| Property | Value |
|---|---|
| Architecture | IMAGE_FILE_MACHINE_I386 |
| Subsystem | IMAGE_SUBSYSTEM_WINDOWS_GUI |
| Compilation Date | 2010-Aug-01 10:32:37 |
| Detected languages | English - United States |
| Info | Matching compiler(s): Microsoft Visual C++ 6.0 - 8.0; Microsoft Visual C++ 7.0 DLL; MASM/TASM - sig2(h); .NET DLL -> Microsoft; Microsoft Visual C++; Microsoft Visual C++ v6.0 |
| Suspicious | PEiD Signature: FASM 1.5x; FASM v1.5x |
| Suspicious | Strings found in the binary may indicate undesirable behavior: Looks for VirtualBox presence: |
| Suspicious | The PE is possibly packed. Section .code is both writable and executable. Unusual section name found: .NewSec. Section .NewSec is both writable and executable. |
| Info | The PE contains common functions which appear in legitimate applications. Possibly launches other programs: |
| Suspicious | The PE header may have been manually modified. The resource timestamps differ from the PE header: |
| Suspicious | The file contains overlay data. 1040563 bytes of data starting at offset 0x8000. Overlay data amounts for 96.9471% of the executable. |
| Malicious | VirusTotal score: 58/72 (Scanned on 2019-05-17 07:56:08) |

| Vendor | Detection |
|---|---|
| Bkav | W32.OverlayND.PE |
| MicroWorld-eScan | Gen:Variant.Ulise.1219 |
| FireEye | Generic.mg.adb4923f68b31f04 |
| CAT-QuickHeal | W32.Sivis.A5 |
| McAfee | Packed-SU!ADB4923F68B3 |
| Cylance | Unsafe |
| SUPERAntiSpyware | Ransom.Winlock/Variant |
| K7GW | Trojan ( 00517a0d1 ) |
| K7AntiVirus | Trojan ( 005205011 ) |
| Invincea | heuristic |
| F-Prot | W32/S-a846205f!Eldorado |
| Symantec | W32.Suviapen |
| APEX | Malicious |
| ClamAV | Win.Packed.Sivis-6726654-0 |
| Kaspersky | Packed.Win32.Krap.jc |
| BitDefender | Gen:Variant.Ulise.1219 |
| NANO-Antivirus | Trojan.Win32.Krap.espnuv |
| ViRobot | Trojan.Win32.Agent.Gen.C |
| Avast | Win32:Agent-BCFZ [Trj] |
| Tencent | Trojan.Win32.Kryptik.fwwy |
| Ad-Aware | Gen:Variant.Ulise.1219 |
| Emsisoft | Gen:Variant.Ulise.1219 (B) |
| Comodo | Virus.Win32.VirLock.GA@7lv9go |
| F-Secure | Trojan.TR/ATRAPS.Gen2 |
| DrWeb | Trojan.Encoder.14453 |
| Zillya | Trojan.Black.Win32.51155 |
| TrendMicro | PE_LUMER.MR |
| McAfee-GW-Edition | BehavesLike.Win32.Sivis.tt |
| Trapmine | malicious.high.ml.score |
| TheHacker | Trojan/Kryptik.FWWY.gen |
| SentinelOne | DFI - Malicious PE |
| Cyren | W32/S-a846205f!Eldorado |
| Jiangmin | Packed.Krap.fyig |
| Avira | TR/ATRAPS.Gen2 |
| Fortinet | W32/Ausiv.A |
| Antiy-AVL | Trojan[Packed]/Win32.Krap |
| Endgame | malicious (high confidence) |
| Arcabit | Trojan.Ulise.D4C3 |
| ZoneAlarm | Packed.Win32.Krap.jc |
| Microsoft | Trojan:Win32/Ausiv |
| TACHYON | Trojan/W32.Agent.Zen.EOR |
| Sophos | W32/Sivis-B |
| AhnLab-V3 | Trojan/Win32.Ransom.R213603 |
| Acronis | suspicious |
| VBA32 | Trojan.Encoder |
| ALYac | Gen:Variant.Ulise.1219 |
| MAX | malware (ai score=89) |
| Malwarebytes | Ransom.Winlock |
| ESET-NOD32 | Win32/Kryptik.FWWY.Gen |
| TrendMicro-HouseCall | PE_LUMER.MR |
| Rising | Trojan.Ausiv!8.F240 (RDM+:cmRtazrtFgJZgnULRco8JM9DyWje) |
| Ikarus | Trojan.Win32.Ausiv |
| MaxSecure | Packed.Krap.JC |
| GData | Gen:Variant.Ulise.1219 |
| AVG | Win32:Agent-BCFZ [Trj] |
| Cybereason | malicious.f68b31 |
| CrowdStrike | win/malicious_confidence_100% (D) |
| Qihoo-360 | HEUR/QVM19.1.3D5B.Malware.Gen |
| DOS header field | Value |
|---|---|
| e_magic | MZ |
| e_cblp | 0x90 |
| e_cp | 0x3 |
| e_crlc | 0 |
| e_cparhdr | 0x4 |
| e_minalloc | 0 |
| e_maxalloc | 0xffff |
| e_ss | 0 |
| e_sp | 0xb8 |
| e_csum | 0 |
| e_ip | 0 |
| e_cs | 0 |
| e_ovno | 0 |
| e_oemid | 0 |
| e_oeminfo | 0 |
| e_lfanew | 0x80 |
| PE header field | Value |
|---|---|
| Signature | PE |
| Machine | IMAGE_FILE_MACHINE_I386 |
| NumberOfSections | 6 |
| TimeDateStamp | 2010-Aug-01 10:32:37 |
| PointerToSymbolTable | 0 |
| NumberOfSymbols | 0 |
| SizeOfOptionalHeader | 0xe0 |
| Characteristics | IMAGE_FILE_32BIT_MACHINE, IMAGE_FILE_EXECUTABLE_IMAGE, IMAGE_FILE_LINE_NUMS_STRIPPED, IMAGE_FILE_LOCAL_SYMS_STRIPPED, IMAGE_FILE_RELOCS_STRIPPED |
| Optional header field | Value |
|---|---|
| Magic | PE32 |
| LinkerVersion | 2.0 |
| SizeOfCode | 0x3200 |
| SizeOfInitializedData | 0x1e00 |
| SizeOfUninitializedData | 0x1000 |
| AddressOfEntryPoint | 0x00001000 (Section: .code) |
| BaseOfCode | 0x1000 |
| BaseOfData | 0x4000 |
| ImageBase | 0x400000 |
| SectionAlignment | 0x1000 |
| FileAlignment | 0x200 |
| OperatingSystemVersion | 4.0 |
| ImageVersion | 0.0 |
| SubsystemVersion | 4.0 |
| Win32VersionValue | 0 |
| SizeOfImage | 0x8000 |
| SizeOfHeaders | 0x400 |
| Checksum | 0 |
| Subsystem | IMAGE_SUBSYSTEM_WINDOWS_GUI |
| SizeOfStackReserve | 0x100000 |
| SizeOfStackCommit | 0x1000 |
| SizeOfHeapReserve | 0x100000 |
| SizeOfHeapCommit | 0x1000 |
| LoaderFlags | 0 |
| NumberOfRvaAndSizes | 16 |
| Imported DLL | Imported functions |
|---|---|
| MSVCRT.dll | memset, memcpy, _stricmp, strncmp, _strnicmp, strcmp, memmove, strlen, strcpy, strcat, strncpy |
| KERNEL32.dll | GetModuleHandleA, HeapCreate, HeapDestroy, ExitProcess, GetCurrentThreadId, GetTickCount, HeapAlloc, HeapFree, WriteFile, CloseHandle, CreateFileA, GetFileSize, ReadFile, SetFilePointer, InitializeCriticalSection, GetModuleFileNameA, GetCurrentProcess, DuplicateHandle, CreatePipe, GetStdHandle, CreateProcessA, WaitForSingleObject, EnterCriticalSection, LeaveCriticalSection, GetCurrentProcessId, GetDriveTypeA, FindFirstFileA, FindClose, GetFileAttributesA, CreateDirectoryA, GetLastError, FindNextFileA, SetFileAttributesA, HeapReAlloc |
| COMCTL32.DLL | InitCommonControls |
| USER32.DLL | MessageBoxA, GetWindowThreadProcessId, IsWindowVisible, IsWindowEnabled, GetForegroundWindow, EnableWindow, EnumWindows |
| SHELL32.DLL | ShellExecuteExA |
| OLE32.DLL | CoInitialize |