File Information — hashes and primary classification
File name
161ee3cc94b683d301f99f64e7ec1106767b6fc3ebb0b08bef7e22e9096998f5
File size
458.0 KiB
Architecture
X86
MD5
b42f61062674e30f185dcec9a19d2c11
SHA1
9066494b0c667d16aa80aeffdd0349a18d79d7ae
SHA256
161ee3cc94b683d301f99f64e7ec1106767b6fc3ebb0b08bef7e22e9096998f5
TLSH
T19fa41215f0a90ad5d849337028ba9c6d123b2ffa2ff8754d6f0ef129bbb16d38160855
Imphash
2ae7ccd0da151bbb85f6ba52869df357
Rich header
6905f8c2c8f6182cccccda14862948af
Metadata parser-extracted fields
YARA Signatures — 9 matching rules

Type.UNCOMMON

lateral movement
RunShell

Type.INFO

compiler
MSVC_2012_linker
packer
UPX
UPX
UPX
UPX
UPX
UPX
UPX
Kesakode similarity verdict
No Kesakode verdict available.
Anomalies — signals worth reviewing
code: CrossSectionJump XorInLoop
sections: ExecutableSectionNoCode InvalidBaseOfCode InvalidBaseOfData InvalidSizeOfCode InvalidSizeOfInitializedData PurelyVirtualExecutableSection RelocationsNotInRelocSection SectionWX
resources: ExtraSpaceAfterResourcesDataDirectory
entropy: HighEntropy
integrity: NoChecksum
packers: Packed
imports: UnreferencedImports
Constants identified constants and patterns
guid: IBootTrigger 1
Strings — highest-value extracted strings
Kesakode
5306
Malware 0 Library 0 Unknown 5295 Clean 11
Address String Refs Encoding Score
0x4FA10A ShellExecuteW 0 ASCII 135
0x4F9C2F <?xml version="1.0" encoding="UTF-8" standalone="yes"?>\r\n<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifes... 0 ASCII 118
0x4F9FE8 KERNEL32.DLL 1 ASCII 118
0x4FA030 PSAPI.DLL 1 ASCII 116
0x4FA019 ole32.dll 1 ASCII 116
0x4F9FF5 ADVAPI32.dll 1 ASCII 115
0x4FA002 COMCTL32.dll 1 ASCII 115
0x4FA03A SHELL32.dll 1 ASCII 115
0x4FA05D WS2_32.dll 1 ASCII 115
0x4FA023 OLEAUT32.dll 1 ASCII 112
0x4FA051 VERSION.dll 1 ASCII 112
0x4FA046 USER32.dll 1 ASCII 112
0x4FA00F GDI32.dll 1 ASCII 112
0x4F9A80 VKSaver-Install.exe 0 UTF16 94
0x4F9B48 VKSaver-Install.exe 0 UTF16 94
0x4F9ACC Copyright (C) 2009-2013 Audiovkontake.ru 0 UTF16 88
0x4F99E8 VKSaver installation bundle 0 UTF16 84
0x4F9BC4 3.3.130726.1469 0 UTF16 81
0x4F98EA VS_VERSION_INFO 0 UTF16 81
0x4F9A40 3.3.130726.1469 0 UTF16 81
0x4F9B26 OriginalFilename 0 UTF16 80
0x48A8EE A.DHH 0 ASCII 77
0x4F996A 041904b0 0 UTF16 76
0x4F999C Audiovkontake.ru 0 UTF16 73
0x4F99C6 FileDescription 0 UTF16 73
0x4F9A66 InternalName 0 UTF16 73
0x4F9946 StringFileInfo 0 UTF16 71
0x4F9BA6 ProductVersion 0 UTF16 71
0x4FA0CC InitCommonControlsEx 0 ASCII 71
- !This program cannot be run in DOS mode.\r\r\n$ 0 ASCII 70
0x4F9C0A Translation 0 UTF16 70
0x4F9A26 FileVersion 0 UTF16 70
0x4F9982 CompanyName 0 UTF16 70
0x492386 v.l0w 0 ASCII 70
0x4C8DF7 m3.s\n 0 ASCII 70
0x4EBC32 V.OlN 0 ASCII 70
0x4EB5AC \n--- 0 ASCII 70
0x48C603 AAAp 0 ASCII 70
0x4F1CB7 3""" 0 ASCII 70
0x4B8D74 a>>a 0 ASCII 70
0x488323 rSSS 0 ASCII 70
0x4E1AAB ??\r\r 0 ASCII 70
0x4F2D14 k\n\n\n 0 ASCII 70
0x4E7F9D llww 0 ASCII 70
0x4E070B gssg 0 ASCII 70
0x4F9AAE LegalCopyright 0 UTF16 68
0x4E73FA a0o000@ 0 ASCII 68
0x48A187 ^^^^ 0 ASCII 68
0x4F4FB3 """" 0 ASCII 68
0x4FA122 VerQueryValueW 0 ASCII 67
0x4DDB37 [Zaa^^ZT 0 ASCII 66
0x48D45F PMM/dd/y 0 ASCII 66
0x4E6D3E k5@00@X@ 0 ASCII 66
0x488CD0 >H3H3 0 ASCII 66
0x4E6FDF 9F22F 0 ASCII 66
0x4DE3AB moooP 0 ASCII 66
0x4B6137 UI3UU 0 ASCII 66
0x4F1DB9 bvDDD 0 ASCII 66
0x4F4F2F iDDD1 0 ASCII 66
0x4E09B6 ku_uk 0 ASCII 66
0x4E0498 =B=nB 0 ASCII 66
0x4E0518 >no>n 0 ASCII 66
0x4DC622 d|OFTWARE\Microsoft\Cryptogr 0 ASCII 65
0x4FA078 GetProcAddress 0 ASCII 65
0x48B83C DNNNNHLPT 0 ASCII 65
0x48D23A lIlsAlloc 0 ASCII 65
0x4CDED3 )3T26.s 0 ASCII 65
0x4F9B76 ProductName 0 UTF16 64
0x4F9BEA VarFileInfo 0 UTF16 64
0x4DC8CA \ope2refs_fixed.in 0 ASCII 64
0x4EC21A AddHss 0 ASCII 64
0x4E471E g:sgVV 0 ASCII 64
0x48E0B1 pp_r/r 0 ASCII 64
0x4FA0E2 BitBlt 0 ASCII 64
0x4E39FF GNNNiu 0 ASCII 64
0x48CE14 C\r6Ctt 0 ASCII 64
0x4FA06A LoadLibraryA 0 ASCII 63
0x4DD2EE \_dev\vksav 0 ASCII 63
0x4E4DE7 ;\\;WX6 0 ASCII 63
0x4C0D70 i7q7T1q 0 ASCII 63
0x48E595 ry.nnr[ 0 ASCII 63
0x4E0A4E XF]]]\Y 0 ASCII 63
0x4940BB NNinij_ 0 ASCII 63
0x4FA088 VirtualProtect 0 ASCII 62
0x4FA0EA CoUninitialize 0 ASCII 62
0x4E4204 7x1<Q7l_..7$31 0 ASCII 62
0x4FA0FA EnumProcesses 0 ASCII 62
0x4DDB06 WVVX``gfdknnj 0 ASCII 62
0x4F9B90 VKSaver 0 UTF16 61
0x4DCAB8 77"9 0 ASCII 61
0x4A3B2A j@j_ 0 ASCII 61
0x4C57B9 qUOq 0 ASCII 61
0x4CE324 Up@U 0 ASCII 61
0x4C0BF0 kR\n\n 0 ASCII 61
0x4DC68A w>:w 0 ASCII 61
0x4D949A ggmC 0 ASCII 61
0x4D8059 FrFN 0 ASCII 61
0x49206C _N_Q 0 ASCII 61
0x4D7500 q848 0 ASCII 61
0x4D7441 L]L@ 0 ASCII 61
0x4A7075 E@@v 0 ASCII 61
0x4A43D1 .>.g 0 ASCII 61
0x4D4A61 C>@> 0 ASCII 61
0x4D48C5 ZEZ: 0 ASCII 61
0x4E8F37 avvw 0 ASCII 61
0x4C5ACF @2=@ 0 ASCII 61
0x4E872F mmRG 0 ASCII 61
0x4D17F3 AAEK 0 ASCII 61
0x4E79B9 88At 0 ASCII 61
0x4C16BB @g@0 0 ASCII 61
0x4CD988 da44 0 ASCII 61
0x49BBC1 C:CM 0 ASCII 61
0x4AC991 @Xrr 0 ASCII 61
0x4E78DD luRl 0 ASCII 61
0x4875AE Z/PP 0 ASCII 61
0x4BAE7C IqI< 0 ASCII 61
0x4E76C2 yya/ 0 ASCII 61
0x49ECAB -@[@ 0 ASCII 61
0x48C404 ZZ:Y 0 ASCII 61
0x49C0F0 @,@@ 0 ASCII 61
0x4B487D RR=u 0 ASCII 61
0x4939FC hh]R 0 ASCII 61
0x4D1441 "``e 0 ASCII 61
0x4CC149 n\nL 0 ASCII 61
0x48D92A 9y.9 0 ASCII 61
0x4D1307 oP33 0 ASCII 61
0x4A5AC2 @""c 0 ASCII 61
0x4CB589 jYjm 0 ASCII 61
0x4E70A9 2@2h 0 ASCII 61
0x4E7012 2LLk 0 ASCII 61
0x4AF14F SPHH 0 ASCII 61
0x48CAA3 KECE 0 ASCII 61
0x4B4D4A uLNL 0 ASCII 61
0x48CBA0 JDpD 0 ASCII 61
0x4BD90D oMMY 0 ASCII 61
0x4CB1FB \ncoc 0 ASCII 61
0x4AF331 CC"7 0 ASCII 61
0x48DC35 hvv\r 0 ASCII 61
0x4E6FA6 ;;&; 0 ASCII 61
0x49CC70 TTgH 0 ASCII 61
0x4F5031 >tDD 0 ASCII 61
0x48CDEF VVhU 0 ASCII 61
0x4C47D7 Z_ZR 0 ASCII 61
0x4E5AF0 pYYb 0 ASCII 61
0x4F3BC3 bNN- 0 ASCII 61
0x4F34D5 hhg\r 0 ASCII 61
0x4F2F68 q\rEE 0 ASCII 61
0x4BC4B2 bhfb 0 ASCII 61
0x4F2948 9bQb 0 ASCII 61
0x4F2173 GAGi 0 ASCII 61
0x4F2076 @ACA 0 ASCII 61
0x4BC75D 3[3\ 0 ASCII 61
0x4CEB20 H6i6 0 ASCII 61
0x4F1D68 """z 0 ASCII 61
0x4E5475 yyC: 0 ASCII 61
0x48D273 eate 0 ASCII 61
0x4B7110 44DJ 0 ASCII 61
0x4EBD14 DPP5 0 ASCII 61
0x4E51AD >4V> 0 ASCII 61
0x4EBC4F `K`E 0 ASCII 61
0x4C2AEB _`_K 0 ASCII 61
0x4EBA95 ^ZLZ 0 ASCII 61
0x4EB9F3 4:00 0 ASCII 61
0x4A60AD t7@7 0 ASCII 61
0x4E4F0B aa8P 0 ASCII 61
0x4E4E63 ?NN- 0 ASCII 61
0x49FF7A tSwt 0 ASCII 61
0x4A8EE2 d8dT 0 ASCII 61
0x48879B N4Nt 0 ASCII 61
0x4A8EF4 7dBd 0 ASCII 61
0x48E22E //sY 0 ASCII 61
0x4E4636 kf[f 0 ASCII 61
0x4E4625 R\\i 0 ASCII 61
0x48E5CB ?kGk 0 ASCII 61
0x4B0071 Z\nJ\n 0 ASCII 61
0x48E602 rjjn 0 ASCII 61
0x4E4022 P.6. 0 ASCII 61
0x4E31F3 nb]n 0 ASCII 61
0x497BFE \"@" 0 ASCII 61
0x4BED1B b7rr 0 ASCII 61
0x4E212B R-pp 0 ASCII 61
0x4E166B ttFR 0 ASCII 61
0x4E0E80 ;v3; 0 ASCII 61
0x4C59C2 VkkX 0 ASCII 61
0x4E0E04 ]]Cb 0 ASCII 61
0x4B7F7F K@@v 0 ASCII 61
0x4B8080 VyVi 0 ASCII 61
0x4E0CD3 [[fW 0 ASCII 61
0x4E0C69 \V\Y 0 ASCII 61
0x4C8A35 ee-" 0 ASCII 61
0x4A9BF6 os4o 0 ASCII 61
0x4E09C8 VV?o 0 ASCII 61
0x4E0924 Tv\nv 0 ASCII 61
0x4E088D Fs\ns 0 ASCII 61
0x4C8038 nc^c 0 ASCII 61
0x4E0809 37ii 0 ASCII 61
0x4E07A3 L?V? 0 ASCII 61
0x4B861C ?T\r\r 0 ASCII 61
0x4B1651 y@"@ 0 ASCII 61
0x48A16A cVV> 0 ASCII 61
0x4E0223 XNXJ 0 ASCII 61
0x48A2AE UYYV 0 ASCII 61
0x4AA65B ;Z;h 0 ASCII 61
0x4E00C0 Egxg 0 ASCII 61
0x4DFD3C 5:5a 0 ASCII 61
0x4DFB1C tXoX 0 ASCII 61
0x4DF348 =E;E 0 ASCII 61
0x48A51A W7Wd 0 ASCII 61
0x4B1D2E ]0@@ 0 ASCII 61
0x4DE883 -nn\r 0 ASCII 61
0x4B1EAA @7@R 0 ASCII 61
0x4C009C OnPn 0 ASCII 61
0x4BE5CD sq>q 0 ASCII 61
0x4DE4DE 6v>> 0 ASCII 61
0x4C1FB6 2VZV 0 ASCII 61
0x4DE35F YY4m 0 ASCII 61
0x4DE1C8 ILLO 0 ASCII 61
0x490EBB [[NW 0 ASCII 61
0x4DDDED od\\ 0 ASCII 61
0x490FF5 @PF@ 0 ASCII 61
0x4DDB01 S[SR 0 ASCII 61
0x4DDACA guut 0 ASCII 61
0x4DDAC5 hggk 0 ASCII 61
0x4C650B IG-I 0 ASCII 61
0x4A3791 7=K= 0 ASCII 61
0x4DD2D3 NSDS 0 ASCII 61
0x4B9812 kWW> 0 ASCII 61
0x4DD1F3 66?G 0 ASCII 61
0x48E6A9 ActiveWindowA 0 ASCII 60
0x4FA098 VirtualAlloc 0 ASCII 60
0x4EB314 ,E7WW7r[W6d 0 ASCII 60
0x4FA0A6 VirtualFree 0 ASCII 60
0x4DC900 kontakte.ru 0 ASCII 60
0x4DE38C ___mook nst 0 ASCII 60
0x4DDA5C 4ioostxxyy} 0 ASCII 60
0x4E78F0 Ho A8i HikoAih(' 0 ASCII 59
0x48D285 pTh.dStackGuara 0 ASCII 59
0x48D297 5~eW5poolTime> 0 ASCII 59
0x4EB323 W[W.D 0 ASCII 59
- .rsrc 0 ASCII 59
0x4BC9DE [9b[/ 0 ASCII 59
0x48D2DE eBuff 0 ASCII 59
0x4ECE4D .rsrc 0 ASCII 59
0x48D62A WmWfs 0 ASCII 59
0x4E25FB gegNd 0 ASCII 59
0x4E4569 3M;-M 0 ASCII 59
0x4E76E1 O?g?X 0 ASCII 59
0x4E7611 HrbdH 0 ASCII 59
0x4C6A2E Lb2;b 0 ASCII 59
0x4937A5 Acmc@ 0 ASCII 59
0x4BD670 auoVu 0 ASCII 59
0x48972C ./^D. 0 ASCII 59
0x49AB9D m@n@Z 0 ASCII 59
0x4EC45F <In@n 0 ASCII 59
0x4DE514 <5n>< 0 ASCII 59
0x4DF2D6 Z87PZ 0 ASCII 59
Functions — high-value functions
Kesakode
1
Malware 0 Library 0 Unknown 1 Clean 0
Function listings
0x4ECE90 EntryPoint str 0 api 1 imm 21 Unknown
; EntryPoint — UPX-style unpacking stub (the packer signatures on this page report UPX).
; Syntax: Intel, 32-bit x86, as emitted by the page's disassembler.
; Structure visible in this listing:
;   1. Bit-oriented (NRV-style) decompression from 0x487000 into 0x401000.
;      Register roles: esi = compressed input, edi = output cursor,
;      ebx = 32-bit bit buffer (refilled with `mov ebx,[esi]` / `adc ebx,ebx`),
;      eax = gamma-coded value, ebp = last match offset (negative), ecx = match length.
;   2. Un-filtering of CALL (E8) / JMP (E9) targets in the unpacked code (.22-.23).
;   3. Import resolution through thunks in the stub's own import table
;      (esi+0xF8F7C, esi+0xF8F80, esi+0xF8F90); given the import-name strings on
;      this page these are presumably LoadLibraryA / GetProcAddress / a failure
;      routine — confirm against the thunk addresses before relying on it.
;   4. Relocation fix-ups (.30-.32).
;   5. A page-protection change on the PE header (.33) — cut off by the truncation.
; Analyst note: the payload's real import table is only filled in during step 3,
; which is consistent with the "UnreferencedImports" and "SectionWX" anomalies
; listed above; the unpacked image must be dumped (or the sample run) to see the
; true API surface, e.g. the ShellExecuteW reference in the strings table.
EntryPoint() {
    pushad                           ; save all GPRs for hand-off to the unpacked entry point
    mov          esi, 0x487000       ; esi = compressed data (source)
    lea          edi, [esi-0x86000]  ; edi = 0x401000, unpack destination
    push         edi                 ; keep the destination start; popped into esi at .21
    or           ebp, 0xFFFFFFFF     ; ebp = last match offset, initialised to -1
    jmp          .3                  ; begin by loading the first 32 bits into the bit buffer
.1:                                  ; --- literal: copy one byte src -> dst ---
    mov          al, [esi]
    inc          esi
    mov          [edi], al
    inc          edi
.2:                                  ; --- next flag bit: literal (1) or match (0) ---
    add          ebx, ebx            ; shift the top bit of the bit buffer into CF
    jnz          .4                  ; buffer still holds bits (the sentinel keeps it non-zero)
.3:
    mov          ebx, [esi]          ; refill the 32-bit bit buffer
    sub          esi, 0xFFFFFFFC     ; esi += 4; the borrow (esi < 0xFFFFFFFC) leaves CF = 1 ...
    adc          ebx, ebx            ; ... so this shifts the top bit into CF and a sentinel 1 in at the bottom
.4:
    jb           .1                  ; flag bit set -> literal byte
    mov          eax, 0x01           ; start a gamma-coded value (leading 1)
.5:                                  ; --- read gamma-coded number into eax ---
    add          ebx, ebx
    jnz          .6
    mov          ebx, [esi]          ; refill (same idiom as .3)
    sub          esi, 0xFFFFFFFC
    adc          ebx, ebx
.6:
    adc          eax, eax            ; eax = (eax << 1) | bit
    add          ebx, ebx
    jnb          .7                  ; continuation bit clear -> read another pair
    jnz          .11                 ; continuation bit set -> value complete
    mov          ebx, [esi]          ; refill before deciding on the shifted-out bit
    sub          esi, 0xFFFFFFFC
    adc          ebx, ebx
    jb           .11
.7:
    dec          eax
    add          ebx, ebx
    jnz          .8
    mov          ebx, [esi]          ; refill
    sub          esi, 0xFFFFFFFC
    adc          ebx, ebx
.8:
    adc          eax, eax
    jmp          .5
.9:                                  ; --- short length form: one more bit into ecx ---
    add          ebx, ebx
    jnz          .10
    mov          ebx, [esi]          ; refill
    sub          esi, 0xFFFFFFFC
    adc          ebx, ebx
.10:
    adc          ecx, ecx
    jmp          .18
.11:                                 ; --- match: decode the offset ---
    xor          ecx, ecx            ; ecx = match length, built below
    sub          eax, 0x03
    jb           .12                 ; value < 3 -> reuse the previous offset kept in ebp
    shl          eax, 0x08
    mov          al, [esi]           ; low byte of the offset comes straight from the stream
    inc          esi
    xor          eax, 0xFFFFFFFF     ; eax = ~eax (offset becomes negative)
    jz           .21                 ; all-ones offset is the end-of-stream marker -> post-processing
    sar          eax, 0x01
    mov          ebp, eax            ; remember the offset for later reuse
    jmp          .13
.12:
    add          ebx, ebx
    jnz          .13
    mov          ebx, [esi]          ; refill
    sub          esi, 0xFFFFFFFC
    adc          ebx, ebx
.13:
    jb           .9                  ; first length bit set -> short form
    inc          ecx
    add          ebx, ebx
    jnz          .14
    mov          ebx, [esi]          ; refill
    sub          esi, 0xFFFFFFFC
    adc          ebx, ebx
.14:
    jb           .9                  ; second length bit set -> short form
.15:                                 ; --- long length form: gamma-coded into ecx ---
    add          ebx, ebx
    jnz          .16
    mov          ebx, [esi]          ; refill
    sub          esi, 0xFFFFFFFC
    adc          ebx, ebx
.16:
    adc          ecx, ecx
    add          ebx, ebx
    jnb          .15
    jnz          .17
    mov          ebx, [esi]          ; refill
    sub          esi, 0xFFFFFFFC
    adc          ebx, ebx
    jnb          .15
.17:
    add          ecx, 0x02
.18:                                 ; --- copy the match: ecx bytes from edi+ebp ---
    cmp          ebp, 0xFFFFFB00     ; CF = 1 when the offset reaches further back than 0x500 ...
    adc          ecx, 0x02           ; ... in which case the length gets +3 instead of +2
    lea          edx, [edi+ebp*1]    ; edx = match source (ebp is negative)
    cmp          ebp, 0xFFFFFFFC
    jbe          .20                 ; offset of 4 or more bytes -> dword copy cannot read its own output
.19:                                 ; byte-wise copy for overlapping (offset < 4) matches
    mov          al, [edx]
    inc          edx
    mov          [edi], al
    inc          edi
    dec          ecx
    jnz          .19
    jmp          .2
.20:                                 ; dword-wise copy; overshoot is undone by `add edi, ecx` once ecx has gone non-positive
    mov          eax, [edx]
    add          edx, 0x04
    mov          [edi], eax
    add          edi, 0x04
    sub          ecx, 0x04
    jnbe         .20
    add          edi, ecx
    jmp          .2
.21:                                 ; === decompression finished: post-process the unpacked image ===
    pop          esi                 ; esi = 0x401000 (destination start pushed at entry)
    mov          edi, esi
    mov          ecx, 0x3C7          ; number of CALL/JMP fix-ups to apply (967)
.22:                                 ; --- filter undo: find the next E8 (CALL) / E9 (JMP) opcode ---
    mov          al, [edi]
    inc          edi
    sub          al, 0xE8
.23:
    cmp          al, 0x01
    jnbe         .22                 ; al > 1 -> byte was neither E8 nor E9, keep scanning
    cmp          byte ptr [edi], 0x05
    jnz          .22                 ; marker byte 0x05 identifies a filtered operand
    mov          eax, [edi]          ; eax = marker + 3 stored target bytes
    mov          bl, [edi+0x04]      ; bl = byte after the operand (next candidate opcode)
    shr          ax, 0x08            ; drop the marker ...
    rol          eax, 0x10
    xchg         ah, al              ; ... leaving eax = the 24-bit big-endian stored target
    sub          eax, edi            ; convert to a displacement relative to this instruction ...
    sub          bl, 0xE8
    add          eax, esi            ; ... with the target taken relative to the unpacked base in esi
    mov          [edi], eax          ; write the real rel32 operand back
    add          edi, 0x05
    mov          al, bl              ; continue matching with the byte already loaded
    loop         .23
    lea          edi, [esi+0xE9000]  ; edi = 0x4EA000: packed import directory (pairs of name offset, IAT offset)
.24:                                 ; --- per DLL ---
    mov          eax, [edi]
    or           eax, eax
    jz           .29                 ; zero entry terminates the DLL list
    mov          ebx, [edi+0x04]
    lea          eax, [eax+esi*1+0xF8E8C] ; eax -> DLL name string (offset from 0x4F9E8C)
    add          ebx, esi            ; ebx -> first IAT slot for this DLL
    push         eax
    add          edi, 0x08
    call         [esi+0xF8F7C]       ; stub import thunk at 0x4F9F7C; presumably LoadLibraryA (see strings) — confirm
    xchg         ebp, eax            ; ebp = module handle
.25:                                 ; --- per imported function ---
    mov          al, [edi]
    inc          edi
    or           al, al
    jz           .24                 ; zero byte ends this DLL's function list
    mov          ecx, edi
    jns          .26                 ; high bit clear -> import by name, edi -> NUL-terminated name
    movzx        eax, word ptr [edi] ; high bit set -> import by ordinal
    inc          edi
    push         eax                 ; lpProcName = ordinal
    inc          edi
    mov          ecx, 0xAEF24857     ; overlapping-code trick: the imm32 bytes 57 48 F2 AE are the encoding of the
                                     ; next three instructions (push edi / dec eax / repne scasb), so the ordinal
                                     ; path skips them and continues at `push ebp`; the linear listing hides this
.26:
    push         edi                 ; (name path) lpProcName = name pointer
    dec          eax                 ; al reaches 0 here when the flag byte was 1 — inferred, not shown by the listing
    repne scasb                      ; skip edi past the name's terminating NUL
    push         ebp                 ; hModule
    call         [esi+0xF8F80]       ; stub import thunk at 0x4F9F80; presumably GetProcAddress — confirm
    or           eax, eax
    jz           .28                 ; unresolved import
    mov          [ebx], eax          ; fill the IAT slot
    add          ebx, 0x04
    jmp          .25
.28:
    call         [esi+0xF8F90]       ; failure path: thunk at 0x4F9F90; its target is not identifiable from this page
.29:                                 ; === relocations ===
    add          edi, 0x04           ; skip the zero dword that ended the import list; the relocation stream follows
    lea          ebx, [esi-0x04]     ; ebx = running relocation cursor
.30:
    xor          eax, eax
    mov          al, [edi]           ; next delta byte
    inc          edi
    or           eax, eax
    jz           .33                 ; zero delta ends the relocation stream
    cmp          al, 0xEF
    jnbe         .32                 ; bytes above 0xEF introduce a 20-bit delta
.31:
    add          ebx, eax            ; advance the cursor by the delta
    mov          eax, [ebx]
    xchg         ah, al
    rol          eax, 0x10
    xchg         ah, al              ; the three instructions above perform a full byte swap
    add          eax, esi            ; rebase the stored value onto the unpacked image
    mov          [ebx], eax
    jmp          .30
.32:
    and          al, 0x0F            ; low nibble becomes bits 16..19 of the delta
    shl          eax, 0x10
    mov          ax, [edi]           ; low 16 bits follow in the stream
    add          edi, 0x02
    jmp          .31
.33:                                 ; === change protection of the PE header page (call is past the truncation) ===
    mov          ebp, [esi+0xF8F84]  ; thunk at 0x4F9F84; the argument pattern below matches VirtualProtect — confirm
    lea          edi, [esi-0x1000]   ; edi = 0x400000, the PE header page
    mov          ebx, 0x1000
    push         eax                 ; eax == 0 here (reached via jz .33); becomes the old-protection out slot
    push         esp                 ; lpflOldProtect -> that slot
    push         0x04                ; flNewProtect = 4 (PAGE_READWRITE)
    push         ebx                 ; dwSize = 0x1000; lpAddress and the call itself are not in the listing
; listing truncated
EntryPoint {
    // Error while decompiling : not a valid ea
}
No library functions identified.