ATM MALWARE NOTICE
a5d0cd1bc33f44d25695ebd6530757180f4fc4d87a1658ee2f0d8fc42d09fb80
Date...........: 2018-08-08
Family.........: WinPot
File name......: nine.exe
File size......: 33.30 KB
Type file......: EXE/Windows
Virscan........: VT - HA
Entropy:
Binary Histogram:
=== SCREENSHOT ===
=== PEDUMP REPORT ===
=== MZ Header ===
signature: "MZ"
bytes_in_last_block: 144 0x90
blocks_in_file: 3 3
num_relocs: 0 0
header_paragraphs: 4 4
min_extra_paragraphs: 0 0
max_extra_paragraphs: 65535 0xffff
ss: 0 0
sp: 184 0xb8
checksum: 0 0
ip: 0 0
cs: 0 0
reloc_table_offset: 64 0x40
overlay_number: 0 0
reserved0: 0 0
oem_id: 0 0
oem_info: 0 0
reserved2: 0 0
reserved3: 0 0
reserved4: 0 0
reserved5: 0 0
reserved6: 0 0
lfanew: 128 0x80
=== DOS STUB ===
00000000: 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 |........!..L.!Th|
00000010: 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f |is program canno|
00000020: 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 |t be run in DOS |
00000030: 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 |mode....$.......|
=== PE Header ===
signature: "PE\x00\x00"
# IMAGE_FILE_HEADER:
Machine: 332 0x14c x86
NumberOfSections: 9 9
TimeDateStamp: "2026-01-14 09:44:18" (later than the 2018-08-08 notice date above, so the link-time stamp is forged or otherwise meaningless; do not use it for timelining)
PointerToSymbolTable: 0 0
NumberOfSymbols: 0 0
SizeOfOptionalHeader: 224 0xe0
Characteristics: 783 0x30f RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
# IMAGE_OPTIONAL_HEADER32:
Magic: 267 0x10b 32-bit executable
LinkerVersion: 2.24
SizeOfCode: 8192 0x2000
SizeOfInitializedData: 20992 0x5200
SizeOfUninitializedData: 512 0x200
AddressOfEntryPoint: 4768 0x12a0
BaseOfCode: 4096 0x1000
BaseOfData: 12288 0x3000
ImageBase: 4194304 0x400000
SectionAlignment: 4096 0x1000
FileAlignment: 512 0x200
OperatingSystemVersion: 4.0
ImageVersion: 1.0
SubsystemVersion: 4.0
Reserved1: 0 0
SizeOfImage: 49152 0xc000
SizeOfHeaders: 1024 0x400
CheckSum: 83005 0x1443d
Subsystem: 2 2 WINDOWS_GUI
DllCharacteristics: 0 0
SizeOfStackReserve: 2097152 0x200000
SizeOfStackCommit: 4096 0x1000
SizeOfHeapReserve: 1048576 0x100000
SizeOfHeapCommit: 4096 0x1000
LoaderFlags: 0 0
NumberOfRvaAndSizes: 16 0x10
=== DATA DIRECTORY ===
EXPORT rva:0x0 size:0x0
IMPORT rva:0x7000 size:0x660
RESOURCE rva:0xa000 size:0x1a18
EXCEPTION rva:0x0 size:0x0
SECURITY rva:0x0 size:0x0
BASERELOC rva:0x0 size:0x0
DEBUG rva:0x0 size:0x0
ARCHITECTURE rva:0x0 size:0x0
GLOBALPTR rva:0x0 size:0x0
TLS rva:0x9004 size:0x18
LOAD_CONFIG rva:0x0 size:0x0
Bound_IAT rva:0x0 size:0x0
IAT rva:0x715c size:0xe4
Delay_IAT rva:0x0 size:0x0
CLR_Header rva:0x0 size:0x0
(reserved) rva:0x0 size:0x0
=== SECTIONS ===
NAME RVA VSZ RAW_SZ RAW_PTR nREL REL_PTR nLINE LINE_PTR FLAGS
.text 1000 1f14 2000 400 0 0 0 0 60500060 R-X CODE IDATA
.data 3000 28 200 2400 0 0 0 0 c0300040 RW- IDATA
.rdata 4000 27c 400 2600 0 0 0 0 40300040 R-- IDATA
.eh_fram 5000 3f8 400 2a00 0 0 0 0 40300040 R-- IDATA
.bss 6000 f8 0 0 0 0 0 0 c0600080 RW- UDATA
.idata 7000 660 800 2e00 0 0 0 0 c0300040 RW- IDATA
.CRT 8000 18 200 3600 0 0 0 0 c0300040 RW- IDATA
.tls 9000 20 200 3800 0 0 0 0 c0300040 RW- IDATA
.rsrc a000 1a18 1c00 3a00 0 0 0 0 c0300040 RW- IDATA
=== TLS ===
RAW_START RAW_END INDEX CALLBKS ZEROFILL FLAGS
409001 40901c 4060ac 408004 0 0
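The header fields pedump printed above (Machine, NumberOfSections, the link-time stamp, a DllCharacteristics of 0, RELOCS_STRIPPED, and the TLS directory with a callback table) are the ones a reviewer checks before anything is executed. The script below is an added example, not code from this notice or from the sample: it parses just those fields from a PE32 image and returns the triage notes. The header bytes it builds are constructed from the values in the report (nine.exe itself is not embedded), and the first-seen date it compares against is the 2018-08-08 notice date.

```python
# Added example, not code from this notice or from the sample: a minimal
# PE32 header triage covering the fields pedump reported above. The header
# bytes are CONSTRUCTED from the values in the report (nine.exe itself is
# not embedded); first_seen is the 2018-08-08 notice date.
import struct
from datetime import datetime, timezone

IMAGE_DIRECTORY_ENTRY_TLS = 9
IMAGE_FILE_RELOCS_STRIPPED = 0x0001
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100


def build_sample_header(timestamp=1768383858):
    """Construct a DOS header, PE signature, IMAGE_FILE_HEADER and the parts
    of IMAGE_OPTIONAL_HEADER32 that triage_pe() reads, from the report's
    values. 1768383858 is 2026-01-14 09:44:18 UTC, the stamp pedump printed."""
    buf = bytearray(0x200)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)              # e_lfanew
    pe = 0x80
    buf[pe:pe + 4] = b"PE\x00\x00"
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    struct.pack_into("<HHIIIHH", buf, pe + 4, 0x14C, 9, timestamp, 0, 0, 0xE0, 0x30F)
    opt = pe + 24
    struct.pack_into("<H", buf, opt, 0x10B)              # Magic: PE32
    struct.pack_into("<I", buf, opt + 16, 0x12A0)        # AddressOfEntryPoint
    struct.pack_into("<I", buf, opt + 28, 0x400000)      # ImageBase
    struct.pack_into("<HH", buf, opt + 68, 2, 0)         # Subsystem GUI, DllCharacteristics 0
    struct.pack_into("<I", buf, opt + 92, 16)            # NumberOfRvaAndSizes
    struct.pack_into("<II", buf, opt + 96 + 8 * IMAGE_DIRECTORY_ENTRY_TLS, 0x9004, 0x18)
    return bytes(buf)


def triage_pe(data, first_seen=datetime(2018, 8, 8, tzinfo=timezone.utc)):
    """Parse only what the triage questions need; raise ValueError for
    anything that is not a PE32 image."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    pe, = struct.unpack_from("<I", data, 0x3C)
    if data[pe:pe + 4] != b"PE\x00\x00":
        raise ValueError("no PE signature at e_lfanew")
    machine, nsect, ts, _, _, _, chars = struct.unpack_from("<HHIIIHH", data, pe + 4)
    opt = pe + 24
    magic, = struct.unpack_from("<H", data, opt)
    if magic != 0x10B:
        raise ValueError("not a PE32 image (magic 0x%x)" % magic)
    entry, = struct.unpack_from("<I", data, opt + 16)
    image_base, = struct.unpack_from("<I", data, opt + 28)
    subsystem, dllchars = struct.unpack_from("<HH", data, opt + 68)
    ndirs, = struct.unpack_from("<I", data, opt + 92)
    tls_rva = 0
    if ndirs > IMAGE_DIRECTORY_ENTRY_TLS:
        tls_rva, _ = struct.unpack_from("<II", data, opt + 96 + 8 * IMAGE_DIRECTORY_ENTRY_TLS)
    compiled = datetime.fromtimestamp(ts, tz=timezone.utc)

    notes = []
    if compiled > first_seen:
        notes.append("compile timestamp is later than first-seen date: forged or unreliable")
    if not dllchars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE:
        notes.append("no DYNAMIC_BASE: always mapped at 0x%x, no ASLR" % image_base)
    if chars & IMAGE_FILE_RELOCS_STRIPPED:
        notes.append("RELOCS_STRIPPED: could not be relocated even if ASLR were requested")
    if not dllchars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT:
        notes.append("no NX_COMPAT")
    if tls_rva:
        notes.append("TLS directory at RVA 0x%x: check its callbacks, they run before the entry point" % tls_rva)
    return {
        "machine": machine,
        "sections": nsect,
        "compiled_utc": compiled.strftime("%Y-%m-%d %H:%M:%S"),
        "entry_point": image_base + entry,
        "subsystem": subsystem,
        "tls_rva": tls_rva,
        "notes": notes,
    }


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_header()
    for k, v in triage_pe(data).items():
        print("%-13s %s" % (k, v))
```

Run it with a file path to triage a real sample, or with no arguments to run against the constructed header. The notes it emits for the report's values are the ones that matter here: the stamp post-dates first sighting, the image has neither ASLR nor DEP opted in (MinGW defaults of the era, not necessarily deliberate), and a TLS callback table exists at 0x408004 that should be read before trusting the entry point at 0x4012a0.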
=== RESOURCES ===
FILE_OFFSET CP LANG SIZE TYPE NAME
0x3ae8 0 0 5672 ICON #1
0x5110 0 0 754 DIALOG #100
0x5404 0 0 20 GROUP_ICON #102
[?] can't find file_offset of VA 0x60ac (the TLS index slot at 0x4060ac lies in .bss, which has no raw data, so pedump cannot map it to a file offset; expected for this layout, not a defect in the file)
=== IMPORTS ===
MODULE_NAME HINT ORD FUNCTION_NAME
COMCTL32.DLL 5e InitCommonControls
KERNEL32.dll 52 CloseHandle
KERNEL32.dll b3 CreateThread
KERNEL32.dll cf DeleteCriticalSection
KERNEL32.dll ec EnterCriticalSection
KERNEL32.dll 117 ExitProcess
KERNEL32.dll 160 FreeLibrary
KERNEL32.dll 184 GetCommandLineA
KERNEL32.dll 1fe GetLastError
KERNEL32.dll 1ff GetLocalTime
KERNEL32.dll 211 GetModuleHandleA
KERNEL32.dll 241 GetProcAddress
KERNEL32.dll 25e GetStartupInfoA
KERNEL32.dll 2de InitializeCriticalSection
KERNEL32.dll 32e LeaveCriticalSection
KERNEL32.dll 331 LoadLibraryA
KERNEL32.dll 474 SetUnhandledExceptionFilter
KERNEL32.dll 48f TerminateThread
KERNEL32.dll 495 TlsGetValue
KERNEL32.dll 4bd VirtualProtect
KERNEL32.dll 4bf VirtualQuery
KERNEL32.dll 4c7 WaitForSingleObject
msvcrt.dll 2b _itoa
msvcrt.dll 50 _strdup
msvcrt.dll 37 __getmainargs
msvcrt.dll 4d __p__environ
msvcrt.dll 4f __p__fmode
msvcrt.dll 63 __set_app_type
msvcrt.dll 93 _cexit
msvcrt.dll 10a _iob
msvcrt.dll 17f _onexit
msvcrt.dll 1aa _setmode
msvcrt.dll 247 abort
msvcrt.dll 24e atexit
msvcrt.dll 250 atoi
msvcrt.dll 253 calloc
msvcrt.dll 271 free
msvcrt.dll 279 fwrite
msvcrt.dll 2aa memcpy
msvcrt.dll 2c2 signal
msvcrt.dll 2c5 sprintf
msvcrt.dll 2c8 sscanf
msvcrt.dll 2da strtok
msvcrt.dll 2ec vfprintf
USER32.dll 93 DialogBoxParamA
USER32.dll b4 EnableWindow
USER32.dll b6 EndDialog
USER32.dll fd GetDlgItem
USER32.dll 19b LoadImageA
USER32.dll 1d4 PostQuitMessage
USER32.dll 1fc SendMessageA
USER32.dll 233 SetTimer
=== Strings ===
File pos Mem pos ID Text
======== ======= == ====
00000000004D 00000040004D 0 !This program cannot be run in DOS mode.
000000000178 000000400178 0 .text
0000000001A0 0000004001A0 0 .data
0000000001C8 0000004001C8 0 .rdata
0000000001EE 0000004001EE 0 0@.eh_fram
000000000216 000000400216 0 0@.bss
000000000240 000000400240 0 .idata
0000000002B8 0000004002B8 0 .rsrc
000000002408 000000403008 0 CSCCNG
000000002410 000000403010 0 CSCWCNG
000000002600 000000404000 0 libgcj-16.dll
00000000260E 00000040400E 0 _Jv_RegisterClasses
000000002626 000000404026 0 %1[0-9]NDV=%8[0-9],
00000000263A 00000040403A 0 %1[0-9]NDV=%8[0-9]
00000000264D 00000040404D 0 %1[0-9]VAL=%8[0-9]
000000002660 000000404060 0 CscCngOpen
00000000266B 00000040406B 0 CscCngStatusRead
00000000267C 00000040407C 0 CscCngClose
000000002688 000000404088 0 CscCngDispense
000000002697 000000404097 0 CscCngTransport
0000000026A7 0000004040A7 0 CscCngReset
0000000026B3 0000004040B3 0 Open error: 0x80
0000000026C4 0000004040C4 0 %d,%02d;
0000000026CD 0000004040CD 0 Getting %d note(s) from %d
0000000026E8 0000004040E8 0 Dispense error: 0x80
0000000026FD 0000004040FD 0 Transport
000000002707 000000404107 0 Transport error: 0x80
00000000271D 00000040411D 0 Transport to customer
000000002733 000000404133 0 Transport error: 0x8000
00000000274B 00000040414B 0 Dispence Success
00000000275F 00000040415F 0 Thread error!
00000000276D 00000040416D 0 Thread open.
000000002780 000000404180 0 Mingw runtime failure:
000000002798 000000404198 0 VirtualQuery failed for %d bytes at address %p
0000000027CC 0000004041CC 0 Unknown pseudo relocation protocol version %d.
000000002800 000000404200 0 Unknown pseudo relocation bit size %d.
00000000282C 00000040422C 0 GCC: (tdm-1) 5.1.0
000000002840 000000404240 0 GCC: (tdm-1) 5.1.0
000000002854 000000404254 0 GCC: (tdm-1) 5.1.0
000000002868 000000404268 0 GCC: (tdm-1) 5.1.0
000000003042 000000407242 0 InitCommonControls
000000003058 000000407258 0 CloseHandle
000000003066 000000407266 0 CreateThread
000000003076 000000407276 0 DeleteCriticalSection
00000000308E 00000040728E 0 EnterCriticalSection
0000000030A6 0000004072A6 0 ExitProcess
0000000030B4 0000004072B4 0 FreeLibrary
0000000030C2 0000004072C2 0 GetCommandLineA
0000000030D4 0000004072D4 0 GetLastError
0000000030E4 0000004072E4 0 GetLocalTime
0000000030F4 0000004072F4 0 GetModuleHandleA
000000003108 000000407308 0 GetProcAddress
00000000311A 00000040731A 0 GetStartupInfoA
00000000312C 00000040732C 0 InitializeCriticalSection
000000003148 000000407348 0 LeaveCriticalSection
000000003160 000000407360 0 LoadLibraryA
000000003170 000000407370 0 SetUnhandledExceptionFilter
00000000318E 00000040738E 0 TerminateThread
0000000031A0 0000004073A0 0 TlsGetValue
0000000031AE 0000004073AE 0 VirtualProtect
0000000031C0 0000004073C0 0 VirtualQuery
0000000031D0 0000004073D0 0 WaitForSingleObject
0000000031E6 0000004073E6 0 _itoa
0000000031EE 0000004073EE 0 _strdup
0000000031F8 0000004073F8 0 __getmainargs
000000003208 000000407408 0 __p__environ
000000003218 000000407418 0 __p__fmode
000000003226 000000407426 0 __set_app_type
000000003238 000000407438 0 _cexit
00000000324A 00000040744A 0 _onexit
000000003254 000000407454 0 _setmode
000000003260 000000407460 0 abort
000000003268 000000407468 0 atexit
00000000327A 00000040747A 0 calloc
00000000328C 00000040748C 0 fwrite
000000003296 000000407496 0 memcpy
0000000032A0 0000004074A0 0 signal
0000000032AA 0000004074AA 0 sprintf
0000000032B4 0000004074B4 0 sscanf
0000000032BE 0000004074BE 0 strtok
0000000032C8 0000004074C8 0 vfprintf
0000000032D4 0000004074D4 0 DialogBoxParamA
0000000032E6 0000004074E6 0 EnableWindow
0000000032F6 0000004074F6 0 EndDialog
000000003302 000000407502 0 GetDlgItem
000000003310 000000407510 0 LoadImageA
00000000331E 00000040751E 0 PostQuitMessage
000000003330 000000407530 0 SendMessageA
000000003340 000000407540 0 SetTimer
000000003350 000000407550 0 COMCTL32.DLL
0000000033B4 0000004075B4 0 KERNEL32.dll
0000000033CC 0000004075CC 0 msvcrt.dll
000000003428 000000407628 0 msvcrt.dll
000000003454 000000407654 0 USER32.dll
000000003F3D 00000040A53D 0 &&&&&&&&&
000000003FA5 00000040A5A5 0 QQQQQ
000000003FBB 00000040A5BB 0 &&&&&&&&&
000000003FDA 00000040A5DA 0 ?????????QQQQ
000000003FFA 00000040A5FA 0 QQQ?????????
000000004023 00000040A623 0 NNNNN:::::::::::::::::::::NNN
000000004059 00000040A659 0 [[[[[
0000000041C1 00000040A7C1 0 =======
000000004210 00000040A810 0 QQQ :
000000004250 00000040A850 0 QQ? :
000000004290 00000040A890 0 QQ? :\
00000000469A 00000040AC9A 0 ]]]]]]]]
0000000046AC 00000040ACAC 0 ]]]]]]]]]
0000000046EB 00000040ACEB 0 LL_____
0000000046F3 00000040ACF3 0 LLLLX
0000000046FC 00000040ACFC 0 VXXXLXXXXXXXV
00000000482B 00000040AE2B 0 '''''''''''''
00000000485A 00000040AE5A 0 YYY::Y:NNNNddcccd
000000004A28 00000040B028 0 #N#ff
000000004BA0 00000040B1A0 0 N*++BBB*
000000004C15 00000040B215 0 iNi##
000000004CA2 00000040B2A2 0 :bgbf
000000004CB1 00000040B2B1 0 iAcfb
000000004CE6 00000040B2E6 0 & Q#
000000004D23 00000040B323 0 bAp88(
000000004D54 00000040B354 0 Ncdc:N
000000004E23 00000040B423 0 &&&&&
000000004E7F 00000040B47F 0
000000005126 00000040B726 0 WinPot
000000005136 00000040B736 0 Ms Shell Dlg
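Everything that identifies this sample is in clear text: the vendor library names CSCCNG/CSCWCNG, the six CscCng* export names it resolves at run time (LoadLibraryA and GetProcAddress are imported, the library itself is not), the three sscanf() formats it reads the cassette status with, and the operator strings including the misspelt "Dispence Success". The script below is an added example, not code from this notice or from the sample. It does two things: a string-indicator scan that carries the conditions a YARA rule for this sample would express, using only strings listed above, and a re-implementation of the three sscanf() formats so the shape of the status text the binary expects is explicit. The byte buffers and the status line are constructed for the demonstration; the real text returned by CscCngStatusRead is not on this page and is an assumption.

```python
# Added example, not code from this notice or from the sample: (1) a
# string-indicator scan carrying the conditions a YARA rule for this sample
# would express, using only strings listed in the report above, and (2) a
# re-implementation of the binary's three sscanf() status formats, so the
# shape of the dispenser status it expects is explicit. The byte buffers and
# the status line are CONSTRUCTED; the real CscCngStatusRead output format
# is not on the page and is assumed here.
import re

# Indicators copied verbatim from the strings and imports above.
LIBRARY_NAMES = (b"CSCCNG", b"CSCWCNG")
CSCCNG_EXPORTS = (b"CscCngOpen", b"CscCngStatusRead", b"CscCngClose",
                  b"CscCngDispense", b"CscCngTransport", b"CscCngReset")
STATUS_FORMATS = (b"%1[0-9]NDV=%8[0-9],", b"%1[0-9]NDV=%8[0-9]", b"%1[0-9]VAL=%8[0-9]")
FLOW_STRINGS = (b"Getting %d note(s) from %d", b"Transport to customer",
                b"Dispence Success",   # the misspelling is part of the indicator
                b"WinPot")
DYNAMIC_IMPORTS = (b"LoadLibraryA", b"GetProcAddress")


def scan_winpot_indicators(data):
    """Return which indicator groups are present and whether the combined
    condition fires. The condition is deliberately not 'any string', since
    LoadLibraryA/GetProcAddress and a dialog title are not suspicious alone."""
    hits = {
        "library": [s for s in LIBRARY_NAMES if s in data],
        "exports": [s for s in CSCCNG_EXPORTS if s in data],
        "formats": [s for s in STATUS_FORMATS if s in data],
        "flow": [s for s in FLOW_STRINGS if s in data],
        "dynamic_import": all(s in data for s in DYNAMIC_IMPORTS),
    }
    hits["match"] = (bool(hits["library"]) and hits["dynamic_import"]
                     and len(hits["exports"]) >= 2 and bool(hits["flow"]))
    return hits


# The sscanf formats from .rdata as anchored regular expressions:
# %1[0-9] is exactly one digit, %8[0-9] is one to eight digits.
NDV_RE = re.compile(r"^(\d)NDV=(\d{1,8})")   # %1[0-9]NDV=%8[0-9]
VAL_RE = re.compile(r"^(\d)VAL=(\d{1,8})")   # %1[0-9]VAL=%8[0-9]


def parse_cassette_status(status):
    """Apply the formats to each comma-separated token, as a strtok()/sscanf()
    loop would (both are imported). Returns {cassette: {"ndv": n, "val": v}};
    tokens matching neither format are skipped, which is what sscanf does."""
    cassettes = {}
    for tok in status.split(","):
        for key, rx in (("ndv", NDV_RE), ("val", VAL_RE)):
            m = rx.match(tok)
            if m:
                cassettes.setdefault(int(m.group(1)), {})[key] = int(m.group(2))
    return cassettes


# Constructed test data: a buffer with the indicators embedded in padding, a
# buffer that only shares the generic strings, and a status line in the shape
# the formats imply (not a real device reply).
SAMPLE_BUFFER = b"\x00" * 64 + b"\x00".join(
    LIBRARY_NAMES + CSCCNG_EXPORTS + STATUS_FORMATS + FLOW_STRINGS + DYNAMIC_IMPORTS) + b"\x00" * 64
BENIGN_BUFFER = b"\x00".join((b"LoadLibraryA", b"GetProcAddress", b"WinPot", b"Ms Shell Dlg"))
CONSTRUCTED_STATUS = ("1NDV=00000010,1VAL=00000100,2NDV=00000005,2VAL=00000050,"
                      "4NDV=00000000,4VAL=00000010,junk")


if __name__ == "__main__":
    print(scan_winpot_indicators(SAMPLE_BUFFER))
    print(scan_winpot_indicators(BENIGN_BUFFER)["match"])
    print(parse_cassette_status(CONSTRUCTED_STATUS))
```

The match condition requires the vendor library name, run-time import resolution, at least two CscCng* export names and one operator string together, so a legitimate MinGW GUI program that happens to call LoadLibraryA and use "WinPot" as a window title does not fire. Because none of these strings are obfuscated in this build, the same conditions port directly to a YARA rule; the one thing to keep verbatim is "Dispence Success", since the misspelling is what separates this sample from vendor diagnostic tools that print the correct word.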
=== DOWNLOAD ===
Mirror provided by vx-underground.org, thx!