filename | malware.exe
---|---
size | 498176 (0x79a00)
md5 | a72363c86403f081d45748971afbb22f
type | MS-DOS executable PE32 executable (GUI) Intel 80386, for MS Windows, MZ for MS-DOS
mimetype | application/x-dosexec
clamav | Trojan.Zbot-2743 FOUND
virustotal | → scan with virustotal.com
histogram | (byte histogram image not reproduced)
MZ Header

field | value
---|---
signature | MZ
bytes_in_last_block | 0x91
blocks_in_file | 4
num_relocs | 0
header_paragraphs | 0
min_extra_paragraphs | 0
max_extra_paragraphs | 0
ss | 0
sp | 0xb9
checksum | 0
ip | 0
cs | 0
reloc_table_offset | 0
overlay_number | 0
reserved0 | 0
oem_id | 0
oem_info | 0
reserved2 | 0
reserved3 | 0
reserved4 | 0
reserved5 | 0
reserved6 | 0
lfanew | 0xfc
DOS stub

```
00000000: 4d 5a 91 00 04 00 00 00 00 00 00 00 00 00 00 00 |MZ..............|
00000010: b9 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000030: 00 00 00 00 00 00 00 00 00 00 00 00 fc 00 00 00 |................|
00000040: 1a 18 12 13 7f 73 7b 80 12 12 12 12 92 00 48 12 |.....s{.......H.|
00000050: d2 39 1b 12 d2 e6 13 12 d2 e6 13 12 d2 39 1b 12 |.9...........9..|
00000060: d2 e6 13 12 39 12 31 12 52 12 12 12 70 8f 78 8f |....9.1.R...p.x.|
00000070: 3a 52 2b 9e 6f a2 22 a1 5f 9a 51 a9 4b aa 51 a1 |:R+.o."._.Q.K.Q.|
00000080: 53 71 4b b9 3f 7a 37 b7 31 c7 46 86 2b c1 2b 8d |SqK.?z7.1.F.+.+.|
00000090: 22 cc 2a 70 8f 78 8f 3a 52 2b 9e 6f a2 22 a2 58 |".*p.x.:R+.o.".X|
000000a0: a2 63 a4 61 a4 54 6d 43 b2 49 76 4b b4 41 bf 3c |.c.a.TmC.IvK.A.<|
000000b0: b8 fb e8 0b a2 dd 2c 3f 06 b1 b0 b3 aa c5 74 67 |......,?......tg|
000000c0: 8e 19 78 5b b2 ad bc 8f 16 81 40 03 ba 95 04 b7 |..x[......@.....|
000000d0: 9e e9 08 ab c2 7d 4c df 26 51 d0 53 ca 65 94 07 |.....}L.&Q.S.e..|
000000e0: ae b9 98 fb d2 4d dc 2f 36 21 60 a3 da 35 24 57 |.....M./6!`..5$W|
000000f0: be 89 28 4b e2 1d 6c 7f 46 f1 f0 f3             |..(K..l.F...    |
```
PE Header

Sections

name | va | vsize | raw size | flags
---|---|---|---|---
.olglil | 0x1000 | 0xe38d | 0x9200 | R-- IDATA
.vkdaf | 0x10000 | 0x1360 | 0x800 | RWX CODE
.jub | 0x12000 | 0x12000 | 0x1600 | R-- IDATA
.rsrc | 0x24000 | 0x1000 | 0x400 | R-- IDATA
Data Directory

type | va | size
---|---|---
EXPORT | 0 | 0
IMPORT | 0x131db | 0x262
RESOURCE | 0 | 0
EXCEPTION | 0 | 0
SECURITY | 0 | 0
BASERELOC | 0 | 0
DEBUG | 0 | 0
ARCHITECTURE | 0 | 0
GLOBALPTR | 0 | 0
TLS | 0 | 0
LOAD_CONFIG | 0 | 0
Bound_IAT | 0 | 0
IAT | 0 | 0
Delay_IAT | 0 | 0
CLR_Header | 0 | 0
Imports

module_name | hint | ord | function_name
---|---|---|---
advapi32.dll | | | CryptGetHashParam
advapi32.dll | | | DuplicateTokenEx
advapi32.dll | | | RegCloseKey
advapi32.dll | | | RegDeleteValueA
advapi32.dll | | | RegQueryValueExA
advapi32.dll | | | CryptReleaseContext
advapi32.dll | | | CryptCreateHash
advapi32.dll | | | CryptHashData
shlwapi.dll | | | SHDeleteKeyA
shlwapi.dll | | | PathCombineW
shlwapi.dll | | | wnsprintfA
shlwapi.dll | | | PathRemoveFileSpecW
shlwapi.dll | | | PathFileExistsW
shlwapi.dll | | | StrCmpNIW
shlwapi.dll | | | wvnsprintfA
shlwapi.dll | | | wvnsprintfW
shlwapi.dll | | | PathFindFileNameW
shlwapi.dll | | | StrCmpNIA
shlwapi.dll | | | wnsprintfW
shlwapi.dll | | | PathMatchSpecW
Archive scan output:

```
Scanning the drive for archives: 1 file, 498176 bytes (487 KiB)
Errors: 1
everything is OK
```