898ddb3765a149d047408c8ac83c1bb9

Summary

Architecture IMAGE_FILE_MACHINE_I386
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date 2019-Oct-10 19:36:41
Detected languages English - United States

Plugin Output

Info Matching compiler(s): Microsoft Visual C++ 6.0 - 8.0
Suspicious Strings found in the binary may indicate undesirable behavior: Miscellaneous malware strings:
  • cmd.exe
Malicious The PE contains functions mostly used by malware. [!] The program may be hiding some of its imports:
  • GetProcAddress
  • LoadLibraryExW
Code injection capabilities:
  • OpenProcess
  • WriteProcessMemory
  • VirtualAllocEx
  • CreateRemoteThread
Possibly launches other programs:
  • CreateProcessW
  • CreateProcessA
Can create temporary files:
  • GetTempPathW
  • CreateFileW
Has Internet access capabilities:
  • WinHttpQueryHeaders
  • WinHttpReadData
  • WinHttpOpenRequest
  • WinHttpSetOption
  • WinHttpCloseHandle
  • WinHttpAddRequestHeaders
  • WinHttpWriteData
  • WinHttpSendRequest
  • WinHttpSetTimeouts
  • WinHttpConnect
  • WinHttpCrackUrl
  • WinHttpQueryDataAvailable
  • WinHttpOpen
  • WinHttpGetProxyForUrl
  • WinHttpReceiveResponse
  • WinHttpGetIEProxyConfigForCurrentUser
Functions related to the privilege level:
  • AdjustTokenPrivileges
  • OpenProcessToken
Manipulates other processes:
  • OpenProcess
  • WriteProcessMemory
  • ReadProcessMemory
Suspicious No VirusTotal score. This file has never been scanned on VirusTotal.

Hashes

MD5 898ddb3765a149d047408c8ac83c1bb9
SHA1 487907604be4070d4d2f78a485c09ed037fffd1d
SHA256 a3bae3ec7be4c3e6776aab4583d5fc313810c8eb037bcb841861378bb65dcb61
SHA3 bb622c80701a01d3493363cf2534746638a0e1f476bc65a0daf5287c653cc1f1
SSDeep 3072:HAEcein+7ADvqvII9Ci5oHDyhwf2+PxqF+HJfv+jyKAg0FujoGMa9AmF2Y/Ne:H7j7A2foHmhwf2t+nKAO+abBNe
Imports Hash 4d706068d7808efdaba9012e9d34b5d6

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0x118

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_I386
NumberofSections 7
TimeDateStamp 2019-Oct-10 19:36:41
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xe0
Characteristics IMAGE_FILE_32BIT_MACHINE, IMAGE_FILE_DLL, IMAGE_FILE_EXECUTABLE_IMAGE

Image Optional Header

Magic PE32
LinkerVersion 14.0
SizeOfCode 0x26c00
SizeOfInitializedData 0x14600
SizeOfUninitializedData 0
AddressOfEntryPoint 0x0000B09F (Section: .text)
BaseOfCode 0x1000
BaseOfData 0x28000
ImageBase 0x10000000
SectionAlignment 0x1000
FileAlignment 0x200
OperatingSystemVersion 6.0
ImageVersion 0.0
SubsystemVersion 6.0
Win32VersionValue 0
SizeOfImage 0x40000
SizeOfHeaders 0x1000
Checksum 0
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
DllCharacteristics IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE, IMAGE_DLLCHARACTERISTICS_NX_COMPAT
SizeofStackReserve 0x100000
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

.text

MD5 724933b5a4792216595f779db9c371fa
SHA1 765078afb8c7a53f2c47a19caf3d7dab13b6c926
SHA256 fcf01a8fb8e2e7132b6a7689b4cc1039808c65a0595a869f38bda580bf93a8f7
SHA3 b67c2c757152e9e46e54c6e3e5d7737ed12716b3b18b7f31aa4c86b56560895d
VirtualSize 0x26af7
VirtualAddress 0x1000
SizeOfRawData 0x26c00
PointerToRawData 0x400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Entropy 6.66671

.rdata

MD5 acd2e83e0de814fbbca9eb3291449576
SHA1 963ca71c6b81c5acfacb6ac2bf7b0aa6ca63e578
SHA256 8626b860d5cfeae2be1f3a1f8dcde8603d21f7713226296f9498954ffd51e090
SHA3 8cad237549f294fa4da6f34d3037e509c8ef783515ebb78a508a27b8eecf2bbd
VirtualSize 0xfd6c
VirtualAddress 0x28000
SizeOfRawData 0xfe00
PointerToRawData 0x27000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Entropy 5.58599

.data

MD5 47156351388a14b5b08346b73d7326e7
SHA1 6b88a423fda9fc30b66950bd125d3af013203b1b
SHA256 b3a5c8573eb6181ae0268ad96c77b799c12e9965288620a89bb4f2747155885a
SHA3 c3f4bafbb9ba8ddf08eb9e222dba2cc501aba5ecc9139b33c8609c244cb98ad4
VirtualSize 0x1d5c
VirtualAddress 0x38000
SizeOfRawData 0x1000
PointerToRawData 0x36e00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Entropy 3.56229

.gfids

MD5 a36874cfa073d72ec19e14690fb11e5b
SHA1 bcef9eaef562f2ca07549419da2c4e07df6e1c63
SHA256 e159cdf90be60b98f27af003b18c5eda8a5514dd9f899ba02b44c5b46515ef5a
SHA3 156b3f470c01caf3ab9b8e3de4bbee14a4d422509da6dba20b336e5d9481c2ab
VirtualSize 0x1e4
VirtualAddress 0x3a000
SizeOfRawData 0x200
PointerToRawData 0x37e00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Entropy 3.71677

.tls

MD5 1f354d76203061bfdd5a53dae48d5435
SHA1 aa0d33a0c854e073439067876e932688b65cb6a9
SHA256 4c6474903705cb450bb6434c29e8854f17d8324efca1fdb9ee9008599060883a
SHA3 991fbbd46bbd69198269fe6c247d440e0f8a7d38259b7a1e04b74790301d1d2b
VirtualSize 0x9
VirtualAddress 0x3b000
SizeOfRawData 0x200
PointerToRawData 0x38000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Entropy 0.0203931

.rsrc

MD5 2a18ce9346eb6f71ef31bc4ce827a4db
SHA1 7042cdf29d740676971b80f5a075f7d9c29a97c8
SHA256 cef6f5f073348f194af472d09263a2a7834b462acbcf7544a2a331ce272dce55
SHA3 93455ba9ecc6089852bc6e1405f34ad07b6c1003255df8454082ce136181104b
VirtualSize 0x1e0
VirtualAddress 0x3c000
SizeOfRawData 0x200
PointerToRawData 0x38200
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Entropy 4.72473

.reloc

MD5 37af4cecd34cbbfad2b4ac5ce5f93116
SHA1 b3ad8590842a5f20546f679e9170374b919c4fb5
SHA256 9c482825fc22f1d24233ce683ce0f9c6b4f17fb5c1db770d9314aa143dc220b3
SHA3 2107d39594f09c809ced2f1073d6f121d23aa037224ca0ec74826081ffbdfd5d
VirtualSize 0x23b8
VirtualAddress 0x3d000
SizeOfRawData 0x2400
PointerToRawData 0x38400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Entropy 6.57306

Imports

KERNEL32.DLL GetVersionExW
GetComputerNameExW
OpenProcess
HeapSize
MultiByteToWideChar
GetLastError
GlobalAlloc
GlobalFree
HeapReAlloc
CloseHandle
RaiseException
HeapAlloc
K32EnumProcesses
DecodePointer
WaitForSingleObject
DeleteCriticalSection
GetCurrentProcessId
GetProcessHeap
CreateProcessW
WideCharToMultiByte
WriteProcessMemory
VirtualAllocEx
ReadProcessMemory
CreateRemoteThread
ReadConsoleW
InitializeCriticalSectionEx
GetTempPathW
K32GetModuleFileNameExW
GetCurrentProcess
ReadFile
SetEndOfFile
WriteConsoleW
SetFilePointerEx
CreateFileW
FlushFileBuffers
SetStdHandle
SetEnvironmentVariableA
FreeEnvironmentStringsW
GetEnvironmentStringsW
GetCommandLineW
GetCommandLineA
GetOEMCP
IsValidCodePage
FindNextFileA
FindFirstFileExA
FindClose
GetStringTypeW
EnterCriticalSection
LeaveCriticalSection
EncodePointer
SetLastError
InitializeCriticalSectionAndSpinCount
CreateEventW
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
GetSystemTimeAsFileTime
GetModuleHandleW
GetProcAddress
CompareStringW
LCMapStringW
GetLocaleInfoW
GetCPInfo
IsDebuggerPresent
OutputDebugStringW
SetEvent
ResetEvent
WaitForSingleObjectEx
UnhandledExceptionFilter
SetUnhandledExceptionFilter
TerminateProcess
IsProcessorFeaturePresent
GetStartupInfoW
QueryPerformanceCounter
GetCurrentThreadId
InitializeSListHead
RtlUnwind
FreeLibrary
LoadLibraryExW
GetModuleFileNameW
InterlockedFlushSList
ExitProcess
GetModuleHandleExW
GetModuleFileNameA
GetACP
GetStdHandle
GetFileType
IsValidLocale
GetUserDefaultLCID
EnumSystemLocalesW
GetExitCodeProcess
CreateProcessA
GetFileAttributesExW
WriteFile
GetConsoleCP
GetConsoleMode
HeapFree
ADVAPI32.dll SystemFunction036
LookupPrivilegeValueW
AdjustTokenPrivileges
OpenProcessToken
GetUserNameW
SHLWAPI.dll StrChrA
PathFindFileNameW
USER32.dll wsprintfW
WINHTTP.dll WinHttpQueryHeaders
WinHttpReadData
WinHttpOpenRequest
WinHttpSetOption
WinHttpCloseHandle
WinHttpAddRequestHeaders
WinHttpWriteData
WinHttpSendRequest
WinHttpSetTimeouts
WinHttpConnect
WinHttpCrackUrl
WinHttpQueryDataAvailable
WinHttpOpen
WinHttpGetProxyForUrl
WinHttpReceiveResponse
WinHttpGetIEProxyConfigForCurrentUser

Delayed Imports

Exports

Final
Ordinal 1
Address 0x47ea

Resources

2

Type RT_MANIFEST
Language English - United States
Codepage UNKNOWN
Size 0x17d
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 4.91161
MD5 1e4a89b11eae0fcf8bb5fdd5ec3b6f61
SHA1 4260284ce14278c397aaf6f389c1609b0ab0ce51
SHA256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df
SHA3 4bb9e8b5a714cae82782f3831cc2d45f4bf4a50a755fe584d2d1893129d68353

Version Info

TLS Callbacks

StartAddressOfRawData 0x1003b000
EndAddressOfRawData 0x1003b008
AddressOfIndex 0x10039588
AddressOfCallbacks 0x10028244
SizeOfZeroFill 0
Characteristics IMAGE_SCN_ALIGN_4BYTES
Callbacks (EMPTY)

Load Configuration

Size 0x5c
TimeDateStamp 1970-Jan-01 00:00:00
Version 0.0
GlobalFlagsClear (EMPTY)
GlobalFlagsSet (EMPTY)
CriticalSectionDefaultTimeout 0
DeCommitFreeBlockThreshold 0
DeCommitTotalFreeThreshold 0
LockPrefixTable 0
MaximumAllocationSize 0
VirtualMemoryThreshold 0
ProcessAffinityMask 0
ProcessHeapFlags (EMPTY)
CSDVersion 0
Reserved1 0
EditList 0
SecurityCookie 0x10038070
SEHandlerTable 0x100357c0
SEHandlerCount 44

RICH Header

XOR Key 0x79dc6ec7
Unmarked objects 0
241 (40116) 13
243 (40116) 152
242 (40116) 29
ASM objects (23907) 22
C++ objects (23013) 2
C++ objects (23907) 53
C objects (23907) 33
Imports (65501) 11
Total imports 139
265 (VS2015 UPD2 build 23918) 4
Exports (VS2015 UPD2 build 23918) 1
Resource objects (VS2015 UPD2 build 23918) 1
Linker (VS2015 UPD2 build 23918) 1

Errors