Architecture | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date | 1992-Jun-19 22:22:17 |

Level | Finding | Details |
---|---|---|
Suspicious | PEiD Signature: | UPX V2.00-V2.90 -> Markus Oberhumer & Laszlo Molnar & John Reiser<br>UPX v2.0 -> Markus, Laszlo & Reiser (h)<br>UPX 2.00-3.0X -> Markus Oberhumer & Laszlo Molnar & John Reiser<br>UPX -> www.upx.sourceforge.net<br>UPX V2.00-V2.90 -> Markus Oberhumer & Laszlo Molnar & John Reiser<br>UPX 2.00-3.0X -> Markus Oberhumer & Laszlo Molnar & John Reiser |
Suspicious | The PE is packed with UPX | Unusual section name found: UPX0<br>Section UPX0 is both writable and executable.<br>Unusual section name found: UPX1<br>Section UPX1 is both writable and executable.<br>The PE only has 7 import(s). |
Info | The PE contains common functions which appear in legitimate applications. | [!] The program may be hiding some of its imports: |
Suspicious | The PE header may have been manually modified. | Resource 4090 is possibly compressed or encrypted.<br>Resource 4091 is possibly compressed or encrypted.<br>Resource 4092 is possibly compressed or encrypted.<br>Resource 4093 is possibly compressed or encrypted.<br>Resource 4094 is possibly compressed or encrypted.<br>Resource 4095 is possibly compressed or encrypted.<br>Resource 4096 is possibly compressed or encrypted.<br>The resource timestamps differ from the PE header: |
Suspicious | The file contains overlay data. | 21 bytes of data starting at offset 0xa000. |
Malicious | VirusTotal score: 32/71 (Scanned on 2020-10-29 05:03:52) | Elastic: malicious (high confidence)<br>MicroWorld-eScan: Trojan.GenericKD.32731475<br>McAfee: RDN/Autorun.worm.gen<br>Cylance: Unsafe<br>CrowdStrike: win/malicious_confidence_100% (W)<br>Alibaba: Worm:Win32/Autorun.25b6ebf3<br>K7GW: Riskware ( 0040eff71 )<br>K7AntiVirus: Riskware ( 0040eff71 )<br>Symantec: ML.Attribute.HighConfidence<br>APEX: Malicious<br>Paloalto: generic.ml<br>BitDefender: Trojan.GenericKD.32731475<br>Ad-Aware: Trojan.GenericKD.32731475<br>Sophos: Mal/Emogen-I<br>Comodo: Malware@#11lqir733njld<br>Invincea: Mal/Generic-R + Mal/Emogen-I<br>McAfee-GW-Edition: BehavesLike.Win32.Generic.pc<br>FireEye: Generic.mg.4d8f6dfbe49ef6a4<br>Emsisoft: Trojan.GenericKD.32731475 (B)<br>eGambit: Unsafe.AI_Score_89%<br>Microsoft: Trojan:Win32/Zpevdo.A<br>Arcabit: Trojan.Generic.D1F37153<br>AegisLab: Virus.Win32.Lamer.lmQV<br>GData: Trojan.GenericKD.32731475<br>AhnLab-V3: Malware/Win32.Generic.C2822172<br>BitDefenderTheta: Gen:NN.ZelphiF.34590.cmHfam9n3zb<br>ALYac: Trojan.GenericKD.32731475<br>MAX: malware (ai score=100)<br>Panda: Trj/GdSda.A<br>Fortinet: W32/Emogen.I!worm<br>Webroot: W32.Malware.Gen<br>Cybereason: malicious.be49ef |

e_magic | MZ |
---|---|
e_cblp | 0x50 |
e_cp | 0x2 |
e_crlc | 0 |
e_cparhdr | 0x4 |
e_minalloc | 0xf |
e_maxalloc | 0xffff |
e_ss | 0 |
e_sp | 0xb8 |
e_csum | 0 |
e_ip | 0 |
e_cs | 0 |
e_ovno | 0x1a |
e_oemid | 0 |
e_oeminfo | 0 |
e_lfanew | 0x100 |

Signature | PE |
---|---|
Machine | IMAGE_FILE_MACHINE_I386 |
NumberofSections | 3 |
TimeDateStamp | 1992-Jun-19 22:22:17 |
PointerToSymbolTable | 0 |
NumberOfSymbols | 0 |
SizeOfOptionalHeader | 0xe0 |
Characteristics | IMAGE_FILE_32BIT_MACHINE<br>IMAGE_FILE_BYTES_REVERSED_HI<br>IMAGE_FILE_BYTES_REVERSED_LO<br>IMAGE_FILE_EXECUTABLE_IMAGE<br>IMAGE_FILE_LINE_NUMS_STRIPPED<br>IMAGE_FILE_LOCAL_SYMS_STRIPPED<br>IMAGE_FILE_RELOCS_STRIPPED |

Magic | PE32 |
---|---|
LinkerVersion | 2.0 |
SizeOfCode | 0xa000 |
SizeOfInitializedData | 0x1000 |
SizeOfUninitializedData | 0x14000 |
AddressOfEntryPoint | 0x0001E460 (Section: UPX1) |
BaseOfCode | 0x15000 |
BaseOfData | 0x1f000 |
ImageBase | 0x400000 |
SectionAlignment | 0x1000 |
FileAlignment | 0x200 |
OperatingSystemVersion | 4.0 |
ImageVersion | 0.0 |
SubsystemVersion | 4.0 |
Win32VersionValue | 0 |
SizeOfImage | 0x20000 |
SizeOfHeaders | 0x1000 |
Checksum | 0 |
Subsystem | IMAGE_SUBSYSTEM_WINDOWS_GUI |
SizeofStackReserve | 0x100000 |
SizeofStackCommit | 0x4000 |
SizeofHeapReserve | 0x100000 |
SizeofHeapCommit | 0x1000 |
LoaderFlags | 0 |
NumberOfRvaAndSizes | 16 |

DLL | Imported functions |
---|---|
advapi32.dll | RegCloseKey |
KERNEL32.DLL | LoadLibraryA<br>ExitProcess<br>GetProcAddress<br>VirtualProtect |
oleaut32.dll | VariantCopy |
user32.dll | CharNextA |