Malware Archive


Objdump info | PeRdr info | Strings info

MD5 : 13d7a8e6db6fc85432d4f3f9d61a815e
SHA1SUM : 88b0087e1b547e9c3f32ceb6e6d5788b67220173

architecture: i386, flags 0x0000010a:
EXEC_P, HAS_DEBUG, D_PAGED
start address 0x0042ab9a

Characteristics 0x10f
relocations stripped
executable
line numbers stripped
symbols stripped
32 bit words

Time/Date Sun Aug 19 01:14:41 2007
Magic 010b (PE32)
MajorLinkerVersion 5
MinorLinkerVersion 12
SizeOfCode 00000000
SizeOfInitializedData 00000000
SizeOfUninitializedData 00000000
AddressOfEntryPoint 000000000002ab9a
BaseOfCode 0000000000000000
BaseOfData 0000000000000000
ImageBase 0000000000400000
SectionAlignment 0000000000001000
FileAlignment 0000000000000200
MajorOSystemVersion 4
MinorOSystemVersion 0
MajorImageVersion 0
MinorImageVersion 0
MajorSubsystemVersion 4
MinorSubsystemVersion 0
Win32Version 00000000
SizeOfImage 0002bb46
SizeOfHeaders 00000200
CheckSum 00000000
Subsystem 00000002 (Windows GUI)
DllCharacteristics 00000000
SizeOfStackReserve 0000000000100000
SizeOfStackCommit 0000000000001000
SizeOfHeapReserve 0000000000100000
SizeOfHeapCommit 0000000000001000
LoaderFlags 00000000
NumberOfRvaAndSizes 00000010

The Data Directory
Entry 0 0000000000000000 00000000 Export Directory [.edata (or where ever we found it)]
Entry 1 000000000002b63d 00000028 Import Directory [parts of .idata]
Entry 2 0000000000000000 00000000 Resource Directory [.rsrc]
Entry 3 0000000000000000 00000000 Exception Directory [.pdata]
Entry 4 0000000000000000 00000000 Security Directory
Entry 5 0000000000000000 00000000 Base Relocation Directory [.reloc]
Entry 6 0000000000000000 00000000 Debug Directory
Entry 7 0000000000000000 00000000 Description Directory
Entry 8 0000000000000000 00000000 Special Directory
Entry 9 0000000000000000 00000000 Thread Storage Directory [.tls]
Entry a 0000000000000000 00000000 Load Configuration Directory
Entry b 0000000000000000 00000000 Bound Import Directory
Entry c 0000000000000000 00000000 Import Address Table Directory
Entry d 0000000000000000 00000000 Delay Import Directory
Entry e 0000000000000000 00000000 CLR Runtime Header
Entry f 0000000000000000 00000000 Reserved

There is an import table in .RLPack at 0x42b63d

The Import Tables (interpreted .RLPack section contents)
 vma:      Hint      Time      Forward   DLL       First
           Table     Stamp     Chain     Name      Thunk
 0002b63d  00000000  00000000  00000000  0002b665  0002b672

	DLL Name: kernel32.dll
	(no members listed: the Hint Table / Import Lookup Table RVA of this descriptor is 0; the PeRdr listing below reads the First Thunk array at 0002b672 instead and recovers the five imported names)

 0002b651  00000000  00000000  00000000  00000000  00000000

Sections:
Idx Name Size VMA LMA File off Algn
0 .packed 00000000 00401000 00401000 00000000 2**2
ALLOC, LOAD, READONLY, CODE
1 .RLPack 0000ab46 00421000 00421000 00000200 2**2
CONTENTS, ALLOC, LOAD, CODE
PeRdr by Frediano Ziglio. Build Dec 27 2007
++++++++++++++++++++++++ FILE HEADER INFORMATION +++++++++++++++++++++++++

TimeStamp: 46C77D61 Sun Aug 19 01:14:41 2007
Subsystem: 2 (Windows GUI)
Image Base: 00400000 Size: 0002BB46
Code Base: 00000000 Size: 00000000
Data Base: 00000000 Size: 00000000
Entry Point: 0002AB9A (file offset 00009D9A)

++++++++++++++++++++++++++++++++ SECTIONS ++++++++++++++++++++++++++++++++

1: .packed RVA: 00001000 Offset: 00000000 Size: 00000000 Flags: 60000020 (CER)
2: .RLPack RVA: 00021000 Offset: 00000200 Size: 0000AB46 Flags: E0000020 (CERW)

++++++++++++++++++++++++++++++++ IMPORTS +++++++++++++++++++++++++++++++++

DLL: kernel32.dll
Addr: 0002B672 hint: 0(0000) Name: LoadLibraryA
Addr: 0002B676 hint: 0(0000) Name: GetProcAddress
Addr: 0002B67A hint: 0(0000) Name: VirtualAlloc
Addr: 0002B67E hint: 0(0000) Name: VirtualFree
Addr: 0002B682 hint: 0(0000) Name: VirtualProtect

=L_)f
<9>c
U*,/
geSFT
o9sy
#F\W4
`HC
9ddb
iFRF
M|<"x
g RpW.
&4$,
4@"C`
!S=Pm
$cgf
V#1*
b'95F
%&j5
c/hiz!v
W@ nqU,8Ntx
JY(,
On`R
5hab
g5y)
xC]R
m6g*[
+n9Ad$
}uu
47E.=K
7WBY
a1zw
UfpR
z;Hhx"t
]1P9
I d/5}
<t&;
N,Vi>
KxZv;
A+Ho
#sL'
}EL/
Y`d?
)W!<
t,:s
7l(0
E/"k
#~wg
/2!e
#t dL
YRv,
^i "
b'l#
o{r-
Kf)el
4[;~pp{!
an2y?O
mW%Ko
k|0p
cK`([
>%Sg
r}CS
FH 4wz
*fVm
DTqZ
bY/Ah
#U^g
qCs2
\!)D<=
x-U1W
~-A/,
$|J,H=&
qPY-i
!6V"
&|d{
|pv.
`-dq
7|bWQ
!?>
;{jx
$/t*
gtz'
,jrU
CL/%J
,zu|k
hyx;P
S|'s
LE%.
+4Z4
8'~S
cefQ
C3?!fb]
M!og
HTp{:K
QouH
1^(J
'L4\
h6Ua
v&Je
PBVb#
c SJ
_7<6
Y&&rI
zbXO4
*4p&4]
>*Ym
~'2|
"cfQ
2Yl[h
Y|fUC
4,ZZ
,,| "
7J;Q
~}+:y
TDg^
&O'L
E\hw
~r8c
Bq&X
%Ozx
#uB~
2tL?
DAn>
^JuMv
T&$t
{aC
n0)YFj..
IeTtu
[ %H
zB(4
Iri5
e+_>
)PNO
,#-(
5=G^
b0w}w{a
>:",
]@C~0
F6N&
lNt7
mpmar<
&=<3
F[/n
P,$a
Knv0
PTy@_{=X
$EF
-B]CL
+Xs`
sq,p@A
V@+7
]H{Y
dP;
dv3sw
;nO$
!p'@p
>4_>
Z%>Sw
e;Yd
y^Fc
l,M[
c7)$
FvQ
tj,18
LlC6@
w{+t
^'S3
IB5b
KZq2
+El4
o+{2
1bud
tJ.^
m~Te
b`z]
ZI hd
q-M\O
Vx|yT
$/#~]
UL@R
4;MD
aeze
H8:F
_7W2>l
c$\(
6XEaZ$
x@^ j
uTDX?F
_b(U8
PJ"WD
)q~r
P(7U
$zIQ
N,6$
K;6
@3Auf
^*!)
K'iX
%LPs
jR}A
Q>VC
Eq24l
>OLS@
_r @a
P|5B&
Jw|^
U(k@I
=Rtnk3)
:i*!
~J}It
)MgX
~@=f
"Q{>N
R]&m
w)}bW(a<
^514
v cJ
k&:]
EObp
;wZ|
hd'O
3,AG
F\G9(
JP;q
h5Z\
AIq_wf
^!z6m
"h[v
W-H}e
w7>s
(,wo
*V8E
') u
H3LC
LR;>
h[)k
-h(?)
,l%~
z.U|
B(&{
.uVEf
d7e\
eH%,
0''t
o> `)8
NZVE
0Ui0dJD
z.8Y
os(0
DD&'v$
A3b
[%aTq9r
Aj2pZ
[;9=
xrtEl
*$("
4cM
"KU}?
_{0j-
VMwG@
CZaf
<^O#
yyB=b
Z+7:
ji_8
u5gm
so!7I'
$haT
HJmf7
9|:x/
WXu&Y
]Bi n
k5'I_
4*h
\81@Ob
G(IM}>L
eE0*
g2x~~2
KQsCU
@f8t
B&kT
a|k_
e,KU!L!
X L)
QFN{
3){}
=|gA
`rq?
6=b9
Dm8u+j
N@6Q=)Kv
_jve#F
qa0-
&-TQa
Ke62\
|+|_
ew}6
5-vv6
l #oEnr
?0eU
d'uP9zMD<;+}
stY*
LyBl
+12i
7+Y{
w5~B
riA$@ny
dsUk
_0`?Z
4W^}
Z<DU
S|"i
)1<{j
=c +
qFP:
m>S-oq
}s@Y
8?S0
v\^w
2d1q
HO|1`
IE75
T:f
{D+V;L)
Qq^nM
qT,-
Q$htu
CGwk
KT {
sBpnD
f-B*
oB~)
r/>`
*2LA
}\(G
S)My
{'4)
'gc.&
u[E"
"}\^
bO[`G
'$ouQ9
e>w"VKn
['q'6Oj1
#vHRi
e8*Q4U
03l&U
<O,}
W c"
oS8>!X<c
']Eg
!5X
#R1Y
d<X}x
l3)RW
RZ`\L
A>wwgP
}8Vsh
t!{S
8egc[O
=):,OL
a_W&
jH3`~z8$
]@11YW
P0A*
]@"h+"
-q2K
INp<a
fib82W
+\bH
|Ydw
zyVJ{
dq
N?Qd
5($!
Xzx`o
PZD[*
k;9(cx
2GOO
Dssw
EA-G
m#q6
{P-<
ZKiX
f\tu
92,z{
VNFi
Y$uCX
v#&@
!{MX{s
xs#b`}
wk8D
SQkj$
ld"x
{4_dV
M%KR
H/VT
sux5
C0c32
Q9BTY.
uv8(
s*,T
,h0G
38ra
37U?rP
25SW0
Jg.k
r4Fyttp
B%nyk{
D3M`
<not
Bb|\
i[/q'
w9MT
uW=,
S ?V[
);Dz+Y
i$7b
VH[h
!o@
kcos
hTV@
^twW
p1eif
P.yTz
)%qE
O@C(
sLLi
U_$-
< s)
<m0D$
ouKp
^VE#
m3Xq$6
UA,b4
'iSOR
bMXz
n,M{
|lM3
EI
63Hfr
Sj@h
Pj@QS
kernel32.dll
LoadLibraryA
GetProcAddress
VirtualAlloc
VirtualFree
VirtualProtect
VWHc
lIcx6
,a;-n*
T7q^
H(gBC
w%|O
p+b[
1@|w
y-0=
6>f}
o8(m%
cxq3u
VV }en\l=
W;:cq
3ZGd:
m;ra
&:p,O-
o()'
lh1Q
Ws1q