Field | Value |
---|---|
Architecture | IMAGE_FILE_MACHINE_I386 |
Subsystem | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date | 1992-Jun-19 22:22:17 |
Detected languages | English - United States, Russian - Russia |

Level | Finding | Details |
---|---|---|
Suspicious | The PE is possibly packed. | Unusual section name found: .itext |
Malicious | The PE contains functions mostly used by malware. | [!] The program may be hiding some of its imports: |
Suspicious | The PE header may have been manually modified. | The resource timestamps differ from the PE header: |
Suspicious | The file contains overlay data. | 585746 bytes of data starting at offset 0x62600. The overlay data has an entropy of 7.99764 and is possibly compressed or encrypted. |
Malicious | VirusTotal score: 48/67 (Scanned on 2019-08-12 21:56:06) | Per-engine detections are listed in the next table. |

Engine | Detection |
---|---|
MicroWorld-eScan | Trojan.GenericKD.41521576 |
CAT-QuickHeal | Trojan.Zebrocy |
Qihoo-360 | Win32/Trojan.cc1 |
McAfee | RDN/Generic.grp |
Cylance | Unsafe |
K7AntiVirus | Trojan ( 005546741 ) |
Alibaba | Trojan:Win32/Zebrocy.8df34ffe |
K7GW | Trojan ( 005546741 ) |
CrowdStrike | win/malicious_confidence_70% (W) |
Arcabit | Trojan.Generic.D27991A8 |
Cyren | W32/DelfInject.A.gen!Eldorado |
Symantec | ML.Attribute.HighConfidence |
ESET-NOD32 | Win32/Sednit.DH |
Paloalto | generic.ml |
GData | Trojan.GenericKD.41521576 |
Kaspersky | Trojan.Win32.Zebrocy.p |
BitDefender | Trojan.GenericKD.41521576 |
NANO-Antivirus | Trojan.Win32.Bifrose.iswp |
Avast | Win32:Trojan-gen |
Ad-Aware | Trojan.GenericKD.41521576 |
Sophos | Mal/Behav-328 |
F-Secure | Dropper.DR/Delphi.Gen |
DrWeb | Trojan.PWS.Stealer.26708 |
Invincea | heuristic |
McAfee-GW-Edition | BehavesLike.Win32.Pluto.dc |
Trapmine | malicious.moderate.ml.score |
FireEye | Generic.mg.ff03e53ccdf82e93 |
Emsisoft | Trojan.GenericKD.41521576 (B) |
Ikarus | Trojan.Win32.Buzus |
F-Prot | W32/DelfInject.A.gen!Eldorado |
Avira | DR/Delphi.Gen |
MAX | malware (ai score=100) |
Antiy-AVL | Trojan/Win32.Zebrocy |
Microsoft | VirTool:Win32/DelfInject.gen!BV |
AegisLab | Trojan.Win32.Zebrocy.4!c |
ZoneAlarm | Trojan.Win32.Zebrocy.p |
AhnLab-V3 | Trojan/Win32.Inject.C3371964 |
VBA32 | BScope.Trojan.Packed |
ALYac | Trojan.GenericKD.41521576 |
TACHYON | Trojan/W32.DP-Zebrocy.988690 |
Malwarebytes | Trojan.Sednit |
Yandex | Trojan.Zebrocy! |
SentinelOne | DFI - Suspicious PE |
Fortinet | W32/Injector.fam!tr |
AVG | Win32:Trojan-gen |
Cybereason | malicious.95e152 |
Panda | Trj/GdSda.A |
MaxSecure | Trojan.Malware.300983.susgen |
Field | Value |
---|---|
e_magic | MZ |
e_cblp | 0x50 |
e_cp | 0x2 |
e_crlc | 0 |
e_cparhdr | 0x4 |
e_minalloc | 0xf |
e_maxalloc | 0xffff |
e_ss | 0 |
e_sp | 0xb8 |
e_csum | 0 |
e_ip | 0 |
e_cs | 0 |
e_ovno | 0x1a |
e_oemid | 0 |
e_oeminfo | 0 |
e_lfanew | 0x100 |
Field | Value |
---|---|
Signature | PE |
Machine | IMAGE_FILE_MACHINE_I386 |
NumberOfSections | 9 |
TimeDateStamp | 1992-Jun-19 22:22:17 |
PointerToSymbolTable | 0 |
NumberOfSymbols | 0 |
SizeOfOptionalHeader | 0xe0 |
Characteristics | IMAGE_FILE_32BIT_MACHINE, IMAGE_FILE_BYTES_REVERSED_HI, IMAGE_FILE_BYTES_REVERSED_LO, IMAGE_FILE_EXECUTABLE_IMAGE, IMAGE_FILE_LINE_NUMS_STRIPPED, IMAGE_FILE_LOCAL_SYMS_STRIPPED |
Field | Value |
---|---|
Magic | PE32 |
LinkerVersion | 2.0 |
SizeOfCode | 0x54200 |
SizeOfInitializedData | 0xe000 |
SizeOfUninitializedData | 0 |
AddressOfEntryPoint | 0x000556D8 (Section: .itext) |
BaseOfCode | 0x1000 |
BaseOfData | 0x56000 |
ImageBase | 0x400000 |
SectionAlignment | 0x1000 |
FileAlignment | 0x200 |
OperatingSystemVersion | 4.0 |
ImageVersion | 0.0 |
SubsystemVersion | 4.0 |
Win32VersionValue | 0 |
SizeOfImage | 0x6c000 |
SizeOfHeaders | 0x400 |
Checksum | 0 |
Subsystem | IMAGE_SUBSYSTEM_WINDOWS_GUI |
SizeOfStackReserve | 0x100000 |
SizeOfStackCommit | 0x4000 |
SizeOfHeapReserve | 0x100000 |
SizeOfHeapCommit | 0x1000 |
LoaderFlags | 0 |
NumberOfRvaAndSizes | 16 |
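The overlay finding in the summary and the header values in the tables above can be reproduced without a PE library. The Python below is an added example, not output or code from the report tool: it walks the DOS, COFF and optional headers, finds which section holds AddressOfEntryPoint, treats everything past the last section's raw data as overlay, and measures the overlay's entropy. Two caveats the report does not state: 1992-06-19 22:22:17 is 0x2A425E19, the constant TimeDateStamp older Borland/Delphi linkers write into every binary, so it is not a real compilation date and a resource timestamp that disagrees with it is expected for a Delphi binary; and .itext is a normal Delphi section name. The 585746-byte overlay at entropy 7.998 is the finding that actually points at an appended compressed or encrypted payload. The PE produced by build_sample() is constructed here (three sections, synthetic overlay) and is not the analysed file.

```python
import math
import struct
from datetime import datetime, timezone

# Fixed TimeDateStamp written by older Borland/Delphi linkers:
# 0x2A425E19 == 1992-06-19 22:22:17 UTC, the value shown in the report above.
DELPHI_DEFAULT_STAMP = 0x2A425E19


def shannon_entropy(buf):
    """Bits per byte, 0.0 .. 8.0; values near 8.0 mean compressed or encrypted data."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(data):
    """Walk DOS header -> PE signature -> COFF header -> optional header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, stamp, _, _, opt_size, characteristics = struct.unpack_from(
        "<HHIIIHH", data, coff)
    opt = coff + 20
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]   # AddressOfEntryPoint
    sections = []
    for i in range(nsections):
        name, vsize, va, rawsize, rawptr = struct.unpack_from(
            "<8sIIII", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "va": va, "vsize": vsize, "raw": rawptr, "rawsize": rawsize})
    return {"machine": machine, "stamp": stamp, "characteristics": characteristics,
            "entry_rva": entry_rva, "sections": sections}


def section_for_rva(sections, rva):
    for s in sections:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
            return s["name"]
    return None


def overlay_bounds(data, sections):
    """Overlay = bytes past the end of the last section's raw data; the loader never maps them."""
    end = max((s["raw"] + s["rawsize"] for s in sections if s["rawsize"]), default=0)
    return (end, len(data) - end) if len(data) > end else (end, 0)


def analyze(data):
    pe = parse_pe(data)
    off, size = overlay_bounds(data, pe["sections"])
    when = datetime.fromtimestamp(pe["stamp"], tz=timezone.utc)
    return {
        "machine": pe["machine"],
        "timestamp": when.strftime("%Y-%m-%d %H:%M:%S UTC"),
        "delphi_default_stamp": pe["stamp"] == DELPHI_DEFAULT_STAMP,
        "entry_section": section_for_rva(pe["sections"], pe["entry_rva"]),
        "overlay_offset": off,
        "overlay_size": size,
        "overlay_entropy": shannon_entropy(data[off:]) if size else 0.0,
    }


def build_sample():
    """Constructed stand-in for the analysed file (not the real sample): Delphi-style
    layout, three sections, entry point inside .itext, maximum-entropy blob appended."""
    hdr = bytearray(0x400)                                  # SizeOfHeaders
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x100)                # e_lfanew, as in the report
    pe = 0x100
    hdr[pe:pe + 4] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", hdr, pe + 4, 0x14C, 3, DELPHI_DEFAULT_STAMP, 0, 0, 0xE0, 0x102)
    opt = pe + 24
    struct.pack_into("<H", hdr, opt, 0x10B)                 # PE32 magic
    struct.pack_into("<I", hdr, opt + 16, 0x2010)           # AddressOfEntryPoint -> .itext
    struct.pack_into("<I", hdr, opt + 28, 0x400000)         # ImageBase
    struct.pack_into("<II", hdr, opt + 32, 0x1000, 0x200)   # SectionAlignment, FileAlignment
    struct.pack_into("<II", hdr, opt + 56, 0x4000, 0x400)   # SizeOfImage, SizeOfHeaders
    struct.pack_into("<H", hdr, opt + 68, 2)                # IMAGE_SUBSYSTEM_WINDOWS_GUI
    struct.pack_into("<I", hdr, opt + 92, 16)               # NumberOfRvaAndSizes
    layout = [(b".text", 0x1000, 0x400), (b".itext", 0x2000, 0x600), (b".data", 0x3000, 0x800)]
    for i, (name, va, raw) in enumerate(layout):
        struct.pack_into("<8sIIIIIIHHI", hdr, opt + 0xE0 + 40 * i,
                         name, 0x1000, va, 0x200, raw, 0, 0, 0, 0, 0x60000020)
    body = b"\xCC" * (0x200 * len(layout))                  # section contents, irrelevant here
    overlay = bytes(range(256)) * 256                       # every byte value equally often -> 8.0 bits
    return bytes(hdr) + body + overlay


if __name__ == "__main__":
    for key, value in analyze(build_sample()).items():
        print(f"{key}: {value:#x}" if type(value) is int else f"{key}: {value}")
```

Run against a real file with `analyze(open(path, "rb").read())`; for the report's sample the overlay offset should come out as 0x62600, i.e. PointerToRawData + SizeOfRawData of the last of its nine sections, and the entropy near 7.998.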
DLL | Imported functions |
---|---|
oleaut32.dll | SysFreeString, SysReAllocStringLen, SysAllocStringLen |
advapi32.dll | RegQueryValueExA, RegOpenKeyExA, RegCloseKey |
user32.dll | GetKeyboardType, DestroyWindow, LoadStringA, MessageBoxA, CharNextA |
kernel32.dll | GetACP, Sleep, VirtualFree, VirtualAlloc, GetTickCount, QueryPerformanceCounter, GetCurrentThreadId, InterlockedDecrement, InterlockedIncrement, VirtualQuery, WideCharToMultiByte, MultiByteToWideChar, lstrlenA, lstrcpynA, LoadLibraryExA, GetThreadLocale, GetStartupInfoA, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetCommandLineA, FreeLibrary, FindFirstFileA, FindClose, ExitProcess, CompareStringA, WriteFile, UnhandledExceptionFilter, RtlUnwind, RaiseException, GetStdHandle |
kernel32.dll (#2) | identical to the first kernel32.dll descriptor (same 32 functions) |
user32.dll (#2) | identical to the first user32.dll descriptor (same 5 functions) |
gdi32.dll | UnrealizeObject, StretchBlt, SetWindowOrgEx, SetViewportOrgEx, SetTextColor, SetStretchBltMode, SetROP2, SetPixel, SetDIBColorTable, SetBrushOrgEx, SetBkMode, SetBkColor, SelectPalette, SelectObject, SaveDC, RestoreDC, RectVisible, RealizePalette, PatBlt, MoveToEx, MaskBlt, LineTo, IntersectClipRect, GetWindowOrgEx, GetTextMetricsA, GetTextExtentPoint32A, GetSystemPaletteEntries, GetStockObject, GetRgnBox, GetPixel, GetPaletteEntries, GetObjectA, GetDeviceCaps, GetDIBits, GetDIBColorTable, GetDCOrgEx, GetCurrentPositionEx, GetClipBox, GetBrushOrgEx, GetBitmapBits, ExcludeClipRect, DeleteObject, DeleteDC, CreateSolidBrush, CreatePenIndirect, CreatePalette, CreateHalftonePalette, CreateFontIndirectA, CreateDIBitmap, CreateDIBSection, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, BitBlt |
version.dll | VerQueryValueA, GetFileVersionInfoSizeA, GetFileVersionInfoA |
kernel32.dll (#3) | identical to the first kernel32.dll descriptor (same 32 functions) |
advapi32.dll (#2) | identical to the first advapi32.dll descriptor (same 3 functions) |
kernel32.dll (#4) | identical to the first kernel32.dll descriptor (same 32 functions) |
oleaut32.dll (#2) | identical to the first oleaut32.dll descriptor (same 3 functions) |
comctl32.dll | _TrackMouseEvent, ImageList_SetIconSize, ImageList_GetIconSize, ImageList_Write, ImageList_Read, ImageList_DragShowNolock, ImageList_DragMove, ImageList_DragLeave, ImageList_DragEnter, ImageList_EndDrag, ImageList_BeginDrag, ImageList_Remove, ImageList_DrawEx, ImageList_Draw, ImageList_GetBkColor, ImageList_SetBkColor, ImageList_Add, ImageList_GetImageCount, ImageList_Destroy, ImageList_Create |
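kernel32.dll, user32.dll, advapi32.dll and oleaut32.dll each appear more than once above because Delphi's linker writes a separate IMAGE_IMPORT_DESCRIPTOR for every unit that declares externals from a DLL, so a parser that keys on DLL name has to merge descriptors rather than assume one per library. The Python below is an added example, not code from the report tool: it lays out a constructed import directory shaped like the one above, parses it descriptor by descriptor (INT first, IAT as fallback, ordinal thunks handled), merges the repeats while counting them, and tests for the GetProcAddress plus LoadLibrary* pair that lets a binary resolve APIs the static import table never names, which is the capability a "may be hiding some of its imports" finding points at. That pair is also present in ordinary Delphi runtime code, so on its own it is a weak signal. IDATA_RVA and SAMPLE_TABLE are constructed values, not taken from the analysed file.

```python
import struct

# Constructed RVA for the section holding the import directory; the report's
# BaseOfData is 0x56000, so the real file's import data lies somewhere past that.
IDATA_RVA = 0x56000

# Constructed descriptor list modelled on the report: kernel32.dll repeats because
# Delphi emits one IMAGE_IMPORT_DESCRIPTOR per unit that imports from the DLL.
SAMPLE_TABLE = [
    ("kernel32.dll", ["GetProcAddress", "LoadLibraryExA", "VirtualAlloc", "GetModuleHandleA"]),
    ("advapi32.dll", ["RegOpenKeyExA", "RegQueryValueExA", "RegCloseKey"]),
    ("kernel32.dll", ["GetProcAddress", "LoadLibraryExA", "VirtualAlloc", "GetModuleHandleA"]),
    ("kernel32.dll", ["Sleep", "ExitProcess"]),
]


def build_import_blob(table, base_rva=IDATA_RVA):
    """Lay out descriptors, DLL names, hint/name entries, INT and IAT the way a
    linker would, with every pointer expressed as an RVA relative to base_rva."""
    blob = bytearray(20 * (len(table) + 1))        # descriptor array + all-zero terminator
    descs = []
    for dll, funcs in table:
        name_rva = base_rva + len(blob)
        blob += dll.encode() + b"\0"
        entries = []
        for f in funcs:
            if len(blob) % 2:
                blob += b"\0"                      # IMAGE_IMPORT_BY_NAME is WORD-aligned
            entries.append(base_rva + len(blob))
            blob += struct.pack("<H", 0) + f.encode() + b"\0"   # Hint, then Name
        while len(blob) % 4:
            blob += b"\0"
        int_rva = base_rva + len(blob)             # OriginalFirstThunk (INT)
        blob += b"".join(struct.pack("<I", e) for e in entries) + b"\0\0\0\0"
        iat_rva = base_rva + len(blob)             # FirstThunk (IAT); left zero here,
        blob += bytes(4 * (len(entries) + 1))      # linkers usually copy the INT into it
        descs.append((int_rva, 0, 0, name_rva, iat_rva))
    for i, d in enumerate(descs):
        struct.pack_into("<IIIII", blob, 20 * i, *d)
    return bytes(blob)


def read_cstring(buf, off):
    return buf[off:buf.index(b"\0", off)].decode("ascii", "replace")


def parse_imports(blob, dir_rva, rva_to_off):
    """Return one (dll, [functions]) tuple per descriptor, in file order."""
    out = []
    off = rva_to_off(dir_rva)
    while True:
        oft, _stamp, _fwd, name_rva, ft = struct.unpack_from("<IIIII", blob, off)
        if not (oft or name_rva or ft):
            break                                  # all-zero terminator
        funcs = []
        toff = rva_to_off(oft or ft)               # INT preferred; IAT if the INT is absent
        while True:
            thunk = struct.unpack_from("<I", blob, toff)[0]
            if thunk == 0:
                break
            if thunk & 0x80000000:                 # IMAGE_ORDINAL_FLAG32
                funcs.append("#%d" % (thunk & 0xFFFF))
            else:
                funcs.append(read_cstring(blob, rva_to_off(thunk) + 2))   # skip the Hint
            toff += 4
        out.append((read_cstring(blob, rva_to_off(name_rva)), funcs))
        off += 20
    return out


def merge_descriptors(descs):
    """Collapse repeated descriptors for one DLL, keeping a count of how many there were."""
    merged = {}
    for dll, funcs in descs:
        entry = merged.setdefault(dll.lower(), {"descriptors": 0, "functions": []})
        entry["descriptors"] += 1
        for f in funcs:
            if f not in entry["functions"]:
                entry["functions"].append(f)
    return merged


def can_resolve_imports_at_runtime(merged):
    """GetProcAddress plus any LoadLibrary* means the static table may be incomplete."""
    k32 = merged.get("kernel32.dll", {}).get("functions", [])
    return "GetProcAddress" in k32 and any(f.startswith("LoadLibrary") for f in k32)


if __name__ == "__main__":
    blob = build_import_blob(SAMPLE_TABLE)
    merged = merge_descriptors(parse_imports(blob, IDATA_RVA, lambda rva: rva - IDATA_RVA))
    for dll, e in merged.items():
        print(f"{dll}: {e['descriptors']} descriptor(s), {len(e['functions'])} functions")
    print("can resolve imports at runtime:", can_resolve_imports_at_runtime(merged))
```

On a real file, rva_to_off is the section-table lookup from the header parser (RVA minus the containing section's VirtualAddress plus its PointerToRawData) and dir_rva comes from data directory entry 1 of the optional header.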
No help found for %s |
No context-sensitive help installed |
No help found for context |
No topic-based help system installed |
Up |
Right |
Down |
Ins |
Del |
Shift+ |
Ctrl+ |
Alt+ |
Clipboard does not support Icons |
Menu '%s' is already being used by another form |
Docked control must have a name |
Error removing control from dock tree |
- Dock zone not found |
- Dock zone has no control |
Error loading dock zone from the stream. Expecting version %d, but found %d. |
Unable to find a Table of Contents |
&Abort |
&Retry |
&Ignore |
&All |
N&o to All |
Yes to &All |
BkSp |
Tab |
Esc |
Enter |
Space |
PgUp |
PgDn |
End |
Home |
Left |
Menu inserted twice |
Sub-menu is not in menu |
Not enough timers available |
GroupIndex cannot be less than a previous menu item's GroupIndex |
Cannot create form. No MDI forms are currently active |
A control cannot have itself as its parent |
Cannot drag a form |
Warning |
Error |
Information |
Confirm |
&Yes |
&No |
OK |
Cancel |
&Help |
Unsupported clipboard format |
Out of system resources |
Canvas does not allow drawing |
Invalid image size |
Invalid ImageList |
Invalid ImageList Index |
Failed to read ImageList data from stream |
Failed to write ImageList data to stream |
Error creating window device context |
Error creating window class |
Cannot focus a disabled or invisible window |
Control '%s' has no parent window |
Cannot hide an MDI Child Form |
Cannot change Visible in OnShow or OnHide |
Cannot make a visible window modal |
Menu index out of range |
Error reading %s%s%s: %s |
Stream read error |
Property is read-only |
Failed to get data for '%s' |
Resource %s not found |
%s.Seek not implemented |
Operation not allowed on sorted list |
%s not in a class registration group |
Property %s does not exist |
Stream write error |
Invalid buffer size for decryption |
Stream read error |
Stream write error |
Bitmap image is not valid |
Icon image is not valid |
Cannot change the size of an icon |
Class %s not found |
A class named %s already exists |
List does not allow duplicates ($0%x) |
A component named %s already exists |
String list does not allow duplicates |
Cannot create file "%s". %s |
Cannot open file "%s". %s |
Invalid stream format |
''%s'' is not a valid component name |
Invalid property path |
Invalid property value |
Invalid data type for '%s' |
List capacity out of bounds (%d) |
List count out of bounds (%d) |
List index out of bounds (%d) |
Out of memory while expanding memory stream |
Wed |
Thu |
Fri |
Sat |
Sunday |
Monday |
Tuesday |
Wednesday |
Thursday |
Friday |
Saturday |
Ancestor for '%s' not found |
Cannot assign a %s to a %s |
Bits index out of range |
Can't write to a read-only resource stream |
CheckSynchronize called from thread $%x, which is NOT the main thread |
Dec |
January |
February |
March |
April |
May |
June |
July |
August |
September |
October |
November |
December |
Sun |
Mon |
Tue |
%s (%s, line %d) |
Abstract Error |
Access violation at address %p in module '%s'. %s of address %p |
System Error. Code: %d. |
%s |
A call to an OS function failed |
Jan |
Feb |
Mar |
Apr |
May |
Jun |
Jul |
Aug |
Sep |
Oct |
Nov |
Variant or safe array index out of bounds |
Variant or safe array is locked |
Invalid variant type conversion |
Invalid variant operation |
Invalid variant operation (%s%.8x) |
%s |
Could not convert variant of type (%s) into type (%s) |
Overflow while converting variant of type (%s) into type (%s) |
Variant overflow |
Invalid argument |
Invalid variant type |
Operation not supported |
Unexpected variant error |
External exception %x |
Assertion failed |
Interface not supported |
Exception in safecall method |
Floating point underflow |
Invalid pointer operation |
Invalid class typecast |
Access violation at address %p. %s of address %p |
Access violation |
Stack overflow |
Control-C hit |
Privileged instruction |
Exception %s in module %s at %p. |
%s%s |
Application Error |
Format '%s' invalid or incompatible with argument |
No argument for format '%s' |
Variant method calls not supported |
Read |
Write |
Error creating variant or safe array |
'%s' is not a valid integer value |
Out of memory |
I/O error %d |
File not found |
Invalid filename |
Too many open files |
File access denied |
Read beyond end of file |
Disk full |
Invalid numeric input |
Division by zero |
Range check error |
Integer overflow |
Invalid floating point operation |
Floating point division by zero |
Floating point overflow |
Field | Value |
---|---|
StartAddressOfRawData | 0x460000 |
EndAddressOfRawData | 0x460034 |
AddressOfIndex | 0x45678c |
AddressOfCallbacks | 0x461010 |
SizeOfZeroFill | 0 |
Characteristics | IMAGE_SCN_TYPE_REG |
Callbacks | (EMPTY) |
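The TLS directory above is the other place a PE can run code before AddressOfEntryPoint: the loader calls every entry in AddressOfCallbacks before the entry point, which makes TLS callbacks a common anti-debugging and unpacking location. Here the callback list is empty, the normal state for a Delphi binary, whose TLS directory exists to back threadvar storage; the stock Delphi RTL/VCL resource strings listed above are consistent with that runtime. The Python below is an added example, not code from the report tool: it decodes IMAGE_TLS_DIRECTORY32, rebases its VA fields against ImageBase 0x400000 (the four address fields are VAs, not RVAs), walks the NULL-terminated callback list and rejects any address outside SizeOfImage. build_image() fabricates a mapped image carrying the report's field values; TLS_DIR_RVA and the callback addresses are constructed.

```python
import struct

IMAGE_BASE = 0x400000      # ImageBase from the optional header above
SIZE_OF_IMAGE = 0x6C000    # SizeOfImage from the optional header above
TLS_DIR_RVA = 0x60040      # constructed: where this example places the 24-byte directory


def parse_tls32(image, tls_dir_rva, image_base=IMAGE_BASE):
    """Decode IMAGE_TLS_DIRECTORY32 from a mapped image and walk its callback array."""
    start_va, end_va, index_va, callbacks_va, zero_fill, chars = struct.unpack_from(
        "<IIIIII", image, tls_dir_rva)

    def to_rva(va):
        if not image_base <= va < image_base + len(image):
            raise ValueError(f"VA {va:#x} lies outside the mapped image")
        return va - image_base

    callbacks = []
    if callbacks_va:
        off = to_rva(callbacks_va)
        while True:
            va = struct.unpack_from("<I", image, off)[0]
            if va == 0:                            # NULL-terminated PIMAGE_TLS_CALLBACK list
                break
            callbacks.append(va)
            off += 4
    return {
        "template_rva": to_rva(start_va),          # initial threadvar image
        "template_size": end_va - start_va,
        "index_rva": to_rva(index_va),             # where the loader stores the TLS slot index
        "zero_fill": zero_fill,
        "characteristics": chars,
        "callbacks": callbacks,
        "callback_rvas": [to_rva(va) for va in callbacks],
        "runs_before_entry_point": bool(callbacks),
    }


def build_image(callback_vas, callbacks_va=0x461010):
    """Constructed mapped image with the report's TLS field values plus an optional
    callback list; the all-zero bytearray supplies the list terminator."""
    image = bytearray(SIZE_OF_IMAGE)
    struct.pack_into("<IIIIII", image, TLS_DIR_RVA,
                     0x460000, 0x460034, 0x45678C, callbacks_va, 0, 0)
    for i, va in enumerate(callback_vas):
        struct.pack_into("<I", image, callbacks_va - IMAGE_BASE + 4 * i, va)
    return image


if __name__ == "__main__":
    for label, cbs in (("report layout", []), ("with callbacks", [0x4011F0, 0x401230])):
        info = parse_tls32(build_image(cbs), TLS_DIR_RVA)
        print(label, "->", [hex(v) for v in info["callbacks"]],
              "runs before entry point:", info["runs_before_entry_point"])
```

On a real file the directory's RVA comes from data directory entry 9 of the optional header, and a non-empty callback list is worth disassembling before the code at AddressOfEntryPoint.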