ATM MALWARE NOTICE
5f926e3b173b9bd752b7a132058ed07cd88609bc2cb1d8c17e43fd7c8e7a857e
Date...........: 2018-07-19
Family.........: WinPot
File name......: 999 (2).EXE
File size......: 13.50 KB
File type......: EXE/Windows
Virscan........: VT - HA
Additional note: PE creation timestamp faked (the TimeDateStamp in the file header postdates the submission date)
Entropy:
Binary Histogram:
=== SCREENSHOT ===
=== PEDUMP REPORT ===
=== MZ Header ===
signature: "MZ"
bytes_in_last_block: 144 0x90
blocks_in_file: 3 3
num_relocs: 0 0
header_paragraphs: 4 4
min_extra_paragraphs: 0 0
max_extra_paragraphs: 65535 0xffff
ss: 0 0
sp: 184 0xb8
checksum: 0 0
ip: 0 0
cs: 0 0
reloc_table_offset: 64 0x40
overlay_number: 0 0
reserved0: 0 0
oem_id: 0 0
oem_info: 0 0
reserved2: 0 0
reserved3: 0 0
reserved4: 0 0
reserved5: 0 0
reserved6: 0 0
lfanew: 128 0x80
=== DOS STUB ===
00000000: 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 |........!..L.!Th|
00000010: 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f |is program canno|
00000020: 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 |t be run in DOS |
00000030: 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 |mode....$.......|
=== PE Header ===
signature: "PE\x00\x00"
# IMAGE_FILE_HEADER:
Machine: 332 0x14c x86
NumberOfSections: 3 3
TimeDateStamp: "2026-01-14 09:44:18"
PointerToSymbolTable: 0 0
NumberOfSymbols: 0 0
SizeOfOptionalHeader: 224 0xe0
Characteristics: 783 0x30f RELOCS_STRIPPED, EXECUTABLE_IMAGE
LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED
32BIT_MACHINE, DEBUG_STRIPPED
# IMAGE_OPTIONAL_HEADER32:
Magic: 267 0x10b 32-bit executable
LinkerVersion: 2.24
SizeOfCode: 8192 0x2000
SizeOfInitializedData: 8192 0x2000
SizeOfUninitializedData: 45056 0xb000
AddressOfEntryPoint: 54976 0xd6c0
BaseOfCode: 49152 0xc000
BaseOfData: 57344 0xe000
ImageBase: 4194304 0x400000
SectionAlignment: 4096 0x1000
FileAlignment: 512 0x200
OperatingSystemVersion: 4.0
ImageVersion: 1.0
SubsystemVersion: 4.0
Reserved1: 0 0
SizeOfImage: 65536 0x10000
SizeOfHeaders: 4096 0x1000
CheckSum: 0 0
Subsystem: 2 2 WINDOWS_GUI
DllCharacteristics: 0 0
SizeOfStackReserve: 2097152 0x200000
SizeOfStackCommit: 4096 0x1000
SizeOfHeapReserve: 1048576 0x100000
SizeOfHeapCommit: 4096 0x1000
LoaderFlags: 0 0
NumberOfRvaAndSizes: 16 0x10
=== DATA DIRECTORY ===
EXPORT rva:0x 0 size:0x 0
IMPORT rva:0x f72c size:0x 124
RESOURCE rva:0x e000 size:0x 172c
EXCEPTION rva:0x 0 size:0x 0
SECURITY rva:0x 0 size:0x 0
BASERELOC rva:0x 0 size:0x 0
DEBUG rva:0x 0 size:0x 0
ARCHITECTURE rva:0x 0 size:0x 0
GLOBALPTR rva:0x 0 size:0x 0
TLS rva:0x d888 size:0x 18
LOAD_CONFIG rva:0x 0 size:0x 0
Bound_IAT rva:0x 0 size:0x 0
IAT rva:0x 0 size:0x 0
Delay_IAT rva:0x 0 size:0x 0
CLR_Header rva:0x 0 size:0x 0
rva:0x 0 size:0x 0
=== SECTIONS ===
NAME RVA VSZ RAW_SZ RAW_PTR nREL REL_PTR nLINE LINE_PTR FLAGS
UPX0 1000 b000 0 200 0 0 0 0 e0000080 RWX UDATA
UPX1 c000 2000 1a00 200 0 0 0 0 e0000040 RWX IDATA
.rsrc e000 2000 1a00 1c00 0 0 0 0 c0000040 RW- IDATA
=== TLS ===
RAW_START RAW_END INDEX CALLBKS ZEROFILL FLAGS
40d8a0 40d8bb 4060ac 40d8bc 0 0
[?] can't find file_offset of VA 0xb710
=== RESOURCES ===
FILE_OFFSET CP LANG SIZE TYPE NAME
0x1cec 0 0 5672 ICON #1
0 0 754 DIALOG #100
0x3318 0 0 20 GROUP_ICON #102
[?] can't find file_offset of VA 0x60ac
=== IMPORTS ===
MODULE_NAME HINT ORD FUNCTION_NAME
COMCTL32.DLL 0 InitCommonControls
KERNEL32.DLL 0 LoadLibraryA
KERNEL32.DLL 0 ExitProcess
KERNEL32.DLL 0 GetProcAddress
KERNEL32.DLL 0 VirtualProtect
msvcrt.dll 0 _iob
USER32.dll 0 SetTimer
=== Packer / Compiler ===
UPX v0.89.6 - v1.02 / v1.05 - v1.22
=== Strings ===
File pos Mem pos ID Text
======== ======= == ====
00000000004D 00000040004D 0 !This program cannot be run in DOS mode.
0000000001C8 0000004001C8 0 .rsrc
00000000056E 00000040C36E 0 YkQQZ
000000000619 00000040C419 0 !P%Pp
000000000AA2 00000040C8A2 0 .P.bt
000000000B32 00000040C932 0 \'-=40
000000000BFE 00000040C9FE 0 x"8@t
000000000CFB 00000040CAFB 0 50~~,
000000000E16 00000040CC16 0 Pf@ik
000000001096 00000040CE96 0 <CSCCNGW
0000000010B1 00000040CEB1 0 libgcj-16.dll
0000000010C7 00000040CEC7 0 RegisterClasses,
0000000010D8 00000040CED8 0 %1[0-9]NDV
0000000010F0 00000040CEF0 0 VALCscCngOpen
000000001103 00000040CF03 0 tatusdad
000000001131 00000040CF31 0 : 0x80vd,%
000000001153 00000040CF53 0 (s) f&m
000000001169 00000040CF69 0 to c
000000001178 00000040CF78 0 bcSuc
00000000119D 00000040CF9D 0 w run
0000000011A5 00000040CFA5 0 ailu#
0000000011B1 00000040CFB1 0 ViaualQu<y
0000000011C7 00000040CFC7 0 bys a
0000000011D6 00000040CFD6 0 pN3Unk
0000000011ED 00000040CFED 0 [c&io
0000000011F5 00000040CFF5 0 col v
000000001209 00000040D009 0 rka+zeGCC
00000000121A 00000040D01A 0 m.X5.1.0
000000001223 00000040D023 0 (*@jirA
0000000013BA 00000040D1BA 0 dcdjC*A
0000000013D7 00000040D1D7 0 s3QEE
0000000015EE 00000040D3EE 0 Handle
000000001605 00000040D405 0 teiticavs
00000000162A 00000040D42A 0 F@eLibrary
00000000163B 00000040D43B 0 Commb
000000001645 00000040D445 0 LastE
000000001659 00000040D459 0 Modul
00000000166C 00000040D46C 0 StXtupInfo
000000001692 00000040D492 0 tUnhmd
0000000016D1 00000040D4D1 0 gZObj"w
0000000016F3 00000040D4F3 0 B1yrgs
000000001706 00000040D506 0 f8de(s
000000001781 00000040D581 0 ogBoxP
000000001792 00000040D592 0 W?dow
000000001850 00000040D650 0 @K&'H
000000001A34 00000040D834 0 XPTPSW
000000002141 00000040E541 0 &&&&&&&&&
0000000021A9 00000040E5A9 0 QQQQQ
0000000021BF 00000040E5BF 0 &&&&&&&&&
0000000021DE 00000040E5DE 0 ?????????QQQQ
0000000021FE 00000040E5FE 0 QQQ?????????
000000002227 00000040E627 0 NNNNN:::::::::::::::::::::NNN
00000000225D 00000040E65D 0 [[[[[
0000000023C5 00000040E7C5 0 =======
000000002414 00000040E814 0 QQQ :
000000002454 00000040E854 0 QQ? :
000000002494 00000040E894 0 QQ? :\
00000000289E 00000040EC9E 0 ]]]]]]]]
0000000028B0 00000040ECB0 0 ]]]]]]]]]
0000000028EF 00000040ECEF 0 LL_____
File pos Mem pos ID Text
======== ======= == ====
0000000028F7 00000040ECF7 0 LLLLX
000000002900 00000040ED00 0 VXXXLXXXXXXXV
000000002A2F 00000040EE2F 0 '''''''''''''
000000002A5E 00000040EE5E 0 YYY::Y:NNNNddcccd
000000002C2C 00000040F02C 0 #N#ff
000000002DA4 00000040F1A4 0 N*++BBB*
000000002E19 00000040F219 0 iNi##
000000002EA6 00000040F2A6 0 :bgbf
000000002EB5 00000040F2B5 0 iAcfb
000000002EEA 00000040F2EA 0 & Q#
000000002F27 00000040F327 0 bAp88(
000000002F58 00000040F358 0 Ncdc:N
000000003027 00000040F427 0 &&&&&
000000003083 00000040F483 0
0000000033BC 00000040F7BC 0 COMCTL32.DLL
0000000033C9 00000040F7C9 0 KERNEL32.DLL
0000000033D6 00000040F7D6 0 msvcrt.dll
0000000033E1 00000040F7E1 0 USER32.dll
0000000033EE 00000040F7EE 0 InitCommonControls
000000003402 00000040F802 0 ExitProcess
000000003410 00000040F810 0 GetProcAddress
000000003420 00000040F820 0 LoadLibraryA
00000000342E 00000040F82E 0 VirtualProtect
000000003444 00000040F844 0 SetTimer
00000000004D 00000040004D 0 !This program cannot be run in DOS mode.
0000000001C8 0000004001C8 0 .rsrc
00000000056E 00000040C36E 0 YkQQZ
000000000619 00000040C419 0 !P%Pp
000000000AA2 00000040C8A2 0 .P.bt
000000000B32 00000040C932 0 \'-=40
000000000BFE 00000040C9FE 0 x"8@t
000000000CFB 00000040CAFB 0 50~~,
000000000E16 00000040CC16 0 Pf@ik
000000001096 00000040CE96 0 <CSCCNGW
0000000010B1 00000040CEB1 0 libgcj-16.dll
0000000010C7 00000040CEC7 0 RegisterClasses,
0000000010D8 00000040CED8 0 %1[0-9]NDV
0000000010F0 00000040CEF0 0 VALCscCngOpen
000000001103 00000040CF03 0 tatusdad
000000001131 00000040CF31 0 : 0x80vd,%
000000001153 00000040CF53 0 (s) f&m
000000001169 00000040CF69 0 to c
000000001178 00000040CF78 0 bcSuc
00000000119D 00000040CF9D 0 w run
0000000011A5 00000040CFA5 0 ailu#
0000000011B1 00000040CFB1 0 ViaualQu<y
0000000011C7 00000040CFC7 0 bys a
0000000011D6 00000040CFD6 0 pN3Unk
0000000011ED 00000040CFED 0 [c&io
0000000011F5 00000040CFF5 0 col v
000000001209 00000040D009 0 rka+zeGCC
00000000121A 00000040D01A 0 m.X5.1.0
000000001223 00000040D023 0 (*@jirA
0000000013BA 00000040D1BA 0 dcdjC*A
0000000013D7 00000040D1D7 0 s3QEE
0000000015EE 00000040D3EE 0 Handle
000000001605 00000040D405 0 teiticavs
00000000162A 00000040D42A 0 F@eLibrary
00000000163B 00000040D43B 0 Commb
000000001645 00000040D445 0 LastE
File pos Mem pos ID Text
======== ======= == ====
000000001659 00000040D459 0 Modul
00000000166C 00000040D46C 0 StXtupInfo
000000001692 00000040D492 0 tUnhmd
0000000016D1 00000040D4D1 0 gZObj"w
0000000016F3 00000040D4F3 0 B1yrgs
000000001706 00000040D506 0 f8de(s
000000001781 00000040D581 0 ogBoxP
000000001792 00000040D592 0 W?dow
000000001850 00000040D650 0 @K&'H
000000001A34 00000040D834 0 XPTPSW
000000002141 00000040E541 0 &&&&&&&&&
0000000021A9 00000040E5A9 0 QQQQQ
0000000021BF 00000040E5BF 0 &&&&&&&&&
0000000021DE 00000040E5DE 0 ?????????QQQQ
0000000021FE 00000040E5FE 0 QQQ?????????
000000002227 00000040E627 0 NNNNN:::::::::::::::::::::NNN
00000000225D 00000040E65D 0 [[[[[
0000000023C5 00000040E7C5 0 =======
000000002414 00000040E814 0 QQQ :
000000002454 00000040E854 0 QQ? :
000000002494 00000040E894 0 QQ? :\
00000000289E 00000040EC9E 0 ]]]]]]]]
0000000028B0 00000040ECB0 0 ]]]]]]]]]
0000000028EF 00000040ECEF 0 LL_____
0000000028F7 00000040ECF7 0 LLLLX
000000002900 00000040ED00 0 VXXXLXXXXXXXV
000000002A2F 00000040EE2F 0 '''''''''''''
000000002A5E 00000040EE5E 0 YYY::Y:NNNNddcccd
000000002C2C 00000040F02C 0 #N#ff
000000002DA4 00000040F1A4 0 N*++BBB*
000000002E19 00000040F219 0 iNi##
000000002EA6 00000040F2A6 0 :bgbf
000000002EB5 00000040F2B5 0 iAcfb
000000002EEA 00000040F2EA 0 & Q#
000000002F27 00000040F327 0 bAp88(
000000002F58 00000040F358 0 Ncdc:N
000000003027 00000040F427 0 &&&&&
000000003083 00000040F483 0
0000000033BC 00000040F7BC 0 COMCTL32.DLL
0000000033C9 00000040F7C9 0 KERNEL32.DLL
0000000033D6 00000040F7D6 0 msvcrt.dll
0000000033E1 00000040F7E1 0 USER32.dll
0000000033EE 00000040F7EE 0 InitCommonControls
000000003402 00000040F802 0 ExitProcess
000000003410 00000040F810 0 GetProcAddress
000000003420 00000040F820 0 LoadLibraryA
00000000342E 00000040F82E 0 VirtualProtect
000000003444 00000040F844 0 SetTimer
=== DOWNLOAD ===
Mirror provided by vx-underground.org, thanks!