文件名 | kawaks loader |
文件类型 |
PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
|
扫描器版本 | 1.0.138.174 |
数据库版本 | 2023-09-12 00:01:43 UTC |
恶意软件家族: Heuristic
哈希类型 | 值 | 操作 |
---|---|---|
MD5 |
3528123f3b8ccb494736b6a038f2011a
|
|
SHA1 |
1f06b821a3edd0fac2ffdb5c0a393af32c35ca4f
|
|
SHA256 |
c084854690cec0474e04e770aa8ba8b7d85d5a75637dea1e30d2e4b9ebe2d126
|
|
SHA512 |
1af2411ef0cb6980d9debf205b973771e0da2ae93c121610f58fd3599c6a5a203bbd395fdac555df646255f2f954b1285dc7206122a1aef14dbcfdfd084a58f9
|
|
ImpHash |
22f878ed56c759e0e52e0b8d783401a6
|
图标 |
哈希: d1b4399ea39bd71db2163d52a903c10b
模糊: ca2f9baed2888a267e3a92ac70e8b255 dHash: 70ec28edb5f4e878 |
映像基址 | 0x00400000 |
入口点 | 0x00413001 |
编译时间 | 1970-01-01 00:00:00 |
校验和 | 0x00000000 (实际: 0x00015cd8) |
操作系统版本 | 4.0 |
PEiD 签名 |
PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
|
数字签名 | The PE file does not contain a certificate table. |
导入 |
4 库
kernel32, mfc42, msvcrt, user32 |
导出 | 0 函数 |
资源 | 8 资源 |
节 | 7 节 |
Comments | [email protected]; [email protected] |
CompanyName | |
FileDescription | Loader for WinKawaks 1.55 |
FileVersion | 1, 0, 0, 1 |
InternalName | kawaks loader |
LegalCopyright | Copyright (C) 2006 |
LegalTrademarks | |
OriginalFilename | loader.exe |
PrivateBuild | |
ProductName | |
ProductVersion | 1, 0, 0, 1 |
SpecialBuild | |
Translation | 0x0409 0x04b0 |
名称 | 虚拟地址 | 虚拟大小 | 原始大小 | 熵 | 特征 | MD5 |
---|---|---|---|---|---|---|
UPX0 |
0x00001000 |
32,768 bytes | 7,168 bytes | 7.83 (打包/加密) |
IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE
|
E7F608C3F0051A4A1CCF7028D6233F7F |
UPX1 |
0x00009000 |
8,192 bytes | 7,168 bytes | 7.90 (打包/加密) |
IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE
|
5F051ABBA6A09DB1A383E91A1065B4F2 |
.rsrc |
0x0000b000 |
24,576 bytes | 1,024 bytes | 1.76 (正常) |
IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE
|
A150CD13C33E0BC6C48E6053FBC050F0 |
.idata |
0x00011000 |
4,096 bytes | 1,024 bytes | 5.56 (正常) |
IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE
|
5DCF0F7E09B638B795D051512B49E9B5 |
.mackt |
0x00012000 |
4,096 bytes | 512 bytes | 7.14 (压缩) |
IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE
|
1352C0442932B24912AE9828F6D3842D |
.aspack |
0x00013000 |
28,672 bytes | 27,648 bytes | 4.60 (正常) |
IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE
|
884643E78D20B7788C7B1CE053F92A08 |
.adata |
0x0001a000 |
38,506 bytes | 38,912 bytes | 0.00 (正常) |
IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE
|
31E14C04C60244FDC3737CC73A13AACD |
2 检测到高熵(≥7.5)的节 - 可能存在打包/加密
1 检测到较高熵(≥6.5)的节 - 可能存在压缩
资源类型 | 数量 | 总大小 | 百分比 |
---|---|---|---|
RT_ICON | 6 | 22,384 字节 | |
RT_GROUP_ICON | 1 | 90 字节 | |
RT_VERSION | 1 | 932 字节 |
此文件未进行数字签名。
⚠ 此文件缺少数字签名或证书链无法验证。
执行来自未知来源的未签名文件时请谨慎。
The PE file does not contain a certificate table.
建议: 验证文件来源并确保它来自可信的发布者.
按照以下步骤完全从系统中移除威胁