f599ad38f378a5e96f97d26d27dd8fd1

Summary

Architecture IMAGE_FILE_MACHINE_I386
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date 2019-May-10 11:17:51
Detected languages English - United Kingdom
English - United States
CompanyName Barcrest Group
FileDescription XPEsecure BarBoot
FileVersion 4,6,0,44490
InternalName XPEsecure BarBoot
LegalCopyright Copyright © 2004
OriginalFilename BarBoot.exe
ProductName XPE Shell
ProductVersion 4,6,0,44490

Plugin Output

Info Matching compiler(s): Microsoft Visual C++ 6.0 - 8.0
Suspicious Strings found in the binary may indicate undesirable behavior: Contains references to system / monitoring tools:
  • control.exe
May have dropper capabilities:
  • CurrentControlSet\Services
  • CurrentVersion\Run
Info Cryptographic algorithms detected in the binary: Uses constants related to MD5
Microsoft's Cryptography API
Malicious The PE contains functions mostly used by malware. [!] The program may be hiding some of its imports:
  • LoadLibraryW
  • LoadLibraryA
  • GetProcAddress
Can access the registry:
  • RegCloseKey
  • RegSetValueExA
  • RegEnumKeyExA
  • RegCreateKeyExA
  • RegOpenKeyExA
  • RegQueryValueExA
Possibly launches other programs:
  • WinExec
  • CreateProcessA
Uses Microsoft's cryptographic API:
  • CryptEncrypt
  • CryptDecrypt
  • CryptAcquireContextA
  • CryptCreateHash
  • CryptHashData
  • CryptDeriveKey
  • CryptDestroyHash
  • CryptDestroyKey
  • CryptReleaseContext
Functions related to the privilege level:
  • OpenProcessToken
  • AdjustTokenPrivileges
Enumerates local disk drives:
  • GetDriveTypeA
Can shut the system down or lock the screen:
  • InitiateSystemShutdownA
Suspicious No VirusTotal score. This file has never been scanned on VirusTotal.

Hashes

MD5 f599ad38f378a5e96f97d26d27dd8fd1
SHA1 4129e454aecacda1e4ade19f3753f5c6f6e0de2a
SHA256 36fbe924b1f411214680d93b0ab436550e4b0883470ac7f740be7a33fec97dcd
SHA3 4dd95c75302ee78375c9657769347d24ebcae66b5136ade2296528a6125d941b
SSDeep 3072:5IkktiPx4uvWWACFXSzgKGlTkEZ4APOWFw/jzIZsYEDnPPas2UYMjH/tZeF3dSr:6kktiPqVCFizl6kGBGWFuzIsuMRZq3
Imports Hash 22a3ed0bda48209755db7c6ceeccf235

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0xe8

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_I386
NumberofSections 5
TimeDateStamp 2019-May-10 11:17:51
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xe0
Characteristics IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE

Image Optional Header

Magic PE32
LinkerVersion 10.0
SizeOfCode 0x25a00
SizeOfInitializedData 0x12200
SizeOfUninitializedData 0
AddressOfEntryPoint 0x000171EC (Section: .text)
BaseOfCode 0x1000
BaseOfData 0x27000
ImageBase 0x400000
SectionAlignment 0x1000
FileAlignment 0x200
OperatingSystemVersion 5.1
ImageVersion 0.0
SubsystemVersion 5.1
Win32VersionValue 0
SizeOfImage 0x3d000
SizeOfHeaders 0x400
Checksum 0x3de1f
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
DllCharacteristics IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
SizeofStackReserve 0x100000
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

.text

MD5 24c46b26bf5497a6eebf374e01bb60d2
SHA1 841d267ec1fc1988f5d0afb24e6bedabf7f263e8
SHA256 2c9a2651ab14aa8d05d67930770b893d86c82699cf5f6f9d95ff86bde222a5fa
SHA3 c51e75cf64a22b4272c7d1973154f36ea7ef8f9961a1a885057ac094c886f4cf
VirtualSize 0x25993
VirtualAddress 0x1000
SizeOfRawData 0x25a00
PointerToRawData 0x400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
Entropy 6.52979

.rdata

MD5 29ef133f8a7feed061548adf9cf6ccdb
SHA1 30f23263b752378dff2f313e6ffc397047306dfb
SHA256 df72db2a9666ea82bd516e5aed5583a5155daa92f0b3a44642bb987cab823666
SHA3 409c30a05dfdbca7c19755d963eac239caed0c8551bf048c6f99aed7bfcc6ce9
VirtualSize 0xa125
VirtualAddress 0x27000
SizeOfRawData 0xa200
PointerToRawData 0x25e00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 5.22327

.data

MD5 cdbb01bda6a4bcb03ade8a4c9a678e9c
SHA1 d7d80543233b6ebf20e260b4a7ca629b7f1d18e3
SHA256 6e2ec8d7de2332253d70fec38503446584ed54d6a1810dfd4292e2d020d09c4f
SHA3 c26dc2e739fade1f9043ffac3ac63e913eb78b539dd1963cdfd68593b26ee02c
VirtualSize 0x5f44
VirtualAddress 0x32000
SizeOfRawData 0x4000
PointerToRawData 0x30000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 3.93845

.rsrc

MD5 6c52baf2e77736552f33748bab153537
SHA1 de7b4b4ddace6afecd7ef72cca28f1369244c516
SHA256 1e96782c65abb39247282a2405e3308c36901d46c5a95dd6b1e121e58f311574
SHA3 ddde4ed3e3453b2113a44e1d718eba2bb8fa395e1a6241435cdd24ac8c38edd4
VirtualSize 0x4dc
VirtualAddress 0x38000
SizeOfRawData 0x600
PointerToRawData 0x34000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 4.57872

.reloc

MD5 8e11aeaef3c2b2cfe51969ed3db757fc
SHA1 b7c960898d395ebbb37810dcb57ed9cf725f9152
SHA256 4e902ec807522bde9079469f36780e0b87580453908de1eb49380cfeac888727
SHA3 5456541b301a1b7151c7368b9949097ed5cba689bcf42176a52165fd6809269a
VirtualSize 0x390e
VirtualAddress 0x39000
SizeOfRawData 0x3a00
PointerToRawData 0x34600
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Entropy 5.5208

Imports

KERNEL32.dll GetEnvironmentVariableA
GetComputerNameA
HeapFree
HeapAlloc
GetProcessHeap
GetVersionExA
FlushFileBuffers
GetDriveTypeA
GetCurrentProcess
WriteFile
SetFilePointerEx
GetFileSizeEx
SetEndOfFile
SetFilePointer
SetEnvironmentVariableA
LoadLibraryW
OutputDebugStringW
GetVersionExW
WriteConsoleW
GetStringTypeW
HeapSize
GetConsoleMode
WinExec
GetCurrentProcessId
GetTickCount
QueryPerformanceCounter
GetEnvironmentStringsW
FreeEnvironmentStringsW
HeapCreate
GetModuleFileNameW
DeleteCriticalSection
GetStdHandle
SetHandleCount
MultiByteToWideChar
LCMapStringW
SetLastError
GetLocalTime
TerminateProcess
GetExitCodeProcess
FormatMessageA
CreateFileA
GetFileSize
ReadFile
MoveFileA
GetTempFileNameA
DeleteFileA
SetFileAttributesA
GetModuleHandleA
GetModuleFileNameA
FindFirstFileA
CreateDirectoryA
FindNextFileA
FindClose
GetCurrentDirectoryA
SetCurrentDirectoryA
CreateProcessA
WaitForSingleObject
CloseHandle
CopyFileA
LoadLibraryA
GetProcAddress
Sleep
FreeLibrary
GetFileAttributesA
RemoveDirectoryA
MoveFileExA
WideCharToMultiByte
IsValidCodePage
GetOEMCP
GetACP
GetCPInfo
InterlockedDecrement
GetCurrentThreadId
InterlockedIncrement
TlsFree
TlsSetValue
TlsGetValue
TlsAlloc
GetLastError
GetConsoleCP
GetSystemTimeAsFileTime
RtlUnwind
RaiseException
HeapReAlloc
GetModuleHandleW
ExitProcess
DecodePointer
GetCommandLineA
HeapSetInformation
GetStartupInfoW
EncodePointer
SetStdHandle
EnterCriticalSection
InitializeCriticalSectionAndSpinCount
LeaveCriticalSection
GetFileType
IsProcessorFeaturePresent
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
CreateFileW
USER32.dll RegisterClassExA
CreateWindowExA
UpdateWindow
ShowWindow
GetSystemMetrics
MessageBeep
MessageBoxA
ShowCursor
GetKeyState
SetCursor
SetCursorPos
DefWindowProcA
EnumDisplaySettingsA
ChangeDisplaySettingsA
DestroyWindow
UnregisterClassA
GetDC
GetClientRect
FillRect
ReleaseDC
PeekMessageA
TranslateMessage
DispatchMessageA
GDI32.dll LineTo
SelectObject
MoveToEx
CreatePen
GetTextExtentPoint32A
TextOutA
DeleteObject
CreateSolidBrush
COMDLG32.dll GetOpenFileNameA
ADVAPI32.dll RegCloseKey
RegSetValueExA
CryptEncrypt
CryptDecrypt
CryptAcquireContextA
CryptCreateHash
CryptHashData
CryptDeriveKey
CryptDestroyHash
CryptDestroyKey
CryptReleaseContext
OpenProcessToken
LookupPrivilegeValueA
AdjustTokenPrivileges
InitiateSystemShutdownA
RegEnumKeyExA
RegCreateKeyExA
RegOpenKeyExA
RegQueryValueExA
SHELL32.dll SHFileOperationA
VERSION.dll GetFileVersionInfoSizeA
VerQueryValueA
GetFileVersionInfoA
POWRPROF.dll GetActivePwrScheme
GetCurrentPowerPolicies
SetActivePwrScheme
WINMM.dll timeGetTime
IPHLPAPI.DLL GetAdaptersAddresses

Delayed Imports

?Delete_Dir@@YAXPBD@Z

Ordinal 1
Address 0xb5e0

?Enumerate@@YAHPAW4CXPE_Catagory@@HPBDHPAVCXPE_Installer_PFE@@@Z

Ordinal 2
Address 0xb2b0

?GetBPakFileInfo@@YA?AW4CXPE_Result@@PBDPAVCXPE_File_Package_Info_Handler@@0_N@Z

Ordinal 3
Address 0xb370

?GetBPakHeader@@YA?AW4CXPE_Result@@PBDPAVCXPE_File_Hdr@@@Z

Ordinal 4
Address 0xb430

?GetBpakFileType@@YA?AW4CXPE_Catagory@@PBD@Z

Ordinal 5
Address 0xedc0

?Unpack@@YA?AW4CXPE_Result@@PBD00PAVCXPE_Progress@@_NPAVCXPE_File_Package_Info_Handler@@@Z

Ordinal 6
Address 0xb1c0

1

Type RT_VERSION
Language English - United Kingdom
Codepage Latin 1 / Western European
Size 0x2e0
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 3.46753
MD5 32fc708df6e0bc410cc6affd32c28818
SHA1 8a1ed3ca7958acb9cb1149b1ce356c6b862cdfa0
SHA256 0e4e0ebbeab1d1bcfe61ec6f13309359914048a25b57eefcc7df3ab384e89f67
SHA3 ea448f64fd240244be622d338dd13ca239372c66d15941b6a1724aa0cc58b134

1 (#2)

Type RT_MANIFEST
Language English - United States
Codepage Latin 1 / Western European
Size 0x15a
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 4.79597
MD5 24d3b502e1846356b0263f945ddd5529
SHA1 bac45b86a9c48fc3756a46809c101570d349737d
SHA256 49a60be4b95b6d30da355a0c124af82b35000bce8f24f957d1c09ead47544a1e
SHA3 1244ed60820da52dc4b53880ec48e3b587dbdbd9545f01fa2b1c0fcfea1d5e9e

Version Info

Signature 0xfeef04bd
StructVersion 0x10000
FileVersion 4.6.0.44490
ProductVersion 4.6.0.44490
FileFlags (EMPTY)
FileOs VOS_DOS_WINDOWS32
VOS_NT
VOS_NT_WINDOWS32
VOS_WINCE
VOS__WINDOWS32
FileType VFT_APP
Language English - United Kingdom
CompanyName Barcrest Group
FileDescription XPEsecure BarBoot
FileVersion (#2) 4,6,0,44490
InternalName XPEsecure BarBoot
LegalCopyright Copyright © 2004
OriginalFilename BarBoot.exe
ProductName XPE Shell
ProductVersion (#2) 4,6,0,44490
Resource LangID English - United Kingdom

TLS Callbacks

Load Configuration

Size 0x48
TimeDateStamp 1970-Jan-01 00:00:00
Version 0.0
GlobalFlagsClear (EMPTY)
GlobalFlagsSet (EMPTY)
CriticalSectionDefaultTimeout 0
DeCommitFreeBlockThreshold 0
DeCommitTotalFreeThreshold 0
LockPrefixTable 0
MaximumAllocationSize 0
VirtualMemoryThreshold 0
ProcessAffinityMask 0
ProcessHeapFlags (EMPTY)
CSDVersion 0
Reserved1 0
EditList 0
SecurityCookie 0x434c68
SEHandlerTable 0x42eb50
SEHandlerCount 60

RICH Header

XOR Key 0x7857d3
Unmarked objects 0
ASM objects (VS2010 SP1 build 40219) 24
Imports (VS2008 SP1 build 30729) 21
Total imports 177
175 (VS2010 SP1 build 40219) 3
C objects (VS2010 SP1 build 40219) 142
C++ objects (VS2010 SP1 build 40219) 72
Exports (VS2010 SP1 build 40219) 1
Resource objects (VS2010 SP1 build 40219) 1
Linker (VS2010 SP1 build 40219) 1

Errors
