e2bf42217a67e46433da8b6f4507219e

Summary

Architecture IMAGE_FILE_MACHINE_I386
Subsystem IMAGE_SUBSYSTEM_WINDOWS_CUI
Compilation Date 2011-Apr-08 17:54:23

Plugin Output

Info Matching compiler(s): Microsoft Visual C++
Microsoft Visual C++ v6.0
Microsoft Visual C++ v5.0/v6.0 (MFC)
Suspicious Strings found in the binary may indicate undesirable behavior: Contains obfuscated function names:
  • 06 24 35 11 33 2e 22 00 25 25 33 24 32 32
  • 0d 2e 20 25 0d 28 23 33 20 33 38
Contains a XORed PE executable:
  • 15 29 28 32 61 31 33 2e 26 33 20 2c 61 22 20 2f 2f 2e 35 61 ...
Malicious The PE contains functions mostly used by malware. [!] The program may be hiding some of its imports:
  • GetProcAddress
  • LoadLibraryA
Code injection capabilities (process hollowing):
  • ResumeThread
  • SetThreadContext
  • WriteProcessMemory
Possibly launches other programs:
  • CreateProcessA
Manipulates other processes:
  • WriteProcessMemory
  • ReadProcessMemory
Malicious VirusTotal score: 57/67 (Scanned on 2018-02-11 02:13:29)
MicroWorld-eScan: Gen:Win32.ExplorerHijack.dqW@aO9ui3p
nProtect: Trojan/W32.Agent.53248.EGF
CAT-QuickHeal: Trojan.Agent
McAfee: RDN/Autorun.worm.gen
Cylance: Unsafe
Zillya: Trojan.Agent.Win32.229238
TheHacker: Trojan/Injector.ret
K7GW: Trojan ( 004bd2471 )
K7AntiVirus: Trojan ( 004bd2471 )
TrendMicro: TROJ_SPNR.29C414
Baidu: Win32.Trojan.WisdomEyes.16070401.9500.9935
Cyren: W32/Dropper.gen8!Maximus
Symantec: Trojan.Gen
ESET-NOD32: a variant of Win32/Injector.RET
TrendMicro-HouseCall: TROJ_SPNR.29C414
Paloalto: generic.ml
Kaspersky: Trojan.Win32.Agent.hwkc
BitDefender: Gen:Win32.ExplorerHijack.dqW@aO9ui3p
NANO-Antivirus: Trojan.Win32.Mayachok.dpbvnh
Avast: Win32:Malware-gen
Tencent: Win32.Trojan.Inject.Auto
Ad-Aware: Gen:Win32.ExplorerHijack.dqW@aO9ui3p
Emsisoft: Gen:Win32.ExplorerHijack.dqW@aO9ui3p (B)
Comodo: UnclassifiedMalware
F-Secure: Gen:Win32.ExplorerHijack.dqW@aO9ui3p
DrWeb: Trojan.Inject.64211
VIPRE: Trojan.Win32.Encpk.agsb (v)
McAfee-GW-Edition: RDN/Autorun.worm.gen
Sophos: Mal/Generic-S
SentinelOne: static engine - malicious
F-Prot: W32/Dropper.gen8!Maximus
Jiangmin: Trojan/Generic.xbgc
Webroot: W32.Dropper.Gen
Avira: TR/Dldr.Waski.24576.4
Antiy-AVL: Trojan/Win32.Agent
Kingsoft: Win32.Troj.Undef.(kcloud)
Microsoft: Trojan:Win32/Tiggre!rfn
Endgame: malicious (high confidence)
Arcabit: Gen:Win32.ExplorerHijack.E88CBE
AegisLab: Troj.W32.Agent.hwkc!c
ZoneAlarm: Trojan.Win32.Agent.hwkc
GData: Gen:Win32.ExplorerHijack.dqW@aO9ui3p
AhnLab-V3: Dropper/Win32.Agent.R194628
ALYac: Gen:Win32.ExplorerHijack.dqW@aO9ui3p
AVware: Trojan.Win32.Encpk.agsb (v)
MAX: malware (ai score=100)
VBA32: Trojan.Agent
Malwarebytes: Trojan.Agent.LB
Rising: Trojan.Agent!8.B1E (TFE:5:i7VOefkBImN)
Yandex: Trojan.Hijacker!zx3nusjBhh8
Ikarus: Trojan.SuspectCRC
eGambit: Unsafe.AI_Score_73%
Fortinet: W32/Generic.AP.419160
AVG: Win32:Malware-gen
Cybereason: malicious.17a67e
CrowdStrike: malicious_confidence_90% (W)
Qihoo-360: Win32/Trojan.b75

Hashes

MD5 e2bf42217a67e46433da8b6f4507219e
SHA1 daf263702f11dc0430d30f9bf443e7885cf91fcb
SHA256 ae8a1c7eb64c42ea2a04f97523ebf0844c27029eb040d910048b680f884b9dce
SHA3 db008b436f90d1d406c49d09e28584a4649ed8619e8764608260254ab728d562
SSDeep 384:WFVmdLgy5rg8g3SRrmlmwTwJrgmoS+GFbenP56cbwRG10IOp2n40iFLcH:GX4g8LRjhgmoDGFyP3+zb4nGY
Imports Hash e0017b10cd72d6d03248c4d8d7943a88

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0xe0

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_I386
NumberofSections 4
TimeDateStamp 2011-Apr-08 17:54:23
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xe0
Characteristics IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_RELOCS_STRIPPED

Image Optional Header

Magic PE32
LinkerVersion 6.0
SizeOfCode 0x3000
SizeOfInitializedData 0x9000
SizeOfUninitializedData 0
AddressOfEntryPoint 0x00001ADB (Section: .text)
BaseOfCode 0x1000
BaseOfData 0x4000
ImageBase 0x400000
SectionAlignment 0x1000
FileAlignment 0x1000
OperatingSystemVersion 4.0
ImageVersion 0.0
SubsystemVersion 4.0
Win32VersionValue 0
SizeOfImage 0xd000
SizeOfHeaders 0x1000
Checksum 0
Subsystem IMAGE_SUBSYSTEM_WINDOWS_CUI
SizeofStackReserve 0x100000
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

.text

MD5 6136eddaf1a45e63de5a2e952f0fed00
SHA1 c4cf5ac27223eed23d9897ed07a0675b96ed4d62
SHA256 ec2abf4b782ad037f47d8ac9456c1a52cb8a73aeab896af55d343bfa53a882bc
SHA3 23eb91d7f1adeb7891dc1d39c453d6f6c335c20901b737c7d91f48b095bf8a56
VirtualSize 0x2e96
VirtualAddress 0x1000
SizeOfRawData 0x3000
PointerToRawData 0x1000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
Entropy 6.40292

.rdata

MD5 95592e16bc9e062a40f5401dd8710aa4
SHA1 b3176edf4f5289b598d75178e007a9c1729b5abd
SHA256 bae47c5dce098b3b028a172e0e9bea14aabd7186035bfd27dbea539e3bab95e0
SHA3 94dcdc3b4eaa15effd0a961116c240784b8566e377b37781a021b0b283d31f17
VirtualSize 0x8f2
VirtualAddress 0x4000
SizeOfRawData 0x1000
PointerToRawData 0x4000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 3.55009

.data

MD5 56a763da2a21f2a86f8621add71fd12a
SHA1 cf6c13293c241381f4bf11c2b31bbf52c5961e07
SHA256 81db422fe30638a362ff1df231a7a0dc61a2f0de2f2906ac643c4303210f0a4c
SHA3 c75f3f222777c2d657897e77fad05fec3a323b0ef63a0d6ae7e4b36543fb3450
VirtualSize 0x7dc
VirtualAddress 0x5000
SizeOfRawData 0x1000
PointerToRawData 0x5000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 0.761837

.rsrc

MD5 9aa5d035dcb6f2dff70161c7a8f5bfa0
SHA1 74f2f5081f30cef9982e686ce92e35bcfda307af
SHA256 0e43284a1c0f52125ee9efa0684fac6c64921219ab697a1f3b2b0925eeb05a8d
SHA3 bcad661acf5a47b54fafb010d15346db927ca61f08e6f53dcf18aefdb96a3c16
VirtualSize 0x6084
VirtualAddress 0x6000
SizeOfRawData 0x7000
PointerToRawData 0x6000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 4.47335

Imports

KERNEL32.dll
CloseHandle
VirtualFree
ReadFile
VirtualAlloc
GetFileSize
CreateFileA
ResumeThread
SetThreadContext
WriteProcessMemory
VirtualAllocEx
GetProcAddress
GetModuleHandleA
ReadProcessMemory
GetThreadContext
CreateProcessA
FreeResource
SizeofResource
LockResource
LoadResource
FindResourceA
GetSystemDirectoryA
Sleep
GetCommandLineA
GetVersion
ExitProcess
TerminateProcess
GetCurrentProcess
UnhandledExceptionFilter
GetModuleFileNameA
FreeEnvironmentStringsA
FreeEnvironmentStringsW
WideCharToMultiByte
GetEnvironmentStrings
GetEnvironmentStringsW
SetHandleCount
GetStdHandle
GetFileType
GetStartupInfoA
HeapDestroy
HeapCreate
HeapFree
RtlUnwind
WriteFile
HeapAlloc
GetCPInfo
GetACP
GetOEMCP
HeapReAlloc
LoadLibraryA
MultiByteToWideChar
LCMapStringA
LCMapStringW
GetStringTypeA
GetStringTypeW

Delayed Imports

LOCALIZATION

Type UNICODE
Language UNKNOWN
Codepage UNKNOWN
Size 0x6000
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 4.54319
MD5 969811ec2e06a9f0f294f02296762e66
SHA1 02fe059e8d7274f16f5d7d316ce3afb7f73bccc7
SHA256 9018b97f555383cccdea6362e8ba41b9ee84c9ec69ff6ea6d24af2c289376549
SHA3 8f2b1eb9a8ea051f057fa6c474505358364dc30d23f153b704f7dbf8c1956423

Version Info

TLS Callbacks

Load Configuration

RICH Header

XOR Key 0xc0dabba1
Unmarked objects 0
C++ objects (VS98 build 8168) 1
C objects (VS98 build 8168) 19
14 (7299) 10
19 (8034) 3
Total imports 55
C objects (VS98 build 8168) (#2) 1

Errors
