ATM MALWARE NOTICE
fc7fb41d47409efea69ed59c791b7d4144f92f6f3ed9834742db82dd779084e6
Date...........: 2020-02-21
Family.........: WinPot
File name......: 555.exe
File size......: 21.50 KB
Type file......: EXE/Windows
Virscan........: VT - HA
Entropy:
Binary Histogram:
=== SCREENSHOT ===
=== PEDUMP REPORT ===
=== MZ Header ===
signature: "MZ"
bytes_in_last_block: 144 0x90
blocks_in_file: 3 3
num_relocs: 0 0
header_paragraphs: 4 4
min_extra_paragraphs: 0 0
max_extra_paragraphs: 65535 0xffff
ss: 0 0
sp: 184 0xb8
checksum: 0 0
ip: 0 0
cs: 0 0
reloc_table_offset: 64 0x40
overlay_number: 0 0
reserved0: 0 0
oem_id: 0 0
oem_info: 0 0
reserved2: 0 0
reserved3: 0 0
reserved4: 0 0
reserved5: 0 0
reserved6: 0 0
lfanew: 128 0x80
=== DOS STUB ===
00000000: 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 |........!..L.!Th|
00000010: 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f |is program canno|
00000020: 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 |t be run in DOS |
00000030: 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 |mode....$.......|
=== PE Header ===
signature: "PE\x00\x00"
# IMAGE_FILE_HEADER:
Machine: 332 0x14c x86
NumberOfSections: 9 9
TimeDateStamp: "2026-01-14 09:44:18"
PointerToSymbolTable: 0 0
NumberOfSymbols: 0 0
SizeOfOptionalHeader: 224 0xe0
Characteristics: 783 0x30f RELOCS_STRIPPED, EXECUTABLE_IMAGE
LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED
32BIT_MACHINE, DEBUG_STRIPPED
# IMAGE_OPTIONAL_HEADER32:
Magic: 267 0x10b 32-bit executable
LinkerVersion: 2.24
SizeOfCode: 8192 0x2000
SizeOfInitializedData: 20992 0x5200
SizeOfUninitializedData: 1024 0x400
AddressOfEntryPoint: 4768 0x12a0
BaseOfCode: 4096 0x1000
BaseOfData: 12288 0x3000
ImageBase: 4194304 0x400000
SectionAlignment: 4096 0x1000
FileAlignment: 512 0x200
OperatingSystemVersion: 4.0
ImageVersion: 1.0
SubsystemVersion: 4.0
Reserved1: 0 0
SizeOfImage: 49152 0xc000
SizeOfHeaders: 1024 0x400
CheckSum: 80196 0x13944
Subsystem: 2 2 WINDOWS_GUI
DllCharacteristics: 0 0
SizeOfStackReserve: 2097152 0x200000
SizeOfStackCommit: 4096 0x1000
SizeOfHeapReserve: 1048576 0x100000
SizeOfHeapCommit: 4096 0x1000
LoaderFlags: 0 0
NumberOfRvaAndSizes: 16 0x10
=== DATA DIRECTORY ===
EXPORT rva:0x 0 size:0x 0
IMPORT rva:0x 7000 size:0x 658
RESOURCE rva:0x a000 size:0x 1a24
EXCEPTION rva:0x 0 size:0x 0
SECURITY rva:0x 0 size:0x 0
BASERELOC rva:0x 0 size:0x 0
DEBUG rva:0x 0 size:0x 0
ARCHITECTURE rva:0x 0 size:0x 0
GLOBALPTR rva:0x 0 size:0x 0
TLS rva:0x 9004 size:0x 18
LOAD_CONFIG rva:0x 0 size:0x 0
Bound_IAT rva:0x 0 size:0x 0
IAT rva:0x 715c size:0x e4
Delay_IAT rva:0x 0 size:0x 0
CLR_Header rva:0x 0 size:0x 0
rva:0x 0 size:0x 0
=== SECTIONS ===
NAME RVA VSZ RAW_SZ RAW_PTR nREL REL_PTR nLINE LINE_PTR FLAGS
.text 1000 1e84 2000 400 0 0 0 0 60500060 R-X CODE IDATA
.data 3000 30 200 2400 0 0 0 0 c0300040 RW- IDATA
.rdata 4000 26c 400 2600 0 0 0 0 40300040 R-- IDATA
.eh_fram 5000 3f8 400 2a00 0 0 0 0 40300040 R-- IDATA
.bss 6000 3d8 0 0 0 0 0 0 c0600080 RW- UDATA
.idata 7000 658 800 2e00 0 0 0 0 c0300040 RW- IDATA
.CRT 8000 18 200 3600 0 0 0 0 c0300040 RW- IDATA
.tls 9000 20 200 3800 0 0 0 0 c0300040 RW- IDATA
.rsrc a000 1a24 1c00 3a00 0 0 0 0 c0300040 RW- IDATA
=== TLS ===
RAW_START RAW_END INDEX CALLBKS ZEROFILL FLAGS
409001 40901c 40638c 408004 0 0
=== RESOURCES ===
FILE_OFFSET CP LANG SIZE TYPE NAME
0x3ae8 0 0 5672 ICON #1
0x5110 0 0 766 DIALOG #100
0x5410 0 0 20 GROUP_ICON #102
[?] can't find file_offset of VA 0x638c
=== IMPORTS ===
MODULE_NAME HINT ORD FUNCTION_NAME
COMCTL32.DLL 5e InitCommonControls
KERNEL32.dll 52 CloseHandle
KERNEL32.dll b3 CreateThread
KERNEL32.dll cf DeleteCriticalSection
KERNEL32.dll ec EnterCriticalSection
KERNEL32.dll 117 ExitProcess
KERNEL32.dll 160 FreeLibrary
KERNEL32.dll 184 GetCommandLineA
KERNEL32.dll 1fe GetLastError
KERNEL32.dll 211 GetModuleHandleA
KERNEL32.dll 241 GetProcAddress
KERNEL32.dll 25e GetStartupInfoA
KERNEL32.dll 2de InitializeCriticalSection
KERNEL32.dll 32e LeaveCriticalSection
KERNEL32.dll 331 LoadLibraryA
KERNEL32.dll 474 SetUnhandledExceptionFilter
KERNEL32.dll 48f TerminateThread
KERNEL32.dll 495 TlsGetValue
KERNEL32.dll 4bd VirtualProtect
KERNEL32.dll 4bf VirtualQuery
KERNEL32.dll 4c7 WaitForSingleObject
msvcrt.dll 2b _itoa
msvcrt.dll 50 _strdup
msvcrt.dll 37 __getmainargs
msvcrt.dll 4d __p__environ
msvcrt.dll 4f __p__fmode
msvcrt.dll 63 __set_app_type
msvcrt.dll 93 _cexit
msvcrt.dll 10a _iob
msvcrt.dll 17f _onexit
msvcrt.dll 1aa _setmode
msvcrt.dll 247 abort
msvcrt.dll 24e atexit
msvcrt.dll 250 atoi
msvcrt.dll 253 calloc
msvcrt.dll 271 free
msvcrt.dll 279 fwrite
msvcrt.dll 2aa memcpy
msvcrt.dll 2c2 signal
msvcrt.dll 2c5 sprintf
msvcrt.dll 2c8 sscanf
msvcrt.dll 2da strtok
msvcrt.dll 2e3 time
msvcrt.dll 2ec vfprintf
USER32.dll 93 DialogBoxParamA
USER32.dll b4 EnableWindow
USER32.dll b6 EndDialog
USER32.dll fd GetDlgItem
USER32.dll 19b LoadImageA
USER32.dll 1d4 PostQuitMessage
USER32.dll 1fc SendMessageA
USER32.dll 233 SetTimer
=== Strings ===
File pos Mem pos ID Text
======== ======= == ====
00000000004D 00000040004D 0 !This program cannot be run in DOS mode.
000000000178 000000400178 0 .text
0000000001A0 0000004001A0 0 .data
0000000001C8 0000004001C8 0 .rdata
0000000001EE 0000004001EE 0 0@.eh_fram
000000000216 000000400216 0 0@.bss
000000000240 000000400240 0 .idata
0000000002B8 0000004002B8 0 .rsrc
000000002600 000000404000 0 libgcj-16.dll
00000000260E 00000040400E 0 _Jv_RegisterClasses
000000002626 000000404026 0 %1[0-9]NDV=%8[0-9]
000000002639 000000404039 0 %1[0-9]VAL=%8[0-9]
00000000264C 00000040404C 0 %1[0-9]NDV=%8[0-9],
000000002660 000000404060 0 CngOpen error!
00000000266F 00000040406F 0 balanceThread error
000000002683 000000404083 0 %d cassettes found.
000000002697 000000404097 0 Thread error!
0000000026A5 0000004040A5 0 Thread open.
0000000026B2 0000004040B2 0 Thread dispense error!
0000000026C9 0000004040C9 0 Thread dispense open.
0000000026DF 0000004040DF 0 CscCngStatusRead error!
0000000026F7 0000004040F7 0 %d,%02d;
000000002700 000000404100 0 CngDispense error!
000000002716 000000404116 0 Cash Dispensed
000000002725 000000404125 0 CngTransport error!
000000002739 000000404139 0 Cash Transport
000000002748 000000404148 0 Success Cash Out
000000002759 000000404159 0 CngReset error!
000000002770 000000404170 0 Mingw runtime failure:
000000002788 000000404188 0 VirtualQuery failed for %d bytes at address %p
0000000027BC 0000004041BC 0 Unknown pseudo relocation protocol version %d.
0000000027F0 0000004041F0 0 Unknown pseudo relocation bit size %d.
00000000281C 00000040421C 0 GCC: (tdm-1) 5.1.0
000000002830 000000404230 0 GCC: (tdm-1) 5.1.0
000000002844 000000404244 0 GCC: (tdm-1) 5.1.0
000000002858 000000404258 0 GCC: (tdm-1) 5.1.0
000000003042 000000407242 0 InitCommonControls
000000003058 000000407258 0 CloseHandle
000000003066 000000407266 0 CreateThread
000000003076 000000407276 0 DeleteCriticalSection
00000000308E 00000040728E 0 EnterCriticalSection
0000000030A6 0000004072A6 0 ExitProcess
0000000030B4 0000004072B4 0 FreeLibrary
0000000030C2 0000004072C2 0 GetCommandLineA
0000000030D4 0000004072D4 0 GetLastError
0000000030E4 0000004072E4 0 GetModuleHandleA
0000000030F8 0000004072F8 0 GetProcAddress
00000000310A 00000040730A 0 GetStartupInfoA
00000000311C 00000040731C 0 InitializeCriticalSection
000000003138 000000407338 0 LeaveCriticalSection
000000003150 000000407350 0 LoadLibraryA
000000003160 000000407360 0 SetUnhandledExceptionFilter
00000000317E 00000040737E 0 TerminateThread
000000003190 000000407390 0 TlsGetValue
00000000319E 00000040739E 0 VirtualProtect
0000000031B0 0000004073B0 0 VirtualQuery
0000000031C0 0000004073C0 0 WaitForSingleObject
0000000031D6 0000004073D6 0 _itoa
0000000031DE 0000004073DE 0 _strdup
0000000031E8 0000004073E8 0 __getmainargs
0000000031F8 0000004073F8 0 __p__environ
000000003208 000000407408 0 __p__fmode
000000003216 000000407416 0 __set_app_type
000000003228 000000407428 0 _cexit
00000000323A 00000040743A 0 _onexit
000000003244 000000407444 0 _setmode
000000003250 000000407450 0 abort
000000003258 000000407458 0 atexit
00000000326A 00000040746A 0 calloc
00000000327C 00000040747C 0 fwrite
000000003286 000000407486 0 memcpy
000000003290 000000407490 0 signal
00000000329A 00000040749A 0 sprintf
0000000032A4 0000004074A4 0 sscanf
0000000032AE 0000004074AE 0 strtok
0000000032C0 0000004074C0 0 vfprintf
0000000032CC 0000004074CC 0 DialogBoxParamA
0000000032DE 0000004074DE 0 EnableWindow
0000000032EE 0000004074EE 0 EndDialog
0000000032FA 0000004074FA 0 GetDlgItem
000000003308 000000407508 0 LoadImageA
000000003316 000000407516 0 PostQuitMessage
000000003328 000000407528 0 SendMessageA
000000003338 000000407538 0 SetTimer
000000003348 000000407548 0 COMCTL32.DLL
0000000033A8 0000004075A8 0 KERNEL32.dll
0000000033C0 0000004075C0 0 msvcrt.dll
000000003420 000000407620 0 msvcrt.dll
00000000344C 00000040764C 0 USER32.dll
000000003F3D 00000040A53D 0 &&&&&&&&&
000000003FA5 00000040A5A5 0 QQQQQ
000000003FBB 00000040A5BB 0 &&&&&&&&&
000000003FDA 00000040A5DA 0 ?????????QQQQ
000000003FFA 00000040A5FA 0 QQQ?????????
000000004023 00000040A623 0 NNNNN:::::::::::::::::::::NNN
000000004059 00000040A659 0 [[[[[
0000000041C1 00000040A7C1 0 =======
000000004210 00000040A810 0 QQQ :
000000004250 00000040A850 0 QQ? :
000000004290 00000040A890 0 QQ? :\
00000000469A 00000040AC9A 0 ]]]]]]]]
0000000046AC 00000040ACAC 0 ]]]]]]]]]
0000000046EB 00000040ACEB 0 LL_____
0000000046F3 00000040ACF3 0 LLLLX
0000000046FC 00000040ACFC 0 VXXXLXXXXXXXV
00000000482B 00000040AE2B 0 '''''''''''''
00000000485A 00000040AE5A 0 YYY::Y:NNNNddcccd
000000004A28 00000040B028 0 #N#ff
000000004BA0 00000040B1A0 0 N*++BBB*
000000004C15 00000040B215 0 iNi##
000000004CA2 00000040B2A2 0 :bgbf
000000004CB1 00000040B2B1 0 iAcfb
000000004CE6 00000040B2E6 0 & Q#
000000004D23 00000040B323 0 bAp88(
000000004D54 00000040B354 0 Ncdc:N
000000004E23 00000040B423 0 &&&&&
000000004E7F 00000040B47F 0
000000005126 00000040B726 0 7-7-7 [0x13]
000000005142 00000040B742 0 Ms Shell Dlg
=== DOWNLOAD ===
Mirror provided by vx-underground.org, thx!