Malware Archive


Objdump info | PeRdr info | Strings info

MD5 : 0c803048e4e4342cb96e62ec9cf844b1
SHA1SUM : 22478f9d75121e30591d060a0435dd01f75e1528

architecture: i386, flags 0x0000010a:
EXEC_P, HAS_DEBUG, D_PAGED
start address 0x31009200

Characteristics 0x10f
relocations stripped
executable
line numbers stripped
symbols stripped
32 bit words

Time/Date Sat Jun 5 08:57:20 2004
Magic 010b (PE32)
MajorLinkerVersion 6
MinorLinkerVersion 0
SizeOfCode 00003000
SizeOfInitializedData 00001000
SizeOfUninitializedData 00005000
AddressOfEntryPoint 0000000000009200
BaseOfCode 0000000000006000
BaseOfData 0000000000009000
ImageBase 0000000031000000
SectionAlignment 0000000000001000
FileAlignment 0000000000000200
MajorOSystemVersion 4
MinorOSystemVersion 0
MajorImageVersion 0
MinorImageVersion 0
MajorSubsystemVersion 4
MinorSubsystemVersion 0
Win32Version 00000000
SizeOfImage 0000b000
SizeOfHeaders 00001000
CheckSum 000144bc
Subsystem 00000002 (Windows GUI)
DllCharacteristics 00000000
SizeOfStackReserve 0000000000100000
SizeOfStackCommit 0000000000001000
SizeOfHeapReserve 0000000000100000
SizeOfHeapCommit 0000000000001000
LoaderFlags 00000000
NumberOfRvaAndSizes 00000010

The Data Directory
Entry 0 0000000000000000 00000000 Export Directory [.edata (or where ever we found it)]
Entry 1 0000000000009000 00000168 Import Directory [parts of .idata]
Entry 2 0000000000000000 00000000 Resource Directory [.rsrc]
Entry 3 0000000000000000 00000000 Exception Directory [.pdata]
Entry 4 0000000000000000 00000000 Security Directory
Entry 5 0000000000000000 00000000 Base Relocation Directory [.reloc]
Entry 6 0000000000000000 00000000 Debug Directory
Entry 7 0000000000000000 00000000 Description Directory
Entry 8 0000000000000000 00000000 Special Directory
Entry 9 0000000000000000 00000000 Thread Storage Directory [.tls]
Entry a 0000000000000000 00000000 Load Configuration Directory
Entry b 0000000000000000 00000000 Bound Import Directory
Entry c 0000000000000000 00000000 Import Address Table Directory
Entry d 0000000000000000 00000000 Delay Import Directory
Entry e 0000000000000000 00000000 CLR Runtime Header
Entry f 0000000000000000 00000000 Reserved

There is an import table in UPX2 at 0x31009000

The Import Tables (interpreted UPX2 section contents)
vma:     Hint     Time     Forward  DLL      First
         Table    Stamp    Chain    Name     Thunk
00009000 00000000 00000000 00000000 000090c4 0000908c

DLL Name: KERNEL32.DLL

00009014 00000000 00000000 00000000 000090d1 0000909c

DLL Name: ADVAPI32.dll

00009028 00000000 00000000 00000000 000090de 000090a4

DLL Name: MSVCRT.dll

0000903c 00000000 00000000 00000000 000090e9 000090ac

DLL Name: USER32.dll

00009050 00000000 00000000 00000000 000090f4 000090b4

DLL Name: WININET.dll

00009064 00000000 00000000 00000000 00009100 000090bc

DLL Name: WS2_32.dll

00009078 00000000 00000000 00000000 00000000 00000000

Sections:
Idx Name     Size     VMA      LMA      File off Algn
  0 UPX0     00005000 31001000 31001000 00000400 2**2
             CONTENTS, ALLOC, CODE
  1 UPX1     00002400 31006000 31006000 00000400 2**2
             CONTENTS, ALLOC, LOAD, CODE, DATA
  2 UPX2     00000400 31009000 31009000 00002800 2**2
             CONTENTS, ALLOC, LOAD, CODE, DATA

PeRdr by Frediano Ziglio. Build Dec 27 2007
++++++++++++++++++++++++ FILE HEADER INFORMATION +++++++++++++++++++++++++

TimeStamp: 40C16ED0 Sat Jun 5 08:57:20 2004
Subsystem: 2 (Windows GUI)
Image Base: 31000000 Size: 0000B000
Code Base: 00006000 Size: 00003000
Data Base: 00009000 Size: 00001000 (plus 00005000 uninitialized)
Entry Point: 00009200 (file offset 00002A00)

++++++++++++++++++++++++++++++++ SECTIONS ++++++++++++++++++++++++++++++++

1: UPX0 RVA: 00001000 Offset: 00000400 Size: 00000000 Flags: E0000080 (UERW)
2: UPX1 RVA: 00006000 Offset: 00000400 Size: 00002400 Flags: E0000060 (CDERW)
3: UPX2 RVA: 00009000 Offset: 00002800 Size: 00000400 Flags: E0000060 (CDERW)

++++++++++++++++++++++++++++++++ IMPORTS +++++++++++++++++++++++++++++++++

DLL: KERNEL32.DLL
Addr: 0000908C hint: 0(0000) Name: LoadLibraryA
Addr: 00009090 hint: 0(0000) Name: GetProcAddress
Addr: 00009094 hint: 0(0000) Name: ExitProcess

DLL: ADVAPI32.dll
Addr: 0000909C hint: 0(0000) Name: RegCloseKey

DLL: MSVCRT.dll
Addr: 000090A4 hint: 0(0000) Name: atoi

DLL: USER32.dll
Addr: 000090AC hint: 0(0000) Name: wsprintfA

DLL: WININET.dll
Addr: 000090B4 hint: 0(0000) Name: InternetOpenA

DLL: WS2_32.dll
Addr: 000090BC Ord#: 19(0013) Name: send

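Everything objdump and PeRdr print above describes the UPX unpacking stub, not the program it wraps: the section names are UPX0/UPX1/UPX2, UPX0 is 0x5000 bytes in memory but 0 bytes on disk (the SizeOfUninitializedData of 00005000 is its virtual size, the area the stub decompresses into), the entry point 00009200 sits in UPX2 rather than in the section BaseOfCode points at, every import descriptor has OriginalFirstThunk 0 (the all-zero Hint Table column), KERNEL32 supplies only LoadLibraryA/GetProcAddress/ExitProcess, and each other DLL is imported for exactly one function so the loader keeps it mapped while the stub resolves the rest by GetProcAddress. The WININET, WS2_32 and ADVAPI32 names are therefore hints that the payload talks to the network and touches the registry, not a list of what it does; the strings listing that follows is compressed data apart from the import names at its end. Unpack (upx -d) and re-run objdump -p and strings before drawing conclusions. The script below is an added example, not code from the archive or from either tool: it walks the PE32 optional header, section table and import directory and reports those indicators. build_sample() builds a constructed image from the values printed above so the script runs offline; the DOS header layout and the RVAs of the IMAGE_IMPORT_BY_NAME entries are assumptions, since the page does not show them.

```python
"""PE32 header/section/import walker that reports packer indicators. Added example, not part of
the archive page, objdump or PeRdr. build_sample() is constructed from the values above; the DOS
header layout and the hint/name RVAs are assumptions."""
import struct

OPT_FMT = "<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "H" * 2 + "I" * 6  # IMAGE_OPTIONAL_HEADER32 up to NumberOfRvaAndSizes
SECT_FMT = "<8sIIIIIIHHI"                                           # IMAGE_SECTION_HEADER
DESC_FMT = "<IIIII"   # IMAGE_IMPORT_DESCRIPTOR: OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk

def rva_to_offset(sections, rva):
    for s in sections:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
            if rva - s["va"] >= s["rawsize"]:      # all of UPX0 (SizeOfRawData 0): no bytes on disk
                raise ValueError("RVA %#x is in %s but has no bytes in the file" % (rva, s["name"]))
            return rva - s["va"] + s["rawptr"]
    raise ValueError("RVA %#x is outside every section" % rva)

def read_cstr(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii")

def parse_imports(data, sections, import_rva):
    imports, off = {}, rva_to_offset(sections, import_rva)
    while True:
        oft, _, _, name_rva, ft = struct.unpack_from(DESC_FMT, data, off)
        if name_rva == 0 and ft == 0:                  # all-zero terminator (the row at 0x9078 above)
            break
        funcs, toff = [], rva_to_offset(sections, oft or ft)   # UPX leaves OriginalFirstThunk 0: walk the IAT
        while (thunk := struct.unpack_from("<I", data, toff)[0]) != 0:
            funcs.append("#%d" % (thunk & 0xFFFF) if thunk & 0x80000000           # by ordinal: WS2_32!send = #19
                         else read_cstr(data, rva_to_offset(sections, thunk) + 2))  # IMAGE_IMPORT_BY_NAME: skip WORD hint
            toff += 4
        imports[read_cstr(data, rva_to_offset(sections, name_rva))] = {"has_int": oft != 0, "funcs": funcs}
        off += 20
    return imports

def parse_pe(data):
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    assert data[:2] == b"MZ" and data[e_lfanew:e_lfanew + 4] == b"PE\0\0", "not a PE file"
    coff = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)     # IMAGE_FILE_HEADER
    n_sections, size_opt, opt_off = coff[1], coff[5], e_lfanew + 24
    opt = struct.unpack_from(OPT_FMT, data, opt_off)
    magic, size_udata, entry, image_base, n_dirs = (opt[i] for i in (0, 5, 6, 9, 29))
    assert magic == 0x10B, "only PE32 (Magic 010b) is handled"
    dirs = [struct.unpack_from("<II", data, opt_off + 96 + 8 * i) for i in range(n_dirs)]
    sections = []
    for i in range(n_sections):
        f = struct.unpack_from(SECT_FMT, data, opt_off + size_opt + 40 * i)
        sections.append({"name": f[0].rstrip(b"\0").decode(), "vsize": f[1], "va": f[2], "rawsize": f[3],
                         "rawptr": f[4], "chars": f[9]})
    imports = parse_imports(data, sections, dirs[1][0]) if len(dirs) > 1 and dirs[1][0] else {}
    return {"entry": entry, "image_base": image_base, "size_udata": size_udata, "sections": sections, "imports": imports}

def packer_indicators(pe):
    """Evidence that the header and import table describe an unpacking stub rather than the payload."""
    secs, imp, entry = pe["sections"], pe["imports"], pe["entry"]
    entry_sec = next((s["name"] for s in secs if s["va"] <= entry < s["va"] + s["vsize"]), None)
    found = ["UPX section names"] if any(s["name"].startswith("UPX") for s in secs) else []
    found += ["%s: %#x bytes virtual, 0 on disk (unpack destination)" % (s["name"], s["vsize"])
              for s in secs if s["rawsize"] == 0 and s["chars"] & 0x80]   # IMAGE_SCN_CNT_UNINITIALIZED_DATA
    if entry_sec and entry_sec != secs[0]["name"]:
        found.append("entry point %#x is in %s, not the first section" % (entry, entry_sec))
    k32 = {f for d, v in imp.items() if d.lower() == "kernel32.dll" for f in v["funcs"]}
    if k32 and k32 <= {"LoadLibraryA", "GetProcAddress", "ExitProcess"}:
        found.append("kernel32 imports are only the stub's resolver set: " + ", ".join(sorted(k32)))
    if imp and not any(v["has_int"] for v in imp.values()):
        found.append("OriginalFirstThunk == 0 for every DLL (no import name table)")
    others = [v for d, v in imp.items() if d.lower() != "kernel32.dll"]
    if others and all(len(v["funcs"]) == 1 for v in others):
        found.append("exactly one import per non-kernel32 DLL (enough to keep it loaded for GetProcAddress)")
    return {"entry_section": entry_sec, "indicators": found}

def build_sample():
    img = bytearray(0x2C00)    # constructed image; UPX2's raw data ends at file offset 0x2800 + 0x400
    img[0:2], img[0x40:0x44] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", img, 0x3C, 0x40)                  # e_lfanew: assumed, not shown on the page
    struct.pack_into("<HHIIIHH", img, 0x44, 0x14C, 3, 0x40C16ED0, 0, 0, 0xE0, 0x10F)
    struct.pack_into(OPT_FMT, img, 0x58, 0x10B, 6, 0, 0x3000, 0x1000, 0x5000, 0x9200, 0x6000, 0x9000,
                     0x31000000, 0x1000, 0x200, 4, 0, 0, 0, 4, 0, 0, 0xB000, 0x1000, 0x144BC, 2, 0,
                     0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    struct.pack_into("<II", img, 0x58 + 96 + 8, 0x9000, 0x168)   # data directory entry 1: imports
    for i, s in enumerate(((b"UPX0", 0x5000, 0x1000, 0, 0x400, 0xE0000080),
                           (b"UPX1", 0x3000, 0x6000, 0x2400, 0x400, 0xE0000060),
                           (b"UPX2", 0x1000, 0x9000, 0x400, 0x2800, 0xE0000060))):
        struct.pack_into(SECT_FMT, img, 0x138 + 40 * i, *s[:5], 0, 0, 0, 0, s[5])
    at = lambda rva: rva - 0x9000 + 0x2800                    # UPX2: RVA 0x9000 is file offset 0x2800
    dlls = (b"KERNEL32.DLL", b"ADVAPI32.dll", b"MSVCRT.dll", b"USER32.dll", b"WININET.dll", b"WS2_32.dll")
    iats = (0x908C, 0x909C, 0x90A4, 0x90AC, 0x90B4, 0x90BC)
    pos = 0x90C4                                              # DLL names packed back to back, as above
    for i, (dll, iat) in enumerate(zip(dlls, iats)):
        struct.pack_into(DESC_FMT, img, at(0x9000) + 20 * i, 0, 0, 0, pos, iat)
        img[at(pos):at(pos) + len(dll)] = dll
        pos += len(dll) + 1
    pos = 0x910C                                              # hint/name entries; these RVAs are assumed
    for iat, names in zip(iats, ((b"LoadLibraryA", b"GetProcAddress", b"ExitProcess"), (b"RegCloseKey",),
                                 (b"atoi",), (b"wsprintfA",), (b"InternetOpenA",))):
        for j, n in enumerate(names):
            struct.pack_into("<I", img, at(iat) + 4 * j, pos)
            img[at(pos) + 2:at(pos) + 2 + len(n)] = n          # WORD hint 0, then the name
            pos += 2 + len(n) + 1
    struct.pack_into("<I", img, at(0x90BC), 0x80000013)        # WS2_32!send imported by ordinal 19
    return bytes(img)
```

Point parse_pe() at the raw bytes of a real file and packer_indicators() reports the same six observations for this sample; rva_to_offset() reproduces PeRdr's "Entry Point: 00009200 (file offset 00002A00)" and refuses to map anything in UPX0, because the bytes a debugger would show there exist only after the stub has run. After upx -d the same walk should show a normal import table with OriginalFirstThunk set and far more than one function per DLL.
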
%B:X_\U
&DH|:
&@>`
=;>z
X/-,X
1'#^
$hEX
@mPxv'L5
MMI;
Sut%xO+3
YBxX^:R
:TPW
-] ++9i%%\
'{,<
a5Q%y
~TS%K
Kl p
?K='
@^R[
M1$H$
oB?f~
`fAc
Lq:Y8;ax
poTJ
#"Q4
]Z>(
+R)Q
o:88(
&: z
4X 0
tFPVu8
X?,(|
X[6R*,X
i\J:
` 8<B!
$m 4
]|0O5
Yd}R
1 ,[U*/V
wPXW8
.D:wZt\
Ch|K
sWRM:
6M2N(
=IiM
|pLQ
<Y7r} A
HL93
3lp8
DA;(
.,R $
Ub $
_wHRX?s
-x|I
^HCT
[xve
eL\T
PK(~
ON4XE
ICVOcZ
Ekug
@ O[I
g%Ti
iMl0k
QR $[
\L`^
8[Jw
mP$_
.c';K
B,d~#<@
GC4l-J
%WBzGp
{=RS
X!a{
wYP&W
}dnC
v_xH`d8
6{!y\q|s-K?m
W,oP
-$*MSX
%'p5.
1v s
@B#|if
\,8Jip
chf[:3
A`0G
8@2JH(
Lf?\]i
bW6\
P'kP*
o`$IF<
`O%R/
%Z44
dFl[
]\&V
@]W6]x
t:vF
jUWu
d{S|_
JjNxm
8,~C\l
Tt [<J
O i-X$i8
&8B>
]WW$&K
TnlZ$Tl]O
"Fh
eh7
c83;Lb
SnJJ_i
Ws#P
%ciT0I>*\
C]BM
T&s.
hfbGa{
Tk\@E'f2Q
K{<~ V
HpX]*
Zt *gW*8e
tox:-
~Y`X
v^DakQ6_
Q<^"[Ec
^'w%
hrxl[
rGWP
aPXcQP
VE9g
3?>$
a~257~!
]H%Ss
5@LL[J%
/bbB
6|c!>
)4/"
PG2P
pa~`
O;RZ
9>4?'#
S;7"?% ^c~a1w
`bbbFZ
p`I)
sPTAZ~P3
Pt>P4P?P'P#j$
iPes
}M~WP
@QOE
`u$@7
%`PT
~W=gf"fPh~'`K
4Po34=
P^PF
QRv-
xISA
P3z
UP[SP
Q:xIi\
]W/_
ZHQ
_<_P4?
Qkbw
;lBE%R
9 3t
52%79&9<575
4:%#$
?;5>G#
1<%5
3t#d
14&1 9c
%$5"=
85<<
"51J
5=?U
9"$%
3~;1"~
71# ?45~
*1]~
Cu_c$#;~"!
>~%]5%U1
'7$O4a~O5
<?#}1
5J31p
&20}M#
+6<1^c7"1*~1$
:;<=>? !
#&'()*
phpzpjW]Z
Wde{
6As$
)G2<
= z92 kp
pfEkp
e-yP'o!uk
4|R 8W
,0}aC6$
=#&3
$/G%aaS`i[h_r
G7>$
'&5b
@`5K
G>?)#
pK1%CKQ;
z3t3
?4%<5/{
Q<#$"3F
= 9Z
? )IZ
??<T:
>1 #8?$IDZ
Bb"#_
e|Hq
;54Z3
>SeE
1<56?
1Iys )s
""?"
\j\|DOf
2:~=
y+V5 <
44"_
92"1
Z0A;`
")U;
B1^*96)K
%{f<?1?
n?)|A?8=#7@
3!%9"
KW1n
AE?9O"@N
8WG>r=
`Qa1
[q>`6
^iA>~
XR#i?
[dB\T
FGYR]Q*
|S@C*
P_Q[QV\bBC
`^a[R
wW\ <07>Nd@WV
/{<Gp4
P0kL
PPPPPP
P0Pa
QPPPQ
P0PP
PPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPP
KERNEL32.DLL
ADVAPI32.dll
MSVCRT.dll
USER32.dll
WININET.dll
WS2_32.dll
LoadLibraryA
GetProcAddress
ExitProcess
RegCloseKey
atoi
wsprintfA
InternetOpenA