 0 |
e_ovno | 0 |
e_oemid | 0 |
e_oeminfo | 0 |
e_lfanew | 0x80 |
Signature | PE |
---|---|
Machine | IMAGE_FILE_MACHINE_I386 |
NumberofSections | 6 |
TimeDateStamp | 2010-Aug-01 10:32:37 |
PointerToSymbolTable | 0 |
NumberOfSymbols | 0 |
SizeOfOptionalHeader | 0xe0 |
Characteristics | IMAGE_FILE_32BIT_MACHINE, IMAGE_FILE_EXECUTABLE_IMAGE, IMAGE_FILE_LINE_NUMS_STRIPPED, IMAGE_FILE_LOCAL_SYMS_STRIPPED, IMAGE_FILE_RELOCS_STRIPPED |
Magic | PE32 |
---|---|
LinkerVersion | 2.0 |
SizeOfCode | 0x3200 |
SizeOfInitializedData | 0x1e00 |
SizeOfUninitializedData | 0x1000 |
AddressOfEntryPoint | 0x00001000 (Section: .code) |
BaseOfCode | 0x1000 |
BaseOfData | 0x4000 |
ImageBase | 0x400000 |
SectionAlignment | 0x1000 |
FileAlignment | 0x200 |
OperatingSystemVersion | 4.0 |
ImageVersion | 0.0 |
SubsystemVersion | 4.0 |
Win32VersionValue | 0 |
SizeOfImage | 0x8000 |
SizeOfHeaders | 0x400 |
Checksum | 0 |
Subsystem | IMAGE_SUBSYSTEM_WINDOWS_GUI |
SizeofStackReserve | 0x100000 |
SizeofStackCommit | 0x1000 |
SizeofHeapReserve | 0x100000 |
SizeofHeapCommit | 0x1000 |
LoaderFlags | 0 |
NumberOfRvaAndSizes | 16 |
MSVCRT.dll | memset, memcpy, _stricmp, strncmp, _strnicmp, strcmp, memmove, strlen, strcpy, strcat, strncpy |
---|---|
KERNEL32.dll | GetModuleHandleA, HeapCreate, HeapDestroy, ExitProcess, GetCurrentThreadId, GetTickCount, HeapAlloc, HeapFree, WriteFile, CloseHandle, CreateFileA, GetFileSize, ReadFile, SetFilePointer, InitializeCriticalSection, GetModuleFileNameA, GetCurrentProcess, DuplicateHandle, CreatePipe, GetStdHandle, CreateProcessA, WaitForSingleObject, EnterCriticalSection, LeaveCriticalSection, GetCurrentProcessId, GetDriveTypeA, FindFirstFileA, FindClose, GetFileAttributesA, CreateDirectoryA, GetLastError, FindNextFileA, SetFileAttributesA, HeapReAlloc |
COMCTL32.DLL | InitCommonControls |
USER32.DLL | MessageBoxA, GetWindowThreadProcessId, IsWindowVisible, IsWindowEnabled, GetForegroundWindow, EnableWindow, EnumWindows |
SHELL32.DLL | ShellExecuteExA |
OLE32.DLL | CoInitialize |