Malaysia Honeynet Project // Malware Database (Beta)

Hash c3a11eb4e328c3d1f3363a2ae56b815d
First seen 2007-07-04T17:17:03
Last seen 2007-07-04T17:17:03
Filetype MS-DOS executable PE for MS Windows (GUI) Intel 80386 32-bit
Mimetype application/x-dosexec
Size 184294
Hits 1
Clamav Trojan.Dropper-901
F-Prot W32/Spybot.QTG (reported as "is a security risk named W32/Spybot.QTG")
Antivir TR/Drop.Small.NBV.146
AVG Trojan.Dropper-901
Objdump
binaries/c3a11eb4e328c3d1f3363a2ae56b815d:     file format efi-app-ia32
binaries/c3a11eb4e328c3d1f3363a2ae56b815d
architecture: i386, flags 0x0000010a:
EXEC_P, HAS_DEBUG, D_PAGED
start address 0x0000000010001000

Characteristics 0x10f
	relocations stripped
	executable
	line numbers stripped
	symbols stripped
	32 bit words

Time/Date		Sat May  5 00:18:45 2007

ImageBase		0000000010000000
SectionAlignment	0000000000001000
FileAlignment		0000000000000200
MajorOSystemVersion	4
MinorOSystemVersion	0
MajorImageVersion	0
MinorImageVersion	0
MajorSubsystemVersion	4
MinorSubsystemVersion	0
Win32Version		00000000
SizeOfImage		0002f7e6
SizeOfHeaders		00000400
CheckSum		00000000
Subsystem		00000002	(Windows GUI)
DllCharacteristics	00000000
SizeOfStackReserve	0000000000100000
SizeOfStackCommit	0000000000001000
SizeOfHeapReserve	0000000000100000
SizeOfHeapCommit	0000000000001000
LoaderFlags		00000000
NumberOfRvaAndSizes	00000010

The Data Directory
Entry 0 0000000000000000 00000000 Export Directory [.edata (or where ever we found it)]
Entry 1 0000000000002048 00000028 Import Directory [parts of .idata]
Entry 2 0000000000004000 0002b7e6 Resource Directory [.rsrc]
Entry 3 0000000000000000 00000000 Exception Directory [.pdata]
Entry 4 0000000000000000 00000000 Security Directory
Entry 5 0000000000000000 00000000 Base Relocation Directory [.reloc]
Entry 6 0000000000000000 00000000 Debug Directory
Entry 7 0000000000000000 00000000 Description Directory
Entry 8 0000000000000000 00000000 Special Directory
Entry 9 0000000000000000 00000000 Thread Storage Directory [.tls]
Entry a 0000000000000000 00000000 Load Configuration Directory
Entry b 0000000000000000 00000000 Bound Import Directory
Entry c 0000000000002000 00000048 Import Address Table Directory
Entry d 0000000000000000 00000000 Delay Import Directory
Entry e 0000000000000000 00000000 CLR Runtime Header
Entry f 0000000000000000 00000000 Reserved

There is an import table in .rdata at 0x10002048

The Import Tables (interpreted .rdata section contents)
 vma:            Hint    Time      Forward  DLL       First
                 Table   Stamp     Chain    Name      Thunk
 00002048	00002070 00000000 00000000 000021da 00002000

	DLL Name: kernel32.dll
	vma:  Hint/Ord Member-Name Bound-To
	20b8	   64  CreateProcessA
	20ca	  128  ExitProcess
	20d8	  162  FindResourceA
	20e8	  263  GetModuleFileNameA
	20fe	  332  GetThreadContext
	2112	  338  GetTickCount
	2122	  425  LoadResource
	2132	  439  LockResource
	2142	  506  ReadProcessMemory
	2156	  519  ResumeThread
	2166	  591  SetThreadContext
	217a	  607  SizeofResource
	218c	  608  Sleep
	2194	  641  VirtualAlloc
	21a4	  642  VirtualAllocEx
	21b6	  643  VirtualFree
	21c4	  679  WriteProcessMemory

 0000205c	00000000 00000000 00000000 00000000 00000000

Sections:
Idx Name          Size      VMA               LMA               File off  Algn
  0 .text         00000926  0000000010001000  0000000010001000  00000400  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, CODE
  1 .rdata        000001e8  0000000010002000  0000000010002000  00000e00  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
  2 .data         000007f8  0000000010003000  0000000010003000  00001000  2**2
                  CONTENTS, ALLOC, LOAD, DATA
  3 .rsrc         0002b7e6  0000000010004000  0000000010004000  00001800  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
SYMBOL TABLE:
no symbols
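Analyst note on the dump above. "efi-app-ia32" is only the BFD target name objdump chose; the Subsystem field (2, Windows GUI) and the libmagic type show an ordinary Win32 PE, and `objdump -b pei-i386 -x` pins the right target. The import list is the part worth reading: CreateProcessA, VirtualAllocEx, WriteProcessMemory, GetThreadContext/SetThreadContext and ResumeThread together are the RunPE (process-hollowing) sequence, and FindResourceA/LoadResource/LockResource/SizeofResource say the payload is lifted out of the binary's own resources, which fits a .rsrc section that accounts for 178150 (0x2b7e6) of the file's 184294 bytes and the "Dropper" verdicts in the scanner column. The Python below is an added example, not code from the Malaysia Honeynet Project or from the captured sample: it walks a PE32 import table directly from the bytes (data directory entry 1, import descriptor, INT/IAT thunks, hint/name entries) and applies that import heuristic. Its input is a constructed PE that reproduces the .rdata layout shown above (IAT at 0x2000, descriptor at 0x2048, INT at 0x2070, hint/name table at 0x20b8, DLL name at 0x21da) with only the .text and .rdata sections and no code; header values are copied from the page where it gives them, SizeOfImage is adjusted for the missing sections, and the hint numbers are the ones objdump printed.

```python
"""Parse a PE32 import table from raw bytes and flag the API set of a
resource-carrying RunPE (process-hollowing) dropper.

Added example, not code from the Malaysia Honeynet Project page. The sample PE is
CONSTRUCTED to mirror the page's objdump output (same RVAs, file offsets and the 17
kernel32.dll hint/name entries) with two sections and no real code; not the captured binary."""
import struct

# (hint, name) as objdump listed them; the layout math below lands the DLL name at 0x21da
PAGE_IMPORTS = [
    (64, "CreateProcessA"), (128, "ExitProcess"), (162, "FindResourceA"), (263, "GetModuleFileNameA"),
    (332, "GetThreadContext"), (338, "GetTickCount"), (425, "LoadResource"), (439, "LockResource"),
    (506, "ReadProcessMemory"), (519, "ResumeThread"), (591, "SetThreadContext"), (607, "SizeofResource"),
    (608, "Sleep"), (641, "VirtualAlloc"), (642, "VirtualAllocEx"), (643, "VirtualFree"), (679, "WriteProcessMemory"),
]
# Spawn, map the payload into the child, repoint its first thread, resume: the RunPE sequence.
HOLLOWING = {"VirtualAllocEx", "WriteProcessMemory", "SetThreadContext", "ResumeThread"}
# Find/Load/Lock/SizeofResource is how a dropper lifts that payload out of its own .rsrc.
RESOURCE = {"LoadResource", "LockResource", "SizeofResource"}


def build_sample_pe():
    """Constructed PE32: .text RVA 0x1000 @ file 0x400, .rdata RVA 0x2000 @ file 0xe00."""
    img, pe = bytearray(0x1000), 0x80
    img[0:2], img[pe:pe + 4] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", img, 0x3C, pe)                                         # e_lfanew
    struct.pack_into("<HHIIIHH", img, pe + 4, 0x14C, 2, 0, 0, 0, 0xE0, 0x10F)     # COFF: i386, 2 sections
    opt = pe + 24                                                                 # PE32 optional header
    struct.pack_into("<HBBIIIIII", img, opt, 0x10B, 0, 0, 0x926, 0x1E8, 0, 0x1000, 0x1000, 0x2000)
    struct.pack_into("<IIIHHHHHHIIIIHHIIIIII", img, opt + 28, 0x10000000, 0x1000, 0x200, 4, 0, 0, 0,
                     4, 0, 0, 0x3000, 0x400, 0, 2, 0, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    struct.pack_into("<II", img, opt + 96 + 8 * 1, 0x2048, 0x28)                  # Import Directory
    struct.pack_into("<II", img, opt + 96 + 8 * 12, 0x2000, 0x48)                 # IAT Directory
    struct.pack_into("<8sIIIIIIHHI", img, opt + 0xE0, b".text", 0x926, 0x1000, 0xA00, 0x400, 0, 0, 0, 0, 0x60000020)
    struct.pack_into("<8sIIIIIIHHI", img, opt + 0xE0 + 40, b".rdata", 0x1E8, 0x2000, 0x200, 0xE00, 0, 0, 0, 0, 0x40000040)
    off = lambda rva: rva - 0x2000 + 0xE00                                        # .rdata RVA -> file offset
    cur, thunks = 0x20B8, []                                                      # hint/name table after the INT
    for hint, name in PAGE_IMPORTS:
        struct.pack_into("<H", img, off(cur), hint)
        img[off(cur) + 2:off(cur) + 3 + len(name)] = name.encode() + b"\0"
        thunks.append(cur)
        cur += (len(name) + 4) & ~1                                               # entries are 2-byte aligned
    img[off(cur):off(cur) + 13] = b"kernel32.dll\0"                               # cur == 0x21da, as on the page
    for i, rva in enumerate(thunks):                                              # unbound file: IAT mirrors INT
        struct.pack_into("<I", img, off(0x2070) + 4 * i, rva)
        struct.pack_into("<I", img, off(0x2000) + 4 * i, rva)
    struct.pack_into("<IIIII", img, off(0x2048), 0x2070, 0, 0, cur, 0x2000)       # descriptor; zero one follows
    return bytes(img)


def _cstr(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii", "replace")


def parse_imports(data):
    """Return {dll: [(hint_name_rva, hint, name), ...]}; name is None for imports by ordinal."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec, opt_size = struct.unpack_from("<H", data, pe + 6)[0], struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("PE32 only; PE32+ puts the data directories 16 bytes further on")
    import_rva = struct.unpack_from("<I", data, opt + 96 + 8)[0]                  # data directory entry 1
    sections = [struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i) for i in range(nsec)]

    def rva_to_off(rva):                       # always go through the section table; RVA != file offset
        for _, vsize, va, rawsize, rawptr in sections:
            if va <= rva < va + max(vsize, rawsize):
                return rva - va + rawptr
        raise ValueError(f"RVA {rva:#x} outside every section")

    imports, desc = {}, rva_to_off(import_rva) if import_rva else None
    while desc is not None:
        int_rva, _ts, _fwd, name_rva, iat_rva = struct.unpack_from("<IIIII", data, desc)
        if not (int_rva or name_rva or iat_rva):                                  # all-zero terminator
            break
        entries, thunk = [], int_rva or iat_rva                                   # bound-only files lack an INT
        while val := struct.unpack_from("<I", data, rva_to_off(thunk))[0]:
            if val & 0x80000000:                                                  # import by ordinal
                entries.append((thunk, val & 0xFFFF, None))
            else:
                o = rva_to_off(val)
                entries.append((val, struct.unpack_from("<H", data, o)[0], _cstr(data, o + 2)))
            thunk += 4
        imports[_cstr(data, rva_to_off(name_rva))] = entries
        desc += 20
    return imports


def dropper_indicators(imports):
    """Capability flags a triage analyst can read off the import names alone."""
    names = {n for ents in imports.values() for _, _, n in ents if n}
    flags = []
    if names & {"CreateProcessA", "CreateProcessW"} and HOLLOWING <= names:
        flags.append("RunPE/process-hollowing API set")
    if names & {"FindResourceA", "FindResourceW"} and RESOURCE <= names:
        flags.append("payload carried in .rsrc (resource API set)")
    return flags


if __name__ == "__main__":
    imps = parse_imports(build_sample_pe())
    for dll, ents in imps.items():
        print(f"DLL Name: {dll}")
        print("\n".join(f"\t{rva:x}\t{hint:5d}  {name or '(ordinal)'}" for rva, hint, name in ents))
    print(*dropper_indicators(imps), sep="\n")
```

Run as is, the listing reproduces the member table objdump printed above (20b8 / 64 / CreateProcessA through 21c4 / 679 / WriteProcessMemory) and both flags fire; for a real file use `parse_imports(open(path, "rb").read())`. The heuristic is deliberately narrow and still only a triage prompt: debuggers, installers and some packers import the same functions, so the flags say what the binary can do, not what it is. Packed samples often show almost no imports at all, in which case the table is resolved at run time and this static view is empty.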
© 2007 Malaysia Honeynet Project. Data captured using nepenthes. Frontend coded by spoonfork.