58c5d5708130caec4a2e52586b9ea195

Summary

Architecture IMAGE_FILE_MACHINE_I386
Subsystem IMAGE_SUBSYSTEM_WINDOWS_CUI
Compilation Date 2011-Nov-24 00:41:46
Detected languages English - United States
FileVersion 3.0.0.5
ProductVersion 3.0.0.5
FileDescription A Simple Unlocker - HadiK IT
CompanyName -
LegalCopyright -
ProductName Qualcomm Tool - HadiK IT

Plugin Output

Info Matching compiler(s): Microsoft Visual C++ 6.0 - 8.0
Microsoft Visual C++
Microsoft Visual C++ v6.0
Microsoft Visual C++ v5.0/v6.0 (MFC)
Suspicious Strings found in the binary may indicate undesirable behavior: Miscellaneous malware strings:
  • cmd.exe
Contains domain names:
  • command.com
Info The PE contains common functions which appear in legitimate applications. [!] The program may be hiding some of its imports:
  • GetProcAddress
  • LoadLibraryA
Possibly launches other programs:
  • CreateProcessA
Can create temporary files:
  • GetTempPathA
  • CreateFileA
Suspicious The PE is possibly a dropper. Resources account for 80.4224% of the executable.
Suspicious The file contains overlay data. 1069 bytes of data starting at offset 0x52000.
Malicious The program tries to mislead users about its origins. The PE pretends to be from Qualcomm but is not signed!
Malicious VirusTotal score: 8/71 (Scanned on 2023-06-05 18:30:48)
Cybereason: malicious.003abd
VirIT: Trojan.Win32.AVKill.BKFM
APEX: Malicious
Rising: Trojan.Win32.Fednu.ujp (CLASSIC)
Trapmine: malicious.high.ml.score
Gridinsoft: Ransom.Win32.Wacatac.oa!s1
BitDefenderTheta: Gen:NN.ZexaE.36250.uq1@aqqMpYhi
DeepInstinct: MALICIOUS

Hashes

MD5 58c5d5708130caec4a2e52586b9ea195
SHA1 d22afe5003abd25ed73eadfd40f4879cd1e1fb8b
SHA256 d16aa38a85f27cc5debf802b9d084fe0be2003b2f17959d47aba787a14a41912
SHA3 fe0a2f62ff8903dce958b3fb900105b04cc860e978123c30b3dfbe86b21c1cc1
SSDeep 3072:ed0Zc+CPCo97QAzHgjzMJOFeUMpdha/DI3o:eyuuDYgT
Imports Hash 5006f0f00b4a58b67754be4478c2b333

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0xe0

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_I386
NumberofSections 4
TimeDateStamp 2011-Nov-24 00:41:46
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xe0
Characteristics IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_RELOCS_STRIPPED

Image Optional Header

Magic PE32
LinkerVersion 6.0
SizeOfCode 0xc000
SizeOfInitializedData 0x45000
SizeOfUninitializedData 0
AddressOfEntryPoint 0x00005C8E (Section: .text)
BaseOfCode 0x1000
BaseOfData 0xd000
ImageBase 0x400000
SectionAlignment 0x1000
FileAlignment 0x1000
OperatingSystemVersion 4.0
ImageVersion 0.0
SubsystemVersion 4.0
Win32VersionValue 0
SizeOfImage 0xa28000
SizeOfHeaders 0x1000
Checksum 0x5c5b7
Subsystem IMAGE_SUBSYSTEM_WINDOWS_CUI
SizeofStackReserve 0x100000
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

.text

MD5 39204c3136e19e64423bc92c6f65d49e
SHA1 0d1f5c97f958c3a935775156d3d0396e4a7bcfcc
SHA256 d7c00658c113b8c7b59d8a6e7e675d1eed306957c0202c8e99b06804943d8bb1
SHA3 b66047880d9a85e3f1a11de52e7ae6f5fed1c70411be6624a18a8725d8f603ea
VirtualSize 0xb74c
VirtualAddress 0x1000
SizeOfRawData 0xc000
PointerToRawData 0x1000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
Entropy 6.38054

.rdata

MD5 f6d36c364dcad153273074e2e2141462
SHA1 fe29f70bd9f7de42a8610963acd0b03b412efc8a
SHA256 ae4a7c63b75fdd2730de01731938f30dccf37d9a250ee4d45ce97df49d33d91f
SHA3 4e678a1b90ad1dad537f9bf0ca3d38bce1c24e40323453c527c60bd2579f7b41
VirtualSize 0xae8
VirtualAddress 0xd000
SizeOfRawData 0x1000
PointerToRawData 0xd000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 4.14603

.data

MD5 4bdde9f2ae82fad99bb8e133226ebd13
SHA1 31c152de8802abc75977ece32fb7c980e5dcc881
SHA256 b583a7ed8b4a5c33727a93bf82d7daf85a102a5c78a374056cc102584db28bf4
SHA3 2535cbbcbcf54d38f464c65b5f991946a21787767372a6835afa159e28af39bc
VirtualSize 0x9d6cf8
VirtualAddress 0xe000
SizeOfRawData 0x1000
PointerToRawData 0xe000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 3.86186

.rsrc

MD5 360a9932eb66f92963c31205171317f3
SHA1 8bc57e1286e6d4c4db2f9851e2a0b36c06825d75
SHA256 59de65214aa91a370caae892b33d3e873f88392c160e84017865eb3e4ad487df
SHA3 5263bf6be435e06f90965980f95cb48e53949f1aeb29419383dc79f66c766f42
VirtualSize 0x42370
VirtualAddress 0x9e5000
SizeOfRawData 0x43000
PointerToRawData 0xf000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 4.96995

Imports

KERNEL32.dll GetTempPathA
GetStdHandle
GetModuleFileNameA
Sleep
SetConsoleCursorInfo
SetConsoleCursorPosition
SetConsoleTextAttribute
GetTickCount
LCMapStringA
SetEndOfFile
ExitProcess
TerminateProcess
GetCurrentProcess
GetCommandLineA
GetVersion
GetLastError
GetFileAttributesA
HeapFree
CloseHandle
SetFilePointer
SetHandleCount
GetFileType
GetStartupInfoA
WriteFile
ReadFile
GetProcAddress
GetModuleHandleA
UnhandledExceptionFilter
FreeEnvironmentStringsA
FreeEnvironmentStringsW
WideCharToMultiByte
GetEnvironmentStrings
GetEnvironmentStringsW
HeapDestroy
HeapCreate
VirtualFree
RtlUnwind
HeapAlloc
GetExitCodeProcess
WaitForSingleObject
CreateProcessA
VirtualAlloc
HeapReAlloc
SetStdHandle
FlushFileBuffers
CreateFileA
MultiByteToWideChar
GetStringTypeA
GetStringTypeW
GetCPInfo
GetACP
GetOEMCP
LoadLibraryA
CompareStringA
CompareStringW
SetEnvironmentVariableA
LCMapStringW
WINMM.dll timeGetTime

Delayed Imports

1

Type RT_ICON
Language English - United States
Codepage UNKNOWN
Size 0x42028
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 4.98144
MD5 07e6ca49049d59b66efb2f7ea682c164
SHA1 5466514888bff8da5860d42aa9a8e915c47f2196
SHA256 b004a2c004b0557bbb381d11e5354a2c0ba6552bc83212d0fae134c50f39af27
SHA3 12a948c80f70d031c6601375534d6819596fb04ba908e236f8e906e3d0df8730

102

Type RT_GROUP_ICON
Language English - United States
Codepage Latin 1 / Western European
Size 0x14
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 1.41904
Detected Filetype Icon file
MD5 3b04d5655b205040debd49847be5ac5a
SHA1 44b18c404d44d1bbf8765c3d3184cfb1b3ca8a15
SHA256 eb7ba489c325fcb54956ad4594f982e3635f284d84a744c12cf3760549c32114
SHA3 f9f02e36dbd4bfacf2bd44446809309cda0e151853423815c853e66f2d26f3b8

1 (#2)

Type RT_VERSION
Language UNKNOWN
Codepage Latin 1 / Western European
Size 0x244
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 3.30658
MD5 6ae4e57a05fde07b5ac95101d5a56f7e
SHA1 966d835405320ecedfa8423015a58dcb009cc3a5
SHA256 d92e2b62ab692103d7eb094f104eaa9b0c4c66296192b91282f0ef5bd8facc79
SHA3 651fb0d60ff2a528f6f2052bc481ee7ec4e195cbd0488eb471fda9efc03fd28d

Version Info

Signature 0xfeef04bd
StructVersion 0x10000
FileVersion 3.0.0.5
ProductVersion 3.0.0.5
FileFlags (EMPTY)
FileOs VOS_DOS_WINDOWS32
VOS_NT
VOS_NT_WINDOWS32
VOS_WINCE
VOS__WINDOWS32
FileType VFT_DLL
Language UNKNOWN
FileVersion (#2) 3.0.0.5
ProductVersion (#2) 3.0.0.5
FileDescription A Simple Unlocker - HadiK IT
CompanyName -
LegalCopyright -
ProductName Qualcomm Tool - HadiK IT
Resource LangID UNKNOWN

TLS Callbacks

Load Configuration

RICH Header

XOR Key 0x991839a5
Unmarked objects 0
C++ objects (VS98 build 8168) 1
14 (7299) 15
19 (8034) 5
Total imports 59
C objects (VS98 build 8168) 93
Resource objects (VS98 cvtres build 1720) 1

Errors

[*] Warning: Raw bytes from section .text could not be obtained.