b4890bb1a8318357e5f8456c363ba647

Summary

Architecture IMAGE_FILE_MACHINE_I386
Subsystem IMAGE_SUBSYSTEM_WINDOWS_CUI
Compilation Date 2017-May-10 18:30:01
Detected languages English - United States

Plugin Output

Suspicious PEiD Signature:
  • UPX V2.00-V2.90 -> Markus Oberhumer & Laszlo Molnar & John Reiser
  • UPX -> www.upx.sourceforge.net
  • UPX V2.00-V2.90 -> Markus Oberhumer & Laszlo Molnar & John Reiser
  • UPX 2.00-3.0X -> Markus Oberhumer & Laszlo Molnar & John Reiser
Suspicious The PE is packed with UPX
Unusual section name found: UPX0
Section UPX0 is both writable and executable.
Unusual section name found: UPX1
Section UPX1 is both writable and executable.
The PE only has 8 import(s).
Info The PE contains common functions which appear in legitimate applications.
[!] The program may be hiding some of its imports:
  • LoadLibraryA
  • GetProcAddress
Can access the registry:
  • RegCloseKey
Malicious VirusTotal score: 14/64 (Scanned on 2018-05-12 14:55:29)
MicroWorld-eScan: Trojan.GenericKD.30724561
ALYac: Trojan.GenericKD.30724561
Cylance: Unsafe
TheHacker: Posible_Worm32
BitDefender: Trojan.GenericKD.30724561
Arcabit: Trojan.Generic.D1D4D1D1
F-Secure: Trojan.GenericKD.30724561
McAfee-GW-Edition: Artemis
Emsisoft: Trojan.GenericKD.30724561 (B)
McAfee: Artemis!B4890BB1A831
MAX: malware (ai score=81)
GData: Trojan.GenericKD.30724561
Ad-Aware: Trojan.GenericKD.30724561
CrowdStrike: malicious_confidence_80% (W)

Hashes

MD5 b4890bb1a8318357e5f8456c363ba647
SHA1 0cd5fa5911b12697f29aca7213a0fe87a912512c
SHA256 6d6026bafd12f3b49d286b0abde7d1e5bf925d798c596244a1cd9258886a321d
SHA3 a4c6db246992391c360dc9c2ada2e9c193a1425d7ab212eae138ee57a6cda9c2
SSDeep 384:lpol/QOwfJo6mRx1pjAmcQI9K6wUYw/ul3xwjs8CEG:lponFpjAvh4rl3Os8CE
Imports Hash adb92bf004e493e8ffddc9d4da02b56f

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0xf8

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_I386
NumberofSections 3
TimeDateStamp 2017-May-10 18:30:01
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xe0
Characteristics IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE

Image Optional Header

Magic PE32
LinkerVersion 14.0
SizeOfCode 0x3000
SizeOfInitializedData 0x1000
SizeOfUninitializedData 0xf000
AddressOfEntryPoint 0x00012D30 (Section: UPX1)
BaseOfCode 0x10000
BaseOfData 0x13000
ImageBase 0x400000
SectionAlignment 0x1000
FileAlignment 0x200
OperatingSystemVersion 6.0
ImageVersion 0.0
SubsystemVersion 6.0
Win32VersionValue 0
SizeOfImage 0x14000
SizeOfHeaders 0x1000
Checksum 0
Subsystem IMAGE_SUBSYSTEM_WINDOWS_CUI
DllCharacteristics IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
SizeofStackReserve 0x100000
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

UPX0

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA3 a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a
VirtualSize 0xf000
VirtualAddress 0x1000
SizeOfRawData 0
PointerToRawData 0x400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

UPX1

MD5 69901d063aed2b59d76ac1d4ca1e0784
SHA1 f3f439e59ca5a6522d498916484c8c40824a2c9e
SHA256 cb519b187da3bcf791d46da03189f83cb26f684add2da266b5cabdad0f264a37
SHA3 a49189b0680fb66038307916137845dc664ef5d5bf57f063eea78acbca48042f
VirtualSize 0x3000
VirtualAddress 0x10000
SizeOfRawData 0x3000
PointerToRawData 0x400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 7.79981

.rsrc

MD5 3b1e52d3afb7920695c917d5ae7e9b4b
SHA1 7bb5bfc6b5f6b2ba08f71f6cfa2f89bd90b85dfe
SHA256 b197ac05f8d1e3a521530d2faaa490bd34991e95f64d9ebc07e3460b6372ed06
SHA3 0ad6bffb953b6214dc90e0c3172ef4fa3e02708fec58166612601eedcb911577
VirtualSize 0x1000
VirtualAddress 0x13000
SizeOfRawData 0x400
PointerToRawData 0x3400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 4.33298

Imports

ADVAPI32.dll
  • RegCloseKey
KERNEL32.DLL
  • LoadLibraryA
  • ExitProcess
  • GetProcAddress
  • VirtualProtect
ucrtbased.dll
  • free
USER32.dll
  • CharUpperA
VCRUNTIME140D.dll
  • memset

Delayed Imports

Resources

1

Type RT_MANIFEST
Language English - United States
Codepage UNKNOWN
Size 0x17d
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 4.91161
MD5 1e4a89b11eae0fcf8bb5fdd5ec3b6f61
SHA1 4260284ce14278c397aaf6f389c1609b0ab0ce51
SHA256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df
SHA3 4bb9e8b5a714cae82782f3831cc2d45f4bf4a50a755fe584d2d1893129d68353

Version Info

TLS Callbacks

Load Configuration

Size 0x5c
TimeDateStamp 1970-Jan-01 00:00:00
Version 0.0
GlobalFlagsClear (EMPTY)
GlobalFlagsSet (EMPTY)
CriticalSectionDefaultTimeout 0
DeCommitFreeBlockThreshold 0
DeCommitTotalFreeThreshold 0
LockPrefixTable 0
MaximumAllocationSize 0
VirtualMemoryThreshold 0
ProcessAffinityMask 0
ProcessHeapFlags (EMPTY)
CSDVersion 0
Reserved1 0
EditList 0
SecurityCookie 0x40b728
SEHandlerTable 0x4096d0
SEHandlerCount 1

RICH Header

XOR Key 0xab816046
Unmarked objects 0
239 (40116) 2
Imports (VS2015 UPD3 build 24123) 2
C++ objects (VS2015 UPD3 build 24123) 23
C objects (VS2015 UPD3 build 24123) 13
Imports (65501) 7
Total imports 84
C objects (VS2015 UPD3.1 build 24215) 3
Resource objects (VS2015 UPD3 build 24210) 1
Linker (VS2015 UPD3.1 build 24215) 1

Errors

[*] Warning: Section UPX0 has a size of 0!