dd4382d225a15dc09f92616131eff983

Summary

Architecture IMAGE_FILE_MACHINE_AMD64
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date 2001-Mar-29 07:16:57
Detected languages English - United States

Plugin Output

Suspicious The PE is packed or was manually edited. The number of imports reported in the RICH header is inconsistent.
Suspicious The PE contains functions most legitimate programs don't use. Functions which can be used for anti-debugging purposes:
  • ZwQuerySystemInformation
Malicious VirusTotal score: 50/69 (Scanned on 2019-05-03 10:05:50) MicroWorld-eScan: Trojan.Generic.8911810
FireEye: Generic.mg.dd4382d225a15dc0
McAfee: BackDoor-FANF!DD4382D225A1
Cylance: Unsafe
AegisLab: Trojan.Win32.Generic.4!c
Alibaba: TrojanSpy:Win64/Ursnif.06716fde
K7GW: Riskware ( 0040eff71 )
K7AntiVirus: Riskware ( 0040eff71 )
Invincea: heuristic
NANO-Antivirus: Trojan.Win64.Kryptik.dwstdc
Symantec: Trojan.Ransomlock.G
TrendMicro-HouseCall: TROJ_GEN.R002C0CJ118
Paloalto: generic.ml
Kaspersky: HEUR:Trojan.Win32.Generic
BitDefender: Trojan.Generic.8911810
SUPERAntiSpyware: Trojan.Agent/Gen-Malaver
Avast: Win32:Kryptik-OCK [Trj]
Rising: Spyware.Ursnif!8.1DEF (CLOUD)
Endgame: malicious (high confidence)
Emsisoft: Trojan.Generic.8911810 (B)
Comodo: Malware@#7cxmn9euyzsb
F-Secure: Heuristic.HEUR/AGEN.1020079
Zillya: Trojan.Kryptik.Win32.741128
TrendMicro: TROJ_GEN.R002C0CJ118
McAfee-GW-Edition: BackDoor-FANF!DD4382D225A1
Trapmine: malicious.high.ml.score
TheHacker: Trojan/Kryptik.bm
SentinelOne: DFI - Suspicious PE
Jiangmin: Trojan/Generic.bcspz
Webroot: W32.Malware.Heur
Avira: HEUR/AGEN.1020079
Fortinet: W64/Kryptik.BM!tr
Antiy-AVL: Trojan/Win32.Unknown
Arcabit: Trojan.Generic.D87FBC2
ZoneAlarm: HEUR:Trojan.Win32.Generic
Microsoft: TrojanSpy:Win64/Ursnif
Sophos: Troj/Papras-N
AhnLab-V3: Trojan/Win64.Ursnif.C973845
VBA32: TrojanSpy.Win64.Ursnif
MAX: malware (ai score=100)
Ad-Aware: Trojan.Generic.8911810
ESET-NOD32: a variant of Win64/Kryptik.BM
Tencent: Win32.Trojan.Generic.Wstn
Yandex: Trojan.Agent!pKlsT9rOMzg
Ikarus: Trojan-Spy.Win64
GData: Trojan.Generic.8911810
AVG: Win32:Kryptik-OCK [Trj]
Panda: Trj/CI.A
CrowdStrike: win/malicious_confidence_80% (D)
Qihoo-360: Win32/Trojan.e6d

Hashes

MD5 dd4382d225a15dc09f92616131eff983
SHA1 e034be1437c85f6a2d7fdd742e690110232e4e74
SHA256 e759f1968bc80583f51e91aba96e1a4af45f2f86a980cc23cf7064853c4e80d6
SHA3 2d5edf3fa32e8d5a56fb57c3a04f844119ff99174c9037364b1dde839b13dae0
SSDeep 768:7u2131OB5l6VvOqRcOtQqFlf05knUw/8KXRQtS4LJUEk2IlPc+vR443h5rTb35u:51O7lqvOIZWu0wU2yM26vG4MfmpL
Imports Hash d6ab3d3fff76c803aced7480ff511915

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0xe8

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_AMD64
NumberofSections 4
TimeDateStamp 2001-Mar-29 07:16:57
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xf0
Characteristics IMAGE_FILE_DEBUG_STRIPPED
IMAGE_FILE_DLL
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_LINE_NUMS_STRIPPED

Image Optional Header

Magic PE32+
LinkerVersion 7.0
SizeOfCode 0xda00
SizeOfInitializedData 0x2c00
SizeOfUninitializedData 0
AddressOfEntryPoint 0x0000000000001690 (Section: .text)
BaseOfCode 0x1000
ImageBase 0x180000000
SectionAlignment 0x1000
FileAlignment 0x200
OperatingSystemVersion 5.1
ImageVersion AA1.0
SubsystemVersion 4.0
Win32VersionValue 0
SizeOfImage 0x15000
SizeOfHeaders 0x400
Checksum 0
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
DllCharacteristics IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
SizeofStackReserve 0x800000
SizeofStackCommit 0x7000
SizeofHeapReserve 0x10000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

.text

MD5 ba758f5f2e5976995103b45c75ea4372
SHA1 3bf7b029447fb81ee0c0c1611ad374643f50f4d0
SHA256 667b99ca84af613ae8f344f3e0910378b6d1c8109e241705ad236f023521ffd2
SHA3 be3acd7ae86db8cad4d70d242c6b96851f9ef408802793bfc5cacd250926929e
VirtualSize 0xda00
VirtualAddress 0x1000
SizeOfRawData 0xda00
PointerToRawData 0x400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
Entropy 6.6807

.data

MD5 2ad0232328ba4329c09da8911af77f76
SHA1 99c30c67a5852885d86645c195d980fb30bf7008
SHA256 66555543d0531fa217d84e822c013342459779ecb8e118d97939df8457156fe5
SHA3 29970fd8033f6e0010129a101a655596d4133bbb88f1cc74c45287ae394fb1bd
VirtualSize 0x2898
VirtualAddress 0xf000
SizeOfRawData 0x2a00
PointerToRawData 0xde00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 7.72365

.rsrc

MD5 409cfa5ba3242835edf7db9cf32116a5
SHA1 2776d6d9c32c8c060f4edb04eee1a298068d7182
SHA256 4a795ccfe537b68e5964a7068f84852478c445d3c9f74e56aefe1e99220164c0
SHA3 8ade42da8abede844c9b9aa7df556572086bfdaf750926397c1630d8e827d408
VirtualSize 0x1000
VirtualAddress 0x12000
SizeOfRawData 0x200
PointerToRawData 0x10800
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 1.78422

.reloc

MD5 86e5ae490a7badf11851fab95d0d12e7
SHA1 52327f283720df74374275512b2d5132b9f1a27b
SHA256 81044968438e903c5f6f37e27c7d0a874d97372582797ad7886a816781a2787d
SHA3 a330e927199f73f6e90da6d027acb28c9a6e2223bad35d32399a78d296d2f406
VirtualSize 0x2000
VirtualAddress 0x13000
SizeOfRawData 0x200
PointerToRawData 0x10a00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Entropy 0.0815394

Imports

KERNEL32.dll CompareStringA
ReadFile
GetConsoleOutputCP
WriteFile
GetDateFormatA
FileTimeToLocalFileTime
GlobalLock
VirtualAlloc
GetCurrentProcess
GetEnvironmentStrings
GetModuleHandleA
GetModuleFileNameA
GetCurrentThreadId
NTDLL.dll ZwQuerySystemInformation

Delayed Imports

CreateProcessNqtify

Ordinal 1
Address 0x1738

GetLogInfo

Ordinal 2
Address 0x8f36

ReadFile

Ordinal 3
Address 0x25f3

OSSnapshotFreeze

Ordinal 4
Address 0x8f79

RegisterCallback

Ordinal 5
Address 0x3955

EndExternalBackupInstance2

Ordinal 6
Address 0x3c25

CreateDatabase2

Ordinal 7
Address 0x48a3

PrepareUpdate

Ordinal 8
Address 0x222e

OpenTable

Ordinal 9
Address 0x3a95

Term

Ordinal 10
Address 0x6124

CloseTable

Ordinal 11
Address 0x474e

UpgradeDatabase

Ordinal 12
Address 0x6f63

Delete

Ordinal 13
Address 0x7e31

AttachDatabase2

Ordinal 14
Address 0x6e8a

MakeKey

Ordinal 15
Address 0x5df7

Init2

Ordinal 16
Address 0x242e

RestoreInstance

Ordinal 17
Address 0x32fe

BackupInstance

Ordinal 18
Address 0x6acf

CloseFile

Ordinal 19
Address 0x2fe4

CreateIndex2

Ordinal 20
Address 0x2f0a

ComputeStats

Ordinal 21
Address 0x7455

GetDatabaseFileInfo

Ordinal 22
Address 0x4d11

DBUtilities

Ordinal 23
Address 0x7621

Defragment2

Ordinal 24
Address 0x6259

GetSecondaryIndexBookmark

Ordinal 25
Address 0x8092

GetInstanceInfo

Ordinal 26
Address 0x6792

StopBackup

Ordinal 27
Address 0x3dfc

Defragment

Ordinal 28
Address 0x26dc

AddColumn

Ordinal 29
Address 0x7f95

SetSystemParameter

Ordinal 30
Address 0x6238

Backup

Ordinal 31
Address 0x3787

SetColumn

Ordinal 32
Address 0x3e3c

StopBackupInstance

Ordinal 33
Address 0x5944

Init3

Ordinal 34
Address 0x450c

Move

Ordinal 35
Address 0x141a

EnumerateColumns

Ordinal 36
Address 0x1585

GetTableIndexInfo

Ordinal 37
Address 0x1c07

ResetSessionContext

Ordinal 38
Address 0x12bb

TruncateLogInstance

Ordinal 39
Address 0x74ce

DeleteTable

Ordinal 40
Address 0x27a6

SetCurrentIndex4

Ordinal 41
Address 0x734a

EndSession

Ordinal 42
Address 0x7318

CreateDatabaseWithStreaming

Ordinal 43
Address 0x6903

GetObjectInfo

Ordinal 44
Address 0x6ff2

GetCounter

Ordinal 45
Address 0x2dff

DupSession

Ordinal 46
Address 0x6d98

GetBookmark

Ordinal 47
Address 0x7cdb

AttachDatabaseWithStreaming

Ordinal 48
Address 0x6ca2

RenameTable

Ordinal 49
Address 0x551a

SetColumns

Ordinal 50
Address 0x33d5

GetCurrentIndex

Ordinal 51
Address 0x57bc

OpenTempTable2

Ordinal 52
Address 0x3151

BeginSession

Ordinal 53
Address 0x5212

BeginExternalBackupInstance

Ordinal 54
Address 0x7c0b

CloseDatabase

Ordinal 55
Address 0x6ad2

Update

Ordinal 56
Address 0x897e

OpenTempTable3

Ordinal 57
Address 0x2567

GetDatabaseInfo

Ordinal 58
Address 0x6b9e

CreateIndex

Ordinal 59
Address 0x2f8a

BeginTransaction2

Ordinal 60
Address 0x2b0e

Rollback

Ordinal 61
Address 0x2d16

1

Type RT_VERSION
Language English - United States
Codepage UNKNOWN
Size 0xdc
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 3.01487
MD5 4fab39fb5a527e2cbb8edd2cc0b99dac
SHA1 8910c7a7cc6de28d139cb526394e3f282db23ecb
SHA256 463a399e5cfeda71a8eb4506f4f6264788c9fcd6f3c3b80297d04457f92e633d
SHA3 9dc9c84f6723f1e6632924ae2a405e34e45b8957645e6e1fa83786e7256f7205

Version Info

Signature 0xfeef04bd
StructVersion 0x10000
FileVersion 7.6.2.0
ProductVersion 7.6.2.0
FileFlags (EMPTY)
FileOs VOS_DOS_WINDOWS32
VOS_NT
VOS_NT_WINDOWS32
VOS_WINCE
VOS__WINDOWS32
FileType VFT_APP
Language English - United States
Resource LangID English - United States

TLS Callbacks

Load Configuration

RICH Header

XOR Key 0xa55ba91b
Unmarked objects 0
117 (16192) 4
Total imports 1
105 (12641) 3
36 (1509) 3
181 (5045) 1
177 (705) 3
151 (12709) 3
Linker (VS2003 (.NET) build 4035) 4

Errors