Architecture | IMAGE_FILE_MACHINE_I386
Subsystem | IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date | 2055-Apr-28 15:49:27
Comments |
CompanyName |
FileDescription | TestLHDllDemo
FileVersion | 1.1.9
InternalName | AdUds.exe
LegalCopyright | Copyright © 2023
LegalTrademarks |
OriginalFilename | AdUds.exe
ProductName | TestLHDllDemo
ProductVersion | 1.1.9
Assembly Version | 1.1.9.0

Info | Interesting strings found in the binary:
Contains domain names:
- aia.ws.symantec.com
- crl.symauth.com
- crl.ws.symantec.com
- d.symcb.com
- http://pki-crl.symauth.com
- http://pki-crl.symauth.com/ca_732b6ec148d290c0a071efd1dac8e288/LatestCRL.crl07
- http://pki-crl.symauth.com/offlineca/TheInstituteofElectricalandElectronicsEngineersIncIEEERootCA.crl0
- http://pki-ocsp.symauth.com0
- http://s.symcb.com
- http://s.symcb.com/universal-root.crl0
- http://s.symcd.com06
- http://ts-aia.ws.symantec.com
- http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0
- http://ts-crl.ws.symantec.com
- http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
- http://ts-ocsp.ws.symantec.com0
- https://d.symcb.com
- https://d.symcb.com/cps0%
- https://d.symcb.com/rpa0
- https://d.symcb.com/rpa0.
- pki-crl.symauth.com
- s.symcb.com
- symantec.com
- symauth.com
- symcb.com
- ts-aia.ws.symantec.com
- ts-crl.ws.symantec.com
- ws.symantec.com

Info | Cryptographic algorithms detected in the binary:
Uses constants related to SHA256

Suspicious | The PE is possibly packed.
Unusual section name found:
Section is both writable and executable.
Unusual section name found:
Section is both writable and executable.
Unusual section name found:
Section is both writable and executable.
Unusual section name found:
Section is both writable and executable.
Section .data is both writable and executable.

Info | The PE contains common functions which appear in legitimate applications.
[!] The program may be hiding some of its imports:
- GetProcAddress
- LoadLibraryA
Can access the registry:
Possibly launches other programs:

Malicious | VirusTotal score: 20/71 (Scanned on 2025-02-03 15:23:44)
APEX: Malicious
Alibaba: Trojan:Win32/Enigma.ebd239ab
CrowdStrike: win/malicious_confidence_70% (D)
Cylance: Unsafe
DeepInstinct: MALICIOUS
ESET-NOD32: a variant of Win64/Packed.Enigma.CE
Elastic: malicious (high confidence)
FireEye: Generic.mg.55a4422a536bc573
Google: Detected
Ikarus: Trojan.Win64.Enigma
MaxSecure: Trojan.Malware.300983.susgen
McAfeeD: Real Protect-LS!55A4422A536B
Panda: Trj/Genetic.gen
SentinelOne: Static AI - Suspicious PE
Skyhigh: BehavesLike.Win32.Generic.vc
Sophos: Generic ML PUA (PUA)
Symantec: ML.Attribute.HighConfidence
Trapmine: malicious.high.ml.score
Zoner: Probably Heur.ExeHeaderL
tehtris: Generic.Malware

MD5 | 55a4422a536bc573134950943353648e
SHA1 | 0335f35c8c39a77ba74c0b99217b7372aaa019cb
SHA256 | 5256844e4a6dbaa35ef17fae27a81dc10471af2fc3f5f43464c66a4be8f58282
SHA3 | 8fc4c93f7922e7f79a753c2b91f8664411c37509c2eb9bda49bbb9abbe018978
SSDeep | 49152:buhw81AzeDksDp7io0Eev5LnusTSBuD6NTSigG2BQrNGpQi:iq81A3sROEev5asmhNezBQT
Imports Hash | 2e5467cba76f44a088d39f78c5e807b6

e_magic | MZ
e_cblp | 0x90
e_cp | 0x3
e_crlc | 0
e_cparhdr | 0x4
e_minalloc | 0
e_maxalloc | 0xffff
e_ss | 0
e_sp | 0xb8
e_csum | 0
e_ip | 0
e_cs | 0
e_ovno | 0
e_oemid | 0
e_oeminfo | 0
e_lfanew | 0x80

Signature | PE
Machine | IMAGE_FILE_MACHINE_I386
NumberofSections | 6
TimeDateStamp | 2055-Apr-28 15:49:27
PointerToSymbolTable | 0
NumberOfSymbols | 0
SizeOfOptionalHeader | 0xe0
Characteristics | IMAGE_FILE_EXECUTABLE_IMAGE, IMAGE_FILE_LARGE_ADDRESS_AWARE

Magic | PE32
LinkerVersion | 48.0
SizeOfCode | 0xbf600
SizeOfInitializedData | 0x57a00
SizeOfUninitializedData | 0
AddressOfEntryPoint | 0x00B0D6FC (Section: .data)
BaseOfCode | 0x2000
BaseOfData | 0xc2000
ImageBase | 0x400000
SectionAlignment | 0x2000
FileAlignment | 0x200
OperatingSystemVersion | 4.0
ImageVersion | 0.0
SubsystemVersion | 6.0
Win32VersionValue | 0
SizeOfImage | 0xb14000
SizeOfHeaders | 0x2000
Checksum | 0
Subsystem | IMAGE_SUBSYSTEM_WINDOWS_GUI
DllCharacteristics | IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE, IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA, IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
SizeofStackReserve | 0x200000
SizeofStackCommit | 0x2000
SizeofHeapReserve | 0x200000
SizeofHeapCommit | 0x2000
LoaderFlags | 0
NumberOfRvaAndSizes | 16

MD5 | a46c581001e5ca3870ac5f968e4c85c2
SHA1 | db73b8da17fa35f2aba0c8b477cec0eb38cc7c98
SHA256 | 58fe5d1b68c4cfb37fc9d0b3bf8f1cf368dc610a8ecefaac17f3b715e0672b57
SHA3 | 666f0aed7ac76c1508907b880bbffe9d4eb7491309b9107ff166fdeeed7925d0
VirtualSize | 0xc0000
VirtualAddress | 0x2000
SizeOfRawData | 0x3a000
PointerToRawData | 0x2000
PointerToRelocations | 0
PointerToLineNumbers | 0
NumberOfLineNumbers | 0
NumberOfRelocations | 0
Characteristics | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Entropy | 7.99922

MD5 | d41d8cd98f00b204e9800998ecf8427e
SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA3 | a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a
VirtualSize | 0x58000
VirtualAddress | 0xc2000
SizeOfRawData | 0
PointerToRawData | 0x3c000
PointerToRelocations | 0
PointerToLineNumbers | 0
NumberOfLineNumbers | 0
NumberOfRelocations | 0
Characteristics | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

MD5 | 9045cbe9916f5f0c6b2bd2edac417d85
SHA1 | 7396bc35f2899aeb3ccf334a489210963306e276
SHA256 | 09425ae259547c3fd2477257185e74b0e66fc5c789e9884f0b3aa146159d97aa
SHA3 | f546a500b7853843299df08b89b5a840ee063701de8b6bd15eb17ad2b03dcb3a
VirtualSize | 0x2000
VirtualAddress | 0x11a000
SizeOfRawData | 0x200
PointerToRawData | 0x3c000
PointerToRelocations | 0
PointerToLineNumbers | 0
NumberOfLineNumbers | 0
NumberOfRelocations | 0
Characteristics | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Entropy | 0.281092

MD5 | d66c346f11ef1ebab57df013f01a8a19
SHA1 | f1fc05f13777b3aa14260de71d57c76a5679ed1f
SHA256 | e0499c118774c98f901d72f54f4bada75d3887edd928ea6a6fd8927243048121
SHA3 | 08e91629104b84bd552299eec8ae30897a39c11f51cf23c364b5af92280d3d0d
VirtualSize | 0x58000
VirtualAddress | 0x11c000
SizeOfRawData | 0x57800
PointerToRawData | 0x3c200
PointerToRelocations | 0
PointerToLineNumbers | 0
NumberOfLineNumbers | 0
NumberOfRelocations | 0
Characteristics | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Entropy | 3.51778

MD5 | 48720a979ab9a1d1b15643a95e4a7fb7
SHA1 | 3465d051af2083ed27d68edb9ca5012fdfb46056
SHA256 | a31c5a3eab23591da65b6a12b11a0dd88a747e4742231b5d405897b25a35c9d4
SHA3 | 6623acfeb22dd6a4cb80a46fab853141e477f9c7156f6b5f76a072336650d7a2
VirtualSize | 0x784000
VirtualAddress | 0x174000
SizeOfRawData | 0x32a00
PointerToRawData | 0x93a00
PointerToRelocations | 0
PointerToLineNumbers | 0
NumberOfLineNumbers | 0
NumberOfRelocations | 0
Characteristics | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Entropy | 7.99924

MD5 | 437da0f7251d6cf445b773aa327d7e9b
SHA1 | 8198ab4a54225a273077f1e5fd7218e6e8c837f5
SHA256 | 2fb9e53ec8cbedb0da3167f9bca34b263ba97474499cfd51f156f027962b9460
SHA3 | e1d801576012488a3b4c33a3ab2cba8ec3ce4837ff0326e81f0f5cf6f9864249
VirtualSize | 0x21c000
VirtualAddress | 0x8f8000
SizeOfRawData | 0x21ac00
PointerToRawData | 0xc6400
PointerToRelocations | 0
PointerToLineNumbers | 0
NumberOfLineNumbers | 0
NumberOfRelocations | 0
Characteristics | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Entropy | 7.98413

kernel32.dll | GetModuleHandleA, GetProcAddress, ExitProcess, LoadLibraryA
user32.dll | MessageBoxA
advapi32.dll | RegCloseKey
oleaut32.dll | SysFreeString
gdi32.dll | CreateFontA
shell32.dll | ShellExecuteA
version.dll | GetFileVersionInfoA
mscoree.dll | _CorExeMain

Type | RT_ICON
Language | UNKNOWN
Codepage | UNKNOWN
Size | 0x8a8
TimeDateStamp | 1980-Jan-01 00:00:00
Entropy | 3.47813
MD5 | 08e93b39bafeb88f2117b2b349d34062
SHA1 | e0d2f400697c3ab67a224b8cc80b22533932ab49
SHA256 | 0060ed9cd79eba2a9260567c0b96be8dde32c44c0544592260452b0d063e8bfd
SHA3 | fd4a90f04ac5249074a0fc19827c9ccb11126f31e4f4c2cc95e8c4bd186d2980

Type | RT_ICON
Language | UNKNOWN
Codepage | UNKNOWN
Size | 0x568
TimeDateStamp | 1980-Jan-01 00:00:00
Entropy | 3.30694
MD5 | 1a4147f33052b494fd012854f4b552e0
SHA1 | e2f504af91cd9947853e2adfa0d9385c10edd203
SHA256 | 19116f23a8bfa7c6ed3e7c961678cd6d2e704c912207c949a7cfc8211c16bb8a
SHA3 | c410396e4e8d6c59566c198302415fe7c36cf2a97b3c33bd959d3cac30d43264

Type | RT_ICON
Language | UNKNOWN
Codepage | UNKNOWN
Size | 0x42028
TimeDateStamp | 1980-Jan-01 00:00:00
Entropy | 3.49969
MD5 | ddf7a3a197fd01a1df368b9bc05b478d
SHA1 | b8defbd2bdf2195871179a90bfb265b3bb45d3b4
SHA256 | e05960b01d9a260f9beab6af485f325cd666595fa852e22c00f86c2665995dbc
SHA3 | 67ceeb1f6f98a0c83657334386994e510cc5b722ab4dee7b32e56c0f58115f94

Type | RT_ICON
Language | UNKNOWN
Codepage | UNKNOWN
Size | 0x10828
TimeDateStamp | 1980-Jan-01 00:00:00
Entropy | 3.43121
MD5 | 6454cd60294389d70815b8f0dd749d11
SHA1 | d35cfc4523b66084e02239e7184bb1de7ee88899
SHA256 | 996f0abed517c478dbdacc2ddb54f1b9242183ab05ad40a3629bef716938d308
SHA3 | bf42f48bc8dea90cb26ce3d53f5e9985e8e4c8d15bbafd9bf39f5981a1546da2

Type | RT_ICON
Language | UNKNOWN
Codepage | UNKNOWN
Size | 0x25a8
TimeDateStamp | 1980-Jan-01 00:00:00
Entropy | 3.5353
MD5 | 86c3e915be41bdddf9539b78218759a4
SHA1 | e6253a3cee7ea843a062a0302102ae9168b5f224
SHA256 | b7497b689134d0f4ded238be027a277fc851222b1564c7917a59a31f30e3dadf
SHA3 | 13cfc7f96c1fd6bdc36f8ae4f8da1f61fbe53d780aa22c1f5dc17ea55bd6b2bb

Type | RT_ICON
Language | UNKNOWN
Codepage | UNKNOWN
Size | 0x10a8
TimeDateStamp | 1980-Jan-01 00:00:00
Entropy | 3.69556
MD5 | 08f845d9fd852efbd39066df4214290f
SHA1 | 88a15b513cd36420d24681eef3fc0f0e557c3a92
SHA256 | 6576665cec66b09f88208c2d8399bd642155976d29f5355df63541dd6d0df4f7
SHA3 | 48b1bf65ee103b6bcc1d643846b2e3765eb0c4cc92b427c14ac9adbaa5409e5c

Type | RT_ICON
Language | UNKNOWN
Codepage | UNKNOWN
Size | 0x468
TimeDateStamp | 1980-Jan-01 00:00:00
Entropy | 3.78103
MD5 | e998faa52977fe70ee06b1ceec202952
SHA1 | 01571f1a105ba06c00862826b5cb3fea2f6f5702
SHA256 | 49cb19116f8496f8f036fc26b8594ff8f590ec2e92f14a36d6c4f4c459a52e14
SHA3 | b4ab968e879f71b39991567ee95b2d32898e21c37afa219466ca175a3424a9e5

Type | RT_GROUP_ICON
Language | UNKNOWN
Codepage | UNKNOWN
Size | 0x68
TimeDateStamp | 1980-Jan-01 00:00:00
Entropy | 2.74719
Detected Filetype | Icon file
MD5 | d67be9d6642e764689adfcd635dd0b6e
SHA1 | 4f568f231b8666deb10360611756e53cfd7f64c8
SHA256 | bdec7b37685a71c7f761708581f6a9c93cf0e22f0037f249641fd83aeb27ba97
SHA3 | 9e958ba0ec7920a9450d78a7f0ea50c1c61e5e2ca2a23a003e777589f47e0388

Type | RT_VERSION
Language | UNKNOWN
Codepage | UNKNOWN
Size | 0x314
TimeDateStamp | 1980-Jan-01 00:00:00
Entropy | 3.35025
MD5 | 45d46d10549bdcd1ce1bf4020036e66f
SHA1 | e4ac34a917a79c002dcf08f439d9450deb1f391e
SHA256 | 9616e42b8993c22e7a47118fd5c9a89fb42afb3d07908b0f72e83881bd3e318c
SHA3 | 50be080cfb72cd981d498f41866537521dbc44b9ddf4ee2dbb0ece649ab9a8dc

Signature | 0xfeef04bd
StructVersion | 0x10000
FileVersion | 1.1.9.0
ProductVersion | 1.1.9.0
FileFlags | (EMPTY)
FileOs | VOS_DOS_WINDOWS32, VOS_NT_WINDOWS32, VOS__WINDOWS32
FileType | VFT_APP
Language | UNKNOWN
Comments |
CompanyName |
FileDescription | TestLHDllDemo
FileVersion (#2) | 1.1.9
InternalName | AdUds.exe
LegalCopyright | Copyright © 2023
LegalTrademarks |
OriginalFilename | AdUds.exe
ProductName | TestLHDllDemo
ProductVersion (#2) | 1.1.9
Assembly Version | 1.1.9.0

[!] Error: Could not read the exported DLL name.
[*] Warning: Section has a size of 0!