Architecture | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date | 1992-Jun-19 22:22:17 |
Detected languages | English - United Kingdom; Russian - Russia |
TLS Callbacks | 1 callback(s) detected. |
CompanyName | SarasSoft |
FileDescription | |
FileVersion | 2.3.0.8 |
InternalName | |
LegalCopyright | |
LegalTrademarks | |
OriginalFilename | |
ProductName | |
ProductVersion | 1.0.0.0 |
Comments | |
Suspicious | PEiD Signature: EXECryptor 2.2.4 -> Strongbit/SoftComplete Development; EXECryptor V2.2X -> softcomplete.com; PolyEnE 0.01+ by Lennart Hedlund; EXECryptor 2.2.4 -> Strongbit/SoftComplete Development (h3); EXECryptor 2.xx (compressed resources) -> www.strongbit.com * Sign.By.haggar |
Suspicious | Strings found in the binary may indicate undesirable behavior: Contains references to system / monitoring tools: |
Info | Cryptographic algorithms detected in the binary: Uses constants related to MD5; Uses constants related to SHA1; Uses constants related to AES; Uses constants related to Blowfish |
Suspicious | The PE is possibly packed. Section CODE is both writable and executable. Unusual section name found: i5eg1oz0. Section i5eg1oz0 is both writable and executable. Unusual section name found: oxd8xwhf. Section oxd8xwhf is both writable and executable. Unusual section name found: w0i3jm93. Section w0i3jm93 is both writable and executable. Unusual section name found: fjbe9142. Section fjbe9142 is both writable and executable. Unusual section name found: 6pbn0vkb. Section 6pbn0vkb is both writable and executable. Unusual section name found: kn1r7qwu. The PE only has 7 import(s). |
Info | The PE contains common functions which appear in legitimate applications. [!] The program may be hiding some of its imports: |
Suspicious | The PE header may have been manually modified. Resource BBOK is possibly compressed or encrypted. Resource SP_BRUSH_BD is possibly compressed or encrypted. Resource SP_BRUSH_CLEAR is possibly compressed or encrypted. Resource SP_BRUSH_DCROSS is possibly compressed or encrypted. Resource SP_GRAD_HORZ_IN is possibly compressed or encrypted. Resource SP_GRAD_HORZ_INOUT is possibly compressed or encrypted. Resource SP_GRAD_HORZ_OUT is possibly compressed or encrypted. Resource SP_GRAD_VERT_IN is possibly compressed or encrypted. Resource SP_PEN3 is possibly compressed or encrypted. Resource SP_PEN_DASHDOT is possibly compressed or encrypted. Resource SP_PEN_SOLID is possibly compressed or encrypted. Resource 4071 is possibly compressed or encrypted. Resource 4075 is possibly compressed or encrypted. Resource 4076 is possibly compressed or encrypted. Resource 4089 is possibly compressed or encrypted. Resource 4090 is possibly compressed or encrypted. Resource 4094 is possibly compressed or encrypted. Resource TFORM1 is possibly compressed or encrypted. Resource TUFS_PANEL_IMEI_FORM is possibly compressed or encrypted. The resource timestamps differ from the PE header: |
Malicious | VirusTotal score: 6/71 (Scanned on 2024-11-18 10:02:34). APEX: Malicious; Cylance: Unsafe; Kingsoft: malware.kb.a.920; MaxSecure: Trojan.Malware.300983.susgen; Trapmine: malicious.high.ml.score; tehtris: Generic.Malware |
e_magic | MZ |
---|---|
e_cblp | 0x50 |
e_cp | 0x2 |
e_crlc | 0 |
e_cparhdr | 0x4 |
e_minalloc | 0xf |
e_maxalloc | 0xffff |
e_ss | 0 |
e_sp | 0xb8 |
e_csum | 0 |
e_ip | 0 |
e_cs | 0 |
e_ovno | 0x1a |
e_oemid | 0 |
e_oeminfo | 0 |
e_lfanew | 0x120 |
Signature | PE |
---|---|
Machine | IMAGE_FILE_MACHINE_I386 |
NumberofSections | 12 |
TimeDateStamp | 1992-Jun-19 22:22:17 |
PointerToSymbolTable | 0 |
NumberOfSymbols | 0 |
SizeOfOptionalHeader | 0xe0 |
Characteristics | IMAGE_FILE_32BIT_MACHINE; IMAGE_FILE_BYTES_REVERSED_HI; IMAGE_FILE_BYTES_REVERSED_LO; IMAGE_FILE_EXECUTABLE_IMAGE; IMAGE_FILE_LINE_NUMS_STRIPPED; IMAGE_FILE_LOCAL_SYMS_STRIPPED; IMAGE_FILE_RELOCS_STRIPPED |
Magic | PE32 |
---|---|
LinkerVersion | 2.0 |
SizeOfCode | 0x144400 |
SizeOfInitializedData | 0x45000 |
SizeOfUninitializedData | 0 |
AddressOfEntryPoint | 0x0060E512 (Section: 6pbn0vkb) |
BaseOfCode | 0x3c6000 |
BaseOfData | 0x146000 |
ImageBase | 0x400000 |
SectionAlignment | 0x1000 |
FileAlignment | 0x200 |
OperatingSystemVersion | 4.0 |
ImageVersion | 0.0 |
SubsystemVersion | 4.0 |
Win32VersionValue | 0 |
SizeOfImage | 0x610000 |
SizeOfHeaders | 0x1000 |
Checksum | 0x25b8a6 |
Subsystem | IMAGE_SUBSYSTEM_WINDOWS_GUI |
SizeofStackReserve | 0x208000 |
SizeofStackCommit | 0x4000 |
SizeofHeapReserve | 0x100000 |
SizeofHeapCommit | 0x1000 |
LoaderFlags | 0 |
NumberOfRvaAndSizes | 16 |
kernel32.dll | GetModuleHandleA; LoadLibraryA; GetProcAddress; ExitProcess; VirtualAlloc; VirtualFree |
---|---|
user32.dll | MessageBoxA |
Signature | 0xfeef04bd |
---|---|
StructVersion | 0x10000 |
FileVersion | 2.3.0.8 |
ProductVersion | 2.3.0.8 |
FileFlags | (EMPTY) |
FileOs | VOS_DOS_WINDOWS32; VOS_NT_WINDOWS32; VOS__WINDOWS32 |
FileType | VFT_APP |
Language | English - United Kingdom |
CompanyName | SarasSoft |
FileDescription | |
FileVersion (#2) | 2.3.0.8 |
InternalName | |
LegalCopyright | |
LegalTrademarks | |
OriginalFilename | |
ProductName | |
ProductVersion (#2) | 1.0.0.0 |
Comments | |
Resource LangID | English - United Kingdom |
StartAddressOfRawData | 0x7c6128 |
---|---|
EndAddressOfRawData | 0x7c6138 |
AddressOfIndex | 0x7c6138 |
AddressOfCallbacks | 0x7c613c |
SizeOfZeroFill | 0 |
Characteristics | IMAGE_SCN_TYPE_REG |
Callbacks | 0x00A0E51E |