Property | Value |
---|---|
Architecture | IMAGE_FILE_MACHINE_I386 |
Subsystem | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date | 2017-Apr-21 20:58:43 |
Detected languages | Russian - Russia |
Info | Libraries used to perform cryptographic operations: Microsoft's Cryptography API |
Suspicious | The PE is possibly packed. Unusual section name found: gdata. Unusual section name found: .wdata |
Suspicious | The PE contains functions most legitimate programs don't use. [!] The program may be hiding some of its imports: |
Suspicious | The PE is possibly a dropper. Resource 4 is possibly compressed or encrypted. Resources account for 75.0618% of the executable. |
Malicious | VirusTotal score: 45/67 (Scanned on 2018-10-28 01:07:30) |
Engine | Detection |
---|---|
MicroWorld-eScan | Trojan.GenericKD.31076677 |
McAfee | GenericRXGC-TK!706A3F868151 |
Cylance | Unsafe |
K7GW | Riskware ( 0040eff71 ) |
K7AntiVirus | Riskware ( 0040eff71 ) |
TrendMicro | TROJ_GEN.F0C2C00GB18 |
Symantec | Packed.Generic.493 |
TrendMicro-HouseCall | TROJ_GEN.F0C2C00GB18 |
Avast | Win32:Malware-gen |
Kaspersky | HEUR:Trojan.Win32.Generic |
BitDefender | Trojan.GenericKD.31076677 |
NANO-Antivirus | Trojan.Win32.Emotet.ffcpnu |
Paloalto | generic.ml |
Tencent | Win32.Trojan.Generic.Aexu |
Ad-Aware | Trojan.GenericKD.31076677 |
Sophos | Mal/Elenoocka-G |
F-Secure | Trojan.GenericKD.31076677 |
DrWeb | Trojan.KillProc.54838 |
Invincea | heuristic |
McAfee-GW-Edition | GenericRXGC-TK!706A3F868151 |
Emsisoft | Trojan.GenericKD.31076677 (B) |
SentinelOne | static engine - malicious |
Cyren | W32/Trojan.WHBD-2909 |
Jiangmin | Trojan.Banker.Emotet.bko |
Webroot | W32.Trojan.GenKD |
Avira | HEUR/AGEN.1034238 |
Fortinet | W32/Tofsee.BJ!tr |
Antiy-AVL | Trojan[Banker]/Win32.Emotet |
Endgame | malicious (high confidence) |
Arcabit | Trojan.Generic.D1DA3145 |
ZoneAlarm | HEUR:Trojan.Win32.Generic |
Microsoft | Trojan:Win32/Occamy.C |
AhnLab-V3 | Malware/Win32.Generic.C2611760 |
VBA32 | TrojanBanker.Emotet |
ALYac | Trojan.GenericKD.31076677 |
Malwarebytes | Trojan.MalPack |
ESET-NOD32 | Win32/TrojanDownloader.Small.AZP |
Rising | Backdoor.Tofsee!8.1E9 (TFE:2:FN6BRQT4x0P) |
Yandex | Trojan.Agent!pTCxDxGr5ak |
Ikarus | Trojan.Agent |
GData | Win32.Packed.Kryptik.KU |
AVG | Win32:Malware-gen |
Panda | Trj/CI.A |
CrowdStrike | malicious_confidence_100% (W) |
Qihoo-360 | HEUR/QVM19.1.69E3.Malware.Gen |
e_magic | MZ |
---|---|
e_cblp | 0x90 |
e_cp | 0x3 |
e_crlc | 0 |
e_cparhdr | 0x4 |
e_minalloc | 0 |
e_maxalloc | 0xffff |
e_ss | 0 |
e_sp | 0xb8 |
e_csum | 0 |
e_ip | 0 |
e_cs | 0 |
e_ovno | 0 |
e_oemid | 0 |
e_oeminfo | 0 |
e_lfanew | 0x80 |
Signature | PE |
---|---|
Machine | IMAGE_FILE_MACHINE_I386 |
NumberofSections | 4 |
TimeDateStamp | 2017-Apr-21 20:58:43 |
PointerToSymbolTable | 0 |
NumberOfSymbols | 0 |
SizeOfOptionalHeader | 0xe0 |
Characteristics | IMAGE_FILE_32BIT_MACHINE, IMAGE_FILE_EXECUTABLE_IMAGE, IMAGE_FILE_RELOCS_STRIPPED |
Magic | PE32 |
---|---|
LinkerVersion | 14.0 |
SizeOfCode | 0x4600 |
SizeOfInitializedData | 0x13e00 |
SizeOfUninitializedData | 0 |
AddressOfEntryPoint | 0x0000116C (Section: .text) |
BaseOfCode | 0x1000 |
BaseOfData | 0x6000 |
ImageBase | 0x400000 |
SectionAlignment | 0x1000 |
FileAlignment | 0x200 |
OperatingSystemVersion | 5.1 |
ImageVersion | 0.0 |
SubsystemVersion | 5.1 |
Win32VersionValue | 0 |
SizeOfImage | 0x1c000 |
SizeOfHeaders | 0x400 |
Checksum | 0 |
Subsystem | IMAGE_SUBSYSTEM_WINDOWS_GUI |
DllCharacteristics | IMAGE_DLLCHARACTERISTICS_NX_COMPAT, IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE |
SizeofStackReserve | 0x100000 |
SizeofStackCommit | 0x1000 |
SizeofHeapReserve | 0x100000 |
SizeofHeapCommit | 0x1000 |
LoaderFlags | 0 |
NumberOfRvaAndSizes | 16 |
Library | Imported functions |
---|---|
comsvcs.dll | CoEnterServiceDomain, SafeRef, RecycleSurrogate, CoCreateActivity |
advapi32.dll | InitializeSid, RegSaveKeyW, RegOpenKeyA, CryptSignHashW, OpenServiceA, RegDeleteValueW, OpenEventLogW, RegUnLoadKeyW, RegCloseKey, RegRestoreKeyA, RegReplaceKeyW |
user32.dll | wsprintfA, GetPropA, PeekMessageA, DispatchMessageW, InsertMenuA, PostMessageA, CharToOemA, IsDialogMessageA, GetDlgItemTextA, DrawStateW, LoadIconW, DialogBoxParamA, IsCharLowerW, LoadCursorA |
kernel32.dll | CreateEventA, GetVersionExW, GetTickCount, GetExitCodeThread, SetLastError, Sleep, GetCommandLineA, GetStartupInfoA, GetEnvironmentVariableA, GetLogicalDriveStringsW, WaitNamedPipeW, CompareStringW, GetModuleHandleA, GetLocalTime, OpenFileMappingA, CopyFileExW, CreateWaitableTimerA, GetFileType, CreateMutexA, HeapCreate, WriteConsoleA, FindResourceA, GetDateFormatW, CreateJobObjectW, LoadLibraryExW, GetSystemDirectoryW, CreateFileMappingW, GetProcAddress, InitializeCriticalSection, LoadLibraryA, DeleteFileW, lstrlen |
shlwapi.dll | UrlCreateFromPathW, UrlGetLocationA, PathCombineA, UrlIsW, UrlIsNoHistoryA, UrlHashA, PathIsRootA, UrlUnescapeA, PathCompactPathA, UrlCompareA, UrlGetPartA, UrlCombineW, UrlCanonicalizeW, UrlEscapeA |
cfgmgr32.dll | CMP_Init_Detection, CM_Add_Empty_Log_Conf, CM_Add_Range |
shell32.dll | ShellAboutA, SHGetFileInfoA, SHGetDesktopFolder, DllGetVersion, SHGetFolderPathW, ShellExecuteA, StrChrA, StrRChrA, SHQueryRecycleBinW, DllGetClassObject, StrStrA |