Property | Value | Details |
---|---|---|
Architecture | IMAGE_FILE_MACHINE_I386 | |
Subsystem | IMAGE_SUBSYSTEM_WINDOWS_GUI | |
Compilation Date | 2010-Sep-28 01:00:25 | |
Info | Matching compiler(s): | Microsoft Visual C++ 6.0 DLL (Debug); Microsoft Visual C++ 6.0 DLL; Microsoft Visual C++ |
Suspicious | Strings found in the binary may indicate undesirable behavior: | May have dropper capabilities: |
Suspicious | The PE is packed or was manually edited. | The number of imports reported in the RICH header is inconsistent. |
Suspicious | The PE contains functions most legitimate programs don't use. | [!] The program may be hiding some of its imports: |
Suspicious | The file contains overlay data. | 1 byte of data starting at offset 0x5e00. |
Malicious | VirusTotal score: 59/70 (Scanned on 2024-04-17 04:56:08) | Per-engine detections are listed in the table below. |

Engine | Detection |
---|---|
ALYac | Gen:Variant.Ulise.173672 |
APEX | Malicious |
AVG | Win32:TrojanX-gen [Trj] |
AhnLab-V3 | Trojan/Win32.Xema.C93063 |
Alibaba | Backdoor:Win32/Connapts.eafdbb07 |
Antiy-AVL | Trojan[Backdoor]/Win32.Agent |
Arcabit | Trojan.Ulise.D2A668 |
Avast | Win32:TrojanX-gen [Trj] |
Avira | BDS/Backdoor.Gen |
BitDefender | Gen:Variant.Ulise.173672 |
BitDefenderTheta | Gen:NN.ZedlaF.36802.bq5@aq5eUxk |
Bkav | W32.Common.2A32BB94 |
ClamAV | Win.Trojan.Agent-385568 |
CrowdStrike | win/malicious_confidence_100% (W) |
Cylance | unsafe |
Cynet | Malicious (score: 100) |
DeepInstinct | MALICIOUS |
DrWeb | BackDoor.Siggen.38566 |
ESET-NOD32 | a variant of Win32/Small.NDX |
Emsisoft | Gen:Variant.Ulise.173672 (B) |
F-Secure | Backdoor.BDS/Backdoor.Gen |
FireEye | Generic.mg.84882c9d43e23d63 |
Fortinet | W32/Small.NDX!tr |
GData | Gen:Variant.Ulise.173672 |
Google | Detected |
Ikarus | Trojan.Win32.Small |
Jiangmin | Backdoor/Agent.csty |
K7AntiVirus | Trojan ( 00036ba91 ) |
K7GW | Trojan ( 00036ba91 ) |
Kaspersky | Backdoor.Win32.Agent.gmlh |
Kingsoft | malware.kb.a.1000 |
MAX | malware (ai score=100) |
Malwarebytes | Trojan.Agent.LB |
MaxSecure | Trojan.Malware.2971735.susgen |
McAfee | GenericRXGO-KC!84882C9D43E2 |
MicroWorld-eScan | Gen:Variant.Ulise.173672 |
Microsoft | Trojan:Win32/Connapts |
NANO-Antivirus | Trojan.Win32.MLW.dylhy |
Rising | Backdoor.Agent!8.C5D (TFE:5:cnvQz3sOcPP) |
SUPERAntiSpyware | Backdoor.Bot/Variant |
Sangfor | Suspicious.Win32.Save.ins |
SentinelOne | Static AI - Malicious PE |
Skyhigh | GenericRXGO-KC!84882C9D43E2 |
Sophos | Troj/Small-EVG |
Symantec | ML.Attribute.HighConfidence |
TACHYON | Backdoor/W32.Agent.24065 |
Tencent | Malware.Win32.Gencirc.10bfa4ee |
TrendMicro | TROJ_GEN.R002C0DBA22 |
TrendMicro-HouseCall | TROJ_GEN.R002C0DBA22 |
VBA32 | BScope.Trojan.Tiggre |
VIPRE | Gen:Variant.Ulise.173672 |
Varist | W32/Small.RKJT-5458 |
ViRobot | Backdoor.Win32.A.Agent.24064.B |
VirIT | Trojan.Win32.Generic.CABJ |
Webroot | W32.Malware.Gen |
Xcitium | TrojWare.Win32.Small.dy39@4owfj9 |
Zillya | Backdoor.Agent.Win32.31812 |
ZoneAlarm | Backdoor.Win32.Agent.gmlh |
alibabacloud | Backdoor:Win/Ulise |
DOS header field | Value |
---|---|
e_magic | MZ |
e_cblp | 0x90 |
e_cp | 0x3 |
e_crlc | 0 |
e_cparhdr | 0x4 |
e_minalloc | 0 |
e_maxalloc | 0xffff |
e_ss | 0 |
e_sp | 0xb8 |
e_csum | 0 |
e_ip | 0 |
e_cs | 0 |
e_ovno | 0 |
e_oemid | 0 |
e_oeminfo | 0 |
e_lfanew | 0xe8 |
PE header field | Value |
---|---|
Signature | PE |
Machine | IMAGE_FILE_MACHINE_I386 |
NumberofSections | 4 |
TimeDateStamp | 2010-Sep-28 01:00:25 |
PointerToSymbolTable | 0 |
NumberOfSymbols | 0 |
SizeOfOptionalHeader | 0xe0 |
Characteristics | IMAGE_FILE_32BIT_MACHINE, IMAGE_FILE_DLL, IMAGE_FILE_EXECUTABLE_IMAGE, IMAGE_FILE_LINE_NUMS_STRIPPED, IMAGE_FILE_LOCAL_SYMS_STRIPPED |
Optional header field | Value |
---|---|
Magic | PE32 |
LinkerVersion | 6.0 |
SizeOfCode | 0x4000 |
SizeOfInitializedData | 0xca00 |
SizeOfUninitializedData | 0 |
AddressOfEntryPoint | 0x00004E4D (Section: .text) |
BaseOfCode | 0x1000 |
BaseOfData | 0x5000 |
ImageBase | 0x10000000 |
SectionAlignment | 0x1000 |
FileAlignment | 0x200 |
OperatingSystemVersion | 4.0 |
ImageVersion | 0.0 |
SubsystemVersion | 4.0 |
Win32VersionValue | 0 |
SizeOfImage | 0x13000 |
SizeOfHeaders | 0x400 |
Checksum | 0 |
Subsystem | IMAGE_SUBSYSTEM_WINDOWS_GUI |
SizeofStackReserve | 0x100000 |
SizeofStackCommit | 0x1000 |
SizeofHeapReserve | 0x100000 |
SizeofHeapCommit | 0x1000 |
LoaderFlags | 0 |
NumberOfRvaAndSizes | 16 |
Imported DLL | Imported functions |
---|---|
KERNEL32.dll | GetStartupInfoA, CreatePipe, GetCurrentDirectoryA, CreateProcessA, lstrlenA, SetLastError, OutputDebugStringA, CloseHandle, ReadFile, GetTempPathA, GetLongPathNameA, LoadLibraryA, GetProcAddress, CreateThread, GetSystemTime, WaitForSingleObject, TerminateThread, Sleep, GetLastError, GetModuleFileNameA |
ADVAPI32.dll | OpenServiceA, DeleteService, RegOpenKeyExA, RegQueryValueExA, RegCloseKey, OpenSCManagerA, CreateServiceA, CloseServiceHandle, RegCreateKeyA, RegSetValueExA, RegisterServiceCtrlHandlerA, SetServiceStatus |
WS2_32.dll | inet_addr, WSASocketA, closesocket, connect, ioctlsocket, send, select, __WSAFDIsSet, recv, shutdown, WSAStartup, gethostname, WSACleanup, htons |
WININET.dll | InternetCloseHandle, InternetOpenA, InternetConnectA, HttpOpenRequestA, HttpSendRequestA, HttpQueryInfoA, InternetReadFile |
MSVCRT.dll | _chdir, _strnicmp, _adjust_fdiv, malloc, _initterm, free, ??1type_info@@UAE@XZ, _except_handler3, _CxxThrowException, _stricmp, _EH_prolog, __CxxFrameHandler, strchr, _itoa, strstr, strncat, strlen, sscanf, atol, ??2@YAPAXI@Z, memset, wcstombs, strncpy, strcat, strcpy, atoi, fclose, fflush, ??3@YAXPAX@Z, fwrite, fopen, strrchr |
Export ordinal | Address |
---|---|
1 | 0x4706 |
2 | 0x3196 |
3 | 0x4b18 |
4 | 0x4b0b |
5 | 0x4c2b |
RICH header entry | Value |
---|---|
XOR Key | 0x93f51bde |
Unmarked objects | 0 |
12 (7291) | 4 |
14 (7299) | 2 |
C objects (VS98 build 8168) | 4 |
Unmarked objects (#2) | 9 |
Total imports | 80 |
19 (8034) | 7 |
C++ objects (VS98 build 8168) | 3 |
Linker (VS98 build 8168) | 3 |