52af7649ae5fa8101d7a0f010f54443b

Summary

Architecture IMAGE_FILE_MACHINE_I386
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date 2012-Mar-08 15:59:48
Detected languages English - United States; French - France
Debug artifacts C:\Projets\vbsedit_source\script2exe\Release\mywscript.pdb
FileVersion 1, 0, 0, 0
ProductVersion 1, 0, 0, 0
LegalCopyright Copyright (C) 2018
FileDescription
ProductName NisWatchII

Plugin Output

Info Matching compiler(s): Microsoft Visual C++ 6.0 - 8.0
Malicious The PE contains functions mostly used by malware. [!] The program may be hiding some of its imports:
  • LoadLibraryExW
  • LoadLibraryW
  • LoadLibraryA
  • GetProcAddress
Can access the registry:
  • RegSetValueExW
  • RegEnumKeyW
  • RegDeleteKeyW
  • RegQueryValueW
  • RegOpenKeyW
  • RegCreateKeyExW
  • RegCloseKey
  • RegQueryValueExW
  • RegEnumKeyExW
  • RegOpenKeyExW
Uses functions commonly found in keyloggers:
  • CallNextHookEx
  • GetForegroundWindow
Memory manipulation functions often used by packers:
  • VirtualProtect
  • VirtualAlloc
Enumerates local disk drives:
  • GetVolumeInformationW
Info The PE's resources present abnormal characteristics. Resource 129 is possibly compressed or encrypted.
Malicious VirusTotal score: 25/71 (Scanned on 2019-11-01 18:33:35)
VBA32: TrojanDropper.MSIL.Agent
CrowdStrike: win/malicious_confidence_60% (W)
Invincea: heuristic
ClamAV: Win.Malware.Dexel-6910198-0
Kaspersky: Trojan.Win32.Agent.xaaimm
NANO-Antivirus: Trojan.Win32.Dapato.cqtyqs
Paloalto: generic.ml
Sophos: Mal/Generic-S
Comodo: TrojWare.Win32.TrojanDropper.Dexel.A@6k1yft
Zillya: Dropper.Agent.Win32.104010
CMC: Trojan-Downloader.Win32.Gamarue.2!O
SentinelOne: DFI - Suspicious PE
Cyren: W32/Trojan.ORZX-4617
eGambit: Trojan.Generic
Microsoft: Trojan:Win32/Zpevdo.B
AegisLab: Trojan.Win32.Generic.4!c
ZoneAlarm: Trojan.Win32.Agent.xaaimm
AhnLab-V3: Malware/Win32.Generic.C3278571
Zoner: Trojan.Win32.34274
Rising: Trojan.Generic@ML.100 (RDML:mkkSB5BIiRBNb801CO6/ew)
Yandex: Trojan.Agent!4xFGLKGgIf4
BitDefenderTheta: Gen:NN.ZexaE.31176.su0@aWohjOom
AVG: FileRepMalware
Cybereason: malicious.15259f
Qihoo-360: Win32/Trojan.IM.3d2

Hashes

MD5 52af7649ae5fa8101d7a0f010f54443b
SHA1 ce879ab15259fb1a40e36b4231a9ed28c4194fa6
SHA256 eed79e2a580045d1be557b4bfdd91d7ee118ce1d8596184ca7ee978a6cc552f4
SHA3 cd16daf8f960088850b05613bf73d9c3c66ad532ff978ba216d966e2a693e539
SSDeep 6144:17v2qpIYih+xyrQrVmdzBlZlKLcmPm93nskQEX+VabQX4K:173yWmdzBlZlK/PmdskVRbQX4K
Imports Hash 2691b9b51544cc45c4175204fe1d1626

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0xf0

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_I386
NumberofSections 5
TimeDateStamp 2012-Mar-08 15:59:48
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xe0
Characteristics IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE

Image Optional Header

Magic PE32
LinkerVersion 9.0
SizeOfCode 0x29400
SizeOfInitializedData 0x1fa00
SizeOfUninitializedData 0
AddressOfEntryPoint 0x00017C69 (Section: .text)
BaseOfCode 0x1000
BaseOfData 0x2b000
ImageBase 0x400000
SectionAlignment 0x1000
FileAlignment 0x200
OperatingSystemVersion 5.0
ImageVersion 0.0
SubsystemVersion 5.0
Win32VersionValue 0
SizeOfImage 0x51000
SizeOfHeaders 0x400
Checksum 0x44a01
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
DllCharacteristics IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
SizeofStackReserve 0x100000
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

.text

MD5 55b1a4672609887b96340471a7d12198
SHA1 f1ef30142b52535d53ac00bce16b164d6e5eea73
SHA256 3d1787e49598b5b2069f85a0622a47ce220b525c2defc3f274cabbac4a8fd617
SHA3 083342f4e3c9cef45e4fd8bd19d4f8f6adcffd3a4ff700676ab72ca989a42e7d
VirtualSize 0x2923b
VirtualAddress 0x1000
SizeOfRawData 0x29400
PointerToRawData 0x400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
Entropy 6.60251

.rdata

MD5 f34756becee4ac0c36195689a1ad7ae2
SHA1 5e8b668bf2b30f90680f6a909a4a835d258f6dfd
SHA256 75691e05bb8e9a2e535b3c28e310167b0a61b9133f7aa627c1a9379b8efac689
SHA3 f4f63c6b9f63bc6019c52b7385a780d7d0360eaf9797ed0bc5d86e6d6269537d
VirtualSize 0xa9b8
VirtualAddress 0x2b000
SizeOfRawData 0xaa00
PointerToRawData 0x29800
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 4.75546

.data

MD5 1122c2c1568e7169abcafad6930a6768
SHA1 9c5e3fb4f7ed5765a36a84d93989ed71763ada53
SHA256 d96651b5eb7ef9397459a1a2cc11e28fb872c9c3e081a2ce4b576d05bfaf6fab
SHA3 4db25e078a8f4a26a6cc43e61d58f64792111bcba5a1e141c73df1701614363f
VirtualSize 0x6118
VirtualAddress 0x36000
SizeOfRawData 0x2600
PointerToRawData 0x34200
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 3.86216

.rsrc

MD5 57499fff25399d79672162bc6a4e16b6
SHA1 e1df59c1a4eefda16c1dbf21f8abcf8113582aa4
SHA256 87aea98c3ffa23a4b8ad6715ce640cfc3a47ad0b5e905e738ff6231adaf720d0
SHA3 e5d69b6671a8bd2e32bc604ec1a944953291463e74a2735e4c09d604d88f5c31
VirtualSize 0xb1ac
VirtualAddress 0x3d000
SizeOfRawData 0xb200
PointerToRawData 0x36800
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 5.0662

.reloc

MD5 0fd26a531b938bc58f0942d138627ef7
SHA1 a767ced845007d312d5b44a5556f08439c6fc495
SHA256 80df48faa36134cbce30a9c33781f5eeb1b7959e8df17453a587c1b56f4bbf14
SHA3 0667be0419fb745266087a35957d5a5457f490614998fa84cd29b1c93239671b
VirtualSize 0x77e6
VirtualAddress 0x49000
SizeOfRawData 0x7800
PointerToRawData 0x41a00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Entropy 3.31586

Imports

KERNEL32.dll GetFileAttributesW
GetFileSizeEx
GetFileTime
GetStartupInfoW
HeapAlloc
HeapFree
RtlUnwind
HeapReAlloc
RaiseException
VirtualProtect
VirtualAlloc
GetSystemInfo
VirtualQuery
HeapSize
SetUnhandledExceptionFilter
GetModuleFileNameA
FreeEnvironmentStringsW
GetEnvironmentStringsW
SetHandleCount
GetFileType
GetStartupInfoA
HeapCreate
VirtualFree
QueryPerformanceCounter
GetSystemTimeAsFileTime
TerminateProcess
UnhandledExceptionFilter
IsDebuggerPresent
GetCPInfo
GetACP
GetOEMCP
IsValidCodePage
InitializeCriticalSectionAndSpinCount
GetTimeZoneInformation
GetConsoleCP
GetConsoleMode
LCMapStringA
LCMapStringW
GetStringTypeA
GetStringTypeW
GetLocaleInfoA
SetStdHandle
WriteConsoleA
GetConsoleOutputCP
CreateFileA
SetEnvironmentVariableA
FileTimeToLocalFileTime
CreateFileW
GetFullPathNameW
GetVolumeInformationW
FindFirstFileW
FindClose
GetCurrentProcess
DuplicateHandle
GetFileSize
SetEndOfFile
UnlockFile
LockFile
FlushFileBuffers
SetFilePointer
WriteFile
ReadFile
WritePrivateProfileStringW
GetModuleHandleA
GlobalFlags
TlsFree
DeleteCriticalSection
LocalReAlloc
TlsSetValue
TlsAlloc
InitializeCriticalSection
GlobalHandle
GlobalReAlloc
EnterCriticalSection
TlsGetValue
LeaveCriticalSection
LocalAlloc
FileTimeToSystemTime
GetCurrentProcessId
SetErrorMode
GetCurrentThread
ConvertDefaultLocale
EnumResourceLanguagesW
GetLocaleInfoW
LoadLibraryExW
CompareStringA
InterlockedExchange
InterlockedIncrement
lstrlenA
lstrcmpA
CloseHandle
GetCurrentThreadId
GlobalAddAtomW
GlobalFindAtomW
GlobalDeleteAtom
LoadLibraryW
CompareStringW
LoadLibraryA
lstrcmpW
GetVersionExA
FreeLibrary
InterlockedDecrement
GetProcAddress
GetLastError
SetLastError
GlobalFree
GlobalAlloc
GlobalLock
GlobalUnlock
FormatMessageW
LocalFree
lstrlenW
WideCharToMultiByte
WriteConsoleW
ExitProcess
GetModuleFileNameW
ExpandEnvironmentStringsW
GetStdHandle
Sleep
GetModuleHandleW
GetCommandLineW
MultiByteToWideChar
FindResourceW
LoadResource
LockResource
GetTickCount
SizeofResource
USER32.dll CharUpperW
SetCursor
GrayStringW
DrawTextExW
DrawTextW
TabbedTextOutW
ClientToScreen
DestroyMenu
ShowWindow
SetWindowTextW
LoadCursorW
GetDC
ReleaseDC
GetSysColorBrush
GetWindowThreadProcessId
IsWindowEnabled
PostQuitMessage
SetMenuItemBitmaps
LoadBitmapW
ModifyMenuW
CheckMenuItem
GetMessageW
TranslateMessage
GetCursorPos
ValidateRect
RegisterWindowMessageW
LoadIconW
WinHelpW
GetCapture
SetWindowsHookExW
CallNextHookEx
GetClassLongW
GetClassNameW
SetPropW
GetPropW
RemovePropW
GetFocus
IsWindow
GetWindowTextW
GetForegroundWindow
GetLastActivePopup
DispatchMessageW
GetDlgItem
GetTopWindow
DestroyWindow
GetMessageTime
GetMessagePos
PeekMessageW
MapWindowPoints
MessageBoxW
GetActiveWindow
GetSubMenu
GetKeyState
SetMenu
EnableWindow
SetForegroundWindow
IsWindowVisible
GetClientRect
PostMessageW
GetMenuCheckMarkDimensions
GetMenuItemCount
GetMenuItemID
GetMenuState
UnhookWindowsHookEx
GetWindow
GetSystemMetrics
GetWindowRect
GetWindowPlacement
IsIconic
SystemParametersInfoA
SetWindowPos
SetWindowLongW
GetWindowLongW
GetMenu
PtInRect
CopyRect
CallWindowProcW
DefWindowProcW
SendMessageW
CreateWindowExW
GetClassInfoExW
GetClassInfoW
RegisterClassW
GetSysColor
AdjustWindowRectEx
GetParent
GetDlgCtrlID
EnableMenuItem
GDI32.dll DeleteDC
GetStockObject
ScaleWindowExtEx
SetWindowExtEx
ScaleViewportExtEx
SetViewportExtEx
OffsetViewportOrgEx
SetViewportOrgEx
SelectObject
Escape
TextOutW
RectVisible
GetDeviceCaps
SetMapMode
RestoreDC
SaveDC
DeleteObject
ExtTextOutW
CreateBitmap
SetBkColor
SetTextColor
GetClipBox
PtVisible
COMDLG32.dll GetFileTitleW
WINSPOOL.DRV DocumentPropertiesW
OpenPrinterW
ClosePrinter
ADVAPI32.dll RegSetValueExW
RegEnumKeyW
RegDeleteKeyW
RegQueryValueW
RegOpenKeyW
RegCreateKeyExW
RegCloseKey
RegQueryValueExW
RegEnumKeyExW
RegOpenKeyExW
SHLWAPI.dll PathStripToRootW
PathIsUNCW
PathFindFileNameW
PathFindExtensionW
ole32.dll CoDisconnectObject
StringFromGUID2
CoGetObject
CoCreateInstance
CLSIDFromProgID
CoInitialize
OLEAUT32.dll #6
#8
#10
#9
#4
#12
#183
#162
#2
#7
#161
OLEACC.dll (delay-loaded) LresultFromObject
CreateStdAccessibleObject

Delayed Imports

Attributes 0x1
Name OLEACC.dll
ModuleHandle 0x3aef0
DelayImportAddressTable 0x383f8
DelayImportNameTable 0x34238
BoundDelayImportTable 0x34274
UnloadDelayImportTable 0
TimeStamp 1970-Jan-01 00:00:00

129

Type RT_BITMAP
Language UNKNOWN
Codepage Latin 1 / Western European
Size 0x3a4c
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 7.90949
MD5 ae3bd35726e256961b0b7b9e143eda58
SHA1 97fdf228382aa25bfce97f2684f5a4dd98d1bc6d
SHA256 0eb0d9d00f8be714f834bbe9ac386ab75fd67e74009a706cff35addf565a38b3
SHA3 20ba49009ffcf1fe78ab3e74b915e5d93c3d4005eff71718204019f970acad0d

1

Type RT_ICON
Language UNKNOWN
Codepage Latin 1 / Western European
Size 0x70a8
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 2.67318
MD5 1bf4584dc12fe62b9786c55870f4d2a0
SHA1 90f4ddddb79d2f320b48f6d0fed52744613504e5
SHA256 ba2f75718961d4174874e655fc4055d34dddc6e477be7ad48315b7ac79ca44cf
SHA3 6f25cd77fb1343bfbb226f4cdca8d634aafd6d3bd32ab1ed35a3edf0dc09b845

7

Type RT_STRING
Language French - France
Codepage Latin 1 / Western European
Size 0x48
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 2.19502
MD5 10d022e533e73f962adaaea84d9d2341
SHA1 481e712df2258121f09da4acaaa7999fd25a1f23
SHA256 21933103638153262fc04241620439d017bfd09e4bdee5c696367de46a7d1a91
SHA3 5793e868a42430bd434b149a7848daf8da84f6294f6432baaf35f426a40023cc

131

Type RT_GROUP_ICON
Language UNKNOWN
Codepage Latin 1 / Western European
Size 0x14
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 1.91924
Detected Filetype Icon file
MD5 5a181c8e195049d74c15cd450c32b67b
SHA1 4a8e54de71bcbc2fe94255397fd5ea0c38a7ce23
SHA256 beca8ec591fb662213cad9a95fd978021158938a283178e5d01600004d238ef3
SHA3 39d4387198bd7e3b67f20d985a0262e9c961fdadbb80595389db6a917154d210

1 (#2)

Type RT_VERSION
Language UNKNOWN
Codepage Latin 1 / Western European
Size 0x1fc
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 3.59208
MD5 c9b7b544a9ddb7849b802905c4ff657a
SHA1 e2d2f2044f20e23dd9af63cd171cd70b377955d9
SHA256 3f6069c080316b866b2aa1bd15ec3eac22e651d3534959e84235c6535e823918
SHA3 059bc74433001d95a3cd7f0f02f94a5430052601f1973b032fe07aeea887ab79

1 (#3)

Type RT_MANIFEST
Language UNKNOWN
Codepage Latin 1 / Western European
Size 0x12a
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 4.76335
MD5 aaf3ee7fa1852fab25ddef0cd42b66f8
SHA1 c4a0d6105c3ae5103ff54b5a59e40aee3771e082
SHA256 a8cb18d3a79d9cc323fde18a0dc9d9fdad4c55e3998a76772546fc70aeef3e21
SHA3 39f95ba32add6c64595f7271a6174cddf6ef045ba0316eac1683990d7ed5042c

1 (#4)

Type RT_MANIFEST
Language English - United States
Codepage Latin 1 / Western European
Size 0x15a
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 4.79597
MD5 24d3b502e1846356b0263f945ddd5529
SHA1 bac45b86a9c48fc3756a46809c101570d349737d
SHA256 49a60be4b95b6d30da355a0c124af82b35000bce8f24f957d1c09ead47544a1e
SHA3 1244ed60820da52dc4b53880ec48e3b587dbdbd9545f01fa2b1c0fcfea1d5e9e

String Table contents

mywscript2
MYWSCRIPT2

Version Info

Signature 0xfeef04bd
StructVersion 0x10000
FileVersion 1.0.0.0
ProductVersion 1.0.0.0
FileFlags VS_FF_DEBUG
FileOs VOS_DOS_WINDOWS32
VOS_NT_WINDOWS32
VOS__WINDOWS32
FileType VFT_APP
Language English - United States
FileVersion (#2) 1, 0, 0, 0
ProductVersion (#2) 1, 0, 0, 0
LegalCopyright Copyright (C) 2018
FileDescription
ProductName NisWatchII
Resource LangID UNKNOWN

IMAGE_DEBUG_TYPE_CODEVIEW

Characteristics 0
TimeDateStamp 2012-Mar-08 15:59:48
Version 0.0
SizeofData 83
AddressOfRawData 0x306c0
PointerToRawData 0x2eec0
Referenced File C:\Projets\vbsedit_source\script2exe\Release\mywscript.pdb

TLS Callbacks

Load Configuration

Size 0x48
TimeDateStamp 1970-Jan-01 00:00:00
Version 0.0
GlobalFlagsClear (EMPTY)
GlobalFlagsSet (EMPTY)
CriticalSectionDefaultTimeout 0
DeCommitFreeBlockThreshold 0
DeCommitTotalFreeThreshold 0
LockPrefixTable 0
MaximumAllocationSize 0
VirtualMemoryThreshold 0
ProcessAffinityMask 0
ProcessHeapFlags (EMPTY)
CSDVersion 0
Reserved1 0
EditList 0
SecurityCookie 0x436ddc
SEHandlerTable 0x431e80
SEHandlerCount 106

RICH Header

XOR Key 0x647ee5a7
Unmarked objects 0
C objects (VS2012 build 50727 / VS2005 build 50727) 8
Imports (VS2012 build 50727 / VS2005 build 50727) 21
Total imports 516
ASM objects (VS2008 SP1 build 30729) 25
C objects (VS2008 SP1 build 30729) 151
C++ objects (VS2008 SP1 build 30729) 130
C++ objects (VS2008 build 21022) 3
138 (VS2008 SP1 build 30729) 8
Linker (VS2008 build 21022) 1
Resource objects (VS2008 SP1 build 30729) 1

Errors