f300317af13482d53a001ec2d6a0f1f9

Summary

Architecture IMAGE_FILE_MACHINE_I386
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date 2010-Jul-14 22:03:32
Detected languages Chinese - PRC
CompanyName Microsoft Corporation
FileDescription Windows Service Pack Uninstall
FileVersion 6.3.0004.1 built by: dnsrv
InternalName SPUNINST.EXE
LegalCopyright (C) Microsoft Corporation. All rights reserved.
OriginalFilename SPUNINST.EXE
ProductName Microsoft(R) Windows(R) Operating System
ProductVersion 6.3.0004.1

Plugin Output

Info Matching compiler(s): Microsoft Visual C++ 6.0 - 8.0
Microsoft Visual C++
Microsoft Visual C++ v6.0
Microsoft Visual C++ v5.0/v6.0 (MFC)
Suspicious Strings found in the binary may indicate undesirable behavior:
May have dropper capabilities:
  • CurrentControlSet\seRviCes
Contains another PE executable:
  • This program cannot be run in DOS mode.
Info Cryptographic algorithms detected in the binary: Uses constants related to CRC32
Suspicious The PE is possibly packed. Unusual section name found: .idata2
Suspicious The PE contains functions most legitimate programs don't use.
[!] The program may be hiding some of its imports:
  • GetProcAddress
  • LoadLibraryA
Functions which can be used for anti-debugging purposes:
  • CreateToolhelp32Snapshot
Can access the registry:
  • SHGetValueA
  • SHDeleteKeyA
  • SHCopyKeyA
Possibly launches other programs:
  • CreateProcessA
Can create temporary files:
  • GetTempPathA
  • CreateFileA
Leverages the raw socket API to access the Internet:
  • closesocket
  • getprotobynumber
Manipulates other processes:
  • Process32Next
  • Process32First
Malicious The PE's digital signature is invalid.
Signer: Kaspersky Lab
Issuer: VeriSign Class 3 Code Signing 2004 CA
The file was modified after it was signed.
Malicious VirusTotal score: 69/73 (Scanned on 2020-01-16 07:26:25)
Bkav: W32.ZegostQKB.Trojan
MicroWorld-eScan: Gen:Variant.Zegost.2
VBA32: TrojanPSW.Bjlog
FireEye: Generic.mg.f300317af13482d5
CAT-QuickHeal: TrojanDropper.Zegost.C5
McAfee: BackDoor-CEP.gen.cn
Cylance: Unsafe
Zillya: Trojan.Bjlog.Win32.11309
SUPERAntiSpyware: Trojan.Agent/Gen-Zegost
Sangfor: Malware
K7AntiVirus: Unwanted-Program ( 004ae6551 )
Alibaba: TrojanPSW:Win32/Bjlog.059b93a8
K7GW: Unwanted-Program ( 004ae6551 )
Cybereason: malicious.af1348
Arcabit: Trojan.Zegost.2
Invincea: heuristic
Baidu: Win32.Backdoor.Zegost.b
F-Prot: W32/Zegost.C.gen!Eldorado
Symantec: Trojan Horse
TotalDefense: Win32/Zegost.CJ
APEX: Malicious
Avast: Win32:Zegost-C [Trj]
ClamAV: Win.Spyware.78740-1
Kaspersky: Trojan-PSW.Win32.Bjlog.dtwr
BitDefender: Gen:Variant.Zegost.2
NANO-Antivirus: Trojan.Win32.Bjlog.drshei
Paloalto: generic.ml
ViRobot: Trojan.Win32.A.PSW-Bjlog.42428
Tencent: Backdoor.Win32.Zegost.aaa
Endgame: malicious (high confidence)
Emsisoft: Gen:Variant.Zegost.2 (B)
Comodo: Backdoor.Win32.Zegost.B@1qlsm2
F-Secure: Backdoor:W32/Bjlog.D
DrWeb: BackDoor.Zegost.48
VIPRE: Trojan.Win32.Generic.pak!cobra
TrendMicro: BKDR_ZEGOST.SMZZ
McAfee-GW-Edition: BackDoor-CEP.gen.cn
Trapmine: malicious.high.ml.score
CMC: Trojan-PSW.Win32.Bjlog!O
Sophos: Mal/PWS-GA
SentinelOne: DFI - Malicious PE
Cyren: W32/Zegost.L.gen!Eldorado
Jiangmin: Trojan/PSW.Bjlog.bvd
Webroot: W32.Trojan.Gen
Avira: TR/PSW.Bjlog.lfzb
Fortinet: W32/Bjlog.GL!tr
Antiy-AVL: Trojan[PSW]/Win32.Bjlog.dtwr
Microsoft: TrojanDropper:Win32/Zegost.B
AegisLab: Trojan.Win32.Bjlog.l9ov
ZoneAlarm: Trojan-PSW.Win32.Bjlog.dtwr
TACHYON: Trojan-PWS/W32.Bjlog.209384
AhnLab-V3: Trojan/Win32.Bjlog.R2244
Acronis: suspicious
BitDefenderTheta: AI:Packer.5AF68E151F
ALYac: Gen:Variant.Zegost.2
MAX: malware (ai score=100)
Ad-Aware: Gen:Variant.Zegost.2
Malwarebytes: Trojan.Dropper
ESET-NOD32: a variant of Win32/Redosdru.FP
TrendMicro-HouseCall: BKDR_ZEGOST.SMZZ
Rising: Backdoor.Win32.GenFxj.c (CLOUD)
Yandex: Trojan.Zegost.Gen.5
Ikarus: Trojan.Agent
eGambit: Unsafe.AI_Score_99%
GData: Gen:Variant.Zegost.2
AVG: Win32:Zegost-C [Trj]
Panda: Generic Malware
CrowdStrike: win/malicious_confidence_100% (W)
Qihoo-360: Dropper.Win32.Zegost.A

Hashes

MD5 f300317af13482d53a001ec2d6a0f1f9
SHA1 0e5ba65affd69f93062cefdacf8bf143b24d22bb
SHA256 ccd37df0ab155d1378d4ba9fd5f862b4c162bea0668c3951905d45b0c5210d56
SHA3 d92fbe2e758ddeb1a26c9283b1ed8f427bffee32b06427cba14301617e499ae9
SSDeep 6144:8sItKnWUQpBTyPRqyhYPbncTBlhHrbndnkv0oX+:5tWUzJq8YPbncT3+I
Imports Hash c509dbcf0dade053e5588087a4d64742

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0xf0

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_I386
NumberofSections 4
TimeDateStamp 2010-Jul-14 22:03:32
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xe0
Characteristics IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_RELOCS_STRIPPED

Image Optional Header

Magic PE32
LinkerVersion 6.0
SizeOfCode 0x5000
SizeOfInitializedData 0x2b000
SizeOfUninitializedData 0
AddressOfEntryPoint 0x00002C46 (Section: CODE)
BaseOfCode 0x1000
BaseOfData 0x6000
ImageBase 0x400000
SectionAlignment 0x1000
FileAlignment 0x200
OperatingSystemVersion 4.0
ImageVersion 0.0
SubsystemVersion 4.0
Win32VersionValue 0
SizeOfImage 0x31800
SizeOfHeaders 0x1000
Checksum 0
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
SizeofStackReserve 0x100000
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

CODE

MD5 724bafa43942ace1c9c643b75c40e926
SHA1 56e080fdd83ec2006fa5f4b4c3ca48a97055734e
SHA256 bbd712c58fda6d5dae8d1284c129380c479f240f1034263a5488a0be662705ba
SHA3 b297656a57b5dc3daf81df41c1066715b40148841e9610d40b42e6c94b08f274
VirtualSize 0x4af8
VirtualAddress 0x1000
SizeOfRawData 0x4af8
PointerToRawData 0x1000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
Entropy 6.19665

.data

MD5 200c6a73f1a1e932c7db531bb411db72
SHA1 20fc8d5ae7d61907f38344ab18a839a53619f951
SHA256 c22f4d62034c298ab3102a8e5e8963938d0b639cd226005d82aa1bfe26be67d3
SHA3 f9f7cc5fe4249a12924b5ec00fc51be46692cb4ce966d29c5e2d5cc62d29f3cb
VirtualSize 0x29990
VirtualAddress 0x6000
SizeOfRawData 0x29990
PointerToRawData 0x6000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 6.50752

.rsrc

MD5 616d25b4d6b22b2bccf1a51a19bc7f51
SHA1 9e2842c7b606270acb13dddc699d4eff4e9bc5c2
SHA256 ded86c896afbb93371eab95547028a89dc073f95c4d204c5b32f3165f39ec185
SHA3 510abd1f41fac9253ed3941136c9d09a7436010784657eb929de30ee77e69682
VirtualSize 0x7a0
VirtualAddress 0x30000
SizeOfRawData 0x7a0
PointerToRawData 0x30000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 3.64922

.idata2

MD5 de557d7c4177caf67c6461f82c4d050e
SHA1 acf7bf1a05bfeac8df16cde96282494c90192735
SHA256 549c70630a2e03d5fbe606f806ce983ba86673b3d487ad57144d6c5021809f03
SHA3 5c4ff3485f511740f462765eb10d09b4c58f0da01252983e0aad9e2fa27c02f6
VirtualSize 0x1000
VirtualAddress 0x31000
SizeOfRawData 0x800
PointerToRawData 0x30800
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 36864
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 4.06373

Imports

kernel32.dll
ExitProcess
GetTickCount
IsBadWritePtr
GetProcAddress
GetModuleHandleA
GetLastError
Sleep
LoadLibraryA
GetCurrentDirectoryA
GetTempPathA
CloseHandle
WriteFile
SetFilePointer
CreateFileA
WaitForSingleObject
GetCurrentProcess
CreateEventA
ExpandEnvironmentStringsA
GetSystemDirectoryA
SetEnvironmentVariableA
SleepEx
IsBadReadPtr
ExitThread
GetExitCodeThread
CreateThread
SetUnhandledExceptionFilter
CreateProcessA
GetStartupInfoA
CopyFileA
GetCommandLineA
GetCurrentThreadId
GetModuleFileNameA
Process32Next
lstrcmpi
Process32First
CreateToolhelp32Snapshot
CreateDirectoryA
DeleteFileA
SetFileAttributesA
GetFileAttributesA
LocalAlloc
InterlockedExchange
RaiseException
FreeLibrary
msvcrt.dll
_itoa
_except_handler3
memset
__CxxFrameHandler
memmove
srand
rand
_ftol
tolower
malloc
strncmp
_exit
_XcptFilter
exit
_acmdln
__getmainargs
_initterm
__setusermatherr
_adjust_fdiv
__p__commode
__p__fmode
__set_app_type
??1type_info@@UAE@XZ
_controlfp
SHLWAPI.dll
PathFileExistsA
SHGetValueA
SHDeleteKeyA
SHCopyKeyA
USER32.dll
GetActiveWindow
wsprintfA
FlashWindow
WS2_32.dll
closesocket
getprotobynumber

Delayed Imports

1

Type RT_ICON
Language Chinese - PRC
Codepage UNKNOWN
Size 0x2ea
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 3.4319
MD5 7e0a1312448bc8ce72d4ca785d01a372
SHA1 bf395a78934e29f5bb86b2511c815e262733218e
SHA256 8f32551949beee37c8895980a889b2626bc6f31fc37dd99cd54376dd27968e3e
SHA3 9d94a5dca3bdfff8c7d01b55c30fa8d1c83fbea416fe661d9dcd4889640d38b3

118

Type RT_GROUP_ICON
Language Chinese - PRC
Codepage UNKNOWN
Size 0x14
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 2.16096
Detected Filetype Icon file
MD5 370606d3b3e5b3ca49795c5ca64e6590
SHA1 eacf05988a48ea58535ee73031b46e751fcaa7b1
SHA256 1911f30279ca3ca4a7f5aa7df361cb39b5ad4ec2860339fad699f8e233abcea1
SHA3 e85e3b62a9adac8af587c4d31e9bbb261f685bea62f192b67f9be103f49827a8

1 (#2)

Type RT_VERSION
Language Chinese - PRC
Codepage UNKNOWN
Size 0x3a4
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 3.48874
MD5 22b92abc3db99043ae35950109f524fb
SHA1 d6ccae7211ae726bb945b2dbc9ba884cba30d417
SHA256 b10d868e1284a2bb5a34368f9afeb9091611a68a3a8f8d1450625b77164f4c09
SHA3 f33990908b3e1d9346b50835afc847e6b18a25610152d3899813b31a02d125d4

Version Info

Signature 0xfeef04bd
StructVersion 0x10000
FileVersion 6.3.4.1
ProductVersion 6.3.4.1
FileFlags (EMPTY)
FileOs VOS_DOS_WINDOWS32
VOS_NT
VOS_NT_WINDOWS32
VOS_WINCE
VOS__WINDOWS32
FileType VFT_APP
Language Chinese - PRC
CompanyName Microsoft Corporation
FileDescription Windows Service Pack Uninstall
FileVersion (#2) 6.3.0004.1 built by: dnsrv
InternalName SPUNINST.EXE
LegalCopyright (C) Microsoft Corporation. All rights reserved.
OriginalFilename SPUNINST.EXE
ProductName Microsoft(R) Windows(R) Operating System
ProductVersion (#2) 6.3.0004.1
Resource LangID Chinese - PRC

TLS Callbacks

Load Configuration

RICH Header

XOR Key 0xaa373b29
Unmarked objects 0
12 (7291) 2
14 (7299) 2
C objects (VS98 build 8168) 11
Linker (VS98 build 8168) 2
Imports (VS2003 (.NET) build 4035) 9
Total imports 130
Resource objects (VS98 cvtres build 1720) 1
C++ objects (VS98 build 8168) 9

Errors

[*] Warning: Could not read the name of the DLL to be delay-loaded!