d5a0c746952c6df52a78d2bd7ab08b83

Summary

Architecture IMAGE_FILE_MACHINE_AMD64
Subsystem IMAGE_SUBSYSTEM_WINDOWS_CUI
Compilation Date 2009-Feb-20 07:23:53
Detected languages Chinese - PRC
English - United States
Debug artifacts d:\svn\EliteIV3.3\drivers\install\install\setuplh64\x64\Release\winlh64\setup.pdb
FileDescription setuplh6 Application
FileVersion 1, 0, 0, 4
InternalName setuplh6
LegalCopyright Copyright (C) 2009
OriginalFilename setuplh6.exe
ProductName setuplh6 Application
ProductVersion 1, 0, 0, 4

Plugin Output

Suspicious Strings found in the binary may indicate undesirable behavior:
May have dropper capabilities:
  • CurrentControlSet\Services
Info Cryptographic algorithms detected in the binary: Uses constants related to SHA1
Malicious The file headers were tampered with. Section .rsrc is both writable and executable.
The RICH header checksum is invalid.
Info The PE contains common functions which appear in legitimate applications.
[!] The program may be hiding some of its imports:
  • LoadLibraryA
  • GetProcAddress
  • LoadLibraryW
Can access the registry:
  • RegEnumValueW
  • RegOpenKeyW
  • RegSetValueExW
  • RegQueryValueExW
  • RegCloseKey
Can create temporary files:
  • CreateFileW
  • GetTempPathW
Malicious The PE is possibly a dropper.
Resource 126 detected as a PE Executable.
Resource 127 detected as a PE Executable.
Resource 128 detected as a PE Executable.
Malicious VirusTotal score: 36/55 (Scanned on 2016-07-09 12:24:16)
Bkav: W32.Vetor.PE
MicroWorld-eScan: Win32.Virtob.Gen.12
CMC: Virus.Win32.Virut.1!O
CAT-QuickHeal: W32.Virut.G
TheHacker: W32/Virtob.Gen(F)
Arcabit: Win32.Virtob.Gen.12
Baidu: Win32.Virus.Virut.gen
Symantec: W32.Virut.CF
ESET-NOD32: Win32/Virut.NBP
TrendMicro-HouseCall: PE_VIRUX.GEN
Avast: Win64:Vitro
Kaspersky: Virus.Win32.Virut.ce
BitDefender: Win32.Virtob.Gen.12
NANO-Antivirus: Virus.Win64.Virut-Gen.bwpxnc
Ad-Aware: Win32.Virtob.Gen.12
Emsisoft: Win32.Virtob.Gen.12 (B)
F-Secure: Win32.Virtob.Gen.12
DrWeb: Win32.Virut.56
VIPRE: Virus.Win32.Virut.ce (v)
TrendMicro: PE_VIRUX.GEN
McAfee-GW-Edition: BehavesLike.Win64.Virut.ch
Sophos: W32/Scribble-B
Cyren: W64/Trojan.VIUL-6357
Jiangmin: Win32/Virut.bn
Avira: TR/Mediyes.Gen
Antiy-AVL: Virus/Win32.Virut.ce
Microsoft: Virus:Win32/Virut.BM
GData: Win32.Virtob.Gen.12
AhnLab-V3: Virus/Win32.Virut.N2043142159
McAfee: W32/Virut.n
AVware: Virus.Win32.Virut.ce (v)
Tencent: Win32.Virus.Virut.Wrzs
Ikarus: Virus.Win32.Virut
Fortinet: W32/Virut.CE
Panda: W32/Sality.AO
Qihoo-360: Win32/Trojan.3d2

Hashes

MD5 d5a0c746952c6df52a78d2bd7ab08b83
SHA1 b56680ad8ab1aa53a2170af5c59d7ce7faecd1f6
SHA256 397ff5925bb8f38f3046e96e19e73bc7080c1eb3cf0b1e08e27a807e80f84133
SHA3 d1518f107381f95edc0b362038ca78e74aeafe747a12445492b612847650b026
SSDeep 3072:ML5jY2m2Ir3ivdS6esD+KK3ls9zp2LLjo/4I3MWO0kiNxpdJy+:MVjKuFS67D+VmrWjeV8WXNx
Imports Hash 280e4a74b836d76bedfac511bd041582

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0xe8

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_AMD64
NumberofSections 5
TimeDateStamp 2009-Feb-20 07:23:53
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xf0
Characteristics IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_RELOCS_STRIPPED

Image Optional Header

Magic PE32+
LinkerVersion 8.0
SizeOfCode 0xd600
SizeOfInitializedData 0x14200
SizeOfUninitializedData 0
AddressOfEntryPoint 0x0000000000025BD8 (Section: .rsrc)
BaseOfCode 0x1000
ImageBase 0x140000000
SectionAlignment 0x1000
FileAlignment 0x200
OperatingSystemVersion 4.0
ImageVersion 0.0
SubsystemVersion 5.2
Win32VersionValue 0
SizeOfImage 0x2b000
SizeOfHeaders 0x400
Checksum 0
Subsystem IMAGE_SUBSYSTEM_WINDOWS_CUI
DllCharacteristics IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
SizeofStackReserve 0x100000
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

.text

MD5 8d77ed12a2f67b625f4ea8a9990529ae
SHA1 639f96beaaa70cc7e407697fd2e8204e87774edb
SHA256 0f2a07c456e10b4f9a71a18d3361466baff94b6bf1fbde9b8547252f9e609b1d
SHA3 5b588677e4e429cc0005e68d04ff02d4c640f48e565b091bca0aa0f6981c3736
VirtualSize 0xd5e5
VirtualAddress 0x1000
SizeOfRawData 0xd600
PointerToRawData 0x400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
Entropy 6.28424

.rdata

MD5 77693bb38f4b93d282a8a15c574f1d86
SHA1 ecde1b8c7160b32a0deefae15aa8546304227e2a
SHA256 2e183a84d93e9f9168626cc1e20363dc0696169d69e27f3cb0a4a4fffa31dd6b
SHA3 3fea437640f665afbe720128527380bb770747ff97374ea5489d51d0741f7904
VirtualSize 0x4592
VirtualAddress 0xf000
SizeOfRawData 0x4600
PointerToRawData 0xda00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 5.17004

.data

MD5 3134faecf6137406081f9073de42da7a
SHA1 74a55978554ba8634ab42084fb084135b650b8fc
SHA256 6c25f3f5b24085f414d6c688f18f6f62f3ac5ef7e6813987b7c4199c2cffdbaf
SHA3 1803f27029f56f40217951459df5d763bbb4b370107d44cd57b150c13eb1a144
VirtualSize 0x2398
VirtualAddress 0x14000
SizeOfRawData 0x1200
PointerToRawData 0x12000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 2.33122

.pdata

MD5 4d5e583d380f0f7bb7c2697216102229
SHA1 5266c48940f08fe2cdc994f3ffec7d962c53f79b
SHA256 c08addee476764b8d5b0b01ff45f56281a57825ab4362781b6eb6f4371217a43
SHA3 cdaa7842f6475eebc05dd24df864519ac4701a411ae594bc0adfc9f35b938363
VirtualSize 0xe4c
VirtualAddress 0x17000
SizeOfRawData 0x1000
PointerToRawData 0x13200
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 4.56552

.rsrc

MD5 9ecfb68acad438fe463f0fc1d5113008
SHA1 0e8070937d29569ce37b1c8f4dcf7650847081ca
SHA256 b24f79ba4ee3ba0ea453754f48440d6acbdde6985f3648037c440905e53db032
SHA3 7c73db7c31976782c8dcd66597f5081c1da56390a4e9835453c0760424135e02
VirtualSize 0x12a00
VirtualAddress 0x18000
SizeOfRawData 0x11e00
PointerToRawData 0x14200
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 6.82259

Imports

SETUPAPI.dll
SetupGetInfInformationW
SetupDiGetDeviceInstallParamsW
SetupDiCreateDeviceInfoList
SetupDiGetINFClassW
SetupDiDestroyDeviceInfoList
SetupDiGetClassDevsW
SetupDiCallClassInstaller
SetupDiSetDeviceRegistryPropertyW
SetupDiCreateDeviceInfoW
SetupDiGetDeviceRegistryPropertyW
SetupDiEnumDeviceInfo
SetupQueryInfVersionInformationW
KERNEL32.dll
HeapSize
HeapReAlloc
InitializeCriticalSection
LoadLibraryA
WriteFile
GetStdHandle
FindFirstFileW
FindClose
CreateDirectoryW
SystemTimeToFileTime
CreateFileW
GetLastError
SetFileTime
FindResourceW
LoadResource
LockResource
SizeofResource
lstrlenW
DeleteFileW
GetModuleHandleW
GetProcAddress
LocalFree
LocalAlloc
LoadLibraryW
FreeLibrary
FindNextFileW
GetTempPathW
CopyFileW
SetLastError
RaiseException
CloseHandle
GetOEMCP
HeapFree
GetVersionExA
HeapAlloc
GetProcessHeap
TerminateProcess
GetCurrentProcess
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
GetCPInfo
GetACP
RtlPcToFileHeader
IsValidCodePage
GetModuleHandleA
FlsGetValue
FlsSetValue
TlsFree
FlsFree
GetCurrentThreadId
FlsAlloc
ExitProcess
GetModuleFileNameA
RtlUnwindEx
GetModuleFileNameW
FreeEnvironmentStringsA
MultiByteToWideChar
GetEnvironmentStrings
FreeEnvironmentStringsW
GetEnvironmentStringsW
GetCommandLineA
GetCommandLineW
SetHandleCount
GetFileType
GetStartupInfoA
DeleteCriticalSection
HeapSetInformation
HeapCreate
QueryPerformanceCounter
GetTickCount
GetCurrentProcessId
GetSystemTimeAsFileTime
LeaveCriticalSection
EnterCriticalSection
LCMapStringA
WideCharToMultiByte
LCMapStringW
GetStringTypeA
GetStringTypeW
Sleep
GetLocaleInfoA
ADVAPI32.dll
RegEnumValueW
RegOpenKeyW
RegSetValueExW
RegQueryValueExW
RegCloseKey

Delayed Imports

121

Type BCDATA
Language Chinese - PRC
Codepage Latin 1 / Western European
Size 0x11bb
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 5.52824
MD5 8e9d9a94c6d8498ced8b69694a217fd9
SHA1 843b101cecd27bff753db071701fa716786e9b32
SHA256 37bf049c6d834f75bdc3058edf285b5aaa530b5663a1f6ee585aed7256dd02bf
SHA3 774f58405d52a35fd4c1748664bdcd1503e56cbd189c82d21bdf6ece0e368c39

122

Type BCDATA
Language Chinese - PRC
Codepage Latin 1 / Western European
Size 0x26bb
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 6.81653
MD5 35fa8b8ef76d669d1d8dec6358317297
SHA1 9cfab68c7bceb2b75e1f7fc6748ffc99551f8413
SHA256 1e132e30025a4195e89f6891a61a4a8ebb26f091a269182d86f4960739bb6534
SHA3 57a754a72ab0234638b515df08869f2343ab709c547261e89ccfca9e6b33ef9a

126

Type BCDATA
Language Chinese - PRC
Codepage Latin 1 / Western European
Size 0x3b00
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 5.94941
Detected Filetype PE Executable
MD5 3d4d319b3d6cf521e279182a9cef2d0b
SHA1 7e76fc5a02be20b1d031bd81d47f4b251a9f7d67
SHA256 76600bec6b8c5b9e578e4856ce25e74909d62cb246685aeee77bd3646d7e9669
SHA3 e7ad4ff45df0083d8f19a48dc69bb2e130e630e79d3afde0794a8124df59f042

127

Type BCDATA
Language Chinese - PRC
Codepage Latin 1 / Western European
Size 0x2980
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 5.68221
Detected Filetype PE Executable
MD5 46f8ff02119652f36f9c7acf1cadbe59
SHA1 991abd27558181b92944f3ada292e4fa10ee7ae2
SHA256 040b4380eeda575b886a908e0eaf9a34a6af26c4cb1ac71434cd83ec85a020f3
SHA3 4d7b9b56149ee909f644449d0bf409b6c347f00f615f3360a1dc6d11c327f47a

128

Type BCDATA
Language Chinese - PRC
Codepage Latin 1 / Western European
Size 0x3800
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 5.81445
Detected Filetype PE Executable
MD5 be60686b82a2f91ac8e0def8bd5a8445
SHA1 c86cb9a700bb939f856024cf7835c5fa3334dc04
SHA256 472c600ddc5288b97ac73723ef0adeefbde8a8daffead79eb9783a2662f04dc5
SHA3 434f937e410115a569b571c12156c2e8949e593c900d9e01ed5d1b13ccb20174

1

Type RT_VERSION
Language Chinese - PRC
Codepage Latin 1 / Western European
Size 0x2b4
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 3.3347
MD5 a870abec8b2f915e8d02d0691c7fda63
SHA1 61f48d52d81329f729f8236f34edf62192d6ae1f
SHA256 f63f824c52c08df26868d92aef477ef0c422b8f78682527e3a90d3e94e1ffdd5
SHA3 68bbedd9475743775db5d2bc4108856ffe04b4f1878eebc76dc85dda25e31e01

1 (#2)

Type RT_MANIFEST
Language English - United States
Codepage Latin 1 / Western European
Size 0x56
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 4.65542
MD5 bd62b6f553a2d1d012cc53fc325221d2
SHA1 c5353cec27b30fb35e414dd5f3d0e9205aaf1c07
SHA256 388f75e900f0c15fd66249d7b2e7edf6e14eeefb859e6f766b75058e44f27af6
SHA3 b59854a353caba5e0be1002399bcb847b4dd99e37cff0c7967dd0d42c1eab089

Version Info

Signature 0xfeef04bd
StructVersion 0x10000
FileVersion 1.0.0.4
ProductVersion 1.0.0.4
FileFlags (EMPTY)
FileOs VOS_DOS_WINDOWS32
VOS_NT_WINDOWS32
VOS__WINDOWS32
FileType VFT_APP
Language Chinese - PRC
FileDescription setuplh6 Application
FileVersion (#2) 1, 0, 0, 4
InternalName setuplh6
LegalCopyright Copyright (C) 2009
OriginalFilename setuplh6.exe
ProductName setuplh6 Application
ProductVersion (#2) 1, 0, 0, 4
Resource LangID Chinese - PRC

IMAGE_DEBUG_TYPE_CODEVIEW

Characteristics 0
TimeDateStamp 2009-Feb-20 07:23:53
Version 0.0
SizeofData 106
AddressOfRawData 0x11310
PointerToRawData 0xfd10
Referenced File d:\svn\EliteIV3.3\drivers\install\install\setuplh64\x64\Release\winlh64\setup.pdb

TLS Callbacks

Load Configuration

RICH Header

XOR Key 0x72da546e
Unmarked objects 0
ASM objects (VS2012 build 50727 / VS2005 build 50727) 8
C++ objects (VS2012 build 50727 / VS2005 build 50727) 40
C objects (VS2012 build 50727 / VS2005 build 50727) 74
Imports (40310) 7
Total imports 118
114 (VS2012 build 50727 / VS2005 build 50727) 4
Resource objects (VS2012 build 50727 / VS2005 build 50727) 1
Linker (VS2012 build 50727 / VS2005 build 50727) 1

Errors