ba963c5b203753f9bf04cfbbffc1f5b4

Summary

Architecture IMAGE_FILE_MACHINE_I386
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date 2014-Jun-17 17:53:43
Detected languages Process Default Language
Debug artifacts O7hSBMeQeIfm.pdb

Plugin Output

Malicious VirusTotal score: 23/67 (Scanned on 2018-06-13 10:17:32)
Cylance: Unsafe
Baidu: Win32.Trojan.WisdomEyes.16070401.9500.9999
Symantec: ML.Attribute.HighConfidence
ESET-NOD32: a variant of Win32/Kryptik.GHSP
Paloalto: generic.ml
GData: Win32.Trojan-Spy.Emotet.RI
Kaspersky: UDS:DangerousObject.Multi.Generic
Avast: FileRepMalware
McAfee-GW-Edition: BehavesLike.Win32.Emotet.ch
Emsisoft: Trojan.Emotet (A)
SentinelOne: static engine - malicious
Webroot: W32.Trojan.Emotet
Endgame: malicious (high confidence)
AegisLab: W32.Troj.Spy!c
ZoneAlarm: UDS:DangerousObject.Multi.Generic
MAX: malware (ai score=94)
VBA32: Malware-Cryptor.Limpopo
Ikarus: Trojan-Banker.Emotet
Fortinet: W32/Kryptik.GHPK!tr
AVG: FileRepMalware
Cybereason: malicious.be6c1d
CrowdStrike: malicious_confidence_100% (W)
Qihoo-360: HEUR/QVM20.1.D02D.Malware.Gen

Hashes

MD5 ba963c5b203753f9bf04cfbbffc1f5b4
SHA1 39b2aa9be6c1d542938ec3909ed2c0c19803b485
SHA256 32f68f3984d3cfc94e777422ce214c62a6f4785d2e4fda2ffc76262cbbd0a90c
SHA3 a71024b5a6557dbc7bd862f36bd3401636607a3fb0a2ad77f5e8feab70fdba06
SSDeep 3072:azq33333333333333333333333333333333333333333333333333333xi/hMRN:Kq33333333333333333333333333333
Imports Hash 36f81ca8de9b7685c745e84aa8fc0832

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0xc0

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_I386
NumberofSections 5
TimeDateStamp 2014-Jun-17 17:53:43
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xe0
Characteristics IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE

Image Optional Header

Magic PE32
LinkerVersion 12.0
SizeOfCode 0x6000
SizeOfInitializedData 0
SizeOfUninitializedData 0xd000
AddressOfEntryPoint 0x000016C3 (Section: .text)
BaseOfCode 0x1000
BaseOfData 0x4000
ImageBase 0x400000
SectionAlignment 0x1000
FileAlignment 0x1000
OperatingSystemVersion 5.1
ImageVersion 0.0
SubsystemVersion 5.0
Win32VersionValue 0
SizeOfImage 0x1f000
SizeOfHeaders 0x1000
Checksum 0
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
DllCharacteristics IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
SizeofStackReserve 0x100000
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

.text

MD5 99521ab2d524f529fbd66e5c604876cc
SHA1 659d5c5fa27a5214ff352715212bfd7b2e23552f
SHA256 7cbc38f57e2a621eac774287106109aa8bc6c5f2012de5b00ee6a74e6599fd71
SHA3 2e599e27933ddbc97944bada32d49abdc6feb27026ddb2dd499763ae2fb7c0f5
VirtualSize 0x2492
VirtualAddress 0x1000
SizeOfRawData 0x3000
PointerToRawData 0x1000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
Entropy 5.25627

.rdata

MD5 461b40787f921acbe0ce435d60d0a31b
SHA1 3dad1ca5796c3d8724c611e95f0a013d641849f3
SHA256 dd055ad7bedc38ee1dc59b2a2ab4c09cfcd6a7eac4882ffb626761cc955ea797
SHA3 1122389eefa802b96965058a806a6f0d53aea3ed7bf6d9ab5fb7ec548f748cda
VirtualSize 0x327e
VirtualAddress 0x4000
SizeOfRawData 0x4000
PointerToRawData 0x4000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 6.09579

.pdata

MD5 75cc3ef3238670974fcc747cf30bce90
SHA1 9ece082718aedfa946d5b1fc639ae46619038fe9
SHA256 d8adfb17bad12e1d2126f95d4517823ec32477451a351363b0753018c980900c
SHA3 05505f9fa2b9f0f2647074b04f3030437317f8a6ca1808fd7e4078ce18e44573
VirtualSize 0x10524
VirtualAddress 0x8000
SizeOfRawData 0x10000
PointerToRawData 0x8000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 7.45877

.rsrc

MD5 7c13e85ab3eaeeef8d00c3a41dfcfaf5
SHA1 7a5e465679e3283e66ca112efdeb86d8c0b2173d
SHA256 48b80ef9fc628bb2c775b9bd17e3faec8427fdf74d33ab903b94eb62c5433cdf
SHA3 92e4037b6ce3b4bd8a040d6bfca2d075bc963090afd649991c95b85eb39239fd
VirtualSize 0x41d0
VirtualAddress 0x19000
SizeOfRawData 0x5000
PointerToRawData 0x18000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 4.28425

.reloc

MD5 b085100658adf89dffed977e2a4d996b
SHA1 7764075d09fd42698cf32372d263fd649404ecb8
SHA256 bc4340162422b2bacd401d67415417714e84c0c835306b06d48fbeca7c53e9c1
SHA3 2b5c1c61dbbca959bf6262ab15f6e532ccd0cc91b2de00bf47d097a386204641
VirtualSize 0x184
VirtualAddress 0x1e000
SizeOfRawData 0x1000
PointerToRawData 0x1d000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Entropy 0.926558

Imports

WinSCard.dll SCardGetCardTypeProviderNameW
SHLWAPI.dll PathGetDriveNumberA
RPCRT4.dll NdrClientInitializeNew
USER32.dll GetClipboardViewer
IsWindowUnicode
GetDoubleClickTime
IsWindowVisible
SetClipboardViewer
GetMessageTime
ADVAPI32.dll SetSecurityDescriptorDacl
StartServiceCtrlDispatcherA
GetEventLogInformation
GetNumberOfEventLogRecords
GetServiceKeyNameW
KERNEL32.dll GetProcessIoCounters
GetFileSize
CloseHandle
GetNumberOfConsoleInputEvents
_lclose
SetConsoleDisplayMode
GetLastError
ApplicationRecoveryFinished
GetCurrentProcess
GetSystemTimeAsFileTime
GDI32.dll GetPaletteEntries
GetRasterizerCaps

Delayed Imports

401

Type RT_BITMAP
Language UNKNOWN
Codepage UNKNOWN
Size 0x328
Entropy 4.45729
MD5 e381acf3758cf9147d00be3ddc821e96
SHA1 4e23bbe421a0573912a7430d51369c274cd40e2f
SHA256 460532c82070521b09213c1e85cde0ef99fcb0a7a55075b8e1851ea712f00f7b
SHA3 1c48ea18fa2129d7c56af1eda89401b2890a21a4f915bdecf9be3160519a73c8
Preview

402

Type RT_BITMAP
Language UNKNOWN
Codepage UNKNOWN
Size 0x1828
Entropy 3.37059
MD5 5b6ced41e6905d5a9c3f11a11b3da930
SHA1 9476deceea3bf7cb1fd11a792f1922f43430efa6
SHA256 aa9cb8eca27bd3fc69b9e1f60c9729e4291aa74cc717a7368ffaa15d394bd617
SHA3 fe802d753e0168efc1746f8eaf79caa424de335c15e047340fae1ad92ee5b734
Preview

403

Type RT_BITMAP
Language Process Default Language
Codepage UNKNOWN
Size 0x1568
Entropy 3.24067
MD5 775684efe4f2c9577456e309479e2ee3
SHA1 809a0d331cc09b43353428c5f43718a0292e12e3
SHA256 6dc80580045e1e6c518b118b202ad12650002321821217bc498952a2b159f1e0
SHA3 337db8930094028639425059cbdbb1ed1bf248cf3483fad8a50a6b30a9e58a52
Preview

5021

Type RT_STRING
Language UNKNOWN
Codepage UNKNOWN
Size 0x82e
Entropy 3.4138
MD5 209dce6e72b2abdb1cb2205fa140ff28
SHA1 4fda2aa09a07af98735063f568d3222b06789a43
SHA256 cb58180d2d4b0b405daaa4e957d56946a041601ae9084a5c00b69cb9b2d53f76
SHA3 889f66487d432e45307c48235ef2b99e71d1e658906894a8b8aecf10afc32853

5025

Type RT_STRING
Language UNKNOWN
Codepage UNKNOWN
Size 0x400
Entropy 3.18615
MD5 7facf72328b6120a46ffeffdfe5e1ee5
SHA1 746be3cc4785b041b1026e3683960fdcb938525a
SHA256 3cec6fb833450f167c1ab631b5e15a71681e13e610c2c9f8a74fa5d2c5bab78c
SHA3 c045d4c450b297d4ad89855954415dff7c5decd1617e285658dbb5d94ae0489a

5027

Type RT_STRING
Language UNKNOWN
Codepage UNKNOWN
Size 0x384
Entropy 3.19723
MD5 60150ba52f33c459cbdf5617e59d5bcd
SHA1 115edc978d4e1b77b6b7d84904ee11dbb96b0d09
SHA256 86972be5229ebdcab788bb5ec77234a62f7a591aeb34e1e6f25b1f95bab43f34
SHA3 1c6a60b547a624bd1a9dc9ae2323bebb69fceb3b50518f6ca169b92e66f160a8

String Table contents

Are you sure you want to delete the '%s' toolbar?
All Commands
This will delete the record of the commands you've used in this application and restore the default set of visible commands to the menus and toolbars. It will not undo any explicit customizations. Are you sure you want to do this?
This is not a valid number.
The number must be between 1 and 1638.
Are you sure you want to reset the changes made to the '%s' toolbar?
Built-in Menus
Are you sure you want to reset the key assignments? This action will remove all custom key assignments at the text level.
This shortcut is currently assigned.
Do you want to re-assign this shortcut?
Due to a software update the toolbar '%s' has changed. Would you like to reset your customized toolbar and load the new one?
All Picture Files|*.bmp;*.wmf;*.emf;*.ico;*.dib;*.png;*.cur;*.gif;*.jpg|Bitmaps (*.bmp;*.dib;*.png;*.gif;*.jpg)|*.bmp;*.dib;*.png;*.gif;*.jpg|Metafiles (*.wmf;*.emf)|*.wmf;*.emf|Icons (*.ico;*.cur)|*.ico;*.cur|All Files (*.*)|*.*||
(System default)
Random
Unfold
Slide
Fade
Set active window
Select file full path
File not found, try select another file or try again later.
Error window does not exist.
Not data to stream
Error creating window device context
Error creating window class
Cannot focus a disabled or invisible window
Control '%s' has no parent window
Cannot hide an MDI Child Form
Cannot change Visible in OnShow or OnHide
Cannot make a visible window modal
Menu index out of range
Menu inserted twice
Sub-menu is not in menu
Not enough timers available
Can notdo write to %s
Invalid stream format
''%s'' is not a valid component file
Error property file
Error property value
Invalid data type for '%s'
File capacity out of bounds (%d)
File count out of bounds (%d)
List index out of bounds (%d)
Out of memory while expanding memory stream
Error reading %s%s%s: %s
Stream read error
Property is read-only
Failed to get data for '%s'
Failed to set data for '%s'
Resource %s not found

Version Info

IMAGE_DEBUG_TYPE_CODEVIEW

Characteristics 0
TimeDateStamp 2018-Jun-13 15:41:17
Version 0.0
SizeofData 40
AddressOfRawData 0x6e28
PointerToRawData 0x6e28
Referenced File O7hSBMeQeIfm.pdb

IMAGE_DEBUG_TYPE_VC_FEATURE

Characteristics 0
TimeDateStamp 2018-Jun-13 15:41:17
Version 0.0
SizeofData 20
AddressOfRawData 0x6ea4
PointerToRawData 0x6ea4

TLS Callbacks

Load Configuration

RICH Header

Errors

[!] Error: directory 0 has a RVA of 0 but a non-null size.