Malaysia Honeynet Project // Malware Database (Beta)

Hash e788b05912d65c136f61835d207418b6
First seen 2006-10-19T16:09:57
Last seen 2007-04-15T14:59:52
Filetype MS-DOS executable PE for MS Windows (GUI) Intel 80386 32-bit
Mimetype application/x-dosexec
Size 98304
Hits 425
Clamav Exploit.DCOM.Gen FOUND No Virus Found
F-Prot Infection: Possibly a new variant of W32/IRCBot-based!Maximus No Virus Found
Antivir BDS/VanBot.G.1 No Virus Found
AVG Exploit.DCOM.Gen FOUND No Virus Found
Objdump
binaries/e788b05912d65c136f61835d207418b6:     file format efi-app-ia32
binaries/e788b05912d65c136f61835d207418b6
architecture: i386, flags 0x0000010a:
EXEC_P, HAS_DEBUG, D_PAGED
start address 0x00000000004111e8

Characteristics 0x10f
	relocations stripped
	executable
	line numbers stripped
	symbols stripped
	32 bit words

Time/Date		Fri Sep  1 02:50:38 2006

ImageBase		0000000000400000
SectionAlignment	0000000000001000
FileAlignment		0000000000000200
MajorOSystemVersion	4
MinorOSystemVersion	0
MajorImageVersion	0
MinorImageVersion	0
MajorSubsystemVersion	4
MinorSubsystemVersion	0
Win32Version		00000000
SizeOfImage		0001b000
SizeOfHeaders		00000400
CheckSum		00000000
Subsystem		00000002	(Windows GUI)
DllCharacteristics	00000000
SizeOfStackReserve	0000000000100000
SizeOfStackCommit	0000000000001000
SizeOfHeapReserve	0000000000100000
SizeOfHeapCommit	0000000000001000
LoaderFlags		00000000
NumberOfRvaAndSizes	00000010

The Data Directory
Entry 0 0000000000000000 00000000 Export Directory [.edata (or where ever we found it)]
Entry 1 00000000000123d8 000000a0 Import Directory [parts of .idata]
Entry 2 0000000000000000 00000000 Resource Directory [.rsrc]
Entry 3 0000000000000000 00000000 Exception Directory [.pdata]
Entry 4 0000000000000000 00000000 Security Directory
Entry 5 0000000000000000 00000000 Base Relocation Directory [.reloc]
Entry 6 0000000000000000 00000000 Debug Directory
Entry 7 0000000000000000 00000000 Description Directory
Entry 8 0000000000000000 00000000 Special Directory
Entry 9 0000000000000000 00000000 Thread Storage Directory [.tls]
Entry a 0000000000000000 00000000 Load Configuration Directory
Entry b 0000000000000000 00000000 Bound Import Directory
Entry c 0000000000012000 00000280 Import Address Table Directory
Entry d 0000000000000000 00000000 Delay Import Directory
Entry e 0000000000000000 00000000 CLR Runtime Header
Entry f 0000000000000000 00000000 Reserved

There is an import table in .rdata at 0x4123d8

The Import Tables (interpreted .rdata section contents)
 vma:            Hint    Time      Forward  DLL       First
                 Table   Stamp     Chain    Name      Thunk
 000123d8	00012590 00000000 00000000 000128c0 00012118

	DLL Name: MSVCRT.dll
	vma:  Hint/Ord Member-Name Bound-To
	12e50	  308  _itoa
	12e58	  453  _strnicmp
	12e64	   65  _CxxThrowException
	12e7a	   14  ??1type_info@@UAE@XZ
	128ac	   73  __CxxFrameHandler
	128a0	  659  mbstowcs
	12896	  703  strncat
	1288c	  739  wcscpy
	12882	  742  wcslen
	126f8	  698  strcpy
	12878	  664  memmove
	12870	  412  _rotr
	12868	  411  _rotl
	1285a	  481  _vsnprintf
	12850	  662  memcmp
	12846	  723  tolower
	1283c	  696  strcmp
	12832	  670  printf
	12822	   15  ??2@YAPAXI@Z
	12812	   16  ??3@YAXPAX@Z
	12806	  732  vsprintf
	127f4	  166  _beginthreadex
	127e0	  202  _except_handler3
	127d8	  577  ceil
	127d0	  241  _ftol
	127c8	  585  exit
	127be	  679  realloc
	127b4	  704  strncmp
	127a8	  430  _snprintf
	1279e	  709  strstr
	12794	  693  sscanf
	1278c	  573  atoi
	12784	  610  fseek
	1277c	  605  fread
	12774	  599  fopen
	1276a	  588  fclose
	12760	  614  fwrite
	12758	  612  ftell
	1274e	  694  strcat
	12744	  665  memset
	1273c	  579  clock
	12732	  690  sprintf
	12728	  705  strncpy
	1271e	  663  memcpy
	12716	  606  free
	1270c	  657  malloc
	12702	  702  strlen
	12e44	  445  _strcmpi

 000123ec	00012680 00000000 00000000 000128d8 00012208

	DLL Name: WS2_32.dll
	vma:  Hint/Ord Member-Name Bound-To
	80000004	    4  
	80000097	  151  
	80000016	   22  
	80000012	   18  
	80000015	   21  
	80000002	    2  
	80000013	   19  
	80000005	    5  
	8000000a	   10  
	80000017	   23  
	8000000c	   12  
	80000033	   51  
	8000006f	  111  
	80000001	    1  
	80000003	    3  
	80000070	  112  
	80000009	    9  
	80000034	   52  
	80000006	    6  
	8000000b	   11  
	80000010	   16  
	80000008	    8  
	80000014	   20  
	80000074	  116  
	80000011	   17  
	128cc	   40  WSAIoctl
	80000039	   57  
	80000073	  115  
	8000000d	   13  

 00012400	000124a8 00000000 00000000 00012cd0 00012030

	DLL Name: KERNEL32.dll
	vma:  Hint/Ord Member-Name Bound-To
	12b26	  268  GetComputerNameA
	12b16	  479  GetVersionExA
	12b04	  364  GetLocaleInfoA
	12aec	  767  SetCurrentDirectoryA
	12ae0	  959  lstrlenA
	12ac8	  489  GetWindowsDirectoryA
	12aba	   77  CreateFileA
	12aac	  349  GetFileTime
	12a9e	  788  SetFileTime
	12a88	  441  GetSystemDirectoryA
	12a72	  619  MultiByteToWideChar
	12a62	  584  LoadLibraryA
	12a50	  408  GetProcAddress
	12a42	  175  ExitProcess
	12a36	   61  CopyFileA
	12a26	  361  GetLastError
	12a1a	  919  WriteFile
	12a0c	  720  SearchPathA
	129fe	   95  CreatePipe
	12b3a	  506  GlobalMemoryStatus
	129d8	  140  DuplicateHandle
	129c6	   96  CreateProcessA
	129b6	  647  PeekNamedPipe
	129a0	  338  GetExitCodeProcess
	12994	  683  ReadFile
	1296a	  375  GetModuleHandleA
	12954	  373  GetModuleFileNameA
	12946	  636  OpenProcess
	12932	  686  ReadProcessMemory
	1292a	  841  Sleep
	12916	  849  TerminateProcess
	12908	   46  CloseHandle
	128f2	  782  SetFileAttributesA
	12e92	  594  LocalFree
	128e4	  124  DeleteFileA
	12c2a	  105  CreateThread
	12c3a	  869  UnmapViewOfFile
	12c4c	  606  MapViewOfFile
	12c5c	   78  CreateFileMappingA
	12b50	  326  GetDiskFreeSpaceExA
	12b66	  331  GetDriveTypeA
	12b76	  469  GetTickCount
	12b86	  666  QueryPerformanceFrequency
	12ba2	  665  QueryPerformanceCounter
	12bbc	  550  IsBadCodePtr
	12bcc	  850  TerminateThread
	12bde	  537  InitializeCriticalSection
	12bfa	  143  EnterCriticalSection
	1297e	  315  GetCurrentProcessId
	12c12	  583  LeaveCriticalSection
	129ea	  314  GetCurrentProcess
	12cc0	  778  SetErrorMode
	12cb0	   90  CreateMutexA
	12ca4	  953  lstrcpyA
	12c98	  956  lstrcpynA
	12c7e	  336  GetEnvironmentVariableA
	12c72	  947  lstrcmpA

 00012414	00012664 00000000 00000000 00012d46 000121ec

	DLL Name: USER32.dll
	vma:  Hint/Ord Member-Name Bound-To
	12cde	  725  wsprintfA
	12cea	  375  GetWindowTextA
	12cfc	  279  GetForegroundWindow
	12d12	  227  FindWindowA
	12d20	  570  SendMessageA
	12d30	  407  IsCharAlphaNumericA

 00012428	00012478 00000000 00000000 00012e1a 00012000

	DLL Name: ADVAPI32.dll
	vma:  Hint/Ord Member-Name Bound-To
	12d72	  482  RegOpenKeyExA
	12d60	  466  RegDeleteValueA
	12d82	  473  RegEnumValueA
	12d92	  492  RegQueryValueExA
	12da6	  505  RegSetValueExA
	12db8	  461  RegCreateKeyExA
	12dca	  291  GetUserNameA
	12dda	  160  CryptReleaseContext
	12df0	  150  CryptGenRandom
	12e02	  133  CryptAcquireContextA
	12d52	  457  RegCloseKey

 0001243c	0001265c 00000000 00000000 00012e38 000121e4

	DLL Name: SHELL32.dll
	vma:  Hint/Ord Member-Name Bound-To
	12e28	  263  ShellExecuteA

 00012450	00012654 00000000 00000000 00012e9e 000121dc

	DLL Name: OLEAUT32.dll
	vma:  Hint/Ord Member-Name Bound-To
	800000c8	  200  

 00012464	00000000 00000000 00000000 00000000 00000000

Sections:
Idx Name          Size      VMA               LMA               File off  Algn
  0 .text         0001098a  0000000000401000  0000000000401000  00000400  2**2
                  CONTENTS, ALLOC, LOAD, CODE
  1 .rdata        00000eac  0000000000412000  0000000000412000  00010e00  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
  2 .data         00006200  0000000000413000  0000000000413000  00011e00  2**2
                  CONTENTS, ALLOC, LOAD, DATA
SYMBOL TABLE:
no symbols
© 2007 Malaysia Honeynet Project. Data captured using nepenthes. Frontend coded by spoonfork.