d2da675a8adfef9d0c146154084fff62

Summary

Architecture IMAGE_FILE_MACHINE_I386
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date 2017-Jul-14 22:40:25

Plugin Output

Info Matching compiler(s):
  • Microsoft Visual C++ 6.0 - 8.0
  • MASM/TASM - sig1(h)
  • Microsoft Visual C++
  • Microsoft Visual C++ v6.0
  • Microsoft Visual C++ v5.0/v6.0 (MFC)
Info Cryptographic algorithms detected in the binary:
  • Uses constants related to CRC32
  • Uses constants related to MD5
  • Uses constants related to SHA1
Suspicious The PE contains functions most legitimate programs don't use.
[!] The program may be hiding some of its imports:
  • GetProcAddress
  • LoadLibraryA
Functions which can be used for anti-debugging purposes:
  • CreateToolhelp32Snapshot
Can access the registry:
  • SHDeleteKeyW
Enumerates local disk drives:
  • GetVolumeInformationW
Malicious VirusTotal score: 44/68 (Scanned on 2019-09-09 06:42:23)
MicroWorld-eScan: Gen:Variant.Graftor.487501
FireEye: Generic.mg.d2da675a8adfef9d
McAfee: Trojan-FPIA!D2DA675A8ADF
Cylance: Unsafe
K7AntiVirus: Trojan ( 0052cf421 )
Alibaba: Trojan:Win32/Autophyte.f462ec75
K7GW: Trojan ( 0052cf421 )
Cybereason: malicious.a8adfe
Arcabit: Trojan.Graftor.D7704D
TrendMicro: TROJ_GEN.R002C0DI819
F-Prot: W32/Trojan3.AOLG
Symantec: ML.Attribute.HighConfidence
APEX: Malicious
Paloalto: generic.ml
Kaspersky: HEUR:Trojan.Win32.Generic
BitDefender: Gen:Variant.Graftor.487501
NANO-Antivirus: Trojan.Win32.NukeSped.fyopnf
AegisLab: Trojan.Win32.Generic.4!c
Ad-Aware: Gen:Variant.Graftor.487501
Emsisoft: Gen:Variant.Graftor.487501 (B)
F-Secure: Trojan.TR/NukeSped.nsanz
McAfee-GW-Edition: Trojan-FPIA!D2DA675A8ADF
Trapmine: malicious.moderate.ml.score
Sophos: Mal/Generic-S
SentinelOne: DFI - Suspicious PE
Cyren: W32/Trojan.ATKI-5308
Avira: TR/NukeSped.nsanz
Fortinet: W32/NukeSped.AU!tr
Antiy-AVL: Trojan/Win32.Autophyte
Endgame: malicious (high confidence)
Microsoft: Trojan:Win32/Autophyte.E!dha
ViRobot: Trojan.Win32.Z.Graftor.139264.HN
ZoneAlarm: HEUR:Trojan.Win32.Generic
AhnLab-V3: Trojan/Win32.Akdoor.R207815
VBA32: BScope.Trojan.Autophyte
MAX: malware (ai score=100)
ESET-NOD32: a variant of Win32/NukeSped.AU
TrendMicro-HouseCall: TROJ_GEN.R002C0DI819
Ikarus: Trojan.Win32.NukeSped
GData: Gen:Variant.Graftor.487501
AVG: FileRepMalware
Panda: Trj/GdSda.A
CrowdStrike: win/malicious_confidence_100% (W)
Qihoo-360: HEUR/QVM07.1.BD6D.Malware.Gen

Hashes

MD5 d2da675a8adfef9d0c146154084fff62
SHA1 c55d080ea24e542397bbbfa00edc6402ec1c902c
SHA256 f8f7720785f7e75bd6407ac2acd63f90ab6c2907d3619162dc41a8ffa40a5d03
SHA3 189ba5cca73e66c1f0bbfc064045cb7b80380f07369b903598aa9e363c764e41
SSDeep 3072:1QGYFFzYCGUXBk/hbpjYr9Lde0NPV1Y88PxbE:1SFhYaXBkjYJLde0Nd1Hqb
Imports Hash 86e90e40d8e53d1e5b06a22353734ed4

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0xe0

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_I386
NumberofSections 3
TimeDateStamp 2017-Jul-14 22:40:25
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xe0
Characteristics IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_RELOCS_STRIPPED

Image Optional Header

Magic PE32
LinkerVersion 6.0
SizeOfCode 0x1c000
SizeOfInitializedData 0x8000
SizeOfUninitializedData 0
AddressOfEntryPoint 0x0001CD2F (Section: .text)
BaseOfCode 0x1000
BaseOfData 0x1d000
ImageBase 0x400000
SectionAlignment 0x1000
FileAlignment 0x1000
OperatingSystemVersion 4.0
ImageVersion 0.0
SubsystemVersion 4.0
Win32VersionValue 0
SizeOfImage 0x25000
SizeOfHeaders 0x1000
Checksum 0
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
SizeofStackReserve 0x100000
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

.text

MD5 66e2b83909b4d47d3e3d20ad44df1acc
SHA1 6c45db2f3c329c18abbbba48c3ca8d28f8620f72
SHA256 c934555557fa502839be5de8947adbcfeadf38d5d9085d6bf1825adb9472d9f6
SHA3 e3b14021e98f0f723fcf6cc8e8d1c24eff758391436b27bcfd1b9984b17ace79
VirtualSize 0x1bfe0
VirtualAddress 0x1000
SizeOfRawData 0x1c000
PointerToRawData 0x1000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
Entropy 6.66028

.rdata

MD5 d20ad0b8b42883ae6eb4c89cfbbd893b
SHA1 dc4261a17f3c64edf7af0c1f5ccc171e3aaf85e4
SHA256 c6b3c98e1be78bd2675d18069ed1ff7b33a09849763f3b85092f58c4b362057e
SHA3 e58d179512ba20125c68948407f6b51ec102b001e2bcae1379e010ed098c9214
VirtualSize 0x3892
VirtualAddress 0x1d000
SizeOfRawData 0x4000
PointerToRawData 0x1d000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 6.0577

.data

MD5 5e1b09084dfc15dda52bdac606eaed3d
SHA1 19aabd457f5c0eec40344ac81d70c611b50fcf06
SHA256 0e5edfc0c85884234654e6efa424d70ce108cf44fe7f943718a745c0c7cbca90
SHA3 ecefae7fbfbfbaa33a0fc3788181cedec666d754b356ed96b07465f373594b22
VirtualSize 0x367c
VirtualAddress 0x21000
SizeOfRawData 0x1000
PointerToRawData 0x21000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 3.82497

Imports

KERNEL32.dll GetProcAddress
LoadLibraryA
CloseHandle
GetModuleHandleW
FreeLibrary
GetVolumeInformationW
Module32FirstW
CreateToolhelp32Snapshot
FileTimeToLocalFileTime
GetTickCount
GetSystemInfo
GetVersionExW
WideCharToMultiByte
CreateDirectoryW
Sleep
CopyFileW
FileTimeToSystemTime
GetACP
lstrlenW
GetModuleHandleA
FindFirstFileW
FindNextFileW
GetLastError
FindClose
UnmapViewOfFile
WriteFile
GetCurrentProcess
DuplicateHandle
CreateFileW
CreateFileMappingW
MapViewOfFile
GetFileType
GetFileInformationByHandle
GetSystemTime
GetLocalTime
SystemTimeToFileTime
GetFileSize
SetFilePointer
ReadFile
FileTimeToDosDateTime
GetStartupInfoA
USER32.dll GetSystemMetrics
SHLWAPI.dll SHDeleteKeyW
MSVCRT.dll wcstombs
memcpy
strlen
memset
memmove
memcmp
malloc
free
strstr
sscanf
wcsrchr
localtime
time
mktime
??2@YAPAXI@Z
_EH_prolog
strcat
strcpy
_stricmp
_tzset
__dllonexit
_onexit
_exit
_XcptFilter
exit
_acmdln
__getmainargs
_initterm
__setusermatherr
_adjust_fdiv
__p__commode
__p__fmode
__set_app_type
_except_handler3
_controlfp
_wfopen
fwprintf
fclose
__CxxFrameHandler
srand
rand
_vsnwprintf
wcscmp
wcschr
_wcsicmp
wcscat
wcsncpy
swprintf
_wtoi
_waccess
wcscpy
wcslen
strncmp
??3@YAXPAX@Z

Delayed Imports

Version Info

TLS Callbacks

Load Configuration

RICH Header

XOR Key 0xb55b4bd4
Unmarked objects 0
14 (7299) 5
Linker (VS98 build 8168) 2
12 (7291) 2
C objects (VS98 build 8168) 25
Imports (VS2003 (.NET) build 4035) 7
Total imports 115
C++ objects (VS98 build 8168) 10

Errors