filename | ddbd1ecfd473ef77ef63b2e94b1c8e44.bender.exe | |
---|---|---|
size | 409042 (0x63dd2) | |
md5 | ddbd1ecfd473ef77ef63b2e94b1c8e44 | |
type | PE32 executable (DLL) (console) Intel 80386, for MS Windows | |
mimetype | application/x-dosexec | |
clamav | Win.Trojan.Agent-474378 FOUND | |
virustotal | → scan with virustotal.com | |
histogram |
MZ Header
signature | MZ |
bytes_in_last_block | 0x90 |
blocks_in_file | 3 |
num_relocs | 0 |
header_paragraphs | 4 |
min_extra_paragraphs | 0 |
max_extra_paragraphs | 0xffff |
ss | 0 |
sp | 0xb8 |
checksum | 0 |
ip | 0 |
cs | 0 |
reloc_table_offset | 0x40 |
overlay_number | 0 |
reserved0 | 0 |
oem_id | 0 |
oem_info | 0 |
reserved2 | 0 |
reserved3 | 0 |
reserved4 | 0 |
reserved5 | 0 |
reserved6 | 0 |
lfanew | 0xf0 |
Rich Header
lib id | version | times used |
---|---|---|
150 | 20413 | 3 |
149 | 30729 | 25 |
132 | 30729 | 70 |
131 | 30729 | 170 |
123 | 50727 | 13 |
1 | 0 | 164 |
138 | 30729 | 49 |
146 | 30729 | 1 |
145 | 30729 | 1 |
DOS stub
00000000: 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 |........!..L.!Th| 00000010: 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f |is program canno| 00000020: 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 |t be run in DOS | 00000030: 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 |mode....$.......|
PE Header
Packer / Compiler
Sections
Data Directory
module_name | hint | ord | function_name |
---|---|---|---|
KERNEL32.dll | 628 | GetVersion | |
KERNEL32.dll | 292 | FindFirstFileW | |
KERNEL32.dll | 281 | FindClose | |
KERNEL32.dll | 195 | DeleteFileW | |
KERNEL32.dll | 1109 | VirtualAllocEx | |
KERNEL32.dll | 1174 | WriteProcessMemory | |
KERNEL32.dll | 486 | GetLastError | |
KERNEL32.dll | 909 | ResumeThread | |
KERNEL32.dll | 1124 | WaitForSingleObject | |
KERNEL32.dll | 505 | GetModuleHandleW | |
KERNEL32.dll | 504 | GetModuleHandleExW | |
KERNEL32.dll | 544 | GetProcAddress | |
KERNEL32.dll | 501 | GetModuleFileNameW | |
KERNEL32.dll | 172 | CreateToolhelp32Snapshot | |
KERNEL32.dll | 836 | Process32FirstW | |
KERNEL32.dll | 838 | Process32NextW | |
KERNEL32.dll | 101 | CopyFileW | |
KERNEL32.dll | 451 | GetEnvironmentVariableW | |
KERNEL32.dll | 601 | GetTempFileNameW | |
KERNEL32.dll | 327 | FormatMessageA | |
KERNEL32.dll | 765 | LocalFree | |
KERNEL32.dll | 67 | CloseHandle | |
KERNEL32.dll | 1131 | WaitNamedPipeW | |
KERNEL32.dll | 144 | CreateNamedPipeW | |
KERNEL32.dll | 86 | ConnectNamedPipe | |
KERNEL32.dll | 127 | CreateFileW | |
KERNEL32.dll | 872 | ReadFile | |
KERNEL32.dll | 1165 | WriteFile | |
KERNEL32.dll | 152 | CreateRemoteThread | |
KERNEL32.dll | 819 | OpenProcess | |
KERNEL32.dll | 332 | FreeLibrary | |
KERNEL32.dll | 756 | LoadLibraryW | |
KERNEL32.dll | 704 | InterlockedIncrement | |
KERNEL32.dll | 700 | InterlockedDecrement | |
KERNEL32.dll | 1146 | WideCharToMultiByte | |
KERNEL32.dll | 698 | InterlockedCompareExchange | |
KERNEL32.dll | 701 | InterlockedExchange | |
KERNEL32.dll | 794 | MultiByteToWideChar | |
KERNEL32.dll | 692 | InitializeCriticalSection | |
KERNEL32.dll | 190 | DeleteCriticalSection | |
KERNEL32.dll | 217 | EnterCriticalSection | |
KERNEL32.dll | 751 | LeaveCriticalSection | |
KERNEL32.dll | 973 | SetEndOfFile | |
KERNEL32.dll | 304 | FindNextFileW | |
KERNEL32.dll | 163 | CreateThread | |
KERNEL32.dll | 1004 | SetLastError | |
KERNEL32.dll | 502 | GetModuleHandleA | |
KERNEL32.dll | 19 | AreFileApisANSI | |
KERNEL32.dll | 1069 | TerminateProcess | |
KERNEL32.dll | 425 | GetCurrentProcess | |
KERNEL32.dll | 1086 | UnhandledExceptionFilter | |
KERNEL32.dll | 1045 | SetUnhandledExceptionFilter | |
KERNEL32.dll | 721 | IsDebuggerPresent | |
KERNEL32.dll | 429 | GetCurrentThreadId | |
KERNEL32.dll | 367 | GetCommandLineA | |
KERNEL32.dll | 673 | HeapFree | |
KERNEL32.dll | 591 | GetSystemTimeAsFileTime | |
KERNEL32.dll | 669 | HeapAlloc | |
KERNEL32.dll | 260 | ExitProcess | |
KERNEL32.dll | 858 | RaiseException | |
KERNEL32.dll | 914 | RtlUnwind | |
KERNEL32.dll | 576 | GetStringTypeW | |
KERNEL32.dll | 347 | GetCPInfo | |
KERNEL32.dll | 737 | LCMapStringA | |
KERNEL32.dll | 739 | LCMapStringW | |
KERNEL32.dll | 1076 | TlsGetValue | |
KERNEL32.dll | 1074 | TlsAlloc | |
KERNEL32.dll | 1077 | TlsSetValue | |
KERNEL32.dll | 1075 | TlsFree | |
KERNEL32.dll | 1000 | SetHandleCount | |
KERNEL32.dll | 571 | GetStdHandle | |
KERNEL32.dll | 471 | GetFileType | |
KERNEL32.dll | 569 | GetStartupInfoA | |
KERNEL32.dll | 500 | GetModuleFileNameA | |
KERNEL32.dll | 330 | FreeEnvironmentStringsA | |
KERNEL32.dll | 447 | GetEnvironmentStrings | |
KERNEL32.dll | 331 | FreeEnvironmentStringsW | |
KERNEL32.dll | 449 | GetEnvironmentStringsW | |
KERNEL32.dll | 671 | HeapCreate | |
KERNEL32.dll | 672 | HeapDestroy | |
KERNEL32.dll | 1111 | VirtualFree | |
KERNEL32.dll | 852 | QueryPerformanceCounter | |
KERNEL32.dll | 614 | GetTickCount | |
KERNEL32.dll | 426 | GetCurrentProcessId | |
KERNEL32.dll | 1108 | VirtualAlloc | |
KERNEL32.dll | 676 | HeapReAlloc | |
KERNEL32.dll | 387 | GetConsoleCP | |
KERNEL32.dll | 405 | GetConsoleMode | |
KERNEL32.dll | 991 | SetFilePointer | |
KERNEL32.dll | 321 | FlushFileBuffers | |
KERNEL32.dll | 338 | GetACP | |
KERNEL32.dll | 531 | GetOEMCP | |
KERNEL32.dll | 731 | IsValidCodePage | |
KERNEL32.dll | 753 | LoadLibraryA | |
KERNEL32.dll | 693 | InitializeCriticalSectionAndSpinCount | |
KERNEL32.dll | 678 | HeapSize | |
KERNEL32.dll | 616 | GetTimeFormatA | |
KERNEL32.dll | 430 | GetDateFormatA | |
KERNEL32.dll | 621 | GetUserDefaultLCID | |
KERNEL32.dll | 488 | GetLocaleInfoA | |
KERNEL32.dll | 248 | EnumSystemLocalesA | |
KERNEL32.dll | 733 | IsValidLocale | |
KERNEL32.dll | 573 | GetStringTypeA | |
KERNEL32.dll | 490 | GetLocaleInfoW | |
KERNEL32.dll | 1154 | WriteConsoleA | |
KERNEL32.dll | 409 | GetConsoleOutputCP | |
KERNEL32.dll | 1164 | WriteConsoleW | |
KERNEL32.dll | 1020 | SetStdHandle | |
KERNEL32.dll | 120 | CreateFileA | |
KERNEL32.dll | 619 | GetTimeZoneInformation | |
KERNEL32.dll | 547 | GetProcessHeap | |
KERNEL32.dll | 82 | CompareStringA | |
KERNEL32.dll | 85 | CompareStringW | |
KERNEL32.dll | 976 | SetEnvironmentVariableA | |
KERNEL32.dll | 1057 | Sleep | |
WININET.dll | 123 | InternetErrorDlg | |
WININET.dll | 174 | InternetSetOptionW | |
WININET.dll | 157 | InternetQueryOptionW | |
WININET.dll | 106 | InternetCloseHandle | |
WININET.dll | 89 | HttpQueryInfoW | |
WININET.dll | 158 | InternetReadFile | |
WININET.dll | 93 | HttpSendRequestW | |
WININET.dll | 87 | HttpOpenRequestW | |
WININET.dll | 113 | InternetConnectW | |
WININET.dll | 153 | InternetOpenW | |
CRYPT32.dll | 212 | CryptStringToBinaryA | |
CRYPT32.dll | 122 | CryptBinaryToStringA | |
USER32.dll | 341 | GetParent | |
USER32.dll | 543 | PostMessageW | |
USER32.dll | 104 | CreateWindowExW | |
USER32.dll | 160 | DestroyWindow | |
USER32.dll | 235 | EnumWindows | |
ADVAPI32.dll | 563 | RegCreateKeyExW | |
ADVAPI32.dll | 554 | RegCloseKey | |
ADVAPI32.dll | 616 | RegQueryValueExW | |
ADVAPI32.dll | 578 | RegDeleteValueW | |
ADVAPI32.dll | 632 | RegSetValueExW | |
ole32.dll | 15 | CoCreateGuid |
ord | entry_va | function_name | |
---|---|---|---|
1 | 0x12c6 | RunDllEntry |
No certificates in
#<struct PEdump::WIN_CERTIFICATE dwLength=1072, wRevision=512, wCertificateType=2, data="0\x82\x04\"\x06\t*\x86H\x86\xF7\r\x01\a\x02\xA0\x82\x04\x130\x82\x04\x0F\x02\x01\x011\x0E0\f\x06\b*\x86H\x86\xF7\r\x02\x05\x05\x000g\x06\n+\x06\x01\x04\x01\x827\x02\x01\x04\xA0Y0W03\x06\n+\x06\x01\x04\x01\x827\x02\x01\x0F0%\x03\x01\x00\xA0 \xA2\x1E\x80\x1C\x00<\x00<\x00<\x00O\x00b\x00s\x00o\x00l\x00e\x00t\x00e\x00>\x00>\x00>0 0\f\x06\b*\x86H\x86\xF7\r\x02\x05\x05\x00\x04\x10\a\x9A}\xC3\x7F\xFEo\x86-\xDF^I/\xAB\xB1\x9A\xA0\x82\x02N0\x82\x02J0\x82\x01\xB3\xA0\x03\x02\x01\x02\x02\x10\x92#/o\x95\xEC\x8B\x86@\x9C\x96_\x02\xB0\xC6\xDD0\r\x06\t*\x86H\x86\xF7\r\x01\x01\x04\x05\x00001 0\x1E\x06\t*\x86H\x86\xF7\r\x01\t\x01\x16\x11foxcon@foxcon.com1\f0\n\x06\x03U\x04\x03\x13\x03fox0\x1E\x17\r020201200000Z\x17\r190201200000Z001 0\x1E\x06\t*\x86H\x86\xF7\r\x01\t\x01\x16\x11foxcon@foxcon.com1\f0\n\x06\x03U\x04\x03\x13\x03fox0\x81\x9F0\r\x06\t*\x86H\x86\xF7\r\x01\x01\x01\x05\x00\x03\x81\x8D\x000\x81\x89\x02\x81\x81\x00\xDB\x95xH\xF9m\xF6\x8E0}\xFC\x12l\f9\"\xF8\xA2\x81w\xD12\n\xC1\xAE\xA8\x91\x18\xA4\xA7\x8A\xB5\xF3@\xA7\"\x10\xAE\x06\xDA\xF1v\xE0\xE2\xFB\xCDB\xEA\xEF^\x10\xDF$\x00;\x89\xD6\xE6\xA9 \x8D\xB97\x85\x101Ply\x804\xBE!\xFA\x13\xD7/\x7F\xC3\xB1\x9EZ\x8D~Gj\xFD\xBCPgJ`\xD7\xC9hEf\x87\x9E\x17\xCE\xAD\xD9\xDA\xAD\xCD>\xF0BZ\x9AQ\x9D\xDD\x88h\xE9\xD8,\xB8\xB6\xE4\xFDV\xF4np\x7F\x02\x03\x01\x00\x01\xA3e0c0a\x06\x03U\x1D\x01\x04Z0X\x80\x10\x8A\xCD\x00'W}\xB6f\x89JT\xF2\xEC\xF2\xDD2\xA12001 0\x1E\x06\t*\x86H\x86\xF7\r\x01\t\x01\x16\x11foxcon@foxcon.com1\f0\n\x06\x03U\x04\x03\x13\x03fox\x82\x10\x92#/o\x95\xEC\x8B\x86@\x9C\x96_\x02\xB0\xC6\xDD0\r\x06\t*\x86H\x86\xF7\r\x01\x01\x04\x05\x00\x03\x81\x81\x001\x83\x92mq.\x10\x1Fnh\xDB\x8E\x86K \xC3\x19\x18\x10o\xD15\xC5\x919:a\xE5\xB9\xFE\xF8\xA6\xBF\xB2\xEC\xE7M\xD1\x9Cd\x9A\x9E\xFD\xFD\x9Ch\x83 z \xB9\x01\xDA\xE2\xB8E\x93\x8B\x98\x8F]\xC8c\xE8Tg\x96\x95\x15\xF0G6\xAC\x14S\x18\x9E?'\xA6\xE9ay\x89=yeX\xFD\xEB\x02h\xB19\xB7B\x87a1h\xF3\x06\x13BPmM\x9D\x8F\xF71\xF3\x9E\xB9=\x7F\xB5\xABN\x06)I\xBFx\x0Efw\x151\x82\x01=0\x82\x019\x02\x01\x010D001 0\x1E\x06\t*\x86H\x86\xF7\r\x01\t\x01\x16\x11foxcon@foxcon.com1\f0\n\x06\x03U\x04\x03\x13\x03fox\x02\x10\x92#/o\x95\xEC\x8B\x86@\x9C\x96_\x02\xB0\xC6\xDD0\f\x06\b*\x86H\x86\xF7\r\x02\x05\x05\x00\xA0N0\x10\x06\n+\x06\x01\x04\x01\x827\x02\x01\f1\x020\x000\x19\x06\t*\x86H\x86\xF7\r\x01\t\x031\f\x06\n+\x06\x01\x04\x01\x827\x02\x01\x040\x1F\x06\t*\x86H\x86\xF7\r\x01\t\x041\x12\x04\x10\x10\xF9\x8A{\xB1Kl6b\t\xC7\\\xCD\x15gC0\r\x06\t*\x86H\x86\xF7\r\x01\x01\x01\x05\x00\x04\x81\x80\xB7\x01&\xA5\x80=%hiS\xB9\xCE\xED\xB4p\xF7\x9F\xBC\x9F\xDF,\xA0\xAA\xC27\xE2\t\x1E:\xB3Dj\xDF\xE8\xC3\xF6">
Cannot call to_der on
#<struct PEdump::WIN_CERTIFICATE dwLength=1072, wRevision=512, wCertificateType=2, data="0\x82\x04\"\x06\t*\x86H\x86\xF7\r\x01\a\x02\xA0\x82\x04\x130\x82\x04\x0F\x02\x01\x011\x0E0\f\x06\b*\x86H\x86\xF7\r\x02\x05\x05\x000g\x06\n+\x06\x01\x04\x01\x827\x02\x01\x04\xA0Y0W03\x06\n+\x06\x01\x04\x01\x827\x02\x01\x0F0%\x03\x01\x00\xA0 \xA2\x1E\x80\x1C\x00<\x00<\x00<\x00O\x00b\x00s\x00o\x00l\x00e\x00t\x00e\x00>\x00>\x00>0 0\f\x06\b*\x86H\x86\xF7\r\x02\x05\x05\x00\x04\x10\a\x9A}\xC3\x7F\xFEo\x86-\xDF^I/\xAB\xB1\x9A\xA0\x82\x02N0\x82\x02J0\x82\x01\xB3\xA0\x03\x02\x01\x02\x02\x10\x92#/o\x95\xEC\x8B\x86@\x9C\x96_\x02\xB0\xC6\xDD0\r\x06\t*\x86H\x86\xF7\r\x01\x01\x04\x05\x00001 0\x1E\x06\t*\x86H\x86\xF7\r\x01\t\x01\x16\x11foxcon@foxcon.com1\f0\n\x06\x03U\x04\x03\x13\x03fox0\x1E\x17\r020201200000Z\x17\r190201200000Z001 0\x1E\x06\t*\x86H\x86\xF7\r\x01\t\x01\x16\x11foxcon@foxcon.com1\f0\n\x06\x03U\x04\x03\x13\x03fox0\x81\x9F0\r\x06\t*\x86H\x86\xF7\r\x01\x01\x01\x05\x00\x03\x81\x8D\x000\x81\x89\x02\x81\x81\x00\xDB\x95xH\xF9m\xF6\x8E0}\xFC\x12l\f9\"\xF8\xA2\x81w\xD12\n\xC1\xAE\xA8\x91\x18\xA4\xA7\x8A\xB5\xF3@\xA7\"\x10\xAE\x06\xDA\xF1v\xE0\xE2\xFB\xCDB\xEA\xEF^\x10\xDF$\x00;\x89\xD6\xE6\xA9 \x8D\xB97\x85\x101Ply\x804\xBE!\xFA\x13\xD7/\x7F\xC3\xB1\x9EZ\x8D~Gj\xFD\xBCPgJ`\xD7\xC9hEf\x87\x9E\x17\xCE\xAD\xD9\xDA\xAD\xCD>\xF0BZ\x9AQ\x9D\xDD\x88h\xE9\xD8,\xB8\xB6\xE4\xFDV\xF4np\x7F\x02\x03\x01\x00\x01\xA3e0c0a\x06\x03U\x1D\x01\x04Z0X\x80\x10\x8A\xCD\x00'W}\xB6f\x89JT\xF2\xEC\xF2\xDD2\xA12001 0\x1E\x06\t*\x86H\x86\xF7\r\x01\t\x01\x16\x11foxcon@foxcon.com1\f0\n\x06\x03U\x04\x03\x13\x03fox\x82\x10\x92#/o\x95\xEC\x8B\x86@\x9C\x96_\x02\xB0\xC6\xDD0\r\x06\t*\x86H\x86\xF7\r\x01\x01\x04\x05\x00\x03\x81\x81\x001\x83\x92mq.\x10\x1Fnh\xDB\x8E\x86K \xC3\x19\x18\x10o\xD15\xC5\x919:a\xE5\xB9\xFE\xF8\xA6\xBF\xB2\xEC\xE7M\xD1\x9Cd\x9A\x9E\xFD\xFD\x9Ch\x83 z \xB9\x01\xDA\xE2\xB8E\x93\x8B\x98\x8F]\xC8c\xE8Tg\x96\x95\x15\xF0G6\xAC\x14S\x18\x9E?'\xA6\xE9ay\x89=yeX\xFD\xEB\x02h\xB19\xB7B\x87a1h\xF3\x06\x13BPmM\x9D\x8F\xF71\xF3\x9E\xB9=\x7F\xB5\xABN\x06)I\xBFx\x0Efw\x151\x82\x01=0\x82\x019\x02\x01\x010D001 0\x1E\x06\t*\x86H\x86\xF7\r\x01\t\x01\x16\x11foxcon@foxcon.com1\f0\n\x06\x03U\x04\x03\x13\x03fox\x02\x10\x92#/o\x95\xEC\x8B\x86@\x9C\x96_\x02\xB0\xC6\xDD0\f\x06\b*\x86H\x86\xF7\r\x02\x05\x05\x00\xA0N0\x10\x06\n+\x06\x01\x04\x01\x827\x02\x01\f1\x020\x000\x19\x06\t*\x86H\x86\xF7\r\x01\t\x031\f\x06\n+\x06\x01\x04\x01\x827\x02\x01\x040\x1F\x06\t*\x86H\x86\xF7\r\x01\t\x041\x12\x04\x10\x10\xF9\x8A{\xB1Kl6b\t\xC7\\\xCD\x15gC0\r\x06\t*\x86H\x86\xF7\r\x01\x01\x01\x05\x00\x04\x81\x80\xB7\x01&\xA5\x80=%hiS\xB9\xCE\xED\xB4p\xF7\x9F\xBC\x9F\xDF,\xA0\xAA\xC27\xE2\t\x1E:\xB3Dj\xDF\xE8\xC3\xF6">
offset | size | type | comment | |
---|---|---|---|---|
0 | 408064 | DLL | 12/09/2011 10:30:42 | # |
15c1 | 15 | HTM | # | |
63a00 | 1072 | PKCS7 | Authenticode Signature | # |
63a00 | 978 | BIN | overlay data past EOF | # |
Please donate some bucks to keep this site up and running: | |
Ko-fi | |
---|---|
Yandex.Money | |
Thank you! |
[!] Could not parse the PKCS7: not enough data