8fba76abdcfe0f2cf623f01086418638

Summary

Architecture IMAGE_FILE_MACHINE_I386
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date 2012-May-22 14:47:29

Plugin Output

Info Matching compiler(s): Microsoft Visual C++ 6.0 - 8.0
Info Libraries used to perform cryptographic operations: Microsoft's Cryptography API
Malicious The PE contains functions mostly used by malware.
[!] The program may be hiding some of its imports:
  • LoadLibraryA
  • GetProcAddress
  • LoadLibraryW
Functions which can be used for anti-debugging purposes:
  • CreateToolhelp32Snapshot
Code injection capabilities:
  • VirtualAllocEx
  • WriteProcessMemory
  • OpenProcess
  • CreateRemoteThread
  • VirtualAlloc
Code injection capabilities (mapping injection):
  • CreateRemoteThread
  • CreateFileMappingW
  • MapViewOfFile
Can access the registry:
  • RegOpenKeyExW
  • RegEnumKeyExW
  • RegCloseKey
  • RegCreateKeyExW
  • RegQueryValueExW
  • RegSetValueExW
  • SHDeleteKeyW
Possibly launches other programs:
  • CreateProcessW
  • CreateProcessAsUserW
  • ShellExecuteW
Uses Microsoft's cryptographic API:
  • CryptGetHashParam
  • CryptAcquireContextW
  • CryptReleaseContext
  • CryptCreateHash
  • CryptDestroyHash
  • CryptHashData
  • CryptUnprotectData
Can create temporary files:
  • GetTempPathW
  • CreateFileW
Memory manipulation functions often used by packers:
  • VirtualProtectEx
  • VirtualAllocEx
  • VirtualProtect
  • VirtualAlloc
Has Internet access capabilities:
  • InternetSetStatusCallbackW
  • InternetQueryOptionA
  • InternetSetOptionA
  • InternetQueryOptionW
  • InternetReadFile
  • InternetReadFileExA
  • InternetQueryDataAvailable
  • InternetCloseHandle
  • InternetOpenA
  • InternetCrackUrlA
  • InternetConnectA
Leverages the raw socket API to access the Internet:
  • #20
  • #18
  • getaddrinfo
  • #17
  • #5
  • #111
  • #19
  • #3
  • WSASend
  • WSAIoctl
  • #4
  • WSAAddressToStringW
  • #115
  • #22
  • #21
  • #2
  • #23
  • #112
  • #13
  • #16
  • freeaddrinfo
  • WSAEventSelect
  • #6
  • #1
Functions related to the privilege level:
  • OpenProcessToken
  • AdjustTokenPrivileges
Manipulates other processes:
  • ReadProcessMemory
  • WriteProcessMemory
  • Process32NextW
  • Process32FirstW
  • OpenProcess
Changes object ACLs:
  • SetNamedSecurityInfoW
Can take screenshots:
  • PrintWindow
  • GetDCEx
  • GetDC
  • CreateCompatibleDC
Reads the contents of the clipboard:
  • GetClipboardData
Interacts with the certificate store:
  • CertOpenSystemStoreW
Can shut the system down or lock the screen:
  • ExitWindowsEx
  • InitiateSystemShutdownExW
Suspicious The file contains overlay data. 512 bytes of data starting at offset 0x22a00.
The overlay data has an entropy of 7.59431 and is possibly compressed or encrypted.
Malicious VirusTotal score: 50/56 (Scanned on 2016-12-11 22:43:25)
Bkav: W32.Clodaf0.Trojan.0b84
MicroWorld-eScan: Gen:Variant.Kazy.165
CAT-QuickHeal: Trojan.Zbot.AJ3
McAfee: PWS-Zbot.gen.ds
Malwarebytes: Trojan.Zbot
VIPRE: Trojan-PWS.Win32.Zbot.aac (v)
K7GW: Backdoor ( 04c4ee7b1 )
K7AntiVirus: Backdoor ( 04c4ee7b1 )
TrendMicro: Cryp_Xin1
Baidu: Win32.Trojan.Zbot.a
F-Prot: W32/Zbot.BR.gen!Eldorado
Symantec: Infostealer
ESET-NOD32: a variant of Win32/Spy.Zbot.YW
TrendMicro-HouseCall: Cryp_Xin1
Avast: Sf:Crypt-BT [Trj]
ClamAV: Win.Spyware.Zbot-1275
Kaspersky: HEUR:Trojan.Win32.Generic
BitDefender: Gen:Variant.Kazy.165
NANO-Antivirus: Trojan.Win32.Panda.crlabi
Tencent: Win32.Trojan.Generic.Efli
Ad-Aware: Gen:Variant.Kazy.165
Sophos: Troj/PWS-BSF
Comodo: UnclassifiedMalware
F-Secure: Trojan-Spy:W32/Zbot.AVTH
DrWeb: Trojan.PWS.Panda.2319
Zillya: Trojan.Zbot.Win32.176075
Invincea: trojanspy.win32.nivdort.dd
McAfee-GW-Edition: BehavesLike.Win32.PWSZbot.ch
Emsisoft: Gen:Variant.Kazy.165 (B)
Cyren: W32/Zbot.BR.gen!Eldorado
Jiangmin: Trojan/Generic.afsjy
Avira: TR/Kazy.MK
Antiy-AVL: Trojan[:HEUR]/Win32.Unknown
Kingsoft: Win32.Troj.Undef.(kcloud)
Microsoft: PWS:Win32/Zbot!CI
Arcabit: Trojan.Kazy.165
AegisLab: Troj.W32.Generic!c
GData: Gen:Variant.Kazy.165
AhnLab-V3: Trojan/Win32.Zbot.R4880
ALYac: Gen:Variant.Kazy.165
AVware: Trojan-PWS.Win32.Zbot.aac (v)
VBA32: SScope.Trojan.FakeAV.01110
Rising: Trojan.Generic-1gUnVBPjxwU (cloud)
Yandex: TrojanSpy.Zbot!Jm6OqcJ0zBU
Ikarus: Trojan-Spy.Banker.Citadel
Fortinet: W32/Zbot.AT!tr
AVG: Win32/Cryptor
Panda: Generic Malware
CrowdStrike: malicious_confidence_100% (D)
Qihoo-360: HEUR/Malware.QVM20.Gen

Hashes

MD5 8fba76abdcfe0f2cf623f01086418638
SHA1 7683d209c3e743e4cafdfdf68c551b335071875a
SHA256 245c6816294ca374ba8a0ef57b85b20ff28c22222c13d83d913ea65a6bb6a9bb
SHA3 6e1cd6e9effb7d161af87735cb1889681cc2862133c3ea5c051ac7b134e1a03b
SSDeep 3072:2to8SmQmuKsg3Cw8OMduXlK8g6n4deylM/KzX3eQzTxk+QqU:2to8GmuKpRYuXlC6n4destT5Qx
Imports Hash a0b277f00482315f894834c8bac6ea95

DOS Header

e_magic MZ
e_cblp 0
e_cp 0
e_crlc 0
e_cparhdr 0
e_minalloc 0
e_maxalloc 0
e_ss 0
e_sp 0
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0xd8

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_I386
NumberofSections 3
TimeDateStamp 2012-May-22 14:47:29
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xe0
Characteristics IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE

Image Optional Header

Magic PE32
LinkerVersion 10.0
SizeOfCode 0x20a00
SizeOfInitializedData 0x3a00
SizeOfUninitializedData 0
AddressOfEntryPoint 0x0001BADD (Section: .text)
BaseOfCode 0x1000
BaseOfData 0x22000
ImageBase 0x400000
SectionAlignment 0x1000
FileAlignment 0x200
OperatingSystemVersion 5.1
ImageVersion 1.0
SubsystemVersion 5.1
Win32VersionValue 0
SizeOfImage 0x27000
SizeOfHeaders 0x400
Checksum 0
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
DllCharacteristics IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
SizeofStackReserve 0x100000
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

.text

MD5 83b6e51d38a3a34b9439466d2943fb72
SHA1 f44467f2d03d7ceb23a859a4386d8a6a488b4567
SHA256 f9159de8866a92e171a37a0b7c9551579f601354cb9004b84080159279f64ea9
SHA3 3bbac0f22cc4a169b02963198b782f73fa1ca9d4c15522371dd1fee502af45c0
VirtualSize 0x20884
VirtualAddress 0x1000
SizeOfRawData 0x20a00
PointerToRawData 0x400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
Entropy 6.70735

.data

MD5 6a8a0d12b8c64d3705d567de27b0e2e3
SHA1 3a3d57adaf35ab6f2308b5715ba0935e480e63e6
SHA256 c5ee5ad51d08aa1b26059320ac829f6c6f75957d45c4b61257912f816ca5764f
SHA3 5fea8ae402d9062b5d9e8f446dae70ba0e52a9b58b48301a2df5c1872806508a
VirtualSize 0x2064
VirtualAddress 0x22000
SizeOfRawData 0x400
PointerToRawData 0x20e00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 1.62066

.reloc

MD5 cf28fe8e6f08d647a690a20597d49068
SHA1 0b6f4489a0367cc5f9c4f9d0e67f24dae59fccad
SHA256 1fece1810720ccea76a20808873366e74b709207f9eb4a720c7913aa71209365
SHA3 7285c86552a5e013596c9e548faeb854cc3590308f31ff73f1ea0015cee76a12
VirtualSize 0x168c
VirtualAddress 0x25000
SizeOfRawData 0x1800
PointerToRawData 0x21200
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Entropy 5.65689

Imports

KERNEL32.dll FlushFileBuffers
GetEnvironmentVariableW
FileTimeToDosDateTime
GetTempFileNameW
HeapReAlloc
FindFirstFileW
SetEndOfFile
CreateProcessW
HeapAlloc
SystemTimeToFileTime
SetFilePointerEx
HeapFree
VirtualFree
GetProcessHeap
IsBadReadPtr
SetFileTime
VirtualQueryEx
Thread32First
WideCharToMultiByte
ReadProcessMemory
HeapDestroy
HeapCreate
Thread32Next
ReadFile
GetModuleFileNameW
GetTimeZoneInformation
GetPrivateProfileIntW
MultiByteToWideChar
WriteFile
GetFileSizeEx
OpenMutexW
GetLastError
VirtualProtectEx
VirtualAllocEx
FindClose
RemoveDirectoryW
FindNextFileW
VirtualProtect
GetFileTime
FileTimeToLocalFileTime
GetVolumeNameForVolumeMountPointW
DeleteFileW
GetFileInformationByHandle
WriteProcessMemory
GetCommandLineW
SetErrorMode
GetComputerNameW
OpenEventW
DuplicateHandle
GetCurrentProcessId
MoveFileExW
GetUserDefaultUILanguage
GetPrivateProfileStringW
SetFileAttributesW
GetVersionExW
GetNativeSystemInfo
ResetEvent
TerminateProcess
TlsSetValue
TlsGetValue
GetModuleHandleW
GlobalUnlock
GlobalLock
lstrcmpiW
WTSGetActiveConsoleSessionId
ReleaseMutex
SetLastError
GetTickCount
LoadLibraryA
CreateToolhelp32Snapshot
Process32NextW
Process32FirstW
OpenProcess
CreateRemoteThread
CreateThread
GetSystemTime
GetLocalTime
ExpandEnvironmentStringsW
GetTempPathW
LocalFree
GetProcAddress
lstrcmpiA
CreateFileW
GetFileAttributesW
Sleep
LoadLibraryW
CreateDirectoryW
FreeLibrary
ExitProcess
WaitForMultipleObjects
GetFileAttributesExW
GetProcessId
EnterCriticalSection
VirtualAlloc
LeaveCriticalSection
VirtualFreeEx
InitializeCriticalSection
SetThreadContext
GetThreadContext
TlsFree
CloseHandle
TlsAlloc
GetCurrentThreadId
CreateEventW
CreateFileMappingW
SetThreadPriority
GetCurrentThread
SetEvent
WaitForSingleObject
UnmapViewOfFile
MapViewOfFile
CreateMutexW
USER32.dll GetWindowInfo
GetClassLongW
GetCapture
SetCursorPos
GetWindowLongW
GetAncestor
PeekMessageW
PeekMessageA
SetWindowPos
SendMessageTimeoutW
IsWindow
ReleaseCapture
MapWindowPoints
GetMessagePos
IsRectEmpty
DrawIcon
GetIconInfo
GetParent
CharToOemW
MapVirtualKeyW
PostMessageW
RegisterClassExA
RegisterWindowMessageW
GetThreadDesktop
GetMenuItemID
IntersectRect
GetSubMenu
DefDlgProcW
DefFrameProcA
OpenInputDesktop
OpenDesktopW
CharLowerW
CharLowerBuffA
DrawEdge
CreateDesktopW
SetProcessWindowStation
CloseWindowStation
CreateWindowStationW
GetProcessWindowStation
CloseDesktop
SetThreadDesktop
OpenWindowStationW
GetTopWindow
LoadImageW
MsgWaitForMultipleObjects
WindowFromPoint
CharLowerA
CharUpperW
SetWindowLongW
GetWindow
DispatchMessageW
ExitWindowsEx
EqualRect
PrintWindow
GetMessageW
EndPaint
FillRect
GetCursorPos
GetUpdateRgn
GetWindowDC
BeginPaint
SetCapture
GetShellWindow
RegisterClassA
GetDCEx
TranslateMessage
GetKeyboardState
GetClipboardData
MenuItemFromPoint
GetDC
GetMenu
RegisterClassExW
GetMenuItemRect
TrackPopupMenuEx
SystemParametersInfoW
GetClassNameW
ReleaseDC
GetMenuState
DefWindowProcA
DefMDIChildProcW
SwitchDesktop
GetMenuItemCount
DefDlgProcA
PostThreadMessageW
DefMDIChildProcA
HiliteMenuItem
ToUnicode
GetSystemMetrics
GetMessageA
GetWindowRect
SetKeyboardState
GetWindowThreadProcessId
DefFrameProcW
DefWindowProcW
CallWindowProcW
EndMenu
CallWindowProcA
SendMessageW
GetUserObjectInformationW
RegisterClassW
GetUpdateRect
ADVAPI32.dll EqualSid
RegOpenKeyExW
RegEnumKeyExW
RegCloseKey
GetLengthSid
ConvertSidToStringSidW
InitiateSystemShutdownExW
CryptGetHashParam
OpenProcessToken
GetSidSubAuthority
CryptAcquireContextW
OpenThreadToken
GetSidSubAuthorityCount
GetTokenInformation
RegCreateKeyExW
CryptReleaseContext
RegQueryValueExW
CreateProcessAsUserW
InitializeSecurityDescriptor
SetSecurityDescriptorDacl
SetNamedSecurityInfoW
LookupPrivilegeValueW
CryptCreateHash
ConvertStringSecurityDescriptorToSecurityDescriptorW
GetSecurityDescriptorSacl
SetSecurityDescriptorSacl
CryptDestroyHash
AdjustTokenPrivileges
RegSetValueExW
CryptHashData
IsWellKnownSid
SHLWAPI.dll StrStrIW
StrCmpNIW
PathRenameExtensionW
wvnsprintfA
StrCmpNIA
PathMatchSpecW
PathRemoveBackslashW
PathUnquoteSpacesW
PathAddExtensionW
PathCombineW
SHDeleteKeyW
PathSkipRootW
SHDeleteValueW
PathAddBackslashW
PathFindFileNameW
PathIsDirectoryW
wvnsprintfW
UrlUnescapeA
PathIsURLW
PathQuoteSpacesW
StrStrIA
PathRemoveFileSpecW
SHELL32.dll ShellExecuteW
SHGetFolderPathW
CommandLineToArgvW
Secur32.dll GetUserNameExW
ole32.dll StringFromGUID2
CLSIDFromString
CoUninitialize
CoCreateInstance
CoInitializeEx
GDI32.dll SetViewportOrgEx
GdiFlush
CreateDIBSection
SetRectRgn
SaveDC
RestoreDC
DeleteDC
GetDeviceCaps
DeleteObject
SelectObject
GetDIBits
CreateCompatibleBitmap
CreateCompatibleDC
WS2_32.dll #20
#18
getaddrinfo
#17
#5
#111
#19
#3
WSASend
WSAIoctl
#4
WSAAddressToStringW
#115
#22
#21
#2
#23
#112
#13
#16
freeaddrinfo
WSAEventSelect
#6
#1
CRYPT32.dll CertDuplicateCertificateContext
CertEnumCertificatesInStore
CertCloseStore
CertOpenSystemStoreW
CertDeleteCertificateFromStore
PFXImportCertStore
CryptUnprotectData
PFXExportCertStoreEx
WININET.dll HttpAddRequestHeadersW
InternetSetStatusCallbackW
GetUrlCacheEntryInfoW
InternetQueryOptionA
InternetSetOptionA
InternetQueryOptionW
HttpSendRequestW
InternetReadFile
InternetReadFileExA
InternetQueryDataAvailable
HttpSendRequestExW
HttpSendRequestExA
InternetCloseHandle
InternetOpenA
HttpSendRequestA
HttpAddRequestHeadersA
HttpOpenRequestA
InternetCrackUrlA
InternetConnectA
HttpQueryInfoA
OLEAUT32.dll #8
#2
#9
#6
NETAPI32.dll NetApiBufferFree
NetUserEnum
NetUserGetInfo

Delayed Imports

Version Info

TLS Callbacks

Load Configuration

RICH Header

Errors
