dca162879895c95f5a14399535730395

Summary

Architecture IMAGE_FILE_MACHINE_I386
Subsystem IMAGE_SUBSYSTEM_WINDOWS_CUI
Compilation Date 2021-Apr-19 00:16:33
Detected languages English - United States

Plugin Output

Info Matching compiler(s): Microsoft Visual C++ 6.0 - 8.0
Info The PE contains common functions which appear in legitimate applications. [!] The program may be hiding some of its imports:
  • GetProcAddress
  • LoadLibraryExW
 Can create temporary files:
  • GetTempPathW
  • CreateFileW
 Has Internet access capabilities:
  • InternetOpenW
  • InternetCloseHandle
  • InternetConnectW
 Enumerates local disk drives:
  • GetVolumeInformationW
Malicious VirusTotal score: 11/70 (Scanned on 2023-05-11 19:51:36) CrowdStrike: win/malicious_confidence_100% (W)
Elastic: malicious (high confidence)
Cynet: Malicious (score: 100)
APEX: Malicious
F-Secure: Heuristic.HEUR/AGEN.1319135
FireEye: Generic.mg.dca162879895c95f
Webroot: W32.Malware.Gen
Avira: HEUR/AGEN.1319135
VBA32: suspected of Trojan.Downloader.gen
MaxSecure: Trojan.Malware.300983.susgen
BitDefenderTheta: Gen:NN.ZexaF.36196.huW@aiOUqPgi

Hashes

MD5 dca162879895c95f5a14399535730395
SHA1 8a87bc82625a74a3883a698ddaa88d95daabb7c3
SHA256 1073625d91f97076db2b7e247bc453fc46b5886db48f4cadec2ae6d1e5f5ac7d
SHA3 fa54c7e8c3342b09fb918f51814bfb650d5259461ab2089d8298b7c08d6cc34d
SSDeep 3072:yxS0pOowJQVvKkLqcAgTwRGdhswjBdbmGflVl8ZE2uhSw0G0VZv96TtmjbV:SkFJQYjswRG39mAVQuhSX5Zv3jbV
Imports Hash 53d57cde68f1d4548981003b5d60f9f5

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0x110

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_I386
NumberofSections 5
TimeDateStamp 2021-Apr-19 00:16:33
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xe0
Characteristics IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE

Image Optional Header

Magic PE32
LinkerVersion 14.0
SizeOfCode 0x16200
SizeOfInitializedData 0x9800
SizeOfUninitializedData 0
AddressOfEntryPoint 0x00001FD2 (Section: .text)
BaseOfCode 0x1000
BaseOfData 0x18000
ImageBase 0x400000
SectionAlignment 0x1000
FileAlignment 0x200
OperatingSystemVersion 6.0
ImageVersion 0.0
SubsystemVersion 6.0
Win32VersionValue 0
SizeOfImage 0x24000
SizeOfHeaders 0x400
Checksum 0
Subsystem IMAGE_SUBSYSTEM_WINDOWS_CUI
DllCharacteristics IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
SizeofStackReserve 0x100000
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

.text

MD5 73074a7d51f0dad56a458d255eff32be
SHA1 f984f107194a864f4e0ae21a202e24854c8b259c
SHA256 efa733fffc853516e330e482fffe6101707ca5c880b05fc4d7f53a98a21ce0b8
SHA3 4b500a378773bc9927a3c29cf51f7d33d6609929f7ce6bbcaee715d93a2c4a22
VirtualSize 0x16073
VirtualAddress 0x1000
SizeOfRawData 0x16200
PointerToRawData 0x400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
Entropy 6.63963

.rdata

MD5 5d822baf22f06d67deee59dce913a8c9
SHA1 83930c84dcb8e93f32d6899ed433391661338a3b
SHA256 e3826ac79dabca99109c8265586e0b2e8db3ef2b1c4a49a12a0de3432a14c39c
SHA3 71296ba935c2381e09aa9ab580dd2ed51a0224d34b214158f8278f6877b4ef3d
VirtualSize 0x6c10
VirtualAddress 0x18000
SizeOfRawData 0x6e00
PointerToRawData 0x16600
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 5.20535

.data

MD5 dcd9fcd9f967bbd39a5b29d5457c6b30
SHA1 672702244f53786736b5f90a1613f3062ba88c92
SHA256 81db8922c6102c0a4b810c0745ae43bcea1685949f09c4147e8235777ede0dcc
SHA3 defb66e2e46660768f85de4edfd65983e300e53d7e2ad5951dbdad3a112312b9
VirtualSize 0x1464
VirtualAddress 0x1f000
SizeOfRawData 0xa00
PointerToRawData 0x1d400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 1.91435

.rsrc

MD5 0381d5c32fe99c362eb31d4a44fa82fd
SHA1 cb864f1693e51b9d409e02558a0c8539a4727923
SHA256 9ba3d60c4336705293286d0926d13fd70cfa903c819853856e41b528dd4bd702
SHA3 2090feb6a61489e0dc041e0de7bbb1cba903e3d4e44fd30e67a302cccaf369a0
VirtualSize 0x1e0
VirtualAddress 0x21000
SizeOfRawData 0x200
PointerToRawData 0x1de00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 4.71768

.reloc

MD5 d017c29c1bf355c8ce4c649d6cf448ad
SHA1 c833275c6f392264a4816f905334d64634bb8747
SHA256 23d9e7543eab1528652164ff7b45fa6f08fc9d0004914e92e97a098fe8da9df2
SHA3 bf93ad825adc8d89c96e4e8a87c30737de0658f32298c0ece40e1ba251de83d6
VirtualSize 0x1104
VirtualAddress 0x22000
SizeOfRawData 0x1200
PointerToRawData 0x1e000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Entropy 6.3999

Imports

KERNEL32.dll Sleep
GetLastError
GetTempPathW
CloseHandle
GetSystemTime
WriteConsoleW
DeleteFileW
CreateMutexA
GetVolumeInformationW
SetEndOfFile
ReadConsoleW
ReadFile
HeapReAlloc
HeapSize
CreateFileW
SetFilePointerEx
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetCurrentProcess
TerminateProcess
IsProcessorFeaturePresent
QueryPerformanceCounter
GetCurrentProcessId
GetCurrentThreadId
GetSystemTimeAsFileTime
InitializeSListHead
IsDebuggerPresent
GetStartupInfoW
GetModuleHandleW
RtlUnwind
SetLastError
EnterCriticalSection
LeaveCriticalSection
DeleteCriticalSection
InitializeCriticalSectionAndSpinCount
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
FreeLibrary
GetProcAddress
LoadLibraryExW
RaiseException
GetTimeZoneInformation
GetStdHandle
WriteFile
GetModuleFileNameW
ExitProcess
GetModuleHandleExW
GetCommandLineA
GetCommandLineW
HeapFree
HeapAlloc
WideCharToMultiByte
GetCPInfo
MultiByteToWideChar
CompareStringW
LCMapStringW
GetFileType
FindClose
FindFirstFileExW
FindNextFileW
IsValidCodePage
GetACP
GetOEMCP
GetEnvironmentStringsW
FreeEnvironmentStringsW
SetEnvironmentVariableW
SetStdHandle
GetStringTypeW
GetProcessHeap
FlushFileBuffers
GetConsoleCP
GetConsoleMode
GetFileSizeEx
DecodePointer
DNSAPI.dll DnsQuery_W
WININET.dll HttpSendRequestW
HttpQueryInfoW
InternetOpenW
HttpOpenRequestW
InternetCloseHandle
InternetConnectW

Delayed Imports

?SecondStageDownloader@@YAXXZ

Ordinal 1
Address 0x1c50

?connection_init@@YAXXZ

Ordinal 2
Address 0x1c40

?decrypt_payload@@YAXXZ

Ordinal 3
Address 0x1c40

?domainLookup@@YAXXZ

Ordinal 4
Address 0x1c40

?encrypt_payload@@YAXXZ

Ordinal 5
Address 0x1c40

?scramble@@YAXXZ

Ordinal 6
Address 0x1c40

?uninstall@@YAXXZ

Ordinal 7
Address 0x1c40

1

Type RT_MANIFEST
Language English - United States
Codepage UNKNOWN
Size 0x17d
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 4.91161
MD5 1e4a89b11eae0fcf8bb5fdd5ec3b6f61
SHA1 4260284ce14278c397aaf6f389c1609b0ab0ce51
SHA256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df
SHA3 4bb9e8b5a714cae82782f3831cc2d45f4bf4a50a755fe584d2d1893129d68353

Version Info

IMAGE_DEBUG_TYPE_POGO

Characteristics 0
TimeDateStamp 2021-Apr-19 00:16:33
Version 0.0
SizeofData 672
AddressOfRawData 0x1dbcc
PointerToRawData 0x1c1cc

IMAGE_DEBUG_TYPE_ILTCG

Characteristics 0
TimeDateStamp 2021-Apr-19 00:16:33
Version 0.0
SizeofData 0
AddressOfRawData 0
PointerToRawData 0

TLS Callbacks

Load Configuration

Size 0xbc
TimeDateStamp 1970-Jan-01 00:00:00
Version 0.0
GlobalFlagsClear (EMPTY)
GlobalFlagsSet (EMPTY)
CriticalSectionDefaultTimeout 0
DeCommitFreeBlockThreshold 0
DeCommitTotalFreeThreshold 0
LockPrefixTable 0
MaximumAllocationSize 0
VirtualMemoryThreshold 0
ProcessAffinityMask 0
ProcessHeapFlags (EMPTY)
CSDVersion 0
Reserved1 0
EditList 0
SecurityCookie 0x41f004
SEHandlerTable 0x41dbc0
SEHandlerCount 3

RICH Header

XOR Key 0x690369a3
Unmarked objects 0
ASM objects (VS2017 v14.15 compiler 26715) 10
C++ objects (VS2017 v14.15 compiler 26715) 150
C objects (VS2017 v14.15 compiler 26715) 18
C++ objects (VS 2015/2017/2019 runtime 29118) 37
C objects (VS 2015/2017/2019 runtime 29118) 17
ASM objects (VS 2015/2017/2019 runtime 29118) 19
Imports (VS2017 v14.15 compiler 26715) 7
Total imports 95
C++ objects (LTCG) (VS2019 Update 8 (16.8.2) compiler 29334) 1
Exports (VS2019 Update 8 (16.8.2) compiler 29334) 1
Resource objects (VS2019 Update 8 (16.8.2) compiler 29334) 1
Linker (VS2019 Update 8 (16.8.2) compiler 29334) 1

Errors

<-- -->