3520dec68c0a8b28e7cf7b49e90a706e

Summary

Architecture IMAGE_FILE_MACHINE_I386
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date 1970-Jan-01 00:00:00

Plugin Output

Suspicious PEiD Signature: UPX V2.00-V2.90 -> Markus Oberhumer & Laszlo Molnar & John Reiser
UPX v2.0 -> Markus, Laszlo & Reiser (h)
UPX 2.00-3.0X -> Markus Oberhumer & Laszlo Molnar & John Reiser
UPX -> www.upx.sourceforge.net
UPX V2.00-V2.90 -> Markus Oberhumer & Laszlo Molnar & John Reiser
UPX 2.00-3.0X -> Markus Oberhumer & Laszlo Molnar & John Reiser
Info Cryptographic algorithms detected in the binary:
Uses constants related to MD5
Uses constants related to SHA256
Uses constants related to SHA512
Suspicious The PE is packed with UPX
Unusual section name found: UPX0
Section UPX0 is both writable and executable.
Unusual section name found: UPX1
Section UPX1 is both writable and executable.
Unusual section name found: UPX2
The PE only has 6 import(s).
Suspicious The PE contains functions most legitimate programs don't use. [!] The program may be hiding some of its imports:
  • LoadLibraryA
  • GetProcAddress
Leverages the raw socket API to access the Internet:
  • WSAGetOverlappedResult
Malicious The PE's digital signature is invalid.
Signer: Python Software Foundation
Issuer: DigiCert SHA2 Assured ID Code Signing CA
The file was modified after it was signed.
Malicious VirusTotal score: 31/69 (Scanned on 2019-03-18 04:07:28)
MicroWorld-eScan: Trojan.GenericKD.41122654
ALYac: Trojan.Ransom.GoldenAxe
Symantec: ML.Attribute.HighConfidence
ESET-NOD32: a variant of Generik.LTFDZY
Paloalto: generic.ml
Kaspersky: Trojan.Win32.DelShad.as
BitDefender: Trojan.GenericKD.41122654
Avast: Win32:Malware-gen
Rising: Trojan.DelShad!8.107D7 (CLOUD)
Ad-Aware: Trojan.GenericKD.41122654
Sophos: Mal/Generic-S
F-Secure: Trojan.TR/AD.RansomHeur.snani
Invincea: heuristic
McAfee-GW-Edition: Artemis!Trojan
Trapmine: malicious.moderate.ml.score
Emsisoft: Trojan.GenericKD.41122654 (B)
SentinelOne: DFI - Suspicious PE
Avira: TR/AD.RansomHeur.snani
Microsoft: Trojan:Win32/Zpevdo.B
AegisLab: Trojan.Win32.DelShad.4!c
ZoneAlarm: Trojan.Win32.DelShad.as
GData: Win32.Trojan.Agent.WQZKP4
McAfee: Artemis!3520DEC68C0A
MAX: malware (ai score=80)
Arcabit: Trojan.Generic.D2737B5E
Ikarus: Win32.Outbreak
eGambit: PE.Heur.InvalidSig
AVG: Win32:Malware-gen
Panda: Trj/Genetic.gen
CrowdStrike: win/malicious_confidence_80% (W)
Qihoo-360: Win32/Trojan.Ransom.1b4

Hashes

MD5 3520dec68c0a8b28e7cf7b49e90a706e
SHA1 9c2ad3d2983ce8a3cf49ab40cd539e94f9faf229
SHA256 c40ba66fd4c3061429b092d378da5f6a648edc38e8be83992fdb77fb6200dbe2
SHA3 fca17ca5c535de1bd006e02b542a038f4c957aa6d4097c2aa04479ac3d367a4d
SSDeep 49152:33hTo6mOhe/doE5WXzx1KPL7QxTg0RvQxt+S/n:nhTo6/EazeTE5g0Roxt/f
Imports Hash 406f4cbdf82bde91761650ca44a3831a

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0x4
e_cparhdr 0
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0x8b
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0x80

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_I386
NumberofSections 3
TimeDateStamp 1970-Jan-01 00:00:00
PointerToSymbolTable 0x446400
NumberOfSymbols 0
SizeOfOptionalHeader 0xe0
Characteristics IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DEBUG_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_RELOCS_STRIPPED

Image Optional Header

Magic PE32
LinkerVersion 3.0
SizeOfCode 0x19a000
SizeOfInitializedData 0x1000
SizeOfUninitializedData 0x2c7000
AddressOfEntryPoint 0x004617F0 (Section: UPX1)
BaseOfCode 0x2c8000
BaseOfData 0x462000
ImageBase 0x400000
SectionAlignment 0x1000
FileAlignment 0x200
OperatingSystemVersion 4.0
ImageVersion 1.0
SubsystemVersion 4.0
Win32VersionValue 0
SizeOfImage 0x463000
SizeOfHeaders 0x1000
Checksum 0
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
SizeofStackReserve 0x100000
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

UPX0

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA3 a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a
VirtualSize 0x2c7000
VirtualAddress 0x1000
SizeOfRawData 0
PointerToRawData 0x200
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

UPX1

MD5 39765515533e72e9ac159ec47e416841
SHA1 ce27f7f7f6b1e172e54efb838d59d0c181d63f57
SHA256 1c6fbd85e5e6945ad35ace6eb7e9396ddf115ab180bff2157753166973e2c759
SHA3 433fa50026e430ad0f0402f181eb053eb05c7bef14452d0ec56b1a00a918da23
VirtualSize 0x19a000
VirtualAddress 0x2c8000
SizeOfRawData 0x199a00
PointerToRawData 0x200
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 7.92199

UPX2

MD5 19158fcda7fcc8bdd3a0f41f9fc9373e
SHA1 1bc3d1262e02a631a82143a04334bff2bbd0c492
SHA256 fef34e7fa9508ae52618e270c1a07ec56cc1417d550687104ba5e15c79936786
SHA3 155aaf404d7f30939da9c0e08f8b2ed07c121e853fda670c615bd4bad49ff74d
VirtualSize 0x1000
VirtualAddress 0x462000
SizeOfRawData 0x200
PointerToRawData 0x199c00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 2.36796

Imports

KERNEL32.DLL LoadLibraryA
ExitProcess
GetProcAddress
VirtualProtect
winmm.dll timeEndPeriod
ws2_32.dll WSAGetOverlappedResult

Delayed Imports

Version Info

TLS Callbacks

Load Configuration

RICH Header

Errors

[*] Warning: Section UPX0 has a size of 0!