e97c622b03fb2a2598bf019fbbe29f2c

Summary

Architecture IMAGE_FILE_MACHINE_I386
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date 2013-May-09 14:21:53

Plugin Output

Info Matching compiler(s): Microsoft Visual C++ 6.0 - 8.0
Suspicious The PE contains functions most legitimate programs don't use. [!] The program may be hiding some of its imports:
  • GetProcAddress
  • LoadLibraryA
Functions which can be used for anti-debugging purposes:
  • QueryPerformanceCounter
Possibly launches other programs:
  • CreateProcessA

Hashes

MD5 e97c622b03fb2a2598bf019fbbe29f2c
SHA1 32698bd1d3a0ff6cf441770d1b2b816285068d19
SHA256 5c1af46c7300e87a73dacf6cf41ce397e3f05df6bd9c7e227b4ac59f85769160
SHA3 f65a090ad9af5de069c1bde1397693823c5a4d69e1bf92653a89648f42d8d874
SSDeep 768:nMgEYaPKRsVvd7M826QXqVXDjPXHyRhQcBU+zGqJS967GMctEvdGA9SYxQ:Mg/6/tM8NXDjPX0QWlfGMckTQ
Imports Hash ba2c974ed567c90fe365844af978f320

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0xe8

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_I386
NumberofSections 3
TimeDateStamp 2013-May-09 14:21:53
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xe0
Characteristics IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_RELOCS_STRIPPED

Image Optional Header

Magic PE32
LinkerVersion 9.0
SizeOfCode 0xca00
SizeOfInitializedData 0x4e00
SizeOfUninitializedData 0
AddressOfEntryPoint 0x00002613 (Section: .text)
BaseOfCode 0x1000
BaseOfData 0xe000
ImageBase 0x400000
SectionAlignment 0x1000
FileAlignment 0x200
OperatingSystemVersion 5.0
ImageVersion 0.0
SubsystemVersion 5.0
Win32VersionValue 0
SizeOfImage 0x14000
SizeOfHeaders 0x400
Checksum 0
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
DllCharacteristics IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
SizeofStackReserve 0x100000
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

.text

MD5 9c1449c399f02a55d49d67dd9413e89c
SHA1 54ac39978541bb7675077cdcfcd1199c8919ce59
SHA256 aec8718e14ee5d0189e2772e8d63e09410f9a6f3bcd00fa0e2b5d2824e1d5ccc
SHA3 25f7e58fd1279008f5ab9f8df2e60aafb2c6e5d50a15b41b1ce67f2119f9a6ad
VirtualSize 0xc9ed
VirtualAddress 0x1000
SizeOfRawData 0xca00
PointerToRawData 0x400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
Entropy 6.61814

.rdata

MD5 c3c323d1b4244bb08b2144d7f6ccb84f
SHA1 97cad25a79269b9bf7f64b62baa59fdf492ce36b
SHA256 351a1a3befdcb9acd6f8d44c209ce51d5eba08929b5a304e71248040c81fc4d6
SHA3 eec3057601ad1beff671bd710f33d4f74256dd574488570c6d2756c0285634f0
VirtualSize 0x2068
VirtualAddress 0xe000
SizeOfRawData 0x2200
PointerToRawData 0xce00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 5.29095

.data

MD5 3ecb8d5c354d07019fd9bd96c5e5f3a1
SHA1 7f7c781cf577387378dee296be60861d4d822622
SHA256 a2e96f83f14ada11555c4d454bad5290e2817a676de71e4c1d0d5a99f8372e76
SHA3 7630f47ddcdc765852d7f0c57d6a2b37a2e227df1581609268cc49ad5acbfeea
VirtualSize 0x2bc4
VirtualAddress 0x11000
SizeOfRawData 0x1000
PointerToRawData 0xf000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 2.25129

Imports

KERNEL32.dll GenerateConsoleCtrlEvent
GetExitCodeProcess
WaitForSingleObject
CreateProcessA
SetConsoleCtrlHandler
GetModuleFileNameA
EnterCriticalSection
LeaveCriticalSection
GetModuleHandleW
Sleep
GetProcAddress
ExitProcess
GetCommandLineA
GetStartupInfoA
SetHandleCount
GetStdHandle
GetFileType
DeleteCriticalSection
TerminateProcess
GetCurrentProcess
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
GetLastError
HeapFree
HeapAlloc
GetCPInfo
InterlockedIncrement
InterlockedDecrement
GetACP
GetOEMCP
IsValidCodePage
TlsGetValue
TlsAlloc
TlsSetValue
TlsFree
SetLastError
GetCurrentThreadId
WriteFile
LoadLibraryA
InitializeCriticalSectionAndSpinCount
FreeEnvironmentStringsA
GetEnvironmentStrings
FreeEnvironmentStringsW
WideCharToMultiByte
GetEnvironmentStringsW
HeapCreate
VirtualFree
QueryPerformanceCounter
GetTickCount
GetCurrentProcessId
GetSystemTimeAsFileTime
RtlUnwind
HeapReAlloc
VirtualAlloc
GetConsoleCP
GetConsoleMode
FlushFileBuffers
LCMapStringA
MultiByteToWideChar
LCMapStringW
GetStringTypeA
GetStringTypeW
GetLocaleInfoA
SetFilePointer
HeapSize
CloseHandle
WriteConsoleA
GetConsoleOutputCP
WriteConsoleW
SetStdHandle
CreateFileA
CompareStringA
CompareStringW
SetEnvironmentVariableA
ReadFile
SetEndOfFile
GetProcessHeap
GetFileAttributesA

Delayed Imports

Version Info

TLS Callbacks

Load Configuration

Size 0x48
TimeDateStamp 1970-Jan-01 00:00:00
Version 0.0
GlobalFlagsClear (EMPTY)
GlobalFlagsSet (EMPTY)
CriticalSectionDefaultTimeout 0
DeCommitFreeBlockThreshold 0
DeCommitTotalFreeThreshold 0
LockPrefixTable 0
MaximumAllocationSize 0
VirtualMemoryThreshold 0
ProcessAffinityMask 0
ProcessHeapFlags (EMPTY)
CSDVersion 0
Reserved1 0
EditList 0
SecurityCookie 0x411280
SEHandlerTable 0x40f4d0
SEHandlerCount 3

RICH Header

XOR Key 0x8bae32a0
Unmarked objects 0
Imports (VS2012 build 50727 / VS2005 build 50727) 3
Total imports 91
150 (20413) 4
C++ objects (VS2008 build 21022) 36
ASM objects (VS2008 build 21022) 18
C objects (VS2008 build 21022) 113
Resource objects (VS2008 build 21022) 1

Errors

[!] Error: Query to VirusTotal failed (resolve: Host not found (authoritative)).