| Architecture |
IMAGE_FILE_MACHINE_AMD64
|
|---|---|
| Subsystem |
IMAGE_SUBSYSTEM_WINDOWS_GUI
|
| Compilation Date | 2018-Oct-19 18:20:03 |
| Suspicious | Strings found in the binary may indicate undesirable behavior: |
May have dropper capabilities:
|
| Info | Cryptographic algorithms detected in the binary: |
Uses constants related to MD5
Microsoft's Cryptography API |
| Malicious | The PE contains functions mostly used by malware. |
[!] The program may be hiding some of its imports:
|
| Malicious | VirusTotal score: 11/68 (Scanned on 2018-12-03 19:44:23) |
McAfee:
Artemis!F7A78E1763BA
Cylance: Unsafe Invincea: heuristic Symantec: Trojan.Gen.9 Sophos: Mal/Generic-S McAfee-GW-Edition: BehavesLike.Win64.BadFile.fh Trapmine: malicious.moderate.ml.score Microsoft: Trojan:Win32/Zpevdo.A Rising: Trojan.Zpevdo!8.F912 (CLOUD) Cybereason: malicious.6b8631 CrowdStrike: malicious_confidence_70% (W) |
| e_magic | MZ |
|---|---|
| e_cblp | 0x90 |
| e_cp | 0x3 |
| e_crlc | 0 |
| e_cparhdr | 0x4 |
| e_minalloc | 0 |
| e_maxalloc | 0xffff |
| e_ss | 0 |
| e_sp | 0xb8 |
| e_csum | 0 |
| e_ip | 0 |
| e_cs | 0 |
| e_ovno | 0 |
| e_oemid | 0 |
| e_oeminfo | 0 |
| e_lfanew | 0x108 |
| Signature | PE |
|---|---|
| Machine |
IMAGE_FILE_MACHINE_AMD64
|
| NumberofSections | 5 |
| TimeDateStamp | 2018-Oct-19 18:20:03 |
| PointerToSymbolTable | 0 |
| NumberOfSymbols | 0 |
| SizeOfOptionalHeader | 0xf0 |
| Characteristics |
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
|
| Magic | PE32+ |
|---|---|
| LinkerVersion | 14.0 |
| SizeOfCode | 0xb9600 |
| SizeOfInitializedData | 0x46000 |
| SizeOfUninitializedData | 0 |
| AddressOfEntryPoint | 0x0000000000047FE8 (Section: .text) |
| BaseOfCode | 0x1000 |
| ImageBase | 0x140000000 |
| SectionAlignment | 0x1000 |
| FileAlignment | 0x200 |
| OperatingSystemVersion | 6.0 |
| ImageVersion | 0.0 |
| SubsystemVersion | 6.0 |
| Win32VersionValue | 0 |
| SizeOfImage | 0x103000 |
| SizeOfHeaders | 0x400 |
| Checksum | 0 |
| Subsystem |
IMAGE_SUBSYSTEM_WINDOWS_GUI
|
| DllCharacteristics |
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
|
| SizeofStackReserve | 0x100000 |
| SizeofStackCommit | 0x1000 |
| SizeofHeapReserve | 0x100000 |
| SizeofHeapCommit | 0x1000 |
| LoaderFlags | 0 |
| NumberOfRvaAndSizes | 16 |
| ole32.dll |
CoInitialize
CoCreateInstance CoUninitialize CreateStreamOnHGlobal |
|---|---|
| KERNEL32.dll |
Thread32First
GetCurrentThreadId GetCurrentProcessId WaitForSingleObject SuspendThread GetExitCodeThread TerminateThread GetProcAddress GetModuleHandleW GetThreadTimes OpenThread GetModuleFileNameW GetFileAttributesW MultiByteToWideChar LocalFree WideCharToMultiByte CreateActCtxW WriteFile GetTempPathW CreateFileW UnmapViewOfFile DeleteFileW GetTempFileNameW CreateFileMappingW ReleaseActCtx MapViewOfFile ActivateActCtx GetEnvironmentVariableW GetSystemDirectoryW DeactivateActCtx GetSystemWow64DirectoryW Module32FirstW GetCurrentDirectoryW GetWindowsDirectoryW DuplicateHandle Sleep ResetEvent GetTickCount DeviceIoControl GetCurrentThread ReadFile CreateThread OpenProcess GetNativeSystemInfo IsWow64Process WriteProcessMemory VirtualProtectEx GetThreadContext VirtualAllocEx ReadProcessMemory CreateRemoteThread VirtualFreeEx SetThreadContext VirtualQueryEx LoadLibraryW FreeLibrary GetSystemInfo ExitThread FileTimeToSystemTime SystemTimeToTzSpecificLocalTime GetFileInformationByHandle GetDriveTypeW GetSystemTimeAsFileTime Wow64RevertWow64FsRedirection Wow64DisableWow64FsRedirection SetThreadExecutionState ExitProcess DeleteCriticalSection DecodePointer RaiseException CloseHandle lstrcpyA GetLastError Thread32Next CreateToolhelp32Snapshot QueryPerformanceCounter ResumeThread InitializeCriticalSection LeaveCriticalSection GetCurrentProcess EnterCriticalSection CreateNamedPipeW LocalAlloc GetSystemDefaultLocaleName GetSystemTime WaitForMultipleObjects SetEvent CreateEventA GetStdHandle GetStringTypeW SetLastError InitializeCriticalSectionAndSpinCount CreateEventW SwitchToThread TlsAlloc TlsGetValue TlsSetValue GetFileAttributesExW EncodePointer CompareStringW LCMapStringW GetLocaleInfoW GetCPInfo IsDebuggerPresent OutputDebugStringW WaitForSingleObjectEx UnhandledExceptionFilter SetUnhandledExceptionFilter IsProcessorFeaturePresent GetStartupInfoW InitializeSListHead RtlUnwindEx RtlPcToFileHeader LoadLibraryExW GetModuleHandleExW HeapReAlloc HeapFree HeapAlloc GetFileType IsValidLocale GetUserDefaultLCID EnumSystemLocalesW GetTimeZoneInformation HeapSize FindClose FindFirstFileExW FindNextFileW IsValidCodePage GetACP GetOEMCP GetCommandLineA GetCommandLineW GetEnvironmentStringsW FreeEnvironmentStringsW SetEnvironmentVariableW GetProcessHeap SetStdHandle FlushFileBuffers GetConsoleCP GetConsoleMode SetFilePointerEx WriteConsoleW lstrcatA lstrlenA InitializeCriticalSectionEx GetSystemPowerStatus TerminateProcess RtlUnwind SetEndOfFile ReadConsoleW SleepEx GetTickCount64 VerSetConditionMask GetSystemDirectoryA GetModuleHandleA LoadLibraryA VerifyVersionInfoA ExpandEnvironmentStringsA PeekNamedPipe FormatMessageA CreateFileA GetFileSizeEx GetModuleFileNameA FreeLibraryAndExitThread GetFullPathNameW TlsFree |
| USER32.dll |
GetLastInputInfo
wsprintfA wsprintfW |
| ADVAPI32.dll |
RegQueryValueExW
CryptGenRandom CryptGetHashParam CryptReleaseContext CryptAcquireContextA CryptHashData CryptDestroyHash CryptDestroyKey CryptImportKey CryptEncrypt LookupPrivilegeValueW AdjustTokenPrivileges OpenProcessToken RegOpenKeyExW OpenThreadToken CryptCreateHash RegSetValueExW RegCreateKeyW ConvertStringSecurityDescriptorToSecurityDescriptorW RegCloseKey RegOpenKeyW RegEnumValueW |
| SHLWAPI.dll |
StrStrIA
StrTrimA StrChrA SHDeleteKeyW |
| ntdll.dll |
RtlCaptureContext
RtlLookupFunctionEntry RtlVirtualUnwind |
| CRYPT32.dll |
CertCloseStore
CertFindCertificateInStore CertFreeCertificateContext CryptStringToBinaryA CertAddCertificateContextToStore CertGetNameStringA CryptQueryObject CertFreeCertificateChainEngine CertGetCertificateChain CertFreeCertificateChain CertCreateCertificateChainEngine CertOpenStore |
| Normaliz.dll |
IdnToAscii
|
| WLDAP32.dll |
#26
#143 #46 #211 #60 #45 #50 #41 #22 #301 #27 #32 #33 #35 #79 #30 #200 |
| WS2_32.dll |
#14
#115 #116 #111 #23 #151 #18 #112 #16 #19 #2 #3 #4 #5 #6 #7 #9 #15 #21 WSAIoctl getaddrinfo freeaddrinfo #17 #20 #1 #13 #10 #57 #8 |
| Characteristics |
0
|
|---|---|
| TimeDateStamp | 2018-Oct-19 18:20:03 |
| Version | 0.0 |
| SizeofData | 908 |
| AddressOfRawData | 0xe5c54 |
| PointerToRawData | 0xe4654 |
| StartAddressOfRawData | 0x1400e6000 |
|---|---|
| EndAddressOfRawData | 0x1400e6008 |
| AddressOfIndex | 0x1400f6938 |
| AddressOfCallbacks | 0x1400bb940 |
| SizeOfZeroFill | 0 |
| Characteristics |
IMAGE_SCN_ALIGN_4BYTES
|
| Callbacks | (EMPTY) |
| Size | 0x100 |
|---|---|
| TimeDateStamp | 1970-Jan-01 00:00:00 |
| Version | 0.0 |
| GlobalFlagsClear | (EMPTY) |
| GlobalFlagsSet | (EMPTY) |
| CriticalSectionDefaultTimeout | 0 |
| DeCommitFreeBlockThreshold | 0 |
| DeCommitTotalFreeThreshold | 0 |
| LockPrefixTable | 0 |
| MaximumAllocationSize | 0 |
| VirtualMemoryThreshold | 0 |
| ProcessAffinityMask | 0 |
| ProcessHeapFlags | (EMPTY) |
| CSDVersion | 0 |
| Reserved1 | 0 |
| EditList | 0 |
| SecurityCookie | 0x1400f4180 |
| XOR Key | 0xee548e16 |
|---|---|
| Unmarked objects | 0 |
| ASM objects (VS2015/2017 runtime 25711) | 13 |
| C++ objects (VS2015/2017 runtime 25711) | 191 |
| 199 (41118) | 8 |
| ASM objects (VS 2015/2017 runtime 26706) | 9 |
| C++ objects (VS 2015/2017 runtime 26706) | 68 |
| C objects (VS2015/2017 runtime 25711) | 20 |
| C objects (VS 2015/2017 runtime 26706) | 35 |
| C objects (VS2017 v15.8.4 compiler 26729) | 113 |
| Imports (VS2015/2017 runtime 25711) | 23 |
| Total imports | 295 |
| 265 (VS2017 v15.8.4 compiler 26729) | 62 |
| Linker (VS2017 v15.8.4 compiler 26729) | 1 |