975c46a123a4d7a9e3fcff63aa1f384c

Summary

Architecture IMAGE_FILE_MACHINE_I386
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date 2019-Aug-13 06:51:13
Detected languages English - United States
Debug artifacts C:\bamboo-home\xml-data\build-dir\SPOONVM-VM-JOB1\vm\Build\Output\x86\StubExe.pdb

Plugin Output

Suspicious The PE contains functions most legitimate programs don't use. [!] The program may be hiding some of its imports:
  • GetProcAddress
  • LoadLibraryW
Manipulates other processes:
  • OpenProcess
Suspicious The file contains overlay data. 12 bytes of data starting at offset 0x5200.
Malicious VirusTotal score: 7/70 (Scanned on 2020-01-18 08:23:51) Paloalto: generic.ml
Comodo: Backdoor.Win32.DarkKomet.GH@60rz8p
Invincea: heuristic
McAfee-GW-Edition: BehavesLike.Win32.Backdoor.mh
SentinelOne: DFI - Suspicious PE
Jiangmin: Trojan/Generic.bgtuw
eGambit: Unsafe.AI_Score_58%

Hashes

MD5 975c46a123a4d7a9e3fcff63aa1f384c
SHA1 6584b5569f85488fed62598455badebaeaf5b9d4
SHA256 684489aabca371c527c106a68b3641bb7920545384d5be38ef011056b0c858e5
SHA3 d91c15eacd5ffea726276657c3d4cd30f282e0ff8479cef81dc7ab4709525606
SSDeep 384:mnHoOOkiHj0wZfCzTlS/w2/T1PZKGPdqt5kPEOfx:+IOkjZfCzTQZPTPAzJox
Imports Hash aaec64f2ad182e38096da2ef4bc28f41

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0xd0

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_I386
NumberofSections 4
TimeDateStamp 2019-Aug-13 06:51:13
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xe0
Characteristics IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE

Image Optional Header

Magic PE32
LinkerVersion 9.0
SizeOfCode 0x4400
SizeOfInitializedData 0xa00
SizeOfUninitializedData 0
AddressOfEntryPoint 0x000049B7 (Section: .text)
BaseOfCode 0x1000
BaseOfData 0x6000
ImageBase 0x400000
SectionAlignment 0x1000
FileAlignment 0x200
OperatingSystemVersion 5.0
ImageVersion 0.0
SubsystemVersion 5.0
Win32VersionValue 0
SizeOfImage 0xe000
SizeOfHeaders 0x400
Checksum 0xad25
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
DllCharacteristics IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
SizeofStackReserve 0x100000
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

.text

MD5 9da0b0b4b8de3b4a61e12d58973c3fba
SHA1 929e3d5fb472f30fc062cd009f213ec83dbddbfb
SHA256 8dc9289e704f80bcecbc6d0a2692cc0eb5ca59843a0af7f78e8e462c172a8974
SHA3 a10343f2504f1eefdc80967bee8dae751ec93b068cdcf87d9de529c0090ab83e
VirtualSize 0x43a8
VirtualAddress 0x1000
SizeOfRawData 0x4400
PointerToRawData 0x400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
Entropy 6.36732

.data

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA3 a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a
VirtualSize 0x448
VirtualAddress 0x6000
SizeOfRawData 0
PointerToRawData 0
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc

MD5 4dee37a6d8d5de3fc2d5b4266829b8b1
SHA1 585744e7ca074abcc33095f7a118d39fdc9408f2
SHA256 d200c449bc82a67834e2065311175f3c120a3eeb00148f5aaf42633b802357b5
SHA3 17c7c7c4a777045c8acfa881e5c681f723b4c0238a7a3775b69949e5dabc808c
VirtualSize 0x428
VirtualAddress 0x7000
SizeOfRawData 0x600
PointerToRawData 0x4800
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 5.29868

.reloc

MD5 fea30a75759e13842a90a411aa1eafe4
SHA1 9645e8888600f66e421feccfa34938c3ac9f752e
SHA256 8a777198a68901e67f80b9fda3ab047f2cd33a0531e5c49c7d56e1649704d31b
SHA3 4b9236ec82941234156bff230f286a0d10059fb0a70f2d1cc82c46ad530c7a5c
VirtualSize 0x6000
VirtualAddress 0x8000
SizeOfRawData 0x400
PointerToRawData 0x4e00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Entropy 4.36963

Imports

KERNEL32.dll HeapAlloc
GetProcessHeap
HeapFree
GetTickCount
GetModuleFileNameW
SetEnvironmentVariableW
IsWow64Process
GetCurrentProcess
GetCommandLineW
OpenProcess
GetLastError
DuplicateHandle
GetVersionExW
CreateFileW
CreateFileMappingW
MapViewOfFile
UnmapViewOfFile
CloseHandle
OpenFileMappingW
SetEvent
GetFileSizeEx
VirtualAlloc
VirtualFree
GetModuleHandleW
GetProcAddress
LoadLibraryW
GetModuleHandleA

Delayed Imports

1

Type RT_MANIFEST
Language English - United States
Codepage Latin 1 / Western European
Size 0x3cf
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 5.09461
MD5 c5e0a556a87fad7bedbbcd5ead282fb3
SHA1 2507d31a90546d03c59469d54b3b92fc7eda6abb
SHA256 c36cb000b7a92ec39274ddc6fa059c5ac8a24fa714587062dd51b79d739fdaee
SHA3 0e34c2e0f64da42528647689f6deb89ddc2d274f3dc68bee5a862f6dc30f4b6e

Version Info

IMAGE_DEBUG_TYPE_CODEVIEW

Characteristics 0
TimeDateStamp 2015-Oct-21 19:07:03
Version 0.0
SizeofData 106
AddressOfRawData 0x21e0
PointerToRawData 0x15e0
Referenced File C:\bamboo-home\xml-data\build-dir\SPOONVM-VM-JOB1\vm\Build\Output\x86\StubExe.pdb

TLS Callbacks

Load Configuration

RICH Header

XOR Key 0xa2406f6c
Unmarked objects 0
Imports (VS2012 build 50727 / VS2005 build 50727) 3
Total imports 27
138 (VS2008 SP1 build 30729) 9
Resource objects (VS2008 SP1 build 30729) 1

Errors

[*] Warning: Section .data has a size of 0!