Architecture | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date | 2012-Jul-13 22:47:16 |
Debug artifacts | |
Comments | |
CompanyName | .getlucky project |
FileDescription | .getlucky Loader |
FileVersion | 1.3.3.7 |
InternalName | festive.exe |
LegalCopyright | Copyright © 2020 |
LegalTrademarks | |
OriginalFilename | festive.exe |
ProductName | .getlucky |
ProductVersion | 1.3.3.7 |
Assembly Version | 1.3.3.7 |

Info | Matching compiler(s): | Microsoft Visual C++ 6.0 - 8.0 |
---|---|---|
Suspicious | Strings found in the binary may indicate undesirable behavior: | Looks for Qemu presence: |
Info | Cryptographic algorithms detected in the binary: | Uses constants related to CRC32 |
Suspicious | The PE contains functions most legitimate programs don't use. | [!] The program may be hiding some of its imports: |
Suspicious | The PE is possibly a dropper. | Resource __ is possibly compressed or encrypted. Resources amount for 95.5732% of the executable. |
Malicious | VirusTotal score: 36/71 (Scanned on 2021-02-21 12:21:34) | Bkav: W32.AIDetectGBM.malware.02; MicroWorld-eScan: Gen:Variant.MSILPerseus.226220; FireEye: Generic.mg.db92f4ac8e714c7c; CAT-QuickHeal: Trojan.Wacatac; McAfee: Artemis!DB92F4AC8E71; Cylance: Unsafe; Sangfor: Trojan.Win32.Save.a; Alibaba: Trojan:Win32/Symmi.dfb00ca8; Cybereason: malicious.c8e714; Cyren: W32/Symmi.O.gen!Eldorado; Symantec: ML.Attribute.HighConfidence; APEX: Malicious; Avast: Win32:MdeClass; BitDefender: Gen:Variant.MSILPerseus.226220; Paloalto: generic.ml; Rising: Malware.Heuristic!ET#100% (RDMK:cmRtazrejNQaOody5LC+SX4hAa0g); Ad-Aware: Gen:Variant.MSILPerseus.226220; Sophos: ML/PE-A; McAfee-GW-Edition: BehavesLike.Win32.Generic.wc; Emsisoft: Gen:Variant.MSILPerseus.226220 (B); GData: Gen:Variant.MSILPerseus.226220; eGambit: Unsafe.AI_Score_99%; MAX: malware (ai score=86); Arcabit: Trojan.MSILPerseus.D373AC; AegisLab: Trojan.Win32.Perseus.4!c; Microsoft: HackTool:Win32/AutoKMS!ml; Cynet: Malicious (score: 100); BitDefenderTheta: Gen:NN.ZexaF.34574.at0@aGGAqNe; ALYac: Gen:Variant.MSILPerseus.226220; Malwarebytes: Generic.Malware/Suspicious; TrendMicro-HouseCall: TROJ_GEN.R002H09BH21; SentinelOne: Static AI - Malicious PE; Fortinet: W32/PossibleThreat; AVG: Win32:MdeClass; CrowdStrike: win/malicious_confidence_90% (W); Qihoo-360: Win32/Trojan.Generic.HgIASPMA |

e_magic | MZ |
---|---|
e_cblp | 0x90 |
e_cp | 0x3 |
e_crlc | 0 |
e_cparhdr | 0x4 |
e_minalloc | 0 |
e_maxalloc | 0xffff |
e_ss | 0 |
e_sp | 0xb8 |
e_csum | 0 |
e_ip | 0 |
e_cs | 0 |
e_ovno | 0 |
e_oemid | 0 |
e_oeminfo | 0 |
e_lfanew | 0xe0 |

Signature | PE |
---|---|
Machine | IMAGE_FILE_MACHINE_I386 |
NumberofSections | 4 |
TimeDateStamp | 2012-Jul-13 22:47:16 |
PointerToSymbolTable | 0 |
NumberOfSymbols | 0 |
SizeOfOptionalHeader | 0xe0 |
Characteristics | IMAGE_FILE_32BIT_MACHINE, IMAGE_FILE_EXECUTABLE_IMAGE, IMAGE_FILE_LARGE_ADDRESS_AWARE, IMAGE_FILE_RELOCS_STRIPPED |

Magic | PE32 |
---|---|
LinkerVersion | 9.0 |
SizeOfCode | 0x19800 |
SizeOfInitializedData | 0x2e8e00 |
SizeOfUninitializedData | 0 |
AddressOfEntryPoint | 0x0000CD2F (Section: .text) |
BaseOfCode | 0x1000 |
BaseOfData | 0x1b000 |
ImageBase | 0x400000 |
SectionAlignment | 0x1000 |
FileAlignment | 0x200 |
OperatingSystemVersion | 5.0 |
ImageVersion | 0.0 |
SubsystemVersion | 5.0 |
Win32VersionValue | 0 |
SizeOfImage | 0x307000 |
SizeOfHeaders | 0x400 |
Checksum | 0x23bfb |
Subsystem | IMAGE_SUBSYSTEM_WINDOWS_GUI |
DllCharacteristics | IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE |
SizeofStackReserve | 0x100000 |
SizeofStackCommit | 0x1000 |
SizeofHeapReserve | 0x100000 |
SizeofHeapCommit | 0x1000 |
LoaderFlags | 0 |
NumberOfRvaAndSizes | 16 |

KERNEL32.dll | RaiseException, GetLastError, MultiByteToWideChar, lstrlenA, InterlockedDecrement, GetProcAddress, LoadLibraryA, FreeResource, SizeofResource, LockResource, LoadResource, FindResourceA, GetModuleHandleA, Module32Next, CloseHandle, Module32First, CreateToolhelp32Snapshot, GetCurrentProcessId, SetEndOfFile, GetStringTypeW, GetStringTypeA, LCMapStringW, LCMapStringA, GetLocaleInfoA, HeapFree, GetProcessHeap, HeapAlloc, GetCommandLineA, HeapCreate, VirtualFree, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, VirtualAlloc, HeapReAlloc, HeapSize, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, GetModuleHandleW, Sleep, ExitProcess, WriteFile, GetStdHandle, GetModuleFileNameA, WideCharToMultiByte, GetConsoleCP, GetConsoleMode, ReadFile, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, InterlockedIncrement, SetLastError, GetCurrentThreadId, FlushFileBuffers, SetFilePointer, SetHandleCount, GetFileType, GetStartupInfoA, RtlUnwind, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, GetEnvironmentStringsW, QueryPerformanceCounter, GetTickCount, GetSystemTimeAsFileTime, InitializeCriticalSectionAndSpinCount, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, CompareStringA, CompareStringW, SetEnvironmentVariableA, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, SetStdHandle, CreateFileA |
---|---|
ole32.dll | OleInitialize |
OLEAUT32.dll | #15, #23, #24, #16, #411, #9, #8, #6, #2 |

Signature | 0xfeef04bd |
---|---|
StructVersion | 0x10000 |
FileVersion | 1.3.3.7 |
ProductVersion | 1.3.3.7 |
FileFlags | (EMPTY) |
FileOs | VOS_DOS_WINDOWS32, VOS_NT_WINDOWS32, VOS__WINDOWS32 |
FileType | VFT_APP |
Language | UNKNOWN |
Comments | |
CompanyName | .getlucky project |
FileDescription | .getlucky Loader |
FileVersion (#2) | 1.3.3.7 |
InternalName | festive.exe |
LegalCopyright | Copyright © 2020 |
LegalTrademarks | |
OriginalFilename | festive.exe |
ProductName | .getlucky |
ProductVersion (#2) | 1.3.3.7 |
Assembly Version | 1.3.3.7 |
Resource LangID | UNKNOWN |

Characteristics | 0 |
---|---|
TimeDateStamp | 2012-Jul-13 22:47:16 |
Version | 0.0 |
SizeofData | 129 |
AddressOfRawData | 0x20de8 |
PointerToRawData | 0x1f9e8 |
Referenced File | |

Size | 0x48 |
---|---|
TimeDateStamp | 1970-Jan-01 00:00:00 |
Version | 0.0 |
GlobalFlagsClear | (EMPTY) |
GlobalFlagsSet | (EMPTY) |
CriticalSectionDefaultTimeout | 0 |
DeCommitFreeBlockThreshold | 0 |
DeCommitTotalFreeThreshold | 0 |
LockPrefixTable | 0 |
MaximumAllocationSize | 0 |
VirtualMemoryThreshold | 0 |
ProcessAffinityMask | 0 |
ProcessHeapFlags | (EMPTY) |
CSDVersion | 0 |
Reserved1 | 0 |
EditList | 0 |
SecurityCookie | 0x422234 |
SEHandlerTable | 0x420f50 |
SEHandlerCount | 3 |

XOR Key | 0x7eea712c |
---|---|
Unmarked objects | 0 |
ASM objects (VS2008 build 21022) | 19 |
Imports (VS2012 build 50727 / VS2005 build 50727) | 7 |
Total imports | 112 |
C++ objects (VS2008 build 21022) | 48 |
C objects (VS2008 build 21022) | 142 |
Resource objects (VS2008 build 21022) | 1 |