  • ehshell.exe Binary Code Analysis - File Md5: 2f1c7e5e50060f4862521d95f0c9fd49
    File hash (MD5): 2f1c7e5e50060f4862521d95f0c9fd49. The file is a 32-bit PE32 executable of about 181 KB (the section table below ends at file offset 0x18800 + 0x14E00 = 0x2D600, i.e. 185,856 bytes). This page walks through the file's binary layout, that is, its Portable Executable (PE) headers, section table and import table. It is written for people who do security work on Windows binaries; basic familiarity with the PE format is assumed. MD5 is used here only as a label for the sample: when matching it against reputation services or a known-good copy of ehshell.exe, record the SHA-256 as well, since MD5 collisions are cheap to construct.


    File Binary Code Analysis:

    File layout (file offsets taken from the headers and section table below):
    0x00000  DOS Header (IMAGE_DOS_HEADER, 64 bytes)
    0x00040  DOS Stub
    0x000E0  NT Headers (PE signature, File Header, Optional Header, Data Directory)
    0x001D8  Section table (4 entries of 40 bytes)
    0x00400  .text  SECTION #1
    0x02E00  .data  SECTION #2
    0x03000  .rsrc  SECTION #3
    0x18800  .reloc SECTION #4
    DOS Header (IMAGE_DOS_HEADER)
    Type   Name        Value       Memo
    WORD   e_magic     0x5A4D      "MZ" signature
    WORD   e_cblp      0x0090      Bytes on last page of file
    WORD   e_cp        0x0003      Pages in file
    WORD   e_crlc      0x0000      Relocations
    WORD   e_cparhdr   0x0004      Size of header in paragraphs
    WORD   e_minalloc  0x0000      Minimum extra paragraphs needed
    WORD   e_maxalloc  0xFFFF      Maximum extra paragraphs needed
    WORD   e_ss        0x0000      Initial (relative) SS value
    WORD   e_sp        0x00B8      Initial SP value
    WORD   e_csum      0x0000      Checksum
    WORD   e_ip        0x0000      Initial IP value
    WORD   e_cs        0x0000      Initial (relative) CS value
    WORD   e_lfarlc    0x0040      File address of relocation table
    WORD   e_ovno      0x0000      Overlay number
    WORD   e_res[4]    [0..3] = 0x0000       Reserved words
    WORD   e_oemid     0x0000      OEM identifier (for e_oeminfo)
    WORD   e_oeminfo   0x0000      OEM information; e_oemid specific
    WORD   e_res2[10]  [0..9] = 0x0000       Reserved words
    LONG   e_lfanew    0x000000E0  File offset of the PE signature (start of the NT headers)

    Everything before e_lfanew is the default DOS stub written by the Microsoft linker (the "This program cannot be run in DOS mode" stub); these values are identical across linker-built files and carry no information about the program. The only field the Windows loader uses is e_lfanew, which is a 32-bit LONG, not a WORD.
    NT HEADER - NT File Signature
    Type   Name       Value       Memo
    DWORD  Signature  0x00004550  "PE\0\0"

    NT HEADER - FILE HEADER (IMAGE_FILE_HEADER)
    Type   Name                  Value       Memo
    WORD   Machine               0x014C      IMAGE_FILE_MACHINE_I386: 32-bit x86
    WORD   NumberOfSections      0x0004      Four section headers follow the optional header
    DWORD  TimeDateStamp         0x43AAC3BF  Link time as seconds since 1970-01-01 UTC: 2005-12-22 15:18:23 UTC
    DWORD  PointerToSymbolTable  0x00000000  No COFF symbol table
    DWORD  NumberOfSymbols       0x00000000  No COFF symbols
    WORD   SizeOfOptionalHeader  0x00E0      224 bytes: the PE32 optional header including 16 data directory entries
    WORD   Characteristics       0x0102      IMAGE_FILE_EXECUTABLE_IMAGE (0x0002) | IMAGE_FILE_32BIT_MACHINE (0x0100); IMAGE_FILE_DLL (0x2000) is clear, so this is an EXE, and IMAGE_FILE_RELOCS_STRIPPED (0x0001) is clear, so the file claims to carry base relocations

    TimeDateStamp is written by the linker and is trivially editable, so treat it as a hint, not a build date. Here the 2005 stamp is inconsistent with the linker version (9.0) and subsystem version (6.1, Windows 7) recorded in the optional header below.
    NT HEADER - OPTIONAL HEADER (IMAGE_OPTIONAL_HEADER32)
    Type   Name                         Value       Memo
    WORD   Magic                        0x010B      PE32 (0x020B would be PE32+)
    BYTE   MajorLinkerVersion           0x09        Linker 9.0
    BYTE   MinorLinkerVersion           0x00
    DWORD  SizeOfCode                   0x00002A00  Equals the SizeOfRawData of .text
    DWORD  SizeOfInitializedData        0x00015E00  Equals .data (0x200) + .rsrc (0x15800) + 0x400; the .reloc section present in the file has 0x14E00 raw bytes, so the sections no longer add up to this value
    DWORD  SizeOfUninitializedData      0x00000000  No .bss
    DWORD  AddressOfEntryPoint          0x0002FBA1  RVA 0x2FBA1 lies in the .reloc section (RVA 0x1B000 to 0x30200), not in .text (RVA 0x1000 to 0x3A00)
    DWORD  BaseOfCode                   0x00001000  Start of .text
    DWORD  BaseOfData                   0x00004000  Start of .data
    DWORD  ImageBase                    0x00400000  Preferred load address
    DWORD  SectionAlignment             0x00001000  Sections are mapped on 4 KiB boundaries in memory
    DWORD  FileAlignment                0x00000200  Section data is stored on 512-byte boundaries on disk
    WORD   MajorOperatingSystemVersion  0x0006      6.1 = Windows 7
    WORD   MinorOperatingSystemVersion  0x0001
    WORD   MajorImageVersion            0x0006      6.1
    WORD   MinorImageVersion            0x0001
    WORD   MajorSubsystemVersion        0x0006      6.1: the loader refuses the image on Windows older than 6.1
    WORD   MinorSubsystemVersion        0x0001
    DWORD  Win32VersionValue            0x00000000  Reserved, must be 0
    DWORD  SizeOfImage                  0x00031000  End of .reloc (0x1B000 + 0x15200 = 0x30200) rounded up to SectionAlignment
    DWORD  SizeOfHeaders                0x00000400  Headers end at file offset 0x278, rounded up to FileAlignment
    DWORD  CheckSum                     0x00000000  Not set; Microsoft-shipped executables normally carry a valid PE checksum
    WORD   Subsystem                    0x0002      IMAGE_SUBSYSTEM_WINDOWS_GUI
    WORD   DllCharacteristics           0x8000      IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE only; DYNAMIC_BASE (0x0040, ASLR) and NX_COMPAT (0x0100, DEP) are not set
    DWORD  SizeOfStackReserve           0x00040000  256 KiB
    DWORD  SizeOfStackCommit            0x00002000  8 KiB
    DWORD  SizeOfHeapReserve            0x00100000  1 MiB
    DWORD  SizeOfHeapCommit             0x00001000  4 KiB
    DWORD  LoaderFlags                  0x00000000  Reserved, must be 0
    DWORD  NumberOfRvaAndSizes          0x00000010  16 data directory entries follow
    NT HEADER - OPTIONAL HEADER - Data Directory (IMAGE_DATA_DIRECTORY[16]; indices are the 0-based IMAGE_DIRECTORY_ENTRY_* values)
    Index  Name           VirtualAddress  Size        Memo
    0      EXPORT         0x00000000      0x00000000  No export table (an EXE)
    1      IMPORT         0x00003058      0x000000A0  In .text; 0xA0 = 8 import descriptors of 20 bytes = 7 DLLs plus the null terminator
    2      RESOURCE       0x00005000      0x00015668  Covers the whole of .rsrc (VirtualSize 0x15668)
    3      EXCEPTION      0x00000000      0x00000000  Not used on x86
    4      SECURITY       0x00000000      0x00000000  No embedded Authenticode signature (a catalog signature is still possible)
    5      BASERELOC      0x00000000      0x00000000  Empty, although a 0x15200-byte section named .reloc exists
    6      DEBUG          0x000037D0      0x00000038  In .text; 0x38 = two IMAGE_DEBUG_DIRECTORY entries of 28 bytes
    7      ARCHITECTURE   0x00000000      0x00000000  Reserved
    8      GLOBALPTR      0x00000000      0x00000000  Not used on x86
    9      TLS            0x00000000      0x00000000  No TLS directory, so no TLS callbacks run before the entry point
    10     LOAD_CONFIG    0x00002CB0      0x00000040  In .text; 0x40 is the VS 2008-era IMAGE_LOAD_CONFIG_DIRECTORY32, which ends with the SafeSEH handler table fields
    11     BOUND_IMPORT   0x00000278      0x000000A8  In the header, immediately after the section table (which ends at 0x278)
    12     IAT            0x00001000      0x00000148  Import Address Table at the start of .text; 0x148 / 4 = 82 slots, i.e. 75 imported functions plus one terminator per DLL
    13     DELAY_IMPORT   0x00000000      0x00000000  No delay-loaded imports
    14     COM_DESCRIPTOR 0x00000000      0x00000000  No CLR header: this is native code that hosts the CLR through mscoree, not a managed image
    15     (reserved)     0x00000000      0x00000000

    The directory entries that are set (import, resource, debug, load config, bound import, IAT) all point into the headers, .text or .rsrc, as a linker would lay them out. Nothing points into .reloc.
    Section table (IMAGE_SECTION_HEADER x 4)
    Field                 SECTION #1   SECTION #2   SECTION #3   SECTION #4
    Name                  .text        .data        .rsrc        .reloc
    VirtualSize           0x00002830   0x000003FC   0x00015668   0x00015200
    VirtualAddress        0x00001000   0x00004000   0x00005000   0x0001B000
    SizeOfRawData         0x00002A00   0x00000200   0x00015800   0x00014E00
    PointerToRawData      0x00000400   0x00002E00   0x00003000   0x00018800
    PointerToRelocations  0x00000000   0x00000000   0x00000000   0x00000000
    PointerToLinenumbers  0x00000000   0x00000000   0x00000000   0x00000000
    NumberOfRelocations   0x0000       0x0000       0x0000       0x0000
    NumberOfLinenumbers   0x0000       0x0000       0x0000       0x0000
    Characteristics       0x60000020   0xC0000040   0x40000040   0xE0000060

    Section Characteristics decoded:
    .text   0x60000020 = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ (normal for code)
    .data   0xC0000040 = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE (normal for data)
    .rsrc   0x40000040 = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ (normal for resources)
    .reloc  0xE0000060 = IMAGE_SCN_CNT_CODE | IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE (readable, writable and executable)

    Notes on the section table:
    - The sections are contiguous on disk (.text 0x400 to 0x2E00, .data 0x2E00 to 0x3000, .rsrc 0x3000 to 0x18800, .reloc 0x18800 to 0x2D600). The file therefore ends at 0x2D600 = 185,856 bytes, which matches the reported size of 181 KB, so there is no overlay appended after the last section.
    - AddressOfEntryPoint (0x2FBA1) falls inside .reloc (mapped RVA range 0x1B000 to 0x30200), not inside .text. A linker-built .reloc section contains only base-relocation fixup blocks, is marked 0x42000040 (initialized data, discardable, read-only), and is referenced by data directory 5; here the section is 0x15200 bytes, marked as code and RWX, and data directory 5 is empty.
    - SizeOfInitializedData (0x15E00) equals .data + .rsrc + 0x400, which is what the linker would have recorded for an original .reloc of 0x400 raw bytes. The .reloc present now has 0x14E00 raw bytes.
    - DllCharacteristics lacks DYNAMIC_BASE and NX_COMPAT and CheckSum is 0, although the linker version (9.0) and subsystem version (6.1) are those of a Windows 7-era Microsoft build.
    Taken together, this is the layout of an executable whose last section has been enlarged, made executable and given the entry point. That is the pattern left by file-infecting malware and also by some packers; the headers alone cannot say which, and they say nothing about what the code at 0x2FBA1 does. Before drawing a conclusion, compare the file with a known-good ehshell.exe of the same version from a clean installation, and check whether Windows still accepts it as catalog-signed (for example with Get-AuthenticodeSignature in PowerShell); a modified system binary fails that check.
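The header walk above can be automated. The following is an added example, not code from this page's author: a dependency-free PE32 parser built on the struct module, plus the section-table checks a reviewer applies (entry point outside the code range or in the last section, a writable-and-executable section, a .reloc section with an empty base-relocation directory, missing ASLR/DEP flags, and file length versus the end of the last section). The image it parses is constructed inline: its headers reproduce the values reported on this page for ehshell.exe, while the section bodies are zero padding, so it is not the real file. The `audit` tags and the expected-size rule (file ends where the last section's raw data ends) are my own conventions.

```python
"""PE32 header parser and section-table audit (added example; the image is CONSTRUCTED,
its headers carry the values this page reports, its section bodies are zero padding)."""
import struct
from datetime import datetime, timezone

SCN_CODE, SCN_EXEC, SCN_WRITE = 0x20, 0x20000000, 0x80000000     # IMAGE_SCN_* flags
DLL_DYNAMIC_BASE, DLL_NX_COMPAT = 0x40, 0x100                    # IMAGE_DLLCHARACTERISTICS_*
DIR_BASERELOC = 5                                                # IMAGE_DIRECTORY_ENTRY_BASERELOC
OPT_FMT = "<HBBIIIIIIIIIHHHHHHIIIIHHIIIIII"                       # IMAGE_OPTIONAL_HEADER32, 96 bytes
OPT_FIELDS = ("Magic MajorLinkerVersion MinorLinkerVersion SizeOfCode SizeOfInitializedData "
              "SizeOfUninitializedData AddressOfEntryPoint BaseOfCode BaseOfData ImageBase "
              "SectionAlignment FileAlignment MajorOSVersion MinorOSVersion MajorImageVersion "
              "MinorImageVersion MajorSubsystemVersion MinorSubsystemVersion Win32VersionValue "
              "SizeOfImage SizeOfHeaders CheckSum Subsystem DllCharacteristics SizeOfStackReserve "
              "SizeOfStackCommit SizeOfHeapReserve SizeOfHeapCommit LoaderFlags NumberOfRvaAndSizes").split()
SEC_FMT = "<8sIIIIIIHHI"                                          # IMAGE_SECTION_HEADER, 40 bytes

def build_sample() -> bytes:
    """Constructed image: the header values from this page, bodies zero-filled to 0x2D600 bytes."""
    opt = struct.pack(OPT_FMT, 0x10B, 9, 0, 0x2A00, 0x15E00, 0, 0x2FBA1, 0x1000, 0x4000,
                      0x400000, 0x1000, 0x200, 6, 1, 6, 1, 6, 1, 0, 0x31000, 0x400, 0,
                      2, 0x8000, 0x40000, 0x2000, 0x100000, 0x1000, 0, 16)
    dirs = [(0, 0)] * 16                       # (VirtualAddress, Size), 0-based index
    dirs[1], dirs[2], dirs[6] = (0x3058, 0xA0), (0x5000, 0x15668), (0x37D0, 0x38)
    dirs[10], dirs[11], dirs[12] = (0x2CB0, 0x40), (0x278, 0xA8), (0x1000, 0x148)
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    secs = [(b".text", 0x2830, 0x1000, 0x2A00, 0x400, 0x60000020),
            (b".data", 0x3FC, 0x4000, 0x200, 0x2E00, 0xC0000040),
            (b".rsrc", 0x15668, 0x5000, 0x15800, 0x3000, 0x40000040),
            (b".reloc", 0x15200, 0x1B000, 0x14E00, 0x18800, 0xE0000060)]
    table = b"".join(struct.pack(SEC_FMT, n, vs, va, rs, rp, 0, 0, 0, 0, ch)
                     for n, vs, va, rs, rp, ch in secs)
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0xE0)            # e_lfanew = 0xE0
    nt = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 4, 0x43AAC3BF, 0, 0, 0xE0, 0x102)
    hdr = dos + bytes(0xE0 - len(dos)) + nt + opt + table
    return hdr + bytes(0x18800 + 0x14E00 - len(hdr))               # pad to end of .reloc raw data

def parse(data: bytes) -> dict:
    """Walk DOS header -> NT headers -> data directories -> section table (PE32 only)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    machine, nsec, stamp, _, _, opt_size, fchars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt_off = e_lfanew + 24
    opt = dict(zip(OPT_FIELDS, struct.unpack_from(OPT_FMT, data, opt_off)))
    if opt["Magic"] != 0x10B:
        raise ValueError("only PE32 is handled here")
    ndirs = min(opt["NumberOfRvaAndSizes"], 16)
    dirs = [struct.unpack_from("<II", data, opt_off + 96 + 8 * i) for i in range(ndirs)]
    secs = []
    for i in range(nsec):                      # section table follows the optional header
        n, vs, va, rs, rp, _, _, _, _, ch = struct.unpack_from(SEC_FMT, data, opt_off + opt_size + 40 * i)
        secs.append({"name": n.rstrip(b"\0").decode(), "vsize": vs, "va": va,
                     "rawsize": rs, "rawptr": rp, "chars": ch})
    return {"machine": machine, "stamp": stamp, "file_chars": fchars, "opt": opt,
            "dirs": dirs, "sections": secs}

def section_of_rva(pe: dict, rva: int):
    """Section whose mapped range covers rva; the loader maps max(VirtualSize, SizeOfRawData)."""
    for s in pe["sections"]:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
            return s
    return None

def audit(pe: dict, file_len: int) -> list:
    """Heuristic checks; returns (tag, detail) pairs, empty when nothing looks off."""
    opt, secs, out = pe["opt"], pe["sections"], []
    ep = opt["AddressOfEntryPoint"]
    s = section_of_rva(pe, ep)
    if s is None:
        out.append(("ep-unmapped", hex(ep)))
    else:
        if not opt["BaseOfCode"] <= ep < opt["BaseOfCode"] + opt["SizeOfCode"]:
            out.append(("ep-outside-code", f"{ep:#x} in {s['name']}"))
        if len(secs) > 1 and s is secs[-1]:
            out.append(("ep-in-last-section", s["name"]))
    for s in secs:                             # W+X in one section is never linker output
        if s["chars"] & SCN_WRITE and s["chars"] & SCN_EXEC:
            out.append(("rwx-section", s["name"]))
    reloc_dir = pe["dirs"][DIR_BASERELOC] if len(pe["dirs"]) > DIR_BASERELOC else (0, 0)
    if reloc_dir == (0, 0) and any(s["name"] == ".reloc" and s["vsize"] for s in secs):
        out.append(("reloc-section-without-reloc-directory", ".reloc"))
    for flag, tag in ((DLL_DYNAMIC_BASE, "no-aslr"), (DLL_NX_COMPAT, "no-nx")):
        if not opt["DllCharacteristics"] & flag:
            out.append((tag, hex(opt["DllCharacteristics"])))
    last = max(secs, key=lambda s: s["rawptr"])
    end = last["rawptr"] + last["rawsize"]    # anything beyond this is overlay
    if file_len != end:
        out.append(("overlay-or-truncated", f"file {file_len:#x}, sections end {end:#x}"))
    return out

def link_time(pe: dict) -> str:
    """TimeDateStamp decoded as UTC; it is writable metadata, not evidence."""
    return datetime.fromtimestamp(pe["stamp"], tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")

if __name__ == "__main__":
    sample = build_sample()
    pe = parse(sample)
    print("link time:", link_time(pe))
    for tag, detail in audit(pe, len(sample)):
        print(f"[{tag}] {detail}")
```

Run against the constructed image this reports ep-outside-code, ep-in-last-section, rwx-section (.reloc), reloc-section-without-reloc-directory, no-aslr and no-nx, and no overlay; on a real file replace `build_sample()` with `open(path, "rb").read()`. The checks are heuristics: a packed but benign binary trips several of them too, so they pick out files to look at, they do not classify them.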

  • Imported modules and functions (import directory at RVA 0x3058, IAT at RVA 0x1000):
    An import table by itself rarely identifies malware; it only shows what the program was linked against. Here it is the footprint of a small native launcher: C runtime start-up (msvcrt.dll), COM initialisation (ole32.dll), one CLR hosting call (mscoree!CorBindToCurrentRuntime, which loads the managed part of the Media Center shell), construction of a security descriptor from SIDs and ACEs (ADVAPI32.dll), and path handling (GetModuleFileNameW, PathRemoveFileSpecW, SetCurrentDirectoryW, LoadLibraryW). The 75 functions across 7 DLLs, plus one null terminator per DLL, account exactly for the 82 IAT slots (0x148 bytes) recorded in data directory 12, so the import table is intact. The imported DLLs are ordinary system libraries; their presence says nothing about this file's intent. Keep in mind that code reached through the entry point in .reloc does not have to go through this table at all: GetProcAddress is imported, and anything resolved with it at run time leaves no trace here.

    Import File - KERNEL32.dll
  • QueryPerformanceCounter
  • GetModuleHandleA
  • SetUnhandledExceptionFilter
  • GetTickCount
  • InterlockedCompareExchange
  • Sleep
  • InterlockedExchange
  • GetCurrentThreadId
  • GetCurrentProcessId
  • GetSystemTimeAsFileTime
  • TerminateProcess
  • GetCurrentProcess
  • UnhandledExceptionFilter
  • GetProcAddress
  • EncodeSystemPointer
  • CloseHandle
  • RaiseException
  • GetModuleFileNameW
  • SetCurrentDirectoryW
  • LoadLibraryW
  • FreeLibrary
  • GetLastError
  • GetStartupInfoW

    Import File - msvcrt.dll (C++ decorated names are given with their undecorated meaning)
  • _controlfp
  • _except_handler4_common
  • ?terminate@@YAXXZ (terminate)
  • _onexit
  • _lock
  • __dllonexit
  • ??_U@YAPAXI@Z (operator new[])
  • __set_app_type
  • __p__fmode
  • __p__commode
  • __setusermatherr
  • _amsg_exit
  • _initterm
  • _wcmdln
  • exit
  • _XcptFilter
  • _exit
  • _cexit
  • __wgetmainargs
  • ??3@YAXPAX@Z (operator delete)
  • _unlock
  • memset
  • free
  • ??2@YAPAXI@Z (operator new)
  • malloc
  • ??_V@YAXPAX@Z (operator delete[])

    Import File - ole32.dll
  • CoUninitialize
  • CoInitializeEx
  • CoInitializeSecurity
  • CoCreateInstance

    Import File - OLEAUT32.dll (imported by ordinal, so no function names are stored in the file; these ordinals are OLEAUT32's well-known BSTR exports)
  • Ordinal 6 (SysFreeString)
  • Ordinal 2 (SysAllocString)

    Import File - SHLWAPI.dll
  • PathRemoveFileSpecW

    Import File - mscoree.dll
  • CorBindToCurrentRuntime

    Import File - ADVAPI32.dll
  • SetSecurityDescriptorOwner
  • InitializeAcl
  • AddAccessAllowedAce
  • GetAce
  • AddAce
  • LookupAccountNameW
  • GetTokenInformation
  • SetSecurityDescriptorGroup
  • IsValidSid
  • GetLengthSid
  • CopySid
  • InitializeSecurityDescriptor
  • GetSecurityDescriptorDacl
  • GetAclInformation
  • CreateWellKnownSid
  • LookupAccountSidW
  • OpenProcessToken
  • SetSecurityDescriptorDacl

  • These are my analysis results for this malicious file. If you have any questions, or a problem you cannot resolve, you can leave a message or email me.


    Other captured malicious files:
    ehprivjob.exe - File Md5: 79d52f5b139b23ed9d3fa93df6d0ec04
    ehrecvr.exe - File Md5: 9d7753f850bd1e7866e6428ccc14c265
    ehsched.exe - File Md5: 1ac85ab660bae1ea6f900d4f922af6ee
    ehtray.exe - File Md5: 8eacd0ab525e353879bbe0775622540a
    loadmxf.exe - File Md5: 80e5c65ca172a2ee2412e1eb13b3183f
    ehvid.exe - File Md5: 5811ba923425f2887f64c519852a751d
    foxitconnectedpdfservice.exe - File Md5: 091f701a17b08912385bc3927403ea82
    msvcr100.dll - File Md5: 02df7a3a6d1e8999abfcdc141430655e
    idman.exe - File Md5: 077f685aea5a3ed2c6972744c9a4d554