.- - -----÷M÷E÷N÷U÷------------------------------------------------------------- --- ----  -------------.
!  WALL ! STATS ! GOODIES ! YARA ! FAQ ! RSS ! EMV                                                      !
`--------------  - ---  ---------- -------- -------- -------- -------- ----------------- -  ---- ---- --'

                                           ATM MALWARE NOTICE 
                    a5d0cd1bc33f44d25695ebd6530757180f4fc4d87a1658ee2f0d8fc42d09fb80
 
Date...........: 2018-08-08
Family.........: WinPot
File name......: nine.exe
File size......: 33.30 KB
Type file......: EXE/Windows
Virscan........: VT - HA

Entropy:


Binary Histogram:



=== SCREENSHOT === 



=== PEDUMP REPORT === 
=== MZ Header === signature: "MZ" bytes_in_last_block: 144 0x90 blocks_in_file: 3 3 num_relocs: 0 0 header_paragraphs: 4 4 min_extra_paragraphs: 0 0 max_extra_paragraphs: 65535 0xffff ss: 0 0 sp: 184 0xb8 checksum: 0 0 ip: 0 0 cs: 0 0 reloc_table_offset: 64 0x40 overlay_number: 0 0 reserved0: 0 0 oem_id: 0 0 oem_info: 0 0 reserved2: 0 0 reserved3: 0 0 reserved4: 0 0 reserved5: 0 0 reserved6: 0 0 lfanew: 128 0x80 === DOS STUB === 00000000: 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 |........!..L.!Th| 00000010: 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f |is program canno| 00000020: 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 |t be run in DOS | 00000030: 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 |mode....$.......| === PE Header === signature: "PE\x00\x00" # IMAGE_FILE_HEADER: Machine: 332 0x14c x86 NumberOfSections: 9 9 TimeDateStamp: "2026-01-14 09:44:18" PointerToSymbolTable: 0 0 NumberOfSymbols: 0 0 SizeOfOptionalHeader: 224 0xe0 Characteristics: 783 0x30f RELOCS_STRIPPED, EXECUTABLE_IMAGE LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED 32BIT_MACHINE, DEBUG_STRIPPED # IMAGE_OPTIONAL_HEADER32: Magic: 267 0x10b 32-bit executable LinkerVersion: 2.24 SizeOfCode: 8192 0x2000 SizeOfInitializedData: 20992 0x5200 SizeOfUninitializedData: 512 0x200 AddressOfEntryPoint: 4768 0x12a0 BaseOfCode: 4096 0x1000 BaseOfData: 12288 0x3000 ImageBase: 4194304 0x400000 SectionAlignment: 4096 0x1000 FileAlignment: 512 0x200 OperatingSystemVersion: 4.0 ImageVersion: 1.0 SubsystemVersion: 4.0 Reserved1: 0 0 SizeOfImage: 49152 0xc000 SizeOfHeaders: 1024 0x400 CheckSum: 83005 0x1443d Subsystem: 2 2 WINDOWS_GUI DllCharacteristics: 0 0 SizeOfStackReserve: 2097152 0x200000 SizeOfStackCommit: 4096 0x1000 SizeOfHeapReserve: 1048576 0x100000 SizeOfHeapCommit: 4096 0x1000 LoaderFlags: 0 0 NumberOfRvaAndSizes: 16 0x10 === DATA DIRECTORY === EXPORT rva:0x 0 size:0x 0 IMPORT rva:0x 7000 size:0x 660 RESOURCE rva:0x a000 size:0x 1a18 EXCEPTION rva:0x 0 size:0x 0 SECURITY rva:0x 0 size:0x 0 BASERELOC rva:0x 0 size:0x 0 DEBUG rva:0x 0 size:0x 0 ARCHITECTURE rva:0x 0 size:0x 0 GLOBALPTR rva:0x 0 size:0x 0 TLS rva:0x 9004 size:0x 18 LOAD_CONFIG rva:0x 0 size:0x 0 Bound_IAT rva:0x 0 size:0x 0 IAT rva:0x 715c size:0x e4 Delay_IAT rva:0x 0 size:0x 0 CLR_Header rva:0x 0 size:0x 0 rva:0x 0 size:0x 0 === SECTIONS === NAME RVA VSZ RAW_SZ RAW_PTR nREL REL_PTR nLINE LINE_PTR FLAGS .text 1000 1f14 2000 400 0 0 0 0 60500060 R-X CODE IDATA .data 3000 28 200 2400 0 0 0 0 c0300040 RW- IDATA .rdata 4000 27c 400 2600 0 0 0 0 40300040 R-- IDATA .eh_fram 5000 3f8 400 2a00 0 0 0 0 40300040 R-- IDATA .bss 6000 f8 0 0 0 0 0 0 c0600080 RW- UDATA .idata 7000 660 800 2e00 0 0 0 0 c0300040 RW- IDATA .CRT 8000 18 200 3600 0 0 0 0 c0300040 RW- IDATA .tls 9000 20 200 3800 0 0 0 0 c0300040 RW- IDATA .rsrc a000 1a18 1c00 3a00 0 0 0 0 c0300040 RW- IDATA === TLS === RAW_START RAW_END INDEX CALLBKS ZEROFILL FLAGS 409001 40901c 4060ac 408004 0 0 === RESOURCES === FILE_OFFSET CP LANG SIZE TYPE NAME 0x3ae8 0 0 5672 ICON #1 0x5110 0 0 754 DIALOG #100 0x5404 0 0 20 GROUP_ICON #102 [?] can't find file_offset of VA 0x60ac === IMPORTS === MODULE_NAME HINT ORD FUNCTION_NAME COMCTL32.DLL 5e InitCommonControls KERNEL32.dll 52 CloseHandle KERNEL32.dll b3 CreateThread KERNEL32.dll cf DeleteCriticalSection KERNEL32.dll ec EnterCriticalSection KERNEL32.dll 117 ExitProcess KERNEL32.dll 160 FreeLibrary KERNEL32.dll 184 GetCommandLineA KERNEL32.dll 1fe GetLastError KERNEL32.dll 1ff GetLocalTime KERNEL32.dll 211 GetModuleHandleA KERNEL32.dll 241 GetProcAddress KERNEL32.dll 25e GetStartupInfoA KERNEL32.dll 2de InitializeCriticalSection KERNEL32.dll 32e LeaveCriticalSection KERNEL32.dll 331 LoadLibraryA KERNEL32.dll 474 SetUnhandledExceptionFilter KERNEL32.dll 48f TerminateThread KERNEL32.dll 495 TlsGetValue KERNEL32.dll 4bd VirtualProtect KERNEL32.dll 4bf VirtualQuery KERNEL32.dll 4c7 WaitForSingleObject msvcrt.dll 2b _itoa msvcrt.dll 50 _strdup msvcrt.dll 37 __getmainargs msvcrt.dll 4d __p__environ msvcrt.dll 4f __p__fmode msvcrt.dll 63 __set_app_type msvcrt.dll 93 _cexit msvcrt.dll 10a _iob msvcrt.dll 17f _onexit msvcrt.dll 1aa _setmode msvcrt.dll 247 abort msvcrt.dll 24e atexit msvcrt.dll 250 atoi msvcrt.dll 253 calloc msvcrt.dll 271 free msvcrt.dll 279 fwrite msvcrt.dll 2aa memcpy msvcrt.dll 2c2 signal msvcrt.dll 2c5 sprintf msvcrt.dll 2c8 sscanf msvcrt.dll 2da strtok msvcrt.dll 2ec vfprintf USER32.dll 93 DialogBoxParamA USER32.dll b4 EnableWindow USER32.dll b6 EndDialog USER32.dll fd GetDlgItem USER32.dll 19b LoadImageA USER32.dll 1d4 PostQuitMessage USER32.dll 1fc SendMessageA USER32.dll 233 SetTimer
=== Strings ===
File pos Mem pos ID Text ======== ======= == ==== 00000000004D 00000040004D 0 !This program cannot be run in DOS mode. 000000000178 000000400178 0 .text 0000000001A0 0000004001A0 0 .data 0000000001C8 0000004001C8 0 .rdata 0000000001EE 0000004001EE 0 0@.eh_fram 000000000216 000000400216 0 0@.bss 000000000240 000000400240 0 .idata 0000000002B8 0000004002B8 0 .rsrc 000000002408 000000403008 0 CSCCNG 000000002410 000000403010 0 CSCWCNG 000000002600 000000404000 0 libgcj-16.dll 00000000260E 00000040400E 0 _Jv_RegisterClasses 000000002626 000000404026 0 %1[0-9]NDV=%8[0-9], 00000000263A 00000040403A 0 %1[0-9]NDV=%8[0-9] 00000000264D 00000040404D 0 %1[0-9]VAL=%8[0-9] 000000002660 000000404060 0 CscCngOpen 00000000266B 00000040406B 0 CscCngStatusRead 00000000267C 00000040407C 0 CscCngClose 000000002688 000000404088 0 CscCngDispense 000000002697 000000404097 0 CscCngTransport 0000000026A7 0000004040A7 0 CscCngReset 0000000026B3 0000004040B3 0 Open error: 0x80 0000000026C4 0000004040C4 0 %d,%02d; 0000000026CD 0000004040CD 0 Getting %d note(s) from %d 0000000026E8 0000004040E8 0 Dispense error: 0x80 0000000026FD 0000004040FD 0 Transport 000000002707 000000404107 0 Transport error: 0x80 00000000271D 00000040411D 0 Transport to customer 000000002733 000000404133 0 Transport error: 0x8000 00000000274B 00000040414B 0 Dispence Success 00000000275F 00000040415F 0 Thread error! 00000000276D 00000040416D 0 Thread open. 000000002780 000000404180 0 Mingw runtime failure: 000000002798 000000404198 0 VirtualQuery failed for %d bytes at address %p 0000000027CC 0000004041CC 0 Unknown pseudo relocation protocol version %d. 000000002800 000000404200 0 Unknown pseudo relocation bit size %d. 00000000282C 00000040422C 0 GCC: (tdm-1) 5.1.0 000000002840 000000404240 0 GCC: (tdm-1) 5.1.0 000000002854 000000404254 0 GCC: (tdm-1) 5.1.0 000000002868 000000404268 0 GCC: (tdm-1) 5.1.0 000000003042 000000407242 0 InitCommonControls 000000003058 000000407258 0 CloseHandle 000000003066 000000407266 0 CreateThread 000000003076 000000407276 0 DeleteCriticalSection 00000000308E 00000040728E 0 EnterCriticalSection 0000000030A6 0000004072A6 0 ExitProcess 0000000030B4 0000004072B4 0 FreeLibrary 0000000030C2 0000004072C2 0 GetCommandLineA 0000000030D4 0000004072D4 0 GetLastError 0000000030E4 0000004072E4 0 GetLocalTime 0000000030F4 0000004072F4 0 GetModuleHandleA 000000003108 000000407308 0 GetProcAddress 00000000311A 00000040731A 0 GetStartupInfoA 00000000312C 00000040732C 0 InitializeCriticalSection 000000003148 000000407348 0 LeaveCriticalSection 000000003160 000000407360 0 LoadLibraryA 000000003170 000000407370 0 SetUnhandledExceptionFilter 00000000318E 00000040738E 0 TerminateThread 0000000031A0 0000004073A0 0 TlsGetValue 0000000031AE 0000004073AE 0 VirtualProtect File pos Mem pos ID Text ======== ======= == ==== 0000000031C0 0000004073C0 0 VirtualQuery 0000000031D0 0000004073D0 0 WaitForSingleObject 0000000031E6 0000004073E6 0 _itoa 0000000031EE 0000004073EE 0 _strdup 0000000031F8 0000004073F8 0 __getmainargs 000000003208 000000407408 0 __p__environ 000000003218 000000407418 0 __p__fmode 000000003226 000000407426 0 __set_app_type 000000003238 000000407438 0 _cexit 00000000324A 00000040744A 0 _onexit 000000003254 000000407454 0 _setmode 000000003260 000000407460 0 abort 000000003268 000000407468 0 atexit 00000000327A 00000040747A 0 calloc 00000000328C 00000040748C 0 fwrite 000000003296 000000407496 0 memcpy 0000000032A0 0000004074A0 0 signal 0000000032AA 0000004074AA 0 sprintf 0000000032B4 0000004074B4 0 sscanf 0000000032BE 0000004074BE 0 strtok 0000000032C8 0000004074C8 0 vfprintf 0000000032D4 0000004074D4 0 DialogBoxParamA 0000000032E6 0000004074E6 0 EnableWindow 0000000032F6 0000004074F6 0 EndDialog 000000003302 000000407502 0 GetDlgItem 000000003310 000000407510 0 LoadImageA 00000000331E 00000040751E 0 PostQuitMessage 000000003330 000000407530 0 SendMessageA 000000003340 000000407540 0 SetTimer 000000003350 000000407550 0 COMCTL32.DLL 0000000033B4 0000004075B4 0 KERNEL32.dll 0000000033CC 0000004075CC 0 msvcrt.dll 000000003428 000000407628 0 msvcrt.dll 000000003454 000000407654 0 USER32.dll 000000003F3D 00000040A53D 0 &&&&&&&&& 000000003FA5 00000040A5A5 0 QQQQQ 000000003FBB 00000040A5BB 0 &&&&&&&&& 000000003FDA 00000040A5DA 0 ?????????QQQQ 000000003FFA 00000040A5FA 0 QQQ????????? 000000004023 00000040A623 0 NNNNN:::::::::::::::::::::NNN 000000004059 00000040A659 0 [[[[[ 0000000041C1 00000040A7C1 0 ======= 000000004210 00000040A810 0 QQQ : 000000004250 00000040A850 0 QQ? : 000000004290 00000040A890 0 QQ? :\ 00000000469A 00000040AC9A 0 ]]]]]]]] 0000000046AC 00000040ACAC 0 ]]]]]]]]] 0000000046EB 00000040ACEB 0 LL_____ 0000000046F3 00000040ACF3 0 LLLLX 0000000046FC 00000040ACFC 0 VXXXLXXXXXXXV 00000000482B 00000040AE2B 0 ''''''''''''' 00000000485A 00000040AE5A 0 YYY::Y:NNNNddcccd 000000004A28 00000040B028 0 #N#ff 000000004BA0 00000040B1A0 0 N*++BBB* 000000004C15 00000040B215 0 iNi## 000000004CA2 00000040B2A2 0 :bgbf 000000004CB1 00000040B2B1 0 iAcfb 000000004CE6 00000040B2E6 0 & Q# 000000004D23 00000040B323 0 bAp88( 000000004D54 00000040B354 0 Ncdc:N File pos Mem pos ID Text ======== ======= == ==== 000000004E23 00000040B423 0 &&&&& 000000004E7F 00000040B47F 0 000000005126 00000040B726 0 WinPot 000000005136 00000040B736 0 Ms Shell Dlg 00000000004D 00000040004D 0 !This program cannot be run in DOS mode. 000000000178 000000400178 0 .text 0000000001A0 0000004001A0 0 .data 0000000001C8 0000004001C8 0 .rdata 0000000001EE 0000004001EE 0 0@.eh_fram 000000000216 000000400216 0 0@.bss 000000000240 000000400240 0 .idata 0000000002B8 0000004002B8 0 .rsrc 000000002408 000000403008 0 CSCCNG 000000002410 000000403010 0 CSCWCNG 000000002600 000000404000 0 libgcj-16.dll 00000000260E 00000040400E 0 _Jv_RegisterClasses 000000002626 000000404026 0 %1[0-9]NDV=%8[0-9], 00000000263A 00000040403A 0 %1[0-9]NDV=%8[0-9] 00000000264D 00000040404D 0 %1[0-9]VAL=%8[0-9] 000000002660 000000404060 0 CscCngOpen 00000000266B 00000040406B 0 CscCngStatusRead 00000000267C 00000040407C 0 CscCngClose 000000002688 000000404088 0 CscCngDispense 000000002697 000000404097 0 CscCngTransport 0000000026A7 0000004040A7 0 CscCngReset 0000000026B3 0000004040B3 0 Open error: 0x80 0000000026C4 0000004040C4 0 %d,%02d; 0000000026CD 0000004040CD 0 Getting %d note(s) from %d 0000000026E8 0000004040E8 0 Dispense error: 0x80 0000000026FD 0000004040FD 0 Transport 000000002707 000000404107 0 Transport error: 0x80 00000000271D 00000040411D 0 Transport to customer 000000002733 000000404133 0 Transport error: 0x8000 00000000274B 00000040414B 0 Dispence Success 00000000275F 00000040415F 0 Thread error! 00000000276D 00000040416D 0 Thread open. 000000002780 000000404180 0 Mingw runtime failure: 000000002798 000000404198 0 VirtualQuery failed for %d bytes at address %p 0000000027CC 0000004041CC 0 Unknown pseudo relocation protocol version %d. 000000002800 000000404200 0 Unknown pseudo relocation bit size %d. 00000000282C 00000040422C 0 GCC: (tdm-1) 5.1.0 000000002840 000000404240 0 GCC: (tdm-1) 5.1.0 000000002854 000000404254 0 GCC: (tdm-1) 5.1.0 000000002868 000000404268 0 GCC: (tdm-1) 5.1.0 000000003042 000000407242 0 InitCommonControls 000000003058 000000407258 0 CloseHandle 000000003066 000000407266 0 CreateThread 000000003076 000000407276 0 DeleteCriticalSection 00000000308E 00000040728E 0 EnterCriticalSection 0000000030A6 0000004072A6 0 ExitProcess 0000000030B4 0000004072B4 0 FreeLibrary 0000000030C2 0000004072C2 0 GetCommandLineA 0000000030D4 0000004072D4 0 GetLastError 0000000030E4 0000004072E4 0 GetLocalTime 0000000030F4 0000004072F4 0 GetModuleHandleA 000000003108 000000407308 0 GetProcAddress 00000000311A 00000040731A 0 GetStartupInfoA 00000000312C 00000040732C 0 InitializeCriticalSection 000000003148 000000407348 0 LeaveCriticalSection 000000003160 000000407360 0 LoadLibraryA File pos Mem pos ID Text ======== ======= == ==== 000000003170 000000407370 0 SetUnhandledExceptionFilter 00000000318E 00000040738E 0 TerminateThread 0000000031A0 0000004073A0 0 TlsGetValue 0000000031AE 0000004073AE 0 VirtualProtect 0000000031C0 0000004073C0 0 VirtualQuery 0000000031D0 0000004073D0 0 WaitForSingleObject 0000000031E6 0000004073E6 0 _itoa 0000000031EE 0000004073EE 0 _strdup 0000000031F8 0000004073F8 0 __getmainargs 000000003208 000000407408 0 __p__environ 000000003218 000000407418 0 __p__fmode 000000003226 000000407426 0 __set_app_type 000000003238 000000407438 0 _cexit 00000000324A 00000040744A 0 _onexit 000000003254 000000407454 0 _setmode 000000003260 000000407460 0 abort 000000003268 000000407468 0 atexit 00000000327A 00000040747A 0 calloc 00000000328C 00000040748C 0 fwrite 000000003296 000000407496 0 memcpy 0000000032A0 0000004074A0 0 signal 0000000032AA 0000004074AA 0 sprintf 0000000032B4 0000004074B4 0 sscanf 0000000032BE 0000004074BE 0 strtok 0000000032C8 0000004074C8 0 vfprintf 0000000032D4 0000004074D4 0 DialogBoxParamA 0000000032E6 0000004074E6 0 EnableWindow 0000000032F6 0000004074F6 0 EndDialog 000000003302 000000407502 0 GetDlgItem 000000003310 000000407510 0 LoadImageA 00000000331E 00000040751E 0 PostQuitMessage 000000003330 000000407530 0 SendMessageA 000000003340 000000407540 0 SetTimer 000000003350 000000407550 0 COMCTL32.DLL 0000000033B4 0000004075B4 0 KERNEL32.dll 0000000033CC 0000004075CC 0 msvcrt.dll 000000003428 000000407628 0 msvcrt.dll 000000003454 000000407654 0 USER32.dll 000000003F3D 00000040A53D 0 &&&&&&&&& 000000003FA5 00000040A5A5 0 QQQQQ 000000003FBB 00000040A5BB 0 &&&&&&&&& 000000003FDA 00000040A5DA 0 ?????????QQQQ 000000003FFA 00000040A5FA 0 QQQ????????? 000000004023 00000040A623 0 NNNNN:::::::::::::::::::::NNN 000000004059 00000040A659 0 [[[[[ 0000000041C1 00000040A7C1 0 ======= 000000004210 00000040A810 0 QQQ : 000000004250 00000040A850 0 QQ? : 000000004290 00000040A890 0 QQ? :\ 00000000469A 00000040AC9A 0 ]]]]]]]] 0000000046AC 00000040ACAC 0 ]]]]]]]]] 0000000046EB 00000040ACEB 0 LL_____ 0000000046F3 00000040ACF3 0 LLLLX 0000000046FC 00000040ACFC 0 VXXXLXXXXXXXV 00000000482B 00000040AE2B 0 ''''''''''''' 00000000485A 00000040AE5A 0 YYY::Y:NNNNddcccd 000000004A28 00000040B028 0 #N#ff 000000004BA0 00000040B1A0 0 N*++BBB* 000000004C15 00000040B215 0 iNi## 000000004CA2 00000040B2A2 0 :bgbf File pos Mem pos ID Text ======== ======= == ==== 000000004CB1 00000040B2B1 0 iAcfb 000000004CE6 00000040B2E6 0 & Q# 000000004D23 00000040B323 0 bAp88( 000000004D54 00000040B354 0 Ncdc:N 000000004E23 00000040B423 0 &&&&& 000000004E7F 00000040B47F 0 000000005126 00000040B726 0 WinPot 000000005136 00000040B736 0 Ms Shell Dlg
=== DOWNLOAD === Mirror provided by vx-underground.org, thx!