PE Compile Time

2011-07-06 16:24:15

PE Imphash

913cedd60e40282bc82499aa56a78fd2

Sections

Name Virtual Address Virtual Size Size of Raw Data Entropy
.text 0x00001000 0x0000134c 0x00001400 5.84435829484
.data 0x00003000 0x00000010 0x00000200 0.143458825305
.rdata 0x00004000 0x00000520 0x00000600 2.95751713433
.bss 0x00005000 0x00000060 0x00000000 0.0
.idata 0x00006000 0x00000614 0x00000800 3.81531807057
.rsrc 0x00007000 0x0000ccf0 0x0000ce00 5.81074892566

Resources

Name Offset Size Language Sub-language File type
JPEG 0x0000e04c 0x00003400 LANG_ENGLISH SUBLANG_ENGLISH_US data
JPEG 0x0000e04c 0x00003400 LANG_ENGLISH SUBLANG_ENGLISH_US data
RT_ICON 0x0001144c 0x000025a8 LANG_ENGLISH SUBLANG_ENGLISH_US Device independent bitmap graphic, 48 x 96 x 32, image size 0
RT_GROUP_ICON 0x000139f4 0x00000014 LANG_ENGLISH SUBLANG_ENGLISH_US data
RT_VERSION 0x00013a08 0x000002e8 LANG_ENGLISH SUBLANG_ENGLISH_US data

Imports

Library ADVAPI32.DLL:
0x406150 RegCloseKey
0x406154 RegOpenKeyExW
0x406158 RegQueryValueExW
Library KERNEL32.dll:
0x406164 AddAtomA
0x406168 CloseHandle
0x40616c CopyFileW
0x406170 CreateFileW
0x406174 DeleteFileW
0x406178 ExitProcess
0x40617c FindAtomA
0x406180 FindResourceW
0x406184 GetAtomNameA
0x406188 GetDateFormatW
0x40618c GetFileAttributesW
0x406190 GetModuleFileNameW
0x406194 GetModuleHandleA
0x406198 GetProcAddress
0x40619c GetShortPathNameW
0x4061a0 GetTempPathW
0x4061a4 GetTimeFormatW
0x4061a8 LoadResource
0x4061ac OutputDebugStringW
0x4061b0 SetFileAttributesW
0x4061b4 SetFilePointer
0x4061bc SizeofResource
0x4061c0 Sleep
0x4061c4 VirtualProtect
0x4061c8 VirtualQuery
0x4061cc WriteFile
Library msvcrt.dll:
0x4061d8 __getmainargs
0x4061dc __p__environ
0x4061e0 __p__fmode
0x4061e4 __set_app_type
0x4061e8 _assert
0x4061ec _cexit
0x4061f0 _iob
0x4061f4 _onexit
0x4061f8 _setmode
0x4061fc abort
0x406200 atexit
0x406204 free
0x406208 malloc
0x40620c memcpy
0x406210 signal
0x406214 wcscat
0x406218 wcslen
0x40621c wcsncat
0x406220 wcsncpy
Library SHELL32.DLL:
0x40622c ShellExecuteW

Strings

!This program cannot be run in DOS mode.
P`.data
.rdata
`@.bss
.idata
libgcj_s.dll
_Jv_RegisterClasses
../../runtime/pseudo-reloc.c
VirtualQuery (addr, &b, sizeof(b))
../../../../gcc-4.4.1/libgcc/../gcc/config/i386/cygming-shared-data.c
0 && "Couldn't retrieve name of GCClib shared data atom"
ret->size == sizeof(__cygming_shared) && "GCClib shared data size mismatch"
0 && "Couldn't add GCClib shared data atom"
-GCCLIBCYGMING-EH-TDM1-SJLJ-GTHR-MINGW32
RegCloseKey
RegOpenKeyExW
RegQueryValueExW
AddAtomA
CloseHandle
CopyFileW
CreateFileW
DeleteFileW
ExitProcess
FindAtomA
FindResourceW
GetAtomNameA
GetDateFormatW
GetFileAttributesW
GetModuleFileNameW
GetModuleHandleA
GetProcAddress
GetShortPathNameW
GetTempPathW
GetTimeFormatW
LoadResource
OutputDebugStringW
SetFileAttributesW
SetFilePointer
SetUnhandledExceptionFilter
SizeofResource
VirtualProtect
VirtualQuery
WriteFile
__getmainargs
__p__environ
__p__fmode
__set_app_type
_assert
_cexit
_onexit
_setmode
atexit
malloc
memcpy
signal
wcscat
wcslen
wcsncat
wcsncpy
ShellExecuteW
ADVAPI32.DLL
KERNEL32.dll
msvcrt.dll
SHELL32.DLL
!This program cannot be run in DOS mode.
P`.data
.rdata
`@.bss
.edata
0@.idata
.reloc
}$;] t-
@DCUNG
libgcj_s.dll
_Jv_RegisterClasses
AcsHlpAttemptConnection
AcsHlpNbConnection
AcsHlpNoteNewConnection
WSAttemptAutodialAddr
WSAttemptAutodialName
WSNoteSuccessfulHostentLookup
istd::exception
std::bad_exception
__gnu_cxx::__concurrence_lock_error
__gnu_cxx::__concurrence_unlock_error
pure virtual method called
../../runtime/pseudo-reloc.c
VirtualQuery (addr, &b, sizeof(b))
../../../../gcc-4.4.1/libgcc/../gcc/config/i386/cygming-shared-data.c
0 && "Couldn't retrieve name of GCClib shared data atom"
ret->size == sizeof(__cygming_shared) && "GCClib shared data size mismatch"
0 && "Couldn't add GCClib shared data atom"
-GCCLIBCYGMING-EH-TDM1-SJLJ-GTHR-MINGW32
N10__cxxabiv115__forced_unwindE
N10__cxxabiv117__class_type_infoE
N10__cxxabiv119__foreign_exceptionE
N10__cxxabiv120__si_class_type_infoE
N9__gnu_cxx24__concurrence_lock_errorE
N9__gnu_cxx26__concurrence_unlock_errorE
St13bad_exception
St9exception
St9type_info
rasadhlp.dll
AcsHlpAttemptConnection
AcsHlpNbConnection
AcsHlpNoteNewConnection
WSAttemptAutodialAddr
WSAttemptAutodialName
WSNoteSuccessfulHostentLookup
CoInitialize
CoUninitialize
ObjectFromLresult
SysAllocString
SysFreeString
AddAtomA
CloseHandle
CreateSemaphoreA
CreateThread
DisableThreadLibraryCalls
FindAtomA
GetAtomNameA
GetCurrentThreadId
GetLastError
GetModuleHandleA
GetProcAddress
GetSystemDirectoryW
InterlockedDecrement
InterlockedIncrement
LoadLibraryW
ReleaseSemaphore
SetLastError
TlsAlloc
TlsFree
TlsGetValue
TlsSetValue
VirtualProtect
VirtualQuery
WaitForSingleObject
_write
__dllonexit
_assert
_errno
fflush
malloc
memcpy
strcmp
wcscmp
wcslen
wcsncat
DispatchMessageW
EnumChildWindows
FindWindowExW
FindWindowW
GetClassNameW
GetCursorPos
GetMessageW
KillTimer
RegisterWindowMessageW
SendMessageTimeoutW
SetTimer
TranslateMessage
WindowFromPoint
OLE32.dll
Oleacc.dll
OLEAUT32.DLL
KERNEL32.dll
msvcrt.dll
msvcrt.dll
USER32.dll
0=0E0i0s0
2!212P2t2
3*3I3e3l3y3
5;5E5X5
707A7w7
9<<C<P<F=a=i=q=
3(383H3X3h3t3
8;8c8}8
8;9T9`9
9-:4:A:U:]:y:
<#<9<@<M<b<k<
=(=G=O=W=
>(>.>9>[>c>k>
?k?p?{?
0:0B0J0
0G1M1X1r1
666;6D6R6Z6d6n6w6
8,8H8T8g8
>)?R?i?
6&6.666>6F6N6V6^6f6n6v6~6
7&7.767>7~7
@:D:H:L:P:T:X:\:`:d:h:l:p:
?$?(?,?0?4?8?<?@?D?H?d?h?l?p?|?
0*1(0&
Alimama.com Corporation Root CA0
101231160000Z
121231160000Z0*1(0&
Alimama.com Corporation Root CA0
,0*1(0&
Alimama.com Corporation Root CA
.E/!_aW&c*0
VeriSign, Inc.1+0)
"VeriSign Time Stamping Services CA0
070615000000Z
120614235959Z0\1
VeriSign, Inc.1402
+VeriSign Time Stamping Services Signer - G20
6^bMRQ4q
JcEG.k
http://ocsp.verisign.com0
"http://crl.verisign.com/tss-ca.crl0
TSA1-20
Western Cape1
Durbanville1
Thawte1
Thawte Certification10
Thawte Timestamping CA0
031204000000Z
131203235959Z0S1
VeriSign, Inc.1+0)
"VeriSign Time Stamping Services CA0
http://ocsp.verisign.com0
0http://crl.verisign.com/ThawteTimestampingCA.crl0
TSA2048-1-530
?7!Op1
0>0*1(0&
Alimama.com Corporation Root CA
l7/W
VeriSign, Inc.1+0)
"VeriSign Time Stamping Services CA
110706131615Z0#
UG<{-sUb
!This program cannot be run in DOS mode.
P`.data
.rdata
`@.bss
.idata
0*1(0&
Alimama.com Corporation Root CA0
101231160000Z
121231160000Z0*1(0&
Alimama.com Corporation Root CA0
,0*1(0&
Alimama.com Corporation Root CA
.E/!_aW&c*
libgcj_s.dll
_Jv_RegisterClasses
../../runtime/pseudo-reloc.c
VirtualQuery (addr, &b, sizeof(b))
../../../../gcc-4.4.1/libgcc/../gcc/config/i386/cygming-shared-data.c
0 && "Couldn't retrieve name of GCClib shared data atom"
ret->size == sizeof(__cygming_shared) && "GCClib shared data size mismatch"
0 && "Couldn't add GCClib shared data atom"
-GCCLIBCYGMING-EH-TDM1-SJLJ-GTHR-MINGW32
waveOutGetVolume
waveOutSetVolume
AddAtomA
CloseHandle
CreateFileW
DeleteFileW
ExitProcess
FindAtomA
GetAtomNameA
GetModuleFileNameW
GetModuleHandleA
GetProcAddress
GetShortPathNameW
GetTempPathW
OutputDebugStringW
SetUnhandledExceptionFilter
VirtualProtect
VirtualQuery
WriteFile
__getmainargs
__p__environ
__p__fmode
__set_app_type
_assert
_cexit
_onexit
_setmode
atexit
malloc
memcpy
signal
wcscat
wcslen
wcsncat
ShellExecuteW
DispatchMessageW
FindWindowExW
FindWindowW
GetMessageW
GetWindowLongW
KillTimer
PostMessageW
SetTimer
TranslateMessage
keybd_event
WINMM.DLL
KERNEL32.dll
msvcrt.dll
SHELL32.DLL
USER32.dll
""r"'"r"!"
r""""""
""""""r"""""" p
r"""""r p
""""""ww"x
'""r"r'"'""r
"'""r"r
wwwwwwwwwwwwwp
H?aUwtlwfr%KnqjxaNsyjwsjy%J}uqtwjwawfxfimqu3iqq
myyuaxmjqqatujsahtrrfsi
awfxfimqu3iqq
cmd.exe
/c del /A
AddCer.exe
8:27:41 AMABCDEF...MainExe...0123456789abcdef....
_6wfxfimqu3oul
http://www.taobao.com/go/chn/tbk_channel/channelcode.php?pid=mm_12285662_0_0&eventid=101329
http://www.taobao.com/
IEFrame
Internet Explorer_Server
WM_HTML_GETOBJECT
interactive
complete
\rasadhlp.dll
VS_VERSION_INFO
StringFileInfo
080404B0
CompanyName
Microsoft Corporation
FileDescription
Remote Access AutoDial Helper
FileVersion
6, 1, 7600, 16388
InternalName
rasadhlp.dll
LegalCopyright
Microsoft Corporation. All rights reserved.
OriginalFilename
rasadhlp.dll
ProductName
Microsoft Windows Operating System
ProductVersion
6.1.7600.16388
VarFileInfo
Translation
<<<Obsolete>>
cmd.exe
/c del /A
z1yuny4n.cer
rundll32.exe
0123456789ABCDEF...AddCer...0123456789abcdef....
cryptext.dll,CryptExtAddCER
#32770
Button
(&N) >
VS_VERSION_INFO
StringFileInfo
080404B0
CompanyName
Tencent
FileDescription
QQRecycle
FileVersion
1, 61, 2103, 0
InternalName
QQRecycle
LegalCopyright
Copyright 2010 Tencent. All Rights Reserved
OriginalFilename
QQRecycle.exe
ProductName
QQ2011
ProductVersion
1.61.2103.0
VarFileInfo
Translation
VS_VERSION_INFO
StringFileInfo
080404B0
CompanyName
Tencent
FileDescription
QQRecycle
FileVersion
1, 61, 2011, 0
InternalName
QQRecycle
LegalCopyright
Copyright 2010 Tencent. All Rights Reserved
OriginalFilename
QQRecycle.exe
ProductName
QQ2011
ProductVersion
1.61.2011.0
VarFileInfo
Translation
No antivirus signatures available.

IRMA Signature

Trend Micro SProtect (Linux) Clean
Avast Core Security (Linux) Win32:Malware-gen
C4S ClamAV (Linux) Clean
Trellix (Linux) GenericR-OCV
Sophos Anti-Virus (Linux) Clean
Bitdefender Antivirus (Linux) Gen:Variant.Fragtor.784197
G Data Antivirus (Windows) Virus: Gen:Variant.Fragtor.784197 (Engine A)
WithSecure (Linux) Heuristic.HEUR/AGEN.1343123
ESET Security (Windows) a variant of Win32/Agent.AADS trojan
DrWeb Antivirus (Linux) Trojan.MulDrop2.56433
ClamAV (Linux) Clean
eScan Antivirus (Linux) Gen:Variant.Fragtor.784197(DB)
Kaspersky Standard (Windows) Trojan.Win32.Agent.ilaf
Emsisoft Commandline Scanner (Windows) Gen:Variant.Fragtor.784197 (B)