ba963c5b203753f9bf04cfbbffc1f5b4

Summary

Architecture IMAGE_FILE_MACHINE_I386
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date 2014-Jun-17 17:53:43
Detected languages Process Default Language
Debug artifacts O7hSBMeQeIfm.pdb

Plugin Output

Malicious VirusTotal score: 63/73 (Scanned on 2019-12-31 13:36:24)
MicroWorld-eScan: Trojan.GenericKD.30968176
CAT-QuickHeal: Trojan.Emotet.X4
Qihoo-360: HEUR/QVM20.1.D02D.Malware.Gen
ALYac: Trojan.Agent.Emotet
Cylance: Unsafe
VIPRE: Trojan.Win32.Generic!BT
SUPERAntiSpyware: Trojan.Agent/Gen-Downloader
Sangfor: Malware
K7AntiVirus: Trojan ( 00549d461 )
Alibaba: Trojan:Win32/Emotet.12c885b0
K7GW: Trojan ( 00549d461 )
Cybereason: malicious.b20375
Arcabit: Trojan.Generic.D1D88970
Invincea: heuristic
BitDefenderTheta: Gen:NN.ZexaF.33558.huW@aiAQaZbG
Cyren: W32/Emotet.BZ.gen!Eldorado
Symantec: Trojan.Gen.2
APEX: Malicious
Avast: Win32:MalwareX-gen [Trj]
ClamAV: Win.Trojan.Emotet-6748801-0
Kaspersky: HEUR:Trojan.Win32.Generic
BitDefender: Trojan.GenericKD.30968176
NANO-Antivirus: Trojan.Win32.Dovs.feeoxy
Paloalto: generic.ml
ViRobot: Trojan.Win32.S.Agent.122880.FIX
Ad-Aware: Trojan.GenericKD.30968176
Emsisoft: Trojan.Emotet (A)
Comodo: Malware@#pm19w81jd8fi
F-Secure: Trojan.TR/AD.Emotet.T
DrWeb: Trojan.Emotet.240
Zillya: Trojan.Dovs.Win32.5239
TrendMicro: TSPY_EMOTET.NSFACAH
McAfee-GW-Edition: BehavesLike.Win32.Ransomware.ch
Fortinet: W32/Kryptik.GIII!tr
FireEye: Generic.mg.ba963c5b203753f9
Sophos: Troj/Emotet-QO
Ikarus: Trojan-Banker.Emotet
F-Prot: W32/Emotet.BZ.gen!Eldorado
Jiangmin: Trojan.Dovs.fda
Webroot: W32.Trojan.Emotet
Avira: TR/AD.Emotet.T
MAX: malware (ai score=99)
Antiy-AVL: Trojan/Win32.Dovs
Endgame: malicious (high confidence)
Microsoft: Trojan:Win32/Emotet.AD!ibt
AegisLab: Trojan.Win32.Generic.4!c
ZoneAlarm: HEUR:Trojan.Win32.Generic
AhnLab-V3: Win-Trojan/Emotet.Gen
Acronis: suspicious
McAfee: GenericRXFV-FF!BA963C5B2037
TACHYON: Trojan/W32.Emotet.122880
VBA32: BScope.Trojan.EmotetENT
Malwarebytes: Trojan.Downloader
ESET-NOD32: a variant of Win32/Kryptik.GHSP
TrendMicro-HouseCall: TSPY_EMOTET.NSFACAH
Rising: Trojan.Dovs!8.EB4C (TFE:5:5H4my05aBMQ)
Yandex: Trojan.Dovs!
SentinelOne: DFI - Malicious PE
eGambit: Unsafe.AI_Score_98%
GData: Win32.Trojan-Spy.Emotet.RI
AVG: Win32:MalwareX-gen [Trj]
Panda: Trj/Genetic.gen
CrowdStrike: win/malicious_confidence_90% (W)

Hashes

MD5 ba963c5b203753f9bf04cfbbffc1f5b4
SHA1 39b2aa9be6c1d542938ec3909ed2c0c19803b485
SHA256 32f68f3984d3cfc94e777422ce214c62a6f4785d2e4fda2ffc76262cbbd0a90c
SHA3 60ee2c42bda31ed53ddfeea1be6f6bb2c281dc77e694e3511d230e0c72bfaa6d
SSDeep 3072:azq33333333333333333333333333333333333333333333333333333xi/hMRN:Kq33333333333333333333333333333
Imports Hash 36f81ca8de9b7685c745e84aa8fc0832

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0xc0

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_I386
NumberofSections 5
TimeDateStamp 2014-Jun-17 17:53:43
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xe0
Characteristics IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE

Image Optional Header

Magic PE32
LinkerVersion 12.0
SizeOfCode 0x6000
SizeOfInitializedData 0
SizeOfUninitializedData 0xd000
AddressOfEntryPoint 0x000016C3 (Section: .text)
BaseOfCode 0x1000
BaseOfData 0x4000
ImageBase 0x400000
SectionAlignment 0x1000
FileAlignment 0x1000
OperatingSystemVersion 5.1
ImageVersion 0.0
SubsystemVersion 5.0
Win32VersionValue 0
SizeOfImage 0x1f000
SizeOfHeaders 0x1000
Checksum 0
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
DllCharacteristics IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
SizeofStackReserve 0x100000
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

.text

MD5 99521ab2d524f529fbd66e5c604876cc
SHA1 659d5c5fa27a5214ff352715212bfd7b2e23552f
SHA256 7cbc38f57e2a621eac774287106109aa8bc6c5f2012de5b00ee6a74e6599fd71
SHA3 ab868455ba3da6755282246fe595b584266d9be63de377d95a185811385c59d8
VirtualSize 0x2492
VirtualAddress 0x1000
SizeOfRawData 0x3000
PointerToRawData 0x1000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
Entropy 5.25627

.rdata

MD5 461b40787f921acbe0ce435d60d0a31b
SHA1 3dad1ca5796c3d8724c611e95f0a013d641849f3
SHA256 dd055ad7bedc38ee1dc59b2a2ab4c09cfcd6a7eac4882ffb626761cc955ea797
SHA3 ebdda37051fe412f565d749092fc3d6f597953f5db911bd9948555915bf968c9
VirtualSize 0x327e
VirtualAddress 0x4000
SizeOfRawData 0x4000
PointerToRawData 0x4000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 6.09579

.pdata

MD5 75cc3ef3238670974fcc747cf30bce90
SHA1 9ece082718aedfa946d5b1fc639ae46619038fe9
SHA256 d8adfb17bad12e1d2126f95d4517823ec32477451a351363b0753018c980900c
SHA3 e89efc3551f1ae202a7b55e4d38779fb58585a10826b85add619f84850f70547
VirtualSize 0x10524
VirtualAddress 0x8000
SizeOfRawData 0x10000
PointerToRawData 0x8000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 7.45877

.rsrc

MD5 7c13e85ab3eaeeef8d00c3a41dfcfaf5
SHA1 7a5e465679e3283e66ca112efdeb86d8c0b2173d
SHA256 48b80ef9fc628bb2c775b9bd17e3faec8427fdf74d33ab903b94eb62c5433cdf
SHA3 c868e1344fbca15fa0156aca91d441776c2607e506480feb53996603a84edf77
VirtualSize 0x41d0
VirtualAddress 0x19000
SizeOfRawData 0x5000
PointerToRawData 0x18000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 4.28425

.reloc

MD5 b085100658adf89dffed977e2a4d996b
SHA1 7764075d09fd42698cf32372d263fd649404ecb8
SHA256 bc4340162422b2bacd401d67415417714e84c0c835306b06d48fbeca7c53e9c1
SHA3 8b4023adbb6ba8c862707799e117bd86968584e0b5c57e16afea8f7abee1681a
VirtualSize 0x184
VirtualAddress 0x1e000
SizeOfRawData 0x1000
PointerToRawData 0x1d000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Entropy 0.926558

Imports

WinSCard.dll SCardGetCardTypeProviderNameW
SHLWAPI.dll PathGetDriveNumberA
RPCRT4.dll NdrClientInitializeNew
USER32.dll GetClipboardViewer
IsWindowUnicode
GetDoubleClickTime
IsWindowVisible
SetClipboardViewer
GetMessageTime
ADVAPI32.dll SetSecurityDescriptorDacl
StartServiceCtrlDispatcherA
GetEventLogInformation
GetNumberOfEventLogRecords
GetServiceKeyNameW
KERNEL32.dll GetProcessIoCounters
GetFileSize
CloseHandle
GetNumberOfConsoleInputEvents
_lclose
SetConsoleDisplayMode
GetLastError
ApplicationRecoveryFinished
GetCurrentProcess
GetSystemTimeAsFileTime
GDI32.dll GetPaletteEntries
GetRasterizerCaps

Delayed Imports

401

Type RT_BITMAP
Language UNKNOWN
Codepage UNKNOWN
Size 0x328
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 4.45729
MD5 e381acf3758cf9147d00be3ddc821e96
SHA1 4e23bbe421a0573912a7430d51369c274cd40e2f
SHA256 460532c82070521b09213c1e85cde0ef99fcb0a7a55075b8e1851ea712f00f7b
SHA3 71c74fa5a4abba64279fce23a5e789926dbd5c130d0239e97a199295abb6f3d9

402

Type RT_BITMAP
Language UNKNOWN
Codepage UNKNOWN
Size 0x1828
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 3.37059
MD5 5b6ced41e6905d5a9c3f11a11b3da930
SHA1 9476deceea3bf7cb1fd11a792f1922f43430efa6
SHA256 aa9cb8eca27bd3fc69b9e1f60c9729e4291aa74cc717a7368ffaa15d394bd617
SHA3 6496770357552f025db86dd82e588eba978012ead9c722fd04df8b8ee10a7971

403

Type RT_BITMAP
Language Process Default Language
Codepage UNKNOWN
Size 0x1568
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 3.24067
MD5 775684efe4f2c9577456e309479e2ee3
SHA1 809a0d331cc09b43353428c5f43718a0292e12e3
SHA256 6dc80580045e1e6c518b118b202ad12650002321821217bc498952a2b159f1e0
SHA3 081e742845ca368e9591550f6c87be52fcd463bbf8304c41d717d4e9abb04360

5021

Type RT_STRING
Language UNKNOWN
Codepage UNKNOWN
Size 0x82e
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 3.4138
MD5 209dce6e72b2abdb1cb2205fa140ff28
SHA1 4fda2aa09a07af98735063f568d3222b06789a43
SHA256 cb58180d2d4b0b405daaa4e957d56946a041601ae9084a5c00b69cb9b2d53f76
SHA3 ce1857b73685b3fdc7410e19818df0a58496af4ebe83e0a0af0bdb3b7ba033ab

5025

Type RT_STRING
Language UNKNOWN
Codepage UNKNOWN
Size 0x400
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 3.18615
MD5 7facf72328b6120a46ffeffdfe5e1ee5
SHA1 746be3cc4785b041b1026e3683960fdcb938525a
SHA256 3cec6fb833450f167c1ab631b5e15a71681e13e610c2c9f8a74fa5d2c5bab78c
SHA3 49c53c406fcdb47eac245471cdabac9e2aad00e46e8cb210152971d5eecf67e3

5027

Type RT_STRING
Language UNKNOWN
Codepage UNKNOWN
Size 0x384
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 3.19723
MD5 60150ba52f33c459cbdf5617e59d5bcd
SHA1 115edc978d4e1b77b6b7d84904ee11dbb96b0d09
SHA256 86972be5229ebdcab788bb5ec77234a62f7a591aeb34e1e6f25b1f95bab43f34
SHA3 f3d37695088227649df7c6c6d6c4f06e17b44918540dfcb168f375fe9d9d5a02

String Table contents

Are you sure you want to delete the '%s' toolbar?
All Commands
This will delete the record of the commands you've used in this application and restore the default set of visible commands to the menus and toolbars. It will not undo any explicit customizations. Are you sure you want to do this?
This is not a valid number.
The number must be between 1 and 1638.
Are you sure you want to reset the changes made to the '%s' toolbar?
Built-in Menus
Are you sure you want to reset the key assignments? This action will remove all custom key assignments at the text level.
This shortcut is currently assigned.
Do you want to re-assign this shortcut?
Due to a software update the toolbar '%s' has changed. Would you like to reset your customized toolbar and load the new one?
All Picture Files|*.bmp;*.wmf;*.emf;*.ico;*.dib;*.png;*.cur;*.gif;*.jpg|Bitmaps (*.bmp;*.dib;*.png;*.gif;*.jpg)|*.bmp;*.dib;*.png;*.gif;*.jpg|Metafiles (*.wmf;*.emf)|*.wmf;*.emf|Icons (*.ico;*.cur)|*.ico;*.cur|All Files (*.*)|*.*||
(System default)
Random
Unfold
Slide
Fade
Set active window
Select file full path
File not found, try select another file or try again later.
Error window does not exist.
Not data to stream
Error creating window device context
Error creating window class
Cannot focus a disabled or invisible window
Control '%s' has no parent window
Cannot hide an MDI Child Form
Cannot change Visible in OnShow or OnHide
Cannot make a visible window modal
Menu index out of range
Menu inserted twice
Sub-menu is not in menu
Not enough timers available
Can notdo write to %s
Invalid stream format
''%s'' is not a valid component file
Error property file
Error property value
Invalid data type for '%s'
File capacity out of bounds (%d)
File count out of bounds (%d)
List index out of bounds (%d)
Out of memory while expanding memory stream
Error reading %s%s%s: %s
Stream read error
Property is read-only
Failed to get data for '%s'
Failed to set data for '%s'
Resource %s not found
Can notdo write to %s
Invalid stream format
''%s'' is not a valid component file
Error property file
Error property value
Invalid data type for '%s'
File capacity out of bounds (%d)
File count out of bounds (%d)
List index out of bounds (%d)
Out of memory while expanding memory stream
Error reading %s%s%s: %s
Stream read error
Property is read-only
Failed to get data for '%s'
Failed to set data for '%s'
Resource %s not found

Version Info

IMAGE_DEBUG_TYPE_CODEVIEW

Characteristics 0
TimeDateStamp 2018-Jun-13 15:41:17
Version 0.0
SizeofData 40
AddressOfRawData 0x6e28
PointerToRawData 0x6e28
Referenced File O7hSBMeQeIfm.pdb

IMAGE_DEBUG_TYPE_VC_FEATURE

Characteristics 0
TimeDateStamp 2018-Jun-13 15:41:17
Version 0.0
SizeofData 20
AddressOfRawData 0x6ea4
PointerToRawData 0x6ea4

TLS Callbacks

Load Configuration

RICH Header

Errors

[!] Error: directory 0 has a RVA of 0 but a non-null size.