85a1a2dc2792676839346db8df07d413

Summary

Architecture IMAGE_FILE_MACHINE_I386
Subsystem IMAGE_SUBSYSTEM_WINDOWS_CUI
Compilation Date 2018-Apr-22 21:54:50
Detected languages English - United States

Plugin Output

Info Matching compiler(s): Microsoft Visual C++ 6.0 - 8.0
Malicious The file headers were tampered with. The RICH header checksum is invalid.
Info The PE contains common functions which appear in legitimate applications. [!] The program may be hiding some of its imports:
  • LoadLibraryA
  • GetProcAddress
  • LoadLibraryExW
Suspicious The file contains overlay data. 875 bytes of data starting at offset 0x34000.
Suspicious VirusTotal score: 2/66 (Scanned on 2018-05-22 10:53:55)
  • Invincea: heuristic
  • TrendMicro-HouseCall: Suspicious_GEN.F47V0508

Hashes

MD5 85a1a2dc2792676839346db8df07d413
SHA1 c79a1f333c828b698a3e3f0742a6771f1ac1033c
SHA256 933f8a1dbf16142f604c22ed47ba095ae7b34c19634b9d323d23f963a5100a3a
SHA3 21c2c3d077bfefe1344d5c05aa0bebabbcfc3acf75f681c8ee20495dd65724fa
SSDeep 6144:aTLxENm2eK7mnoUSgpAY8ODcDcm7cIsBV2G07YXd1Q2AOH29:aTh0GuYw2A9
Imports Hash 5542aa7d7f66388b2c332212712c4470

DOS Header

e_magic MZ
e_cblp 0xe8
e_cp 0
e_crlc 0x5b00
e_cparhdr 0xc381
e_minalloc 0x6d9
e_maxalloc 0
e_ss 0xc353
e_sp 0
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0x100

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_I386
NumberofSections 5
TimeDateStamp 2018-Apr-22 21:54:50
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xe0
Characteristics IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL
IMAGE_FILE_EXECUTABLE_IMAGE

Image Optional Header

Magic PE32
LinkerVersion 14.0
SizeOfCode 0x21c00
SizeOfInitializedData 0x12e00
SizeOfUninitializedData 0
AddressOfEntryPoint 0x000086AC (Section: .text)
BaseOfCode 0x1000
BaseOfData 0x23000
ImageBase 0x10000000
SectionAlignment 0x1000
FileAlignment 0x200
OperatingSystemVersion 6.0
ImageVersion 0.0
SubsystemVersion 6.0
Win32VersionValue 0
SizeOfImage 0x38000
SizeOfHeaders 0x400
Checksum 0
Subsystem IMAGE_SUBSYSTEM_WINDOWS_CUI
DllCharacteristics IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
SizeofStackReserve 0x100000
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

.text

MD5 98956a03ee64d1c17a2284503331b441
SHA1 874307f00047af8e11bcff541beebf25873e9614
SHA256 065903b8f6ac679546e73e5b19c61d7f070c1f8d37c1d8b2149ad3a6be8e91b9
SHA3 0ab90c69ab0e3cf386dda2d7793ac170e7b97ed743a795e6782d154b7fab29ef
VirtualSize 0x21bcc
VirtualAddress 0x1000
SizeOfRawData 0x21c00
PointerToRawData 0x400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
Entropy 6.66344

.rdata

MD5 0f901bcf36269acc92158514f12e135f
SHA1 35e775b1f6da45bf6e26d56d1a234c90c3f0c1af
SHA256 d6eb6d20f073d3783bccc32f4871aad0d7c619843d5dcf1c85610520d05e41e1
SHA3 ae29140b87d9f18f41b059254e3c67ebe17c74774f8119e0139bd028eb1a93a9
VirtualSize 0xe92c
VirtualAddress 0x23000
SizeOfRawData 0xea00
PointerToRawData 0x22000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 5.64083

.data

MD5 9b609dcb44eb790c6b2101772e3ba011
SHA1 320e869947df6dea13ddf89f56bd3e456f540e1b
SHA256 5672827ba649ac670b4a70777a9bb81a577df4ac100ec66820accd9f2fd9cd74
SHA3 7225e1a1086c240e0d78f6fcd26647c1185e659f4fddb7a817e7a9adbcbc8628
VirtualSize 0x1f34
VirtualAddress 0x32000
SizeOfRawData 0x1200
PointerToRawData 0x30a00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 4.30932

.rsrc

MD5 8cb8f26a87e3cca59046dfd7477b7d02
SHA1 681d0c8da566297a7626f4bf877c2cc2b256f477
SHA256 499b7af1eb867aa3342b4294e540b2c9ffae71f3ea73b4f77838f86ad1ac718f
SHA3 ecdfb088ba4d6a7ad6aa0e6839ade3d627a405626dd961f9a8dd718ae1d34fe6
VirtualSize 0x1e0
VirtualAddress 0x34000
SizeOfRawData 0x200
PointerToRawData 0x31c00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 4.72473

.reloc

MD5 cc51c1c341d404188afbd6c307fb1961
SHA1 7df6a9a0bf7ee39ad603a34bf23618bf6742b5bf
SHA256 a1fb1badfe1b35ef7cd2d79617217d68e5d6979fc925ce344124b72bc65c9b7a
SHA3 098c5367f5b518305064ca9d5a5170ee5e976bd1867b7cabb95e20dff36ab90a
VirtualSize 0x2164
VirtualAddress 0x35000
SizeOfRawData 0x2200
PointerToRawData 0x31e00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Entropy 6.52749

Imports

KERNEL32.dll AddVectoredExceptionHandler
WaitForSingleObject
Sleep
ExitProcess
GetEnvironmentVariableA
SetEnvironmentVariableA
GetCurrentProcessId
GetModuleHandleA
VirtualProtect
LoadLibraryA
CreateThread
CreateFileW
HeapSize
ReadConsoleW
SetStdHandle
FreeEnvironmentStringsW
GetEnvironmentStringsW
GetCommandLineW
WideCharToMultiByte
GetLastError
EnterCriticalSection
LeaveCriticalSection
DeleteCriticalSection
MultiByteToWideChar
EncodePointer
DecodePointer
SetLastError
InitializeCriticalSectionAndSpinCount
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
GetSystemTimeAsFileTime
GetModuleHandleW
GetProcAddress
LCMapStringW
GetLocaleInfoW
GetStringTypeW
GetCPInfo
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetCurrentProcess
TerminateProcess
IsProcessorFeaturePresent
QueryPerformanceCounter
GetCurrentThreadId
InitializeSListHead
IsDebuggerPresent
GetStartupInfoW
RaiseException
RtlUnwind
InterlockedFlushSList
FreeLibrary
LoadLibraryExW
HeapAlloc
HeapFree
HeapReAlloc
GetModuleHandleExW
GetModuleFileNameA
GetACP
GetStdHandle
GetFileType
IsValidLocale
GetUserDefaultLCID
EnumSystemLocalesW
GetProcessHeap
CloseHandle
FlushFileBuffers
WriteFile
GetConsoleCP
GetConsoleMode
ReadFile
SetFilePointerEx
FindClose
FindFirstFileExA
FindNextFileA
IsValidCodePage
GetOEMCP
GetCommandLineA
WriteConsoleW
USER32.dll ShowWindow
SendMessageA
EnumWindows
MessageBoxA
EnumChildWindows
GetWindowThreadProcessId

Delayed Imports

Resources

2

Type RT_MANIFEST
Language English - United States
Codepage UNKNOWN
Size 0x17d
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 4.91161
MD5 1e4a89b11eae0fcf8bb5fdd5ec3b6f61
SHA1 4260284ce14278c397aaf6f389c1609b0ab0ce51
SHA256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df
SHA3 4bb9e8b5a714cae82782f3831cc2d45f4bf4a50a755fe584d2d1893129d68353

Version Info

Debug Info

IMAGE_DEBUG_TYPE_POGO

Characteristics 0
TimeDateStamp 2018-Apr-22 21:54:50
Version 0.0
SizeofData 744
AddressOfRawData 0x2fcd8
PointerToRawData 0x2ecd8

TLS Callbacks

Load Configuration

Size 0xa0
TimeDateStamp 1970-Jan-01 00:00:00
Version 0.0
GlobalFlagsClear (EMPTY)
GlobalFlagsSet (EMPTY)
CriticalSectionDefaultTimeout 0
DeCommitFreeBlockThreshold 0
DeCommitTotalFreeThreshold 0
LockPrefixTable 0
MaximumAllocationSize 0
VirtualMemoryThreshold 0
ProcessAffinityMask 0
ProcessHeapFlags (EMPTY)
CSDVersion 0
Reserved1 0
EditList 0
SecurityCookie 0x100322dc
SEHandlerTable 0x1002fc30
SEHandlerCount 42

RICH Header

XOR Key 0x721518db
Unmarked objects 0
ASM objects (VS2017 v15.?.? build 25203) 13
C++ objects (VS2017 v15.?.? build 25203) 151
C objects (VS2017 v15.?.? build 25203) 22
ASM objects (VS2017 v15.?.? build 25930) 21
C++ objects (VS2017 v15.?.? build 25930) 50
C objects (VS2017 v15.?.? build 25930) 32
Imports (VS2017 v15.?.? build 25203) 5
Total imports 102
C++ objects (VS2017 v15.6.3-5 compiler 26129) 6
Exports (VS2017 v15.6.3-5 compiler 26129) 1
Resource objects (VS2017 v15.6.3-5 compiler 26129) 1
Linker (VS2017 v15.6.3-5 compiler 26129) 1

Errors

[*] Warning: Raw bytes from section .text could not be obtained.