Manalyze report for 1974edcb8326835d1ad1ca94d70a914a

Summary

Architecture	`IMAGE_FILE_MACHINE_I386`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	2013-Sep-12 05:23:19

Plugin Output

Suspicious	The PE is possibly packed.	`Section .rdata is both writable and executable.` `Unusual section name found: .dec`
Suspicious	The PE contains functions most legitimate programs don't use.	`[!] The program may be hiding some of its imports: GetProcAddress LoadLibraryA` `Possibly launches other programs: CreateProcessA` `Enumerates local disk drives: GetLogicalDriveStringsA` `Manipulates other processes: OpenProcess`
Malicious	VirusTotal score: 59/68 (Scanned on 2018-08-20 10:47:11)	`Bkav: W32.RansomeDSB.Trojan` `MicroWorld-eScan: Trojan.GenericKD.12223151` `CAT-QuickHeal: Ransom.Exxroute.A4` `ALYac: Trojan.Ransom.LockyCrypt` `Malwarebytes: Ransom.Locky` `VIPRE: Trojan.Win32.Generic!BT` `K7GW: Trojan ( 0051918c1 )` `K7AntiVirus: Trojan ( 0051918c1 )` `Arcabit: Trojan.Generic.DBA82AF` `TrendMicro: Ransom_LOCKY.DLDTATT` `Baidu: Win32.Trojan.WisdomEyes.16070401.9500.9999` `F-Prot: W32/Ransom.HB.gen!Eldorado` `Symantec: Ransom.Locky.B` `TrendMicro-HouseCall: Ransom_LOCKY.DLDTATT` `Avast: Win32:Malware-gen` `ClamAV: Win.Ransomware.Locky-6336174-0` `Kaspersky: HEUR:Trojan.Win32.Generic` `BitDefender: Trojan.GenericKD.12223151` `NANO-Antivirus: Trojan.Win32.BitCoinMiner.esimrk` `Paloalto: generic.ml` `ViRobot: Trojan.Win32.S.Agent.616960.U` `Tencent: Win32.Trojan.Raas.Auto` `Ad-Aware: Trojan.GenericKD.12223151` `Emsisoft: Trojan.GenericKD.12223151 (B)` `Comodo: TrojWare.Win32.Refinka.A` `F-Secure: Trojan.GenericKD.12223151` `DrWeb: Trojan.Encoder.13570` `Zillya: Trojan.Cryptor.Win32.165` `Invincea: heuristic` `McAfee-GW-Edition: BehavesLike.Win32.Ransomware.jc` `Fortinet: W32/Kryptik.FVZV!tr` `Sophos: Mal/Elenoocka-E` `SentinelOne: static engine - malicious` `Cyren: W32/S-0f0c8790!Eldorado` `Jiangmin: Trojan.Generic.bieyz` `Webroot: W32.Trojan.Gen` `Avira: TR/Crypt.ZPACK.Gen7` `MAX: malware (ai score=100)` `Endgame: malicious (high confidence)` `Microsoft: Ransom:Win32/Locky.A` `AegisLab: Ransom.Cerber.Smaly0!c` `ZoneAlarm: HEUR:Trojan.Win32.Generic` `AhnLab-V3: Win-Trojan/Lukitus3.Exp` `McAfee: Packed-QL!1974EDCB8326` `AVware: Trojan.Win32.Generic!BT` `TACHYON: Ransom/W32.Cryptor.616960` `VBA32: Trojan-Ransom.Cryptor` `Cylance: Unsafe` `Zoner: Trojan.Locky` `ESET-NOD32: Win32/Filecoder.Locky.L` `Rising: Trojan.Kryptik!1.AD50 (CLOUD)` `Yandex: Trojan.Cryptor!N/YA6pPlQr4` `Ikarus: Trojan-Ransom.Locky` `GData: Win32.Trojan.Kryptik.IS` `AVG: Win32:Malware-gen` `Cybereason: malicious.b83268` `Panda: Trj/GdSda.A` `CrowdStrike: malicious_confidence_100% (D)` `Qihoo-360: Trojan.Generic`

Hashes

MD5	`1974edcb8326835d1ad1ca94d70a914a`
SHA1	`a7b42163d1d160e1f40e9578bba81bd933571b1e`
SHA256	`19865bb16f4609b4703eaba1d773d60a85009b715274ad862ca4cbb5772c621a`
SHA3	`14389640dc591e6b626e5baf4dd334fa767bccb32bfd7f10ce55aba7920998da`
SSDeep	`12288:66vrLEshlml1beZXpvurUUUOx76rlq6ja6h7eaPVZbSu:6CrvlaoZmrUHOdCNbdeazS`
Imports Hash	`fcaa27a6289540b1ef0c9d461a81c7ec`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0x80`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_I386`
NumberofSections	`4`
TimeDateStamp	2013-Sep-12 05:23:19
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xe0`
Characteristics	`IMAGE_FILE_32BIT_MACHINE` `IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_RELOCS_STRIPPED`

Image Optional Header

Magic	`PE32`
LinkerVersion	`12.0`
SizeOfCode	`0xd800`
SizeOfInitializedData	`0x6000`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x0000C0CF (Section: .text)`
BaseOfCode	`0x1000`
BaseOfData	`0xf000`
ImageBase	`0x400000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`4.0`
ImageVersion	`0.0`
SubsystemVersion	`4.0`
Win32VersionValue	`0`
SizeOfImage	`0x99000`
SizeOfHeaders	`0x400`
Checksum	`0x9e4bc`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`cdca7b3b7abc058aeb707849e011245b`
SHA1	`5210f68e043d16e290102463a71bc7f3d83bfaf2`
SHA256	`73eafb236cf0dacd903893791e739a9e97519e129f0f00bf7121af6c473fb0fd`
SHA3	`5b5123f38d1bebc3d6fba769e0535f9dfca15fa744d44dde0271f071dad7c289`
VirtualSize	`0xd76c`
VirtualAddress	`0x1000`
SizeOfRawData	`0xd800`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE`
Entropy	`4.95335`

.rdata

MD5	`ea385cda7782bf5c93e4221b9f1a7a20`
SHA1	`47c3ba3d1744fa4304edff2cef56b342528ff42e`
SHA256	`3e0d718e14210a9bc0bb81acf309de733ad82cbb583f6c3ccb6da40f97f2bc6d`
SHA3	`8910e5872e9dc66907ddd8eb4ece844b1375eaf36479fed95bfdeb02bf8be954`
VirtualSize	`0x51b9`
VirtualAddress	`0xf000`
SizeOfRawData	`0x5200`
PointerToRawData	`0xdc00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`0.213146`

.dec

MD5	`4a9f3ddd3ef36bcb7d09690e42ec7749`
SHA1	`57148cdb84bc5c7a902f8a4ab26fdf1af5a32f89`
SHA256	`eec7764a79118dd7d1ee41844aafb2d99d90664a187e6a8c99a56a586f5e169a`
SHA3	`7c2e4f4178a4e3e19ac2bf70ecb78e5d37d974d7905b9ca1b737a422d4ab35d9`
VirtualSize	`0x82da6`
VirtualAddress	`0x15000`
SizeOfRawData	`0x82e00`
PointerToRawData	`0x12e00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`7.99002`

.rsrc

MD5	`5b24d1a25e7388610b6a8e3a0204de52`
SHA1	`efb2e9c3e6f36f432b71c1b0684fb82bea767ead`
SHA256	`eb05eca9ab375c2f58a8586c19bb2ea1c5a30656580e469bebfafc504cbefa8b`
SHA3	`53c40a656829ef34a1df6fcc88991bce1e11d694e7af239553df84bb065ac1dc`
VirtualSize	`0xd70`
VirtualAddress	`0x98000`
SizeOfRawData	`0xe00`
PointerToRawData	`0x95c00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`0.247233`

Imports

clbcatq.dll	`DowngradeAPL` `SetSetupSave`
cfgmgr32.dll	`CM_Add_Empty_Log_Conf` `CMP_Report_LogOn` `CM_Add_IDA` `CM_Add_Range`
user32.dll	`wsprintfA` `LoadBitmapA` `IsDialogMessageA` `DispatchMessageW` `PostMessageA` `CharToOemA` `LoadIconA` `IsCharLowerA` `DialogBoxParamA` `MessageBoxW` `GetClassLongA` `DrawStateA` `PeekMessageA` `InsertMenuW`
dbnmpntw.dll	`ConnectionClose` `ConnectionWrite`
kernel32.dll	`GetCommandLineA` `InterlockedExchangeAdd` `CreateMutexA` `GetEnvironmentVariableW` `WaitForSingleObject` `SetLocalTime` `CreateProcessA` `GetShortPathNameA` `FindClose` `FindResourceExA` `OpenProcess` `GlobalAddAtomA` `GetConsoleTitleW` `GetPriorityClass` `FindNextFileA` `CreateFileMappingW` `FindFirstFileW` `FormatMessageA` `TlsGetValue` `GetLogicalDriveStringsA` `GetProcAddress` `GetPrivateProfileStringW` `CreateDirectoryW` `CreateSemaphoreW` `LoadLibraryA` `SetEnvironmentVariableA` `GetModuleHandleA`
shlwapi.dll	`UrlGetPartW` `PathCompactPathW` `UrlCreateFromPathW` `UrlCombineA` `UrlEscapeA` `UrlCompareA` `UrlUnescapeW` `PathIsRootW` `UrlHashA` `UrlIsNoHistoryW` `UrlGetLocationA` `PathCommonPrefixW` `UrlIsA` `PathCombineA`
shimeng.dll	`SE_InstallBeforeInit` `SE_IsShimDll`
shell32.dll	`Shell_NotifyIconW` `DllUnregisterServer` `DragQueryFileW` `DllGetClassObject` `SHBrowseForFolderW` `SHGetFolderPathW` `StrChrW` `ExtractIconW` `SHEmptyRecycleBinA` `SHCreateDirectoryExA`

Delayed Imports

1

Type	`OPS`
Language	UNKNOWN
Codepage	UNKNOWN
Size	`0x200`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`0`
MD5	`bf619eac0cdf3f68d496ea9344137e8b`
SHA1	`5c3eb80066420002bc3dcc7ca4ab6efad7ed4ae5`
SHA256	`076a27c79e5ace2a3d47f9dd2e83e4ff6ea8872b3c2218f66c92b89b55f36560`
SHA3	`622de1e1568ddef36c4b89b706b05201c13481c3575d0fc804ff8224787fcb59`

1 (#2)

Type	`IKQ`
Language	UNKNOWN
Codepage	UNKNOWN
Size	`0x200`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`0`
MD5	`bf619eac0cdf3f68d496ea9344137e8b`
SHA1	`5c3eb80066420002bc3dcc7ca4ab6efad7ed4ae5`
SHA256	`076a27c79e5ace2a3d47f9dd2e83e4ff6ea8872b3c2218f66c92b89b55f36560`
SHA3	`622de1e1568ddef36c4b89b706b05201c13481c3575d0fc804ff8224787fcb59`

2

Type	`IKQ`
Language	UNKNOWN
Codepage	UNKNOWN
Size	`0x200`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`0`
MD5	`bf619eac0cdf3f68d496ea9344137e8b`
SHA1	`5c3eb80066420002bc3dcc7ca4ab6efad7ed4ae5`
SHA256	`076a27c79e5ace2a3d47f9dd2e83e4ff6ea8872b3c2218f66c92b89b55f36560`
SHA3	`622de1e1568ddef36c4b89b706b05201c13481c3575d0fc804ff8224787fcb59`

3

Type	`IKQ`
Language	UNKNOWN
Codepage	UNKNOWN
Size	`0x200`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`0`
MD5	`bf619eac0cdf3f68d496ea9344137e8b`
SHA1	`5c3eb80066420002bc3dcc7ca4ab6efad7ed4ae5`
SHA256	`076a27c79e5ace2a3d47f9dd2e83e4ff6ea8872b3c2218f66c92b89b55f36560`
SHA3	`622de1e1568ddef36c4b89b706b05201c13481c3575d0fc804ff8224787fcb59`

4

Type	`IKQ`
Language	UNKNOWN
Codepage	UNKNOWN
Size	`0x200`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`0`
MD5	`bf619eac0cdf3f68d496ea9344137e8b`
SHA1	`5c3eb80066420002bc3dcc7ca4ab6efad7ed4ae5`
SHA256	`076a27c79e5ace2a3d47f9dd2e83e4ff6ea8872b3c2218f66c92b89b55f36560`
SHA3	`622de1e1568ddef36c4b89b706b05201c13481c3575d0fc804ff8224787fcb59`

5

Type	`IKQ`
Language	UNKNOWN
Codepage	UNKNOWN
Size	`0x200`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`0`
MD5	`bf619eac0cdf3f68d496ea9344137e8b`
SHA1	`5c3eb80066420002bc3dcc7ca4ab6efad7ed4ae5`
SHA256	`076a27c79e5ace2a3d47f9dd2e83e4ff6ea8872b3c2218f66c92b89b55f36560`
SHA3	`622de1e1568ddef36c4b89b706b05201c13481c3575d0fc804ff8224787fcb59`

Version Info

TLS Callbacks

Load Configuration

RICH Header

Errors

[!] Error: Could not read PDB file information of invalid magic number.