c622241ee1f3c1b1193a877a5e6111ed

Summary

Architecture IMAGE_FILE_MACHINE_I386
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date 2018-Jul-26 20:10:57
Detected languages Danish - Denmark
InternalName fuvosa.exe

Plugin Output

Info Matching compiler(s): Microsoft Visual C++ 6.0 - 8.0
Suspicious PEiD Signature: UPX V2.00-V2.90 -> Markus Oberhumer & Laszlo Molnar & John Reiser
UPX v2.0 -> Markus, Laszlo & Reiser (h)
UPX -> www.upx.sourceforge.net
UPX V2.00-V2.90 -> Markus Oberhumer & Laszlo Molnar & John Reiser
Malicious The PE is packed with UPX
Unusual section name found: UPX0
Section UPX0 is both writable and executable.
Unusual section name found: UPX1
Section UPX1 is both writable and executable.
The UPX verdict rests on section names and PEiD signatures alone; the section headers below do not match a genuine UPX layout. UPX0 carries 0x2a000 bytes of raw data and holds the entry point (0x54AF), and UPX1 has entropy 2.27, far below that of compressed data. Treat this as a modified or fake UPX packing rather than an image that a stock upx -d will unpack.
The RICH header checksum is invalid.
Info The PE contains common functions which appear in legitimate applications.
[!] The program may be hiding some of its imports:
  • GetProcAddress
  • LoadLibraryA
  • LoadLibraryW
Possibly launches other programs:
  • ShellExecuteW
Has Internet access capabilities:
  • WinHttpQueryDataAvailable
  • WinHttpOpen
  • WinHttpCreateUrl
  • WinHttpReadData
  • WinHttpConnect
  • WinHttpWriteData
Enumerates local disk drives:
  • GetDriveTypeA
Malicious VirusTotal score: 28/67 (Scanned on 2019-01-23 03:31:39)
K7AntiVirus: Trojan ( 004bcce41 )
MicroWorld-eScan: Gen:Variant.Brresmon.103
K7GW: Trojan ( 004bcce41 )
Cybereason: malicious.ee1f3c
Arcabit: Trojan.Brresmon.103
Symantec: ML.Attribute.HighConfidence
Avast: Win32:DUmPeX [Susp]
BitDefender: Gen:Variant.Brresmon.103
Rising: Spyware.Zbot!8.16B/N3#84% (RDM+:cmRtazoutc7yeA4RzNCtM2EiV5k1)
Ad-Aware: Gen:Variant.Brresmon.103
Comodo: Packed.Win32.MUPX.Gen@24tbus
Invincea: heuristic
McAfee-GW-Edition: BehavesLike.Win32.PWSZbot.dt
Trapmine: suspicious.low.ml.score
Emsisoft: Gen:Variant.Brresmon.103 (B)
SentinelOne: static engine - malicious
Avira: TR/Crypt.XPACK.Gen
Endgame: malicious (moderate confidence)
Microsoft: Trojan:Win32/Fuerboos.C!cl
GData: Gen:Variant.Brresmon.103
Acronis: suspicious
VBA32: BScope.Trojan.Chapak
ALYac: Gen:Variant.Brresmon.103
MAX: malware (ai score=82)
eGambit: Unsafe.AI_Score_59%
AVG: Win32:DUmPeX [Susp]
CrowdStrike: malicious_confidence_100% (D)
Qihoo-360: HEUR/QVM10.1.BB16.Malware.Gen

Hashes

MD5 c622241ee1f3c1b1193a877a5e6111ed
SHA1 e851ca7be35713a2df4ac44a2b0fdafc613f3fe5
SHA256 1019925b6a4b578b2ff4ab34a23b8b24b82302f6e941cfda7dc7ffcbec3424cd
SHA3 ea0ac0d16374cc28c85b037e8c3b84a0bad3d8d58533905619a313841a488885
SSDeep 1536:PpINka5dAYSb9MuGH8naJIkQW33H2yeWvtTMPc0E9ISFW2pChaNjpvsJRTeTCcJ:P6grePWyfGPvE9ISFW2QUvkTUjNdoQy
Imports Hash cbc6d9b86af1185b371570fa6ba29082

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0xf8

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_I386
NumberofSections 3
TimeDateStamp 2018-Jul-26 20:10:57
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xe0
Characteristics IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_RELOCS_STRIPPED

Image Optional Header

Magic PE32
LinkerVersion 10.0
SizeOfCode 0x16000
SizeOfInitializedData 0x2000
SizeOfUninitializedData 0x2a000
AddressOfEntryPoint 0x000054AF (Section: UPX0)
BaseOfCode 0x2b000
BaseOfData 0x41000
ImageBase 0x400000
SectionAlignment 0x1000
FileAlignment 0x200
OperatingSystemVersion 5.1
ImageVersion 0.0
SubsystemVersion 5.1
Win32VersionValue 0
SizeOfImage 0x43000
SizeOfHeaders 0x1000
Checksum 0
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
DllCharacteristics IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
SizeofStackReserve 0x100000
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

UPX0

MD5 593fe62a479fa295511551ea41124238
SHA1 3c13e5da728eea3dc91cd4ec2c53593904a8a896
SHA256 c4b056a02c81942c08dc1ff9ffdb261174cfab16c36b1c79a53d601adc956ead
SHA3 5bc557aeec953df9cd81306fe5c966ac72d1c1aede39f0ed4626a66b4f73fdf5
VirtualSize 0x2a000
VirtualAddress 0x1000
SizeOfRawData 0x2a000
PointerToRawData 0x400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 5.41199

UPX1

MD5 0ca6dbc7a14ab5663de8dca7f37b2f76
SHA1 9921804f3d77257f423bbfdd7c2b5ee9592eb1db
SHA256 04db7f68dc42ee487284412dff1a56a2039ac7f0a5dc82bbc1d59f40d6023012
SHA3 dc567fd3ec78a2684d10375615ae276737ada9136ab0419a79c8761a50319177
VirtualSize 0x16000
VirtualAddress 0x2b000
SizeOfRawData 0x16000
PointerToRawData 0x2a400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 2.27377

.rsrc

MD5 20411a992d4bfe98436ac7ce64222f49
SHA1 f6606aff6f615b246f507a2ffdf04afa74f00e80
SHA256 88cf80dfe9b96d823738a72b0da407af485faceb6f62abd2e77353a5bebf3c63
SHA3 2556642656663f1c3cecde555d2305729a9919891eb902751984a8d8e8ce5976
VirtualSize 0x2000
VirtualAddress 0x41000
SizeOfRawData 0x1c00
PointerToRawData 0x40400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 3.39503
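The writable-and-executable and "packed with UPX" findings in the plugin output, and the section table above that drives them, can be checked directly with a small header parser. This is an added example, not the report's or Manalyze's code: it reads the section headers, flags sections that are both writable and executable, locates the section holding the entry point, computes per-section entropy, and applies a sanity check for a genuine UPX layout (UPX0 has no raw data, and the entry point plus a high-entropy payload sit in UPX1). The PE it builds is constructed to mirror this file's layout (UPX0, UPX1 and .rsrc, W+X on the first two, entry point inside UPX0, UPX0 carrying raw data) and is not the analysed binary; the 7.0 entropy threshold for compressed data is an assumption.

```python
import math
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def shannon_entropy(buf):
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniformly distributed bytes."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(data):
    """Return (entry_rva, [section dicts]) from the PE headers in `data`."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec = struct.unpack_from("<H", data, pe + 6)[0]      # NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]  # SizeOfOptionalHeader
    entry_rva = struct.unpack_from("<I", data, pe + 24 + 16)[0]
    table = pe + 24 + opt_size                            # first IMAGE_SECTION_HEADER
    sections = []
    for i in range(nsec):
        off = table + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va, rawsize, rawptr = struct.unpack_from("<4I", data, off + 8)
        chars = struct.unpack_from("<I", data, off + 36)[0]
        raw = data[rawptr:rawptr + rawsize]
        sections.append({
            "name": name, "va": va, "vsize": vsize, "rawsize": rawsize,
            "wx": bool(chars & IMAGE_SCN_MEM_EXECUTE) and bool(chars & IMAGE_SCN_MEM_WRITE),
            "entropy": round(shannon_entropy(raw), 3),
        })
    return entry_rva, sections


def section_of(rva, sections):
    """Name of the section whose virtual range contains `rva`, or None."""
    for s in sections:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
            return s["name"]
    return None


def triage(data):
    entry_rva, sections = parse_sections(data)
    by_name = {s["name"]: s for s in sections}
    ep_sec = section_of(entry_rva, sections)
    report = {
        "wx_sections": [s["name"] for s in sections if s["wx"]],
        "entry_section": ep_sec,
        "entropy": {s["name"]: s["entropy"] for s in sections},
    }
    if "UPX0" in by_name and "UPX1" in by_name:
        # Genuine UPX: UPX0 is an empty placeholder filled at runtime (no raw data),
        # the compressed payload and decompressor live in UPX1, and the entry point
        # is the stub in UPX1. The 7.0 entropy bound is an assumed heuristic.
        report["consistent_with_upx"] = (by_name["UPX0"]["rawsize"] == 0
                                         and ep_sec == "UPX1"
                                         and by_name["UPX1"]["entropy"] > 7.0)
    return report


def build_sample_pe():
    """Constructed PE32 mirroring the analysed file's layout (not the real sample)."""
    ALIGN = 0x200
    secs = [  # name, VirtualSize, VirtualAddress, SizeOfRawData, Characteristics, raw bytes
        (b"UPX0", 0x1000, 0x1000, ALIGN, 0xE0000080, bytes(range(256)) * 2),
        (b"UPX1", 0x1000, 0x2000, ALIGN, 0xE0000040, b"\0" * ALIGN),
        (b".rsrc", 0x1000, 0x3000, ALIGN, 0xC0000040, b"A" * ALIGN),
    ]
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)               # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(secs), 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                 # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1010)               # AddressOfEntryPoint, inside UPX0
    struct.pack_into("<I", opt, 28, 0x400000)             # ImageBase
    hdr = bytes(dos) + b"PE\0\0" + coff + bytes(opt)
    body, rawptr = b"", ALIGN
    for name, vsize, va, rawsize, chars, raw in secs:
        hdr += struct.pack("<8sIIIIIIHHI", name, vsize, va, rawsize, rawptr, 0, 0, 0, 0, chars)
        body += raw
        rawptr += rawsize
    return hdr.ljust(ALIGN, b"\0") + body


if __name__ == "__main__":
    print(triage(build_sample_pe()))
```

On the constructed sample, `triage` reports UPX0 and UPX1 as W+X, the entry point in UPX0 and `consistent_with_upx` False, the same pattern the section headers above show for this file; run it on a real file with `triage(open(path, "rb").read())`.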

Imports

KERNEL32.DLL SetComputerNameExW
GetHandleInformation
GetLastError
GetProcAddress
LoadLibraryA
GetProcessWorkingSetSize
LocalAlloc
TransmitCommChar
SetProcessWorkingSetSize
GetThreadPriority
GetProcessShutdownParameters
GetCommTimeouts
GetProcessAffinityMask
FatalExit
DeleteCriticalSection
CloseHandle
CreateFileW
EnumSystemLocalesW
lstrcpyA
LocalFileTimeToFileTime
GetStringTypeW
MultiByteToWideChar
LCMapStringW
WideCharToMultiByte
HeapReAlloc
IsValidCodePage
GetOEMCP
GetACP
LoadLibraryW
TerminateProcess
GetProcessHandleCount
GlobalAlloc
GetProcessTimes
GetDriveTypeA
GetTickCount
GetProcessIoCounters
GetCurrentProcess
GetCPInfo
GetNativeSystemInfo
GetConsoleProcessList
ExitProcess
HeapSize
Sleep
RtlUnwind
EnterCriticalSection
LeaveCriticalSection
GetSystemTimeAsFileTime
GetCurrentProcessId
QueryPerformanceCounter
GetCommandLineW
HeapSetInformation
GetStartupInfoW
RaiseException
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
HeapAlloc
HeapFree
IsProcessorFeaturePresent
EncodePointer
DecodePointer
GetModuleHandleW
WriteFile
GetStdHandle
GetModuleFileNameW
FreeEnvironmentStringsW
GetEnvironmentStringsW
SetHandleCount
InitializeCriticalSectionAndSpinCount
GetFileType
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
InterlockedIncrement
SetLastError
GetCurrentThreadId
InterlockedDecrement
HeapCreate
ADVAPI32.dll SetSecurityDescriptorDacl
LookupPrivilegeNameA
ReportEventA
GDI32.dll StretchBlt
SetDCBrushColor
SetBitmapDimensionEx
GetMapMode
PaintRgn
GetMetaFileBitsEx
MSIMG32.dll TransparentBlt
GradientFill
SHELL32.dll ShellAboutA
ShellExecuteW
#179
USER32.dll GetIconInfo
GetCapture
SetPropA
CallMsgFilterW
GetScrollRange
GetMenuInfo
LoadImageW
CopyImage
GetFocus
FindWindowExA
BeginPaint
SetScrollRange
WINHTTP.dll WinHttpQueryDataAvailable
WinHttpOpen
WinHttpCreateUrl
WinHttpReadData
WinHttpConnect
WinHttpWriteData

Delayed Imports

MyFunc31

Ordinal 1
Address 0x1af60

MyFunc32

Ordinal 2
Address 0x1af50

163

Type RT_BITMAP
Language Danish - Denmark
Codepage UNKNOWN
Size 0x2cb8
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 6.28685
MD5 696c5b4574b474bf939afda2b65dc370
SHA1 e7a874f00b640b680ca5d814da3e869a34434025
SHA256 9f99141ab1c7b906eef30e93eac7355fd95656d14a1f469357a2ae5f99017786
SHA3 5ea5b176d29c54895d8ccaf38be6d5316033dc35cbaa1fcb0fab4adfccc6cd80

1

Type RT_ICON
Language Danish - Denmark
Codepage UNKNOWN
Size 0x10a8
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 3.11821
MD5 ee87aef447ba5aa77316dd65285b0fcc
SHA1 d63b53baa0c298a007325e39abf2e0f5f96bfeb3
SHA256 3158e1b3ea8d1c284ab9c8d9491827429f31e3987d58dd2500d57ee430b08f1d
SHA3 55638ac2ad7bd4b82e1138b2a8e426aef5e44aa76b4604e17be580e0fca690c6

2

Type RT_ICON
Language Danish - Denmark
Codepage UNKNOWN
Size 0x468
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 3.34246
MD5 1010a2ddfe85abdc0bafe39cb21329c7
SHA1 d6717a17d097662efff5e66dcf7a97c924ad4160
SHA256 a54965686efa6b47c32a4e7ac3a28eb1528edf7051ab19e87d1e4152f743afa1
SHA3 bfa6f1d0989719bcd3067acca29dae3bc337c83d3431ebe582d933b026664c9d

10

Type RT_STRING
Language Danish - Denmark
Codepage UNKNOWN
Size 0x2a6
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 3.3236
MD5 167a470ed5b9921dbe4b8aad271fd92b
SHA1 c56ac4ad22e3e88838138a4c6205d6a9fd2a7b40
SHA256 39e08c6b10a5483c8f75e8d0aa74bd945b151566f339c4c19e947c654786c53f
SHA3 43897289a9d6a8b19c94651c128ae53cfbf86a213a4c13ffcbbd08e67aeebca7

101

Type RT_ACCELERATOR
Language Danish - Denmark
Codepage UNKNOWN
Size 0x48
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 2.73379
MD5 a952d15376079c040a20c8c60fd3aeb2
SHA1 7e0ead2834d26cb87cb34a57a991b2bbf8d9773e
SHA256 56b4a596124759a1be97cca0a4f9fd6a2a23df170f55a2c2c49e560a50a5be63
SHA3 f975b4b9013233cc0c1f68075a33f40b2c97e9d76db3cefbb40fa0c20567894b

132

Type RT_GROUP_ICON
Language Danish - Denmark
Codepage UNKNOWN
Size 0x22
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 2.21059
Detected Filetype Icon file
MD5 1ca559e52ba2941be4c2e87cc5728277
SHA1 c011eca07769f90224f28775462d15f9cfc00994
SHA256 e253d797afc8a4f3ad497c5b82981225b6a8d2843873a18dc2b3c155c91e0b36
SHA3 c4a71ffdf8bd18d49fc966d35a8337126f25be2b68a201a6191da4e136ac5bb3

1 (#2)

Type RT_VERSION
Language Danish - Denmark
Codepage UNKNOWN
Size 0x114
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 2.98118
MD5 7a29b957cfef956a9ee5c9b1e58e25ac
SHA1 c1d7256947ebc5b6b739be44c356a575667b8f34
SHA256 f8d5ee67704a1c967a8d05094f688cf4ae20626e536a96411932c7b6d99e44a5
SHA3 957033b248987e2ecc96ed8cfc18e00bf15ac992ebf00d92cd906ac72b420f14

String Table contents

Kusojidok tapiwog xosejenutafufe
Godazocecemeni bohepa wizudodimepute weh lubixit
Madajisixa sejavukap xorekonagos
Mufocojuciyi
Hapav lumuranohayijih wex
Fewixarepaxogoh muyagibuyuy zerubuzitixegaz bahenami tije
Feben
Foy xijohufih vimapanageriyin fimonerulan pesinoniwowor
Yamelu goyahagopuci
Wihemo wojikusuki bidawobip
Sax
Xeni zac

Version Info

Signature 0xfeef04bd
StructVersion 0x10000
FileVersion 1.0.0.0
ProductVersion 1.0.0.0
FileFlags (EMPTY)
FileOs VOS_DOS_WINDOWS32
VOS_NT
VOS_NT_WINDOWS32
VOS_WINCE
VOS__WINDOWS32
FileType VFT_APP
Language UNKNOWN
InternalName fuvosa.exe
Resource LangID Danish - Denmark

TLS Callbacks

Load Configuration

Size 0x48
TimeDateStamp 1970-Jan-01 00:00:00
Version 0.0
GlobalFlagsClear (EMPTY)
GlobalFlagsSet (EMPTY)
CriticalSectionDefaultTimeout 0
DeCommitFreeBlockThreshold 0
DeCommitTotalFreeThreshold 0
LockPrefixTable 0
MaximumAllocationSize 0
VirtualMemoryThreshold 0
ProcessAffinityMask 0
ProcessHeapFlags (EMPTY)
CSDVersion 0
Reserved1 0
EditList 0
SecurityCookie 0x41e07c
SEHandlerTable 0x403740
SEHandlerCount 8

RICH Header

XOR Key 0xe5c073f3
Unmarked objects 0
ASM objects (VS2010 build 30319) 21
C objects (VS2010 build 30319) 90
C++ objects (VS2010 build 30319) 31
Imports (VS2008 SP1 build 30729) 15
Total imports 123
175 (VS2010 build 30319) 1
59417 (10434) 1
Resource objects (VS2010 build 30319) 1
63850 (9021) 1
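The "RICH header checksum is invalid" finding above can be reproduced with a short verifier. This is an added example, not Manalyze's code or part of the report. It implements the documented linker checksum: the file offset of the DanS marker, plus every byte before it rotated left by its offset (with e_lfanew at 0x3c..0x3f treated as zero), plus every compid rotated left by its use count, all mod 2^32; a correctly linked file stores this value as the XOR key after "Rich". A mismatch means the DOS stub or the Rich block was edited after linking, which is why the finding matters for a file whose compiler signatures also disagree with its linker version. The sample header is constructed: the build numbers 30319 (0x767f) and 30729 (0x7809) come from the report, the product IDs in the compid values are assumed.

```python
import struct

DANS = 0x536E6144  # "DanS" read as a little-endian dword


def rol32(value, n):
    n &= 31
    return ((value << n) | (value >> (32 - n))) & 0xFFFFFFFF


def rich_checksum(dos_region, entries):
    """Checksum as the MS linker computes it: offset of DanS, plus each preceding byte
    rotated by its offset (e_lfanew zeroed), plus each compid rotated by its count."""
    csum = len(dos_region)
    for i, b in enumerate(dos_region):
        if 0x3C <= i < 0x40:
            continue
        csum = (csum + rol32(b, i)) & 0xFFFFFFFF
    for compid, count in entries:
        csum = (csum + rol32(compid, count)) & 0xFFFFFFFF
    return csum


def parse_rich(data):
    """Decode the Rich header. Returns (dans_offset, key, [(compid, count), ...]),
    or None when no Rich header precedes the PE signature."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    rich = data.rfind(b"Rich", 0, e_lfanew)
    if rich < 0 or rich + 8 > len(data):
        return None
    key = struct.unpack_from("<I", data, rich + 4)[0]
    words, pos = [], rich - 4
    while pos >= 0:                      # decrypt backwards until the DanS marker
        w = struct.unpack_from("<I", data, pos)[0] ^ key
        if w == DANS:
            break
        words.append(w)
        pos -= 4
    else:
        return None
    words.reverse()                      # three zero pads, then compid/count pairs
    body = words[3:]
    entries = [(body[i], body[i + 1]) for i in range(0, len(body) - 1, 2)]
    return pos, key, entries


def rich_checksum_valid(data):
    """True if the stored key matches the recomputed checksum, False if the header was
    edited after linking, None if there is no Rich header."""
    parsed = parse_rich(data)
    if parsed is None:
        return None
    dans, key, entries = parsed
    return rich_checksum(data[:dans], entries) == key


# Constructed entries (not read from the analysed file): build numbers from the report,
# product IDs assumed.
SAMPLE_ENTRIES = [(0x009D767F, 21), (0x00AA767F, 90), (0x00AB767F, 31), (0x00007809, 15)]


def build_sample(entries=SAMPLE_ENTRIES, tamper=False):
    """Constructed DOS header with a correctly keyed Rich header and a PE signature."""
    stub = bytearray(0x80)
    stub[:2] = b"MZ"
    stub[0x40:0x40 + 26] = b"This program cannot be run"
    key = rich_checksum(bytes(stub), entries)      # e_lfanew is skipped; set it below
    rich = struct.pack("<4I", DANS ^ key, key, key, key)
    for compid, count in entries:
        rich += struct.pack("<II", compid ^ key, count ^ key)
    rich += b"Rich" + struct.pack("<I", key)
    struct.pack_into("<I", stub, 0x3C, len(stub) + len(rich))   # PE signature follows
    data = bytearray(stub + rich + b"PE\0\0")
    if tamper:
        data[0x80 + 20] ^= 0x01          # flip a bit in the first entry's use count
    return bytes(data)


if __name__ == "__main__":
    print(rich_checksum_valid(build_sample()), rich_checksum_valid(build_sample(tamper=True)))
```

Run `rich_checksum_valid(open(path, "rb").read())` on a file to get the same verdict the report gives; `parse_rich` also returns the decoded compid/count pairs, which is where the VS2010 and VS2008 SP1 build numbers in the table above come from.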

Errors
