| Field | Value |
|---|---|
| Architecture | IMAGE_FILE_MACHINE_AMD64 |
| Subsystem | IMAGE_SUBSYSTEM_WINDOWS_CUI |
| Compilation Date | 1970-Jan-01 00:00:00 |
| Detected languages | English - United States |
| TLS Callbacks | 3 callback(s) detected. |
| CompanyName | Google Inc. |
| FileDescription | Google Chrome |
| FileVersion | 67.0.3396.62 |
| InternalName | chrome_exe |
| LegalCopyright | Copyright 2017 Google Inc. All rights reserved. |
| OriginalFilename | chrome.exe |
| ProductName | Google Chrome |
| ProductVersion | 67.0.3396.62 |
| CompanyShortName | |
| ProductShortName | Chrome |
| LastChange | babbbb5b433370f9a7feeb9f98a57599ad1c4676-refs/branch-heads/3396@{#702} |
| Official Build | 1 |

| Level | Finding | Details |
|---|---|---|
| Suspicious | Strings found in the binary may indicate undesirable behavior: | Contains references to internet browsers: |
| Info | Cryptographic algorithms detected in the binary: | Uses constants related to CRC32; Uses constants related to SHA256; Uses constants related to AES; Microsoft's Cryptography API |
| Suspicious | The PE is possibly packed. | Unusual section name found: .xdata |
| Suspicious | The PE contains functions most legitimate programs don't use. | [!] The program may be hiding some of its imports: |
| Malicious | The program tries to mislead users about its origins. | The PE pretends to be from Google but is not signed! |
| Malicious | VirusTotal score: 52/68 (Scanned on 2020-08-21 10:33:36) | 52 engine verdicts, listed in the table below |

| Engine | Verdict |
|---|---|
| Elastic | malicious (high confidence) |
| MicroWorld-eScan | Application.BitCoinMiner.IG |
| Qihoo-360 | Win64/Virus.RiskTool.f33 |
| Cylance | Unsafe |
| Zillya | Tool.BitCoinMiner.Win64.3 |
| Sangfor | Malware |
| Alibaba | RiskWare:Win32/Miners.a0bab468 |
| Cybereason | malicious.0dc5c0 |
| TrendMicro | TROJ_GEN.R002C0OHI20 |
| Cyren | W64/BitCoinMiner.D |
| Symantec | Linux.Coinminer |
| ESET-NOD32 | a variant of Win64/CoinMiner.U potentially unwanted |
| APEX | Malicious |
| Paloalto | generic.ml |
| ClamAV | Win.Trojan.Bitcoinminer-73 |
| Kaspersky | not-a-virus:RiskTool.Win64.BitCoinMiner.ju |
| BitDefender | Application.BitCoinMiner.IG |
| NANO-Antivirus | Riskware.Win64.Coinbit.fdvzhd |
| ViRobot | Adware.Bitcoinminer.525824 |
| Avast | Win32:Miner-BA [Trj] |
| Rising | Trojan.CoinMiner!1.A92B (C64:YzY0Ondx5mhM/lZm) |
| Ad-Aware | Application.BitCoinMiner.IG |
| Comodo | ApplicUnwnt@#yn0q6ufwrq37 |
| F-Secure | Heuristic.HEUR/AGEN.1135641 |
| DrWeb | Trojan.Coinbit.43 |
| VIPRE | Trojan.Win32.Generic!BT |
| Invincea | heuristic |
| FireEye | Generic.mg.ff317550dc5c0fef |
| Sophos | Internet Download Manager - Miner (PUA) |
| Ikarus | Gen.Application.Heur2 |
| Jiangmin | RiskTool.BitCoinMiner.eq |
| Avira | HEUR/AGEN.1135641 |
| Antiy-AVL | RiskWare[RiskTool]/Win64.BitCoinMiner |
| Microsoft | PUA:Win32/CoinMiner |
| Arcabit | Application.BitCoinMiner.IG |
| AegisLab | Riskware.Win64.BitCoinMiner.1!c |
| ZoneAlarm | not-a-virus:RiskTool.Win64.BitCoinMiner.ju |
| GData | Win32.Application.CoinMiner.X |
| Cynet | Malicious (score: 85) |
| AhnLab-V3 | Trojan/Win32.HDC.C582588 |
| Acronis | suspicious |
| McAfee | GenericRXAA-AA!FF317550DC5C |
| MAX | malware (ai score=99) |
| Malwarebytes | RiskWare.BitCoinMiner |
| TrendMicro-HouseCall | TROJ_GEN.R002C0OHI20 |
| Yandex | Riskware.BitCoinMiner! |
| SentinelOne | DFI - Suspicious PE |
| eGambit | Trojan.Generic |
| Fortinet | Riskware/BitCoinMiner |
| AVG | Win32:Miner-BA [Trj] |
| Panda | Trj/CI.A |
| CrowdStrike | win/malicious_confidence_60% (D) |
| DOS header field | Value |
|---|---|
| e_magic | MZ |
| e_cblp | 0x90 |
| e_cp | 0x3 |
| e_crlc | 0 |
| e_cparhdr | 0x4 |
| e_minalloc | 0 |
| e_maxalloc | 0xffff |
| e_ss | 0 |
| e_sp | 0xb8 |
| e_csum | 0 |
| e_ip | 0 |
| e_cs | 0 |
| e_ovno | 0 |
| e_oemid | 0 |
| e_oeminfo | 0 |
| e_lfanew | 0x80 |
| PE header field | Value |
|---|---|
| Signature | PE |
| Machine | IMAGE_FILE_MACHINE_AMD64 |
| NumberOfSections | 10 |
| TimeDateStamp | 1970-Jan-01 00:00:00 |
| PointerToSymbolTable | 0 |
| NumberOfSymbols | 0 |
| SizeOfOptionalHeader | 0xf0 |
| Characteristics | IMAGE_FILE_DEBUG_STRIPPED, IMAGE_FILE_EXECUTABLE_IMAGE, IMAGE_FILE_LARGE_ADDRESS_AWARE, IMAGE_FILE_LINE_NUMS_STRIPPED, IMAGE_FILE_LOCAL_SYMS_STRIPPED, IMAGE_FILE_RELOCS_STRIPPED |
| Optional header field | Value |
|---|---|
| Magic | PE32+ |
| LinkerVersion | 2.0 |
| SizeOfCode | 0x61000 |
| SizeOfInitializedData | 0x1f200 |
| SizeOfUninitializedData | 0x2400 |
| AddressOfEntryPoint | 0x0000000000001500 (Section: .text) |
| BaseOfCode | 0x1000 |
| ImageBase | 0x400000 |
| SectionAlignment | 0x1000 |
| FileAlignment | 0x200 |
| OperatingSystemVersion | 4.0 |
| ImageVersion | 0.0 |
| SubsystemVersion | 5.2 |
| Win32VersionValue | 0 |
| SizeOfImage | 0x89000 |
| SizeOfHeaders | 0x400 |
| Checksum | 0x86cc2 |
| Subsystem | IMAGE_SUBSYSTEM_WINDOWS_CUI |
| SizeOfStackReserve | 0xa00000 |
| SizeOfStackCommit | 0x1000 |
| SizeOfHeapReserve | 0x100000 |
| SizeOfHeapCommit | 0x1000 |
| LoaderFlags | 0 |
| NumberOfRvaAndSizes | 16 |
| Imported DLL | Functions |
|---|---|
| ADVAPI32.dll | CryptAcquireContextA, CryptCreateHash, CryptDestroyHash, CryptGetHashParam, CryptHashData, CryptReleaseContext |
| KERNEL32.dll | CloseHandle, CreateEventA, CreateSemaphoreA, DeleteCriticalSection, DuplicateHandle, EnterCriticalSection, ExpandEnvironmentStringsA, FormatMessageA, FreeLibrary, GetCurrentProcess, GetCurrentProcessId, GetCurrentThread, GetCurrentThreadId, GetFileType, GetHandleInformation, GetLastError, GetModuleFileNameW, GetProcAddress, GetProcessAffinityMask, GetStartupInfoA, GetStdHandle, GetSystemInfo, GetSystemTimeAsFileTime, GetThreadContext, GetThreadPriority, GetTickCount, GetTimeZoneInformation, GetVersionExA, InitializeCriticalSection, LeaveCriticalSection, LoadLibraryA, PeekNamedPipe, QueryPerformanceCounter, ReadFile, ReleaseSemaphore, ResetEvent, ResumeThread, RtlAddFunctionTable, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, SetCriticalSectionSpinCount, SetEvent, SetLastError, SetProcessAffinityMask, SetThreadContext, SetThreadPriority, SetUnhandledExceptionFilter, Sleep, SleepEx, SuspendThread, TerminateProcess, TlsAlloc, TlsGetValue, TlsSetValue, TryEnterCriticalSection, UnhandledExceptionFilter, VirtualAlloc, VirtualProtect, VirtualQuery, WaitForMultipleObjects, WaitForSingleObject |
| msvcrt.dll | __C_specific_handler, __argv, __dllonexit, __getmainargs, __initenv, __iob_func, __lconv_init, __set_app_type, __setusermatherr, _acmdln, _amsg_exit, _beginthreadex, _cexit, _endthreadex, _errno, _exit, _fmode, _fstat64, _ftime, _ftime64, _gmtime64, _initterm, _localtime64, _lock, _lseeki64, _onexit, _setjmp, _snwprintf, _stat64, _stricmp, _strnicmp, _sys_nerr, _time64, _unlock, _vsnprintf, abort, atoi, calloc, exit, fclose, feof, fflush, fgetc, fgets, fopen, fprintf, fputc, fread, free, fseek, fwprintf, fwrite, getenv, isalnum, isalpha, isgraph, islower, isprint, isspace, isupper, isxdigit, localeconv, malloc, mbstowcs, memchr, memcmp, memcpy, memmove, memset, printf, puts, qsort, raise, rand, realloc, setlocale, signal, sprintf, srand, sscanf, strcat, strchr, strcmp, strcpy, strerror, strlen, strncmp, strncpy, strrchr, strstr, strtok, strtol, strtoul, tolower, vfprintf, wcscpy, wcstombs, longjmp, _write, _strdup, _read, _open, _getpid, _close |
| USER32.dll | MessageBoxW |
| WLDAP32.dll | ber_free, ldap_err2string, ldap_first_attribute, ldap_first_entry, ldap_get_dn, ldap_get_values_len, ldap_init, ldap_memfree, ldap_msgfree, ldap_next_attribute, ldap_next_entry, ldap_search_s, ldap_set_option, ldap_simple_bind_s, ldap_sslinit, ldap_unbind_s, ldap_value_free_len |
| WS2_32.dll | WSACleanup, WSAGetLastError, WSAIoctl, WSASetLastError, WSAStartup, __WSAFDIsSet, accept, bind, closesocket, connect, freeaddrinfo, getaddrinfo, gethostname, getpeername, getsockname, getsockopt, htons, ioctlsocket, listen, ntohs, recv, recvfrom, select, send, sendto, setsockopt, socket |
| Version resource field | Value |
|---|---|
| Signature | 0xfeef04bd |
| StructVersion | 0x10000 |
| FileVersion | 67.0.3396.62 |
| ProductVersion | 67.0.3396.62 |
| FileFlags | (EMPTY) |
| FileOs | VOS_DOS_WINDOWS32, VOS_NT_WINDOWS32, VOS__WINDOWS32 |
| FileType | VFT_APP |
| Language | English - United States |
| CompanyName | Google Inc. |
| FileDescription | Google Chrome |
| FileVersion (#2) | 67.0.3396.62 |
| InternalName | chrome_exe |
| LegalCopyright | Copyright 2017 Google Inc. All rights reserved. |
| OriginalFilename | chrome.exe |
| ProductName | Google Chrome |
| ProductVersion (#2) | 67.0.3396.62 |
| CompanyShortName | |
| ProductShortName | Chrome |
| LastChange | babbbb5b433370f9a7feeb9f98a57599ad1c4676-refs/branch-heads/3396@{#702} |
| Official Build | 1 |
| Resource LangID | English - United States |
| TLS directory field | Value |
|---|---|
| StartAddressOfRawData | 0x485000 |
| EndAddressOfRawData | 0x485060 |
| AddressOfIndex | 0x48078c |
| AddressOfCallbacks | 0x484040 |
| SizeOfZeroFill | 0 |
| Characteristics | IMAGE_SCN_TYPE_REG |
| Callbacks | 0x000000000045AC80, 0x000000000045AC50, 0x0000000000456520 |