642c74aa1ecb0fdc4ba774e1add22456

Summary

Architecture IMAGE_FILE_MACHINE_I386
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date 2011-Apr-03 00:50:03
Detected languages English - United States

Plugin Output

Info Matching compiler(s): MASM/TASM - sig2(h)
Suspicious PEiD Signature: FASM 1.5x
FASM v1.5x
Suspicious Strings found in the binary may indicate undesirable behavior: Contains references to system / monitoring tools:
  • sc.exe
Contains another PE executable:
  • This program cannot be run in DOS mode.
Contains domain names:
  • adobe.com
  • apple.com
  • crl.microsoft.com
  • doubleclick.net
  • google.com
  • helpx.adobe.com
  • http://crl.microsoft.com
  • http://crl.microsoft.com/pki/crl/products/CodeSigPCA.crl0M
  • http://crl.microsoft.com/pki/crl/products/MicrosoftTimeStampPCA.crl0X
  • http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl0T
  • http://ns.adobe.com
  • http://ns.adobe.com/xdp/
  • http://support.apple.com
  • http://support.apple.com/zh-TW/downloads/#safari
  • http://windows.microsoft.com
  • http://windows.microsoft.com/zh-tw/internet-explorer/download-ie
  • http://www.microsoft.com
  • http://www.microsoft.com/pki/certs/CodeSigPCA.crt0
  • http://www.microsoft.com/pki/certs/MicrosoftRootCert.crt0
  • http://www.microsoft.com/pki/certs/MicrosoftRootCert.crt0v
  • http://www.microsoft.com/pki/certs/MicrosoftTimeStampPCA.crt0
  • http://www.microsoft.com0
  • http://www.xfa.org
  • http://www.xfa.org/schema/xdc/1.0/
  • https://helpx.adobe.com
  • https://helpx.adobe.com/tw/acrobat-com/kb/supported-file-formats-fill-sign.html
  • https://www.adobe.com
  • https://www.adobe.com/go/fillsigngetstarted_tw
  • https://www.google.com.tw
  • https://www.google.com.tw/intl/zh-TW/chrome/browser/
  • https://www.mozilla.org
  • https://www.mozilla.org/zh-TW/firefox
  • microsoft.com
  • mozilla.org
  • ns.adobe.com
  • support.apple.com
  • windows.microsoft.com
  • www.adobe.com
  • www.google.com
  • www.microsoft.com
  • www.mozilla.org
  • www.xfa.org
Info Cryptographic algorithms detected in the binary: Uses constants related to SHA1
Info The PE contains common functions which appear in legitimate applications. Possibly launches other programs:
  • CreateProcessA
Suspicious The file contains overlay data. 213556 bytes of data starting at offset 0x3400.
Overlay data accounts for 94.1323% of the executable.
Malicious VirusTotal score: 64/73 (Scanned on 2020-07-13 19:50:38)
Bkav: W32.FamVT.LamerBTTc.PE
MicroWorld-eScan: Gen:Trojan.FileInfector.nuZ@a4T!Kcmi
FireEye: Generic.mg.642c74aa1ecb0fdc
CAT-QuickHeal: Trojan.Agent
Qihoo-360: Win32/Virus.FileInfector.A
ALYac: Gen:Trojan.FileInfector.nuZ@a4T!Kcmi
Cylance: Unsafe
VIPRE: Virus.Win32.sivis.a (v)
Sangfor: Malware
K7AntiVirus: Virus ( 004d554e1 )
Alibaba: Virus:Win32/Zatoxp.d65237b2
K7GW: Virus ( 004d554e1 )
CrowdStrike: win/malicious_confidence_100% (W)
Arcabit: Trojan.FileInfector.ED1D1C
TrendMicro: PE_SIVIS_FC18000B.UVPM
Baidu: Win32.Virus.Lamer.g
F-Prot: W32/Lamer.C.gen!Eldorado
Symantec: W32.Suviapen
APEX: Malicious
ClamAV: Win.Malware.Sivis-6838221-0
Kaspersky: Virus.Win32.Lamer.cq
BitDefender: Gen:Trojan.FileInfector.nuZ@a4T!Kcmi
NANO-Antivirus: Virus.Win32.Lamer.zocpe
AegisLab: Virus.Win32.Lamer.tn6d
Tencent: Virus.Win32.Lamer.cq
Ad-Aware: Gen:Trojan.FileInfector.nuZ@a4T!Kcmi
Sophos: Troj/Agent-APCU
Comodo: Backdoor.Win32.Androm.XTA@4z809t
F-Secure: Trojan.TR/Dropper.Gen8
DrWeb: Win32.HLLW.Siggen.4657
Zillya: Adware.AdLoad.Win32.6665
Invincea: heuristic
Fortinet: W32/Sivis.A!tr
Trapmine: malicious.high.ml.score
Emsisoft: Gen:Trojan.FileInfector.nuZ@a4T!Kcmi (B)
SentinelOne: DFI - Malicious PE
Cyren: W32/Lamer.C.gen!Eldorado
Jiangmin: Win32/Lamer.l
Webroot: W32.Infector
Avira: TR/Dropper.Gen8
MAX: malware (ai score=83)
Antiy-AVL: Virus/Win32.Lamer.cq
Endgame: malicious (high confidence)
Microsoft: Virus:Win32/Zatoxp.A
ZoneAlarm: Virus.Win32.Lamer.cq
Cynet: Malicious (score: 100)
AhnLab-V3: Trojan/Win32.FileInfector.C933388
Acronis: suspicious
McAfee: W32/Sivis.gen.a
TACHYON: Trojan/W32.Sivis.Gen
VBA32: Virus.Lamer.cq
Panda: Generic Suspicious
ESET-NOD32: a variant of Win32/Zatoxp.C
TrendMicro-HouseCall: PE_SIVIS_FC18000B.UVPM
Rising: Worm.Lamer!1.A4FA (RDMK:cmRtazrwqL96nJyfz3VGF4p7V0BX)
Yandex: Trojan.Agent!Gvkm4yfNIq8
Ikarus: Virus.Win32.Zatoxp
eGambit: Unsafe.AI_Score_100%
GData: Gen:Trojan.FileInfector.nuZ@a4T!Kcmi
BitDefenderTheta: Gen:NN.ZexaF.34134.nuZ@a4T!Kcmi
AVG: Win32:Lamer-A [Trj]
Cybereason: malicious.a1ecb0
Avast: Win32:Lamer-A [Trj]
MaxSecure: Virus.W32.Lamer.CQ

Hashes

MD5 642c74aa1ecb0fdc4ba774e1add22456
SHA1 21cc067569d503908dab891e5204afde5d7b7a8f
SHA256 3cfa882e86a5037b8c55df10aee396899a25b0c89b6bc39a81a6096ebfbde219
SHA3 1beb5a5387c495fa928a33691c4ee73f3d8b49fdb1de4740717db84583c2a8c5
SSDeep 3072:DO/vVpdr/KeNAG45qvKiW2TQX7yNgLlD9YqMX1B/1V7AohNXO0+6NnFDfh9IOUM9:yJhhAohNXO0+6NnFDf+vmd5gyn++
Imports Hash 33f98db5bdb6a7013d52f0120248df35

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0x80

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_I386
NumberofSections 5
TimeDateStamp 2011-Apr-03 00:50:03
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xe0
Characteristics IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_RELOCS_STRIPPED

Image Optional Header

Magic PE32
LinkerVersion 2.0
SizeOfCode 0x2200
SizeOfInitializedData 0xe00
SizeOfUninitializedData 0
AddressOfEntryPoint 0x00001000 (Section: .code)
BaseOfCode 0x1000
BaseOfData 0x4000
ImageBase 0x400000
SectionAlignment 0x1000
FileAlignment 0x200
OperatingSystemVersion 4.0
ImageVersion 0.0
SubsystemVersion 4.0
Win32VersionValue 0
SizeOfImage 0x7000
SizeOfHeaders 0x400
Checksum 0
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
SizeofStackReserve 0x100000
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

.code

MD5 18d35c6464b20b0004e19244dc553171
SHA1 5ccc1951612e96ce2836521f6cb1623e866cc573
SHA256 c55494eb9a3535ce0529f8d3cb0a9a4d9c008367a0ff9f156efcd4c9cf8e0559
SHA3 9b61808b8f5086df8dd7e6af04f5c039b882d7326cd3dca99016f45e784568dd
VirtualSize 0x6fe
VirtualAddress 0x1000
SizeOfRawData 0x800
PointerToRawData 0x400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
Entropy 4.8868

.text

MD5 e5c131e218e72dfcdbbecae31da38624
SHA1 dccff734de2be465057f316c677f11bf2dd8e8a8
SHA256 bffdb2aa231fe3a7835f1ca6ef377d69323b1c8cbc1d68f4a82e5c8e14147228
SHA3 201c91ac2d8e442a4175337aac8eae325d5981c6183fbebde6c8551d4ef2de9c
VirtualSize 0x1808
VirtualAddress 0x2000
SizeOfRawData 0x1a00
PointerToRawData 0xc00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
Entropy 5.89444

.rdata

MD5 78597bff848dcb22b49e824b9c11ca81
SHA1 cf5a13910f457bf2a8a8fbecffe664f279ecb769
SHA256 669b81f8d618ebb35b11d2b3e13ee7f31ad1f7d8b17e7788f08f006fb3d17876
SHA3 60ea5668f675a5414059f9976351d1c5eede1a321a64e8c513300e1a960355c0
VirtualSize 0x1a
VirtualAddress 0x4000
SizeOfRawData 0x200
PointerToRawData 0x2600
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 0.184151

.data

MD5 10122367e3bb0e287433d9a66642c7d8
SHA1 457e92190cb3b83ab07d58c64b2217aa74d0af67
SHA256 25e1d3102fd2cccad6afab011f7b0759f44a483eb5ba423ba0f6ccc74f032860
SHA3 a5b6b046c32d10673ffbd95cb1f1dc954ff557032651731643ee26f72872ca9d
VirtualSize 0x758
VirtualAddress 0x5000
SizeOfRawData 0x800
PointerToRawData 0x2800
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 4.237

.rsrc

MD5 7775febd4624bda5ede9af2365436c93
SHA1 bb27372c187f2a2b4980fd0ba4a3a2d4044d0386
SHA256 12c4314c071a8de7966c629ef7e1a580376bcd6af0f9d6fef9a05234119d1424
SHA3 db550f45d6fbe53e90ed94099dd2ce97799055e96b6ea1f6721592f44527157f
VirtualSize 0x2bc
VirtualAddress 0x6000
SizeOfRawData 0x400
PointerToRawData 0x3000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 4.13997

Imports

MSVCRT.dll memset
memcpy
_stricmp
strncmp
_strnicmp
strcmp
memmove
strlen
strcpy
strcat
strncpy
KERNEL32.dll GetModuleHandleA
HeapCreate
HeapDestroy
ExitProcess
GetCurrentThreadId
GetTickCount
HeapAlloc
HeapFree
WriteFile
CloseHandle
CreateFileA
GetFileSize
ReadFile
SetFilePointer
InitializeCriticalSection
GetModuleFileNameA
GetCurrentProcess
DuplicateHandle
CreatePipe
GetStdHandle
CreateProcessA
WaitForSingleObject
EnterCriticalSection
LeaveCriticalSection
GetCurrentProcessId
FindClose
FindFirstFileA
GetLastError
FindNextFileA
SetFileAttributesA
HeapReAlloc
COMCTL32.DLL InitCommonControls
USER32.DLL MessageBoxA
GetWindowThreadProcessId
IsWindowVisible
IsWindowEnabled
GetForegroundWindow
EnableWindow
EnumWindows
SHELL32.DLL ShellExecuteExA
OLE32.DLL CoInitialize

Delayed Imports

Resources

1

Type RT_MANIFEST
Language English - United States
Codepage UNKNOWN
Size 0x263
TimeDateStamp 2011-Apr-03 00:50:03
Entropy 4.92322
MD5 841795bb3b61ebd511249778aa26af77
SHA1 59f426938522ef9906b0740821e8cc270d1ca897
SHA256 be809cba9d14bfb52a969d766992832b10e99e133babcdd99dc6d1bba5597cf7
SHA3 5fa5c36711cc5c3661248b1180ce35543201ff1dc77d158129b844f03a2144c9

Version Info

TLS Callbacks

Load Configuration

RICH Header

Errors
