Malware Archive



MD5 : 224b1bccb80fd1f62e53ce1e43eced13
SHA1SUM : a34b104b6343265722cc85df17077c680146678d

Objdump info

architecture: i386, flags 0x0000010a:
EXEC_P, HAS_DEBUG, D_PAGED
start address 0x0046e03a

Characteristics 0x10f
relocations stripped
executable
line numbers stripped
symbols stripped
32 bit words

Time/Date Thu Jan 1 01:00:00 1970 (TimeDateStamp 0x00000000; objdump renders the zero stamp as the epoch in local time, UTC+1 here, so no link time is recorded)
Magic 010b (PE32)
MajorLinkerVersion 1
MinorLinkerVersion 51
SizeOfCode 00000000
SizeOfInitializedData 00000000
SizeOfUninitializedData 00000000
AddressOfEntryPoint 000000000006e03a
BaseOfCode 0000000000001000
BaseOfData 000000000000e000
ImageBase 0000000000400000
SectionAlignment 0000000000001000
FileAlignment 0000000000000200
MajorOSystemVersion 1
MinorOSystemVersion 0
MajorImageVersion 0
MinorImageVersion 0
MajorSubsystemVersion 4
MinorSubsystemVersion 0
Win32Version 00000000
SizeOfImage 0006f000
SizeOfHeaders 00000200
CheckSum 00006b94
Subsystem 00000002 (Windows GUI)
DllCharacteristics 00000000
SizeOfStackReserve 0000000000100000
SizeOfStackCommit 0000000000001000
SizeOfHeapReserve 0000000000100000
SizeOfHeapCommit 0000000000001000
LoaderFlags 00000000
NumberOfRvaAndSizes 00000010

The Data Directory
Entry 0 0000000000000000 00000000 Export Directory [.edata (or where ever we found it)]
Entry 1 000000000006e000 0000003a Import Directory [parts of .idata]
Entry 2 0000000000000000 00000000 Resource Directory [.rsrc]
Entry 3 0000000000000000 00000000 Exception Directory [.pdata]
Entry 4 0000000000000000 00000000 Security Directory
Entry 5 0000000000000000 00000000 Base Relocation Directory [.reloc]
Entry 6 0000000000000000 00000000 Debug Directory
Entry 7 0000000000000000 00000000 Description Directory
Entry 8 0000000000000000 00000000 Special Directory
Entry 9 0000000000000000 00000000 Thread Storage Directory [.tls]
Entry a 0000000000000000 00000000 Load Configuration Directory
Entry b 0000000000000000 00000000 Bound Import Directory
Entry c 0000000000000000 00000000 Import Address Table Directory
Entry d 0000000000000000 00000000 Delay Import Directory
Entry e 0000000000000000 00000000 CLR Runtime Header
Entry f 0000000000000000 00000000 Reserved

There is an import table in yNGboj6f at 0x46e000

The Import Tables (interpreted yNGboj6f section contents)
 vma:            Hint    Time      Forward  DLL       First
                 Table   Stamp     Chain    Name      Thunk
 0006e000       00000000 00000000 00000000 0006e030 0006e028

	DLL Name: ntdll.dll

 0006e014       00000000 00000000 00000000 00000000 00000000

Sections:
Idx Name          Size      VMA       LMA       File off  Algn
  0 .text         00009200  00401000  00401000  00000200  2**2
                  CONTENTS, ALLOC, LOAD, CODE, DATA
  1 yNGboj6f      000006ae  0046e000  0046e000  00009400  2**2
                  CONTENTS, ALLOC, LOAD, DATA

PeRdr by Frediano Ziglio. Build Dec 27 2007
++++++++++++++++++++++++ FILE HEADER INFORMATION +++++++++++++++++++++++++

TimeStamp: 00000000
Subsystem: 2 (Windows GUI)
Image Base: 00400000 Size: 0006F000
Code Base: 00001000 Size: 00000000
Data Base: 0000E000 Size: 00000000
Entry Point: 0006E03A (file offset 0000943A)

++++++++++++++++++++++++++++++++ SECTIONS ++++++++++++++++++++++++++++++++

1: .text RVA: 00001000 Offset: 00000200 Size: 00009200 Flags: E00000E0 (CDUERW)
2: yNGboj6f RVA: 0006E000 Offset: 00009400 Size: 000006AE Flags: C0000040 (DRW)

++++++++++++++++++++++++++++++++ IMPORTS +++++++++++++++++++++++++++++++++

DLL: ntdll.dll
Addr: 0006E028 Ord#: 4(0004)
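
Read together, the two dumps point the same way: the entry point 0x6e03a sits in yNGboj6f, a section whose flags (C0000040, DRW) do not include execute, while .text is marked writable and executable (E00000E0), SizeOfCode is zero, the link timestamp is zero, and the only import is ntdll.dll. The following is an added Python example, not code from the archive page or from either tool, that parses those header fields and flags each of those conditions. It runs over a constructed PE32 image that reproduces the header values shown above (file offsets, section headers and the import descriptor included) but contains none of the sample's code or data; section virtual sizes are absent from the dumps and are assumed equal to the raw sizes, and the list of "usual" section names is this example's own heuristic.

```python
"""PE header triage for the dump above (added example, not from the page).
build_sample_pe() constructs a minimal PE32 that reproduces the header values
objdump/PeRdr printed; it is not the sample. Virtual sizes are assumed = raw sizes."""
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
USUAL_NAMES = {".text", ".data", ".rdata", ".bss", ".idata", ".edata",
               ".rsrc", ".reloc", ".tls", ".pdata", ".CRT"}   # heuristic list, not from the page
SEC_HDR = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER

def build_sample_pe():
    """Constructed image mirroring the page's headers; all code bytes are zero."""
    img = bytearray(0x9400 + 0x6AE)          # end of the last section's raw data
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 60, 64)      # e_lfanew
    img[64:68] = b"PE\0\0"
    # IMAGE_FILE_HEADER: i386, 2 sections, TimeDateStamp 0, 224-byte optional header, 0x10f
    struct.pack_into("<HHIIIHH", img, 68, 0x14C, 2, 0, 0, 0, 224, 0x10F)
    o = 88                                   # IMAGE_OPTIONAL_HEADER32
    struct.pack_into("<HBBIIIIII", img, o, 0x10B, 1, 51, 0, 0, 0, 0x6E03A, 0x1000, 0xE000)
    struct.pack_into("<III", img, o + 28, 0x400000, 0x1000, 0x200)
    struct.pack_into("<HHHHHH", img, o + 40, 1, 0, 0, 0, 4, 0)
    struct.pack_into("<IIIIHH", img, o + 52, 0, 0x6F000, 0x200, 0x6B94, 2, 0)
    struct.pack_into("<IIIIII", img, o + 72, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    struct.pack_into("<II", img, o + 96 + 8, 0x6E000, 0x3A)   # data directory 1: imports
    sec = o + 224
    struct.pack_into(SEC_HDR, img, sec, b".text", 0x9200, 0x1000, 0x9200, 0x200, 0, 0, 0, 0, 0xE00000E0)
    struct.pack_into(SEC_HDR, img, sec + 40, b"yNGboj6f", 0x6AE, 0x6E000, 0x6AE, 0x9400, 0, 0, 0, 0, 0xC0000040)
    # Import descriptor at RVA 0x6e000 (file 0x9400): no ILT, name RVA 0x6e030, IAT 0x6e028, then null terminator
    struct.pack_into("<IIIII", img, 0x9400, 0, 0, 0, 0x6E030, 0x6E028)
    img[0x9430:0x943A] = b"ntdll.dll\0"
    return bytes(img)

def parse_pe(data):
    """Pull out the fields the triage needs (PE32 layout)."""
    e_lfanew = struct.unpack_from("<I", data, 60)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    _, nsec, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24
    _, _, _, size_of_code = struct.unpack_from("<HBBI", data, opt)
    entry = struct.unpack_from("<I", data, opt + 16)[0]
    import_rva = struct.unpack_from("<I", data, opt + 96 + 8)[0]
    sections = []
    for i in range(nsec):
        name, vsize, va, rawsize, rawptr, _, _, _, _, flags = struct.unpack_from(
            SEC_HDR, data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"), "va": va,
                         "vsize": vsize or rawsize, "rawptr": rawptr, "flags": flags})
    return {"timestamp": timestamp, "size_of_code": size_of_code, "entry": entry,
            "import_rva": import_rva, "sections": sections}

def section_for_rva(pe, rva):
    for s in pe["sections"]:
        if s["va"] <= rva < s["va"] + s["vsize"]:
            return s
    return None

def rva_to_offset(pe, rva):
    s = section_for_rva(pe, rva)
    if s is None:
        raise ValueError("RVA 0x%x maps to no section" % rva)
    return s["rawptr"] + (rva - s["va"])

def imported_dlls(data, pe):
    """Walk the IMAGE_IMPORT_DESCRIPTOR array up to its all-zero terminator."""
    dlls, off = [], rva_to_offset(pe, pe["import_rva"])
    while True:
        desc = struct.unpack_from("<IIIII", data, off)
        if not any(desc):
            return dlls
        name_off = rva_to_offset(pe, desc[3])
        dlls.append(data[name_off:data.index(b"\0", name_off)].decode("ascii", "replace"))
        off += 20

def triage(data):
    """Return (entry-point section name, imported DLL names, list of findings)."""
    pe = parse_pe(data)
    findings = []
    ep = section_for_rva(pe, pe["entry"])
    if ep is None:
        findings.append("entry point 0x%x lies outside every section" % pe["entry"])
    elif not ep["flags"] & IMAGE_SCN_MEM_EXECUTE:
        findings.append("entry point 0x%x is in non-executable section %s" % (pe["entry"], ep["name"]))
    for s in pe["sections"]:
        if s["flags"] & IMAGE_SCN_MEM_WRITE and s["flags"] & IMAGE_SCN_MEM_EXECUTE:
            findings.append("section %s is writable and executable" % s["name"])
        if s["name"] not in USUAL_NAMES:
            findings.append("non-standard section name %r" % s["name"])
    if pe["timestamp"] == 0:
        findings.append("TimeDateStamp is zero")
    if pe["size_of_code"] == 0 and any(s["flags"] & IMAGE_SCN_CNT_CODE for s in pe["sections"]):
        findings.append("SizeOfCode is zero although a section is marked as code")
    dlls = imported_dlls(data, pe)
    if len(dlls) == 1:
        findings.append("imports only %s; other APIs are presumably resolved at run time" % dlls[0])
    return (ep["name"] if ep else None), dlls, findings

if __name__ == "__main__":
    for line in triage(build_sample_pe())[2]:
        print(line)
```

On the constructed image the triage reports six findings, maps the entry point to yNGboj6f at file offset 0x943a (matching PeRdr), and lists ntdll.dll as the only imported DLL. To run the same checks on a real file, pass `open(path, "rb").read()` to `triage` instead of `build_sample_pe()`; the parser deliberately handles only the PE32 fields the dump shows and makes no attempt to identify the packer.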

Strings info
(strings output for the file; apart from the import name ntdll.dll near the end, every printable run is a short random fragment rather than readable text, which together with the single ntdll.dll import and the entry point inside the data section yNGboj6f is what a packed or encrypted code body looks like)

.R3Z6+
EeLY
.,**
F+3+
s[H<
JVT_4n
=,*|
*q]I
|%)t
j=.U
:PCE
4Y*~
>l>(
l.UV
'rm`
i8s@
"#p]
NS '
=DOK
#.tr
[$=9
ZiV*
guwP
Wb4,
Xo=`z
[QK<Xh*
6We>&
<mWDC
z"=pS
bd'l
q<,F
%v^/
79g;A
x71L
~D*h
y%dB
nkxM
BtOQ
aXm$(<%
I&f%
5wYl
f@UA
C70
je4.Z
w{Fh
$4U>4]s
h9#%
1#8(
,VN;
^BbI
z|x)
H7Hz
8D;o"
n>]TW
$q4ixX
1<nE
0fK]
6id6N`'c
^9:P
]Y{p
z*R"6<
lAUm
zqt|
#XIZq
B'9|
n_Ug
JR2#J
HFGT
YNd|7cL
C!.,
6oZ9e
I@E2
^x)<B
\}yyP
w]U0
qhZ.
0iW/
gtWbQ
rz!ru
k<TbEJ
gYT[
6YZ<
+) ]`G(
9/dB
Yxd=X
rz$)
C] %oK
2a*s7
.`o8JtI^p.
_r1C
mJ`p
$`~<
Wrc1q?
{Kwbi%
.LHJ
xhR5
(|uD9l{
\':u
yN 3
h!,/
Q=2>/n
ElxH
e&Z)
}^['
?I D
pc<;
O$a6#
772j
|dGB
_y{1
@7$)
YO3X"
^eBm{^
< :[
MGvs
p6#%
9Ja}
)]IY
e?jga
;~cl
'~ZF!v9
T"hs
E(jWI
}xvL.
]3M40
%`N{
6 vcF
17\<~N:fx
3}s"
TLA>6
UqS@Id
V ,6
*ssor
*e1=k
)t@
^fW|u
/@v{
Dio('
`qEg
GR<#
51/e
%W(E
Fe*0
>.~~
AK6
O8$V
:V`,)*>
4v1N
'fVo
Lnka
\bR]
hMOB
3@)^
L^g (^gS#
_;Y%
~LTC
_@G6
x8:)
>R US
[\- /
Y&50
k:c9
De$!
5/zLC
hovP
dC:m c
Bz}c
~.g##
fXDG
OneGg
Rot:Ri_
~)I}
ZRQ<
/nqA
i*#vD
W/aQ
B1u&Y
:A#H
/.km8S
~P?J
U|Yx
fiwL
Z)_f
AL<q
4:mv
9"wg.hO
TF %
FeU'
]F+c
Lj,N
Vsc"\S
4jckM
,0RK
#p->
>g1m?%q
~2~c
AcW2
k~a$
-K[/
Z&6v_dW
~cq1
/,Aq^
eNR4J
JAeb
V]P]
0}/V
0r{4
pXI8 Y
B;<cx
wpbg?EW
ppMB
Ofaa
YY'b
g*F}
V8 &k
.K@6
kg-|
q:'n
a?j{aV
+kch
Vn;fyKr
St,3
2d9v
s6G@<
.Z=E
XLWsRi
iRZf
.hIs
Eo,6V&bN}
tD{E
;7gB
)c#"3:iZ
g|&sZ
m-$f
(.zC!
2:]o
"ix8R
,V=t
rqkBk
Bf~x
PV|L
?oK)B
^|o|K'
3:-?
?\D;
KV:yCx"
!{v'
WZoO
vLW $8t
<rQfS
m6wN#
]i7f
aqa;
KG|#
zin1
N,BT
^ghi
&8n}nr
2wy^H
]UMz
f\$g
LDjSq
2zO7c
I:xm
%[qn"`x$1Z_
e4cj
][x;b
C`1|
CGU:|
/u$-4
cnHD
~FBn
)0f=
S!qC_
UZ{^d\
f>:"
}[2>b
q#:X
T6B{
[3+_
}Y5\
BT#r
FbyB@
fL"m
ZAX.:
^.^%V
mIG&[
"Wu4
tJQE
TJ)Fe
RHCc
H}4{oP
I9p<U
V$JN
B>qn$
7bDYf
kSn4
vZ,
3U>@
"RK@(7m;
#VX=L(Vd
~eq1A
Tt+f
ogNcT-
4sz
c1gF
Z8A
`flZ$k
fk"#
b_E^
R"Z>
}&.oC
0jk0lY
69QR
H0PE:`U
i\5k
CPu-
Y0ml
Iws<
),9D
T)Va
flQv
Td!6
Emb_
")G,
A@ny
BTdN1
3d2
nT21q
G@C(j
|Jq&
pn.`
Ai7A
xl&=
*"m5A
# J'
2BM"IH
[Q'd
RN[@
p{5
{2e5
V1D'
@(_^
lzm
Ck6'
zD5F
Jn$o=
=[]E
#c8n
Bc@&g
h"+;T9
NO|!
$N5|
h@CBc%
5(-\
}\u|
d1/0
_zzl
FUcH
1hwP
i""4
[Rt% F
T#0C
AN^<U
HDMn1
6+iQ#
jO%!/8f
FTn&
^M7%t
A]:vl
afnf
tfAX|b
"&Vl
#hM?M
\n7|
}Gn&
NW@YG,"
b<,<4q
_,x_
(H*a
er'+
vhW\
bsn>
=6ez
GdF}]
58c6>{N
+y}w
TMs7AX
#d<oZ
a3/.
\UCF
^O`e
&AG\
}z/
);3Y
.1V~5
r4s0}
#tA$
G#Ngg
1A w
(2i%
du+k
38[(T
`D~%=
P>Zs
_z1Ff
Fy6}w?"v
./R\
-Bi~?$
[NSlb
-ac@n
xek[
0)8E c
Is4+P
4s{Dn
ufVa
ntdll.dll
t 4Z
:7Kq\
+XIU&{
[*9E
R]2U/
S#blUE
ANSY
.{)eu
-iF{J
EiEs
Ql4C
Rry7
BFl4
q~o@
U!A,
_J?0
YI- &