Manalyze report for 1f0a89360bb9471af8b2b1136eafd65f

Summary

Architecture	`IMAGE_FILE_MACHINE_AMD64`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_CUI`
Compilation Date	2021-Aug-19 21:26:57
Detected languages	English - United States

Plugin Output

Info	Cryptographic algorithms detected in the binary:	`Uses constants related to SHA1` `Uses constants related to SHA256`
Suspicious	The PE is packed with UPX	`Unusual section name found: UPX0` `Section UPX0 is both writable and executable.` `Unusual section name found: UPX1` `Section UPX1 is both writable and executable.` `The PE only has 8 import(s).`
Malicious	The PE contains functions mostly used by malware.	`[!] The program may be hiding some of its imports: LoadLibraryA GetProcAddress` `Functions related to the privilege level: OpenProcessToken`
Malicious	VirusTotal score: 54/68 (Scanned on 2021-10-29 10:15:42)	`Lionic: Trojan.Win32.Crypren.j!c` `Cynet: Malicious (score: 100)` `CAT-QuickHeal: Trojan.Win32` `McAfee: Ransom-lockfile.a` `Malwarebytes: Ransom.Crysis` `Zillya: Trojan.Generic.Win32.1565894` `Sangfor: Suspicious.Win32.Save.a` `CrowdStrike: win/malicious_confidence_100% (W)` `Alibaba: RiskWare:Win32/LockFile.87e752f2` `K7GW: Trojan ( 005814c51 )` `K7AntiVirus: Trojan ( 005814c51 )` `Cyren: W64/Trojan2.QYEB` `Symantec: Ransom.Lockfile!gm1` `ESET-NOD32: a variant of Win64/Filecoder.LockFile.A` `APEX: Malicious` `Avast: Win64:MalwareX-gen [Trj]` `Kaspersky: Trojan-Ransom.Win32.GenericCryptor.lii` `BitDefender: Trojan.GenericKD.37463406` `NANO-Antivirus: Trojan.Win64.GenericCryptor.iztztz` `ViRobot: Trojan.Win64.S.Ransom.256000` `MicroWorld-eScan: Trojan.GenericKD.37463406` `Tencent: Win32.Trojan.Genericcryptor.Dyqs` `Ad-Aware: Trojan.GenericKD.37463406` `Sophos: Mal/Generic-R + Troj/Ransom-GJQ` `Comodo: Malware@#lkppoo1x2f1q` `DrWeb: Trojan.Encoder.34299` `TrendMicro: Ransom.Win64.LOCKFILE.B` `McAfee-GW-Edition: BehavesLike.Win64.Dropper.dc` `FireEye: Generic.mg.1f0a89360bb9471a` `Emsisoft: Trojan.GenericKD.37463406 (B)` `Ikarus: Trojan-Ransom.Lockfile` `GData: Trojan.GenericKD.37463406` `Jiangmin: Trojan.GenericCryptor.gn` `Avira: HEUR/AGEN.1140227` `Antiy-AVL: Trojan/Generic.ASMalwS.3487A0B` `Kingsoft: Win32.Troj.Undef.(kcloud)` `Gridinsoft: Ransom.Win64.Gen.sa` `Arcabit: Trojan.Generic.D23BA56E` `ZoneAlarm: Trojan-Ransom.Win32.GenericCryptor.lii` `Microsoft: Trojan:MSIL/Cryptor` `TACHYON: Ransom/W64.LockFile.830464` `AhnLab-V3: Ransomware/Win.LOCKFILE.C4607022` `ALYac: Trojan.Ransom.Filecoder` `MAX: malware (ai score=85)` `VBA32: TrojanRansom.Crypren` `Cylance: Unsafe` `TrendMicro-HouseCall: Ransom.Win64.LOCKFILE.B` `Yandex: Trojan.AgentCryptor!hBE+7jLrfe4` `SentinelOne: Static AI - Suspicious PE` `MaxSecure: Trojan.Malware.300983.susgen` `Fortinet: W64/Lockfile.D65F!tr.ransom` `Webroot: W32.Ransomware.Lockfile` `AVG: Win64:MalwareX-gen [Trj]` `Cybereason: malicious.2ff31c`

Hashes

MD5	`1f0a89360bb9471af8b2b1136eafd65f`
SHA1	`a7bd3592ff31c5c659cda9810936ddce842d6590`
SHA256	`2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a`
SHA3	`7dbd7a422b9b4b3a8b1bc923154dd785f20af1520bff9c840f700368662fea2a`
SSDeep	`6144:bAr3VCaIjpP65V3Q400RwDym6flM5OPh2r:bAr3VCMP00RwDymd5Uh2r`
Imports Hash	`07a0cdd4807510f9323ce2fd61059e50`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0x118`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_AMD64`
NumberofSections	`3`
TimeDateStamp	2021-Aug-19 21:26:57
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xf0`
Characteristics	`IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LARGE_ADDRESS_AWARE`

Image Optional Header

Magic	`PE32+`
LinkerVersion	`14.0`
SizeOfCode	`0x3e000`
SizeOfInitializedData	`0x1000`
SizeOfUninitializedData	`0x99000`
AddressOfEntryPoint	`0x00000000000D7A90 (Section: UPX1)`
BaseOfCode	`0x9a000`
ImageBase	`0x140000000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`5.2`
ImageVersion	`0.0`
SubsystemVersion	`5.2`
Win32VersionValue	`0`
SizeOfImage	`0xd9000`
SizeOfHeaders	`0x1000`
Checksum	`0`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_CUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` `IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA` `IMAGE_DLLCHARACTERISTICS_NX_COMPAT` `IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

UPX0

MD5	`d41d8cd98f00b204e9800998ecf8427e`
SHA1	`da39a3ee5e6b4b0d3255bfef95601890afd80709`
SHA256	`e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`
SHA3	`a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a`
VirtualSize	`0x99000`
VirtualAddress	`0x1000`
SizeOfRawData	`0`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_UNINITIALIZED_DATA` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`

UPX1

MD5	`756ed749f56a8d69d758652cf52151d6`
SHA1	`e32029900c10dd2d25ca7cebef39c6decbf4a400`
SHA256	`0383436aae33474c9d9bb413bf7a4987b2efa1b49e48d37ddb1bf8232a30333d`
SHA3	`bc244f42ab103a4d3324263421099fdcced14dd334367fcd8f912f6cee611dc8`
VirtualSize	`0x3e000`
VirtualAddress	`0x9a000`
SizeOfRawData	`0x3e000`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`7.9234`

.rsrc

MD5	`3b0997948af4a7a7a06225e685843524`
SHA1	`300fc2e816b0a1c871cda0abf95d243cd6bc02b0`
SHA256	`b7c524797c0cde7e3f9315a52558a17bd40d881f0c385c5462b3a8be0c6f6074`
SHA3	`c6200ac9c1005c718548dc8b90e456dd33b79fef16aed774073d54f17cc3ff1f`
VirtualSize	`0x1000`
VirtualAddress	`0xd8000`
SizeOfRawData	`0x400`
PointerToRawData	`0x3e400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`4.68615`

Imports

ADVAPI32.dll	`OpenProcessToken`
KERNEL32.DLL	`LoadLibraryA` `ExitProcess` `GetProcAddress` `VirtualProtect`
USER32.dll	`wsprintfA`
USERENV.dll	`CreateEnvironmentBlock`
WTSAPI32.dll	`WTSQueryUserToken`

Delayed Imports

1

Type	`RT_MANIFEST`
Language	English - United States
Codepage	UNKNOWN
Size	`0x17d`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`4.91161`
MD5	`1e4a89b11eae0fcf8bb5fdd5ec3b6f61`
SHA1	`4260284ce14278c397aaf6f389c1609b0ab0ce51`
SHA256	`4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df`
SHA3	`4bb9e8b5a714cae82782f3831cc2d45f4bf4a50a755fe584d2d1893129d68353`

Version Info

TLS Callbacks

Load Configuration

Size	`0x138`
TimeDateStamp	`1970-Jan-01 00:00:00`
Version	`0.0`
GlobalFlagsClear	`(EMPTY)`
GlobalFlagsSet	`(EMPTY)`
CriticalSectionDefaultTimeout	`0`
DeCommitFreeBlockThreshold	`0`
DeCommitTotalFreeThreshold	`0`
LockPrefixTable	`0`
MaximumAllocationSize	`0`
VirtualMemoryThreshold	`0`
ProcessAffinityMask	`0`
ProcessHeapFlags	`(EMPTY)`
CSDVersion	`0`
Reserved1	`0`
EditList	`0`
SecurityCookie	`0x1400881a8`

RICH Header

XOR Key	`0x48225b0f`
Unmarked objects	`0`
241 (40116)	`12`
243 (40116)	`152`
242 (40116)	`25`
253 (28518)	`1`
C objects (30034)	`18`
ASM objects (30034)	`10`
C++ objects (30038)	`39`
ASM objects (30038)	`1`
C++ objects (30034)	`87`
Imports (VS2008 SP1 build 30729)	`13`
Total imports	`176`
265 (30038)	`2`
Resource objects (30038)	`1`
Linker (30038)	`1`

Errors

[!] Error: Could not reach the TLS callback table.
[*] Warning: Section UPX0 has a size of 0!