Architecture | IMAGE_FILE_MACHINE_I386
Subsystem | IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date | 2020-Sep-22 07:28:29
Detected languages | English - United States
TLS Callbacks | 2 callback(s) detected.
CompanyName | ProjectHax
FileDescription | phBot - Silkroad Online Bot
FileVersion | 16.3.3.0
InternalName | phBot.exe
LegalCopyright | Copyright (C) 2020 ProjectHax
OriginalFilename | phBot.exe
ProductName | phBot
ProductVersion | 16.3.3.0
Suspicious | The PE is packed with UPX
  Unusual section name found: .qtmetad
  Unusual section name found: .upx0
  Unusual section name found: .upx1
Suspicious | The PE contains functions most legitimate programs don't use.
  [!] The program may be hiding some of its imports:
  - LoadLibraryA
  - GetProcAddress
  Leverages the raw socket API to access the Internet:
Info | The PE is digitally signed.
  Signer: ProjectHax
  Issuer: ProjectHax
Suspicious | VirusTotal score: 1/69 (Scanned on 2020-10-01 10:34:32)
  Bkav: W32.AIDetectVM.malware1

MD5 | 743da7083c658814132c26b92e70d727
SHA1 | dd46e1051c0d555db2704a1b716dc6afc94cff8e
SHA256 | 467b35269e1bcb9120a50b3eec318d49da176e9c7d8592548d4e9abc886f907d
SHA3 | fbf930ab058494c317c532874568da37575d4ef8246dda0d84ca645db1aa7de6
SSDeep | 786432:twTehlAHEaigAVDc8T/Lg7zqA7+PTl6IO:twTePAHWHVDcG4zqA70l6
Imports Hash | c7013cd1e030b28da730b01f3d92b31b

e_magic | MZ
e_cblp | 0x90
e_cp | 0x3
e_crlc | 0
e_cparhdr | 0x4
e_minalloc | 0
e_maxalloc | 0xffff
e_ss | 0
e_sp | 0xb8
e_csum | 0
e_ip | 0
e_cs | 0
e_ovno | 0
e_oemid | 0
e_oeminfo | 0
e_lfanew | 0x80

Signature | PE
Machine | IMAGE_FILE_MACHINE_I386
NumberofSections | 8
TimeDateStamp | 2020-Sep-22 07:28:29
PointerToSymbolTable | 0
NumberOfSymbols | 0
SizeOfOptionalHeader | 0xe0
Characteristics | IMAGE_FILE_32BIT_MACHINE, IMAGE_FILE_EXECUTABLE_IMAGE, IMAGE_FILE_LARGE_ADDRESS_AWARE, IMAGE_FILE_RELOCS_STRIPPED

Magic | PE32
LinkerVersion | 12.0
SizeOfCode | 0xa78800
SizeOfInitializedData | 0x722a00
SizeOfUninitializedData | 0
AddressOfEntryPoint | 0x02593C62 (Section: .upx1)
BaseOfCode | 0x1000
BaseOfData | 0xa7a000
ImageBase | 0x400000
SectionAlignment | 0x1000
FileAlignment | 0x200
OperatingSystemVersion | 5.1
ImageVersion | 0.0
SubsystemVersion | 5.1
Win32VersionValue | 0
SizeOfImage | 0x4119000
SizeOfHeaders | 0x400
Checksum | 0x1c641a8
Subsystem | IMAGE_SUBSYSTEM_WINDOWS_GUI
DllCharacteristics | IMAGE_DLLCHARACTERISTICS_NX_COMPAT, IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
SizeofStackReserve | 0x100000
SizeofStackCommit | 0x1000
SizeofHeapReserve | 0x100000
SizeofHeapCommit | 0x1000
LoaderFlags | 0
NumberOfRvaAndSizes | 16

MD5 | d41d8cd98f00b204e9800998ecf8427e
SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA3 | a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a
VirtualSize | 0xa78731
VirtualAddress | 0x1000
SizeOfRawData | 0
PointerToRawData | 0
PointerToRelocations | 0
PointerToLineNumbers | 0
NumberOfLineNumbers | 0
NumberOfRelocations | 0
Characteristics | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_READ

MD5 | d41d8cd98f00b204e9800998ecf8427e
SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA3 | a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a
VirtualSize | 0x648cfa
VirtualAddress | 0xa7a000
SizeOfRawData | 0
PointerToRawData | 0
PointerToRelocations | 0
PointerToLineNumbers | 0
NumberOfLineNumbers | 0
NumberOfRelocations | 0
Characteristics | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_READ

MD5 | d41d8cd98f00b204e9800998ecf8427e
SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA3 | a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a
VirtualSize | 0x69324
VirtualAddress | 0x10c3000
SizeOfRawData | 0
PointerToRawData | 0
PointerToRelocations | 0
PointerToLineNumbers | 0
NumberOfLineNumbers | 0
NumberOfRelocations | 0
Characteristics | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

MD5 | d41d8cd98f00b204e9800998ecf8427e
SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA3 | a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a
VirtualSize | 0x238
VirtualAddress | 0x112d000
SizeOfRawData | 0
PointerToRawData | 0
PointerToRelocations | 0
PointerToLineNumbers | 0
NumberOfLineNumbers | 0
NumberOfRelocations | 0
Characteristics | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_SHARED

MD5 | d41d8cd98f00b204e9800998ecf8427e
SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA3 | a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a
VirtualSize | 0x2
VirtualAddress | 0x112e000
SizeOfRawData | 0
PointerToRawData | 0
PointerToRelocations | 0
PointerToLineNumbers | 0
NumberOfLineNumbers | 0
NumberOfRelocations | 0
Characteristics | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

MD5 | d41d8cd98f00b204e9800998ecf8427e
SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA3 | a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a
VirtualSize | 0x1387bb3
VirtualAddress | 0x112f000
SizeOfRawData | 0
PointerToRawData | 0
PointerToRelocations | 0
PointerToLineNumbers | 0
NumberOfLineNumbers | 0
NumberOfRelocations | 0
Characteristics | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_READ

MD5 | 85130a93649d14119ec8b0a58365bc5f
SHA1 | 9b10f3f43dbcfcfc7658eb0f676a200f3cec3702
SHA256 | d37c2645794deb883069b7419607f71650876671fd2b5717da6da81cd4da43fc
SHA3 | 77e9c08f3859ffff59b03f09e67a89759caec5e64efa302691f3b3bd32fa7394
VirtualSize | 0x1c60b00
VirtualAddress | 0x24b7000
SizeOfRawData | 0x1c60c00
PointerToRawData | 0x400
PointerToRelocations | 0
PointerToLineNumbers | 0
NumberOfLineNumbers | 0
NumberOfRelocations | 0
Characteristics | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_READ
Entropy | 7.998

MD5 | d5797e7c56df40c9914a853a9df90bf2
SHA1 | d23832409e835070da49d10ce393b50361935699
SHA256 | 90e054e8e9b858f86434d325c8e1a17576dd6a0974f945cb78cd2931c6582a11
SHA3 | 83fdbbdfcf9d74ed05d63ed14b431f2dbf58d61ba61c92751f438772453b4aa2
VirtualSize | 0xff6
VirtualAddress | 0x4118000
SizeOfRawData | 0x1000
PointerToRawData | 0x1c61000
PointerToRelocations | 0
PointerToLineNumbers | 0
NumberOfLineNumbers | 0
NumberOfRelocations | 0
Characteristics | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Entropy | 4.52596

WS2_32.dll | #7
IPHLPAPI.DLL | GetAdaptersAddresses
WINMM.dll | PlaySoundW
PSAPI.DLL | EmptyWorkingSet
VERSION.dll | GetFileVersionInfoW
WINTRUST.dll | WinVerifyTrust
python34.dll | PyList_SetItem
KERNEL32.dll | GetVersionExW
USER32.dll | IsChild
GDI32.dll | OffsetRgn
ADVAPI32.dll | InitializeAcl
SHELL32.dll | SHGetMalloc
ole32.dll | CoTaskMemAlloc
OLEAUT32.dll | #6
MSVCP120.dll | ?do_get@?$num_get@DV?$istreambuf_iterator@DU?$char_traits@D@std@@@std@@@std@@MBE?AV?$istreambuf_iterator@DU?$char_traits@D@std@@@2@V32@0AAVios_base@2@AAHAAO@Z
MSVCR120.dll | _calloc_crt
VCOMP120.DLL | omp_set_num_threads
IMM32.dll | ImmGetDefaultIMEWnd
WTSAPI32.dll | WTSSendMessageW
KERNEL32.dll (#2) | GetVersionExW
USER32.dll (#2) | IsChild
KERNEL32.dll (#3) | GetVersionExW
USER32.dll (#3) | IsChild

Ordinal | 1
Address | 0x29ea8e

Ordinal | 2
Address | 0x120e22

Ordinal | 3
Address | 0x120e35

Type | RT_ICON
Language | English - United States
Codepage | UNKNOWN
Size | 0x8a8
TimeDateStamp | 1980-Jan-01 00:00:00
Entropy | 3.78511
MD5 | 56274d50e58603d1111397e28b2ada7d
SHA1 | 3429a8a3622a05a99d576181ba3c98689eae0323
SHA256 | 624fc2a89f560cb16570560710d0971a2db392b7a738f9cad8f0173eff4fc122
SHA3 | fc9848c5e6234be7644074db3f36008517babce399026237394bb3bdca2ac113

Type | RT_GROUP_ICON
Language | English - United States
Codepage | UNKNOWN
Size | 0x14
TimeDateStamp | 1980-Jan-01 00:00:00
Entropy | 1.81924
Detected Filetype | Icon file
MD5 | cbee427fa121aba9b9b265ff05de5383
SHA1 | 24fcae33001c8e0f5ec795c6edf076a69d59589f
SHA256 | 494e4fd717fa1ee0c5c7bb3b4e28fdab4b7f6e95b4f9865f5ab86f03f62ae62c
SHA3 | a3fa35d56632275ba55716a4964f02031270f61f06a903fc460ac2dd6bebde85

Type | RT_VERSION
Language | English - United States
Codepage | UNKNOWN
Size | 0x2dc
TimeDateStamp | 1980-Jan-01 00:00:00
Entropy | 3.45111
MD5 | dc2656666593bac7a06efe4eb50e39e0
SHA1 | 1ab8a82c0f3491323d78ec3f5f166e84b0d93239
SHA256 | ad1c8dfaa099d872a59a21fa15a994e9539ce2defe910a2488f3981a7f820cda
SHA3 | 9f16ffecd3ed42a6b0593f39a81904ed4f8936136422d92bb287f53028938ada

Type | RT_MANIFEST
Language | English - United States
Codepage | UNKNOWN
Size | 0x32e
TimeDateStamp | 1980-Jan-01 00:00:00
Entropy | 5.11233
MD5 | 103c3fbfd46c7d0efb572638e07b25cb
SHA1 | 2fb02823962f9ca3422da336dc40c09707f04b06
SHA256 | 00447479ea051af4f7de70eedfca5c6433e44830d3215549b4f8a4f7e85808a1
SHA3 | 8d0d1069540c3f598e8abb403092119135ff19e0fdf6af05ff8e60494b08c0e0

Signature | 0xfeef04bd
StructVersion | 0x10000
FileVersion | 16.3.3.0
ProductVersion | 16.3.3.0
FileFlags | (EMPTY)
FileOs | VOS_DOS_WINDOWS32, VOS_NT, VOS_NT_WINDOWS32, VOS_WINCE, VOS__WINDOWS32
FileType | VFT_APP
Language | English - United States
CompanyName | ProjectHax
FileDescription | phBot - Silkroad Online Bot
FileVersion (#2) | 16.3.3.0
InternalName | phBot.exe
LegalCopyright | Copyright (C) 2020 ProjectHax
OriginalFilename | phBot.exe
ProductName | phBot
ProductVersion (#2) | 16.3.3.0
Resource LangID | English - United States

StartAddressOfRawData | 0x44839cc
EndAddressOfRawData | 0x44839cd
AddressOfIndex | 0x152c150
AddressOfCallbacks | 0x44839cd
SizeOfZeroFill | 0
Characteristics | IMAGE_SCN_ALIGN_1BYTES
Callbacks | 0x028DEF48, 0x00C9E040

Size | 0x48
TimeDateStamp | 1970-Jan-01 00:00:00
Version | 0.0
GlobalFlagsClear | (EMPTY)
GlobalFlagsSet | (EMPTY)
CriticalSectionDefaultTimeout | 0
DeCommitFreeBlockThreshold | 0
DeCommitTotalFreeThreshold | 0
LockPrefixTable | 0
MaximumAllocationSize | 0
VirtualMemoryThreshold | 0
ProcessAffinityMask | 0
ProcessHeapFlags | (EMPTY)
CSDVersion | 0
Reserved1 | 0
EditList | 0
SecurityCookie | 0x14cae80
SEHandlerTable | 0x4510e50
SEHandlerCount | 6955

[*] Warning: Section .text has a size of 0!
[*] Warning: Section .rdata has a size of 0!
[*] Warning: Section .data has a size of 0!
[*] Warning: Section .qtmetad has a size of 0!
[*] Warning: Section .tls has a size of 0!
[*] Warning: Section .upx0 has a size of 0!
[*] Warning: 1 invalid export(s) not shown.