| Architecture | IMAGE_FILE_MACHINE_AMD64 |
| Subsystem | IMAGE_SUBSYSTEM_WINDOWS_CUI |
| Compilation Date | 1970-Jan-01 00:00:00 |
| Debug artifacts | Embedded COFF debugging symbols |
| Info | Cryptographic algorithms detected in the binary: uses constants related to MD5, SHA1, SHA256, SHA512 and AES |
| Suspicious | The PE is possibly packed. Unusual section names found: /4, /18, /30, /43, /59, /75, /94, /106, .symtab |
| Suspicious | The PE contains functions most legitimate programs don't use. [!] The program may be hiding some of its imports: LoadLibraryA, LoadLibraryW, GetProcAddress. Also flagged, with no function names listed in the report: functions which can be used for anti-debugging purposes; leverages the raw socket API to access the Internet |
| Malicious | VirusTotal score: 4/67 (scanned on 2018-06-18 15:08:43). Cylance: Unsafe; TrendMicro-HouseCall: Suspicious_GEN.F47V0609; Jiangmin: Trojan.Mucc.afs; Antiy-AVL: Trojan[Backdoor]/Win32.Gorsh |
File hashes
| MD5 | 92818764a320ca57d8656d5700ffd281 |
| SHA1 | 0f00b7bf22cdf634018ad8d23a9ee125398e3aac |
| SHA256 | b7e6a4a1e42eb3847adf39df532ea6d6f2d5cd4b6dfc613860417b30c7fd1ac9 |
| SHA3 | 2c7c814760f606b4407e35ee0476b04ae5fd694c7283d7b44042fdd81f8a129a |
| SSDeep | 49152:Qt+kuLvMMdfUxQjhhESGknrjbYr/rBsKWiz5wkp4+mQkfU5mI0/aTtd7dkmd5y5:7dAQjnr+dsO6v88eLbU5FsXxDCisDGR |
| Imports Hash | 96c44fa1eee2c4e9b9e77d7bf42d59e6 |

DOS header
| e_magic | MZ |
| e_cblp | 0x90 |
| e_cp | 0x3 |
| e_crlc | 0x4 |
| e_cparhdr | 0 |
| e_minalloc | 0 |
| e_maxalloc | 0xffff |
| e_ss | 0 |
| e_sp | 0x8b |
| e_csum | 0 |
| e_ip | 0 |
| e_cs | 0 |
| e_ovno | 0 |
| e_oemid | 0 |
| e_oeminfo | 0 |
| e_lfanew | 0x80 |

PE header
| Signature | PE |
| Machine | IMAGE_FILE_MACHINE_AMD64 |
| NumberofSections | 12 |
| TimeDateStamp | 1970-Jan-01 00:00:00 |
| PointerToSymbolTable | 0x8dd600 |
| NumberOfSymbols | 11712 |
| SizeOfOptionalHeader | 0xf0 |
| Characteristics | IMAGE_FILE_DEBUG_STRIPPED, IMAGE_FILE_EXECUTABLE_IMAGE, IMAGE_FILE_LARGE_ADDRESS_AWARE, IMAGE_FILE_RELOCS_STRIPPED |

Optional header
| Magic | PE32+ |
| LinkerVersion | 3.0 |
| SizeOfCode | 0x5e3400 |
| SizeOfInitializedData | 0x3c000 |
| SizeOfUninitializedData | 0 |
| AddressOfEntryPoint | 0x0000000000055950 (Section: .text) |
| BaseOfCode | 0x1000 |
| ImageBase | 0x400000 |
| SectionAlignment | 0x1000 |
| FileAlignment | 0x200 |
| OperatingSystemVersion | 4.0 |
| ImageVersion | 1.0 |
| SubsystemVersion | 4.0 |
| Win32VersionValue | 0 |
| SizeOfImage | 0x98d000 |
| SizeOfHeaders | 0x600 |
| Checksum | 0 |
| Subsystem | IMAGE_SUBSYSTEM_WINDOWS_CUI |
| SizeofStackReserve | 0x200000 |
| SizeofStackCommit | 0x1000 |
| SizeofHeapReserve | 0x100000 |
| SizeofHeapCommit | 0x1000 |
| LoaderFlags | 0 |
| NumberOfRvaAndSizes | 16 |
Section headers (12 sections; the report gives no names for sections 2 to 12)

Section 1 (.text, contains the AddressOfEntryPoint)
| MD5 | fe10063f3775f5792d9319b631428342 |
| SHA1 | 77e445814ba5ad99b6fda9a41f4559f6a827b947 |
| SHA256 | 117589916ee33a40fa1ce38d209093a2c697afd978a3e7bc96cb9e79b005aadf |
| SHA3 | dce45c6b6c5db8ede2a273c84bdb0b9d744d4e99c0916dfbb9bfd52572452a1d |
| VirtualSize | 0x5e32a6 |
| VirtualAddress | 0x1000 |
| SizeOfRawData | 0x5e3400 |
| PointerToRawData | 0x600 |
| PointerToRelocations | 0 |
| PointerToLineNumbers | 0 |
| NumberOfLineNumbers | 0 |
| NumberOfRelocations | 0 |
| Characteristics | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| Entropy | 5.88491 |

Section 2
| MD5 | 6c88423b0c9240d795e99a9110f00b7c |
| SHA1 | 736229abe291e5699d2830e8731f4cce66de6b3e |
| SHA256 | 8ac55f2dcd81034c811ac6fed95d27baaf523adc47148b1c88ebdaf740b1bd5a |
| SHA3 | 4b4b6fba7745311d217bbab03b0751566448c990bb59a4775ae669a01d75d12d |
| VirtualSize | 0x5ccb8 |
| VirtualAddress | 0x5e5000 |
| SizeOfRawData | 0x3c000 |
| PointerToRawData | 0x5e3a00 |
| PointerToRelocations | 0 |
| PointerToLineNumbers | 0 |
| NumberOfLineNumbers | 0 |
| NumberOfRelocations | 0 |
| Characteristics | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| Entropy | 5.10622 |

Section 3
| MD5 | 5297c917947d98d48aa44033a6f61bb4 |
| SHA1 | 2bd5ade2e7b4f92b3449bac367ede6eacf41ff97 |
| SHA256 | f08eec20b7dc1a292a88976cc2169472e930495a36f7ca7101f408b08a4f9611 |
| SHA3 | 4dcbc1c7615a794f528676a6eab593f555840a251f425fdd86b10ba7bad57606 |
| VirtualSize | 0x1b5 |
| VirtualAddress | 0x642000 |
| SizeOfRawData | 0x200 |
| PointerToRawData | 0x61fa00 |
| PointerToRelocations | 0 |
| PointerToLineNumbers | 0 |
| NumberOfLineNumbers | 0 |
| NumberOfRelocations | 0 |
| Characteristics | IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| Entropy | 4.23636 |

Section 4
| MD5 | 512aa7f660281b1b8d8381173e129c87 |
| SHA1 | 82e70239da85e62f733ce6f520f829d7635ade17 |
| SHA256 | 3a7bffe3be7db4c91b8a316002750f875353d13f53f2bb2b13ea61fc49b1d08a |
| SHA3 | 29edf77fcaffcf460f468ad2e4b88ed729b53b2c71177d07a08ef949f4609102 |
| VirtualSize | 0x5007a |
| VirtualAddress | 0x643000 |
| SizeOfRawData | 0x50200 |
| PointerToRawData | 0x61fc00 |
| PointerToRelocations | 0 |
| PointerToLineNumbers | 0 |
| NumberOfLineNumbers | 0 |
| NumberOfRelocations | 0 |
| Characteristics | IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| Entropy | 6.56331 |

Section 5
| MD5 | 81ed187f4a50162509e173650f8f4d7d |
| SHA1 | 41fa89f38001114aada586a0c730d2e9c84acbfe |
| SHA256 | 975adbc45b19ee8a3e1073d01148c61e6aa14718ed7d6a95f37ebfe4d3c718af |
| SHA3 | b9638aaf85f3080f254cf29c625786434ef0ee13bb1d81f7e813131edb46577d |
| VirtualSize | 0x576b4 |
| VirtualAddress | 0x694000 |
| SizeOfRawData | 0x57800 |
| PointerToRawData | 0x66fe00 |
| PointerToRelocations | 0 |
| PointerToLineNumbers | 0 |
| NumberOfLineNumbers | 0 |
| NumberOfRelocations | 0 |
| Characteristics | IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| Entropy | 3.72394 |

Section 6
| MD5 | 89b5c4e0807af35ee3e020c962330db7 |
| SHA1 | 5678cbd3ab4f092e4329ef0a41c201bce7720b1f |
| SHA256 | 2fe93e2d432b56d29857a17c8a6df2e731cb8cddaa51960984d942770e591b33 |
| SHA3 | 8e9a937d94f52934428818535f2514d41300cd3fab3077f4e43f780808669cd4 |
| VirtualSize | 0x1d8f2 |
| VirtualAddress | 0x6ec000 |
| SizeOfRawData | 0x1da00 |
| PointerToRawData | 0x6c7600 |
| PointerToRelocations | 0 |
| PointerToLineNumbers | 0 |
| NumberOfLineNumbers | 0 |
| NumberOfRelocations | 0 |
| Characteristics | IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| Entropy | 5.42416 |

Section 7
| MD5 | cbc2f0711720f4a671e0f5b65997f2d6 |
| SHA1 | 75a50693c6edef0396c3156307284ae669abc58d |
| SHA256 | 54d070113d82079855226491dd3d0d9685fbdf3ddc0aa48098d383e2e9befa03 |
| SHA3 | 0c956c38add454c73c8c1b32de9f0cf4bf3a296b181ea5b0a279ac6358191869 |
| VirtualSize | 0x33f14 |
| VirtualAddress | 0x70a000 |
| SizeOfRawData | 0x34000 |
| PointerToRawData | 0x6e5000 |
| PointerToRelocations | 0 |
| PointerToLineNumbers | 0 |
| NumberOfLineNumbers | 0 |
| NumberOfRelocations | 0 |
| Characteristics | IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| Entropy | 5.48403 |

Section 8
| MD5 | d55036c917e5c260dc3a3446984c1111 |
| SHA1 | e26f5f67ee450dc4c66462082a59e0baf15fefae |
| SHA256 | 4b87402c03c1c337134d9374db1c0cf8a4a3e7d3444cb7b5374a2029d1742dbe |
| SHA3 | c50685a70411476d6daea88c34d7fa0c0d3dfb0552b4045fd12133b99a7268a8 |
| VirtualSize | 0x2a |
| VirtualAddress | 0x73e000 |
| SizeOfRawData | 0x200 |
| PointerToRawData | 0x719000 |
| PointerToRelocations | 0 |
| PointerToLineNumbers | 0 |
| NumberOfLineNumbers | 0 |
| NumberOfRelocations | 0 |
| Characteristics | IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| Entropy | 0.74559 |

Section 9
| MD5 | f6bf10378fe89b5d568b50d775c2ed12 |
| SHA1 | 8626a763344cfa4367facdbf372e4bcc46d7bc60 |
| SHA256 | 1b146ca95fc73e09c6d6329b5c4a54fa0cc0a9be6cac330dd5146215541b2ca9 |
| SHA3 | 1bfd8c0f5841a2611dce69e4536d320f35867261425280150c14019b5d171b19 |
| VirtualSize | 0x199aa4 |
| VirtualAddress | 0x73f000 |
| SizeOfRawData | 0x199c00 |
| PointerToRawData | 0x719200 |
| PointerToRelocations | 0 |
| PointerToLineNumbers | 0 |
| NumberOfLineNumbers | 0 |
| NumberOfRelocations | 0 |
| Characteristics | IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| Entropy | 5.74151 |

Section 10
| MD5 | 3c3bf06dc167caa59aa21fe41db9d63d |
| SHA1 | e652be50415a9af2eaa06916b65feebce718ce34 |
| SHA256 | f1174c25f4f74e24ffc3c74c428dd75a925643b1e519ec463f69018d643c1871 |
| SHA3 | 6ad7a6fe6a449924eeb86ee6266c6ac911fc7077eb629b9fcdbfeaa33ce70f86 |
| VirtualSize | 0x2a340 |
| VirtualAddress | 0x8d9000 |
| SizeOfRawData | 0x2a400 |
| PointerToRawData | 0x8b2e00 |
| PointerToRelocations | 0 |
| PointerToLineNumbers | 0 |
| NumberOfLineNumbers | 0 |
| NumberOfRelocations | 0 |
| Characteristics | IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| Entropy | 2.31071 |

Section 11
| MD5 | 2df17de52480e66143dccfcc1448c999 |
| SHA1 | fd5ddfd28f54ecb59a21888d58667ed9c74e51dd |
| SHA256 | cd05c569f29871c4440b7402ea4ade83054a949d494fe512d5c48d3c4e55c376 |
| SHA3 | 3764ec328ccb9a5da178360b330ac0858de5c9ac538dad33eeb5855c61883913 |
| VirtualSize | 0x3fe |
| VirtualAddress | 0x904000 |
| SizeOfRawData | 0x400 |
| PointerToRawData | 0x8dd200 |
| PointerToRelocations | 0 |
| PointerToLineNumbers | 0 |
| NumberOfLineNumbers | 0 |
| NumberOfRelocations | 0 |
| Characteristics | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| Entropy | 4.27157 |

Section 12
| MD5 | c383948ca92e9852358a19340dfa4ec4 |
| SHA1 | 9e461d5067d41b32088cffc0ccac27e4dacbb81f |
| SHA256 | a20cef2149e46a97fd0fe8eb2175e047c3acce18bd3196ff0c42d2902b5b976c |
| SHA3 | dcefa0cbeed166078a30fa71b701ea0481ee9cff40c9925d113c92b3ffc253d3 |
| VirtualSize | 0x87811 |
| VirtualAddress | 0x905000 |
| SizeOfRawData | 0x87a00 |
| PointerToRawData | 0x8dd600 |
| PointerToRelocations | 0 |
| PointerToLineNumbers | 0 |
| NumberOfLineNumbers | 0 |
| NumberOfRelocations | 0 |
| Characteristics | IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| Entropy | 5.39581 |

Imports
| winmm.dll | timeEndPeriod, timeBeginPeriod |
| ws2_32.dll | WSAGetOverlappedResult |
| kernel32.dll | WriteFile, WriteConsoleW, WaitForSingleObject, VirtualFree, VirtualAlloc, SwitchToThread, SetWaitableTimer, SetUnhandledExceptionFilter, SetProcessPriorityBoost, SetEvent, SetErrorMode, SetConsoleCtrlHandler, LoadLibraryA, LoadLibraryW, GetSystemInfo, GetStdHandle, GetQueuedCompletionStatus, GetProcessAffinityMask, GetProcAddress, GetEnvironmentStringsW, GetConsoleMode, FreeEnvironmentStringsW, ExitProcess, DuplicateHandle, CreateThread, CreateIoCompletionPort, CreateEventA, CloseHandle, AddVectoredExceptionHandler |

[*] Warning: Tried to read outside the COFF string table to get the name of section /4!
[*] Warning: Tried to read outside the COFF string table to get the name of section /18!
[*] Warning: Tried to read outside the COFF string table to get the name of section /30!
[*] Warning: Tried to read outside the COFF string table to get the name of section /43!
[*] Warning: Tried to read outside the COFF string table to get the name of section /59!
[*] Warning: Tried to read outside the COFF string table to get the name of section /75!
[*] Warning: Tried to read outside the COFF string table to get the name of section /94!
[*] Warning: Tried to read outside the COFF string table to get the name of section /106!