| field | value |
|---|---|
| filename | malware.exe |
| size | 498176 (0x79a00) |
| md5 | a72363c86403f081d45748971afbb22f |
| type | MS-DOS executable PE32 executable (GUI) Intel 80386, for MS Windows, MZ for MS-DOS |
| mimetype | application/x-dosexec |
| clamav | Trojan.Zbot-2743 FOUND |
| virustotal | → scan with virustotal.com |
MZ Header
| field | value |
|---|---|
| signature | MZ |
| bytes_in_last_block | 0x91 |
| blocks_in_file | 4 |
| num_relocs | 0 |
| header_paragraphs | 0 |
| min_extra_paragraphs | 0 |
| max_extra_paragraphs | 0 |
| ss | 0 |
| sp | 0xb9 |
| checksum | 0 |
| ip | 0 |
| cs | 0 |
| reloc_table_offset | 0 |
| overlay_number | 0 |
| reserved0 | 0 |
| oem_id | 0 |
| oem_info | 0 |
| reserved2 | 0 |
| reserved3 | 0 |
| reserved4 | 0 |
| reserved5 | 0 |
| reserved6 | 0 |
| lfanew | 0xfc |
DOS stub
00000000: 4d 5a 91 00 04 00 00 00 00 00 00 00 00 00 00 00 |MZ..............|
00000010: b9 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000030: 00 00 00 00 00 00 00 00 00 00 00 00 fc 00 00 00 |................|
00000040: 1a 18 12 13 7f 73 7b 80 12 12 12 12 92 00 48 12 |.....s{.......H.|
00000050: d2 39 1b 12 d2 e6 13 12 d2 e6 13 12 d2 39 1b 12 |.9...........9..|
00000060: d2 e6 13 12 39 12 31 12 52 12 12 12 70 8f 78 8f |....9.1.R...p.x.|
00000070: 3a 52 2b 9e 6f a2 22 a1 5f 9a 51 a9 4b aa 51 a1 |:R+.o."._.Q.K.Q.|
00000080: 53 71 4b b9 3f 7a 37 b7 31 c7 46 86 2b c1 2b 8d |SqK.?z7.1.F.+.+.|
00000090: 22 cc 2a 70 8f 78 8f 3a 52 2b 9e 6f a2 22 a2 58 |".*p.x.:R+.o.".X|
000000a0: a2 63 a4 61 a4 54 6d 43 b2 49 76 4b b4 41 bf 3c |.c.a.TmC.IvK.A.<|
000000b0: b8 fb e8 0b a2 dd 2c 3f 06 b1 b0 b3 aa c5 74 67 |......,?......tg|
000000c0: 8e 19 78 5b b2 ad bc 8f 16 81 40 03 ba 95 04 b7 |..x[......@.....|
000000d0: 9e e9 08 ab c2 7d 4c df 26 51 d0 53 ca 65 94 07 |.....}L.&Q.S.e..|
000000e0: ae b9 98 fb d2 4d dc 2f 36 21 60 a3 da 35 24 57 |.....M./6!`..5$W|
000000f0: be 89 28 4b e2 1d 6c 7f 46 f1 f0 f3 |..(K..l.F... |
PE Header
Sections
| name | va | vsize | raw size | flags |
|---|---|---|---|---|
| .olglil | 0x1000 | 0xe38d | 0x9200 | R-- IDATA |
| .vkdaf | 0x10000 | 0x1360 | 0x800 | RWX CODE |
| .jub | 0x12000 | 0x12000 | 0x1600 | R-- IDATA |
| .rsrc | 0x24000 | 0x1000 | 0x400 | R-- IDATA |
Data Directory
| type | va | size |
|---|---|---|
| EXPORT | 0 | 0 |
| IMPORT | 0x131db | 0x262 |
| RESOURCE | 0 | 0 |
| EXCEPTION | 0 | 0 |
| SECURITY | 0 | 0 |
| BASERELOC | 0 | 0 |
| DEBUG | 0 | 0 |
| ARCHITECTURE | 0 | 0 |
| GLOBALPTR | 0 | 0 |
| TLS | 0 | 0 |
| LOAD_CONFIG | 0 | 0 |
| Bound_IAT | 0 | 0 |
| IAT | 0 | 0 |
| Delay_IAT | 0 | 0 |
| CLR_Header | 0 | 0 |
Imports
| module_name | hint | ord | function_name |
|---|---|---|---|
| advapi32.dll | | | CryptGetHashParam |
| advapi32.dll | | | DuplicateTokenEx |
| advapi32.dll | | | RegCloseKey |
| advapi32.dll | | | RegDeleteValueA |
| advapi32.dll | | | RegQueryValueExA |
| advapi32.dll | | | CryptReleaseContext |
| advapi32.dll | | | CryptCreateHash |
| advapi32.dll | | | CryptHashData |
| shlwapi.dll | | | SHDeleteKeyA |
| shlwapi.dll | | | PathCombineW |
| shlwapi.dll | | | wnsprintfA |
| shlwapi.dll | | | PathRemoveFileSpecW |
| shlwapi.dll | | | PathFileExistsW |
| shlwapi.dll | | | StrCmpNIW |
| shlwapi.dll | | | wvnsprintfA |
| shlwapi.dll | | | wvnsprintfW |
| shlwapi.dll | | | PathFindFileNameW |
| shlwapi.dll | | | StrCmpNIA |
| shlwapi.dll | | | wnsprintfW |
| shlwapi.dll | | | PathMatchSpecW |
Scanning the drive for archives: 1 file, 498176 bytes (487 KiB) Errors: 1
everything is OK