60bdd4902b48e69b25eeee4df19ad417

Summary

Architecture IMAGE_FILE_MACHINE_I386
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date 2019-Jan-30 17:36:27
TLS Callbacks 2 callback(s) detected.
Debug artifacts Embedded COFF debugging symbols

Plugin Output

Suspicious The PE is possibly packed. Unusual section name found: .eh_fram
Info The PE contains common functions which appear in legitimate applications. Possibly launches other programs:
  • system
Suspicious The file contains overlay data. 18566 bytes of data starting at offset 0x2b600.
Malicious VirusTotal score: 45/69 (Scanned on 2019-02-08 13:10:38) MicroWorld-eScan: Trojan.Autoruns.GenericKD.31601281
CAT-QuickHeal: Trojan.Multi
McAfee: RDN/Generic.tfr
Cylance: Unsafe
K7GW: Trojan ( 00546bc61 )
K7AntiVirus: Trojan ( 00546bc61 )
TrendMicro: Trojan.Win32.MERETAM.AD
NANO-Antivirus: Trojan.Win32.Trick.fmnxda
Symantec: Trojan.Gen.2
TrendMicro-HouseCall: Trojan.Win32.MERETAM.AD
Avast: Win32:Malware-gen
Kaspersky: Trojan.Win32.Inject.alefz
BitDefender: Trojan.Autoruns.GenericKD.31601281
Paloalto: generic.ml
Tencent: Win32.Trojan.Inject.Wnwn
Ad-Aware: Trojan.Autoruns.GenericKD.31601281
Emsisoft: Trojan.Autoruns.GenericKD.31601281 (B)
Comodo: Malware@#3gqg7pufxo88e
DrWeb: Trojan.Trick.46210
Zillya: Trojan.Inject.Win32.282573
Invincea: heuristic
McAfee-GW-Edition: BehavesLike.Win32.Nymaim.cc
SentinelOne: static engine - malicious
Cyren: W32/Trojan.RREM-4904
Webroot: W32.Trojan.Gen
Antiy-AVL: Trojan/Win32.Inject
Endgame: malicious (high confidence)
Arcabit: Trojan.Autoruns.Generic.D1E23281
ViRobot: Trojan.Win32.Z.Meretam.196230
ZoneAlarm: Trojan.Win32.Inject.alefz
Microsoft: Trojan:Win32/Trickbot.V
Sophos: Troj/Trikbot-CI
AhnLab-V3: Malware/Gen.Generic.C2985594
VBA32: BScope.Trojan.Click
ALYac: Trojan.Trickster.Gen
MAX: malware (ai score=99)
Malwarebytes: Trojan.TrickBot
ESET-NOD32: Win32/TrickBot.BN
Ikarus: Trojan-Banker.TrickBot
Fortinet: W32/PossibleThreat
AVG: Win32:Malware-gen
Cybereason: malicious.b904ef
Panda: Trj/GdSda.A
CrowdStrike: malicious_confidence_100% (W)
Qihoo-360: HEUR/QVM01.1.EC6F.Malware.Gen

Hashes

MD5 60bdd4902b48e69b25eeee4df19ad417
SHA1 2848018b904ef4faa2dabbb47c3816c3fb051d46
SHA256 4bbc55814ecf0878d938071a8c8eb9d1e28d4b54eb4172de60403436590fd2c9
SHA3 b1c8cfa4204a914879f0540ff3ef7c05847203c3bebf8dc49689c98751a4aa2f
SSDeep 3072:Z+gDsLmB3tO3fcOfXUmdDPEilXg+tLpGXXYtTe/IMm4I4mqrqwxWjA3t:Qkmg3tO1XJdvxgGpGXSewM/IcxHd
Imports Hash 1d642e450b189ba1bfa339ffaf69e6b1

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0x80

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_I386
NumberofSections 8
TimeDateStamp 2019-Jan-30 17:36:27
PointerToSymbolTable 0x2b600
NumberOfSymbols 849
SizeOfOptionalHeader 0xe0
Characteristics IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DEBUG_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_RELOCS_STRIPPED

Image Optional Header

Magic PE32
LinkerVersion 2.0
SizeOfCode 0x1a00
SizeOfInitializedData 0x2b200
SizeOfUninitializedData 0x200
AddressOfEntryPoint 0x000012A0 (Section: .text)
BaseOfCode 0x1000
BaseOfData 0x3000
ImageBase 0x400000
SectionAlignment 0x1000
FileAlignment 0x200
OperatingSystemVersion 4.0
ImageVersion 1.0
SubsystemVersion 4.0
Win32VersionValue 0
SizeOfImage 0x31000
SizeOfHeaders 0x400
Checksum 0x39d68
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
SizeofStackReserve 0x200000
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

.text

MD5 921467630f82d1b4593f9fd85565de44
SHA1 b1f9ad79459218b1f4b69773d099fcc30b91702d
SHA256 70099b51beb093e069788dc023ebc33cada7e6665b5436c27c359e80d17eb203
SHA3 534f41f88295355e65958f29ec7fbbb95050133925e09545c4613ce49e9ad0d4
VirtualSize 0x1880
VirtualAddress 0x1000
SizeOfRawData 0x1a00
PointerToRawData 0x400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_ALIGN_1024BYTES
IMAGE_SCN_ALIGN_16BYTES
IMAGE_SCN_ALIGN_1BYTES
IMAGE_SCN_ALIGN_2048BYTES
IMAGE_SCN_ALIGN_256BYTES
IMAGE_SCN_ALIGN_32BYTES
IMAGE_SCN_ALIGN_4096BYTES
IMAGE_SCN_ALIGN_4BYTES
IMAGE_SCN_ALIGN_64BYTES
IMAGE_SCN_ALIGN_8192BYTES
IMAGE_SCN_ALIGN_8BYTES
IMAGE_SCN_ALIGN_MASK
IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
Entropy 5.56332

.data

MD5 f1e15284767bfbd652a35e2017975159
SHA1 e3bc0a5e8ff5d24f467b0387970d57b5fff728c2
SHA256 5646cd8a90fc150c7a2264f2d274031c56508d9217cba0c7c3611b55904f65f3
SHA3 6db593e61e15723e6900b49dbd5366991bc176149afcdd6592835451ba32ebec
VirtualSize 0x27f30
VirtualAddress 0x3000
SizeOfRawData 0x28000
PointerToRawData 0x1e00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_ALIGN_1024BYTES
IMAGE_SCN_ALIGN_16BYTES
IMAGE_SCN_ALIGN_2048BYTES
IMAGE_SCN_ALIGN_2BYTES
IMAGE_SCN_ALIGN_32BYTES
IMAGE_SCN_ALIGN_4096BYTES
IMAGE_SCN_ALIGN_4BYTES
IMAGE_SCN_ALIGN_512BYTES
IMAGE_SCN_ALIGN_64BYTES
IMAGE_SCN_ALIGN_8192BYTES
IMAGE_SCN_ALIGN_8BYTES
IMAGE_SCN_ALIGN_MASK
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 7.99837

.rdata

MD5 c42d7c093b82ee9e268ccbceb7c73d33
SHA1 6e8ed44125ce210e4c8f06ed6bb25f672b8a2d22
SHA256 ff0e44bd2564897ed67b7b3828c1b99b09060fa1f4eecee3e51b86d24af20667
SHA3 094ecf64b90678b77cf31f79c72e5691556654aa8381759e3fc7a1d681c2b674
VirtualSize 0x730
VirtualAddress 0x2b000
SizeOfRawData 0x800
PointerToRawData 0x29e00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_ALIGN_1024BYTES
IMAGE_SCN_ALIGN_16BYTES
IMAGE_SCN_ALIGN_1BYTES
IMAGE_SCN_ALIGN_256BYTES
IMAGE_SCN_ALIGN_2BYTES
IMAGE_SCN_ALIGN_32BYTES
IMAGE_SCN_ALIGN_4096BYTES
IMAGE_SCN_ALIGN_4BYTES
IMAGE_SCN_ALIGN_512BYTES
IMAGE_SCN_ALIGN_64BYTES
IMAGE_SCN_ALIGN_8192BYTES
IMAGE_SCN_ALIGN_MASK
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 4.8094

.eh_fram

MD5 4b2c1c1725f22c886fd070ad590dfeb5
SHA1 6b39aa2a429cba34e2a079ebd57333064a969f46
SHA256 29d193aa263e3b068272665806d98f7a4e4a1accab2196014606087fd525739a
SHA3 2fcc143bdf1a42952d8058c056cf15b1408270cd60f2d42aef24403faa540644
VirtualSize 0x4cc
VirtualAddress 0x2c000
SizeOfRawData 0x600
PointerToRawData 0x2a600
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_ALIGN_1024BYTES
IMAGE_SCN_ALIGN_16BYTES
IMAGE_SCN_ALIGN_1BYTES
IMAGE_SCN_ALIGN_256BYTES
IMAGE_SCN_ALIGN_2BYTES
IMAGE_SCN_ALIGN_32BYTES
IMAGE_SCN_ALIGN_4096BYTES
IMAGE_SCN_ALIGN_4BYTES
IMAGE_SCN_ALIGN_512BYTES
IMAGE_SCN_ALIGN_64BYTES
IMAGE_SCN_ALIGN_8192BYTES
IMAGE_SCN_ALIGN_MASK
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 3.93538

.bss

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA3 a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a
VirtualSize 0x138
VirtualAddress 0x2d000
SizeOfRawData 0
PointerToRawData 0
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_ALIGN_1024BYTES
IMAGE_SCN_ALIGN_16BYTES
IMAGE_SCN_ALIGN_2048BYTES
IMAGE_SCN_ALIGN_2BYTES
IMAGE_SCN_ALIGN_32BYTES
IMAGE_SCN_ALIGN_4096BYTES
IMAGE_SCN_ALIGN_4BYTES
IMAGE_SCN_ALIGN_512BYTES
IMAGE_SCN_ALIGN_64BYTES
IMAGE_SCN_ALIGN_8192BYTES
IMAGE_SCN_ALIGN_8BYTES
IMAGE_SCN_ALIGN_MASK
IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata

MD5 2b585e735dacc843cf563286fd0a9e96
SHA1 368087799af466059b3b4fca02abb8617906a2ec
SHA256 c61f7f76a933e7afdc3ff37965ac1252f9327bf80717994998da4d58ddd1ac14
SHA3 c58f962e12a028d4677607152c5b4163b91778d9655142140056d27d03c90f66
VirtualSize 0x53c
VirtualAddress 0x2e000
SizeOfRawData 0x600
PointerToRawData 0x2ac00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_ALIGN_1024BYTES
IMAGE_SCN_ALIGN_16BYTES
IMAGE_SCN_ALIGN_1BYTES
IMAGE_SCN_ALIGN_256BYTES
IMAGE_SCN_ALIGN_2BYTES
IMAGE_SCN_ALIGN_32BYTES
IMAGE_SCN_ALIGN_4096BYTES
IMAGE_SCN_ALIGN_4BYTES
IMAGE_SCN_ALIGN_512BYTES
IMAGE_SCN_ALIGN_64BYTES
IMAGE_SCN_ALIGN_8192BYTES
IMAGE_SCN_ALIGN_MASK
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 4.43839

.CRT

MD5 f88697431a1cbef9cf1aa0625f2020dc
SHA1 06219b216d8e4296ed7c3e3d00580b4058f53f7c
SHA256 f363843f7c3363db5b880b85bc09909cbf2d7fe6a170aab56c2d2b0309ae12d7
SHA3 f8ead03112f093dfcda2005ebcccbb4bd08375c4f616aca0c0dbd11304d048eb
VirtualSize 0x18
VirtualAddress 0x2f000
SizeOfRawData 0x200
PointerToRawData 0x2b200
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_ALIGN_1024BYTES
IMAGE_SCN_ALIGN_16BYTES
IMAGE_SCN_ALIGN_1BYTES
IMAGE_SCN_ALIGN_256BYTES
IMAGE_SCN_ALIGN_2BYTES
IMAGE_SCN_ALIGN_32BYTES
IMAGE_SCN_ALIGN_4096BYTES
IMAGE_SCN_ALIGN_4BYTES
IMAGE_SCN_ALIGN_512BYTES
IMAGE_SCN_ALIGN_64BYTES
IMAGE_SCN_ALIGN_8192BYTES
IMAGE_SCN_ALIGN_MASK
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 0.114463

.tls

MD5 78e8753ba328f4cd65d3eee14914710f
SHA1 2396f717abb223fca26840cfd2c00bb9d31def59
SHA256 8acae62c3c2982b48b7fee17b87d3c313eeb4b5b082129c8ba0ff9632714ab4a
SHA3 324ea38dcbffb6506d15dd71697d614638438ff8ca8344961871c595552cd37c
VirtualSize 0x20
VirtualAddress 0x30000
SizeOfRawData 0x200
PointerToRawData 0x2b400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_ALIGN_1024BYTES
IMAGE_SCN_ALIGN_16BYTES
IMAGE_SCN_ALIGN_1BYTES
IMAGE_SCN_ALIGN_256BYTES
IMAGE_SCN_ALIGN_2BYTES
IMAGE_SCN_ALIGN_32BYTES
IMAGE_SCN_ALIGN_4096BYTES
IMAGE_SCN_ALIGN_4BYTES
IMAGE_SCN_ALIGN_512BYTES
IMAGE_SCN_ALIGN_64BYTES
IMAGE_SCN_ALIGN_8192BYTES
IMAGE_SCN_ALIGN_MASK
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 0.195869

Imports

KERNEL32.dll DeleteCriticalSection
EnterCriticalSection
ExitProcess
GetLastError
GetModuleHandleA
GetProcAddress
InitializeCriticalSection
LeaveCriticalSection
SetUnhandledExceptionFilter
TlsGetValue
VirtualProtect
VirtualQuery
msvcrt.dll _access
_getch
_stricmp
msvcrt.dll (#2) _access
_getch
_stricmp
USER32.dll MessageBoxA

Delayed Imports

Version Info

TLS Callbacks

StartAddressOfRawData 0x430019
EndAddressOfRawData 0x43001c
AddressOfIndex 0x42d02c
AddressOfCallbacks 0x42f004
SizeOfZeroFill 0
Characteristics IMAGE_SCN_TYPE_REG
Callbacks 0x00401F60
0x00401F10

Load Configuration

RICH Header

Errors

[*] Warning: COFF symbol's section number is bigger than the number of sections! [*] Warning: COFF symbol's section number is bigger than the number of sections! [*] Warning: COFF symbol's section number is bigger than the number of sections! [*] Warning: COFF symbol's section number is bigger than the number of sections! [*] Warning: COFF symbol's section number is bigger than the number of sections! [*] Warning: COFF symbol's section number is bigger than the number of sections! [*] Warning: COFF symbol's section number is bigger than the number of sections! [*] Warning: COFF symbol's section number is bigger than the number of sections! [*] Warning: COFF symbol's section number is bigger than the number of sections! [*] Warning: COFF symbol's section number is bigger than the number of sections! [*] Warning: COFF symbol's section number is bigger than the number of sections! [*] Warning: COFF symbol's section number is bigger than the number of sections! [*] Warning: COFF symbol's section number is bigger than the number of sections! [*] Warning: COFF symbol's section number is bigger than the number of sections! [*] Warning: COFF symbol's section number is bigger than the number of sections! [*] Warning: COFF symbol's section number is bigger than the number of sections! [*] Warning: COFF symbol's section number is bigger than the number of sections! [*] Warning: COFF symbol's section number is bigger than the number of sections! [*] Warning: COFF symbol's section number is bigger than the number of sections! [*] Warning: COFF symbol's section number is bigger than the number of sections! [*] Warning: COFF symbol's section number is bigger than the number of sections! [*] Warning: COFF symbol's section number is bigger than the number of sections! [*] Warning: COFF symbol's section number is bigger than the number of sections! [*] Warning: COFF symbol's section number is bigger than the number of sections! [*] Warning: COFF symbol's section number is bigger than the number of sections! [*] Warning: COFF symbol's section number is bigger than the number of sections! [*] Warning: COFF symbol's section number is bigger than the number of sections! [*] Warning: COFF symbol's section number is bigger than the number of sections! [*] Warning: COFF symbol's section number is bigger than the number of sections! [*] Warning: COFF symbol's section number is bigger than the number of sections! [*] Warning: COFF symbol's section number is bigger than the number of sections! [*] Warning: COFF symbol's section number is bigger than the number of sections! [*] Warning: COFF symbol's section number is bigger than the number of sections! [*] Warning: COFF symbol's section number is bigger than the number of sections! [*] Warning: COFF symbol's section number is bigger than the number of sections! [*] Warning: COFF symbol's section number is bigger than the number of sections! [*] Warning: COFF symbol's section number is bigger than the number of sections! [*] Warning: COFF symbol's section number is bigger than the number of sections! [*] Warning: COFF symbol's section number is bigger than the number of sections! [*] Warning: COFF symbol's section number is bigger than the number of sections! [*] Warning: COFF symbol's section number is bigger than the number of sections! [*] Warning: COFF symbol's section number is bigger than the number of sections! [*] Warning: COFF symbol's section number is bigger than the number of sections! [*] Warning: COFF symbol's section number is bigger than the number of sections! [*] Warning: COFF symbol's section number is bigger than the number of sections! [*] Warning: COFF symbol's section number is bigger than the number of sections! [*] Warning: COFF symbol's section number is bigger than the number of sections! [*] Warning: COFF symbol's section number is bigger than the number of sections! [*] Warning: COFF symbol's section number is bigger than the number of sections! [*] Warning: COFF symbol's section number is bigger than the number of sections! [*] Warning: COFF symbol's section number is bigger than the number of sections! [*] Warning: COFF symbol's section number is bigger than the number of sections! [*] Warning: COFF String Table's reported size is bigger than the remaining bytes! [*] Warning: Section .bss has a size of 0!