f5b12f5f6625413bb87c228282c53f9b
Summary
| Architecture |
IMAGE_FILE_MACHINE_I386
|
|---|---|
| Subsystem |
IMAGE_SUBSYSTEM_WINDOWS_GUI
|
| Compilation Date | 2012-Jan-29 21:32:28 |
| Detected languages |
English - United Kingdom
English - United States |
| FileVersion | 3, 3, 8, 1 |
| CompiledScript | AutoIt v3 Script: 3, 3, 8, 1 |
Plugin Output
| Info | Matching compiler(s): | Microsoft Visual C++ 6.0 - 8.0 |
| Suspicious | Strings found in the binary may indicate undesirable behavior: |
Looks for Qemu presence:
|
| Info | Cryptographic algorithms detected in the binary: |
Uses constants related to CRC32
Uses constants related to MD5 Uses known Mersenne Twister constants |
| Malicious | The PE contains functions mostly used by malware. |
[!] The program may be hiding some of its imports:
|
| Suspicious | The file contains overlay data. |
837798 bytes of data starting at offset 0xb1c00.
The overlay data has an entropy of 7.99974 and is possibly compressed or encrypted. |
| Malicious | VirusTotal score: 50/69 (Scanned on 2022-05-13 20:46:48) |
Bkav:
W32.AIDetect.malware2
Lionic: Trojan.Win32.Inject.4!c tehtris: Generic.Malware MicroWorld-eScan: Trojan.Autoit.AXK ALYac: Trojan.Autoit.AXK Cylance: Unsafe Sangfor: Trojan.Win32.Autoit.AXK K7AntiVirus: Trojan ( 0055e3991 ) Alibaba: Trojan:Win32/Predator.ali2000022 K7GW: Trojan ( 0055e3991 ) Cybereason: malicious.f66254 Arcabit: Trojan.Autoit.AXK Symantec: Trojan.Gen.6 Elastic: malicious (high confidence) ESET-NOD32: multiple detections APEX: Malicious Paloalto: generic.ml Kaspersky: Trojan.Win32.Inject.ewwq BitDefender: Trojan.Autoit.AXK NANO-Antivirus: Trojan.Win32.TrjGen.bcljuy Avast: AutoIt:Agent-IO [Trj] Tencent: Win32.Trojan.Inject.Eegv Ad-Aware: Trojan.Autoit.AXK TACHYON: Trojan/W32.Inject.1565862 Emsisoft: Trojan.Autoit.AXK (B) Comodo: Malware@#2rh3yrgep5ab1 DrWeb: Trojan.Siggen2.24588 Zillya: Dropper.Autoit.Win32.914 TrendMicro: TROJ_MALAGENT.NTIM McAfee-GW-Edition: BehavesLike.Win32.AutoitDropper.tc FireEye: Generic.mg.f5b12f5f6625413b Sophos: Generic ML PUA (PUA) Ikarus: Worm.Win32.AutoIt Jiangmin: TrojanDropper.Autoit.afy Webroot: W32.Malware.Gen Avira: HEUR/AGEN.1213919 Microsoft: Backdoor:Win32/Fynloski GData: Trojan.Autoit.AXK (2x) Cynet: Malicious (score: 100) McAfee: Artemis!F5B12F5F6625 VBA32: Trojan.Autoit.F Malwarebytes: Trojan.Injector.AutoIt TrendMicro-HouseCall: TROJ_MALAGENT.NTIM Rising: Trojan.Obfus/Autoit!1.C075 (CLASSIC) MaxSecure: Trojan.Autoit.AZA Fortinet: W32/Injector.ADH!tr BitDefenderTheta: AI:Packer.420FF19216 AVG: AutoIt:Agent-IO [Trj] Panda: Trj/CI.A CrowdStrike: win/malicious_confidence_90% (W) |
Hashes
DOS Header
| e_magic | MZ |
|---|---|
| e_cblp | 0x90 |
| e_cp | 0x3 |
| e_crlc | 0 |
| e_cparhdr | 0x4 |
| e_minalloc | 0 |
| e_maxalloc | 0xffff |
| e_ss | 0 |
| e_sp | 0xb8 |
| e_csum | 0 |
| e_ip | 0 |
| e_cs | 0 |
| e_ovno | 0 |
| e_oemid | 0 |
| e_oeminfo | 0 |
| e_lfanew | 0xf8 |
PE Header
| Signature | PE |
|---|---|
| Machine |
IMAGE_FILE_MACHINE_I386
|
| NumberofSections | 4 |
| TimeDateStamp | 2012-Jan-29 21:32:28 |
| PointerToSymbolTable | 0 |
| NumberOfSymbols | 0 |
| SizeOfOptionalHeader | 0xe0 |
| Characteristics |
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_RELOCS_STRIPPED
|
Image Optional Header
| Magic | PE32 |
|---|---|
| LinkerVersion | 10.0 |
| SizeOfCode | 0x80800 |
| SizeOfInitializedData | 0x1dc00 |
| SizeOfUninitializedData | 0 |
| AddressOfEntryPoint | 0x000165C1 (Section: .text) |
| BaseOfCode | 0x1000 |
| BaseOfData | 0x82000 |
| ImageBase | 0x400000 |
| SectionAlignment | 0x1000 |
| FileAlignment | 0x200 |
| OperatingSystemVersion | 5.0 |
| ImageVersion | 0.0 |
| SubsystemVersion | 5.0 |
| Win32VersionValue | 0 |
| SizeOfImage | 0xc8000 |
| SizeOfHeaders | 0x400 |
| Checksum | 0xa961f |
| Subsystem |
IMAGE_SUBSYSTEM_WINDOWS_GUI
|
| DllCharacteristics |
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
|
| SizeofStackReserve | 0x400000 |
| SizeofStackCommit | 0x1000 |
| SizeofHeapReserve | 0x400000 |
| SizeofHeapCommit | 0x1000 |
| LoaderFlags | 0 |
| NumberOfRvaAndSizes | 16 |
.text
.rdata
.data
.rsrc
Imports
| WSOCK32.dll |
__WSAFDIsSet
setsockopt ntohs recvfrom sendto htons select listen WSAStartup bind closesocket connect socket send WSACleanup ioctlsocket accept WSAGetLastError inet_addr gethostbyname gethostname recv |
|---|---|
| VERSION.dll |
VerQueryValueW
GetFileVersionInfoW GetFileVersionInfoSizeW |
| WINMM.dll |
timeGetTime
waveOutSetVolume mciSendStringW |
| COMCTL32.dll |
ImageList_Remove
ImageList_SetDragCursorImage ImageList_BeginDrag ImageList_DragEnter ImageList_DragLeave ImageList_EndDrag ImageList_DragMove ImageList_ReplaceIcon ImageList_Create InitCommonControlsEx ImageList_Destroy |
| MPR.dll |
WNetCancelConnection2W
WNetGetConnectionW WNetAddConnection2W WNetUseConnectionW |
| WININET.dll |
InternetReadFile
InternetCloseHandle InternetOpenW InternetSetOptionW InternetCrackUrlW HttpQueryInfoW InternetConnectW HttpOpenRequestW HttpSendRequestW FtpOpenFileW FtpGetFileSize InternetOpenUrlW InternetQueryOptionW InternetQueryDataAvailable |
| PSAPI.DLL |
EnumProcesses
GetModuleBaseNameW GetProcessMemoryInfo EnumProcessModules |
| USERENV.dll |
CreateEnvironmentBlock
DestroyEnvironmentBlock UnloadUserProfile LoadUserProfileW |
| KERNEL32.dll |
HeapAlloc
Sleep GetCurrentThreadId RaiseException MulDiv GetVersionExW GetSystemInfo InterlockedIncrement InterlockedDecrement WideCharToMultiByte lstrcpyW MultiByteToWideChar lstrlenW lstrcmpiW GetModuleHandleW QueryPerformanceCounter VirtualFreeEx OpenProcess VirtualAllocEx WriteProcessMemory ReadProcessMemory CreateFileW SetFilePointerEx ReadFile WriteFile FlushFileBuffers TerminateProcess CreateToolhelp32Snapshot Process32FirstW Process32NextW SetFileTime GetFileAttributesW FindFirstFileW FindClose DeleteFileW FindNextFileW MoveFileW CopyFileW CreateDirectoryW RemoveDirectoryW GetProcessHeap QueryPerformanceFrequency FindResourceW LoadResource LockResource SizeofResource EnumResourceNamesW OutputDebugStringW GetLocalTime CompareStringW DeleteCriticalSection EnterCriticalSection LeaveCriticalSection InitializeCriticalSectionAndSpinCount GetStdHandle CreatePipe InterlockedExchange TerminateThread GetTempPathW GetTempFileNameW VirtualFree FormatMessageW GetExitCodeProcess SetErrorMode GetPrivateProfileStringW WritePrivateProfileStringW GetPrivateProfileSectionW WritePrivateProfileSectionW GetPrivateProfileSectionNamesW FileTimeToLocalFileTime FileTimeToSystemTime SystemTimeToFileTime LocalFileTimeToFileTime GetDriveTypeW GetDiskFreeSpaceExW GetDiskFreeSpaceW GetVolumeInformationW SetVolumeLabelW CreateHardLinkW DeviceIoControl SetFileAttributesW GetShortPathNameW CreateEventW SetEvent GetEnvironmentVariableW SetEnvironmentVariableW GlobalLock GlobalUnlock GlobalAlloc GetFileSize GlobalFree GlobalMemoryStatusEx Beep GetSystemDirectoryW GetComputerNameW GetWindowsDirectoryW GetCurrentProcessId GetCurrentThread GetProcessIoCounters CreateProcessW SetPriorityClass LoadLibraryW VirtualAlloc LoadLibraryExW HeapFree WaitForSingleObject CreateThread DuplicateHandle GetLastError CloseHandle GetCurrentProcess GetProcAddress LoadLibraryA FreeLibrary GetModuleFileNameW GetFullPathNameW SetCurrentDirectoryW IsDebuggerPresent GetCurrentDirectoryW ExitProcess ExitThread GetSystemTimeAsFileTime ResumeThread GetTimeFormatW GetDateFormatW GetCommandLineW GetStartupInfoW IsProcessorFeaturePresent HeapSize GetCPInfo GetACP GetOEMCP IsValidCodePage TlsAlloc TlsGetValue TlsSetValue TlsFree SetLastError UnhandledExceptionFilter SetUnhandledExceptionFilter GetStringTypeW HeapCreate SetHandleCount GetFileType SetStdHandle GetConsoleCP GetConsoleMode LCMapStringW RtlUnwind SetFilePointer GetTimeZoneInformation FreeEnvironmentStringsW GetEnvironmentStringsW GetTickCount HeapReAlloc WriteConsoleW SetEndOfFile SetSystemPowerState SetEnvironmentVariableA |
| USER32.dll |
GetCursorInfo
RegisterHotKey ClientToScreen GetKeyboardLayoutNameW IsCharAlphaW IsCharAlphaNumericW IsCharLowerW IsCharUpperW GetMenuStringW GetSubMenu GetCaretPos IsZoomed MonitorFromPoint GetMonitorInfoW SetWindowLongW SetLayeredWindowAttributes FlashWindow GetClassLongW TranslateAcceleratorW IsDialogMessageW GetSysColor InflateRect DrawFocusRect DrawTextW FrameRect DrawFrameControl FillRect PtInRect DestroyAcceleratorTable CreateAcceleratorTableW SetCursor GetWindowDC GetSystemMetrics GetActiveWindow CharNextW wsprintfW RedrawWindow DrawMenuBar DestroyMenu SetMenu GetWindowTextLengthW CreateMenu IsDlgButtonChecked DefDlgProcW ReleaseCapture SetCapture WindowFromPoint LoadImageW CreateIconFromResourceEx mouse_event ExitWindowsEx SetActiveWindow FindWindowExW EnumThreadWindows SetMenuDefaultItem InsertMenuItemW IsMenu TrackPopupMenuEx GetCursorPos DeleteMenu CheckMenuRadioItem SetWindowPos GetMenuItemCount SetMenuItemInfoW GetMenuItemInfoW SetForegroundWindow IsIconic FindWindowW SystemParametersInfoW TranslateMessage SendInput GetAsyncKeyState SetKeyboardState GetKeyboardState GetKeyState VkKeyScanW LoadStringW DialogBoxParamW MessageBeep EndDialog SendDlgItemMessageW GetDlgItem SetWindowTextW CopyRect ReleaseDC GetDC EndPaint BeginPaint GetClientRect GetMenu DestroyWindow EnumWindows GetDesktopWindow IsWindow IsWindowEnabled IsWindowVisible EnableWindow InvalidateRect GetWindowLongW AttachThreadInput GetFocus GetWindowTextW ScreenToClient SendMessageTimeoutW EnumChildWindows CharUpperBuffW GetClassNameW GetParent GetDlgCtrlID SendMessageW MapVirtualKeyW PostMessageW GetWindowRect SetUserObjectSecurity GetUserObjectSecurity CloseDesktop CloseWindowStation OpenDesktopW SetProcessWindowStation GetProcessWindowStation OpenWindowStationW MessageBoxW DefWindowProcW CopyImage AdjustWindowRectEx SetRect SetClipboardData EmptyClipboard CountClipboardFormats CloseClipboard GetClipboardData IsClipboardFormatAvailable OpenClipboard BlockInput GetMessageW LockWindowUpdate GetMenuItemID DispatchMessageW MoveWindow SetFocus PostQuitMessage KillTimer CreatePopupMenu RegisterWindowMessageW SetTimer ShowWindow CreateWindowExW RegisterClassExW LoadIconW LoadCursorW GetSysColorBrush GetForegroundWindow MessageBoxA DestroyIcon PeekMessageW UnregisterHotKey CharLowerBuffW keybd_event MonitorFromRect GetWindowThreadProcessId |
| GDI32.dll |
DeleteObject
AngleArc GetTextExtentPoint32W ExtCreatePen StrokeAndFillPath StrokePath EndPath SetPixel CloseFigure CreateCompatibleBitmap CreateCompatibleDC SelectObject StretchBlt GetDIBits GetDeviceCaps MoveToEx DeleteDC GetPixel CreateDCW Ellipse PolyDraw BeginPath Rectangle SetViewportOrgEx GetObjectW SetBkMode RoundRect SetBkColor CreatePen CreateSolidBrush SetTextColor CreateFontW GetTextFaceW GetStockObject LineTo |
| COMDLG32.dll |
GetSaveFileNameW
GetOpenFileNameW |
| ADVAPI32.dll |
RegEnumValueW
RegDeleteValueW RegDeleteKeyW RegEnumKeyExW RegSetValueExW RegCreateKeyExW GetUserNameW RegConnectRegistryW CloseServiceHandle UnlockServiceDatabase OpenThreadToken OpenProcessToken LookupPrivilegeValueW DuplicateTokenEx CreateProcessAsUserW CreateProcessWithLogonW InitializeSecurityDescriptor InitializeAcl GetLengthSid CopySid LogonUserW LockServiceDatabase GetTokenInformation GetSecurityDescriptorDacl GetAclInformation GetAce AddAce SetSecurityDescriptorDacl RegOpenKeyExW RegQueryValueExW AdjustTokenPrivileges InitiateSystemShutdownExW OpenSCManagerW RegCloseKey |
| SHELL32.dll |
DragQueryPoint
ShellExecuteExW SHGetFolderPathW DragQueryFileW SHEmptyRecycleBinW SHBrowseForFolderW SHFileOperationW SHGetPathFromIDListW SHGetDesktopFolder SHGetMalloc ExtractIconExW Shell_NotifyIconW ShellExecuteW DragFinish |
| ole32.dll |
OleSetMenuDescriptor
MkParseDisplayName OleSetContainedObject CLSIDFromString StringFromGUID2 CoInitialize CoUninitialize CoCreateInstance CreateStreamOnHGlobal CoTaskMemAlloc CoTaskMemFree ProgIDFromCLSID OleInitialize CreateBindCtx CLSIDFromProgID CoInitializeSecurity CoCreateInstanceEx CoSetProxyBlanket OleUninitialize IIDFromString |
| OLEAUT32.dll |
VariantChangeType
VariantCopyInd DispCallFunc CreateStdDispatch CreateDispTypeInfo SysFreeString SafeArrayDestroyDescriptor SafeArrayDestroyData SafeArrayUnaccessData SysStringLen SafeArrayAllocData GetActiveObject QueryPathOfRegTypeLib SafeArrayAllocDescriptorEx SafeArrayCreateVector SysAllocString VariantCopy VariantClear VariantTimeToSystemTime VarR8FromDec SafeArrayGetVartype OleLoadPicture SafeArrayAccessData VariantInit |
Delayed Imports
1
2
3
4
5
6
7
8
166
1000
7 (#2)
8 (#2)
9
10
11
12
313
99
162
164
169
1 (#2)
1 (#3)
String Table contents
| (Paused) |
| AutoIt Error |
| AutoIt has detected the stack has become corrupt. |
| Stack corruption typically occurs when either the wrong calling convention is used or when the function is called with the wrong number of arguments. |
| AutoIt supports the __stdcall (WINAPI) and __cdecl calling conventions. The __stdcall (WINAPI) convention is used by default but __cdecl can be used instead. See the DllCall() documentation for details on changing the calling convention. |
| Badly formatted "Func" statement. |
| Missing right bracket ')' in expression. |
| Missing operator in expression. |
| Unbalanced brackets in expression. |
| Error in expression. |
| Error parsing function call. |
| Incorrect number of parameters in function call. |
| "ReDim" used without an array variable. |
| Illegal text at the end of statement (one statement per line). |
| "If" statement has no matching "EndIf" statement. |
| "Else" statement with no matching "If" statement. |
| "EndIf" statement with no matching "If" statement. |
| Too many "Else" statements for matching "If" statement. |
| "While" statement has no matching "Wend" statement. |
| "Wend" statement with no matching "While" statement. |
| Variable used without being declared. |
| Array variable has incorrect number of subscripts or subscript dimension range exceeded. |
| Array variable subscript badly formatted. |
| Subscript used with non-Array variable. |
| Too many subscripts used for an array. |
| Missing subscript dimensions in "Dim" statement. |
| No variable given for "Dim", "Local", "Global", "Struct" or "Const" statement. |
| Expected a "=" operator in assignment statement. |
| Invalid keyword at the start of this line. |
| Array maximum size exceeded. |
| "Func" statement has no matching "EndFunc". |
| Duplicate function name. |
| Unknown function name. |
| Unknown macro. |
| Unable to get a list of running processes. |
| Unable to get the process token. |
| Invalid element in a DllStruct. |
| Unknown option or bad parameter specified. |
| Unable to load the internet libraries. |
| "Struct" statement has no matching "EndStruct". |
| Unable to open file, the maximum number of open files has been exceeded. |
| "ContinueLoop" statement with no matching "While", "Do" or "For" statement. |
| Invalid file filter given. |
| Expected a variable in user function call. |
| "Do" statement has no matching "Until" statement. |
| "Until" statement with no matching "Do" statement. |
| "For" statement is badly formatted. |
| "Next" statement with no matching "For" statement. |
| "ExitLoop/ContinueLoop" statements only valid from inside a For/Do/While loop. |
| "For" statement has no matching "Next" statement. |
| "Case" statement with no matching "Select"or "Switch" statement. |
| "EndSelect" statement with no matching "Select" statement. |
| Recursion level has been exceeded - AutoIt will quit to prevent stack overflow. |
| Cannot make existing variables static. |
| Cannot make static variables into regular variables. |
| Badly formated Enum statement |
| This keyword cannot be used after a "Then" keyword. |
| "Select" statement is missing "EndSelect" or "Case" statement. |
| "If" statements must have a "Then" keyword. |
| Badly formated Struct statement. |
| Cannot assign values to constants. |
| Cannot make existing variables into constants. |
| Only Object-type variables allowed in a "With" statement. |
| "long_ptr", "int_ptr" and "short_ptr" DllCall() types have been deprecated. Use "long*", "int*" and "short*" instead. |
| Object referenced outside a "With" statement. |
| Nested "With" statements are not allowed. |
| Variable must be of type "Object". |
| The requested action with this object has failed. |
| Variable appears more than once in function declaration. |
| ReDim array can not be initialized in this manner. |
| An array variable can not be used in this manner. |
| Can not redeclare a constant. |
| Can not redeclare a parameter inside a user function. |
| Can pass constants by reference only to parameters with "Const" keyword. |
| Can not initialize a variable with itself. |
| Incorrect way to use this parameter. |
| "EndSwitch" statement with no matching "Switch" statement. |
| "Switch" statement is missing "EndSwitch" or "Case" statement. |
| "ContinueCase" statement with no matching "Select"or "Switch" statement. |
| Assert Failed! |
| Obsolete function/parameter. |
| Invalid Exitcode (reserved for AutoIt internal use). |
| Unable to parse line. |
| Unable to open the script file. |
| String missing closing quote. |
| Badly formated variable or macro. |
| Missing separator character after keyword. |
Version Info
| Signature | 0xfeef04bd |
|---|---|
| StructVersion | 0x10000 |
| FileVersion | 3.3.8.1 |
| ProductVersion | 3.3.8.1 |
| FileFlags | (EMPTY) |
| FileOs |
VOS_DOS_WINDOWS32
VOS_NT_WINDOWS32
VOS__WINDOWS32
|
| FileType |
VFT_UNKNOWN
|
| Language | English - United Kingdom |
| FileVersion (#2) | 3, 3, 8, 1 |
| CompiledScript | AutoIt v3 Script: 3, 3, 8, 1 |
| Resource LangID | English - United Kingdom |
|---|
TLS Callbacks
Load Configuration
RICH Header
| XOR Key | 0xecfa7f86 |
|---|---|
| Unmarked objects | 0 |
| 152 (20115) | 2 |
| C objects (VS2010 SP1 build 40219) | 175 |
| C++ objects (VS2010 SP1 build 40219) | 53 |
| C objects (VS2008 SP1 build 30729) | 9 |
| Imports (VS2008 SP1 build 30729) | 33 |
| Total imports | 528 |
| 180 (VS2010 SP1 build 40219) | 72 |
| ASM objects (VS2010 SP1 build 40219) | 28 |
| Resource objects (VS2010 SP1 build 40219) | 1 |
| 151 | 1 |
| Linker (VS2010 SP1 build 40219) | 1 |