dd193b5a1353c93124db34d067747a26

Summary

Architecture IMAGE_FILE_MACHINE_I386
Subsystem IMAGE_SUBSYSTEM_WINDOWS_CUI
Compilation Date 2023-Oct-17 12:50:23
Detected languages English - United States

Plugin Output

Info Matching compiler(s): Microsoft Visual C++ 6.0 - 8.0
Suspicious The PE contains functions most legitimate programs don't use.
  [!] The program may be hiding some of its imports:
  • GetProcAddress
  • LoadLibraryA
  Memory manipulation functions often used by packers:
  • VirtualProtect
  • VirtualAlloc
Suspicious The file contains overlay data. 15490048 bytes of data starting at offset 0x3a400.
  Overlay data accounts for 98.4831% of the executable.
Malicious VirusTotal score: 27/72 (Scanned on 2023-10-17 13:59:16)
APEX: Malicious
AVG: PWSX-gen [Trj]
AhnLab-V3: Malware/Win.Generic.C5513027
Avast: PWSX-gen [Trj]
BitDefenderTheta: Gen:NN.ZexaE.36738.@tZ@aiNN@Hci
Bkav: W32.AIDetectMalware
CrowdStrike: win/malicious_confidence_90% (D)
Cybereason: malicious.15b6ff
Cylance: unsafe
Cynet: Malicious (score: 100)
DeepInstinct: MALICIOUS
ESET-NOD32: a variant of Win32/Kryptik.HTUK
Elastic: malicious (high confidence)
FireEye: Generic.mg.dd193b5a1353c931
GData: Win32.Trojan.PSE.11AU12L
Google: Detected
Ikarus: Trojan-Spy.Cinoshi
Jiangmin: TrojanDownloader.Deyma.arb
K7AntiVirus: Trojan ( 005a9f911 )
K7GW: Trojan ( 005a9f911 )
Microsoft: Trojan:Win32/Sabsik.FL.B!ml
Rising: Backdoor.Agent!8.C5D (TFE:5:2amkDsTMsKK)
Sangfor: Trojan.Win32.Save.a
SentinelOne: Static AI - Malicious PE
Sophos: ML/PE-A
Symantec: ML.Attribute.HighConfidence
Trapmine: malicious.high.ml.score

Hashes

MD5 dd193b5a1353c93124db34d067747a26
SHA1 5411fa815b6ff8f3303db7916372bee026ff87a7
SHA256 3e2c6cd39b3b01c8f0c7707917e20f77d3d06dd4efc04cee4ccdf4885b02156c
SHA3 fa8d406f8ddea54537e8601e919c40327847246de26ada8d824a203d24a86dd7
SSDeep 3072:fa6x7AVW86PFJNNwtYSYOEyhzuMkj0SHnKyWkVuwC4NoeA7d7u1epKpK:fpsVYHPwyqzO4SHnTWkVnC4NoLpcGKY
Imports Hash d9695adf5088d4aed8e28d82cde0c102

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0xe8

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_I386
NumberofSections 4
TimeDateStamp 2023-Oct-17 12:50:23
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xe0
Characteristics IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_RELOCS_STRIPPED

Image Optional Header

Magic PE32
LinkerVersion 9.0
SizeOfCode 0x12000
SizeOfInitializedData 0x28c00
SizeOfUninitializedData 0
AddressOfEntryPoint 0x00008F80 (Section: .text)
BaseOfCode 0x1000
BaseOfData 0x13000
ImageBase 0x400000
SectionAlignment 0x1000
FileAlignment 0x200
OperatingSystemVersion 5.0
ImageVersion 0.0
SubsystemVersion 5.0
Win32VersionValue 0
SizeOfImage 0x3d000
SizeOfHeaders 0x400
Checksum 0
Subsystem IMAGE_SUBSYSTEM_WINDOWS_CUI
DllCharacteristics IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
SizeofStackReserve 0x100000
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

.text

MD5 61f38ffdcfafc69aa46e93e71d061b4f
SHA1 50a6a58d5ffb27b9cb4e09313292fa5f96f5ca8c
SHA256 63f96a7c21f7f97ac2f6a81bbfc0d00c85a33e193814269e39b4b631ef17681c
SHA3 b78f46fe0baeed90be7f45dcfafedf651335b90c8a34d1bf3a5fb99ba0bbcc87
VirtualSize 0x11ecf
VirtualAddress 0x1000
SizeOfRawData 0x12000
PointerToRawData 0x400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
Entropy 6.85584

.rdata

MD5 8e023ec97f3112befa1c71b4268c9b61
SHA1 9e5485e8f870947c70c09dd900cfdfa373d2f9c5
SHA256 825c0163c8d0019364eaf1520e129b6cc85beeb99926cd71fe5b0a4be4eac9d2
SHA3 b0797f4863f208b9d1f2817a204f788ce4743b3e2d11d37d00fd1af3d74e5aad
VirtualSize 0x4964
VirtualAddress 0x13000
SizeOfRawData 0x4a00
PointerToRawData 0x12400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 5.49534

.data

MD5 3d88e118fa3c1e1e62e0e54db0a2cb07
SHA1 c6ea38b7ed54e5cadbd2b86042fa8e6d2f5a2ed3
SHA256 eaa2444a41251357bc277967b48313ac4cc7e63dfb1728b07f538757d806ea24
SHA3 e6868b7917cfc9aa2e99217df355d1989f51ea8866a4f282acd2bf07087ee15e
VirtualSize 0x1c58
VirtualAddress 0x18000
SizeOfRawData 0x1200
PointerToRawData 0x16e00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 3.60392

.rsrc

MD5 0c79815917fa960251b9187f8fbe7253
SHA1 70cfef132096cc89df5d4af086f96c18a68a38cb
SHA256 59e5ccec7cbd54f74385b0e133a53ed71b822aa3a3232f2ceb5852236127a95f
SHA3 1439eb05b498b2a66e4a3603a3f99053287dbbcd06b7a0e8cd0db116827a40f6
VirtualSize 0x22260
VirtualAddress 0x1a000
SizeOfRawData 0x22400
PointerToRawData 0x18000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 5.95364

Imports

KERNEL32.dll WaitForSingleObject
Sleep
CreateThread
lstrlenW
VirtualProtect
GetProcAddress
LoadLibraryA
VirtualAlloc
LockResource
LoadResource
SizeofResource
FindResourceW
GetModuleHandleW
GetModuleHandleA
EnumSystemCodePagesW
FreeConsole
GetLastError
HeapFree
HeapAlloc
RtlUnwind
RaiseException
GetCommandLineA
HeapCreate
VirtualFree
DeleteCriticalSection
LeaveCriticalSection
EnterCriticalSection
HeapReAlloc
ExitProcess
WriteFile
GetStdHandle
GetModuleFileNameA
TlsGetValue
TlsAlloc
TlsSetValue
TlsFree
InterlockedIncrement
SetLastError
GetCurrentThreadId
InterlockedDecrement
TerminateProcess
GetCurrentProcess
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
FreeEnvironmentStringsA
GetEnvironmentStrings
FreeEnvironmentStringsW
WideCharToMultiByte
GetEnvironmentStringsW
SetHandleCount
GetFileType
GetStartupInfoA
QueryPerformanceCounter
GetTickCount
GetCurrentProcessId
GetSystemTimeAsFileTime
GetCPInfo
GetACP
GetOEMCP
IsValidCodePage
InitializeCriticalSectionAndSpinCount
HeapSize
LCMapStringA
MultiByteToWideChar
LCMapStringW
GetStringTypeA
GetStringTypeW
GetLocaleInfoA
USER32.dll GetWindowTextLengthW

Delayed Imports

Resources

5

Type RT_RCDATA
Language English - United States
Codepage UNKNOWN
Size 0x22200
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 5.94754
MD5 98329cc43837b01c43cc471687a31e91
SHA1 3f9406e0c3d8eda93ce1c1e3c115ed1c9513659f
SHA256 d605f594bc0c9033d258ba59e1cf01a492faebaa2a27a22afe690a9d6590a994
SHA3 bde97229f519dc0b90bb022a0eaa0cf73a54cb7f9c65b52b74d5362c0b2ab392

Version Info

TLS Callbacks

Load Configuration

RICH Header

XOR Key 0x30856e6e
Unmarked objects 0
ASM objects (VS2008 build 21022) 20
C objects (VS2008 build 21022) 89
C++ objects (VS2008 build 21022) 39
Imports (VS2012 build 50727 / VS2005 build 50727) 2
Imports (VS2003 (.NET) build 4035) 3
Total imports 86
C++ objects (VS2008 SP1 build 30729) 1
Linker (VS2008 build 21022) 1
Resource objects (VS2008 SP1 build 30729) 1

Errors

[*] Warning: Yara callback received an unhandled message (6).