AV results for Etumbot Backdoor (malware - APT):
MD5 ff5a7a610746ab5492cc6ab284138852
SHA-1 34e4692f35e809bb281fa7455f661057c6d5c9e2
SHA-256 89983ea32ba4ddf50ef488653be07d30ed77c09d77b03c5bd3eaac5e8497970e
AVG SHeur4.BSAN 20140613
Ad-Aware Trojan.GenericKD.1597427 20140613
Agnitum Trojan.Agent!Bn8DSJ/FD8s 20140614
AhnLab-V3 Dropper/Win32.Agent 20140613
AntiVir TR/Dropper.Gen 20140613
Antiy-AVL Trojan/Win32.Agent 20140613
Baidu-International Trojan.Win32.Agent.aN 20140613
BitDefender Trojan.GenericKD.1597427 20140613
DrWeb Trojan.DownLoader9.41796 20140613
Emsisoft Trojan.GenericKD.1597427 (B) 20140613
F-Secure Trojan.GenericKD.1597427 20140613
Fortinet W32/Agent.AFSHQ!tr 20140613
GData Trojan.GenericKD.1597427 20140613
Ikarus Trojan.Win32.Agent 20140613
K7AntiVirus Riskware ( 0040eff71 ) 20140613
K7GW Trojan ( 050000001 ) 20140613
Kaspersky Trojan.Win32.Agent.afshq 20140613
McAfee RDN/Generic BackDoor!xi 20140613
McAfee-GW-Edition RDN/Generic BackDoor!xi 20140615
MicroWorld-eScan Trojan.GenericKD.1597427 20140613
Microsoft Trojan:Win32/Dynamer 20140613
NANO-Antivirus Trojan.Win32.Agent.cufuaq 20140613
Norman Obfuscated.W!genr 20140613
Qihoo-360 HEUR/Malware.QVM07.Gen 20140613
Rising PE:Malware.FakeXLS@CV!1.6AC3 20140613
Sophos Troj/Etumbot-B 20140613
TotalDefense Win32/FakeExcel_i 20140613
TrendMicro BKDR_ETUMBOT.UQU 20140613
TrendMicro-HouseCall BKDR_ETUMBOT.UQU 20140613
VIPRE Trojan.Win32.Generic!BT 20140613
nProtect Trojan/W32.Agent.94720.ACP 20140613
Is a Win32 executable
Size of header 00000040h / 64
File size in header 00000490h / 1168
Entrypoint 00000040h / 64
Overlay size 00016D70h / 93552
No relocation entries
PE EXE at offset 000000D0h / 208
Entrypoint 0000258Bh / 9611
Entrypoint RVA 0000318Bh
Entrypoint section .text
Calculated PE EXE size 00017200h / 94720
Image base 00400000h / 4194304
Required CPU type 80386
Required OS 4.00 - Win 95 or NT 4
Subsystem Windows GUI
Linker version 6.00
Stack reserve 00100000h / 1048576
Stack commit 00001000h / 4096
Heap reserve 00100000h / 1048576
Heap commit 00001000h / 4096
Flags:
Relocation info stripped from file
File is executable
Line numbers stripped from file
Local symbols stripped from file
Machine based on 32-bit-word architecture
Sections according to section table (section align: 00001000h):
Name RVA Virt size Phys offs Phys size Phys end Flags
.text 00001000h 00005A94h 00000400h 00005C00h 00006000h 60000020
.rdata 00007000h 00000A1Ah 00006000h 00000C00h 00006C00h 40000040
.data 00008000h 0000F65Ch 00006C00h 00000A00h 00007600h C0000040
.rsrc 00018000h 0000FA98h 00007600h 0000FC00h 00017200h 40000040
Listing of all used data directory entries (used: 3, total: 16):
Name Phys offs RVA Phys size Section
Import Table 000064D4h 000074D4h 0000003Ch .rdata
Resource Table 00007600h 00018000h 0000FA98h .rsrc
Import Address Table 00006000h 00007000h 000000F4h .rdata
Functions from the following DLLs are imported:
[0] KERNEL32.dll
[1] SHELL32.dll
Resources at offset 00007600h (RVA 00018000h) for 64152 bytes:
Type 80000268h / 2147484264:
ID: 00002AF9h / 11001
RVA: 00018280h; Offset: 00007880h; Size: 35260 bytes
ID: 00002AFAh / 11002
RVA: 00020C40h; Offset: 00010240h; Size: 4699 bytes
Icon:
ID: 00000001h / 1
RVA: 00021EA0h; Offset: 000114A0h; Size: 744 bytes
ID: 00000002h / 2
RVA: 00022188h; Offset: 00011788h; Size: 296 bytes
ID: 00000003h / 3
RVA: 000222B0h; Offset: 000118B0h; Size: 3752 bytes
ID: 00000004h / 4
RVA: 00023158h; Offset: 00012758h; Size: 2216 bytes
ID: 00000005h / 5
RVA: 00023A00h; Offset: 00013000h; Size: 1384 bytes
ID: 00000006h / 6
RVA: 00023F68h; Offset: 00013568h; Size: 9640 bytes
ID: 00000007h / 7
RVA: 00026510h; Offset: 00015B10h; Size: 4264 bytes
ID: 00000008h / 8
RVA: 000275B8h; Offset: 00016BB8h; Size: 1128 bytes
Icon Group:
ID: 00000065h / 101
RVA: 00027A20h; Offset: 00017020h; Size: 118 bytes
Total resource size: 64117 bytes (data: 63501 bytes, TOC: 616 bytes)
Processed/created with:
Found compiler 'Visual C++ 6.0 (EXE) (nodebug)'
PE sections
Name Virtual address Virtual size Raw size Entropy MD5
.text 4096 23188 23552 6.50 b78540e7b33a8d01255c8d2b72037cbf
.rdata 28672 2586 3072 4.77 97b2c12ed2c68162a3e15aa8f77723f3
.data 32768 63068 2560 1.96 59c0be0a6652bb90ca2ec4b18b8fd598
.rsrc 98304 64152 64512 7.26 8894f5928962010ad245a1f61d8a3f60
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2014-03-04 00:19:59
Link date 1:19 AM 3/4/2014
Entry Point 0x0000318B
Number of sections 4
PE imports:
[+] KERNEL32.dll
GetLastError
HeapFree
GetStdHandle
LCMapStringW
SetHandleCount
WaitForSingleObject
GetOEMCP
LCMapStringA
HeapDestroy
ExitProcess
SetFileTime
GetEnvironmentStringsW
FlushFileBuffers
GetModuleFileNameA
RtlUnwind
LoadLibraryA
FreeEnvironmentStringsA
GetStartupInfoA
SizeofResource
GetFileSize
LockResource
CreateDirectoryA
DeleteFileA
GetWindowsDirectoryA
UnhandledExceptionFilter
MultiByteToWideChar
FreeEnvironmentStringsW
GetCPInfo
GetCommandLineA
GetProcAddress
SetStdHandle
GetFileTime
SetFilePointer
GetTempPathA
WideCharToMultiByte
GetStringTypeA
GetModuleHandleA
ReadFile
WriteFile
GetCurrentProcess
CloseHandle
GetACP
HeapReAlloc
GetStringTypeW
SetFileAttributesA
TerminateProcess
GetEnvironmentStrings
CreateProcessA
GetEnvironmentVariableA
LoadResource
VirtualFree
GetFileType
CreateFileA
HeapAlloc
GetVersion
FindResourceA
VirtualAlloc
HeapCreate
[+] SHELL32.dll
ShellExecuteA