0b044d8b7dcbf25b42f8ab93775ac942

Summary

Architecture IMAGE_FILE_MACHINE_I386
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date 2004-Aug-04 06:01:37
Detected languages Chinese - PRC
CompanyName Microsoft Corporation
FileDescription Win32 Cabinet Self-Extractor
FileVersion 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
InternalName Wextract
LegalCopyright (C) Microsoft Corporation. All rights reserved.
OriginalFilename WEXTRACT.EXE
ProductName Microsoft(R) Windows(R) Operating System
ProductVersion 6.00.2900.2180

Plugin Output

Suspicious PEiD Signature: ASProtect SKE 2.3 -> Alexey Solodovnikov (h)
PEiD Signature: ASPack v2.12
Suspicious The PE is packed with Aspack or Armadillo
Unusual section name found: (empty name; Section_1 below)
Section (unnamed, Section_1) is both writable and executable.
Unusual section name found: (empty name; Section_2 below)
Section (unnamed, Section_2) is both writable and executable.
Section .rsrc is both writable and executable.
Section .data is both writable and executable.
Unusual section name found: .adata
Section .adata is both writable and executable.
The PE only has 5 import(s).
Info The PE contains common functions which appear in legitimate applications.
[!] The program may be hiding some of its imports (dynamic resolution via):
  • GetProcAddress
  • LoadLibraryA
Malicious VirusTotal score: 59/72 (Scanned on 2020-07-10 13:43:42)
Bkav: W32.AIDetectVM.malware2
ClamAV: Win.Packed.Nsanti-6971682-0
FireEye: Generic.mg.0b044d8b7dcbf25b
Qihoo-360: Win32/Backdoor.Hupigon.653
McAfee: Artemis!0B044D8B7DCB
Cylance: Unsafe
Zillya: Backdoor.Hupigon.Win32.64463
Sangfor: Malware
K7AntiVirus: Trojan ( 005376ae1 )
Alibaba: Backdoor:Win32/Hupigon.95644e7f
K7GW: Trojan ( 005376ae1 )
CrowdStrike: win/malicious_confidence_100% (D)
TrendMicro: Mal_Pai-6
F-Prot: W32/Hupigon.G.gen!Eldorado
Symantec: ML.Attribute.HighConfidence
APEX: Malicious
Cynet: Malicious (score: 100)
Kaspersky: Packed.Win32.Black.d
BitDefender: Backdoor.Hupigon.AYPE
NANO-Antivirus: Trojan.Win32.Hupigon.iziz
AegisLab: Trojan.Win32.Hupigon.lriU
MicroWorld-eScan: Backdoor.Hupigon.AYPE
Avast: Win32:Trojan-gen
Tencent: Win32.Packed.Black.Eem
Endgame: malicious (high confidence)
Sophos: Mal/Behav-270
Comodo: Backdoor@#1fceyh6mfcbvn
F-Secure: Trojan.TR/Dropper.Gen
DrWeb: BackDoor.Pigeon.5402
VIPRE: Trojan.Win32.Generic!BT
Invincea: heuristic
Trapmine: malicious.high.ml.score
Emsisoft: Backdoor.Hupigon.AYPE (B)
Ikarus: Virus.Win32.Oliga
Cyren: W32/Hupigon.G.gen!Eldorado
Jiangmin: Backdoor/Huigezi.2008.fav
Avira: TR/Dropper.Gen
Fortinet: W32/Hupigon.GE!tr.bdr
Arcabit: Backdoor.Hupigon.AYPE
ViRobot: Backdoor.Win32.Hupigon.706048.P
ZoneAlarm: Packed.Win32.Black.d
Microsoft: Backdoor:Win32/Hupigon.FI
AhnLab-V3: Win-Trojan/Hupigon3.Gen
Acronis: suspicious
BitDefenderTheta: AI:Packer.59313CE81D
ALYac: Backdoor.Hupigon.AYPE
MAX: malware (ai score=100)
VBA32: Trojan-Dropper.Kaos
ESET-NOD32: Win32/Packed.ASProtect.AAC
TrendMicro-HouseCall: Mal_Pai-6
Rising: Backdoor.Gpegion!1.6634 (CLOUD)
Yandex: Backdoor.Hupigon!oWYBtbdb8fU
TACHYON: Backdoor/W32.Hupigon.704000.DF
eGambit: Unsafe.AI_Score_100%
GData: Backdoor.Hupigon.AYPE
Ad-Aware: Backdoor.Hupigon.AYPE
AVG: Win32:Trojan-gen
Cybereason: malicious.b7dcbf
Panda: Trj/CI.A
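The section-level findings above are what a triage script checks before any detonation: every section is readable, writable and executable; two sections have no name at all; the entry point (0x60000) does not fall in the first section (VirtualAddress 0x1000, matching BaseOfCode) but in the second unnamed one, and the first section has SizeOfRawData 0, so it occupies 0x5f000 bytes of address space with nothing on disk. That is the usual layout of a protected binary: a stub in a high section with near-maximal entropy (7.999) unpacks the original image into an empty section at run time, and resolves the real import table itself, which is why the static import table is down to GetProcAddress/LoadLibraryA/GetModuleHandleA and one oleaut32 entry. The Microsoft WEXTRACT.EXE version resource is copied into the file and proves nothing about provenance; only a verified signature would. The script below is an added example, not output of the tool that produced this report; it rebuilds a header-only PE from the field values listed on this page (section bodies are omitted, so entropy is not recomputed), parses the section table with only the standard library, and reproduces the RWX / unnamed / zero-raw-size / entry-point checks.

```python
"""Header-only PE section triage mirroring the packer checks in the report."""
import calendar
import struct

IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
RWX = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE

# Section table copied from the report above:
# (name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData)
SAMPLE_SECTIONS = [
    ("",       0x5f000, 0x001000, 0x00000, 0x00000),
    ("",       0x5f000, 0x060000, 0x5cc00, 0x00400),
    (".rsrc",  0x01000, 0x0bf000, 0x00200, 0x5d000),
    (".data",  0x4f000, 0x0c0000, 0x4ec00, 0x5d200),
    (".adata", 0x01000, 0x10f000, 0x00000, 0xabe00),
]


def build_sample_pe() -> bytes:
    """Constructed stand-in for the sample: DOS header, COFF/optional header and
    section table with the values from the report, padded to SizeOfHeaders
    (0x400). No section bodies are included, so only header checks apply."""
    dos = bytearray(0xd0)                      # e_lfanew = 0xd0, as on the page
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3c, 0xd0)
    coff = struct.pack("<HHIIIHH",
                       0x14c,                                    # IMAGE_FILE_MACHINE_I386
                       len(SAMPLE_SECTIONS),
                       calendar.timegm((2004, 8, 4, 6, 1, 37)),  # TimeDateStamp (assumed UTC)
                       0, 0,                                     # no COFF symbol table
                       0xe0,                                     # SizeOfOptionalHeader
                       0x10f)                                    # 32BIT|EXEC|LINE_NUMS|LOCAL_SYMS|RELOCS_STRIPPED
    opt = struct.pack("<HBB9I6H4I2H6I",
                      0x10b, 7, 1,                               # PE32, linker 7.1
                      0x9a00, 0x52c00, 0, 0x60000,               # code/data sizes, AddressOfEntryPoint
                      0x1000, 0xb000, 0x1000000, 0x1000, 0x200,  # BaseOfCode/Data, ImageBase, alignments
                      5, 1, 5, 1, 4, 0,                          # OS / image / subsystem versions
                      0, 0x110000, 0x400, 0x5eaf1,               # Win32VersionValue, SizeOfImage, SizeOfHeaders, CheckSum
                      2, 0x8400,                                 # WINDOWS_GUI, NO_SEH|TERMINAL_SERVER_AWARE
                      0x40000, 0x1000, 0x100000, 0x1000, 0, 16)  # stack/heap, LoaderFlags, NumberOfRvaAndSizes
    opt += bytes(16 * 8)                       # 16 empty data directories
    table = b"".join(
        struct.pack("<8s6I2HI", name.encode("ascii"), vsize, va, raw, ptr, 0, 0, 0, 0, RWX)
        for name, vsize, va, raw, ptr in SAMPLE_SECTIONS)
    return (bytes(dos) + b"PE\0\0" + coff + opt + table).ljust(0x400, b"\0")


def parse_sections(pe: bytes):
    """Return (AddressOfEntryPoint, [section dicts]) from a PE32/PE32+ image."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3c)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    opt_off = e_lfanew + 24
    entry = struct.unpack_from("<I", pe, opt_off + 16)[0]  # same offset in PE32 and PE32+
    sections = []
    for i in range(nsec):
        raw_name, vsize, va, raw, ptr, _, _, _, _, chars = struct.unpack_from(
            "<8s6I2HI", pe, opt_off + opt_size + 40 * i)
        sections.append({"index": i + 1,
                         "name": raw_name.rstrip(b"\0").decode("ascii", "replace"),
                         "vsize": vsize, "va": va, "raw": raw, "ptr": ptr, "chars": chars})
    return entry, sections


def triage(pe: bytes) -> dict:
    """Apply the report's section heuristics and locate the entry point."""
    entry, sections = parse_sections(pe)
    out = {"rwx": [], "unnamed": [], "zero_raw": [],
           "entry_section": None, "entry_in_first_section": False}
    for s in sections:
        label = s["name"] or f"<unnamed #{s['index']}>"
        if s["chars"] & IMAGE_SCN_MEM_EXECUTE and s["chars"] & IMAGE_SCN_MEM_WRITE:
            out["rwx"].append(label)               # self-modifying or unpack-in-place region
        if not s["name"]:
            out["unnamed"].append(s["index"])
        if s["raw"] == 0:                          # nothing on disk: filled at run time
            out["zero_raw"].append(label)
        if s["va"] <= entry < s["va"] + max(s["vsize"], s["raw"]):
            out["entry_section"] = label
            out["entry_in_first_section"] = s["index"] == 1
    return out


if __name__ == "__main__":
    for key, value in triage(build_sample_pe()).items():
        print(f"{key}: {value}")
```

To run this against a real file, replace `build_sample_pe()` with `open(path, "rb").read()`; the parser needs only the headers, so it also works on a truncated or partially acquired sample. An entry point outside the first code section combined with a zero-raw-size section of comparable virtual size is a stronger packer indicator than any single section name, and it survives renamed sections.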

Hashes

MD5 0b044d8b7dcbf25b42f8ab93775ac942
SHA1 ed314a02f01e2944c301d96fbe080db2c33a7127
SHA256 773037dbb35a7a524536b18e577fdf81353d46fab023e06eed4640b076a2520b
SHA3 ba0efd362383dd680025a5373c1e12b11a2d89e103f0f2e62519f8c67d95d722
SSDeep 12288:RnkMDp03+4vRifWJihIO2xUBiUO16xzwRF3Z4mxx2mXQxli0s8NBWqu:FRNavwWJiyxUBiUO16xzwQmX2mXGQ8NC
Imports Hash 264d7f250bdd45acf4e44d99090e6339

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0xd0

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_I386
NumberofSections 5
TimeDateStamp 2004-Aug-04 06:01:37
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xe0
Characteristics IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_RELOCS_STRIPPED

Image Optional Header

Magic PE32
LinkerVersion 7.1
SizeOfCode 0x9a00
SizeOfInitializedData 0x52c00
SizeOfUninitializedData 0
AddressOfEntryPoint 0x00060000 (Section: unnamed; Section_2 below, VirtualAddress 0x60000)
BaseOfCode 0x1000
BaseOfData 0xb000
ImageBase 0x1000000
SectionAlignment 0x1000
FileAlignment 0x200
OperatingSystemVersion 5.1
ImageVersion 5.1
SubsystemVersion 4.0
Win32VersionValue 0
SizeOfImage 0x110000
SizeOfHeaders 0x400
Checksum 0x5eaf1
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
DllCharacteristics IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
SizeofStackReserve 0x40000
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

Section_1

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA3 a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a
VirtualSize 0x5f000
VirtualAddress 0x1000
SizeOfRawData 0
PointerToRawData 0
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

Section_2

MD5 4412b43894fdaaaceb3d2d023df527ab
SHA1 cb82d4fc6cb063602bcb4704696c44c4a018d40a
SHA256 00fb605fefca8a5452f667cf978d83bd2f6449ba98cb3d1bd3570bee99e19e89
SHA3 71688bdff97b89ad883dada0e64c72faee0c1d8d8a62f2b441c2a63581de0ea7
VirtualSize 0x5f000
VirtualAddress 0x60000
SizeOfRawData 0x5cc00
PointerToRawData 0x400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 7.99948

.rsrc

MD5 5f93efc0fac52545b698fe2b8d91f9ef
SHA1 e69dd16e774da53e8eef8bbdee97258faf7a8f0f
SHA256 d589f1ee2f64cfe566de6a189c763fac31ef19b158210c9255a100f90d1f9530
SHA3 fb3346749d1cd6aac3da116f079d148e28f85519e04ec101f0a28a677925a296
VirtualSize 0x1000
VirtualAddress 0xbf000
SizeOfRawData 0x200
PointerToRawData 0x5d000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 4.96504

.data

MD5 83142bf5c7eea78263702e4e17112838
SHA1 a413812aac71ff1b42a01947c2538b5502c214ea
SHA256 4828146be66a1c6b1ac36fcd24d6a022c50e39e27cb1c9fee2ca7d407e66f4fd
SHA3 d04ab6ee7a23a06d997f18ddd7a3c6d2a10c764163cbb09e7b818f42a8bf4811
VirtualSize 0x4f000
VirtualAddress 0xc0000
SizeOfRawData 0x4ec00
PointerToRawData 0x5d200
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 7.92193

.adata

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA3 a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a
VirtualSize 0x1000
VirtualAddress 0x10f000
SizeOfRawData 0
PointerToRawData 0xabe00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

Imports

kernel32.dll GetProcAddress
GetModuleHandleA
LoadLibraryA
oleaut32.dll VariantChangeTypeEx
kernel32.dll (#2) GetProcAddress
GetModuleHandleA
LoadLibraryA

Delayed Imports

1

Type RT_ICON
Language Chinese - PRC
Codepage UNKNOWN
Size 0x2e8
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 3.75013
MD5 760b19b7b9c731af7673221f7781b99f
SHA1 a3b139e52af4b2004a0c7ceca80ff4101ba9b2c4
SHA256 ea5e771d2e590691c5c624a1204015a71d390ccb57781860f9cbc2fed1425f02
SHA3 41108697ba7383a73072bdcefd21fc18a240f55b1b1a2490c3cb172be29c6b19

2

Type RT_ICON
Language Chinese - PRC
Codepage UNKNOWN
Size 0x128
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 3.53793
MD5 601aa6e69d0cd049a2c9b8177188a07f
SHA1 aa2266a300eb43df1c02acade8868980e3e80b41
SHA256 155ac1573c5f09ad098c18d0fa1cb6dc21081f0d969d743869938146abd9aa5e
SHA3 03a587ecb31a94af9cbfdc4c8c83585aca2a052ab723249ace5a4852f70f5576

3000

Type RT_GROUP_ICON
Language Chinese - PRC
Codepage UNKNOWN
Size 0x22
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 2.37086
Detected Filetype Icon file
MD5 d59e0d372ea5fd8c1f4de744376a6af4
SHA1 6883ce60e71a83424db0b41d0ab6bf61080e3de2
SHA256 b10e28a32eddb2ab20a46ceae59d9c0786911eb20f0c8dd2a28421f226ea2b8b
SHA3 5e39df982879204dd9f129a37d1e1c2ff906e88de9ae01b4418db5e8455e7ae1

1 (#2)

Type RT_VERSION
Language Chinese - PRC
Codepage UNKNOWN
Size 0x440
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 3.45068
MD5 bf0c0a1644bbdab5e482c964b6e8fdeb
SHA1 fb71efbc719c0a2eecb36f0934946061e72dc048
SHA256 1f4cbfbb6109b1053e37a26a2fe0809c21410b2ccad7e90a6f0890645ff70db5
SHA3 f7122cd4f34429ac97df759b082d8713331b214d2d454d2d6ed4485ba1cf8dcb

Version Info

Signature 0xfeef04bd
StructVersion 0x10000
FileVersion 6.0.2900.2180
ProductVersion 6.0.2900.2180
FileFlags (EMPTY)
FileOs VOS_DOS_WINDOWS32
VOS_NT
VOS_NT_WINDOWS32
VOS_WINCE
VOS__WINDOWS32
FileType VFT_APP
Language Chinese - PRC
CompanyName Microsoft Corporation
FileDescription Win32 Cabinet Self-Extractor
FileVersion (#2) 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
InternalName Wextract
LegalCopyright (C) Microsoft Corporation. All rights reserved.
OriginalFilename WEXTRACT.EXE
ProductName Microsoft(R) Windows(R) Operating System
ProductVersion (#2) 6.00.2900.2180
Resource LangID Chinese - PRC

TLS Callbacks

Load Configuration

RICH Header

XOR Key 0x43facbb6
Unmarked objects 0
Imports (VS2003 (.NET) build 4035) 13
Total imports 134
94 (VS2003 (.NET) build 4035) 1
C objects (VS2003 (.NET) build 4035) 27
Linker (VS2003 (.NET) build 4035) 1

Errors

[*] Warning: Section (unnamed, Section_1) has a size of 0!
[*] Warning: Section .adata has a size of 0!