Architecture | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date | 2017-Jul-14 22:40:25 |
Info | Matching compiler(s): Microsoft Visual C++ 6.0 - 8.0; MASM/TASM - sig1(h); Microsoft Visual C++; Microsoft Visual C++ v6.0; Microsoft Visual C++ v5.0/v6.0 (MFC) |
Info | Cryptographic algorithms detected in the binary: uses constants related to CRC32; uses constants related to MD5; uses constants related to SHA1 |
Suspicious | The PE contains functions most legitimate programs don't use. [!] The program may be hiding some of its imports: |
Malicious | VirusTotal score: 44/68 (Scanned on 2019-09-09 06:42:23). MicroWorld-eScan: Gen:Variant.Graftor.487501; FireEye: Generic.mg.d2da675a8adfef9d; McAfee: Trojan-FPIA!D2DA675A8ADF; Cylance: Unsafe; K7AntiVirus: Trojan ( 0052cf421 ); Alibaba: Trojan:Win32/Autophyte.f462ec75; K7GW: Trojan ( 0052cf421 ); Cybereason: malicious.a8adfe; Arcabit: Trojan.Graftor.D7704D; TrendMicro: TROJ_GEN.R002C0DI819; F-Prot: W32/Trojan3.AOLG; Symantec: ML.Attribute.HighConfidence; APEX: Malicious; Paloalto: generic.ml; Kaspersky: HEUR:Trojan.Win32.Generic; BitDefender: Gen:Variant.Graftor.487501; NANO-Antivirus: Trojan.Win32.NukeSped.fyopnf; AegisLab: Trojan.Win32.Generic.4!c; Ad-Aware: Gen:Variant.Graftor.487501; Emsisoft: Gen:Variant.Graftor.487501 (B); F-Secure: Trojan.TR/NukeSped.nsanz; McAfee-GW-Edition: Trojan-FPIA!D2DA675A8ADF; Trapmine: malicious.moderate.ml.score; Sophos: Mal/Generic-S; SentinelOne: DFI - Suspicious PE; Cyren: W32/Trojan.ATKI-5308; Avira: TR/NukeSped.nsanz; Fortinet: W32/NukeSped.AU!tr; Antiy-AVL: Trojan/Win32.Autophyte; Endgame: malicious (high confidence); Microsoft: Trojan:Win32/Autophyte.E!dha; ViRobot: Trojan.Win32.Z.Graftor.139264.HN; ZoneAlarm: HEUR:Trojan.Win32.Generic; AhnLab-V3: Trojan/Win32.Akdoor.R207815; VBA32: BScope.Trojan.Autophyte; MAX: malware (ai score=100); ESET-NOD32: a variant of Win32/NukeSped.AU; TrendMicro-HouseCall: TROJ_GEN.R002C0DI819; Ikarus: Trojan.Win32.NukeSped; GData: Gen:Variant.Graftor.487501; AVG: FileRepMalware; Panda: Trj/GdSda.A; CrowdStrike: win/malicious_confidence_100% (W); Qihoo-360: HEUR/QVM07.1.BD6D.Malware.Gen |
e_magic | MZ |
---|---|
e_cblp | 0x90 |
e_cp | 0x3 |
e_crlc | 0 |
e_cparhdr | 0x4 |
e_minalloc | 0 |
e_maxalloc | 0xffff |
e_ss | 0 |
e_sp | 0xb8 |
e_csum | 0 |
e_ip | 0 |
e_cs | 0 |
e_ovno | 0 |
e_oemid | 0 |
e_oeminfo | 0 |
e_lfanew | 0xe0 |
Signature | PE |
---|---|
Machine | IMAGE_FILE_MACHINE_I386 |
NumberofSections | 3 |
TimeDateStamp | 2017-Jul-14 22:40:25 |
PointerToSymbolTable | 0 |
NumberOfSymbols | 0 |
SizeOfOptionalHeader | 0xe0 |
Characteristics | IMAGE_FILE_32BIT_MACHINE, IMAGE_FILE_EXECUTABLE_IMAGE, IMAGE_FILE_LINE_NUMS_STRIPPED, IMAGE_FILE_LOCAL_SYMS_STRIPPED, IMAGE_FILE_RELOCS_STRIPPED |
Magic | PE32 |
---|---|
LinkerVersion | 6.0 |
SizeOfCode | 0x1c000 |
SizeOfInitializedData | 0x8000 |
SizeOfUninitializedData | 0 |
AddressOfEntryPoint | 0x0001CD2F (Section: .text) |
BaseOfCode | 0x1000 |
BaseOfData | 0x1d000 |
ImageBase | 0x400000 |
SectionAlignment | 0x1000 |
FileAlignment | 0x1000 |
OperatingSystemVersion | 4.0 |
ImageVersion | 0.0 |
SubsystemVersion | 4.0 |
Win32VersionValue | 0 |
SizeOfImage | 0x25000 |
SizeOfHeaders | 0x1000 |
Checksum | 0 |
Subsystem | IMAGE_SUBSYSTEM_WINDOWS_GUI |
SizeofStackReserve | 0x100000 |
SizeofStackCommit | 0x1000 |
SizeofHeapReserve | 0x100000 |
SizeofHeapCommit | 0x1000 |
LoaderFlags | 0 |
NumberOfRvaAndSizes | 16 |
KERNEL32.dll | GetProcAddress, LoadLibraryA, CloseHandle, GetModuleHandleW, FreeLibrary, GetVolumeInformationW, Module32FirstW, CreateToolhelp32Snapshot, FileTimeToLocalFileTime, GetTickCount, GetSystemInfo, GetVersionExW, WideCharToMultiByte, CreateDirectoryW, Sleep, CopyFileW, FileTimeToSystemTime, GetACP, lstrlenW, GetModuleHandleA, FindFirstFileW, FindNextFileW, GetLastError, FindClose, UnmapViewOfFile, WriteFile, GetCurrentProcess, DuplicateHandle, CreateFileW, CreateFileMappingW, MapViewOfFile, GetFileType, GetFileInformationByHandle, GetSystemTime, GetLocalTime, SystemTimeToFileTime, GetFileSize, SetFilePointer, ReadFile, FileTimeToDosDateTime, GetStartupInfoA |
---|---|
USER32.dll | GetSystemMetrics |
SHLWAPI.dll | SHDeleteKeyW |
MSVCRT.dll | wcstombs, memcpy, strlen, memset, memmove, memcmp, malloc, free, strstr, sscanf, wcsrchr, localtime, time, mktime, ??2@YAPAXI@Z, _EH_prolog, strcat, strcpy, _stricmp, _tzset, __dllonexit, _onexit, _exit, _XcptFilter, exit, _acmdln, __getmainargs, _initterm, __setusermatherr, _adjust_fdiv, __p__commode, __p__fmode, __set_app_type, _except_handler3, _controlfp, _wfopen, fwprintf, fclose, __CxxFrameHandler, srand, rand, _vsnwprintf, wcscmp, wcschr, _wcsicmp, wcscat, wcsncpy, swprintf, _wtoi, _waccess, wcscpy, wcslen, strncmp, ??3@YAXPAX@Z |
XOR Key | 0xb55b4bd4 |
---|---|
Unmarked objects | 0 |
14 (7299) | 5 |
Linker (VS98 build 8168) | 2 |
12 (7291) | 2 |
C objects (VS98 build 8168) | 25 |
Imports (VS2003 (.NET) build 4035) | 7 |
Total imports | 115 |
C++ objects (VS98 build 8168) | 10 |