Summary
Visibility Public
Main file's SHA256 0003f9248eb242ed9d9921f97055d6093a47e0357625f79d0a9322ed196bc1db
Complexity Type I
Packer identification (signature based) UPX_V2_00_V2_90_Markus_Oberhumer_Laszlo_Molnar_John_Reiser, UPX_2_00_3_0X_Markus_Oberhumer_Laszlo_Molnar_John_Reiser, UPX_v2_0_Markus_Laszlo_Reiser
Number of processes 1
Number of layers 2
Packer analysis graph

File identification

General information
SHA256 0003f9248eb242ed9d9921f97055d6093a47e0357625f79d0a9322ed196bc1db
SHA1 8af418c880ae9f9ee618a9b555e6ac8bb1cbf9e9
MD5 8af826103919486219f9bfb415a02044
ssdeep 384:rxsZyxksU8Uem608hH2aKcXx+1V7276amulKwPKj8uat:F2mm8Ue108hvXxuqea
imphash e7e355ac0da5b0dd6c80ff7cfdae5e4d
authentihash -
File type PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows, UPX compressed
MIME type application/x-dosexec
First seen 2016-05-10 13:39:11
Size 23656
Known names ac.exe
TrID - File Identifier
Percentage Type
8.8% (.DLL) Win32 Dynamic Link Library (generic)
6.0% (.EXE) Win32 Executable (generic)
35.7% (.EXE) Win32 EXE Yoda's Crypter
41.1% (.EXE) UPX compressed Win32 Executable
2.7% (.EXE) Win16/32 Executable Delphi generic

Auxiliary files

Behavioural packer analysis report

Packer analysis
Complexity type Type I
Granularity Not applicable
Execution time 17s
Number of processes 1
Number of layers 2
Number of regions 3
Number of upward transitions 1
Number of downward transitions 0
Number of multiframe layers 1
Number of processes with interprocess communication 0
Number of regions that call special APIs 0
Last executed region
Process 0
Layer number 1
Region number 1
Address 0x408760
Size 216
Memory type Module
Number of functions called 351
Number of different APIs called 75
Calls APIs of GetVersion* family? Yes
Calls APIs of GetCommandLine* family? Yes
Calls APIs of GetModuleHandle* family? Yes
Modified by external process? No
Writes an executed region? Yes

Potential regions with original code

Remote memory writes

Loaded modules
By PID Start address Size Name
1140 0x400000 90112 ac.exe
1140 0x77ef0000 299008 gdi32.dll
1140 0x7c800000 1060864 kernel32.dll
1140 0x7c910000 741376 ntdll.dll
1140 0x7e390000 593920 user32.dll

Layers and regions

Summary
Layer Size Number of regions Number of frames Lowest address Highest address
0 392 KB 1 0 0x413f90 0x413f90
1 23731 KB 2 2 0x401000 0x408760
API calls
Layer Number of API calls
0 441
  Region number Address space Number of API calls
0 0x413f90-0x414118 441
DLL Function/s
ntdll.dll
  1. _stricmp
  2. bsearch
  3. KiFastSystemCall
  4. KiFastSystemCallRet
  5. LdrEnumerateLoadedModules
  6. LdrGetProcedureAddress
  7. LdrLoadDll
  8. LdrLockLoaderLock
  9. LdrUnlockLoaderLock
  10. memmove
  11. RtlAcquirePebLock
  12. RtlAllocateHeap
  13. RtlAnsiStringToUnicodeString
  14. RtlDosApplyFileIsolationRedirection_Ustr
  15. RtlEnterCriticalSection
  16. RtlEqualUnicodeString
  17. RtlFindActivationContextSectionString
  18. RtlFindCharInUnicodeString
  19. RtlFreeHeap
  20. RtlFreeUnicodeString
  21. RtlGetNtGlobalFlags
  22. RtlHashUnicodeString
  23. RtlImageDirectoryEntryToData
  24. RtlInitAnsiString
  25. RtlInitString
  26. RtlInitUnicodeString
  27. RtlLeaveCriticalSection
  28. RtlMultiByteToUnicodeN
  29. RtlQueryEnvironmentVariable_U
  30. RtlReleasePebLock
  31. RtlUpcaseUnicodeChar
  32. RtlValidateUnicodeString
  33. strchr
  34. wcschr
  35. wcslen
  36. wcsncmp
  37. wcsrchr
  38. ZwClose
  39. ZwOpenKey
  40. ZwProtectVirtualMemory
  41. ZwQueryValueKey
KERNEL32.DLL
  1. GetProcAddress
  2. InterlockedCompareExchange
  3. LoadLibraryA
  4. LoadLibraryExA
  5. LoadLibraryExW
  6. VirtualProtect
  7. VirtualProtectEx
1 359
  Region number Address space Number of API calls
0 0x401000-0x406bdb 8
DLL Function/s
ntdll.dll
  1. LdrGetProcedureAddress
  2. RtlEnterCriticalSection
  3. RtlImageDirectoryEntryToData
  4. RtlInitString
  5. RtlLeaveCriticalSection
  6. RtlNtStatusToDosError
  7. RtlNtStatusToDosErrorNoTeb
KERNEL32.DLL
  1. GetProcAddress
1 0x408760-0x408838 351
DLL Function/s
ntdll.dll
  1. bsearch
  2. CsrClientCallServer
  3. KiFastSystemCall
  4. KiFastSystemCallRet
  5. LdrGetDllHandle
  6. LdrGetDllHandleEx
  7. LdrGetProcedureAddress
  8. LdrLockLoaderLock
  9. LdrShutdownProcess
  10. LdrUnlockLoaderLock
  11. memmove
  12. RtlAcquirePebLock
  13. RtlActivateActivationContextUnsafeFast
  14. RtlAllocateHeap
  15. RtlAnsiStringToUnicodeString
  16. RtlDeactivateActivationContextUnsafeFast
  17. RtlDeleteCriticalSection
  18. RtlDosApplyFileIsolationRedirection_Ustr
  19. RtlEnterCriticalSection
  20. RtlEqualUnicodeString
  21. RtlFindActivationContextSectionString
  22. RtlFindCharInUnicodeString
  23. RtlFreeHeap
  24. RtlFreeUnicodeString
  25. RtlGetNtGlobalFlags
  26. RtlGetNtProductType
  27. RtlGetVersion
  28. RtlHashUnicodeString
  29. RtlImageDirectoryEntryToData
  30. RtlImageNtHeader
  31. RtlInitAnsiString
  32. RtlInitString
  33. RtlInitUnicodeString
  34. RtlLeaveCriticalSection
  35. RtlMultiByteToUnicodeN
  36. RtlReleasePebLock
  37. RtlUnicodeStringToAnsiString
  38. RtlUnicodeStringToOemString
  39. RtlUnicodeToMultiByteN
  40. RtlUnicodeToOemN
  41. RtlUpcaseUnicodeChar
  42. RtlValidateUnicodeString
  43. wcslen
  44. wcsncpy
  45. ZwAllocateVirtualMemory
  46. ZwClose
  47. ZwOpenKey
  48. ZwQueryInformationProcess
  49. ZwQuerySystemInformation
  50. ZwQueryValueKey
  51. ZwRequestWaitReplyPort
  52. ZwTerminateProcess
KERNEL32.DLL
  1. ExitProcess
  2. GetACP
  3. GetCommandLineA
  4. GetCPInfo
  5. GetEnvironmentStringsA
  6. GetFileType
  7. GetModuleFileNameA
  8. GetModuleFileNameW
  9. GetModuleHandleA
  10. GetModuleHandleW
  11. GetProcAddress
  12. GetStartupInfoA
  13. GetStdHandle
  14. GetVersionExA
  15. GetVersionExW
  16. GlobalMemoryStatus
  17. SetHandleCount
  18. VerifyConsoleIoHandle
  19. VirtualAlloc
  20. VirtualAllocEx
  21. WriteConsoleA
  22. WriteFile
USER32.DLL
  1. UserClientDllInitialize

Static PE information

General information
Overlay size 1128 KB
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2008-07-22 22:47:45
Entry point 0x13f90
Imports
DLL Function/s
KERNEL32.DLL
  1. ExitProcess
  2. GetProcAddress
  3. LoadLibraryA
  4. VirtualAlloc
  5. VirtualFree
  6. VirtualProtect
USER32.DLL
  1. wsprintfA

Exports

PE resources

Resource #1
Type Size Name
data 16 RT_RCDATA
SHA256 c1edb75ac470b757d29789c7797e31ee795392fd4b44b194bb2e39d6d705a2ce
SHA1 4acc6c3cd9d31239aa82c8f9faddba38460c6950
MD5 503d8b9e2d28a9091390349862a2a00e
ssdeep 3:WpAHoLt:Waq
sdhash Not applicable

PE sections

Section #1: UPX0
Name Type Entropy Raw address Raw size Virtual address Virtual size Flags
UPX0 Data 0.0 0xe000 0 0x1000 57344 0x20000000, 0x7fffffff, 0x80, 0x40000000
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
MD5 d41d8cd98f00b204e9800998ecf8427e
ssdeep 3::
sdhash Not applicable
Section #2: UPX1
Name Type Entropy Raw address Raw size Virtual address Virtual size Flags
UPX1 Data 7.86689 0x6000 20992 0xf000 24576 0x20000000, 0x40, 0x7fffffff, 0x40000000
SHA256 0f574e9dc15c46270b8921e5c5a7ab11d7c05d8adf12abfcc35f75194056d955
SHA1 66bbbf195880c25575013e423807b96b0b5c6404
MD5 551493349a2410e134646e76236fb788
ssdeep 384:hxsZyxksU8Uem608hH2aKcXx+1V7276amulKwPKj:P2mm8Ue108hvXxuqe
Section #3: .rsrc
Name Type Entropy Raw address Raw size Virtual address Virtual size Flags
.rsrc Data 2.70741 0x1000 512 0x15000 4096 0x40, 0x7fffffff, 0x40000000
SHA256 65186b05611b4ff8c61458f9eef646e2b604c852f54c3eb7adb8091b5dae30ef
SHA1 7fd7329730fdb006f4c8e39a2b518cb4231c76ce
MD5 21ca5e16a8ba01631a28f60b834cf256
ssdeep 6:1/k/cd/cclvyJYURM5yCJhllnrJ1zlGSedloBMo:1/k/cd/cUKS7JzRl1gjoB1

VirusTotal scans

File: 0003f9248eb242ed9d9921f97055d6093a47e0357625f79d0a9322ed196bc1db

Scan date: 2016-03-07 07:44:14
Antivirus Result Update
Ad-Aware Goodware 20160307
AegisLab Troj.W32.Gen 20160307
Agnitum Goodware 20160306
AhnLab-V3 Goodware 20160307
Alibaba Goodware 20160307
ALYac Goodware 20160305
Antiy-AVL Goodware 20160307
Arcabit Goodware 20160307
Avast Goodware 20160307
AVG Goodware 20160307
AVware Goodware 20160307
Baidu-International Goodware 20160306
BitDefender Goodware 20160307
Bkav Goodware 20160305
ByteHero Goodware 20160307
CAT-QuickHeal Goodware 20160305
ClamAV Goodware 20160306
CMC Goodware 20160303
Comodo Goodware 20160307
Cyren Goodware 20160307
DrWeb Goodware 20160307
Emsisoft Goodware 20160307
ESET-NOD32 Goodware 20160307
F-Prot Goodware 20160307
F-Secure Goodware 20160307
Fortinet Goodware 20160307
GData Goodware 20160307
Ikarus Goodware 20160307
Jiangmin Goodware 20160307
K7AntiVirus Goodware 20160304
K7GW Goodware 20160306
Kaspersky Goodware 20160306
Malwarebytes Goodware 20160307
McAfee Goodware 20160307
McAfee-GW-Edition Goodware 20160307
Microsoft Goodware 20160307
MicroWorld-eScan Goodware 20160307
NANO-Antivirus Goodware 20160307
nProtect Goodware 20160304
Panda Goodware 20160306
Qihoo-360 HEUR/QVM11.1.Malware.Gen 20160307
Rising Goodware 20160307
Sophos Goodware 20160307
SUPERAntiSpyware Goodware 20160306
Symantec Goodware 20160307
Tencent Goodware 20160307
TheHacker Posible_Worm32 20160305
TotalDefense Goodware 20160306
TrendMicro Goodware 20160307
TrendMicro-HouseCall Goodware 20160307
VBA32 Goodware 20160306
VIPRE Goodware 20160307
ViRobot Goodware 20160307
Zillya Goodware 20160306
Zoner Goodware 20160307