b6e621887c747e2946f459f173861cf6

Summary

Architecture IMAGE_FILE_MACHINE_I386
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date 2017-Mar-10 21:13:32
FileDescription
FileVersion 6.3
InternalName Codom.exe
LegalCopyright Copyright © 2016
OriginalFilename Codom.exe
ProductName Windows Os
ProductVersion 6.3
Assembly Version 6.3

Plugin Output

Info Matching compiler(s): Microsoft Visual Basic v5.0/v6.0
Microsoft Visual Basic v5.0 - v6.0
Suspicious Strings found in the binary may indicate undesirable behavior: Contains references to system / monitoring tools:
  • rundll32.exe
May have dropper capabilities:
  • Programs\Startup
Info Cryptographic algorithms detected in the binary: Uses constants related to TEA
Malicious VirusTotal score: 29/69 (Scanned on 2019-05-11 20:20:01)
MicroWorld-eScan: Gen:Variant.Johnnie.169933
CMC: Trojan.Win32.VBInject!O
McAfee: GenericRXHI-SW!B6E621887C74
Cylance: Unsafe
BitDefender: Gen:Variant.Johnnie.169933
Arcabit: Trojan.Johnnie.D297CD
ESET-NOD32: a variant of Win32/Injector.EESJ
Kaspersky: Backdoor.Win32.DarkKomet.ifdq
Alibaba: Trojan:Win32/Injector.b3dd41d2
Endgame: malicious (high confidence)
DrWeb: BackDoor.Tordev.976
McAfee-GW-Edition: GenericRXHI-SW!B6E621887C74
Trapmine: malicious.moderate.ml.score
FireEye: Generic.mg.b6e621887c747e29
Emsisoft: Gen:Variant.Johnnie.169933 (B)
SentinelOne: DFI - Suspicious PE
MAX: malware (ai score=80)
Antiy-AVL: Trojan/Win32.Fuerboos
Microsoft: Trojan:Win32/Fuerboos.E!cl
ZoneAlarm: Backdoor.Win32.DarkKomet.ifdq
GData: Gen:Variant.Johnnie.169933
AhnLab-V3: Trojan/Win32.RL_Hpvb.R264220
ALYac: Gen:Variant.Johnnie.169933
Ad-Aware: Gen:Variant.Johnnie.169933
Fortinet: W32/Generic.AC.4380E0!tr
AVG: FileRepMalware
Cybereason: malicious.87c747
Avast: FileRepMalware
CrowdStrike: win/malicious_confidence_100% (W)

Hashes

MD5 b6e621887c747e2946f459f173861cf6
SHA1 9eca9b27ce98f9ad780eebd3f0643f81630543b7
SHA256 d84fc4b2bb5ac2b9c99f8811694c2307dcef22103e5193f44fd4af7f74617fcd
SHA3 a6081242fa0c449e621b9b88f8ab738f950cc09f9409745c169ae67d6657c7c2
SSDeep 12288:O7Dthqrj1qnt7UTWIQBZOAfWnZ3VZtRYKv8IcsVKYlIE1f:O7C1FTGfWnZ3VZtqKv8IV
Imports Hash 285c1c4af031776d4fb995c31a47dfc8

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0xb8

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_I386
NumberofSections 3
TimeDateStamp 2017-Mar-10 21:13:32
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xe0
Characteristics IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_RELOCS_STRIPPED

Image Optional Header

Magic PE32
LinkerVersion 6.534
SizeOfCode 0xa7000
SizeOfInitializedData 0x7000
SizeOfUninitializedData 0
AddressOfEntryPoint 0x000034FC (Section: .text)
BaseOfCode 0x1000
BaseOfData 0xa8000
ImageBase 0x400000
SectionAlignment 0x1000
FileAlignment 0x1000
OperatingSystemVersion 4.0
ImageVersion 36.216
SubsystemVersion 4.0
Win32VersionValue 0
SizeOfImage 0xaf000
SizeOfHeaders 0x1000
Checksum 0xb660e
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
SizeofStackReserve 0x100000
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

.text

MD5 e3986ec81b53a3f9709190a20e168b60
SHA1 343b0c6b0d37ee31760ab017bea7d2ecabe68769
SHA256 4d48d308c78fb1f0c2104a7db6fb501281c62b2c4ee26083ce9ecc0ce1c31522
SHA3 2d4f3dd9dd1e3d5abe9f2e25ebb8d5b12e2867b5c48709f4032949c44ead9e6a
VirtualSize 0xa6a4c
VirtualAddress 0x1000
SizeOfRawData 0xa7000
PointerToRawData 0x1000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
Entropy 6.51768

.data

MD5 620f0b67a91f7f74151bc5be745b7110
SHA1 1ceaf73df40e531df3bfb26b4fb7cd95fb7bff1d
SHA256 ad7facb2586fc6e966c004d7d1d16b024f5805ff7cb47c7a85dabd8b48892ca7
SHA3 a99f9ed58079237f7f0275887f0c03a0c9d7d8de4443842297fceea67e423563
VirtualSize 0x5928
VirtualAddress 0xa8000
SizeOfRawData 0x1000
PointerToRawData 0xa8000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 0

.rsrc

MD5 9755f32e85e62bed1c310967617f3c67
SHA1 2be0fae10a17dfe535f534e50df2d64f1371600f
SHA256 ac61c7b40c2011ab4a7d41fb547f3cc6e60107032e15bcd648d318ed75b85117
SHA3 1994f3c037f50515d9280bc6686b21050ce630d1761c128dd89d99c7b319d231
VirtualSize 0x7c8
VirtualAddress 0xae000
SizeOfRawData 0x1000
PointerToRawData 0xa9000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 1.49969

Imports

MSVBVM60.DLL
__vbaVarTstGt
__vbaVarSub
__vbaStrI2
#690
_CIcos
_adj_fptan
#585
__vbaHresultCheck
__vbaStrI4
__vbaVarMove
__vbaRedimPreserveVar
__vbaVarVargNofree
__vbaAryMove
__vbaFreeVar
#588
__vbaLenBstr
__vbaLateIdCall
__vbaStrVarMove
__vbaVarIdiv
__vbaPut3
__vbaEnd
__vbaFreeVarList
_adj_fdiv_m64
__vbaFpCDblR8
__vbaVarIndexStore
#620
__vbaNextEachVar
__vbaRaiseEvent
#621
__vbaFreeObjList
#516
__vbaStrErrVarCopy
__vbaVarIndexLoadRef
#517
_adj_fprem1
#518
__vbaRecAnsiToUni
#519
__vbaResume
__vbaForEachCollAd
__vbaStrCat
#660
__vbaLsetFixstr
__vbaRecDestruct
__vbaSetSystemError
#662
__vbaHresultCheckObj
#556
#558
__vbaLenVar
_adj_fdiv_m32
__vbaVarTstLe
#666
__vbaAryVar
#667
__vbaVarXor
__vbaVarCmpGe
__vbaAryDestruct
#669
__vbaLateMemSt
#592
__vbaForEachCollObj
__vbaBoolStr
#593
__vbaExitProc
__vbaVarForInit
#594
__vbaFileCloseAll
__vbaOnError
__vbaObjSet
#595
_adj_fdiv_m16i
__vbaVarIndexStoreObj
__vbaObjSetAddref
_adj_fdivr_m16i
__vbaVarIndexLoad
#598
#599
__vbaFpR4
#520
__vbaStrFixstr
__vbaRefVarAry
__vbaFpR8
__vbaVarTstLt
__vbaBoolVarNull
_CIsin
__vbaErase
#631
__vbaLateMemStAd
#525
__vbaNextEachCollObj
__vbaVargVarMove
__vbaVarZero
#632
__vbaChkstk
#526
__vbaFileClose
EVENT_SINK_AddRef
__vbaGenerateBoundsError
__vbaExitEachColl
__vbaGet3
#529
__vbaStrCmp
__vbaGet4
__vbaPutOwner3
__vbaAryConstruct2
__vbaVarTstEq
__vbaR4Str
__vbaPrintObj
#561
__vbaI2I4
__vbaVarLikeVar
__vbaObjVar
DllFunctionCall
__vbaVarOr
__vbaVarLateMemSt
__vbaFpUI1
#564
__vbaCastObjVar
__vbaLbound
__vbaStrR4
__vbaRedimPreserve
_adj_fpatan
__vbaR4Var
__vbaFixstrConstruct
__vbaLateIdCallLd
__vbaRedim
__vbaUI1ErrVar
__vbaRecUniToAnsi
EVENT_SINK_Release
__vbaNew
#600
#601
__vbaUI1I2
_CIsqrt
__vbaVarAnd
__vbaObjIs
EVENT_SINK_QueryInterface
__vbaVarMul
__vbaStrUI1
__vbaUI1I4
__vbaExceptHandler
#711
__vbaStrToUnicode
__vbaPrintFile
#712
__vbaDateStr
#606
#713
_adj_fprem
_adj_fdivr_m64
#607
__vbaVarDiv
#714
__vbaI2Str
#608
__vbaVarCmpLe
#716
__vbaFPException
#717
__vbaInStrVar
__vbaGetOwner3
__vbaUbound
__vbaStrVarVal
__vbaVarCat
#534
__vbaCheckType
__vbaDateVar
#535
__vbaI2Var
#536
__vbaLsetFixstrFree
#537
#644
#645
_CIlog
#539
__vbaErrorOverflow
__vbaFileOpen
__vbaR8Str
__vbaVar2Vec
__vbaNew2
#648
__vbaInStr
#570
_adj_fdiv_m32i
#572
_adj_fdivr_m32i
#573
__vbaStrCopy
#681
__vbaI4Str
__vbaVarNot
__vbaVarCmpLt
__vbaFreeStrList
#576
_adj_fdivr_m32
__vbaPowerR8
__vbaR8Var
_adj_fdiv_r
#578
#685
#100
__vbaVarTstNe
__vbaVarSetVar
__vbaI4Var
__vbaVarCmpEq
#689
__vbaLateMemCall
__vbaAryLock
__vbaVarAdd
__vbaVarDup
__vbaStrToAnsi
#613
#614
__vbaFpI2
#616
__vbaVarTstGe
__vbaUnkVar
__vbaVarLateMemCallLd
__vbaFpI4
__vbaVarCopy
__vbaLateMemCallLd
__vbaVarSetObjAddref
__vbaRecDestructAnsi
#617
_CIatan
__vbaCastObj
__vbaUI1Str
__vbaAryCopy
#618
__vbaStrMove
__vbaForEachVar
__vbaStrVarCopy
__vbaR8IntI4
#619
#650
_allmul
__vbaLenVarB
__vbaLateIdSt
_CItan
#546
__vbaNextEachCollAd
__vbaUI1Var
__vbaFPInt
__vbaAryUnlock
__vbaVarForNext
_CIexp
__vbaMidStmtBstr
__vbaRecAssign
__vbaI4ErrVar
#580
__vbaFreeStr
__vbaFreeObj
#581

Delayed Imports

30001

Type RT_ICON
Language UNKNOWN
Codepage Unicode (UTF 16LE)
Size 0x2e8
TimeDateStamp 2017-Mar-10 21:13:32
Entropy 1.30563
MD5 96560c6805e9f065e6218ffd203bdbd3
SHA1 9df1c5e994185523a172ccad1e701f015e96e946
SHA256 886db6f6b014c86422512ed1abcc0ebc9ead53ca66c5cfd9ede9871ea852df32
SHA3 a99b4b9e40da2c5c158d4772b715814bcd7e4431ccc1218bbedab4485bac1855

30002

Type RT_ICON
Language UNKNOWN
Codepage Unicode (UTF 16LE)
Size 0x128
TimeDateStamp 2017-Mar-10 21:13:32
Entropy 1.4937
MD5 3db7c2af9a240afedca486d755eec079
SHA1 d41383c2b141de13b57333c06d22e950299f4c19
SHA256 0f754de1eb270ab8e6981b768ac8445f188a9c16d04c73c4de6fae5cc2e27471
SHA3 f25a23373a2bff1f84ed49a5521b1e81e12d5c3bf98c2074af84cf4319e25e2d

1

Type RT_GROUP_ICON
Language UNKNOWN
Codepage Unicode (UTF 16LE)
Size 0x24
TimeDateStamp 2017-Mar-10 21:13:32
Entropy 2.72548
Detected Filetype Icon file
MD5 c4f48133dbcc07ceefc04d3ce27ffb83
SHA1 c2516993f0770e709032ff32cff190ea04ab57d3
SHA256 36ffc54b2f83526d52a67d16d4575b1b8907f31af12c3eadf55e9900927bbd72
SHA3 82f5c982a8e7ae483e576b47e1fe1745da177665ba5ca8d783ca8d48d8e15abe

1 (#2)

Type RT_VERSION
Language UNKNOWN
Codepage Unicode (UTF 16LE)
Size 0x27c
TimeDateStamp 2017-Mar-10 21:13:32
Entropy 3.35801
MD5 198703ed1385993fd53e8f5a81f2d092
SHA1 3125f5e67d680f41e94dcc7f22b90ab3554fe1bc
SHA256 8466d2b19cb8cdfed1581860ea9326494e400a560c8f98a8a10d93071c7daf5e
SHA3 95f9902b0ccf6da74fdfac78fcfe1b5e08f694ce666b1758aa300d0e81e15ec1

Version Info

Signature 0xfeef04bd
StructVersion 0x10000
FileVersion 6.17.1.2
ProductVersion 6.17.1.2
FileFlags (EMPTY)
FileOs VOS_DOS_WINDOWS32
VOS_NT_WINDOWS32
VOS__WINDOWS32
FileType VFT_APP
Language UNKNOWN
FileDescription
FileVersion (#2) 6.3
InternalName Codom.exe
LegalCopyright Copyright © 2016
OriginalFilename Codom.exe
ProductName Windows Os
ProductVersion (#2) 6.3
Assembly Version 6.3
Resource LangID UNKNOWN

TLS Callbacks

Load Configuration

RICH Header

XOR Key 0x83cdad41
Unmarked objects 0
14 (7299) 1
9 (8041) 19
13 (8169) 1

Errors

[!] Error: Could not reach the requested directory (offset=0x0).