5c6a1a6ee07d6861741dcf01bfd73aeb

Summary

Architecture IMAGE_FILE_MACHINE_I386
Subsystem IMAGE_SUBSYSTEM_WINDOWS_CUI
Compilation Date 2012-Jan-05 14:29:38
TLS Callbacks 2 callback(s) detected.

Plugin Output

Suspicious Strings found in the binary may indicate undesirable behavior: May have dropper capabilities:
  • CurrentControlSet\Services
Miscellaneous malware strings:
  • hack
Info Cryptographic algorithms detected in the binary: Uses constants related to CRC32
Uses constants related to MD5
Uses constants related to SHA1
Uses constants related to SHA256
Uses constants related to SHA512
Uses constants related to AES
Uses constants related to Blowfish
Microsoft's Cryptography API
Suspicious The PE is possibly packed. Unusual section name found: /4
Suspicious The PE contains functions most legitimate programs don't use. [!] The program may be hiding some of its imports:
  • GetProcAddress
  • LoadLibraryA
Functions which can be used for anti-debugging purposes:
  • QueryPerformanceCounter
Can access the registry:
  • RegCloseKey
  • RegOpenKeyExA
  • RegQueryValueExA
Uses Windows's Native API:
  • ntohl
  • ntohs
Uses Microsoft's cryptographic API:
  • CryptAcquireContextA
  • CryptGenRandom
Leverages the raw socket API to access the Internet:
  • WSACleanup
  • WSAGetLastError
  • WSAIoctl
  • WSASetLastError
  • WSAStartup
  • accept
  • bind
  • closesocket
  • connect
  • gethostbyname
  • gethostname
  • getservbyname
  • getsockname
  • getsockopt
  • htonl
  • htons
  • ioctlsocket
  • listen
  • ntohl
  • ntohs
  • recv
  • recvfrom
  • select
  • send
  • sendto
  • setsockopt
  • shutdown
  • socket
Manipulates other processes:
  • OpenProcess
Can take screenshots:
  • BitBlt
  • CreateCompatibleDC
Suspicious The file contains overlay data. 14 bytes of data starting at offset 0x2a4a00.
Malicious VirusTotal score: 6/68 (Scanned on 2018-01-05 08:57:39) F-Prot: W32/Trojan3.ABOF
Symantec: Trojan Horse
NANO-Antivirus: Trojan.Win32.Dwn.dzgqmx
DrWeb: Trojan.DownLoader18.14091
Cyren: W32/Trojan.DWJR-6998
Cylance: Unsafe

Hashes

MD5 5c6a1a6ee07d6861741dcf01bfd73aeb
SHA1 3cb0f05415b927ab3af55be95a0293660842c7b0
SHA256 e91881528f7fcc3091735b1d4efb7570e60f4b9ba7019a5cc60ce435aeef3560
SHA3 2e9d4eb35569ca673cbacef71c4f8a8174232031d19b4930502a72e7b6d45fe8
SSDeep 49152:BEgv2l96EtaDpjoPRAs86gak7ijgTaDEWdzWyxxr7/Rz3nCEpUKu0C9taKbEfTZi:BEgv2l96EtcpjoPRAstg/+gTrCzWyx9K
Imports Hash d7e68575548c9b734c7f5908baf955b2

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0x80

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_I386
NumberofSections 8
TimeDateStamp 2012-Jan-05 14:29:38
PointerToSymbolTable 0x2a4a00
NumberOfSymbols 0
SizeOfOptionalHeader 0xe0
Characteristics IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DEBUG_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_RELOCS_STRIPPED

Image Optional Header

Magic PE32
LinkerVersion 2.0
SizeOfCode 0x216e00
SizeOfInitializedData 0x2a4600
SizeOfUninitializedData 0x5c00
AddressOfEntryPoint 0x00001160 (Section: .text)
BaseOfCode 0x1000
BaseOfData 0x218000
ImageBase 0x400000
SectionAlignment 0x1000
FileAlignment 0x200
OperatingSystemVersion 4.0
ImageVersion 1.0
SubsystemVersion 4.0
Win32VersionValue 0
SizeOfImage 0x2af000
SizeOfHeaders 0x1000
Checksum 0
Subsystem IMAGE_SUBSYSTEM_WINDOWS_CUI
DllCharacteristics IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
SizeofStackReserve 0x200000
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

.text

MD5 08e2f2308219ea2ff1020d21102df5a9
SHA1 60dab5a01338e7d3b2b2f1750c9021868b203d3d
SHA256 12b7dcf301dffd5629108f35763726f1270f27a8efc7b83342b2c4e2fd853f95
SHA3 8dcb8bd8b280daaf871b5f5f7df5adad8db53e71e16e4922b569ae988fc55030
VirtualSize 0x216dd0
VirtualAddress 0x1000
SizeOfRawData 0x216e00
PointerToRawData 0x400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_ALIGN_1024BYTES
IMAGE_SCN_ALIGN_16BYTES
IMAGE_SCN_ALIGN_1BYTES
IMAGE_SCN_ALIGN_2048BYTES
IMAGE_SCN_ALIGN_256BYTES
IMAGE_SCN_ALIGN_2BYTES
IMAGE_SCN_ALIGN_32BYTES
IMAGE_SCN_ALIGN_4096BYTES
IMAGE_SCN_ALIGN_4BYTES
IMAGE_SCN_ALIGN_512BYTES
IMAGE_SCN_ALIGN_64BYTES
IMAGE_SCN_ALIGN_8192BYTES
IMAGE_SCN_ALIGN_8BYTES
IMAGE_SCN_ALIGN_MASK
IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
Entropy 6.14629

.data

MD5 ba092283a672c0023cbc930d69798dd7
SHA1 350a08c9a61ee601467aa2a1986fb3bf7479697e
SHA256 0df94a5d61f236de49a69cd4e94080893d478e42b83521c425cc804854f511f6
SHA3 05eb70fd5fbaec47d7f1ad579cdc2132aececc7ed49f3da0f7cfc02d12c263f6
VirtualSize 0xa85c
VirtualAddress 0x218000
SizeOfRawData 0xaa00
PointerToRawData 0x217200
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_ALIGN_1024BYTES
IMAGE_SCN_ALIGN_16BYTES
IMAGE_SCN_ALIGN_2048BYTES
IMAGE_SCN_ALIGN_2BYTES
IMAGE_SCN_ALIGN_32BYTES
IMAGE_SCN_ALIGN_4096BYTES
IMAGE_SCN_ALIGN_4BYTES
IMAGE_SCN_ALIGN_512BYTES
IMAGE_SCN_ALIGN_64BYTES
IMAGE_SCN_ALIGN_8192BYTES
IMAGE_SCN_ALIGN_8BYTES
IMAGE_SCN_ALIGN_MASK
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 4.22634

.rdata

MD5 8b7e1e670f61d4944b94e87b285e208d
SHA1 8e3875697936450758cd719515c1c40fb02db7d7
SHA256 7c6c6976aadbd9b43c42dd2a2ba449ce236c163415746e40c39e44fbf5eeeccb
SHA3 4c36e4630d8031b696abf241ef4068f215f53bca5e490746b2258b89d2caa15a
VirtualSize 0x80fdc
VirtualAddress 0x223000
SizeOfRawData 0x81000
PointerToRawData 0x221c00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_ALIGN_1024BYTES
IMAGE_SCN_ALIGN_16BYTES
IMAGE_SCN_ALIGN_2048BYTES
IMAGE_SCN_ALIGN_2BYTES
IMAGE_SCN_ALIGN_32BYTES
IMAGE_SCN_ALIGN_4096BYTES
IMAGE_SCN_ALIGN_4BYTES
IMAGE_SCN_ALIGN_512BYTES
IMAGE_SCN_ALIGN_64BYTES
IMAGE_SCN_ALIGN_8192BYTES
IMAGE_SCN_ALIGN_8BYTES
IMAGE_SCN_ALIGN_MASK
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 5.80154

/4

MD5 dd139abf93f672901a0f188ab6734f83
SHA1 393a6aefeb7acecbc4af052d35ada6e9a62b7d25
SHA256 2298d00a8a920b945ee6028d59db4bd3eab36af507d79e72ae393e490173c300
SHA3 eba496813a3b15c3bba2f2c986eddcf1e2722ce0663bb9f8b5f4fe1f2df8cea3
VirtualSize 0x120
VirtualAddress 0x2a4000
SizeOfRawData 0x200
PointerToRawData 0x2a2c00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_ALIGN_1024BYTES
IMAGE_SCN_ALIGN_16BYTES
IMAGE_SCN_ALIGN_1BYTES
IMAGE_SCN_ALIGN_256BYTES
IMAGE_SCN_ALIGN_2BYTES
IMAGE_SCN_ALIGN_32BYTES
IMAGE_SCN_ALIGN_4096BYTES
IMAGE_SCN_ALIGN_4BYTES
IMAGE_SCN_ALIGN_512BYTES
IMAGE_SCN_ALIGN_64BYTES
IMAGE_SCN_ALIGN_8192BYTES
IMAGE_SCN_ALIGN_MASK
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 3.08088

.bss

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA3 a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a
VirtualSize 0x5bf0
VirtualAddress 0x2a5000
SizeOfRawData 0
PointerToRawData 0
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_ALIGN_1024BYTES
IMAGE_SCN_ALIGN_16BYTES
IMAGE_SCN_ALIGN_2048BYTES
IMAGE_SCN_ALIGN_2BYTES
IMAGE_SCN_ALIGN_32BYTES
IMAGE_SCN_ALIGN_4096BYTES
IMAGE_SCN_ALIGN_4BYTES
IMAGE_SCN_ALIGN_512BYTES
IMAGE_SCN_ALIGN_64BYTES
IMAGE_SCN_ALIGN_8192BYTES
IMAGE_SCN_ALIGN_8BYTES
IMAGE_SCN_ALIGN_MASK
IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata

MD5 b2444e73da1de4b3f7f0ac29d9eb3204
SHA1 fe071bed3ace6a0c5be356840d3c54264d168071
SHA256 0770b627c7b4a760aa8ecb55e99ebffa22af324ea5c4bde5fce1be761fcdea39
SHA3 a0b48f0fdffb3189ac676d4926e8ab249d457c59d1b698c3886902f5af449f75
VirtualSize 0x16e4
VirtualAddress 0x2ab000
SizeOfRawData 0x1800
PointerToRawData 0x2a2e00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_ALIGN_1024BYTES
IMAGE_SCN_ALIGN_16BYTES
IMAGE_SCN_ALIGN_1BYTES
IMAGE_SCN_ALIGN_256BYTES
IMAGE_SCN_ALIGN_2BYTES
IMAGE_SCN_ALIGN_32BYTES
IMAGE_SCN_ALIGN_4096BYTES
IMAGE_SCN_ALIGN_4BYTES
IMAGE_SCN_ALIGN_512BYTES
IMAGE_SCN_ALIGN_64BYTES
IMAGE_SCN_ALIGN_8192BYTES
IMAGE_SCN_ALIGN_MASK
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 4.76432

.CRT

MD5 6121364e8d537efd0e4fa025c2f907b9
SHA1 43d4f1faa9b8b2a602f07204d25faac951ecd794
SHA256 385d95ba12473dea732c98bc26b4c3bcd90a608052a6c32a8e3ada6187bb8f90
SHA3 b5f83d64c33972f51ea2ae717baca24a33545b5efcd6ea2dec84458b6af77276
VirtualSize 0x18
VirtualAddress 0x2ad000
SizeOfRawData 0x200
PointerToRawData 0x2a4600
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_ALIGN_1024BYTES
IMAGE_SCN_ALIGN_16BYTES
IMAGE_SCN_ALIGN_1BYTES
IMAGE_SCN_ALIGN_256BYTES
IMAGE_SCN_ALIGN_2BYTES
IMAGE_SCN_ALIGN_32BYTES
IMAGE_SCN_ALIGN_4096BYTES
IMAGE_SCN_ALIGN_4BYTES
IMAGE_SCN_ALIGN_512BYTES
IMAGE_SCN_ALIGN_64BYTES
IMAGE_SCN_ALIGN_8192BYTES
IMAGE_SCN_ALIGN_MASK
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 0.114463

.tls

MD5 7fce883b255632630d02e00d1fb6b2ea
SHA1 fc8e10ec7cf19505cc235b5479d6ec6799fe79a4
SHA256 c4e6c7d784bdb2fbc8e0937bf348694e785f99d6fe0323af73788460a2ccc140
SHA3 02c19fc80ee5e1a2c23008c783c71922974fd479b6e67d7617dd94fcd505b836
VirtualSize 0x20
VirtualAddress 0x2ae000
SizeOfRawData 0x200
PointerToRawData 0x2a4800
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_ALIGN_1024BYTES
IMAGE_SCN_ALIGN_16BYTES
IMAGE_SCN_ALIGN_1BYTES
IMAGE_SCN_ALIGN_256BYTES
IMAGE_SCN_ALIGN_2BYTES
IMAGE_SCN_ALIGN_32BYTES
IMAGE_SCN_ALIGN_4096BYTES
IMAGE_SCN_ALIGN_4BYTES
IMAGE_SCN_ALIGN_512BYTES
IMAGE_SCN_ALIGN_64BYTES
IMAGE_SCN_ALIGN_8192BYTES
IMAGE_SCN_ALIGN_MASK
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 0.22482

Imports

KERNEL32.DLL CloseHandle
CreateFileA
CreateFileMappingA
CreateIoCompletionPort
CreateSemaphoreA
DeleteCriticalSection
EnterCriticalSection
ExitProcess
FindClose
FindFirstFileA
FindNextFileA
FormatMessageA
FreeLibrary
GetCurrentProcessId
GetCurrentThreadId
GetExitCodeProcess
GetFileSize
GetFileType
GetLastError
GetModuleFileNameA
GetModuleHandleA
GetProcAddress
GetQueuedCompletionStatus
GetStdHandle
GetSystemDirectoryA
GetSystemTimeAsFileTime
GetTickCount
GetVersion
GetVersionExA
GlobalMemoryStatus
InitializeCriticalSection
InitializeCriticalSectionAndSpinCount
InterlockedExchange
IsDBCSLeadByteEx
LeaveCriticalSection
LoadLibraryA
LocalFree
MapViewOfFile
MultiByteToWideChar
OpenProcess
PostQueuedCompletionStatus
QueryPerformanceCounter
ReleaseSemaphore
SetLastError
SetUnhandledExceptionFilter
Sleep
TlsGetValue
UnmapViewOfFile
VirtualProtect
VirtualQuery
WaitForSingleObject
WideCharToMultiByte
ADVAPI32.DLL CryptAcquireContextA
CryptGenRandom
DeregisterEventSource
RegCloseKey
RegOpenKeyExA
RegQueryValueExA
RegisterEventSourceA
ReportEventA
GDI32.dll BitBlt
CreateCompatibleBitmap
CreateCompatibleDC
CreateDCA
DeleteDC
DeleteObject
GetBitmapBits
GetDeviceCaps
GetObjectA
SelectObject
msvcrt.dll __getmainargs
__lc_codepage
__mb_cur_max
__p__environ
__p__fmode
__set_app_type
_assert
_beginthread
_cexit
_close
_endthread
_errno
_exit
_fstati64
_ftime
_getch
_getpid
_iob
_isctype
_locking
_lseek
_onexit
_open
_pctype
_read
_setmode
_snprintf
_stat
_strdup
_stricmp
_strnicmp
_vsnprintf
_wfopen
_winmajor
abort
atexit
atof
atoi
calloc
exit
exp
fclose
fflush
fgets
fopen
fprintf
fputc
fputs
fread
free
fseek
ftell
fwrite
getenv
gmtime
localeconv
localtime
log
malloc
memchr
memcmp
memcpy
memmove
mktime
pow
printf
puts
qsort
raise
rand
realloc
rename
signal
sprintf
srand
sscanf
strcat
strchr
strcmp
strcpy
strerror
strftime
strlen
strncmp
strncpy
strrchr
strspn
strstr
strtol
strtoul
time
tolower
vfprintf
wcslen
wcsstr
msvcrt.dll (#2) __getmainargs
__lc_codepage
__mb_cur_max
__p__environ
__p__fmode
__set_app_type
_assert
_beginthread
_cexit
_close
_endthread
_errno
_exit
_fstati64
_ftime
_getch
_getpid
_iob
_isctype
_locking
_lseek
_onexit
_open
_pctype
_read
_setmode
_snprintf
_stat
_strdup
_stricmp
_strnicmp
_vsnprintf
_wfopen
_winmajor
abort
atexit
atof
atoi
calloc
exit
exp
fclose
fflush
fgets
fopen
fprintf
fputc
fputs
fread
free
fseek
ftell
fwrite
getenv
gmtime
localeconv
localtime
log
malloc
memchr
memcmp
memcpy
memmove
mktime
pow
printf
puts
qsort
raise
rand
realloc
rename
signal
sprintf
srand
sscanf
strcat
strchr
strcmp
strcpy
strerror
strftime
strlen
strncmp
strncpy
strrchr
strspn
strstr
strtol
strtoul
time
tolower
vfprintf
wcslen
wcsstr
SHELL32.DLL SHGetMalloc
SHGetPathFromIDListA
SHGetSpecialFolderLocation
SHGetSpecialFolderPathA
USER32.dll GetDesktopWindow
GetProcessWindowStation
GetUserObjectInformationW
MessageBoxA
WS2_32.dll WSACleanup
WSAGetLastError
WSAIoctl
WSASetLastError
WSAStartup
accept
bind
closesocket
connect
gethostbyname
gethostname
getservbyname
getsockname
getsockopt
htonl
htons
ioctlsocket
listen
ntohl
ntohs
recv
recvfrom
select
send
sendto
setsockopt
shutdown
socket

Delayed Imports

Version Info

TLS Callbacks

StartAddressOfRawData 0x6ae019
EndAddressOfRawData 0x6ae01c
AddressOfIndex 0x6a9060
AddressOfCallbacks 0x6ad004
SizeOfZeroFill 0
Characteristics IMAGE_SCN_TYPE_REG
Callbacks 0x0060E3D0
0x0060E390

Load Configuration

RICH Header

Errors

[*] Warning: Tried to read outside the COFF string table to get the name of section /4! [*] Warning: Section .bss has a size of 0!