e2bf42217a67e46433da8b6f4507219e

Summary

Architecture IMAGE_FILE_MACHINE_I386
Subsystem IMAGE_SUBSYSTEM_WINDOWS_CUI
Compilation Date 2011-Apr-08 17:54:23

Plugin Output

Info Matching compiler(s): Microsoft Visual C++
Microsoft Visual C++ v6.0
Microsoft Visual C++ v5.0/v6.0 (MFC)
Suspicious Strings found in the binary may indicate undesirable behavior:
Contains obfuscated function names:
  • 6 24 35 11 33 2e 22 0 25 25 33 24 32 32
  • d 2e 20 25 d 28 23 33 20 33 38
Contains a XORed PE executable:
  • 15 29 28 32 61 31 33 2e 26 33 20 2c 61 22 20 2f 2f 2e 35 61 ...
Malicious The PE contains functions mostly used by malware.
[!] The program may be hiding some of its imports:
  • GetProcAddress
  • LoadLibraryA
Code injection capabilities (process hollowing):
  • ResumeThread
  • SetThreadContext
  • WriteProcessMemory
Possibly launches other programs:
  • CreateProcessA
Manipulates other processes:
  • WriteProcessMemory
  • ReadProcessMemory
Malicious VirusTotal score: 57/67 (Scanned on 2018-02-11 02:13:29)
MicroWorld-eScan: Gen:Win32.ExplorerHijack.dqW@aO9ui3p
nProtect: Trojan/W32.Agent.53248.EGF
CAT-QuickHeal: Trojan.Agent
McAfee: RDN/Autorun.worm.gen
Cylance: Unsafe
Zillya: Trojan.Agent.Win32.229238
TheHacker: Trojan/Injector.ret
K7GW: Trojan ( 004bd2471 )
K7AntiVirus: Trojan ( 004bd2471 )
TrendMicro: TROJ_SPNR.29C414
Baidu: Win32.Trojan.WisdomEyes.16070401.9500.9935
Cyren: W32/Dropper.gen8!Maximus
Symantec: Trojan.Gen
ESET-NOD32: a variant of Win32/Injector.RET
TrendMicro-HouseCall: TROJ_SPNR.29C414
Paloalto: generic.ml
Kaspersky: Trojan.Win32.Agent.hwkc
BitDefender: Gen:Win32.ExplorerHijack.dqW@aO9ui3p
NANO-Antivirus: Trojan.Win32.Mayachok.dpbvnh
Avast: Win32:Malware-gen
Tencent: Win32.Trojan.Inject.Auto
Ad-Aware: Gen:Win32.ExplorerHijack.dqW@aO9ui3p
Emsisoft: Gen:Win32.ExplorerHijack.dqW@aO9ui3p (B)
Comodo: UnclassifiedMalware
F-Secure: Gen:Win32.ExplorerHijack.dqW@aO9ui3p
DrWeb: Trojan.Inject.64211
VIPRE: Trojan.Win32.Encpk.agsb (v)
McAfee-GW-Edition: RDN/Autorun.worm.gen
Sophos: Mal/Generic-S
SentinelOne: static engine - malicious
F-Prot: W32/Dropper.gen8!Maximus
Jiangmin: Trojan/Generic.xbgc
Webroot: W32.Dropper.Gen
Avira: TR/Dldr.Waski.24576.4
Antiy-AVL: Trojan/Win32.Agent
Kingsoft: Win32.Troj.Undef.(kcloud)
Microsoft: Trojan:Win32/Tiggre!rfn
Endgame: malicious (high confidence)
Arcabit: Gen:Win32.ExplorerHijack.E88CBE
AegisLab: Troj.W32.Agent.hwkc!c
ZoneAlarm: Trojan.Win32.Agent.hwkc
GData: Gen:Win32.ExplorerHijack.dqW@aO9ui3p
AhnLab-V3: Dropper/Win32.Agent.R194628
ALYac: Gen:Win32.ExplorerHijack.dqW@aO9ui3p
AVware: Trojan.Win32.Encpk.agsb (v)
MAX: malware (ai score=100)
VBA32: Trojan.Agent
Malwarebytes: Trojan.Agent.LB
Rising: Trojan.Agent!8.B1E (TFE:5:i7VOefkBImN)
Yandex: Trojan.Hijacker!zx3nusjBhh8
Ikarus: Trojan.SuspectCRC
eGambit: Unsafe.AI_Score_73%
Fortinet: W32/Generic.AP.419160
AVG: Win32:Malware-gen
Cybereason: malicious.17a67e
CrowdStrike: malicious_confidence_90% (W)
Qihoo-360: Win32/Trojan.b75

Hashes

MD5 e2bf42217a67e46433da8b6f4507219e
SHA1 daf263702f11dc0430d30f9bf443e7885cf91fcb
SHA256 ae8a1c7eb64c42ea2a04f97523ebf0844c27029eb040d910048b680f884b9dce
SHA3 c9ba6424a6b445ef21785979fbc932fcdfcc0e0f5e881326891ebf18d8e2a1db
SSDeep 384:WFVmdLgy5rg8g3SRrmlmwTwJrgmoS+GFbenP56cbwRG10IOp2n40iFLcH:GX4g8LRjhgmoDGFyP3+zb4nGY
Imports Hash e0017b10cd72d6d03248c4d8d7943a88

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0xe0

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_I386
NumberofSections 4
TimeDateStamp 2011-Apr-08 17:54:23
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xe0
Characteristics IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_RELOCS_STRIPPED

Image Optional Header

Magic PE32
LinkerVersion 6.0
SizeOfCode 0x3000
SizeOfInitializedData 0x9000
SizeOfUninitializedData 0
AddressOfEntryPoint 0x1adb (Section: .text)
BaseOfCode 0x1000
BaseOfData 0x4000
ImageBase 0x400000
SectionAlignment 0x1000
FileAlignment 0x1000
OperatingSystemVersion 4.0
ImageVersion 0.0
SubsystemVersion 4.0
Win32VersionValue 0
SizeOfImage 0xd000
SizeOfHeaders 0x1000
Checksum 0
Subsystem IMAGE_SUBSYSTEM_WINDOWS_CUI
DllCharacteristics (EMPTY)
SizeofStackReserve 0x100000
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

.text

MD5 6136eddaf1a45e63de5a2e952f0fed00
SHA1 c4cf5ac27223eed23d9897ed07a0675b96ed4d62
SHA256 ec2abf4b782ad037f47d8ac9456c1a52cb8a73aeab896af55d343bfa53a882bc
SHA3 a0542ef0abf2144ee3bc4e23d301cc103c54085df799bae75e375e67f2577716
VirtualSize 0x2e96
VirtualAddress 0x1000
SizeOfRawData 0x3000
PointerToRawData 0x1000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
Entropy 6.40292

.rdata

MD5 95592e16bc9e062a40f5401dd8710aa4
SHA1 b3176edf4f5289b598d75178e007a9c1729b5abd
SHA256 bae47c5dce098b3b028a172e0e9bea14aabd7186035bfd27dbea539e3bab95e0
SHA3 4825cfc2f703cd8b65f606ca5e31a21524fe082f1347fd38bad61ee958a55a71
VirtualSize 0x8f2
VirtualAddress 0x4000
SizeOfRawData 0x1000
PointerToRawData 0x4000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 3.55009

.data

MD5 56a763da2a21f2a86f8621add71fd12a
SHA1 cf6c13293c241381f4bf11c2b31bbf52c5961e07
SHA256 81db422fe30638a362ff1df231a7a0dc61a2f0de2f2906ac643c4303210f0a4c
SHA3 35307a9bba20ee0c56e67c4d15687f6a6b799eb47ef8b8d067839737bf5a6a3e
VirtualSize 0x7dc
VirtualAddress 0x5000
SizeOfRawData 0x1000
PointerToRawData 0x5000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 0.761837

.rsrc

MD5 9aa5d035dcb6f2dff70161c7a8f5bfa0
SHA1 74f2f5081f30cef9982e686ce92e35bcfda307af
SHA256 0e43284a1c0f52125ee9efa0684fac6c64921219ab697a1f3b2b0925eeb05a8d
SHA3 4a86bda7034989e470fdbdaa2a22a50e6b907fe46faf623e1a83d2e5a78868d9
VirtualSize 0x6084
VirtualAddress 0x6000
SizeOfRawData 0x7000
PointerToRawData 0x6000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 4.47335

Imports

KERNEL32.dll
CloseHandle
VirtualFree
ReadFile
VirtualAlloc
GetFileSize
CreateFileA
ResumeThread
SetThreadContext
WriteProcessMemory
VirtualAllocEx
GetProcAddress
GetModuleHandleA
ReadProcessMemory
GetThreadContext
CreateProcessA
FreeResource
SizeofResource
LockResource
LoadResource
FindResourceA
GetSystemDirectoryA
Sleep
GetCommandLineA
GetVersion
ExitProcess
TerminateProcess
GetCurrentProcess
UnhandledExceptionFilter
GetModuleFileNameA
FreeEnvironmentStringsA
FreeEnvironmentStringsW
WideCharToMultiByte
GetEnvironmentStrings
GetEnvironmentStringsW
SetHandleCount
GetStdHandle
GetFileType
GetStartupInfoA
HeapDestroy
HeapCreate
HeapFree
RtlUnwind
WriteFile
HeapAlloc
GetCPInfo
GetACP
GetOEMCP
HeapReAlloc
LoadLibraryA
MultiByteToWideChar
LCMapStringA
LCMapStringW
GetStringTypeA
GetStringTypeW

Delayed Imports

LOCALIZATION

Type UNICODE
Language UNKNOWN
Codepage UNKNOWN
Size 0x6000
Entropy 4.54319
MD5 969811ec2e06a9f0f294f02296762e66
SHA1 02fe059e8d7274f16f5d7d316ce3afb7f73bccc7
SHA256 9018b97f555383cccdea6362e8ba41b9ee84c9ec69ff6ea6d24af2c289376549
SHA3 55d61b0454195c1be0d7e6292c6216ddfc30bca3fa20cadbf197bf502b3b38c0

Version Info

TLS Callbacks

Load Configuration

Errors