9676b403ae91208597c6139c8d6d85ea

Summary

Architecture IMAGE_FILE_MACHINE_I386
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date 2019-Jan-24 23:00:05

Plugin Output

Info Libraries used to perform cryptographic operations: Microsoft's Cryptography API
Suspicious The PE is possibly packed. Unusual section name found: CODE
Unusual section name found: CONST
Unusual section name found: .crt2
Malicious The PE contains functions mostly used by malware. Functions which can be used for anti-debugging purposes:
  • FindWindowW
Code injection capabilities (PowerLoader):
  • FindWindowW
  • GetWindowLongW
  • GetWindowLongA
Possibly launches other programs:
  • system
Uses Microsoft's cryptographic API:
  • CryptDestroyKey
Interacts with services:
  • EnumServicesStatusExW
Can shut the system down or lock the screen:
  • InitiateSystemShutdownA
  • LockWorkStation
Malicious VirusTotal score: 52/70 (Scanned on 2019-02-08 14:26:08)
MicroWorld-eScan: Trojan.GenericKD.40991140
CAT-QuickHeal: Trojan.Emotet.X4
ALYac: Trojan.Agent.Emotet
Malwarebytes: Trojan.Emotet.Generic
K7GW: Trojan ( 0053c4bc1 )
K7AntiVirus: Trojan ( 0053c4bc1 )
TrendMicro: TrojanSpy.Win32.EMOTET.THOBEAI
Cyren: W32/Trojan.RAMG-2034
Symantec: Trojan.Emotet
TrendMicro-HouseCall: TrojanSpy.Win32.EMOTET.THOBEAI
Paloalto: generic.ml
Kaspersky: Trojan-Banker.Win32.Emotet.cbst
BitDefender: Trojan.GenericKD.40991140
NANO-Antivirus: Trojan.Win32.Emotet.fmlqbv
Avast: Win32:Dropper-gen [Drp]
Tencent: Win32.Trojan-banker.Emotet.Htlu
Ad-Aware: Trojan.GenericKD.40991140
Emsisoft: Trojan.GenericKD.40991140 (B)
Comodo: Malware@#19i56f1c0vy3y
F-Secure: Trojan.TR/AD.Emotet.yhvhw
DrWeb: Trojan.DownLoader27.26274
Zillya: Trojan.Emotet.Win32.12579
Invincea: heuristic
McAfee-GW-Edition: BehavesLike.Win32.Generic.dh
Trapmine: malicious.high.ml.score
Ikarus: Trojan-Banker.Emotet
Webroot: W32.Trojan.Emotet
Avira: TR/AD.Emotet.yhvhw
Fortinet: W32/Emotet.BN!tr
Antiy-AVL: Trojan[Banker]/Win32.Emotet
Endgame: malicious (high confidence)
Arcabit: Trojan.Generic.D27179A4
ViRobot: Trojan.Win32.Z.Emotet.222208.C
ZoneAlarm: Trojan-Banker.Win32.Emotet.cbst
Microsoft: Trojan:Win32/Emotet.EF
Sophos: Troj/Emotet-AWQ
AhnLab-V3: Malware/Gen.Generic.C2971356
Acronis: suspicious
McAfee: Emotet-FLT!9676B403AE91
MAX: malware (ai score=96)
VBA32: BScope.Trojan.Refinka
Cylance: Unsafe
ESET-NOD32: Win32/Emotet.BN
Rising: Trojan.Emotet!8.B95 (TFE:1:KvvtajH4ZtE)
SentinelOne: static engine - malicious
eGambit: Unsafe.AI_Score_99%
GData: Trojan.GenericKD.40991140
AVG: Win32:Dropper-gen [Drp]
Cybereason: malicious.3ae912
Panda: Trj/Genetic.gen
CrowdStrike: malicious_confidence_100% (W)
Qihoo-360: Win32/Trojan.Dropper.c9f

Hashes

MD5 9676b403ae91208597c6139c8d6d85ea
SHA1 692e26afb749ed56e6d52d1f47348a4ba1ecfb2b
SHA256 9cd0a2533aad434427d8f75f68ed876455197b1d28d9b99d510ae7affa2799cd
SHA3 932c2a7c46d66811d9d3f060caab2f04513d67afcfa7e7da81c4dabdcb65dee8
SSDeep 3072:11VEIrLOu4eHNzuaz3xvPa8VfGisTdZEyIQJ0RYqsuEcMMWvoXro4Uuetw40a95:P3tS8VfsPEIJBuEcMMWvoF4twX
Imports Hash e26318534dbbf80508efb69f78477e0b

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0x80

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_I386
NumberofSections 4
TimeDateStamp 2019-Jan-24 23:00:05
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xe0
Characteristics IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_SYSTEM

Image Optional Header

Magic PE32
LinkerVersion 12.0
SizeOfCode 0x1a200
SizeOfInitializedData 0x1e400
SizeOfUninitializedData 0
AddressOfEntryPoint 0x00013F6F (Section: .text)
BaseOfCode 0x1000
BaseOfData 0x1c000
ImageBase 0x400000
SectionAlignment 0x1000
FileAlignment 0x200
OperatingSystemVersion 5.1
ImageVersion 0.0
SubsystemVersion 5.0
Win32VersionValue 0
SizeOfImage 0x3c000
SizeOfHeaders 0x400
Checksum 0
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
DllCharacteristics IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
SizeofStackReserve 0x100000
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

.text

MD5 6485539244198c41f9e9db04054516af
SHA1 7e738dbd3b73a1bb6314100bfabf6566a4e00799
SHA256 c365a49e44d105096246a29c328eeec39a337a1a243be9609b46102a2a7b9a2a
SHA3 4ee724c87a5afe1fb35d0e948c40e39ba115abedf6d69a721be41502a7d02bc1
VirtualSize 0x1a198
VirtualAddress 0x1000
SizeOfRawData 0x1a200
PointerToRawData 0x400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
Entropy 4.53869

CODE

MD5 36813575ce9c60f359013edc6f44a50c
SHA1 d3c89487cfe0b27566d72b7e73fd7a995f099d8f
SHA256 ce90a5881f6cd3fea6e1bbdfcfef49c517972c0bdcf3af8a66ccce61b38c4edb
SHA3 2f541e1b6b217fd2030e1622ee864726c7a88b7a2b890ef598bbbdae5121a4bf
VirtualSize 0x42b8
VirtualAddress 0x1c000
SizeOfRawData 0x1e00
PointerToRawData 0x1a600
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 5.73194

CONST

MD5 83f06c6accee8dc4851085689f7f4a74
SHA1 f03af92837e832c7d37409a6777271100f4a036b
SHA256 7b182d9f6be2eb9a02fef857634b4c652ee39463b0b3663586e642e19aa6718b
SHA3 64b6c8d2f0f76e823b8d5ba866bdf3fb5a77bade05963dad445ba5ef65039057
VirtualSize 0x1c1c
VirtualAddress 0x21000
SizeOfRawData 0x1e00
PointerToRawData 0x1c400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_GPREL
IMAGE_SCN_LNK_COMDAT
IMAGE_SCN_LNK_INFO
IMAGE_SCN_MEM_READ
IMAGE_SCN_TYPE_GROUP
IMAGE_SCN_TYPE_NOLOAD
Entropy 5.3795

.crt2

MD5 605dcf99b25389b2bc22398ef7a8d3d6
SHA1 f5917f191cfd2ccb45474d2ad0506dad789a8f3f
SHA256 243afd9b330442d1c0a904ee325cbb625626cca4313849267d7306b938950a21
SHA3 3e6472ed329a59862295699758333d3e3321db461c263a8bd1432dcae097cba6
VirtualSize 0x18010
VirtualAddress 0x23000
SizeOfRawData 0x18200
PointerToRawData 0x1e200
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
IMAGE_SCN_TYPE_COPY
IMAGE_SCN_TYPE_DSECT
IMAGE_SCN_TYPE_GROUP
IMAGE_SCN_TYPE_NOLOAD
IMAGE_SCN_TYPE_NO_PAD
Entropy 7.97716

Imports

Secur32.dll FreeCredentialsHandle
ole32.dll CoUninitialize
CoInitialize
CoCreateInstance
CoInitializeEx
SHELL32.dll ExtractAssociatedIconA
ExtractIconExA
ExtractIconA
msvcrt.dll ungetwc
towupper
system
mbtowc
strcspn
strncmp
mscms.dll GetColorDirectoryW
GetColorProfileHeader
GetColorProfileElement
GDI32.dll StrokePath
GetPixel
GetRasterizerCaps
GetTextCharset
DeleteColorSpace
GetTextExtentExPointI
CreateCompatibleBitmap
GetPolyFillMode
GetTextExtentExPointW
GetCharWidthW
ExtEscape
GetLogColorSpaceA
GetTextExtentPointA
GetTextCharsetInfo
GetRegionData
GetFontData
GdiSetBatchLimit
GetCurrentPositionEx
GetCharWidthFloatA
GetBkColor
GetClipBox
GetLayout
InvertRgn
SetROP2
DescribePixelFormat
WINSPOOL.DRV DeletePrinterDriverW
FindClosePrinterChangeNotification
DeletePrinter
OLEAUT32.dll #309
#162
#183
WININET.dll FindNextUrlCacheGroup
GetUrlCacheEntryInfoA
DeleteUrlCacheEntryW
FindFirstUrlCacheEntryW
KERNEL32.dll IsThreadAFiber
LocaleNameToLCID
GetPrivateProfileStringA
GetUserDefaultLangID
DefineDosDeviceW
GetSystemWindowsDirectoryA
GetSystemTimes
CreateFileMappingW
GlobalFindAtomA
GetTimeFormatW
GetModuleHandleW
NotifyUILanguageChange
TransmitCommChar
GetConsoleMode
GetSystemInfo
LocalAlloc
GlobalAddAtomW
GetFileAttributesExW
EnumResourceNamesW
CreateThread
FindActCtxSectionStringW
FindAtomW
WriteProfileSectionA
GetProfileStringW
EnumSystemGeoID
lstrcpynA
GetTempFileNameA
GetAtomNameA
VirtualFree
lstrcpynW
GetCurrentProcess
WriteProfileStringW
lstrcatW
GetConsoleOutputCP
FileTimeToDosDateTime
GlobalHandle
GetConsoleCursorInfo
lstrcmpW
MapViewOfFile
DeviceIoControl
GetSystemDirectoryA
GetThreadSelectorEntry
GetTempFileNameW
GlobalFree
GetTapeStatus
GetDiskFreeSpaceExA
MultiByteToWideChar
GetPrivateProfileStructW
GetCommTimeouts
VirtualAlloc
DeactivateActCtx
GlobalGetAtomNameA
GetProfileSectionA
FindResourceExA
GetStringTypeExW
GetCurrentDirectoryA
LoadLibraryExW
GetPrivateProfileSectionNamesW
EraseTape
WriteProfileStringA
FindVolumeClose
FindNextFileA
GetLocalTime
GetCompressedFileSizeA
GetShortPathNameA
GetAtomNameW
GlobalAddAtomA
VirtualQuery
GetSystemTime
LocalFree
UnmapViewOfFile
GetConsoleDisplayMode
EscapeCommFunction
FindResourceA
LoadLibraryW
FormatMessageW
FindFirstFileExW
GetPrivateProfileSectionW
ADVAPI32.dll LookupAccountNameA
IsTextUnicode
QueryUsersOnEncryptedFile
CryptDestroyKey
DecryptFileW
GetFileSecurityW
GetCurrentHwProfileA
LookupPrivilegeDisplayNameW
StartServiceA
GetTokenInformation
EnumServicesStatusExW
GetCurrentHwProfileW
GetSecurityDescriptorControl
GetSidSubAuthorityCount
GetSidIdentifierAuthority
AccessCheckAndAuditAlarmA
InitiateSystemShutdownA
GetServiceDisplayNameA
GetPrivateObjectSecurity
GetUserNameA
LookupPrivilegeNameW
SHLWAPI.dll PathMakeSystemFolderW
GetMenuPosFromID
CLUSAPI.dll GetClusterFromResource
NETAPI32.dll NetLocalGroupDel
USER32.dll FillRect
SetThreadDesktop
BringWindowToTop
CreateIconIndirect
UnhookWindowsHookEx
EnableScrollBar
DrawStateW
OpenClipboard
SetWindowPos
MessageBeep
GetKeyboardLayout
PostQuitMessage
DestroyCaret
FindWindowExW
GetClassInfoExA
RegisterClassExW
GetSystemMetrics
GetScrollPos
GetMenuStringW
DrawFocusRect
FlashWindow
GetWindowRect
GetWindowPlacement
FindWindowW
CreateDialogParamW
PhysicalToLogicalPoint
GetPriorityClipboardFormat
CreateIconFromResource
DrawTextW
SendMessageW
LoadMenuIndirectA
SetCursor
LoadKeyboardLayoutW
EnableMenuItem
GetWindowLongW
LockWindowUpdate
EnumWindows
CharNextW
SetForegroundWindow
GetWindowRgn
DefWindowProcW
GetSysColorBrush
IsIconic
DestroyWindow
LoadImageA
EnumWindowStationsA
GetMessageExtraInfo
SetActiveWindow
GetMenuState
InsertMenuItemA
InvalidateRect
DialogBoxParamW
PeekMessageW
IsRectEmpty
GetProcessDefaultLayout
GetShellWindow
DeleteMenu
GetCursorInfo
CloseDesktop
GetUpdateRect
SetScrollPos
GetMessageA
GetForegroundWindow
DrawIcon
GetWindowTextW
CreateWindowExW
GetMenuStringA
LockWorkStation
LockSetForegroundWindow
GetSubMenu
UpdateWindow
GetRawInputDeviceInfoW
LookupIconIdFromDirectoryEx
CharUpperW
DestroyMenu
EnableWindow
GetMenuCheckMarkDimensions
GetClipboardViewer
LoadIconW
LoadAcceleratorsW
FreeDDElParam
GetScrollInfo
DestroyCursor
GetDlgItem
RegisterWindowMessageW
GetSystemMenu
GetWindowLongA
MoveWindow
LoadCursorW

Delayed Imports

Version Info

TLS Callbacks

Load Configuration

RICH Header

Errors

[!] Error: Could not reach the requested directory (offset=0x0).