inst.exe - Win.Trojan.Demp-114

info
MZ
PE
resources
imports
foremost
signature
hexdump
disasm
log
discuss
donate

filename	inst.exe
size	297824 (0x48b60)
md5	19ce485869607e34c12eb5e0403c940b

type	PE32 executable (GUI) Intel 80386, for MS Windows
mimetype	application/x-dosexec

clamav	Win.Trojan.Demp-114 FOUND
virustotal	→ scan with virustotal.com

histogram

MZ Header

signature	MZ
bytes_in_last_block	0x50
blocks_in_file	2
num_relocs	0
header_paragraphs	4
min_extra_paragraphs	0xf
max_extra_paragraphs	0xffff
ss	0
sp	0xb8
checksum	0
ip	0
cs	0
reloc_table_offset	0x40
overlay_number	0x1a
reserved0	0
oem_id	0
oem_info	0
reserved2	0
reserved3	0
reserved4	0
reserved5	0
reserved6	0
lfanew	0x100

DOS stub

00000000: ba 10 00 0e 1f b4 09 cd  21 b8 01 4c cd 21 90 90  |........!..L.!..|
00000010: 54 68 69 73 20 70 72 6f  67 72 61 6d 20 6d 75 73  |This program mus|
00000020: 74 20 62 65 20 72 75 6e  20 75 6e 64 65 72 20 57  |t be run under W|
00000030: 69 6e 33 32 0d 0a 24 37  00 00 00 00 00 00 00 00  |in32..$7........|
00000040: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
000000c0:

PE Header

Signature	PE
Machine	0x14c
NumberOfSections	0xa
TimeDateStamp	0x536cd94e
PointerToSymbolTable	0
NumberOfSymbols	0
SizeOfOptionalHeader	0xe0
Characteristics	0x818e
Magic	0x10b
LinkerVersion	2.25
SizeOfCode	0x5800
SizeOfInitializedData	0x3800
SizeOfUninitializedData	0
AddressOfEntryPoint	0x70d4
BaseOfCode	0x1000
BaseOfData	0x8000
ImageBase	0x400000
SectionAlignment	0x1000
FileAlignment	0x200
OperatingSystemVersion	5.0
ImageVersion	0.0
SubsystemVersion	5.0
Reserved1	0
SizeOfImage	0x13000
SizeOfHeaders	0x400
CheckSum	0x52def
Subsystem	2
DllCharacteristics	0
SizeOfStackReserve	0x100000
SizeOfStackCommit	0x4000
SizeOfHeapReserve	0x100000
SizeOfHeapCommit	0x1000
LoaderFlags	0
NumberOfRvaAndSizes	0x10

Packer / Compiler

Borland Delphi 2006

Sections

name	va	vsize	raw size	flags
.text	0x1000	0x5540	0x5600	R-X CODE
.itext	0x7000	0x108	0x200	R-X CODE
.data	0x8000	0x824	0xa00	RW- IDATA
.bss	0x9000	0x2ba8	0	RW-
.idata	0xc000	0x4c8	0x600	RW- IDATA
.didata	0xd000	0x24	0x200	RW- IDATA
.tls	0xe000	8	0	RW-
.rdata	0xf000	0x18	0x200	R-- IDATA
.reloc	0x10000	0xf5c	0x1000	R-- IDATA DISCARDABLE
.rsrc	0x11000	0x1400	0x1400	R-- IDATA

Data Directory

type	va	size
EXPORT	0	0
IMPORT	0xc000	0x4c8
RESOURCE	0x11000	0x1400
EXCEPTION	0	0
SECURITY	0x483c0	0x7a0
BASERELOC	0x10000	0xf5c
DEBUG	0	0
ARCHITECTURE	0	0
GLOBALPTR	0	0
TLS	0xf000	0x18
LOAD_CONFIG	0	0
Bound_IAT	0	0
IAT	0xc130	0xb8
Delay_IAT	0xd000	0x24
CLR_Header	0	0

TLS

raw start	raw end	index	callbks	zero fill	flags
0x40e000	0x40e008	0x408798	0x40f010	0	0

show previews

type	name	size
ICON	#1	4264
RCDATA	DVCLAL	16
RCDATA	PACKAGEINFO	144
GROUP_ICON	MAINICON	20

module_name	hint	ord	function_name
user32.dll			MessageBoxA
kernel32.dll			Sleep
kernel32.dll			VirtualFree
kernel32.dll			VirtualAlloc
kernel32.dll			VirtualQuery
kernel32.dll			GetSystemInfo
kernel32.dll			GetVersion
kernel32.dll			SetThreadLocale
kernel32.dll			GetACP
kernel32.dll			GetStartupInfoW
kernel32.dll			GetProcAddress
kernel32.dll			GetModuleHandleW
kernel32.dll			GetCommandLineW
kernel32.dll			FreeLibrary
kernel32.dll			UnhandledExceptionFilter
kernel32.dll			RtlUnwind
kernel32.dll			RaiseException
kernel32.dll			ExitProcess
kernel32.dll			GetCurrentThreadId
kernel32.dll			DeleteCriticalSection
kernel32.dll			InitializeCriticalSection
kernel32.dll			WriteFile
kernel32.dll			GetStdHandle
kernel32.dll			CloseHandle
kernel32.dll			GetProcAddress
kernel32.dll			RaiseException
kernel32.dll			LoadLibraryA
kernel32.dll			GetLastError
kernel32.dll			TlsSetValue
kernel32.dll			TlsGetValue
kernel32.dll			LocalFree
kernel32.dll			LocalAlloc
kernel32.dll			GetModuleHandleW
kernel32.dll			FreeLibrary
user32.dll			CreateWindowExW
user32.dll			PostQuitMessage
user32.dll			LoadCursorW
user32.dll			DefWindowProcW
kernel32.dll			GetVersionExW
kernel32.dll			FreeLibrary
kernel32.dll			ExitProcess

OpenSSL (terse)
ASN.1 (verbose)

Signers (1)

issuer: /CN=CA365 Free Root Certificate/O=CA365/L=Beijing/ST=Beijing/DC=http://www.ca365.com/C=CN

serial: 25B74EF3E0B99C19

Certificates (1)

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 2717727709495663641 (0x25b74ef3e0b99c19)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN=CA365 Free Root Certificate, O=CA365, L=Beijing, ST=Beijing, DC=http://www.ca365.com, C=CN
        Validity
            Not Before: Jun 19 07:31:05 2013 GMT
            Not After : Jun 18 07:37:58 2014 GMT
        Subject: CN=XXOO, OU=\xE4\xBA\x92\xE8\x81\x94\xE7\xBD\x91\xE5\xAE\x89\xE5\x85\xA8, O=\xE5\x8C\x97\xE4\xBA\xAC\xE5\xAE\x89\xE5\x85\xA8\xE5\x85\xAC\xE5\x8F\xB8, L=\xE5\x8C\x97\xE4\xBA\xAC, ST=\xE5\x8C\x97\xE4\xBA\xAC, DC=www.360.cn, C=CN
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:ac:ea:9c:d5:2f:79:15:85:15:a9:75:0a:2f:85:
                    4f:91:ae:91:e3:17:22:64:fb:b2:52:25:62:3d:1d:
                    30:50:77:7d:92:75:d6:8d:6f:cf:4c:65:ab:e7:c3:
                    8b:e5:71:a8:88:06:06:6e:d2:70:b0:09:e9:ab:42:
                    50:37:39:db:4c:00:66:87:f3:97:9c:a4:bf:9b:15:
                    74:b5:63:89:a8:d1:a0:fd:fe:10:ef:e1:27:10:a5:
                    ad:d2:03:dd:f3:f7:77:6a:82:79:14:c2:a5:f9:72:
                    4a:c1:16:48:d8:28:e6:c8:d8:60:45:00:f1:26:0c:
                    39:19:f1:9e:b6:79:ed:11:27:c7:3a:92:8f:87:6b:
                    c1:a9:5a:58:78:9a:f3:47:ff:d3:20:d3:f5:0b:34:
                    ff:8a:62:c3:9c:40:11:d5:e9:1e:71:bf:e1:1c:e9:
                    3c:14:d6:5b:ad:da:54:7e:c9:03:22:74:58:86:e3:
                    30:69:d8:1c:d1:ca:c0:c2:8d:99:7b:57:2c:64:9a:
                    36:71:47:65:7a:f8:a3:da:07:38:78:0f:5b:b8:5d:
                    38:c2:1e:e2:8e:65:70:d9:4a:f3:65:6d:01:9a:fc:
                    6b:aa:45:7c:c4:c1:44:b4:c6:9a:35:10:31:aa:9d:
                    3b:a8:0c:8c:16:2e:ea:36:d4:65:d0:dc:17:df:3c:
                    49:99
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 CRL Distribution Points: critical

                Full Name:
                  URI:http://www.ca365.com/crl.crl?sn=2`aaa3663ac0f544d0a1e9c5eb549a948a

            X509v3 Subject Key Identifier: 
                D4:43:9B:49:D1:2A:68:33:3B:33:A6:69:D3:9A:15:26:F3:61:1E:BA
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Authority Key Identifier: 
                keyid:A6:44:8A:78:1B:B7:1E:81:A1:A7:D7:48:D3:93:1E:96:AF:BA:45:9F

            X509v3 Key Usage: critical
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Extended Key Usage: 
                Code Signing, Time Stamping, Any Extended Key Usage
            X509v3 Subject Alternative Name: 
                email:mail@360.cn, othername:<unsupported>
    Signature Algorithm: sha1WithRSAEncryption
         0d:cc:d8:2f:79:ce:cf:14:9a:95:3f:1e:d9:85:2a:93:e4:4a:
         38:0a:c3:63:a0:60:e9:24:c8:e1:4e:68:3f:c9:c0:9e:8b:f4:
         74:d3:b8:d6:94:d2:b8:ff:ac:9a:22:6f:8b:78:a0:92:78:20:
         c9:09:9e:77:1f:ec:60:dd:fe:ad:91:90:02:ba:8b:60:d6:52:
         09:44:9d:e3:fc:e2:f8:15:64:a3:a7:c2:cb:13:fb:1c:ec:59:
         53:2d:48:ec:e9:d4:d4:4b:4f:fa:f1:b8:7a:69:89:c0:65:4e:
         dd:7a:c9:55:50:da:31:55:31:c6:f8:0b:6e:56:88:a9:93:cd:
         b7:fc:cc:28:23:8c:3e:47:dd:3e:51:13:7c:de:7a:06:1b:17:
         58:7a:04:bd:18:8a:55:6f:74:82:1a:55:ac:78:b7:c9:03:a0:
         ba:00:62:66:a1:e1:18:fb:e1:ca:da:31:30:da:6b:c4:6b:fa:
         ca:c7:8e:90:c8:75:e4:fd:72:05:18:ff:f2:6b:cb:a8:0c:0c:
         1c:0e:e7:b1:2a:28:63:d4:6f:f6:e3:05:d5:33:c7:b6:06:77:
         04:2a:9f:a5:01:2d:74:00:a3:19:2e:ff:b3:a9:7a:f9:f6:49:
         74:13:08:89:59:f3:b1:43:7b:8f:14:18:64:f9:67:90:0d:02:
         4d:8a:c5:bc

pkcs7-signedData

SHA1: nil

1.3.6.1.4.1.311.2.1.4

1.3.6.1.4.1.311.2.1.15

00 3c 00 3c 00 3c 00 4f  00 62 00 73 00 6f 00 6c  |.<.<.<.O.b.s.o.l|
00 65 00 74 00 65 00 3e  00 3e 00 3e              |.e.t.e.>.>.>    |

SHA1

0f ef 56 25 63 f4 1c a4 03 7f e9 94 d4 e4 a0 83 |..V%c...........| cb 78 f6 48 |.x.H |

2
- 25:B7:4E:F3:E0:B9:9C:19
- RSA-SHA1: nil
- #2
  - CN: CA365 Free Root Certificate
  - O: CA365
  - L: Beijing
  - ST: Beijing
  - DC: http://www.ca365.com
  - C: CN
- 2013-06-19 07:31:05 UTC: 2014-06-18 07:37:58 UTC
- #4
  - CN: XXOO
  - OU:
```
e4 ba 92 e8 81 94 e7 bd  91 e5 ae 89 e5 85 a8     |............... |
```
  - O:
```
e5 8c 97 e4 ba ac e5 ae  89 e5 85 a8 e5 85 ac e5  |................|
8f b8                                             |..              |
```
  - L:
```
e5 8c 97 e4 ba ac                                 |......          |
```
  - ST:
```
e5 8c 97 e4 ba ac                                 |......          |
```
  - DC: www.360.cn
  - C: CN
- #5
  - rsaEncryption: nil
  - AC:EA:9C:D5:2F:79:15:85:15:A9:75:0A:2F:85:4F:91:
    AE:91:E3:17:22:64:FB:B2:52:25:62:3D:1D:30:50:77:
    7D:92:75:D6:8D:6F:CF:4C:65:AB:E7:C3:8B:E5:71:A8:
    88:06:06:6E:D2:70:B0:09:E9:AB:42:50:37:39:DB:4C:
    00:66:87:F3:97:9C:A4:BF:9B:15:74:B5:63:89:A8:D1:
    A0:FD:FE:10:EF:E1:27:10:A5:AD:D2:03:DD:F3:F7:77:
    6A:82:79:14:C2:A5:F9:72:4A:C1:16:48:D8:28:E6:C8:
    D8:60:45:00:F1:26:0C:39:19:F1:9E:B6:79:ED:11:27:
    C7:3A:92:8F:87:6B:C1:A9:5A:58:78:9A:F3:47:FF:D3:
    20:D3:F5:0B:34:FF:8A:62:C3:9C:40:11:D5:E9:1E:71:
    BF:E1:1C:E9:3C:14:D6:5B:AD:DA:54:7E:C9:03:22:74:
    58:86:E3:30:69:D8:1C:D1:CA:C0:C2:8D:99:7B:57:2C:
    64:9A:36:71:47:65:7A:F8:A3:DA:07:38:78:0F:5B:B8:
    5D:38:C2:1E:E2:8E:65:70:D9:4A:F3:65:6D:01:9A:FC:
    6B:AA:45:7C:C4:C1:44:B4:C6:9A:35:10:31:AA:9D:3B:
    A8:0C:8C:16:2E:EA:36:D4:65:D0:DC:17:DF:3C:49:99: 0x010001
- #6
  - crlDistributionPoints: true, http://www.ca365.com/crl.crl?sn=2`aaa3663ac0f544d0a1e9c5eb549a948a
  - subjectKeyIdentifier:
```
d4 43 9b 49 d1 2a 68 33  3b 33 a6 69 d3 9a 15 26  |.C.I.*h3;3.i...&|
f3 61 1e ba                                       |.a..            |
```
  - basicConstraints
    - true
    - nil
  - authorityKeyIdentifier:
```
a6 44 8a 78 1b b7 1e 81  a1 a7 d7 48 d3 93 1e 96  |.D.x.......H....|
af ba 45 9f                                       |..E.            |
```
  - keyUsage: true, 0xe0
  - extendedKeyUsage
    - codeSigning: timeStamping, anyExtendedKeyUsage
  - subjectAltName
    - mail@360.cn
      - msUPN: mail@360.cn

RSA-SHA1:

0d cc d8 2f 79 ce cf 14  9a 95 3f 1e d9 85 2a 93  |.../y.....?...*.|
e4 4a 38 0a c3 63 a0 60  e9 24 c8 e1 4e 68 3f c9  |.J8..c.`.$..Nh?.|
c0 9e 8b f4 74 d3 b8 d6  94 d2 b8 ff ac 9a 22 6f  |....t........."o|
8b 78 a0 92 78 20 c9 09  9e 77 1f ec 60 dd fe ad  |.x..x ...w..`...|
91 90 02 ba 8b 60 d6 52  09 44 9d e3 fc e2 f8 15  |.....`.R.D......|
64 a3 a7 c2 cb 13 fb 1c  ec 59 53 2d 48 ec e9 d4  |d........YS-H...|
d4 4b 4f fa f1 b8 7a 69  89 c0 65 4e dd 7a c9 55  |.KO...zi..eN.z.U|
50 da 31 55 31 c6 f8 0b  6e 56 88 a9 93 cd b7 fc  |P.1U1...nV......|
cc 28 23 8c 3e 47 dd 3e  51 13 7c de 7a 06 1b 17  |.(#.>G.>Q.|.z...|
58 7a 04 bd 18 8a 55 6f  74 82 1a 55 ac 78 b7 c9  |Xz....Uot..U.x..|
03 a0 ba 00 62 66 a1 e1  18 fb e1 ca da 31 30 da  |....bf.......10.|
6b c4 6b fa ca c7 8e 90  c8 75 e4 fd 72 05 18 ff  |k.k......u..r...|
f2 6b cb a8 0c 0c 1c 0e  e7 b1 2a 28 63 d4 6f f6  |.k........*(c.o.|
e3 05 d5 33 c7 b6 06 77  04 2a 9f a5 01 2d 74 00  |...3...w.*...-t.|
a3 19 2e ff b3 a9 7a f9  f6 49 74 13 08 89 59 f3  |......z..It...Y.|
b1 43 7b 8f 14 18 64 f9  67 90 0d 02 4d 8a c5 bc  |.C{...d.g...M...|

unnamed
- #0
  - CN: CA365 Free Root Certificate
  - O: CA365
  - L: Beijing
  - ST: Beijing
  - DC: http://www.ca365.com
  - C: CN
- 25:B7:4E:F3:E0:B9:9C:19
SHA1: nil

contentType: 1.3.6.1.4.1.311.2.1.4

messageDigest:

82 d5 27 09 43 6e 29 8e  4c a5 56 b1 e2 28 e0 7a  |..'.Cn).L.V..(.z|
9f 8a c1 09                                       |....            |

1.3.6.1.4.1.311.2.1.12
- :
1.3.6.1.4.1.311.2.1.11: msCodeCom

rsaEncryption:

56 22 26 c1 8a e7 c4 82  ef ec e2 5a 9a 02 0c 51  |V"&........Z...Q|
27 93 42 48 0f 1d db 45  4f 64 b1 0b 18 40 6d e6  |'.BH...EOd...@m.|
3a 03 fb 05 c2 82 4e 5d  99 88 83 07 87 06 63 5e  |:.....N]......c^|
9d 9a fc ea ac a3 c5 0c  8a 8f 03 36 a4 80 e9 a4  |...........6....|
96 71 f0 e3 fb 7a 7c 37  46 c3 b4 21 3c 0b 3f b9  |.q...z|7F..!<.?.|
d9 89 47 84 bd 19 f4 59  31 ed d7 6f d0 32 12 7f  |..G....Y1..o.2..|
b7 c3 d4 c0 49 fd 56 e7  24 9d 50 99 ee d8 01 e6  |....I.V.$.P.....|
58 c8 d5 40 8c 2e a1 19  93 f6 f4 7c c2 0b 96 1a  |X..@.......|....|
c9 d5 7d 48 bb 7f 7c e7  75 ca c4 a0 09 2f d0 1b  |..}H..|.u..../..|
76 44 c5 6f 41 fe 79 48  0f 8e 18 0e 95 e6 01 a5  |vD.oA.yH........|
f3 e3 e7 a9 87 a3 7a 2b  64 dd b6 86 a6 59 a3 f1  |......z+d....Y..|
5c 51 c8 e9 7b 8b d7 d5  83 f3 7d 4a 09 53 58 7f  |\Q..{.....}J.SX.|
1f bc 99 b5 2f ae 85 8e  6e f1 ed d9 7b 3d 48 cd  |..../...n...{=H.|
a2 af 74 10 d8 50 fb ae  ba 39 2d d7 4e 08 9b 8e  |..t..P...9-.N...|
6a e4 0f 3b 74 a7 18 a9  a9 2a b7 a9 dd e2 94 88  |j..;t....*......|
fc 15 54 6d 3f ca 07 10  36 7b d5 43 d5 6c 44 a0  |..Tm?...6{.C.lD.|

show previews

offset	size	type	comment
0	37888	EXE	05/09/2014 13:34:06	#
15c1	15	HTM		#
9400	259936	BIN	overlay data past EOF	#

offset:( 0x )size:( 0x )hotkeys:-=[]<>, offset/size fields are also editable

Please donate some bucks to keep this site up and running:
Ko-fi
Yandex.Money
Thank you!

everything is OK

inst.exe- Win.Trojan.Demp-114