ac1a85d3ca1b6265cad4ed41b696f9b7

Summary

Architecture IMAGE_FILE_MACHINE_I386
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date 2008-Apr-01 19:35:07

Plugin Output

Suspicious Strings found in the binary may indicate undesirable behavior:
Contains references to internet browsers:
  • iexplore.exe
May have dropper capabilities:
  • CurrentControlSet\Services
Malicious The file headers were tampered with. Unusual section name found: .cdata
The RICH header checksum is invalid.
Malicious The PE contains functions mostly used by malware. [!] The program may be hiding some of its imports:
  • GetProcAddress
  • LoadLibraryA
Code injection capabilities:
  • OpenProcess
  • WriteProcessMemory
  • CreateRemoteThread
  • VirtualAllocEx
Can access the registry:
  • RegQueryValueExA
  • RegEnumValueA
  • RegOpenKeyA
  • RegDeleteValueA
  • RegOpenKeyExA
  • RegCloseKey
Possibly launches other programs:
  • CreateProcessA
  • CreateProcessAsUserA
Functions related to the privilege level:
  • OpenProcessToken
  • DuplicateTokenEx
Manipulates other processes:
  • OpenProcess
  • WriteProcessMemory
  • ReadProcessMemory
Malicious VirusTotal score: 15/67 (Scanned on 2019-10-08 22:16:35)
Zillya: Trojan.GenericKD.Win32.115912
F-Prot: W32/Backdoor.GV.gen!Eldorado
APEX: Malicious
Tencent: Win32.Trojan.Qwer.Ygca
Cyren: W32/Backdoor.GV.gen!Eldorado
Jiangmin: Backdoor.DoubleAgent.a
Antiy-AVL: Trojan[Backdoor]/Win32.DoubleAgent
ViRobot: Trojan.Win32.Agent.17408.EC
TACHYON: Backdoor/W32.DoubleAgent.17408
AhnLab-V3: Trojan/Win32.Agent.C2487603
VBA32: Backdoor.DoubleAgent
Zoner: Trojan.Win32.68260
Rising: Trojan.Generic@ML.83 (RDMK:NfM8lUs5lfR4KRh9vUE4Sg)
Yandex: Backdoor.DoubleAgent!
Cybereason: malicious.efffad

Hashes

MD5 ac1a85d3ca1b6265cad4ed41b696f9b7
SHA1 8ff7b74efffadb3a102ed0ec614c918526d0ea6b
SHA256 32d8c36c829be1cdbed56201a0e663227fe74d479f1732a7974fb50fdf09c02e
SHA3 875980658ccef3761d4b031747487987b2ef3ed7d0d6a53d7fbc7ede04831626
SSDeep 384:R1Wx2a/j+HF400vvnIPxAvDJ1SvAPnXnG1l:R1I2ab+l400nnIpAN1SvAP36
Imports Hash 2d3a84dfeb99a2f4534843b7c5817fbc

DOS Header

e_magic MZ
e_cblp 0x4
e_cp 0x1
e_crlc 0
e_cparhdr 0x4
e_minalloc 0x1
e_maxalloc 0xffff
e_ss 0x6a06
e_sp 0xcb00
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0xa8

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_I386
NumberofSections 4
TimeDateStamp 2008-Apr-01 19:35:07
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xe0
Characteristics IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED

Image Optional Header

Magic PE32
LinkerVersion 7.0
SizeOfCode 0x3600
SizeOfInitializedData 0xa00
SizeOfUninitializedData 0
AddressOfEntryPoint 0x0000348D (Section: .text)
BaseOfCode 0x1000
BaseOfData 0x5000
ImageBase 0x400000
SectionAlignment 0x1000
FileAlignment 0x200
OperatingSystemVersion 4.0
ImageVersion 0.0
SubsystemVersion 4.0
Win32VersionValue 0
SizeOfImage 0x8000
SizeOfHeaders 0x400
Checksum 0
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
SizeofStackReserve 0x100000
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

.text

MD5 a536203225a7074c37fff81d46687ec1
SHA1 20637d56544acc8a1070b9fb497bc9b91c55e999
SHA256 41b197c6460a065c96a8a6cbfeb3b6338c3d1277a435874cc326cd78700fde0b
SHA3 59418c3c36bc6cd5dc3dae65dc74689dbf8da975b273f832c3aa8e09ede59f5f
VirtualSize 0x35f6
VirtualAddress 0x1000
SizeOfRawData 0x3600
PointerToRawData 0x400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
Entropy 6.40208

.data

MD5 4031479fbcd57a5f6c8dbf647bfcd376
SHA1 1ddbc29868bb42f598db5dcffdea0b1fe9f8d951
SHA256 0277c751df8e8abc55fe2bace1a2ca1292e96ef3de276706161d48d7bcd835bd
SHA3 a00ca26f5cacea198f45643320cf1c44b32d466dd089fca4d85887e141b14f4b
VirtualSize 0x164
VirtualAddress 0x5000
SizeOfRawData 0x200
PointerToRawData 0x3a00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 1.00828

.cdata

MD5 948511b4a40017a4f17b5af4066e5e15
SHA1 f6bb08ea8fcf70da93ae5a03f1665cc08d43c6c4
SHA256 64849681744296a1582f67b47b63d0be61145eb3f473ba8e6198e43db7867e8d
SHA3 b774fb347aa6e18fbe8acd20d05245ac999e3ce8f1245c233921dd3e8d2a4fee
VirtualSize 0x23c
VirtualAddress 0x6000
SizeOfRawData 0x400
PointerToRawData 0x3c00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_SHARED
IMAGE_SCN_MEM_WRITE
Entropy 1.32372

.reloc

MD5 7f5f3ba1ba90b8791121f26ba95facf6
SHA1 5999a0599cba75340c2726fc35949557be105cc2
SHA256 d8b9535677f13a3b4132313153fff2dc13f61f7267697361ae08a06e5db5135b
SHA3 9f70cc48fccb1a8f6890cc9be6ba2b399797a2c48d0d4aa114b765194beab5af
VirtualSize 0x338
VirtualAddress 0x7000
SizeOfRawData 0x400
PointerToRawData 0x4000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Entropy 5.79343

Imports

WSOCK32.dll #11
#115
#116
USER32.dll DefWindowProcA
wsprintfA
PostQuitMessage
RegisterClassA
TranslateMessage
GetMessageA
PeekMessageA
PostMessageA
DispatchMessageA
CreateWindowExA
SetTimer
PostThreadMessageA
KillTimer
KERNEL32.dll VirtualFreeEx
DeleteCriticalSection
OpenProcess
WriteFile
CloseHandle
RtlUnwind
GetVersion
LocalAlloc
SetFilePointer
CreateProcessA
GetModuleHandleA
GetLastError
LocalFree
ExitThread
SetEvent
ReadFile
TerminateProcess
WaitForSingleObject
WriteProcessMemory
ReadProcessMemory
ResetEvent
LeaveCriticalSection
GetStdHandle
TerminateThread
ExitProcess
InitializeCriticalSection
GetModuleFileNameA
GetProcAddress
WaitForMultipleObjects
CreateRemoteThread
lstrlenA
CreateEventA
GetExitCodeThread
CreateThread
lstrcmpiA
EnterCriticalSection
GetCurrentProcessId
CreateFileA
SetThreadPriority
ResumeThread
lstrcpyA
GetOverlappedResult
FreeLibrary
RaiseException
GetCurrentThreadId
lstrcatA
GetEnvironmentVariableA
SetStdHandle
VirtualAllocEx
Sleep
CopyFileA
LoadLibraryA
ADVAPI32.dll RegQueryValueExA
RegEnumValueA
RegOpenKeyA
RegDeleteValueA
SetServiceStatus
OpenProcessToken
RegOpenKeyExA
StartServiceCtrlDispatcherA
SetTokenInformation
RegCloseKey
RegisterServiceCtrlHandlerA
DuplicateTokenEx
CreateProcessAsUserA

Delayed Imports

rpcnetp

Ordinal 1
Address 0x34e1

Version Info

TLS Callbacks

Load Configuration

RICH Header

XOR Key 0x77224aa4
Unmarked objects 0
Imports (2067) 2
Imports (2179) 7
Total imports 82
Unmarked objects (#2) 5
C objects (VS2003 (.NET) build 3077) 14
C++ objects (VS2003 (.NET) build 3077) 1
Exports (VS2003 (.NET) build 3077) 1
Linker (VS2003 (.NET) build 3077) 1

Errors
