filenameddbd1ecfd473ef77ef63b2e94b1c8e44.bender.exe
size409042 (0x63dd2)
md5ddbd1ecfd473ef77ef63b2e94b1c8e44
typePE32 executable (DLL) (console) Intel 80386, for MS Windows
mimetypeapplication/x-dosexec
clamavWin.Trojan.Agent-474378 FOUND
virustotal→ scan with virustotal.com
histogram

MZ Header

signatureMZ
bytes_in_last_block0x90
blocks_in_file3
num_relocs0
header_paragraphs4
min_extra_paragraphs0
max_extra_paragraphs0xffff
ss0
sp0xb8
checksum0
ip0
cs0
reloc_table_offset0x40
overlay_number0
reserved00
oem_id0
oem_info0
reserved20
reserved30
reserved40
reserved50
reserved60
lfanew0xf0

Rich Header

lib idversiontimes used
150204133
1493072925
1323072970
13130729170
1235072713
10164
1383072949
146307291
145307291

DOS stub

00000000: 0e 1f ba 0e 00 b4 09 cd  21 b8 01 4c cd 21 54 68  |........!..L.!Th|
00000010: 69 73 20 70 72 6f 67 72  61 6d 20 63 61 6e 6e 6f  |is program canno|
00000020: 74 20 62 65 20 72 75 6e  20 69 6e 20 44 4f 53 20  |t be run in DOS |
00000030: 6d 6f 64 65 2e 0d 0d 0a  24 00 00 00 00 00 00 00  |mode....$.......|

PE Header

SignaturePE
Machine0x14c
NumberOfSections5
TimeDateStamp0x4ee1e352
PointerToSymbolTable0
NumberOfSymbols0
SizeOfOptionalHeader0xe0
Characteristics0x2102
Magic0x10b
LinkerVersion9.0
SizeOfCode0x4a600
SizeOfInitializedData0x19000
SizeOfUninitializedData0
AddressOfEntryPoint0x207da
BaseOfCode0x1000
BaseOfData0x4c000
ImageBase0x10000000
SectionAlignment0x1000
FileAlignment0x200
OperatingSystemVersion5.0
ImageVersion0.0
SubsystemVersion5.0
Reserved10
SizeOfImage0x68000
SizeOfHeaders0x400
CheckSum0x67005
Subsystem3
DllCharacteristics0x140
SizeOfStackReserve0x100000
SizeOfStackCommit0x1000
SizeOfHeapReserve0x100000
SizeOfHeapCommit0x1000
LoaderFlags0
NumberOfRvaAndSizes0x10

Packer / Compiler

MS Visual C++ v7.0 DLL

Sections

namevavsizeraw sizeflags
.text0x10000x4a5ca0x4a600R-X CODE
.rdata0x4c0000xeebd0xf000R-- IDATA
.data0x5b0000x5f280x4000RW- IDATA
.rsrc0x610000x1b40x200R-- IDATA
.reloc0x620000x5c760x5e00R-- IDATA DISCARDABLE

Data Directory

typevasize
EXPORT0x5ae700x4d
IMPORT0x5a1580x8c
RESOURCE0x610000x1b4
EXCEPTION00
SECURITY0x63a000x430
BASERELOC0x620000x3fbc
DEBUG00
ARCHITECTURE00
GLOBALPTR00
TLS00
LOAD_CONFIG0x50e700x40
Bound_IAT00
IAT0x4c0000x240
Delay_IAT00
CLR_Header00
typenamesizecp
MANIFEST#23461252
module_namehintordfunction_name
KERNEL32.dll628GetVersion
KERNEL32.dll292FindFirstFileW
KERNEL32.dll281FindClose
KERNEL32.dll195DeleteFileW
KERNEL32.dll1109VirtualAllocEx
KERNEL32.dll1174WriteProcessMemory
KERNEL32.dll486GetLastError
KERNEL32.dll909ResumeThread
KERNEL32.dll1124WaitForSingleObject
KERNEL32.dll505GetModuleHandleW
KERNEL32.dll504GetModuleHandleExW
KERNEL32.dll544GetProcAddress
KERNEL32.dll501GetModuleFileNameW
KERNEL32.dll172CreateToolhelp32Snapshot
KERNEL32.dll836Process32FirstW
KERNEL32.dll838Process32NextW
KERNEL32.dll101CopyFileW
KERNEL32.dll451GetEnvironmentVariableW
KERNEL32.dll601GetTempFileNameW
KERNEL32.dll327FormatMessageA
KERNEL32.dll765LocalFree
KERNEL32.dll67CloseHandle
KERNEL32.dll1131WaitNamedPipeW
KERNEL32.dll144CreateNamedPipeW
KERNEL32.dll86ConnectNamedPipe
KERNEL32.dll127CreateFileW
KERNEL32.dll872ReadFile
KERNEL32.dll1165WriteFile
KERNEL32.dll152CreateRemoteThread
KERNEL32.dll819OpenProcess
KERNEL32.dll332FreeLibrary
KERNEL32.dll756LoadLibraryW
KERNEL32.dll704InterlockedIncrement
KERNEL32.dll700InterlockedDecrement
KERNEL32.dll1146WideCharToMultiByte
KERNEL32.dll698InterlockedCompareExchange
KERNEL32.dll701InterlockedExchange
KERNEL32.dll794MultiByteToWideChar
KERNEL32.dll692InitializeCriticalSection
KERNEL32.dll190DeleteCriticalSection
KERNEL32.dll217EnterCriticalSection
KERNEL32.dll751LeaveCriticalSection
KERNEL32.dll973SetEndOfFile
KERNEL32.dll304FindNextFileW
KERNEL32.dll163CreateThread
KERNEL32.dll1004SetLastError
KERNEL32.dll502GetModuleHandleA
KERNEL32.dll19AreFileApisANSI
KERNEL32.dll1069TerminateProcess
KERNEL32.dll425GetCurrentProcess
KERNEL32.dll1086UnhandledExceptionFilter
KERNEL32.dll1045SetUnhandledExceptionFilter
KERNEL32.dll721IsDebuggerPresent
KERNEL32.dll429GetCurrentThreadId
KERNEL32.dll367GetCommandLineA
KERNEL32.dll673HeapFree
KERNEL32.dll591GetSystemTimeAsFileTime
KERNEL32.dll669HeapAlloc
KERNEL32.dll260ExitProcess
KERNEL32.dll858RaiseException
KERNEL32.dll914RtlUnwind
KERNEL32.dll576GetStringTypeW
KERNEL32.dll347GetCPInfo
KERNEL32.dll737LCMapStringA
KERNEL32.dll739LCMapStringW
KERNEL32.dll1076TlsGetValue
KERNEL32.dll1074TlsAlloc
KERNEL32.dll1077TlsSetValue
KERNEL32.dll1075TlsFree
KERNEL32.dll1000SetHandleCount
KERNEL32.dll571GetStdHandle
KERNEL32.dll471GetFileType
KERNEL32.dll569GetStartupInfoA
KERNEL32.dll500GetModuleFileNameA
KERNEL32.dll330FreeEnvironmentStringsA
KERNEL32.dll447GetEnvironmentStrings
KERNEL32.dll331FreeEnvironmentStringsW
KERNEL32.dll449GetEnvironmentStringsW
KERNEL32.dll671HeapCreate
KERNEL32.dll672HeapDestroy
KERNEL32.dll1111VirtualFree
KERNEL32.dll852QueryPerformanceCounter
KERNEL32.dll614GetTickCount
KERNEL32.dll426GetCurrentProcessId
KERNEL32.dll1108VirtualAlloc
KERNEL32.dll676HeapReAlloc
KERNEL32.dll387GetConsoleCP
KERNEL32.dll405GetConsoleMode
KERNEL32.dll991SetFilePointer
KERNEL32.dll321FlushFileBuffers
KERNEL32.dll338GetACP
KERNEL32.dll531GetOEMCP
KERNEL32.dll731IsValidCodePage
KERNEL32.dll753LoadLibraryA
KERNEL32.dll693InitializeCriticalSectionAndSpinCount
KERNEL32.dll678HeapSize
KERNEL32.dll616GetTimeFormatA
KERNEL32.dll430GetDateFormatA
KERNEL32.dll621GetUserDefaultLCID
KERNEL32.dll488GetLocaleInfoA
KERNEL32.dll248EnumSystemLocalesA
KERNEL32.dll733IsValidLocale
KERNEL32.dll573GetStringTypeA
KERNEL32.dll490GetLocaleInfoW
KERNEL32.dll1154WriteConsoleA
KERNEL32.dll409GetConsoleOutputCP
KERNEL32.dll1164WriteConsoleW
KERNEL32.dll1020SetStdHandle
KERNEL32.dll120CreateFileA
KERNEL32.dll619GetTimeZoneInformation
KERNEL32.dll547GetProcessHeap
KERNEL32.dll82CompareStringA
KERNEL32.dll85CompareStringW
KERNEL32.dll976SetEnvironmentVariableA
KERNEL32.dll1057Sleep
WININET.dll123InternetErrorDlg
WININET.dll174InternetSetOptionW
WININET.dll157InternetQueryOptionW
WININET.dll106InternetCloseHandle
WININET.dll89HttpQueryInfoW
WININET.dll158InternetReadFile
WININET.dll93HttpSendRequestW
WININET.dll87HttpOpenRequestW
WININET.dll113InternetConnectW
WININET.dll153InternetOpenW
CRYPT32.dll212CryptStringToBinaryA
CRYPT32.dll122CryptBinaryToStringA
USER32.dll341GetParent
USER32.dll543PostMessageW
USER32.dll104CreateWindowExW
USER32.dll160DestroyWindow
USER32.dll235EnumWindows
ADVAPI32.dll563RegCreateKeyExW
ADVAPI32.dll554RegCloseKey
ADVAPI32.dll616RegQueryValueExW
ADVAPI32.dll578RegDeleteValueW
ADVAPI32.dll632RegSetValueExW
ole32.dll15CoCreateGuid
ordentry_vafunction_name
10x12c6RunDllEntry
module_nameTmprovider.dll
flags0
timestamp2011-12-09 10:30:35
version0.0
ordinal_base1
nFunctions1
nNames1
Names(1)0x5ae9c
Functions(1)0x5ae98
NameOrdinals(1)0x5aea0

No certificates in

#<struct PEdump::WIN_CERTIFICATE dwLength=1072, wRevision=512, wCertificateType=2, data="0\x82\x04\"\x06\t*\x86H\x86\xF7\r\x01\a\x02\xA0\x82\x04\x130\x82\x04\x0F\x02\x01\x011\x0E0\f\x06\b*\x86H\x86\xF7\r\x02\x05\x05\x000g\x06\n+\x06\x01\x04\x01\x827\x02\x01\x04\xA0Y0W03\x06\n+\x06\x01\x04\x01\x827\x02\x01\x0F0%\x03\x01\x00\xA0 \xA2\x1E\x80\x1C\x00<\x00<\x00<\x00O\x00b\x00s\x00o\x00l\x00e\x00t\x00e\x00>\x00>\x00>0 0\f\x06\b*\x86H\x86\xF7\r\x02\x05\x05\x00\x04\x10\a\x9A}\xC3\x7F\xFEo\x86-\xDF^I/\xAB\xB1\x9A\xA0\x82\x02N0\x82\x02J0\x82\x01\xB3\xA0\x03\x02\x01\x02\x02\x10\x92#/o\x95\xEC\x8B\x86@\x9C\x96_\x02\xB0\xC6\xDD0\r\x06\t*\x86H\x86\xF7\r\x01\x01\x04\x05\x00001 0\x1E\x06\t*\x86H\x86\xF7\r\x01\t\x01\x16\x11foxcon@foxcon.com1\f0\n\x06\x03U\x04\x03\x13\x03fox0\x1E\x17\r020201200000Z\x17\r190201200000Z001 0\x1E\x06\t*\x86H\x86\xF7\r\x01\t\x01\x16\x11foxcon@foxcon.com1\f0\n\x06\x03U\x04\x03\x13\x03fox0\x81\x9F0\r\x06\t*\x86H\x86\xF7\r\x01\x01\x01\x05\x00\x03\x81\x8D\x000\x81\x89\x02\x81\x81\x00\xDB\x95xH\xF9m\xF6\x8E0}\xFC\x12l\f9\"\xF8\xA2\x81w\xD12\n\xC1\xAE\xA8\x91\x18\xA4\xA7\x8A\xB5\xF3@\xA7\"\x10\xAE\x06\xDA\xF1v\xE0\xE2\xFB\xCDB\xEA\xEF^\x10\xDF$\x00;\x89\xD6\xE6\xA9 \x8D\xB97\x85\x101Ply\x804\xBE!\xFA\x13\xD7/\x7F\xC3\xB1\x9EZ\x8D~Gj\xFD\xBCPgJ`\xD7\xC9hEf\x87\x9E\x17\xCE\xAD\xD9\xDA\xAD\xCD>\xF0BZ\x9AQ\x9D\xDD\x88h\xE9\xD8,\xB8\xB6\xE4\xFDV\xF4np\x7F\x02\x03\x01\x00\x01\xA3e0c0a\x06\x03U\x1D\x01\x04Z0X\x80\x10\x8A\xCD\x00'W}\xB6f\x89JT\xF2\xEC\xF2\xDD2\xA12001 0\x1E\x06\t*\x86H\x86\xF7\r\x01\t\x01\x16\x11foxcon@foxcon.com1\f0\n\x06\x03U\x04\x03\x13\x03fox\x82\x10\x92#/o\x95\xEC\x8B\x86@\x9C\x96_\x02\xB0\xC6\xDD0\r\x06\t*\x86H\x86\xF7\r\x01\x01\x04\x05\x00\x03\x81\x81\x001\x83\x92mq.\x10\x1Fnh\xDB\x8E\x86K \xC3\x19\x18\x10o\xD15\xC5\x919:a\xE5\xB9\xFE\xF8\xA6\xBF\xB2\xEC\xE7M\xD1\x9Cd\x9A\x9E\xFD\xFD\x9Ch\x83 z \xB9\x01\xDA\xE2\xB8E\x93\x8B\x98\x8F]\xC8c\xE8Tg\x96\x95\x15\xF0G6\xAC\x14S\x18\x9E?'\xA6\xE9ay\x89=yeX\xFD\xEB\x02h\xB19\xB7B\x87a1h\xF3\x06\x13BPmM\x9D\x8F\xF71\xF3\x9E\xB9=\x7F\xB5\xABN\x06)I\xBFx\x0Efw\x151\x82\x01=0\x82\x019\x02\x01\x010D001 0\x1E\x06\t*\x86H\x86\xF7\r\x01\t\x01\x16\x11foxcon@foxcon.com1\f0\n\x06\x03U\x04\x03\x13\x03fox\x02\x10\x92#/o\x95\xEC\x8B\x86@\x9C\x96_\x02\xB0\xC6\xDD0\f\x06\b*\x86H\x86\xF7\r\x02\x05\x05\x00\xA0N0\x10\x06\n+\x06\x01\x04\x01\x827\x02\x01\f1\x020\x000\x19\x06\t*\x86H\x86\xF7\r\x01\t\x031\f\x06\n+\x06\x01\x04\x01\x827\x02\x01\x040\x1F\x06\t*\x86H\x86\xF7\r\x01\t\x041\x12\x04\x10\x10\xF9\x8A{\xB1Kl6b\t\xC7\\\xCD\x15gC0\r\x06\t*\x86H\x86\xF7\r\x01\x01\x01\x05\x00\x04\x81\x80\xB7\x01&\xA5\x80=%hiS\xB9\xCE\xED\xB4p\xF7\x9F\xBC\x9F\xDF,\xA0\xAA\xC27\xE2\t\x1E:\xB3Dj\xDF\xE8\xC3\xF6">

Cannot call to_der on

#<struct PEdump::WIN_CERTIFICATE dwLength=1072, wRevision=512, wCertificateType=2, data="0\x82\x04\"\x06\t*\x86H\x86\xF7\r\x01\a\x02\xA0\x82\x04\x130\x82\x04\x0F\x02\x01\x011\x0E0\f\x06\b*\x86H\x86\xF7\r\x02\x05\x05\x000g\x06\n+\x06\x01\x04\x01\x827\x02\x01\x04\xA0Y0W03\x06\n+\x06\x01\x04\x01\x827\x02\x01\x0F0%\x03\x01\x00\xA0 \xA2\x1E\x80\x1C\x00<\x00<\x00<\x00O\x00b\x00s\x00o\x00l\x00e\x00t\x00e\x00>\x00>\x00>0 0\f\x06\b*\x86H\x86\xF7\r\x02\x05\x05\x00\x04\x10\a\x9A}\xC3\x7F\xFEo\x86-\xDF^I/\xAB\xB1\x9A\xA0\x82\x02N0\x82\x02J0\x82\x01\xB3\xA0\x03\x02\x01\x02\x02\x10\x92#/o\x95\xEC\x8B\x86@\x9C\x96_\x02\xB0\xC6\xDD0\r\x06\t*\x86H\x86\xF7\r\x01\x01\x04\x05\x00001 0\x1E\x06\t*\x86H\x86\xF7\r\x01\t\x01\x16\x11foxcon@foxcon.com1\f0\n\x06\x03U\x04\x03\x13\x03fox0\x1E\x17\r020201200000Z\x17\r190201200000Z001 0\x1E\x06\t*\x86H\x86\xF7\r\x01\t\x01\x16\x11foxcon@foxcon.com1\f0\n\x06\x03U\x04\x03\x13\x03fox0\x81\x9F0\r\x06\t*\x86H\x86\xF7\r\x01\x01\x01\x05\x00\x03\x81\x8D\x000\x81\x89\x02\x81\x81\x00\xDB\x95xH\xF9m\xF6\x8E0}\xFC\x12l\f9\"\xF8\xA2\x81w\xD12\n\xC1\xAE\xA8\x91\x18\xA4\xA7\x8A\xB5\xF3@\xA7\"\x10\xAE\x06\xDA\xF1v\xE0\xE2\xFB\xCDB\xEA\xEF^\x10\xDF$\x00;\x89\xD6\xE6\xA9 \x8D\xB97\x85\x101Ply\x804\xBE!\xFA\x13\xD7/\x7F\xC3\xB1\x9EZ\x8D~Gj\xFD\xBCPgJ`\xD7\xC9hEf\x87\x9E\x17\xCE\xAD\xD9\xDA\xAD\xCD>\xF0BZ\x9AQ\x9D\xDD\x88h\xE9\xD8,\xB8\xB6\xE4\xFDV\xF4np\x7F\x02\x03\x01\x00\x01\xA3e0c0a\x06\x03U\x1D\x01\x04Z0X\x80\x10\x8A\xCD\x00'W}\xB6f\x89JT\xF2\xEC\xF2\xDD2\xA12001 0\x1E\x06\t*\x86H\x86\xF7\r\x01\t\x01\x16\x11foxcon@foxcon.com1\f0\n\x06\x03U\x04\x03\x13\x03fox\x82\x10\x92#/o\x95\xEC\x8B\x86@\x9C\x96_\x02\xB0\xC6\xDD0\r\x06\t*\x86H\x86\xF7\r\x01\x01\x04\x05\x00\x03\x81\x81\x001\x83\x92mq.\x10\x1Fnh\xDB\x8E\x86K \xC3\x19\x18\x10o\xD15\xC5\x919:a\xE5\xB9\xFE\xF8\xA6\xBF\xB2\xEC\xE7M\xD1\x9Cd\x9A\x9E\xFD\xFD\x9Ch\x83 z \xB9\x01\xDA\xE2\xB8E\x93\x8B\x98\x8F]\xC8c\xE8Tg\x96\x95\x15\xF0G6\xAC\x14S\x18\x9E?'\xA6\xE9ay\x89=yeX\xFD\xEB\x02h\xB19\xB7B\x87a1h\xF3\x06\x13BPmM\x9D\x8F\xF71\xF3\x9E\xB9=\x7F\xB5\xABN\x06)I\xBFx\x0Efw\x151\x82\x01=0\x82\x019\x02\x01\x010D001 0\x1E\x06\t*\x86H\x86\xF7\r\x01\t\x01\x16\x11foxcon@foxcon.com1\f0\n\x06\x03U\x04\x03\x13\x03fox\x02\x10\x92#/o\x95\xEC\x8B\x86@\x9C\x96_\x02\xB0\xC6\xDD0\f\x06\b*\x86H\x86\xF7\r\x02\x05\x05\x00\xA0N0\x10\x06\n+\x06\x01\x04\x01\x827\x02\x01\f1\x020\x000\x19\x06\t*\x86H\x86\xF7\r\x01\t\x031\f\x06\n+\x06\x01\x04\x01\x827\x02\x01\x040\x1F\x06\t*\x86H\x86\xF7\r\x01\t\x041\x12\x04\x10\x10\xF9\x8A{\xB1Kl6b\t\xC7\\\xCD\x15gC0\r\x06\t*\x86H\x86\xF7\r\x01\x01\x01\x05\x00\x04\x81\x80\xB7\x01&\xA5\x80=%hiS\xB9\xCE\xED\xB4p\xF7\x9F\xBC\x9F\xDF,\xA0\xAA\xC27\xE2\t\x1E:\xB3Dj\xDF\xE8\xC3\xF6">
offsetsizetypecomment
0408064DLL12/09/2011 10:30:42#
15c115HTM#
63a001072PKCS7Authenticode Signature#
63a00978BINoverlay data past EOF#
offset:( 0x )size:( 0x )hotkeys:-=[]<>, offset/size fields are also editable







[!] Could not parse the PKCS7: not enough data