Manalyze report for 359a962f1be98d4c102745c07e7af0ae

Summary

Architecture	`IMAGE_FILE_MACHINE_I386`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	2017-Mar-02 23:49:06

Plugin Output

Info	Matching compiler(s):	`Microsoft Visual C++ 6.0 - 8.0` `Microsoft Visual C++` `Microsoft Visual C++ v6.0`
Suspicious	PEiD Signature:	`MoleBox v2.0`
Suspicious	The PE is packed or was manually edited.	`Unusual section name found: 0\x00ext` `Section 0\x00ext is both writable and executable.` `Unusual section name found: 1\x00data` `Section 1\x00data is both writable and executable.` `Unusual section name found: 2\x00ata` `Section 2\x00ata is both writable and executable.` `Unusual section name found: 3\x00ext` `Section 3\x00ext is both writable and executable.` `Unusual section name found: 4\x00data` `Section 4\x00data is both writable and executable.` `Unusual section name found: 5\x00ata` `Section 5\x00ata is both writable and executable.` `The number of imports reported in the RICH header is inconsistent.`
Suspicious	The PE contains functions most legitimate programs don't use.	`Manipulates other processes: WriteProcessMemory`
Malicious	VirusTotal score: 53/67 (Scanned on 2018-04-10 17:02:51)	`Bkav: W32.HfsAutoB.DA39` `MicroWorld-eScan: Trojan.GenericKD.12674841` `nProtect: Ransom/W32.Crusis.126464.G` `CAT-QuickHeal: Trojan.Zenshirsh.SL7` `ALYac: Trojan.Ransom.Crysis` `Cylance: Unsafe` `Zillya: Trojan.GenericKD.Win32.98038` `SUPERAntiSpyware: Ransom.Crysis/Variant` `TheHacker: W32/Behav-Heuristic-065` `K7GW: Trojan ( 00519f781 )` `K7AntiVirus: Trojan ( 00519f781 )` `Invincea: heuristic` `Cyren: W32/Trojan.ZYQF-5534` `Symantec: Ransom.Crysis` `TrendMicro-HouseCall: Ransom_WADHRAMA.N` `Paloalto: generic.ml` `ClamAV: Win.Trojan.Agent-6494854-0` `Kaspersky: Trojan-Ransom.Win32.Crusis.to` `BitDefender: Trojan.GenericKD.12674841` `NANO-Antivirus: Trojan.Win32.Crusis.evzldf` `Avast: FileRepMalware` `Tencent: Win32.Trojan.Raas.Auto` `Ad-Aware: Trojan.GenericKD.12674841` `Sophos: Mal/Generic-S` `DrWeb: Trojan.Encoder.3953` `VIPRE: Trojan.Win32.Generic!BT` `TrendMicro: Ransom_WADHRAMA.N` `McAfee-GW-Edition: BehavesLike.Win32.Generic.cc` `Emsisoft: Trojan.Agent (A)` `SentinelOne: static engine - malicious` `Jiangmin: Trojan.Crusis.mv` `Webroot: W32.Trojan.Gen` `Avira: TR/Crypt.XPACK.Gen` `Endgame: malicious (high confidence)` `Arcabit: Trojan.Generic.DC16719` `AegisLab: Troj.Ransom.W32!c` `ZoneAlarm: Trojan-Ransom.Win32.Crusis.to` `Microsoft: Ransom:Win32/Wadhrama` `AhnLab-V3: Trojan/Win32.Crysis.C2259351` `McAfee: Generic.cwi` `AVware: Trojan.Win32.Generic!BT` `MAX: malware (ai score=100)` `VBA32: TrojanRansom.Crusis` `ESET-NOD32: a variant of Win32/Filecoder.Crysis.P` `Rising: Trojan.Ransom.Crysis!1.A6AA (CLASSIC)` `Yandex: Trojan.Crusis!` `Ikarus: Trojan-Ransom.FileCoder` `GData: Trojan.GenericKD.12674841` `AVG: FileRepMalware` `Cybereason: malicious.f1be98` `Panda: Trj/GdSda.A` `CrowdStrike: malicious_confidence_90% (W)` `Qihoo-360: Win32/Trojan.Ransom.714`

Hashes

MD5	`359a962f1be98d4c102745c07e7af0ae`
SHA1	`40edd311a6b93b03eb42815c4d2cd870e3c5f0b1`
SHA256	`f252d80d6a976641dd4f9010fd1db6e097cd64a37533c6f962ede6a9161d0a82`
SHA3	`e299dd9bae90482498cd7ec84c5fd2d8878dd1c82b0cbfc36436d35382329bd7`
SSDeep	`3072:9c3hICiK1hbQm/RAANlq3yORwFg1s+KOD7xlCrHlAlt9W:oynK7ppNlqHRzC+KKlCpoW`
Imports Hash	`5d129c3b6a642d0c529630f62c156352`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0xc8`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_I386`
NumberofSections	`6`
TimeDateStamp	2017-Mar-02 23:49:06
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xe0`
Characteristics	`IMAGE_FILE_32BIT_MACHINE` `IMAGE_FILE_DEBUG_STRIPPED` `IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LINE_NUMS_STRIPPED` `IMAGE_FILE_LOCAL_SYMS_STRIPPED` `IMAGE_FILE_RELOCS_STRIPPED`

Image Optional Header

Magic	`PE32`
LinkerVersion	`6.0`
SizeOfCode	`0`
SizeOfInitializedData	`0x1ea00`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x0001AB23 (Section: 3\x00ext)`
BaseOfCode	`0x19000`
BaseOfData	`0xb000`
ImageBase	`0x400000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`5.1`
ImageVersion	`0.0`
SubsystemVersion	`5.1`
Win32VersionValue	`0`
SizeOfImage	`0x34000`
SizeOfHeaders	`0x400`
Checksum	`0`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_NO_SEH` `IMAGE_DLLCHARACTERISTICS_NX_COMPAT` `IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

0\x00ext

MD5	`85cd2ebe7db24ddf34da2b8adf85fd9d`
SHA1	`140446c732a6af9f33b7d3eb7c06899001a93416`
SHA256	`cc016db688e1913225766eac3a0fae8f6ecb3d0411d5a1913d2dce7c60bc3417`
SHA3	`f8cee020f7cfded7b76bb9c76b0fbe5ba8eae658253c897f5fef89ec831dae8d`
VirtualSize	`0x9c25`
VirtualAddress	`0x1000`
SizeOfRawData	`0x4a00`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`7.9803`

1\x00data

MD5	`480259fc3c64a2c52ac168816a0fd757`
SHA1	`702caab39fd88ad156f936da6407e01d6ba208d8`
SHA256	`3d68f123dff220132f1f384d09ab491506e42904638ae4d11f73eb5701c81eeb`
SHA3	`290aab3cf847d5b7d127423ffd2a836aaec29dd1fd2135443840c842aaf563f0`
VirtualSize	`0x2636`
VirtualAddress	`0xb000`
SizeOfRawData	`0x1c00`
PointerToRawData	`0x4e00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`7.97085`

2\x00ata

MD5	`7eab0b1e3490b87a609d998ece4ed6aa`
SHA1	`bb64513c7338ef10e0bfd8e93d3428e63172368b`
SHA256	`70be1669e234bbf74cff59ad0361277bb77cf16e8d9db490406b73bb95b028f9`
SHA3	`bf58435091f27c7551be1a69441496878e75c8f2dfc427c5c7c87f6866767cf7`
VirtualSize	`0xaad5`
VirtualAddress	`0xe000`
SizeOfRawData	`0xa800`
PointerToRawData	`0x6a00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`7.99402`

3\x00ext

MD5	`892800823cfb755d7aeafcad19040913`
SHA1	`d0e52f87d6ee2c6cbdf31d4a44647ab761a32753`
SHA256	`ae5c990ec0c38dcef8c502e300b5c7f62171a7203dcf6efc23646e1d41b6479e`
SHA3	`b26d726888d28ec37b01caf4b0b90a29488003be50135e6d64d08493fb874bb8`
VirtualSize	`0x1136f`
VirtualAddress	`0x19000`
SizeOfRawData	`0xb200`
PointerToRawData	`0x11200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`7.89145`

4\x00data

MD5	`cd1c3d2823ace388f5fd5fda62662591`
SHA1	`2f565a49a7810c41ca5fa6861e17bc093eb60ee7`
SHA256	`70fc2d86cd30f23d566005db71bec6f85c0e73a3fed1229ebd4eb2b4414c30c5`
SHA3	`dec7e0424a5ea9a0fcba25d38b769f3a32945e06951f0455e86a2e744d72cf1e`
VirtualSize	`0xd38`
VirtualAddress	`0x2b000`
SizeOfRawData	`0xe00`
PointerToRawData	`0x1c400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`4.42944`

5\x00ata

MD5	`c708e1fe015536b009900fb574ab046f`
SHA1	`4cd759f29251e9964a7565e561f5e9e1278688d3`
SHA256	`d8a5fbee5bacb17db476c91c656ad1d0c2a4afcacc9107b0d1b5348e43c0d25d`
SHA3	`3e8abe7173be9930caf1370d37de5d7ac23fe887cf87bae8fc1931e3b53af738`
VirtualSize	`0x70f0`
VirtualAddress	`0x2c000`
SizeOfRawData	`0x1c00`
PointerToRawData	`0x1d200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`7.97524`

Imports

KERNEL32.dll	`InitializeCriticalSection` `GetProcAddress` `LocalFree` `RaiseException` `LocalAlloc` `GetModuleHandleA` `LeaveCriticalSection` `EnterCriticalSection` `SearchPathA` `ResumeThread` `WriteProcessMemory` `GetPrivateProfileSectionA` `GetStringTypeA` `LCMapStringW` `LCMapStringA` `RtlUnwind` `WideCharToMultiByte` `MultiByteToWideChar` `GetStringTypeW`
USER32.dll	`DefWindowProcA` `AdjustWindowRectEx`

Delayed Imports

Version Info

TLS Callbacks

Load Configuration

RICH Header

XOR Key	`0x70f06a4`
Unmarked objects	`0`
Imports (VS2008 SP1 build 30729)	`3`
Total imports	`10`
174 (VS2010 SP1 build 40219)	`11`
Linker (VS2010 SP1 build 40219)	`1`

359a962f1be98d4c102745c07e7af0ae

Summary

Plugin Output

Hashes

DOS Header

PE Header

Image Optional Header

0\x00ext

1\x00data

2\x00ata

3\x00ext

4\x00data

5\x00ata

Imports

Delayed Imports

Version Info

TLS Callbacks

Load Configuration

RICH Header

Errors