PE Compile Time

2009-02-05 09:20:22

PE Imphash

2c26ec4a570a502ed3e8484295581989

PEiD Signatures

Armadillo v1.xx - v2.xx

Sections

Name    Virtual Address  Virtual Size  Size of Raw Data  Entropy
.text   0x00001000       0x00002925    0x00002a00        6.20525797152
.rdata  0x00004000       0x00000950    0x00000a00        4.73081388369
.data   0x00005000       0x0000092c    0x00000800        4.88009778169
.rsrc   0x00006000       0x000003f0    0x00000400        3.41536856592
.reloc  0x00007000       0x000003a8    0x00000400        5.60912703698

Resources

Name        Offset      Size        Language      Sub-language        File type
RT_VERSION  0x00006060  0x00000390  LANG_ENGLISH  SUBLANG_ENGLISH_US  data

Imports

Library KERNEL32.dll:
0x10004040 GetExitCodeProcess
0x10004044 CreateProcessA
0x10004048 GetFileAttributesA
0x1000404c GetSystemDirectoryA
0x10004054 SetStdHandle
0x10004058 GetVolumeInformationA
0x1000405c GetDriveTypeA
0x10004060 lstrcatA
0x10004064 PeekNamedPipe
0x10004068 Process32Next
0x1000406c Process32First
0x10004074 OpenProcess
0x10004078 WriteFile
0x1000407c GetFileSize
0x10004080 GetModuleFileNameA
0x10004084 TerminateThread
0x10004088 ReadFile
0x1000408c GetConsoleDisplayMode
0x10004090 AllocConsole
0x10004094 CreateFileA
0x10004098 WriteConsoleInputA
0x1000409c GetComputerNameA
0x100040a0 Sleep
0x100040a4 CreatePipe
0x100040a8 GetWindowsDirectoryA
0x100040ac SetCurrentDirectoryA
0x100040b0 CreateThread
0x100040b4 WaitForSingleObject
0x100040b8 CloseHandle
0x100040bc TerminateProcess
0x100040c0 GetLogicalDrives
0x100040c4 GetLastError
Library MSVCRT.dll:
0x100040cc _adjust_fdiv
0x100040d0 malloc
0x100040d4 _initterm
0x100040d8 free
0x100040dc wcstombs
0x100040e0 atol
0x100040e4 strrchr
0x100040e8 sscanf
0x100040ec __CxxFrameHandler
0x100040f0 _strcmpi
0x100040f4 atoi
0x100040f8 sprintf
0x100040fc ??2@YAPAXI@Z
0x10004100 ??3@YAXPAX@Z
Library WININET.dll:
0x10004110 InternetReadFile
0x10004114 HttpSendRequestA
0x10004118 InternetQueryOptionA
0x1000411c InternetCloseHandle
0x10004120 InternetSetOptionA
0x10004124 InternetConnectA
0x10004128 HttpOpenRequestA
0x1000412c HttpAddRequestHeadersA
0x10004130 InternetOpenA
Library ADVAPI32.dll:
0x10004000 StartServiceA
0x10004004 SetServiceStatus
0x1000400c RegDeleteValueA
0x10004010 RegOpenKeyExA
0x10004014 RegQueryValueExA
0x10004018 RegSetValueExA
0x1000401c RegCloseKey
0x10004020 OpenProcessToken
0x10004024 CreateProcessAsUserA
0x10004028 CloseServiceHandle
0x1000402c EnumServicesStatusExA
0x10004030 OpenSCManagerA
0x10004034 ControlService
0x10004038 OpenServiceA
Library urlmon.dll:
0x10004138 URLDownloadToFileA
Library Secur32.dll:
0x10004108 GetUserNameExA

Exports

Ordinal  Address     Name
1        0x10003420  ServiceMain
2        0x10003180  install
3        0x10003320  uninstall

Strings

!This program cannot be run in DOS mode.
`.rdata
@.data
@.reloc
\$TUWS
D$\RPjQ
D$4RUP
_^]@[Y
D$,h0S
L$$PhLR
T$ QRj
L$hh\V
T$lh4V
GetLastError
TerminateProcess
CloseHandle
WaitForSingleObject
CreateThread
SetCurrentDirectoryA
GetWindowsDirectoryA
CreatePipe
GetComputerNameA
WriteConsoleInputA
CreateFileA
AllocConsole
GetConsoleDisplayMode
ReadFile
PeekNamedPipe
GetExitCodeProcess
CreateProcessA
GetFileAttributesA
GetSystemDirectoryA
ExpandEnvironmentStringsA
SetStdHandle
GetVolumeInformationA
GetDriveTypeA
lstrcatA
GetLogicalDrives
Process32Next
Process32First
CreateToolhelp32Snapshot
OpenProcess
WriteFile
GetFileSize
GetModuleFileNameA
TerminateThread
KERNEL32.dll
??3@YAXPAX@Z
??2@YAPAXI@Z
sprintf
_strcmpi
__CxxFrameHandler
sscanf
strrchr
wcstombs
MSVCRT.dll
_initterm
malloc
_adjust_fdiv
HttpAddRequestHeadersA
HttpOpenRequestA
InternetConnectA
InternetSetOptionA
InternetOpenA
InternetQueryOptionA
HttpSendRequestA
InternetReadFile
InternetCloseHandle
WININET.dll
CloseServiceHandle
EnumServicesStatusExA
OpenSCManagerA
ControlService
OpenServiceA
StartServiceA
CreateProcessAsUserA
OpenProcessToken
RegCloseKey
RegSetValueExA
RegQueryValueExA
RegOpenKeyExA
RegDeleteValueA
RegisterServiceCtrlHandlerA
SetServiceStatus
ADVAPI32.dll
URLDownloadToFileA
urlmon.dll
GetUserNameExA
Secur32.dll
NTLMSVC.dll
ServiceMain
install
uninstall
Content-Length: %d
whoami
pidrun
geturl
Sleep Time:
Start shell first.
090205
<h1>Bad Request (Invalid Hostname)</h1>
%s Connected!
\tasks
Computer:
Accept:*/*
Pragma:no-cache
Cache-Control:max-age=0
Cache-Control:no-cache
Proxy-Connection:Keep-Alive
CONIN$
Process cmd.exe exited!
and the PID is %d
Started already,
Shell started fail!
Shell started successfully!
CmdPath=
GetFileAttributes Error code: %d
\cmd.exe
%ComSpec%
Totally %d volumes found.
Ramdisk
CD-ROM
Remote
Removeable
Invalid
Unkown
Volume on this computer:
Volume
Volume Name
%-24s %s
list service failed!
%-26s %5d
list process failed!
Syntax error!
Usage:
list </p|/s|/d>
ControlService failed!
Service doesn't start!
Service stopped!
Service stop pending!
Service still running!
OpenService failed!
Service does not exist!
OpenSCManager failed!
Failed!
Syntax error!
Usage:
kill </p|/s> <pid|ServiceName>
%*[^/]%*[/]%*[^/]%s
FileSize:
Syntax error!
Usage:
getf/putf FileName <N>
Mozilla/5.0
So long!
Shell started,wait to terminate it.....
Service is running already!
Service started!
StartService failed!
CreateProcess failed!
Program started!
Syntax error!
Usage:
start </p|/s> <filename|ServiceName>
OpenT failed with %d!
Create failed with %d!
OpenP failed with %d!
Syntax error!
Syntax error!
Usage:
GetUrl URL FileName
SYSTEM\CurrentControlSet\Services\%s
ServiceDll
DllPath
SYSTEM\CurrentControlSet\Services\%s\Parameters
1a1f1r1
4(4Q4o4}4
767;7o7y7
9#959M9
::M:V:
:$;;;E;N;T;];
;$<(<,<0<4<8<<<@<D<H<L<
=>\>|>
?)?D?J?Q?]?g?l?t?y?
0,010f0q0{0
1!242?2q2
3/3>3i3
3I4Y4_4y4
45,575C5H5O5V5]5d5k5r5
7C7J7P7j7u7|7
8"8)8V8s8
8+909O9
:.:O:^:k:w:
= ='=.=`=w=}=
>.>A>J>R>\>c>
?P?V?x?
1P1a1h1
2/2T2m2
4I4O4U4\4o4
5=5N5W5g5t5}5
72787>7D7J7P7V7\7b7r7x7~7
8 8&8H8Z8
@1P1l1x1
VS_VERSION_INFO
StringFileInfo
040904b0
CompanyName
Microsoft Corporation
FileDescription
Microsoft NTLM Service Holder
FileVersion
5.1.2600.5512(xpsp.080413-2108)
InternalName
NTLMSVC.DLL
LegalCopyright
Microsoft Corporation. All rights reserved.
OriginalFilename
NTLMSVC.DLL
ProductName
Microsoft
Windows
Operating System
ProductVersion
5.1.2600.5512
VarFileInfo
Translation
Antivirus Signature

Engine                 Result
Bkav                   Clean
Lionic                 Trojan.Win32.Dacic.m!c
Elastic                malicious (high confidence)
ClamAV                 Win.Trojan.Agent-474351
CMC                    Clean
CAT-QuickHeal          Clean
Skyhigh                BehavesLike.Win32.Injector.lh
ALYac                  Generic.Dacic.FF6D009F.A.D9B35A97
Cylance                unsafe
Zillya                 Trojan.Agent.Win32.157776
Sangfor                Suspicious.Win32.Save.ins
CrowdStrike            win/malicious_confidence_100% (W)
Alibaba                Backdoor:Win32/Likseput.afb1173f
K7GW                   Trojan ( 0055e3dd1 )
K7AntiVirus            Trojan ( 0055e3dd1 )
Baidu                  Clean
VirIT                  Trojan.Win32.Generic.JNG
Paloalto               Clean
Symantec               Backdoor.Trojan
tehtris                Clean
ESET-NOD32             a variant of Win32/Agent.OIG
APEX                   Clean
Avast                  Win32:Trojan-gen
Cynet                  Malicious (score: 100)
Kaspersky              Backdoor.Win32.Likseput.f
BitDefender            Generic.Dacic.FF6D009F.A.D9B35A97
NANO-Antivirus         Trojan.Win32.Agent.cuclw
ViRobot                Trojan.Win32.Z.Agent.18432.TA
MicroWorld-eScan       Generic.Dacic.FF6D009F.A.D9B35A97
Tencent                Malware.Win32.Gencirc.115d7512
TACHYON                Trojan/W32.Small.18432.EE
Sophos                 Mal/Generic-S
F-Secure               Trojan.TR/Spy.Gen
DrWeb                  Trojan.DownLoad3.30917
VIPRE                  Generic.Dacic.FF6D009F.A.D9B35A97
TrendMicro             TROJ_GEN.R06CC0CBQ24
Trapmine               Clean
FireEye                Generic.mg.3fb8f4cdcb4d1d48
Emsisoft               Generic.Dacic.FF6D009F.A.D9B35A97 (B)
SentinelOne            Static AI - Malicious PE
GData                  Generic.Dacic.FF6D009F.A.D9B35A97
Jiangmin               TrojanDownloader.Agent.cmik
Varist                 W32/Agent.CFQ.gen!Eldorado
Avira                  TR/Spy.Gen
Antiy-AVL              Trojan[Downloader]/Win32.Agent
Kingsoft               malware.kb.a.1000
Gridinsoft             Clean
Xcitium                TrojWare.Win32.Downloader.Agent.eqre@4pwfzp
Arcabit                Generic.Dacic.FF6D009F.A.D9B35A97
SUPERAntiSpyware       Clean
ZoneAlarm              Backdoor.Win32.Likseput.f
Microsoft              Backdoor:Win32/Likseput.B
Google                 Detected
AhnLab-V3              Trojan/Win32.HDC.C106742
Acronis                Clean
McAfee                 BackDoor-FALR!3FB8F4CDCB4D
MAX                    malware (ai score=100)
VBA32                  TrojanDownloader.Agent
Malwarebytes           Clean
Panda                  Trj/Genetic.gen
Zoner                  Clean
TrendMicro-HouseCall   TROJ_GEN.R06CC0CBQ24
Rising                 Backdoor.Likseput!8.10FC (TFE:5:KHdS5UKR64Q)
Yandex                 Trojan.GenAsa!gJDYcU/1Fkk
Ikarus                 Trojan.Win32.Agent
MaxSecure              Trojan.Malware.1616660.susgen
Fortinet               W32/Agent.A!tr.dldr
BitDefenderTheta       Gen:NN.ZedlaF.36802.bu8@ai77Scki
AVG                    Win32:Trojan-gen
DeepInstinct           MALICIOUS
alibabacloud           Backdoor:Win/Likseput.f

IRMA Signature

Engine                           Result
ESET Security (Windows)          a variant of Win32/Agent.OIG trojan
Avast Core Security (Linux)      Win32:Trojan-gen
C4S ClamAV (Linux)               Win.Trojan.Agent-474351
F-Secure Antivirus (Linux)       Trojan.TR/Spy.Gen [Aquarius]
Windows Defender (Windows)       Backdoor:Win32/Likseput.B
McAfee CLI scanner (Linux)       BackDoor-FALR
Microsoft Defender ATP (Linux)   Backdoor:Win32/Likseput.B
Forticlient (Linux)              Clean
Bitdefender Antivirus (Linux)    Generic.Dacic.FF6D009F.A.D9B35A97
G Data Antivirus (Windows)       Virus: Generic.Dacic.FF6D009F.A.D9B35A97 (Engine A)
Sophos Anti-Virus (Linux)        Mal/Generic-S
DrWeb Antivirus (Linux)          Trojan.DownLoad3.30917
Trend Micro SProtect (Linux)     Clean
ClamAV (Linux)                   Win.Trojan.Agent-474351
eScan Antivirus (Linux)          Generic.Dacic.FF6D009F.A.D9B35A97(DB)
Kaspersky Standard (Windows)     Backdoor.Win32.Likseput.f