Architecture | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date | 2008-Apr-01 19:35:07 |
Suspicious | Strings found in the binary may indicate undesirable behavior: Contains references to internet browsers: |
Malicious | The file headers were tampered with. Unusual section name found: .cdata; the RICH header checksum is invalid. |
Malicious | The PE contains functions mostly used by malware. [!] The program may be hiding some of its imports: |
Malicious | VirusTotal score: 15/67 (Scanned on 2019-10-08 22:16:35). Zillya: Trojan.GenericKD.Win32.115912; F-Prot: W32/Backdoor.GV.gen!Eldorado; APEX: Malicious; Tencent: Win32.Trojan.Qwer.Ygca; Cyren: W32/Backdoor.GV.gen!Eldorado; Jiangmin: Backdoor.DoubleAgent.a; Antiy-AVL: Trojan[Backdoor]/Win32.DoubleAgent; ViRobot: Trojan.Win32.Agent.17408.EC; TACHYON: Backdoor/W32.DoubleAgent.17408; AhnLab-V3: Trojan/Win32.Agent.C2487603; VBA32: Backdoor.DoubleAgent; Zoner: Trojan.Win32.68260; Rising: Trojan.Generic@ML.83 (RDMK:NfM8lUs5lfR4KRh9vUE4Sg); Yandex: Backdoor.DoubleAgent!; Cybereason: malicious.efffad |
e_magic | MZ |
---|---|
e_cblp | 0x4 |
e_cp | 0x1 |
e_crlc | 0 |
e_cparhdr | 0x4 |
e_minalloc | 0x1 |
e_maxalloc | 0xffff |
e_ss | 0x6a06 |
e_sp | 0xcb00 |
e_csum | 0 |
e_ip | 0 |
e_cs | 0 |
e_ovno | 0 |
e_oemid | 0 |
e_oeminfo | 0 |
e_lfanew | 0xa8 |
Signature | PE |
---|---|
Machine | IMAGE_FILE_MACHINE_I386 |
NumberofSections | 4 |
TimeDateStamp | 2008-Apr-01 19:35:07 |
PointerToSymbolTable | 0 |
NumberOfSymbols | 0 |
SizeOfOptionalHeader | 0xe0 |
Characteristics | IMAGE_FILE_32BIT_MACHINE, IMAGE_FILE_EXECUTABLE_IMAGE, IMAGE_FILE_LINE_NUMS_STRIPPED, IMAGE_FILE_LOCAL_SYMS_STRIPPED |
Magic | PE32 |
---|---|
LinkerVersion | 7.0 |
SizeOfCode | 0x3600 |
SizeOfInitializedData | 0xa00 |
SizeOfUninitializedData | 0 |
AddressOfEntryPoint | 0x0000348D (Section: .text) |
BaseOfCode | 0x1000 |
BaseOfData | 0x5000 |
ImageBase | 0x400000 |
SectionAlignment | 0x1000 |
FileAlignment | 0x200 |
OperatingSystemVersion | 4.0 |
ImageVersion | 0.0 |
SubsystemVersion | 4.0 |
Win32VersionValue | 0 |
SizeOfImage | 0x8000 |
SizeOfHeaders | 0x400 |
Checksum | 0 |
Subsystem | IMAGE_SUBSYSTEM_WINDOWS_GUI |
SizeofStackReserve | 0x100000 |
SizeofStackCommit | 0x1000 |
SizeofHeapReserve | 0x100000 |
SizeofHeapCommit | 0x1000 |
LoaderFlags | 0 |
NumberOfRvaAndSizes | 16 |
WSOCK32.dll | #11, #115, #116 |
---|---|
USER32.dll | DefWindowProcA, wsprintfA, PostQuitMessage, RegisterClassA, TranslateMessage, GetMessageA, PeekMessageA, PostMessageA, DispatchMessageA, CreateWindowExA, SetTimer, PostThreadMessageA, KillTimer |
KERNEL32.dll | VirtualFreeEx, DeleteCriticalSection, OpenProcess, WriteFile, CloseHandle, RtlUnwind, GetVersion, LocalAlloc, SetFilePointer, CreateProcessA, GetModuleHandleA, GetLastError, LocalFree, ExitThread, SetEvent, ReadFile, TerminateProcess, WaitForSingleObject, WriteProcessMemory, ReadProcessMemory, ResetEvent, LeaveCriticalSection, GetStdHandle, TerminateThread, ExitProcess, InitializeCriticalSection, GetModuleFileNameA, GetProcAddress, WaitForMultipleObjects, CreateRemoteThread, lstrlenA, CreateEventA, GetExitCodeThread, CreateThread, lstrcmpiA, EnterCriticalSection, GetCurrentProcessId, CreateFileA, SetThreadPriority, ResumeThread, lstrcpyA, GetOverlappedResult, FreeLibrary, RaiseException, GetCurrentThreadId, lstrcatA, GetEnvironmentVariableA, SetStdHandle, VirtualAllocEx, Sleep, CopyFileA, LoadLibraryA |
ADVAPI32.dll | RegQueryValueExA, RegEnumValueA, RegOpenKeyA, RegDeleteValueA, SetServiceStatus, OpenProcessToken, RegOpenKeyExA, StartServiceCtrlDispatcherA, SetTokenInformation, RegCloseKey, RegisterServiceCtrlHandlerA, DuplicateTokenEx, CreateProcessAsUserA |
Ordinal | 1 |
---|---|
Address | 0x34e1 |
XOR Key | 0x77224aa4 |
---|---|
Unmarked objects | 0 |
Imports (2067) | 2 |
Imports (2179) | 7 |
Total imports | 82 |
Unmarked objects (#2) | 5 |
C objects (VS2003 (.NET) build 3077) | 14 |
C++ objects (VS2003 (.NET) build 3077) | 1 |
Exports (VS2003 (.NET) build 3077) | 1 |
Linker (VS2003 (.NET) build 3077) | 1 |