Field | Value | Details
---|---|---
Architecture | IMAGE_FILE_MACHINE_I386 |
Subsystem | IMAGE_SUBSYSTEM_WINDOWS_CUI |
Compilation Date | 2012-Jan-05 14:29:38 |
TLS Callbacks | 2 callback(s) detected. |
Suspicious | Strings found in the binary may indicate undesirable behavior: | May have dropper capabilities:
Info | Cryptographic algorithms detected in the binary: | Uses constants related to CRC32; Uses constants related to MD5; Uses constants related to SHA1; Uses constants related to SHA256; Uses constants related to SHA512; Uses constants related to AES; Uses constants related to Blowfish; Uses known Diffie-Helman primes; Microsoft's Cryptography API
Suspicious | The PE is possibly packed. | Unusual section name found: /4
Suspicious | The PE contains functions most legitimate programs don't use. | [!] The program may be hiding some of its imports:
Suspicious | The file contains overlay data. | 14 bytes of data starting at offset 0x2a4a00.
Malicious | VirusTotal score: 20/70 (Scanned on 2019-12-07 21:36:15) | Per-engine detections listed in the following table

Engine | Detection
---|---
MicroWorld-eScan | Trojan.GenericKD.40817954
McAfee | Artemis!5C6A1A6EE07D
Cybereason | malicious.ee07d6
Arcabit | Trojan.Generic.D26ED522
F-Prot | W32/Trojan3.ABOF
Symantec | Trojan Horse
Paloalto | generic.ml
BitDefender | Trojan.GenericKD.40817954
NANO-Antivirus | Trojan.Win32.Dwn.dzgqmx
Ad-Aware | Trojan.GenericKD.40817954
DrWeb | Trojan.DownLoader18.14091
VIPRE | Trojan.Win32.Generic!BT
McAfee-GW-Edition | BehavesLike.Win32.CryptDoma.vh
Trapmine | malicious.moderate.ml.score
FireEye | Trojan.GenericKD.40817954
Emsisoft | Trojan.GenericKD.40817954 (B)
Cyren | W32/Trojan.DWJR-6998
Microsoft | PUA:Win32/Presenoker
GData | Trojan.GenericKD.40817954
ALYac | Trojan.GenericKD.40817954
DOS header field | Value
---|---
e_magic | MZ
e_cblp | 0x90
e_cp | 0x3
e_crlc | 0
e_cparhdr | 0x4
e_minalloc | 0
e_maxalloc | 0xffff
e_ss | 0
e_sp | 0xb8
e_csum | 0
e_ip | 0
e_cs | 0
e_ovno | 0
e_oemid | 0
e_oeminfo | 0
e_lfanew | 0x80
PE header field | Value
---|---
Signature | PE
Machine | IMAGE_FILE_MACHINE_I386
NumberofSections | 8
TimeDateStamp | 2012-Jan-05 14:29:38
PointerToSymbolTable | 0x2a4a00
NumberOfSymbols | 0
SizeOfOptionalHeader | 0xe0
Characteristics | IMAGE_FILE_32BIT_MACHINE, IMAGE_FILE_DEBUG_STRIPPED, IMAGE_FILE_EXECUTABLE_IMAGE, IMAGE_FILE_LINE_NUMS_STRIPPED, IMAGE_FILE_LOCAL_SYMS_STRIPPED, IMAGE_FILE_RELOCS_STRIPPED
Optional header field | Value
---|---
Magic | PE32
LinkerVersion | 2.0
SizeOfCode | 0x216e00
SizeOfInitializedData | 0x2a4600
SizeOfUninitializedData | 0x5c00
AddressOfEntryPoint | 0x00001160 (Section: .text)
BaseOfCode | 0x1000
BaseOfData | 0x218000
ImageBase | 0x400000
SectionAlignment | 0x1000
FileAlignment | 0x200
OperatingSystemVersion | 4.0
ImageVersion | 1.0
SubsystemVersion | 4.0
Win32VersionValue | 0
SizeOfImage | 0x2af000
SizeOfHeaders | 0x1000
Checksum | 0
Subsystem | IMAGE_SUBSYSTEM_WINDOWS_CUI
DllCharacteristics | IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE, IMAGE_DLLCHARACTERISTICS_NX_COMPAT
SizeofStackReserve | 0x200000
SizeofStackCommit | 0x1000
SizeofHeapReserve | 0x100000
SizeofHeapCommit | 0x1000
LoaderFlags | 0
NumberOfRvaAndSizes | 16
Imported DLL | Imported functions
---|---
KERNEL32.DLL | CloseHandle, CreateFileA, CreateFileMappingA, CreateIoCompletionPort, CreateSemaphoreA, DeleteCriticalSection, EnterCriticalSection, ExitProcess, FindClose, FindFirstFileA, FindNextFileA, FormatMessageA, FreeLibrary, GetCurrentProcessId, GetCurrentThreadId, GetExitCodeProcess, GetFileSize, GetFileType, GetLastError, GetModuleFileNameA, GetModuleHandleA, GetProcAddress, GetQueuedCompletionStatus, GetStdHandle, GetSystemDirectoryA, GetSystemTimeAsFileTime, GetTickCount, GetVersion, GetVersionExA, GlobalMemoryStatus, InitializeCriticalSection, InitializeCriticalSectionAndSpinCount, InterlockedExchange, IsDBCSLeadByteEx, LeaveCriticalSection, LoadLibraryA, LocalFree, MapViewOfFile, MultiByteToWideChar, OpenProcess, PostQueuedCompletionStatus, QueryPerformanceCounter, ReleaseSemaphore, SetLastError, SetUnhandledExceptionFilter, Sleep, TlsGetValue, UnmapViewOfFile, VirtualProtect, VirtualQuery, WaitForSingleObject, WideCharToMultiByte
ADVAPI32.DLL | CryptAcquireContextA, CryptGenRandom, DeregisterEventSource, RegCloseKey, RegOpenKeyExA, RegQueryValueExA, RegisterEventSourceA, ReportEventA
GDI32.dll | BitBlt, CreateCompatibleBitmap, CreateCompatibleDC, CreateDCA, DeleteDC, DeleteObject, GetBitmapBits, GetDeviceCaps, GetObjectA, SelectObject
msvcrt.dll | __getmainargs, __lc_codepage, __mb_cur_max, __p__environ, __p__fmode, __set_app_type, _assert, _beginthread, _cexit, _close, _endthread, _errno, _exit, _fstati64, _ftime, _getch, _getpid, _iob, _isctype, _locking, _lseek, _onexit, _open, _pctype, _read, _setmode, _snprintf, _stat, _strdup, _stricmp, _strnicmp, _vsnprintf, _wfopen, _winmajor, abort, atexit, atof, atoi, calloc, exit, exp, fclose, fflush, fgets, fopen, fprintf, fputc, fputs, fread, free, fseek, ftell, fwrite, getenv, gmtime, localeconv, localtime, log, malloc, memchr, memcmp, memcpy, memmove, mktime, pow, printf, puts, qsort, raise, rand, realloc, rename, signal, sprintf, srand, sscanf, strcat, strchr, strcmp, strcpy, strerror, strftime, strlen, strncmp, strncpy, strrchr, strspn, strstr, strtol, strtoul, time, tolower, vfprintf, wcslen, wcsstr
msvcrt.dll (#2) | __getmainargs, __lc_codepage, __mb_cur_max, __p__environ, __p__fmode, __set_app_type, _assert, _beginthread, _cexit, _close, _endthread, _errno, _exit, _fstati64, _ftime, _getch, _getpid, _iob, _isctype, _locking, _lseek, _onexit, _open, _pctype, _read, _setmode, _snprintf, _stat, _strdup, _stricmp, _strnicmp, _vsnprintf, _wfopen, _winmajor, abort, atexit, atof, atoi, calloc, exit, exp, fclose, fflush, fgets, fopen, fprintf, fputc, fputs, fread, free, fseek, ftell, fwrite, getenv, gmtime, localeconv, localtime, log, malloc, memchr, memcmp, memcpy, memmove, mktime, pow, printf, puts, qsort, raise, rand, realloc, rename, signal, sprintf, srand, sscanf, strcat, strchr, strcmp, strcpy, strerror, strftime, strlen, strncmp, strncpy, strrchr, strspn, strstr, strtol, strtoul, time, tolower, vfprintf, wcslen, wcsstr
SHELL32.DLL | SHGetMalloc, SHGetPathFromIDListA, SHGetSpecialFolderLocation, SHGetSpecialFolderPathA
USER32.dll | GetDesktopWindow, GetProcessWindowStation, GetUserObjectInformationW, MessageBoxA
WS2_32.dll | WSACleanup, WSAGetLastError, WSAIoctl, WSASetLastError, WSAStartup, accept, bind, closesocket, connect, gethostbyname, gethostname, getservbyname, getsockname, getsockopt, htonl, htons, ioctlsocket, listen, ntohl, ntohs, recv, recvfrom, select, send, sendto, setsockopt, shutdown, socket
TLS directory field | Value
---|---
StartAddressOfRawData | 0x6ae019
EndAddressOfRawData | 0x6ae01c
AddressOfIndex | 0x6a9060
AddressOfCallbacks | 0x6ad004
SizeOfZeroFill | 0
Characteristics | IMAGE_SCN_TYPE_REG
Callbacks | 0x0060E3D0, 0x0060E390