dcd68e3b83518dd62c854b26dd33044f

Summary

Architecture IMAGE_FILE_MACHINE_I386
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date 2009-Jul-23 08:54:42
Detected languages Process Default Language

Plugin Output

Info Matching compiler(s): Microsoft Visual C++ 6.0 - 8.0
Microsoft Visual C++
Microsoft Visual C++ v6.0
Suspicious Strings found in the binary may indicate undesirable behavior: Looks for Qemu presence:
  • QEmU
Info Cryptographic algorithms detected in the binary: Uses constants related to CRC32
Malicious The PE contains functions mostly used by malware. [!] The program may be hiding some of its imports:
  • LoadLibraryExA
  • LoadLibraryA
  • GetProcAddress
Functions which can be used for anti-debugging purposes:
  • FindWindowA
Code injection capabilities (PowerLoader):
  • FindWindowA
  • GetWindowLongA
Can access the registry:
  • RegQueryValueExA
  • RegOpenKeyExA
  • RegDeleteValueA
  • RegQueryInfoKeyA
  • RegEnumKeyExA
  • RegCloseKey
  • RegSetValueExA
  • RegCreateKeyExA
Possibly launches other programs:
  • CreateProcessA
  • ShellExecuteA
Can create temporary files:
  • GetTempPathA
  • CreateFileA
Functions related to the privilege level:
  • DuplicateToken
  • OpenProcessToken
  • AdjustTokenPrivileges
Enumerates local disk drives:
  • GetLogicalDriveStringsA
  • GetDriveTypeA
Can take screenshots:
  • FindWindowA
  • GetDC
  • CreateCompatibleDC
  • BitBlt
Can shut the system down or lock the screen:
  • ExitWindowsEx
Suspicious The file contains overlay data. 28541317 bytes of data starting at offset 0x31600.
The overlay data has an entropy of 7.99992 and is possibly compressed or encrypted.
Overlay data accounts for 99.2964% of the executable.
Suspicious No VirusTotal score. This file has never been scanned on VirusTotal.

Hashes

MD5 dcd68e3b83518dd62c854b26dd33044f
SHA1 cf0b0a43dccf7f3a4a64437d58fb7ba913e40754
SHA256 c7518e4415f9520d8ac457ae75f0f29ed91f1b1e3f10f20282320ce7828c290b
SHA3 b3b8eaae889c795c09d60a9c7cf988a23caa0b7ef0c49012eda7dcb10d43eeb2
SSDeep 786432:5zzegYbxztW47mMyiWFbZl7a8m2wP6bhBe4uHGPFp:peg6htWH7/7a8bwP6bhk4uGX
Imports Hash 6a8c517136f230ad3ae17fece9173e61

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0xf8

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_I386
NumberofSections 4
TimeDateStamp 2009-Jul-23 08:54:42
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xe0
Characteristics IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_NET_RUN_FROM_SWAP
IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_REMOVABLE_RUN_FROM_SWAP

Image Optional Header

Magic PE32
LinkerVersion 6.0
SizeOfCode 0x2a600
SizeOfInitializedData 0x58600
SizeOfUninitializedData 0
AddressOfEntryPoint 0x00028E02 (Section: .text)
BaseOfCode 0x1000
BaseOfData 0x2c000
ImageBase 0x400000
SectionAlignment 0x1000
FileAlignment 0x200
OperatingSystemVersion 4.0
ImageVersion 6.0
SubsystemVersion 4.0
Win32VersionValue 0
SizeOfImage 0x86000
SizeOfHeaders 0x400
Checksum 0
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
SizeofStackReserve 0x100000
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

.text

MD5 30fc2ffb20f83fd993942f27b8c89d35
SHA1 412db23aeb928e013b62ef602526460100e8b45a
SHA256 5317a466124b9bad62ad40778e4d747a78d21ce5abb8b1dc31c84b576d7f0ecf
SHA3 38c4a49cd28ef750fe9b8ca77ceac663e15b92e9eccf77c23ca9db71dd99a871
VirtualSize 0x2a507
VirtualAddress 0x1000
SizeOfRawData 0x2a600
PointerToRawData 0x400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
Entropy 6.60662

.rdata

MD5 3ab9a34f086c7bcc861f170b4a1dc548
SHA1 d1e3fb6ad41792cb1bbc52149bf4c5ecc1e16276
SHA256 b48b89bc6b61a00ffc2ede13c0c4708f111399124df1d1b09df156cd7808dfba
SHA3 728cc9531d382f165ce41480e6cac89c9dbf73297fbb8cb8fe810d9f208fa7b7
VirtualSize 0x247a
VirtualAddress 0x2c000
SizeOfRawData 0x2600
PointerToRawData 0x2aa00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 5.63958

.data

MD5 961beca59dab6091c0bec2019f44d7d0
SHA1 993c7de3f5090611e02531805c55f58877657cf3
SHA256 bb9f9145e7a89978a5a74b7b371049507af9c74f02e39ff3e5c1329fa1ffa1ef
SHA3 5f24d5d68030b4b8ce6abe53a99d6ec95f2ca4290b72a0e600980ba337d8102e
VirtualSize 0x54d38
VirtualAddress 0x2f000
SizeOfRawData 0x3400
PointerToRawData 0x2d000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 5.60665

.rsrc

MD5 fddb6a43011f069a74b918fb08042a71
SHA1 06ade20d7e47134d9e1df2b55373399368818ec3
SHA256 fc002cdeb9e33c7683db89ff35f1527c28ee85c8acb852ed57982762c860da10
SHA3 0756750df4d9e9778ce2cfd3aef15999561fd4e2886b16fde80c3842afd87f60
VirtualSize 0x10d0
VirtualAddress 0x84000
SizeOfRawData 0x1200
PointerToRawData 0x30400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 4.28327

Imports

KERNEL32.dll GetExitCodeProcess
lstrcpynA
WaitForSingleObject
GetCommandLineA
GetDateFormatA
GetSystemDirectoryA
GetVersionExA
CreateMutexA
GetPrivateProfileIntA
GetPrivateProfileStringA
lstrcmpA
GetSystemTime
LocalFree
LocalAlloc
GetVersion
GetWindowsDirectoryA
GetSystemInfo
GetComputerNameA
SetEndOfFile
LCMapStringA
GetStringTypeW
GetStringTypeA
GetModuleFileNameA
GetACP
GetCPInfo
GetFileType
GetStdHandle
SetHandleCount
GetEnvironmentStringsW
GetEnvironmentStrings
FreeEnvironmentStringsW
FreeEnvironmentStringsA
UnhandledExceptionFilter
HeapSize
HeapReAlloc
VirtualAlloc
VirtualFree
HeapCreate
HeapDestroy
GetStartupInfoA
RtlUnwind
TerminateProcess
HeapAlloc
HeapFree
SetFileTime
GlobalMemoryStatus
GetShortPathNameA
LoadLibraryExA
WritePrivateProfileStringA
WritePrivateProfileSectionA
CreateProcessA
MoveFileExA
GetCurrentProcess
ExitProcess
WideCharToMultiByte
RemoveDirectoryA
GetFileTime
VerLanguageNameA
CompareFileTime
MoveFileA
CopyFileA
GetFileSize
DeviceIoControl
GetLogicalDriveStringsA
FreeLibrary
GetCurrentDirectoryA
SetCurrentDirectoryA
SetErrorMode
MultiByteToWideChar
SetFileAttributesA
GetTempPathA
GetFileAttributesA
CreateDirectoryA
GetLocaleInfoA
FindFirstFileA
lstrcmpiA
FindNextFileA
LCMapStringW
FindClose
GetDriveTypeA
lstrcatA
GetModuleHandleA
LoadLibraryA
GetProcAddress
GetTickCount
Sleep
GetCurrentThread
QueryPerformanceFrequency
QueryPerformanceCounter
GetThreadPriority
SetThreadPriority
GlobalReAlloc
GlobalUnlock
GlobalFree
GlobalAlloc
GlobalLock
GetUserDefaultLangID
MulDiv
lstrlenA
GetLastError
FormatMessageA
WriteFile
ReadFile
lstrcpyA
SetFilePointer
CreateFileA
CloseHandle
GetOEMCP
DeleteFileA
USER32.dll IsIconic
RegisterClassW
RegisterClassA
SetRectEmpty
CharUpperA
ExitWindowsEx
PeekMessageA
MsgWaitForMultipleObjects
GetMessageA
TranslateMessage
OffsetRect
FillRect
SetWindowPos
GetActiveWindow
EndDialog
EnableWindow
LoadBitmapA
CreateDialogParamA
PostMessageA
SendDlgItemMessageW
SetDlgItemTextA
CallWindowProcA
IsWindowEnabled
GetSystemMetrics
FindWindowA
RegisterClassExW
CreateWindowExW
GetClassInfoExA
RegisterClassExA
GetClientRect
SetTimer
IsWindowVisible
PtInRect
SetCursor
InvalidateRect
GetDlgItemTextA
PostQuitMessage
LoadIconA
LoadImageA
GetSysColor
KillTimer
GetWindowTextLengthA
WaitMessage
IsDialogMessageA
MessageBoxA
MessageBoxW
CopyRect
SetWindowTextW
DrawEdge
SendDlgItemMessageA
GetDlgItem
ReleaseDC
GetDC
DestroyWindow
DefWindowProcA
EnumDisplaySettingsA
SendMessageW
GetClassInfoExW
DefWindowProcW
GetWindowRect
GetDesktopWindow
SystemParametersInfoA
GetFocus
GetWindowLongA
GetWindowTextA
DrawTextA
SetForegroundWindow
DialogBoxParamA
SendMessageA
ScreenToClient
DrawFocusRect
CreateWindowExA
SetWindowLongA
MoveWindow
SetFocus
GetSystemMenu
DeleteMenu
AppendMenuA
ShowWindow
SetWindowTextA
LoadCursorA
GetCursorPos
DispatchMessageA
GDI32.dll SetMapMode
SetViewportOrgEx
RestoreDC
StartDocA
StartPage
EndPage
EndDoc
RemoveFontResourceA
CreateScalableFontResourceA
AddFontResourceA
CreatePalette
CreateDIBitmap
CreateBitmap
GetTextExtentPoint32W
TextOutW
StretchDIBits
CreateCompatibleBitmap
SetBkColor
CreateCompatibleDC
GetStockObject
CreateSolidBrush
SetTextColor
GetTextExtentPoint32A
TextOutA
SetBkMode
SelectObject
CreateFontA
GetDeviceCaps
BitBlt
DeleteDC
SaveDC
SetTextAlign
DeleteObject
comdlg32.dll PrintDlgA
GetOpenFileNameA
ADVAPI32.dll SetSecurityDescriptorDacl
RegQueryValueExA
RegOpenKeyExA
RegDeleteValueA
RegQueryInfoKeyA
RegEnumKeyExA
OpenThreadToken
DuplicateToken
AllocateAndInitializeSid
InitializeSecurityDescriptor
GetLengthSid
InitializeAcl
AddAccessAllowedAce
RegCloseKey
SetSecurityDescriptorGroup
SetSecurityDescriptorOwner
IsValidSecurityDescriptor
AccessCheck
FreeSid
GetUserNameA
RegSetValueExA
RegCreateKeyExA
OpenProcessToken
LookupPrivilegeValueA
AdjustTokenPrivileges
SHELL32.dll SHChangeNotify
ShellExecuteExA
SHFileOperationA
SHBrowseForFolderA
SHGetPathFromIDListA
SHGetMalloc
ShellExecuteA
SHGetSpecialFolderLocation
ole32.dll CoCreateInstance
CoUninitialize
OleInitialize
OleUninitialize
CoInitialize
OLEAUT32.dll #161
#163
WINMM.dll midiOutGetNumDevs
joyGetPos
waveOutGetNumDevs
COMCTL32.dll ImageList_Create
ImageList_Add
#17
VERSION.dll GetFileVersionInfoSizeA
GetFileVersionInfoA
VerQueryValueA

Delayed Imports

2

Type RT_CURSOR
Language Process Default Language
Codepage UNKNOWN
Size 0x134
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 2.59572
MD5 5eda44171a239586bd6adce2d8692994
SHA1 125f95574828cf9910c3ac70a3bca98004bf2c29
SHA256 dc72b2c4e8fe887c26fb57c00eb21139f7799e297bdf74b2b4db3474fee90509
SHA3 9f38c6942e31c4c34bc6a541bdc7e5db204e698722ee904bd0d9f415df00f315

127

Type RT_BITMAP
Language Process Default Language
Codepage UNKNOWN
Size 0x1d4
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 3.4905
MD5 86302956a7e6a46262e449697995be4e
SHA1 6e5af57ffa4049952874984a3dd93cb320ab25f9
SHA256 72848a9db7e29a4671343bd2f2830fbce13835f1d6530427734d7ea45116208f
SHA3 13afddd4938eb7b5f932353fabd27e9a6ecded24cc876e1310c1276bd228c8b2

1

Type RT_ICON
Language Process Default Language
Codepage UNKNOWN
Size 0x2e8
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 3.49439
MD5 1c939cd27f43766a88390bb51166736b
SHA1 8acc0235bdf3b51061802a3c6da9520172691a8e
SHA256 6f07b81878ae14770e9759882dbd96fa4e2bf3fe7525fbcabf8b84a3d14870a5
SHA3 35aa14d8aa432c19a3462a5307397f08a195674019c88c3d66932e77f0c95957

18

Type RT_DIALOG
Language Process Default Language
Codepage UNKNOWN
Size 0xf0
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 3.26469
MD5 07c6ad7eb1fba27875e07316bf7ccdbc
SHA1 45232d59cc89c452d72b43b42f5839f10d494a77
SHA256 a767c603eaa3b4f1910673447ab41b035a4e81999b4de7b21ccb4dd9e5a1e790
SHA3 de2e278dea74c29bccb271539d442a3622399933f9fb885a6286bd2fd20c5359

114

Type RT_DIALOG
Language Process Default Language
Codepage UNKNOWN
Size 0x1e0
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 3.41754
MD5 0e23649a47a12b2ba53353f2dd88f1f9
SHA1 e87dc6acea7bb0a7de1a830830efa7bf38d977c2
SHA256 50e8be1c9c233802873b90278af2dca3c7b9d4038e7ed7ef5e819a9faf864e3a
SHA3 24e63b42c3c12ecb633fb2b9df26696ba29b919bb9ba4240642b6938b42bb1d0

138

Type RT_DIALOG
Language Process Default Language
Codepage UNKNOWN
Size 0xa6
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 2.69978
MD5 fa55835de496a4232ad49d9b9401f4d3
SHA1 e511943697cd9d379d23ce9ea7abaec05e68763c
SHA256 388ffe294d6ead69d527f10edfcb26e73c7f60921c96ceb0346497cf74b33cc6
SHA3 815ac7f0f6bd9ac55fb0a3d67c25cfe93ce0f5e59e19ad231a9757ee0b55d7f0

154

Type RT_DIALOG
Language Process Default Language
Codepage UNKNOWN
Size 0xb6
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 3.02015
MD5 3b0eced673a8a4c24c846ddc72367159
SHA1 25b1ec83820778e223ce01ece4cf0e88fca729c1
SHA256 ad52b410226d1c18f993de6a9b45bf19758921674595ad8ef55b8361ba99c359
SHA3 0fbc10504fe80c09a668bd6a202d05bdfc0febb2f6ac0a291123ac693bf5d6e6

152

Type RT_GROUP_CURSOR
Language Process Default Language
Codepage UNKNOWN
Size 0x14
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 1.91924
Detected Filetype Cursor file
MD5 aff0f5e372bd49ceb9f615b9a04c97df
SHA1 e3205724d7ee695f027ab5ea8d8e1a453aaad0dd
SHA256 b07e022f8ef0a8e5fd3f56986b2e5bf06df07054e9ea9177996b0a6c27d74d7c
SHA3 9cb042121a5269b80d18c3c5a94c0e453890686aedade960097752377dfa9712

2000

Type RT_GROUP_ICON
Language Process Default Language
Codepage UNKNOWN
Size 0x14
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 2.16096
Detected Filetype Icon file
MD5 42cf62b780813706e75fb9f2b2e8c258
SHA1 a022d5c1cfdd8aace0089f3e72f2eedd41bda464
SHA256 a0c9d012e2bf6b2fe05c2d97cb5594d97cf2f539e97935c12abd7a3562f4d9bf
SHA3 0aafc8e3d8b6bde595537da4ffe0efc5fe53f01dafe336a2a5828b6a71283d3c

1 (#2)

Type RT_MANIFEST
Language Process Default Language
Codepage UNKNOWN
Size 0x3d2
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 4.8344
MD5 c1dd50829f70c46ca0c88ac975f08b24
SHA1 5590e7003bcab9003b624413469b591fb33fed7c
SHA256 5c812b24ccdacb92c43e0b38bc25822911a36122e2a1e27b17f37440c3017fab
SHA3 5b452658a5954c722d06d7ceb98861e6e81474f2c4ab32a79db39e8258b0f5dd

Version Info

TLS Callbacks

Load Configuration

RICH Header

XOR Key 0xce3250a
Unmarked objects 0
12 (7291) 5
C++ objects (VS98 build 8168) 3
14 (7299) 23
C objects (VS98 build 8168) 45
C++ objects (9178) 1
19 (8022) 4
Unmarked objects (#2) 8
19 (8034) 19
Total imports 276
C++ objects (VC++ 6.0 SP5 imp/exp build 8447) 36
Resource objects (VS98 SP6 cvtres build 1736) 1

Errors
