5c9908365c627c4eac9aab4c29923444

Summary

Architecture IMAGE_FILE_MACHINE_I386
Subsystem IMAGE_SUBSYSTEM_WINDOWS_CUI
Compilation Date 2019-Sep-06 12:37:54
Detected languages English - United States
Debug artifacts E:\武大\2019KCTFQ3\ZhonyaRing\Release\ZhonyaRing.pdb

Plugin Output

Info Matching compiler(s): Microsoft Visual C++ 6.0 - 8.0
Suspicious Strings found in the binary may indicate undesirable behavior: Miscellaneous malware strings:
  • cmd.exe
Info Cryptographic algorithms detected in the binary: Uses constants related to MD5
Info The PE contains common functions which appear in legitimate applications. [!] The program may be hiding some of its imports:
  • GetProcAddress
  • LoadLibraryExW
Possibly launches other programs:
  • CreateProcessA
Suspicious VirusTotal score: 1/67 (Scanned on 2019-09-10 09:19:28) Qihoo-360: HEUR/QVM10.2.C8F5.Malware.Gen

Hashes

MD5 5c9908365c627c4eac9aab4c29923444
SHA1 6e2562db8f2737942f889b1a46dc9fabedc71651
SHA256 5d78c3fdf21998ac6dbbd26611738a71f85d95b5719dec088b6bc933084efbe4
SHA3 5631b6fb0e8ecc6cfaa91358566aa9b0413fcc3b17243957f9f840e831ef65b2
SSDeep 3072:0St89yvSzBawQC2mCaRVK47VueJpWyNmcjYPBYLccrcYqvBptR67Q:0StJazEqRB7UeJU2r8PBXcGv68
Imports Hash dfbb9ab9f4b8bd2469e43d40d8073923

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0xf8

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_I386
NumberofSections 5
TimeDateStamp 2019-Sep-06 12:37:54
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xe0
Characteristics IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE

Image Optional Header

Magic PE32
LinkerVersion 14.0
SizeOfCode 0x17a00
SizeOfInitializedData 0x9200
SizeOfUninitializedData 0
AddressOfEntryPoint 0x00001EF6 (Section: .text)
BaseOfCode 0x1000
BaseOfData 0x19000
ImageBase 0x400000
SectionAlignment 0x1000
FileAlignment 0x200
OperatingSystemVersion 6.0
ImageVersion 0.0
SubsystemVersion 6.0
Win32VersionValue 0
SizeOfImage 0x25000
SizeOfHeaders 0x400
Checksum 0
Subsystem IMAGE_SUBSYSTEM_WINDOWS_CUI
DllCharacteristics IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
SizeofStackReserve 0x100000
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

.text

MD5 d751696edb079ac95ea6e5bfeee59ee6
SHA1 a5538ec9ffd72c043142e57537a2a20c3a4351e7
SHA256 3ed2df06d7a24aa7be24bbb50a8335f203c36f092408be3cde88b7a5ce0bc44f
SHA3 f75cecc9a93b57ab30262096b7ddff9144f1246d710c41fb14951235c23cebfc
VirtualSize 0x1789b
VirtualAddress 0x1000
SizeOfRawData 0x17a00
PointerToRawData 0x400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
Entropy 6.62901

.rdata

MD5 b4cf1e94b44fff43225a129ce1bcf531
SHA1 1326157c37b2ab6fd46b0cd30206e951b4bb1767
SHA256 b1a3ccb653329605fc72e5ae51bda30c2ab0387337051733d2ee8bfe75d500b7
SHA3 26a00563b041237eaec35207fe63b176da277279a9e4f9515eba618c2c3c8616
VirtualSize 0x6698
VirtualAddress 0x19000
SizeOfRawData 0x6800
PointerToRawData 0x17e00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 5.24942

.data

MD5 1b5da2102525dd62f3d3a0675bff4d43
SHA1 44e544da7eeae840861ae44af7d738ca4da7341f
SHA256 67cd18ec536295ce1e4de7d0eaa05360b6f55d0f0c150ec76a8fa9e1bf3671b0
SHA3 fe8a57dd8045c99de55f018020d120aefe1808994dd1bf08872458727d47a3de
VirtualSize 0x1348
VirtualAddress 0x20000
SizeOfRawData 0xa00
PointerToRawData 0x1e600
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 1.90934

.rsrc

MD5 85e172d10fe5784e3aa0fd2c07df66ac
SHA1 bd363a3a19a2fd23a72697e99d97d57c99fe9cd9
SHA256 711025adb2287c0f7888ca4b6f85227fcf7f44d7459ae9c9e78f8111bdc59147
SHA3 6febc396da3da0345c58d07abcebd55d8043015f7e5196f58fda127731bee09d
VirtualSize 0x288
VirtualAddress 0x22000
SizeOfRawData 0x400
PointerToRawData 0x1f000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 3.84491

.reloc

MD5 725b576e5daabe5303781b5fe9774470
SHA1 230f461c1d9453fe026846555a15415c07b2f94a
SHA256 013057741080a295086a68df066b667e5a0fc981a34c261652fb70e9b4120296
SHA3 91eb79b8a1240852d1296df57b7fa5b61acd18bc93c47bbc257368e4bb41edb9
VirtualSize 0x10d8
VirtualAddress 0x23000
SizeOfRawData 0x1200
PointerToRawData 0x1f400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Entropy 6.36283

Imports

KERNEL32.dll UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetCurrentProcess
TerminateProcess
IsProcessorFeaturePresent
QueryPerformanceCounter
GetCurrentProcessId
GetCurrentThreadId
GetSystemTimeAsFileTime
InitializeSListHead
IsDebuggerPresent
GetStartupInfoW
GetModuleHandleW
DecodePointer
RtlUnwind
GetLastError
SetLastError
EnterCriticalSection
LeaveCriticalSection
DeleteCriticalSection
InitializeCriticalSectionAndSpinCount
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
FreeLibrary
GetProcAddress
LoadLibraryExW
GetStdHandle
WriteFile
GetModuleFileNameA
MultiByteToWideChar
WideCharToMultiByte
ExitProcess
GetModuleHandleExW
GetCommandLineA
GetCommandLineW
GetACP
HeapFree
HeapAlloc
CompareStringW
LCMapStringW
GetFileType
CloseHandle
WaitForSingleObject
GetExitCodeProcess
CreateProcessA
GetFileAttributesExW
FindClose
FindFirstFileExA
FindNextFileA
IsValidCodePage
GetOEMCP
GetCPInfo
GetEnvironmentStringsW
FreeEnvironmentStringsW
SetEnvironmentVariableA
SetStdHandle
GetStringTypeW
GetProcessHeap
FlushFileBuffers
GetConsoleCP
GetConsoleMode
HeapSize
HeapReAlloc
SetFilePointerEx
ReadFile
ReadConsoleW
CreateFileW
WriteConsoleW
RaiseException

Delayed Imports

Resources

1

Type RT_MANIFEST
Language English - United States
Codepage UNKNOWN
Size 0x224
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 5.04378
MD5 245b863be176aab16ef1dbe168defe03
SHA1 c0a369f6f0e77b89c5d9d37fb94e1d5e2d431b5b
SHA256 59ba97d56a01766792386c3b379946bb613c8921e3daf8a878855a268ad5e4aa
SHA3 7efbe82f17422b353f747a146c1e8f1b9df37e90648150f2020442ff9477341e

Version Info

Debug Info

IMAGE_DEBUG_TYPE_CODEVIEW

Characteristics 0
TimeDateStamp 2019-Sep-06 12:37:54
Version 0.0
SizeofData 79
AddressOfRawData 0x1e8bc
PointerToRawData 0x1d6bc
Referenced File E:\武大\2019KCTFQ3\ZhonyaRing\Release\ZhonyaRing.pdb

IMAGE_DEBUG_TYPE_VC_FEATURE

Characteristics 0
TimeDateStamp 2019-Sep-06 12:37:54
Version 0.0
SizeofData 20
AddressOfRawData 0x1e90c
PointerToRawData 0x1d70c

IMAGE_DEBUG_TYPE_POGO

Characteristics 0
TimeDateStamp 2019-Sep-06 12:37:54
Version 0.0
SizeofData 656
AddressOfRawData 0x1e920
PointerToRawData 0x1d720

IMAGE_DEBUG_TYPE_ILTCG

Characteristics 0
TimeDateStamp 2019-Sep-06 12:37:54
Version 0.0
SizeofData 0
AddressOfRawData 0
PointerToRawData 0

TLS Callbacks

Load Configuration

Size 0xa0
TimeDateStamp 1970-Jan-01 00:00:00
Version 0.0
GlobalFlagsClear (EMPTY)
GlobalFlagsSet (EMPTY)
CriticalSectionDefaultTimeout 0
DeCommitFreeBlockThreshold 0
DeCommitTotalFreeThreshold 0
LockPrefixTable 0
MaximumAllocationSize 0
VirtualMemoryThreshold 0
ProcessAffinityMask 0
ProcessHeapFlags (EMPTY)
CSDVersion 0
Reserved1 0
EditList 0
SecurityCookie 0x420000
SEHandlerTable 0x41e8b0
SEHandlerCount 3

RICH Header

XOR Key 0xf176b1a7
Unmarked objects 0
ASM objects (VS2017 v15.?.? build 25203) 9
C++ objects (VS2017 v15.?.? build 25203) 148
C objects (VS2017 v15.?.? build 25203) 18
Imports (VS2017 v15.?.? build 25203) 3
Total imports 89
ASM objects (VS2015/2017 runtime 25810) 17
C++ objects (VS2015/2017 runtime 25810) 29
C objects (VS2015/2017 runtime 25810) 18
265 (VS2017 v15.5.2 compiler 25831) 3
Resource objects (VS2017 v15.5.2 compiler 25831) 1
Linker (VS2017 v15.5.2 compiler 25831) 1

Errors