filename | BH_DUALPEHEADER.exe
---|---
size | 4608 (0x1200)
md5 | 9288eb0d4813069de20194f2cc9eac97
type | PE32 executable (GUI) Intel 80386, for MS Windows
mimetype | application/x-dosexec
clamav | OK
virustotal | scan with virustotal.com
histogram | (image not preserved)
MZ Header

field | value
---|---
signature | MZ
bytes_in_last_block | 0x90
blocks_in_file | 3
num_relocs | 0
header_paragraphs | 4
min_extra_paragraphs | 0
max_extra_paragraphs | 0xffff
ss | 0
sp | 0xb8
checksum | 0
ip | 0
cs | 0
reloc_table_offset | 0x40
overlay_number | 0
reserved0 | 0
oem_id | 0
oem_info | 0
reserved2 | 0
reserved3 | 0
reserved4 | 0
reserved5 | 0
reserved6 | 0
lfanew | 0xf80
DOS stub
PE Header
Sections
name | va | vsize | raw size | flags
---|---|---|---|---
.test | 0x1000 | 0x44 | 0 | R-X CODE
.rdata | 0x2000 | 0xda | 0x200 | R-- IDATA
.data | 0x3000 | 0x28 | 0x200 | RW- IDATA
Data Directory
type | va | size
---|---|---
EXPORT | 0 | 0
IMPORT | 0x2018 | 0x50
RESOURCE | 0 | 0
EXCEPTION | 0 | 0
SECURITY | 0 | 0
BASERELOC | 0 | 0
DEBUG | 0 | 0
ARCHITECTURE | 0 | 0
GLOBALPTR | 0 | 0
TLS | 0 | 0
LOAD_CONFIG | 0 | 0
Bound_IAT | 0 | 0
IAT | 0x2000 | 0x18
Delay_IAT | 0 | 0
CLR_Header | 0 | 0
Imports

module_name | hint | ord | function_name
---|---|---|---
kernel32.dll | 129 | | ExitProcess
urlmon.dll | 49 | | URLDownloadToFileA
shell32.dll | 103 | | ShellExecuteA
offset | size | type | comment
---|---|---|---
15c1 | 15 | HTM | #
Scanning the drive for archives: 1 file, 4608 bytes (5 KiB) Errors: 1
[!] section with va=0x1000 overwrites PE header! trying to rebuild...
[!] non-zero dos stub after rich_hdr: "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00..."
[?] can't find file_offset of VA 0x10f0
[?] can't find EntryPoint RVA (0x10f0) file offset