643654975b63a9bb6f597502e5cd8f49

Summary

Architecture IMAGE_FILE_MACHINE_I386
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date 2014-Jan-14 04:38:30
Detected languages Chinese - PRC

Plugin Output

Info Matching compiler(s):
  • Microsoft Visual C++
  • Microsoft Visual C++ v6.0
Suspicious Strings found in the binary may indicate undesirable behavior:
Contains another PE executable:
  • This program cannot be run in DOS mode.
Info Cryptographic algorithms detected in the binary:
  • Uses constants related to DES
Info The PE contains common functions which appear in legitimate applications.
[!] The program may be hiding some of its imports:
  • GetProcAddress
  • LoadLibraryA
Possibly launches other programs:
  • CreateProcessA
  • ShellExecuteA
Can create temporary files:
  • CreateFileA
  • GetTempPathA
Malicious The PE is possibly a dropper:
  • Resource 108 detected as a PDF document.
  • Resource 109 detected as a PE Executable.
  • Resources account for 93.026% of the executable.
Malicious VirusTotal score: 45/65 (Scanned on 2022-02-18 08:40:14)
Bkav: W32.AIDetect.malware2
Elastic: malicious (high confidence)
MicroWorld-eScan: Gen:Variant.Barys.229848
FireEye: Generic.mg.643654975b63a9bb
McAfee: Artemis!643654975B63
Malwarebytes: Malware.AI.4172468544
Zillya: Dropper.Agent.Win32.234271
Alibaba: Backdoor:Win32/Sloth.e877666f
Cybereason: malicious.75b63a
BitDefenderTheta: AI:Packer.9CE5F6661F
VirIT: Trojan.Win32.DownLoader9.RDJ
Symantec: ML.Attribute.HighConfidence
ESET-NOD32: a variant of Win32/TrojanDropper.Agent.PVR
APEX: Malicious
Paloalto: generic.ml
ClamAV: Win.Trojan.B-262
Kaspersky: Backdoor.Win32.Sloth.c
BitDefender: Gen:Variant.Barys.229848
NANO-Antivirus: Trojan.Win32.RP.czjbjv
Avast: Win32:Downloader-VAV [Trj]
Rising: Dropper.Agent!8.2F (CLOUD)
Ad-Aware: Gen:Variant.Barys.229848
Sophos: Mal/Generic-S
Comodo: Malware@#i8nnjf8prdx7
DrWeb: Trojan.DownLoader9.11579
VIPRE: Trojan.Win32.Generic!BT
TrendMicro: Mal_DLDER
McAfee-GW-Edition: BackDoor-FBVO!AB9DB28EEC90
Emsisoft: Gen:Variant.Barys.229848 (B)
SentinelOne: Static AI - Suspicious PE
GData: Gen:Variant.Barys.229848
Jiangmin: Trojan.Generic.pbdo
Avira: TR/ATRAPS.Gen4
Antiy-AVL: Trojan/Win32.Occamy
Kingsoft: Win32.Heur.KVM007.a.(kcloud)
Microsoft: Trojan:Win32/Comisproc!gmb
Cynet: Malicious (score: 99)
VBA32: BScope.Trojan-Spy.Zbot
ALYac: Gen:Variant.Barys.229848
Tencent: Win32.Trojan.Atraps.Wmiw
Yandex: Trojan.GenAsa!tbPeKqtnYCk
Fortinet: W32/Agent.PVR!tr
AVG: Win32:Downloader-VAV [Trj]
Panda: Trj/CI.A
CrowdStrike: win/malicious_confidence_100% (W)

Hashes

MD5 643654975b63a9bb6f597502e5cd8f49
SHA1 2c901a12e8c4ec9babfd693b5f3d805c945e4657
SHA256 7b63576c9f0ea6afb4c900b0c5832789922c0409e9cd6efd100d3b33024963cd
SHA3 0bdc1a6807b7a31ac0d8379136d2234a46b536ca6bd69164b79a3ee6d524298e
SSDeep 6144:c0WJzQyoyoMGGGGGGGGGGbGGGGGGGGGG6GG/DGXxeXJE85PmWyVcjUkdHbIIA3:c0WJztKHjl
Imports Hash 0fefba40443edd57f816502035077e3e

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0xd8

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_I386
NumberofSections 4
TimeDateStamp 2014-Jan-14 04:38:30
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xe0
Characteristics IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_RELOCS_STRIPPED

Image Optional Header

Magic PE32
LinkerVersion 6.0
SizeOfCode 0x4000
SizeOfInitializedData 0x51800
SizeOfUninitializedData 0
AddressOfEntryPoint 0x000014C2 (Section: .text)
BaseOfCode 0x1000
BaseOfData 0x5000
ImageBase 0x400000
SectionAlignment 0x1000
FileAlignment 0x200
OperatingSystemVersion 4.0
ImageVersion 0.0
SubsystemVersion 4.0
Win32VersionValue 0
SizeOfImage 0x57000
SizeOfHeaders 0x400
Checksum 0
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
SizeofStackReserve 0x100000
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

.text

MD5 aa58df81e6566a98ab6c66985f6131c5
SHA1 42b6b4b8db37abe662c9b7f4bfe30c23c1861dec
SHA256 c438626161a8100216d973155a16c0849e6bafdcb89e4f8d3cca163724febabb
SHA3 0afafc4b7ae0315abda178d5acd722fe46d4e689cac4c65d40ff3834a4f77aca
VirtualSize 0x3fc4
VirtualAddress 0x1000
SizeOfRawData 0x4000
PointerToRawData 0x400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
Entropy 6.57064

.rdata

MD5 2e4359d421f248a3774c9a4b0dea6985
SHA1 5c05747bebffe49c955e050caf977838aae776e5
SHA256 000d633682598270638ced194977f15bfe816255a5d3d8d958c9c9745265ed42
SHA3 43683742bdcea44f6c7bd779589576dc1add528b5b6e111b31af8c587d37ab7c
VirtualSize 0xa60
VirtualAddress 0x5000
SizeOfRawData 0xc00
PointerToRawData 0x4400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 4.87919

.data

MD5 e1ca358a07756f23b03efd68334ffca4
SHA1 8b80d6c3ce2a4f2a8c4092f3d91a30ea2b92b654
SHA256 04ccab66c91f570a383646f6fb476f1417124b7938cbfa3cf455127285e99a20
SHA3 ed21c497cdc77025a20b7f47dc4a82f71d91dd81aca0327ed316e37d1fd02eca
VirtualSize 0x1e7c
VirtualAddress 0x6000
SizeOfRawData 0xa00
PointerToRawData 0x5000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 2.15182

.rsrc

MD5 b73f67a174421da5331b14d9f8d6e6bd
SHA1 d72e598e63a273309b301ad8de2a3c6e5f1ecd34
SHA256 79669f20bf31527881900521546dad660237b419937710293382270f932a0a3b
SHA3 a36a5504b664362f94505bf0a7068f58a4ab10c5189fd7406a53150d8734c738
VirtualSize 0x4ead0
VirtualAddress 0x8000
SizeOfRawData 0x4ec00
PointerToRawData 0x5a00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 4.7331

Imports

KERNEL32.dll
CreateProcessA
CloseHandle
WriteFile
LockResource
SizeofResource
LoadResource
FindResourceA
CreateFileA
CreateDirectoryA
GetCurrentDirectoryA
GetTempPathA
SetProcessPriorityBoost
SetThreadPriority
GetCurrentThread
SetPriorityClass
GetCurrentProcess
lstrcatA
lstrcpyA
GetEnvironmentVariableA
GetShortPathNameA
GetModuleFileNameA
GetStringTypeW
GetStringTypeA
LCMapStringW
LCMapStringA
GetModuleHandleA
GetStartupInfoA
GetCommandLineA
GetVersion
ExitProcess
TerminateProcess
UnhandledExceptionFilter
FreeEnvironmentStringsA
FreeEnvironmentStringsW
WideCharToMultiByte
GetEnvironmentStrings
GetEnvironmentStringsW
SetHandleCount
GetStdHandle
GetFileType
HeapDestroy
HeapCreate
VirtualFree
HeapFree
RtlUnwind
GetLastError
SetFilePointer
GetCPInfo
GetACP
GetOEMCP
HeapAlloc
VirtualAlloc
HeapReAlloc
GetProcAddress
LoadLibraryA
SetStdHandle
MultiByteToWideChar
FlushFileBuffers
SHELL32.dll
SHChangeNotify
ShellExecuteA
ShellExecuteExA

Delayed Imports

Resources

108

Type PDF
Language Chinese - PRC
Codepage UNKNOWN
Size 0x3d38
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 7.9079
Detected Filetype PDF Document
MD5 76aa49de535ee39129d5751e00517ad0
SHA1 fc6eec9573c7ac9d5445e0e8c10f18ab91286eab
SHA256 daa2246de34e720e554d328516a9516ba34a476d1f363743623b427deb508201
SHA3 de9a54e78332afc452c3e02553b670a1b5adfe99e6e31e87cd2e7237983340aa

109

Type US
Language Chinese - PRC
Codepage UNKNOWN
Size 0x2c00
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 6.0344
Detected Filetype PE Executable
MD5 ab9db28eec90696575bef33e293c0410
SHA1 810ba3a28f9e22125ed0b10c90f2151bcfb02203
SHA256 73428f344caa5704d0c54bdd3237478489f4e9752f668846b430356544c6fcf7
SHA3 d7157ddad791bcaf99c3a01b0dac9ce0a12c7475bc691c6d09b06905e83278e4

1

Type RT_ICON
Language Chinese - PRC
Codepage UNKNOWN
Size 0x668
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 3.36446
MD5 37802f4244f7aca50caa646d5e3e3adf
SHA1 0957d2eecfe1d099aaf1d8ccd6857a4917b5c86c
SHA256 d7a213e9d2693748cc4d949b2183de31878c808154ff32512e127a8118b1a869
SHA3 53c41350465a8a0d0b1aa2e9d578d5b2e850824a1084e2a0775287123de926c3

2

Type RT_ICON
Language Chinese - PRC
Codepage UNKNOWN
Size 0x2e8
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 3.4983
MD5 044084a7e7813e45d785e5771d713c53
SHA1 bb45af39bb04fb08c154a9758e4ba2fd7e7a3ab1
SHA256 ec0f1c6de43d87c0becf018cb9d9a6fc83cc792519a4306fafcefe5ecacc6e97
SHA3 60aa023ef6248a1fe53d72d1a634e1e4ec8938cbf70067d7a7ea98e0a7a5e69c

3

Type RT_ICON
Language Chinese - PRC
Codepage UNKNOWN
Size 0x128
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 3.19721
MD5 38bb18ab0c3d11a30409a6e0b4012b57
SHA1 fbca65562c2b5998ffef71b3a51b84353560dd14
SHA256 daf7848ff12e05e2cf9bb6a6d291ee2438af1ec81b444a8df07ca9abf5f95d6a
SHA3 c6cdca18cff1191d0974192fd5fd9ba20ecce2b57dc6bc8e0bf46e7efa31155f

4

Type RT_ICON
Language Chinese - PRC
Codepage UNKNOWN
Size 0xea8
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 5.50363
MD5 49c7cd54577ad1e476d70282b548fc23
SHA1 ca39f76dd196c4885915a29d6739134f53ac3916
SHA256 13b0fbac7d1e3828cebf0d390affe216f50769abba5960c2f7c6e55154a74585
SHA3 84e02a501943cec3abb60c66f1b746622548fd546109c3397027da24e7e03481

5

Type RT_ICON
Language Chinese - PRC
Codepage UNKNOWN
Size 0x8a8
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 5.13728
MD5 c56bc0b85057a4df1cf8d122dfa7fc3f
SHA1 11346b67d66d85f220619d7e3bb391f322076b77
SHA256 0a8c332eabbe0be7dda025a36bbb74a352ce973a01c1202e4a3b2b8ff51b3fc6
SHA3 68d4d8143a19e4bfd1858a6e10bf4226b97f2f888c41f68c78b936294f556d4e

6

Type RT_ICON
Language Chinese - PRC
Codepage UNKNOWN
Size 0x568
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 3.08017
MD5 87d60af2f9ee2355b9b35bd483b8cbbc
SHA1 37bd7e5ee1b89b16688fb5105218ada821d0fb95
SHA256 94514c10dbf1d0e89f59a07b2d66ece808a79f72c950297066ef4125848230eb
SHA3 7980671a9f1a87bcdcc6b35e6c8cbc160b439ac2f158b6c2248fe9d315769d21

7

Type RT_ICON
Language Chinese - PRC
Codepage UNKNOWN
Size 0x42028
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 4.21581
MD5 928b9580b18a35a665d29e9b6775f634
SHA1 5cb64ea9af930ab8ebd837c682e94a11047add19
SHA256 6fabdef0c67cd7b95657c8052eb5fced9a1c0c4f1ed768266ac132c1dc975167
SHA3 bb1916e1644dcc1abfa05fa87e73b4c916f3e1f5981f8cb3a3aae8628ccf11dd

8

Type RT_ICON
Language Chinese - PRC
Codepage UNKNOWN
Size 0x25a8
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 4.52717
MD5 2bd9749db4946242bab1cc959cac4acc
SHA1 dd12ecd6631a4505a128aea73c92b705d4ace89a
SHA256 41cfc6eb2bc18e593a8fc2dc2ecefbd71b9614378545ac65b03e4c9d019eca91
SHA3 8481b81d6bc25743a6a885f395de7a0b96c35803b3182dd522a8674e33559e06

9

Type RT_ICON
Language Chinese - PRC
Codepage UNKNOWN
Size 0xca8
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 4.79854
MD5 e1db01a74974650eebde1785dc294121
SHA1 358b1ef0f3c08df027f0bb6994030a5bc185137e
SHA256 fb080cef60846528c409f60400f334100a16a5bd77b953c864b23a945fcf26fd
SHA3 aaf8936c6705c3c7e9aa60322fc122a316a607cea38f7c080dc6801b3585de8c

10

Type RT_ICON
Language Chinese - PRC
Codepage UNKNOWN
Size 0x468
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 4.45207
MD5 db99c2c04800cbb0938b19496feb5e2a
SHA1 7018317ba29b6a4b7a80cbbb5323362059222118
SHA256 94b2ef673471d0f96d83125ad5be115b3c599e0e4f51976529f609cfc2a7ef43
SHA3 c09e32835ce8f9df2ed5b379c353514b0b2cb163282692d177a3cee1a8774d5e

110

Type RT_GROUP_ICON
Language Chinese - PRC
Codepage UNKNOWN
Size 0x92
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 2.94686
Detected Filetype Icon file
MD5 c089fade0845c03465c36dbe43662184
SHA1 7fe145c2315d967c6b0d4d6a7aa4b5da4805eb1a
SHA256 bca95d518d15007e85b1e5ca42c0ce0d733c6c1720ef75f97a71f3b5a154f7a0
SHA3 a7d9c0d01133601cc72b47d1149c9a986343bb6b94e83b30668a5a9896c8f2eb

Version Info

TLS Callbacks

Load Configuration

RICH Header

XOR Key 0x4cfbc511
Unmarked objects 0
14 (7299) 11
C objects (VS98 build 8168) 43
19 (8034) 5
Total imports 62
C++ objects (VS98 build 8168) 3
Resource objects (VS98 cvtres build 1720) 1

Errors
