{"id":1516,"date":"2012-11-19T17:14:46","date_gmt":"2012-11-19T17:14:46","guid":{"rendered":"http:\/\/www.hexacorn.com\/blog\/?p=1516"},"modified":"2012-11-19T17:40:39","modified_gmt":"2012-11-19T17:40:39","slug":"top-100-malicious-types-of-32-bit-pe-files","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2012\/11\/19\/top-100-malicious-types-of-32-bit-pe-files\/","title":{"rendered":"Top 100+ malicious types of 32-bit PE files"},"content":{"rendered":"<p>Another round of stats &#8211; this time the top 100+ most &#8216;popular&#8217; PE\u00a0i386 file formats used by malware from over 1.2M samples.<\/p>\n<p>Legend:<\/p>\n<ul>\n<li>MZ PE i386 = PE 32 bit<\/li>\n<li>DLL = DLL \ud83d\ude42<\/li>\n<li>Corrupted or Tricky = for some reason the parser failed (usually due to PE file tricks)<\/li>\n<li>APPDATA xxxxxxxx = appended data, followed by its first 1-4 characters<\/li>\n<li>SIG = contains a directory entry pointing to a signature (often it&#8217;s random garbage though, not stolen certificates)<\/li>\n<li>DEB = contains debugging information<\/li>\n<li>COM = COM library<\/li>\n<li>.NET = .NET PE<\/li>\n<li>and lots of names related to various installers<\/li>\n<\/ul>\n<pre>\u00a0(44.17%)\u00a0\u00a0 \u00a0560067\u00a0\u00a0 \u00a0MZ PE i386\r\n\u00a0 (6.59%)\u00a0\u00a0 \u00a0 83554\u00a0\u00a0 \u00a0MZ PE i386 DLL\r\n\u00a0 (6.16%)\u00a0\u00a0 \u00a0 78149\u00a0\u00a0 \u00a0MZ PE i386 Corrupted Tricky\r\n\u00a0 (4.84%)\u00a0\u00a0 \u00a0 61379\u00a0\u00a0 \u00a0MZ PE i386 DEB\r\n\u00a0 (3.51%)\u00a0\u00a0 \u00a0 44529\u00a0\u00a0 \u00a0MZ PE i386 APPDATA 00000000\r\n\u00a0 (2.99%)\u00a0\u00a0 \u00a0 37871\u00a0\u00a0 \u00a0MZ PE i386 SIG\r\n\u00a0 (2.81%)\u00a0\u00a0 \u00a0 35644\u00a0\u00a0 \u00a0MZ PE i386 Tricky\r\n\u00a0 (2.01%)\u00a0\u00a0 \u00a0 25462\u00a0\u00a0 \u00a0MZ PE i386 DLL COM\r\n\u00a0 (1.30%)\u00a0\u00a0 \u00a0 16478\u00a0\u00a0 \u00a0MZ PE i386 NullSoft 2.46-1 SIG\r\n\u00a0 (1.28%)\u00a0\u00a0 \u00a0 16253\u00a0\u00a0 \u00a0MZ PE 
i386 DLL DEB\r\n\u00a0 (1.28%)\u00a0\u00a0 \u00a0 16220\u00a0\u00a0 \u00a0MZ PE i386 .NET\r\n\u00a0 (1.04%)\u00a0\u00a0 \u00a0 13128\u00a0\u00a0 \u00a0MZ PE i386 SYS\r\n\u00a0 (0.98%)\u00a0\u00a0 \u00a0 12459\u00a0\u00a0 \u00a0MZ PE i386 Tricky SIG\r\n\u00a0 (0.92%)\u00a0\u00a0 \u00a0 11614\u00a0\u00a0 \u00a0MZ PE i386 NullSoft Unknown\r\n\u00a0 (0.82%)\u00a0\u00a0 \u00a0 10393\u00a0\u00a0 \u00a0MZ PE i386 InnoSetup\r\n\u00a0 (0.78%)\u00a0\u00a0 \u00a0\u00a0 9831\u00a0\u00a0 \u00a0MZ PE i386\u00a0 AutoIt or AutoHotKey\r\n\u00a0 (0.77%)\u00a0\u00a0 \u00a0\u00a0 9709\u00a0\u00a0 \u00a0MZ PE i386 Corrupted Tricky DEB\r\n\u00a0 (0.65%)\u00a0\u00a0 \u00a0\u00a0 8273\u00a0\u00a0 \u00a0MZ PE i386 .NET APPDATA 00000000\r\n\u00a0 (0.65%)\u00a0\u00a0 \u00a0\u00a0 8217\u00a0\u00a0 \u00a0MZ PE i386 DEB SIG\r\n\u00a0 (0.64%)\u00a0\u00a0 \u00a0\u00a0 8166\u00a0\u00a0 \u00a0MZ PE i386 NullSoft 2.46\r\n\u00a0 (0.61%)\u00a0\u00a0 \u00a0\u00a0 7757\u00a0\u00a0 \u00a0MZ PE i386 DLL APPDATA 00000000\r\n\u00a0 (0.54%)\u00a0\u00a0 \u00a0\u00a0 6881\u00a0\u00a0 \u00a0MZ PE i386 .NET DEB\r\n\u00a0 (0.48%)\u00a0\u00a0 \u00a0\u00a0 6131\u00a0\u00a0 \u00a0MZ PE i386 Zip Sfx\r\n\u00a0 (0.48%)\u00a0\u00a0 \u00a0\u00a0 6054\u00a0\u00a0 \u00a0MZ PE i386 Tricky DEB\r\n\u00a0 (0.47%)\u00a0\u00a0 \u00a0\u00a0 5938\u00a0\u00a0 \u00a0MZ PE i386 Rar SFX\r\n\u00a0 (0.46%)\u00a0\u00a0 \u00a0\u00a0 5891\u00a0\u00a0 \u00a0MZ PE i386 NullSoft 2.45\r\n\u00a0 (0.46%)\u00a0\u00a0 \u00a0\u00a0 5836\u00a0\u00a0 \u00a0MZ PE i386 APPDATA B80E0000\r\n\u00a0 (0.44%)\u00a0\u00a0 \u00a0\u00a0 5631\u00a0\u00a0 \u00a0MZ PE i386 DLL Corrupted Tricky\r\n\u00a0 (0.42%)\u00a0\u00a0 \u00a0\u00a0 5318\u00a0\u00a0 \u00a0MZ PE i386 Appended MZ\r\n\u00a0 (0.42%)\u00a0\u00a0 \u00a0\u00a0 5312\u00a0\u00a0 \u00a0MZ PE i386 APPDATA 01000000\r\n\u00a0 (0.42%)\u00a0\u00a0 \u00a0\u00a0 5279\u00a0\u00a0 \u00a0MZ PE i386 InstallAware\r\n\u00a0 (0.41%)\u00a0\u00a0 \u00a0\u00a0 5232\u00a0\u00a0 \u00a0MZ PE i386 Tricky DEB SIG\r\n\u00a0 
(0.40%)\u00a0\u00a0 \u00a0\u00a0 5074\u00a0\u00a0 \u00a0MZ PE i386 NullSoft 2.27\r\n\u00a0 (0.37%)\u00a0\u00a0 \u00a0\u00a0 4733\u00a0\u00a0 \u00a0MZ PE i386 Trymedia\r\n\u00a0 (0.36%)\u00a0\u00a0 \u00a0\u00a0 4549\u00a0\u00a0 \u00a0MZ PE i386 APPDATA 00000000 DEB\r\n\u00a0 (0.36%)\u00a0\u00a0 \u00a0\u00a0 4546\u00a0\u00a0 \u00a0MZ PE i386 APPDATA 3C706172\r\n\u00a0 (0.34%)\u00a0\u00a0 \u00a0\u00a0 4336\u00a0\u00a0 \u00a0MZ PE i386 SYS DEB\r\n\u00a0 (0.33%)\u00a0\u00a0 \u00a0\u00a0 4161\u00a0\u00a0 \u00a0MZ PE i386 APPDATA A5B79A82\r\n\u00a0 (0.29%)\u00a0\u00a0 \u00a0\u00a0 3690\u00a0\u00a0 \u00a0MZ PE i386 NullSoft 2.46 SIG\r\n\u00a0 (0.23%)\u00a0\u00a0 \u00a0\u00a0 2973\u00a0\u00a0 \u00a0MZ PE i386 Trymedia SIG\r\n\u00a0 (0.23%)\u00a0\u00a0 \u00a0\u00a0 2925\u00a0\u00a0 \u00a0MZ PE i386 APPDATA 88110000\r\n\u00a0 (0.23%)\u00a0\u00a0 \u00a0\u00a0 2918\u00a0\u00a0 \u00a0MZ PE i386 .file\r\n\u00a0 (0.22%)\u00a0\u00a0 \u00a0\u00a0 2799\u00a0\u00a0 \u00a0MZ PE i386 Rar SFX DEB\r\n\u00a0 (0.22%)\u00a0\u00a0 \u00a0\u00a0 2728\u00a0\u00a0 \u00a0MZ PE i386 APPDATA B00E0000\r\n\u00a0 (0.19%)\u00a0\u00a0 \u00a0\u00a0 2440\u00a0\u00a0 \u00a0MZ PE i386 .NET Tricky\r\n\u00a0 (0.19%)\u00a0\u00a0 \u00a0\u00a0 2422\u00a0\u00a0 \u00a0MZ PE i386 DLL Tricky\r\n\u00a0 (0.19%)\u00a0\u00a0 \u00a0\u00a0 2405\u00a0\u00a0 \u00a0MZ PE i386 APPDATA 31353835\r\n\u00a0 (0.18%)\u00a0\u00a0 \u00a0\u00a0 2255\u00a0\u00a0 \u00a0MZ PE i386 DLL COM APPDATA 00000000\r\n\u00a0 (0.18%)\u00a0\u00a0 \u00a0\u00a0 2234\u00a0\u00a0 \u00a0MZ PE i386 APPDATA 56566245\r\n\u00a0 (0.17%)\u00a0\u00a0 \u00a0\u00a0 2206\u00a0\u00a0 \u00a0MZ PE i386 NullSoft 2.46-5 SIG\r\n\u00a0 (0.16%)\u00a0\u00a0 \u00a0\u00a0 2078\u00a0\u00a0 \u00a0MZ PE i386 APPDATA 08080000\r\n\u00a0 (0.16%)\u00a0\u00a0 \u00a0\u00a0 2036\u00a0\u00a0 \u00a0MZ PE i386 DLL COM DEB\r\n\u00a0 (0.16%)\u00a0\u00a0 \u00a0\u00a0 1990\u00a0\u00a0 \u00a0MZ PE i386 .NET DLL DEB\r\n\u00a0 (0.14%)\u00a0\u00a0 \u00a0\u00a0 1750\u00a0\u00a0 \u00a0MZ PE i386 
APPDATA 001F0023\r\n\u00a0 (0.14%)\u00a0\u00a0 \u00a0\u00a0 1750\u00a0\u00a0 \u00a0MZ PE i386 APPDATA 5B424547 SIG\r\n\u00a0 (0.13%)\u00a0\u00a0 \u00a0\u00a0 1706\u00a0\u00a0 \u00a0MZ PE i386 DLL SIG\r\n\u00a0 (0.13%)\u00a0\u00a0 \u00a0\u00a0 1678\u00a0\u00a0 \u00a0MZ PE i386 NullSoft 2.24\r\n\u00a0 (0.13%)\u00a0\u00a0 \u00a0\u00a0 1633\u00a0\u00a0 \u00a0MZ PE i386 NullSoft 2.44\r\n\u00a0 (0.13%)\u00a0\u00a0 \u00a0\u00a0 1597\u00a0\u00a0 \u00a0MZ PE i386 DLL APPDATA 928F8C89\r\n\u00a0 (0.13%)\u00a0\u00a0 \u00a0\u00a0 1585\u00a0\u00a0 \u00a0MZ PE i386 Wise\r\n\u00a0 (0.12%)\u00a0\u00a0 \u00a0\u00a0 1582\u00a0\u00a0 \u00a0MZ PE i386 DEB\r\n\u00a0 (0.12%)\u00a0\u00a0 \u00a0\u00a0 1576\u00a0\u00a0 \u00a0MZ PE i386 DLL APPDATA 861DC8F1\r\n\u00a0 (0.12%)\u00a0\u00a0 \u00a0\u00a0 1545\u00a0\u00a0 \u00a0MZ PE i386 APPDATA 73676567\r\n\u00a0 (0.12%)\u00a0\u00a0 \u00a0\u00a0 1537\u00a0\u00a0 \u00a0MZ PE i386 APPDATA 50415443\r\n\u00a0 (0.12%)\u00a0\u00a0 \u00a0\u00a0 1517\u00a0\u00a0 \u00a0MZ PE i386 APPDATA 5A425245\r\n\u00a0 (0.11%)\u00a0\u00a0 \u00a0\u00a0 1458\u00a0\u00a0 \u00a0MZ PE i386 APPDATA 60170000 DEB\r\n\u00a0 (0.11%)\u00a0\u00a0 \u00a0\u00a0 1417\u00a0\u00a0 \u00a0MZ PE i386 DLL Corrupted Tricky DEB\r\n\u00a0 (0.11%)\u00a0\u00a0 \u00a0\u00a0 1374\u00a0\u00a0 \u00a0MZ PE i386 APPDATA 68480000\r\n\u00a0 (0.11%)\u00a0\u00a0 \u00a0\u00a0 1367\u00a0\u00a0 \u00a0MZ PE i386 NullSoft 25-Apr-2011.cvs\r\n\u00a0 (0.11%)\u00a0\u00a0 \u00a0\u00a0 1359\u00a0\u00a0 \u00a0MZ PE i386 APPDATA 3C62696E\r\n\u00a0 (0.10%)\u00a0\u00a0 \u00a0\u00a0 1288\u00a0\u00a0 \u00a0MZ PE i386 APPDATA 88190000\r\n\u00a0 (0.10%)\u00a0\u00a0 \u00a0\u00a0 1272\u00a0\u00a0 \u00a0MZ PE i386 APPDATA 980E0000\r\n\u00a0 (0.10%)\u00a0\u00a0 \u00a0\u00a0 1219\u00a0\u00a0 \u00a0MZ PE i386 APPDATA 6BD6EB2C\r\n\u00a0 (0.10%)\u00a0\u00a0 \u00a0\u00a0 1213\u00a0\u00a0 \u00a0MZ PE i386 InnoSetup SIG\r\n\u00a0 (0.09%)\u00a0\u00a0 \u00a0\u00a0 1176\u00a0\u00a0 \u00a0MZ PE i386 InstallShield DEB\r\n\u00a0 
(0.09%)\u00a0\u00a0 \u00a0\u00a0 1174\u00a0\u00a0 \u00a0MZ PE i386 APPDATA 680C0000\r\n\u00a0 (0.09%)\u00a0\u00a0 \u00a0\u00a0 1159\u00a0\u00a0 \u00a0MZ PE i386 CAB SFX (shifted)\r\n\u00a0 (0.09%)\u00a0\u00a0 \u00a0\u00a0 1137\u00a0\u00a0 \u00a0MZ PE i386 SYS DLL DEB\r\n\u00a0 (0.09%)\u00a0\u00a0 \u00a0\u00a0 1122\u00a0\u00a0 \u00a0MZ PE i386 APPDATA 90909090\r\n\u00a0 (0.09%)\u00a0\u00a0 \u00a0\u00a0 1102\u00a0\u00a0 \u00a0MZ PE i386 APPDATA 00A80000 DEB\r\n\u00a0 (0.09%)\u00a0\u00a0 \u00a0\u00a0 1091\u00a0\u00a0 \u00a0MZ PE i386 APPDATA 05000000\r\n\u00a0 (0.09%)\u00a0\u00a0 \u00a0\u00a0 1087\u00a0\u00a0 \u00a0MZ PE i386 .NET DLL\r\n\u00a0 (0.09%)\u00a0\u00a0 \u00a0\u00a0 1082\u00a0\u00a0 \u00a0MZ PE i386 APPDATA 22A72792\r\n\u00a0 (0.08%)\u00a0\u00a0 \u00a0\u00a0 1048\u00a0\u00a0 \u00a0MZ PE i386 .NET Corrupted Tricky\r\n\u00a0 (0.08%)\u00a0\u00a0 \u00a0\u00a0 1043\u00a0\u00a0 \u00a0MZ PE i386 APPDATA C26402DF\r\n\u00a0 (0.08%)\u00a0\u00a0 \u00a0\u00a0\u00a0 990\u00a0\u00a0 \u00a0MZ PE i386 Rar SFX (shifted) DEB\r\n\u00a0 (0.07%)\u00a0\u00a0 \u00a0\u00a0\u00a0 947\u00a0\u00a0 \u00a0MZ PE i386 APPDATA 3C232440\r\n\u00a0 (0.07%)\u00a0\u00a0 \u00a0\u00a0\u00a0 903\u00a0\u00a0 \u00a0MZ PE i386 DLL COM Appended MZ\r\n\u00a0 (0.07%)\u00a0\u00a0 \u00a0\u00a0\u00a0 896\u00a0\u00a0 \u00a0MZ PE i386 NullSoft 2.14\r\n\u00a0 (0.07%)\u00a0\u00a0 \u00a0\u00a0\u00a0 892\u00a0\u00a0 \u00a0MZ PE i386 Rar SFX (shifted)\r\n\u00a0 (0.07%)\u00a0\u00a0 \u00a0\u00a0\u00a0 885\u00a0\u00a0 \u00a0MZ PE i386 APPDATA 0D0A0D0A\r\n\u00a0 (0.07%)\u00a0\u00a0 \u00a0\u00a0\u00a0 880\u00a0\u00a0 \u00a0MZ PE i386 SYS DLL\r\n\u00a0 (0.07%)\u00a0\u00a0 \u00a0\u00a0\u00a0 877\u00a0\u00a0 \u00a0MZ PE i386 NullSoft 01-Jun-2011.cvs SIG\r\n\u00a0 (0.07%)\u00a0\u00a0 \u00a0\u00a0\u00a0 874\u00a0\u00a0 \u00a0MZ PE i386 SmartInstallMaker v.5.02\r\n\u00a0 (0.06%)\u00a0\u00a0 \u00a0\u00a0\u00a0 808\u00a0\u00a0 \u00a0MZ PE i386 DLL COM SIG\r\n\u00a0 (0.06%)\u00a0\u00a0 \u00a0\u00a0\u00a0 807\u00a0\u00a0 
\u00a0MZ PE i386 NullSoft 2.37\r\n\u00a0 (0.06%)\u00a0\u00a0 \u00a0\u00a0\u00a0 802\u00a0\u00a0 \u00a0MZ PE i386 ADAEBOOK\r\n\u00a0 (0.06%)\u00a0\u00a0 \u00a0\u00a0\u00a0 789\u00a0\u00a0 \u00a0MZ PE i386 APPDATA 78766D00\r\n\u00a0 (0.06%)\u00a0\u00a0 \u00a0\u00a0\u00a0 764\u00a0\u00a0 \u00a0MZ PE i386 DLL COM\r\n\u00a0 (0.06%)\u00a0\u00a0 \u00a0\u00a0\u00a0 737\u00a0\u00a0 \u00a0MZ PE i386 Install Creator\r\n\u00a0 (0.06%)\u00a0\u00a0 \u00a0\u00a0\u00a0 719\u00a0\u00a0 \u00a0MZ PE i386 APPDATA 2A2A2A2A\r\n\u00a0 (0.06%)\u00a0\u00a0 \u00a0\u00a0\u00a0 715\u00a0\u00a0 \u00a0MZ PE i386 WebCompiler\r\n\u00a0 (0.06%)\u00a0\u00a0 \u00a0\u00a0\u00a0 707\u00a0 \u00a0 MZ PE i386 APPDATA 00\r\n\u00a0 (0.05%)\u00a0\u00a0 \u00a0\u00a0\u00a0 693\u00a0\u00a0 \u00a0MZ PE i386 APPDATA 08001700\r\n\u00a0 (0.05%)\u00a0\u00a0 \u00a0\u00a0\u00a0 669\u00a0\u00a0 \u00a0MZ PE i386 APPDATA 00000000 SIG\r\n\u00a0 (0.05%)\u00a0\u00a0 \u00a0\u00a0\u00a0 665\u00a0\u00a0 \u00a0MZ PE i386 NullSoft 2.24 SIG\r\n\u00a0 (0.05%)\u00a0\u00a0 \u00a0\u00a0\u00a0 656\u00a0\u00a0 \u00a0MZ PE i386 APPDATA 31353836\r\n\u00a0 (0.05%)\u00a0\u00a0 \u00a0\u00a0\u00a0 651\u00a0\u00a0 \u00a0MZ PE i386 DLL APPDATA 45474645 DEB\r\n\u00a0 (0.05%)\u00a0\u00a0 \u00a0\u00a0\u00a0 628\u00a0\u00a0 \u00a0MZ PE i386 DLL DEB SIG\r\n\u00a0 (0.05%)\u00a0\u00a0 \u00a0\u00a0\u00a0 622\u00a0\u00a0 \u00a0MZ PE i386 APPDATA 43434343\r\n\u00a0 (0.05%)\u00a0\u00a0 \u00a0\u00a0\u00a0 617\u00a0\u00a0 \u00a0MZ PE i386 APPDATA 34120000<\/pre>\n","protected":false},"excerpt":{"rendered":"<p>Another round of stats &#8211; this time the top 100+ most &#8216;popular&#8217; PE\u00a0i386 file formats used by malware from over 1.2M samples. 
Legend: MZ PE i386 = PE 32 bit DLL = DLL \ud83d\ude42 Corrupted or Tricky = for some &hellip; <a href=\"https:\/\/www.hexacorn.com\/blog\/2012\/11\/19\/top-100-malicious-types-of-32-bit-pe-files\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[28,9],"tags":[],"_links":{"self":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/1516"}],"collection":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/comments?post=1516"}],"version-history":[{"count":9,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/1516\/revisions"}],"predecessor-version":[{"id":1519,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/1516\/revisions\/1519"}],"wp:attachment":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/media?parent=1516"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/categories?post=1516"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/tags?post=1516"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}