dc0d983eeb82f3022465465b44e68b6b763510f7c912518576cab4f357979faf

Summary

Architecture IMAGE_FILE_MACHINE_AMD64
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date 2014-Jan-01 22:07:45
TLS Callbacks 3 callback(s) detected.

Plugin Output

Suspicious Strings found in the binary may indicate undesirable behavior:
Tries to detect virtualized environments (the HARDWARE\DESCRIPTION\System key holds the SystemBiosVersion/VideoBiosVersion values whose vendor strings identify a hypervisor):
  • HARDWARE\DESCRIPTION\System
  • HARDWARE\Description\System
Looks for VMWare presence:
  • VEN_15AD
  • VMTools
  • VMware
  • hgfs.sys
  • mhgfs.sys
  • vmmemctl
  • vmmouse
  • vmtools
  • vmx86
Looks for VirtualBox presence:
  • HARDWARE\ACPI\DSDT\VBOX__
  • HARDWARE\ACPI\FADT\VBOX__
  • HARDWARE\ACPI\RSDT\VBOX__
  • SOFTWARE\Oracle\VirtualBox Guest Additions
  • VBoxGuest
  • VBoxHook.dll
  • VBoxMouse
  • VBoxSF
  • VBoxService
  • VBoxTray
  • VEN_80EE
  • \\.\pipe\VBoxMiniRdDN
  • \\.\pipe\VBoxTrayIPC
Looks for Qemu presence:
  • QEMU
  • Qemu
  • qemu
May have dropper capabilities:
  • CurrentControlSet\Services
Accesses the WMI:
  • ROOT\CIMV2
Contains domain names:
  • api.telegram.org
  • https://api.ipapi.is
  • https://api.ipapi.is/text
  • telegram.org
Suspicious The PE is possibly packed. Unusual section name found: .xdata (caveat: .xdata is the x64 exception-unwind data section emitted by GCC/MinGW-w64; together with the .bss/.idata/.tls/.reloc layout, the msvcrt.dll CRT start-up imports such as __getmainargs/_initterm/__set_app_type, a linker version consistent with GNU ld and the absence of a Rich header, this points to a MinGW-w64 build rather than a packer, and no section has the near-8.0 entropy a packed image would show)
Suspicious The PE contains functions most legitimate programs don't use. [!] The program may be hiding some of its imports:
  • GetProcAddress
  • LoadLibraryW
Functions which can be used for anti-debugging purposes:
  • CheckRemoteDebuggerPresent
  • CreateToolhelp32Snapshot
Can access the registry:
  • RegCloseKey
  • RegEnumKeyExA
  • RegOpenKeyExA
  • RegQueryInfoKeyA
  • RegQueryValueExA
Can create temporary files:
  • CreateFileA
  • GetTempPathA
Has Internet access capabilities:
  • InternetCloseHandle
  • InternetConnectA
  • InternetOpenA
  • InternetOpenUrlA
  • InternetReadFile
Interacts with services:
  • EnumServicesStatusExA
  • OpenSCManagerA
Enumerates local disk drives:
  • GetVolumeInformationA
Manipulates other processes:
  • OpenProcess
  • Process32FirstW
  • Process32NextW
Suspicious The file contains overlay data. 11767 bytes of data starting at offset 0x106600 (the end of the last section, .reloc: PointerToRawData 0x104e00 + SizeOfRawData 0x1800).
The overlay data has an entropy of 7.30939 and is possibly compressed or encrypted.

Hashes

MD5 dcdcac4d23070bcf0d1e95a2e5e1eb51
SHA1 3a5761dba8ed7bafcb5ffc92ebb7cab568fac045
SHA256 dc0d983eeb82f3022465465b44e68b6b763510f7c912518576cab4f357979faf
SHA3 27a584ecf2717bc0f9362aab8b20e174ea50b49fc752f294d0b7716f2f17a0cf
SSDeep 24576:CmQYWCcXtHHvXqojIvoidQc539tq8mNxP3A3aVU3G:CmQYWRXzUAidx39tq8mNkawG
Imports Hash 4a1cf9a68a2621a371c61ab390807489

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0x80

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_AMD64
NumberofSections 9
TimeDateStamp 2014-Jan-01 22:07:45
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xf0
Characteristics IMAGE_FILE_DEBUG_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED

Image Optional Header

Magic PE32+
LinkerVersion 2.0
SizeOfCode 0xcf000
SizeOfInitializedData 0x37200
SizeOfUninitializedData 0xe00
AddressOfEntryPoint 0x0000000000001420 (Section: .text)
BaseOfCode 0x1000
ImageBase 0x140000000
SectionAlignment 0x1000
FileAlignment 0x200
OperatingSystemVersion 4.0
ImageVersion 0.0
SubsystemVersion 5.2
Win32VersionValue 0
SizeOfImage 0x10c000
SizeOfHeaders 0x400
Checksum 0
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
DllCharacteristics IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
SizeofStackReserve 0x200000
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

.text

MD5 af0e31205d3c98f734e33385a6e6d362
SHA1 78caf64866820f9cd4da866033db8ed6f7886f56
SHA256 c72eab390391b967c6bfdaaba3f119e9736ae7c6a41a108b25086e492efee296
SHA3 78790152781e64c44c2daaec07e34db6beb045c171cae4df73ac2c8f37d572e0
VirtualSize 0xcefd0
VirtualAddress 0x1000
SizeOfRawData 0xcf000
PointerToRawData 0x400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
Entropy 6.16992

.data

MD5 7b5b230c7f9c5492402621d4b329f6dc
SHA1 659a80376524bc7cd5f17ab7b86f8ad07e62c8fc
SHA256 d2c54cc8522fbdb03304a24f5bf20dc7ac54328e81e5b1721729054cf7027dbd
SHA3 8935214eb2f2211bc3e4b3be24aa9f85d7d668ab8bf106ea509f0ba299c4e2e0
VirtualSize 0x2410
VirtualAddress 0xd0000
SizeOfRawData 0x2600
PointerToRawData 0xcf400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 0.876255

.rdata

MD5 3f498b50b7b9afcf1e4ae17533840c95
SHA1 980734bae931ecc11962d0dc6bf7a436d6b8d654
SHA256 f2ba49b50c58496b9f838cb96996a08231fec22b0aa51126703fda2c5daef3b6
SHA3 db45ce2b35c07d7aeedb798a2c7f7a6f7a2ddf615b4ee57cca6d845868deadc3
VirtualSize 0x171e0
VirtualAddress 0xd3000
SizeOfRawData 0x17200
PointerToRawData 0xd1a00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 5.71395

.pdata

MD5 02ee9aff564d02f480564121b4a77037
SHA1 b2001dd4ea4b223d682c2c06d5a3dfc06c424515
SHA256 157fe4d52a3b4cb568d5a1b68790175ba1cf3a0791b65641645a3012bf796aaf
SHA3 500725d0fa6ea84bd1991f1dfc751ae7a75b2f05268f3192461916e09edd4312
VirtualSize 0xb154
VirtualAddress 0xeb000
SizeOfRawData 0xb200
PointerToRawData 0xe8c00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 5.98042

.xdata

MD5 ad7e5b55ce1859356896874413dfa2c5
SHA1 2dffd373f4cdd3840d416301894e21fd519fadff
SHA256 faf412b36405bbba1337cc3e22d2a6973a2eec0da73dba68c3f40098f99c9942
SHA3 794a300767511e34a6f493735aefa39fb6db083f68628ab124bdef30c3473faf
VirtualSize 0xed7c
VirtualAddress 0xf7000
SizeOfRawData 0xee00
PointerToRawData 0xf3e00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 4.93646

.bss

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA3 a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a
VirtualSize 0xc30
VirtualAddress 0x106000
SizeOfRawData 0
PointerToRawData 0
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata

MD5 fb02997fe9e75e2e75705aca327979ba
SHA1 36cf363f907e8b566c10f576d2e14e8c7ea8ecbc
SHA256 54481025968cde558c7e979dcfefb3117a2444ac1be5a5e693143b09ef677236
SHA3 cdb7551d029cd53937d05d6287831262644f200d42cdba8e36476e0489ff90da
VirtualSize 0x1eb8
VirtualAddress 0x107000
SizeOfRawData 0x2000
PointerToRawData 0x102c00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 4.16119

.tls

MD5 bf619eac0cdf3f68d496ea9344137e8b
SHA1 5c3eb80066420002bc3dcc7ca4ab6efad7ed4ae5
SHA256 076a27c79e5ace2a3d47f9dd2e83e4ff6ea8872b3c2218f66c92b89b55f36560
SHA3 622de1e1568ddef36c4b89b706b05201c13481c3575d0fc804ff8224787fcb59
VirtualSize 0x20
VirtualAddress 0x109000
SizeOfRawData 0x200
PointerToRawData 0x104c00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 0

.reloc

MD5 3febabd5c4dd77c8dcbefad8e75f5671
SHA1 02d9f761de2bb531e542cb40528b83626fb83650
SHA256 00e6ba73e6a689a267982d72d57c7ac5f11b47a84306b846ba759b0d19e48d05
SHA3 574980be02d435c859ad6c17ea9549b2ef8edea577bf1b1e0af9fdc1508fa835
VirtualSize 0x16c0
VirtualAddress 0x10a000
SizeOfRawData 0x1800
PointerToRawData 0x104e00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Entropy 5.36702

Imports

ADVAPI32.dll CloseEventLog
CloseServiceHandle
EnumServicesStatusExA
GetNumberOfEventLogRecords
OpenEventLogA
OpenSCManagerA
RegCloseKey
RegEnumKeyExA
RegOpenKeyExA
RegQueryInfoKeyA
RegQueryValueExA
GDI32.dll GetDeviceCaps
IPHLPAPI.DLL GetAdaptersInfo
KERNEL32.dll BuildCommDCBAndTimeoutsA
CheckRemoteDebuggerPresent
CloseHandle
CreateEventA
CreateFileA
CreateSemaphoreA
CreateToolhelp32Snapshot
DeleteCriticalSection
DuplicateHandle
EnterCriticalSection
FindClose
FindFirstFileA
FindNextFileA
FormatMessageA
GetCPInfo
GetComputerNameA
GetCurrentProcess
GetCurrentProcessId
GetCurrentThread
GetCurrentThreadId
GetDiskFreeSpaceExA
GetEnvironmentVariableA
GetFileAttributesA
GetLastError
GetModuleHandleA
GetProcAddress
GetProcessAffinityMask
GetStartupInfoA
GetSystemDefaultLCID
GetSystemInfo
GetSystemPowerStatus
GetSystemTimeAsFileTime
GetTempPathA
GetThreadContext
GetThreadPriority
GetTickCount
GetTickCount64
GetTimeZoneInformation
GetUserDefaultUILanguage
GetVolumeInformationA
GlobalMemoryStatusEx
InitializeCriticalSection
IsDBCSLeadByte
IsDebuggerPresent
K32EnumDeviceDrivers
K32GetDeviceDriverFileNameW
LeaveCriticalSection
LoadLibraryW
LocalFree
Module32FirstW
Module32NextW
MultiByteToWideChar
OpenMutexA
OpenProcess
OutputDebugStringA
Process32FirstW
Process32NextW
QueryFullProcessImageNameW
QueryPerformanceCounter
QueryPerformanceFrequency
RaiseException
ReleaseSemaphore
ResetEvent
ResumeThread
RtlCaptureContext
RtlLookupFunctionEntry
RtlUnwindEx
RtlVirtualUnwind
SetEvent
SetLastError
SetProcessAffinityMask
SetThreadContext
SetThreadPriority
SetUnhandledExceptionFilter
Sleep
SuspendThread
TlsAlloc
TlsGetValue
TlsSetValue
TryEnterCriticalSection
VirtualProtect
VirtualQuery
WaitForMultipleObjects
WaitForSingleObject
WideCharToMultiByte
MFPlat.DLL MFShutdown
MFStartup
MFTEnumEx
msvcrt.dll iswctype
_assert
__C_specific_handler
___lc_codepage_func
___mb_cur_max_func
__getmainargs
__initenv
__iob_func
__set_app_type
__setusermatherr
_acmdln
_amsg_exit
_beginthreadex
_cexit
_commode
_endthreadex
_errno
_fmode
_initterm
_setjmp
_setmode
_time64
_vscprintf
_vsnprintf
abort
atexit
calloc
exit
fclose
fflush
fopen
fprintf
fputc
fputs
free
fwrite
getenv
localeconv
longjmp
malloc
memchr
memcmp
memcpy
memmove
memset
realloc
setlocale
setvbuf
signal
strchr
strcmp
strcoll
strerror
strftime
strlen
strncmp
strtoul
strxfrm
towlower
towupper
vfprintf
wcscoll
wcsftime
wcslen
wcsxfrm
_strdup
_read
_fileno
ole32.dll CoCreateInstance
CoInitializeEx
CoInitializeSecurity
CoSetProxyBlanket
CoTaskMemFree
CoUninitialize
OLEAUT32.dll SysAllocString
SysFreeString
VariantClear
VariantInit
SETUPAPI.dll SetupDiDestroyDeviceInfoList
SetupDiEnumDeviceInfo
SetupDiGetClassDevsA
USER32.dll EnumWindows
GetCursorPos
GetDC
GetLastInputInfo
GetSystemMetrics
GetWindowTextA
IsClipboardFormatAvailable
IsWindowVisible
ReleaseDC
WININET.dll HttpOpenRequestA
HttpSendRequestA
InternetCloseHandle
InternetConnectA
InternetOpenA
InternetOpenUrlA
InternetReadFile

Delayed Imports

Version Info

TLS Callbacks

StartAddressOfRawData 0x140109000
EndAddressOfRawData 0x140109018
AddressOfIndex 0x14010607c
AddressOfCallbacks 0x1400ea1b0
SizeOfZeroFill 0
Characteristics IMAGE_SCN_TYPE_REG
Callbacks 0x0000000140019220
0x0000000140019200
0x00000001400282E0
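The overlay offset, the overlay entropy and the file offsets behind the RVAs in this report (AddressOfEntryPoint, and AddressOfCallbacks for the TLS callback table) can all be recomputed from the section table. The following is an added Python example, not part of the report or of the analysis tool; it uses only the standard library, transcribes the report's section table as constructed input, and builds a small synthetic PE32+ image (constructed, not the sample) to exercise the parser. The sample's file size is not stated on the page, so it is derived from the reported overlay size.

```python
# Added example (stdlib only): recompute overlay start, overlay entropy and the
# file offsets behind the RVAs in the report from a PE's section table.
import math
import struct
from collections import namedtuple

Section = namedtuple("Section", "name virtual_size virtual_address raw_size raw_ptr")

# Transcribed from the report's section table:
# (name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData).
REPORT_SECTIONS = [
    Section(".text",  0xcefd0, 0x001000, 0xcf000, 0x000400),
    Section(".data",  0x02410, 0x0d0000, 0x02600, 0x0cf400),
    Section(".rdata", 0x171e0, 0x0d3000, 0x17200, 0x0d1a00),
    Section(".pdata", 0x0b154, 0x0eb000, 0x0b200, 0x0e8c00),
    Section(".xdata", 0x0ed7c, 0x0f7000, 0x0ee00, 0x0f3e00),
    Section(".bss",   0x00c30, 0x106000, 0x00000, 0x000000),
    Section(".idata", 0x01eb8, 0x107000, 0x02000, 0x102c00),
    Section(".tls",   0x00020, 0x109000, 0x00200, 0x104c00),
    Section(".reloc", 0x016c0, 0x10a000, 0x01800, 0x104e00),
]
REPORT_IMAGE_BASE = 0x140000000
REPORT_OVERLAY_SIZE = 11767   # the report gives the overlay size, not the file size

def parse_sections(blob):
    """Return (ImageBase, [Section]) from raw PE bytes; decodes only what is needed here."""
    if blob[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", blob, coff + 2)[0]
    opt_size = struct.unpack_from("<H", blob, coff + 16)[0]
    opt = coff + 20                          # IMAGE_FILE_HEADER is 20 bytes
    magic = struct.unpack_from("<H", blob, opt)[0]
    if magic == 0x20B:                       # PE32+: ImageBase is a QWORD at +24
        image_base = struct.unpack_from("<Q", blob, opt + 24)[0]
    elif magic == 0x10B:                     # PE32: BaseOfData at +24, ImageBase DWORD at +28
        image_base = struct.unpack_from("<I", blob, opt + 28)[0]
    else:
        raise ValueError("unknown optional header magic %#x" % magic)
    sections, off = [], opt + opt_size
    for _ in range(nsections):
        name, vsize, va, rsize, rptr = struct.unpack_from("<8sIIII", blob, off)
        sections.append(Section(name.rstrip(b"\0").decode("ascii", "replace"), vsize, va, rsize, rptr))
        off += 40                            # IMAGE_SECTION_HEADER is 40 bytes
    return image_base, sections

def rva_to_offset(sections, rva):
    """Map an RVA to a file offset; RVAs in uninitialised space (.bss) have no file bytes."""
    for s in sections:
        if s.virtual_address <= rva < s.virtual_address + max(s.virtual_size, s.raw_size):
            delta = rva - s.virtual_address
            if delta >= s.raw_size:
                raise ValueError("rva %#x lies in uninitialised data of %s" % (rva, s.name))
            return s.raw_ptr + delta
    raise ValueError("rva %#x is outside every section" % rva)

def overlay(sections, file_size):
    """Overlay = bytes after the highest PointerToRawData + SizeOfRawData; returns (start, size)."""
    end = max(s.raw_ptr + s.raw_size for s in sections)
    return end, max(file_size - end, 0)

def shannon_entropy(data):
    """Bits per byte (0.0 .. 8.0); a value above ~7 on an overlay suggests compressed or encrypted payload."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts if c)

def analyze(blob):
    """Headline facts for an in-memory PE file."""
    image_base, secs = parse_sections(blob)
    start, size = overlay(secs, len(blob))
    return {"image_base": image_base, "sections": [s.name for s in secs], "overlay_start": start,
            "overlay_size": size, "overlay_entropy": shannon_entropy(blob[start:]) if size else None}

def report_checks():
    """Cross-check the report: overlay start/size, entry point and TLS callback table as file offsets."""
    end, _ = overlay(REPORT_SECTIONS, 0)
    start, size = overlay(REPORT_SECTIONS, end + REPORT_OVERLAY_SIZE)
    return {"overlay_start": start, "overlay_size": size,                          # 0x106600, 11767
            "entry_offset": rva_to_offset(REPORT_SECTIONS, 0x1420),                 # AddressOfEntryPoint
            "tls_callbacks_offset": rva_to_offset(REPORT_SECTIONS, 0x1400ea1b0 - REPORT_IMAGE_BASE)}

def build_sample_pe():
    """Constructed minimal PE32+ (not the sample): one .text section plus a 16-byte zero overlay."""
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)                      # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x22)                 # AMD64, 1 section
    opt = struct.pack("<HBBIIIIIQ", 0x20B, 2, 0, 0x200, 0, 0, 0x1000, 0x1000, 0x140000000).ljust(240, b"\0")
    sect = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    headers = (dos + b"PE\0\0" + coff + opt + sect).ljust(0x200, b"\0")
    return headers + bytes(range(256)) * 2 + b"\0" * 16

if __name__ == "__main__":
    print(analyze(build_sample_pe()))
    print({k: hex(v) for k, v in report_checks().items()})
```

Run against the transcribed table, report_checks() returns the overlay start 0x106600 and size 11767 from the Plugin Output, maps the entry point RVA 0x1420 to file offset 0x820 in .text, and maps the TLS callback table (0x1400ea1b0 minus ImageBase) to file offset 0xe8bb0 in .rdata, which is where the three callback VAs listed above would be read from on disk. To inspect a real file, pass open(path, "rb").read() to analyze().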

Load Configuration

RICH Header

Errors

[*] Warning: Section .bss has a size of 0! (expected: .bss is IMAGE_SCN_CNT_UNINITIALIZED_DATA with SizeOfRawData 0 and VirtualSize 0xc30, so it occupies memory at load time but no bytes in the file)
[!] Error: [plugin_virustotal] VirusTotal API request rate limit reached! (no VirusTotal results were retrieved for this sample)