706a3f868151edddffe191ba94b73573

Summary

Architecture IMAGE_FILE_MACHINE_I386
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date 2017-Apr-21 20:58:43
Detected languages Russian - Russia

Plugin Output

Info Libraries used to perform cryptographic operations: Microsoft's Cryptography API
Suspicious The PE is possibly packed. Unusual section name found: gdata
Unusual section name found: .wdata
Suspicious The PE contains functions most legitimate programs don't use. [!] The program may be hiding some of its imports:
  • LoadLibraryExW
  • GetProcAddress
  • LoadLibraryA
Can access the registry:
  • RegSaveKeyW
  • RegOpenKeyA
  • RegDeleteValueW
  • RegUnLoadKeyW
  • RegCloseKey
  • RegRestoreKeyA
  • RegReplaceKeyW
Possibly launches other programs:
  • ShellExecuteA
Uses Microsoft's cryptographic API:
  • CryptSignHashW
Interacts with services:
  • OpenServiceA
Enumerates local disk drives:
  • GetLogicalDriveStringsW
Suspicious The PE is possibly a dropper. Resource 4 is possibly compressed or encrypted.
Resources account for 75.0618% of the executable.
Malicious VirusTotal score: 45/67 (Scanned on 2018-10-28 01:07:30)
MicroWorld-eScan: Trojan.GenericKD.31076677
McAfee: GenericRXGC-TK!706A3F868151
Cylance: Unsafe
K7GW: Riskware ( 0040eff71 )
K7AntiVirus: Riskware ( 0040eff71 )
TrendMicro: TROJ_GEN.F0C2C00GB18
Symantec: Packed.Generic.493
TrendMicro-HouseCall: TROJ_GEN.F0C2C00GB18
Avast: Win32:Malware-gen
Kaspersky: HEUR:Trojan.Win32.Generic
BitDefender: Trojan.GenericKD.31076677
NANO-Antivirus: Trojan.Win32.Emotet.ffcpnu
Paloalto: generic.ml
Tencent: Win32.Trojan.Generic.Aexu
Ad-Aware: Trojan.GenericKD.31076677
Sophos: Mal/Elenoocka-G
F-Secure: Trojan.GenericKD.31076677
DrWeb: Trojan.KillProc.54838
Invincea: heuristic
McAfee-GW-Edition: GenericRXGC-TK!706A3F868151
Emsisoft: Trojan.GenericKD.31076677 (B)
SentinelOne: static engine - malicious
Cyren: W32/Trojan.WHBD-2909
Jiangmin: Trojan.Banker.Emotet.bko
Webroot: W32.Trojan.GenKD
Avira: HEUR/AGEN.1034238
Fortinet: W32/Tofsee.BJ!tr
Antiy-AVL: Trojan[Banker]/Win32.Emotet
Endgame: malicious (high confidence)
Arcabit: Trojan.Generic.D1DA3145
ZoneAlarm: HEUR:Trojan.Win32.Generic
Microsoft: Trojan:Win32/Occamy.C
AhnLab-V3: Malware/Win32.Generic.C2611760
VBA32: TrojanBanker.Emotet
ALYac: Trojan.GenericKD.31076677
Malwarebytes: Trojan.MalPack
ESET-NOD32: Win32/TrojanDownloader.Small.AZP
Rising: Backdoor.Tofsee!8.1E9 (TFE:2:FN6BRQT4x0P)
Yandex: Trojan.Agent!pTCxDxGr5ak
Ikarus: Trojan.Agent
GData: Win32.Packed.Kryptik.KU
AVG: Win32:Malware-gen
Panda: Trj/CI.A
CrowdStrike: malicious_confidence_100% (W)
Qihoo-360: HEUR/QVM19.1.69E3.Malware.Gen

Hashes

MD5 706a3f868151edddffe191ba94b73573
SHA1 2c7c14b4313e4e1c881ab40359f40b128cce6af9
SHA256 554ffb467b1189f6d6ecd4eb4ca9be95634e0de763d1f9d3a8a0573b3b6259f8
SHA3 7faf9fd9dbcc358b7ecde5cb3dbf3090314dac48622b9d7d57e538c8dad6d2f9
SSDeep 1536:KFmuub3EHivMSAtoxsZecMyqSRgsmHnSrm:DAHgMSA+sNT+s+mm
Imports Hash e8913c518e25649287444506b3d9a824

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0x80

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_I386
NumberofSections 4
TimeDateStamp 2017-Apr-21 20:58:43
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xe0
Characteristics IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_RELOCS_STRIPPED

Image Optional Header

Magic PE32
LinkerVersion 14.0
SizeOfCode 0x4600
SizeOfInitializedData 0x13e00
SizeOfUninitializedData 0
AddressOfEntryPoint 0x0000116C (Section: .text)
BaseOfCode 0x1000
BaseOfData 0x6000
ImageBase 0x400000
SectionAlignment 0x1000
FileAlignment 0x200
OperatingSystemVersion 5.1
ImageVersion 0.0
SubsystemVersion 5.1
Win32VersionValue 0
SizeOfImage 0x1c000
SizeOfHeaders 0x400
Checksum 0
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
DllCharacteristics IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
SizeofStackReserve 0x100000
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

.text

MD5 06e5d8791c510e944748adeb89ee1941
SHA1 5e1cb865feb50eefb637aac5c13ee025c9a32b6a
SHA256 3009673915d3b3103f572fc08bc005ee49c00ea1ae292673c3ad95c5c010c027
SHA3 fe5ae6494a8ac871cb066f23ea957475b062e5f86953ea7c1cbc6b2654952dae
VirtualSize 0x44c7
VirtualAddress 0x1000
SizeOfRawData 0x4600
PointerToRawData 0x400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
Entropy 4.40961

gdata

MD5 d662f8816340739adde26d050865c7b3
SHA1 726fe2c569a54dfdfa9c2c31b1254c83d22be30f
SHA256 7788f623871195c91c3a232228cda31aa763b2881a0d3ccb323a802ff1576539
SHA3 6068e38abe21bb33f46fab2615b7003d2e8c2646a4ef896babd31c13d2c3c23a
VirtualSize 0x106c
VirtualAddress 0x6000
SizeOfRawData 0x1200
PointerToRawData 0x4a00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 6.00496

.wdata

MD5 80b82b0e8971a1f1129983303e429cf4
SHA1 f2f5967a316e6008db1a1439dd8cbdf9c3f0cdb0
SHA256 33e961010d29061b1f5e1f22cc73d4636274c05ea9dbc168b22c4737249dd251
SHA3 565eb0ba44c26488f460bebfc1723ead4ed27345685c25dcc6d76aa02c543f14
VirtualSize 0x3c1
VirtualAddress 0x8000
SizeOfRawData 0x400
PointerToRawData 0x5c00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 1.188

.rsrc

MD5 4542a0cfe5f2495fb656b696a55422c0
SHA1 b6f233444cac521275a9f7e11a010327eb9b576d
SHA256 6d0d9d53e8090f433b745a49853a1aa2ca241686139e652e276a9f9e3b1cad71
SHA3 8d0b2c06120bcc1b1b704136a23a6d2a749111a686768726568e61bc69be983d
VirtualSize 0x127be
VirtualAddress 0x9000
SizeOfRawData 0x12800
PointerToRawData 0x6000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 5.70373

Imports

comsvcs.dll CoEnterServiceDomain
SafeRef
RecycleSurrogate
CoCreateActivity
advapi32.dll InitializeSid
RegSaveKeyW
RegOpenKeyA
CryptSignHashW
OpenServiceA
RegDeleteValueW
OpenEventLogW
RegUnLoadKeyW
RegCloseKey
RegRestoreKeyA
RegReplaceKeyW
user32.dll wsprintfA
GetPropA
PeekMessageA
DispatchMessageW
InsertMenuA
PostMessageA
CharToOemA
IsDialogMessageA
GetDlgItemTextA
DrawStateW
LoadIconW
DialogBoxParamA
IsCharLowerW
LoadCursorA
kernel32.dll CreateEventA
GetVersionExW
GetTickCount
GetExitCodeThread
SetLastError
Sleep
GetCommandLineA
GetStartupInfoA
GetEnvironmentVariableA
GetLogicalDriveStringsW
WaitNamedPipeW
CompareStringW
GetModuleHandleA
GetLocalTime
OpenFileMappingA
CopyFileExW
CreateWaitableTimerA
GetFileType
CreateMutexA
HeapCreate
WriteConsoleA
FindResourceA
GetDateFormatW
CreateJobObjectW
LoadLibraryExW
GetSystemDirectoryW
CreateFileMappingW
GetProcAddress
InitializeCriticalSection
LoadLibraryA
DeleteFileW
lstrlen
shlwapi.dll UrlCreateFromPathW
UrlGetLocationA
PathCombineA
UrlIsW
UrlIsNoHistoryA
UrlHashA
PathIsRootA
UrlUnescapeA
PathCompactPathA
UrlCompareA
UrlGetPartA
UrlCombineW
UrlCanonicalizeW
UrlEscapeA
cfgmgr32.dll CMP_Init_Detection
CM_Add_Empty_Log_Conf
CM_Add_Range
shell32.dll ShellAboutA
SHGetFileInfoA
SHGetDesktopFolder
DllGetVersion
SHGetFolderPathW
ShellExecuteA
StrChrA
StrRChrA
SHQueryRecycleBinW
DllGetClassObject
StrStrA

Delayed Imports

Resources

1

Type RT_ICON
Language Russian - Russia
Codepage UNKNOWN
Size 0x10828
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 5.50083
MD5 a41457cb95eb931ec08b27065e5d0d65
SHA1 6008eb4bb60c49c79f3dc3bc1b10d12f16b5ca93
SHA256 551f83f942e8700c9f8c259447099157e585e0b869a6ac0ae62b019dc5eda408
SHA3 1e3776bd81401a50f9289208a206bdb97646a73af567c7c1734557676b80c756

1 (#2)

Type RT_RCDATA
Language UNKNOWN
Codepage UNKNOWN
Size 0x400
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 1.5
MD5 8b8ade541a30e4898eb43e0883b2bbc1
SHA1 7641488e853ff8f3acab684ec39af95ec71cc0dc
SHA256 64b7cd832b98bd2d74eeb45ca50b3cd2f6daae41c83ecc0e3217041ae97d5dd1
SHA3 0efd39966d763487beb385d3df988d59ade06e583014cb5538c1d167398be9ae

2

Type RT_RCDATA
Language UNKNOWN
Codepage UNKNOWN
Size 0x400
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 1.5
MD5 8b8ade541a30e4898eb43e0883b2bbc1
SHA1 7641488e853ff8f3acab684ec39af95ec71cc0dc
SHA256 64b7cd832b98bd2d74eeb45ca50b3cd2f6daae41c83ecc0e3217041ae97d5dd1
SHA3 0efd39966d763487beb385d3df988d59ade06e583014cb5538c1d167398be9ae

3

Type RT_RCDATA
Language UNKNOWN
Codepage UNKNOWN
Size 0x400
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 1.5
MD5 8b8ade541a30e4898eb43e0883b2bbc1
SHA1 7641488e853ff8f3acab684ec39af95ec71cc0dc
SHA256 64b7cd832b98bd2d74eeb45ca50b3cd2f6daae41c83ecc0e3217041ae97d5dd1
SHA3 0efd39966d763487beb385d3df988d59ade06e583014cb5538c1d167398be9ae

4

Type RT_RCDATA
Language UNKNOWN
Codepage UNKNOWN
Size 0x1200
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 7.70502
MD5 eebe4aee02376421a20057aed43844a1
SHA1 58acd8c103ebe03054ff02a658e27bd92628e9ce
SHA256 71204ada1ab3885e6cef7ac9b0179f61e34e0ed99e750441accf32a38f382195
SHA3 bd1b44fa5514a58661146797e56e936fea45b4ffbc015bd11eeb2df78c771569

1 (#3)

Type RT_GROUP_ICON
Language Russian - Russia
Codepage UNKNOWN
Size 0x16
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 1.88538
Detected Filetype Icon file
MD5 f43aae61b1af83513cc1da300f558993
SHA1 d8105628ba1a1955da49c33480572b563e554712
SHA256 10b3a8b08f9d9af527955db7a7947bca19d2f11034848230931941c1be66b98a
SHA3 6fea13118438544f17437a935b6f579c3ee1f0dcbac97e6d12196223b64b91f3

Version Info

TLS Callbacks

Load Configuration

RICH Header

Errors

[*] Warning: Could not read the name of the DLL to be delay-loaded!
[!] Error: directory 5 has a RVA of 0 but a non-null size.