7d67ce19947d890dd2515d9ade051f2d

Summary

Architecture IMAGE_FILE_MACHINE_AMD64
Subsystem IMAGE_SUBSYSTEM_NATIVE
Compilation Date 2016-Sep-27 16:51:39
Detected languages Chinese - PRC
English - United States
Debug artifacts E:\temp\trunk\output\LcScience64.pdb
FileVersion 0.4.0.130
LegalCopyright Copyright (C) 2016
ProductVersion 0.4.0.130

Plugin Output

Suspicious The PE is possibly packed. Section INIT is both writable and executable.
Malicious The PE contains functions mostly used by malware. Functions which can be used for anti-debugging purposes:
  • DbgPrint
  • ZwQuerySystemInformation
Uses Windows's Native API:
  • ZwClose
  • ZwOpenKey
  • ZwQueryValueKey
  • ZwQueryInformationProcess
  • ZwCreateFile
  • ZwQueryInformationFile
  • ZwCreateSection
  • ZwMapViewOfSection
  • ZwUnmapViewOfSection
  • ZwQuerySystemInformation
  • ZwQueryInformationToken
  • ZwOpenProcessTokenEx
  • ZwAllocateVirtualMemory
Functions related to the privilege level:
  • ZwOpenProcessTokenEx
Info The PE is digitally signed. Signer: Baidu (China) Co.
Issuer: GlobalSign CodeSigning CA - G2
Malicious VirusTotal score: 16/68 (Scanned on 2019-12-10 11:18:16)
McAfee: Artemis!7D67CE19947D
Zillya: Adware.Agent.Win32.134536
Sangfor: Malware
Alibaba: AdWare:Win32/Agent.bce74585
Kaspersky: not-a-virus:AdWare.Win32.Agent.kdbv
TrendMicro: PUA_JUZIHAO.component
McAfee-GW-Edition: Artemis!PUP
Jiangmin: Trojan/IE.startpage.b
Webroot: Pua.Gen
Antiy-AVL: Trojan/Win32.TGeneric
ZoneAlarm: not-a-virus:AdWare.Win32.Agent.kdbv
VBA32: AdWare.Agent
MAX: malware (ai score=93)
TrendMicro-HouseCall: PUA_JUZIHAO.component
Fortinet: Riskware/JUZIHAO
Qihoo-360: Trojan.Generic

Hashes

MD5 7d67ce19947d890dd2515d9ade051f2d
SHA1 2dc6ca6975acd6b28ae658a21dabe8e0d6634273
SHA256 a19457ae6baf065c98aa05b85b50f815871b5dd2e4797f2ada865e12c0204bfc
SHA3 d6fd57b5e099f898fef27c07c838f7e1acfa503d9401629a5dae3bdd46095aee
SSDeep 1536:/joJ5N7QiJuORQhHbfQTKw45uqMfESHJg8LiV:/jGfuR7fzlS28LiV
Imports Hash 2c917dc7c3d818cc9a03f1a023aa31ca

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0xf0

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_AMD64
NumberofSections 7
TimeDateStamp 2016-Sep-27 16:51:39
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xf0
Characteristics IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Image Optional Header

Magic PE32+
LinkerVersion 12.3
SizeOfCode 0x8600
SizeOfInitializedData 0x2000
SizeOfUninitializedData 0
AddressOfEntryPoint 0x000000000000D000 (Section: INIT)
BaseOfCode 0x1000
ImageBase 0x140000000
SectionAlignment 0x1000
FileAlignment 0x200
OperatingSystemVersion 6.3
ImageVersion 6.3
SubsystemVersion 6.1
Win32VersionValue 0
SizeOfImage 0x10000
SizeOfHeaders 0x400
Checksum 0x16a94
Subsystem IMAGE_SUBSYSTEM_NATIVE
DllCharacteristics IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
SizeofStackReserve 0x100000
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

.text

MD5 b55eb185f69f0c43ea7ac9d8ca7e764c
SHA1 2b1af6e5096f2ff120e0bd262820a2dbc8554942
SHA256 0facd4574c4ce8f0cb24230a38ebaac8df5d7c0d4ef23ca89fc5b21bead907c5
SHA3 8d530eb7acb13ed4ba25c507e5e18e2907a73bc0c98832201734f2f2769a510b
VirtualSize 0x7b1d
VirtualAddress 0x1000
SizeOfRawData 0x7c00
PointerToRawData 0x400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_NOT_PAGED
IMAGE_SCN_MEM_READ
Entropy 6.40196

.rdata

MD5 9623eee6d8c8a5ee148a643f4c0c0c5e
SHA1 f9c74811ba3f4ec3fec955ae9dd6e14c7f67f079
SHA256 b1024d508c3b0581e21938c739ec574a1994fe16a291387c3c2d274c95fd062f
SHA3 86a0aaa950c757c0b5add639a4229d8749dc7a21bcbfdd4f26683c9c6f635a2c
VirtualSize 0x1194
VirtualAddress 0x9000
SizeOfRawData 0x1200
PointerToRawData 0x8000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_NOT_PAGED
IMAGE_SCN_MEM_READ
Entropy 5.12486

.data

MD5 1cbf6173cbd3ae4213f9f24eba058ec3
SHA1 a92c9564f8050125444a94d01dbaa659c2c0ffb9
SHA256 96a54ca47223258f3ae8c97f2266d9b2a06126ca4da81d3f5a63b5596ec90839
SHA3 2c21049c08f12166a7083c7d045d61a2016d3b32102fba8881b290f7837a41a5
VirtualSize 0x358
VirtualAddress 0xb000
SizeOfRawData 0x200
PointerToRawData 0x9200
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_NOT_PAGED
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 2.26165

.pdata

MD5 6bff65745fd931daf3ac58afe4290197
SHA1 519ab5e9401f2f348aef88f2e2b5bd21a30af39a
SHA256 7311e09b2c822c3bc3de3871749316866b5bb3ecac0a3080e823930c7a4c318c
SHA3 f7de644f30fe578a09729335c6e9e7052de01c4846ec1a7be12900dca519ba81
VirtualSize 0x5d0
VirtualAddress 0xc000
SizeOfRawData 0x600
PointerToRawData 0x9400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_NOT_PAGED
IMAGE_SCN_MEM_READ
Entropy 4.3165

INIT

MD5 18492e14caa1d7f080c9ede5c5cebd00
SHA1 7fa503859416dedd4e94c7e23a8d2cce13671163
SHA256 32b7691f77c0223fd5995829cb8d917da7d7e08eb5c1e8ec587a4f7bcc22095f
SHA3 0a603266b1d028082f63053f20a41c1b864d5e1006d9b09f0badb4687f0c3923
VirtualSize 0x848
VirtualAddress 0xd000
SizeOfRawData 0xa00
PointerToRawData 0x9a00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 4.63988

.rsrc

MD5 55819a23657f2e0ab45ddcf84751e7b6
SHA1 635055ff13aa3239945cca55ce1fb5df0e07e6c4
SHA256 7e3e3518dfd106caea83526a1a81e59527ace533a25119252291d2cfd42f7344
SHA3 9168b6b4640fbc3333f05d0b7984f393785aa942115db072d544ac35e37ae915
VirtualSize 0x1f8
VirtualAddress 0xe000
SizeOfRawData 0x200
PointerToRawData 0xa400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Entropy 2.95332

.reloc

MD5 f5271afaef5b5d059bededc6cc75c425
SHA1 40a424819acdd0b418a777265a95801412a745e4
SHA256 ce4ad00a85dca178ec1f49fad7e1062c90e3e01be810b381e6feaf98ab565189
SHA3 ff039cabbfa37a35b599de1cb7eafdf570ad4795b6d1321dcd09fb6698417201
VirtualSize 0x10
VirtualAddress 0xf000
SizeOfRawData 0x200
PointerToRawData 0xa600
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Entropy 0.13873

Imports

ntoskrnl.exe
KeInitializeEvent
ExAllocatePool
ExFreePoolWithTag
ExAcquireFastMutex
ExReleaseFastMutex
__C_specific_handler
_local_unwind
_wcslwr
ZwClose
_wcsicmp
KeSetEvent
KeWaitForSingleObject
IoAllocateWorkItem
IoFreeWorkItem
IoQueueWorkItem
_stricmp
RtlInitUnicodeString
ExAllocatePoolWithTag
IofCompleteRequest
IoCreateDevice
IoCreateSymbolicLink
IoDeleteDevice
IoDeleteSymbolicLink
ObfDereferenceObject
ZwOpenKey
ZwQueryValueKey
PsSetCreateProcessNotifyRoutine
PsGetCurrentProcessId
PsLookupProcessByProcessId
PsGetProcessImageFileName
RtlAnsiStringToUnicodeString
RtlUnicodeStringToAnsiString
RtlFreeUnicodeString
RtlFreeAnsiString
RtlCopyUnicodeString
DbgPrint
IoCreateFile
ObReferenceObjectByHandle
MmIsAddressValid
IoQueryFileDosDeviceName
ObOpenObjectByPointer
ZwQueryInformationProcess
IoFileObjectType
tolower
CmRegisterCallback
ObQueryNameString
wcsncpy
RtlGetVersion
KeInitializeMutex
KeReleaseMutex
ZwCreateFile
ZwQueryInformationFile
ZwCreateSection
ZwMapViewOfSection
ZwUnmapViewOfSection
PsSetLoadImageNotifyRoutine
PsRemoveLoadImageNotifyRoutine
ZwQuerySystemInformation
ZwQueryInformationToken
ZwOpenProcessTokenEx
ZwAllocateVirtualMemory
PsGetProcessSessionId
KeStackAttachProcess
KeUnstackDetachProcess
KeBugCheckEx

Delayed Imports

1

Type RT_VERSION
Language Chinese - PRC
Codepage UNKNOWN
Size 0x194
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 3.26644
MD5 28708887f22072dec2b9c1a0578616a9
SHA1 442eb19b9f3a6a3b9e4df7eeb67ecc33d6cd1b1d
SHA256 feff78d9dffc7db54fa1a2c42f569607b9dd1b7a1b036a6b0672258ee9f3af68
SHA3 4291ccb0284b7880ef95303ed1d8a1b8898e618f031d58126ce51cec34bfbfea

Version Info

Signature 0xfeef04bd
StructVersion 0x10000
FileVersion 0.4.0.130
ProductVersion 0.4.0.130
FileFlags (EMPTY)
FileOs VOS_DOS_WINDOWS32
VOS_NT
VOS_NT_WINDOWS32
VOS_WINCE
VOS__WINDOWS32
FileType VFT_UNKNOWN
Language English - United States
FileVersion (#2) 0.4.0.130
LegalCopyright Copyright (C) 2016
ProductVersion (#2) 0.4.0.130
Resource LangID Chinese - PRC

IMAGE_DEBUG_TYPE_CODEVIEW

Characteristics 0
TimeDateStamp 2016-Sep-27 16:51:39
Version 0.0
SizeofData 61
AddressOfRawData 0x96f4
PointerToRawData 0x86f4
Referenced File E:\temp\trunk\output\LcScience64.pdb

TLS Callbacks

Load Configuration

Size 0x94
TimeDateStamp 1970-Jan-01 00:00:00
Version 0.0
GlobalFlagsClear (EMPTY)
GlobalFlagsSet (EMPTY)
CriticalSectionDefaultTimeout 0
DeCommitFreeBlockThreshold 0
DeCommitTotalFreeThreshold 0
LockPrefixTable 0
MaximumAllocationSize 0
VirtualMemoryThreshold 0
ProcessAffinityMask 0
ProcessHeapFlags (EMPTY)
CSDVersion 0
Reserved1 0
EditList 0
SecurityCookie 0x14000b1c8

RICH Header

XOR Key 0xc40369bb
Unmarked objects 0
Total imports 84
Imports (VS2008 SP1 build 30729) 3
C objects (VS2008 SP1 build 30729) 2
ASM objects (VS2008 SP1 build 30729) 3
C objects (65501) 4
ASM objects (65501) 1
C objects (VS2013 UPD4 build 31101) 14
Resource objects (VS2013 build 21005) 1
Linker (VS2013 UPD4 build 31101) 1

Errors