ab9db28eec90696575bef33e293c0410

Summary

Architecture IMAGE_FILE_MACHINE_I386
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date 2014-Jan-13 08:57:08

Plugin Output

Info Matching compiler(s):
  • Microsoft Visual C++ 8.0
  • Microsoft Visual C++
  • Microsoft Visual C++ v6.0
Info Cryptographic algorithms detected in the binary: Uses constants related to DES
Info The PE contains common functions which appear in legitimate applications.
[!] The program may be hiding some of its imports:
  • LoadLibraryA
  • GetProcAddress
Can access the registry:
  • RegCloseKey
Possibly launches other programs:
  • CreateProcessA
Has Internet access capabilities:
  • InternetOpenA
  • InternetCloseHandle
  • InternetReadFile
  • InternetOpenUrlA
Malicious VirusTotal score: 35/57 (Scanned on 2015-09-17 06:11:29)

Hashes

MD5 ab9db28eec90696575bef33e293c0410
SHA1 810ba3a28f9e22125ed0b10c90f2151bcfb02203
SHA256 73428f344caa5704d0c54bdd3237478489f4e9752f668846b430356544c6fcf7
SHA3 d7157ddad791bcaf99c3a01b0dac9ce0a12c7475bc691c6d09b06905e83278e4
SSDeep 192:gSWmO21PIud1yYQKpJOz1409zHJA/jsIaP1oynQiI3Ft:aW6aJyb8/4Ik1Js
Imports Hash 6f18349cd0fabece8fa72437f54de12b

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0xd8

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_I386
NumberofSections 3
TimeDateStamp 2014-Jan-13 08:57:08
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xe0
Characteristics
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LINE_NUMS_STRIPPED
  • IMAGE_FILE_LOCAL_SYMS_STRIPPED
  • IMAGE_FILE_RELOCS_STRIPPED

Image Optional Header

Magic PE32
LinkerVersion 6.0
SizeOfCode 0x1a00
SizeOfInitializedData 0x1600
SizeOfUninitializedData 0
AddressOfEntryPoint 0x000027A2 (Section: .text)
BaseOfCode 0x1000
BaseOfData 0x3000
ImageBase 0x400000
SectionAlignment 0x1000
FileAlignment 0x200
OperatingSystemVersion 4.0
ImageVersion 0.0
SubsystemVersion 4.0
Win32VersionValue 0
SizeOfImage 0x5000
SizeOfHeaders 0x400
Checksum 0
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
SizeofStackReserve 0x100000
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

.text

MD5 88a14a77d12c831b59e25f00c83bf22a
SHA1 cda90e521bf552a38a3d0d0cca1aff1d13ae6073
SHA256 f28b88f4e1dc8b02ef38ec40fb83d01c0fe7b36c48db4cc6e1baac11f15c0c13
SHA3 49744bf618bf5e6ca04c466f0411cd3c939da70d8c82def95d20b112bbc453a1
VirtualSize 0x193c
VirtualAddress 0x1000
SizeOfRawData 0x1a00
PointerToRawData 0x400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics
  • IMAGE_SCN_CNT_CODE
  • IMAGE_SCN_MEM_EXECUTE
  • IMAGE_SCN_MEM_READ
Entropy 6.21226

.rdata

MD5 92c7b03e59de4dde698f09a7fe1a6899
SHA1 78001f02928567131ab40ad34473641a802e7388
SHA256 c7ec4d6662a51b787630e6184e909589ce8cb664ad32f01a95096161f144f3e7
SHA3 7c54b5b590842e471945b6eb5ee7404f2e4cd116bff2a39cc4f03a17bfe83d24
VirtualSize 0x904
VirtualAddress 0x3000
SizeOfRawData 0xa00
PointerToRawData 0x1e00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics
  • IMAGE_SCN_CNT_INITIALIZED_DATA
  • IMAGE_SCN_MEM_READ
Entropy 5.42044

.data

MD5 71bfd00d954e9db6abb4472a46458f26
SHA1 47cbf5bb6bbce51b939df2a666cdc2a4853fe71c
SHA256 340da43e1159caf1226d981dac235712aa523c4d85129d2fea8131024b68556a
SHA3 5e6dfec7c68bcad60300d47910314dfb18b2a8365ce29a6e491e6bbd8ddb7304
VirtualSize 0xb28
VirtualAddress 0x4000
SizeOfRawData 0x400
PointerToRawData 0x2800
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics
  • IMAGE_SCN_CNT_INITIALIZED_DATA
  • IMAGE_SCN_MEM_READ
  • IMAGE_SCN_MEM_WRITE
Entropy 5.51722

Imports

KERNEL32.dll
  • LoadLibraryA
  • DeleteFileA
  • GetStartupInfoA
  • Sleep
  • GetModuleFileNameA
  • GetTempFileNameA
  • GetTempPathA
  • DisconnectNamedPipe
  • TerminateProcess
  • WaitForMultipleObjects
  • TerminateThread
  • GetProcAddress
  • CloseHandle
  • CreateProcessA
  • DuplicateHandle
  • GetCurrentProcess
  • CreatePipe
  • CreateEventA
  • ExitThread
  • ReadFile
  • PeekNamedPipe
  • SetEvent
  • WriteFile
  • CreateThread
  • FreeLibrary
  • GetModuleHandleA
ADVAPI32.dll
  • RegCloseKey
WININET.dll
  • InternetOpenA
  • InternetCloseHandle
  • InternetReadFile
  • InternetOpenUrlA
MSVCRT.dll
  • _XcptFilter
  • _controlfp
  • ??3@YAXPAX@Z
  • free
  • malloc
  • strncmp
  • fread
  • fclose
  • fwrite
  • fopen
  • atoi
  • ??2@YAPAXI@Z
  • _strnicmp
  • _exit
  • _except_handler3
  • exit
  • _acmdln
  • __getmainargs
  • _initterm
  • __setusermatherr
  • _adjust_fdiv
  • __p__commode
  • __p__fmode
  • __set_app_type

Delayed Imports

Version Info

TLS Callbacks

Load Configuration

RICH Header

XOR Key 0x8586f87
Unmarked objects 0
C objects (VS98 build 8168) 11
14 (7299) 1
Linker (VS98 build 8168) 2
Imports (2179) 7
Total imports 57
C++ objects (VS98 build 8168) 3

Errors
