
                                           ATM MALWARE NOTICE 
                    7bd2c97ac5027c360011dc5aa8f2371cd934f73e885e41f7e80152332b3af1db
 
Date...........: 2018-09-03
Family.........: ATMWizX
File name......: cngtester_without-vmp[...].dll
File size......: 18.22 KB
Type file......: DLL/Windows
Virscan........: VT (FIRST RACE!) - HA
Additional note: Unpacked from a4b42f503090cd3cd53963ddaf0be3e4eeedbd81ff02664668e68612816e727f

Entropy:


Binary Histogram:



=== SCREENSHOT === 



=== PEDUMP REPORT === 

=== MZ Header ===

  signature:             "MZ"
  bytes_in_last_block:   64                    0x40
  blocks_in_file:        1                     1
  num_relocs:            0                     0
  header_paragraphs:     2                     2
  min_extra_paragraphs:  4                     4
  max_extra_paragraphs:  65535                 0xffff
  ss:                    2                     2
  sp:                    64                    0x40
  checksum:              0                     0
  ip:                    14                    0xe
  cs:                    0                     0
  reloc_table_offset:    28                    0x1c
  overlay_number:        0                     0
  reserved0:             3706015365755568128   0x336e695700000000
  oem_id:                8242                  0x2032
  oem_info:              28271                 0x6e6f
  reserved2:             220297580             0xd21796c
  reserved3:             3020825610            0xb40e240a
  reserved4:             47625                 0xba09
  reserved5:             3089222943            0xb821cd1f
  reserved6:             567102465             0x21cd4c01
  lfanew:                64                    0x40

=== DOS STUB ===

  00000000: 57 69 6e 33 32 20 6f 6e 6c 79 21 0d 0a 24 0e b4  |Win32 only!..$..|
  00000010: 09 ba 00 00 1f cd 21 b8 01 4c cd 21 40 00 00 00  |......!..L.!@...|

=== PE Header ===

  signature:             "PE\x00\x00"

  # IMAGE_FILE_HEADER:
  Machine:               332          0x14c       x86
  NumberOfSections:      12           0xc
  TimeDateStamp:         "1970-01-01 00:00:00"
  PointerToSymbolTable:  0            0
  NumberOfSymbols:       1560281088   0x5d000000
  SizeOfOptionalHeader:  224          0xe0
  Characteristics:       8974         0x230e      EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED,
                                                  LOCAL_SYMS_STRIPPED, 32BIT_MACHINE,
                                                  DEBUG_STRIPPED, DLL

  # IMAGE_OPTIONAL_HEADER32:
  Magic:                    267          0x10b       32-bit executable
  LinkerVersion:            2.24
  SizeOfCode:               7168         0x1c00
  SizeOfInitializedData:    16384        0x4000
  SizeOfUninitializedData:  1024         0x400
  AddressOfEntryPoint:      4192         0x1060
  BaseOfCode:               4096         0x1000
  BaseOfData:               12288        0x3000
  ImageBase:                1649147904   0x624c0000
  SectionAlignment:         4096         0x1000
  FileAlignment:            512          0x200
  OperatingSystemVersion:   5.0
  ImageVersion:             1.0
  SubsystemVersion:         5.0
  Reserved1:                0            0
  SizeOfImage:              3682304      0x383000
  SizeOfHeaders:            1024         0x400
  CheckSum:                 1886369      0x1cc8a1
  Subsystem:                3            3           WINDOWS_CUI
  DllCharacteristics:       0            0
  SizeOfStackReserve:       2097152      0x200000
  SizeOfStackCommit:        4096         0x1000
  SizeOfHeapReserve:        1048576      0x100000
  SizeOfHeapCommit:         4096         0x1000
  LoaderFlags:              0            0
  NumberOfRvaAndSizes:      16           0x10

=== DATA DIRECTORY ===

  EXPORT        rva:0x      0  size:0x    0
  IMPORT        rva:0x 382000  size:0x   64
  RESOURCE      rva:0x 381000  size:0x  536
  EXCEPTION     rva:0x      0  size:0x    0
  SECURITY      rva:0x      0  size:0x    0
  BASERELOC     rva:0x      0  size:0x    0
  DEBUG         rva:0x      0  size:0x    0
  ARCHITECTURE  rva:0x      0  size:0x    0
  GLOBALPTR     rva:0x      0  size:0x    0
  TLS           rva:0x      0  size:0x    0
  LOAD_CONFIG   rva:0x      0  size:0x    0
  Bound_IAT     rva:0x      0  size:0x    0
  IAT           rva:0x      0  size:0x    0
  Delay_IAT     rva:0x      0  size:0x    0
  CLR_Header    rva:0x      0  size:0x    0
                rva:0x      0  size:0x    0

=== SECTIONS ===

  NAME      RVA      VSZ      RAW_SZ  RAW_PTR  nREL  REL_PTR  nLINE  LINE_PTR  FLAGS
  .text     1000     2000     1a14    400      0     0        0      0         60500060  R-X  CODE IDATA
  .data     3000     1000     1c      2000     0     0        0      0         c0300040  RW-  IDATA
  .rdata    4000     1000     322     2200     0     0        0      0         40300040  R--  IDATA
  .eh_fram  5000     1000     32c     2600     0     0        0      0         40300040  R--  IDATA
  .bss      6000     1000     36c     2a00     0     0        0      0         c0600080  RW-  UDATA
  .edata    7000     1000     55a     2e00     0     0        0      0         40300040  R--  IDATA
  .idata    8000     1000     52f     3400     0     0        0      0         c0300040  RW-  IDATA
  .CRT      9000     1000     14      3a00     0     0        0      0         c0300040  RW-  IDATA
  .tls      a000     376000   200     3c00     0     0        0      0         c0300040  RW-  IDATA
  .reloc    380000   1000     11c     3e00     0     0        0      0         40300040  R--  IDATA
  .rsrc     381000   1000     535     4000     0     0        0      0         c0300040  RW-  IDATA
            382000   2e0      2e0     4600     0     0        0      0         e0000060  RWX  CODE IDATA

=== RESOURCES ===

  FILE_OFFSET  CP  LANG   SIZE  TYPE     NAME
  0x4368       0   0      462   DIALOG   #100
  0x40a0       0   0x407  712   VERSION  #1

=== IMPORTS ===

  MODULE_NAME   HINT  ORD  FUNCTION_NAME
  kernel32.dll  53         CloseHandle
  kernel32.dll  89         CreateFileA
  kernel32.dll  0          DeleteCriticalSection
  kernel32.dll  0          EnterCriticalSection
  kernel32.dll  11a        ExitProcess
  kernel32.dll  163        FreeLibrary
  kernel32.dll  1bf        GetCurrentDirectoryA
  kernel32.dll  1e4        GetFileAttributesA
  kernel32.dll  201        GetLastError
  kernel32.dll  214        GetModuleHandleA
  kernel32.dll  244        GetProcAddress
  kernel32.dll  0          InitializeCriticalSection
  kernel32.dll  0          LeaveCriticalSection
  kernel32.dll  33d        LoadLibraryA
  kernel32.dll  468        SetFilePointer
  kernel32.dll  4cc        TlsGetValue
  kernel32.dll  4f5        VirtualProtect
  kernel32.dll  4f7        VirtualQuery
  kernel32.dll  52b        WriteFile
  msvcrt.dll    27f        _mbsdup
  msvcrt.dll    8d         __dllonexit
  msvcrt.dll    156        _errno
  msvcrt.dll    1db        _iob
  msvcrt.dll    476        abort
  msvcrt.dll    485        calloc
  msvcrt.dll    495        fflush
  msvcrt.dll    4a6        free
  msvcrt.dll    4b1        fwrite
  msvcrt.dll    4de        malloc
  msvcrt.dll    4ea        memcpy
  msvcrt.dll    50b        sprintf
  msvcrt.dll    50f        sscanf
  msvcrt.dll    278        _mbscpy
  msvcrt.dll    528        strtok
  msvcrt.dll    534        time
  msvcrt.dll    540        vfprintf
  user32.dll    ab         DialogBoxParamA
  user32.dll    da         EndDialog
  user32.dll    127        GetDlgItem
  user32.dll    12d        GetForegroundWindow
  user32.dll    1e3        KillTimer
  user32.dll    277        SendMessageA
  user32.dll    2bb        SetTimer

=== VERSION INFO ===

  # VS_FIXEDFILEINFO:
  FileVersion     : 1.4.2.6
  ProductVersion  : 1.4.2.6
  StrucVersion    : 0x10000
  FileFlagsMask   : 0x3f
  FileFlags       : 0
  FileOS          : 0x40004
  FileType        : 2
  FileSubtype     : 0
  VarFileInfo     : [ 0x409, 0x4b0 ]

  # StringTable 040904B0:
  CompanyName      : "Wincor Nixdorf"
  FileDescription  : "CNG Device Driver"
  FileVersion      : "111021 1426"
  InternalName     : "CSCWCNG.DLL"
  LegalCopyright   : "Copyright © Wincor Nixdorf 2019"
  OriginalFilename : "CSCWCNG.DLL"
  ProductName      : ""
  ProductVersion   : ""

=== NOTES ===

- TimeDateStamp is zeroed (1970-01-01) and NumberOfSymbols holds 0x5d000000 with no symbol table pointer: the COFF header has been scrubbed or rebuilt.
- The file is 18 KB, yet SizeOfImage is 0x383000 (about 3.5 MB): .tls declares a VirtualSize of 0x376000 against 0x200 bytes on disk, which pushes .reloc, .rsrc and the last section out to RVA 0x380000 and above.
- The IMPORT directory (RVA 0x382000, size 0x64) points into the trailing unnamed RWX section (flags e0000060) rather than into .idata, consistent with an import table rebuilt when the sample was unpacked (see Additional note). The EXPORT directory is empty although an .edata section is present.
- The SECURITY directory is empty, so the DLL carries no Authenticode signature, although the version resource presents it as the Wincor Nixdorf "CNG Device Driver" CSCWCNG.DLL. The LegalCopyright year (2019) postdates this notice (2018-09-03), and the "GCC: (tdm-1) 5.1.0" strings together with the MinGW pseudo-relocation runtime messages show a TDM-GCC/MinGW build.
- DllCharacteristics is 0 (no DYNAMIC_BASE, no NX_COMPAT) and .rsrc is mapped writable.
- The "Win32 only!" DOS stub sits at file offset 0x20, inside the MZ header's reserved area (the "40 00 00 00" at the end of the stub hexdump is lfanew at 0x3c), so the reserved0..reserved6 and oem_* values above are stub bytes, not meaningful header fields.
- DIALOG resource #100 carries the title "CNGTester" and the "Ms Shell Dlg" font, and DialogBoxParamA/SetTimer/SendMessageA are imported: the sample is a dialog-driven tool. Its strings spell out a cash-out sequence: CscCngOpen, session open, cassette read ("%d cassettes found. %d banknotes."), reset, "Dispensing %d notes from cassette %d", transport to WaitPos, transport to customer, "Success Cash Out". CscCngOpen and "No driver found!" sit side by side in .rdata and LoadLibraryA/GetProcAddress are imported, so the driver is most likely resolved by name at run time. The sscanf formats "%1[0-4]VAL=%8[0-9]", "%1[0-4]ACT=%8[0-9]" and "%1[0-4]CUR=%3[A-Z]" parse per-cassette records: a one-digit cassette index 0-4 followed by an 8-digit VAL field, an 8-digit ACT field and a 3-letter CUR field.
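As an added worked example (not part of this notice and not code from the sample), the header checks an analyst would run over the report above, in stdlib-only Python: it rebuilds a header-only PE32 image from the section table and header values printed in the report (constructed bytes, carrying none of the sample's code or data), parses it back and flags the zeroed timestamp, the inflated .tls VirtualSize, the unnamed RWX section, DllCharacteristics 0 and the missing Authenticode signature. The 16x VirtualSize ratio and the finding wording are this example's own choices, and the vendor name is passed in by hand because version-resource parsing is left out.

```python
import struct

IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE = 0x20000000, 0x80000000
FILE_HEADER_FMT = "<HHIIIHH"   # Machine, NumberOfSections, TimeDateStamp, PtrSymTab, NumSymbols, SizeOfOptHdr, Characteristics
SECTION_FMT = "<8sIIIIIIHHI"   # Name, VirtualSize, VirtualAddress, SizeOfRawData, PtrRawData, PtrReloc, PtrLine, nReloc, nLine, Characteristics

# Section table transcribed from the report: (name, RVA, VSZ, RAW_SZ, RAW_PTR, FLAGS).
REPORTED_SECTIONS = [
    (b".text", 0x1000, 0x2000, 0x1a14, 0x400, 0x60500060),
    (b".data", 0x3000, 0x1000, 0x1c, 0x2000, 0xc0300040),
    (b".rdata", 0x4000, 0x1000, 0x322, 0x2200, 0x40300040),
    (b".eh_fram", 0x5000, 0x1000, 0x32c, 0x2600, 0x40300040),
    (b".bss", 0x6000, 0x1000, 0x36c, 0x2a00, 0xc0600080),
    (b".edata", 0x7000, 0x1000, 0x55a, 0x2e00, 0x40300040),
    (b".idata", 0x8000, 0x1000, 0x52f, 0x3400, 0xc0300040),
    (b".CRT", 0x9000, 0x1000, 0x14, 0x3a00, 0xc0300040),
    (b".tls", 0xa000, 0x376000, 0x200, 0x3c00, 0xc0300040),
    (b".reloc", 0x380000, 0x1000, 0x11c, 0x3e00, 0x40300040),
    (b".rsrc", 0x381000, 0x1000, 0x535, 0x4000, 0xc0300040),
    (b"", 0x382000, 0x2e0, 0x2e0, 0x4600, 0xe0000060),
]


def build_sample_pe():
    """CONSTRUCTED header-only PE32 image reproducing the report's header values.
    It contains no code or data, so it is inert; it only exercises the parser."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3c, 0x40)                          # e_lfanew
    file_hdr = struct.pack(FILE_HEADER_FMT, 0x14c, len(REPORTED_SECTIONS),
                           0, 0, 0x5d000000, 0xe0, 0x230e)           # TimeDateStamp 0, PtrSymTab 0
    opt = bytearray(0xe0)
    struct.pack_into("<H", opt, 0x00, 0x10b)                         # PE32 magic
    struct.pack_into("<I", opt, 0x1c, 0x624c0000)                    # ImageBase
    struct.pack_into("<II", opt, 0x20, 0x1000, 0x200)                # SectionAlignment, FileAlignment
    struct.pack_into("<I", opt, 0x38, 0x383000)                      # SizeOfImage
    struct.pack_into("<H", opt, 0x46, 0)                             # DllCharacteristics
    struct.pack_into("<I", opt, 0x5c, 16)                            # NumberOfRvaAndSizes
    # Data directory begins at 0x60; entry 4 (SECURITY) stays rva=0,size=0 as in the report.
    secs = b"".join(struct.pack(SECTION_FMT, name.ljust(8, b"\0"), vsz, rva, raw_sz,
                                raw_ptr, 0, 0, 0, 0, flags)
                    for name, rva, vsz, raw_sz, raw_ptr, flags in REPORTED_SECTIONS)
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + secs


def parse_pe(data):
    """Minimal PE32 reader: file header, the optional-header fields triage needs,
    the SECURITY data-directory entry and the section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    lfanew = struct.unpack_from("<I", data, 0x3c)[0]
    if data[lfanew:lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    fh = struct.unpack_from(FILE_HEADER_FMT, data, lfanew + 4)
    opt = lfanew + 24                                   # 4-byte signature + 20-byte file header
    sections = []
    for i in range(fh[1]):                              # fh[5] = SizeOfOptionalHeader
        s = struct.unpack_from(SECTION_FMT, data, opt + fh[5] + i * 40)
        sections.append({"name": s[0].rstrip(b"\0").decode("ascii", "replace"),
                         "vsz": s[1], "rva": s[2], "raw_sz": s[3], "flags": s[9]})
    return {
        "TimeDateStamp": fh[2],
        "PointerToSymbolTable": fh[3],
        "NumberOfSymbols": fh[4],
        "SectionAlignment": struct.unpack_from("<I", data, opt + 0x20)[0],
        "DllCharacteristics": struct.unpack_from("<H", data, opt + 0x46)[0],
        "SecurityDirSize": struct.unpack_from("<II", data, opt + 0x60 + 4 * 8)[1],
        "sections": sections,
    }


def triage(pe, claimed_vendor=None):
    """Header heuristics chosen for this write-up; returns one string per finding.
    claimed_vendor is the CompanyName the analyst read from the version resource."""
    findings = []
    if pe["TimeDateStamp"] == 0:
        findings.append("TimeDateStamp is 0 (1970-01-01): build time stripped")
    if pe["NumberOfSymbols"] and not pe["PointerToSymbolTable"]:
        findings.append("NumberOfSymbols set while PointerToSymbolTable is 0: garbage COFF field")
    if pe["DllCharacteristics"] == 0:
        findings.append("DllCharacteristics is 0: no DYNAMIC_BASE, no NX_COMPAT")
    for s in pe["sections"]:
        label = s["name"] or "<unnamed>"
        if not s["name"]:
            findings.append(f"unnamed section at RVA {s['rva']:#x}")
        if s["flags"] & IMAGE_SCN_MEM_EXECUTE and s["flags"] & IMAGE_SCN_MEM_WRITE:
            findings.append(f"RWX section {label} at RVA {s['rva']:#x}")
        # VirtualSize far beyond the on-disk size (past alignment padding) inflates SizeOfImage.
        if s["vsz"] > 16 * max(s["raw_sz"], pe["SectionAlignment"]):
            findings.append(f"section {label} VirtualSize {s['vsz']:#x} dwarfs raw size {s['raw_sz']:#x}")
    if claimed_vendor and pe["SecurityDirSize"] == 0:
        findings.append(f"version info claims {claimed_vendor!r} but SECURITY directory is empty: unsigned")
    return findings


if __name__ == "__main__":
    for line in triage(parse_pe(build_sample_pe()), claimed_vendor="Wincor Nixdorf"):
        print("[!]", line)
```

To run the same checks on a real dump, replace build_sample_pe() with the file's bytes; parse_pe() reads only the headers, so it never executes or maps anything from the sample.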
=== Strings ===

File pos      Mem pos       ID  Text
============  ============  ==  ====
000000000020  0000624C0020  0   Win32 only!
000000000138  0000624C0138  0   .text
000000000160  0000624C0160  0   .data
000000000188  0000624C0188  0   .rdata
0000000001AE  0000624C01AE  0   0@.eh_fram
0000000001D6  0000624C01D6  0   0@.bss
000000000200  0000624C0200  0   .edata
000000000226  0000624C0226  0   0@.idata
0000000002A0  0000624C02A0  0   .reloc
0000000002C6  0000624C02C6  0   0@.rsrc
000000001626  0000624C2226  0   =XcLb
0000000016E7  0000624C22E7  0   $$BLb
000000001824  0000624C2424  0   $<BLb
000000001841  0000624C2441  0   CLb- CLb
000000001872  0000624C2472  0   5 CLb
00000000190B  0000624C250B  0   CLbs.
000000001939  0000624C2539  0   CLbr
0000000019FA  0000624C25FA  0   $pBLb
000000002200  0000624C4000  0   libgcj-16.dll
00000000220E  0000624C400E  0   _Jv_RegisterClasses
000000002224  0000624C4024  0   _%d-%d.z
00000000222D  0000624C402D  0   zyxwvutsrqponmlkjihgfedcba9876543210123456789abcdefghijklmnopqrstuvwxyz
000000002277  0000624C4077  0   %1[0-4]VAL=%8[0-9]
00000000228A  0000624C408A  0   %1[0-4]ACT=%8[0-9]
00000000229D  0000624C409D  0   %1[0-4]CUR=%3[A-Z]
0000000022B0  0000624C40B0  0   [%i] %s
0000000022B9  0000624C40B9  0   CscCngOpen
0000000022C4  0000624C40C4  0   %d,%02d;
0000000022CD  0000624C40CD  0   No driver found!
0000000022DE  0000624C40DE  0   Session Open Error! [%x]
0000000022F7  0000624C40F7  0   Cassettes Read Error! [%x]
000000002312  0000624C4112  0   %d cassettes found. %d banknotes.
000000002334  0000624C4134  0   Reset Error! [%x]
000000002346  0000624C4146  0   Exc Acc Error! [%x]
00000000235A  0000624C415A  0   [%d] Dispensing %d notes from cassette %d
000000002384  0000624C4184  0   Dispense Error! [%x]
000000002399  0000624C4199  0   Transporting Cash to WaitPos...
0000000023B9  0000624C41B9  0   Transport WaitPos Error! [%x]
0000000023D7  0000624C41D7  0   Transporting Cash to Customer
0000000023F5  0000624C41F5  0   Transport Out Error! [%x]
00000000240F  0000624C420F  0   Success Cash Out
000000002420  0000624C4220  0   "LbMingw runtime failure:
00000000243C  0000624C423C  0   VirtualQuery failed for %d bytes at address %p
000000002470  0000624C4270  0   Unknown pseudo relocation protocol version %d.
0000000024A4  0000624C42A4  0   Unknown pseudo relocation bit size %d.
0000000024D0  0000624C42D0  0   GCC: (tdm-1) 5.1.0
0000000024E4  0000624C42E4  0   GCC: (tdm-1) 5.1.0
0000000024F8  0000624C42F8  0   GCC: (tdm-1) 5.1.0
00000000250C  0000624C430C  0   GCC: (tdm-1) 5.1.0
000000002E40  0000624C7040  0   zC6C4qC
000000002E56  0000624C7056  0   iC [E
000000003030  0000624C7230  0   AS Pi
0000000030B8  0000624C72B8  0   7q-Fa9q
0000000030F0  0000624C72F0  0   Qo4=-
0000000031DA  0000624C73DA  0   PfKUX]7
0000000031E2  0000624C73E2  0   ~XMZ
0000000031EF  0000624C73EF  0   xDMXf
0000000031F8  0000624C73F8  0   $t|XV
000000003226  0000624C7426  0   JX1*m
000000003267  0000624C7467  0   ;CS~_~GS
000000003283  0000624C7483  0   o,k<U
000000003328  0000624C7528  0   &cF\b
00000000343D  0000624C803D  0   ,c;(5
00000000364B  0000624C824B  0   J,*qHl
0000000036CC  0000624C82CC  0   N:m$|
000000003735  0000624C8335  0   \3V)p
000000003779  0000624C8379  0   yj<Cj.
000000003789  0000624C8389  0   ~/NKu
000000003E5C  00006284005C  0   q50;4;8;<;H;L;P;
000000003EB5  0000628400B5  0   6 6$6(6,6
000000004664  000062842064  0   kernel32.dll
000000004673  000062842073  0   CloseHandle
000000004681  000062842081  0   CreateFileA
00000000468F  00006284208F  0   DeleteCriticalSection
0000000046A7  0000628420A7  0   EnterCriticalSection
0000000046BE  0000628420BE  0   ExitProcess
0000000046CC  0000628420CC  0   FreeLibrary
0000000046DA  0000628420DA  0   GetCurrentDirectoryA
0000000046F1  0000628420F1  0   GetFileAttributesA
000000004706  000062842106  0   GetLastError
000000004715  000062842115  0   GetModuleHandleA
000000004728  000062842128  0   GetProcAddress
000000004739  000062842139  0   InitializeCriticalSection
000000004755  000062842155  0   LeaveCriticalSection
00000000476C  00006284216C  0   LoadLibraryA
00000000477B  00006284217B  0   SetFilePointer
00000000478C  00006284218C  0   TlsGetValue
00000000479A  00006284219A  0   VirtualProtect
0000000047AB  0000628421AB  0   VirtualQuery
0000000047BA  0000628421BA  0   WriteFile
0000000047C4  0000628421C4  0   msvcrt.dll
0000000047D1  0000628421D1  0   _mbsdup
0000000047DB  0000628421DB  0   __dllonexit
0000000047E9  0000628421E9  0   _errno
0000000047F9  0000628421F9  0   abort
000000004801  000062842201  0   calloc
00000000480A  00006284220A  0   fflush
00000000481A  00006284221A  0   fwrite
000000004823  000062842223  0   malloc
00000000482C  00006284222C  0   memcpy
000000004835  000062842235  0   sprintf
00000000483F  00006284223F  0   sscanf
000000004848  000062842248  0   _mbscpy
000000004852  000062842252  0   strtok
000000004862  000062842262  0   vfprintf
00000000486B  00006284226B  0   user32.dll
000000004878  000062842278  0   DialogBoxParamA
00000000488A  00006284228A  0   EndDialog
000000004896  000062842296  0   GetDlgItem
0000000048A3  0000628422A3  0   GetForegroundWindow
0000000048B9  0000628422B9  0   KillTimer
0000000048C5  0000628422C5  0   SendMessageA
0000000048D4  0000628422D4  0   SetTimer
0000000040A6  0000628410A6  0   VS_VERSION_INFO
000000004102  000062841102  0   VarFileInfo
000000004122  000062841122  0   Translation
000000004146  000062841146  0   StringFileInfo
00000000416A  00006284116A  0   040904B0
000000004182  000062841182  0   CompanyName
00000000419C  00006284119C  0   Wincor Nixdorf
0000000041C2  0000628411C2  0   FileDescription
0000000041E4  0000628411E4  0   CNG Device Driver
00000000420E  00006284120E  0   FileVersion
000000004228  000062841228  0   111021 1426
000000004246  000062841246  0   InternalName
000000004260  000062841260  0   CSCWCNG.DLL
00000000427E  00006284127E  0   LegalCopyright
0000000042B2  0000628412B2  0   Wincor Nixdorf 2019
0000000042E2  0000628412E2  0   OriginalFilename
000000004304  000062841304  0   CSCWCNG.DLL
000000004322  000062841322  0   ProductName
000000004346  000062841346  0   ProductVersion
00000000437E  00006284137E  0   CNGTester
000000004394  000062841394  0   Ms Shell Dlg
=== DOWNLOAD ===