7407342cd72aab4a293cfa8248c393f1

Summary

Architecture IMAGE_FILE_MACHINE_AMD64
Subsystem IMAGE_SUBSYSTEM_WINDOWS_CUI
Compilation Date 2017-May-26 09:23:01
Detected languages English - United States

Plugin Output

Info: Matching compiler(s): MASM/TASM - sig1(h)
Malicious: The PE contains functions mostly used by malware.
[!] The program may be hiding some of its imports:
  • LoadLibraryW
  • GetProcAddress
Functions which can be used for anti-debugging purposes:
  • CreateToolhelp32Snapshot
Code injection capabilities:
  • WriteProcessMemory
  • OpenProcess
  • VirtualAllocEx
  • CreateRemoteThread
Code injection capabilities (process hollowing):
  • WriteProcessMemory
  • ResumeThread
  • SetThreadContext
Possibly launches other programs:
  • CreateProcessW
Manipulates other processes:
  • WriteProcessMemory
  • OpenProcess
  • Process32NextW
  • Process32FirstW
  • ReadProcessMemory
Suspicious: VirusTotal score: 1/62 (Scanned on 2017-07-06 16:21:57)
VIPRE: RiskTool.Win32.ProcessPatcher.Nor!cobra (v) (not malicious)

Hashes

MD5 7407342cd72aab4a293cfa8248c393f1
SHA1 dc8fbbb3f30884424c58ccda18deb930c5437f30
SHA256 e0966a1a2e40087c39b59fcd892211bc11bb66902efbc867e0097665a191009c
SHA3 0683fdb26fdf67b974a4700b3d9143c1759d20511c251d12965bab54b6fb0ad4
SSDeep 768:4BzHAkHidWkGnYAGeHfP6d0Ag/SG/gU/yOwC1tH3vIqcZL/Wc3bYF:uzBCxGaeHfyd0AGI5Owi/fYSLF
Imports Hash 313e47fa02e3523b9864f276e2fdb690

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0xf0

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_AMD64
NumberofSections 6
TimeDateStamp 2017-May-26 09:23:01
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xf0
Characteristics IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Image Optional Header

Magic PE32+
LinkerVersion 14.0
SizeOfCode 0x5e00
SizeOfInitializedData 0x5200
SizeOfUninitializedData 0
AddressOfEntryPoint 0x0000000000005C74 (Section: .text)
BaseOfCode 0x1000
ImageBase 0x140000000
SectionAlignment 0x1000
FileAlignment 0x200
OperatingSystemVersion 6.0
ImageVersion 0.0
SubsystemVersion 6.0
Win32VersionValue 0
SizeOfImage 0xf000
SizeOfHeaders 0x400
Checksum 0
Subsystem IMAGE_SUBSYSTEM_WINDOWS_CUI
DllCharacteristics IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
SizeofStackReserve 0x100000
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

.text

MD5 df288a52941b68e6f2c819d4d67fb1d8
SHA1 628e3651e7924f438058bf4c737444660edae039
SHA256 c588333f663c2c18d847ba93f08fff1fe98e69994db085646978ca48172386d1
SHA3 251bc2d339c5c14dcf4d9ceccee0a0cf0c4955a9ca49333f1f09c348d1c14021
VirtualSize 0x5c3f
VirtualAddress 0x1000
SizeOfRawData 0x5e00
PointerToRawData 0x400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
Entropy 6.07801

.rdata

MD5 54256dddf00c418882c13ff1d25751c6
SHA1 5162ff11c94dd00e10a122125d3c434dcfc2a52c
SHA256 50f2f72ed29e8259ef1403381a99ff7d268279439daec5f55bf39ab5694fa62c
SHA3 ad84b53c7302241bb71b26c67f692708a5fb8e54790755caae498ac54fd842fb
VirtualSize 0x3a24
VirtualAddress 0x7000
SizeOfRawData 0x3c00
PointerToRawData 0x6200
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 4.47038

.data

MD5 893b8b7e004438d42f53782997f6d17d
SHA1 dc0e376afe0879618c4cbe5a73d0cc0b3e5fb7d3
SHA256 6ce963d919351d5656325584b93bd33d83df0d413eb49d3f9b1a245c5ddb10fb
SHA3 5bbd9bf793eb05724dc03eceef6d806bd05f44dd1729c17e5a902f566327f191
VirtualSize 0x9b8
VirtualAddress 0xb000
SizeOfRawData 0x400
PointerToRawData 0x9e00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 3.67923

.pdata

MD5 f0f70c0c63a045b6633529600b75f6c3
SHA1 efc9fc1a08666a0e994d099de69a9ed169e4fb75
SHA256 209b3ccc7eb6f1c0c821f1b87cea56658d925b937ac6d0cab19eb1ad4983c423
SHA3 28309d44ff7250593e47c8a8b609b8c7c6506a0d902eca08cabf1e2585687c0e
VirtualSize 0x654
VirtualAddress 0xc000
SizeOfRawData 0x800
PointerToRawData 0xa200
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 3.57553

.rsrc

MD5 44e3d39532c9319314b3e7669556d25a
SHA1 62781e8e72142285145da0e0b84c51e38b6e4cb0
SHA256 82734dc2b49e549f19311dc082c046cb8f3d019d2dab2b1b25fac08f4cc1a306
SHA3 c34360de44e134e645cca7885573b5550929b45e961557e2956406e27fcd167a
VirtualSize 0x1e0
VirtualAddress 0xd000
SizeOfRawData 0x200
PointerToRawData 0xaa00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 4.7015

.reloc

MD5 3f0ef48fec21256303416a775faa24f3
SHA1 e1195fe2a3b3036bde22fb817e5ed6e265b6405c
SHA256 90ddf99c1006455e76bc56b1357bb8e2c7141043ecf0dd266aa0ef45a2528adf
SHA3 68efff11f1ea102b3fa7643bb281db15f34691d029b7012140b507908631c9d4
VirtualSize 0x9c
VirtualAddress 0xe000
SizeOfRawData 0x200
PointerToRawData 0xac00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Entropy 2.1204

Imports

KERNEL32.dll WriteProcessMemory
GetFullPathNameW
Thread32Next
Thread32First
WaitForSingleObject
SuspendThread
ResumeThread
OpenProcess
CreateToolhelp32Snapshot
Process32NextW
Process32FirstW
CloseHandle
LoadLibraryW
QueueUserAPC
GetThreadContext
GetProcAddress
VirtualAllocEx
ReadProcessMemory
CreateProcessW
GetModuleHandleW
CreateRemoteThread
VirtualFreeEx
SetThreadContext
OpenThread
MultiByteToWideChar
IsDebuggerPresent
InitializeSListHead
RtlLookupFunctionEntry
RtlVirtualUnwind
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetCurrentProcess
TerminateProcess
IsProcessorFeaturePresent
QueryPerformanceCounter
GetCurrentProcessId
GetCurrentThreadId
GetSystemTimeAsFileTime
RtlCaptureContext
USER32.dll UnhookWindowsHookEx
SetWindowsHookExW
MSVCP140.dll ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z
?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z
?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ
?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEBA?AVlocale@2@XZ
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ
?unshift@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEAD1AEAPEAD@Z
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z
??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ
??0?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z
?in@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z
?out@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z
??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ
??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ
?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JXZ
?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEAD_J@Z
?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEBD_J@Z
??1?$basic_istream@DU?$char_traits@D@std@@@std@@UEAA@XZ
?read@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@PEAD_J@Z
?seekg@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@_JH@Z
?tellg@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA?AV?$fpos@U_Mbstatet@@@2@XZ
?always_noconv@codecvt_base@std@@QEBA_NXZ
??Bid@locale@std@@QEAA_KXZ
?_Xlength_error@std@@YAXPEBD@Z
?_Fiopen@std@@YAPEAU_iobuf@@PEB_WHH@Z
?id@?$codecvt@DDU_Mbstatet@@@std@@2V0locale@2@A
?_BADOFF@std@@3_JB
?_Xout_of_range@std@@YAXPEBD@Z
?_Xbad_alloc@std@@YAXXZ
?uncaught_exception@std@@YA_NXZ
?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ
?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A
??0_Lockit@std@@QEAA@H@Z
??1_Lockit@std@@QEAA@XZ
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ
VCRUNTIME140.dll memcmp
memcpy
memset
_CxxThrowException
__CxxFrameHandler3
__C_specific_handler
__std_exception_destroy
memmove
__std_exception_copy
__std_type_info_compare
_purecall
__std_terminate
api-ms-win-crt-stdio-l1-1-0.dll setvbuf
__p__commode
_set_fmode
_get_stream_buffer_pointers
_fseeki64
fsetpos
ungetc
fputc
fgetpos
fwrite
fgetc
fclose
fflush
api-ms-win-crt-string-l1-1-0.dll _wcsicmp
api-ms-win-crt-runtime-l1-1-0.dll _exit
_errno
__p___argc
__p___argv
_cexit
_c_exit
_initterm
_get_initial_narrow_environment
exit
_configure_narrow_argv
_initialize_onexit_table
_register_onexit_function
_crt_atexit
terminate
_initialize_narrow_environment
_invalid_parameter_noinfo
_set_app_type
_seh_filter_exe
_invalid_parameter_noinfo_noreturn
_register_thread_local_exe_atexit_callback
_initterm_e
api-ms-win-crt-filesystem-l1-1-0.dll _unlock_file
_lock_file
api-ms-win-crt-heap-l1-1-0.dll free
malloc
_set_new_mode
_callnewh
api-ms-win-crt-math-l1-1-0.dll __setusermatherr
api-ms-win-crt-locale-l1-1-0.dll _configthreadlocale

Delayed Imports

1

Type RT_MANIFEST
Language English - United States
Codepage UNKNOWN
Size 0x17d
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 4.91161
MD5 1e4a89b11eae0fcf8bb5fdd5ec3b6f61
SHA1 4260284ce14278c397aaf6f389c1609b0ab0ce51
SHA256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df
SHA3 4bb9e8b5a714cae82782f3831cc2d45f4bf4a50a755fe584d2d1893129d68353

Version Info

IMAGE_DEBUG_TYPE_POGO

Characteristics 0
TimeDateStamp 2017-May-26 09:23:01
Version 0.0
SizeofData 736
AddressOfRawData 0x84e4
PointerToRawData 0x76e4

IMAGE_DEBUG_TYPE_ILTCG

Characteristics 0
TimeDateStamp 2017-May-26 09:23:01
Version 0.0
SizeofData 0
AddressOfRawData 0
PointerToRawData 0

TLS Callbacks

Load Configuration

Size 0xa0
TimeDateStamp 1970-Jan-01 00:00:00
Version 0.0
GlobalFlagsClear (EMPTY)
GlobalFlagsSet (EMPTY)
CriticalSectionDefaultTimeout 0
DeCommitFreeBlockThreshold 0
DeCommitTotalFreeThreshold 0
LockPrefixTable 0
MaximumAllocationSize 0
VirtualMemoryThreshold 0
ProcessAffinityMask 0
ProcessHeapFlags (EMPTY)
CSDVersion 0
Reserved1 0
EditList 0
SecurityCookie 0x14000b010

RICH Header

XOR Key 0x58ec0f06
Unmarked objects 0
Imports (VS2008 SP1 build 30729) 14
ASM objects (24723) 3
C objects (24723) 13
Imports (24723) 4
C++ objects (24723) 25
Imports (24610) 5
Total imports 156
265 (VS2017 v15.2 compiler 25019) 2
Resource objects (VS2017 v15.2 compiler 25019) 1
Linker (VS2017 v15.2 compiler 25019) 1

Errors
