b4af9d42196cc7735385aa67674e5776

Summary

Architecture IMAGE_FILE_MACHINE_I386
Subsystem IMAGE_SUBSYSTEM_WINDOWS_CUI
Compilation Date 2011-Jun-30 20:47:55
Detected languages English - United States

Plugin Output

Info Matching compiler(s):
  • Microsoft Visual C++ 6.0 - 8.0
  • MASM/TASM - sig1(h)
  (Note: the LinkerVersion field below is 10.0 and the Rich header lists VS2010 build 30319 objects, so the "6.0 - 8.0" match is a loose signature; the binary was linked with the VS2010 toolchain.)
Suspicious Strings found in the binary may indicate undesirable behavior:
Miscellaneous malware strings:
  • cmd.exe
Contains domain names:
  • http://nmap.org
  • http://www.openssl.org
  • http://www.openssl.org/support/faq.html
  • insecure.org
  • openssl.org
  • www.openssl.org
Info Cryptographic algorithms detected in the binary:
  • Uses constants related to MD5
  • Uses constants related to SHA1
  • Uses constants related to SHA256
  • Uses constants related to SHA512
  • Uses constants related to AES
  • Uses constants related to Blowfish
  • Microsoft's Cryptography API
Suspicious The PE contains functions most legitimate programs don't use.
[!] The program may be hiding some of its imports:
  • LoadLibraryW
  • GetProcAddress
  • LoadLibraryA
Possibly launches other programs:
  • CreateProcessA
Uses Windows's Native API (signature quirk: ntohl and ntohs are Winsock byte-order helpers imported from WS2_32.dll, see the Imports section, not ntdll Native API calls):
  • ntohl
  • ntohs
Uses Microsoft's cryptographic API:
  • CryptReleaseContext
  • CryptAcquireContextA
  • CryptGenRandom
Leverages the raw socket API to access the Internet:
  • ioctlsocket
  • WSASocketA
  • getsockopt
  • sendto
  • getsockname
  • WSAStartup
  • bind
  • ntohl
  • gethostname
  • socket
  • setsockopt
  • recvfrom
  • listen
  • connect
  • WSACreateEvent
  • WSAEventSelect
  • WSACloseEvent
  • shutdown
  • select
  • recv
  • WSASetLastError
  • ntohs
  • getservbyport
  • gethostbyaddr
  • htons
  • getservbyname
  • htonl
  • inet_ntoa
  • gethostbyname
  • WSAGetLastError
  • inet_addr
  • send
  • accept
  • closesocket
  • __WSAFDIsSet
  • getpeername
Enumerates local disk drives:
  • GetDriveTypeW
  • GetDriveTypeA
Can take screenshots:
  • BitBlt
  • CreateCompatibleDC
Malicious VirusTotal score: 22/70 (Scanned on 2023-05-21 07:38:47)
  • FireEye: Generic.mg.b4af9d42196cc773
  • Malwarebytes: Malware.AI.3800302863
  • K7AntiVirus: Unwanted-Program ( 0055f3201 )
  • K7GW: Unwanted-Program ( 0055f3201 )
  • BitDefenderTheta: Gen:NN.ZexaF.36196.LzW@aalyECfi
  • Elastic: malicious (moderate confidence)
  • ESET-NOD32: a variant of Win32/NetTool.Ncat.B potentially unsafe
  • Kaspersky: not-a-virus:RemoteAdmin.Win32.NetCat.bns
  • NANO-Antivirus: Trojan.Win32.Mlw.ivbbwt
  • Tencent: Malware.Win32.Gencirc.10bea1ca
  • Zillya: Trojan.Cimag.Win32.5300
  • Sophos: Generic Reputation PUA (PUA)
  • Jiangmin: Trojan.Generic.aixtw
  • Gridinsoft: Risk.Win32.RemoteAdmin.vb!s1
  • ZoneAlarm: not-a-virus:RemoteAdmin.Win32.NetCat.bns
  • VBA32: BScope.Trojan.Swrort
  • Cylance: unsafe
  • Rising: Trojan.Generic@AI.81 (RDML:X9d56K5P5beHaERsHUvY3A)
  • Yandex: Trojan.Swrort!uXkeQ613Jro
  • Fortinet: Riskware/NetTool_Ncat
  • DeepInstinct: MALICIOUS
  • CrowdStrike: win/grayware_confidence_100% (D)
Several vendors (ESET, Kaspersky, ZoneAlarm, Gridinsoft, Fortinet) name the sample as Ncat/NetCat, which is consistent with the nmap.org and insecure.org strings and the cmd.exe string above (Ncat can attach a spawned process to a socket). Most of the 22 verdicts are riskware/PUA/grayware or generic heuristic labels rather than a specific trojan family, so the score says "dual-use network tool present" rather than proving malicious intent; the context in which the file was found decides that.

Hashes

MD5 b4af9d42196cc7735385aa67674e5776
SHA1 d09aad7f598c4abe6427fa6e39f2e23f3b13a077
SHA256 60e8340536b9739935cca15c454d945569d4caeeb243b7650ead478314ff8ae4
SHA3 342eae6ad602990ebf31eb39f9e104493b1bcf2344c769f62ade16ca8523be77
SSDeep 49152:xmVoAe227S4KEOSAvwU/9r9xL7p/OpSTsARAr4:8Ve2ySWva9r9xfFTs
Imports Hash e2ce0ecb0c84cd0540751b3b21b23988

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0xf0

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_I386
NumberofSections 6
TimeDateStamp 2011-Jun-30 20:47:55
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xe0
Characteristics IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE

Image Optional Header

Magic PE32
LinkerVersion 10.0
SizeOfCode 0x134a00
SizeOfInitializedData 0x67e00
SizeOfUninitializedData 0
AddressOfEntryPoint 0x000C25B7 (Section: .text)
BaseOfCode 0x1000
BaseOfData 0x136000
ImageBase 0x400000
SectionAlignment 0x1000
FileAlignment 0x200
OperatingSystemVersion 5.1
ImageVersion 0.0
SubsystemVersion 5.1
Win32VersionValue 0
SizeOfImage 0x1a1000
SizeOfHeaders 0x400
Checksum 0
Subsystem IMAGE_SUBSYSTEM_WINDOWS_CUI
DllCharacteristics IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
SizeofStackReserve 0x100000
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

.text

MD5 20685f2ce1d981d5a3062e31151503f1
SHA1 6a3db773a33cfcccf48d1111993276cc7b0c8f34
SHA256 72c171abc58ab1a10a12bc3e299a73f829bc2245d0559c2208f13aca45b1124a
SHA3 27fd3875a4e25c63bb0c89e79aafceb151b78521ab584b8d59c5858d85f6e209
VirtualSize 0x134804
VirtualAddress 0x1000
SizeOfRawData 0x134a00
PointerToRawData 0x400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
Entropy 5.86798

.rdata

MD5 0692b9a6ecb4f2810220ce7843b0334d
SHA1 e8ee20d211570a015bfe2cadfc7fe4aa0e42b05c
SHA256 94e131937274b778ef57f80cbdc7b7871515903726df25bf2582f3fa88c9c8cc
SHA3 ed06ce91ce23c1a2c3af150f2adc18af1a8d2c6b8907518b0352fd8da26660ce
VirtualSize 0x496db
VirtualAddress 0x136000
SizeOfRawData 0x49800
PointerToRawData 0x134e00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 5.0415

.data

MD5 4a7736628b37e67c489a713b0d6320bb
SHA1 57ecfb1ed6965795d8b6b6816de3a326fee76686
SHA256 cf9ac1be463df63d9e89e1138d2f517b6ddfea5212810ef6b5cd190bc6ecbf75
SHA3 2f15f5946c3f6b0e4cc6893bb359c000a64f480ff62670c01df713684ec586ab
VirtualSize 0xf6a4
VirtualAddress 0x180000
SizeOfRawData 0x9e00
PointerToRawData 0x17e600
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 4.25084

.idata

MD5 509b8a598ffc3136ebe9a826cdb0ee0f
SHA1 77e92b6c711737e7268e689e081bdfb15e2b89b7
SHA256 8660e95adff80dde8d90e08fea6ae256873dc8fb38efae81dd2e32f11371f30b
SHA3 12d127c2121a100df1be2b5053da6cc9fe2c99f53819866b0e07ebe7ff6c7c85
VirtualSize 0x15ad
VirtualAddress 0x190000
SizeOfRawData 0x1600
PointerToRawData 0x188400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 4.26973

.rsrc

MD5 9e743de7baf937fdbccd843a20b76b51
SHA1 97b9669566ea531206c52419e126e1e2020849c0
SHA256 251d1c17ced69403e91dc51ef72a61d762d207ee66871b1bcc9de6e719264596
SHA3 b40f10c6dd70e267e7d426bed4b8e2de5ffde9ec182a583112da0006f4c8596a
VirtualSize 0x459
VirtualAddress 0x192000
SizeOfRawData 0x600
PointerToRawData 0x189a00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 2.25329

.reloc

MD5 b0f070bb5b968636ac11806e53a8f143
SHA1 16d9c5d0647881f34c265e8478246c93ca622a21
SHA256 ace7114d58ef1b17fc1683552a33e6a78c53b5e206329c85c218577383edf427
SHA3 bf447e3f0bff75166085a50f3501c7ec6c5f71d161f8612e796355b5bb45e91f
VirtualSize 0xd196
VirtualAddress 0x193000
SizeOfRawData 0xd200
PointerToRawData 0x18a000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Entropy 6.26985
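The header and section fields tabulated above (e_lfanew, the PE/COFF header, the PE32 optional header and the section table with per-section entropy) can be walked with a few struct calls. The following is an added example, not output of the analysis tool and not code from the Nmap project. It parses a PE32 image and builds a constructed two-section image that reuses this report's header values (e_lfanew 0xf0, i386, CUI subsystem, ImageBase 0x400000, the 2011-06-30 20:47:55 timestamp, DllCharacteristics 0x8140) so that it runs offline; the sample's section contents, sizes and entry point are made up.

```python
"""Minimal PE32 header walker with per-section entropy and entry-point
resolution. Added example; not the analysis tool's code."""
import json
import math
import struct
from collections import Counter
from datetime import datetime, timezone

MACHINE_NAMES = {0x14C: "IMAGE_FILE_MACHINE_I386", 0x8664: "IMAGE_FILE_MACHINE_AMD64"}
SUBSYSTEM_NAMES = {2: "IMAGE_SUBSYSTEM_WINDOWS_GUI", 3: "IMAGE_SUBSYSTEM_WINDOWS_CUI"}
FILE_CHARACTERISTICS = {0x0002: "IMAGE_FILE_EXECUTABLE_IMAGE",
                        0x0100: "IMAGE_FILE_32BIT_MACHINE", 0x2000: "IMAGE_FILE_DLL"}
DLL_CHARACTERISTICS = {0x0040: "IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE",
                       0x0100: "IMAGE_DLLCHARACTERISTICS_NX_COMPAT",
                       0x8000: "IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE"}


def flags(value, table):
    return [name for bit, name in sorted(table.items()) if value & bit]


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, 8.0 for a uniform byte distribution."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_pe32(image: bytes) -> dict:
    """Walk MZ -> e_lfanew -> PE\\0\\0 -> COFF header -> optional header -> sections."""
    if image[:2] != b"MZ":
        raise ValueError("no MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    coff = e_lfanew + 4                      # 20-byte COFF file header
    machine, nsect, stamp, _symtab, _nsyms, opt_size, chars = struct.unpack_from("<HHIIIHH", image, coff)
    opt = coff + 20                          # optional header (PE32 layout assumed)
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic != 0x10B:
        raise ValueError("this example handles PE32 only (magic 0x10b)")
    (entry_rva,) = struct.unpack_from("<I", image, opt + 16)
    (image_base,) = struct.unpack_from("<I", image, opt + 28)
    subsystem, dll_chars = struct.unpack_from("<HH", image, opt + 68)

    sections = []
    for i in range(nsect):                  # 40-byte section headers follow the optional header
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", image, opt + opt_size + 40 * i)
        raw = image[rawptr:rawptr + rawsize]
        sections.append({"name": name.rstrip(b"\0").decode("ascii"),
                         "VirtualAddress": va, "VirtualSize": vsize,
                         "SizeOfRawData": rawsize, "PointerToRawData": rawptr,
                         "entropy": round(shannon_entropy(raw), 5)})
    # A sane entry point lies inside a section; None here is a red flag.
    ep_section = next((s["name"] for s in sections
                       if s["VirtualAddress"] <= entry_rva
                       < s["VirtualAddress"] + max(s["VirtualSize"], s["SizeOfRawData"])), None)
    return {"Machine": MACHINE_NAMES.get(machine, hex(machine)),
            "NumberOfSections": nsect,
            "TimeDateStamp": datetime.fromtimestamp(stamp, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
            "Characteristics": flags(chars, FILE_CHARACTERISTICS),
            "AddressOfEntryPoint": entry_rva, "EntryPointSection": ep_section,
            "ImageBase": image_base,
            "Subsystem": SUBSYSTEM_NAMES.get(subsystem, subsystem),
            "DllCharacteristics": flags(dll_chars, DLL_CHARACTERISTICS),
            "sections": sections}


def build_sample_pe32() -> bytes:
    """Constructed two-section image (not the analysed file) reusing the report's
    header values; 1309466875 is 2011-06-30 20:47:55 UTC."""
    dos = bytearray(0xF0)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0xF0)                  # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 1309466875, 0, 0, 0xE0, 0x0102)
    opt = struct.pack("<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH" + "I" * 6,
                      0x10B, 10, 0,                          # PE32 magic, linker 10.0
                      0x200, 0x200, 0,                       # SizeOfCode/InitializedData/UninitializedData
                      0x1010, 0x1000, 0x2000,                # AddressOfEntryPoint, BaseOfCode, BaseOfData
                      0x400000, 0x1000, 0x200,               # ImageBase, SectionAlignment, FileAlignment
                      5, 1, 0, 0, 5, 1,                      # OS / image / subsystem versions
                      0, 0x3000, 0x400, 0,                   # Win32VersionValue, SizeOfImage, SizeOfHeaders, CheckSum
                      3, 0x8140,                             # CUI; DYNAMIC_BASE|NX_COMPAT|TERMINAL_SERVER_AWARE
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    opt += b"\0" * (16 * 8)                                  # 16 empty data directories -> 0xe0 bytes
    text = bytes(range(256)) * 2                             # uniform bytes: entropy exactly 8.0
    data = b"\0" * 0x200                                     # constant bytes: entropy 0.0
    sect = struct.pack("<8sIIIIIIHHI", b".text", len(text), 0x1000, len(text), 0x400, 0, 0, 0, 0, 0x60000020)
    sect += struct.pack("<8sIIIIIIHHI", b".data", len(data), 0x2000, len(data), 0x600, 0, 0, 0, 0, 0xC0000040)
    headers = bytes(dos) + b"PE\0\0" + coff + opt + sect
    return headers.ljust(0x400, b"\0") + text + data


if __name__ == "__main__":
    print(json.dumps(parse_pe32(build_sample_pe32()), indent=2))
```

Two checks worth keeping from this: the entry point must resolve to a section (here .text, as in the report; an entry point outside every section, or in a writable one, is a classic packer or injection tell), and per-section entropy compares directly with the values above. The 5.87 reported for .text is ordinary compiled code; anything approaching 8.0 in an executable section usually means packed or encrypted content.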

Imports

KERNEL32.DLL
GetFileInformationByHandle
GetFullPathNameA
FlushFileBuffers
GetEnvironmentStringsW
FreeEnvironmentStringsW
SetFilePointer
CreateFileW
RtlUnwind
HeapSize
GetLocaleInfoW
GetCurrentDirectoryW
DeleteCriticalSection
GetStartupInfoW
SetHandleCount
LoadLibraryW
LCMapStringW
IsValidCodePage
GetOEMCP
GetACP
SetCurrentDirectoryW
GetStringTypeW
GetUserDefaultLCID
GetLocaleInfoA
GetCPInfo
HeapDestroy
HeapCreate
IsProcessorFeaturePresent
IsDebuggerPresent
EnumSystemLocalesA
IsValidLocale
CompareStringW
SetEnvironmentVariableA
SetEndOfFile
GetProcessHeap
GetDriveTypeW
FindNextFileA
FatalAppExitA
GetVersion
FreeLibrary
GetProcAddress
LoadLibraryA
GetSystemDirectoryA
ReleaseMutex
WaitForSingleObject
CreateMutexA
CreateProcessA
GetStdHandle
SetHandleInformation
CreateFileA
CloseHandle
CreateNamedPipeA
GetLastError
CreatePipe
TerminateProcess
GetExitCodeProcess
ExitProcess
GetOverlappedResult
WriteFile
ResetEvent
WaitForMultipleObjects
ReadFile
CreateThread
GetModuleFileNameA
GetModuleHandleA
FormatMessageA
DuplicateHandle
GetCurrentProcess
Sleep
SetStdHandle
PeekNamedPipe
GetCurrentThreadId
FindFirstFileA
GetFileType
MultiByteToWideChar
GetTickCount
QueryPerformanceCounter
GetCurrentProcessId
GlobalMemoryStatus
GetVersionExA
FlushConsoleInputBuffer
SetLastError
HeapFree
WriteConsoleW
GetModuleFileNameW
EnterCriticalSection
LeaveCriticalSection
GetModuleHandleW
DecodePointer
EncodePointer
SetConsoleCtrlHandler
HeapAlloc
InterlockedExchange
WideCharToMultiByte
GetConsoleCP
GetConsoleMode
GetCommandLineA
HeapSetInformation
HeapReAlloc
GetFileAttributesA
FindClose
FileTimeToSystemTime
FileTimeToLocalFileTime
GetDriveTypeA
FindFirstFileExA
GetTimeZoneInformation
GetSystemTimeAsFileTime
InitializeCriticalSectionAndSpinCount
ReadConsoleInputA
SetConsoleMode
PeekConsoleInputA
GetNumberOfConsoleInputEvents
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
InterlockedIncrement
InterlockedDecrement
GetCurrentThread
UnhandledExceptionFilter
SetUnhandledExceptionFilter
ADVAPI32.dll
CryptReleaseContext
CryptAcquireContextA
RegisterEventSourceA
ReportEventA
DeregisterEventSource
CryptGenRandom
GDI32.dll
SelectObject
CreateCompatibleBitmap
BitBlt
GetBitmapBits
DeleteObject
DeleteDC
GetDeviceCaps
CreateCompatibleDC
GetObjectA
CreateDCA
USER32.dll
MessageBoxA
GetDesktopWindow
GetProcessWindowStation
GetUserObjectInformationW
WS2_32.dll
ioctlsocket
WSASocketA
getsockopt
sendto
getsockname
WSAStartup
bind
ntohl
gethostname
socket
setsockopt
recvfrom
listen
connect
WSACreateEvent
WSAEventSelect
WSACloseEvent
shutdown
select
recv
WSASetLastError
ntohs
getservbyport
gethostbyaddr
htons
getservbyname
htonl
inet_ntoa
gethostbyname
WSAGetLastError
inet_addr
send
accept
closesocket
__WSAFDIsSet
getpeername
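The Imports Hash in the Hashes section is an imphash: the MD5 of the import table normalized to lowercase "dll.function" strings (DLL extension stripped), comma-joined in import-directory order, as pefile computes it. As an added example (not the tool's code and not the Nmap project's), the block below implements that normalization over a constructed subset of the import table above and adds a combination-based capability check. Because only a subset is embedded, the hash it prints is not the value in the report; the full 176-entry table in directory order would be needed for that. The capability names and their API sets are my own grouping, not the tool's, and the subset deliberately omits bind so the inbound_tcp check does not fire.

```python
"""imphash normalization plus combination-based capability tagging over a PE
import table. Added example; not the analysis tool's code."""
import hashlib

# Constructed subset of the import table shown above (DLL, [functions]).
SAMPLE_IMPORTS = [
    ("KERNEL32.DLL", ["LoadLibraryA", "GetProcAddress", "CreateProcessA",
                      "CreatePipe", "CreateNamedPipeA", "PeekNamedPipe"]),
    ("ADVAPI32.dll", ["CryptAcquireContextA", "CryptGenRandom", "CryptReleaseContext"]),
    ("GDI32.dll", ["CreateCompatibleDC", "BitBlt", "GetBitmapBits"]),
    ("WS2_32.dll", ["WSAStartup", "socket", "connect", "listen", "accept", "send", "recv"]),
]


def normalize_imports(imports) -> str:
    """pefile-style normalization: lowercase DLL minus a .dll/.ocx/.sys extension,
    a dot, the lowercase symbol; entries comma-joined in table order. Imports by
    ordinal (pefile resolves them through its ordinal tables) are not handled."""
    parts = []
    for dll, funcs in imports:
        lib = dll.lower()
        base, _, ext = lib.rpartition(".")
        if ext in ("dll", "ocx", "sys"):
            lib = base
        parts.extend(f"{lib}.{f.lower()}" for f in funcs)
    return ",".join(parts)


def imphash(imports) -> str:
    return hashlib.md5(normalize_imports(imports).encode()).hexdigest()


# Each capability requires ALL listed APIs. CreateProcessA or connect() alone are
# unremarkable; process creation + pipe handles + sockets together are what let a
# tool wire a child's stdio to a network peer, which is the behaviour that matters.
CAPABILITIES = {
    "dynamic_import_resolution": {"loadlibrarya", "getprocaddress"},
    "outbound_tcp": {"wsastartup", "socket", "connect"},
    "inbound_tcp": {"wsastartup", "socket", "bind", "listen", "accept"},
    "shell_over_socket": {"createprocessa", "createpipe", "socket"},
    "screen_capture": {"createcompatibledc", "bitblt", "getbitmapbits"},
    "cryptoapi_rng": {"cryptacquirecontexta", "cryptgenrandom"},
}


def capabilities(imports) -> list:
    present = {f.lower() for _, funcs in imports for f in funcs}
    return sorted(name for name, need in CAPABILITIES.items() if need <= present)


if __name__ == "__main__":
    print("imphash:", imphash(SAMPLE_IMPORTS))
    print("capabilities:", capabilities(SAMPLE_IMPORTS))
```

Imphash is useful for clustering builds that share a link order (ncat builds from the same source tree and toolchain tend to collide), but it is easy to change by reordering imports or resolving them at runtime; the LoadLibrary/GetProcAddress pair the report flags is exactly how a binary would keep interesting APIs out of the hash.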

Delayed Imports

Resources

1

Type RT_MANIFEST
Language English - United States
Codepage UNKNOWN
Size 0x196
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 4.93317
MD5 7cb71b006fcdcf8ade80e31fd5ab8060
SHA1 655380fb2cca01b0ca707f748fc7dcf006732518
SHA256 be8918559280a2e74748bf8f6238b568ed7cbf75183b2180a6a8a979a1ebf243
SHA3 1a03e76e664cba5cc9c5b4570c991d3f72475aebcf3d870270d080dcf1246092

Version Info

TLS Callbacks

Load Configuration

RICH Header

XOR Key 0x690d6ee2
Unmarked objects 0
152 (20115) 3
ASM objects (VS2010 build 30319) 47
Total imports 176
Imports (VS2008 SP1 build 30729) 11
C objects (VS2008 SP1 build 30729) 1
C objects (VS2010 build 30319) 619
C++ objects (VS2010 build 30319) 74
Resource objects (VS2010 build 30319) 1
Linker (VS2010 build 30319) 1
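The XOR Key and the per-product object counts above come from the Rich header that Microsoft's linker writes between the DOS stub and the PE header. The key is not random: it is a checksum over the DOS header bytes (e_lfanew excluded) and the entries, so it can be recomputed and compared, which is the check to run before using a Rich header for toolchain attribution, since the block is trivially editable after linking. The following is an added example, not the tool's code: it encodes and decodes a Rich block and verifies the key. The DOS stub and the entries are constructed (only the 152 / build 20115 / count 3 row mirrors the report; the other product IDs are made up), so the key it derives is not 0x690d6ee2.

```python
"""Rich header encoder/decoder with XOR-key (checksum) verification.
Added example; not the analysis tool's code."""
import struct

DANS = 0x536E6144   # b"DanS" read as a little-endian dword
RICH = b"Rich"

# Constructed entries (prod_id, build, count); only the first row is from the report.
SAMPLE_ENTRIES = [(152, 20115, 3), (0x9D, 30319, 47), (0xAA, 30319, 619)]


def rol32(value: int, shift: int) -> int:
    shift %= 32
    return ((value << shift) | (value >> (32 - shift))) & 0xFFFFFFFF


def rich_checksum(dos_region: bytes, entries) -> int:
    """Key = DanS offset + rol(byte, i) over every byte before DanS except the
    e_lfanew field (0x3c..0x3f) + rol(comp_id, count) per entry, mod 2^32,
    with comp_id = prod_id << 16 | build."""
    csum = len(dos_region)
    for i, b in enumerate(dos_region):
        if 0x3C <= i < 0x40:
            continue
        csum += rol32(b, i)
    for prod_id, build, count in entries:
        csum += rol32((prod_id << 16) | build, count)
    return csum & 0xFFFFFFFF


def build_rich_header(dos_region: bytes, entries) -> bytes:
    """DanS + three zero padding dwords + (comp_id, count) pairs, all XORed with
    the key, then the clear-text 'Rich' marker and the key itself."""
    key = rich_checksum(dos_region, entries)
    words = [DANS ^ key, key, key, key]
    for prod_id, build, count in entries:
        words += [((prod_id << 16) | build) ^ key, count ^ key]
    return dos_region + struct.pack("<%dI" % len(words), *words) + RICH + struct.pack("<I", key)


def parse_rich_header(image: bytes) -> dict:
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    rich_off = image.find(RICH, 0, e_lfanew)      # the block lives before the PE header
    if rich_off < 0:
        raise ValueError("no Rich marker")
    (key,) = struct.unpack_from("<I", image, rich_off + 4)
    off = rich_off - 4
    while off >= 0:                               # walk back until a dword decodes to DanS
        (w,) = struct.unpack_from("<I", image, off)
        if w ^ key == DANS:
            break
        off -= 4
    else:
        raise ValueError("DanS not found")
    entries = []
    for eoff in range(off + 16, rich_off, 8):     # skip DanS + 3 padding dwords
        comp_id, count = struct.unpack_from("<II", image, eoff)
        comp_id ^= key
        entries.append((comp_id >> 16, comp_id & 0xFFFF, count ^ key))
    # A key that does not match the recomputed checksum means the header was
    # edited after linking or forged; do not attribute a toolchain from it.
    return {"xor_key": key, "dans_offset": off, "entries": entries,
            "checksum_ok": rich_checksum(image[:off], entries) == key}


def build_sample() -> bytes:
    """Constructed 0x80-byte DOS header/stub, Rich block, PE signature at 0x100."""
    dos = bytearray(0x80)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x100)      # e_lfanew
    return build_rich_header(bytes(dos), SAMPLE_ENTRIES).ljust(0x100, b"\0") + b"PE\0\0"


if __name__ == "__main__":
    info = parse_rich_header(build_sample())
    print(hex(info["xor_key"]), info["checksum_ok"])
    for prod_id, build, count in info["entries"]:
        print(f"prod 0x{prod_id:x} build {build} count {count}")
```

Mapping product IDs to names (the "ASM objects (VS2010 build 30319)" style labels above) is a separate lookup table that this example leaves out; the checksum test is the part that matters, because a Rich header that fails it has been touched and its counts tell you nothing reliable about the build environment.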

Errors
