f0d50245f0cc81cc791ffe2a5cd977d4

Summary

Architecture IMAGE_FILE_MACHINE_I386
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date 2016-Mar-20 07:29:20
Detected languages English - United States
Russian - Russia
CompanyName Oleg N. Scherbakov
FileDescription 7z Setup SFX (x86)
FileVersion 1.6.2.3888
InternalName 7ZSfxMod
LegalCopyright Copyright © 2005-2015 Oleg N. Scherbakov
OriginalFilename 7ZSfxMod_x86.exe
PrivateBuild March 20, 2016
ProductName 7-Zip SFX
ProductVersion 1.6.2.3888

Plugin Output

Info Matching compiler(s):
  • Microsoft Visual C++ 6.0 - 8.0
  • Microsoft Visual C++
  • Microsoft Visual C++ v6.0
Suspicious Strings found in the binary may indicate undesirable behavior: Miscellaneous malware strings:
  • cmd.exe
Info Cryptographic algorithms detected in the binary:
  • Uses constants related to SHA256
  • Uses constants related to AES
Malicious The PE contains functions mostly used by malware. [!] The program may be hiding some of its imports:
  • LoadLibraryA
  • GetProcAddress
Possibly launches other programs:
  • ShellExecuteW
  • CreateProcessW
Can create temporary files:
  • CreateFileW
  • GetTempPathW
Functions related to the privilege level:
  • CheckTokenMembership
Enumerates local disk drives:
  • GetDriveTypeW
Can take screenshots:
  • CreateCompatibleDC
  • GetDC
Malicious The PE's digital signature is invalid.
  • Signer: Piriform Software Ltd
  • Issuer: DigiCert SHA2 Assured ID Code Signing CA
  • The file was modified after it was signed.
Malicious VirusTotal score: 5/68 (Scanned on 2021-04-08 07:45:19)
  • Bkav: W32.AIDetect.malware2
  • Rising: Trojan.HiddenRun/SFX!1.D2BC (CLASSIC)
  • Jiangmin: TrojanDropper.Agent.gifx
  • eGambit: PE.Heur.InvalidSig
  • CrowdStrike: win/malicious_confidence_60% (D)

Hashes

MD5 f0d50245f0cc81cc791ffe2a5cd977d4
SHA1 09544d4a27f9732a5e37837af0ec8a040f63af2f
SHA256 20d567e641415ff1d1a6ab4e9ccde98cb693b98b1f18505e738ed381bbe2a932
SHA3 93af51f8ed1d15f09c724a66a04ffcb1b423bda7ef95151b077bac4ba61c7d80
SSDeep 49152:Px4ts9SDXUoDiJNrUz5eu8Cx1/RRv86J7N165TjZ:P+e9qNT5eIxNvNZN8fZ
Imports Hash 2b914b6fd04316572d777593dc737715

DOS Header

e_magic MZ
e_cblp 0x60
e_cp 0x1
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0x60

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_I386
NumberofSections 4
TimeDateStamp 2016-Mar-20 07:29:20
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xe0
Characteristics IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_RELOCS_STRIPPED

Image Optional Header

Magic PE32
LinkerVersion 8.0
SizeOfCode 0x18200
SizeOfInitializedData 0x2da00
SizeOfUninitializedData 0
AddressOfEntryPoint 0x0001887F (Section: .text)
BaseOfCode 0x1000
BaseOfData 0x1a000
ImageBase 0x400000
SectionAlignment 0x1000
FileAlignment 0x200
OperatingSystemVersion 4.0
ImageVersion 0.0
SubsystemVersion 4.0
Win32VersionValue 0
SizeOfImage 0x4d000
SizeOfHeaders 0x200
Checksum 0x1d87bb
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
SizeofStackReserve 0x100000
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

.text

MD5 9c1bd5315d0129c1d4e3e874ade40de3
SHA1 5213b43d50655329096f42d95ce882d7e52bc993
SHA256 4cbf077b959cf4b8772f1d2b3e2e5edb5f59f58c97e309ebfac329cbfdda8cc6
SHA3 eacef476d3aa4808f9ada8cd8bc785b98725e7a51e8a85ecfc83800d639d13fc
VirtualSize 0x181ea
VirtualAddress 0x1000
SizeOfRawData 0x18200
PointerToRawData 0x200
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
Entropy 6.67958

.rdata

MD5 81a1d7f50e32f02730ec307ff827ecd1
SHA1 0c5b2e4337d8d7b4bb9d23f0c8f0e4a90d6f2279
SHA256 7fa89be3f6da52802e6a8ad876cb3f6b0c845bc3e36f077188a22e41266ec51e
SHA3 f5858b10d0c5c093ad7057b711a839bf446b76f6943257e606aaf8f1c8a5d924
VirtualSize 0x3dc6
VirtualAddress 0x1a000
SizeOfRawData 0x3e00
PointerToRawData 0x18400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 5.77447

.data

MD5 dc318d75f5d8315b90d586a08693827f
SHA1 b3e3703c543927189aecaf994e9ea1082e64c0d4
SHA256 303fefdb8bae50320e4d1eb0b8f4af9a7a200cc01cead9962a031ba11d1cd93d
SHA3 2cafbf4c71fae2e69a4e223f433a7b636c7a01464d2bfc4e82922e47c889609a
VirtualSize 0x4ab0
VirtualAddress 0x1e000
SizeOfRawData 0x800
PointerToRawData 0x1c200
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 3.503

.rsrc

MD5 8dbd53b3397a41a156411620ec3a0f2f
SHA1 f1ce39fdfeea79f6634bca062bbe4986a00f9c63
SHA256 8f1a6b11a3d0dca6ca310739ad245a6c39c22f285418ddd9d99c94c169d5049e
SHA3 b1f85d74cf67131efead482f1193c5b0d6c4c49f5690fab5789eedc668c9d51a
VirtualSize 0x29262
VirtualAddress 0x23000
SizeOfRawData 0x29400
PointerToRawData 0x1ca00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 2.10873

Imports

COMCTL32.dll #17
SHELL32.dll SHGetSpecialFolderPathW
ShellExecuteW
SHGetMalloc
SHGetPathFromIDListW
SHBrowseForFolderW
SHGetFileInfoW
ShellExecuteExW
GDI32.dll CreateCompatibleDC
CreateFontIndirectW
DeleteObject
DeleteDC
GetCurrentObject
StretchBlt
GetDeviceCaps
CreateCompatibleBitmap
SelectObject
SetStretchBltMode
GetObjectW
ADVAPI32.dll FreeSid
AllocateAndInitializeSid
CheckTokenMembership
USER32.dll CreateWindowExW
GetDesktopWindow
wsprintfA
SetWindowPos
SetTimer
GetMessageW
ScreenToClient
KillTimer
CharUpperW
SendMessageW
EndDialog
wsprintfW
MessageBoxW
GetParent
CopyImage
ReleaseDC
GetWindowDC
GetMenu
GetWindowLongW
DispatchMessageW
GetWindowTextW
GetWindowTextLengthW
SetWindowTextW
GetSysColor
DestroyWindow
MessageBoxA
BringWindowToTop
ShowWindow
GetKeyState
GetDlgItem
GetClientRect
SetWindowLongW
UnhookWindowsHookEx
SetFocus
GetSystemMetrics
SystemParametersInfoW
DrawTextW
GetDC
ClientToScreen
GetWindow
DialogBoxIndirectParamW
DrawIconEx
CallWindowProcW
DefWindowProcW
CallNextHookEx
PtInRect
SetWindowsHookExW
LoadImageW
LoadIconW
MessageBeep
EnableWindow
IsWindow
EnableMenuItem
GetSystemMenu
CreateWindowExA
wvsprintfW
GetClassNameA
GetWindowRect
ole32.dll CreateStreamOnHGlobal
CoCreateInstance
CoInitialize
OLEAUT32.dll SysAllocStringLen
VariantClear
SysFreeString
OleLoadPicture
SysAllocString
KERNEL32.dll SetFileTime
SetEndOfFile
GetFileInformationByHandle
VirtualFree
GetModuleHandleA
WaitForMultipleObjects
VirtualAlloc
ReadFile
SetFilePointer
GetFileSize
LeaveCriticalSection
EnterCriticalSection
DeleteCriticalSection
FormatMessageW
lstrcpyW
LocalFree
IsBadReadPtr
SuspendThread
TerminateThread
GetSystemDirectoryW
GetCurrentThreadId
InitializeCriticalSection
ResetEvent
SetEvent
CreateEventW
GetVersionExW
GetModuleFileNameW
GetCurrentProcess
SetProcessWorkingSetSize
GetDriveTypeW
CreateFileW
SetEnvironmentVariableW
GetTempPathW
GetCommandLineW
GetStartupInfoW
CreateProcessW
CreateJobObjectW
ResumeThread
AssignProcessToJobObject
CreateIoCompletionPort
SetInformationJobObject
GetQueuedCompletionStatus
GetExitCodeProcess
CloseHandle
LoadLibraryA
SetThreadLocale
lstrlenW
GetSystemTimeAsFileTime
ExpandEnvironmentStringsW
CompareFileTime
WideCharToMultiByte
FindFirstFileW
lstrcmpW
DeleteFileW
FindNextFileW
FindClose
SetCurrentDirectoryW
RemoveDirectoryW
GetEnvironmentVariableW
lstrcmpiW
GetLocaleInfoW
MultiByteToWideChar
GetUserDefaultUILanguage
GetSystemDefaultUILanguage
GetSystemDefaultLCID
lstrcmpiA
GlobalAlloc
GlobalFree
MulDiv
FindResourceExA
SizeofResource
LoadResource
LockResource
GetProcAddress
GetModuleHandleW
GetStdHandle
ExitProcess
lstrcatW
GetDiskFreeSpaceExW
SetLastError
SetFileAttributesW
Sleep
GetExitCodeThread
WaitForSingleObject
CreateThread
GetLastError
SystemTimeToFileTime
GetLocalTime
GetFileAttributesW
CreateDirectoryW
lstrlenA
WriteFile
GetStartupInfoA
MSVCRT.dll _purecall
memcmp
??2@YAPAXI@Z
memmove
memcpy
_wtol
strncpy
_controlfp
_except_handler3
__set_app_type
__p__fmode
__p__commode
_adjust_fdiv
__setusermatherr
_initterm
__getmainargs
_acmdln
exit
_XcptFilter
_exit
??1type_info@@UAE@XZ
_onexit
__dllonexit
malloc
free
wcsstr
_CxxThrowException
wcscmp
_beginthreadex
_EH_prolog
?_set_new_handler@@YAP6AHI@ZP6AHI@Z@Z
memset
_wcsnicmp
strncmp
wcsncmp
wcsncpy
??3@YAXPAX@Z

Delayed Imports

1

Type RT_ICON
Language Russian - Russia
Codepage UNKNOWN
Size 0x10b7
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 7.73152
Detected Filetype PNG graphic file
MD5 936d2f92e9c68e1ef5f643018269bb44
SHA1 8033e8c60badf73ee20cdaed2aeb65184939c6af
SHA256 704692840b9bf6f1587b3e6a4a9f05a384664f65ba8bbf25b7c49671a2795bb8
SHA3 d35ec034297daf2196f6eea4794f26e0140b1f027223b8106234f9d5b8b21134

2

Type RT_ICON
Language Russian - Russia
Codepage UNKNOWN
Size 0x10828
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 1.45739
MD5 878d20b34440c207df61d04d30a0559d
SHA1 0096a8831ba3e3746e9ba7f833f46536a37ce7eb
SHA256 09e57e2e19d0671e8780b76c0d9c4a2da545c2c83d6769b4dcdba2d16c823d99
SHA3 68c0b8a77be96185558b159f62e675979d21809fd5302439572e9febfeefe181

3

Type RT_ICON
Language Russian - Russia
Codepage UNKNOWN
Size 0x94a8
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 1.75008
MD5 3757df4e784c3aabb92c12fbbc7e36af
SHA1 e270d27967b5002371bab9c482a0ed13284819af
SHA256 497118d4c2ff8be3e3500fb5bdea1818b7282794546a07f2eacb52499ee1a5a4
SHA3 0cb2c5f762ef33af0934b762171f41a8c920101e0a0917f22c944437cb4b5945

4

Type RT_ICON
Language Russian - Russia
Codepage UNKNOWN
Size 0x5488
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 1.73957
MD5 cf00d8ad9c45d424883ae6b23e8b006d
SHA1 903a0ae7dfd265781e083db7deca3206e7a80290
SHA256 016cdbb05981e2f6e62cbae225eae5b98b403f387f103e258f0936130410d41d
SHA3 cc8eab514327c451773b87f63746e41c56893cca7078ac2a5f7be3b4804bca28

5

Type RT_ICON
Language Russian - Russia
Codepage UNKNOWN
Size 0x4228
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 1.58049
MD5 fa1c24976e5cdc91edbe153472ddbc8b
SHA1 3d876fe5f11aae3ca9cbf3636db4c50d0bc2caa9
SHA256 7651b09a6d140edbdf4a256f80df4354e7bc570c88793c3a6407aa85bc2678ba
SHA3 0513f70efb698eb344a5bc35a0283ae45d1a417a2ea4dc911ba291adbb29fed7

6

Type RT_ICON
Language Russian - Russia
Codepage UNKNOWN
Size 0x25a8
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 1.96902
MD5 b03ba4b7243b79602bddac043dab92cf
SHA1 4cd7e8cdc4f81fc907d12af42ea41c6169feb29a
SHA256 959636c8668280d422b4fe86e478c6410a75086aa58b1d8d95f465c85218be8f
SHA3 c6425603cd384ff5f97485ec6e3a74c5bfb0d7c9a11846c614b85382cf13decb

7

Type RT_ICON
Language Russian - Russia
Codepage UNKNOWN
Size 0x10a8
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 2.06033
MD5 e3a4b3d3b5aa55d0b8e5b839f0de76c1
SHA1 771802bfb41b86d2e88570810a4723ab5426a54f
SHA256 1e07cf2f4a867d9872fde7fdee01da9e737fb1c26bd237da6af0f2f9a1c73a55
SHA3 94d86b24ff7b56ee024590f702a3fd4204de57bc01e85d2e27becd8084caf046

8

Type RT_ICON
Language Russian - Russia
Codepage UNKNOWN
Size 0x988
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 2.38646
MD5 b868b1283058a6ae55cdb761a593c548
SHA1 2207b5cab0c4500ae9def9092fe1f7a823a902c5
SHA256 3ac2c89e099c87660acee7a00037c968046257ba8f011a2b5465b98783ec3195
SHA3 07d37afff6943a3bd63fa112f0a52c01a2f3333193de9505b19ce2e82ca1ba07

9

Type RT_ICON
Language Russian - Russia
Codepage UNKNOWN
Size 0x468
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 2.66261
MD5 2e7ccb58057ef49143920a4cd5970ff1
SHA1 bad4f96313e52e6fbf73e3b6f36628848cedddda
SHA256 ffaa0d418c03c93398a5b5f30ca1fbd0c4b7fbf06c296e8f70f0e04a9c129c87
SHA3 43649d4da547cdb39eeff79e637bb2e9f5d91d345730fcb29b4dab28d856d432

101

Type RT_GROUP_ICON
Language Russian - Russia
Codepage Latin 1 / Western European
Size 0x84
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 3.01007
Detected Filetype Icon file
MD5 465710f6327708b87333558529904c39
SHA1 6ea79942306f5740294117114d2545c2e03ff668
SHA256 c91b7593f139c4aa8738a52caaa53531d19466527b8de2ab9dfb97a6cc5230f2
SHA3 606460c62f13fa3cfa11ebbaa5ddee924b7b2f74c2a2cdb16cd5607ab34c6663

1 (#2)

Type RT_VERSION
Language English - United States
Codepage Latin 1 / Western European
Size 0x354
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 3.54413
MD5 72e8ec2b66779881fd1149cf58c6a8e5
SHA1 d64b6d7285df04259986176704f288c9b0a67817
SHA256 e27a5098067367127dfddbae57e931de61c79eb7df3630370de2b1824431bd01
SHA3 5473707d3abfd1ae4409e73c53df0b3ea96c409491c6363d40b34fcbd70d5b97

1 (#3)

Type RT_MANIFEST
Language English - United States
Codepage Latin 1 / Western European
Size 0x362
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 5.22911
MD5 a3abf371887d1b9c79d8ab2a1f5da3a3
SHA1 ba83ee73d18e9d972b7e848398922673d79a6469
SHA256 86e41bca34fa14afea7769e6ced262c3f09fdf4de2129730a8adcdf5434f5d17
SHA3 dd2bf46ab23768800ed8925cef5ac576781384862f78018fe0b1e6e4ee45e0b1

Version Info

Signature 0xfeef04bd
StructVersion 0x10000
FileVersion 1.6.1.3888
ProductVersion 1.6.1.3888
FileFlags VS_FF_PRIVATEBUILD
FileOs VOS_DOS_WINDOWS32
VOS_NT
VOS_NT_WINDOWS32
VOS_WINCE
VOS__WINDOWS32
FileType VFT_APP
Language UNKNOWN
CompanyName Oleg N. Scherbakov
FileDescription 7z Setup SFX (x86)
FileVersion (#2) 1.6.2.3888
InternalName 7ZSfxMod
LegalCopyright Copyright © 2005-2015 Oleg N. Scherbakov
OriginalFilename 7ZSfxMod_x86.exe
PrivateBuild March 20, 2016
ProductName 7-Zip SFX
ProductVersion (#2) 1.6.2.3888
Resource LangID English - United States

TLS Callbacks

Load Configuration

RICH Header

Errors
