Architecture | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date | 2018-Oct-20 17:06:52 |
Detected languages | Chinese - PRC; English - United States |
CompanyName | Riyue Tongxing Information Technology (Beijing) Co.,Ltd. |
FileDescription | downer for windows |
FileVersion | 1.3.6.26 |
InternalName | |
LegalCopyright | Riyue Tongxing Information Technology (Beijing) Co.,Ltd. |
LegalTrademarks | |
OriginalFilename | downer |
ProductName | downer for windows |
ProductVersion | 1.3.6.26 |
Comments | |
Suspicious | PEiD Signature: UPX V2.00-V2.90 -> Markus Oberhumer & Laszlo Molnar & John Reiser; UPX v2.0 -> Markus, Laszlo & Reiser (h); UPX 2.00-3.0X -> Markus Oberhumer & Laszlo Molnar & John Reiser; UPX -> www.upx.sourceforge.net; UPX Protector v1.0x (2); UPX V2.00-V2.90 -> Markus Oberhumer & Laszlo Molnar & John Reiser; UPX 2.00-3.0X -> Markus Oberhumer & Laszlo Molnar & John Reiser |
Info | Cryptographic algorithms detected in the binary: Uses constants related to MD5 |
Suspicious | The PE is packed with UPX. Unusual section name found: UPX0. Section UPX0 is both writable and executable. Unusual section name found: UPX1. Section UPX1 is both writable and executable. |
Suspicious | The PE contains functions most legitimate programs don't use. [!] The program may be hiding some of its imports: |
Info | The PE's resources present abnormal characteristics. Resources 1, 2, 3, 4, 5, 6, 7, 4078, 4079, 4080, 4081, 4082, 4084, 4085, 4086, 4087, 4088, 4089, 4090, 4091, 4093, 4094, 4095, 4096, BTN_BAIDU, BTN_CLOSE, BTN_INSTALL, BTN_KNOW, BTN_OPEND, BTN_OPENF, CHARTABLE, HTTPMODE, IMG_CHECK, IMG_CHECK2, IMG_INSTALLBK, IMG_INSTALLICON, LOAD_BK, MAIN_BK, MAIN_BORDER, PACKAGEINFO, PROGRESS_BK, PROGRESS_FORCE, TFFRMINSTALL, TFFRMLOAD, TFFRMMAIN and THUNDER are possibly compressed or encrypted. |
Info | The binary may have been compiled on a machine in the UTC+8 timezone. |
Malicious | VirusTotal score: 47/68 (Scanned on 2019-04-13 04:57:15) |

MicroWorld-eScan | Trojan.GenericKD.41135074 |
---|---|
FireEye | Generic.mg.67f4f7638559cb64 |
CAT-QuickHeal | Trojan.Downer |
McAfee | RDN/Generic PUP.z |
Malwarebytes | Adware.ChinAd |
VIPRE | Trojan.Win32.Generic!BT |
Alibaba | Downloader:Win32/Agent.2c582171 |
K7GW | Riskware ( 00544e421 ) |
K7AntiVirus | Riskware ( 00544e421 ) |
NANO-Antivirus | Trojan.Win32.Donex.fnxxjv |
ESET-NOD32 | a variant of Win32/Gaofenquming.B potentially unwanted |
TrendMicro-HouseCall | PUA.Win32.Downer.AA |
Kaspersky | not-a-virus:HEUR:Downloader.Win32.Agent.gen |
BitDefender | Trojan.GenericKD.41135074 |
Paloalto | generic.ml |
Endgame | malicious (moderate confidence) |
Emsisoft | Trojan.GenericKD.41135074 (B) |
Comodo | ApplicUnwnt@#3b0on1ar7a3sg |
F-Secure | Adware.ADWARE/Gaofenq.Gen |
DrWeb | Adware.Downware.19347 |
Invincea | heuristic |
McAfee-GW-Edition | RDN/Generic PUP.z |
SentinelOne | DFI - Malicious PE |
Cyren | W32/Application.FEUH-6606 |
Jiangmin | Downloader.Agent.lhc |
Avira | ADWARE/Gaofenq.Gen |
Antiy-AVL | RiskWare[Downloader]/Win32.Agent |
Microsoft | PUA:Win32/Downer |
Arcabit | Trojan.Generic.D273ABE2 |
ViRobot | Adware.Gaofenquming.911040 |
ZoneAlarm | not-a-virus:HEUR:Downloader.Win32.Agent.gen |
GData | Win32.Application.RiyueDowner.A |
Sophos | Downloader (PUA) |
AhnLab-V3 | PUP/Win32.Qiwmonk.R215616 |
VBA32 | BScope.Downloader.Donex |
ALYac | Trojan.GenericKD.41135074 |
MAX | malware (ai score=100) |
Ad-Aware | Trojan.GenericKD.41135074 |
Rising | PUA.Downer!8.F658 (CLOUD) |
Yandex | PUA.Downloader! |
Ikarus | PUA.Gaofenquming |
eGambit | Unsafe.AI_Score_80% |
Fortinet | Riskware/Agent |
AVG | FileRepMalware [PUP] |
Cybereason | malicious.38559c |
Panda | Trj/Genetic.gen |
CrowdStrike | win/malicious_confidence_80% (D) |
e_magic | MZ |
---|---|
e_cblp | 0x50 |
e_cp | 0x2 |
e_crlc | 0 |
e_cparhdr | 0x4 |
e_minalloc | 0xf |
e_maxalloc | 0xffff |
e_ss | 0 |
e_sp | 0xb8 |
e_csum | 0 |
e_ip | 0 |
e_cs | 0 |
e_ovno | 0x1a |
e_oemid | 0 |
e_oeminfo | 0 |
e_lfanew | 0x100 |
Signature | PE |
---|---|
Machine | IMAGE_FILE_MACHINE_I386 |
NumberofSections | 3 |
TimeDateStamp | 2018-Oct-20 17:06:52 |
PointerToSymbolTable | 0 |
NumberOfSymbols | 0 |
SizeOfOptionalHeader | 0xe0 |
Characteristics | IMAGE_FILE_32BIT_MACHINE, IMAGE_FILE_BYTES_REVERSED_HI, IMAGE_FILE_BYTES_REVERSED_LO, IMAGE_FILE_EXECUTABLE_IMAGE, IMAGE_FILE_LINE_NUMS_STRIPPED, IMAGE_FILE_LOCAL_SYMS_STRIPPED, IMAGE_FILE_RELOCS_STRIPPED |
Magic | PE32 |
---|---|
LinkerVersion | 2.0 |
SizeOfCode | 0xd5000 |
SizeOfInitializedData | 0x8000 |
SizeOfUninitializedData | 0x115000 |
AddressOfEntryPoint | 0x001EA270 (Section: UPX1) |
BaseOfCode | 0x116000 |
BaseOfData | 0x1eb000 |
ImageBase | 0x400000 |
SectionAlignment | 0x1000 |
FileAlignment | 0x200 |
OperatingSystemVersion | 5.0 |
ImageVersion | 0.0 |
SubsystemVersion | 5.0 |
Win32VersionValue | 0 |
SizeOfImage | 0x1f3000 |
SizeOfHeaders | 0x1000 |
Checksum | 0xeaf2b |
Subsystem | IMAGE_SUBSYSTEM_WINDOWS_GUI |
SizeofStackReserve | 0x100000 |
SizeofStackCommit | 0x4000 |
SizeofHeapReserve | 0x100000 |
SizeofHeapCommit | 0x1000 |
LoaderFlags | 0 |
NumberOfRvaAndSizes | 16 |
KERNEL32.DLL | LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess |
---|---|
advapi32.dll | RegFlushKey |
comctl32.dll | ImageList_Add |
gdi32.dll | Pie |
msimg32.dll | AlphaBlend |
ole32.dll | OleDraw |
oleaut32.dll | VariantCopy |
shell32.dll | ShellExecuteW |
URLMON.DLL | URLDownloadToFileW |
user32.dll | GetDC |
version.dll | VerQueryValueW |
Winhttp.dll | WinHttpOpen |
wininet.dll | InternetOpenW |