| Field | Value |
|---|---|
| Architecture | IMAGE_FILE_MACHINE_I386 |
| Subsystem | IMAGE_SUBSYSTEM_WINDOWS_CUI |
| Compilation Date | 2010-Feb-23 15:26:08 |
| Detected languages | English - United Kingdom |
| Debug artifacts | Embedded COFF debugging symbols |

Suspicious: Strings found in the binary may indicate undesirable behavior:
- May have dropper capabilities:

Malicious: The PE contains functions mostly used by malware.
- Can access the registry:
  - RegCloseKey
  - RegDeleteValueW
  - RegEnumValueW
  - RegOpenKeyExW
  - RegQueryInfoKeyW
  - RegQueryValueExW
  - RegSetValueExW
- Possibly launches other programs:
- Functions related to the privilege level:
  - AdjustTokenPrivileges
  - OpenProcessToken
- Interacts with services:
  - ChangeServiceConfigW
  - OpenSCManagerW
  - OpenServiceW
  - QueryServiceConfigW
  - QueryServiceStatus
- Manipulates other processes:
  - OpenProcess
  - EnumProcesses
- Can shut the system down or lock the screen:

Suspicious: The file contains overlay data.
- 25901 bytes of data starting at offset 0x6000.

Suspicious: VirusTotal score: 1/69 (Scanned on 2019-07-23 17:13:16)
- VBA32: TScope.Malware-Cryptor.SB

| Field | Value |
|---|---|
| MD5 | 9146f21288ab749c4c729343f5f285a1 |
| SHA1 | 3d25e366c1195fc246f91c74d78163b9864db7cb |
| SHA256 | acd6bb404942e46ec1072107908575c6873db789893102e34a49e9335b7354a3 |
| SHA3 | eb317b0a058b2849e935cb716f88d7cf49148775d0a01f58837fb63a88422756 |
| SSDeep | 768:kU4RhwrBHL6L3g05/43TDPo4eBoM+qrW4bxaeHefIwrQKmr:yRyVHmL3g05QHEBf5rvseHefI2Qt |
| Imports Hash | 20eab2e5bf9e1ed56997ee7917857187 |

| Field | Value |
|---|---|
| e_magic | MZ |
| e_cblp | 0x90 |
| e_cp | 0x3 |
| e_crlc | 0 |
| e_cparhdr | 0x4 |
| e_minalloc | 0 |
| e_maxalloc | 0xffff |
| e_ss | 0 |
| e_sp | 0xb8 |
| e_csum | 0 |
| e_ip | 0 |
| e_cs | 0 |
| e_ovno | 0 |
| e_oemid | 0 |
| e_oeminfo | 0 |
| e_lfanew | 0x80 |

| Field | Value |
|---|---|
| Signature | PE |
| Machine | IMAGE_FILE_MACHINE_I386 |
| NumberofSections | 6 |
| TimeDateStamp | 2010-Feb-23 15:26:08 |
| PointerToSymbolTable | 0x6000 |
| NumberOfSymbols | 1194 |
| SizeOfOptionalHeader | 0xe0 |
| Characteristics | IMAGE_FILE_32BIT_MACHINE, IMAGE_FILE_DEBUG_STRIPPED, IMAGE_FILE_EXECUTABLE_IMAGE, IMAGE_FILE_LINE_NUMS_STRIPPED, IMAGE_FILE_RELOCS_STRIPPED |

| Field | Value |
|---|---|
| Magic | PE32 |
| LinkerVersion | 2.0 |
| SizeOfCode | 0x3200 |
| SizeOfInitializedData | 0x5c00 |
| SizeOfUninitializedData | 0x200 |
| AddressOfEntryPoint | 0x00001220 (Section: .text) |
| BaseOfCode | 0x1000 |
| BaseOfData | 0x5000 |
| ImageBase | 0x400000 |
| SectionAlignment | 0x1000 |
| FileAlignment | 0x200 |
| OperatingSystemVersion | 4.0 |
| ImageVersion | 1.0 |
| SubsystemVersion | 4.0 |
| Win32VersionValue | 0 |
| SizeOfImage | 0xb000 |
| SizeOfHeaders | 0x400 |
| Checksum | 0x1b022 |
| Subsystem | IMAGE_SUBSYSTEM_WINDOWS_CUI |
| SizeofStackReserve | 0x200000 |
| SizeofStackCommit | 0x1000 |
| SizeofHeapReserve | 0x100000 |
| SizeofHeapCommit | 0x1000 |
| LoaderFlags | 0 |
| NumberOfRvaAndSizes | 16 |

| Field | Value |
|---|---|
| MD5 | 5aef84287aadb3385b7b2f46d7ae3f67 |
| SHA1 | deba4f8a9329d16dc02787986a8726c6fb747075 |
| SHA256 | fc21af3be2e9519a9e4a099d7c046ec4da8accb783781deed1667799734eddf7 |
| SHA3 | b5d44c43fdbd181479b175de1d9b5398ee814e6eef398cfd51f66256a2cf23ec |
| VirtualSize | 0x30d4 |
| VirtualAddress | 0x1000 |
| SizeOfRawData | 0x3200 |
| PointerToRawData | 0x400 |
| PointerToRelocations | 0 |
| PointerToLineNumbers | 0 |
| NumberOfLineNumbers | 0 |
| NumberOfRelocations | 0 |
| Characteristics | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| Entropy | 5.37716 |

| Field | Value |
|---|---|
| MD5 | 6c36ab33351b44901e89c97ec08acfa7 |
| SHA1 | 4a8770240d5423078a43f7f6c005722832d27ac6 |
| SHA256 | 3b26e4673c4bbd26116132de18f1b5f07f65542cc427af27dc44fcdb83c0e7a2 |
| SHA3 | dfe0c395553fd63421fd6d024ce651ff034a7c2af5618a309f1e59a05c2657e6 |
| VirtualSize | 0xa0 |
| VirtualAddress | 0x5000 |
| SizeOfRawData | 0x200 |
| PointerToRawData | 0x3600 |
| PointerToRelocations | 0 |
| PointerToLineNumbers | 0 |
| NumberOfLineNumbers | 0 |
| NumberOfRelocations | 0 |
| Characteristics | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| Entropy | 0.9073 |

| Field | Value |
|---|---|
| MD5 | e84ef6eb52163c6e266da507eb6a0c2a |
| SHA1 | 2f57e65b7e5739854d51120c87cdce12d6d46c1e |
| SHA256 | 05894cb5ff4e4f8e43b11e53f363ab603586e0b2a55f40f0312f662933b34bf1 |
| SHA3 | 70ea59842dc4da5c7641fcd26ffe12a94d159cae041be264d677f5349a825a8f |
| VirtualSize | 0x16e0 |
| VirtualAddress | 0x6000 |
| SizeOfRawData | 0x1800 |
| PointerToRawData | 0x3800 |
| PointerToRelocations | 0 |
| PointerToLineNumbers | 0 |
| NumberOfLineNumbers | 0 |
| NumberOfRelocations | 0 |
| Characteristics | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| Entropy | 3.36441 |

| Field | Value |
|---|---|
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA3 | a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a |
| VirtualSize | 0xd0 |
| VirtualAddress | 0x8000 |
| SizeOfRawData | 0 |
| PointerToRawData | 0 |
| PointerToRelocations | 0 |
| PointerToLineNumbers | 0 |
| NumberOfLineNumbers | 0 |
| NumberOfRelocations | 0 |
| Characteristics | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |

| Field | Value |
|---|---|
| MD5 | 2ba6261d8a39ffffd2728eaf114e2521 |
| SHA1 | 027a94277cf65c903e57477d0ea40b982f6dbf9e |
| SHA256 | eb1c0e80b70d7dce08407fd349742547727889295ee46a6a85495189ed713c05 |
| SHA3 | 4ee0c23d814436d8d4d9bf83f98043ff99e31cfa47c1ae4b49fdc645b15c8405 |
| VirtualSize | 0x9bc |
| VirtualAddress | 0x9000 |
| SizeOfRawData | 0xa00 |
| PointerToRawData | 0x5000 |
| PointerToRelocations | 0 |
| PointerToLineNumbers | 0 |
| NumberOfLineNumbers | 0 |
| NumberOfRelocations | 0 |
| Characteristics | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| Entropy | 4.75524 |

| Field | Value |
|---|---|
| MD5 | cada56fa58356acc24bfa09a9e285f49 |
| SHA1 | 1bc38ae42fc819b4ad0ccc7ccdb8c812c1d3a87d |
| SHA256 | e6a8c8e397d4982e6ac9d80beecc010bc92f24696812d9e436b95e8dae104d8a |
| SHA3 | 30c2945d99a0b0a6541e7c1abfb25002a184d956b8f9eceea478969af2b36cf5 |
| VirtualSize | 0x540 |
| VirtualAddress | 0xa000 |
| SizeOfRawData | 0x600 |
| PointerToRawData | 0x5a00 |
| PointerToRelocations | 0 |
| PointerToLineNumbers | 0 |
| NumberOfLineNumbers | 0 |
| NumberOfRelocations | 0 |
| Characteristics | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| Entropy | 3.86556 |

| DLL | Imported functions |
|---|---|
| ADVAPI32.DLL | AdjustTokenPrivileges, AllocateAndInitializeSid, ChangeServiceConfigW, EqualSid, FreeSid, GetTokenInformation, LookupPrivilegeValueW, OpenProcessToken, OpenSCManagerW, OpenServiceW, QueryServiceConfigW, QueryServiceStatus, RegCloseKey, RegDeleteValueW, RegEnumValueW, RegOpenKeyExW, RegQueryInfoKeyW, RegQueryValueExW, RegSetValueExW |
| KERNEL32.dll | AddAtomA, CloseHandle, CreateMutexW, CreateProcessW, CreateThread, DeleteFileW, ExitProcess, ExpandEnvironmentStringsW, FindAtomA, FindClose, FindFirstFileW, FindNextFileW, GetAtomNameA, GetConsoleWindow, GetCurrentProcess, GetLastError, GetLocalTime, OpenProcess, SetLastError, SetUnhandledExceptionFilter |
| msvcrt.dll | __getmainargs, __p__environ, __p__fmode, __set_app_type, _cexit, _iob, _onexit, _setmode, _wcsicmp, _wfopen, _wtoi, abort, atexit, calloc, fclose, fflush, fgetc, fgetwc, fprintf, free, fseek, ftell, fwprintf, fwrite, malloc, memset, rewind, signal, strlen, wcscat, wcschr, wcscmp, wcscpy, wcslen |
| PSAPI.DLL | EnumProcesses, GetModuleFileNameExW |
| USER32.dll | DialogBoxParamW, EnableWindow, EndDialog, ExitWindowsEx, GetDlgItem, MessageBoxW, ShowWindow, wsprintfW |

| Field | Value |
|---|---|
| Type | RT_DIALOG |
| Language | English - United Kingdom |
| Codepage | UNKNOWN |
| Size | 0x300 |
| TimeDateStamp | 2010-Feb-23 15:26:08 |
| Entropy | 3.37714 |
| MD5 | ba04ba1344e50aee648d06ee4d358cd8 |
| SHA1 | c92decdc0f548a340d0314b126ef67bb95b29f97 |
| SHA256 | acde68db0d1f600d49305178445ca02207084021b841f76877a06c1a47a5ee14 |
| SHA3 | b6548d08b21a41b3dc26e250fd7ad156c530c164952e230bfe2b7b83162424f8 |

| Field | Value |
|---|---|
| Type | RT_MANIFEST |
| Language | English - United Kingdom |
| Codepage | UNKNOWN |
| Size | 0x19e |
| TimeDateStamp | 2010-Feb-23 15:26:08 |
| Entropy | 4.79649 |
| MD5 | 3ef0a1202be0fbcb984e48a58ef4857f |
| SHA1 | ba3b48a832a0673367bf0f85d8cc5d1c79c2c105 |
| SHA256 | e5d6ee2327449058c673492fafb47612ebd7a58a428d4dcbd4e26b144134deef |
| SHA3 | 1b629a84fe26a6dbfa26041bc169ca12566316b47cc996296bf87eff3ac7c6e9 |

[*] Warning: COFF symbol's section number is bigger than the number of sections!
[*] Warning: COFF String Table's reported size is bigger than the remaining bytes!
[*] Warning: Section .bss has a size of 0!