Report For sample.exe
*********************
file size  0x60248b
full path  /home/dreamer/Desktop/work/malware analysers/sample.exe

Section Table
*************
                            1. .text    2. .rdata   3. .data    4. .rsrc
--------------------------------------------------------------------------
Entropy                     6.22        4.98        4.59        6.72
Pointer To Raw Data         0x400       0x2600      0x3000      0x3c00
Size Of Raw Data            0x2200      0xa00       0xc00       0x283c00
Physical End                0x2600      0x3000      0x3c00      0x287800
Virtual Address             0x1000      0x4000      0x5000      0x7000
Virtual Size                0x21b4      0x9d2       0x16a8      0x283abc
 -> actual virtual size     0x3000      0x1000      0x2000      0x284000
Pointer To Relocations      0x0         0x0         0x0         0x0
Number Of Relocations       0x0         0x0         0x0         0x0
Pointer To Line Numbers     0x0         0x0         0x0         0x0
Number Of Line Numbers      0x0         0x0         0x0         0x0
Code                        x
Initialized Data                        x           x           x
Execute                     x
Read                        x           x           x           x
Write                                               x
MSDOS Header
************
description                               value    file offset
---------------------------------------------------------------
signature word                            0x5a4d   0x0
last page size                            0x90     0x2
file pages                                0x3      0x4
relocation items                          0x0      0x6
header paragraphs                         0x4      0x8
minimum number of paragraphs allocated    0x0      0xa
maximum number of paragraphs allocated    0xffff   0xc
initial SS value                          0x0      0xe
initial SP value                          0xb8     0x10
complemented checksum                     0x0      0x12
initial IP value                          0x0      0x14
pre-relocated initial CS value            0x0      0x16
relocation table offset                   0x40     0x18
overlay number                            0x0      0x1a
Reserved word 0x1c                        0x0      0x1c
Reserved word 0x1e                        0x0      0x1e
Reserved word 0x20                        0x0      0x20
Reserved word 0x22                        0x0      0x22
OEM identifier                            0x0      0x24
OEM information                           0x0      0x26
Reserved word 0x28                        0x0      0x28
Reserved word 0x2a                        0x0      0x2a
Reserved word 0x2c                        0x0      0x2c
Reserved word 0x2f                        0x0      0x2e
Reserved word 0x30                        0x0      0x30
Reserved word 0x32                        0x0      0x32
Reserved word 0x34                        0x0      0x34
Reserved word 0x36                        0x0      0x36
Reserved word 0x38                        0x0      0x38
Reserved word 0x3a                        0x0      0x3a
PE signature offset                       0xf0     0x3c
COFF File Header
****************
time date stamp   10 Nov, 2008 3:10:35 PM
machine type      Intel 386 or later processors and compatible processors
characteristics   * Image only, Windows CE, and Windows NT and later.
                  * Image only.
                  * Machine is based on a 32-bit-word architecture.

description                              value        file offset
-------------------------------------------------------------------
machine type                             0x14c        0xf4
number of sections                       0x4          0xf6
time date stamp                          0x49180193   0xf8
pointer to symbol table (deprecated)     0x0          0xfc
number of symbols (deprecated)           0x0          0x100
size of optional header                  0xe0         0x104
characteristics                          0x103        0x106
Optional Header
***************
Magic Number: PE32, normal executable file
Entry Point is in section 1 with name .text
DLL Characteristics  * Terminal Server aware.
Subsystem: The Windows graphical user interface (GUI) subsystem

standard field                     value       file offset
-----------------------------------------------------------------------
magic number                       0x10b       0x108
major linker version               0x9         0x10a
minor linker version               0x0         0x10b
size of code                       0x2200      0x10c
size of initialized data           0x285200    0x110
size of uninitialized data         0x0         0x114
address of entry point             0x2c61      0x118
address of base of code            0x1000      0x11c
address of base of data            0x4000      0x120

windows field                      value       file offset
-----------------------------------------------------------------------
image base                         0x400000    0x124
section alignment in bytes         0x1000      0x128
file alignment in bytes            0x200       0x12c
major operating system version     0x5         0x130
minor operating system version     0x0         0x132
major image version                0x0         0x134
minor image version                0x0         0x136
major subsystem version            0x5         0x138
minor subsystem version            0x0         0x13a
win32 version value (reserved)     0x0         0x13c
size of image in bytes             0x28b000    0x140
size of headers                    0x400       0x144
checksum                           0x13334     0x148
subsystem                          0x2         0x14c
dll characteristics                0x8000      0x14e
size of stack reserve              0x100000    0x150
size of stack commit               0x1000      0x154
size of heap reserve               0x100000    0x158
size of heap commit                0x1000      0x15c
loader flags (reserved)            0x0         0x160
number of rva and sizes            0x10        0x164

data directory       rva      -> offset   size       in section   file offset
-------------------------------------------------------------------------------
import table         0x426c   0x286c      0x50       2 .rdata     0x170
resource table       0x7000   0x3c00      0x283abc   4 .rsrc      0x178
load config table    0x41a0   0x27a0      0x40       2 .rdata     0x1b8
IAT                  0x4000   0x2600      0x178      2 .rdata     0x1c8
Imports
*******

USER32.dll
----------
[Keyboard Input]
    rva: 0x4428, va: 0x404428, hint: 292, name: GetFocus -> no description
[Dialog Box]
    rva: 0x442c, va: 0x404428, hint: 504, name: MessageBoxA -> no description

MSVCR90.dll
-----------
[Other]
    rva: 0x4368, va: 0x404368, hint: 796, name: _onexit
    rva: 0x436c, va: 0x404368, hint: 352, name: _decode_pointer
    rva: 0x4370, va: 0x404368, hint: 630, name: _lock
    rva: 0x4374, va: 0x404368, hint: 523, name: _invoke_watson
    rva: 0x4378, va: 0x404368, hint: 918, name: _strdup
    rva: 0x437c, va: 0x404368, hint: 331, name: _crt_debugger_hook
    rva: 0x4380, va: 0x404368, hint: 150, name: __dllonexit
    rva: 0x4384, va: 0x404368, hint: 998, name: _unlock
    rva: 0x4388, va: 0x404368, hint: 67, name: ?terminate@@YAXXZ
    rva: 0x438c, va: 0x404368, hint: 224, name: __set_app_type
    rva: 0x4390, va: 0x404368, hint: 362, name: _encode_pointer
    rva: 0x4394, va: 0x404368, hint: 207, name: __p__fmode
    rva: 0x4398, va: 0x404368, hint: 203, name: __p__commode
    rva: 0x439c, va: 0x404368, hint: 267, name: _adjust_fdiv
    rva: 0x43a0, va: 0x404368, hint: 227, name: __setusermatherr
    rva: 0x43a4, va: 0x404368, hint: 316, name: _configthreadlocale
    rva: 0x43a8, va: 0x404368, hint: 517, name: _initterm_e
    rva: 0x43ac, va: 0x404368, hint: 516, name: _initterm
    rva: 0x43b0, va: 0x404368, hint: 253, name: _acmdln
    rva: 0x43b4, va: 0x404368, hint: 1228, name: exit
    rva: 0x43b8, va: 0x404368, hint: 549, name: _ismbblead
    rva: 0x43bc, va: 0x404368, hint: 102, name: _XcptFilter
    rva: 0x43c0, va: 0x404368, hint: 380, name: _exit
    rva: 0x43c4, va: 0x404368, hint: 300, name: _cexit
    rva: 0x43c8, va: 0x404368, hint: 159, name: __getmainargs
    rva: 0x43cc, va: 0x404368, hint: 277, name: _amsg_exit
    rva: 0x43d0, va: 0x404368, hint: 1338, name: realloc
    rva: 0x43d4, va: 0x404368, hint: 1217, name: bsearch
    rva: 0x43d8, va: 0x404368, hint: 1333, name: qsort
    rva: 0x43dc, va: 0x404368, hint: 1322, name: memset
    rva: 0x43e0, va: 0x404368, hint: 1318, name: memcpy
    rva: 0x43e4, va: 0x404368, hint: 1244, name: fprintf
    rva: 0x43e8, va: 0x404368, hint: 161, name: __iob_func
    rva: 0x43ec, va: 0x404368, hint: 1344, name: setbuf
    rva: 0x43f0, va: 0x404368, hint: 1268, name: getenv
    rva: 0x43f4, va: 0x404368, hint: 1215, name: atoi
    rva: 0x43f8, va: 0x404368, hint: 1307, name: malloc
    rva: 0x43fc, va: 0x404368, hint: 1252, name: free
    rva: 0x4400, va: 0x404368, hint: 1370, name: strncmp
    rva: 0x4404, va: 0x404368, hint: 1375, name: strrchr
    rva: 0x4408, va: 0x404368, hint: 138, name: __argv
    rva: 0x440c, va: 0x404368, hint: 137, name: __argc
    rva: 0x4410, va: 0x404368, hint: 1371, name: strncpy
    rva: 0x4414, va: 0x404368, hint: 873, name: _snprintf
    rva: 0x4418, va: 0x404368, hint: 922, name: _stricmp
    rva: 0x441c, va: 0x404368, hint: 371, name: _except_handler4_common
    rva: 0x4420, va: 0x404368, hint: 319, name: _controlfp_s

KERNEL32.dll
------------
[Error Handling]
    rva: 0x42f8, va: 0x4042bc, hint: 1012, name: SetLastError -> Sets the last-error code for the calling thread.
    rva: 0x4350, va: 0x4042bc, hint: 487, name: GetLastError -> Retrieves the calling thread's last-error code value.
    rva: 0x4354, va: 0x4042bc, hint: 328, name: FormatMessageA -> Formats a message string.
[Memory Management] <Virtual Memory>
    rva: 0x4304, va: 0x4042bc, hint: 1121, name: VirtualFree -> Releases or decommits a region of pages within the virtual address space of the calling process.
    rva: 0x4308, va: 0x4042bc, hint: 1124, name: VirtualProtect -> Changes the access protection on a region of committed pages in the virtual address space of the calling process.
    rva: 0x430c, va: 0x4042bc, hint: 1118, name: VirtualAlloc -> Reserves or commits a region of pages in the virtual address space of the calling process.
[Dynamic-Link Library]
    rva: 0x4310, va: 0x4042bc, hint: 333, name: FreeLibrary -> Decrements the reference count of the loaded DLL. When the reference count reaches zero, the module is unmapped from the address space of the calling process.
    rva: 0x4314, va: 0x4042bc, hint: 503, name: GetModuleHandleA -> Retrieves a module handle for the specified module.
    rva: 0x4320, va: 0x4042bc, hint: 758, name: LoadLibraryA -> Maps the specified executable module into the address space of the calling process.
    rva: 0x4324, va: 0x4042bc, hint: 546, name: GetProcAddress -> Retrieves the address of an exported function or variable from the specified DLL.
    rva: 0x434c, va: 0x4042bc, hint: 501, name: GetModuleFileNameA -> Retrieves the fully qualified path for the file containing the specified module.
[Synchronization] <Interlocked>
    rva: 0x42e4, va: 0x4042bc, hint: 703, name: InterlockedCompareExchange -> Performs an atomic compare-and-exchange operation on the specified values. The function compares two specified 32-bit values and exchanges with another 32-bit value based on the outcome of the comparison.
    rva: 0x42ec, va: 0x4042bc, hint: 706, name: InterlockedExchange -> Sets a 32-bit variable to the specified value as an atomic operation.
[Resource]
    rva: 0x4340, va: 0x4042bc, hint: 311, name: FindResourceA -> no description
    rva: 0x4344, va: 0x4042bc, hint: 763, name: LoadResource -> no description
    rva: 0x4348, va: 0x4042bc, hint: 780, name: LockResource -> no description
[String]
    rva: 0x435c, va: 0x4042bc, hint: 1215, name: lstrlenA -> no description
[Structured Exception Handling]
    rva: 0x42dc, va: 0x4042bc, hint: 1055, name: SetUnhandledExceptionFilter -> Enables an application to supersede the top-level exception handler of each thread and process.
    rva: 0x4360, va: 0x4042bc, hint: 1096, name: UnhandledExceptionFilter -> Passes unhandled exceptions to the debugger, if the process is being debugged.
[Debugging]
    rva: 0x42bc, va: 0x4042bc, hint: 726, name: IsDebuggerPresent -> Determines whether the calling process is being debugged by a user-mode debugger.
    rva: 0x4318, va: 0x4042bc, hint: 831, name: OutputDebugStringA -> Sends a string to the debugger for display.
[Time] <Windows Time>
    rva: 0x42d4, va: 0x4042bc, hint: 618, name: GetTickCount -> Retrieves the number of milliseconds that have elapsed since the system was started, up to 49.7 days.
[Process and Thread] <Process>
    rva: 0x42c0, va: 0x4042bc, hint: 426, name: GetCurrentProcess -> Retrieves a pseudo handle for the current process.
    rva: 0x42c4, va: 0x4042bc, hint: 1079, name: TerminateProcess -> Terminates the specified process and all of its threads.
    rva: 0x42cc, va: 0x4042bc, hint: 427, name: GetCurrentProcessId -> Retrieves the process identifier of the calling process.
    rva: 0x42e0, va: 0x4042bc, hint: 572, name: GetStartupInfoA -> Retrieves the contents of the STARTUPINFO structure that was specified when the calling process was created.
[Memory Management] <Heap>
    rva: 0x42f0, va: 0x4042bc, hint: 674, name: HeapAlloc -> Allocates a block of memory from a heap.
    rva: 0x42fc, va: 0x4042bc, hint: 550, name: GetProcessHeap -> Obtains a handle to the heap of the calling process.
    rva: 0x4300, va: 0x4042bc, hint: 678, name: HeapFree -> Frees a memory block allocated from a heap.
[Memory Management] <Global and Local>
    rva: 0x4358, va: 0x4042bc, hint: 770, name: LocalFree -> no description
[Process and Thread] <Thread>
    rva: 0x42d0, va: 0x4042bc, hint: 430, name: GetCurrentThreadId -> Retrieves the thread identifier of the calling thread.
    rva: 0x42e8, va: 0x4042bc, hint: 1067, name: Sleep -> Suspends the execution of the current thread for a specified interval.
[Memory Management] <File Mapping>
    rva: 0x4328, va: 0x4042bc, hint: 1099, name: UnmapViewOfFile -> Unmaps a mapped view of a file from the calling process's address space.
    rva: 0x4334, va: 0x4042bc, hint: 122, name: CreateFileMappingA -> Creates or opens a named or unnamed file mapping object for a specified file.
    rva: 0x433c, va: 0x4042bc, hint: 783, name: MapViewOfFile -> Maps a view of a file mapping into the address space of a calling process.
[Memory Management] <Obsolete>
    rva: 0x42f4, va: 0x4042bc, hint: 717, name: IsBadReadPtr -> no description
[File Management]
    rva: 0x431c, va: 0x4042bc, hint: 477, name: GetFullPathNameA -> Retrieves the full path and file name of the specified file.
    rva: 0x432c, va: 0x4042bc, hint: 121, name: CreateFileA -> Creates or opens a file or I/O device. The most commonly used I/O devices are as follows: file, file stream, directory, physical disk, volume, console buffer, tape drive, communications resource, mailslot, and pipe.
    rva: 0x4330, va: 0x4042bc, hint: 469, name: GetFileSize -> Retrieves the size of the specified file, in bytes.
[Time] <File Time>
    rva: 0x42c8, va: 0x4042bc, hint: 595, name: GetSystemTimeAsFileTime -> Retrieves the current system date and time in UTC format.
[System Information]
    rva: 0x42d8, va: 0x4042bc, hint: 857, name: QueryPerformanceCounter -> Retrieves the current value of the high-resolution performance counter.
[Handle and Object]
    rva: 0x4338, va: 0x4042bc, hint: 68, name: CloseHandle -> Closes an open object handle.
Resources
*********
offset: 0x3d64, size: 0x282600, language -> ID: 0, name -> ID: 1, type -> PYTHON27.DLL, signatures: ZoneAlarm data file (14 bytes), Acrobat plug-in (8 bytes), DirectShow filter (8 bytes), Audition graphic filter (8 bytes)
offset: 0x286364, size: 0xef8, language -> ID: 0, name -> ID: 1, type -> PYTHONSCRIPT
offset: 0x28725c, size: 0x208, language -> ID: 0, name -> ID: 1, type -> ID: RT_VERSION
offset: 0x287464, size: 0x256, language -> ID: 0, name -> ID: 1, type -> ID: RT_MANIFEST

Manifest
********
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
      </requestedPrivileges>
    </security>
  </trustInfo>
  <dependency>
    <dependentAssembly>
      <assemblyIdentity type="win32" name="Microsoft.VC90.CRT" version="9.0.21022.8" processorArchitecture="x86" publicKeyToken="1fc8b3b9a1e18e3b"></assemblyIdentity>
    </dependentAssembly>
  </dependency>
</assembly>

Version Information
*******************
VS_FIXEDFILEINFO
----------------
signature:        0xfeef04bd
binary version:   1.0
file version:     65536.0
product version:  65536.1
file flags mask:  0x3f
file flags:       0x0
file OS:          Windows NT, 32-bit Windows
file type:        application
file subtype:     0
file date:        0.0

StringFileInfo
--------------
language ID:      0x0409
code page:        0x04B0
FileDescription:  Totally not bad.