601df92ca7a6865bc0d63245941089b8

Summary

Architecture IMAGE_FILE_MACHINE_I386
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date 2009-Jun-19 16:02:00
Detected languages Chinese - PRC, English - United States

Plugin Output

Info Matching compiler(s):
  • MASM/TASM - sig1(h)
  • Microsoft Visual C++
  • Microsoft Visual C++ v6.0
  • Microsoft Visual C++ v5.0/v6.0 (MFC)
Info The PE contains common functions which appear in legitimate applications. Possibly launches other programs:
  • WinExec
Suspicious The file contains overlay data: 126048 bytes of data starting at offset 0x8000.
Overlay data accounts for 79.3673% of the executable.
Malicious VirusTotal score: 46/71 (Scanned on 2019-03-13 05:13:29)
MicroWorld-eScan: Gen:Variant.Graftor.28753
CMC: Virus.Win32.Lamer!O
McAfee: Generic Packed
Zillya: Downloader.Murlo.Win32.3243
TheHacker: Trojan/Dropper.Agent.nyn
Invincea: heuristic
Cyren: W32/Dropper.AA.gen!Eldorado
Symantec: ML.Attribute.HighConfidence
TrendMicro-HouseCall: TROJ_DOWNLOADER_0000a08.TOMA
ClamAV: Win.Trojan.4492986-1
Kaspersky: Virus.Win32.Lamer.bs
BitDefender: Gen:Variant.Graftor.28753
NANO-Antivirus: Virus.Win32.Lamer.vpqnl
Tencent: Win32.Virus.Lamer.Wkcb
Endgame: malicious (high confidence)
Emsisoft: Gen:Variant.Graftor.28753 (B)
Comodo: TrojWare.Win32.TrojanDropper.Mudrop.H@1cukoj
F-Secure: Trojan.TR/Drop.Agen.102912
DrWeb: Trojan.DownLoader6.40818
TrendMicro: TROJ_DOWNLOADER_0000a08.TOMA
McAfee-GW-Edition: Generic Packed
Sophos: Mal/Mdrop-DA
Ikarus: Trojan-Downloader.Win32.Murlo
F-Prot: W32/Dropper.AA.gen!Eldorado
Jiangmin: Trojan/Generic.bdzl
Webroot: W32.Trojan.Gen
Avira: TR/Drop.Agen.102912
MAX: malware (ai score=99)
Kingsoft: Win32.Infector.xd.118303
Arcabit: Trojan.Graftor.D7051
ZoneAlarm: Virus.Win32.Lamer.bs
GData: Gen:Variant.Graftor.28753
AhnLab-V3: Win-Trojan/Muldrop.Gen
ALYac: Gen:Variant.Graftor.28753
Ad-Aware: Gen:Variant.Graftor.28753
Cylance: Unsafe
ESET-NOD32: a variant of Win32/TrojanDropper.Agent.NYN
Rising: Worm.Win32.ExeKiller.o (CLOUD)
Yandex: Trojan.DR.Agent!jKqaLpDoX2w
SentinelOne: DFI - Malicious PE
Fortinet: W32/Mudrop.GFO!tr
AVG: FileRepMalware
Cybereason: malicious.ca7a68
Panda: Trj/Genetic.gen
CrowdStrike: win/malicious_confidence_100% (D)
Qihoo-360: Win32/Trojan.ff0

Hashes

MD5 601df92ca7a6865bc0d63245941089b8
SHA1 0b576a79363540b841e43ef16fff2c7830e4f63a
SHA256 407bd490e96552230e749e720fbf33a976556ecc04aadcf74d041c0913975c81
SHA3 1ac6029551ed91924e592735cf23f4b2dfc38586f4ea30fac913dd1814520605
SSDeep 3072:LqnTbOQpJakJLfwQdJauqP3yMtZ8zkOQpJakJLfw:LCOQpJ7JfwsJaz2zkOQpJ7Jfw
Imports Hash 4afefc18d5b72d1f2d8159fedf8aef42

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0x100

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_I386
NumberofSections 4
TimeDateStamp 2009-Jun-19 16:02:00
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xe0
Characteristics IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_RELOCS_STRIPPED

Image Optional Header

Magic PE32
LinkerVersion 6.0
SizeOfCode 0x4000
SizeOfInitializedData 0x2b000
SizeOfUninitializedData 0
AddressOfEntryPoint 0x00003EB6 (Section: .text)
BaseOfCode 0x1000
BaseOfData 0x5000
ImageBase 0x400000
SectionAlignment 0x1000
FileAlignment 0x1000
OperatingSystemVersion 4.0
ImageVersion 0.0
SubsystemVersion 4.0
Win32VersionValue 0
SizeOfImage 0x30000
SizeOfHeaders 0x1000
Checksum 0
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
SizeofStackReserve 0x100000
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

.text

MD5 71e1cc3f8ffe80dbb5f7d0455ac0a3d9
SHA1 8f3af148aabe5be7b7b1ba72e701e8085a96fab9
SHA256 53e9d426baa8eeffbd180a99eef7bdbf8a3ed3e0d7cf3918993bdaec71284922
SHA3 ddddfb7d4d35c7707208f3a09ee8baffa68e63801ef5f08910d32ee240feb41e
VirtualSize 0x30aa
VirtualAddress 0x1000
SizeOfRawData 0x4000
PointerToRawData 0x1000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
Entropy 5.3649

.rdata

MD5 5fcf602b80716916c19ecc323c3c334e
SHA1 3e7464f45e2085c3983c0d533dbac7ccdfe4ceed
SHA256 e2cb8fd73a87dc2e3b5e39996586c9ce0fc68fc62eb7da4e12407affa0372d36
SHA3 cd0bec3729e0b096da44437b4673b7c1d7a7ead93f00953d8086a647db13aa84
VirtualSize 0xc6c
VirtualAddress 0x5000
SizeOfRawData 0x1000
PointerToRawData 0x5000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 4.33947

.data

MD5 9b269146bc5822e22005f89bab8b1364
SHA1 30e6e0a5bd1ed42a49a9e1684ebe2d57d4b86b85
SHA256 ce94c7611079153e0af6fb8c0b5915a529d99a0541c0c631ae9a6896518419bd
SHA3 681e42efdbb047eeb2ac5ea1c5ce0558ce3ef1bbce40ae6868719179f2aaecaf
VirtualSize 0x28c8c
VirtualAddress 0x6000
SizeOfRawData 0x1000
PointerToRawData 0x6000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 1.80103

.rsrc

MD5 e0844fdeb176f9d957b3365b5e472608
SHA1 ffec5442734960cf35484d45ffa01998a8e5a972
SHA256 fd4f61f87fe64df0f3264791c7fb4205c56de1a38db566b0294bd9a590d6db9c
SHA3 b9ad7994297954f5bdaa38b444fabc0a0152e4f670bd07a27385bd0fe9cf176a
VirtualSize 0x9e8
VirtualAddress 0x2f000
SizeOfRawData 0x1000
PointerToRawData 0x7000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 2.84462

Imports

WSOCK32.dll
#4
#23
#116
#9
#18
#52
#22
#16
#19
#3
#115
MFC42.DLL (imports by ordinal only)
MSVCRT.dll
fclose
fopen
atoi
rand
srand
time
strcat
strcpy
exit
_mbscmp
memset
__dllonexit
_onexit
_exit
_XcptFilter
_acmdln
__getmainargs
_initterm
__setusermatherr
_adjust_fdiv
__p__commode
__p__fmode
__set_app_type
_except_handler3
_controlfp
fread
fseek
fwrite
memcpy
getc
putc
_setmbcp
KERNEL32.dll
LockResource
GetStartupInfoA
GetModuleHandleA
CreateThread
CloseHandle
GetModuleFileNameA
MoveFileExA
GetCurrentDirectoryA
DeleteFileA
WinExec
GetWindowsDirectoryA
SizeofResource
FindResourceA
SetFileAttributesA
EnumResourceNamesA
LoadLibraryExA
Sleep
MultiByteToWideChar
CopyFileA
LoadResource
USER32.dll
SetTimer
EnableWindow
LookupIconIdFromDirectory
KillTimer
SendMessageA
LoadIconA
ole32.dll
CoCreateInstance
CoInitialize

Delayed Imports

Resources

1

Type RT_ICON
Language Chinese - PRC
Codepage UNKNOWN
Size 0x8a8
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 3.86076
MD5 f947568018095c377fc49870dfdfbfb0
SHA1 5464e737d69b51a52020fce6953811f2cf8a3b12
SHA256 44622072c4c1126918ede4d2b13050e340a2f09c7f1524c80082b19df5035917
SHA3 8247719cff0f83dd5d80cbf4369f1d206a543f237185d8c3ef66146f76ae5999

102

Type RT_DIALOG
Language English - United States
Codepage UNKNOWN
Size 0x34
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 2.25864
MD5 a61fd2604e49d2a7888d037ee6252620
SHA1 28994565c38f1ababf7cb0e08ff0a29a7412b3a3
SHA256 9a127421f2114c970416ba5eb57ca80a9120c37dbce440213841b34cad6f5799
SHA3 677a9a0a5721da5a612434693a67d8ac5b356b3742a214345c1ab7299fedace5

128

Type RT_GROUP_ICON
Language Chinese - PRC
Codepage UNKNOWN
Size 0x14
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 1.81924
Detected Filetype Icon file
MD5 cbee427fa121aba9b9b265ff05de5383
SHA1 24fcae33001c8e0f5ec795c6edf076a69d59589f
SHA256 494e4fd717fa1ee0c5c7bb3b4e28fdab4b7f6e95b4f9865f5ab86f03f62ae62c
SHA3 a3fa35d56632275ba55716a4964f02031270f61f06a903fc460ac2dd6bebde85

Version Info

TLS Callbacks

Load Configuration

RICH Header

XOR Key 0x110775d
Unmarked objects 0
Unmarked objects (#2) 3
C++ objects (8047) 1
C objects (8047) 11
14 (7299) 2
Linker (8047) 2
C++ objects (VS98 SP6 build 8804) 3
Linker (VS98 SP6 build 8804) 2
Total imports 185
19 (8034) 9
C++ objects (VS98 build 8168) 4
Resource objects (VS98 SP6 cvtres build 1736) 1

Errors