ATM MALWARE NOTICE
acc9be34ac6effb6a87cd5110f68e7c59a982f44fa53619a07e5c67da1b99a53
Date...........: 2020-02-21
Family.........: WinPotv3
File name......: showme.exe
File size......: 48.00 KB
Type file......: EXE/Windows
Virscan........: VT - HA
Additional note: Not packed.
Entropy:
Binary Histogram:
=== SCREENSHOT ===
=== PEDUMP REPORT ===
=== MZ Header ===
signature: "MZ"
bytes_in_last_block: 144 0x90
blocks_in_file: 3 3
num_relocs: 0 0
header_paragraphs: 4 4
min_extra_paragraphs: 0 0
max_extra_paragraphs: 65535 0xffff
ss: 0 0
sp: 184 0xb8
checksum: 0 0
ip: 0 0
cs: 0 0
reloc_table_offset: 64 0x40
overlay_number: 0 0
reserved0: 0 0
oem_id: 0 0
oem_info: 0 0
reserved2: 0 0
reserved3: 0 0
reserved4: 0 0
reserved5: 0 0
reserved6: 0 0
lfanew: 128 0x80
=== DOS STUB ===
00000000: 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 |........!..L.!Th|
00000010: 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f |is program canno|
00000020: 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 |t be run in DOS |
00000030: 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 |mode....$.......|
=== PE Header ===
signature: "PE\x00\x00"
# IMAGE_FILE_HEADER:
Machine: 332 0x14c x86
NumberOfSections: 9 9
TimeDateStamp: "2026-01-14 09:44:18" (post-dates the 2020-02-21 notice date, so the PE compile timestamp is unreliable and should not be used for timeline attribution)
PointerToSymbolTable: 0 0
NumberOfSymbols: 0 0
SizeOfOptionalHeader: 224 0xe0
Characteristics: 783 0x30f RELOCS_STRIPPED, EXECUTABLE_IMAGE
LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED
32BIT_MACHINE, DEBUG_STRIPPED
# IMAGE_OPTIONAL_HEADER32:
Magic: 267 0x10b 32-bit executable
LinkerVersion: 2.24
SizeOfCode: 6656 0x1a00
SizeOfInitializedData: 48128 0xbc00
SizeOfUninitializedData: 1024 0x400
AddressOfEntryPoint: 4768 0x12a0
BaseOfCode: 4096 0x1000
BaseOfData: 12288 0x3000
ImageBase: 4194304 0x400000
SectionAlignment: 4096 0x1000
FileAlignment: 512 0x200
OperatingSystemVersion: 4.0
ImageVersion: 1.0
SubsystemVersion: 4.0
Reserved1: 0 0
SizeOfImage: 77824 0x13000
SizeOfHeaders: 1024 0x400
CheckSum: 59839 0xe9bf
Subsystem: 2 2 WINDOWS_GUI
DllCharacteristics: 0 0
SizeOfStackReserve: 2097152 0x200000
SizeOfStackCommit: 4096 0x1000
SizeOfHeapReserve: 1048576 0x100000
SizeOfHeapCommit: 4096 0x1000
LoaderFlags: 0 0
NumberOfRvaAndSizes: 16 0x10
=== DATA DIRECTORY ===
EXPORT rva:0x 0 size:0x 0
IMPORT rva:0x 7000 size:0x 5ec
RESOURCE rva:0x a000 size:0x 8c7c
EXCEPTION rva:0x 0 size:0x 0
SECURITY rva:0x 0 size:0x 0
BASERELOC rva:0x 0 size:0x 0
DEBUG rva:0x 0 size:0x 0
ARCHITECTURE rva:0x 0 size:0x 0
GLOBALPTR rva:0x 0 size:0x 0
TLS rva:0x 9004 size:0x 18
LOAD_CONFIG rva:0x 0 size:0x 0
Bound_IAT rva:0x 0 size:0x 0
IAT rva:0x 715c size:0x d0
Delay_IAT rva:0x 0 size:0x 0
CLR_Header rva:0x 0 size:0x 0
rva:0x 0 size:0x 0
=== SECTIONS ===
NAME RVA VSZ RAW_SZ RAW_PTR nREL REL_PTR nLINE LINE_PTR FLAGS
.text 1000 1894 1a00 400 0 0 0 0 60500060 R-X CODE IDATA
.data 3000 20 200 1e00 0 0 0 0 c0300040 RW- IDATA
.rdata 4000 238 400 2000 0 0 0 0 40300040 R-- IDATA
.eh_fram 5000 3f8 400 2400 0 0 0 0 40300040 R-- IDATA
.bss 6000 398 0 0 0 0 0 0 c0600080 RW- UDATA
.idata 7000 5ec 600 2800 0 0 0 0 c0300040 RW- IDATA
.CRT 8000 18 200 2e00 0 0 0 0 c0300040 RW- IDATA
.tls 9000 20 200 3000 0 0 0 0 c0300040 RW- IDATA
.rsrc a000 8c7c 8e00 3200 0 0 0 0 c0300040 RW- IDATA
=== TLS ===
RAW_START RAW_END INDEX CALLBKS ZEROFILL FLAGS
409001 40901c 40634c 408004 0 0
=== RESOURCES ===
FILE_OFFSET CP LANG SIZE TYPE NAME
0x33a8 0 0 1384 ICON #1
0x3910 0 0 9640 ICON #2
0x5eb8 0 0 4264 ICON #3
0x6f60 0 0 16936 ICON #4
0xb188 0 0 2440 ICON #5
0xbb10 0 0 798 DIALOG #100
0xbe30 0 0 76 GROUP_ICON #102
[?] can't find file_offset of VA 0x634c (the TLS AddressOfIndex slot 0x40634c falls in .bss, which has RAW_SZ 0, so it has no file offset; expected for uninitialized data and not by itself an anomaly)
=== IMPORTS ===
MODULE_NAME HINT ORD FUNCTION_NAME
ADVAPI32.DLL f5 GetUserNameA
COMCTL32.DLL 5e InitCommonControls
KERNEL32.dll cf DeleteCriticalSection
KERNEL32.dll ec EnterCriticalSection
KERNEL32.dll 117 ExitProcess
KERNEL32.dll 160 FreeLibrary
KERNEL32.dll 184 GetCommandLineA
KERNEL32.dll 18a GetComputerNameA
KERNEL32.dll 1fe GetLastError
KERNEL32.dll 1ff GetLocalTime
KERNEL32.dll 211 GetModuleHandleA
KERNEL32.dll 241 GetProcAddress
KERNEL32.dll 25e GetStartupInfoA
KERNEL32.dll 2de InitializeCriticalSection
KERNEL32.dll 32e LeaveCriticalSection
KERNEL32.dll 331 LoadLibraryA
KERNEL32.dll 474 SetUnhandledExceptionFilter
KERNEL32.dll 495 TlsGetValue
KERNEL32.dll 4bd VirtualProtect
KERNEL32.dll 4bf VirtualQuery
msvcrt.dll 50 _strdup
msvcrt.dll 37 __getmainargs
msvcrt.dll 4d __p__environ
msvcrt.dll 4f __p__fmode
msvcrt.dll 63 __set_app_type
msvcrt.dll 93 _cexit
msvcrt.dll 10a _iob
msvcrt.dll 17f _onexit
msvcrt.dll 1aa _setmode
msvcrt.dll 247 abort
msvcrt.dll 24e atexit
msvcrt.dll 253 calloc
msvcrt.dll 271 free
msvcrt.dll 279 fwrite
msvcrt.dll 2aa memcpy
msvcrt.dll 2c2 signal
msvcrt.dll 2c5 sprintf
msvcrt.dll 2c8 sscanf
msvcrt.dll 2cd strcpy
msvcrt.dll 2da strtok
msvcrt.dll 2ec vfprintf
USER32.dll 93 DialogBoxParamA
USER32.dll b6 EndDialog
USER32.dll fd GetDlgItem
USER32.dll 19b LoadImageA
USER32.dll 1fc SendMessageA
=== Strings ===
File pos Mem pos ID Text
======== ======= == ====
00000000004D 00000040004D 0 !This program cannot be run in DOS mode.
000000000178 000000400178 0 .text
0000000001A0 0000004001A0 0 .data
0000000001C8 0000004001C8 0 .rdata
0000000001EE 0000004001EE 0 0@.eh_fram
000000000216 000000400216 0 0@.bss
000000000240 000000400240 0 .idata
0000000002B8 0000004002B8 0 .rsrc
000000002000 000000404000 0 libgcj-16.dll
00000000200E 00000040400E 0 _Jv_RegisterClasses
000000002024 000000404024 0 zyxwvutsrqponmlkjihgfedcba9876543210123456789abcdefghijklmnopqrstuvwxyz
00000000206E 00000040406E 0 %1[0-9]NDV=%8[0-9],
000000002082 000000404082 0 %1[0-9]VAL=%8[0-9]
000000002095 000000404095 0 %1[0-9]NDV=%8[0-9]
0000000020A8 0000004040A8 0 %1[0-9]ACT=%8[0-9]
0000000020BB 0000004040BB 0 %1[0-9]CUR=%3[A-Z]
0000000020CE 0000004040CE 0 No Library found!
0000000020E0 0000004040E0 0 %04d-%02d-%02d %02d:%02d
0000000020F9 0000004040F9 0 Open Session error!
00000000210D 00000040410D 0 Read Status error!
000000002120 000000404120 0 Close Session error!
00000000213C 00000040413C 0 Mingw runtime failure:
000000002154 000000404154 0 VirtualQuery failed for %d bytes at address %p
000000002188 000000404188 0 Unknown pseudo relocation protocol version %d.
0000000021BC 0000004041BC 0 Unknown pseudo relocation bit size %d.
0000000021E8 0000004041E8 0 GCC: (tdm-1) 5.1.0
0000000021FC 0000004041FC 0 GCC: (tdm-1) 5.1.0
000000002210 000000404210 0 GCC: (tdm-1) 5.1.0
000000002224 000000404224 0 GCC: (tdm-1) 5.1.0
000000002A2E 00000040722E 0 GetUserNameA
000000002A3E 00000040723E 0 InitCommonControls
000000002A54 000000407254 0 DeleteCriticalSection
000000002A6C 00000040726C 0 EnterCriticalSection
000000002A84 000000407284 0 ExitProcess
000000002A92 000000407292 0 FreeLibrary
000000002AA0 0000004072A0 0 GetCommandLineA
000000002AB2 0000004072B2 0 GetComputerNameA
000000002AC6 0000004072C6 0 GetLastError
000000002AD6 0000004072D6 0 GetLocalTime
000000002AE6 0000004072E6 0 GetModuleHandleA
000000002AFA 0000004072FA 0 GetProcAddress
000000002B0C 00000040730C 0 GetStartupInfoA
000000002B1E 00000040731E 0 InitializeCriticalSection
000000002B3A 00000040733A 0 LeaveCriticalSection
000000002B52 000000407352 0 LoadLibraryA
000000002B62 000000407362 0 SetUnhandledExceptionFilter
000000002B80 000000407380 0 TlsGetValue
000000002B8E 00000040738E 0 VirtualProtect
000000002BA0 0000004073A0 0 VirtualQuery
000000002BB0 0000004073B0 0 _strdup
000000002BBA 0000004073BA 0 __getmainargs
000000002BCA 0000004073CA 0 __p__environ
000000002BDA 0000004073DA 0 __p__fmode
000000002BE8 0000004073E8 0 __set_app_type
000000002BFA 0000004073FA 0 _cexit
000000002C0C 00000040740C 0 _onexit
000000002C16 000000407416 0 _setmode
000000002C22 000000407422 0 abort
000000002C2A 00000040742A 0 atexit
000000002C34 000000407434 0 calloc
File pos Mem pos ID Text
======== ======= == ====
000000002C46 000000407446 0 fwrite
000000002C50 000000407450 0 memcpy
000000002C5A 00000040745A 0 signal
000000002C64 000000407464 0 sprintf
000000002C6E 00000040746E 0 sscanf
000000002C78 000000407478 0 strcpy
000000002C82 000000407482 0 strtok
000000002C8C 00000040748C 0 vfprintf
000000002C98 000000407498 0 DialogBoxParamA
000000002CAA 0000004074AA 0 EndDialog
000000002CB6 0000004074B6 0 GetDlgItem
000000002CC4 0000004074C4 0 LoadImageA
000000002CD2 0000004074D2 0 SendMessageA
000000002CE4 0000004074E4 0 ADVAPI32.DLL
000000002CF8 0000004074F8 0 COMCTL32.DLL
000000002D50 000000407550 0 KERNEL32.dll
000000002D64 000000407564 0 msvcrt.dll
000000002DC0 0000004075C0 0 msvcrt.dll
000000002DE0 0000004075E0 0 USER32.dll
000000003821 00000040A621 0 nopqrstuvwxyz{
000000003832 00000040A632 0 abcdefghijklm
000000003841 00000040A641 0 RSTUVWXYZ[\]
000000003851 00000040A651 0 DEFGHIJKLMNOPQ
000000003861 00000040A661 0 6789:;<=>?@ABC
000000003871 00000040A671 0 ()*+,-./012345
000000003886 00000040A686 0 !"#$%&'
000000006858 00000040D658 0 KR}vRW
00000000B7A8 0000004125A8 0 >Gq=;A
00000000BB26 000000412926 0 ShowMeMoney
00000000BB40 000000412940 0 Ms Shell Dlg
00000000BB72 000000412972 0 CLOSE
00000000BB96 000000412996 0 RE-SCAN
00000000004D 00000040004D 0 !This program cannot be run in DOS mode.
000000000178 000000400178 0 .text
0000000001A0 0000004001A0 0 .data
0000000001C8 0000004001C8 0 .rdata
0000000001EE 0000004001EE 0 0@.eh_fram
000000000216 000000400216 0 0@.bss
000000000240 000000400240 0 .idata
0000000002B8 0000004002B8 0 .rsrc
000000002000 000000404000 0 libgcj-16.dll
00000000200E 00000040400E 0 _Jv_RegisterClasses
000000002024 000000404024 0 zyxwvutsrqponmlkjihgfedcba9876543210123456789abcdefghijklmnopqrstuvwxyz
00000000206E 00000040406E 0 %1[0-9]NDV=%8[0-9],
000000002082 000000404082 0 %1[0-9]VAL=%8[0-9]
000000002095 000000404095 0 %1[0-9]NDV=%8[0-9]
0000000020A8 0000004040A8 0 %1[0-9]ACT=%8[0-9]
0000000020BB 0000004040BB 0 %1[0-9]CUR=%3[A-Z]
0000000020CE 0000004040CE 0 No Library found!
0000000020E0 0000004040E0 0 %04d-%02d-%02d %02d:%02d
0000000020F9 0000004040F9 0 Open Session error!
00000000210D 00000040410D 0 Read Status error!
000000002120 000000404120 0 Close Session error!
00000000213C 00000040413C 0 Mingw runtime failure:
000000002154 000000404154 0 VirtualQuery failed for %d bytes at address %p
000000002188 000000404188 0 Unknown pseudo relocation protocol version %d.
0000000021BC 0000004041BC 0 Unknown pseudo relocation bit size %d.
0000000021E8 0000004041E8 0 GCC: (tdm-1) 5.1.0
0000000021FC 0000004041FC 0 GCC: (tdm-1) 5.1.0
000000002210 000000404210 0 GCC: (tdm-1) 5.1.0
File pos Mem pos ID Text
======== ======= == ====
000000002224 000000404224 0 GCC: (tdm-1) 5.1.0
000000002A2E 00000040722E 0 GetUserNameA
000000002A3E 00000040723E 0 InitCommonControls
000000002A54 000000407254 0 DeleteCriticalSection
000000002A6C 00000040726C 0 EnterCriticalSection
000000002A84 000000407284 0 ExitProcess
000000002A92 000000407292 0 FreeLibrary
000000002AA0 0000004072A0 0 GetCommandLineA
000000002AB2 0000004072B2 0 GetComputerNameA
000000002AC6 0000004072C6 0 GetLastError
000000002AD6 0000004072D6 0 GetLocalTime
000000002AE6 0000004072E6 0 GetModuleHandleA
000000002AFA 0000004072FA 0 GetProcAddress
000000002B0C 00000040730C 0 GetStartupInfoA
000000002B1E 00000040731E 0 InitializeCriticalSection
000000002B3A 00000040733A 0 LeaveCriticalSection
000000002B52 000000407352 0 LoadLibraryA
000000002B62 000000407362 0 SetUnhandledExceptionFilter
000000002B80 000000407380 0 TlsGetValue
000000002B8E 00000040738E 0 VirtualProtect
000000002BA0 0000004073A0 0 VirtualQuery
000000002BB0 0000004073B0 0 _strdup
000000002BBA 0000004073BA 0 __getmainargs
000000002BCA 0000004073CA 0 __p__environ
000000002BDA 0000004073DA 0 __p__fmode
000000002BE8 0000004073E8 0 __set_app_type
000000002BFA 0000004073FA 0 _cexit
000000002C0C 00000040740C 0 _onexit
000000002C16 000000407416 0 _setmode
000000002C22 000000407422 0 abort
000000002C2A 00000040742A 0 atexit
000000002C34 000000407434 0 calloc
000000002C46 000000407446 0 fwrite
000000002C50 000000407450 0 memcpy
000000002C5A 00000040745A 0 signal
000000002C64 000000407464 0 sprintf
000000002C6E 00000040746E 0 sscanf
000000002C78 000000407478 0 strcpy
000000002C82 000000407482 0 strtok
000000002C8C 00000040748C 0 vfprintf
000000002C98 000000407498 0 DialogBoxParamA
000000002CAA 0000004074AA 0 EndDialog
000000002CB6 0000004074B6 0 GetDlgItem
000000002CC4 0000004074C4 0 LoadImageA
000000002CD2 0000004074D2 0 SendMessageA
000000002CE4 0000004074E4 0 ADVAPI32.DLL
000000002CF8 0000004074F8 0 COMCTL32.DLL
000000002D50 000000407550 0 KERNEL32.dll
000000002D64 000000407564 0 msvcrt.dll
000000002DC0 0000004075C0 0 msvcrt.dll
000000002DE0 0000004075E0 0 USER32.dll
000000003821 00000040A621 0 nopqrstuvwxyz{
000000003832 00000040A632 0 abcdefghijklm
000000003841 00000040A641 0 RSTUVWXYZ[\]
000000003851 00000040A651 0 DEFGHIJKLMNOPQ
000000003861 00000040A661 0 6789:;<=>?@ABC
000000003871 00000040A671 0 ()*+,-./012345
000000003886 00000040A686 0 !"#$%&'
000000006858 00000040D658 0 KR}vRW
00000000B7A8 0000004125A8 0 >Gq=;A
File pos Mem pos ID Text
======== ======= == ====
00000000BB26 000000412926 0 ShowMeMoney
00000000BB40 000000412940 0 Ms Shell Dlg
00000000BB72 000000412972 0 CLOSE
00000000BB96 000000412996 0 RE-SCAN
=== DOWNLOAD ===
Mirror provided by vx-underground.org, thx!