e36e8281b2a225205cdeb32edb0bdaa0

Summary

Architecture IMAGE_FILE_MACHINE_AMD64
Subsystem IMAGE_SUBSYSTEM_WINDOWS_CUI
Compilation Date 2017-Nov-17 20:28:44
Detected languages English - United States

Plugin Output

Suspicious: Strings found in the binary may indicate undesirable behavior:
Miscellaneous malware strings:
  • cmd.exe
Malicious: The PE contains functions mostly used by malware.
[!] The program may be hiding some of its imports:
  • GetProcAddress
  • LoadLibraryExW
  • LoadLibraryW
Code injection capabilities (process hollowing):
  • ResumeThread
  • SetThreadContext
  • WriteProcessMemory
  • Wow64SetThreadContext
Possibly launches other programs:
  • CreateProcessA
Manipulates other processes:
  • WriteProcessMemory
Suspicious: VirusTotal score: 1/68 (Scanned on 2019-07-23 19:43:57)
Trapmine: suspicious.low.ml.score

Hashes

MD5 e36e8281b2a225205cdeb32edb0bdaa0
SHA1 e427bbebe19cbbbf2d1ea602b8671db65d4f2423
SHA256 03f59f7eda2d2bd64052b2962b6779dddedf87dc29588238c94da0613f4f7a83
SHA3 e0df89ab1a9ca37f0ac709d9073b77404802c9d54084c80e4dc93aea5d81da06
SSDeep 1536:6M27sZcVTTHgjr10I2dCvRy3Mo6t7BncHwUkxNcBj:L27/VTTHgjr10LdCpSMo6ttqwJxNcB
Imports Hash b57d839f67b49bbf3023cadacc365fbf

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0xe0

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_AMD64
NumberofSections 6
TimeDateStamp 2017-Nov-17 20:28:44
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xf0
Characteristics IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Image Optional Header

Magic PE32+
LinkerVersion 11.0
SizeOfCode 0xb600
SizeOfInitializedData 0x8000
SizeOfUninitializedData 0
AddressOfEntryPoint 0x0000000000002540 (Section: .text)
BaseOfCode 0x1000
ImageBase 0x140000000
SectionAlignment 0x1000
FileAlignment 0x200
OperatingSystemVersion 6.0
ImageVersion 0.0
SubsystemVersion 6.0
Win32VersionValue 0
SizeOfImage 0x18000
SizeOfHeaders 0x400
Checksum 0
Subsystem IMAGE_SUBSYSTEM_WINDOWS_CUI
DllCharacteristics IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
SizeofStackReserve 0x100000
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

.text

MD5 379fa0cd6a1d8e14f03035b480337fad
SHA1 aec53c5f51535f2bb4166061659138388e7c627e
SHA256 f97a633b66a7f590d3e25c82d5baff4a75dd84cad6a217bf4d35c0cc59b4d5cf
SHA3 6518f3e7ca02ab8e5f5506220c3e8c5b23d741f7e525c05ea256e1b573faeb61
VirtualSize 0xb59a
VirtualAddress 0x1000
SizeOfRawData 0xb600
PointerToRawData 0x400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
Entropy 6.34221

.rdata

MD5 75e61350f6ba35cadae48841b79a9163
SHA1 60bebd83ed849c685e5efcafc11b6d049d0bf929
SHA256 9c8d31d483564bbf5bb4b2c8e9cbd205f71f4b43f3adff042a51546adc534a0f
SHA3 429f3d3d9b7cac8ccbe1dbf36377e99980c0659e0c043ac190b8ae5542ef9da4
VirtualSize 0x37aa
VirtualAddress 0xd000
SizeOfRawData 0x3800
PointerToRawData 0xba00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 4.89737

.data

MD5 8bd2a29271bae2a2a035d760d5ff662f
SHA1 18f36666e94d05a9bda6b5700a650c4e16fececb
SHA256 26432f08ce4ec71a443d0526625d04b927491c92f8c33a2123b89f16c60b69da
SHA3 4e527447df050b3bc6ce282753fdfcc8f2b17571693bef0f30bb97fc88f19339
VirtualSize 0x3588
VirtualAddress 0x11000
SizeOfRawData 0x1400
PointerToRawData 0xf200
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 1.85919

.pdata

MD5 6cced80857f3158db62015b0f6f5f70f
SHA1 f8360390df7da079e3aac2a93a9a04168caf00b9
SHA256 96d6f965580985a1f242a64651f8946fa4e2814cae9f0e2ca82f68273f7c6e38
SHA3 7ca203f1b59557eb2f2861b419d38666c43dc3a6e6bd3eda60604b90ed5f09a4
VirtualSize 0xa8c
VirtualAddress 0x15000
SizeOfRawData 0xc00
PointerToRawData 0x10600
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 4.12077

.rsrc

MD5 c970c10a1e848ee974b87923ecbe6a2f
SHA1 6ec2704ce400703f30cf17cd7f5fb2ff7e4f9d67
SHA256 89f09174fd3a95dbea4b9e942ebd1106fa66ab65b71e2f1b47ad03120f498cd6
SHA3 3f834a2458f6aff655a398bb54821be6722cecca1ad1d0c3f33d8ef5408ca9d5
VirtualSize 0x1e0
VirtualAddress 0x16000
SizeOfRawData 0x200
PointerToRawData 0x11200
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 4.70616

.reloc

MD5 2515a17690dfff820277affdb8a060d3
SHA1 16da425b1b9a74e4059cb572b7c42812ed3c5c05
SHA256 8961fa9390b536271cf04e28e1787c29b3ddffe29d8ce207346652d85a6972ad
SHA3 1d4ad32c0b199440cba3b2703f52112aff931e431d65e44f9aca66b44053ca4a
VirtualSize 0x314
VirtualAddress 0x17000
SizeOfRawData 0x400
PointerToRawData 0x11400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Entropy 2.73642

Imports

KERNEL32.dll
ExpandEnvironmentStringsA
CloseHandle
GetLastError
ResumeThread
CreateProcessA
GetThreadContext
SetThreadContext
VirtualAllocEx
WriteProcessMemory
Wow64GetThreadContext
Wow64SetThreadContext
VirtualFree
CreateFileA
GetFileSize
VirtualAlloc
MapViewOfFile
UnmapViewOfFile
CreateFileMappingA
GetCommandLineA
IsDebuggerPresent
EncodePointer
DecodePointer
IsProcessorFeaturePresent
EnterCriticalSection
LeaveCriticalSection
RtlUnwindEx
HeapFree
SetLastError
GetCurrentThreadId
ExitProcess
GetModuleHandleExW
GetProcAddress
AreFileApisANSI
MultiByteToWideChar
GetStdHandle
WriteFile
GetModuleFileNameW
GetProcessHeap
GetFileType
InitializeCriticalSectionAndSpinCount
DeleteCriticalSection
InitOnceExecuteOnce
GetStartupInfoW
GetModuleFileNameA
QueryPerformanceCounter
GetSystemTimeAsFileTime
GetTickCount64
GetEnvironmentStringsW
FreeEnvironmentStringsW
WideCharToMultiByte
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
UnhandledExceptionFilter
SetUnhandledExceptionFilter
FlsAlloc
FlsGetValue
FlsSetValue
FlsFree
GetCurrentProcess
TerminateProcess
GetModuleHandleW
Sleep
IsValidCodePage
GetACP
GetOEMCP
GetCPInfo
WaitForSingleObject
GetExitCodeProcess
GetFileAttributesExW
LoadLibraryExW
OutputDebugStringW
LoadLibraryW
FlushFileBuffers
GetConsoleCP
GetConsoleMode
HeapAlloc
HeapReAlloc
GetStringTypeW
SetFilePointerEx
SetEnvironmentVariableA
HeapSize
CompareStringEx
LCMapStringEx
SetStdHandle
WriteConsoleW
CreateFileW

Delayed Imports

Resources

1

Type RT_MANIFEST
Language English - United States
Codepage UNKNOWN
Size 0x17d
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 4.91161
MD5 1e4a89b11eae0fcf8bb5fdd5ec3b6f61
SHA1 4260284ce14278c397aaf6f389c1609b0ab0ce51
SHA256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df
SHA3 4bb9e8b5a714cae82782f3831cc2d45f4bf4a50a755fe584d2d1893129d68353

Version Info

TLS Callbacks

Load Configuration

Size 0x70
TimeDateStamp 1970-Jan-01 00:00:00
Version 0.0
GlobalFlagsClear (EMPTY)
GlobalFlagsSet (EMPTY)
CriticalSectionDefaultTimeout 0
DeCommitFreeBlockThreshold 0
DeCommitTotalFreeThreshold 0
LockPrefixTable 0
MaximumAllocationSize 0
VirtualMemoryThreshold 0
ProcessAffinityMask 0
ProcessHeapFlags (EMPTY)
CSDVersion 0
Reserved1 0
EditList 0
SecurityCookie 0x140011000

RICH Header

XOR Key 0x307751a5
Unmarked objects 0
C++ objects (50628) 33
C objects (50628) 104
ASM objects (50628) 7
Total imports 98
185 (30716) 3
C++ objects (VS2012 build 50727 / VS2005 build 50727) 7
Resource objects (VS2012 build 50727 / VS2005 build 50727) 1
Linker (VS2012 build 50727 / VS2005 build 50727) 1

Errors
