8363436878404da0ae3e46991e355b83

Summary

Architecture IMAGE_FILE_MACHINE_I386
Subsystem IMAGE_SUBSYSTEM_WINDOWS_CUI
Compilation Date 2011-Jan-19 16:10:41

Plugin Output

Suspicious PEiD Signature:
UPX V2.00-V2.90 -> Markus Oberhumer & Laszlo Molnar & John Reiser
UPX v2.0 -> Markus, Laszlo & Reiser (h)
UPX 2.00-3.0X -> Markus Oberhumer & Laszlo Molnar & John Reiser
UPX -> www.upx.sourceforge.net
UPX V2.00-V2.90 -> Markus Oberhumer & Laszlo Molnar & John Reiser
UPX 2.00-3.0X -> Markus Oberhumer & Laszlo Molnar & John Reiser
Suspicious The PE is packed with UPX
Unusual section name found: UPX0
Section UPX0 is both writable and executable.
Unusual section name found: UPX1
Section UPX1 is both writable and executable.
Unusual section name found: UPX2
The PE only has 9 import(s).
Suspicious The PE contains functions most legitimate programs don't use.
[!] The program may be hiding some of its imports:
  • LoadLibraryA
  • GetProcAddress
Memory manipulation functions often used by packers:
  • VirtualProtect
  • VirtualAlloc
Has Internet access capabilities:
  • InternetOpenA
Interacts with services:
  • CreateServiceA
Malicious VirusTotal score: 44/70 (Scanned on 2019-02-06 12:03:53)
CAT-QuickHeal: Trojan.Dynamer!ac
McAfee: Generic.ait
Cylance: Unsafe
Invincea: heuristic
Baidu: Win32.Trojan-Clicker.Agent.ad
Symantec: Trojan.Gen.2
TrendMicro-HouseCall: TROJ_GEN.R002C0CHI18
Paloalto: generic.ml
ClamAV: Win.Malware.Agent-6350563-0
NANO-Antivirus: Trojan.Win32.RP.cwxtpf
Avast: Win32:Malware-gen
Tencent: Win32.Trojan.Downloader.Dyzr
Comodo: Malware@#22epuiwih8vym
F-Secure: Trojan.TR/Downloader.Gen
DrWeb: Trojan.Click3.12740
Zillya: Trojan.Agent.Win32.549706
TrendMicro: TROJ_GEN.R002C0CHI18
McAfee-GW-Edition: Generic.ait
Trapmine: malicious.high.ml.score
TheHacker: Posible_Worm32
Cyren: W32/GenBl.83634368!Olympus
Jiangmin: Trojan.Generic.fxlq
Webroot:
Avira: TR/Downloader.Gen
Fortinet: W32/Agent.NVM!tr
Antiy-AVL: Trojan/Win32.SGeneric
Kingsoft: Win32.Malware.Heur_Generic.A.(kcloud)
Endgame: malicious (moderate confidence)
Microsoft: Trojan:Win32/Dynamer!ac
Sophos: Mal/Generic-S
AhnLab-V3: Trojan/Win32.StartPage.C26214
Acronis: suspicious
VBA32: Trojan.Click
ALYac: Trojan.Startpage.3072
MAX: malware (ai score=98)
ESET-NOD32: Win32/TrojanClicker.Agent.NVM
Rising: Trojan.Clicker-Agent!8.13 (CLOUD)
Yandex: Trojan.CL.Agent!SYJ1YyE/ZV4
Ikarus: Trojan.Win32.TrojanClicker
GData: Win32.Trojan.Agent.JV4OJM
AVG: Win32:Malware-gen
Cybereason: malicious.cbcb77
CrowdStrike: malicious_confidence_100% (W)
Qihoo-360: HEUR/Malware.QVM11.Gen

Hashes

MD5 8363436878404da0ae3e46991e355b83
SHA1 5a016facbcb77e2009a01ea5c67b39af209c3fcb
SHA256 c876a332d7dd8da331cb8eee7ab7bf32752834d4b2b54eaa362674a2a48f64a6
SHA3 90d0ce9fc80f299d134bc0ac67b1b2931565587a8c99d00f2ccabcf720ebf7f6
SSDeep 48:atUKzxRhvlNZEVtfbn4m3ZUJSSeJY8JTaIcLoBgs:0UKXktfb4KOJzcK
Imports Hash 096aa05b8a2e1f2dc66fc73a1a978a7b

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0xe0

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_I386
NumberofSections 3
TimeDateStamp 2011-Jan-19 16:10:41
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xe0
Characteristics IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_RELOCS_STRIPPED

Image Optional Header

Magic PE32
LinkerVersion 6.0
SizeOfCode 0x1000
SizeOfInitializedData 0x1000
SizeOfUninitializedData 0x4000
AddressOfEntryPoint 0x00005410 (Section: UPX1)
BaseOfCode 0x5000
BaseOfData 0x6000
ImageBase 0x400000
SectionAlignment 0x1000
FileAlignment 0x200
OperatingSystemVersion 4.0
ImageVersion 0.0
SubsystemVersion 4.0
Win32VersionValue 0
SizeOfImage 0x7000
SizeOfHeaders 0x1000
Checksum 0
Subsystem IMAGE_SUBSYSTEM_WINDOWS_CUI
SizeofStackReserve 0x100000
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

UPX0

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA3 a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a
VirtualSize 0x4000
VirtualAddress 0x1000
SizeOfRawData 0
PointerToRawData 0x400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

UPX1

MD5 ad0f236c2b34f1031486c8cc4803a908
SHA1 bd7ea516ea0f96cc57d5b7c008db3de3a2f6d0f5
SHA256 ac4fe158d7fbb3b8bdea75cbb8459d9b8d2faedcdb50a3a30d563a1c76366e7c
SHA3 019186b62dc01e505f6db65644b94effec6c5b37613e0728ba95a7dac7d70ae5
VirtualSize 0x1000
VirtualAddress 0x5000
SizeOfRawData 0x600
PointerToRawData 0x400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 7.06718

UPX2

MD5 f998d25f473e69cc89bf43af3102beea
SHA1 cdc7c68f02e81c18e9d40b6e94e4e40038ce80e5
SHA256 17e519e58fbf915862e673b8f108f7b8994f3cc503b63496ca677383abc358ca
SHA3 54cb54cd617c76deda5e1604c2778ef12544fea8bd58b79898e2939ee1ff298e
VirtualSize 0x1000
VirtualAddress 0x6000
SizeOfRawData 0x200
PointerToRawData 0xa00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 2.7978

Imports

KERNEL32.DLL
  LoadLibraryA
  GetProcAddress
  VirtualProtect
  VirtualAlloc
  VirtualFree
  ExitProcess
ADVAPI32.dll
  CreateServiceA
MSVCRT.dll
  exit
WININET.dll
  InternetOpenA

Delayed Imports

Version Info

TLS Callbacks

Load Configuration

RICH Header

XOR Key 0xdc0ba0a7
Unmarked objects 0
C objects (VS98 build 8168) 11
14 (7299) 1
Linker (VS98 build 8168) 2
Unmarked objects (#2) 4
Total imports 27
19 (8034) 5
C++ objects (VS98 build 8168) 2

Errors

[*] Warning: Section UPX0 has a size of 0!