c64249794f893f82adbaa9e31f99c0d7

Summary

Architecture IMAGE_FILE_MACHINE_I386
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date 1992-Jun-19 22:40:53
Detected languages English - United States

Plugin Output

Info Matching compiler(s): Microsoft Visual C++ 8.0
Suspicious Strings found in the binary may indicate undesirable behavior:
Miscellaneous malware strings:
  • HACK
Suspicious The PE is possibly packed.
Unusual section name found: CODE
Unusual section name found: DATA
Unusual section name found: BSS
Info The PE contains common functions which appear in legitimate applications.
Can access the registry:
  • RegQueryValueExA
  • RegOpenKeyExA
  • RegCloseKey
Possibly launches other programs:
  • WinExec
Suspicious The file contains overlay data. 3491840 bytes of data starting at offset 0xf800.
The overlay data has an entropy of 7.99994 and is possibly compressed or encrypted.
Overlay data amounts for 98.2143% of the executable.
Malicious VirusTotal score: 62/70 (Scanned on 2019-02-02 01:29:06)
Bkav: W32.BackdoorWabot.Trojan
MicroWorld-eScan: Gen:Trojan.ShellIni.zJZ@amwuoini
CMC: Backdoor.Win32.Wabot!O
CAT-QuickHeal: Trojan.Wabot.A8
McAfee: W32/Wabot
Cylance: Unsafe
TheHacker: Trojan/Delf.nrf
K7GW: Backdoor ( 0040f5511 )
K7AntiVirus: Backdoor ( 0040f5511 )
Arcabit: Trojan.ShellIni.EDD1C7C
Invincea: heuristic
Baidu: Win32.Backdoor.Wabot.a
NANO-Antivirus: Trojan.Win32.Wabot.dmukv
Cyren: W32/Backdoor.PJEB-4161
Symantec: W32.Wabot
TotalDefense: Win32/DCMgreen.A
TrendMicro-HouseCall: BKDR_WABOT.SMIA
Avast: Win32:Wabot [Trj]
ClamAV: Win.Trojan.Wabot-6113548-0
Kaspersky: Backdoor.Win32.Wabot.a
BitDefender: Gen:Trojan.ShellIni.zJZ@amwuoini
Tencent: Trojan.Win32.Wabot.a
Ad-Aware: Gen:Trojan.ShellIni.zJZ@amwuoini
Sophos: Troj/Luiha-M
Comodo: Backdoor.Win32.Wabot.A@4knk5y
F-Secure: Gen:Trojan.ShellIni.zJZ@amwuoini
DrWeb: Trojan.MulDrop6.64369
Zillya: Backdoor.Wabot.Win32.1
TrendMicro: BKDR_WABOT.SMIA
McAfee-GW-Edition: BehavesLike.Win32.Wabot.wc
Trapmine: malicious.high.ml.score
Emsisoft: Gen:Trojan.ShellIni.zJZ@amwuoini (B)
SentinelOne: static engine - malicious
F-Prot: W32/Wabot.A
Jiangmin: Backdoor/Wabot.z
Webroot: Backdoor/Win32.Wabot.Gen
Avira: TR/Dldr.Delphi.Gen
Fortinet: W32/Luiha.M!tr
Antiy-AVL: Trojan[Backdoor]/Win32.Wabot.a
Endgame: malicious (high confidence)
Microsoft: Backdoor:Win32/Wabot.A
ViRobot: Backdoor.Win32.Wabot.157619
ZoneAlarm: Backdoor.Win32.Wabot.a
TACHYON: Worm/W32.DP-IRCBot.3555328
AhnLab-V3: Worm/Win32.IRCBot.R3689
Acronis: suspicious
ALYac: Gen:Trojan.ShellIni.zJZ@amwuoini
MAX: malware (ai score=87)
VBA32: BScope.Malware-Cryptor.Hlux
Malwarebytes: Backdoor.Wabot
Zoner: Trojan.Win32.22025
ESET-NOD32: Win32/Delf.NRF
Rising: Worm.Chilly!1.661C (RDM+:cmRtazpRiYdqsHk17PVMSW6DaRNB)
Yandex: Backdoor.Wabot!I7fzIkq6cuc
Ikarus: P2P-Worm.Win32.Delf
eGambit: Unsafe.AI_Score_99%
GData: Gen:Trojan.ShellIni.zJZ@amwuoini
AVG: Win32:Wabot [Trj]
Cybereason: malicious.94f893
Panda: Backdoor Program
CrowdStrike: malicious_confidence_100% (D)
Qihoo-360: HEUR/QVM05.1.F2B1.Malware.Gen

Hashes

MD5 c64249794f893f82adbaa9e31f99c0d7
SHA1 2cf18953c25cc5080f808ec86ff723f1a4c8e1bd
SHA256 fc283ab5b16afce04ffcf1a90060ea2759bd8dd0ca5e9141f5a69456e2c57d6e
SHA3 7d8df7297e5baa266da08ba03aabc862f52a638d83b4937f418cc41d099a3ccc
SSDeep 98304:SeqcE5dl86os8BQiVW4oyqm36UBB6Rmzrc6k:Ah86X8bhoeK9f6k
Imports Hash 740df356ec59d38fee4bc39c590b50ad

DOS Header

e_magic MZ
e_cblp 0x50
e_cp 0x2
e_crlc 0
e_cparhdr 0x4
e_minalloc 0xf
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0x1a
e_oemid 0
e_oeminfo 0
e_lfanew 0x100

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_I386
NumberofSections 8
TimeDateStamp 1992-Jun-19 22:40:53
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xe0
Characteristics IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_BYTES_REVERSED_HI
IMAGE_FILE_BYTES_REVERSED_LO
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED

Image Optional Header

Magic PE32
LinkerVersion 2.0
SizeOfCode 0xca00
SizeOfInitializedData 0x2a00
SizeOfUninitializedData 0
AddressOfEntryPoint 0x0000D86C (Section: CODE)
BaseOfCode 0x1000
BaseOfData 0xe000
ImageBase 0x400000
SectionAlignment 0x1000
FileAlignment 0x200
OperatingSystemVersion 4.0
ImageVersion 0.0
SubsystemVersion 4.0
Win32VersionValue 0
SizeOfImage 0x16000
SizeOfHeaders 0x400
Checksum 0
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
SizeofStackReserve 0x100000
SizeofStackCommit 0x4000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

CODE

MD5 b764d8122a196188ed697c8f75d76d82
SHA1 abfae9d26d64c58191944dc580ab1c5ccb56e442
SHA256 413a58959d85d5e4e90a9349da523d5eb02be7d1e70c9701c4c05fbbe5bbf5cc
SHA3 d7ce672c87f3f429d02db7597aec7c7c9b52c00e06a3e1ddc2954deba37bac87
VirtualSize 0xc984
VirtualAddress 0x1000
SizeOfRawData 0xca00
PointerToRawData 0x400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
Entropy 6.57246

DATA

MD5 5bd558c4cfa6af8832a10b063dfaf1ed
SHA1 9e959d3881cf6a951acf2934d6dd6c026c24e1af
SHA256 4c816a52c6838aded115733a848562213170c4e0ee88178f13ab85fb0cf7d0be
SHA3 31a3aee3e4dfd2e83cc4741fa06838077caa1fa1263f16b0465cea84b2a2e45c
VirtualSize 0xa1c
VirtualAddress 0xe000
SizeOfRawData 0xc00
PointerToRawData 0xce00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 4.53369

BSS

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA3 a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a
VirtualSize 0x1111
VirtualAddress 0xf000
SizeOfRawData 0
PointerToRawData 0xda00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata

MD5 96b1d121243ee63bbbbb3c2ce0e5d05f
SHA1 9ba385e53b7a03ecb6d244713db733f0d95b916d
SHA256 f3313eb083f6c71de7f5402b2576ad7ac55075604bef8b551a8047978d7087a2
SHA3 13b04ba52a8a8c26db7d9ff09f38e82fcc2d809a1e4ffd17648c85fe5da78c31
VirtualSize 0x83e
VirtualAddress 0x11000
SizeOfRawData 0xa00
PointerToRawData 0xda00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 4.16947

.tls

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA3 a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a
VirtualSize 0x8
VirtualAddress 0x12000
SizeOfRawData 0
PointerToRawData 0xe400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rdata

MD5 c8f3ad504b4e880ce32a390a76c71bfb
SHA1 d48d96581315deffb068a31293b0976eb7e4a0bb
SHA256 e48049dfb6cd47cd1a8cca9ba704a8121cdce2e1dde58889cfada3c4f13e9fa5
SHA3 50444b3be37e4b74aa42f2e8ca1dddff073a3bf64fb24eff0b1ca092046acb3b
VirtualSize 0x18
VirtualAddress 0x13000
SizeOfRawData 0x200
PointerToRawData 0xe400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_SHARED
Entropy 0.210826

.reloc

MD5 9ae567482e1a613b2c236fb19412ef5f
SHA1 f922c43a6828b5f997d6487efa6afa4015816f44
SHA256 7dbd8f9741533ec584c8a2872a08f15e67c73dae3504f8735900f4c4e3c50a60
SHA3 b2a800b47838c12d15a3c593a0437c1a090b3e326a1690b204f792c50e187ae1
VirtualSize 0x710
VirtualAddress 0x14000
SizeOfRawData 0x800
PointerToRawData 0xe600
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_SHARED
Entropy 6.25716

.rsrc

MD5 8aecab0831ee04aa1f4e332ba2eda8f1
SHA1 6f5ff47eb09b5418beb3dfa04c662a5a541b7d29
SHA256 56a6bd2985037dbae389209a101b53cfb428f3e13245c3ea126b61a1a90366ed
SHA3 3a07eb3c832749df6978baf8bb0016fab582355491ff883ff52f09230201ea9c
VirtualSize 0x93c
VirtualAddress 0x15000
SizeOfRawData 0xa00
PointerToRawData 0xee00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_SHARED
Entropy 3.41611

Imports

kernel32.dll DeleteCriticalSection
LeaveCriticalSection
EnterCriticalSection
InitializeCriticalSection
VirtualFree
VirtualAlloc
LocalFree
LocalAlloc
GetCurrentThreadId
GetStartupInfoA
GetModuleFileNameA
GetLastError
GetCommandLineA
FreeLibrary
ExitProcess
CreateThread
WriteFile
UnhandledExceptionFilter
SetFilePointer
SetEndOfFile
RtlUnwind
ReadFile
RaiseException
GetStdHandle
GetFileSize
GetSystemTime
GetFileType
CreateFileA
CloseHandle
user32.dll GetKeyboardType
MessageBoxA
CharNextA
advapi32.dll RegQueryValueExA
RegOpenKeyExA
RegCloseKey
oleaut32.dll SysFreeString
kernel32.dll (#2) DeleteCriticalSection
LeaveCriticalSection
EnterCriticalSection
InitializeCriticalSection
VirtualFree
VirtualAlloc
LocalFree
LocalAlloc
GetCurrentThreadId
GetStartupInfoA
GetModuleFileNameA
GetLastError
GetCommandLineA
FreeLibrary
ExitProcess
CreateThread
WriteFile
UnhandledExceptionFilter
SetFilePointer
SetEndOfFile
RtlUnwind
ReadFile
RaiseException
GetStdHandle
GetFileSize
GetSystemTime
GetFileType
CreateFileA
CloseHandle
advapi32.dll (#2) RegQueryValueExA
RegOpenKeyExA
RegCloseKey
kernel32.dll (#3) DeleteCriticalSection
LeaveCriticalSection
EnterCriticalSection
InitializeCriticalSection
VirtualFree
VirtualAlloc
LocalFree
LocalAlloc
GetCurrentThreadId
GetStartupInfoA
GetModuleFileNameA
GetLastError
GetCommandLineA
FreeLibrary
ExitProcess
CreateThread
WriteFile
UnhandledExceptionFilter
SetFilePointer
SetEndOfFile
RtlUnwind
ReadFile
RaiseException
GetStdHandle
GetFileSize
GetSystemTime
GetFileType
CreateFileA
CloseHandle
user32.dll (#2) GetKeyboardType
MessageBoxA
CharNextA
wsock32.dll WSACleanup
WSAStartup
gethostbyname
socket
send
select
recv
ntohs
listen
inet_ntoa
inet_addr
htons
htonl
getsockname
connect
closesocket
bind
accept

Delayed Imports

1

Type RT_ICON
Language UNKNOWN
Codepage Latin 1 / Western European
Size 0x128
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 3.93081
MD5 c67e99d351fa2695476b7fe533eb4a85
SHA1 6f76a60d6152ffabf85cfb911d3cefaa863944d9
SHA256 59b4959ce4b09dd02f15edcc92c2de5982513c4ee6b956250cc9705298b7bacb
SHA3 3731b2cda6904105100c0c0832b0d0d06fb5b7f35478a4a77976c4adbe7f6f93

1 (#2)

Type RT_ICON
Language English - United States
Codepage Latin 1 / Western European
Size 0x2e8
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 3.08347
MD5 8ccdae08eb841d81177e45fbfc230060
SHA1 baf668a991a360535d5a6ef48e3da72301e22e69
SHA256 6ce5f95744c6e13947558dfcdac15a631c63ae11015441973b3846ef9dc93eb5
SHA3 de6e7359e7c386229b1db910faf8dd0e53ed629ebf48b575f5b5c4b6a29e34ac

2

Type RT_ICON
Language English - United States
Codepage Latin 1 / Western European
Size 0x128
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 2.33778
MD5 8bf974bb45faaf4f3708e5c9c41eb489
SHA1 7b23c113b992c5dddcf0c05a41240147334caed0
SHA256 03ed4216d6e7f8d6ed7141293d722dd1dd7402f8027f84b1fc75391dee8cd56b
SHA3 347089be31c453bac1525cf848ed08dcc7448341bb8335b346e4c5fbc100c828

DVCLAL

Type RT_RCDATA
Language UNKNOWN
Codepage Latin 1 / Western European
Size 0x10
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 4
MD5 d8090aba7197fbf9c7e2631c750965a8
SHA1 04f73efb0801b18f6984b14cd057fb56519cd31b
SHA256 88d14cc6638af8a0836f6d868dfab60df92907a2d7becaefbbd7e007acb75610
SHA3 a5a67ad8166061d38fc75cfb2c227911de631166c6531a6664cd49cfb207e8bb

PACKAGEINFO

Type RT_RCDATA
Language UNKNOWN
Codepage Latin 1 / Western European
Size 0x78
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 4.68029
MD5 bc11185dd08cd43e66dbbd9814e5845b
SHA1 1fc20106326c8dd70884474f106374ccec99f68e
SHA256 5bca7ea07beab1af9048e57a0bcadd92139ec7b283f50b52b43b7d045a688f9b
SHA3 f211f5447a65fb34b2e4d6dbd72906c8de267fb1039cfec89cedf393ae265037

MAINICON

Type RT_GROUP_ICON
Language English - United States
Codepage Latin 1 / Western European
Size 0x22
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 2.37086
Detected Filetype Icon file
MD5 d59e0d372ea5fd8c1f4de744376a6af4
SHA1 6883ce60e71a83424db0b41d0ab6bf61080e3de2
SHA256 b10e28a32eddb2ab20a46ceae59d9c0786911eb20f0c8dd2a28421f226ea2b8b
SHA3 5e39df982879204dd9f129a37d1e1c2ff906e88de9ae01b4418db5e8455e7ae1

Version Info

TLS Callbacks

StartAddressOfRawData 0x412000
EndAddressOfRawData 0x412008
AddressOfIndex 0x40f6f8
AddressOfCallbacks 0x413010
SizeOfZeroFill 0
Characteristics IMAGE_SCN_TYPE_REG
Callbacks (EMPTY)

Load Configuration

RICH Header

Errors

[*] Warning: Section BSS has a size of 0!
[*] Warning: Section .tls has a size of 0!