0b2673ddf85e093f2c5394b77d3bee7e

Summary

Architecture IMAGE_FILE_MACHINE_I386
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date 2018-Jan-28 01:40:45
Detected languages Danish - Denmark
InternalName nowuz.exe

Plugin Output

Info Matching compiler(s): Microsoft Visual C++ 6.0 - 8.0
Malicious The file headers were tampered with.
Unusual section name found: .mysec2
Unusual section name found: .version
Unusual section name found: .mysec1
Unusual section name found: .mysec3
Unusual section name found: .version
The RICH header checksum is invalid.
Info The PE contains common functions which appear in legitimate applications.
[!] The program may be hiding some of its imports:
  • GetProcAddress
  • LoadLibraryA
  • LoadLibraryW
Possibly launches other programs:
  • ShellExecuteW
Has Internet access capabilities:
  • WinHttpConnect
  • WinHttpOpen
  • WinHttpCreateUrl
  • WinHttpReadData
  • WinHttpWriteData
  • WinHttpQueryDataAvailable
Enumerates local disk drives:
  • GetDriveTypeA
Malicious VirusTotal score: 41/69 (Scanned on 2019-02-14 15:10:18)
MicroWorld-eScan: Gen:Trojan.Heur.Hype.pK0@ayi3drhG
McAfee: Trojan-FPZV!0B2673DDF85E
Cylance: Unsafe
Invincea: heuristic
Symantec: Packed.Generic.525
ESET-NOD32: a variant of Win32/Kryptik.GOXF
TrendMicro-HouseCall: TrojanSpy.Win32.FAREIT.SMKC1.hp
ClamAV: Win.Packed.Gandcrab-6846115-0
Kaspersky: HEUR:Trojan.Win32.Generic
BitDefender: Gen:Trojan.Heur.Hype.pK0@ayi3drhG
NANO-Antivirus: Trojan.Win32.Kryptik.fmxjap
Rising: Trojan.Kryptik!8.8/N3#100% (RDM+:cmRtazqtG+Z9D4gI3tC7alluBlA3)
Ad-Aware: Gen:Trojan.Heur.Hype.pK0@ayi3drhG
Emsisoft: Gen:Trojan.Heur.Hype.pK0@ayi3drhG (B)
F-Secure: Heuristic.HEUR/AGEN.1038782
DrWeb: Trojan.PWS.Siggen2.9541
TrendMicro: TrojanSpy.Win32.FAREIT.SMKC1.hp
McAfee-GW-Edition: Trojan-FPZV!0B2673DDF85E
Trapmine: malicious.high.ml.score
Ikarus: Trojan-Downloader.Win32.SmokeLoader
Jiangmin: Trojan.Agentb.dzz
Avira: HEUR/AGEN.1038782
Fortinet: W32/Kryptik.GOTY!tr
Endgame: malicious (high confidence)
Arcabit: Trojan.Heur.Hype.E5DB28
ZoneAlarm: HEUR:Trojan.Win32.Generic
Microsoft: Ransom:Win32/GandCrab.BB!bit
AhnLab-V3: Trojan/Win32.Agent.C2952825
Acronis: suspicious
MAX: malware (ai score=82)
VBA32: BScope.Trojan.Chapak
Malwarebytes: Trojan.MalPack.GS.Generic
Panda: Trj/GdSda.A
SentinelOne: static engine - malicious
eGambit: Unsafe.AI_Score_51%
GData: Gen:Trojan.Heur.Hype.pK0@ayi3drhG
AVG: Win32:Evo-gen [Susp]
Cybereason: malicious.df85e0
Avast: Win32:Evo-gen [Susp]
CrowdStrike: malicious_confidence_100% (D)
Qihoo-360: HEUR/QVM10.1.398F.Malware.Gen

Hashes

MD5 0b2673ddf85e093f2c5394b77d3bee7e
SHA1 d0133e828e2f3299f67256d9b8ca99f5df1d1524
SHA256 cc6ccf3c0d57911dc4dc834f5603df6c23614f259d4bf1c4bbb56f25f5d6393b
SHA3 6b059f816549debc38cbbbd5dde68991340c4cfd4a8dfa4e7edfff4bea6792e2
SSDeep 3072:SeybYvuV2f8iOwLGxxVxTBiID4s47OQiAgl2TZJxvzmTQE:7goM2fUwQxVjbUs4yQXgGrvzm
Imports Hash 8afd34e3248c6ed08071ce9288c95a6c

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0xe8

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_I386
NumberofSections 9
TimeDateStamp 2018-Jan-28 01:40:45
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xe0
Characteristics IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_RELOCS_STRIPPED

Image Optional Header

Magic PE32
LinkerVersion 10.0
SizeOfCode 0x1ce00
SizeOfInitializedData 0x23000
SizeOfUninitializedData 0
AddressOfEntryPoint 0x0000546F (Section: .text)
BaseOfCode 0x1000
BaseOfData 0x1e000
ImageBase 0x400000
SectionAlignment 0x1000
FileAlignment 0x200
OperatingSystemVersion 5.1
ImageVersion 0.0
SubsystemVersion 5.1
Win32VersionValue 0
SizeOfImage 0x48000
SizeOfHeaders 0x1000
Checksum 0
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
DllCharacteristics IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
SizeofStackReserve 0x100000
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

.text

MD5 d6f1d2aa0fcc7bbe1cde0c2e50fc05a6
SHA1 8ec207cdce8519699226fe19af857a4c4ad105bf
SHA256 9b3c2fbc72b3856f173a155b4fa0765268b5749d7e0c75fd3fd81895c53c9951
SHA3 49162db3612aee4171ddee69b01745f5b0af76822c658099a6dfb2abc46cd722
VirtualSize 0x1cd1a
VirtualAddress 0x1000
SizeOfRawData 0x1ce00
PointerToRawData 0x400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
Entropy 6.90481

.data

MD5 a60ed9c95413eed5d71ff1df90a900c8
SHA1 a1f9042dcac5725a5c0f1ab7edc1d0628ba665c7
SHA256 1a78b3ddf8f088332b3675f1ac4a310490dc10506da43fdbe0691ce149fe0206
SHA3 b32305f906aa6a69f59750a81e700d1d0f2fb40f63671097bab22a60729cbb48
VirtualSize 0x12288
VirtualAddress 0x1e000
SizeOfRawData 0x11400
PointerToRawData 0x1d200
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 0.373066

.mysec2

MD5 bf619eac0cdf3f68d496ea9344137e8b
SHA1 5c3eb80066420002bc3dcc7ca4ab6efad7ed4ae5
SHA256 076a27c79e5ace2a3d47f9dd2e83e4ff6ea8872b3c2218f66c92b89b55f36560
SHA3 622de1e1568ddef36c4b89b706b05201c13481c3575d0fc804ff8224787fcb59
VirtualSize 0xa
VirtualAddress 0x31000
SizeOfRawData 0x200
PointerToRawData 0x2e600
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 0

.version

MD5 bf619eac0cdf3f68d496ea9344137e8b
SHA1 5c3eb80066420002bc3dcc7ca4ab6efad7ed4ae5
SHA256 076a27c79e5ace2a3d47f9dd2e83e4ff6ea8872b3c2218f66c92b89b55f36560
SHA3 622de1e1568ddef36c4b89b706b05201c13481c3575d0fc804ff8224787fcb59
VirtualSize 0xa
VirtualAddress 0x32000
SizeOfRawData 0x200
PointerToRawData 0x2e800
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 0

.mysec1

MD5 bf619eac0cdf3f68d496ea9344137e8b
SHA1 5c3eb80066420002bc3dcc7ca4ab6efad7ed4ae5
SHA256 076a27c79e5ace2a3d47f9dd2e83e4ff6ea8872b3c2218f66c92b89b55f36560
SHA3 622de1e1568ddef36c4b89b706b05201c13481c3575d0fc804ff8224787fcb59
VirtualSize 0xa
VirtualAddress 0x33000
SizeOfRawData 0x200
PointerToRawData 0x2ea00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 0

.mysec3

MD5 bf619eac0cdf3f68d496ea9344137e8b
SHA1 5c3eb80066420002bc3dcc7ca4ab6efad7ed4ae5
SHA256 076a27c79e5ace2a3d47f9dd2e83e4ff6ea8872b3c2218f66c92b89b55f36560
SHA3 622de1e1568ddef36c4b89b706b05201c13481c3575d0fc804ff8224787fcb59
VirtualSize 0xa
VirtualAddress 0x34000
SizeOfRawData 0x200
PointerToRawData 0x2ec00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 0

.version (#2)

MD5 0f343b0931126a20f133d67c2b018a3b
SHA1 60cacbf3d72e1e7834203da608037b1bf83b40e8
SHA256 5f70bf18a086007016e948b04aed3b82103a36bea41755b6cddfaf10ace3c6ef
SHA3 6841b2c10aa6e5f7a384143e4de58fbc9aa28a4b742e9ad4ed14ba148a723a43
VirtualSize 0x1001
VirtualAddress 0x35000
SizeOfRawData 0x400
PointerToRawData 0x2ee00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 0

.rsrc

MD5 62b91ea1e937711ebee3f214d621650c
SHA1 1677e8c098659288172f1aac45079690b71364e7
SHA256 b5c47d3aec288481c2300da2e3a6a8fa88217fd091c01f982d6f77d3ca116838
SHA3 d4d754477cb7b576347f81fded2790f8a0e0392280edb3edb37cbe88c3fc11b1
VirtualSize 0xe738
VirtualAddress 0x37000
SizeOfRawData 0xe800
PointerToRawData 0x2f200
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 6.12632

.reloc

MD5 ff1ce2018aa17fe600fca636b126dbe4
SHA1 c6fff00d41071ff3c363bbeaebd70338a55d1c94
SHA256 fd9243e1ba57263ed469c3bdbd7ade6ec5254e7ed924a9f5737fa44749933cc0
SHA3 30a7216cfe9af912a70d4749615e5c2a7cc5898c6be91c5f58b57140f6d0391f
VirtualSize 0x17aa
VirtualAddress 0x46000
SizeOfRawData 0x1800
PointerToRawData 0x3da00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Entropy 0

Imports

KERNEL32.DLL GetProcessHandleCount
TerminateProcess
SetComputerNameExW
GetLastError
GetProcAddress
LoadLibraryA
GetProcessWorkingSetSize
LocalAlloc
SetProcessWorkingSetSize
SetCommMask
GetThreadPriority
GetProcessShutdownParameters
GetCommTimeouts
GetProcessAffinityMask
FatalExit
DuplicateHandle
GlobalAlloc
CloseHandle
lstrcpyA
LocalFileTimeToFileTime
GetStringTypeW
MultiByteToWideChar
LCMapStringW
WideCharToMultiByte
HeapReAlloc
IsValidCodePage
GetOEMCP
GetACP
LoadLibraryW
GetProcessTimes
GetDriveTypeA
GetTickCount
GetCurrentProcess
GetCPInfo
GetProcessIoCounters
GetNativeSystemInfo
PulseEvent
_lopen
ExitProcess
HeapSize
Sleep
RtlUnwind
EnterCriticalSection
LeaveCriticalSection
GetSystemTimeAsFileTime
GetCurrentProcessId
QueryPerformanceCounter
GetCommandLineW
HeapSetInformation
GetStartupInfoW
RaiseException
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
HeapAlloc
HeapFree
IsProcessorFeaturePresent
EncodePointer
DecodePointer
GetModuleHandleW
WriteFile
GetStdHandle
GetModuleFileNameW
FreeEnvironmentStringsW
GetEnvironmentStringsW
SetHandleCount
InitializeCriticalSectionAndSpinCount
GetFileType
DeleteCriticalSection
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
InterlockedIncrement
SetLastError
GetCurrentThreadId
InterlockedDecrement
HeapCreate
ADVAPI32.dll SetSecurityDescriptorDacl
LookupPrivilegeNameA
ReportEventA
GDI32.dll CreateBrushIndirect
StretchDIBits
RoundRect
AnimatePalette
MSIMG32.dll TransparentBlt
GradientFill
SHELL32.dll ShellAboutA
ShellExecuteW
#179
USER32.dll SetPropA
DlgDirListComboBoxA
GetAltTabInfoA
GetMenuInfo
GetScrollRange
SetWindowTextW
LoadImageW
CopyImage
GetFocus
BeginPaint
SetScrollRange
CreateIconIndirect
WINHTTP.dll WinHttpConnect
WinHttpOpen
WinHttpCreateUrl
WinHttpReadData
WinHttpWriteData
WinHttpQueryDataAvailable

Delayed Imports

MyFunc31

Ordinal 1
Address 0x1ace0

MyFunc32

Ordinal 2
Address 0x1acd0

163

Type RT_BITMAP
Language Danish - Denmark
Codepage UNKNOWN
Size 0x2cb8
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 3.34222
MD5 38a9bd5d03a78d13b1fcf5b17acdac98
SHA1 16d284030cc57bd0f680bce4294607ffad92bd07
SHA256 8424190aa3e227b9eeacc7896a6fbb0945e90cf0a5366028a6d08de4e2946014
SHA3 623507790d84d2bafab9cafd619fac034c15849dc03ac46124f78469e0dbb9a6

1

Type RT_ICON
Language Danish - Denmark
Codepage UNKNOWN
Size 0x8a8
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 5.74896
MD5 fdd8c6174fa8d919de6ae74f3eb9b2f7
SHA1 b6b7d11e0c914d8b4fe9a2e06912a10edaf19643
SHA256 d299df144c7d76eb0993b4052a24eba50ee9bb0440e70ffe9d3beed0bc6d1cd7
SHA3 6a82794fac6ec5edc3e7f84ba2b75a82556ddebdf072f13a4e36ff6b0818489e

2

Type RT_ICON
Language Danish - Denmark
Codepage UNKNOWN
Size 0x94a8
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 6.30861
MD5 86261da2029e715b48e6e51fa1998513
SHA1 03d317396da2a7eb078946b5c6678fd4db7eee4e
SHA256 7cc07b9e21faa408ef0a8799ac914f8b736d87f207c23ae03d36e666414c1bb6
SHA3 586c2fc4e8d6e62fc667841f892242457880eba95025c1becd0c1f594df597f5

3

Type RT_ICON
Language Danish - Denmark
Codepage UNKNOWN
Size 0x10a8
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 5.96311
MD5 f9ba8eaf8b2ffc0876acc4298c8bffa7
SHA1 48993462e782acca9578003bd672dd665617d7f5
SHA256 36813a567a25874868e19c909b5cd9c64af96c6b06ceca8f7c3401feab4f6b8e
SHA3 f2f69f5abaaa077ff09eeed18a90f3504aab7ef6513143f2d14f8e31dd38ea07

4

Type RT_ICON
Language Danish - Denmark
Codepage UNKNOWN
Size 0x468
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 5.46077
MD5 df538816f7f36c4408c19c5c7e2cd76c
SHA1 ae74992625c71aecb8ccf9a1c1f304202f717e14
SHA256 fd6c8707f1304d6abb5968c9797e5090fd524df34411829affb461f0b387c288
SHA3 82c10dfab928ce573275c0e887f59f931b7ee27bbc11a3038f905f510bdbd3b1

10

Type RT_STRING
Language Danish - Denmark
Codepage UNKNOWN
Size 0x436
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 3.30582
MD5 1d926659861e48e6bb230961cf8a4773
SHA1 2996e7f0daea107a0eb7e2e0b92f9802e4a57be0
SHA256 fb1e80328e30894fde8a9f2185d45fb095bdfa2ad48cb564183f7922f6d305ab
SHA3 325b58dfd4ce23a466107192239053ebb1e375dc5b6b481e43eb1f5870ebb2c1

101

Type RT_ACCELERATOR
Language Danish - Denmark
Codepage UNKNOWN
Size 0x48
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 2.73379
MD5 a952d15376079c040a20c8c60fd3aeb2
SHA1 7e0ead2834d26cb87cb34a57a991b2bbf8d9773e
SHA256 56b4a596124759a1be97cca0a4f9fd6a2a23df170f55a2c2c49e560a50a5be63
SHA3 f975b4b9013233cc0c1f68075a33f40b2c97e9d76db3cefbb40fa0c20567894b

235

Type RT_GROUP_ICON
Language Danish - Denmark
Codepage UNKNOWN
Size 0x3e
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 2.51184
Detected Filetype Icon file
MD5 22f8e41e1e7153ef02205e1b921ae6d4
SHA1 40c1fc96c9aef5d2bdcea38e01679d7d3d6751be
SHA256 c27a4c138e8a854da6a5c7af3d77a68665bc38e728001b7467449b8ca5838a37
SHA3 def3ef4742c66316f913577c604f51a0e733795ae825527bd1523972ae034778

1 (#2)

Type RT_VERSION
Language Danish - Denmark
Codepage UNKNOWN
Size 0x110
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 3.01983
MD5 b435710a3183b55803957e767cff7df0
SHA1 fff021206568737aaf0f38c94588a42bbdefc682
SHA256 3c63a0213346e998480480370ba83ae71ebeb33abbcc203bd6e9c73a9c3d8aef
SHA3 a0146996e781d4e61ddb449211e1f350cbd032dbe1234ac0d794676771fab07c

String Table contents

Bivuyodan zabasibetuw gano medajeziret nasisumek
Godotefifipike meloterupirar hodibolu ceya nivupucemo
Putofijijuse cadecodedupo luroyimuvumelef vuhafixami zepazabapol
Pepiyag jona ceheguxepe worugayinero xelerapifucili
Zubajefanexa cuj wigimupifawuwuz hohavoz
Bofapinayo kebuja
Cabugulinopixud juyutocejetub zedusiyihike kicubemov
Jupotigofu jalimiliyuhuy lumuka vaxusupujo givub
Nuwozasabowakiy xasaci vub
Mud lasumey dut camodericisi huguyuf
Pox cigosaz najuwufahu gofegopeduropel desimunexib
Lojahanasotipi yehumawanigisaw xucigep

Version Info

Signature 0xfeef04bd
StructVersion 0x10000
FileVersion 1.0.0.0
ProductVersion 1.0.0.0
FileFlags (EMPTY)
FileOs VOS_DOS_WINDOWS32
VOS_NT
VOS_NT_WINDOWS32
VOS_WINCE
VOS__WINDOWS32
FileType VFT_APP
Language UNKNOWN
InternalName nowuz.exe
Resource LangID Danish - Denmark

TLS Callbacks

Load Configuration

Size 0x48
TimeDateStamp 1970-Jan-01 00:00:00
Version 0.0
GlobalFlagsClear (EMPTY)
GlobalFlagsSet (EMPTY)
CriticalSectionDefaultTimeout 0
DeCommitFreeBlockThreshold 0
DeCommitTotalFreeThreshold 0
LockPrefixTable 0
MaximumAllocationSize 0
VirtualMemoryThreshold 0
ProcessAffinityMask 0
ProcessHeapFlags (EMPTY)
CSDVersion 0
Reserved1 0
EditList 0
SecurityCookie 0x41e07c
SEHandlerTable 0x403700
SEHandlerCount 8

RICH Header

XOR Key 0xd5bc5a2d
Unmarked objects 0
ASM objects (VS2010 build 30319) 21
C objects (VS2010 build 30319) 90
C++ objects (VS2010 build 30319) 31
Imports (VS2008 SP1 build 30729) 15
Total imports 120
175 (VS2010 build 30319) 1
34526 (22812) 1
Resource objects (VS2010 build 30319) 1
10080 (46431) 1

Errors