f7a78e1763baf83357fa78521383e5bf

Summary

Architecture IMAGE_FILE_MACHINE_AMD64
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date 2018-Oct-19 18:20:03

Plugin Output

Suspicious Strings found in the binary may indicate undesirable behavior: May have dropper capabilities:
  • CurrentControlSet\Services
Info Cryptographic algorithms detected in the binary:
  • Uses constants related to MD5
  • Microsoft's Cryptography API
Malicious The PE contains functions mostly used by malware. [!] The program may be hiding some of its imports:
  • GetProcAddress
  • LoadLibraryW
  • LoadLibraryExW
  • LoadLibraryA
Functions which can be used for anti-debugging purposes:
  • CreateToolhelp32Snapshot
  • QueryPerformanceCounter
  • SwitchToThread
Code injection capabilities:
  • OpenProcess
  • WriteProcessMemory
  • VirtualAllocEx
  • CreateRemoteThread
Code injection capabilities (process hollowing):
  • WriteProcessMemory
  • SetThreadContext
  • ResumeThread
Can access the registry:
  • RegQueryValueExW
  • RegOpenKeyExW
  • RegSetValueExW
  • RegCreateKeyW
  • RegCloseKey
  • RegOpenKeyW
  • RegEnumValueW
  • SHDeleteKeyW
Uses Microsoft's cryptographic API:
  • CryptGenRandom
  • CryptGetHashParam
  • CryptReleaseContext
  • CryptAcquireContextA
  • CryptHashData
  • CryptDestroyHash
  • CryptDestroyKey
  • CryptImportKey
  • CryptEncrypt
  • CryptCreateHash
  • CryptStringToBinaryA
  • CryptQueryObject
Can create temporary files:
  • GetTempPathW
  • CreateFileW
  • CreateFileA
Memory manipulation functions often used by packers:
  • VirtualProtectEx
  • VirtualAllocEx
Leverages the raw socket API to access the Internet:
  • #14
  • #115
  • #116
  • #111
  • #23
  • #151
  • #18
  • #112
  • #16
  • #19
  • #2
  • #3
  • #4
  • #5
  • #6
  • #7
  • #9
  • #15
  • #21
  • WSAIoctl
  • getaddrinfo
  • freeaddrinfo
  • #17
  • #20
  • #1
  • #13
  • #10
  • #57
  • #8
Functions related to the privilege level:
  • AdjustTokenPrivileges
  • OpenProcessToken
Enumerates local disk drives:
  • GetDriveTypeW
Manipulates other processes:
  • OpenProcess
  • WriteProcessMemory
  • ReadProcessMemory
Interacts with the certificate store:
  • CertAddCertificateContextToStore
  • CertOpenStore
Malicious VirusTotal score: 11/68 (Scanned on 2018-12-03 19:44:23)
McAfee: Artemis!F7A78E1763BA
Cylance: Unsafe
Invincea: heuristic
Symantec: Trojan.Gen.9
Sophos: Mal/Generic-S
McAfee-GW-Edition: BehavesLike.Win64.BadFile.fh
Trapmine: malicious.moderate.ml.score
Microsoft: Trojan:Win32/Zpevdo.A
Rising: Trojan.Zpevdo!8.F912 (CLOUD)
Cybereason: malicious.6b8631
CrowdStrike: malicious_confidence_70% (W)

Hashes

MD5 f7a78e1763baf83357fa78521383e5bf
SHA1 e9015066b8631f7f3ff64dea5d720028e194d088
SHA256 21d9de9c380ea90d344f079277d1a0a64afbea35ae02dc3953288120e8b93d42
SHA3 c20aa17c63884642781dc00418e47c13ba6312dad3872f1d25ed303fc67d1755
SSDeep 24576:VLoXkLOT+XkSzpXGKMAcNaDxG9xDkb7wWxVrti8ni:loXQoyR12KMW099kbZVpw
Imports Hash 42dd141bab3b835eb6ab21c4ec3d0139

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0x108

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_AMD64
NumberofSections 5
TimeDateStamp 2018-Oct-19 18:20:03
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xf0
Characteristics IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Image Optional Header

Magic PE32+
LinkerVersion 14.0
SizeOfCode 0xb9600
SizeOfInitializedData 0x46000
SizeOfUninitializedData 0
AddressOfEntryPoint 0x0000000000047FE8 (Section: .text)
BaseOfCode 0x1000
ImageBase 0x140000000
SectionAlignment 0x1000
FileAlignment 0x200
OperatingSystemVersion 6.0
ImageVersion 0.0
SubsystemVersion 6.0
Win32VersionValue 0
SizeOfImage 0x103000
SizeOfHeaders 0x400
Checksum 0
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
DllCharacteristics IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
SizeofStackReserve 0x100000
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

.text

MD5 9f5c4e983850b0b3d90b5a12f25fd7c9
SHA1 f82ab2cbfe0d4826cfb063ac19176dba9a22d271
SHA256 a34d731bbb9fede3f346806b530ddcb9162f853f55585322b08345679c075bf6
SHA3 f08e55d48c6ec04cfcf0c4e09fc13079c6bc69d34badc63f8974979107191805
VirtualSize 0xb94c4
VirtualAddress 0x1000
SizeOfRawData 0xb9600
PointerToRawData 0x400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
Entropy 6.45382

.rdata

MD5 4ae56f11651571b5a0b75ebe12494713
SHA1 58bd7af217e15db563f6e4deccc3eb3254504f41
SHA256 b96a943aeb2c51a14b313bbb02d9b068c65ad33867ced80cb85b4045676aebfd
SHA3 4e15c40992bfbfb6aac102d9acdc328050ff715211db1cced7785c2075cdbef4
VirtualSize 0x385d6
VirtualAddress 0xbb000
SizeOfRawData 0x38600
PointerToRawData 0xb9a00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 5.29552

.data

MD5 a58f3f6dedfb1a553fe9f25cd7841d01
SHA1 77f33a3d1950e7764b3d7ee5a3c315c7f183648f
SHA256 3d66133ed499669184a24e50ba0b7721e39f089081aa3c8c3ada6e9032e05342
SHA3 c927ed45d1ade315eadc22dd8f4485a73eaa5b0cb3f86ecf33b9bd5da445402c
VirtualSize 0x487c
VirtualAddress 0xf4000
SizeOfRawData 0x1e00
PointerToRawData 0xf2000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 3.77946

.pdata

MD5 1e0fe896624dfe6f2d15b1cebf9a1c90
SHA1 7196a2b8e325a51e883b5853c638684efd6fd190
SHA256 7a414b2f4d150f6e4c56c4b024b7cbe8cf959fcfe31b83dd9a474701bf4db274
SHA3 6f30bb536e3c9d5c68ebba33f0dc7b7a9d226d04416a8cfbc9deb9bfac878ca1
VirtualSize 0x7ab8
VirtualAddress 0xf9000
SizeOfRawData 0x7c00
PointerToRawData 0xf3e00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 5.94034

.reloc

MD5 f718b68bc9f2d38a5b1303802b54fe16
SHA1 5895dbfbd4144835bb7d428f37d177f3ff8cf8c1
SHA256 b79b7787ab160f08261c06c588614d99dc0b9208c6d83a4a2b81603dd21f0ef8
SHA3 c83866669527c63cfb7e0f23e0b3715c5d6c063629d90bc198c6d336d39c2660
VirtualSize 0x1350
VirtualAddress 0x101000
SizeOfRawData 0x1400
PointerToRawData 0xfba00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Entropy 5.37204

Imports

ole32.dll CoInitialize
CoCreateInstance
CoUninitialize
CreateStreamOnHGlobal
KERNEL32.dll Thread32First
GetCurrentThreadId
GetCurrentProcessId
WaitForSingleObject
SuspendThread
GetExitCodeThread
TerminateThread
GetProcAddress
GetModuleHandleW
GetThreadTimes
OpenThread
GetModuleFileNameW
GetFileAttributesW
MultiByteToWideChar
LocalFree
WideCharToMultiByte
CreateActCtxW
WriteFile
GetTempPathW
CreateFileW
UnmapViewOfFile
DeleteFileW
GetTempFileNameW
CreateFileMappingW
ReleaseActCtx
MapViewOfFile
ActivateActCtx
GetEnvironmentVariableW
GetSystemDirectoryW
DeactivateActCtx
GetSystemWow64DirectoryW
Module32FirstW
GetCurrentDirectoryW
GetWindowsDirectoryW
DuplicateHandle
Sleep
ResetEvent
GetTickCount
DeviceIoControl
GetCurrentThread
ReadFile
CreateThread
OpenProcess
GetNativeSystemInfo
IsWow64Process
WriteProcessMemory
VirtualProtectEx
GetThreadContext
VirtualAllocEx
ReadProcessMemory
CreateRemoteThread
VirtualFreeEx
SetThreadContext
VirtualQueryEx
LoadLibraryW
FreeLibrary
GetSystemInfo
ExitThread
FileTimeToSystemTime
SystemTimeToTzSpecificLocalTime
GetFileInformationByHandle
GetDriveTypeW
GetSystemTimeAsFileTime
Wow64RevertWow64FsRedirection
Wow64DisableWow64FsRedirection
SetThreadExecutionState
ExitProcess
DeleteCriticalSection
DecodePointer
RaiseException
CloseHandle
lstrcpyA
GetLastError
Thread32Next
CreateToolhelp32Snapshot
QueryPerformanceCounter
ResumeThread
InitializeCriticalSection
LeaveCriticalSection
GetCurrentProcess
EnterCriticalSection
CreateNamedPipeW
LocalAlloc
GetSystemDefaultLocaleName
GetSystemTime
WaitForMultipleObjects
SetEvent
CreateEventA
GetStdHandle
GetStringTypeW
SetLastError
InitializeCriticalSectionAndSpinCount
CreateEventW
SwitchToThread
TlsAlloc
TlsGetValue
TlsSetValue
GetFileAttributesExW
EncodePointer
CompareStringW
LCMapStringW
GetLocaleInfoW
GetCPInfo
IsDebuggerPresent
OutputDebugStringW
WaitForSingleObjectEx
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsProcessorFeaturePresent
GetStartupInfoW
InitializeSListHead
RtlUnwindEx
RtlPcToFileHeader
LoadLibraryExW
GetModuleHandleExW
HeapReAlloc
HeapFree
HeapAlloc
GetFileType
IsValidLocale
GetUserDefaultLCID
EnumSystemLocalesW
GetTimeZoneInformation
HeapSize
FindClose
FindFirstFileExW
FindNextFileW
IsValidCodePage
GetACP
GetOEMCP
GetCommandLineA
GetCommandLineW
GetEnvironmentStringsW
FreeEnvironmentStringsW
SetEnvironmentVariableW
GetProcessHeap
SetStdHandle
FlushFileBuffers
GetConsoleCP
GetConsoleMode
SetFilePointerEx
WriteConsoleW
lstrcatA
lstrlenA
InitializeCriticalSectionEx
GetSystemPowerStatus
TerminateProcess
RtlUnwind
SetEndOfFile
ReadConsoleW
SleepEx
GetTickCount64
VerSetConditionMask
GetSystemDirectoryA
GetModuleHandleA
LoadLibraryA
VerifyVersionInfoA
ExpandEnvironmentStringsA
PeekNamedPipe
FormatMessageA
CreateFileA
GetFileSizeEx
GetModuleFileNameA
FreeLibraryAndExitThread
GetFullPathNameW
TlsFree
USER32.dll GetLastInputInfo
wsprintfA
wsprintfW
ADVAPI32.dll RegQueryValueExW
CryptGenRandom
CryptGetHashParam
CryptReleaseContext
CryptAcquireContextA
CryptHashData
CryptDestroyHash
CryptDestroyKey
CryptImportKey
CryptEncrypt
LookupPrivilegeValueW
AdjustTokenPrivileges
OpenProcessToken
RegOpenKeyExW
OpenThreadToken
CryptCreateHash
RegSetValueExW
RegCreateKeyW
ConvertStringSecurityDescriptorToSecurityDescriptorW
RegCloseKey
RegOpenKeyW
RegEnumValueW
SHLWAPI.dll StrStrIA
StrTrimA
StrChrA
SHDeleteKeyW
ntdll.dll RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
CRYPT32.dll CertCloseStore
CertFindCertificateInStore
CertFreeCertificateContext
CryptStringToBinaryA
CertAddCertificateContextToStore
CertGetNameStringA
CryptQueryObject
CertFreeCertificateChainEngine
CertGetCertificateChain
CertFreeCertificateChain
CertCreateCertificateChainEngine
CertOpenStore
Normaliz.dll IdnToAscii
WLDAP32.dll #26
#143
#46
#211
#60
#45
#50
#41
#22
#301
#27
#32
#33
#35
#79
#30
#200
WS2_32.dll #14
#115
#116
#111
#23
#151
#18
#112
#16
#19
#2
#3
#4
#5
#6
#7
#9
#15
#21
WSAIoctl
getaddrinfo
freeaddrinfo
#17
#20
#1
#13
#10
#57
#8

Delayed Imports

Version Info

IMAGE_DEBUG_TYPE_POGO

Characteristics 0
TimeDateStamp 2018-Oct-19 18:20:03
Version 0.0
SizeofData 908
AddressOfRawData 0xe5c54
PointerToRawData 0xe4654

TLS Callbacks

StartAddressOfRawData 0x1400e6000
EndAddressOfRawData 0x1400e6008
AddressOfIndex 0x1400f6938
AddressOfCallbacks 0x1400bb940
SizeOfZeroFill 0
Characteristics IMAGE_SCN_ALIGN_4BYTES
Callbacks (EMPTY)

Load Configuration

Size 0x100
TimeDateStamp 1970-Jan-01 00:00:00
Version 0.0
GlobalFlagsClear (EMPTY)
GlobalFlagsSet (EMPTY)
CriticalSectionDefaultTimeout 0
DeCommitFreeBlockThreshold 0
DeCommitTotalFreeThreshold 0
LockPrefixTable 0
MaximumAllocationSize 0
VirtualMemoryThreshold 0
ProcessAffinityMask 0
ProcessHeapFlags (EMPTY)
CSDVersion 0
Reserved1 0
EditList 0
SecurityCookie 0x1400f4180

RICH Header

XOR Key 0xee548e16
Unmarked objects 0
ASM objects (VS2015/2017 runtime 25711) 13
C++ objects (VS2015/2017 runtime 25711) 191
199 (41118) 8
ASM objects (VS 2015/2017 runtime 26706) 9
C++ objects (VS 2015/2017 runtime 26706) 68
C objects (VS2015/2017 runtime 25711) 20
C objects (VS 2015/2017 runtime 26706) 35
C objects (VS2017 v15.8.4 compiler 26729) 113
Imports (VS2015/2017 runtime 25711) 23
Total imports 295
265 (VS2017 v15.8.4 compiler 26729) 62
Linker (VS2017 v15.8.4 compiler 26729) 1

Errors