Summary field | Value |
---|---|
Architecture | IMAGE_FILE_MACHINE_I386 |
Subsystem | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date | 2021-May-04 20:37:40 |
Info | Matching compiler(s): Microsoft Visual C++ 6.0 - 8.0 (signature-based guess only; the LinkerVersion of 14.0 in the optional header below corresponds to Visual Studio 2015, so this match should be treated as unreliable) |
Suspicious | The PE contains functions most legitimate programs don't use. [!] The program may be hiding some of its imports: |
Malicious | VirusTotal score: 57/68 (Scanned on 2021-09-10 05:15:34) |

VirusTotal engine | Detection |
---|---|
Bkav | W32.AIDetect.malware2 |
Lionic | Trojan.Win32.Ryuk.4!c |
Elastic | malicious (high confidence) |
MicroWorld-eScan | Gen:Variant.Mikey.118406 |
FireEye | Generic.mg.2cc630e080bb8de5 |
ALYac | Trojan.Ransom.Ryuk |
Cylance | Unsafe |
Zillya | Trojan.Filecoder.Win32.19291 |
Sangfor | Suspicious.Win32.Save.a |
K7AntiVirus | Trojan ( 0057b87f1 ) |
Alibaba | Ransom:Win32/Redcap.9516f4b4 |
K7GW | Trojan ( 0057b87f1 ) |
Cybereason | malicious.080bb8 |
BitDefenderTheta | Gen:NN.ZexaF.34142.iqW@aSPMYel |
Cyren | W32/Ryuk.B.gen!Eldorado |
ESET-NOD32 | a variant of Win32/Filecoder.Ryuk.L |
TrendMicro-HouseCall | Ransom.Win32.RYUK.SMYAAL-A |
Paloalto | generic.ml |
ClamAV | Win.Ransomware.Ryuk-9852766-0 |
Kaspersky | HEUR:Trojan-Ransom.Win32.Agent.gen |
BitDefender | Gen:Variant.Mikey.118406 |
NANO-Antivirus | Trojan.Win32.Redcap.ivvxah |
Avast | Win32:Ryuk-A [Trj] |
Tencent | Win32.Trojan.Agent.Huzu |
Ad-Aware | Gen:Variant.Mikey.118406 |
Emsisoft | Gen:Variant.Mikey.118406 (B) |
DrWeb | Trojan.Encoder.30550 |
VIPRE | Trojan.Win32.Generic!BT |
TrendMicro | Ransom.Win32.RYUK.SMYAAL-A |
McAfee-GW-Edition | Ransom-Ryuk!2CC630E080BB |
Sophos | Mal/Generic-R + Troj/Ryuk-BK |
APEX | Malicious |
GData | Gen:Variant.Mikey.118406 |
Avira | TR/Redcap.nbsgx |
MAX | malware (ai score=100) |
Antiy-AVL | Trojan/Generic.ASMalwS.3345CC1 |
Kingsoft | Win32.Heur.KVMH008.a.(kcloud) |
Gridinsoft | Ransom.Win32.Ransom.oa!s1 |
ViRobot | Trojan.Win32.Ransom.134144.F |
ZoneAlarm | HEUR:Trojan-Ransom.Win32.Agent.gen |
Microsoft | Ransom:Win32/Ruyk.A!ibt |
Cynet | Malicious (score: 100) |
AhnLab-V3 | Trojan/Win.Ryukran.R374607 |
McAfee | Ransom-Ryuk!2CC630E080BB |
TACHYON | Ransom/W32.Ryuk.134144 |
VBA32 | Trojan.Encoder |
Malwarebytes | Ransom.Ryuk |
Ikarus | Trojan-Ransom.Ryuk |
Rising | Ransom.Ryuk!1.D4D2 (CLASSIC) |
Yandex | Trojan.Filecoder!4OwJKOqrOrk |
SentinelOne | Static AI - Malicious PE |
eGambit | Unsafe.AI_Score_99% |
Fortinet | W32/Ryuk.L!tr.ransom |
Webroot | W32.Malware.Gen |
AVG | Win32:Ryuk-A [Trj] |
Panda | Trj/GdSda.A |
CrowdStrike | win/malicious_confidence_100% (W) |
DOS header field | Value |
---|---|
e_magic | MZ |
e_cblp | 0x90 |
e_cp | 0x3 |
e_crlc | 0 |
e_cparhdr | 0x4 |
e_minalloc | 0 |
e_maxalloc | 0xffff |
e_ss | 0 |
e_sp | 0xb8 |
e_csum | 0 |
e_ip | 0 |
e_cs | 0 |
e_ovno | 0 |
e_oemid | 0 |
e_oeminfo | 0 |
e_lfanew | 0xf0 |
PE header field | Value |
---|---|
Signature | PE |
Machine | IMAGE_FILE_MACHINE_I386 |
NumberofSections | 4 |
TimeDateStamp | 2021-May-04 20:37:40 |
PointerToSymbolTable | 0 |
NumberOfSymbols | 0 |
SizeOfOptionalHeader | 0xe0 |
Characteristics | IMAGE_FILE_32BIT_MACHINE, IMAGE_FILE_EXECUTABLE_IMAGE, IMAGE_FILE_RELOCS_STRIPPED |
Optional header field | Value |
---|---|
Magic | PE32 |
LinkerVersion | 14.0 |
SizeOfCode | 0x16c00 |
SizeOfInitializedData | 0x11e00 |
SizeOfUninitializedData | 0 |
AddressOfEntryPoint | 0x0000D023 (Section: .text) |
BaseOfCode | 0x1000 |
BaseOfData | 0x18000 |
ImageBase | 0x35000000 |
SectionAlignment | 0x1000 |
FileAlignment | 0x200 |
OperatingSystemVersion | 5.1 |
ImageVersion | 0.0 |
SubsystemVersion | 5.1 |
Win32VersionValue | 0 |
SizeOfImage | 0x2c000 |
SizeOfHeaders | 0x400 |
Checksum | 0 |
Subsystem | IMAGE_SUBSYSTEM_WINDOWS_GUI |
DllCharacteristics | IMAGE_DLLCHARACTERISTICS_NX_COMPAT, IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE |
SizeofStackReserve | 0x100000 |
SizeofStackCommit | 0x1000 |
SizeofHeapReserve | 0x100000 |
SizeofHeapCommit | 0x1000 |
LoaderFlags | 0 |
NumberOfRvaAndSizes | 16 |
Imported DLL | Functions |
---|---|
KERNEL32.dll | GetCurrentProcess, CreateThread, GetCurrentThread, GetLastError, SetLastError, WaitForMultipleObjects, Sleep, SetEndOfFile, VirtualFree, WinExec, GetLocalTime, GetTickCount, CreateMutexW, LoadLibraryA, GetModuleFileNameW, GetSystemDirectoryA, GetFileAttributesW, CloseHandle, GetProcAddress, CreateFileW, DecodePointer, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, IsProcessorFeaturePresent, GetModuleHandleW, TerminateProcess, RtlUnwind, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, LoadLibraryExW, ExitProcess, GetModuleHandleExW, GetStdHandle, WriteFile, MultiByteToWideChar, WideCharToMultiByte, GetACP, HeapFree, HeapAlloc, LCMapStringW, GetStringTypeW, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetStdHandle, GetFileType, GetProcessHeap, HeapSize, HeapReAlloc, FlushFileBuffers, GetConsoleCP, GetConsoleMode, SetFilePointerEx, WriteConsoleW, RaiseException |
ADVAPI32.dll | GetUserNameW |
WS2_32.dll | inet_addr |
Debug directory entry 1 | Value |
---|---|
Characteristics | 0 |
TimeDateStamp | 2021-May-04 20:37:40 |
Version | 0.0 |
SizeofData | 656 |
AddressOfRawData | 0x1cc2c |
PointerToRawData | 0x1bc2c |

Debug directory entry 2 | Value |
---|---|
Characteristics | 0 |
TimeDateStamp | 2021-May-04 20:37:40 |
Version | 0.0 |
SizeofData | 0 |
AddressOfRawData | 0 |
PointerToRawData | 0 |
Load configuration field | Value |
---|---|
Size | 0x5c |
TimeDateStamp | 1970-Jan-01 00:00:00 |
Version | 0.0 |
GlobalFlagsClear | (EMPTY) |
GlobalFlagsSet | (EMPTY) |
CriticalSectionDefaultTimeout | 0 |
DeCommitFreeBlockThreshold | 0 |
DeCommitTotalFreeThreshold | 0 |
LockPrefixTable | 0 |
MaximumAllocationSize | 0 |
VirtualMemoryThreshold | 0 |
ProcessAffinityMask | 0 |
ProcessHeapFlags | (EMPTY) |
CSDVersion | 0 |
Reserved1 | 0 |
EditList | 0 |
SecurityCookie | 0x350216d8 |
SEHandlerTable | 0x3501cc20 |
SEHandlerCount | 3 |
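The optional header and the load configuration above carry the exploit-mitigation picture for this sample. IMAGE_DLLCHARACTERISTICS_NX_COMPAT is set, so DEP applies, but IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE is absent and IMAGE_FILE_RELOCS_STRIPPED is set, so the image always maps at ImageBase 0x35000000 with no ASLR; a non-zero SecurityCookie means the CRT /GS cookie is in use, a non-zero SEHandlerTable with SEHandlerCount 3 means SafeSEH is on, and IMAGE_DLLCHARACTERISTICS_GUARD_CF is not set, so Control Flow Guard is off whatever the Guard fields in the 0x5c-byte load configuration contain. The Python below is an added example, not Manalyze's code and nothing taken from the sample: it parses those structures with struct and derives the same verdict. build_sample() constructs a minimal PE32 image that mirrors the header values in the report (one .rdata section holding the load configuration, and e_lfanew 0x40 instead of the real 0xf0); it is not the real binary. The flag constants are the winnt.h values.

```python
import struct
from datetime import datetime, timezone

# Flag values from winnt.h
IMAGE_FILE_RELOCS_STRIPPED = 0x0001
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_32BIT_MACHINE = 0x0100
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100
IMAGE_DLLCHARACTERISTICS_GUARD_CF = 0x4000
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE = 0x8000
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG = 10

FILE_HDR_FMT = "<HHIIIHH"                      # IMAGE_FILE_HEADER, 20 bytes
OPT32_FMT = "<HBBIIIIIIIIIHHHHHHIIIIHHIIIIII"  # IMAGE_OPTIONAL_HEADER32 up to the data directories, 96 bytes
SECTION_FMT = "<8sIIIIIIHHI"                   # IMAGE_SECTION_HEADER, 40 bytes


def build_sample() -> bytes:
    """Constructed PE32 image mirroring the report's header values (not the real sample)."""
    ts = int(datetime(2021, 5, 4, 20, 37, 40, tzinfo=timezone.utc).timestamp())
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: NT headers directly after the DOS header
    file_hdr = struct.pack(FILE_HDR_FMT, 0x14C, 1, ts, 0, 0, 0xE0,
                           IMAGE_FILE_RELOCS_STRIPPED | IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_32BIT_MACHINE)
    opt = struct.pack(OPT32_FMT, 0x10B, 14, 0, 0x16C00, 0x11E00, 0, 0xD023, 0x1000, 0x18000,
                      0x35000000, 0x1000, 0x200, 5, 1, 0, 0, 5, 1, 0, 0x2C000, 0x400, 0,
                      2, IMAGE_DLLCHARACTERISTICS_NX_COMPAT | IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE,
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = [(0, 0)] * 16
    dirs[IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG] = (0x1000, 0x5C)  # RVA (assumed) and size from the report
    opt += b"".join(struct.pack("<II", rva, size) for rva, size in dirs)
    # One section, .rdata at RVA 0x1000 / raw offset 0x200, holding the load configuration
    sect = struct.pack(SECTION_FMT, b".rdata\0\0", 0x100, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x40000040)
    headers = bytes(dos) + b"PE\0\0" + file_hdr + opt + sect
    # IMAGE_LOAD_CONFIG_DIRECTORY32: 0x48 bytes through SEHandlerCount, 0x5C through GuardFlags
    loadcfg = struct.pack("<IIHH" + "I" * 10 + "HHIIII", 0x5C, 0, 0, 0, *([0] * 10), 0, 0, 0,
                          0x350216D8, 0x3501CC20, 3)  # SecurityCookie, SEHandlerTable, SEHandlerCount
    return headers.ljust(0x200, b"\0") + loadcfg.ljust(0x200, b"\0")  # Guard fields stay zero


def rva_to_offset(sections, rva: int) -> int:
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError(f"RVA {rva:#x} is not backed by any section")


def analyze(data: bytes) -> dict:
    """Parse the headers and report the mitigation flags the way the tables above present them."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsections, ts, _, _, opt_size, chars = struct.unpack_from(FILE_HDR_FMT, data, e_lfanew + 4)
    opt_off = e_lfanew + 24
    opt = struct.unpack_from(OPT32_FMT, data, opt_off)
    if opt[0] != 0x10B:
        raise ValueError("only PE32 is handled here")
    image_base, dll_chars, ndirs = opt[9], opt[23], opt[29]
    dirs_off = opt_off + struct.calcsize(OPT32_FMT)
    dirs = [struct.unpack_from("<II", data, dirs_off + 8 * i) for i in range(ndirs)]
    sections = []
    for i in range(nsections):
        s = struct.unpack_from(SECTION_FMT, data, opt_off + opt_size + 40 * i)
        sections.append((s[2], s[1], s[4], s[3]))  # VirtualAddress, VirtualSize, PointerToRawData, SizeOfRawData

    cookie = seh_table = seh_count = 0
    if ndirs > IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG:
        lc_rva, lc_size = dirs[IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG]
        if lc_rva and lc_size >= 0x48:  # SecurityCookie/SEHandlerTable/SEHandlerCount live at 0x3C..0x47
            off = rva_to_offset(sections, lc_rva)
            cookie, seh_table, seh_count = struct.unpack_from("<III", data, off + 0x3C)

    relocs_stripped = bool(chars & IMAGE_FILE_RELOCS_STRIPPED)
    return {
        "machine": machine,
        "compile_time": datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%b-%d %H:%M:%S"),
        "image_base": image_base,
        "relocs_stripped": relocs_stripped,
        "dep": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        # ASLR needs both the opt-in bit and a relocation table the loader can apply
        "aslr": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE) and not relocs_stripped,
        "cfg": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_GUARD_CF),
        "gs_cookie": cookie != 0,
        "safeseh": seh_table != 0 and seh_count != 0,
    }


if __name__ == "__main__":
    for key, value in analyze(build_sample()).items():
        print(key, hex(value) if isinstance(value, int) and not isinstance(value, bool) else value)
```

Running it against the constructed image yields dep True, aslr False, relocs_stripped True, safeseh True, gs_cookie True and cfg False, which is the same set of conclusions the tables support for the real sample; pointing analyze() at a real file only requires reading it into bytes.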
Rich header | Value |
---|---|
XOR Key | 0xe7a66ab5 |
Unmarked objects | 0 |
241 (40116) | 9 |
243 (40116) | 121 |
242 (40116) | 24 |
ASM objects (24237) | 19 |
C++ objects (24237) | 29 |
C objects (24237) | 18 |
Imports (VS2008 SP1 build 30729) | 7 |
Total imports | 99 |
C++ objects (24245) | 2 |
Linker (24245) | 1 |
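The Rich header the table above decodes sits between the DOS stub and the PE header and is the linker's undocumented record of which Microsoft tool builds produced the linked objects: a "DanS" marker, three padding dwords, then (product id << 16 | build, count) pairs, all XORed with the key, followed by the literal "Rich" and the key in clear. The key is a checksum the linker computes over the DOS header bytes (skipping e_lfanew) plus the rotated product ids, so a header whose stored key does not equal the recomputed checksum has been copied or forged, which is worth checking before using these entries for toolchain attribution. The Python below is an added example, not Manalyze's code: it encodes and decodes a Rich header with that checksum algorithm. build_rich_sample() constructs an MZ header, a stub and a Rich header containing the three numeric product entries from the table (241/242/243, build 40116); the named entries are left out because the page does not show their product ids, and the computed key differs from 0xe7a66ab5 because the real DOS stub is not on the page.

```python
import struct

DANS = 0x536E6144  # "DanS" read as a little-endian dword
RICH = 0x68636952  # "Rich"


def rol32(value: int, count: int) -> int:
    count &= 31
    return ((value << count) | (value >> (32 - count))) & 0xFFFFFFFF


def rich_checksum(prefix: bytes, entries) -> int:
    """Linker checksum that becomes the XOR key; prefix is every byte before the DanS marker."""
    csum = len(prefix)                 # the marker's own offset seeds the sum
    for i, b in enumerate(prefix):
        if 0x3C <= i < 0x40:           # e_lfanew is skipped: it is not final when the key is computed
            continue
        csum += rol32(b, i)
    for prod_id, build, count in entries:
        csum += rol32((prod_id << 16) | build, count)
    return csum & 0xFFFFFFFF


def build_rich_header(prefix: bytes, entries) -> bytes:
    key = rich_checksum(prefix, entries)
    words = [DANS ^ key, key, key, key]  # masked marker plus three padding dwords (0 ^ key)
    for prod_id, build, count in entries:
        words += [((prod_id << 16) | build) ^ key, count ^ key]
    words += [RICH, key]                 # "Rich" and the key are stored in clear
    return struct.pack("<%dI" % len(words), *words)


def parse_rich_header(data: bytes):
    """Locate, decode and validate the Rich header; returns None when there is none."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    rich_off = data.rfind(b"Rich", 0, e_lfanew)
    if rich_off < 0:
        return None
    key = struct.unpack_from("<I", data, rich_off + 4)[0]
    dans_off = rich_off - 4
    while dans_off >= 0 and struct.unpack_from("<I", data, dans_off)[0] ^ key != DANS:
        dans_off -= 4                    # walk back dword by dword to the masked marker
    if dans_off < 0:
        raise ValueError("Rich footer without a DanS marker")
    entries = []
    for pos in range(dans_off + 16, rich_off, 8):  # skip the marker and its 3 padding dwords
        comp_id, count = struct.unpack_from("<II", data, pos)
        comp_id ^= key
        entries.append((comp_id >> 16, comp_id & 0xFFFF, count ^ key))
    return {
        "offset": dans_off,
        "key": key,
        "entries": entries,
        # A stored key that differs from the recomputed checksum means the header was copied or forged
        "key_matches": rich_checksum(data[:dans_off], entries) == key,
    }


def build_rich_sample(tamper: bool = False) -> bytes:
    """Constructed MZ header + stub + Rich header with the numeric entries from the table (not the real sample)."""
    entries = [(241, 40116, 9), (243, 40116, 121), (242, 40116, 24)]
    dos = bytearray(b"MZ".ljust(64, b"\0"))
    stub = b"This program cannot be run in DOS mode.\r\n$".ljust(64, b"\0")
    rich = build_rich_header(bytes(dos) + stub, entries)  # e_lfanew bytes are excluded, so it may still be 0 here
    struct.pack_into("<I", dos, 0x3C, 64 + len(stub) + len(rich))
    image = bytes(dos) + stub + rich + b"PE\0\0"
    if tamper:
        image = image[:64] + b"X" + image[65:]  # alter one stub byte: the stored key no longer verifies
    return image


if __name__ == "__main__":
    print(parse_rich_header(build_rich_sample()))
    print("tampered key_matches:", parse_rich_header(build_rich_sample(tamper=True))["key_matches"])
```

The decoder deliberately trusts nothing but the "Rich" literal: it walks back to the marker using the stored key, decodes the pairs, then recomputes the checksum over the bytes in front of the marker. On a real file the prefix is the full DOS header plus stub up to the DanS offset, which is exactly what the linker hashed.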