f0e4cf37573cfac1e46e6f1fcdac7c10

Summary

Architecture IMAGE_FILE_MACHINE_I386
Subsystem IMAGE_SUBSYSTEM_WINDOWS_CUI
Compilation Date 2014-Oct-29 06:41:17
Detected languages English - United States
German - Germany

Plugin Output

Info Matching compiler(s): Microsoft Visual C++ 6.0 - 8.0
Suspicious The PE contains functions most legitimate programs don't use.
[!] The program may be hiding some of its imports:
  • GetProcAddress
  • LoadLibraryA
  • LoadLibraryW
Functions which can be used for anti-debugging purposes:
  • CreateToolhelp32Snapshot
  • FindWindowA
Can access the registry:
  • RegSetValueExA
  • RegEnumKeyExA
  • RegCloseKey
  • RegOpenKeyExA
  • RegQueryValueExA
  • RegCreateKeyExA
Possibly launches other programs:
  • CreateProcessA
  • ShellExecuteA
Has Internet access capabilities:
  • URLDownloadToFileA
Manipulates other processes:
  • OpenProcess
  • Process32Next
  • Process32First
Malicious VirusTotal score: 30/47 (Scanned on 2024-04-03 23:10:56)
ALYac: Gen:Variant.Doina.7977
APEX: Malicious
AhnLab-V3: Trojan/Win.Generic.R435870
Alibaba: TrojanBanker:Win32/Banbra.f22859aa
Antiy-AVL: Trojan/Win32.Badur
Arcabit: Trojan.Doina.D1F29
Bkav: W32.AIDetectMalware
CrowdStrike: win/malicious_confidence_100% (W)
Cybereason: malicious.7573cf
Cylance: unsafe
Cynet: Malicious (score: 100)
Elastic: malicious (high confidence)
Fortinet: W32/Generic.AC.201A3E!tr
Ikarus: Trojan.Win32.Agent
K7AntiVirus: Trojan ( 0055e3dd1 )
Lionic: Trojan.Win32.Badur.4!c
Malwarebytes: Malware.Heuristic.2009
McAfee: GenericRXAA-AA!F0E4CF37573C
MicroWorld-eScan: Gen:Variant.Doina.7977
Panda: Trj/CI.A
Sangfor: Trojan.Win32.Save.a
Symantec: ML.Attribute.HighConfidence
Tencent: Malware.Win32.Gencirc.114fb0cd
Trapmine: malicious.high.ml.score
TrendMicro: TROJ_INJECTR.DCB
TrendMicro-HouseCall: TROJ_INJECTR.DCB
VIPRE: Gen:Variant.Doina.7977
VirIT: Trojan.Win32.DownLoader11.CIER
Zillya: Trojan.Badur.Win32.7612
tehtris: Generic.Malware

Hashes

MD5 f0e4cf37573cfac1e46e6f1fcdac7c10
SHA1 85fda3811fbbad541a7df8a0050cd4847a55d4d3
SHA256 eb9048578fed559818062b7c3a013117609e8d743dd6f391fe11bd13dea9c6a9
SHA3 4a6191074e3353e638830ab3029ed566cfa9e854b3b534d01911b7b911c36772
SSDeep 1536:WTLbS0hClWT7srxenjYx6Mn1gaOq3d6YuAOXNHb+w6hSSyDyz+0cLQoG6fYCkTv:CbSABGfSYuAkKwrSyD5f7gX/wqAb
Imports Hash f733e95666b1acbbb6fc49d418145c0e

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0xf0

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_I386
NumberofSections 5
TimeDateStamp 2014-Oct-29 06:41:17
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xe0
Characteristics IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE

Image Optional Header

Magic PE32
LinkerVersion 10.0
SizeOfCode 0x15600
SizeOfInitializedData 0xbc00
SizeOfUninitializedData 0
AddressOfEntryPoint 0x0000B7B7 (Section: .text)
BaseOfCode 0x1000
BaseOfData 0x17000
ImageBase 0x400000
SectionAlignment 0x1000
FileAlignment 0x200
OperatingSystemVersion 5.1
ImageVersion 0.0
SubsystemVersion 5.1
Win32VersionValue 0
SizeOfImage 0x26000
SizeOfHeaders 0x1000
Checksum 0
Subsystem IMAGE_SUBSYSTEM_WINDOWS_CUI
DllCharacteristics IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
SizeofStackReserve 0x100000
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

.text

MD5 71463020d4567002118c4f1f69b6a0c5
SHA1 1621debcb19f17c305e51b42c9f267eec76af4e0
SHA256 0a3e8fa935d109c5c0fbe6b8cdbfed0b795f7aabfff3af7f417408234945b107
SHA3 7a95351294c940332cf9a8b278eb3eccf4be8d64d51fa0b8fdc99f964d99a398
VirtualSize 0x15450
VirtualAddress 0x1000
SizeOfRawData 0x15600
PointerToRawData 0x400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
Entropy 6.58576

.rdata

MD5 7d009c56accf4cb8bb22e1b021deb139
SHA1 a97233cd11ae6b40cdf353308ec4b67062521286
SHA256 f65d5398e7143fee3e77dfaec6a9980fa0110de555c5bfcc4b9a8185bae9f774
SHA3 ee7bf94644f01c4b2480baa42f5fa5a7b399f925203bb7ed398de4e6f8412c06
VirtualSize 0x5d0e
VirtualAddress 0x17000
SizeOfRawData 0x5e00
PointerToRawData 0x15a00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 3.76833

.data

MD5 1b18be8f6faeaec3fb38da0ac6d16b57
SHA1 fc2ad9fe068cba501b2e742b9c38f08e6f08e268
SHA256 00bc86045174d86328e71d4295d8e4cf56eb0c882c99af6e1e4e0e9244f311b6
SHA3 de855f064cb81d9f152dda36a0d516b1e25df09f74c002d6d3b4ab2fb826352c
VirtualSize 0x3664
VirtualAddress 0x1d000
SizeOfRawData 0x1800
PointerToRawData 0x1b800
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 5.06447

.rsrc

MD5 5ef4f1f9a5d7880c06787f66f4b3d201
SHA1 00895bac6e23383db38833a4495940f57c8b266b
SHA256 3443080e9cdb91dfbdacadce4fae4646de7a5a926f1ee466f5032d3cc5e4c09e
SHA3 718725f67bfdb25c39de59a3158a3afac5b7e08e03e4d2734bad9f917bd23580
VirtualSize 0x2800
VirtualAddress 0x21000
SizeOfRawData 0x2800
PointerToRawData 0x1d000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 5.26302

.reloc

MD5 9b7aed5b7acd844124ead0e6d35e9fbb
SHA1 4981187399d35298834bae86c5d94ead173d5126
SHA256 f6e28ad1753237d42be72be187a88f09a269097eeda24bcf12908db6bd361246
SHA3 056608a20f90f169cd585d576f6eb8e6b2e28cf0c5c1a9bef25e6d36bd60808a
VirtualSize 0x1de0
VirtualAddress 0x24000
SizeOfRawData 0x1e00
PointerToRawData 0x1f800
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Entropy 0

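The PE Header, Image Optional Header and section entries above (Machine, AddressOfEntryPoint, per-section VirtualAddress/SizeOfRawData/Characteristics, Entropy) are what a first-pass triage script reads. The following Python is added here as an example; it is neither Manalyze's code nor anything from the sample. It parses those structures from a PE32 file with the standard library only, computes Shannon entropy per section from the raw bytes (the same quantity as the Entropy lines above), resolves AddressOfEntryPoint to its section (for this file 0x0000B7B7 falls in .text, as the report says) and flags writable+executable sections, high-entropy executable sections and an entry point outside executable code. It runs on a constructed two-section image built inline; the section layout, the section names and the 7.0 entropy threshold are this example's own choices. Two notes on the report's own values: the "Microsoft Visual C++ 6.0 - 8.0" signature match is a byte-pattern guess that LinkerVersion 10.0 and the Rich header (VS2010 SP1 build 40219) both contradict, so treat VS2010 SP1 as the toolchain; and .reloc reports entropy 0 over 0x1e00 raw bytes, which means a single repeated byte value, something a full parser should cross-check against the base relocation data directory (not listed in this report) before drawing conclusions about whether IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE can actually take effect.

```python
"""Pure-Python PE32 header/section triage (standard library only): parses DOS,
COFF, optional and section headers, computes per-section Shannon entropy,
resolves AddressOfEntryPoint to its section and flags packer/injector signs."""
import math
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000   # section characteristics from winnt.h
IMAGE_SCN_MEM_WRITE = 0x80000000
COFF_FMT = "<HHIIIHH"                          # IMAGE_FILE_HEADER, 20 bytes
OPT32_FMT = "<HBBIIIIIIIIIHHHHHHIIIIHHIIIIII"  # IMAGE_OPTIONAL_HEADER32 through NumberOfRvaAndSizes, 96 bytes
SECTION_FMT = "<8sIIIIIIHHI"                   # IMAGE_SECTION_HEADER, 40 bytes


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or constant data, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe32(blob: bytes) -> dict:
    """Parse headers and sections; raise ValueError for anything that is not a PE32 image."""
    if blob[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature at e_lfanew")
    coff_off = e_lfanew + 4
    machine, nsections, stamp, _, _, opt_size, chars = struct.unpack_from(COFF_FMT, blob, coff_off)
    opt = struct.unpack_from(OPT32_FMT, blob, coff_off + 20)
    if opt[0] != 0x10B:
        raise ValueError("only PE32 (Magic 0x10b) is handled, got 0x%x" % opt[0])
    entry_rva = opt[6]                       # AddressOfEntryPoint
    sections = []
    table_off = coff_off + 20 + opt_size     # section table follows the optional header
    for i in range(nsections):
        name, vsize, va, rawsize, rawptr, _, _, _, _, flags = struct.unpack_from(
            SECTION_FMT, blob, table_off + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "va": va, "vsize": vsize, "rawsize": rawsize, "flags": flags,
                         "entropy": shannon_entropy(blob[rawptr:rawptr + rawsize])})
    anomalies, entry_section = [], None
    for s in sections:
        span = max(s["vsize"], s["rawsize"])  # mapped extent, as the loader sees it
        if s["va"] <= entry_rva < s["va"] + span:
            entry_section = s["name"]
            if not s["flags"] & IMAGE_SCN_MEM_EXECUTE:
                anomalies.append("entry point in non-executable section %s" % s["name"])
        if s["flags"] & IMAGE_SCN_MEM_WRITE and s["flags"] & IMAGE_SCN_MEM_EXECUTE:
            anomalies.append("section %s is writable and executable" % s["name"])
        if s["flags"] & IMAGE_SCN_MEM_EXECUTE and s["entropy"] > 7.0:
            anomalies.append("executable section %s has packer-like entropy %.2f" % (s["name"], s["entropy"]))
    if entry_section is None:
        anomalies.append("entry point 0x%x lies outside every section" % entry_rva)
    return {"machine": machine, "timestamp": stamp, "characteristics": chars, "entry_point": entry_rva,
            "entry_section": entry_section, "sections": sections, "anomalies": anomalies}


def build_sample_pe() -> bytes:
    """Constructed two-section image for testing; NOT the sample from this report.
    .text holds a repeating 16-byte pattern (entropy exactly 4.0); .data is marked
    writable+executable and holds every byte value twice (entropy exactly 8.0)."""
    text = bytes(range(16)) * 32
    data = bytes(range(256)) * 2
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)      # e_lfanew: PE header right after the DOS header
    coff = struct.pack(COFF_FMT, 0x14C, 2, 0x54508C0D, 0, 0, 0xE0, 0x0102)  # I386, 2 sections, EXE|32BIT
    opt = struct.pack(OPT32_FMT, 0x10B, 10, 0,    # Magic PE32, linker 10.0
                      0x200, 0x200, 0,            # SizeOfCode, SizeOfInitializedData, SizeOfUninitializedData
                      0x1010, 0x1000, 0x2000,     # AddressOfEntryPoint (inside .text), BaseOfCode, BaseOfData
                      0x400000, 0x1000, 0x200,    # ImageBase, SectionAlignment, FileAlignment
                      5, 1, 0, 0, 5, 1,           # OS, image and subsystem versions
                      0, 0x3000, 0x200, 0,        # Win32VersionValue, SizeOfImage, SizeOfHeaders, CheckSum
                      3, 0x8140,                  # IMAGE_SUBSYSTEM_WINDOWS_CUI; DYNAMIC_BASE|NX_COMPAT|TS_AWARE
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    opt += b"\0" * 128                            # 16 empty data directories
    sec_text = struct.pack(SECTION_FMT, b".text", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0,
                           0x60000020)            # CNT_CODE | MEM_EXECUTE | MEM_READ
    sec_data = struct.pack(SECTION_FMT, b".data", 0x200, 0x2000, 0x200, 0x400, 0, 0, 0, 0,
                           0xE0000040)            # CNT_INITIALIZED_DATA | MEM_EXECUTE | MEM_READ | MEM_WRITE
    headers = bytes(dos) + b"PE\0\0" + coff + opt + sec_text + sec_data
    return headers + b"\0" * (0x200 - len(headers)) + text + data   # pad headers to SizeOfHeaders


if __name__ == "__main__":
    report = parse_pe32(build_sample_pe())
    for s in report["sections"]:
        print("%-8s VA=0x%05x raw=0x%04x entropy=%.3f flags=0x%08x" % (
            s["name"], s["va"], s["rawsize"], s["entropy"], s["flags"]))
    print("entry point 0x%x in %s" % (report["entry_point"], report["entry_section"]))
    for a in report["anomalies"]:
        print("[!]", a)
```

Pointed at a real file (`parse_pe32(open(path, "rb").read())`) the same function gives the per-section entropies and entry-point section listed in this report; for a PE32+ image the Magic check raises, since the 64-bit optional header has a different layout.
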
Imports

KERNEL32.DLL WaitForSingleObject
ExpandEnvironmentStringsA
OpenProcess
TerminateProcess
Process32Next
GetModuleFileNameA
CreateToolhelp32Snapshot
CloseHandle
DeleteFileA
CreateFileA
lstrcmpA
SetFilePointer
FreeLibrary
WriteFile
Sleep
GetFileAttributesA
lstrcatA
GetEnvironmentVariableA
SetCurrentDirectoryA
FindFirstFileA
GetProcAddress
FindClose
LoadLibraryA
FindNextFileA
Process32First
lstrcpyA
GetCurrentProcess
CreateProcessA
ReadFile
GetStdHandle
GetLongPathNameA
SetStdHandle
CreatePipe
DuplicateHandle
TerminateThread
ExitThread
CreateThread
GetConsoleWindow
CreateFileW
WriteConsoleW
LoadLibraryW
SetEnvironmentVariableA
CompareStringW
LockResource
SizeofResource
WideCharToMultiByte
LoadResource
FindResourceW
GetCurrentDirectoryA
FindResourceExW
GetConsoleMode
GetConsoleCP
RtlUnwind
FlushFileBuffers
GetStringTypeW
GetCurrentProcessId
RaiseException
EnterCriticalSection
LeaveCriticalSection
GetLastError
InitializeCriticalSectionAndSpinCount
DeleteCriticalSection
HeapDestroy
HeapAlloc
HeapFree
HeapReAlloc
HeapSize
GetProcessHeap
GetSystemTimeAsFileTime
GetCommandLineA
HeapSetInformation
EncodePointer
DecodePointer
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
GetCPInfo
InterlockedIncrement
InterlockedDecrement
GetACP
GetOEMCP
IsValidCodePage
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
GetModuleHandleW
SetLastError
GetCurrentThreadId
LCMapStringW
MultiByteToWideChar
IsProcessorFeaturePresent
ExitProcess
GetModuleFileNameW
FreeEnvironmentStringsW
GetEnvironmentStringsW
SetHandleCount
GetFileType
GetStartupInfoW
HeapCreate
QueryPerformanceCounter
GetTickCount
ADVAPI32.dll RegSetValueExA
RegEnumKeyExA
RegCloseKey
RegOpenKeyExA
RegQueryValueExA
RegCreateKeyExA
SHELL32.dll ShellExecuteExA
SHGetSpecialFolderPathA
ShellExecuteA
urlmon.dll URLDownloadToFileA
USER32.dll EnumChildWindows
SendMessageA
SetActiveWindow
GetWindowThreadProcessId
ShowWindow
FindWindowA
WININET.dll DeleteUrlCacheEntry

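The Plugin Output groupings above and the Imports Hash line are both derived from this import table alone. The following Python is added here as an example, not Manalyze's code, and reproduces both techniques with the standard library: the imphash normalisation (lower-case, strip .dll/.ocx/.sys, join module.function in table order, MD5) and a capability tagger modelled on the report's categories. The tag table, the CRT_NOISE list and the SAMPLE_IMPORTS subset are this example's own assumptions; the subset is transcribed from the Imports section above but is only part of the 119-name table, so its imphash will not equal f733e95666b1acbbb6fc49d418145c0e. Two caveats the flags above need: GetProcAddress, LoadLibraryW and IsDebuggerPresent are typically imported by the statically linked MSVC CRT start-up code regardless of what the program does (an assumption to verify against a clean build of the same toolchain), so the "may be hiding some of its imports" note rests on LoadLibraryA and on the APIs next to it; and WININET.dll!DeleteUrlCacheEntry, which the plugin does not flag, belongs with URLDownloadToFileA, since the latter leaves a copy of the download in the WinINet cache and the former deletes it.

```python
"""Import-table triage (standard library only): imphash and capability tags.

imphash, the "Imports Hash" line in PE reports, is md5() of the lower-cased
"module.function" pairs in import-table order, comma-separated, with a
trailing .dll/.ocx/.sys stripped from the module name.  It is order-sensitive
and name-based, so it survives recompiles that keep the same link order and
changes when the import directory is rebuilt.  Ordinal-only imports need the
ordinal-to-name tables that pefile ships and are not handled here."""
import hashlib

# Assumed tag table modelled on the report's own groupings (dynamic imports, anti-debugging,
# registry, program launch, Internet access, process manipulation) plus two it does not list.
CAPABILITY_TAGS = {
    "dynamic_import_resolution": {"getprocaddress", "loadlibrarya", "loadlibraryw"},
    "process_enumeration": {"createtoolhelp32snapshot", "process32first", "process32next", "openprocess"},
    "process_termination": {"terminateprocess"},
    "registry_write": {"regsetvalueexa", "regcreatekeyexa"},
    "registry_read": {"regopenkeyexa", "regqueryvalueexa", "regenumkeyexa"},
    "launch_program": {"createprocessa", "shellexecutea", "shellexecuteexa"},
    "download_file": {"urldownloadtofilea"},
    "cache_cleanup": {"deleteurlcacheentry"},
    "window_probing": {"findwindowa", "enumchildwindows", "getwindowthreadprocessid"},
    "debugger_check": {"isdebuggerpresent"},
}

# Assumed: names the statically linked MSVC CRT start-up imports by itself; seen alone they
# say nothing about the program.  Verify against a clean build of the same toolchain.
CRT_NOISE = {"getprocaddress", "loadlibraryw", "isdebuggerpresent", "encodepointer", "decodepointer"}


def normalized_import_string(imports):
    """The exact string imphash is computed over; imports is an ordered list of (module, function)."""
    parts = []
    for module, func in imports:
        mod = module.lower()
        for ext in (".dll", ".ocx", ".sys"):
            if mod.endswith(ext):
                mod = mod[:-len(ext)]
                break
        parts.append("%s.%s" % (mod, func.lower()))
    return ",".join(parts)


def imphash(imports):
    return hashlib.md5(normalized_import_string(imports).encode("ascii")).hexdigest()


def capability_tags(imports):
    """Map each tag with at least one hit to the module!function names that hit it."""
    found = {}
    for module, func in imports:
        for tag, apis in CAPABILITY_TAGS.items():
            if func.lower() in apis:
                found.setdefault(tag, []).append("%s!%s" % (module, func))
    return found


def triage(imports):
    """Turn tag combinations into verdict strings, discounting CRT-only noise."""
    tags = capability_tags(imports)
    verdicts = []
    dyn = [a for a in tags.get("dynamic_import_resolution", []) if a.split("!")[1].lower() not in CRT_NOISE]
    if dyn:
        verdicts.append("resolves imports at run time beyond CRT use: " + ", ".join(dyn))
    if "download_file" in tags and "launch_program" in tags:
        verdicts.append("downloader pattern: URLDownloadToFile + CreateProcess/ShellExecute")
    if "download_file" in tags and "cache_cleanup" in tags:
        verdicts.append("anti-forensics: DeleteUrlCacheEntry removes the WinINet cache copy URLDownloadToFile leaves")
    if "process_enumeration" in tags and "process_termination" in tags:
        verdicts.append("enumerates and kills processes: Toolhelp32 snapshot + TerminateProcess")
    if "registry_write" in tags:
        verdicts.append("writes the registry: check Run keys and service entries in a sandbox")
    return tags, verdicts


# Constructed, ordered subset transcribed from the Imports section of this report.  The
# report's Imports Hash covers the full table in import-table order, so
# imphash(SAMPLE_IMPORTS) will not reproduce it.
SAMPLE_IMPORTS = [
    ("KERNEL32.DLL", "WaitForSingleObject"), ("KERNEL32.DLL", "OpenProcess"),
    ("KERNEL32.DLL", "TerminateProcess"), ("KERNEL32.DLL", "Process32Next"),
    ("KERNEL32.DLL", "CreateToolhelp32Snapshot"), ("KERNEL32.DLL", "GetProcAddress"),
    ("KERNEL32.DLL", "LoadLibraryA"), ("KERNEL32.DLL", "Process32First"),
    ("KERNEL32.DLL", "CreateProcessA"), ("KERNEL32.DLL", "LoadLibraryW"),
    ("KERNEL32.DLL", "IsDebuggerPresent"), ("ADVAPI32.dll", "RegSetValueExA"),
    ("ADVAPI32.dll", "RegOpenKeyExA"), ("SHELL32.dll", "ShellExecuteExA"),
    ("SHELL32.dll", "ShellExecuteA"), ("urlmon.dll", "URLDownloadToFileA"),
    ("USER32.dll", "FindWindowA"), ("WININET.dll", "DeleteUrlCacheEntry"),
]

if __name__ == "__main__":
    print("imphash of subset:", imphash(SAMPLE_IMPORTS))
    found, verdicts = triage(SAMPLE_IMPORTS)
    for tag, apis in found.items():
        print("%-26s %s" % (tag, ", ".join(apis)))
    for v in verdicts:
        print("[!]", v)
```

To hunt on this sample's imphash rather than the subset, feed `imphash()` the complete import table read from the file in directory order; a single added or reordered import changes the value, which is why imphash pivots find rebuilds of the same source tree but not repacked copies.
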
Delayed Imports

Resources

1

Type RT_ICON
Language German - Germany
Codepage Latin 1 / Western European
Size 0x25a8
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 5.1061
MD5 69d95e2689633f96263753675856a576
SHA1 6d8898e6d1302a9f73a10cb2ad25b61f343671c7
SHA256 eba7d39df37a38dc77782a62f4f183559dbf8136f53fe7ff852f9d1355698663
SHA3 0b2322ea664bced0a8e1d31117992c1a18bd4ad7abb6eb6e110776bf111f8637

101

Type RT_GROUP_ICON
Language German - Germany
Codepage Latin 1 / Western European
Size 0x14
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 1.91924
Detected Filetype Icon file
MD5 6da8e7d5ae1d5d15e0230a67a7c16c6d
SHA1 678db52cbe5d617c33c6269bfd4b6d8d1a17f956
SHA256 6eb54801f91b6d8effccbfaefe6b2d7705a274a75940e6226e24e0d4ec58c396
SHA3 994fc217c7b8bc8008ac262ff58044403206de6eceafd424d4640ecad395eb2f

1 (#2)

Type RT_MANIFEST
Language English - United States
Codepage Latin 1 / Western European
Size 0x15a
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 4.79597
MD5 24d3b502e1846356b0263f945ddd5529
SHA1 bac45b86a9c48fc3756a46809c101570d349737d
SHA256 49a60be4b95b6d30da355a0c124af82b35000bce8f24f957d1c09ead47544a1e
SHA3 1244ed60820da52dc4b53880ec48e3b587dbdbd9545f01fa2b1c0fcfea1d5e9e

Version Info

TLS Callbacks

Load Configuration

Size 0x48
TimeDateStamp 1970-Jan-01 00:00:00
Version 0.0
GlobalFlagsClear (EMPTY)
GlobalFlagsSet (EMPTY)
CriticalSectionDefaultTimeout 0
DeCommitFreeBlockThreshold 0
DeCommitTotalFreeThreshold 0
LockPrefixTable 0
MaximumAllocationSize 0
VirtualMemoryThreshold 0
ProcessAffinityMask 0
ProcessHeapFlags (EMPTY)
CSDVersion 0
Reserved1 0
EditList 0
SecurityCookie 0x41d0b0
SEHandlerTable 0x41aeb0
SEHandlerCount 52

RICH Header

XOR Key 0xb41b8bd6
Unmarked objects 0
ASM objects (VS2010 SP1 build 40219) 22
C objects (VS2010 SP1 build 40219) 99
C++ objects (VS2010 SP1 build 40219) 50
Imports (VS2008 SP1 build 30729) 13
Total imports 131
175 (VS2010 SP1 build 40219) 12
Resource objects (VS2010 SP1 build 40219) 1
Linker (VS2010 SP1 build 40219) 1

Errors
