Static | ZeroBOX

PE Compile Time

2016-06-24 01:04:21

PE Imphash

0239fd611af3d0e9b0c46c5837c80e09

Sections

Name | Virtual Address | Virtual Size | Size of Raw Data | Entropy
.text 0x00001000 0x000136f5 0x00013800 6.49204829439
.rdata 0x00015000 0x00004060 0x00004200 4.25599948305
.data 0x0001a000 0x00085e24 0x00000200 0.321716074313
.x 0x000a0000 0x00002000 0x00002000 0.209428040689

Imports

Library WS2_32.dll:
0x415028 getaddrinfo
0x41502c freeaddrinfo
0x415030 closesocket
0x415034 WSAStartup
0x415038 socket
0x41503c send
0x415040 recv
0x415044 connect
Library KERNEL32.dll:
0x415000 GetProcessHeap
0x415004 HeapFree
0x415008 HeapAlloc
0x41500c SetLastError
0x415010 GetLastError
Library ole32.dll:
0x41504c CoCreateInstance
0x415050 CoInitialize
0x415054 CoUninitialize
Library OLEAUT32.dll:
0x415018 VariantInit
0x41501c SysFreeString
0x415020 SysAllocString

!This program cannot be run in DOS mode.
`.rdata
@.data
9D$(ub
L$(9L$@
v89l$D|0
uM9l$D}G
D$0;D$(
9|$4r4
9|$4r4
+L$PRQW
+D$P][_^
AP32uS
L$<+L$
L$<+L$
L$<+L$
XjTZj3f
XjNYjEf
Xjr^jlf
ZjPXjIf
Xj2_jSf
je[j3f
ZjHXjEf
WWhM8g
t8VVh@
QVVVWVV
tCVVh[
YYGt]h
WWhQ]V
QSSSSSSh
WWh_*y
WWh_*y
SWh0QA
uiSShx
t{;Atsv
u.hpSA
QQQQQQRP
uWSVW3
u.hTSA
[Sh@TA
>versu
VVVQPR
thPZA
u8hXaA
tOWVhPeA
t-Sh,dA
tOSVWh
tOSVWh
t3hPdA
tOSVWh
tOSVWh
tOSVWh
tJSVWh
t3hPdA
_PSh\QA
t2Wh@?
QWWWVWWW
uVhpiA
WVhTlA
j*XjMf
XjiYjlf
HSVWjAXjcYjof
Xjt[j*f
Xjf_j%f
Yj\ZjDf
Xje^jkf
YjSXjof
HSVWj%Xjsf
Xji[jlf
Xjo^jt_jfZjef
XjrYjPf
jmXjlf
pSVWj%ZjS^jYXjTf
XjEYjMf
ZjoXjff
Xja[jrf
Xje_jnf
ji^jlZjgf
Yj\XjD_jtf
_jmXj.f
SVWjSXjof
Xjr[je^j\ZjWf
XjiYjn_jCf
YjUXjAf
DSVWj%Xjsf
Xje[jr_jaf
Xj ^jMZjiYjlf
WVh`sA
0SVWj%Xjs[j\Zj._jpYju^jrf
YjeXjaf
4SVWj%Xjsf
Xj\^jPf
Xjo_jcZjmf
XjaYji[jlf
SVWjSXjOf
XjE[j\Yjf_jl^jaf
XjkZjaf
jmZVXjp^j.f
^juYjhf
YjaXjpf
YjaXjpf
js[jmXjaYj.f
YjtZjp^jaf
[jmXjaf
ZjpXjhf
ju^jhXjef
^jpXjof
VjaXjdf
PSVWj%Xjsf
Xj\[jTf
Xju^jlYjyf
XjaZji_jDf
SVWj%Xjsf
Xj\Yjyf
Xj2ZjPf
YjOXj3f
Xj.[jx^jm_jlf
j\XjSf
Yj%Xjsf
j\XjyZjMf
XjiYj\f
VShLwA
VShhwA
7PSh|wA
umj1Xf
u.hpiA
<0u8Wh
t]VWh0
Vj*Xj.f
SVWj*Xj.f
XjnYjff
Xjs[j\_jNf
Xjo^jtZjef
YjFXjlf
HSVWj%Xjsf
XjoYjnf
Xje[jpf
Xjt_jwf
XjlZjd^j\f
YjoXjzf
j8Xj.f
SVWj*Xj.Zjpf
XjgYj%f
Zj\Xjtf
Xjc[jk_je^j\f
j%Xjsf
TSVWj%Xjs^j\[jMf
XjiZjcYjrf
XjS_jkf
j*Xj.f
8VWj%Xjs_j\^jTf
XjoZj-f
XjDYj f
YjLXjif
j%XjsYj\f
j*Xj.f
XjsYj\f
$SVWj*[j._jk^jdZjbYjxXf
(j%Xjsf
Xj ZjRf
XjoYjbf
,VWj*Xj.f
Xjb_jMf
Xji^jkYjrf
XjoZjtf
@SVWjSXjof
Xjt^jwf
Xjr[je_jFf
XjlZj YjTf
8VWjPXja^jsYjwf
XjrZjdf
jSXjof
SjcXj:f
jSXjoZjf
Xjr[jef
XjB_j Yjaf
XjiYjnf
Xjs[j\f
ZjtXjaf
YjeXjAf
VjPXjof
XjrYjSf
Sj%XjsYj\f
u@h(mA
uLh(mA
j.Xjzf
(Vj*Xj.f
XjmZjsYjc^jwf
WWh_*y
QQSVWh
tqNt*Nt
PWh\QA
jOXjLf
Xj3[j2_j.ZjdYjl^f
PPhM8g
t:WPVh
$@0123456789ABCDEF
UNIQUE
SQLite format 3
DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW
http://
https://
MachineGuid
SOFTWARE\Microsoft\Cryptography
LdrGetProcedureAddress
RtlNtStatusToDosError
RtlSetLastWin32Error
ZwQueryInformationProcess
RtlCreateUserThread
ZwAllocateVirtualMemory
NtFreeVirtualMemory
NtWriteVirtualMemory
ZwReadVirtualMemory
ZwResumeThread
last_compatible_version
password_value
username_value
origin_url
logins
VaultEnumerateItems
VaultEnumerateVaults
VaultFree
VaultGetItem
VaultOpenVault
VaultCloseVault
SELECT encryptedUsername, encryptedPassword, formSubmitURL, hostname FROM moz_logins
hostname
encryptedUsername
encryptedPassword
NSS_Init
NSS_Shutdown
PK11_GetInternalKeySlot
PK11_FreeSlot
PK11_Authenticate
PK11SDR_Decrypt
PK11_CheckUserPassword
SECITEM_FreeItem
sqlite3_finalize
sqlite3_step
sqlite3_close
sqlite3_column_text
sqlite3_open16
sqlite3_prepare_v2
sqlite3_prepare
ffffff
CloseHandle
CreateFileW
WriteFile
ExitProcess
CryptStringToBinaryA
StrStrA
GetProcAddress
LoadLibraryW
X!2$6*9(SKiasb+!v<.qF58_qwe~QsRTYvdeTYb
string
Server
settings
server
username
protocol
LsaICryptUnprotectData
UserName
Password
MAC=%02X%02X%02XINSTALL=%08X%08Xk
Fuckav.ru
aPLib v1.01 - the smaller the better :)
Copyright (c) 1998-2009 by Joergen Ibsen, All Rights Reserved.
More information: http://www.ibsensoftware.com/
Qkkbal
getaddrinfo
freeaddrinfo
WS2_32.dll
GetLastError
SetLastError
HeapAlloc
HeapFree
GetProcessHeap
KERNEL32.dll
CoInitialize
CoUninitialize
CoCreateInstance
ole32.dll
OLEAUT32.dll
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
Windows
Program Files
%s\%s\%s%s
%s\%s%s
U2XpekVvtYq0fwsx7EDuZjrCo9GcF1B6Hl358mbznyLWdMANa4TSKJhIiOPgQR
ySeDebugPrivilege
ntdll.dll
%s\%s\User Data\Default\Login Data
%s\%s\User Data\Default\Web Data
%s%s\Login Data
%s%s\Default\Login Data
Comodo\Dragon
MapleStudio\ChromePlus
Google\Chrome
Nichrome
RockMelt
Chromium
Titan Browser
Yandex\YandexBrowser
Epic Privacy Browser
CocCoc\Browser
Vivaldi
Comodo\Chromodo
Superbird
Coowon\Coowon
Mustang Browser
360Browser\Browser
CatalinaGroup\Citrio
Google\Chrome SxS
Orbitum
Iridium
\Opera\Opera Next\data
\Opera Software\Opera Stable
\Fenrir Inc\Sleipnir\setting\modules\ChromiumViewer
\Fenrir Inc\Sleipnir5\setting\modules\ChromiumViewer
vaultcli.dll
tSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2
%s%02X
file:///
Software\Microsoft\Internet Explorer\TypedURLs
%s\logins.json
%s\prefs.js
%s\signons.sqlite
signons.txt
signons2.txt
signons3.txt
%s\Mozilla\Firefox\profiles.ini
%s\Mozilla\Firefox\Profiles\%s
%s\Mozilla\SeaMonkey\profiles.ini
%s\Mozilla\SeaMonkey\Profiles\%s
%s\Flock\Browser\profiles.ini
%s\Flock\Browser\Profiles\%s
%s\Thunderbird\profiles.ini
%s\Thunderbird\Profiles\%s
%s\K-Meleon\profiles.ini
%s\K-Meleon\%s
%s\Comodo\IceDragon\profiles.ini
%s\Comodo\IceDragon\Profiles\%s
%s\NETGATE Technologies\BlackHawk\profiles.ini
%s\NETGATE Technologies\BlackHawk\Profiles\%s
%s\Postbox\profiles.ini
%s\Postbox\Profiles\%s
%s\8pecxstudios\Cyberfox\profiles.ini
%s\8pecxstudios\Cyberfox\Profiles\%s
%s\Moonchild Productions\Pale Moon\profiles.ini
%s\Moonchild Productions\Pale Moon\Profiles\%s
%s\FossaMail\profiles.ini
%s\FossaMail\Profiles\%s
%s\Lunascape\Lunascape6\plugins\{9BDD5314-20A6-4d98-AB30-8325A95771EE}\data
Profile%i
Profiles/
%s\nss3.dll
sqlite3.dll
mozsqlite3.dll
nss3.dll
eCurrentVersion
SOFTWARE\Mozilla\Mozilla Firefox
%s\%s\Main
Install Directory
PathToExe
SOFTWARE\Mozilla\Mozilla Thunderbird
SOFTWARE\Mozilla\FossaMail
SOFTWARE\Postbox\Postbox
SOFTWARE\Mozilla\Flock
SOFTWARE\Flock\Flock
%ProgramW6432%
%s\NETGATE\Black Hawk
SOFTWARE\Mozilla\Pale Moon
%s\Lunascape\Lunascape6\plugins\{9BDD5314-20A6-4d98-AB30-8325A95771EE}
SOFTWARE\K-Meleon
SetupPath
SOFTWARE\ComodoGroup\IceDragon\Setup
RootDir
SOFTWARE\8pecxstudios\Cyberfox86
SOFTWARE\8pecxstudios\Cyberfox
SOFTWARE\mozilla.org\SeaMonkey
%s\Mozilla\Profiles
SOFTWARE\Mozilla\SeaMonkey
SOFTWARE\Mozilla\Waterfox
firefox.exe
kernel32.dll
sCrypt32.dll
Shlwapi.dll
%s\Opera
wand.dat
bform_password_control
form_username_control
Software\QtWeb.NET\QtWeb Internet Browser\AutoComplete
%s\QupZilla\profiles\default\browsedata.db
InstallDir
SOFTWARE\Apple Computer, Inc.\Safari
%s\Apple Computer\Preferences\keychain.plist
%s\Apple Application Support\plutil.exe
-convert xml1 -s -o %s "%s"
%s\Data\AccCfg\Accounts.tdat
%s\Storage
Account.rec0
%s\Foxmail\mail
%SYSTEMDRIVE%
Foxmail*
EmailAddress
Technology
PopServer
PopPort
PopAccount
PopPassword
SmtpServer
SmtpPort
SmtpAccount
SmtpPassword
Software\IncrediMail\Identities
UserName
Passwd
POP3Server
POP3Port
SMTP Email Address
SMTP Server
SMTP User Name
SMTP User
POP3 Server
POP3 User Name
POP3 User
NNTP Email Address
NNTP User Name
NNTP Server
IMAP Server
IMAP User Name
IMAP User
HTTP User
HTTP Server URL
HTTPMail User Name
HTTPMail Server
POP3 Port
SMTP Port
IMAP Port
POP3 Password2
IMAP Password2
NNTP Password2
HTTPMail Password2
SMTP Password2
POP3 Password
IMAP Password
NNTP Password
HTTP Password
SMTP Password
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook
Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook
%s\32BitFtp.TMP
%s\32BitFtp.ini
%s\Estsoft\ALFTP\ESTdb2.dat
%s\site.xml
%s\BitKinex\bitkinex.ds
*.bscp
LastUsedProfile
Software\Bitvise\BvSshClient
%s\BlazeFtp\site.dat
Software\FlashPeak\BlazeFtp\Settings
LastPassword
LastUser
LastAddress
LastPort
Server
Password
_Password
Software\NCH Software\ClassicFTP\FTPAccounts
%s\Cyberduck
user.config
%s\iterate_GmbH
%s\EasyFTP\data
%s\ExpanDrive
*favorites.js
drives.js
HostName
Software\Far\Plugins\FTP\Hosts
Software\Far2\Plugins\FTP\Hosts
%s\Far Manager\Profile\PluginsData\42E4AEB1-A230-44F4-B33C-F195BB654931.db
%s\FileZilla\Filezilla.xml
%s\FileZilla\filezilla.xml
%s\FileZilla\recentservers.xml
%s\FileZilla\sitemanager.xml
%s\FlashFXP
*Sites.dat
*quick.dat
FtpServer
FtpUserName
FtpPassword
_FtpPassword
Software\NCH Software\Fling\Accounts
%s\FreshWebmaster\FreshFTP\FtpSites.SMF
%s\FTPBox\profiles.conf
%s\FTPGetter\Profile\servers.xml
%s\FTPGetter\servers.xml
%s\FTPInfo\ServerList.xml
%s\FTPInfo\ServerList.cfg
%s\FTP Navigator\Ftplist.txt
%s\FTP Now\sites.xml
%s\FTPShell\ftpshell.fsi
%s\.config\fullsync\profiles.xml
%s\DeluxeFTP\sites.xml
%s\GoFTP\settings\Connections.txt
JaSFtp
AbleFTP
Automize
%s\%s%i\encPwd.jsd
%s\%s%i\data\settings\sshProfiles-j.jsd
%s\%s%i\data\settings\ftpProfiles-j.jsd
Software\LinasFTP\Site Manager
%s\oZone3D\MyFTP\myftp.ini
%s\NetDrive\NDSites.ini
%s\NetDrive2\drives.dat
%s\Fastream NETFile\My FTP Links
%s\NexusFile\userdata\ftpsite.ini
%s\NexusFile\ftpsite.ini
%s\INSoftware\NovaFTP\NovaFTP.db
%s\Notepad++\plugins\config\NppFTP\NppFTP.xml
%s\Odin Secure FTP Expert\QFDefault.QFQ
%s\Odin Secure FTP Expert\SiteInfo.QFP
PublicKeyFile
TerminalType
PortNumber
Software\9bis.com\KiTTY\Sessions
Software\SimonTatham\PuTTY\Sessions
%s_dec
lsasrv.dll
lsass.exe
%s\Microsoft\Credentials
Config Path
Software\VanDyke\SecureFX
%s\Sessions
%s\SftpNetDrive
%s\Sherrod Computers\sherrod FTP\favorites
#document.favoriteManager*
%s\SmartFTP
{*.xml
%s\Staff-FTP\sites.ini
%s\Steed\bookmarks.txt
%s\SuperPutty
Sessions*
sftp://
ftp://
ftps://
http://
https://
{.:CRED:.}
{CREN}
{CRDB}
Profiles
%s\Syncovery
Syncovery.ini
%s\wcx_ftp.ini
%s\GHISLER\wcx_ftp.ini
FtpIniName
Software\Ghisler\Total Commander
%s\UltraFXP\sites.xml
%s\WinFtp Client\Favorites.dat
FSProtocol
Software\Martin Prikryl
%s\WS_FTP\WS_FTP.INI
%s\WS_FTP.INI
%s\Ipswitch
ws_ftp.ini
%s\NetSarang\Xftp\Sessions
%s\%s\%s.exe
%s\%s.%s
Antivirus | Signature
Bkav W32.AIDetect.malware1
Lionic Clean
Elastic malicious (high confidence)
MicroWorld-eScan Trojan.PWS.ZKD
FireEye Generic.mg.e8ff2b3aaa1cbbb7
CAT-QuickHeal Trojan.Mauvaise.SL1
McAfee LokiBot!E8FF2B3AAA1C
Cylance Unsafe
VIPRE Clean
Sangfor Trojan.Win32.Save.a
K7AntiVirus Password-Stealer ( 004d88671 )
BitDefender Trojan.PWS.ZKD
K7GW Password-Stealer ( 004d88671 )
Cybereason malicious.aaa1cb
BitDefenderTheta Gen:NN.ZexaF.34058.gqW@aOzWOyp
Cyren W32/S-f2ff7de9!Eldorado
Symantec Infostealer.Lokibot!gm
ESET-NOD32 Win32/PSW.Fareit.L
Baidu Clean
APEX Malicious
Paloalto Clean
ClamAV Win.Trojan.Autoit-7057849-0
Kaspersky Trojan.Win32.Agentb.bvrg
Alibaba Clean
NANO-Antivirus Trojan.Win32.Stealer.eshrhl
ViRobot Trojan.Win32.Agent.106496.HD
Tencent Malware.Win32.Gencirc.10b3c757
Ad-Aware Trojan.PWS.ZKD
TACHYON Trojan/W32.naKocTb.106496
Emsisoft Trojan-PSW.Fareit (A)
Comodo TrojWare.Win32.Fareit.LB@7pzcfo
F-Secure Clean
DrWeb Trojan.PWS.Siggen2.59088
Zillya Trojan.naKocTb.Win32.12
TrendMicro TSPY_LOKI.SMA
McAfee-GW-Edition BehavesLike.Win32.LokiBot.ch
CMC Clean
Sophos ML/PE-A + Troj/Fareit-CHG
Ikarus Trojan-Spy.LokiBot
GData Trojan.PWS.ZKD
Jiangmin Trojan.naKocTb.l
Webroot Clean
Avira TR/Crypt.XPACK.Gen
Antiy-AVL Trojan/Generic.ASMalwS.1B6B4C6
Kingsoft Clean
Gridinsoft Malware.Win32.Gen.bot!se39734
Arcabit Trojan.PWS.ZKD
SUPERAntiSpyware Trojan.Agent/Gen-PasswordStealer
ZoneAlarm Clean
Microsoft PWS:Win32/PrimaryPass.AD!MTB
Cynet Malicious (score: 100)
AhnLab-V3 Trojan/Win32.Lokibot.R270234
Acronis suspicious
VBA32 BScope.Trojan.Agentb
MAX malware (ai score=81)
Malwarebytes Spyware.LokiBot
Panda Trj/GdSda.A
Zoner Trojan.Win32.77501
TrendMicro-HouseCall TSPY_LOKI.SMA
Rising Trojan.Lokibot!1.B343 (CLASSIC)
Yandex Trojan.GenAsa!SBszS2bfSB0
SentinelOne Static AI - Suspicious PE
eGambit Unsafe.AI_Score_99%
Fortinet W32/Generic.AC.359BF1!tr
MaxSecure Trojan.Malware.300983.susgen
AVG Win32:LokiBot-A [Trj]
Avast Win32:LokiBot-A [Trj]
CrowdStrike win/malicious_confidence_100% (D)
Qihoo-360 HEUR/QVM20.1.08E5.Malware.Gen
No IRMA results available.