a193184e61e34e2bc36289deaafdec37

Summary

Architecture IMAGE_FILE_MACHINE_I386
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date 1970-Jan-01 00:00:00 (the PE TimeDateStamp is zero, i.e. the build time was cleared; the IMAGE_DEBUG_TYPE_POGO and IMAGE_DEBUG_TYPE_ILTCG entries below still carry 2016-Dec-18 02:48:22)
Detected languages English - United States

Plugin Output

Info Matching compiler(s): Microsoft Visual C++ 6.0 - 8.0 (signature match only; LinkerVersion 14.0 and the RICH header below point to Visual Studio 2015 Update 3)
Suspicious The PE contains functions most legitimate programs don't use.
[!] The program may be hiding some of its imports:
  • GetProcAddress
  • LoadLibraryExW
Functions which can be used for anti-debugging purposes:
  • CreateToolhelp32Snapshot
Leverages the Winsock API (WS2_32.dll) to access the network. The ordinal-only imports are resolved here against WS2_32.dll's fixed export ordinals; together they are the call set of an ordinary outbound TCP client (resolve, connect, send, receive), not raw-socket packet crafting:
  • #3 (closesocket)
  • getaddrinfo
  • #115 (WSAStartup)
  • #19 (send)
  • #23 (socket)
  • #4 (connect)
  • #16 (recv)
  • freeaddrinfo
  • #21 (setsockopt)
  • #111 (WSAGetLastError)
Manipulates other processes:
  • Process32First
  • OpenProcess
  • Process32Next
Malicious VirusTotal score: 48/68 (Scanned on 2019-03-01 03:39:50)
MicroWorld-eScan: Trojan.GenericKD.5333249
CAT-QuickHeal: Trojan.Endowerpo
McAfee: Trojan-FNDH!A193184E61E3
K7GW: Trojan ( 00510ef01 )
K7AntiVirus: Trojan ( 00510ef01 )
TrendMicro: TROJ_INDUSTROYER.C
F-Prot: W32/Industroyer.B.gen!Eldorado
Symantec: Backdoor.Industroyer
TrendMicro-HouseCall: TROJ_INDUSTROYER.C
Paloalto: generic.ml
Kaspersky: Trojan.Win32.Industroyer.c
BitDefender: Trojan.GenericKD.5333249
NANO-Antivirus: Trojan.Win32.Industroyer.errctz
Avast: Win32:Malware-gen
Rising: Trojan.Industroyer!8.E852 (CLOUD)
Endgame: malicious (high confidence)
Emsisoft: Trojan.GenericKD.5333249 (B)
Comodo: Malware@#3e6e8fsjode2u
F-Secure: Trojan.TR/Agent.ntnvk
DrWeb: Trojan.Industroyer.5
Zillya: Trojan.Industroyer.Win32.3
McAfee-GW-Edition: Trojan-FNDH!A193184E61E3
Fortinet: W32/Industroyer.A!tr
Cyren: W32/Industroyer.B.gen!Eldorado
Webroot: W32.Trojan.Gen
Avira: TR/Agent.ntnvk
MAX: malware (ai score=100)
Antiy-AVL: Trojan/Win32.Industroyer
Arcabit: Trojan.Generic.D516101
ViRobot: Trojan.Win32.Industroyer.136704.A
ZoneAlarm: Trojan.Win32.Industroyer.c
Microsoft: Trojan:Win32/CrashOverride.A
Sophos: Troj/Idtroyer-H
AhnLab-V3: Trojan/Win32.Industroyer.R202380
VBA32: Trojan.Industroyer
ALYac: Trojan.Agent.Endowerpo
TACHYON: Trojan/W32.Industroyer.136704
Ad-Aware: Trojan.GenericKD.5333249
ESET-NOD32: a variant of Win32/Industroyer.A
Tencent: Win32.Trojan.Industroyer.Klbs
Yandex: Trojan.Industroyer!
Ikarus: Trojan.Industroyer
eGambit: Trojan.Generic
GData: Win32.Backdoor.Industroyer.F
AVG: Win32:Malware-gen
Panda: Trj/GdSda.A
CrowdStrike: win/malicious_confidence_100% (W)
Qihoo-360: Trojan.Generic

Hashes

MD5 a193184e61e34e2bc36289deaafdec37
SHA1 94488f214b165512d2fc0438a581f5c9e3bd4d4c
SHA256 7907dd95c1d36cf3dc842a1bd804f0db511a0f68f4b3d382c23a3c974a383cad
SHA3 41e14184a62586466ed2e57bccbbbefae804264b4d5475bd3b7164d54d484750
SSDeep 3072:McaprOfoaXmgD31r4VWBvRZoiTprUZNZ9VQ6s6W9:McuOJ2gD31QW51pgE6st9
Imports Hash d2b465d6595e8cf3197d045c9c081e67

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0x118

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_I386
NumberofSections 6
TimeDateStamp 1970-Jan-01 00:00:00
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xe0
Characteristics IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL
IMAGE_FILE_EXECUTABLE_IMAGE

Image Optional Header

Magic PE32
LinkerVersion 14.0
SizeOfCode 0x17400
SizeOfInitializedData 0xa800
SizeOfUninitializedData 0
AddressOfEntryPoint 0x00005658 (Section: .text)
BaseOfCode 0x1000
BaseOfData 0x19000
ImageBase 0x10000000
SectionAlignment 0x1000
FileAlignment 0x200
OperatingSystemVersion 5.1
ImageVersion 0.0
SubsystemVersion 5.1
Win32VersionValue 0
SizeOfImage 0x27000
SizeOfHeaders 0x400
Checksum 0
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
DllCharacteristics IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
SizeofStackReserve 0x100000
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16
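The DOS, PE and optional header values above are what a triage tool reads first, and the two facts an analyst wants from them are cheap to check: whether the COFF TimeDateStamp has been zeroed (as it has here) and which mitigations the DllCharacteristics flags claim. The parser below is an added example, not part of this report or of any analysis tool; it walks e_lfanew to the PE signature, unpacks the COFF and PE32 optional headers with the field layout from the PE/COFF specification, and runs over a constructed header buffer whose values mirror this report (machine 0x14c, 6 sections, timestamp 0, Characteristics 0x2102, DllCharacteristics 0x0140). The buffer is built inline and is not the real file; the flag tables cover only the bits this sample sets plus NO_SEH.

```python
import struct

# Field layouts from the PE/COFF specification.
COFF_FMT = "<HHIIIHH"  # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
OPT32_FMT = "<HBBIIIIIIIIIHHHHHHIIIIHH"  # PE32 optional header, Magic through DllCharacteristics (72 bytes)

MACHINES = {0x14C: "IMAGE_FILE_MACHINE_I386", 0x8664: "IMAGE_FILE_MACHINE_AMD64"}
FILE_CHARACTERISTICS = {
    0x0002: "IMAGE_FILE_EXECUTABLE_IMAGE",
    0x0100: "IMAGE_FILE_32BIT_MACHINE",
    0x2000: "IMAGE_FILE_DLL",
}
DLL_CHARACTERISTICS = {
    0x0040: "IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE",
    0x0100: "IMAGE_DLLCHARACTERISTICS_NX_COMPAT",
    0x0400: "IMAGE_DLLCHARACTERISTICS_NO_SEH",
}


def flags(value, table):
    """Names of the bits set in value, in ascending bit order."""
    return [name for bit, name in sorted(table.items()) if value & bit]


def parse_pe_headers(data):
    """Return the header fields a triage report prints, plus the checks an analyst makes on them."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature at e_lfanew")
    machine, nsections, timestamp, _, _, _opt_size, chars = struct.unpack_from(COFF_FMT, data, e_lfanew + 4)
    opt = struct.unpack_from(OPT32_FMT, data, e_lfanew + 24)  # optional header follows the 20-byte COFF header
    if opt[0] != 0x10B:
        raise ValueError("not a PE32 optional header")
    dllchars = opt[23]
    return {
        "e_lfanew": e_lfanew,
        "machine": MACHINES.get(machine, hex(machine)),
        "sections": nsections,
        "timestamp": timestamp,
        "timestamp_cleared": timestamp == 0,  # zero means the build time was stripped, not that it was built in 1970
        "characteristics": flags(chars, FILE_CHARACTERISTICS),
        "is_dll": bool(chars & 0x2000),
        "linker": f"{opt[1]}.{opt[2]}",
        "entry_point": opt[6],
        "image_base": opt[9],
        "dll_characteristics": flags(dllchars, DLL_CHARACTERISTICS),
        "aslr": bool(dllchars & 0x0040),
        "nx": bool(dllchars & 0x0100),
    }


def build_sample():
    """Constructed header bytes mirroring the values in this report; this is not the real file."""
    buf = bytearray(0x118)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x118)  # e_lfanew
    buf += b"PE\0\0" + struct.pack(COFF_FMT, 0x14C, 6, 0, 0, 0, 0xE0, 0x2102)
    buf += struct.pack(OPT32_FMT, 0x10B, 14, 0, 0x17400, 0xA800, 0, 0x5658, 0x1000,
                       0x19000, 0x10000000, 0x1000, 0x200, 5, 1, 0, 0, 5, 1, 0,
                       0x27000, 0x400, 0, 2, 0x0140)
    return bytes(buf)


if __name__ == "__main__":
    for key, value in parse_pe_headers(build_sample()).items():
        print(f"{key}: {value}")
```

A cleared timestamp is not conclusive on its own (reproducible builds also zero it), which is why the debug directory and RICH header timestamps further down are worth reading alongside it.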

.text

MD5 edbc3326130d90b2f27839f5c7d2459d
SHA1 63a342c3fd5ea4a0700f1dc789e02e710118654a
SHA256 4abb48b6c831c88e97c98402fe5bc50e47648d29cf3b95b5a13226cdcd78ed41
SHA3 cd882be275f191570570531228dda6584b698b572c4b9aec7c27225dd1dedbe0
VirtualSize 0x17275
VirtualAddress 0x1000
SizeOfRawData 0x17400
PointerToRawData 0x400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
Entropy 6.6655

.rdata

MD5 f2379bbe1def3d287f98c8b66c2cb365
SHA1 5fd4a935e42f6c84284f886d78423c49e57b114c
SHA256 10b3e6f07d0a7762abd32d9b2798115faa1ddd393f7d71dc7e50c3719447d61e
SHA3 97dde1a5279a3dedfd01344e8e9675cb14ce088169e0d390a8e182f4c7b1b543
VirtualSize 0x7918
VirtualAddress 0x19000
SizeOfRawData 0x7a00
PointerToRawData 0x17800
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 5.3916

.data

MD5 26bfc131cc1f6a9331dd1811617ac5c2
SHA1 1c93391be2a94b26613723424f650009bbee2d54
SHA256 bd349745fdd464870ce1c40c8c78c94103699be6da905380d0bd4348a226c434
SHA3 8cb1335d258ea217609d3cf4d840f15b297f804a2b1448b8ea0606f817eaf53e
VirtualSize 0x13bc
VirtualAddress 0x21000
SizeOfRawData 0xa00
PointerToRawData 0x1f200
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 2.5358

.gfids

MD5 8a00be9b93fae3d52b578f84000a7248
SHA1 c0f9bc745e4e1b358e1f10d1f1bd9f8c52971b7a
SHA256 fd8ecc70c9c93c9feea72f3646696aeecfbb41e777cac9219958bbe1632ee79a
SHA3 f6ea5ed5deb7ea858ae7d5a55f7753d1e760149e33187a9ccadcd1e032fae918
VirtualSize 0x100
VirtualAddress 0x23000
SizeOfRawData 0x200
PointerToRawData 0x1fc00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 1.94658

.rsrc

MD5 daefabcc5853733844632a0d26725281
SHA1 ab4d6846de72fb7bc11deb2570b6189dbedae77e
SHA256 204308c824f32ed4bb88eee5c37161f2fc974a3f75ee0ee8a4564c093c6efe1d
SHA3 b02f986e47faa1c832cd37c8c8335e926df333d96f45138e19f7fed713ef61da
VirtualSize 0x1e0
VirtualAddress 0x24000
SizeOfRawData 0x200
PointerToRawData 0x1fe00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 4.72082

.reloc

MD5 123ad46f18c8e23cafabd1f48294a734
SHA1 12cdf63b7ce8349799a279b3c0b01da0d6115197
SHA256 498d08cfc3c93992b9f9ce98c8d538338300e5be0d5d127287a229c4d5ee49df
SHA3 ca78ab987c0a7f3d19e87ab083c7fe75dd9b08bcf6e496d187eb6a8af2ba3536
VirtualSize 0x14f8
VirtualAddress 0x25000
SizeOfRawData 0x1600
PointerToRawData 0x20000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Entropy 6.44828

Imports

KERNEL32.dll Process32First
SetConsoleTextAttribute
GetStdHandle
TerminateProcess
WaitForMultipleObjects
SetThreadPriority
OpenProcess
CreateToolhelp32Snapshot
Sleep
Process32Next
CloseHandle
CreateThread
ReadConsoleW
ReadFile
SetEndOfFile
HeapReAlloc
HeapSize
WriteConsoleW
SetFilePointerEx
SetStdHandle
FlushFileBuffers
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetCurrentProcess
IsProcessorFeaturePresent
IsDebuggerPresent
GetStartupInfoW
GetModuleHandleW
QueryPerformanceCounter
GetCurrentProcessId
GetCurrentThreadId
GetSystemTimeAsFileTime
InitializeSListHead
EncodePointer
RaiseException
InterlockedFlushSList
GetLastError
SetLastError
RtlUnwind
EnterCriticalSection
LeaveCriticalSection
DeleteCriticalSection
InitializeCriticalSectionAndSpinCount
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
FreeLibrary
GetProcAddress
LoadLibraryExW
ExitProcess
GetModuleHandleExW
GetModuleFileNameA
MultiByteToWideChar
WideCharToMultiByte
HeapFree
HeapAlloc
LCMapStringW
GetFileType
GetACP
WriteFile
GetConsoleCP
GetConsoleMode
GetStringTypeW
FindClose
FindFirstFileExA
FindNextFileA
IsValidCodePage
GetOEMCP
GetCPInfo
GetCommandLineA
GetCommandLineW
GetEnvironmentStringsW
FreeEnvironmentStringsW
GetProcessHeap
CreateFileW
DecodePointer
WS2_32.dll #3 (closesocket; ordinals resolved here from WS2_32.dll's fixed export table)
getaddrinfo
#115 (WSAStartup)
#19 (send)
#23 (socket)
#4 (connect)
#16 (recv)
freeaddrinfo
#21 (setsockopt)
#111 (WSAGetLastError)
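The Imports Hash in the Hashes section is the pefile-style imphash: the import table flattened to lowercase "dll.function" pairs in import order, with the DLL extension stripped and ordinal-only imports translated to names where the DLL's ordinals are fixed, then hashed with MD5. The code below is an added example, not part of this report or of pefile; it implements that recipe and runs it over the import list printed above, with the WS2_32.dll ordinal table limited to the eight ordinals this sample uses. The import list is transcribed from this page and is assumed to be in the file's true import order; only that assumption stands between the digest computed here and the report's value, so the test asserts on the canonical string rather than on the MD5.

```python
import hashlib

# Fixed export ordinals of ws2_32.dll (only the subset this sample imports by ordinal).
WS2_32_ORDINALS = {
    3: "closesocket", 4: "connect", 16: "recv", 19: "send", 21: "setsockopt",
    23: "socket", 111: "WSAGetLastError", 115: "WSAStartup",
}
ORDINAL_TABLES = {"ws2_32.dll": WS2_32_ORDINALS}


def resolve_import(dll, entry):
    """Map an ordinal-only import to its name when the DLL's ordinals are fixed, else 'ordN'."""
    if isinstance(entry, int):
        return ORDINAL_TABLES.get(dll.lower(), {}).get(entry, f"ord{entry}")
    return entry


def resolved_names(dll, entries):
    return [resolve_import(dll, entry) for entry in entries]


def imphash(imports):
    """pefile-style import hash: MD5 over lowercase 'lib.func' pairs joined by commas, in import order."""
    parts = []
    for dll, entries in imports:
        lib = dll.lower()
        for ext in (".dll", ".ocx", ".sys"):  # the extensions pefile strips
            if lib.endswith(ext):
                lib = lib[: -len(ext)]
        for entry in entries:
            parts.append(f"{lib}.{resolve_import(dll, entry).lower()}")
    canonical = ",".join(parts)
    return hashlib.md5(canonical.encode("ascii")).hexdigest(), canonical


# Import table transcribed from this report (assumed to be in the file's import order).
KERNEL32_IMPORTS = """
Process32First SetConsoleTextAttribute GetStdHandle TerminateProcess WaitForMultipleObjects
SetThreadPriority OpenProcess CreateToolhelp32Snapshot Sleep Process32Next CloseHandle
CreateThread ReadConsoleW ReadFile SetEndOfFile HeapReAlloc HeapSize WriteConsoleW
SetFilePointerEx SetStdHandle FlushFileBuffers UnhandledExceptionFilter
SetUnhandledExceptionFilter GetCurrentProcess IsProcessorFeaturePresent IsDebuggerPresent
GetStartupInfoW GetModuleHandleW QueryPerformanceCounter GetCurrentProcessId
GetCurrentThreadId GetSystemTimeAsFileTime InitializeSListHead EncodePointer RaiseException
InterlockedFlushSList GetLastError SetLastError RtlUnwind EnterCriticalSection
LeaveCriticalSection DeleteCriticalSection InitializeCriticalSectionAndSpinCount TlsAlloc
TlsGetValue TlsSetValue TlsFree FreeLibrary GetProcAddress LoadLibraryExW ExitProcess
GetModuleHandleExW GetModuleFileNameA MultiByteToWideChar WideCharToMultiByte HeapFree
HeapAlloc LCMapStringW GetFileType GetACP WriteFile GetConsoleCP GetConsoleMode
GetStringTypeW FindClose FindFirstFileExA FindNextFileA IsValidCodePage GetOEMCP GetCPInfo
GetCommandLineA GetCommandLineW GetEnvironmentStringsW FreeEnvironmentStringsW
GetProcessHeap CreateFileW DecodePointer
""".split()
WS2_32_IMPORTS = [3, "getaddrinfo", 115, 19, 23, 4, 16, "freeaddrinfo", 21, 111]
SAMPLE_IMPORTS = [("KERNEL32.dll", KERNEL32_IMPORTS), ("WS2_32.dll", WS2_32_IMPORTS)]


if __name__ == "__main__":
    digest, canonical = imphash(SAMPLE_IMPORTS)
    print("resolved WS2_32 imports:", resolved_names("WS2_32.dll", WS2_32_IMPORTS))
    print("imphash:", digest)
```

Two caveats when using imphash for clustering: it is order-sensitive, so two builds that differ only in link order hash differently, and it is defeated entirely by samples that resolve their real imports at run time through GetProcAddress, which the plugin output above already flags for this file.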

Delayed Imports

Exports

Crash

Ordinal 1
Address 0x14e0

Resources

2

Type RT_MANIFEST
Language English - United States
Codepage UNKNOWN
Size 0x17d
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 4.91161
MD5 1e4a89b11eae0fcf8bb5fdd5ec3b6f61
SHA1 4260284ce14278c397aaf6f389c1609b0ab0ce51
SHA256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df
SHA3 4bb9e8b5a714cae82782f3831cc2d45f4bf4a50a755fe584d2d1893129d68353

Version Info

Debug Info

IMAGE_DEBUG_TYPE_POGO

Characteristics 0
TimeDateStamp 2016-Dec-18 02:48:22
Version 0.0
SizeofData 764
AddressOfRawData 0x1f5f4
PointerToRawData 0x1ddf4

IMAGE_DEBUG_TYPE_ILTCG

Characteristics 0
TimeDateStamp 2016-Dec-18 02:48:22
Version 0.0
SizeofData 0
AddressOfRawData 0
PointerToRawData 0

TLS Callbacks

Load Configuration

Size 0x5c
TimeDateStamp 1970-Jan-01 00:00:00
Version 0.0
GlobalFlagsClear (EMPTY)
GlobalFlagsSet (EMPTY)
CriticalSectionDefaultTimeout 0
DeCommitFreeBlockThreshold 0
DeCommitTotalFreeThreshold 0
LockPrefixTable 0
MaximumAllocationSize 0
VirtualMemoryThreshold 0
ProcessAffinityMask 0
ProcessHeapFlags (EMPTY)
CSDVersion 0
Reserved1 0
EditList 0
SecurityCookie 0x10021008
SEHandlerTable 0x1001f5c0
SEHandlerCount 13

RICH Header

XOR Key 0x4a345c9e
Unmarked objects 0
241 (40116) 10
243 (40116) 137
242 (40116) 24
199 (41118) 2
ASM objects (VS2015 UPD3 build 24123) 18
C++ objects (VS2015 UPD3 build 24123) 29
C objects (VS2015 UPD3 build 24123) 16
Imports (VS2008 SP1 build 30729) 5
Total imports 106
265 (VS2015 UPD3 build 24210) 8
Exports (VS2015 UPD3 build 24210) 1
Resource objects (VS2015 UPD3 build 24210) 1
Linker (VS2015 UPD3 build 24210) 1
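The RICH header is the one build artefact in this file that was not cleared, and it is what lets the tool name the VS2015 Update 3 toolchain despite the zeroed timestamp. The decoder below is an added example, not part of this report or of any tool: it locates the "Rich" signature, reads the XOR key that follows it, and walks backwards decoding (product id, build, count) pairs until the "DanS" marker. To run offline it first builds a constructed header from the key and the four unnamed entries printed above; the named entries are left out because their product ids are not given on this page, and the key's role as a checksum over the DOS header is noted but not verified here.

```python
import struct

DANS = struct.unpack("<I", b"DanS")[0]


def build_rich_header(key, entries):
    """Constructed Rich block: DanS plus three zero dwords, then one (prodid<<16|build, count)
    pair per entry, all XORed with key, closed by the plain 'Rich' signature and key."""
    out = struct.pack("<IIII", DANS ^ key, key, key, key)  # zero padding dwords XOR key == key
    for prodid, build, count in entries:
        out += struct.pack("<II", ((prodid << 16) | build) ^ key, count ^ key)
    return out + b"Rich" + struct.pack("<I", key)


def parse_rich_header(blob):
    """Return (key, [(prodid, build, count), ...]) in file order, or raise if the block is malformed."""
    end = blob.rfind(b"Rich")
    if end < 0:
        raise ValueError("no Rich signature")
    key = struct.unpack_from("<I", blob, end + 4)[0]
    entries = []
    pos = end - 8
    while pos >= 0:
        a, b = struct.unpack_from("<II", blob, pos)
        a ^= key
        b ^= key
        if a == DANS:
            break
        if a == 0 and b == 0:  # the padding pair right after DanS
            pos -= 8
            continue
        entries.append((a >> 16, a & 0xFFFF, b))
        pos -= 8
    else:
        raise ValueError("DanS marker not found before start of data")
    entries.reverse()
    return key, entries


# Key and the unnamed entries transcribed from this report.
REPORT_KEY = 0x4A345C9E
REPORT_ENTRIES = [(241, 40116, 10), (243, 40116, 137), (242, 40116, 24), (199, 41118, 2)]


if __name__ == "__main__":
    blob = b"MZ" + bytes(0x3E) + build_rich_header(REPORT_KEY, REPORT_ENTRIES)  # constructed DOS stub prefix
    key, entries = parse_rich_header(blob)
    print(f"XOR Key 0x{key:08x}")
    for prodid, build, count in entries:
        print(f"{prodid} ({build}) {count}")
```

The key is also the checksum the linker computes over the DOS header and the decoded entries, so a real-file decoder should recompute it and flag a mismatch: a patched or transplanted RICH header is a known way to fake the toolchain fingerprint that tools like this one report.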

Errors
