| Field | Value |
|---|---|
| Architecture | `IMAGE_FILE_MACHINE_I386` |
| Subsystem | `IMAGE_SUBSYSTEM_WINDOWS_GUI` |
| Compilation Date | 2018-Apr-03 12:45:36 |
| Detected languages | English - United States<br>Russian - Russia |
| TLS Callbacks | 1 callback(s) detected. |
| Debug artifacts | `D:\Build\desktop_apps\_out\naps.pdb` |
| CompanyName | Mail.Ru |
| FileDescription | Mail.Ru Naps |
| FileVersion | 3.13.3.76 |
| InternalName | naps |
| LegalCopyright | Copyright 2015 |
| OriginalFilename | naps.exe |
| ProductName | Mail.Ru Naps |
| ProductVersion | 3.13.3.76 |
| Comments | |
| Info | Matching compiler(s):<br>Microsoft Visual C++ v6.0 DLL<br>Microsoft Visual C++ 6.0 - 8.0 |
| Suspicious | Strings found in the binary may indicate undesirable behavior:<br>Contains references to internet browsers: |
| Info | Cryptographic algorithms detected in the binary:<br>Uses constants related to MD5<br>Uses constants related to Blowfish<br>Microsoft's Cryptography API |
| Malicious | The PE contains functions mostly used by malware.<br>[!] The program may be hiding some of its imports: |
| Info | The PE is digitally signed.<br>Signer: LLC Mail.Ru<br>Issuer: thawte SHA256 Code Signing CA |
| Malicious | VirusTotal score: 18/69 (Scanned on 2019-08-24 12:37:08)<br>MicroWorld-eScan: Gen:Variant.Ursu.214266<br>FireEye: Gen:Variant.Ursu.214266<br>Qihoo-360: Win32/Trojan.95a<br>ALYac: Gen:Variant.Ursu.214266<br>Arcabit: Trojan.Ursu.D344FA<br>Cyren: W32/Trojan.TEJD-9087<br>BitDefender: Gen:Variant.Ursu.214266<br>Avast: FileRepMetagen [PUP]<br>Ad-Aware: Gen:Variant.Ursu.214266<br>Emsisoft: Gen:Variant.Ursu.214266 (B)<br>McAfee-GW-Edition: BehavesLike.Win32.BadFile.th<br>GData: Gen:Variant.Ursu.214266<br>McAfee: Artemis!A7B71AE87E24<br>TrendMicro-HouseCall: TROJ_GEN.R002H09HM19<br>Ikarus: PUA.MailRu<br>Fortinet: W32/Agent.9306!tr<br>AVG: FileRepMetagen [PUP]<br>Cybereason: malicious.87e24b |

| Field | Value |
|---|---|
| e_magic | MZ |
| e_cblp | 0x90 |
| e_cp | 0x3 |
| e_crlc | 0 |
| e_cparhdr | 0x4 |
| e_minalloc | 0 |
| e_maxalloc | 0xffff |
| e_ss | 0 |
| e_sp | 0xb8 |
| e_csum | 0 |
| e_ip | 0 |
| e_cs | 0 |
| e_ovno | 0 |
| e_oemid | 0 |
| e_oeminfo | 0 |
| e_lfanew | 0xf8 |

| Field | Value |
|---|---|
| Signature | PE |
| Machine | `IMAGE_FILE_MACHINE_I386` |
| NumberofSections | 6 |
| TimeDateStamp | 2018-Apr-03 12:45:36 |
| PointerToSymbolTable | 0 |
| NumberOfSymbols | 0 |
| SizeOfOptionalHeader | 0xe0 |
| Characteristics | `IMAGE_FILE_32BIT_MACHINE`<br>`IMAGE_FILE_EXECUTABLE_IMAGE` |

| Field | Value |
|---|---|
| Magic | PE32 |
| LinkerVersion | 12.0 |
| SizeOfCode | 0xcee00 |
| SizeOfInitializedData | 0x3fa00 |
| SizeOfUninitializedData | 0 |
| AddressOfEntryPoint | 0x00089E62 (Section: .text) |
| BaseOfCode | 0x1000 |
| BaseOfData | 0xd0000 |
| ImageBase | 0x400000 |
| SectionAlignment | 0x1000 |
| FileAlignment | 0x200 |
| OperatingSystemVersion | 5.1 |
| ImageVersion | 0.0 |
| SubsystemVersion | 5.1 |
| Win32VersionValue | 0 |
| SizeOfImage | 0x113000 |
| SizeOfHeaders | 0x400 |
| Checksum | 0x114791 |
| Subsystem | `IMAGE_SUBSYSTEM_WINDOWS_GUI` |
| DllCharacteristics | `IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE`<br>`IMAGE_DLLCHARACTERISTICS_NX_COMPAT`<br>`IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE` |
| SizeofStackReserve | 0x100000 |
| SizeofStackCommit | 0x1000 |
| SizeofHeapReserve | 0x100000 |
| SizeofHeapCommit | 0x1000 |
| LoaderFlags | 0 |
| NumberOfRvaAndSizes | 16 |

| Library | Imported functions |
|---|---|
| KERNEL32.dll | ResumeThread, WaitForSingleObject, LoadLibraryW, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, CreateSemaphoreA, GetModuleHandleA, WaitForSingleObjectEx, DuplicateHandle, GetSystemTimeAsFileTime, ReleaseSemaphore, GetCommandLineW, FormatMessageW, GetExitCodeProcess, CreateProcessW, GetStartupInfoW, DeviceIoControl, GetSystemDirectoryW, GetComputerNameW, SystemTimeToFileTime, CreateEventW, GetCurrentThreadId, GetStringTypeW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, EncodePointer, Sleep, LoadLibraryA, GetStringTypeExW, LCMapStringW, GetUserDefaultLCID, GetEnvironmentVariableW, CreateDirectoryW, DeleteFileW, FindClose, FindFirstFileW, FindNextFileW, RemoveDirectoryW, SetEndOfFile, SetFilePointerEx, SetFileTime, GetWindowsDirectoryW, CreateDirectoryExW, CopyFileW, AreFileApisANSI, FormatMessageA, IsDebuggerPresent, OutputDebugStringW, SetStdHandle, SetEnvironmentVariableA, UnregisterWaitEx, QueryDepthSList, InterlockedFlushSList, TerminateProcess, FreeLibrary, GetVersionExW, GetBinaryTypeW, GetFileAttributesW, CreateFileW, WriteFile, GetTickCount, SetEvent, CreateEventA, GetCurrentProcess, LocalFree, WideCharToMultiByte, MultiByteToWideChar, ExpandEnvironmentStringsW, GetModuleFileNameW, GetACP, GetModuleHandleW, SetLastError, GetProcAddress, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, GetLastError, RaiseException, GetProcessHeap, HeapSize, HeapFree, HeapReAlloc, InterlockedPushEntrySList, InterlockedPopEntrySList, InitializeSListHead, VirtualProtect, VirtualFree, VirtualAlloc, FreeLibraryAndExitThread, GetThreadTimes, GetTimeZoneInformation, GetOEMCP, IsValidCodePage, ReadConsoleW, ReadFile, GetConsoleMode, GetConsoleCP, FlushFileBuffers, FreeEnvironmentStringsW, GetEnvironmentStringsW, QueryPerformanceCounter, ExitProcess, EnumSystemLocalesW, IsValidLocale, GetLocaleInfoW, CompareStringW, GetTimeFormatW, GetDateFormatW, LoadLibraryExW, ExitThread, CreateSemaphoreW, SetUnhandledExceptionFilter, UnhandledExceptionFilter, UnregisterWait, RegisterWaitForSingleObject, SetThreadAffinityMask, GetProcessAffinityMask, GetNumaHighestNodeNumber, DeleteTimerQueueTimer, ChangeTimerQueueTimer, CreateTimerQueueTimer, GetThreadPriority, SetThreadPriority, CreateThread, SwitchToThread, SignalObjectAndWait, CreateTimerQueue, HeapAlloc, DecodePointer, CloseHandle, GetCurrentProcessId, OpenProcess, GlobalMemoryStatusEx, GetCPInfo, IsProcessorFeaturePresent, OpenEventA, WaitForMultipleObjectsEx, ResetEvent, SetWaitableTimer, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetLogicalProcessorInformation, CreateWaitableTimerA, GetStdHandle, GetFileType, GetModuleHandleExW, WriteConsoleW, RtlUnwind |
| USER32.dll | LoadStringW, wsprintfW |
| ADVAPI32.dll | RegCreateKeyExW, RegSetValueExW, RegOpenKeyExW, RegQueryValueExW, OpenProcessToken, GetTokenInformation, LookupAccountSidW, CryptGenRandom, CryptGetHashParam, CryptVerifySignatureW, CryptDestroyHash, CryptHashData, CryptCreateHash, CryptDestroyKey, CryptReleaseContext, CryptAcquireContextW, LookupAccountNameW, FreeSid, AllocateAndInitializeSid, EqualSid, ConvertSidToStringSidW, RegCloseKey |
| ole32.dll | CoTaskMemFree, StringFromCLSID, CoCreateGuid |
| SHELL32.dll | SHGetFolderPathW, CommandLineToArgvW |
| PSAPI.DLL | GetProcessMemoryInfo |
| WTSAPI32.dll | WTSQueryUserToken, WTSFreeMemory, WTSEnumerateSessionsW |
| VERSION.dll | GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW |
| WINHTTP.dll | WinHttpCloseHandle, WinHttpSetStatusCallback, WinHttpOpenRequest, WinHttpAddRequestHeaders, WinHttpSendRequest, WinHttpReceiveResponse, WinHttpQueryHeaders, WinHttpOpen, WinHttpConnect, WinHttpReadData, WinHttpWriteData, WinHttpQueryDataAvailable, WinHttpSetOption |
| CRYPT32.dll | CryptDecodeObjectEx, CryptImportPublicKeyInfo, CryptStringToBinaryA, CryptBinaryToStringW |

| Field | Value |
|---|---|
| Signature | 0xfeef04bd |
| StructVersion | 0x10000 |
| FileVersion | 3.13.3.76 |
| ProductVersion | 3.13.3.76 |
| FileFlags | (EMPTY) |
| FileOs | `VOS_DOS_WINDOWS32`<br>`VOS_NT_WINDOWS32`<br>`VOS__WINDOWS32` |
| FileType | `VFT_DLL` |
| Language | English - United States |
| CompanyName | Mail.Ru |
| FileDescription | Mail.Ru Naps |
| FileVersion (#2) | 3.13.3.76 |
| InternalName | naps |
| LegalCopyright | Copyright 2015 |
| OriginalFilename | naps.exe |
| ProductName | Mail.Ru Naps |
| ProductVersion (#2) | 3.13.3.76 |
| Comments | |
| Resource LangID | Russian - Russia |

| Field | Value |
|---|---|
| Characteristics | 0 |
| TimeDateStamp | 2018-Apr-03 12:45:36 |
| Version | 0.0 |
| SizeofData | 60 |
| AddressOfRawData | 0xe22b0 |
| PointerToRawData | 0xe14b0 |
| Referenced File | `D:\Build\desktop_apps\_out\naps.pdb` |

| Field | Value |
|---|---|
| Characteristics | 0 |
| TimeDateStamp | 2018-Apr-03 12:45:36 |
| Version | 0.0 |
| SizeofData | 20 |
| AddressOfRawData | 0xe22ec |
| PointerToRawData | 0xe14ec |

| Field | Value |
|---|---|
| StartAddressOfRawData | 0x505000 |
| EndAddressOfRawData | 0x505001 |
| AddressOfIndex | 0x5022a8 |
| AddressOfCallbacks | 0x4d0654 |
| SizeOfZeroFill | 0 |
| Characteristics | `IMAGE_SCN_ALIGN_1BYTES` |
| Callbacks | 0x00489CA0 |

| Field | Value |
|---|---|
| Size | 0x48 |
| TimeDateStamp | 1970-Jan-01 00:00:00 |
| Version | 0.0 |
| GlobalFlagsClear | (EMPTY) |
| GlobalFlagsSet | (EMPTY) |
| CriticalSectionDefaultTimeout | 0 |
| DeCommitFreeBlockThreshold | 0 |
| DeCommitTotalFreeThreshold | 0 |
| LockPrefixTable | 0 |
| MaximumAllocationSize | 0 |
| VirtualMemoryThreshold | 0 |
| ProcessAffinityMask | 0 |
| ProcessHeapFlags | (EMPTY) |
| CSDVersion | 0 |
| Reserved1 | 0 |
| EditList | 0 |
| SecurityCookie | 0x4f95e0 |
| SEHandlerTable | 0x4e7cd0 |
| SEHandlerCount | 802 |

| Field | Value |
|---|---|
| XOR Key | 0xae339d5 |
| Unmarked objects | 0 |
| ASM objects (VS2013 build 21005) | 38 |
| Imports (VS2008 SP1 build 30729) | 29 |
| Total imports | 275 |
| C++ objects (20806) | 2 |
| C objects (VS2008 SP1 build 30729) | 2 |
| C++ objects (VS2013 build 21005) | 137 |
| C objects (VS2013 build 21005) | 245 |
| C++ objects (VS2013 UPD5 build 40629) | 69 |
| Resource objects (VS2013 build 21005) | 1 |
| 151 | 1 |
| Linker (VS2013 UPD5 build 40629) | 1 |