61ca45f29f1f37a222817599be632f0a

Summary

Architecture IMAGE_FILE_MACHINE_I386
Subsystem IMAGE_SUBSYSTEM_WINDOWS_CUI
Compilation Date 2011-Mar-22 15:34:39
Detected languages Chinese - PRC
CompanyName Sogou.com Inc.
FileDescription 搜狗拼音输入法 语言栏支持
FileVersion 5.0.0.3787
InternalName SogouPY SogouTSF
LegalCopyright © 2010 Sogou.com Inc. All rights reserved.
OriginalFilename SogouTSF.dll
ProductName 搜狗拼音输入法
ProductVersion 5.0.0.3787

Plugin Output

Info Matching compiler(s): Microsoft Visual C++ 6.0 DLL (Debug)
Microsoft Visual C++ 6.0 DLL
Suspicious Strings found in the binary may indicate undesirable behavior: Tries to detect virtualized environments:
  • HARDWARE\DESCRIPTION\System
May have dropper capabilities:
  • CurrentControlSet\Services
Contains domain names:
  • Sogou.com
Malicious The PE contains functions mostly used by malware. [!] The program may be hiding some of its imports:
  • LoadLibraryA
  • GetProcAddress
Functions which can be used for anti-debugging purposes:
  • CreateToolhelp32Snapshot
Can access the registry:
  • RegCloseKey
  • RegCreateKeyExA
  • RegOpenKeyA
  • RegOpenKeyExA
  • RegQueryValueExA
  • RegSaveKeyA
  • RegRestoreKeyA
  • RegSetValueExA
  • RegDeleteKeyA
Possibly launches other programs:
  • CreateProcessA
Leverages the raw socket API to access the Internet:
  • WSAIoctl
  • #116
  • #9
  • #52
  • #23
  • #16
  • #18
  • #3
  • #19
  • #11
  • #4
  • #20
  • WSASocketA
  • #8
  • #6
  • #115
  • #21
Functions related to the privilege level:
  • AdjustTokenPrivileges
  • OpenProcessToken
Interacts with services:
  • CreateServiceA
  • OpenSCManagerA
  • OpenServiceA
  • DeleteService
Manipulates other processes:
  • Process32Next
  • Process32First
Suspicious The file contains overlay data. 3639296 bytes of data starting at offset 0x10000.
The overlay data has an entropy of 7.95103 and is possibly compressed or encrypted.
Overlay data accounts for 98.2311% of the executable.
Malicious VirusTotal score: 54/65 (Scanned on 2020-09-20 09:05:13)
Bkav: W32.OnGamesLTLIBMSI.Trojan
Elastic: malicious (high confidence)
MicroWorld-eScan: Gen:Variant.Barys.62
CAT-QuickHeal: Backdoor.Farfli.O
McAfee: BackDoor-DVB.x
Zillya: Trojan.Farfli.Win32.11233
Sangfor: Malware
K7AntiVirus: Riskware ( 0015e4f01 )
K7GW: Riskware ( 0015e4f01 )
CrowdStrike: win/malicious_confidence_100% (D)
TrendMicro: TROJ_SPNR.15A512
Baidu: Win32.Backdoor.DarkAngle.a
Cyren: W32/Backdoor.Q.gen!Eldorado
Symantec: SMG.Heur!gen
ESET-NOD32: Win32/Farfli.DV
APEX: Malicious
Cynet: Malicious (score: 100)
Kaspersky: Trojan-GameThief.Win32.Magania.tzqn
BitDefender: Gen:Variant.Barys.62
NANO-Antivirus: Trojan.Win32.Farfli.bygrf
ViRobot: Trojan.Win32.PSW-Magania.65536
Avast: Win32:Downloader-UAD [Trj]
Rising: Backdoor.Farfli!1.64A3 (CLASSIC)
Ad-Aware: Gen:Variant.Barys.62
Comodo: TrojWare.Win32.Farfli.~brk@4k8xkk
F-Secure: Trojan.TR/Spy.Gen
DrWeb: Trojan.DownLoader4.50045
VIPRE: Backdoor.Win32.Farfli.k.dll (v)
Invincea: ML/PE-A + Troj/Farfli-Gen
FireEye: Generic.mg.61ca45f29f1f37a2
Sophos: Troj/Farfli-Gen
Ikarus: Trojan-GameThief.Win32.Magania
Jiangmin: Trojan/PSW.Magania.autl
Avira: TR/Spy.Gen
Antiy-AVL: Trojan[GameThief]/Win32.Magania
Microsoft: Backdoor:Win32/Farfli.O
Arcabit: Trojan.Barys.62
ZoneAlarm: Trojan-GameThief.Win32.Magania.tzqn
GData: Gen:Variant.Barys.62
AhnLab-V3: Win-Trojan/Onlinegamehack.10923008
VBA32: BScope.Trojan.Downloader
ALYac: Gen:Variant.Barys.62
MAX: malware (ai score=84)
Cylance: Unsafe
TrendMicro-HouseCall: TROJ_SPNR.15A512
Tencent: backdoor.win32.gh0st.ay
Yandex: Trojan.PWS.Magania!MO5/EUv2lzM
SentinelOne: DFI - Malicious PE
eGambit: Unsafe.AI_Score_99%
Fortinet: W32/Magania.EKEN!tr
BitDefenderTheta: Gen:NN.ZedlaF.34254.Ix@@aKMfKOdb
AVG: Win32:Downloader-UAD [Trj]
Panda: Trj/lineage.HINW
Qihoo-360: Backdoor.Win32.Gh0st.BG

Hashes

MD5 61ca45f29f1f37a222817599be632f0a
SHA1 2bea4b35aa6522e9ff49cb5d8a08085a8d355366
SHA256 64999d79878fed54534fca799eccdaa86d6647f83eaec927bd2184188ee70ff5
SHA3 12017eb13c7c987164199e98e3888e2d406366379904c13f81d70cd1e2763c34
SSDeep 1536:uTtLcWyeYd4//yEZc1GJf7/QP4uirySj5N:uZTvnyEZiGJ7/QguiryS5N
Imports Hash edaa1f25dda6b1ef76657affe12db951

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0x108

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_I386
NumberofSections 5
TimeDateStamp 2011-Mar-22 15:34:39
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xe0
Characteristics IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED

Image Optional Header

Magic PE32
LinkerVersion 6.0
SizeOfCode 0xac00
SizeOfInitializedData 0x5800
SizeOfUninitializedData 0
AddressOfEntryPoint 0x0000B9A3 (Section: .text)
BaseOfCode 0x1000
BaseOfData 0xc000
ImageBase 0x10000000
SectionAlignment 0x1000
FileAlignment 0x200
OperatingSystemVersion 4.0
ImageVersion 0.0
SubsystemVersion 4.0
Win32VersionValue 0
SizeOfImage 0x13000
SizeOfHeaders 0x400
Checksum 0
Subsystem IMAGE_SUBSYSTEM_WINDOWS_CUI
SizeofStackReserve 0x100000
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

.text

MD5 c717527fa73d21059748cc178628dc37
SHA1 37d7d49838f59db650b4fdd55f43b90be59446f2
SHA256 e6a8a41d1a128d0bb578187db7544c427941c9a4eac07ba83b69111a190a5631
SHA3 ddc2946eb4505c2eef376aad48443a647cf6e0b3b5cdbe91f021c7e9b355cd5f
VirtualSize 0xab30
VirtualAddress 0x1000
SizeOfRawData 0xac00
PointerToRawData 0x400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
Entropy 6.43064

.rdata

MD5 c15aa553db9a4966096910f155c0cb03
SHA1 d878b158a08acd424e2d9aec90e206f08c1e72a8
SHA256 5d9abcefc38a9cacdf88d466fccf68040f4a8aef5bac04988b23eab1877304ea
SHA3 d431d7bb8ab3aad8fd9770db7c54dbe33be2b8aa192971f145395020706649a0
VirtualSize 0x1d5c
VirtualAddress 0xc000
SizeOfRawData 0x1e00
PointerToRawData 0xb000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 4.97031

.data

MD5 6f6e4f79e28328f044aea1fae26fac3c
SHA1 a8f2be0e96b316cd4cdf9328d37f3fdc41d05c86
SHA256 5384fd052e305e5aeb0296ec83d027530093f9ba504821aa4971dcf85412b0f1
SHA3 9cb55cc3e63add1fc221debf60331c426b711fe68685da27818880f78fb343f7
VirtualSize 0x27f0
VirtualAddress 0xe000
SizeOfRawData 0x2000
PointerToRawData 0xce00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 4.07111

.rsrc

MD5 5d257eb79b530f2be85d5aeef9c7b714
SHA1 f77ea718a0684d3070a58f516d7fe6ab019acc60
SHA256 9ce687389f4444ca35cd5eaa963a5bd4982784b69421d817de859e8dd2b8e669
SHA3 318afcf3be3faaca1fc0782409a3d63ab82a1cdc5a938861d8f64b5c7a309823
VirtualSize 0x760
VirtualAddress 0x11000
SizeOfRawData 0x800
PointerToRawData 0xee00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 4.00546

.reloc

MD5 0997c172bb70dafb06dd0d5f220b8ef6
SHA1 b101e5b21ca18127584725fc3d875e1e31f260bf
SHA256 df1ae66a3d747156c00913596a4313eb8814fb627b21c424d3cb8baa257e27db
SHA3 b03cb518f91ff86ba5c005688d4c1cf955b182d8e64ec605da4ecf762d8df346
VirtualSize 0x8fe
VirtualAddress 0x12000
SizeOfRawData 0xa00
PointerToRawData 0xf600
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Entropy 5.56021

Imports

KERNEL32.dll CreateFileA
GlobalMemoryStatus
GetSystemInfo
GetComputerNameA
GetVersionExA
OpenEventA
SetErrorMode
TerminateThread
CreateDirectoryA
GetCurrentProcess
lstrlenA
DeleteFileA
GetWindowsDirectoryA
SetFileAttributesA
lstrcmpiA
CopyFileA
ExpandEnvironmentStringsA
GetModuleFileNameA
ReadFile
CreateProcessA
lstrcpyA
WriteFile
GetSystemDirectoryA
ExitProcess
Process32Next
Process32First
CreateToolhelp32Snapshot
GetProcessHeap
HeapAlloc
GetCurrentProcessId
CreateThread
GetLocalTime
GetTickCount
CancelIo
InterlockedExchange
SetEvent
ResetEvent
GetLastError
WaitForSingleObject
CloseHandle
CreateEventA
VirtualAlloc
Sleep
lstrcatA
GetCurrentThreadId
FreeLibrary
EnterCriticalSection
LeaveCriticalSection
VirtualFree
DeleteCriticalSection
LoadLibraryA
GetProcAddress
SetFilePointer
USER32.dll CloseDesktop
SetThreadDesktop
OpenInputDesktop
GetUserObjectInformationA
GetThreadDesktop
OpenDesktopA
wsprintfA
CreateWindowExA
LoadMenuA
RegisterClassA
LoadCursorA
LoadIconA
GetWindowTextA
MessageBoxA
GDI32.dll GetStockObject
ADVAPI32.dll RegCloseKey
RegisterServiceCtrlHandlerA
SetServiceStatus
RegCreateKeyExA
RegOpenKeyA
RegOpenKeyExA
RegQueryValueExA
ChangeServiceConfig2A
LockServiceDatabase
CreateServiceA
OpenSCManagerA
CloseServiceHandle
OpenServiceA
StartServiceA
AdjustTokenPrivileges
LookupPrivilegeValueA
OpenProcessToken
RegSaveKeyA
RegRestoreKeyA
RegSetValueExA
RegDeleteKeyA
DeleteService
UnlockServiceDatabase
MSVCRT.dll _access
_strrev
_adjust_fdiv
_initterm
??1type_info@@UAE@XZ
free
calloc
malloc
strrchr
srand
_stricmp
wcstombs
atoi
??3@YAXPAX@Z
memmove
putchar
ceil
_ftol
puts
strstr
__CxxFrameHandler
??2@YAPAXI@Z
_CxxThrowException
rand
sprintf
strncpy
_beginthreadex
WS2_32.dll WSAIoctl
#116
#9
#52
#23
#16
#18
#3
#19
#11
#4
#20
WSASocketA
#8
#6
#115
#21

Delayed Imports

EndWork

Ordinal 1
Address 0x3d00

Runing

Ordinal 2
Address 0x3d00

ServiceMain

Ordinal 3
Address 0x3d20

Working

Ordinal 4
Address 0x3d00

103

Type RT_BITMAP
Language Chinese - PRC
Codepage UNKNOWN
Size 0x74
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 1.76448
MD5 5db6d95a25829b968de3993233d63ccc
SHA1 4c511ead177800ba6c6199bd72f6116ab7492c14
SHA256 37e950ab76582ea02ae011077db8b23452ec5a8b2aa3131ac2dba8dfb17aa351
SHA3 48c172921d9c3e5a5a39314ef9d7b7d7098c862f63137b76ff31a14d90aca3e7

102

Type RT_MENU
Language Chinese - PRC
Codepage UNKNOWN
Size 0x12
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 1.94472
MD5 00067feb6f81dcd6320fa75d91cc78f4
SHA1 c1cee2e3274e9de4b959a8d97448949a4a185d93
SHA256 0717dfca923df0beca176f2cb47bdf066cd80d7365dac55184d1a6282bb81b26
SHA3 1c9d99b9ba87c8ff688dfb7a79f92bc304826c4bcf8cce2f64c1c6211007654d

1

Type RT_VERSION
Language Chinese - PRC
Codepage UNKNOWN
Size 0x388
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 3.58883
MD5 f770921d4533250c8684439812b45b21
SHA1 8f5f97f6d72622b76115ebe7d3fbf8db2b671aa2
SHA256 b349c984fb983ab2f310fbdef27efa3f5a69cf9a7dc3859f0c386ec5296b8f6b
SHA3 677f0b3acb5bf1d899a2cb7c1203f3b01713f6e38b9ec3e0f3e88922889fadbd

1 (#2)

Type RT_MANIFEST
Language Chinese - PRC
Codepage UNKNOWN
Size 0x215
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 5.10609
MD5 3094519c13cf5858434d62962a7658c1
SHA1 e86d3c8fd3cc71adc15e9b51ef5b30cc0921e275
SHA256 35b7d03732d6f5834ca165995ac2985880c2ac0c13b0d9c60a23edc9e0ae11e3
SHA3 c25285cdfb3437fd3a50cb85d20168bd9dfd6323b21ab01a448beb356789792e

Version Info

Signature 0xfeef04bd
StructVersion 0x10000
FileVersion 1.0.0.1
ProductVersion 1.0.0.1
FileFlags (EMPTY)
FileOs VOS_DOS_WINDOWS32
VOS_NT
VOS_NT_WINDOWS32
VOS_WINCE
VOS__WINDOWS32
FileType VFT_DLL
Language Chinese - PRC
CompanyName Sogou.com Inc.
FileDescription 搜狗拼音输入法 语言栏支持
FileVersion (#2) 5.0.0.3787
InternalName SogouPY SogouTSF
LegalCopyright © 2010 Sogou.com Inc. All rights reserved.
OriginalFilename SogouTSF.dll
ProductName 搜狗拼音输入法
ProductVersion (#2) 5.0.0.3787
Resource LangID Chinese - PRC

TLS Callbacks

Load Configuration

RICH Header

XOR Key 0x2337e931
Unmarked objects 0
12 (7291) 2
14 (7299) 2
C++ objects (8047) 1
C objects (8047) 4
Linker (8047) 2
C objects (VS98 build 8168) 12
Total imports 138
Imports (VS2003 (.NET) build 4035) 11
Resource objects (VS98 SP6 cvtres build 1736) 1
C++ objects (VS98 SP6 build 8804) 8
Linker (VC++ 6.0 SP5 imp/exp build 8447) 1

Errors
