Architecture | IMAGE_FILE_MACHINE_AMD64 |
---|---|
Subsystem | IMAGE_SUBSYSTEM_WINDOWS_CUI |
Compilation Date | 2021-Jun-28 12:36:29 |
Detected languages | English - United States |
Debug artifacts | C:\Users\ZABBIX\build-agents-web\zabbix-5.2.7\bin\win64\zabbix_agentd.pdb |
CompanyName | Zabbix SIA |
ProductVersion | 5.2.7 |
FileVersion | 5.2.7.91e8333180 |
InternalName | Zabbix |
FileDescription | zabbix_agentd.exe |
LegalCopyright | Copyright (C) 2001-2021 Zabbix SIA |
ProductName | Zabbix |
Suspicious | Strings found in the binary may indicate undesirable behavior: | Looks for VMWare presence: |
Info | Cryptographic algorithms detected in the binary: | Uses constants related to MD5; Uses constants related to SHA1; Uses constants related to SHA256; Uses constants related to SHA512; Uses constants related to AES; Uses constants related to Blowfish; Uses known Diffie-Hellman primes; Microsoft's Cryptography API |
Malicious | The PE contains functions mostly used by malware. | [!] The program may be hiding some of its imports: |
Info | The PE is digitally signed. | Signer: Zabbix SIA; Issuer: SSL.com Code Signing Intermediate CA RSA R1 |
Safe | VirusTotal score: 0/67 (Scanned on 2021-08-20 13:51:17) | All the AVs think this file is safe. |
e_magic | MZ |
---|---|
e_cblp | 0x90 |
e_cp | 0x3 |
e_crlc | 0 |
e_cparhdr | 0x4 |
e_minalloc | 0 |
e_maxalloc | 0xffff |
e_ss | 0 |
e_sp | 0xb8 |
e_csum | 0 |
e_ip | 0 |
e_cs | 0 |
e_ovno | 0 |
e_oemid | 0 |
e_oeminfo | 0 |
e_lfanew | 0x130 |
Signature | PE |
---|---|
Machine | IMAGE_FILE_MACHINE_AMD64 |
NumberofSections | 6 |
TimeDateStamp | 2021-Jun-28 12:36:29 |
PointerToSymbolTable | 0 |
NumberOfSymbols | 0 |
SizeOfOptionalHeader | 0xf0 |
Characteristics | IMAGE_FILE_EXECUTABLE_IMAGE, IMAGE_FILE_LARGE_ADDRESS_AWARE, IMAGE_FILE_RELOCS_STRIPPED |
Magic | PE32+ |
---|---|
LinkerVersion | 14.0 |
SizeOfCode | 0x22ce00 |
SizeOfInitializedData | 0xd8600 |
SizeOfUninitializedData | 0 |
AddressOfEntryPoint | 0x0000000000206FE0 (Section: .text) |
BaseOfCode | 0x1000 |
ImageBase | 0x140000000 |
SectionAlignment | 0x1000 |
FileAlignment | 0x200 |
OperatingSystemVersion | 5.2 |
ImageVersion | 0.0 |
SubsystemVersion | 5.2 |
Win32VersionValue | 0 |
SizeOfImage | 0x314000 |
SizeOfHeaders | 0x400 |
Checksum | 0x30da1b |
Subsystem | IMAGE_SUBSYSTEM_WINDOWS_CUI |
DllCharacteristics | IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA, IMAGE_DLLCHARACTERISTICS_NX_COMPAT, IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE |
SizeofStackReserve | 0x100000 |
SizeofStackCommit | 0x1000 |
SizeofHeapReserve | 0x100000 |
SizeofHeapCommit | 0x1000 |
LoaderFlags | 0 |
NumberOfRvaAndSizes | 16 |
WS2_32.dll | accept, getservbyname, closesocket, connect, ioctlsocket, getpeername, bind, __WSAFDIsSet, getservbyport, gethostbyname, getsockopt, htonl, htons, inet_addr, inet_ntoa, listen, ntohs, WSAStartup, recv, recvfrom, select, send, sendto, setsockopt, gethostbyaddr, socket, WSASetLastError, WSACleanup, gethostname, WSAAddressToStringA, WSASocketW, WSAGetLastError, shutdown |
---|---|
PSAPI.DLL | GetModuleFileNameExW, GetProcessMemoryInfo |
pdh.dll | PdhMakeCounterPathW, PdhCollectQueryData, PdhValidatePathW, PdhLookupPerfNameByIndexW, PdhEnumObjectsW, PdhCalculateCounterFromRawValue, PdhCloseQuery, PdhRemoveCounter, PdhAddCounterW, PdhOpenQueryW, PdhParseCounterPathW, PdhEnumObjectItemsW, PdhGetRawCounterValue |
ADVAPI32.dll | DeregisterEventSource, CryptReleaseContext, CryptGenRandom, ConvertSidToStringSidW, ReadEventLogW, OpenEventLogW, GetOldestEventLogRecord, GetNumberOfEventLogRecords, CloseEventLog, StartServiceW, StartServiceCtrlDispatcherW, SetServiceStatus, RegisterServiceCtrlHandlerW, DeleteService, CreateServiceW, ControlService, ChangeServiceConfig2W, RegSetValueExW, RegDeleteKeyW, RegCreateKeyExW, RegQueryValueExW, RegOpenKeyExW, RegCloseKey, QueryServiceStatus, QueryServiceConfig2W, QueryServiceConfigW, OpenServiceW, OpenSCManagerW, GetServiceKeyNameW, EnumServicesStatusExW, CloseServiceHandle, LookupAccountSidW, GetTokenInformation, OpenProcessToken, ReportEventW, RegisterEventSourceW, CryptAcquireContextW |
IPHLPAPI.DLL | GetIpAddrTable, GetIfTable, GetIfEntry, GetTcpTable |
DNSAPI.dll | DnsFree, DnsQuery_W |
USER32.dll | GetProcessWindowStation, GetUserObjectInformationW, MessageBoxW |
ole32.dll | CoCreateInstance, CoInitializeSecurity, CoInitializeEx, CoUninitialize, CoSetProxyBlanket |
OLEAUT32.dll | SysAllocString, SysFreeString, SafeArrayGetDim, SafeArrayGetElemsize, SafeArrayGetUBound, SafeArrayGetLBound, VariantChangeType, VariantCopy, VariantClear, VariantInit, SafeArrayGetVartype, SafeArrayGetElement |
dbghelp.dll | SymSetOptions, SymGetOptions, SymCleanup, SymInitialize, StackWalk64 |
KERNEL32.dll | SystemTimeToTzSpecificLocalTime, WriteConsoleW, GetModuleFileNameW, ExitProcess, FindFirstFileExW, GetCommandLineA, GetCommandLineW, HeapFree, OutputDebugStringW, GetStringTypeW, HeapAlloc, HeapReAlloc, CompareStringW, LCMapStringW, FileTimeToSystemTime, GetCurrentDirectoryW, GetConsoleCP, SetEndOfFile, FlushFileBuffers, DeleteFileW, MoveFileExW, GetFileSizeEx, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableW, GetProcessHeap, HeapSize, VirtualProtect, ExitThread, GetTimeZoneInformation, SetStdHandle, SetFilePointerEx, CreateThread, DuplicateHandle, FreeLibraryAndExitThread, SetConsoleCtrlHandler, RaiseException, RtlPcToFileHeader, RtlUnwindEx, VirtualQuery, LoadLibraryExA, WaitForMultipleObjectsEx, IsDebuggerPresent, InitializeSListHead, IsProcessorFeaturePresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, RtlLookupFunctionEntry, RtlCaptureContext, SystemTimeToFileTime, GetSystemTime, ReadConsoleW, ReadConsoleA, SetConsoleMode, GetConsoleMode, LoadLibraryW, RtlVirtualUnwind, ConvertThreadToFiber, ConvertFiberToThread, GetSystemTimeAsFileTime, CreateFiber, DeleteFiber, SwitchToFiber, WriteFile, GetFileType, GetEnvironmentVariableW, QueryPerformanceCounter, QueryPerformanceFrequency, MultiByteToWideChar, WideCharToMultiByte, lstrcmpiA, VerSetConditionMask, SetHandleInformation, GetLastError, GetSystemDirectoryA, FreeLibrary, GetProcAddress, LoadLibraryA, FormatMessageW, VerifyVersionInfoW, FindClose, FindFirstFileW, FindNextFileW, GetModuleHandleW, CloseHandle, ReleaseMutex, WaitForSingleObject, CreateMutexW, GetCurrentProcessId, QueueUserAPC, GetCurrentThreadId, GetExitCodeThread, GetStdHandle, ReadFile, CreatePipe, PeekNamedPipe, Sleep, TerminateProcess, GetExitCodeProcess, ResumeThread, CreateProcessW, GetStartupInfoW, CreateJobObjectW, AssignProcessToJobObject, TerminateJobObject, CreateFileW, GetFileInformationByHandle, GetCompressedFileSizeW, GetFileAttributesW, GetNativeSystemInfo, FindFirstVolumeW, FindNextVolumeW, FindVolumeClose, GetDiskFreeSpaceExW, GetDriveTypeW, GetLogicalDriveStringsW, GetVolumeInformationW, GetVolumePathNamesForVolumeNameW, GlobalMemoryStatus, GetProcessTimes, OpenProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetEvent, CreateEventW, TerminateThread, GetSystemInfo, GetVersionExW, GetComputerNameW, SleepEx, ExpandEnvironmentStringsW, LoadLibraryExW, LocalFree, GetVolumePathNameW, SetErrorMode, GetCurrentProcess, GetCurrentThread, GetDiskFreeSpaceW, GetFullPathNameW, GetModuleHandleExW, SetLastError, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree |
wevtapi.dll (delay-loaded) | EvtOpenLog, EvtClose, EvtCreateRenderContext, EvtQuery, EvtOpenPublisherMetadata, EvtGetLogInfo, EvtRender, EvtNext, EvtFormatMessage |
Attributes | 0x1 |
---|---|
Name | wevtapi.dll |
ModuleHandle | 0x2f75c0 |
DelayImportAddressTable | 0x2f1ba8 |
DelayImportNameTable | 0x2e40f8 |
BoundDelayImportTable | 0x2e41e0 |
UnloadDelayImportTable | 0 |
TimeStamp | 1970-Jan-01 00:00:00 |
Signature | 0xfeef04bd |
---|---|
StructVersion | 0x10000 |
FileVersion | 5.2.7.2400 |
ProductVersion | 5.2.7.0 |
FileFlags | (EMPTY) |
FileOs | (EMPTY) |
FileType | VFT_UNKNOWN |
Language | English - United States |
CompanyName | Zabbix SIA |
ProductVersion (#2) | 5.2.7 |
FileVersion (#2) | 5.2.7.91e8333180 |
InternalName | Zabbix |
FileDescription | zabbix_agentd.exe |
LegalCopyright | Copyright (C) 2001-2021 Zabbix SIA |
ProductName | Zabbix |
Resource LangID | English - United States |
---|---|
Characteristics | 0 |
---|---|
TimeDateStamp | 2021-Jun-28 12:36:29 |
Version | 0.0 |
SizeofData | 98 |
AddressOfRawData | 0x2cf49c |
PointerToRawData | 0x2ce69c |
Referenced File | C:\Users\ZABBIX\build-agents-web\zabbix-5.2.7\bin\win64\zabbix_agentd.pdb |
Characteristics | 0 |
---|---|
TimeDateStamp | 2021-Jun-28 12:36:29 |
Version | 0.0 |
SizeofData | 20 |
AddressOfRawData | 0x2cf500 |
PointerToRawData | 0x2ce700 |
Characteristics | 0 |
---|---|
TimeDateStamp | 2021-Jun-28 12:36:29 |
Version | 0.0 |
SizeofData | 1060 |
AddressOfRawData | 0x2cf514 |
PointerToRawData | 0x2ce714 |
StartAddressOfRawData | 0x1402cf960 |
---|---|
EndAddressOfRawData | 0x1402cfe51 |
AddressOfIndex | 0x1402fa948 |
AddressOfCallbacks | 0x14022e960 |
SizeOfZeroFill | 0 |
Characteristics | IMAGE_SCN_ALIGN_16BYTES |
Callbacks | (EMPTY) |
Size | 0x138 |
---|---|
TimeDateStamp | 1970-Jan-01 00:00:00 |
Version | 0.0 |
GlobalFlagsClear | (EMPTY) |
GlobalFlagsSet | (EMPTY) |
CriticalSectionDefaultTimeout | 0 |
DeCommitFreeBlockThreshold | 0 |
DeCommitTotalFreeThreshold | 0 |
LockPrefixTable | 0 |
MaximumAllocationSize | 0 |
VirtualMemoryThreshold | 0 |
ProcessAffinityMask | 0 |
ProcessHeapFlags | (EMPTY) |
CSDVersion | 0 |
Reserved1 | 0 |
EditList | 0 |
SecurityCookie | 0x1402f0f78 |
XOR Key | 0x28f6488 |
---|---|
Unmarked objects | 0 |
C objects (26715) | 12 |
ASM objects (26715) | 8 |
C++ objects (26715) | 192 |
262 (26715) | 1 |
199 (41118) | 6 |
C objects (VS 2015/2017/2019 runtime 29118) | 19 |
ASM objects (VS 2015/2017/2019 runtime 29118) | 10 |
Unmarked objects (#2) | 28 |
C objects (VS2017 v15.7.5 compiler 26433) | 12 |
C++ objects (VS 2015/2017/2019 runtime 29118) | 50 |
Imports (26715) | 23 |
Total imports | 297 |
C++ objects (VS2019 Update 8 (16.8.2) compiler 29334) | 1 |
C objects (VS2019 Update 8 (16.8.2) compiler 29334) | 622 |
Resource objects (VS2019 Update 8 (16.8.2) compiler 29334) | 1 |
Linker (VS2019 Update 8 (16.8.2) compiler 29334) | 1 |