Manalyze report for 1d724f95c61f1055f0d02c2154bbccd3

Summary

Architecture	`IMAGE_FILE_MACHINE_I386`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_CUI`
Compilation Date	2017-Oct-22 02:33:41
Detected languages	English - United States

Plugin Output

Info	Matching compiler(s):	`Microsoft Visual C++ 6.0 - 8.0`
Suspicious	Strings found in the binary may indicate undesirable behavior:	`Contains references to system / monitoring tools: rundll32.exe schtask` `May have dropper capabilities: %ALLUSERSPROFILE% CurrentControlSet\services` `Miscellaneous malware strings: cmd.exe`
Info	Cryptographic algorithms detected in the binary:	`Uses constants related to CRC32` `Microsoft's Cryptography API`
Malicious	The PE contains functions mostly used by malware.	`[!] The program may be hiding some of its imports: LoadLibraryA GetProcAddress LoadLibraryW` `Functions which can be used for anti-debugging purposes: CreateToolhelp32Snapshot` `Can access the registry: RegFlushKey RegQueryValueExW RegOpenKeyW RegSetValueExW RegCloseKey RegOpenKeyExW` `Possibly launches other programs: CreateProcessW CreateProcessAsUserW` `Uses Microsoft's cryptographic API: CryptDuplicateKey CryptDuplicateHash CryptEncrypt CryptGenRandom CryptGetKeyParam CryptSetKeyParam CryptDeriveKey CryptHashData CryptDestroyHash CryptDestroyKey CryptCreateHash CryptImportKey CryptReleaseContext CryptAcquireContextW CryptGetHashParam CryptSetHashParam CryptStringToBinaryW CryptImportPublicKeyInfo CryptBinaryToStringW CryptDecodeObjectEx` `Memory manipulation functions often used by packers: VirtualProtect VirtualAlloc` `Leverages the raw socket API to access the Internet: select ioctlsocket gethostbyname inet_ntoa ntohl WSAStartup connect inet_addr htons socket closesocket send recv __WSAFDIsSet` `Functions related to the privilege level: DuplicateTokenEx DuplicateToken AdjustTokenPrivileges CheckTokenMembership OpenProcessToken` `Interacts with services: OpenSCManagerW QueryServiceStatus DeleteService CreateServiceW` `Enumerates local disk drives: GetDriveTypeW` `Manipulates other processes: OpenProcess Process32FirstW Process32NextW` `Queries user information on remote machines: NetWkstaGetInfo` `Can shut the system down or lock the screen: ExitWindowsEx InitiateSystemShutdownExW`
Suspicious	The PE is possibly a dropper.	`Resource 1 is possibly compressed or encrypted.` `Resource 2 is possibly compressed or encrypted.` `Resource 7 is possibly compressed or encrypted.` `Resource 8 is possibly compressed or encrypted.` `Resource 9 is possibly compressed or encrypted.` `Resources amount for 77.0876% of the executable.`
Malicious	The PE's digital signature is invalid.	`Signer: Symantec Corporation` `Issuer: VeriSign Class 3 Code Signing 2010 CA` `The file was modified after it was signed.`
Malicious	VirusTotal score: 65/72 (Scanned on 2025-01-16 11:46:30)	`ALYac: Trojan.Ransom.BadRabbit` `AVG: Win32:RansomX-gen [Ransom]` `AhnLab-V3: Trojan/Win.Diskcoder.R660164` `Alibaba: Ransom:Win32/Agent.190220` `Antiy-AVL: Trojan[Ransom]/Win32.BadRabbit.b` `Arcabit: Trojan.Ransom.BUZ` `Avast: Win32:RansomX-gen [Ransom]` `Avira: TR/Diskcoder.12352` `BitDefender: Trojan.Ransom.BUZ` `Bkav: W32.RabInND.Worm` `CAT-QuickHeal: Ransom.BadRabbit.A5` `CTX: dll.trojan.badrabbit` `ClamAV: Win.Trojan.Agent-6355731-0` `CrowdStrike: win/malicious_confidence_100% (W)` `Cylance: Unsafe` `Cynet: Malicious (score: 99)` `DeepInstinct: MALICIOUS` `DrWeb: Trojan.BadRabbit.3` `ESET-NOD32: Win32/Diskcoder.D` `Elastic: malicious (high confidence)` `Emsisoft: Trojan.Ransom.BUZ (B)` `F-Secure: Trojan:W32/Rabbad.C` `FireEye: Generic.mg.1d724f95c61f1055` `Fortinet: W32/Diskcoder.D!tr.ransom` `GData: Win32.Worm.BadRabbit.D` `Google: Detected` `Gridinsoft: Risk.Win32.Mimikatz.tr` `Ikarus: Trojan.Win32.Diskcoder` `Jiangmin: Trojan.BadRabbit.c` `K7AntiVirus: Ransomware ( 0051a4141 )` `K7GW: Ransomware ( 0051a4141 )` `Kaspersky: Trojan.Win32.Agentb.bxhn` `Kingsoft: Win32.Troj.BadRabbit.ac` `Lionic: Trojan.Win32.BadRabbit.4!c` `Malwarebytes: Malware.AI.4249922356` `McAfee: Generic.adk` `McAfeeD: ti!579FD8A03854` `MicroWorld-eScan: Trojan.Ransom.BUZ` `Microsoft: Ransom:Win32/Tibbar.A` `NANO-Antivirus: Trojan.Win32.Petya.euuhye` `Paloalto: generic.ml` `Panda: W32/Ransom.G.worm` `Rising: Ransom.BadRabbit!1.AC3A (CLASSIC)` `Sangfor: Suspicious.Win32.Save.a` `SentinelOne: Static AI - Suspicious PE` `Skyhigh: Generic.adk` `Sophos: Mal/Ransom-FK` `Symantec: Ransom.BadRabbit` `TACHYON: Ransom/W32.BadRabbit.410760` `Tencent: Malware.Win32.Gencirc.10bdd57b` `Trapmine: malicious.high.ml.score` `TrendMicro: Ransom_BADRABBIT.A` `TrendMicro-HouseCall: Ransom_BADRABBIT.A` `VBA32: Trojan.BadRabbit` `VIPRE: Trojan.Ransom.BUZ` `Varist: W32/BadRabbit.CHEE-5527` `ViRobot: Trojan.Win32.S.Ransom.410760` `VirIT: Trojan.Win32.BadRabbit.A` `Xcitium: Malware@#3gadoxl0j791v` `Yandex: Trojan.GenAsa!mqi6oh25ijQ` `Zillya: Trojan.Diskcoder.Win32.101` `Zoner: Trojan.Win32.63974` `alibabacloud: Trojan:Win/Diskcoder.D` `huorong: Ransom/BadRabbit.a` `tehtris: Generic.Malware`

Hashes

MD5	`1d724f95c61f1055f0d02c2154bbccd3`
SHA1	`79116fe99f2b421c52ef64097f0f39b815b20907`
SHA256	`579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648`
SHA3	`52d60eb937105122d13afb49578450a4e05c9dde72a6c37201a05c930ba5637c`
SSDeep	`12288:GtDjvhNTc/cq4RKZZKfArRuSA80m+/6sXRnfPGp:IjTc/cq4RUZaArbInfPGp`
Imports Hash	`84c07bbbee7d0b5b675b89ce3e4124e7`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0xe8`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_I386`
NumberofSections	`5`
TimeDateStamp	2017-Oct-22 02:33:41
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xe0`
Characteristics	`IMAGE_FILE_32BIT_MACHINE` `IMAGE_FILE_DLL` `IMAGE_FILE_EXECUTABLE_IMAGE`

Image Optional Header

Magic	`PE32`
LinkerVersion	`10.0`
SizeOfCode	`0xc000`
SizeOfInitializedData	`0x54c00`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x00007938 (Section: .text)`
BaseOfCode	`0x1000`
BaseOfData	`0xd000`
ImageBase	`0x10000000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`5.1`
ImageVersion	`0.0`
SubsystemVersion	`5.1`
Win32VersionValue	`0`
SizeOfImage	`0x68000`
SizeOfHeaders	`0x400`
Checksum	`0x6fcb8`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_CUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` `IMAGE_DLLCHARACTERISTICS_NX_COMPAT`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`f277e74393ce6a5225228d538d794067`
SHA1	`a97060ef99e6515b8caf2b634b2ea1ea33bce3b7`
SHA256	`adde0f3df97fee2a1a18d59f1238c99a812ff3c89461b7f6f3d9310cae928229`
SHA3	`50734e05a030edff59d1f40cc4ddb9fff60973b80590bb110f7a7e84b1339ccc`
VirtualSize	`0xbfd3`
VirtualAddress	`0x1000`
SizeOfRawData	`0xc000`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.56895`

.rdata

MD5	`50eb2a2b07fa914ce2e9d3f470796e41`
SHA1	`d1f33866ea77cc158cc324aa2bbd1d13322d3496`
SHA256	`8f201cdd9990f3ec76814877ac260ef7e8d480f99289978f1b0855be0459c9cb`
SHA3	`f6d5fb219945d5cad40d2526e6dc1181aa5d87a4de3d4e96f2e9e683e9fc259e`
VirtualSize	`0x5cfb`
VirtualAddress	`0xd000`
SizeOfRawData	`0x5e00`
PointerToRawData	`0xc400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`6.33809`

.data

MD5	`14a2ecc6822bbedc01d209e8b3f541c4`
SHA1	`4b3a826ece86db5f8c58f08b760cb4d91d6f5d69`
SHA256	`a888d1ebcfa3e09c479d837e789c75f4bfa35bec057aedefc07a524b7aade3c9`
SHA3	`dbe3e87bc46d731ae744a2d52076f3eff8f4f787d27ea2f033075753f3e9f49c`
VirtualSize	`0x5370`
VirtualAddress	`0x13000`
SizeOfRawData	`0xa00`
PointerToRawData	`0x12200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`6.30001`

.rsrc

MD5	`49761becfc454de3506c3fa2b11cfbc9`
SHA1	`0bc2e5286057cb9f8e4b7bd6e360c13aa595bc84`
SHA256	`907c20ee93077ebc9aeae757f474049010d52040bf3ef0f6c8cc2f7570a9cdef`
SHA3	`852b9562e179794f376b5de47af072db20c2a5b02592433035650313e8e98cfd`
VirtualSize	`0x4d600`
VirtualAddress	`0x19000`
SizeOfRawData	`0x4d600`
PointerToRawData	`0x12c00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`7.99087`

.reloc

MD5	`0b73b18ff226349be058ad09669b00b0`
SHA1	`4163f3ca708aa3d5d1dc01cc635d321207485f77`
SHA256	`480cbab857acadee22a0875c44f93adc4e3c41f9b62f1a85ff3ae4cc5a0680f7`
SHA3	`8c90df9d6ef288ac0f61055631e832b40fe3c235920180beed56bc431b0bc213`
VirtualSize	`0xd90`
VirtualAddress	`0x67000`
SizeOfRawData	`0xe00`
PointerToRawData	`0x60200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`5.76853`

Imports

KERNEL32.dll	`InterlockedExchange` `GetTempFileNameW` `PeekNamedPipe` `CreateProcessW` `ConnectNamedPipe` `GetModuleHandleW` `CreateNamedPipeW` `TerminateThread` `DisconnectNamedPipe` `DeleteFileW` `GlobalAlloc` `GetComputerNameExW` `GlobalFree` `ExitProcess` `GetModuleFileNameW` `DisableThreadLibraryCalls` `ResumeThread` `CreateMutexW` `FindResourceW` `FindNextFileW` `GetComputerNameW` `GetCurrentThread` `OpenProcess` `SizeofResource` `TerminateProcess` `GetLocalTime` `Process32FirstW` `LockResource` `Process32NextW` `CreateToolhelp32Snapshot` `GetCurrentProcessId` `LoadLibraryA` `VirtualProtect` `GetSystemTimeAsFileTime` `WideCharToMultiByte` `GetExitCodeProcess` `GetModuleHandleA` `InitializeCriticalSection` `HeapReAlloc` `EnterCriticalSection` `SetLastError` `LeaveCriticalSection` `GetTickCount` `MultiByteToWideChar` `GetSystemInfo` `CreateEventW` `CreateFileMappingW` `FindClose` `GetFileSizeEx` `GetEnvironmentVariableW` `FlushFileBuffers` `FlushViewOfFile` `GetLogicalDrives` `SetEvent` `WaitForSingleObject` `SetFilePointerEx` `SetEndOfFile` `GetDriveTypeW` `UnmapViewOfFile` `MapViewOfFile` `FindFirstFileW` `LocalFree` `LocalAlloc` `GetTimeZoneInformation` `GetSystemDefaultLCID` `HeapAlloc` `VirtualAlloc` `GetProcAddress` `ReadFile` `GetVersionExW` `LoadLibraryW` `WriteFile` `VirtualFree` `GetCurrentProcess` `FreeLibrary` `GetFileSize` `CloseHandle` `CreateFileW` `GetVersion` `GetLastError` `ExpandEnvironmentStringsW` `lstrcatW` `WaitForMultipleObjects` `CreateThread` `Sleep` `GetSystemDirectoryW` `GetProcessHeap` `HeapFree` `LoadResource`
USER32.dll	`ExitWindowsEx` `GetSystemMetrics` `CharUpperW` `wsprintfW` `wsprintfA`
ADVAPI32.dll	`RegFlushKey` `CloseServiceHandle` `OpenSCManagerW` `RegQueryValueExW` `RegOpenKeyW` `QueryServiceStatus` `StartServiceW` `CreateProcessAsUserW` `DeleteService` `InitiateSystemShutdownExW` `DuplicateTokenEx` `SetTokenInformation` `DuplicateToken` `GetTokenInformation` `GetSidSubAuthorityCount` `OpenThreadToken` `GetSidSubAuthority` `SetThreadToken` `CredEnumerateW` `CredFree` `SetSecurityDescriptorDacl` `InitializeSecurityDescriptor` `CryptDuplicateKey` `CryptDuplicateHash` `CryptEncrypt` `CryptGenRandom` `CryptGetKeyParam` `CryptSetKeyParam` `CryptDeriveKey` `CryptHashData` `CryptDestroyHash` `CryptDestroyKey` `CryptCreateHash` `CryptImportKey` `CryptReleaseContext` `CryptAcquireContextW` `CryptGetHashParam` `CryptSetHashParam` `AdjustTokenPrivileges` `CheckTokenMembership` `FreeSid` `AllocateAndInitializeSid` `LookupPrivilegeValueW` `OpenProcessToken` `RegSetValueExW` `RegCloseKey` `RegOpenKeyExW` `CreateServiceW`
SHELL32.dll	`CommandLineToArgvW`
ole32.dll	`CoCreateGuid` `CoTaskMemFree` `StringFromCLSID`
CRYPT32.dll	`CryptStringToBinaryW` `CryptImportPublicKeyInfo` `CryptBinaryToStringW` `CryptDecodeObjectEx`
SHLWAPI.dll	`PathFindFileNameW` `StrChrW` `StrCmpW` `StrCmpIW` `StrToIntW` `PathAppendW` `StrStrW` `PathCombineW` `StrStrIW` `PathFindExtensionW` `StrCatW` `PathFileExistsW`
IPHLPAPI.DLL	`GetAdaptersInfo` `GetIpNetTable`
WS2_32.dll	`select` `ioctlsocket` `gethostbyname` `inet_ntoa` `ntohl` `WSAStartup` `connect` `inet_addr` `htons` `socket` `closesocket` `send` `recv` `__WSAFDIsSet`
MPR.dll	`WNetOpenEnumW` `WNetEnumResourceW` `WNetCancelConnection2W` `WNetAddConnection2W` `WNetCloseEnum`
NETAPI32.dll	`NetApiBufferFree` `NetWkstaGetInfo` `NetServerEnum` `NetServerGetInfo`
DHCPSAPI.DLL	`DhcpEnumSubnetClients` `DhcpEnumSubnets` `DhcpRpcFreeMemory` `DhcpGetSubnetInfo`
msvcrt.dll	`memcpy` `srand` `memset` `memmove` `free` `malloc` `sprintf` `rand`

Delayed Imports

Ordinal	`1`
Address	`0x79d7`

(#2)

Ordinal	`2`
Address	`0x7bf7`

1

Type	`RT_STRING`
Language	English - United States
Codepage	Latin 1 / Western European
Size	`0x70f4`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`7.99178`
MD5	`cd5fd47263d659b0e7e023f7fd1df38d`
SHA1	`faa5f371e723de1f5df27d9765c4a1d0ce1cffbb`
SHA256	`5df402dabf96273f7fabca8fd4e2344827ac04c546ed1f76e38e8d723389a516`
SHA3	`c40fa1cf879554a8a8a3121a1472a29833bc806f3c25d1c0052ad18dc663bdc6`

2

Type	`RT_STRING`
Language	English - United States
Codepage	Latin 1 / Western European
Size	`0x7a5e`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`7.99213`
MD5	`bc879e671128c3a65d5c4bd4ff22a82d`
SHA1	`9fbb55999a24f2e89e5162cc4dd4cd6a985757d2`
SHA256	`eef46f0bd92534f30f7ca73b55d9e16d32568d7800dd184569f28a603eb52240`
SHA3	`ebcb01b465541a03c8fb3f3017e357b254c46eb3ff751c32a00c6cd89ed949b0`

7

Type	`RT_STRING`
Language	English - United States
Codepage	Latin 1 / Western European
Size	`0x15df4`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`7.97869`
MD5	`045da15bc76192a475321f4fb898c7d0`
SHA1	`47f0b0d2b84d706773ceba611b531fc5389a1248`
SHA256	`9cc93f4eebfbe3bad6828176753ad047952bd9943645f7291bc4751031c9884f`
SHA3	`f34db0ca240f6f847489c0a0af5038bf71dbdcb1a3f1ccccecf351fe720c86f2`

8

Type	`RT_STRING`
Language	English - United States
Codepage	Latin 1 / Western European
Size	`0x18003`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`7.98356`
MD5	`95d25fdf3eaa874ae5d42bf7ff06bfba`
SHA1	`e64260b3d15187acb76fa98c9584cba3962a5e2e`
SHA256	`f551670073a005d50a6029bd905eff997d380ba17c6bf003cce74848d7156f71`
SHA3	`4b7deee66746a5e9475956fc3c707ff67b30759db49fbbbd354c7d9c9b831de3`

9

Type	`RT_STRING`
Language	English - United States
Codepage	Latin 1 / Western European
Size	`0x10b9c`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`7.99562`
MD5	`912f5c398a63be98a35c76f60d767461`
SHA1	`ae5a854f7c78a6e9bf15daa129877e299dcafdca`
SHA256	`6c997d60528302bf6f75a2fc953a22ff600a35e08fa938108195b74091ddd34e`
SHA3	`84439ca7d046765c8239fe10252a84afdf0a871094d2c817c2f21c9b68c5728e`

Version Info

TLS Callbacks

Load Configuration

RICH Header

XOR Key	`0x761aa3aa`
Unmarked objects	`0`
ASM objects (VS2008 SP1 build 30729)	`4`
C objects (VS2013 UPD5 build 40629)	`6`
ASM objects (VS2013 UPD5 build 40629)	`1`
Imports (VS2008 SP1 build 30729)	`27`
Total imports	`215`
175 (VS2010 SP1 build 40219)	`29`
Exports (VS2010 SP1 build 40219)	`1`
Linker (VS2010 SP1 build 40219)	`1`

Errors

[*] Warning: Couldn't convert a string from a RT_STRING resource to UTF-8!
[*] Warning: Couldn't convert a string from a RT_STRING resource to UTF-8!
[*] Warning: Couldn't convert a string from a RT_STRING resource to UTF-8!
[*] Warning: Couldn't convert a string from a RT_STRING resource to UTF-8!
[*] Warning: Couldn't convert a string from a RT_STRING resource to UTF-8!
[*] Warning: Couldn't convert a string from a RT_STRING resource to UTF-8!
[*] Warning: Couldn't convert a string from a RT_STRING resource to UTF-8!
[*] Warning: Couldn't convert a string from a RT_STRING resource to UTF-8!
[*] Warning: Couldn't convert a string from a RT_STRING resource to UTF-8!
[*] Warning: Couldn't convert a string from a RT_STRING resource to UTF-8!
[*] Warning: Couldn't convert a string from a RT_STRING resource to UTF-8!
[*] Warning: Couldn't convert a string from a RT_STRING resource to UTF-8!
[*] Warning: Couldn't convert a string from a RT_STRING resource to UTF-8!
[*] Warning: Couldn't convert a string from a RT_STRING resource to UTF-8!
[*] Warning: Couldn't convert a string from a RT_STRING resource to UTF-8!
[*] Warning: Couldn't convert a string from a RT_STRING resource to UTF-8!
[*] Warning: Couldn't convert a string from a RT_STRING resource to UTF-8!
[*] Warning: Couldn't convert a string from a RT_STRING resource to UTF-8!
[*] Warning: Couldn't convert a string from a RT_STRING resource to UTF-8!