df5ae09a57543c8f8b30061218469e8c
Summary
| Architecture |
IMAGE_FILE_MACHINE_I386
|
|---|---|
| Subsystem |
IMAGE_SUBSYSTEM_WINDOWS_GUI
|
| Compilation Date | 2019-Aug-06 07:57:19 |
| Detected languages |
English - United Kingdom
|
Plugin Output
| Info | Matching compiler(s): | Microsoft Visual C++ 6.0 - 8.0 |
| Suspicious | Strings found in the binary may indicate undesirable behavior: |
Is an AutoIT compiled script:
|
| Info | Cryptographic algorithms detected in the binary: | Uses constants related to CRC32 |
| Malicious | The PE contains functions mostly used by malware. |
[!] The program may be hiding some of its imports:
|
| Info | The PE's resources present abnormal characteristics. |
Resource CELMHRNBFYLOSJR is possibly compressed or encrypted.
Resource DYS is possibly compressed or encrypted. Resource EJHLYETHBOXTIWGWS is possibly compressed or encrypted. Resource EWGWRTJTFHSJFFMEYNQ is possibly compressed or encrypted. Resource TFBOGPTXCXX is possibly compressed or encrypted. Resource WOQTEFOWINYIEBJH is possibly compressed or encrypted. Resource XKXLCRRDZQRM is possibly compressed or encrypted. Resource ZAXHG is possibly compressed or encrypted. Resource SCRIPT is possibly compressed or encrypted. |
| Malicious | VirusTotal score: 29/66 (Scanned on 2019-08-06 10:16:33) |
MicroWorld-eScan:
AIT:Trojan.Agent.EBPO
Malwarebytes: Trojan.MalPack.AutoIt BitDefender: AIT:Trojan.Agent.EBPO Arcabit: AIT:Trojan.Agent.EBPO ESET-NOD32: a variant of Win32/Injector.Autoit.EEN APEX: Malicious Paloalto: generic.ml Kaspersky: UDS:DangerousObject.Multi.Generic Alibaba: Trojan:AutoIt/AgentTesla.784ebfbf Endgame: malicious (high confidence) DrWeb: Trojan.PWS.Stealer.23680 Invincea: heuristic McAfee-GW-Edition: BehavesLike.Win32.Downloader.tc Trapmine: suspicious.low.ml.score FireEye: Generic.mg.df5ae09a57543c8f Emsisoft: AIT:Trojan.Agent.EBPO (B) Ikarus: Trojan.Autoit Fortinet: AutoIt/Packed.NH!tr Antiy-AVL: GrayWare/Autoit.RunPE.a Microsoft: Trojan:AutoIt/AgentTesla.SZ!MTB ZoneAlarm: UDS:DangerousObject.Multi.Generic AhnLab-V3: Trojan/Win32.RL_AutoInj.R272810 Acronis: suspicious MAX: malware (ai score=86) Ad-Aware: AIT:Trojan.Agent.EBPO Cylance: Unsafe SentinelOne: DFI - Suspicious PE GData: AIT:Trojan.Agent.EBPO (2x) Qihoo-360: HEUR/QVM10.1.0587.Malware.Gen |
Hashes
DOS Header
| e_magic | MZ |
|---|---|
| e_cblp | 0x90 |
| e_cp | 0x3 |
| e_crlc | 0 |
| e_cparhdr | 0x4 |
| e_minalloc | 0 |
| e_maxalloc | 0xffff |
| e_ss | 0 |
| e_sp | 0xb8 |
| e_csum | 0 |
| e_ip | 0 |
| e_cs | 0 |
| e_ovno | 0 |
| e_oemid | 0 |
| e_oeminfo | 0 |
| e_lfanew | 0x110 |
PE Header
| Signature | PE |
|---|---|
| Machine |
IMAGE_FILE_MACHINE_I386
|
| NumberofSections | 5 |
| TimeDateStamp | 2019-Aug-06 07:57:19 |
| PointerToSymbolTable | 0 |
| NumberOfSymbols | 0 |
| SizeOfOptionalHeader | 0xe0 |
| Characteristics |
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
|
Image Optional Header
| Magic | PE32 |
|---|---|
| LinkerVersion | 12.0 |
| SizeOfCode | 0x8e000 |
| SizeOfInitializedData | 0x90e00 |
| SizeOfUninitializedData | 0 |
| AddressOfEntryPoint | 0x0002800A (Section: .text) |
| BaseOfCode | 0x1000 |
| BaseOfData | 0x8f000 |
| ImageBase | 0x400000 |
| SectionAlignment | 0x1000 |
| FileAlignment | 0x200 |
| OperatingSystemVersion | 5.1 |
| ImageVersion | 0.0 |
| SubsystemVersion | 5.1 |
| Win32VersionValue | 0 |
| SizeOfImage | 0x125000 |
| SizeOfHeaders | 0x400 |
| Checksum | 0x110619 |
| Subsystem |
IMAGE_SUBSYSTEM_WINDOWS_GUI
|
| DllCharacteristics |
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
|
| SizeofStackReserve | 0x400000 |
| SizeofStackCommit | 0x1000 |
| SizeofHeapReserve | 0x400000 |
| SizeofHeapCommit | 0x1000 |
| LoaderFlags | 0 |
| NumberOfRvaAndSizes | 16 |
.text
.rdata
.data
.rsrc
.reloc
Imports
| WSOCK32.dll |
#116
#23 #12 #21 #15 #17 #10 #9 #115 #151 #18 #1 #13 #2 #3 #111 #16 #20 #19 #11 #52 #57 #4 |
|---|---|
| VERSION.dll |
GetFileVersionInfoW
GetFileVersionInfoSizeW VerQueryValueW |
| WINMM.dll |
timeGetTime
waveOutSetVolume mciSendStringW |
| COMCTL32.dll |
ImageList_ReplaceIcon
ImageList_Destroy ImageList_Remove ImageList_SetDragCursorImage ImageList_BeginDrag ImageList_DragEnter ImageList_DragLeave ImageList_EndDrag ImageList_DragMove InitCommonControlsEx ImageList_Create |
| MPR.dll |
WNetUseConnectionW
WNetCancelConnection2W WNetGetConnectionW WNetAddConnection2W |
| WININET.dll |
InternetQueryDataAvailable
InternetCloseHandle InternetOpenW InternetSetOptionW InternetCrackUrlW HttpQueryInfoW InternetQueryOptionW HttpOpenRequestW HttpSendRequestW FtpOpenFileW FtpGetFileSize InternetOpenUrlW InternetReadFile InternetConnectW |
| PSAPI.DLL |
GetProcessMemoryInfo
|
| IPHLPAPI.DLL |
IcmpCreateFile
IcmpCloseHandle IcmpSendEcho |
| USERENV.dll |
DestroyEnvironmentBlock
UnloadUserProfile CreateEnvironmentBlock LoadUserProfileW |
| UxTheme.dll |
IsThemeActive
|
| KERNEL32.dll |
DuplicateHandle
CreateThread WaitForSingleObject HeapAlloc GetProcessHeap HeapFree Sleep GetCurrentThreadId MultiByteToWideChar MulDiv GetVersionExW IsWow64Process GetSystemInfo FreeLibrary LoadLibraryA GetProcAddress SetErrorMode GetModuleFileNameW WideCharToMultiByte lstrcpyW lstrlenW GetModuleHandleW QueryPerformanceCounter VirtualFreeEx OpenProcess VirtualAllocEx WriteProcessMemory ReadProcessMemory CreateFileW SetFilePointerEx SetEndOfFile ReadFile WriteFile FlushFileBuffers TerminateProcess CreateToolhelp32Snapshot Process32FirstW Process32NextW SetFileTime GetFileAttributesW FindFirstFileW SetCurrentDirectoryW GetLongPathNameW GetShortPathNameW DeleteFileW FindNextFileW CopyFileExW MoveFileW CreateDirectoryW RemoveDirectoryW SetSystemPowerState QueryPerformanceFrequency FindResourceW LoadResource LockResource SizeofResource EnumResourceNamesW OutputDebugStringW GetTempPathW GetTempFileNameW DeviceIoControl GetLocalTime CompareStringW GetCurrentProcess EnterCriticalSection LeaveCriticalSection GetStdHandle CreatePipe InterlockedExchange TerminateThread LoadLibraryExW FindResourceExW CopyFileW VirtualFree FormatMessageW GetExitCodeProcess GetPrivateProfileStringW WritePrivateProfileStringW GetPrivateProfileSectionW WritePrivateProfileSectionW GetPrivateProfileSectionNamesW FileTimeToLocalFileTime FileTimeToSystemTime SystemTimeToFileTime LocalFileTimeToFileTime GetDriveTypeW GetDiskFreeSpaceExW GetDiskFreeSpaceW GetVolumeInformationW SetVolumeLabelW CreateHardLinkW SetFileAttributesW CreateEventW SetEvent GetEnvironmentVariableW SetEnvironmentVariableW GlobalLock GlobalUnlock GlobalAlloc GetFileSize GlobalFree GlobalMemoryStatusEx Beep GetSystemDirectoryW HeapReAlloc HeapSize GetComputerNameW GetWindowsDirectoryW GetCurrentProcessId GetProcessIoCounters CreateProcessW GetProcessId SetPriorityClass LoadLibraryW VirtualAlloc IsDebuggerPresent GetCurrentDirectoryW lstrcmpiW DecodePointer GetLastError RaiseException InitializeCriticalSectionAndSpinCount DeleteCriticalSection InterlockedDecrement InterlockedIncrement GetCurrentThread CloseHandle GetFullPathNameW EncodePointer ExitProcess GetModuleHandleExW ExitThread GetSystemTimeAsFileTime ResumeThread GetCommandLineW IsProcessorFeaturePresent IsValidCodePage GetACP GetOEMCP GetCPInfo SetLastError UnhandledExceptionFilter SetUnhandledExceptionFilter TlsAlloc TlsGetValue TlsSetValue TlsFree GetStartupInfoW GetStringTypeW SetStdHandle GetFileType GetConsoleCP GetConsoleMode RtlUnwind ReadConsoleW GetTimeZoneInformation GetDateFormatW GetTimeFormatW LCMapStringW GetEnvironmentStringsW FreeEnvironmentStringsW WriteConsoleW FindClose SetEnvironmentVariableA |
| USER32.dll |
AdjustWindowRectEx
CopyImage SetWindowPos GetCursorInfo RegisterHotKey ClientToScreen GetKeyboardLayoutNameW IsCharAlphaW IsCharAlphaNumericW IsCharLowerW IsCharUpperW GetMenuStringW GetSubMenu GetCaretPos IsZoomed MonitorFromPoint GetMonitorInfoW SetWindowLongW SetLayeredWindowAttributes FlashWindow GetClassLongW TranslateAcceleratorW IsDialogMessageW GetSysColor InflateRect DrawFocusRect DrawTextW FrameRect DrawFrameControl FillRect PtInRect DestroyAcceleratorTable CreateAcceleratorTableW SetCursor GetWindowDC GetSystemMetrics GetActiveWindow CharNextW wsprintfW RedrawWindow DrawMenuBar DestroyMenu SetMenu GetWindowTextLengthW CreateMenu IsDlgButtonChecked DefDlgProcW CallWindowProcW ReleaseCapture SetCapture CreateIconFromResourceEx mouse_event ExitWindowsEx SetActiveWindow FindWindowExW EnumThreadWindows SetMenuDefaultItem InsertMenuItemW IsMenu TrackPopupMenuEx GetCursorPos DeleteMenu SetRect GetMenuItemID GetMenuItemCount SetMenuItemInfoW GetMenuItemInfoW SetForegroundWindow IsIconic FindWindowW MonitorFromRect keybd_event SendInput GetAsyncKeyState SetKeyboardState GetKeyboardState GetKeyState VkKeyScanW LoadStringW DialogBoxParamW MessageBeep EndDialog SendDlgItemMessageW GetDlgItem SetWindowTextW CopyRect ReleaseDC GetDC EndPaint BeginPaint GetClientRect GetMenu DestroyWindow EnumWindows GetDesktopWindow IsWindow IsWindowEnabled IsWindowVisible EnableWindow InvalidateRect GetWindowLongW GetWindowThreadProcessId AttachThreadInput GetFocus GetWindowTextW ScreenToClient SendMessageTimeoutW EnumChildWindows CharUpperBuffW GetParent GetDlgCtrlID SendMessageW MapVirtualKeyW PostMessageW GetWindowRect SetUserObjectSecurity CloseDesktop CloseWindowStation OpenDesktopW SetProcessWindowStation GetProcessWindowStation OpenWindowStationW GetUserObjectSecurity MessageBoxW DefWindowProcW SetClipboardData EmptyClipboard CountClipboardFormats CloseClipboard GetClipboardData IsClipboardFormatAvailable OpenClipboard BlockInput GetMessageW LockWindowUpdate DispatchMessageW TranslateMessage PeekMessageW UnregisterHotKey CheckMenuRadioItem CharLowerBuffW MoveWindow SetFocus PostQuitMessage KillTimer CreatePopupMenu RegisterWindowMessageW SetTimer ShowWindow CreateWindowExW RegisterClassExW LoadIconW LoadCursorW GetSysColorBrush GetForegroundWindow MessageBoxA DestroyIcon SystemParametersInfoW LoadImageW GetClassNameW |
| GDI32.dll |
StrokePath
DeleteObject GetTextExtentPoint32W ExtCreatePen GetDeviceCaps EndPath SetPixel CloseFigure CreateCompatibleBitmap CreateCompatibleDC SelectObject StretchBlt GetDIBits LineTo AngleArc MoveToEx Ellipse DeleteDC GetPixel CreateDCW GetStockObject GetTextFaceW CreateFontW SetTextColor PolyDraw BeginPath Rectangle SetViewportOrgEx GetObjectW SetBkMode RoundRect SetBkColor CreatePen CreateSolidBrush StrokeAndFillPath |
| COMDLG32.dll |
GetOpenFileNameW
GetSaveFileNameW |
| ADVAPI32.dll |
GetAce
RegEnumValueW RegDeleteValueW RegDeleteKeyW RegEnumKeyExW RegSetValueExW RegOpenKeyExW RegCloseKey RegQueryValueExW RegConnectRegistryW InitializeSecurityDescriptor InitializeAcl AdjustTokenPrivileges OpenThreadToken OpenProcessToken LookupPrivilegeValueW DuplicateTokenEx CreateProcessAsUserW CreateProcessWithLogonW GetLengthSid CopySid LogonUserW AllocateAndInitializeSid CheckTokenMembership RegCreateKeyExW FreeSid GetTokenInformation GetSecurityDescriptorDacl GetAclInformation AddAce SetSecurityDescriptorDacl GetUserNameW InitiateSystemShutdownExW |
| SHELL32.dll |
DragQueryPoint
ShellExecuteExW DragQueryFileW SHEmptyRecycleBinW SHGetPathFromIDListW SHBrowseForFolderW SHCreateShellItem SHGetDesktopFolder SHGetSpecialFolderLocation SHGetFolderPathW SHFileOperationW ExtractIconExW Shell_NotifyIconW ShellExecuteW DragFinish |
| ole32.dll |
CoTaskMemAlloc
CoTaskMemFree CLSIDFromString ProgIDFromCLSID CLSIDFromProgID OleSetMenuDescriptor MkParseDisplayName OleSetContainedObject CoCreateInstance IIDFromString StringFromGUID2 CreateStreamOnHGlobal OleInitialize OleUninitialize CoInitialize CoUninitialize GetRunningObjectTable CoGetInstanceFromFile CoGetObject CoSetProxyBlanket CoCreateInstanceEx CoInitializeSecurity |
| OLEAUT32.dll |
#183
#11 #3 #6 #38 #39 #24 #23 #37 #41 #411 #163 #32 #146 #12 #7 #185 #220 #77 #10 #9 #418 #164 #442 #443 #186 #31 #2 #8 |
Delayed Imports
1
2
3
4
166
7
8
9
10
11
12
313
CELMHRNBFYLOSJR
DYS
EJHLYETHBOXTIWGWS
EWGWRTJTFHSJFFMEYNQ
TFBOGPTXCXX
WOQTEFOWINYIEBJH
XKXLCRRDZQRM
ZAXHG
SCRIPT
99
162
164
169
1 (#2)
1 (#3)
String Table contents
| (Paused) |
| AutoIt Error |
| AutoIt has detected the stack has become corrupt. |
| Stack corruption typically occurs when either the wrong calling convention is used or when the function is called with the wrong number of arguments. |
| AutoIt supports the __stdcall (WINAPI) and __cdecl calling conventions. The __stdcall (WINAPI) convention is used by default but __cdecl can be used instead. See the DllCall() documentation for details on changing the calling convention. |
| "EndWith" missing "With". |
| Badly formatted "Func" statement. |
| "With" missing "EndWith". |
| Missing right bracket ')' in expression. |
| Missing operator in expression. |
| Unbalanced brackets in expression. |
| Error in expression. |
| Error parsing function call. |
| Incorrect number of parameters in function call. |
| "ReDim" used without an array variable. |
| Illegal text at the end of statement (one statement per line). |
| "If" statement has no matching "EndIf" statement. |
| "Else" statement with no matching "If" statement. |
| "EndIf" statement with no matching "If" statement. |
| Too many "Else" statements for matching "If" statement. |
| "While" statement has no matching "Wend" statement. |
| "Wend" statement with no matching "While" statement. |
| Variable used without being declared. |
| Array variable has incorrect number of subscripts or subscript dimension range exceeded. |
| Variable subscript badly formatted. |
| Subscript used on non-accessible variable. |
| Too many subscripts used for an array. |
| Missing subscript dimensions in "Dim" statement. |
| No variable given for "Dim", "Local", "Global", "Struct" or "Const" statement. |
| Expected a "=" operator in assignment statement. |
| Invalid keyword at the start of this line. |
| Array maximum size exceeded. |
| "Func" statement has no matching "EndFunc". |
| Duplicate function name. |
| Unknown function name. |
| Unknown macro. |
| Unable to get a list of running processes. |
| Invalid element in a DllStruct. |
| Unknown option or bad parameter specified. |
| Unable to load the internet libraries. |
| "Struct" statement has no matching "EndStruct". |
| Unable to open file, the maximum number of open files has been exceeded. |
| "ContinueLoop" statement with no matching "While", "Do" or "For" statement. |
| Invalid file filter given. |
| Expected a variable in user function call. |
| "Do" statement has no matching "Until" statement. |
| "Until" statement with no matching "Do" statement. |
| "For" statement is badly formatted. |
| "Next" statement with no matching "For" statement. |
| "ExitLoop/ContinueLoop" statements only valid from inside a For/Do/While loop. |
| "For" statement has no matching "Next" statement. |
| "Case" statement with no matching "Select"or "Switch" statement. |
| "EndSelect" statement with no matching "Select" statement. |
| Recursion level has been exceeded - AutoIt will quit to prevent stack overflow. |
| Cannot make existing variables static. |
| Cannot make static variables into regular variables. |
| Badly formated Enum statement |
| This keyword cannot be used after a "Then" keyword. |
| "Select" statement is missing "EndSelect" or "Case" statement. |
| "If" statements must have a "Then" keyword. |
| Badly formated Struct statement. |
| Cannot assign values to constants. |
| Cannot make existing variables into constants. |
| Only Object-type variables allowed in a "With" statement. |
| "long_ptr", "int_ptr" and "short_ptr" DllCall() types have been deprecated. Use "long*", "int*" and "short*" instead. |
| Object referenced outside a "With" statement. |
| Nested "With" statements are not allowed. |
| Variable must be of type "Object". |
| The requested action with this object has failed. |
| Variable appears more than once in function declaration. |
| ReDim array can not be initialized in this manner. |
| An array variable can not be used in this manner. |
| Can not redeclare a constant. |
| Can not redeclare a parameter inside a user function. |
| Can pass constants by reference only to parameters with "Const" keyword. |
| Can not initialize a variable with itself. |
| Incorrect way to use this parameter. |
| "EndSwitch" statement with no matching "Switch" statement. |
| "Switch" statement is missing "EndSwitch" or "Case" statement. |
| "ContinueCase" statement with no matching "Select"or "Switch" statement. |
| Assert Failed! |
| Obsolete function/parameter. |
| Invalid Exitcode (reserved for AutoIt internal use). |
| Variable cannot be accessed in this manner. |
| Func reassign not allowed. |
| Func reassign on global level not allowed. |
| Unable to parse line. |
| Unable to open the script file. |
| String missing closing quote. |
| Badly formated variable or macro. |
| Missing separator character after keyword. |
Version Info
| Signature | 0xfeef04bd |
|---|---|
| StructVersion | 0x10000 |
| FileVersion | 0.0.0.0 |
| ProductVersion | 0.0.0.0 |
| FileFlags | (EMPTY) |
| FileOs |
VOS_DOS_WINDOWS32
VOS_NT_WINDOWS32
VOS__WINDOWS32
|
| FileType |
VFT_APP
|
| Language | English - United Kingdom |
| Resource LangID | English - United Kingdom |
|---|
IMAGE_DEBUG_TYPE_RESERVED
| Characteristics |
0
|
|---|---|
| TimeDateStamp | 2018-Mar-15 13:14:39 |
| Version | 0.0 |
| SizeofData | 4 |
| AddressOfRawData | 0xb6f18 |
| PointerToRawData | 0xb6318 |
TLS Callbacks
Load Configuration
| Size | 0x48 |
|---|---|
| TimeDateStamp | 1970-Jan-01 00:00:00 |
| Version | 0.0 |
| GlobalFlagsClear | (EMPTY) |
| GlobalFlagsSet | (EMPTY) |
| CriticalSectionDefaultTimeout | 0 |
| DeCommitFreeBlockThreshold | 0 |
| DeCommitTotalFreeThreshold | 0 |
| LockPrefixTable | 0 |
| MaximumAllocationSize | 0 |
| VirtualMemoryThreshold | 0 |
| ProcessAffinityMask | 0 |
| ProcessHeapFlags | (EMPTY) |
| CSDVersion | 0 |
| Reserved1 | 0 |
| EditList | 0 |
| SecurityCookie | 0x4bfd50 |
| SEHandlerTable | 0 |
| SEHandlerCount | 0 |
RICH Header
| XOR Key | 0xc1fc1252 |
|---|---|
| Unmarked objects | 0 |
| C++ objects (20806) | 2 |
| 199 (41118) | 1 |
| ASM objects (VS2013 build 21005) | 51 |
| C objects (VS2013 build 21005) | 177 |
| C++ objects (VS2013 build 21005) | 53 |
| C objects (VS2008 SP1 build 30729) | 9 |
| Imports (VS2008 SP1 build 30729) | 37 |
| Total imports | 544 |
| 234 (VS2013 UPD5 build 40629) | 80 |
| ASM objects (VS2013 UPD5 build 40629) | 1 |
| Resource objects (VS2013 build 21005) | 1 |
| 151 | 1 |
| Linker (VS2013 UPD5 build 40629) | 1 |