8fb9d89f1f96c0225eaecda6fdbb2345

Summary

Architecture IMAGE_FILE_MACHINE_I386
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date 2020-Sep-30 06:56:21
Detected languages English - United States
Russian - Russia
FileVersion 7.2.1.1
LegalCopyright Copyright © 2020
ProductVersion 7.2.1.1

Plugin Output

Info Matching compiler(s): Microsoft Visual C++ 6.0 - 8.0
Info Cryptographic algorithms detected in the binary: Uses constants related to MD5
Microsoft's Cryptography API
Suspicious The PE is possibly packed. Unusual section name found: init
Malicious The PE contains functions mostly used by malware. [!] The program may be hiding some of its imports:
  • GetProcAddress
  • LoadLibraryExW
 Functions which can be used for anti-debugging purposes:
  • SwitchToThread
 Can access the registry:
  • RegDeleteValueW
  • RegQueryValueExW
  • RegOpenKeyExW
  • RegSetValueExW
  • RegCreateKeyExW
  • RegCloseKey
 Possibly launches other programs:
  • CreateProcessW
 Uses Microsoft's cryptographic API:
  • CryptGenRandom
  • CryptReleaseContext
  • CryptAcquireContextW
 Has Internet access capabilities:
  • InternetCheckConnectionW
 Leverages the raw socket API to access the Internet:
  • #21
  • #10
  • #112
  • #111
  • #3
  • #116
  • WSASend
  • #18
  • #4
  • WSASocketW
  • #22
  • #8
  • #14
  • #9
  • getaddrinfo
  • #7
  • WSACloseEvent
  • #115
  • WSARecv
  • WSACreateEvent
  • freeaddrinfo
  • WSAEventSelect
 Functions related to the privilege level:
  • OpenProcessToken
Malicious VirusTotal score: 40/71 (Scanned on 2020-11-20 14:09:02) Bkav: W32.AIDetectVM.malware1
Elastic: malicious (high confidence)
MicroWorld-eScan: Gen:Variant.Ulise.121606
McAfee: GenericRXHS-AA!8FB9D89F1F96
Malwarebytes: Trojan.Glupteba
Sangfor: Malware
CrowdStrike: win/malicious_confidence_80% (D)
K7GW: Trojan ( 0056559e1 )
K7AntiVirus: Trojan ( 0056559e1 )
Invincea: Troj/Glupteba-M
Cyren: W32/S-3ebf0797!Eldorado
Symantec: ML.Attribute.HighConfidence
ESET-NOD32: a variant of Win32/Glupteba.BC
APEX: Malicious
Kaspersky: Trojan.Win32.Kepiten.a
BitDefender: Gen:Variant.Ulise.121606
Avast: Win32:TrojanX-gen [Trj]
Rising: Trojan.Glupteba!1.BC88 (CLASSIC)
Ad-Aware: Gen:Variant.Ulise.121606
Sophos: Troj/Glupteba-M
F-Secure: Trojan.TR/Crypt.XPACK.Gen2
DrWeb: Trojan.SpyBot.961
McAfee-GW-Edition: GenericRXHS-AA!8FB9D89F1F96
FireEye: Generic.mg.8fb9d89f1f96c022
Emsisoft: Gen:Variant.Ulise.121606 (B)
Ikarus: Trojan.Win32.Glupteba
Jiangmin: Trojan.Kepiten.a
Webroot: W32.Trojan.Gen
Avira: TR/Crypt.XPACK.Gen2
Microsoft: Trojan:Win32/Glupteba.PA!MTB
Arcabit: Trojan.Ulise.D1DB06
ZoneAlarm: Trojan.Win32.Kepiten.a
GData: Gen:Variant.Ulise.121606
Cynet: Malicious (score: 100)
ALYac: Gen:Variant.Ulise.121606
MAX: malware (ai score=87)
Cylance: Unsafe
Fortinet: W32/Glupteba.B!tr
BitDefenderTheta: Gen:NN.ZexaF.34634.Iu0@aubuUXbk
AVG: Win32:TrojanX-gen [Trj]

Hashes

MD5 8fb9d89f1f96c0225eaecda6fdbb2345
SHA1 24459ed9f412de0e27f17ed6f1dbb24e2f84166d
SHA256 e637dbb0cd16d549c49337d755e671dc657800c2cfaf52c9a0f940dd12d42496
SHA3 bd0c4e87e98949f481aebf84ec6d00ade8ee257fa4e4fd10f302f2682fc8295d
SSDeep 12288:IYiFoe1hg4M8jNshsOjK6P3qYG8plfMYMJ+InSF8TkCdveEx5ULnr1SeQpalDhu:IYiFoeNpJ+InSF8TkG9qnr1uk8i
Imports Hash 6b89c1d112f9db4f18ff21190a0c27ad

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0x118

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_I386
NumberofSections 5
TimeDateStamp 2020-Sep-30 06:56:21
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xe0
Characteristics IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_RELOCS_STRIPPED

Image Optional Header

Magic PE32
LinkerVersion 14.0
SizeOfCode 0x68e00
SizeOfInitializedData 0x1ea00
SizeOfUninitializedData 0
AddressOfEntryPoint 0x00028D70 (Section: .text)
BaseOfCode 0x1000
BaseOfData 0x6a000
ImageBase 0x400000
SectionAlignment 0x1000
FileAlignment 0x200
OperatingSystemVersion 6.0
ImageVersion 0.0
SubsystemVersion 6.0
Win32VersionValue 0
SizeOfImage 0x8b000
SizeOfHeaders 0x400
Checksum 0
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
DllCharacteristics IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
SizeofStackReserve 0x100000
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

.text

MD5 d9c82a0a9d2cead561d83997074c323d
SHA1 ceb1ddc56688d4af40f49a3d9306a91e5ef06919
SHA256 ac57e039cabbf32790655112b3cf5c0ff19e647a8b96ee517f1d2a4db34d1649
SHA3 553b1b6268ed610139ac084ba5ab5e58420e410d835a582d8de8467a41415392
VirtualSize 0x69000
VirtualAddress 0x1000
SizeOfRawData 0x69000
PointerToRawData 0x1000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
Entropy 6.65024

.rdata

MD5 2cfd93f2e6dbbef79b7d79079eb12489
SHA1 d58b027ed66f32b0ff6cd60c2e08080af8c6dc78
SHA256 55ba7c09c274338a8afdb9eed09487fbd79e0139f4ec94a0308785e5a760f9dc
SHA3 2688bd04043b4fc0caaf50610f39d1c4434024ab248a43cd6acb0043f190da79
VirtualSize 0x19000
VirtualAddress 0x6a000
SizeOfRawData 0x19000
PointerToRawData 0x6a000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 5.25647

.data

MD5 b4d92bfd0b9dc9b39d390fdae072ed96
SHA1 dbabc48afd60a12aea051395f6d15951f178e9a1
SHA256 ebd71a2c1be1f246fbdf3e3acd7e18ffb8c57823ce700ddba515e7b6a7497afd
SHA3 99ddbd469daa1cb0bfa8b27d3c9f89f67a855b1810a49e0ec0a661b353ed4e3f
VirtualSize 0x5000
VirtualAddress 0x83000
SizeOfRawData 0x5000
PointerToRawData 0x83000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 3.3423

init

MD5 70558ce88a640d70ec5504ece501dcac
SHA1 3dbb0e403a0091b6e0ffaf892c3d99836c055430
SHA256 a702375a53e0def55d4e2b633f3886a7986a80bbd342deb47975013555eaecc2
SHA3 9b1b9d5712cf0a0b41b76cca535f8d9f1a3ab7e3630a48b2fe9b5948631c8ec1
VirtualSize 0x1000
VirtualAddress 0x88000
SizeOfRawData 0x1000
PointerToRawData 0x88000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 0.0508504

.rsrc

MD5 21ca88928002b287389ab16a8792e6dc
SHA1 9d0683edc50ee3a3559cd6851cc620b56ca04461
SHA256 c0a929ae1daf039c9faf363d170c3e600e00f9da394a3d137551519181a009c4
SHA3 a11518a1e55970be299816e67ac9e29c02f3c6d1fdc8bf2140cf28bb32f0dfc0
VirtualSize 0x2000
VirtualAddress 0x89000
SizeOfRawData 0x2000
PointerToRawData 0x89000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 2.32951

Imports

SHLWAPI.dll StrCpyNW
WININET.dll InternetCheckConnectionW
KERNEL32.dll FormatMessageA
PostQueuedCompletionStatus
GetQueuedCompletionStatus
SetLastError
SetWaitableTimer
LeaveCriticalSection
EnterCriticalSection
TlsFree
TlsAlloc
TlsSetValue
TlsGetValue
CloseHandle
WaitForSingleObject
SleepEx
SetEvent
CreateEventW
QueueUserAPC
TerminateThread
WaitForMultipleObjects
DeleteCriticalSection
CreateIoCompletionPort
InitializeCriticalSectionAndSpinCount
VerifyVersionInfoW
VerSetConditionMask
FormatMessageW
CopyFileW
lstrlenW
GetTempFileNameW
MultiByteToWideChar
GetTickCount
CreateMutexW
CreateMutexA
ExitProcess
DeleteFileW
RemoveDirectoryW
AllocConsole
SetConsoleTextAttribute
GetStdHandle
WriteConsoleW
ReadConsoleInputW
FreeConsole
GetLocalTime
GetWindowsDirectoryW
OpenEventW
InitializeCriticalSection
GetModuleHandleA
VirtualProtect
lstrcmp
GetModuleFileNameW
CreateProcessW
GetModuleHandleW
SetEnvironmentVariableW
LocalFree
WideCharToMultiByte
MoveFileExW
GetTickCount64
GetLastError
GetProcessHeap
SetStdHandle
HeapSize
GetCurrentProcess
FreeEnvironmentStringsW
GetEnvironmentStringsW
GetOEMCP
GetACP
IsValidCodePage
GetTimeZoneInformation
HeapReAlloc
ReadConsoleW
ReadFile
FlushFileBuffers
GetFileSizeEx
GetConsoleMode
GetConsoleCP
GetFileType
EnumSystemLocalesW
GetUserDefaultLCID
IsValidLocale
GetTimeFormatW
GetDateFormatW
HeapAlloc
HeapFree
WriteFile
GetCommandLineW
GetCommandLineA
GetModuleHandleExW
ExitThread
RaiseException
RtlUnwind
WaitForSingleObjectEx
Sleep
SwitchToThread
GetCurrentThreadId
QueryPerformanceCounter
QueryPerformanceFrequency
CreateFileW
FindClose
FindFirstFileExW
FindNextFileW
GetFileAttributesW
GetFileAttributesExW
GetFileInformationByHandle
SetEndOfFile
SetFilePointerEx
AreFileApisANSI
DeviceIoControl
GetProcAddress
GetSystemTimeAsFileTime
EncodePointer
DecodePointer
CompareStringW
LCMapStringW
GetLocaleInfoW
GetStringTypeW
GetCPInfo
GetEnvironmentVariableW
ResetEvent
InitializeSListHead
UnhandledExceptionFilter
SetUnhandledExceptionFilter
TerminateProcess
IsProcessorFeaturePresent
IsDebuggerPresent
GetStartupInfoW
GetCurrentProcessId
CreateThread
GetCurrentThread
GetThreadTimes
FreeLibrary
FreeLibraryAndExitThread
LoadLibraryExW
ADVAPI32.dll RegDeleteValueW
CryptGenRandom
CryptReleaseContext
CryptAcquireContextW
ConvertSidToStringSidA
RegQueryValueExW
RegOpenKeyExW
RegSetValueExW
RegCreateKeyExW
RegCloseKey
GetTokenInformation
OpenProcessToken
SHELL32.dll SHGetFolderPathAndSubDirW
ole32.dll CoInitializeEx
CoUninitialize
CoCreateGuid
StringFromGUID2
CoInitializeSecurity
WS2_32.dll #21
#10
#112
#111
#3
#116
WSASend
#18
#4
WSASocketW
#22
#8
#14
#9
getaddrinfo
#7
WSACloseEvent
#115
WSARecv
WSACreateEvent
freeaddrinfo
WSAEventSelect

Delayed Imports

1

Type RT_ICON
Language English - United States
Codepage UNKNOWN
Size 0x128
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 2.37822
MD5 38eb5eb191402435a7d5da77a9c8fae8
SHA1 122abf75f49cb26e6a4588f733926ffc785999bb
SHA256 30debf74be60f1353f58f8b8c36879a43958a782f821457b1adcc7be00902c9c
SHA3 d240ada057ba429708df9988f5f76ede9cf725368b8629ae051e707c11b86856

2

Type RT_ICON
Language English - United States
Codepage UNKNOWN
Size 0x2e8
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 2.37379
MD5 d4e6bfe640680b53022d29175f514d79
SHA1 e538175400bc398ea4b8e65d808e7a2dfbbdbfd4
SHA256 0e9195372eecd1faaddfaebb8fde8196a66b16a10318ca85ee8db8a9bfc9d041
SHA3 154345b37f32feef934af656aded9255b9ee8f6abe7a0cd9d61a1833542ecf4f

3

Type RT_ICON
Language English - United States
Codepage UNKNOWN
Size 0x668
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 2.27805
MD5 7698bb789bff1e0f040c773774a6c671
SHA1 ac2a37528032e735758a15f7beb792aba8111f82
SHA256 098fa4bd1988e76fb0013734ae677050255a347d42e39bc23ab36eb508b7ffd4
SHA3 827cad1ee4cf29f2665bb7ea3a2c3ded210fd559fe9dd4a0090b108895b7bd88

4

Type RT_ICON
Language English - United States
Codepage UNKNOWN
Size 0xb0
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 2.25424
MD5 d692bdfe2fb2255f139a28eb167e93ce
SHA1 31bdfaa5ab273d5ee12ad71d6785acdea9ab1a40
SHA256 a4b917720dbc918dbb8fbbbedc00d68b94a6f7e3297cf198bea2bff0a7173941
SHA3 d78194c750f29ad0acade8d06bbbc617e345fce3bc63457f99051558b8ac56a9

5

Type RT_ICON
Language English - United States
Codepage UNKNOWN
Size 0x130
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 2.71029
MD5 d44b688eb4c9be14455a69c9b7645a60
SHA1 7e97cc3a48f3c354c97d5153f539c923603895b8
SHA256 5226f8f982320b5a9f32e13dec5196c24e5cb3a8c82cb4a860c161f428a2855b
SHA3 9fa47dcf5e5dff1648eb117e428b5f8d50d7e45643d9435984bdb5cb4cbb50e1

6

Type RT_ICON
Language English - United States
Codepage UNKNOWN
Size 0x330
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 2.13181
MD5 5b743688af868a30ee61935cfc5c6f33
SHA1 17d4681c7f8e1762ade0299f9309a16f18642a61
SHA256 6a09c554ec308202d3bb08b1ae91f6502067308ee5bdf3871ee20126c4b373a7
SHA3 59d066fe30735a5605a29b6d8c65a472309c3e4407528454d0f2428f9a16d800

32

Type RT_STRING
Language Russian - Russia
Codepage UNKNOWN
Size 0x38
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 1.60504
MD5 0fd4fd4383074b9c5d9fa081d053d326
SHA1 65b5705f69c33ac824b0fd28d5a180aa685f3d87
SHA256 0de061c847d9266c7b43b0e5c04300ba6b29137a1367b310ac1a856c94750552
SHA3 7a1dbf95ece3c017b71f7aa84a49f49f11d30c9a7f10da208bcf83372833a319

101

Type RT_GROUP_ICON
Language English - United States
Codepage UNKNOWN
Size 0x5a
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 2.74417
Detected Filetype Icon file
MD5 d148c75e59377aa79c180396f45f355c
SHA1 b0b26cad3bc43856c4de4bcb92e54dce6bf1f6f7
SHA256 ef77555c4d1e769f6748372d39d8422b85e6af8f11c8a811c82ce78a87cc8c9d
SHA3 e87f2a758ae18abe7e030c83b7d0b1e53c08b6b448376f9e954b53967f547bf5

1 (#2)

Type RT_VERSION
Language English - United States
Codepage UNKNOWN
Size 0x188
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 3.30855
MD5 ce936f38097c7b5953cd18f428770e44
SHA1 93264c81c23a425cffcb8eaabffe42b525455b92
SHA256 d0ca9f264294f9a03c58f975857b4d7de4f964334ae05f5d3a7e9d8a0086c740
SHA3 237080aa5f94ddebefe9c53c5d92923f9bc8401bf44aa8bc56f0f0fbe96c4861

1 (#3)

Type RT_MANIFEST
Language English - United States
Codepage UNKNOWN
Size 0x17d
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 4.91161
MD5 1e4a89b11eae0fcf8bb5fdd5ec3b6f61
SHA1 4260284ce14278c397aaf6f389c1609b0ab0ce51
SHA256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df
SHA3 4bb9e8b5a714cae82782f3831cc2d45f4bf4a50a755fe584d2d1893129d68353

String Table contents

EpicNet Inc.

Version Info

Signature 0xfeef04bd
StructVersion 0x10000
FileVersion 7.2.1.1
ProductVersion 7.2.1.1
FileFlags (EMPTY)
FileOs VOS_DOS_WINDOWS32
VOS_NT
VOS_NT_WINDOWS32
VOS_WINCE
VOS__WINDOWS32
FileType VFT_APP
Language English - United States
FileVersion (#2) 7.2.1.1
LegalCopyright Copyright © 2020
ProductVersion (#2) 7.2.1.1
Resource LangID English - United States

IMAGE_DEBUG_TYPE_POGO

Characteristics 0
TimeDateStamp 2020-Sep-30 06:56:21
Version 0.0
SizeofData 956
AddressOfRawData 0x7c80c
PointerToRawData 0x7ba0c

TLS Callbacks

StartAddressOfRawData 0x47cbd8
EndAddressOfRawData 0x47cbe0
AddressOfIndex 0x486100
AddressOfCallbacks 0x46a398
SizeOfZeroFill 0
Characteristics IMAGE_SCN_ALIGN_4BYTES
Callbacks (EMPTY)

Load Configuration

Size 0xa4
TimeDateStamp 1970-Jan-01 00:00:00
Version 0.0
GlobalFlagsClear (EMPTY)
GlobalFlagsSet (EMPTY)
CriticalSectionDefaultTimeout 0
DeCommitFreeBlockThreshold 0
DeCommitTotalFreeThreshold 0
LockPrefixTable 0
MaximumAllocationSize 0
VirtualMemoryThreshold 0
ProcessAffinityMask 0
ProcessHeapFlags (EMPTY)
CSDVersion 0
Reserved1 0
EditList 0
SecurityCookie 0x483064
SEHandlerTable 0x47c3e0
SEHandlerCount 267

RICH Header

XOR Key 0xdae10580
Unmarked objects 0
ASM objects (26715) 19
C++ objects (26715) 176
C objects (26715) 24
C objects (VS 2015/2017/2019 runtime 28117) 17
ASM objects (VS 2015/2017/2019 runtime 28117) 23
C++ objects (28106) 8
C++ objects (VS 2015/2017/2019 runtime 28117) 152
262 (26715) 1
Imports (26715) 19
Total imports 234
265 (VS2019 Update 4 (16.4.4-5) compiler 28316) 14
ASM objects (VS2019 Update 4 (16.4.4-5) compiler 28316) 1
Resource objects (VS2019 Update 4 (16.4.4-5) compiler 28316) 1
151 1
Linker (VS2019 Update 4 (16.4.4-5) compiler 28316) 1

Errors

<-- -->