6c2a33512b8b0ec906982783e82b9678

Summary

Architecture IMAGE_FILE_MACHINE_I386
Subsystem IMAGE_SUBSYSTEM_WINDOWS_CUI
Compilation Date 2011-Nov-08 23:03:23
Detected languages English - United States

Plugin Output

Suspicious PEiD Signature: UPX V2.00-V2.90 -> Markus Oberhumer & Laszlo Molnar & John Reiser
UPX v2.0 -> Markus, Laszlo & Reiser (h)
UPX -> www.upx.sourceforge.net
UPX V2.00-V2.90 -> Markus Oberhumer & Laszlo Molnar & John Reiser
Suspicious The PE is possibly packed. Unusual section name found: LOL0
Section LOL0 is both writable and executable.
Unusual section name found: LOL1
Section LOL1 is both writable and executable.
The PE only has 8 import(s).
Suspicious The PE contains functions most legitimate programs don't use. [!] The program may be hiding some of its imports:
  • LoadLibraryA
  • GetProcAddress
Memory manipulation functions often used by packers:
  • VirtualProtect
  • VirtualAlloc
Has Internet access capabilities:
  • InternetOpenA
Leverages the raw socket API to access the Internet:
  • #115
Malicious VirusTotal score: 44/69 (Scanned on 2018-10-02 21:26:01) MicroWorld-eScan: Trojan.GenericKD.3181270
CAT-QuickHeal: Trojan.Multi
McAfee: RDN/Generic Downloader.x
Zillya: Trojan.GenericKD.Win32.54834
TheHacker: Posible_Worm32
K7GW: Riskware ( 0040eff71 )
K7AntiVirus: Riskware ( 0040eff71 )
Arcabit: Trojan.Generic.D308AD6
Invincea: heuristic
F-Prot: W32/Threat-HLLSI-based!Maximus
Symantec: ML.Attribute.HighConfidence
Avast: FileRepMalware
Kaspersky: UDS:DangerousObject.Multi.Generic
BitDefender: Trojan.GenericKD.3181270
NANO-Antivirus: Trojan.Win32.ThreatHLLSIbased.eeiqjt
Paloalto: generic.ml
AegisLab: Trojan.Win32.Generic.4!c
Rising: Trojan.Win32.Generic.191D40FD (C64:YzY0Oog+fvMFmUya)
Ad-Aware: Trojan.GenericKD.3181270
Emsisoft: Trojan.GenericKD.3181270 (B)
F-Secure: Trojan.GenericKD.3181270
VIPRE: Trojan.Win32.Generic!BT
McAfee-GW-Edition: BehavesLike.Win32.SpyLydra.lc
Fortinet: W32/Dloader.X!tr
Sophos: Mal/Generic-S
Cyren: W32/Threat-HLLSI-based!Maximus
Webroot: Trojan.Dropper.Gen
Avira: TR/Downloader.Gen
MAX: malware (ai score=99)
Antiy-AVL: Trojan/Win32.BTSGeneric
Endgame: malicious (high confidence)
Microsoft: Trojan:Win32/Tiggre!rfn
AhnLab-V3: Malware/Win32.Generic.C2704176
ALYac: Trojan.GenericKD.3181270
AVware: Trojan.Win32.Generic!BT
VBA32: suspected of Trojan.Downloader.gen.h
Cylance: Unsafe
Yandex: Trojan.DL.Agent!wKOUDxvnYc4
Ikarus: Trojan-Downloader
GData: Trojan.GenericKD.3181270
AVG: FileRepMalware
Cybereason: malicious.12b8b0
CrowdStrike: malicious_confidence_70% (W)
Qihoo-360: HEUR/QVM11.1.Malware.Gen

Hashes

MD5 6c2a33512b8b0ec906982783e82b9678
SHA1 abe778ca6d429dd7cd21ab2fbd226f421390050d
SHA256 212b29a8e36ccc8f65205122e33d84940a156a9a91329f747a713f988a157948
SHA3 5a2aeb2b98c8c9febceb83f7aab8b278fc77ce0805ce4c74a4b5fe47865a9ec6
SSDeep 384:Nj0AJZLBhWS/dvqAgVIzVtmdpfe1nk6Et0:NISWS/NNzVtKoO
Imports Hash 86fdef97aff28b7f33296444676ea236

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0xf0

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_I386
NumberofSections 3
TimeDateStamp 2011-Nov-08 23:03:23
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xe0
Characteristics IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_RELOCS_STRIPPED

Image Optional Header

Magic PE32
LinkerVersion 6.0
SizeOfCode 0x4000
SizeOfInitializedData 0x1000
SizeOfUninitializedData 0x7000
AddressOfEntryPoint 0x0000AF60 (Section: LOL1)
BaseOfCode 0x8000
BaseOfData 0xc000
ImageBase 0x400000
SectionAlignment 0x1000
FileAlignment 0x200
OperatingSystemVersion 4.0
ImageVersion 0.0
SubsystemVersion 4.0
Win32VersionValue 0
SizeOfImage 0xd000
SizeOfHeaders 0x1000
Checksum 0
Subsystem IMAGE_SUBSYSTEM_WINDOWS_CUI
SizeofStackReserve 0x100000
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

LOL0

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA3 a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a
VirtualSize 0x7000
VirtualAddress 0x1000
SizeOfRawData 0
PointerToRawData 0x400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 0

LOL1

MD5 921d51081255fe696b4fe61d3589443f
SHA1 ec15eef6d3e16df7d70255028e92b6963cbf34a2
SHA256 d9c0b93135d1a4a6e6dbcbf5dfe9501d6a5a75687bc89790bdb8b051e39da3e3
SHA3 dd4a1ea7d7b839f08f46ced9f5aca31a156d9fdc2072c8b3bfd73b21e57b1381
VirtualSize 0x4000
VirtualAddress 0x8000
SizeOfRawData 0x3200
PointerToRawData 0x400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 7.81507

.rsrc

MD5 b2dc1ae224157c0ebec7bc97488d3773
SHA1 6b0b47be0090812e1e8921d6afc2a73ae0e182a6
SHA256 64fcc1096b8875af6608286ac8a3674b11cc272f3fb6c938e9e739b45d835edf
SHA3 3f7be41bd2bb50468558b543aca0e91590c5703bf67a4a398dc9454cd84d69d9
VirtualSize 0x1000
VirtualAddress 0xc000
SizeOfRawData 0x200
PointerToRawData 0x3600
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 2.62652

Imports

KERNEL32.DLL LoadLibraryA
GetProcAddress
VirtualProtect
VirtualAlloc
VirtualFree
ExitProcess
WININET.dll InternetOpenA
WS2_32.dll #115

Delayed Imports

101

Type RT_RCDATA
Language English - United States
Codepage UNKNOWN
Size 0x20
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 4.8125
MD5 b7d19ea97c1f5aa6f38caac4f608e9c7
SHA1 9a8b011bb2b3b1b2608f60b13870376da1a0ecef
SHA256 de87b9d25168d0d1adfc51ff7ef165cd3b4c41aec326a735043f92769d4d8380
SHA3 78c38097c67f9a53d756a9976dba5ee8f8087543469466d49fb7ad6f27700413

Version Info

TLS Callbacks

Load Configuration

RICH Header

Errors

[*] Warning: Section LOL0 has a size of 0! [*] Warning: Section LOL0 has a size of 0!