ATM MALWARE NOTICE fc7fb41d47409efea69ed59c791b7d4144f92f6f3ed9834742db82dd779084e6 Date...........: 2020-02-21 Family.........: WinPot File name......: 555.exe File size......: 21.50 KB Type file......: EXE/Windows Virscan........: VT - HA Entropy: Binary Histogram: === SCREENSHOT === === PEDUMP REPORT ====== Strings ====== MZ Header === signature: "MZ" bytes_in_last_block: 144 0x90 blocks_in_file: 3 3 num_relocs: 0 0 header_paragraphs: 4 4 min_extra_paragraphs: 0 0 max_extra_paragraphs: 65535 0xffff ss: 0 0 sp: 184 0xb8 checksum: 0 0 ip: 0 0 cs: 0 0 reloc_table_offset: 64 0x40 overlay_number: 0 0 reserved0: 0 0 oem_id: 0 0 oem_info: 0 0 reserved2: 0 0 reserved3: 0 0 reserved4: 0 0 reserved5: 0 0 reserved6: 0 0 lfanew: 128 0x80 === DOS STUB === 00000000: 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 |........!..L.!Th| 00000010: 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f |is program canno| 00000020: 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 |t be run in DOS | 00000030: 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 |mode....$.......| === PE Header === signature: "PE\x00\x00" # IMAGE_FILE_HEADER: Machine: 332 0x14c x86 NumberOfSections: 9 9 TimeDateStamp: "2026-01-14 09:44:18" PointerToSymbolTable: 0 0 NumberOfSymbols: 0 0 SizeOfOptionalHeader: 224 0xe0 Characteristics: 783 0x30f RELOCS_STRIPPED, EXECUTABLE_IMAGE LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED 32BIT_MACHINE, DEBUG_STRIPPED # IMAGE_OPTIONAL_HEADER32: Magic: 267 0x10b 32-bit executable LinkerVersion: 2.24 SizeOfCode: 8192 0x2000 SizeOfInitializedData: 20992 0x5200 SizeOfUninitializedData: 1024 0x400 AddressOfEntryPoint: 4768 0x12a0 BaseOfCode: 4096 0x1000 BaseOfData: 12288 0x3000 ImageBase: 4194304 0x400000 SectionAlignment: 4096 0x1000 FileAlignment: 512 0x200 OperatingSystemVersion: 4.0 ImageVersion: 1.0 SubsystemVersion: 4.0 Reserved1: 0 0 SizeOfImage: 49152 0xc000 SizeOfHeaders: 1024 0x400 CheckSum: 80196 0x13944 Subsystem: 2 2 WINDOWS_GUI DllCharacteristics: 0 0 SizeOfStackReserve: 2097152 
0x200000 SizeOfStackCommit: 4096 0x1000 SizeOfHeapReserve: 1048576 0x100000 SizeOfHeapCommit: 4096 0x1000 LoaderFlags: 0 0 NumberOfRvaAndSizes: 16 0x10 === DATA DIRECTORY === EXPORT rva:0x 0 size:0x 0 IMPORT rva:0x 7000 size:0x 658 RESOURCE rva:0x a000 size:0x 1a24 EXCEPTION rva:0x 0 size:0x 0 SECURITY rva:0x 0 size:0x 0 BASERELOC rva:0x 0 size:0x 0 DEBUG rva:0x 0 size:0x 0 ARCHITECTURE rva:0x 0 size:0x 0 GLOBALPTR rva:0x 0 size:0x 0 TLS rva:0x 9004 size:0x 18 LOAD_CONFIG rva:0x 0 size:0x 0 Bound_IAT rva:0x 0 size:0x 0 IAT rva:0x 715c size:0x e4 Delay_IAT rva:0x 0 size:0x 0 CLR_Header rva:0x 0 size:0x 0 rva:0x 0 size:0x 0 === SECTIONS === NAME RVA VSZ RAW_SZ RAW_PTR nREL REL_PTR nLINE LINE_PTR FLAGS .text 1000 1e84 2000 400 0 0 0 0 60500060 R-X CODE IDATA .data 3000 30 200 2400 0 0 0 0 c0300040 RW- IDATA .rdata 4000 26c 400 2600 0 0 0 0 40300040 R-- IDATA .eh_fram 5000 3f8 400 2a00 0 0 0 0 40300040 R-- IDATA .bss 6000 3d8 0 0 0 0 0 0 c0600080 RW- UDATA .idata 7000 658 800 2e00 0 0 0 0 c0300040 RW- IDATA .CRT 8000 18 200 3600 0 0 0 0 c0300040 RW- IDATA .tls 9000 20 200 3800 0 0 0 0 c0300040 RW- IDATA .rsrc a000 1a24 1c00 3a00 0 0 0 0 c0300040 RW- IDATA === TLS === RAW_START RAW_END INDEX CALLBKS ZEROFILL FLAGS 409001 40901c 40638c 408004 0 0 === RESOURCES === FILE_OFFSET CP LANG SIZE TYPE NAME 0x3ae8 0 0 5672 ICON #1 0x5110 0 0 766 DIALOG #100 0x5410 0 0 20 GROUP_ICON #102 [?] 
can't find file_offset of VA 0x638c === IMPORTS === MODULE_NAME HINT ORD FUNCTION_NAME COMCTL32.DLL 5e InitCommonControls KERNEL32.dll 52 CloseHandle KERNEL32.dll b3 CreateThread KERNEL32.dll cf DeleteCriticalSection KERNEL32.dll ec EnterCriticalSection KERNEL32.dll 117 ExitProcess KERNEL32.dll 160 FreeLibrary KERNEL32.dll 184 GetCommandLineA KERNEL32.dll 1fe GetLastError KERNEL32.dll 211 GetModuleHandleA KERNEL32.dll 241 GetProcAddress KERNEL32.dll 25e GetStartupInfoA KERNEL32.dll 2de InitializeCriticalSection KERNEL32.dll 32e LeaveCriticalSection KERNEL32.dll 331 LoadLibraryA KERNEL32.dll 474 SetUnhandledExceptionFilter KERNEL32.dll 48f TerminateThread KERNEL32.dll 495 TlsGetValue KERNEL32.dll 4bd VirtualProtect KERNEL32.dll 4bf VirtualQuery KERNEL32.dll 4c7 WaitForSingleObject msvcrt.dll 2b _itoa msvcrt.dll 50 _strdup msvcrt.dll 37 __getmainargs msvcrt.dll 4d __p__environ msvcrt.dll 4f __p__fmode msvcrt.dll 63 __set_app_type msvcrt.dll 93 _cexit msvcrt.dll 10a _iob msvcrt.dll 17f _onexit msvcrt.dll 1aa _setmode msvcrt.dll 247 abort msvcrt.dll 24e atexit msvcrt.dll 250 atoi msvcrt.dll 253 calloc msvcrt.dll 271 free msvcrt.dll 279 fwrite msvcrt.dll 2aa memcpy msvcrt.dll 2c2 signal msvcrt.dll 2c5 sprintf msvcrt.dll 2c8 sscanf msvcrt.dll 2da strtok msvcrt.dll 2e3 time msvcrt.dll 2ec vfprintf USER32.dll 93 DialogBoxParamA USER32.dll b4 EnableWindow USER32.dll b6 EndDialog USER32.dll fd GetDlgItem USER32.dll 19b LoadImageA USER32.dll 1d4 PostQuitMessage USER32.dll 1fc SendMessageA USER32.dll 233 SetTimer === DOWNLOAD === Mirror provided by vx-underground.org, thx! === Strings === File pos Mem pos ID Text ======== ======= == ==== 00000000004D 00000040004D 0 !This program cannot be run in DOS mode. 
000000000178 000000400178 0 .text 0000000001A0 0000004001A0 0 .data 0000000001C8 0000004001C8 0 .rdata 0000000001EE 0000004001EE 0 0@.eh_fram 000000000216 000000400216 0 0@.bss 000000000240 000000400240 0 .idata 0000000002B8 0000004002B8 0 .rsrc 000000002600 000000404000 0 libgcj-16.dll 00000000260E 00000040400E 0 _Jv_RegisterClasses 000000002626 000000404026 0 %1[0-9]NDV=%8[0-9] 000000002639 000000404039 0 %1[0-9]VAL=%8[0-9] 00000000264C 00000040404C 0 %1[0-9]NDV=%8[0-9], 000000002660 000000404060 0 CngOpen error! 00000000266F 00000040406F 0 balanceThread error 000000002683 000000404083 0 %d cassettes found. 000000002697 000000404097 0 Thread error! 0000000026A5 0000004040A5 0 Thread open. 0000000026B2 0000004040B2 0 Thread dispense error! 0000000026C9 0000004040C9 0 Thread dispense open. 0000000026DF 0000004040DF 0 CscCngStatusRead error! 0000000026F7 0000004040F7 0 %d,%02d; 000000002700 000000404100 0 CngDispense error! 000000002716 000000404116 0 Cash Dispensed 000000002725 000000404125 0 CngTransport error! 000000002739 000000404139 0 Cash Transport 000000002748 000000404148 0 Success Cash Out 000000002759 000000404159 0 CngReset error! 000000002770 000000404170 0 Mingw runtime failure: 000000002788 000000404188 0 VirtualQuery failed for %d bytes at address %p 0000000027BC 0000004041BC 0 Unknown pseudo relocation protocol version %d. 0000000027F0 0000004041F0 0 Unknown pseudo relocation bit size %d. 
00000000281C 00000040421C 0 GCC: (tdm-1) 5.1.0 000000002830 000000404230 0 GCC: (tdm-1) 5.1.0 000000002844 000000404244 0 GCC: (tdm-1) 5.1.0 000000002858 000000404258 0 GCC: (tdm-1) 5.1.0 000000003042 000000407242 0 InitCommonControls 000000003058 000000407258 0 CloseHandle 000000003066 000000407266 0 CreateThread 000000003076 000000407276 0 DeleteCriticalSection 00000000308E 00000040728E 0 EnterCriticalSection 0000000030A6 0000004072A6 0 ExitProcess 0000000030B4 0000004072B4 0 FreeLibrary 0000000030C2 0000004072C2 0 GetCommandLineA 0000000030D4 0000004072D4 0 GetLastError 0000000030E4 0000004072E4 0 GetModuleHandleA 0000000030F8 0000004072F8 0 GetProcAddress 00000000310A 00000040730A 0 GetStartupInfoA 00000000311C 00000040731C 0 InitializeCriticalSection 000000003138 000000407338 0 LeaveCriticalSection 000000003150 000000407350 0 LoadLibraryA 000000003160 000000407360 0 SetUnhandledExceptionFilter 00000000317E 00000040737E 0 TerminateThread 000000003190 000000407390 0 TlsGetValue 00000000319E 00000040739E 0 VirtualProtect 0000000031B0 0000004073B0 0 VirtualQuery 0000000031C0 0000004073C0 0 WaitForSingleObject 0000000031D6 0000004073D6 0 _itoa 0000000031DE 0000004073DE 0 _strdup 0000000031E8 0000004073E8 0 __getmainargs File pos Mem pos ID Text ======== ======= == ==== 0000000031F8 0000004073F8 0 __p__environ 000000003208 000000407408 0 __p__fmode 000000003216 000000407416 0 __set_app_type 000000003228 000000407428 0 _cexit 00000000323A 00000040743A 0 _onexit 000000003244 000000407444 0 _setmode 000000003250 000000407450 0 abort 000000003258 000000407458 0 atexit 00000000326A 00000040746A 0 calloc 00000000327C 00000040747C 0 fwrite 000000003286 000000407486 0 memcpy 000000003290 000000407490 0 signal 00000000329A 00000040749A 0 sprintf 0000000032A4 0000004074A4 0 sscanf 0000000032AE 0000004074AE 0 strtok 0000000032C0 0000004074C0 0 vfprintf 0000000032CC 0000004074CC 0 DialogBoxParamA 0000000032DE 0000004074DE 0 EnableWindow 0000000032EE 0000004074EE 0 EndDialog 
0000000032FA 0000004074FA 0 GetDlgItem 000000003308 000000407508 0 LoadImageA 000000003316 000000407516 0 PostQuitMessage 000000003328 000000407528 0 SendMessageA 000000003338 000000407538 0 SetTimer 000000003348 000000407548 0 COMCTL32.DLL 0000000033A8 0000004075A8 0 KERNEL32.dll 0000000033C0 0000004075C0 0 msvcrt.dll 000000003420 000000407620 0 msvcrt.dll 00000000344C 00000040764C 0 USER32.dll 000000003F3D 00000040A53D 0 &&&&&&&&& 000000003FA5 00000040A5A5 0 QQQQQ 000000003FBB 00000040A5BB 0 &&&&&&&&& 000000003FDA 00000040A5DA 0 ?????????QQQQ 000000003FFA 00000040A5FA 0 QQQ????????? 000000004023 00000040A623 0 NNNNN:::::::::::::::::::::NNN 000000004059 00000040A659 0 [[[[[ 0000000041C1 00000040A7C1 0 ======= 000000004210 00000040A810 0 QQQ : 000000004250 00000040A850 0 QQ? : 000000004290 00000040A890 0 QQ? :\ 00000000469A 00000040AC9A 0 ]]]]]]]] 0000000046AC 00000040ACAC 0 ]]]]]]]]] 0000000046EB 00000040ACEB 0 LL_____ 0000000046F3 00000040ACF3 0 LLLLX 0000000046FC 00000040ACFC 0 VXXXLXXXXXXXV 00000000482B 00000040AE2B 0 ''''''''''''' 00000000485A 00000040AE5A 0 YYY::Y:NNNNddcccd 000000004A28 00000040B028 0 #N#ff 000000004BA0 00000040B1A0 0 N*++BBB* 000000004C15 00000040B215 0 iNi## 000000004CA2 00000040B2A2 0 :bgbf 000000004CB1 00000040B2B1 0 iAcfb 000000004CE6 00000040B2E6 0 & Q# 000000004D23 00000040B323 0 bAp88( 000000004D54 00000040B354 0 Ncdc:N 000000004E23 00000040B423 0 &&&&& 000000004E7F 00000040B47F 0 000000005126 00000040B726 0 7-7-7 [0x13] 000000005142 00000040B742 0 Ms Shell Dlg 00000000004D 00000040004D 0 !This program cannot be run in DOS mode. 
File pos Mem pos ID Text ======== ======= == ==== 000000000178 000000400178 0 .text 0000000001A0 0000004001A0 0 .data 0000000001C8 0000004001C8 0 .rdata 0000000001EE 0000004001EE 0 0@.eh_fram 000000000216 000000400216 0 0@.bss 000000000240 000000400240 0 .idata 0000000002B8 0000004002B8 0 .rsrc 000000002600 000000404000 0 libgcj-16.dll 00000000260E 00000040400E 0 _Jv_RegisterClasses 000000002626 000000404026 0 %1[0-9]NDV=%8[0-9] 000000002639 000000404039 0 %1[0-9]VAL=%8[0-9] 00000000264C 00000040404C 0 %1[0-9]NDV=%8[0-9], 000000002660 000000404060 0 CngOpen error! 00000000266F 00000040406F 0 balanceThread error 000000002683 000000404083 0 %d cassettes found. 000000002697 000000404097 0 Thread error! 0000000026A5 0000004040A5 0 Thread open. 0000000026B2 0000004040B2 0 Thread dispense error! 0000000026C9 0000004040C9 0 Thread dispense open. 0000000026DF 0000004040DF 0 CscCngStatusRead error! 0000000026F7 0000004040F7 0 %d,%02d; 000000002700 000000404100 0 CngDispense error! 000000002716 000000404116 0 Cash Dispensed 000000002725 000000404125 0 CngTransport error! 000000002739 000000404139 0 Cash Transport 000000002748 000000404148 0 Success Cash Out 000000002759 000000404159 0 CngReset error! 000000002770 000000404170 0 Mingw runtime failure: 000000002788 000000404188 0 VirtualQuery failed for %d bytes at address %p 0000000027BC 0000004041BC 0 Unknown pseudo relocation protocol version %d. 0000000027F0 0000004041F0 0 Unknown pseudo relocation bit size %d. 
00000000281C 00000040421C 0 GCC: (tdm-1) 5.1.0 000000002830 000000404230 0 GCC: (tdm-1) 5.1.0 000000002844 000000404244 0 GCC: (tdm-1) 5.1.0 000000002858 000000404258 0 GCC: (tdm-1) 5.1.0 000000003042 000000407242 0 InitCommonControls 000000003058 000000407258 0 CloseHandle 000000003066 000000407266 0 CreateThread 000000003076 000000407276 0 DeleteCriticalSection 00000000308E 00000040728E 0 EnterCriticalSection 0000000030A6 0000004072A6 0 ExitProcess 0000000030B4 0000004072B4 0 FreeLibrary 0000000030C2 0000004072C2 0 GetCommandLineA 0000000030D4 0000004072D4 0 GetLastError 0000000030E4 0000004072E4 0 GetModuleHandleA 0000000030F8 0000004072F8 0 GetProcAddress 00000000310A 00000040730A 0 GetStartupInfoA 00000000311C 00000040731C 0 InitializeCriticalSection 000000003138 000000407338 0 LeaveCriticalSection 000000003150 000000407350 0 LoadLibraryA 000000003160 000000407360 0 SetUnhandledExceptionFilter 00000000317E 00000040737E 0 TerminateThread 000000003190 000000407390 0 TlsGetValue 00000000319E 00000040739E 0 VirtualProtect 0000000031B0 0000004073B0 0 VirtualQuery 0000000031C0 0000004073C0 0 WaitForSingleObject 0000000031D6 0000004073D6 0 _itoa 0000000031DE 0000004073DE 0 _strdup 0000000031E8 0000004073E8 0 __getmainargs 0000000031F8 0000004073F8 0 __p__environ File pos Mem pos ID Text ======== ======= == ==== 000000003208 000000407408 0 __p__fmode 000000003216 000000407416 0 __set_app_type 000000003228 000000407428 0 _cexit 00000000323A 00000040743A 0 _onexit 000000003244 000000407444 0 _setmode 000000003250 000000407450 0 abort 000000003258 000000407458 0 atexit 00000000326A 00000040746A 0 calloc 00000000327C 00000040747C 0 fwrite 000000003286 000000407486 0 memcpy 000000003290 000000407490 0 signal 00000000329A 00000040749A 0 sprintf 0000000032A4 0000004074A4 0 sscanf 0000000032AE 0000004074AE 0 strtok 0000000032C0 0000004074C0 0 vfprintf 0000000032CC 0000004074CC 0 DialogBoxParamA 0000000032DE 0000004074DE 0 EnableWindow 0000000032EE 0000004074EE 0 EndDialog 
0000000032FA 0000004074FA 0 GetDlgItem 000000003308 000000407508 0 LoadImageA 000000003316 000000407516 0 PostQuitMessage 000000003328 000000407528 0 SendMessageA 000000003338 000000407538 0 SetTimer 000000003348 000000407548 0 COMCTL32.DLL 0000000033A8 0000004075A8 0 KERNEL32.dll 0000000033C0 0000004075C0 0 msvcrt.dll 000000003420 000000407620 0 msvcrt.dll 00000000344C 00000040764C 0 USER32.dll 000000003F3D 00000040A53D 0 &&&&&&&&& 000000003FA5 00000040A5A5 0 QQQQQ 000000003FBB 00000040A5BB 0 &&&&&&&&& 000000003FDA 00000040A5DA 0 ?????????QQQQ 000000003FFA 00000040A5FA 0 QQQ????????? 000000004023 00000040A623 0 NNNNN:::::::::::::::::::::NNN 000000004059 00000040A659 0 [[[[[ 0000000041C1 00000040A7C1 0 ======= 000000004210 00000040A810 0 QQQ : 000000004250 00000040A850 0 QQ? : 000000004290 00000040A890 0 QQ? :\ 00000000469A 00000040AC9A 0 ]]]]]]]] 0000000046AC 00000040ACAC 0 ]]]]]]]]] 0000000046EB 00000040ACEB 0 LL_____ 0000000046F3 00000040ACF3 0 LLLLX 0000000046FC 00000040ACFC 0 VXXXLXXXXXXXV 00000000482B 00000040AE2B 0 ''''''''''''' 00000000485A 00000040AE5A 0 YYY::Y:NNNNddcccd 000000004A28 00000040B028 0 #N#ff 000000004BA0 00000040B1A0 0 N*++BBB* 000000004C15 00000040B215 0 iNi## 000000004CA2 00000040B2A2 0 :bgbf 000000004CB1 00000040B2B1 0 iAcfb 000000004CE6 00000040B2E6 0 & Q# 000000004D23 00000040B323 0 bAp88( 000000004D54 00000040B354 0 Ncdc:N 000000004E23 00000040B423 0 &&&&& 000000004E7F 00000040B47F 0 000000005126 00000040B726 0 7-7-7 [0x13] 000000005142 00000040B742 0 Ms Shell Dlg