Architecture | IMAGE_FILE_MACHINE_AMD64 |
---|---|
Subsystem | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date | 2016-Dec-20 01:13:50 |
Info | Cryptographic algorithms detected in the binary: uses constants related to SHA256; uses constants related to SHA512; uses constants related to AES; Microsoft's Cryptography API |
Suspicious | The PE contains functions most legitimate programs don't use. [!] The program may be hiding some of its imports: |
Malicious | VirusTotal score: 26/68 (Scanned on 2019-06-23 06:39:51) |

Engine | Detection |
---|---|
FireEye | Generic.mg.9456197d0f8b6cab |
McAfee | RDN/Generic.dx |
Alibaba | Trojan:Win64/LightNeuron.d09fad7b |
Cyren | W64/Trojan.CSTY-2755 |
Symantec | Trojan.Gen.MBT |
ESET-NOD32 | a variant of Win64/Turla.CC |
Avast | Win64:Trojan-gen |
Kaspersky | Trojan.Win64.LightNeuron.b |
AegisLab | Trojan.Win64.LightNeuron.4!c |
Tencent | Win64.Trojan.Lightneuron.Hryk |
McAfee-GW-Edition | RDN/Generic.dx |
Sophos | Mal/Generic-S |
Avira | BDS/Turla.muasi |
Fortinet | W32/LightNeuron.B!tr |
Endgame | malicious (high confidence) |
Microsoft | Trojan:Win32/Casdet!rfn |
ZoneAlarm | Trojan.Win64.LightNeuron.b |
TACHYON | Trojan/W64.LightNeuron.261120 |
MAX | malware (ai score=99) |
Cylance | Unsafe |
TrendMicro-HouseCall | Trojan.Win64.TURLA.AA |
Rising | Trojan.Turla!8.1C8 (CLOUD) |
Ikarus | Trojan.Win64.Turla |
GData | Win64.Trojan.Agent.09DLKK |
AVG | Win64:Trojan-gen |
Qihoo-360 | Win32/Trojan.068 |
e_magic | MZ |
---|---|
e_cblp | 0x90 |
e_cp | 0x3 |
e_crlc | 0 |
e_cparhdr | 0x4 |
e_minalloc | 0 |
e_maxalloc | 0xffff |
e_ss | 0 |
e_sp | 0xb8 |
e_csum | 0 |
e_ip | 0 |
e_cs | 0 |
e_ovno | 0 |
e_oemid | 0 |
e_oeminfo | 0 |
e_lfanew | 0xe8 |
Signature | PE |
---|---|
Machine | IMAGE_FILE_MACHINE_AMD64 |
NumberOfSections | 5 |
TimeDateStamp | 2016-Dec-20 01:13:50 |
PointerToSymbolTable | 0 |
NumberOfSymbols | 0 |
SizeOfOptionalHeader | 0xf0 |
Characteristics | IMAGE_FILE_DLL, IMAGE_FILE_EXECUTABLE_IMAGE, IMAGE_FILE_LARGE_ADDRESS_AWARE |
Magic | PE32+ |
---|---|
LinkerVersion | 9.0 |
SizeOfCode | 0x2ca00 |
SizeOfInitializedData | 0x19400 |
SizeOfUninitializedData | 0 |
AddressOfEntryPoint | 0x0000000000001000 (Section: .text) |
BaseOfCode | 0x1000 |
ImageBase | 0x180000000 |
SectionAlignment | 0x1000 |
FileAlignment | 0x200 |
OperatingSystemVersion | 5.2 |
ImageVersion | 0.0 |
SubsystemVersion | 5.2 |
Win32VersionValue | 0 |
SizeOfImage | 0x49000 |
SizeOfHeaders | 0x400 |
Checksum | 0 |
Subsystem | IMAGE_SUBSYSTEM_WINDOWS_GUI |
DllCharacteristics | IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE, IMAGE_DLLCHARACTERISTICS_NX_COMPAT |
SizeOfStackReserve | 0x100000 |
SizeOfStackCommit | 0x1000 |
SizeOfHeapReserve | 0x100000 |
SizeOfHeapCommit | 0x1000 |
LoaderFlags | 0 |
NumberOfRvaAndSizes | 16 |
DLL | Imported functions |
---|---|
CRYPT32.dll | CryptBinaryToStringA, CryptStringToBinaryA |
PSAPI.DLL | QueryWorkingSet |
ADVAPI32.dll | RegOpenKeyExA, CryptAcquireContextA, CryptGenRandom, CryptReleaseContext, RegCloseKey, RegQueryValueExW |
KERNEL32.dll | RtlUnwindEx, CreateFileA, SetFilePointer, lstrlenA, HeapAlloc, HeapFree, GetProcessHeap, WriteFile, GetTimeZoneInformation, GetLocalTime, CloseHandle, SetEvent, InitializeCriticalSection, TerminateThread, Sleep, CreateEventA, LeaveCriticalSection, GetFileAttributesA, ExitThread, FindFirstFileA, GetLastError, EnterCriticalSection, FindClose, LoadLibraryA, OpenEventA, FindNextFileA, DeleteCriticalSection, DeleteFileA, CreateThread, lstrcatA, GetProcAddress, GetModuleFileNameA, GetModuleHandleA, GetTempPathA, lstrcpyA, lstrcmpA, GetSystemDirectoryA, lstrlenW, GetTickCount, WaitForSingleObject, GetSystemInfo, OpenProcess, GetCurrentProcessId, MapViewOfFile, CreateFileMappingA, GetFileSize, UnmapViewOfFile, CreateProcessA, SetHandleInformation, CreatePipe, ReadFile, PeekNamedPipe, TerminateProcess, GetExitCodeProcess, MultiByteToWideChar, GetComputerNameW, GlobalFree, FreeLibrary, GetACP, lstrcmpiA, IsDBCSLeadByteEx, WideCharToMultiByte, GetCPInfo, IsValidCodePage, HeapReAlloc, GetStdHandle, GetCurrentDirectoryA, CreateFileW, CreateDirectoryA, SetFileTime, GetFileTime, GetFullPathNameA, CreateMutexA, ReleaseMutex |
USER32.dll | wvsprintfA, wsprintfA, OemToCharA, CharLowerA, CharLowerW, CharUpperA, IsCharAlphaA, IsCharAlphaNumericA, wvsprintfW |
Ordinal | Address |
---|---|
1 | 0x1040 |
2 | 0x1050 |
3 | 0xbf60 |
XOR Key | 0x62acddf0 |
---|---|
Unmarked objects | 0 |
ASM objects (VS2008 SP1 build 30729) | 1 |
Imports (VS2012 build 50727 / VS2005 build 50727) | 11 |
Total imports | 93 |
C objects (VS2008 SP1 build 30729) | 49 |
138 (VS2008 SP1 build 30729) | 4 |
Exports (VS2008 SP1 build 30729) | 1 |
Resource objects (VS2008 SP1 build 30729) | 1 |