89503b7935a05b1d26cb26ce3793a3fb

Summary

Architecture IMAGE_FILE_MACHINE_I386
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date 2008-Apr-01 19:35:07

Plugin Output

Suspicious Strings found in the binary may indicate undesirable behavior: Contains references to internet browsers:
  • iexplore.exe
May have dropper capabilities:
  • CurrentControlSet\Services
Malicious The file headers were tampered with. Unusual section name found: .cdata
The RICH header checksum is invalid.
Malicious The PE contains functions mostly used by malware. [!] The program may be hiding some of its imports:
  • GetProcAddress
  • LoadLibraryA
Code injection capabilities:
  • OpenProcess
  • WriteProcessMemory
  • CreateRemoteThread
  • VirtualAllocEx
Possibly launches other programs:
  • CreateProcessA
  • CreateProcessAsUserA
Functions related to the privilege level:
  • OpenProcessToken
  • DuplicateTokenEx
Manipulates other processes:
  • OpenProcess
  • WriteProcessMemory
  • ReadProcessMemory
Malicious VirusTotal score: 45/67 (Scanned on 2018-11-06 19:04:29) Bkav: W32.eHeur.Malware11
MicroWorld-eScan: Trojan.Lojack.Gen.1
McAfee: RDN/Generic BackDoor
Cylance: Unsafe
Zillya: Trojan.GenericKD.Win32.115912
BitDefender: Trojan.Lojack.Gen.1
K7GW: Riskware ( 0040eff71 )
K7AntiVirus: Riskware ( 0040eff71 )
Arcabit: Trojan.Lojack.Gen.1
TrendMicro: Backdoor.Win32.FALOJAK.SMMR
Cyren: W32/Backdoor.GV.gen!Eldorado
Symantec: Trojan.Lojax
ESET-NOD32: Win32/Agent.ZQE
TrendMicro-HouseCall: Backdoor.Win32.FALOJAK.SMMR
Paloalto: generic.ml
ClamAV: Win.Trojan.Agent-6741370-0
Kaspersky: HEUR:Backdoor.Win32.DoubleAgent.gen
ViRobot: Trojan.Win32.Agent.17408.EC
Avast: FileRepMalware
F-Secure: Trojan:W32/Jaxol.A
DrWeb: Trojan.LoJax.2
Invincea: heuristic
McAfee-GW-Edition: RDN/Generic BackDoor
Emsisoft: Trojan.Lojack.Gen.1 (B)
F-Prot: W32/Backdoor.GV.gen!Eldorado
Jiangmin: Backdoor.DoubleAgent.a
Avira: BDS/DoubeAgent.itcpi
Microsoft: Backdoor:Win32/Lojax.A
AegisLab: Trojan.Win32.DoubleAgent.tpts
ZoneAlarm: HEUR:Backdoor.Win32.DoubleAgent.gen
GData: Trojan.Lojack.Gen.1
TACHYON: Backdoor/W32.DoubleAgent.17408
AhnLab-V3: Trojan/Win32.Agent.C2487603
VBA32: Backdoor.DoubleAgent
ALYac: Trojan.Lojack.Gen.1
MAX: malware (ai score=100)
Ad-Aware: Trojan.Lojack.Gen.1
Malwarebytes: Backdoor.DoubleAgent
Zoner: Trojan.Doubleagent
Rising: Backdoor.DoubleAgent!8.F8EC (CLOUD)
Yandex: Backdoor.DoubleAgent!
Ikarus: Backdoor.Win32.Lojax
Fortinet: W32/DoubleAgent.SMMR!tr.bdr
AVG: FileRepMalware
Qihoo-360: Win32/Trojan.994

Hashes

MD5 89503b7935a05b1d26cb26ce3793a3fb
SHA1 5bc901e9267fa7bb7b14943f5f0299a84a7ef519
SHA256 6d626c7f661b8cc477569e8e89bfe578770fca332beefea1ee49c20def97226e
SHA3 f1a42a8faba760801667747a7a6ed563e0020e7552d92960a09469b1fa7c4b9f
SSDeep 384:R1Wx2a/j+nF400vvnIPxAvDJ1SvAPnXnG1l:R1I2ab+F400nnIpAN1SvAP36
Imports Hash 2d3a84dfeb99a2f4534843b7c5817fbc

DOS Header

e_magic MZ
e_cblp 0x4
e_cp 0x1
e_crlc 0
e_cparhdr 0x4
e_minalloc 0x1
e_maxalloc 0xffff
e_ss 0x6a06
e_sp 0xcb00
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0xa8

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_I386
NumberofSections 4
TimeDateStamp 2008-Apr-01 19:35:07
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xe0
Characteristics IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED

Image Optional Header

Magic PE32
LinkerVersion 7.0
SizeOfCode 0x3600
SizeOfInitializedData 0xa00
SizeOfUninitializedData 0
AddressOfEntryPoint 0x0000348D (Section: .text)
BaseOfCode 0x1000
BaseOfData 0x5000
ImageBase 0x400000
SectionAlignment 0x1000
FileAlignment 0x200
OperatingSystemVersion 4.0
ImageVersion 0.0
SubsystemVersion 4.0
Win32VersionValue 0
SizeOfImage 0x8000
SizeOfHeaders 0x400
Checksum 0
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
SizeofStackReserve 0x100000
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

.text

MD5 a92b585f78a838e1d221373b3d60a37f
SHA1 346222fb3cdb53ca57bfd749b987f8155c2b88fd
SHA256 6584acdbaef2a78b1665be6a3c7b37ee30d5d7c1215c4e3193c1fafcf8e3d6d5
SHA3 4705f65f8f3c0d6d6f408d6d5ad708f43a80e238f888ddefd51a52ac1dd368ef
VirtualSize 0x35f6
VirtualAddress 0x1000
SizeOfRawData 0x3600
PointerToRawData 0x400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
Entropy 6.40114

.data

MD5 4031479fbcd57a5f6c8dbf647bfcd376
SHA1 1ddbc29868bb42f598db5dcffdea0b1fe9f8d951
SHA256 0277c751df8e8abc55fe2bace1a2ca1292e96ef3de276706161d48d7bcd835bd
SHA3 a00ca26f5cacea198f45643320cf1c44b32d466dd089fca4d85887e141b14f4b
VirtualSize 0x164
VirtualAddress 0x5000
SizeOfRawData 0x200
PointerToRawData 0x3a00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 1.00828

.cdata

MD5 2d38e1b5ba834b73beaaf9770baceca3
SHA1 9a415335bbcb2075a64e00d41e3d65a8e9895772
SHA256 6be5249392d69b2961a082b261ce8a15477bf382088bf86725d7e1af9b20e34a
SHA3 9ecbfe2596fbcb6287258b5b68c224357f397f4eb14bc06333a96459ede682f4
VirtualSize 0x23c
VirtualAddress 0x6000
SizeOfRawData 0x400
PointerToRawData 0x3c00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_SHARED
IMAGE_SCN_MEM_WRITE
Entropy 1.30643

.reloc

MD5 7f5f3ba1ba90b8791121f26ba95facf6
SHA1 5999a0599cba75340c2726fc35949557be105cc2
SHA256 d8b9535677f13a3b4132313153fff2dc13f61f7267697361ae08a06e5db5135b
SHA3 9f70cc48fccb1a8f6890cc9be6ba2b399797a2c48d0d4aa114b765194beab5af
VirtualSize 0x338
VirtualAddress 0x7000
SizeOfRawData 0x400
PointerToRawData 0x4000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Entropy 5.79343

Imports

WSOCK32.dll #11
#115
#116
USER32.dll DefWindowProcA
wsprintfA
PostQuitMessage
RegisterClassA
TranslateMessage
GetMessageA
PeekMessageA
PostMessageA
DispatchMessageA
CreateWindowExA
SetTimer
PostThreadMessageA
KillTimer
KERNEL32.dll VirtualFreeEx
DeleteCriticalSection
OpenProcess
WriteFile
CloseHandle
RtlUnwind
GetVersion
LocalAlloc
SetFilePointer
CreateProcessA
GetModuleHandleA
GetLastError
LocalFree
ExitThread
SetEvent
ReadFile
TerminateProcess
WaitForSingleObject
WriteProcessMemory
ReadProcessMemory
ResetEvent
LeaveCriticalSection
GetStdHandle
TerminateThread
ExitProcess
InitializeCriticalSection
GetModuleFileNameA
GetProcAddress
WaitForMultipleObjects
CreateRemoteThread
lstrlenA
CreateEventA
GetExitCodeThread
CreateThread
lstrcmpiA
EnterCriticalSection
GetCurrentProcessId
CreateFileA
SetThreadPriority
ResumeThread
lstrcpyA
GetOverlappedResult
FreeLibrary
RaiseException
GetCurrentThreadId
lstrcatA
GetEnvironmentVariableA
SetStdHandle
VirtualAllocEx
Sleep
CopyFileA
LoadLibraryA
ADVAPI32.dll RegQueryValueExA
RegEnumValueA
RegOpenKeyA
RegDeleteValueA
SetServiceStatus
OpenProcessToken
RegOpenKeyExA
StartServiceCtrlDispatcherA
SetTokenInformation
RegCloseKey
RegisterServiceCtrlHandlerA
DuplicateTokenEx
CreateProcessAsUserA

Delayed Imports

rpcnetp

Ordinal 1
Address 0x34e1

Version Info

TLS Callbacks

Load Configuration

RICH Header

XOR Key 0x77224aa4
Unmarked objects 0
Imports (2067) 2
Imports (2179) 7
Total imports 82
Unmarked objects (#2) 5
C objects (VS2003 (.NET) build 3077) 14
C++ objects (VS2003 (.NET) build 3077) 1
Exports (VS2003 (.NET) build 3077) 1
Linker (VS2003 (.NET) build 3077) 1

Errors