| Architecture | IMAGE_FILE_MACHINE_I386 |
|---|---|
| Subsystem | IMAGE_SUBSYSTEM_WINDOWS_GUI |
| Compilation Date | 2023-Oct-03 07:51:19 |
| Detected languages | English - United States |
| Debug artifacts | D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb |

| Level | Finding | Details |
|---|---|---|
| Info | Matching compiler(s) | Microsoft Visual C++ 6.0 - 8.0 (heuristic match only; the LinkerVersion 14.0 and the VS2022 entries in the Rich header below point to a newer toolchain) |
| Suspicious | Strings found in the binary may indicate undesirable behavior | Accesses the WMI |
| Info | Cryptographic algorithms detected in the binary | Uses constants related to SHA1; uses constants related to SHA256; uses constants related to AES |
| Info | The PE contains common functions which appear in legitimate applications | [!] The program may be hiding some of its imports |
| Info | The PE is digitally signed | Signer: Technik Markt TMA e.K.; Issuer: Sectigo Public Code Signing CA EV R36 |
| Suspicious | VirusTotal score: 2/70 (scanned on 2026-01-15 18:01:33) | APEX: Malicious; VBA32: Backdoor.Bladabindi |
| e_magic | MZ |
|---|---|
| e_cblp | 0x90 |
| e_cp | 0x3 |
| e_crlc | 0 |
| e_cparhdr | 0x4 |
| e_minalloc | 0 |
| e_maxalloc | 0xffff |
| e_ss | 0 |
| e_sp | 0xb8 |
| e_csum | 0 |
| e_ip | 0 |
| e_cs | 0 |
| e_ovno | 0 |
| e_oemid | 0 |
| e_oeminfo | 0 |
| e_lfanew | 0x118 |
| Signature | PE |
|---|---|
| Machine | IMAGE_FILE_MACHINE_I386 |
| NumberofSections | 6 |
| TimeDateStamp | 2023-Oct-03 07:51:19 |
| PointerToSymbolTable | 0 |
| NumberOfSymbols | 0 |
| SizeOfOptionalHeader | 0xe0 |
| Characteristics | IMAGE_FILE_32BIT_MACHINE, IMAGE_FILE_EXECUTABLE_IMAGE |
| Magic | PE32 |
|---|---|
| LinkerVersion | 14.0 |
| SizeOfCode | 0x34600 |
| SizeOfInitializedData | 0x40600 |
| SizeOfUninitializedData | 0 |
| AddressOfEntryPoint | 0x00021D50 (Section: .text) |
| BaseOfCode | 0x1000 |
| BaseOfData | 0x36000 |
| ImageBase | 0x400000 |
| SectionAlignment | 0x1000 |
| FileAlignment | 0x200 |
| OperatingSystemVersion | 5.1 |
| ImageVersion | 0.0 |
| SubsystemVersion | 5.1 |
| Win32VersionValue | 0 |
| SizeOfImage | 0x79000 |
| SizeOfHeaders | 0x400 |
| Checksum | 0x2d1cb8 |
| Subsystem | IMAGE_SUBSYSTEM_WINDOWS_GUI |
| DllCharacteristics | IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE, IMAGE_DLLCHARACTERISTICS_GUARD_CF, IMAGE_DLLCHARACTERISTICS_NX_COMPAT, IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE |
| SizeofStackReserve | 0x100000 |
| SizeofStackCommit | 0x1000 |
| SizeofHeapReserve | 0x100000 |
| SizeofHeapCommit | 0x1000 |
| LoaderFlags | 0 |
| NumberOfRvaAndSizes | 16 |
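The DOS, file and optional header fields tabulated above are what a parser reads to produce this kind of report. The following is an added example, not code from the report's tool or from WinRAR: it decodes the headers from raw bytes, names the Characteristics and DllCharacteristics bits, formats the TimeDateStamp the way the report does, and checks that AddressOfEntryPoint falls inside the code range (an entry point outside BaseOfCode..BaseOfCode+SizeOfCode is a common packer or tampering sign). The sample bytes are constructed here from the report's own values; there is no section table and no code behind them.

```python
"""Decode the DOS, file and optional PE headers tabulated above.

Added example; it is not code from the original report or from WinRAR.
The sample bytes are CONSTRUCTED from the report's values (e_lfanew 0x118,
Machine 0x14c, 6 sections, TimeDateStamp 2023-Oct-03 07:51:19, entry point
0x21d50, ...). Only the headers are built; there is no section table or code.
"""
import struct
from datetime import datetime, timezone

MZ = 0x5A4D
PE_SIG = 0x00004550
PE32_MAGIC = 0x10B

MACHINES = {0x14C: "IMAGE_FILE_MACHINE_I386", 0x8664: "IMAGE_FILE_MACHINE_AMD64"}
SUBSYSTEMS = {2: "IMAGE_SUBSYSTEM_WINDOWS_GUI", 3: "IMAGE_SUBSYSTEM_WINDOWS_CUI"}
FILE_FLAGS = {
    0x0002: "IMAGE_FILE_EXECUTABLE_IMAGE",
    0x0100: "IMAGE_FILE_32BIT_MACHINE",
    0x2000: "IMAGE_FILE_DLL",
}
DLL_FLAGS = {
    0x0040: "IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE",
    0x0100: "IMAGE_DLLCHARACTERISTICS_NX_COMPAT",
    0x0400: "IMAGE_DLLCHARACTERISTICS_NO_SEH",
    0x4000: "IMAGE_DLLCHARACTERISTICS_GUARD_CF",
    0x8000: "IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE",
}


def decode_flags(value, table):
    """Names of the set bits, lowest first; bits not in the table stay as hex."""
    names = [name for bit, name in sorted(table.items()) if value & bit]
    unknown = value & ~sum(table)
    if unknown:
        names.append(f"0x{unknown:04x}")
    return names


def parse_pe32(data):
    e_magic, = struct.unpack_from("<H", data, 0)
    if e_magic != MZ:
        raise ValueError("no MZ signature")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data):
        raise ValueError("e_lfanew points past the end of the buffer")
    (sig, machine, n_sections, timestamp, _symtab, _nsyms,
     opt_size, characteristics) = struct.unpack_from("<IHHIIIHH", data, e_lfanew)
    if sig != PE_SIG:
        raise ValueError("no PE signature at e_lfanew")
    opt = e_lfanew + 24                      # IMAGE_OPTIONAL_HEADER32 follows
    if opt + opt_size > len(data):
        raise ValueError("optional header is truncated")
    magic, = struct.unpack_from("<H", data, opt)
    if magic != PE32_MAGIC:
        raise ValueError("only PE32 is handled here")
    size_of_code, = struct.unpack_from("<I", data, opt + 4)
    entry, base_of_code = struct.unpack_from("<II", data, opt + 16)
    subsystem, dll_chars = struct.unpack_from("<HH", data, opt + 68)
    when = datetime.fromtimestamp(timestamp, tz=timezone.utc)
    return {
        "machine": MACHINES.get(machine, f"0x{machine:x}"),
        "sections": n_sections,
        "timestamp": timestamp,
        "compiled": when.strftime("%Y-%b-%d %H:%M:%S"),
        "characteristics": decode_flags(characteristics, FILE_FLAGS),
        "subsystem": SUBSYSTEMS.get(subsystem, str(subsystem)),
        "dll_characteristics": decode_flags(dll_chars, DLL_FLAGS),
        "entry_point": entry,
        # entry point should lie inside the code range, otherwise suspect packing
        "entry_in_code": base_of_code <= entry < base_of_code + size_of_code,
        "mitigations": {
            "aslr": bool(dll_chars & 0x0040),
            "dep": bool(dll_chars & 0x0100),
            "cfg": bool(dll_chars & 0x4000),
        },
    }


def build_sample():
    """CONSTRUCTED headers carrying the values from the report."""
    ts = int(datetime(2023, 10, 3, 7, 51, 19, tzinfo=timezone.utc).timestamp())
    e_lfanew = 0x118
    dos = bytearray(e_lfanew)
    struct.pack_into("<H", dos, 0, MZ)
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    file_hdr = struct.pack("<IHHIIIHH", PE_SIG, 0x14C, 6, ts, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<HBB", opt, 0, PE32_MAGIC, 14, 0)          # Magic, linker 14.0
    struct.pack_into("<III", opt, 4, 0x34600, 0x40600, 0)        # code/init/uninit sizes
    struct.pack_into("<III", opt, 16, 0x21D50, 0x1000, 0x36000)  # entry, BaseOfCode, BaseOfData
    struct.pack_into("<III", opt, 28, 0x400000, 0x1000, 0x200)   # ImageBase, alignments
    struct.pack_into("<III", opt, 56, 0x79000, 0x400, 0x2D1CB8)  # SizeOfImage, SizeOfHeaders, CheckSum
    struct.pack_into("<HH", opt, 68, 2, 0xC140)                  # Subsystem GUI, DllCharacteristics
    struct.pack_into("<I", opt, 92, 16)                          # NumberOfRvaAndSizes
    return bytes(dos) + file_hdr + bytes(opt)


if __name__ == "__main__":
    for key, value in parse_pe32(build_sample()).items():
        print(f"{key}: {value}")
```

The DllCharacteristics bits only record what the linker asked for. GUARD_CF set together with a GuardCFFunctionCount of 0 in the load configuration below means the image has no CFG function table, so the bit alone should not be read as proof that indirect calls in this binary are instrumented.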
| Library | Imported functions |
|---|---|
| KERNEL32.dll | GetLastError, SetLastError, FormatMessageW, GetCurrentProcess, DeviceIoControl, SetFileTime, CloseHandle, CreateDirectoryW, RemoveDirectoryW, CreateFileW, DeleteFileW, CreateHardLinkW, GetShortPathNameW, GetLongPathNameW, MoveFileW, GetFileType, GetStdHandle, WriteFile, ReadFile, FlushFileBuffers, SetEndOfFile, SetFilePointer, GetCurrentProcessId, SetFileAttributesW, GetFileAttributesW, FindClose, FindFirstFileW, FindNextFileW, InterlockedDecrement, GetVersionExW, GetCurrentDirectoryW, GetFullPathNameW, FoldStringW, GetModuleFileNameW, GetModuleHandleW, FindResourceW, FreeLibrary, GetProcAddress, ExitProcess, SetThreadExecutionState, Sleep, LoadLibraryW, GetSystemDirectoryW, CompareStringW, AllocConsole, FreeConsole, AttachConsole, WriteConsoleW, GetProcessAffinityMask, CreateThread, SetThreadPriority, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, SetEvent, ResetEvent, ReleaseSemaphore, WaitForSingleObject, CreateEventW, CreateSemaphoreW, GetSystemTime, SystemTimeToTzSpecificLocalTime, TzSpecificLocalTimeToSystemTime, SystemTimeToFileTime, FileTimeToLocalFileTime, LocalFileTimeToFileTime, FileTimeToSystemTime, GetCPInfo, IsDBCSLeadByte, MultiByteToWideChar, WideCharToMultiByte, GlobalAlloc, LockResource, GlobalLock, GlobalUnlock, GlobalFree, LoadResource, SizeofResource, SetCurrentDirectoryW, GetTimeFormatW, GetDateFormatW, LocalFree, GetExitCodeProcess, GetLocalTime, GetTickCount, MapViewOfFile, UnmapViewOfFile, CreateFileMappingW, OpenFileMappingW, GetCommandLineW, SetEnvironmentVariableW, ExpandEnvironmentStringsW, GetTempPathW, MoveFileExW, GetLocaleInfoW, GetNumberFormatW, DecodePointer, SetFilePointerEx, GetConsoleMode, GetConsoleCP, HeapSize, SetStdHandle, GetProcessHeap, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineA, GetOEMCP, RaiseException, GetSystemInfo, VirtualProtect, VirtualQuery, LoadLibraryExA, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, IsDebuggerPresent, GetStartupInfoW, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, EncodePointer, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, QueryPerformanceFrequency, GetModuleHandleExW, GetModuleFileNameA, GetACP, HeapFree, HeapReAlloc, HeapAlloc, GetStringTypeW, LCMapStringW, FindFirstFileExA, FindNextFileA, IsValidCodePage |
| OLEAUT32.dll | SysAllocString, SysFreeString, VariantClear |
| gdiplus.dll | GdipAlloc, GdipDisposeImage, GdipCloneImage, GdipCreateBitmapFromStream, GdipCreateBitmapFromStreamICM, GdipCreateHBITMAPFromBitmap, GdiplusStartup, GdiplusShutdown, GdipFree |
| USER32.dll (delay-loaded) | GetDlgItemTextW, SendDlgItemMessageW, SetFocus, DialogBoxParamW, GetSysColor, LoadBitmapW, LoadIconW, DestroyIcon, IsDialogMessageW, IsWindowVisible, WaitForInputIdle, PostMessageW, PeekMessageW, DispatchMessageW, TranslateMessage, GetMessageW, wvsprintfW, CopyImage, GetClassNameW, FindWindowExW, MessageBoxW, ReleaseDC, GetDC, SendMessageW, LoadCursorW, CopyRect, MapWindowPoints, UpdateWindow, DestroyWindow, IsWindow, CreateWindowExW, RegisterClassExW, DefWindowProcW, CharUpperW, OemToCharBuffA, LoadStringW, GetWindow, SetProcessDefaultLayout, SetWindowLongW, GetWindowLongW, GetWindowRect, GetClientRect, GetSystemMetrics, SetDlgItemTextW, SetWindowPos, GetParent, SetWindowTextW, EnableWindow, GetDlgItem, EndDialog, SetForegroundWindow, ShowWindow |
| Attributes | 0x1 |
|---|---|
| Name | USER32.dll |
| ModuleHandle | 0x65cf8 |
| DelayImportAddressTable | 0x670b4 |
| DelayImportNameTable | 0x3fc70 |
| BoundDelayImportTable | 0x40414 |
| UnloadDelayImportTable | 0 |
| TimeStamp | 1970-Jan-01 00:00:00 |
| Select destination folder |
| Extracting %s |
| Skipping %s |
| Unexpected end of archive |
| The file "%s" header is corrupt |
| Corrupt header is found |
| Main archive header is corrupt |
| The archive comment header is corrupt |
| The archive comment is corrupt |
| Not enough memory |
| Unknown method in %s |
| Cannot open %s |
| Cannot create %s |
| Cannot create folder %s |
| Checksum error in the encrypted file %s. Corrupt file or wrong password. |
| Checksum error in %s |
| Packed data checksum error in %s |
| Write error in the file %s |
| Read error in the file %s |
| File close error |
| The required volume is absent |
| The archive is either in unknown format or damaged |
| Extracting from %s |
| Next volume |
| The archive header is corrupt |
| Close |
| Error |
| Errors encountered while performing the operation |
| Look at the information window for more details |
| bytes |
| modified on |
| folder is not accessible |
| Some files could not be created. |
| You can try to repeat the installation after closing other applications and restarting Windows. |
| Some installation files are corrupt. |
| Please download a fresh copy and retry the installation |
| All files |
| <ul><li>Press <b>Install</b> button to start extraction.</li><br><br> |
| <ul><li>Press <b>Extract</b> button to start extraction.</li><br><br> |
| <li>Use <b>Browse</b> button to select the destination |
| folder from the folders tree. It can be also entered |
| manually.</li><br><br> |
| <li>If the destination folder does not exist, it will be |
| created automatically before extraction.</li></ul> |
| The archive is corrupt |
| Extracting files to %s folder |
| Extracting files to temporary folder |
| Extract |
| Extraction progress |
| Total path and file name length must not exceed %d characters |
| Unknown encryption method in %s |
| The specified password is incorrect. |
| Incorrect password for %s |
| Cannot copy %s to %s. |
| Cannot create symbolic link %s |
| Cannot create hard link %s |
| You need to unpack the link target first |
| You may need to run this self-extracting archive as administrator |
| Pause |
| Continue |
| Security warning |
| Please remove %s from folder %s. It is unsecure to run %s until it is done. |
| Characteristics | 0 |
|---|---|
| TimeDateStamp | 2023-Oct-03 07:51:19 |
| Version | 0.0 |
| SizeofData | 81 |
| AddressOfRawData | 0x3e804 |
| PointerToRawData | 0x3d204 |
| Referenced File | D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb |
| Characteristics | 0 |
|---|---|
| TimeDateStamp | 2023-Oct-03 07:51:19 |
| Version | 0.0 |
| SizeofData | 20 |
| AddressOfRawData | 0x3e858 |
| PointerToRawData | 0x3d258 |
| Characteristics | 0 |
|---|---|
| TimeDateStamp | 2023-Oct-03 07:51:19 |
| Version | 0.0 |
| SizeofData | 964 |
| AddressOfRawData | 0x3e86c |
| PointerToRawData | 0x3d26c |
| Size | 0xc0 |
|---|---|
| TimeDateStamp | 1970-Jan-01 00:00:00 |
| Version | 0.0 |
| GlobalFlagsClear | (EMPTY) |
| GlobalFlagsSet | (EMPTY) |
| CriticalSectionDefaultTimeout | 0 |
| DeCommitFreeBlockThreshold | 0 |
| DeCommitTotalFreeThreshold | 0 |
| LockPrefixTable | 0 |
| MaximumAllocationSize | 0 |
| VirtualMemoryThreshold | 0 |
| ProcessAffinityMask | 0 |
| ProcessHeapFlags | (EMPTY) |
| CSDVersion | 0 |
| Reserved1 | 0 |
| EditList | 0 |
| SecurityCookie | 0x44277c |
| SEHandlerTable | 0x43e654 |
| SEHandlerCount | 44 |
| GuardCFCheckFunctionPointer | 0x436278 (4416120) |
| GuardCFDispatchFunctionPointer | 0 |
| GuardCFFunctionTable | 0 |
| GuardCFFunctionCount | 0 |
| GuardFlags | (EMPTY) |
| CodeIntegrity.Flags | 0 |
| CodeIntegrity.Catalog | 0 |
| CodeIntegrity.CatalogOffset | 0 |
| CodeIntegrity.Reserved | 0 |
| GuardAddressTakenIatEntryTable | 0 |
| GuardAddressTakenIatEntryCount | 0 |
| GuardLongJumpTargetTable | 0 |
| GuardLongJumpTargetCount | 0 |
| XOR Key | 0xe9a736a9 |
|---|---|
| Unmarked objects | 0 |
| 241 (40116) | 13 |
| 243 (40116) | 142 |
| 242 (40116) | 24 |
| 253 (VS2022 Update 3 (17.3.0) compiler 31616) | 2 |
| C objects (VS2022 Update 3 (17.3.0) compiler 31616) | 19 |
| ASM objects (VS2022 Update 3 (17.3.0) compiler 31616) | 22 |
| C++ objects (VS2022 Update 3 (17.3.0) compiler 31616) | 53 |
| C objects (VS2008 SP1 build 30729) | 11 |
| Imports (VS2008 SP1 build 30729) | 7 |
| Total imports | 282 |
| C++ objects (VS2022 Update 3 (17.3.4-6) compiler 31630) | 49 |
| Exports (VS2022 Update 3 (17.3.4-6) compiler 31630) | 1 |
| Resource objects (VS2022 Update 3 (17.3.4-6) compiler 31630) | 1 |
| Linker (VS2022 Update 3 (17.3.4-6) compiler 31630) | 1 |
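The Rich header table above (XOR key, then one row per (ProdId, Build) pair with its object count) is decoded from a small structure that sits between the DOS stub and the PE signature. The following is an added example, not code from the report's tool or from WinRAR: it recovers the entries by undoing the XOR, and recomputes the key, which is a checksum over the DOS header (e_lfanew excluded) plus each entry rotated by its count, so a stored key that does not match flags an edited or forged header. The DOS stub here is constructed, so its key differs from the report's 0xe9a736a9; the four entries are the ones the report lists by numeric ProdId (241, 243, 242, 253), and the ProdId-to-toolchain mapping the report applies is not reproduced.

```python
"""Decode and validate a Rich header like the one tabulated above.

Added example; it is not code from the original report or from WinRAR.
Layout: a 'DanS' marker and three zero DWORDs, then (ProdId<<16 | Build,
Count) pairs, all XORed with a key, followed by 'Rich' and the key in clear.
The key is a checksum over the DOS header (e_lfanew excluded) plus the
rotated entries, so it can be recomputed to detect edits. The sample DOS
stub is CONSTRUCTED, so its key differs from the report's 0xe9a736a9; the
four entries are the ones the report lists by numeric ProdId.
"""
import struct

DANS = 0x536E6144   # "DanS" read as a little-endian DWORD
MASK = 0xFFFFFFFF

# (ProdId, Build, Count) rows taken from the report's Rich header table
ENTRIES = [(241, 40116, 13), (243, 40116, 142), (242, 40116, 24), (253, 31616, 2)]


def rol32(value, n):
    n &= 31
    return ((value << n) | (value >> (32 - n))) & MASK


def rich_key(data, dans_off, entries):
    """Recompute the XOR key: DanS offset + rotated DOS header bytes
    (skipping e_lfanew at 0x3c..0x3f) + each entry rotated by its count."""
    csum = dans_off
    for i in range(dans_off):
        if 0x3C <= i < 0x40:
            continue
        csum = (csum + rol32(data[i], i)) & MASK
    for prodid, build, count in entries:
        csum = (csum + rol32((prodid << 16) | build, count)) & MASK
    return csum


def parse_rich_header(data):
    rich_off = data.find(b"Rich")
    if rich_off < 0 or rich_off + 8 > len(data):
        raise ValueError("no Rich marker")
    key, = struct.unpack_from("<I", data, rich_off + 4)
    # walk back one DWORD at a time, undoing the XOR, until DanS appears
    words, off, dans_off = [], rich_off - 4, None
    while off >= 0:
        v, = struct.unpack_from("<I", data, off)
        v ^= key
        if v == DANS:
            dans_off = off
            break
        words.append(v)
        off -= 4
    if dans_off is None:
        raise ValueError("DanS marker not found")
    words.reverse()
    if words[:3] != [0, 0, 0] or len(words[3:]) % 2:
        raise ValueError("malformed Rich header body")
    body = words[3:]
    entries = [(body[i] >> 16, body[i] & 0xFFFF, body[i + 1])
               for i in range(0, len(body), 2)]
    return {
        "offset": dans_off,
        "key": key,
        "entries": entries,
        "key_valid": rich_key(data, dans_off, entries) == key,
    }


def build_sample(entries, tamper=False):
    """CONSTRUCTED MZ header + stub (0x80 bytes) followed by a Rich header."""
    dos = bytearray(0x80)
    struct.pack_into("<H", dos, 0, 0x5A4D)          # 'MZ'
    struct.pack_into("<I", dos, 0x3C, 0x118)        # e_lfanew, value from the report
    dos[0x40:0x40 + 9] = b"DOS stub."               # arbitrary stub bytes
    dans_off = len(dos)
    key = rich_key(dos, dans_off, entries)
    words = [DANS, 0, 0, 0]
    for prodid, build, count in entries:
        words += [(prodid << 16) | build, count]
    encoded = b"".join(struct.pack("<I", w ^ key) for w in words)
    data = bytearray(dos + encoded + b"Rich" + struct.pack("<I", key))
    if tamper:
        # bump the first entry's Count without refreshing the key, as a
        # careless edit of the header would
        off = dans_off + 5 * 4
        v, = struct.unpack_from("<I", data, off)
        struct.pack_into("<I", data, off, ((v ^ key) + 1) ^ key)
    return bytes(data)


if __name__ == "__main__":
    for sample in (build_sample(ENTRIES), build_sample(ENTRIES, tamper=True)):
        info = parse_rich_header(sample)
        print(f"key 0x{info['key']:08x} valid={info['key_valid']}")
        for prodid, build, count in info["entries"]:
            print(f"  prodid {prodid} build {build} count {count}")
```

The validity check is the part worth keeping in a triage script: the Rich header is routinely copied from a benign file or zeroed to defeat toolchain fingerprinting, and a key that does not recompute from the surrounding bytes is direct evidence of that, independent of what the ProdId values claim.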