5b5a46e9b0bdd2c6397f2e4bf55f22dd7f8ed05991821a4dc2697589d6fade84
Summary
| Architecture |
IMAGE_FILE_MACHINE_I386
|
|---|---|
| Subsystem |
IMAGE_SUBSYSTEM_WINDOWS_GUI
|
| Compilation Date | 1992-Jun-19 22:22:17 |
| Detected languages |
Russian - Russia
|
Plugin Output
| Malicious | The PE contains functions mostly used by malware. |
[!] The program may be hiding some of its imports:
|
| Suspicious | The PE header may have been manually modified. |
The resource timestamps differ from the PE header:
|
| Malicious | VirusTotal score: 3/55 (Scanned on 2015-11-15 03:18:39) |
Bkav:
W32.HfsIemusi.7260
ByteHero: Trojan.Malware.Obscu.Gen.007 Qihoo-360: HEUR/QVM05.1.Malware.Gen |
Hashes
DOS Header
| e_magic | MZ |
|---|---|
| e_cblp | 0x50 |
| e_cp | 0x2 |
| e_crlc | 0 |
| e_cparhdr | 0x4 |
| e_minalloc | 0xf |
| e_maxalloc | 0xffff |
| e_ss | 0 |
| e_sp | 0xb8 |
| e_csum | 0 |
| e_ip | 0 |
| e_cs | 0 |
| e_ovno | 0x1a |
| e_oemid | 0 |
| e_oeminfo | 0 |
| e_lfanew | 0x100 |
PE Header
| Signature | PE |
|---|---|
| Machine |
IMAGE_FILE_MACHINE_I386
|
| NumberofSections | 8 |
| TimeDateStamp | 1992-Jun-19 22:22:17 |
| PointerToSymbolTable | 0 |
| NumberOfSymbols | 0 |
| SizeOfOptionalHeader | 0xe0 |
| Characteristics |
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_BYTES_REVERSED_HI
IMAGE_FILE_BYTES_REVERSED_LO
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
|
Image Optional Header
| Magic | PE32 |
|---|---|
| LinkerVersion | 2.0 |
| SizeOfCode | 0x93c00 |
| SizeOfInitializedData | 0x1f600 |
| SizeOfUninitializedData | 0 |
| AddressOfEntryPoint | 0x00094A34 (Section: CODE) |
| BaseOfCode | 0x1000 |
| BaseOfData | 0x95000 |
| ImageBase | 0x400000 |
| SectionAlignment | 0x1000 |
| FileAlignment | 0x200 |
| OperatingSystemVersion | 4.0 |
| ImageVersion | 0.0 |
| SubsystemVersion | 4.0 |
| Win32VersionValue | 0 |
| SizeOfImage | 0x338b4000 |
| SizeOfHeaders | 0x400 |
| Checksum | 0 |
| Subsystem |
IMAGE_SUBSYSTEM_WINDOWS_GUI
|
| SizeofStackReserve | 0x100000 |
| SizeofStackCommit | 0x4000 |
| SizeofHeapReserve | 0x100000 |
| SizeofHeapCommit | 0x1000 |
| LoaderFlags | 0 |
| NumberOfRvaAndSizes | 16 |
CODE
DATA
BSS
.idata
.tls
.rdata
.reloc
.rsrc
Imports
| kernel32.dll |
DeleteCriticalSection
LeaveCriticalSection EnterCriticalSection InitializeCriticalSection VirtualFree VirtualAlloc LocalFree LocalAlloc GetTickCount QueryPerformanceCounter GetVersion GetCurrentThreadId InterlockedDecrement InterlockedIncrement VirtualQuery WideCharToMultiByte MultiByteToWideChar lstrlenA lstrcpynA LoadLibraryExA GetThreadLocale GetStartupInfoA GetProcAddress GetModuleHandleA GetModuleFileNameA GetLocaleInfoA GetLastError GetCommandLineA FreeLibrary FindFirstFileA FindClose ExitProcess ExitThread CreateThread WriteFile UnhandledExceptionFilter SetFilePointer SetEndOfFile RtlUnwind ReadFile RaiseException GetStdHandle GetFileSize GetFileType CreateFileA CloseHandle |
|---|---|
| user32.dll |
GetKeyboardType
LoadStringA MessageBoxA CharNextA |
| advapi32.dll |
RegQueryValueExA
RegOpenKeyExA RegCloseKey |
| oleaut32.dll |
SysFreeString
SysReAllocStringLen SysAllocStringLen |
| kernel32.dll (#2) |
DeleteCriticalSection
LeaveCriticalSection EnterCriticalSection InitializeCriticalSection VirtualFree VirtualAlloc LocalFree LocalAlloc GetTickCount QueryPerformanceCounter GetVersion GetCurrentThreadId InterlockedDecrement InterlockedIncrement VirtualQuery WideCharToMultiByte MultiByteToWideChar lstrlenA lstrcpynA LoadLibraryExA GetThreadLocale GetStartupInfoA GetProcAddress GetModuleHandleA GetModuleFileNameA GetLocaleInfoA GetLastError GetCommandLineA FreeLibrary FindFirstFileA FindClose ExitProcess ExitThread CreateThread WriteFile UnhandledExceptionFilter SetFilePointer SetEndOfFile RtlUnwind ReadFile RaiseException GetStdHandle GetFileSize GetFileType CreateFileA CloseHandle |
| advapi32.dll (#2) |
RegQueryValueExA
RegOpenKeyExA RegCloseKey |
| kernel32.dll (#3) |
DeleteCriticalSection
LeaveCriticalSection EnterCriticalSection InitializeCriticalSection VirtualFree VirtualAlloc LocalFree LocalAlloc GetTickCount QueryPerformanceCounter GetVersion GetCurrentThreadId InterlockedDecrement InterlockedIncrement VirtualQuery WideCharToMultiByte MultiByteToWideChar lstrlenA lstrcpynA LoadLibraryExA GetThreadLocale GetStartupInfoA GetProcAddress GetModuleHandleA GetModuleFileNameA GetLocaleInfoA GetLastError GetCommandLineA FreeLibrary FindFirstFileA FindClose ExitProcess ExitThread CreateThread WriteFile UnhandledExceptionFilter SetFilePointer SetEndOfFile RtlUnwind ReadFile RaiseException GetStdHandle GetFileSize GetFileType CreateFileA CloseHandle |
| version.dll |
VerQueryValueA
GetFileVersionInfoSizeA GetFileVersionInfoA |
| gdi32.dll |
UnrealizeObject
StretchBlt StartPage StartDocA SetWindowOrgEx SetWindowExtEx SetWinMetaFileBits SetViewportOrgEx SetViewportExtEx SetTextColor SetStretchBltMode SetROP2 SetPixel SetMapMode SetEnhMetaFileBits SetDIBColorTable SetBrushOrgEx SetBkMode SetBkColor SetAbortProc SelectPalette SelectObject SelectClipRgn SaveDC RestoreDC Rectangle RectVisible RealizePalette Polyline PolyPolyline PlayEnhMetaFile PatBlt MoveToEx MaskBlt LineTo IntersectClipRect GetWindowOrgEx GetWinMetaFileBits GetTextMetricsA GetTextExtentPointA GetTextExtentPoint32A GetSystemPaletteEntries GetStockObject GetPixel GetPaletteEntries GetObjectA GetEnhMetaFilePaletteEntries GetEnhMetaFileHeader GetEnhMetaFileBits GetDeviceCaps GetDIBits GetDIBColorTable GetDCOrgEx GetCurrentPositionEx GetClipBox GetBrushOrgEx GetBitmapBits ExtTextOutA ExtCreatePen ExcludeClipRect EndPage EndDoc DeleteObject DeleteEnhMetaFile DeleteDC CreateSolidBrush CreateRectRgn CreatePenIndirect CreatePalette CreateICA CreateHalftonePalette CreateFontIndirectA CreateDIBitmap CreateDIBSection CreateDCA CreateCompatibleDC CreateCompatibleBitmap CreateBrushIndirect CreateBitmap CopyEnhMetaFileA BitBlt |
| user32.dll (#2) |
GetKeyboardType
LoadStringA MessageBoxA CharNextA |
| kernel32.dll (#4) |
DeleteCriticalSection
LeaveCriticalSection EnterCriticalSection InitializeCriticalSection VirtualFree VirtualAlloc LocalFree LocalAlloc GetTickCount QueryPerformanceCounter GetVersion GetCurrentThreadId InterlockedDecrement InterlockedIncrement VirtualQuery WideCharToMultiByte MultiByteToWideChar lstrlenA lstrcpynA LoadLibraryExA GetThreadLocale GetStartupInfoA GetProcAddress GetModuleHandleA GetModuleFileNameA GetLocaleInfoA GetLastError GetCommandLineA FreeLibrary FindFirstFileA FindClose ExitProcess ExitThread CreateThread WriteFile UnhandledExceptionFilter SetFilePointer SetEndOfFile RtlUnwind ReadFile RaiseException GetStdHandle GetFileSize GetFileType CreateFileA CloseHandle |
| oleaut32.dll (#2) |
SysFreeString
SysReAllocStringLen SysAllocStringLen |
| comctl32.dll |
ImageList_SetIconSize
ImageList_GetIconSize ImageList_Write ImageList_Read ImageList_GetDragImage ImageList_DragShowNolock ImageList_SetDragCursorImage ImageList_DragMove ImageList_DragLeave ImageList_DragEnter ImageList_EndDrag ImageList_BeginDrag ImageList_Remove ImageList_DrawEx ImageList_Draw ImageList_GetBkColor ImageList_SetBkColor ImageList_ReplaceIcon ImageList_Add ImageList_SetImageCount ImageList_GetImageCount ImageList_Destroy ImageList_Create InitCommonControls |
| winspool.drv |
OpenPrinterA
EnumPrintersA DocumentPropertiesA ClosePrinter |
| shell32.dll |
ShellExecuteA
|
| kernel32.dll (#5) |
DeleteCriticalSection
LeaveCriticalSection EnterCriticalSection InitializeCriticalSection VirtualFree VirtualAlloc LocalFree LocalAlloc GetTickCount QueryPerformanceCounter GetVersion GetCurrentThreadId InterlockedDecrement InterlockedIncrement VirtualQuery WideCharToMultiByte MultiByteToWideChar lstrlenA lstrcpynA LoadLibraryExA GetThreadLocale GetStartupInfoA GetProcAddress GetModuleHandleA GetModuleFileNameA GetLocaleInfoA GetLastError GetCommandLineA FreeLibrary FindFirstFileA FindClose ExitProcess ExitThread CreateThread WriteFile UnhandledExceptionFilter SetFilePointer SetEndOfFile RtlUnwind ReadFile RaiseException GetStdHandle GetFileSize GetFileType CreateFileA CloseHandle |
Delayed Imports
1
2
3
4
5
6
7
BBABORT
BBALL
BBCANCEL
BBCLOSE
BBHELP
BBIGNORE
BBNO
BBOK
BBRETRY
BBYES
PREVIEWGLYPH
1 (#2)
DLGTEMPLATE
4072
4073
4074
4075
4076
4077
4078
4079
4080
4081
4082
4083
4084
4085
4086
4087
4088
4089
4090
4091
4092
4093
4094
4095
4096
DVCLAL
PACKAGEINFO
TFORM1
TFORM2
TFORM4
TFORM5
TFORM6
TFORM7
32761
32762
32763
32764
32765
32766
32767
MAINICON
1 (#3)
String Table contents
| Error binding data to SSL socket. |
| Mode has not been set. |
| Could not load SSL library. |
| SSL status: "%s" |
| Uneven size in DecodeToStream. |
| Uneven size in Encode. |
| Protocol field is empty |
| Host field is empty |
| General SOCKS server failure. |
| Connection not allowed by ruleset. |
| Network unreachable. |
| Host unreachable. |
| Connection refused. |
| TTL expired. |
| Command not supported. |
| Address type not supported. |
| Error accepting connection with SSL. |
| Error connecting with SSL. |
| SetCipher failed. |
| Error creating SSL context. |
| Could not load root certificate. |
| Could not load certificate. |
| Could not load key, check password. |
| Error geting SSL method. |
| Too many references, cannot splice. |
| Connection timed out. |
| Connection refused. |
| Too many levels of symbolic links. |
| File name too long. |
| Host is down. |
| No route to host. |
| Directory not empty |
| Host not found. |
| Request rejected or failed. |
| Request rejected because SOCKS server cannot connect. |
| Request rejected because the client program and identd report different user-ids. |
| Unknown socks error. |
| Socks server did not respond. |
| Invalid socks authentication method. |
| Authentication error to socks server. |
| Protocol not supported. |
| Socket type not supported. |
| Operation not supported on socket. |
| Protocol family not supported. |
| Address family not supported by protocol family. |
| Address already in use. |
| Cannot assign requested address. |
| Network is down. |
| Network is unreachable. |
| Net dropped connection or reset. |
| Software caused connection abort. |
| Connection reset by peer. |
| No buffer space available. |
| Socket is already connected. |
| Socket is not connected. |
| Cannot send or receive after socket is closed. |
| Socket Error # %d |
| %s |
| %s is not a valid IP address. |
| Interrupted system call. |
| Bad file number. |
| Access denied. |
| Bad address. |
| Invalid argument. |
| Too many open files. |
| Operation would block. |
| Operation now in progress. |
| Operation already in progress. |
| Socket operation on non-socket. |
| Destination address required. |
| Message too long. |
| Protocol wrong type for socket. |
| Bad protocol option. |
| Can not bind in port range (%d - %d) |
| Invalid Port Range (%d - %d) |
| Read Timeout |
| Max line length exceeded. |
| Error on call Winsock2 library function %s |
| Error on loading Winsock2 library (%s) |
| Resolving hostname %s. |
| Connecting to %s. |
| Connected. |
| Disconnecting. |
| Disconnected. |
| %s |
| Connect timed out. |
| Chunk Started |
| This authentication method is already registered with class name %s. |
| %s is not a valid service. |
| Failed to Save Stream |
| %d is an invalid PageIndex value. PageIndex must be between 0 and %d |
| Already connected. |
| Cannot allocate socket. |
| Connection Closed Gracefully. |
| Could not bind socket. Address and port are already in use. |
| Failed attempting to retrieve time zone information. |
| Not enough data in buffer. |
| Winsock Initialization Error. |
| Set Size Exceeded. |
| File "%s" not found |
| Only one TIdAntiFreeze can exist per application. |
| %d: Circular links are not allowed |
| IOHandler value is not valid |
| Not Connected |
| No data to read. |
| Scroll Bar |
| 3D Dark Shadow |
| 3D Light |
| Window Background |
| Window Frame |
| Window Text |
| No help keyword specified. |
| Failed to clear tab control |
| Failed to delete tab at index %d |
| Failed to retrieve tab at index %d |
| Failed to get object at index %d |
| Failed to set tab "%s" at index %d |
| Failed to set object at index %d |
| MultiLine must be True when TabPosition is tpLeft or tpRight |
| RichEdit line insertion error |
| Failed to Load Stream |
| Button Highlight |
| Button Shadow |
| Button Text |
| Caption Text |
| Default |
| Gray Text |
| Highlight Background |
| Highlight Text |
| Inactive Border |
| Inactive Caption |
| Inactive Caption Text |
| Info Background |
| Info Text |
| Menu Background |
| Menu Text |
| None |
| Red |
| Lime |
| Yellow |
| Blue |
| Fuchsia |
| Aqua |
| White |
| Money Green |
| Sky Blue |
| Cream |
| Medium Gray |
| Active Border |
| Active Caption |
| Application Workspace |
| Background |
| Button Face |
| - Dock zone has no control |
| Error setting %s.Count |
| Listbox (%s) style must be virtual in order to set Count |
| Unable to find a Table of Contents |
| No help found for %s |
| No context-sensitive help installed |
| No topic-based help system installed |
| Black |
| Maroon |
| Green |
| Olive |
| Navy |
| Purple |
| Teal |
| Gray |
| Silver |
| Down |
| Ins |
| Del |
| Shift+ |
| Ctrl+ |
| Alt+ |
| Unable to insert a line |
| Invalid clipboard format |
| Clipboard does not support Icons |
| Cannot open clipboard |
| Text exceeds memo capacity |
| There is no default printer currently selected |
| Menu '%s' is already being used by another form |
| Docked control must have a name |
| Error removing control from dock tree |
| - Dock zone not found |
| &Ignore |
| &All |
| N&o to All |
| Yes to &All |
| BkSp |
| Tab |
| Esc |
| Enter |
| Space |
| PgUp |
| PgDn |
| End |
| Home |
| Left |
| Up |
| Right |
| Enhanced Metafiles |
| Icons |
| Bitmaps |
| Invalid input value |
| Invalid input value. Use escape key to abandon changes |
| Warning |
| Error |
| Information |
| Confirm |
| &Yes |
| &No |
| OK |
| Cancel |
| &Help |
| &Abort |
| &Retry |
| %s on %s |
| GroupIndex cannot be less than a previous menu item's GroupIndex |
| Cannot create form. No MDI forms are currently active |
| A control cannot have itself as its parent |
| OK |
| Cancel |
| &Yes |
| &No |
| &Help |
| &Close |
| &Ignore |
| &Retry |
| Abort |
| &All |
| Cannot drag a form |
| Metafiles |
| Failed to write ImageList data to stream |
| Error creating window device context |
| Error creating window class |
| Cannot focus a disabled or invisible window |
| Control '%s' has no parent window |
| Cannot hide an MDI Child Form |
| Cannot change Visible in OnShow or OnHide |
| Cannot make a visible window modal |
| %s property out of range |
| Menu index out of range |
| Menu inserted twice |
| Sub-menu is not in menu |
| Not enough timers available |
| Printer is not currently printing |
| Printing in progress |
| Printer selected is not valid |
| Stream write error |
| Thread creation error: %s |
| Thread Error: %s (%d) |
| Tab position incompatible with current tab style |
| Tab style incompatible with current tab position |
| Bitmap image is not valid |
| Icon image is not valid |
| Metafile is not valid |
| Cannot change the size of an icon |
| Unsupported clipboard format |
| Out of system resources |
| Canvas does not allow drawing |
| Invalid image size |
| Invalid ImageList |
| Invalid ImageList Index |
| Failed to read ImageList data from stream |
| Invalid property path |
| Invalid property value |
| Cannot insert or delete rows from grid |
| List capacity out of bounds (%d) |
| List count out of bounds (%d) |
| List index out of bounds (%d) |
| Out of memory while expanding memory stream |
| Error reading %s%s%s: %s |
| Stream read error |
| Property is read-only |
| Resource %s not found |
| %s.Seek not implemented |
| Operation not allowed on sorted list |
| Too many rows or columns deleted |
| %s not in a class registration group |
| Property %s does not exist |
| Can't write to a read-only resource stream |
| CheckSynchronize called from thread $%x, which is NOT the main thread |
| Class %s not found |
| A class named %s already exists |
| List does not allow duplicates ($0%x) |
| A component named %s already exists |
| String list does not allow duplicates |
| Cannot create file "%s". %s |
| Fixed column count must be less than column count |
| Fixed row count must be less than row count |
| Cannot open file "%s". %s |
| Grid too large for operation |
| Grid index out of range |
| Invalid stream format |
| ''%s'' is not a valid component name |
| Invalid property value |
| Mon |
| Tue |
| Wed |
| Thu |
| Fri |
| Sat |
| Sunday |
| Monday |
| Tuesday |
| Wednesday |
| Thursday |
| Friday |
| Saturday |
| Ancestor for '%s' not found |
| Cannot assign a %s to a %s |
| Bits index out of range |
| Oct |
| Nov |
| Dec |
| January |
| February |
| March |
| April |
| May |
| June |
| July |
| August |
| September |
| October |
| November |
| December |
| Sun |
| Interface not supported |
| Exception in safecall method |
| %s (%s, line %d) |
| Abstract Error |
| Access violation at address %p in module '%s'. %s of address %p |
| System Error. Code: %d. |
| %s |
| A call to an OS function failed |
| Jan |
| Feb |
| Mar |
| Apr |
| May |
| Jun |
| Jul |
| Aug |
| Sep |
| Write |
| Error creating variant or safe array |
| Variant or safe array index out of bounds |
| Variant or safe array is locked |
| Invalid variant type conversion |
| Invalid variant operation |
| Invalid variant operation (%s%.8x) |
| %s |
| Could not convert variant of type (%s) into type (%s) |
| Overflow while converting variant of type (%s) into type (%s) |
| Variant overflow |
| Invalid argument |
| Invalid variant type |
| Operation not supported |
| Unexpected variant error |
| External exception %x |
| Assertion failed |
| Floating point division by zero |
| Floating point overflow |
| Floating point underflow |
| Invalid pointer operation |
| Invalid class typecast |
| Access violation at address %p. %s of address %p |
| Access violation |
| Stack overflow |
| Control-C hit |
| Privileged instruction |
| Exception %s in module %s at %p. |
| %s%s |
| Application Error |
| Format '%s' invalid or incompatible with argument |
| No argument for format '%s' |
| Variant method calls not supported |
| Read |
| '%s' is not a valid integer value |
| Invalid argument to time encode |
| Invalid argument to date encode |
| Out of memory |
| I/O error %d |
| File not found |
| Invalid filename |
| Too many open files |
| File access denied |
| Read beyond end of file |
| Disk full |
| Invalid numeric input |
| Division by zero |
| Range check error |
| Integer overflow |
| Invalid floating point operation |
Version Info
TLS Callbacks
| StartAddressOfRawData | 0x33c96000 |
|---|---|
| EndAddressOfRawData | 0x33c96010 |
| AddressOfIndex | 0x4950a4 |
| AddressOfCallbacks | 0x33c97010 |
| SizeOfZeroFill | 0 |
| Characteristics |
IMAGE_SCN_TYPE_REG
|
| Callbacks | (EMPTY) |
Load Configuration
RICH Header
Errors
[*] Warning: Section BSS has a size of 0!
[*] Warning: Section .tls has a size of 0!
Leave a comment
No comments yet.