73100bc95a7963b8779d3de52080930d

Summary

Architecture IMAGE_FILE_MACHINE_AMD64
Subsystem IMAGE_SUBSYSTEM_WINDOWS_CUI
Compilation Date 2021-Jun-28 12:36:29
Detected languages English - United States
Debug artifacts C:\Users\ZABBIX\build-agents-web\zabbix-5.2.7\bin\win64\zabbix_agentd.pdb
CompanyName Zabbix SIA
ProductVersion 5.2.7
FileVersion 5.2.7.91e8333180
InternalName Zabbix
FileDescription zabbix_agentd.exe
LegalCopyright Copyright (C) 2001-2021 Zabbix SIA
ProductName Zabbix

Plugin Output

Suspicious Strings found in the binary may indicate undesirable behavior:
Looks for VMWare presence:
  • vmware
May have dropper capabilities:
  • CurrentControlSet\Services
Accesses the WMI:
  • root\cimv2
Contains domain names:
  • http://gnu.org
  • http://www.openssl.org
  • http://www.openssl.org/
  • http://www.zabbix.com
  • https://support.zabbix.com
  • https://www.zabbix.com
  • https://www.zabbix.com/documentation
  • openssl.org
  • service.info
  • support.zabbix.com
  • www.openssl.org
  • www.zabbix.com
  • zabbix.com
Info Cryptographic algorithms detected in the binary:
Uses constants related to MD5
Uses constants related to SHA1
Uses constants related to SHA256
Uses constants related to SHA512
Uses constants related to AES
Uses constants related to Blowfish
Uses known Diffie-Hellman primes
Microsoft's Cryptography API
Malicious The PE contains functions mostly used by malware.
[!] The program may be hiding some of its imports:
  • LoadLibraryExA
  • LoadLibraryW
  • GetProcAddress
  • LoadLibraryA
  • LoadLibraryExW
Functions which can be used for anti-debugging purposes:
  • CreateToolhelp32Snapshot
Can access the registry:
  • RegSetValueExW
  • RegDeleteKeyW
  • RegCreateKeyExW
  • RegQueryValueExW
  • RegOpenKeyExW
  • RegCloseKey
Possibly launches other programs:
  • CreateProcessW
Uses Microsoft's cryptographic API:
  • CryptReleaseContext
  • CryptGenRandom
  • CryptAcquireContextW
Leverages the raw socket API to access the Internet:
  • accept
  • getservbyname
  • closesocket
  • connect
  • ioctlsocket
  • getpeername
  • bind
  • __WSAFDIsSet
  • getservbyport
  • gethostbyname
  • getsockopt
  • htonl
  • htons
  • inet_addr
  • inet_ntoa
  • listen
  • ntohs
  • WSAStartup
  • recv
  • recvfrom
  • select
  • send
  • sendto
  • setsockopt
  • gethostbyaddr
  • socket
  • WSASetLastError
  • WSACleanup
  • gethostname
  • WSAAddressToStringA
  • WSASocketW
  • WSAGetLastError
  • shutdown
Functions related to the privilege level:
  • OpenProcessToken
Interacts with services:
  • DeleteService
  • CreateServiceW
  • ControlService
  • QueryServiceStatus
  • QueryServiceConfig2W
  • QueryServiceConfigW
  • OpenServiceW
  • OpenSCManagerW
  • EnumServicesStatusExW
Enumerates local disk drives:
  • GetDriveTypeW
  • GetLogicalDriveStringsW
  • GetVolumeInformationW
Manipulates other processes:
  • OpenProcess
  • Process32FirstW
  • Process32NextW
Info The PE is digitally signed. Signer: Zabbix SIA
Issuer: SSL.com Code Signing Intermediate CA RSA R1
Safe VirusTotal score: 0/67 (Scanned on 2021-08-20 13:51:17) All the AVs think this file is safe.

Hashes

MD5 73100bc95a7963b8779d3de52080930d
SHA1 8577374d969a32075f9b63025e3d5d6f1302d869
SHA256 b93dc1115be0839a2024eabf8a4dd2d32659f842d6793b58782fc143845d19b5
SHA3 528097c5cd0c93ec1123329ca0fa2476bfddad56ba98d92aeae2b39257c759f9
SSDeep 49152:uPVwASOeGtlqViIU6icm8ccQCPYqVfyrJlx3i1x5hILuYwqz7773CCuGmqhfSQOh:DF+cddPYCnYbZhjKFj85ykyF
Imports Hash 3cfe1cede2278897cafd987521f12a99

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0x130

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_AMD64
NumberofSections 6
TimeDateStamp 2021-Jun-28 12:36:29
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xf0
Characteristics IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_RELOCS_STRIPPED

Image Optional Header

Magic PE32+
LinkerVersion 14.0
SizeOfCode 0x22ce00
SizeOfInitializedData 0xd8600
SizeOfUninitializedData 0
AddressOfEntryPoint 0x0000000000206FE0 (Section: .text)
BaseOfCode 0x1000
ImageBase 0x140000000
SectionAlignment 0x1000
FileAlignment 0x200
OperatingSystemVersion 5.2
ImageVersion 0.0
SubsystemVersion 5.2
Win32VersionValue 0
SizeOfImage 0x314000
SizeOfHeaders 0x400
Checksum 0x30da1b
Subsystem IMAGE_SUBSYSTEM_WINDOWS_CUI
DllCharacteristics IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
SizeofStackReserve 0x100000
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

.text

MD5 00a17531de443bedc661d136d12fdb7a
SHA1 a21de140cb82b5191cac6d1bcc5a11871b0a03cf
SHA256 eb91039c4c8d5b4173d1c0ed5e1e9527d870a4206c1512bb1dab4567ca515cc4
SHA3 449f5661d5dd6050e939bb559cb507cb0a7016c0c3331ca911c8bb4912abda1c
VirtualSize 0x22ccae
VirtualAddress 0x1000
SizeOfRawData 0x22ce00
PointerToRawData 0x400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
Entropy 6.71459

.rdata

MD5 ea4a96359054886486787a10116cf48d
SHA1 006c9e64be31c94972a57130c5ff0d510aadb964
SHA256 051d079971d805e95db67972e5589bd435dc60236cf0b96bba831f15f094f435
SHA3 d295523ebf5652027612edd1f5623684b5823f0596518992a205844b543448d0
VirtualSize 0xb7db2
VirtualAddress 0x22e000
SizeOfRawData 0xb7e00
PointerToRawData 0x22d200
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 5.72146

.data

MD5 0fd87c419c470968d61ca932e64fd2e6
SHA1 0957205a3417c91e2e9ca8329dc23a8cc80f7b65
SHA256 9c400d7d678f6f7fb439d180abfbcc8e3da84477a0798a473a288560b28c6dc7
SHA3 1fd8b0e8a6c51b27c5520688d6032691f6f9709beee0b7da38a3effaaf6e3e30
VirtualSize 0x164f8
VirtualAddress 0x2e6000
SizeOfRawData 0xbc00
PointerToRawData 0x2e5000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 2.24922

.pdata

MD5 4e2a95ab5377e1c6afa34cc02771f7d1
SHA1 be196f57fb7cc28feda5ac9c0f8e78e08a5944c1
SHA256 18cf598703a3d39681de26016fffa9abf5a75f8bf8799ffff4a616e39a6c6d51
SHA3 4cf08965b7641789b60e03d43e9cc54173bb5728e8a8ade2c1ed973da7b03965
VirtualSize 0x143c4
VirtualAddress 0x2fd000
SizeOfRawData 0x14400
PointerToRawData 0x2f0c00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 6.1982

_RDATA

MD5 a67a5f83800df76eb1416db151207390
SHA1 1fa36eac3532c7c51742daaa7f8a2e3daf025586
SHA256 d491f7ae8e2b4456cc78ff7567e142d9567bcef4d6bf08d9a36974fc4d8feaad
SHA3 99b9ab25191308133a9ce2cda1921c5d637cd17c219e59c37cceb89f9e9121d9
VirtualSize 0x94
VirtualAddress 0x312000
SizeOfRawData 0x200
PointerToRawData 0x305000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 1.42266

.rsrc

MD5 6db6e6adc9dbf121a0a8a29950d27ef0
SHA1 34494a08c5682d1c9ce5f9f3c9605156ec92fd07
SHA256 86f911c20814ac08f12c0cd35a8005d7fc488d99507a52bfb30a1be06d5998f3
SHA3 7a5ca13757f3160bfc5f02a9cb7ec782ed4a82ddea479cb1269a558a42d29047
VirtualSize 0x508
VirtualAddress 0x313000
SizeOfRawData 0x600
PointerToRawData 0x305200
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 4.52872

Imports

WS2_32.dll
accept
getservbyname
closesocket
connect
ioctlsocket
getpeername
bind
__WSAFDIsSet
getservbyport
gethostbyname
getsockopt
htonl
htons
inet_addr
inet_ntoa
listen
ntohs
WSAStartup
recv
recvfrom
select
send
sendto
setsockopt
gethostbyaddr
socket
WSASetLastError
WSACleanup
gethostname
WSAAddressToStringA
WSASocketW
WSAGetLastError
shutdown
PSAPI.DLL
GetModuleFileNameExW
GetProcessMemoryInfo
pdh.dll
PdhMakeCounterPathW
PdhCollectQueryData
PdhValidatePathW
PdhLookupPerfNameByIndexW
PdhEnumObjectsW
PdhCalculateCounterFromRawValue
PdhCloseQuery
PdhRemoveCounter
PdhAddCounterW
PdhOpenQueryW
PdhParseCounterPathW
PdhEnumObjectItemsW
PdhGetRawCounterValue
ADVAPI32.dll
DeregisterEventSource
CryptReleaseContext
CryptGenRandom
ConvertSidToStringSidW
ReadEventLogW
OpenEventLogW
GetOldestEventLogRecord
GetNumberOfEventLogRecords
CloseEventLog
StartServiceW
StartServiceCtrlDispatcherW
SetServiceStatus
RegisterServiceCtrlHandlerW
DeleteService
CreateServiceW
ControlService
ChangeServiceConfig2W
RegSetValueExW
RegDeleteKeyW
RegCreateKeyExW
RegQueryValueExW
RegOpenKeyExW
RegCloseKey
QueryServiceStatus
QueryServiceConfig2W
QueryServiceConfigW
OpenServiceW
OpenSCManagerW
GetServiceKeyNameW
EnumServicesStatusExW
CloseServiceHandle
LookupAccountSidW
GetTokenInformation
OpenProcessToken
ReportEventW
RegisterEventSourceW
CryptAcquireContextW
IPHLPAPI.DLL
GetIpAddrTable
GetIfTable
GetIfEntry
GetTcpTable
DNSAPI.dll
DnsFree
DnsQuery_W
USER32.dll
GetProcessWindowStation
GetUserObjectInformationW
MessageBoxW
ole32.dll
CoCreateInstance
CoInitializeSecurity
CoInitializeEx
CoUninitialize
CoSetProxyBlanket
OLEAUT32.dll
SysAllocString
SysFreeString
SafeArrayGetDim
SafeArrayGetElemsize
SafeArrayGetUBound
SafeArrayGetLBound
VariantChangeType
VariantCopy
VariantClear
VariantInit
SafeArrayGetVartype
SafeArrayGetElement
dbghelp.dll
SymSetOptions
SymGetOptions
SymCleanup
SymInitialize
StackWalk64
KERNEL32.dll
SystemTimeToTzSpecificLocalTime
WriteConsoleW
GetModuleFileNameW
ExitProcess
FindFirstFileExW
GetCommandLineA
GetCommandLineW
HeapFree
OutputDebugStringW
GetStringTypeW
HeapAlloc
HeapReAlloc
CompareStringW
LCMapStringW
FileTimeToSystemTime
GetCurrentDirectoryW
GetConsoleCP
SetEndOfFile
FlushFileBuffers
DeleteFileW
MoveFileExW
GetFileSizeEx
IsValidCodePage
GetACP
GetOEMCP
GetCPInfo
GetEnvironmentStringsW
FreeEnvironmentStringsW
SetEnvironmentVariableW
GetProcessHeap
HeapSize
VirtualProtect
ExitThread
GetTimeZoneInformation
SetStdHandle
SetFilePointerEx
CreateThread
DuplicateHandle
FreeLibraryAndExitThread
SetConsoleCtrlHandler
RaiseException
RtlPcToFileHeader
RtlUnwindEx
VirtualQuery
LoadLibraryExA
WaitForMultipleObjectsEx
IsDebuggerPresent
InitializeSListHead
IsProcessorFeaturePresent
SetUnhandledExceptionFilter
UnhandledExceptionFilter
RtlLookupFunctionEntry
RtlCaptureContext
SystemTimeToFileTime
GetSystemTime
ReadConsoleW
ReadConsoleA
SetConsoleMode
GetConsoleMode
LoadLibraryW
RtlVirtualUnwind
ConvertThreadToFiber
ConvertFiberToThread
GetSystemTimeAsFileTime
CreateFiber
DeleteFiber
SwitchToFiber
WriteFile
GetFileType
GetEnvironmentVariableW
QueryPerformanceCounter
QueryPerformanceFrequency
MultiByteToWideChar
WideCharToMultiByte
lstrcmpiA
VerSetConditionMask
SetHandleInformation
GetLastError
GetSystemDirectoryA
FreeLibrary
GetProcAddress
LoadLibraryA
FormatMessageW
VerifyVersionInfoW
FindClose
FindFirstFileW
FindNextFileW
GetModuleHandleW
CloseHandle
ReleaseMutex
WaitForSingleObject
CreateMutexW
GetCurrentProcessId
QueueUserAPC
GetCurrentThreadId
GetExitCodeThread
GetStdHandle
ReadFile
CreatePipe
PeekNamedPipe
Sleep
TerminateProcess
GetExitCodeProcess
ResumeThread
CreateProcessW
GetStartupInfoW
CreateJobObjectW
AssignProcessToJobObject
TerminateJobObject
CreateFileW
GetFileInformationByHandle
GetCompressedFileSizeW
GetFileAttributesW
GetNativeSystemInfo
FindFirstVolumeW
FindNextVolumeW
FindVolumeClose
GetDiskFreeSpaceExW
GetDriveTypeW
GetLogicalDriveStringsW
GetVolumeInformationW
GetVolumePathNamesForVolumeNameW
GlobalMemoryStatus
GetProcessTimes
OpenProcess
CreateToolhelp32Snapshot
Process32FirstW
Process32NextW
SetEvent
CreateEventW
TerminateThread
GetSystemInfo
GetVersionExW
GetComputerNameW
SleepEx
ExpandEnvironmentStringsW
LoadLibraryExW
LocalFree
GetVolumePathNameW
SetErrorMode
GetCurrentProcess
GetCurrentThread
GetDiskFreeSpaceW
GetFullPathNameW
GetModuleHandleExW
SetLastError
EnterCriticalSection
LeaveCriticalSection
InitializeCriticalSectionAndSpinCount
DeleteCriticalSection
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
wevtapi.dll (delay-loaded)
EvtOpenLog
EvtClose
EvtCreateRenderContext
EvtQuery
EvtOpenPublisherMetadata
EvtGetLogInfo
EvtRender
EvtNext
EvtFormatMessage

Delayed Imports

Attributes 0x1
Name wevtapi.dll
ModuleHandle 0x2f75c0
DelayImportAddressTable 0x2f1ba8
DelayImportNameTable 0x2e40f8
BoundDelayImportTable 0x2e41e0
UnloadDelayImportTable 0
TimeStamp 1970-Jan-01 00:00:00

1

Type RT_MESSAGETABLE
Language English - United States
Codepage Latin 1 / Western European
Size 0x24
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 2.00209
MD5 f88b5e3f13c4597232142a2abc34deb9
SHA1 7fbf73f9621385b245f5c70cd21c19eda10aba1e
SHA256 c4eae15f9c213daa7ea67b88c13cf88bf02646a14c915694d11634ac1ee71e34
SHA3 c6f60ab486fca53ca0f75cf17552f2539832189172a817b67e2f75e116f14f4d

1 (#2)

Type RT_VERSION
Language English - United States
Codepage Latin 1 / Western European
Size 0x2a0
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 3.44853
MD5 45b8fbf44a7e0c37c1af9f3e8ff4b7ad
SHA1 7b5a9ec1354fe72869a681dd9e4d58de3659e71f
SHA256 ae7adecc2272489c9541ece28fa32147df45b141c29a3c68bf13f0df33657a57
SHA3 257ed3f0642caf38614abddea87505480446a15980110ca1699852aba3e16340

1 (#3)

Type RT_MANIFEST
Language English - United States
Codepage Latin 1 / Western European
Size 0x15a
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 4.79597
MD5 24d3b502e1846356b0263f945ddd5529
SHA1 bac45b86a9c48fc3756a46809c101570d349737d
SHA256 49a60be4b95b6d30da355a0c124af82b35000bce8f24f957d1c09ead47544a1e
SHA3 1244ed60820da52dc4b53880ec48e3b587dbdbd9545f01fa2b1c0fcfea1d5e9e

Version Info

Signature 0xfeef04bd
StructVersion 0x10000
FileVersion 5.2.7.2400
ProductVersion 5.2.7.0
FileFlags (EMPTY)
FileOs (EMPTY)
FileType VFT_UNKNOWN
Language English - United States
CompanyName Zabbix SIA
ProductVersion (#2) 5.2.7
FileVersion (#2) 5.2.7.91e8333180
InternalName Zabbix
FileDescription zabbix_agentd.exe
LegalCopyright Copyright (C) 2001-2021 Zabbix SIA
ProductName Zabbix
Resource LangID English - United States

IMAGE_DEBUG_TYPE_CODEVIEW

Characteristics 0
TimeDateStamp 2021-Jun-28 12:36:29
Version 0.0
SizeofData 98
AddressOfRawData 0x2cf49c
PointerToRawData 0x2ce69c
Referenced File C:\Users\ZABBIX\build-agents-web\zabbix-5.2.7\bin\win64\zabbix_agentd.pdb

IMAGE_DEBUG_TYPE_VC_FEATURE

Characteristics 0
TimeDateStamp 2021-Jun-28 12:36:29
Version 0.0
SizeofData 20
AddressOfRawData 0x2cf500
PointerToRawData 0x2ce700

IMAGE_DEBUG_TYPE_POGO

Characteristics 0
TimeDateStamp 2021-Jun-28 12:36:29
Version 0.0
SizeofData 1060
AddressOfRawData 0x2cf514
PointerToRawData 0x2ce714

TLS Callbacks

StartAddressOfRawData 0x1402cf960
EndAddressOfRawData 0x1402cfe51
AddressOfIndex 0x1402fa948
AddressOfCallbacks 0x14022e960
SizeOfZeroFill 0
Characteristics IMAGE_SCN_ALIGN_16BYTES
Callbacks (EMPTY)

Load Configuration

Size 0x138
TimeDateStamp 1970-Jan-01 00:00:00
Version 0.0
GlobalFlagsClear (EMPTY)
GlobalFlagsSet (EMPTY)
CriticalSectionDefaultTimeout 0
DeCommitFreeBlockThreshold 0
DeCommitTotalFreeThreshold 0
LockPrefixTable 0
MaximumAllocationSize 0
VirtualMemoryThreshold 0
ProcessAffinityMask 0
ProcessHeapFlags (EMPTY)
CSDVersion 0
Reserved1 0
EditList 0
SecurityCookie 0x1402f0f78

RICH Header

XOR Key 0x28f6488
Unmarked objects 0
C objects (26715) 12
ASM objects (26715) 8
C++ objects (26715) 192
262 (26715) 1
199 (41118) 6
C objects (VS 2015/2017/2019 runtime 29118) 19
ASM objects (VS 2015/2017/2019 runtime 29118) 10
Unmarked objects (#2) 28
C objects (VS2017 v15.7.5 compiler 26433) 12
C++ objects (VS 2015/2017/2019 runtime 29118) 50
Imports (26715) 23
Total imports 297
C++ objects (VS2019 Update 8 (16.8.2) compiler 29334) 1
C objects (VS2019 Update 8 (16.8.2) compiler 29334) 622
Resource objects (VS2019 Update 8 (16.8.2) compiler 29334) 1
Linker (VS2019 Update 8 (16.8.2) compiler 29334) 1

Errors
