Manalyze report for 2cc630e080bb8de5faf9f5ae87f43f8b

Summary

Architecture	`IMAGE_FILE_MACHINE_I386`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	2021-May-04 20:37:40

Plugin Output

Info	Matching compiler(s):	`Microsoft Visual C++ 6.0 - 8.0`
Suspicious	The PE contains functions most legitimate programs don't use.	`[!] The program may be hiding some of its imports: LoadLibraryA GetProcAddress LoadLibraryExW` `Possibly launches other programs: WinExec` `Leverages the raw socket API to access the Internet: inet_addr`
Malicious	VirusTotal score: 57/68 (Scanned on 2021-09-10 05:15:34)	`Bkav: W32.AIDetect.malware2` `Lionic: Trojan.Win32.Ryuk.4!c` `Elastic: malicious (high confidence)` `MicroWorld-eScan: Gen:Variant.Mikey.118406` `FireEye: Generic.mg.2cc630e080bb8de5` `ALYac: Trojan.Ransom.Ryuk` `Cylance: Unsafe` `Zillya: Trojan.Filecoder.Win32.19291` `Sangfor: Suspicious.Win32.Save.a` `K7AntiVirus: Trojan ( 0057b87f1 )` `Alibaba: Ransom:Win32/Redcap.9516f4b4` `K7GW: Trojan ( 0057b87f1 )` `Cybereason: malicious.080bb8` `BitDefenderTheta: Gen:NN.ZexaF.34142.iqW@aSPMYel` `Cyren: W32/Ryuk.B.gen!Eldorado` `ESET-NOD32: a variant of Win32/Filecoder.Ryuk.L` `TrendMicro-HouseCall: Ransom.Win32.RYUK.SMYAAL-A` `Paloalto: generic.ml` `ClamAV: Win.Ransomware.Ryuk-9852766-0` `Kaspersky: HEUR:Trojan-Ransom.Win32.Agent.gen` `BitDefender: Gen:Variant.Mikey.118406` `NANO-Antivirus: Trojan.Win32.Redcap.ivvxah` `Avast: Win32:Ryuk-A [Trj]` `Tencent: Win32.Trojan.Agent.Huzu` `Ad-Aware: Gen:Variant.Mikey.118406` `Emsisoft: Gen:Variant.Mikey.118406 (B)` `DrWeb: Trojan.Encoder.30550` `VIPRE: Trojan.Win32.Generic!BT` `TrendMicro: Ransom.Win32.RYUK.SMYAAL-A` `McAfee-GW-Edition: Ransom-Ryuk!2CC630E080BB` `Sophos: Mal/Generic-R + Troj/Ryuk-BK` `APEX: Malicious` `GData: Gen:Variant.Mikey.118406` `Avira: TR/Redcap.nbsgx` `MAX: malware (ai score=100)` `Antiy-AVL: Trojan/Generic.ASMalwS.3345CC1` `Kingsoft: Win32.Heur.KVMH008.a.(kcloud)` `Gridinsoft: Ransom.Win32.Ransom.oa!s1` `ViRobot: Trojan.Win32.Ransom.134144.F` `ZoneAlarm: HEUR:Trojan-Ransom.Win32.Agent.gen` `Microsoft: Ransom:Win32/Ruyk.A!ibt` `Cynet: Malicious (score: 100)` `AhnLab-V3: Trojan/Win.Ryukran.R374607` `McAfee: Ransom-Ryuk!2CC630E080BB` `TACHYON: Ransom/W32.Ryuk.134144` `VBA32: Trojan.Encoder` `Malwarebytes: Ransom.Ryuk` `Ikarus: Trojan-Ransom.Ryuk` `Rising: Ransom.Ryuk!1.D4D2 (CLASSIC)` `Yandex: Trojan.Filecoder!4OwJKOqrOrk` `SentinelOne: Static AI - Malicious PE` `eGambit: Unsafe.AI_Score_99%` `Fortinet: W32/Ryuk.L!tr.ransom` `Webroot: W32.Malware.Gen` `AVG: Win32:Ryuk-A [Trj]` `Panda: Trj/GdSda.A` `CrowdStrike: win/malicious_confidence_100% (W)`

Hashes

MD5	`2cc630e080bb8de5faf9f5ae87f43f8b`
SHA1	`5a385b8b4b88b6eb93b771b7fbbe190789ef396a`
SHA256	`d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9`
SHA3	`c2f2f6411f21e9cfafe3af938d49ae84832665dc3b3133a75c05955e28e28dd4`
SSDeep	`3072:j06qm9E8obCg2QdgYdrp23suV+eGg21Yg:j06qHnOg3df9eAJ`
Imports Hash	`972d4cfc7d71d3451543278d1175c96c`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0xf0`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_I386`
NumberofSections	`4`
TimeDateStamp	2021-May-04 20:37:40
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xe0`
Characteristics	`IMAGE_FILE_32BIT_MACHINE` `IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_RELOCS_STRIPPED`

Image Optional Header

Magic	`PE32`
LinkerVersion	`14.0`
SizeOfCode	`0x16c00`
SizeOfInitializedData	`0x11e00`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x0000D023 (Section: .text)`
BaseOfCode	`0x1000`
BaseOfData	`0x18000`
ImageBase	`0x35000000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`5.1`
ImageVersion	`0.0`
SubsystemVersion	`5.1`
Win32VersionValue	`0`
SizeOfImage	`0x2c000`
SizeOfHeaders	`0x400`
Checksum	`0`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_NX_COMPAT` `IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`360e615917d67bdbc9521cf9b0b7169a`
SHA1	`eabc3f8a67e60af6df2ea9c2d0ddc11bf07e48b9`
SHA256	`81be3a17198316b0f79a14ca75efcb50a6f7e8b115f767551491935b1626d760`
SHA3	`f4ce0d5218bc992081dbb644c323797ad9820bd3d946b8a8d72ce3a0ab72e2c8`
VirtualSize	`0x16b77`
VirtualAddress	`0x1000`
SizeOfRawData	`0x16c00`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.53054`

.rdata

MD5	`242e69a5be2512eb16ca6ba62f4a793b`
SHA1	`e7fb215962bd20dd511c0e39bb4f7b6097357238`
SHA256	`000da21c831bcdaa8de9e458feecd7b536a4efac34ba130e1f6216ea25b3fc59`
SHA3	`77c02ebc157162000358ae83d0b80fbc52e5b847c0e0b725e9c75f5a01c5de8f`
VirtualSize	`0x596a`
VirtualAddress	`0x18000`
SizeOfRawData	`0x5a00`
PointerToRawData	`0x17000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`5.01935`

.data

MD5	`0ad7f0463a4d72aef5c6c2f0802b6ffd`
SHA1	`98d43d598665a62a342cb8ba2aba991c66a2f429`
SHA256	`b0f07810de413d2d82db0cd5b460195cb44f9ddf304366ea0be017084b0d45e8`
SHA3	`5e9dc0b645f49c01828d240431ad8f52ea538444988a08fe4653d1af0d0d9189`
VirtualSize	`0xc12c`
VirtualAddress	`0x1e000`
SizeOfRawData	`0x4000`
PointerToRawData	`0x1ca00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`4.74197`

.gfids

MD5	`fa7e07e931451c3b7f0937b6e7b17ab1`
SHA1	`8a567b3932180c5b62b6dc2b4b1f92ea0f4269cb`
SHA256	`0ba7f5b6650dac00f787a26665e31924a3746b1bbdbfb8be8144fcb355f577f0`
SHA3	`55484a1cb6dcc2e99456404b66da265910423e177d98d414d5ab1b7dfe8b01b6`
VirtualSize	`0xac`
VirtualAddress	`0x2b000`
SizeOfRawData	`0x200`
PointerToRawData	`0x20a00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`1.61964`

Imports

KERNEL32.dll	`GetCurrentProcess` `CreateThread` `GetCurrentThread` `GetLastError` `SetLastError` `WaitForMultipleObjects` `Sleep` `SetEndOfFile` `VirtualFree` `WinExec` `GetLocalTime` `GetTickCount` `CreateMutexW` `LoadLibraryA` `GetModuleFileNameW` `GetSystemDirectoryA` `GetFileAttributesW` `CloseHandle` `GetProcAddress` `CreateFileW` `DecodePointer` `QueryPerformanceCounter` `GetCurrentProcessId` `GetCurrentThreadId` `GetSystemTimeAsFileTime` `InitializeSListHead` `IsDebuggerPresent` `UnhandledExceptionFilter` `SetUnhandledExceptionFilter` `GetStartupInfoW` `IsProcessorFeaturePresent` `GetModuleHandleW` `TerminateProcess` `RtlUnwind` `EnterCriticalSection` `LeaveCriticalSection` `DeleteCriticalSection` `InitializeCriticalSectionAndSpinCount` `TlsAlloc` `TlsGetValue` `TlsSetValue` `TlsFree` `FreeLibrary` `LoadLibraryExW` `ExitProcess` `GetModuleHandleExW` `GetStdHandle` `WriteFile` `MultiByteToWideChar` `WideCharToMultiByte` `GetACP` `HeapFree` `HeapAlloc` `LCMapStringW` `GetStringTypeW` `FindClose` `FindFirstFileExW` `FindNextFileW` `IsValidCodePage` `GetOEMCP` `GetCPInfo` `GetCommandLineA` `GetCommandLineW` `GetEnvironmentStringsW` `FreeEnvironmentStringsW` `SetStdHandle` `GetFileType` `GetProcessHeap` `HeapSize` `HeapReAlloc` `FlushFileBuffers` `GetConsoleCP` `GetConsoleMode` `SetFilePointerEx` `WriteConsoleW` `RaiseException`
ADVAPI32.dll	`GetUserNameW`
WS2_32.dll	`inet_addr`

Delayed Imports

Version Info

IMAGE_DEBUG_TYPE_POGO

Characteristics	`0`
TimeDateStamp	2021-May-04 20:37:40
Version	`0.0`
SizeofData	`656`
AddressOfRawData	`0x1cc2c`
PointerToRawData	`0x1bc2c`

IMAGE_DEBUG_TYPE_ILTCG

Characteristics	`0`
TimeDateStamp	2021-May-04 20:37:40
Version	`0.0`
SizeofData	`0`
AddressOfRawData	`0`
PointerToRawData	`0`

TLS Callbacks

Load Configuration

Size	`0x5c`
TimeDateStamp	`1970-Jan-01 00:00:00`
Version	`0.0`
GlobalFlagsClear	`(EMPTY)`
GlobalFlagsSet	`(EMPTY)`
CriticalSectionDefaultTimeout	`0`
DeCommitFreeBlockThreshold	`0`
DeCommitTotalFreeThreshold	`0`
LockPrefixTable	`0`
MaximumAllocationSize	`0`
VirtualMemoryThreshold	`0`
ProcessAffinityMask	`0`
ProcessHeapFlags	`(EMPTY)`
CSDVersion	`0`
Reserved1	`0`
EditList	`0`
SecurityCookie	`0x350216d8`
SEHandlerTable	`0x3501cc20`
SEHandlerCount	`3`

RICH Header

XOR Key	`0xe7a66ab5`
Unmarked objects	`0`
241 (40116)	`9`
243 (40116)	`121`
242 (40116)	`24`
ASM objects (24237)	`19`
C++ objects (24237)	`29`
C objects (24237)	`18`
Imports (VS2008 SP1 build 30729)	`7`
Total imports	`99`
C++ objects (24245)	`2`
Linker (24245)	`1`

2cc630e080bb8de5faf9f5ae87f43f8b

Summary

Plugin Output

Hashes

DOS Header

PE Header

Image Optional Header

.text

.rdata

.data

.gfids

Imports

Delayed Imports

Version Info

IMAGE_DEBUG_TYPE_POGO

IMAGE_DEBUG_TYPE_ILTCG

TLS Callbacks

Load Configuration

RICH Header

Errors