xxx_video_48529.avi.exe - Win.Trojan.Delf-25532

info
MZ
PE
resources
strings
imports
foremost
hexdump
disasm
log
discuss
donate

filename	xxx_video_48529.avi.exe
size	52224 (0xcc00)
md5	314373072c134689912cdef38e7dd120

type	PE32 executable (GUI) Intel 80386, for MS Windows
mimetype	application/x-dosexec

clamav	Win.Trojan.Delf-25532 FOUND
virustotal	→ scan with virustotal.com

histogram

MZ Header

signature	MZ
bytes_in_last_block	0x50
blocks_in_file	2
num_relocs	0
header_paragraphs	4
min_extra_paragraphs	0xf
max_extra_paragraphs	0xffff
ss	0
sp	0xb8
checksum	0
ip	0
cs	0
reloc_table_offset	0x40
overlay_number	0x1a
reserved0	0
oem_id	0
oem_info	0
reserved2	0
reserved3	0
reserved4	0
reserved5	0
reserved6	0
lfanew	0x100

DOS stub

00000000: ba 10 00 0e 1f b4 09 cd  21 b8 01 4c cd 21 90 90  |........!..L.!..|
00000010: 54 68 69 73 20 70 72 6f  67 72 61 6d 20 6d 75 73  |This program mus|
00000020: 74 20 62 65 20 72 75 6e  20 75 6e 64 65 72 20 57  |t be run under W|
00000030: 69 6e 33 32 0d 0a 24 37  00 00 00 00 00 00 00 00  |in32..$7........|
00000040: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
000000c0:

PE Header

Signature	PE
Machine	0x14c
NumberOfSections	0xa
TimeDateStamp	0x2a425e19
PointerToSymbolTable	0
NumberOfSymbols	0
SizeOfOptionalHeader	0xe0
Characteristics	0x818e
Magic	0x10b
LinkerVersion	2.25
SizeOfCode	0x11c00
SizeOfInitializedData	0x5e00
SizeOfUninitializedData	0
AddressOfEntryPoint	0x1e001
BaseOfCode	0x1000
BaseOfData	0x13000
ImageBase	0x400000
SectionAlignment	0x1000
FileAlignment	0x200
OperatingSystemVersion	4.0
ImageVersion	0.0
SubsystemVersion	4.0
Reserved1	0
SizeOfImage	0x22000
SizeOfHeaders	0x400
CheckSum	0x1c877
Subsystem	2
DllCharacteristics	0
SizeOfStackReserve	0x100000
SizeOfStackCommit	0x4000
SizeOfHeapReserve	0x100000
SizeOfHeapCommit	0x1000
LoaderFlags	0
NumberOfRvaAndSizes	0x10

Packer / Compiler

ASPack v2.12

This file is packed with ASPack. Analysis will be incomplete without unpacking.
We can unpack it for you.

»» Analyze unpacked file

Sections

name	va	vsize	raw size	flags
CODE	0x1000	0x12000	0x8400	RWX IDATA
DATA	0x13000	0x1000	0x400	RWX IDATA
BSS	0x14000	0x1000	0	RW-
.idata	0x15000	0x1000	0x400	RWX IDATA
.tls	0x16000	0x1000	0	RW-
.rdata	0x17000	0x1000	0x200	R-- IDATA SHARED
.reloc	0x18000	0x2000	0	RWX IDATA
.rsrc	0x1a000	0x4000	0x1800	RWX IDATA
.aspack	0x1e000	0x3000	0x2200	RWX IDATA
.adata	0x21000	0x1000	0	RWX IDATA

Data Directory

type	va	size
EXPORT	0	0
IMPORT	0x1ef68	0x1bc
RESOURCE	0x1a000	0x3174
EXCEPTION	0	0
SECURITY	0	0
BASERELOC	0x1ef10	8
DEBUG	0	0
ARCHITECTURE	0	0
GLOBALPTR	0	0
TLS	0x1eef8	0x18
LOAD_CONFIG	0	0
Bound_IAT	0	0
IAT	0	0
Delay_IAT	0	0
CLR_Header	0	0
	0	0x100000

TLS

raw start	raw end	index	callbks	zero fill	flags
0x416000	0x416008	0x413098	0x417010	0	0

show previews

type	name	size	cp
ICON	#1	4264	1252
STRING	#4091	488	1252
STRING	#4092	220	1252
STRING	#4093	320	1252
STRING	#4094	948	1252
STRING	#4095	892	1252
STRING	#4096	672	1252
RCDATA	GGGG	4280	1252
GROUP_ICON	#1	20	1252

lang

string

65440

c6 71 91 f9 b8 21 b9 a9  80 4a cc ae b3 89 a6 59  |.q...!...J.....Y|
63 07 30 b2 f3 12 f9 e1  57 e6 5d 3a 7c e0 81 97  |c.0.....W.]:|...|
4a 78 6c 94 c6 79 2d 56  5e e8 b0 19 89 7a f7 8e  |Jxl..y-V^....z..|
15 1b 27 cc 54 27 4b 9b  4f 2d 2f 32 04 e3 27 e5  |..'.T'K.O-/2..'.|
a6 13 32 31 6c e7 36 34  e8 16 e7 06 94 08 55 31  |..21l.64......U1|
a4 dc a8 c8 20 c1 06 34  de 69 2b 24 e5 42 88 79  |.... ..4.i+$.B.y|
8e 71 2a 79 91 a7 00 be  b2 63 21 5c d4 4a 2a 9e  |.q*y.....c!\.J*.|
3c 96 a2 79 2a ed 8f 97  9c 95 50 b0 6e 6b 30 60  |<..y*.....P.nk0`|
a8 72 e4 a6 1b 30 99 71  96 63 ec dc bf 38 36 2b  |.r...0.q.c...86+|
2b e1 b7 31 39 36 9f 33  99 9e b3 c6 96 95 cc f3  |+..196.3........|
79 69 70 62 a0 97 ed b0  b5 ce f0 23 65 e8 b3 8e  |yipb.......#e...|
29 40 93 87 9c e5 a8 aa  32 69 b9 59 69 fa 8e 6a  |)@......2i.Yi..j|
e5 32 22 c9 9c d0 da 8a  b9 5e 50 19 94 fc a8 d3  |.2"......^P.....|
52 f3 53 9a 69 59 99 e1  8d 2a ab 19 54 52 c2 d2  |R.S.iY...*..TR..|
92 b1 74 d5 e2 5b 06 ae  03 27 93 ce ca cc 73 79  |..t..[...'....sy|
80 32 be 04 fc 28 dc bb  1f b3 93 67 06 3a 34 1c  |.2...(.....g.:4.|
30 22 20 e1 20 cf c3 9f  c7 34 21 88 15 52 5b b9  |0" . ....4!..R[.|
85 53 59 a9 9a e4 b5 58  b6 83 c3 3b 5f 38 d1 b3  |.SY....X...;_8..|
48 b3 b2 f3 93 d2 8c ae  50 4a 86 27 cc b2 19 a0  |H.......PJ.'....|
15 8d b7 63 94 56 e5 18  f5 c6 e6 da 21 0e 8d 50  |...c.V......!..P|
5a 80 89 29 3d 2c 99 45  b6 3b af 4a 0b be 76 57  |Z..)=,.E.;.J..vW|
31 d2 f5 f0 4a 04 99 18  d2 5c d4 b4 ac e4 a0 fa  |1...J....\......|
62 bc b2 d9 59 b9 a4 f2  63 f3 79 99 e7 ae 57 4c  |b...Y...c.y...WL|
aa 5a 0a 8a e2 c5 2d 92  8a e5 13 cb 00 a2 79 c4  |.Z....-.......y.|
f3 6e 29 f2 c9 f8 f2 31  25 a8 08 4c be 2e 26 4c  |.n)....1%..L..&L|
db d8 b9 35 98 55 2f f9  a4 db 82 6c c9 e1 a4 49  |...5.U/....l...I|
e7 12 99 b6 72 c9 f9 69  e9 cf 77 44 1a b1 12 ca  |....r..i..wD....|
e5 f5 4a cb b3 bd aa bd  5f 55 a5 55 44 49 a5 69  |..J....._U.UDI.i|
8f ab 9b 97 0d 13 36 6a  70 6c c0 d9 ac c8 92 f9  |......6jpl......|
db 1e 53 55 5a cb 39 34  dc bc bc 9b 45 f6 da 78  |..SUZ.94....E..x|
c2 c0 29 d9 fe 32 bb 4f                           |..)..2.O        |

65456

9b 69 81 7f cd fc f9 2d  38 3f e7 d2 92 cb c4 cd  |.i.....-8?......|
55 02 8c fe aa 0e af e0  51 c1 ad 6d 51 34 dd 36  |U.......Q..mQ4.6|
0f 70 b7 dc a5 a9 e3 14  3f f2 14 a0 a8 ea f6 21  |.p......?......!|
a0 92 ce a3 0f ac 68 04  30 fa c4 16 6a 02 04 80  |......h.0...j...|
1b 47 34 af 9d 0a fc 5b  92 0f 06 4a 50 e1 ec af  |.G4....[...JP...|
b2 81 a7 e5 03 1b 66 70  92 c1 24 36 4c 5c 96 72  |......fp..$6L\.r|
38 3f 9a 5e f3 e1 13 dc  84 78 e2 23 d1 91 4c 0b  |8?.^.....x.#..L.|
58 c8 dd 1d 97 98 15 4a  9b 34 d6 55 aa a9 b4 0a  |X......J.4.U....|
3d 9a e0 cc d0 94 60 13  0d ef 35 60 34 57 db 91  |=.....`...5`4W..|
ce 56 54 83 37 5b 34 db  a5 5a 53 59 ae 3e 06 e8  |.VT.7[4..ZSY.>..|
3b 5e 65 60 04 35 01 3e  a0 ac 9f 43 ac 29 15 a0  |;^e`.5.>...C.)..|
f5 17 e2 41 ac a7 9f 02  b9 d5 60 a5 01 30 06 4b  |...A......`..0.K|
01 65 fa a6 14 92 4b eb  16 8e 4d f7 36 6b a6 80  |.e....K...M.6k..|
c3 6a 47 a3 33 d3 fb 3a  09 a6 ea 4f              |.jG.3..:...O    |

65472

cd 1e cd 54 52 35 d9 6f  22 e9 78 09 a5 74 97 24  |...TR5.o".x..t.$|
60 a7 12 92 da b8 11 15  ad 60 8b 6b ce 59 ec 5f  |`........`.k.Y._|
1e 93 26 40 12 d6 45 56  19 51 49 4a 4a d9 8c 31  |..&@..EV.QIJJ..1|
65 86 41 40 ea 60 0f 8e  cf 98 2c 1b b7 49 4f 4b  |e.A@.`....,..IOK|
53 4c cf 77 3d 55 e4 c4  f5 33 6b 00 c6 9a 96 25  |SL.w=U...3k....%|
03 8f 04 5e 98 14 d2 7a  c0 fe 79 3f 4a b6 c8 89  |...^...z..y?J...|
4a 80 5f eb bf 3e fe fd  70 db c0 53 65 07 f7 dc  |J._..>..p..Se...|
36 1b 89 c4 f1 07 4e ff  17 da 7e 61 4f dd 3f b0  |6.....N...~aO.?.|
2e 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*

module_name	hint	ord	function_name
kernel32.dll			GetProcAddress
kernel32.dll			GetModuleHandleA
kernel32.dll			LoadLibraryA
user32.dll			GetKeyboardType
advapi32.dll			RegQueryValueExA
oleaut32.dll			SysFreeString
user32.dll			MessageBoxA
oleaut32.dll			SafeArrayPtrOfIndex
ole32.dll			CoUninitialize
oleaut32.dll			GetErrorInfo

show previews

offset	size	type	comment
0	52224	EXE	06/19/1992 22:22:17	#
15c1	15	HTM		#

offset:( 0x )size:( 0x )hotkeys:-=[]<>, offset/size fields are also editable

Please donate some bucks to keep this site up and running:
Ko-fi
Yandex.Money
Thank you!

[?] can't find file_offset of VA 0x1ba8c

[?] can't find file_offset of VA 0x1be08

[!] string size(58252) > stringtable size(488). truncated to 486

[!] cannot convert "\x91\xF9\xB8!\xB9\xA9\x80J\xCC\xAE\xB3\x89\xA6Yc\a"... to UTF-16

[!] string size(54070) > stringtable size(220). truncated to 218

[!] cannot convert "\x81\x7F\xCD\xFC\xF9-8?\xE7\xD2\x92\xCB\xC4\xCDU\x02"... to UTF-16

[!] string size(15770) > stringtable size(320). truncated to 318

[!] cannot convert "\xCDTR5\xD9o\"\xE9x\t\xA5t\x97$`\xA7"... to UTF-16

[?] can't find file_offset of VA 0x1c0a8

[?] can't find file_offset of VA 0x0

xxx_video_48529.avi.exe- Win.Trojan.Delf-25532