89e6fb5168f0cab8d0265e5e7796273c

Summary

Architecture IMAGE_FILE_MACHINE_I386
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date 2021-Jan-27 11:31:12
Detected languages English - United States

Plugin Output

Suspicious The PE is possibly packed. Unusual section name found: .data2
Info The PE contains common functions which appear in legitimate applications. [!] The program may be hiding some of its imports:
  • LoadLibraryExW
  • GetProcAddress
  • LoadLibraryA
Malicious VirusTotal score: 47/60 (Scanned on 2017-05-26 06:52:33)
Bkav: HW32.Packed.674C
MicroWorld-eScan: Trojan.GenericKD.5158286
CAT-QuickHeal: TrojanSpy.Ursnif
McAfee: RDN/Generic.grp
Malwarebytes: Ransom.Cerber
K7AntiVirus: Spyware ( 00505c591 )
K7GW: Spyware ( 00505c591 )
Baidu: Win32.Trojan.WisdomEyes.16070401.9500.9999
F-Prot: W32/Agent.ANX.gen!Eldorado
Symantec: Trojan Horse
ESET-NOD32: Win32/Spy.Ursnif.AO
TrendMicro-HouseCall: TSPY_URSNIF.AUSIOC
Paloalto: generic.ml
Kaspersky: Trojan-Spy.Win32.Ursnif.rvs
BitDefender: Trojan.GenericKD.5158286
NANO-Antivirus: Trojan.Win32.Ursnif.epfsdw
AegisLab: Ml.Attribute.Gen!c
Avast: Win32:Malware-gen
Ad-Aware: Trojan.GenericKD.5158286
Sophos: Troj/Gozi-HM
Comodo: TrojWare.Win32.Troldesh.B
F-Secure: Trojan.GenericKD.5158286
DrWeb: Trojan.Gozi.23
VIPRE: VirTool.Win32.Obfuscator.da!j (v)
Invincea: trojan.win32.skeeyah.a!rfn
McAfee-GW-Edition: BehavesLike.Win32.PWSZbot.fc
Emsisoft: Trojan.GenericKD.5158286 (B)
SentinelOne: static engine - malicious
Cyren: W32/Trojan.AZGX-5780
Webroot: W32.Infostealer.Zeus
Avira: TR/Crypt.Xpack.mayzd
Antiy-AVL: Trojan/Win32.Kryptik
Microsoft: Trojan:Win32/Dynamer!rfn
Endgame: malicious (high confidence)
Arcabit: Trojan.Generic.D4EB58E
ViRobot: Trojan.Win32.Agent.331264.G[h]
ZoneAlarm: Trojan-Spy.Win32.Ursnif.rvs
GData: Trojan.GenericKD.5158286
AhnLab-V3: Trojan/Win32.Cerber.C1970349
ALYac: Gen:Variant.Midie.37830
AVware: VirTool.Win32.Obfuscator.da!j (v)
Ikarus: Trojan.Inject
Fortinet: W32/Kryptik.FSNS!tr
AVG: SCGeneric_c1.BSY
Panda: Trj/Genetic.gen
CrowdStrike: malicious_confidence_100% (W)
Qihoo-360: Trojan.Generic

Hashes

MD5 89e6fb5168f0cab8d0265e5e7796273c
SHA1 a6aea3b6399121b8263a26e9d514b8e8de433bec
SHA256 050b5f98878c1bd29024e810e82e6add629fa6b0345ae1a11d64b33cf6a9151c
SHA3 81767af985f7ca860c12b4868b844a12c0924c8b8a12dd2ea045cf9489ca2ad3
SSDeep 6144:GW1ZKl1ZD8CwAT1xeD5642TohE00ylJ2sBDsyeO/37Bo0qRyHWvJKr0hri7q+Xm:GW/Kl/4Cwwet6VToSOlYsBDsyjygHqG
Imports Hash 4423f1d4fa182ed8db988966636bc13a

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0xb8

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_I386
NumberofSections 4
TimeDateStamp 2021-Jan-27 11:31:12
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xe0
Characteristics IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_RELOCS_STRIPPED

Image Optional Header

Magic PE32
LinkerVersion 13.1
SizeOfCode 0x4ee00
SizeOfInitializedData 0x1c00
SizeOfUninitializedData 0
AddressOfEntryPoint 0x00001DE5 (Section: .text)
BaseOfCode 0x1000
BaseOfData 0x50000
ImageBase 0x400000
SectionAlignment 0x1000
FileAlignment 0x200
OperatingSystemVersion 5.1
ImageVersion 5.1
SubsystemVersion 4.0
Win32VersionValue 0
SizeOfImage 0x54000
SizeOfHeaders 0x400
Checksum 0x5495f
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
DllCharacteristics IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
SizeofStackReserve 0x100000
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

.text

MD5 4b900c02b85df4436f6ff2fb95f6d5a4
SHA1 acd466ee0ee4d0d2183f5189bdb9bb159afda25f
SHA256 19ceb56c92e81502dd343bb7a26269c98ef7aa2cfcf33884f32ce238b4075955
SHA3 396974edfa2086589dcff81c20995a88a8c78ef7ad1a5b393fc8a2bd8c57eab8
VirtualSize 0x4ec3c
VirtualAddress 0x1000
SizeOfRawData 0x4ee00
PointerToRawData 0x400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
Entropy 7.92847

.data2

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA3 a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a
VirtualSize 0x100
VirtualAddress 0x50000
SizeOfRawData 0
PointerToRawData 0x4f200
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_MEM_READ

.data

MD5 8f21f7828708c678d28f4a0594963444
SHA1 e3bc73c11e737af5d5f7535702cfefbddbb7af83
SHA256 0c128be5e2122ddfdb7a220f29bf2a49ff4121e8d83bdc25b801d5ac2fb00442
SHA3 9d8e6a414e4222827f7c4338a396e0900548ca8f47b0732d45b0691441227fae
VirtualSize 0x68a
VirtualAddress 0x51000
SizeOfRawData 0x800
PointerToRawData 0x4f200
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 1.42665

.rsrc

MD5 ddfe5bab874347d3b0d517c273e3ce18
SHA1 1dded99fdb69a2fe241a120d2868f2184b1e7ff7
SHA256 bf180b1766643ec1c6be1e12093556e38995fe49972e9687d45be27a91de18c1
SHA3 779525faa8ec34ed20ee0892cb5891e875bc51482258640c6bdb15b1eb16ba8f
VirtualSize 0x1370
VirtualAddress 0x52000
SizeOfRawData 0x1400
PointerToRawData 0x4fa00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 4.58468

Imports

user32.dll
PostMessageW
InsertMenuA
LoadIconA
DispatchMessageW
LoadMenuW
LoadCursorA
PeekMessageA
GetPropA
DrawStateA
GetMessageW
CharToOemA
IsCharLowerW
wsprintfA
GetClassLongA
LoadBitmapA
FlashWindow
clusapi.dll
CloseCluster
CloseClusterNode
shlwapi.dll
PathCompactPathW
UrlCanonicalizeA
UrlGetPartW
UrlGetLocationW
PathCombineA
PathIsRootW
PathCommonPrefixW
UrlEscapeW
UrlCombineW
PathStripPathA
UrlCompareA
UrlHashW
kernel32.dll
IsBadStringPtrA
LoadLibraryExW
SetErrorMode
CreateMailslotW
GetTickCount
FindFirstFileA
lstrcpy
GetStringTypeW
CreateFileMappingA
GetProcAddress
GetTempFileNameA
OpenFileMappingA
GetGeoInfoW
GetConsoleTitleA
WaitForSingleObjectEx
GetACP
CopyFileW
CreateNamedPipeW
LoadLibraryA
MoveFileExA
CreateMutexA
EncodePointer
DeleteFileA
FormatMessageW
GetPrivateProfileStringW
CreateSemaphoreA
GetBinaryTypeA
GetCommandLineA
GetVersionExW
resutils.dll
ResUtilDupString
ClusWorkerTerminate
ResUtilGetBinaryValue
ClusWorkerStart

Delayed Imports

Resources

1

Type GASD
Language English - United States
Codepage UNKNOWN
Size 0x300
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 5.26184
MD5 e33afc2e8ce043146eafea5abeabfa78
SHA1 470d899a7d81b205a603114a840d78a2edd7280d
SHA256 ef464cdb48d4f6e36999841b7a03a65f4886030c735c654d844da09f312f77f9
SHA3 347db19d8292a5aebf3f352abfcd53e42f7ed394f669576b2cca03a6a2e5ba6e

2

Type GASD
Language English - United States
Codepage UNKNOWN
Size 0x300
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 5.26184
MD5 e33afc2e8ce043146eafea5abeabfa78
SHA1 470d899a7d81b205a603114a840d78a2edd7280d
SHA256 ef464cdb48d4f6e36999841b7a03a65f4886030c735c654d844da09f312f77f9
SHA3 347db19d8292a5aebf3f352abfcd53e42f7ed394f669576b2cca03a6a2e5ba6e

3

Type GASD
Language English - United States
Codepage UNKNOWN
Size 0x300
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 5.26184
MD5 e33afc2e8ce043146eafea5abeabfa78
SHA1 470d899a7d81b205a603114a840d78a2edd7280d
SHA256 ef464cdb48d4f6e36999841b7a03a65f4886030c735c654d844da09f312f77f9
SHA3 347db19d8292a5aebf3f352abfcd53e42f7ed394f669576b2cca03a6a2e5ba6e

4

Type GASD
Language English - United States
Codepage UNKNOWN
Size 0x300
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 5.26184
MD5 e33afc2e8ce043146eafea5abeabfa78
SHA1 470d899a7d81b205a603114a840d78a2edd7280d
SHA256 ef464cdb48d4f6e36999841b7a03a65f4886030c735c654d844da09f312f77f9
SHA3 347db19d8292a5aebf3f352abfcd53e42f7ed394f669576b2cca03a6a2e5ba6e

5

Type GASD
Language English - United States
Codepage UNKNOWN
Size 0x300
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 5.26184
MD5 e33afc2e8ce043146eafea5abeabfa78
SHA1 470d899a7d81b205a603114a840d78a2edd7280d
SHA256 ef464cdb48d4f6e36999841b7a03a65f4886030c735c654d844da09f312f77f9
SHA3 347db19d8292a5aebf3f352abfcd53e42f7ed394f669576b2cca03a6a2e5ba6e

1 (#2)

Type RT_VERSION
Language English - United States
Codepage UNKNOWN
Size 0x300
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 0
MD5 33c250bf306b7cbbd3dd71b6029b8784
SHA1 025a14a110e180aa74754a185dd7a06e11d380d5
SHA256 ef115a0e0c15cdc41958ca46b5b14b456115f4baec5e3ca68599d2a8f435e3b8
SHA3 564d4682e53623eac67e8e1a761e99f1f26bbe6ba100f887f011d7fad3ceaf98

Version Info

TLS Callbacks

Load Configuration

RICH Header

Errors

[*] Warning: Could not read the name of the DLL to be delay-loaded!
[!] Error: Could not read PDB file information of invalid magic number.
[!] Error: Could not read a VS_FIXED_FILE_INFO!
[*] Warning: Section .data2 has a size of 0!
[!] Error: Could not read a VS_FIXED_FILE_INFO!
[*] Warning: Could not parse a VERSION_INFO resource!