| Architecture |
IMAGE_FILE_MACHINE_I386
|
|---|---|
| Subsystem |
IMAGE_SUBSYSTEM_WINDOWS_CUI
|
| Compilation Date | 2011-Jan-19 16:10:41 |
| Suspicious | PEiD Signature: |
UPX V2.00-V2.90 -> Markus Oberhumer & Laszlo Molnar & John Reiser
UPX v2.0 -> Markus, Laszlo & Reiser (h) UPX 2.00-3.0X -> Markus Oberhumer & Laszlo Molnar & John Reiser UPX -> www.upx.sourceforge.net UPX V2.00-V2.90 -> Markus Oberhumer & Laszlo Molnar & John Reiser UPX 2.00-3.0X -> Markus Oberhumer & Laszlo Molnar & John Reiser |
| Suspicious | The PE is packed with UPX |
Unusual section name found: UPX0
Section UPX0 is both writable and executable. Unusual section name found: UPX1 Section UPX1 is both writable and executable. Unusual section name found: UPX2 The PE only has 9 import(s). |
| Suspicious | The PE contains functions most legitimate programs don't use. |
[!] The program may be hiding some of its imports:
|
| Malicious | VirusTotal score: 40/65 (Scanned on 2017-10-03 13:58:49) |
nProtect:
Trojan/W32.Agent.3072.PM
CAT-QuickHeal: Trojan.Dynamer!ac McAfee: Generic.ait Cylance: Unsafe VIPRE: Trojan.Win32.Generic!BT TheHacker: Posible_Worm32 Invincea: heuristic Baidu: Win32.Trojan-Clicker.Agent.ad Symantec: Trojan.Gen.2 ESET-NOD32: Win32/TrojanClicker.Agent.NVM TrendMicro-HouseCall: TROJ_GEN.R08JC0OF817 Paloalto: generic.ml ClamAV: Win.Trojan.Agent-709658 NANO-Antivirus: Trojan.Win32.RP.cwxtpf Avast: Win32:Malware-gen Rising: Trojan.Clicker-Agent!8.13 (CLOUD) Comodo: UnclassifiedMalware DrWeb: Trojan.Click3.12740 Zillya: Trojan.Agent.Win32.549706 TrendMicro: TROJ_GEN.R08JC0OF817 McAfee-GW-Edition: Generic.ait Cyren: W32/Trojan.UCOC-9169 Jiangmin: Trojan.Generic.fxlq Webroot: Avira: TR/Downloader.Gen Antiy-AVL: Trojan/Win32.SGeneric Kingsoft: Win32.Malware.Heur_Generic.A.(kcloud) Endgame: malicious (moderate confidence) AegisLab: Troj.Downloader.Gen!c GData: Win32.Trojan.Agent.JV4OJM AhnLab-V3: Trojan/Win32.StartPage.C26214 ALYac: Trojan.Startpage.3072 AVware: Trojan.Win32.Generic!BT Tencent: Win32.Trojan.Downloader.Dyzr Yandex: Trojan.CL.Agent!SYJ1YyE/ZV4 Ikarus: Trojan.Win32.TrojanClicker Fortinet: W32/Agent.NVM!tr AVG: Win32:Malware-gen CrowdStrike: malicious_confidence_90% (W) Qihoo-360: HEUR/Malware.QVM11.Gen |
| e_magic | MZ |
|---|---|
| e_cblp | 0x90 |
| e_cp | 0x3 |
| e_crlc | 0 |
| e_cparhdr | 0x4 |
| e_minalloc | 0 |
| e_maxalloc | 0xffff |
| e_ss | 0 |
| e_sp | 0xb8 |
| e_csum | 0 |
| e_ip | 0 |
| e_cs | 0 |
| e_ovno | 0 |
| e_oemid | 0 |
| e_oeminfo | 0 |
| e_lfanew | 0xe0 |
| Signature | PE |
|---|---|
| Machine |
IMAGE_FILE_MACHINE_I386
|
| NumberofSections | 3 |
| TimeDateStamp | 2011-Jan-19 16:10:41 |
| PointerToSymbolTable | 0 |
| NumberOfSymbols | 0 |
| SizeOfOptionalHeader | 0xe0 |
| Characteristics |
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_RELOCS_STRIPPED
|
| Magic | PE32 |
|---|---|
| LinkerVersion | 6.0 |
| SizeOfCode | 0x1000 |
| SizeOfInitializedData | 0x1000 |
| SizeOfUninitializedData | 0x4000 |
| AddressOfEntryPoint | 0x5410 (Section: UPX1) |
| BaseOfCode | 0x5000 |
| BaseOfData | 0x6000 |
| ImageBase | 0x400000 |
| SectionAlignment | 0x1000 |
| FileAlignment | 0x200 |
| OperatingSystemVersion | 4.0 |
| ImageVersion | 0.0 |
| SubsystemVersion | 4.0 |
| Win32VersionValue | 0 |
| SizeOfImage | 0x7000 |
| SizeOfHeaders | 0x1000 |
| Checksum | 0 |
| Subsystem |
IMAGE_SUBSYSTEM_WINDOWS_CUI
|
| DllCharacteristics | (EMPTY) |
| SizeofStackReserve | 0x100000 |
| SizeofStackCommit | 0x1000 |
| SizeofHeapReserve | 0x100000 |
| SizeofHeapCommit | 0x1000 |
| LoaderFlags | 0 |
| NumberOfRvaAndSizes | 16 |
| KERNEL32.DLL |
LoadLibraryA
GetProcAddress VirtualProtect VirtualAlloc VirtualFree ExitProcess |
|---|---|
| ADVAPI32.dll |
CreateServiceA
|
| MSVCRT.dll |
exit
|
| WININET.dll |
InternetOpenA
|