BH_DUALPEHEADER.exe

info
MZ
PE
imports
foremost
7zip
hexdump
disasm
log
discuss
donate

filename	BH_DUALPEHEADER.exe
size	4608 (0x1200)
md5	9288eb0d4813069de20194f2cc9eac97

type	PE32 executable (GUI) Intel 80386, for MS Windows
mimetype	application/x-dosexec

clamav	OK
virustotal	→ scan with virustotal.com

histogram

MZ Header

signature	MZ
bytes_in_last_block	0x90
blocks_in_file	3
num_relocs	0
header_paragraphs	4
min_extra_paragraphs	0
max_extra_paragraphs	0xffff
ss	0
sp	0xb8
checksum	0
ip	0
cs	0
reloc_table_offset	0x40
overlay_number	0
reserved0	0
oem_id	0
oem_info	0
reserved2	0
reserved3	0
reserved4	0
reserved5	0
reserved6	0
lfanew	0xf80

DOS stub

00000000: 0e 1f ba 0e 00 b4 09 cd  21 b8 01 4c cd 21 54 68  |........!..L.!Th|
00000010: 69 73 20 70 72 6f 67 72  61 6d 20 63 61 6e 6e 6f  |is program canno|
00000020: 74 20 62 65 20 72 75 6e  20 69 6e 20 44 4f 53 20  |t be run in DOS |
00000030: 6d 6f 64 65 2e 0d 0d 0a  24 00 00 00 00 00 00 00  |mode....$.......|
00000040: 5d cf 9f 87 19 ae f1 d4  19 ae f1 d4 19 ae f1 d4  |]...............|
00000050: 97 b1 e2 d4 13 ae f1 d4  e5 8e e3 d4 18 ae f1 d4  |................|
00000060: 52 69 63 68 19 ae f1 d4  00 00 00 00 00 00 00 00  |Rich............|
00000070: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00000370: 00 40 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |.@..............|
00000380: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
000003c0: 18 20 00 00 50 00 00 00  00 00 00 00 00 00 00 00  |. ..P...........|
000003d0: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00000410: 00 00 00 00 00 00 00 00  00 20 00 00 18 00 00 00  |......... ......|
00000420: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000430: 00 00 00 00 00 00 00 00  2e 74 65 73 74 00 00 00  |.........test...|
00000440: 44 00 00 00 00 10 00 00  00 00 00 00 00 00 00 00  |D...............|
00000450: 00 00 00 00 00 00 00 00  00 00 00 00 20 00 00 60  |............ ..`|
00000460: 2e 72 64 61 74 61 00 00  da 00 00 00 00 20 00 00  |.rdata....... ..|
00000470: 00 02 00 00 00 06 00 00  00 00 00 00 00 00 00 00  |................|
00000480: 00 00 00 00 40 00 00 40  2e 64 61 74 61 00 00 00  |....@..@.data...|
00000490: 28 00 00 00 00 30 00 00  00 02 00 00 00 08 00 00  |(....0..........|
000004a0: 00 00 00 00 00 00 00 00  00 00 00 00 40 00 00 c0  |............@...|
000004b0: 6a 00 6a 00 68 1f 30 40  00 68 00 30 40 00 6a 00  |j.j.h.0@.h.0@.j.|
000004c0: e8 23 00 00 00 6a 05 6a  00 6a 00 68 1f 30 40 00  |.#...j.j.j.h.0@.|
000004d0: 68 1a 30 40 00 6a 00 e8  12 00 00 00 50 e8 00 00  |h.0@.j......P...|
000004e0: 00 00 ff 25 00 20 40 00  ff 25 10 20 40 00 ff 25  |...%. @..%. @..%|
000004f0: 08 20 40 00 00 00 00 00  00 00 00 00 00 00 00 00  |. @.............|
00000500: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
000005c0: 80 20 00 00 00 00 00 00  be 20 00 00 00 00 00 00  |. ....... ......|
000005d0: 9c 20 00 00 00 00 00 00  68 20 00 00 00 00 00 00  |. ......h ......|
000005e0: 00 00 00 00 8e 20 00 00  00 20 00 00 78 20 00 00  |..... ... ..x ..|
000005f0: 00 00 00 00 00 00 00 00  b2 20 00 00 10 20 00 00  |......... ... ..|
00000600: 70 20 00 00 00 00 00 00  00 00 00 00 ce 20 00 00  |p ........... ..|
00000610: 08 20 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |. ..............|
00000620: 00 00 00 00 00 00 00 00  80 20 00 00 00 00 00 00  |......... ......|
00000630: be 20 00 00 00 00 00 00  9c 20 00 00 00 00 00 00  |. ....... ......|
00000640: 81 00 45 78 69 74 50 72  6f 63 65 73 73 00 6b 65  |..ExitProcess.ke|
00000650: 72 6e 65 6c 33 32 2e 64  6c 6c 00 00 31 00 55 52  |rnel32.dll..1.UR|
00000660: 4c 44 6f 77 6e 6c 6f 61  64 54 6f 46 69 6c 65 41  |LDownloadToFileA|
00000670: 00 00 75 72 6c 6d 6f 6e  2e 64 6c 6c 00 00 67 00  |..urlmon.dll..g.|
00000680: 53 68 65 6c 6c 45 78 65  63 75 74 65 41 00 73 68  |ShellExecuteA.sh|
00000690: 65 6c 6c 33 32 2e 64 6c  6c 00 00 00 00 00 00 00  |ell32.dll.......|
000006a0: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
000006c0: 80 20 00 00 00 00 00 00  be 20 00 00 00 00 00 00  |. ....... ......|
000006d0: 9c 20 00 00 00 00 00 00  68 21 00 00 00 00 00 00  |. ......h!......|
000006e0: 00 00 00 00 8e 21 00 00  00 21 00 00 00 00 00 00  |.....!...!......|
000006f0: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000700: 00 00 00 00 00 00 00 00  00 00 00 00 ce 21 00 00  |.............!..|
00000710: 08 21 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |.!..............|
00000720: 00 00 00 00 00 00 00 00  80 21 00 00 00 00 00 00  |.........!......|
00000730: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000740: 81 00 45 78 69 74 50 72  6f 63 65 73 73 00 6b 65  |..ExitProcess.ke|
00000750: 72 6e 65 6c 33 32 2e 64  6c 6c 00 00 00 00 00 00  |rnel32.dll......|
00000760: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
000007c0: 68 74 74 70 3a 2f 2f 6c  6f 63 61 6c 68 6f 73 74  |http://localhost|
000007d0: 2f 74 65 73 74 2e 7a 69  70 00 6f 70 65 6e 00 74  |/test.zip.open.t|
000007e0: 65 73 74 2e 7a 69 70 00  00 00 00 00 00 00 00 00  |est.zip.........|
000007f0: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00000f40:

PE Header

Signature	PE
Machine	0x14c
NumberOfSections	3
TimeDateStamp	0x4d0a1d66
PointerToSymbolTable	0
NumberOfSymbols	0
SizeOfOptionalHeader	0xe0
Characteristics	0x10f
Magic	0x10b
LinkerVersion	5.12
SizeOfCode	0x200
SizeOfInitializedData	0x400
SizeOfUninitializedData	0
AddressOfEntryPoint	0x10f0
BaseOfCode	0x1000
BaseOfData	0x2000
ImageBase	0x400000
SectionAlignment	0x1000
FileAlignment	0x200
OperatingSystemVersion	4.0
ImageVersion	0.0
SubsystemVersion	4.0
Reserved1	0
SizeOfImage	0x4000
SizeOfHeaders	0x1000
CheckSum	0
Subsystem	2
DllCharacteristics	0
SizeOfStackReserve	0x100000
SizeOfStackCommit	0x1000
SizeOfHeapReserve	0x100000
SizeOfHeapCommit	0x1000
LoaderFlags	0
NumberOfRvaAndSizes	0x10

Sections

name	va	vsize	raw size	flags
.test	0x1000	0x44	0	R-X CODE
.rdata	0x2000	0xda	0x200	R-- IDATA
.data	0x3000	0x28	0x200	RW- IDATA

Data Directory

type	va	size
EXPORT	0	0
IMPORT	0x2018	0x50
RESOURCE	0	0
EXCEPTION	0	0
SECURITY	0	0
BASERELOC	0	0
DEBUG	0	0
ARCHITECTURE	0	0
GLOBALPTR	0	0
TLS	0	0
LOAD_CONFIG	0	0
Bound_IAT	0	0
IAT	0x2000	0x18
Delay_IAT	0	0
CLR_Header	0	0

module_name	hint	function_name
kernel32.dll	129	ExitProcess
urlmon.dll	49	URLDownloadToFileA
shell32.dll	103	ShellExecuteA

show previews

offset	size	type	comment
15c1	15	HTM		#

Scanning the drive for archives:
1 file, 4608 bytes (5 KiB)



Errors: 1

offset:( 0x )size:( 0x )hotkeys:-=[]<>, offset/size fields are also editable

Please donate some bucks to keep this site up and running:
Ko-fi
Yandex.Money
Thank you!

[!] section with va=0x1000 overwrites PE header! trying to rebuild...

[!] non-zero dos stub after rich_hdr: "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00..."

[?] can't find file_offset of VA 0x10f0

[?] can't find EntryPoint RVA (0x10f0) file offset

[?] can't find file_offset of VA 0x10f0

[?] can't find EntryPoint RVA (0x10f0) file offset

[?] can't find file_offset of VA 0x10f0

[?] can't find EntryPoint RVA (0x10f0) file offset