Architecture |
IMAGE_FILE_MACHINE_I386
|
---|---|
Subsystem |
IMAGE_SUBSYSTEM_WINDOWS_GUI
|
Compilation Date | 1992-Jun-19 22:40:53 |
Detected languages |
English - United States
|
Info | Matching compiler(s): | Microsoft Visual C++ 8.0 |
Info | The PE contains common functions which appear in legitimate applications. |
Can access the registry:
|
Suspicious | The file contains overlay data. |
3491840 bytes of data starting at offset 0xf800.
The overlay data has an entropy of 7.99994 and is possibly compressed or encrypted. Overlay data amounts for 98.2143% of the executable. |
Malicious | VirusTotal score: 62/70 (Scanned on 2019-02-02 01:29:06) |
Bkav:
W32.BackdoorWabot.Trojan
MicroWorld-eScan: Gen:Trojan.ShellIni.zJZ@amwuoini CMC: Backdoor.Win32.Wabot!O CAT-QuickHeal: Trojan.Wabot.A8 McAfee: W32/Wabot Cylance: Unsafe TheHacker: Trojan/Delf.nrf K7GW: Backdoor ( 0040f5511 ) K7AntiVirus: Backdoor ( 0040f5511 ) Arcabit: Trojan.ShellIni.EDD1C7C Invincea: heuristic Baidu: Win32.Backdoor.Wabot.a NANO-Antivirus: Trojan.Win32.Wabot.dmukv Cyren: W32/Backdoor.PJEB-4161 Symantec: W32.Wabot TotalDefense: Win32/DCMgreen.A TrendMicro-HouseCall: BKDR_WABOT.SMIA Avast: Win32:Wabot [Trj] ClamAV: Win.Trojan.Wabot-6113548-0 Kaspersky: Backdoor.Win32.Wabot.a BitDefender: Gen:Trojan.ShellIni.zJZ@amwuoini Tencent: Trojan.Win32.Wabot.a Ad-Aware: Gen:Trojan.ShellIni.zJZ@amwuoini Sophos: Troj/Luiha-M Comodo: Backdoor.Win32.Wabot.A@4knk5y F-Secure: Gen:Trojan.ShellIni.zJZ@amwuoini DrWeb: Trojan.MulDrop6.64369 Zillya: Backdoor.Wabot.Win32.1 TrendMicro: BKDR_WABOT.SMIA McAfee-GW-Edition: BehavesLike.Win32.Wabot.wc Trapmine: malicious.high.ml.score Emsisoft: Gen:Trojan.ShellIni.zJZ@amwuoini (B) SentinelOne: static engine - malicious F-Prot: W32/Wabot.A Jiangmin: Backdoor/Wabot.z Webroot: Backdoor/Win32.Wabot.Gen Avira: TR/Dldr.Delphi.Gen Fortinet: W32/Luiha.M!tr Antiy-AVL: Trojan[Backdoor]/Win32.Wabot.a Endgame: malicious (high confidence) Microsoft: Backdoor:Win32/Wabot.A ViRobot: Backdoor.Win32.Wabot.157619 ZoneAlarm: Backdoor.Win32.Wabot.a TACHYON: Worm/W32.DP-IRCBot.3555328 AhnLab-V3: Worm/Win32.IRCBot.R3689 Acronis: suspicious ALYac: Gen:Trojan.ShellIni.zJZ@amwuoini MAX: malware (ai score=87) VBA32: BScope.Malware-Cryptor.Hlux Malwarebytes: Backdoor.Wabot Zoner: Trojan.Win32.22025 ESET-NOD32: Win32/Delf.NRF Rising: Worm.Chilly!1.661C (RDM+:cmRtazpRiYdqsHk17PVMSW6DaRNB) Yandex: Backdoor.Wabot!I7fzIkq6cuc Ikarus: P2P-Worm.Win32.Delf eGambit: Unsafe.AI_Score_99% GData: Gen:Trojan.ShellIni.zJZ@amwuoini AVG: Win32:Wabot [Trj] Cybereason: malicious.94f893 Panda: Backdoor Program CrowdStrike: malicious_confidence_100% (D) Qihoo-360: HEUR/QVM05.1.F2B1.Malware.Gen |
e_magic | MZ |
---|---|
e_cblp | 0x50 |
e_cp | 0x2 |
e_crlc | 0 |
e_cparhdr | 0x4 |
e_minalloc | 0xf |
e_maxalloc | 0xffff |
e_ss | 0 |
e_sp | 0xb8 |
e_csum | 0 |
e_ip | 0 |
e_cs | 0 |
e_ovno | 0x1a |
e_oemid | 0 |
e_oeminfo | 0 |
e_lfanew | 0x100 |
Signature | PE |
---|---|
Machine |
IMAGE_FILE_MACHINE_I386
|
NumberofSections | 8 |
TimeDateStamp | 1992-Jun-19 22:40:53 |
PointerToSymbolTable | 0 |
NumberOfSymbols | 0 |
SizeOfOptionalHeader | 0xe0 |
Characteristics |
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_BYTES_REVERSED_HI
IMAGE_FILE_BYTES_REVERSED_LO
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
|
Magic | PE32 |
---|---|
LinkerVersion | 2.0 |
SizeOfCode | 0xca00 |
SizeOfInitializedData | 0x2a00 |
SizeOfUninitializedData | 0 |
AddressOfEntryPoint | 0x0000D86C (Section: CODE) |
BaseOfCode | 0x1000 |
BaseOfData | 0xe000 |
ImageBase | 0x400000 |
SectionAlignment | 0x1000 |
FileAlignment | 0x200 |
OperatingSystemVersion | 4.0 |
ImageVersion | 0.0 |
SubsystemVersion | 4.0 |
Win32VersionValue | 0 |
SizeOfImage | 0x16000 |
SizeOfHeaders | 0x400 |
Checksum | 0 |
Subsystem |
IMAGE_SUBSYSTEM_WINDOWS_GUI
|
SizeofStackReserve | 0x100000 |
SizeofStackCommit | 0x4000 |
SizeofHeapReserve | 0x100000 |
SizeofHeapCommit | 0x1000 |
LoaderFlags | 0 |
NumberOfRvaAndSizes | 16 |
kernel32.dll |
DeleteCriticalSection
LeaveCriticalSection EnterCriticalSection InitializeCriticalSection VirtualFree VirtualAlloc LocalFree LocalAlloc GetCurrentThreadId GetStartupInfoA GetModuleFileNameA GetLastError GetCommandLineA FreeLibrary ExitProcess CreateThread WriteFile UnhandledExceptionFilter SetFilePointer SetEndOfFile RtlUnwind ReadFile RaiseException GetStdHandle GetFileSize GetSystemTime GetFileType CreateFileA CloseHandle |
---|---|
user32.dll |
GetKeyboardType
MessageBoxA CharNextA |
advapi32.dll |
RegQueryValueExA
RegOpenKeyExA RegCloseKey |
oleaut32.dll |
SysFreeString
|
kernel32.dll (#2) |
DeleteCriticalSection
LeaveCriticalSection EnterCriticalSection InitializeCriticalSection VirtualFree VirtualAlloc LocalFree LocalAlloc GetCurrentThreadId GetStartupInfoA GetModuleFileNameA GetLastError GetCommandLineA FreeLibrary ExitProcess CreateThread WriteFile UnhandledExceptionFilter SetFilePointer SetEndOfFile RtlUnwind ReadFile RaiseException GetStdHandle GetFileSize GetSystemTime GetFileType CreateFileA CloseHandle |
advapi32.dll (#2) |
RegQueryValueExA
RegOpenKeyExA RegCloseKey |
kernel32.dll (#3) |
DeleteCriticalSection
LeaveCriticalSection EnterCriticalSection InitializeCriticalSection VirtualFree VirtualAlloc LocalFree LocalAlloc GetCurrentThreadId GetStartupInfoA GetModuleFileNameA GetLastError GetCommandLineA FreeLibrary ExitProcess CreateThread WriteFile UnhandledExceptionFilter SetFilePointer SetEndOfFile RtlUnwind ReadFile RaiseException GetStdHandle GetFileSize GetSystemTime GetFileType CreateFileA CloseHandle |
user32.dll (#2) |
GetKeyboardType
MessageBoxA CharNextA |
wsock32.dll |
WSACleanup
WSAStartup gethostbyname socket send select recv ntohs listen inet_ntoa inet_addr htons htonl getsockname connect closesocket bind accept |
StartAddressOfRawData | 0x412000 |
---|---|
EndAddressOfRawData | 0x412008 |
AddressOfIndex | 0x40f6f8 |
AddressOfCallbacks | 0x413010 |
SizeOfZeroFill | 0 |
Characteristics |
IMAGE_SCN_TYPE_REG
|
Callbacks | (EMPTY) |