Architecture | IMAGE_FILE_MACHINE_I386
Subsystem | IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date | 2019-Jan-30 17:36:27
TLS Callbacks | 2 callback(s) detected.
Debug artifacts | Embedded COFF debugging symbols
Info | The PE contains common functions which appear in legitimate applications. | Possibly launches other programs:
Suspicious | The file contains overlay data. | 18566 bytes of data starting at offset 0x2b600.
Malicious | VirusTotal score: 60/73 (Scanned on 2019-12-26 20:08:52) |
Bkav: HW32.Packed.
DrWeb: Trojan.Trick.46210
MicroWorld-eScan: Trojan.Autoruns.GenericKD.31601281
FireEye: Generic.mg.60bdd4902b48e69b
CAT-QuickHeal: Trojan.Multi
McAfee: Trojan-FQGT!60BDD4902B48
Cylance: Unsafe
VIPRE: Trojan.Win32.Generic!BT
K7AntiVirus: Trojan ( 00546bc61 )
Alibaba: Trojan:Win32/Trickbot.8ab883d7
K7GW: Trojan ( 00546bc61 )
Cybereason: malicious.02b48e
Invincea: heuristic
BitDefenderTheta: Gen:NN.ZexaF.33558.lGY@au@o7Wp
Symantec: Trojan.Gen.2
ESET-NOD32: Win32/TrickBot.BN
TrendMicro-HouseCall: Trojan.Win32.MERETAM.AD
Avast: Win32:Malware-gen
Kaspersky: Trojan.Win32.Inject.alefz
BitDefender: Trojan.Autoruns.GenericKD.31601281
NANO-Antivirus: Trojan.Win32.Trick.fmnxda
Paloalto: generic.ml
ViRobot: Trojan.Win32.Trickbot.196230
Endgame: malicious (high confidence)
Sophos: Troj/Trikbot-CI
Comodo: Malware@#3gqg7pufxo88e
F-Secure: Trojan.TR/Dropper.Gen
Zillya: Trojan.Inject.Win32.282573
TrendMicro: Trojan.Win32.MERETAM.AD
McAfee-GW-Edition: BehavesLike.Win32.Ardurk.cc
Fortinet: W32/TrickBot.D417!tr
Emsisoft: Trojan.Autoruns.GenericKD.31601281 (B)
Ikarus: Trojan-Banker.TrickBot
Cyren: W32/Trojan.RREM-4904
Jiangmin: Trojan.Inject.aqzd
Webroot: W32.Trojan.Gen
Avira: TR/Dropper.Gen
MAX: malware (ai score=99)
Antiy-AVL: Trojan/Win32.Inject
Arcabit: Trojan.Autoruns.Generic.D1E23281
AegisLab: Trojan.Win32.Inject.4!c
ZoneAlarm: Trojan.Win32.Inject.alefz
Microsoft: Trojan:Win32/Trickbot.V
AhnLab-V3: Malware/Gen.Generic.C2985594
Acronis: suspicious
VBA32: Trojan.Trick
ALYac: Trojan.Trickster.Gen
Ad-Aware: Trojan.Autoruns.GenericKD.31601281
Malwarebytes: Trojan.TrickBot
APEX: Malicious
Rising: Trojan.Generic@ML.91 (RDMK:ChHhADcp3qlCsbPF7G28/w)
Yandex: Trojan.Inject!rL3MzuGzHCg
SentinelOne: DFI - Malicious PE
eGambit: Unsafe.AI_Score_89%
GData: Trojan.Autoruns.GenericKD.31601281
MaxSecure: Trojan.Malware.74102624.susgen
AVG: Win32:Malware-gen
Panda: Trj/GdSda.A
CrowdStrike: win/malicious_confidence_100% (W)
Qihoo-360: HEUR/QVM01.1.EC6F.Malware.Gen

MD5 | 60bdd4902b48e69b25eeee4df19ad417
SHA1 | 2848018b904ef4faa2dabbb47c3816c3fb051d46
SHA256 | 4bbc55814ecf0878d938071a8c8eb9d1e28d4b54eb4172de60403436590fd2c9
SHA3 | b1c8cfa4204a914879f0540ff3ef7c05847203c3bebf8dc49689c98751a4aa2f
SSDeep | 3072:Z+gDsLmB3tO3fcOfXUmdDPEilXg+tLpGXXYtTe/IMm4I4mqrqwxWjA3t:Qkmg3tO1XJdvxgGpGXSewM/IcxHd
Imports Hash | 1d642e450b189ba1bfa339ffaf69e6b1

e_magic | MZ
e_cblp | 0x90
e_cp | 0x3
e_crlc | 0
e_cparhdr | 0x4
e_minalloc | 0
e_maxalloc | 0xffff
e_ss | 0
e_sp | 0xb8
e_csum | 0
e_ip | 0
e_cs | 0
e_ovno | 0
e_oemid | 0
e_oeminfo | 0
e_lfanew | 0x80

Signature | PE
Machine | IMAGE_FILE_MACHINE_I386
NumberOfSections | 8
TimeDateStamp | 2019-Jan-30 17:36:27
PointerToSymbolTable | 0x2b600
NumberOfSymbols | 849
SizeOfOptionalHeader | 0xe0
Characteristics | IMAGE_FILE_32BIT_MACHINE, IMAGE_FILE_DEBUG_STRIPPED, IMAGE_FILE_EXECUTABLE_IMAGE, IMAGE_FILE_LINE_NUMS_STRIPPED, IMAGE_FILE_RELOCS_STRIPPED

Magic | PE32
LinkerVersion | 2.0
SizeOfCode | 0x1a00
SizeOfInitializedData | 0x2b200
SizeOfUninitializedData | 0x200
AddressOfEntryPoint | 0x000012A0 (Section: .text)
BaseOfCode | 0x1000
BaseOfData | 0x3000
ImageBase | 0x400000
SectionAlignment | 0x1000
FileAlignment | 0x200
OperatingSystemVersion | 4.0
ImageVersion | 1.0
SubsystemVersion | 4.0
Win32VersionValue | 0
SizeOfImage | 0x31000
SizeOfHeaders | 0x400
Checksum | 0x39d68
Subsystem | IMAGE_SUBSYSTEM_WINDOWS_GUI
SizeOfStackReserve | 0x200000
SizeOfStackCommit | 0x1000
SizeOfHeapReserve | 0x100000
SizeOfHeapCommit | 0x1000
LoaderFlags | 0
NumberOfRvaAndSizes | 16

MD5 | 921467630f82d1b4593f9fd85565de44
SHA1 | b1f9ad79459218b1f4b69773d099fcc30b91702d
SHA256 | 70099b51beb093e069788dc023ebc33cada7e6665b5436c27c359e80d17eb203
SHA3 | 534f41f88295355e65958f29ec7fbbb95050133925e09545c4613ce49e9ad0d4
VirtualSize | 0x1880
VirtualAddress | 0x1000
SizeOfRawData | 0x1a00
PointerToRawData | 0x400
PointerToRelocations | 0
PointerToLineNumbers | 0
NumberOfLineNumbers | 0
NumberOfRelocations | 0
Characteristics | IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Entropy | 5.56332

MD5 | f1e15284767bfbd652a35e2017975159
SHA1 | e3bc0a5e8ff5d24f467b0387970d57b5fff728c2
SHA256 | 5646cd8a90fc150c7a2264f2d274031c56508d9217cba0c7c3611b55904f65f3
SHA3 | 6db593e61e15723e6900b49dbd5366991bc176149afcdd6592835451ba32ebec
VirtualSize | 0x27f30
VirtualAddress | 0x3000
SizeOfRawData | 0x28000
PointerToRawData | 0x1e00
PointerToRelocations | 0
PointerToLineNumbers | 0
NumberOfLineNumbers | 0
NumberOfRelocations | 0
Characteristics | IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Entropy | 7.99837

MD5 | c42d7c093b82ee9e268ccbceb7c73d33
SHA1 | 6e8ed44125ce210e4c8f06ed6bb25f672b8a2d22
SHA256 | ff0e44bd2564897ed67b7b3828c1b99b09060fa1f4eecee3e51b86d24af20667
SHA3 | 094ecf64b90678b77cf31f79c72e5691556654aa8381759e3fc7a1d681c2b674
VirtualSize | 0x730
VirtualAddress | 0x2b000
SizeOfRawData | 0x800
PointerToRawData | 0x29e00
PointerToRelocations | 0
PointerToLineNumbers | 0
NumberOfLineNumbers | 0
NumberOfRelocations | 0
Characteristics | IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Entropy | 4.8094

MD5 | 4b2c1c1725f22c886fd070ad590dfeb5
SHA1 | 6b39aa2a429cba34e2a079ebd57333064a969f46
SHA256 | 29d193aa263e3b068272665806d98f7a4e4a1accab2196014606087fd525739a
SHA3 | 2fcc143bdf1a42952d8058c056cf15b1408270cd60f2d42aef24403faa540644
VirtualSize | 0x4cc
VirtualAddress | 0x2c000
SizeOfRawData | 0x600
PointerToRawData | 0x2a600
PointerToRelocations | 0
PointerToLineNumbers | 0
NumberOfLineNumbers | 0
NumberOfRelocations | 0
Characteristics | IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Entropy | 3.93538

MD5 | d41d8cd98f00b204e9800998ecf8427e
SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA3 | a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a
VirtualSize | 0x138
VirtualAddress | 0x2d000
SizeOfRawData | 0
PointerToRawData | 0
PointerToRelocations | 0
PointerToLineNumbers | 0
NumberOfLineNumbers | 0
NumberOfRelocations | 0
Characteristics | IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

MD5 | 2b585e735dacc843cf563286fd0a9e96
SHA1 | 368087799af466059b3b4fca02abb8617906a2ec
SHA256 | c61f7f76a933e7afdc3ff37965ac1252f9327bf80717994998da4d58ddd1ac14
SHA3 | c58f962e12a028d4677607152c5b4163b91778d9655142140056d27d03c90f66
VirtualSize | 0x53c
VirtualAddress | 0x2e000
SizeOfRawData | 0x600
PointerToRawData | 0x2ac00
PointerToRelocations | 0
PointerToLineNumbers | 0
NumberOfLineNumbers | 0
NumberOfRelocations | 0
Characteristics | IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Entropy | 4.43839

MD5 | f88697431a1cbef9cf1aa0625f2020dc
SHA1 | 06219b216d8e4296ed7c3e3d00580b4058f53f7c
SHA256 | f363843f7c3363db5b880b85bc09909cbf2d7fe6a170aab56c2d2b0309ae12d7
SHA3 | f8ead03112f093dfcda2005ebcccbb4bd08375c4f616aca0c0dbd11304d048eb
VirtualSize | 0x18
VirtualAddress | 0x2f000
SizeOfRawData | 0x200
PointerToRawData | 0x2b200
PointerToRelocations | 0
PointerToLineNumbers | 0
NumberOfLineNumbers | 0
NumberOfRelocations | 0
Characteristics | IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Entropy | 0.114463

MD5 | 78e8753ba328f4cd65d3eee14914710f
SHA1 | 2396f717abb223fca26840cfd2c00bb9d31def59
SHA256 | 8acae62c3c2982b48b7fee17b87d3c313eeb4b5b082129c8ba0ff9632714ab4a
SHA3 | 324ea38dcbffb6506d15dd71697d614638438ff8ca8344961871c595552cd37c
VirtualSize | 0x20
VirtualAddress | 0x30000
SizeOfRawData | 0x200
PointerToRawData | 0x2b400
PointerToRelocations | 0
PointerToLineNumbers | 0
NumberOfLineNumbers | 0
NumberOfRelocations | 0
Characteristics | IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Entropy | 0.195869

KERNEL32.dll | DeleteCriticalSection, EnterCriticalSection, ExitProcess, GetLastError, GetModuleHandleA, GetProcAddress, InitializeCriticalSection, LeaveCriticalSection, SetUnhandledExceptionFilter, TlsGetValue, VirtualProtect, VirtualQuery
msvcrt.dll | _access, _getch, _stricmp
msvcrt.dll (#2) | _access, _getch, _stricmp
USER32.dll | MessageBoxA

StartAddressOfRawData | 0x430019
EndAddressOfRawData | 0x43001c
AddressOfIndex | 0x42d02c
AddressOfCallbacks | 0x42f004
SizeOfZeroFill | 0
Characteristics | IMAGE_SCN_TYPE_REG
Callbacks | 0x00401F60, 0x00401F10

[*] Warning: COFF symbol's section number is bigger than the number of sections!
[*] Warning: COFF String Table's reported size is bigger than the remaining bytes!
[*] Warning: Section .bss has a size of 0!