66ea09330bee7239fcb11a911f8e8ea3

Summary

Architecture IMAGE_FILE_MACHINE_I386
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date 2019-Mar-12 07:57:49
Detected languages English - United States

Plugin Output

Info Matching compiler(s): Microsoft Visual C++ 6.0 - 8.0
Suspicious Strings found in the binary may indicate undesirable behavior:
Contains references to system / monitoring tools:
  • schtask
May have dropper capabilities:
  • CurrentVersion\Run
Miscellaneous malware strings:
  • cmd.exe
Info Libraries used to perform cryptographic operations: Microsoft's Cryptography API
Suspicious The PE is possibly packed. Section .data is both writable and executable.
Suspicious The PE contains functions most legitimate programs don't use.
[!] The program may be hiding some of its imports:
  • LoadLibraryA
  • GetProcAddress
  • LoadLibraryExW
Can access the registry:
  • RegOpenKeyExA
  • RegSetValueExA
  • RegCloseKey
Possibly launches other programs:
  • WinExec
  • CreateProcessA
Uses Microsoft's cryptographic API:
  • CryptDestroyHash
  • CryptVerifySignatureA
  • CryptHashData
  • CryptCreateHash
  • CryptDecrypt
  • CryptImportKey
  • CryptGetHashParam
  • CryptDestroyKey
  • CryptDeriveKey
  • CryptReleaseContext
  • CryptAcquireContextA
  • CryptStringToBinaryA
  • CryptDecodeObjectEx
Has Internet access capabilities:
  • URLOpenBlockingStreamA
Interacts with services:
  • OpenServiceA
  • OpenSCManagerA
  • CreateServiceA
  • ChangeServiceConfigA
Info The PE is digitally signed. Signer: Shenzhen Qitu Software Technolgy Co.
Issuer: VeriSign Class 3 Code Signing 2010 CA
Malicious VirusTotal score: 39/68 (Scanned on 2019-03-14 12:30:15)
MicroWorld-eScan: Trojan.GenericKD.31786336
McAfee: RDN/Generic.cf
Malwarebytes: Trojan.Agent
K7GW: Riskware ( 0040eff71 )
K7AntiVirus: Riskware ( 0040eff71 )
TrendMicro: TrojanSpy.Win32.BEAHNY.THCACAI
TrendMicro-HouseCall: TrojanSpy.Win32.BEAHNY.THCACAI
Avast: Win32:Trojan-gen
Kaspersky: HEUR:Trojan.Win32.Generic
BitDefender: Trojan.GenericKD.31786336
Paloalto: generic.ml
Tencent: Win32.Trojan.Driverlifemalware.Bseb
Ad-Aware: Trojan.GenericKD.31786336
Emsisoft: Trojan.GenericKD.31786336 (B)
Comodo: Malware@#20n6b2xun7n23
F-Secure: Trojan.TR/Agent.tuuxr
McAfee-GW-Edition: RDN/Generic.cf
SentinelOne: DFI - Malicious PE
Cyren: W32/Trojan.PQFE-8428
Avira: TR/Agent.tuuxr
Fortinet: W32/Generic!tr
Endgame: malicious (high confidence)
Arcabit: Trojan.Generic.D1E50560
ViRobot: Trojan.Win32.S.Agent.139448
ZoneAlarm: HEUR:Trojan.Win32.Generic
Microsoft: Trojan:Win32/Beahny
Sophos: Mal/Generic-S
AhnLab-V3: Malware/Win32.Generic.C3090712
Acronis: suspicious
ALYac: Trojan.Agent.139448
Cylance: Unsafe
ESET-NOD32: a variant of Win32/Agent.AALI
Rising: Trojan.Agent!1.B670 (CLOUD)
Ikarus: Trojan.Win32.Agent
GData: Win32.Trojan.Agent.I4TYUH
AVG: Win32:Trojan-gen
Panda: Trj/CI.A
CrowdStrike: win/malicious_confidence_80% (D)
Qihoo-360: Win32/Trojan.e6d

Hashes

MD5 66ea09330bee7239fcb11a911f8e8ea3
SHA1 4825e41524decdb4b8a68205d9a4cd1d1af501c0
SHA256 aaef385a090d83639fb924c679b2ff22e90ae9377774674d537670a975513397
SHA3 88500455eb09af34201d82ee38eb1bc5f3ac9e6c7a477394ca6ecd264c1da519
SSDeep 3072:H31w+JUlVQSMGYSIfSHMC77JKhmSeVHCJK4:H3IQF3SIavfJKjad4
Imports Hash 5f57701d2eaf25ff96c0855d3d43fb05

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0x100

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_I386
NumberofSections 5
TimeDateStamp 2019-Mar-12 07:57:49
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xe0
Characteristics IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE

Image Optional Header

Magic PE32
LinkerVersion 14.0
SizeOfCode 0x1e800
SizeOfInitializedData 0x2600
SizeOfUninitializedData 0xc00
AddressOfEntryPoint 0x0000D0C8 (Section: .data)
BaseOfCode 0x1000
BaseOfData 0x20000
ImageBase 0x400000
SectionAlignment 0x1000
FileAlignment 0x200
OperatingSystemVersion 5.1
ImageVersion 0.0
SubsystemVersion 5.1
Win32VersionValue 0
SizeOfImage 0x25000
SizeOfHeaders 0x400
Checksum 0x2b63a
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
DllCharacteristics IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
SizeofStackReserve 0x100000
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

.data

MD5 cedadfb06db3c5f60615fe0eeb55c816
SHA1 f356adf3e2c7a8ccff02ac7333860195b3be1c57
SHA256 37b0a905d1521d0556a04f22a482d59b6429969b486cc3936ecfce59cfe756a5
SHA3 97f17e12dedad317adf16f1fc243f392af2a82c63146cb006e1c9fb279f57504
VirtualSize 0x1e6e4
VirtualAddress 0x1000
SizeOfRawData 0x1e800
PointerToRawData 0x400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 6.4281

.bss

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA3 a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a
VirtualSize 0xa68
VirtualAddress 0x20000
SizeOfRawData 0
PointerToRawData 0
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata

MD5 7e123c9d7475205972f4aaa328bc1e8a
SHA1 d6edc4759e4402f50bff462db1f086a42368633c
SHA256 7ba858ec20c71c1e5063a1ae4d9d76e209868507ca5da117401badd47d3438f9
SHA3 4b3da93ad7c1c2325576c0ae8a4e29043f2624625c5c90c93d4c1d86dcd50e44
VirtualSize 0xda2
VirtualAddress 0x21000
SizeOfRawData 0xe00
PointerToRawData 0x1ec00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 5.39667

.rsrc

MD5 f754adbd7f5d6195fd6d527001cab98c
SHA1 9bfa72e0e04da7de1e38d35f609b8ad828553090
SHA256 610f0f1ac88a28f59c086c850befcd103e250fdd9e5f1f41f58ebec3f5a0b77f
SHA3 f1e39c2425df073da9c5eef202d3d4d90465a0828f2564a85af3a24b38f20669
VirtualSize 0x1e0
VirtualAddress 0x22000
SizeOfRawData 0x200
PointerToRawData 0x1fa00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 4.70436

.reloc

MD5 bf43badd1d5cf0d16941b5ae963c8d86
SHA1 d929d5881d45e53002eda940ffed454d1197be13
SHA256 93be6eb416a3919509dd2f99de2655e7f58aa6cd71ef9d6d17e1eb190801f47d
SHA3 e590438a95e056cc5e41cc00694215e5b062e46b24a1cc5b87fd9bf0a66ffd3b
VirtualSize 0x1414
VirtualAddress 0x23000
SizeOfRawData 0x1600
PointerToRawData 0x1fc00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Entropy 6.32996

Imports

KERNEL32.dll
LoadLibraryA
GetStartupInfoA
CopyFileA
GetComputerNameA
lstrcmpiA
WriteConsoleW
SetFilePointerEx
WinExec
LocalFree
LocalAlloc
GetProcAddress
GetModuleHandleA
GetModuleFileNameA
GetVersionExA
GetTickCount
GetSystemInfo
CreateProcessA
Sleep
CreateMutexA
CreatePipe
GetLastError
CloseHandle
WriteFile
SetFilePointer
SetFileAttributesA
ReadFile
GetLongPathNameA
GetFileSize
GetFileAttributesA
DeleteFileA
CreateFileA
ExpandEnvironmentStringsA
FreeLibrary
GetEnvironmentVariableA
HeapReAlloc
HeapSize
CreateFileW
GetConsoleMode
GetConsoleCP
IsProcessorFeaturePresent
IsDebuggerPresent
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetStartupInfoW
GetModuleHandleW
GetCurrentProcess
TerminateProcess
QueryPerformanceCounter
GetCurrentProcessId
GetCurrentThreadId
GetSystemTimeAsFileTime
InitializeSListHead
RtlUnwind
RaiseException
SetLastError
EncodePointer
EnterCriticalSection
LeaveCriticalSection
DeleteCriticalSection
InitializeCriticalSectionAndSpinCount
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
LoadLibraryExW
ExitProcess
GetModuleHandleExW
MultiByteToWideChar
WideCharToMultiByte
GetStdHandle
GetCommandLineA
GetCommandLineW
GetACP
HeapFree
HeapAlloc
CompareStringW
LCMapStringW
GetFileType
FindClose
FindFirstFileExA
FindNextFileA
IsValidCodePage
GetOEMCP
GetCPInfo
GetEnvironmentStringsW
FreeEnvironmentStringsW
SetEnvironmentVariableA
GetProcessHeap
SetStdHandle
GetStringTypeW
FlushFileBuffers
DecodePointer
USER32.dll
GetSystemMetrics
wsprintfA
ADVAPI32.dll
CryptDestroyHash
RegOpenKeyExA
RegSetValueExA
StartServiceCtrlDispatcherA
SetServiceStatus
RegisterServiceCtrlHandlerA
OpenServiceA
OpenSCManagerA
CreateServiceA
CloseServiceHandle
ChangeServiceConfig2A
ChangeServiceConfigA
CryptVerifySignatureA
RegCloseKey
CryptHashData
CryptCreateHash
CryptDecrypt
CryptImportKey
CryptGetHashParam
CryptDestroyKey
CryptDeriveKey
CryptReleaseContext
CryptAcquireContextA
CRYPT32.dll
CryptStringToBinaryA
CryptDecodeObjectEx
urlmon.dll
URLOpenBlockingStreamA
SHLWAPI.dll
StrRChrA
PathFileExistsA

Delayed Imports

1

Type RT_MANIFEST
Language English - United States
Codepage UNKNOWN
Size 0x17d
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 4.91161
MD5 1e4a89b11eae0fcf8bb5fdd5ec3b6f61
SHA1 4260284ce14278c397aaf6f389c1609b0ab0ce51
SHA256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df
SHA3 4bb9e8b5a714cae82782f3831cc2d45f4bf4a50a755fe584d2d1893129d68353

Version Info

IMAGE_DEBUG_TYPE_POGO

Characteristics 0
TimeDateStamp 2019-Mar-12 07:57:49
Version 0.0
SizeofData 768
AddressOfRawData 0x7748
PointerToRawData 0x6b48

TLS Callbacks

Load Configuration

Size 0xa0
TimeDateStamp 1970-Jan-01 00:00:00
Version 0.0
GlobalFlagsClear (EMPTY)
GlobalFlagsSet (EMPTY)
CriticalSectionDefaultTimeout 0
DeCommitFreeBlockThreshold 0
DeCommitTotalFreeThreshold 0
LockPrefixTable 0
MaximumAllocationSize 0
VirtualMemoryThreshold 0
ProcessAffinityMask 0
ProcessHeapFlags (EMPTY)
CSDVersion 0
Reserved1 0
EditList 0
SecurityCookie 0x401160
SEHandlerTable 0x407700
SEHandlerCount 18

RICH Header

XOR Key 0xeb585899
Unmarked objects 0
241 (40116) 10
243 (40116) 130
242 (40116) 24
C objects (VS 2015/2017 runtime 26706) 17
ASM objects (VS 2015/2017 runtime 26706) 19
C++ objects (VS 2015/2017 runtime 26706) 40
Imports (65501) 13
Total imports 142
C++ objects (VS2017 v15.9.4 compiler 27025) 3
Resource objects (VS2017 v15.9.4 compiler 27025) 1
Linker (VS2017 v15.9.4 compiler 27025) 1

Errors

[*] Warning: Section .bss has a size of 0!