3ba338d8ce6e68cbbde5c3c423c40bd4

Summary

Architecture IMAGE_FILE_MACHINE_AMD64
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date 2020-Jan-10 19:56:41

Plugin Output

Suspicious Strings found in the binary may indicate undesirable behavior:
Contains references to system / monitoring tools:
  • vssadmin.exe
May have dropper capabilities:
  • CurrentVersion\Run
Miscellaneous malware strings:
  • cmd.exe
Malicious The PE contains functions mostly used by malware.
[!] The program may be hiding some of its imports:
  • LoadLibraryA
  • GetProcAddress
  • LoadLibraryExW
Functions which can be used for anti-debugging purposes:
  • CreateToolhelp32Snapshot
Code injection capabilities:
  • WriteProcessMemory
  • CreateRemoteThread
  • OpenProcess
  • VirtualAllocEx
  • VirtualAlloc
Possibly launches other programs:
  • WinExec
  • ShellExecuteW
Can create temporary files:
  • GetTempPathW
  • CreateFileW
Leverages the raw socket API to access the Internet:
  • #23
  • #21
  • #20
  • #115
  • #8
  • #3
  • #2
  • #116
  • #9
  • #11
Functions related to the privilege level:
  • OpenProcessToken
  • AdjustTokenPrivileges
Interacts with services:
  • OpenSCManagerW
  • EnumServicesStatusW
Manipulates other processes:
  • WriteProcessMemory
  • Process32FirstW
  • Process32NextW
  • OpenProcess
Malicious VirusTotal score: 45/73 (Scanned on 2020-01-14 06:06:16)
MicroWorld-eScan: Generic.Ransom.Ryuk.6921BED2
FireEye: Generic.mg.3ba338d8ce6e68cb
McAfee: Ransom-Ryuk!3BA338D8CE6E
Cylance: Unsafe
Sangfor: Malware
Alibaba: Ransom:Win32/generic.ali2000010
K7GW: Trojan ( 00558f321 )
Cybereason: malicious.8ce6e6
Arcabit: Generic.Ransom.Ryuk.6921BED2
TrendMicro: Ransom.Win64.RYUK.SM
Symantec: Ransom.Ryuk
APEX: Malicious
Avast: Win64:RansomX-gen [Ransom]
ClamAV: Win.Ransomware.Generic-6545091-0
Kaspersky: HEUR:Backdoor.Win32.Androm.vho
BitDefender: Generic.Ransom.Ryuk.6921BED2
Paloalto: generic.ml
Rising: Ransom.Ryuk!1.B855 (CLOUD)
Ad-Aware: Generic.Ransom.Ryuk.6921BED2
Sophos: Troj/Ryuk-G
F-Secure: Heuristic.HEUR/AGEN.1043293
Invincea: heuristic
McAfee-GW-Edition: Ransom-Ryuk!3BA338D8CE6E
Fortinet: W64/Filecoder.AC!tr
Trapmine: malicious.high.ml.score
Emsisoft: Generic.Ransom.Ryuk.6921BED2 (B)
Webroot: W32.Trojan.Gen
Avira: HEUR/AGEN.1043293
MAX: malware (ai score=89)
Endgame: malicious (high confidence)
Microsoft: Ransom:Win64/Ryuk.PA!MTB
AegisLab: Trojan.Win32.Encoder.tqSm
ZoneAlarm: HEUR:Backdoor.Win32.Androm.vho
AhnLab-V3: Malware/Win64.Ransom.C3520810
Acronis: suspicious
ALYac: Generic.Ransom.Ryuk.6921BED2
Malwarebytes: Ransom.Ryuk
ESET-NOD32: a variant of Win64/Filecoder.Ryuk.E
TrendMicro-HouseCall: Ransom.Win64.RYUK.SM
Tencent: Win32.Backdoor.Androm.Lmut
Ikarus: Trojan-Ransom.Ryuk
GData: Generic.Ransom.Ryuk.6921BED2
AVG: Win64:RansomX-gen [Ransom]
Panda: Trj/CI.A
CrowdStrike: win/malicious_confidence_80% (W)

Hashes

MD5 3ba338d8ce6e68cbbde5c3c423c40bd4
SHA1 115c41a18b69ef6b0621ead00e4bff0d478ed87b
SHA256 736070c2c29be2246bebc05aee2d48f37db3ce330e7c7ee1f5bdd61250c45de1
SHA3 a700bd907022c07efadf2e966c3b0a79b01fc8ba12438547e6a6827820161305
SSDeep 3072:uA8Pd/5TidEAGioglQXkqD7zI5VVjNJyY4Bi/DLtIoz:V8Pd/eEHioYgXvcNJyTA/DLz
Imports Hash 8579887df7c75c778097c2a702e4e479

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0xf0

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_AMD64
NumberofSections 6
TimeDateStamp 2020-Jan-10 19:56:41
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xf0
Characteristics IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Image Optional Header

Magic PE32+
LinkerVersion 14.0
SizeOfCode 0x14600
SizeOfInitializedData 0x15bc00
SizeOfUninitializedData 0
AddressOfEntryPoint 0x0000000000005E78 (Section: .text)
BaseOfCode 0x1000
ImageBase 0x140000000
SectionAlignment 0x1000
FileAlignment 0x200
OperatingSystemVersion 5.2
ImageVersion 0.0
SubsystemVersion 5.2
Win32VersionValue 0
SizeOfImage 0x175000
SizeOfHeaders 0x400
Checksum 0
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
DllCharacteristics IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
SizeofStackReserve 0x100000
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

.text

MD5 ae4f896e5aed8bc460d8baa5127b3d46
SHA1 3987aa70c9def277dd8c2500c25bf7cc0aa9d528
SHA256 281e381e42c1fc113d7e26c99a049f5fbc0533d639513ca1b2c8e8a49926bd75
SHA3 1630bb39a2e6200b3fccfb06735a7bd1199b3474ff650b1a636226325c562a25
VirtualSize 0x144b0
VirtualAddress 0x1000
SizeOfRawData 0x14600
PointerToRawData 0x400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
Entropy 6.46817

.rdata

MD5 3a06f8dcb0f9882e5d5c08865d8b81bb
SHA1 9b44c71e8e24da4189aa0a9eb116621dd8ae4330
SHA256 1f69420cd24352490be5ea4dc4be4938ae9a35ca3687111a17e5d899502f615b
SHA3 d602350fb33b7c9226672ca87b02dba7daef68394e2672cbec6db6d06fc29e55
VirtualSize 0xac0c
VirtualAddress 0x16000
SizeOfRawData 0xae00
PointerToRawData 0x14a00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 5.01648

.data

MD5 fe32818dbe1a8285c22ed84fced5a509
SHA1 dc9f12c3cd86bad28ae42bb3ed050bd0eff3950b
SHA256 2e78a986a474e3fd12ce36aa361762e9486ce81456dd6c729aa75f8fb38254f0
SHA3 89a47c20baf966511add6e47cfd78b0c5b330e13d63f9fa505736ccb55342945
VirtualSize 0x14f120
VirtualAddress 0x21000
SizeOfRawData 0x11200
PointerToRawData 0x1f800
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 1.54957

.pdata

MD5 1305934769061ee1ec3e7aae9cdbe5c0
SHA1 0737484242be0babdc6b274a73f5dd07c356f85f
SHA256 c2030977888068ad0e18588a22ebc3c74985815da27c28be7024e5304622149a
SHA3 d6f1872f38762454770a62d596b841aefb64d5d24690f52e332408be31272199
VirtualSize 0x114c
VirtualAddress 0x171000
SizeOfRawData 0x1200
PointerToRawData 0x30a00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 4.88047

.gfids

MD5 19757e853f07e40127f9631715497b94
SHA1 a41609de07d8f28017dacf7de1ef3bf002dadda4
SHA256 e42462d2bc430d66e5fe3ed1f6ec94543166dbadd5c4b1ffc8087f196b272739
SHA3 161a95f053ffbb4fa23c2e05bbfe211edbe88ca36a76c1b1442bd3d18284fbed
VirtualSize 0xbc
VirtualAddress 0x173000
SizeOfRawData 0x200
PointerToRawData 0x31c00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 1.52876

.reloc

MD5 af41525014bf7d9dae881bf34a5984b9
SHA1 10f6fd20c760aff19e54d12b6a9656d15fc9104e
SHA256 b0de55e1927090e72c65f06bef1f14269253e8f64a58cdb553c01a10fcc36d01
SHA3 c9ec46370732ff4eae41a332d59e5f2e813b7b414cd33df186fcce3e1a50a663
VirtualSize 0x638
VirtualAddress 0x174000
SizeOfRawData 0x800
PointerToRawData 0x31e00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Entropy 4.83709

Imports

IPHLPAPI.DLL
IcmpCloseHandle
IcmpCreateFile
GetAdaptersAddresses
IcmpSendEcho
GetIpNetTable
KERNEL32.dll
SetLastError
WriteProcessMemory
WaitForMultipleObjects
Sleep
GetLogicalDrives
SetFilePointer
CloseHandle
WinExec
GetTickCount
GetLastError
LoadLibraryA
GetModuleFileNameW
GetModuleHandleA
GetCommandLineW
GetTempPathW
GetWindowsDirectoryW
CreateFileW
DeleteFileW
CopyFileW
GetVersionExW
CreateToolhelp32Snapshot
Process32FirstW
Process32NextW
GetCurrentThread
CreateRemoteThread
CreateThread
ExitProcess
GetCurrentProcess
OpenProcess
GetProcessHeap
HeapFree
HeapAlloc
VirtualFreeEx
VirtualAllocEx
VirtualFree
VirtualAlloc
LocalFree
GlobalFree
GlobalAlloc
GetProcAddress
FreeLibrary
SetFilePointerEx
HeapReAlloc
HeapSize
GetConsoleMode
GetConsoleCP
FlushFileBuffers
WriteConsoleW
SetStdHandle
FreeEnvironmentStringsW
GetEnvironmentStringsW
GetCommandLineA
QueryPerformanceCounter
GetCurrentProcessId
GetCurrentThreadId
GetSystemTimeAsFileTime
InitializeSListHead
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
IsDebuggerPresent
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetStartupInfoW
IsProcessorFeaturePresent
GetModuleHandleW
RtlUnwindEx
RtlPcToFileHeader
RaiseException
EnterCriticalSection
LeaveCriticalSection
DeleteCriticalSection
InitializeCriticalSectionAndSpinCount
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
LoadLibraryExW
TerminateProcess
GetModuleHandleExW
GetStdHandle
WriteFile
MultiByteToWideChar
WideCharToMultiByte
GetACP
GetStringTypeW
LCMapStringW
GetFileType
FindClose
FindFirstFileExW
FindNextFileW
IsValidCodePage
GetOEMCP
GetCPInfo
ADVAPI32.dll
OpenProcessToken
OpenThreadToken
GetTokenInformation
AdjustTokenPrivileges
LookupAccountSidW
OpenSCManagerW
EnumServicesStatusW
LookupPrivilegeValueW
ImpersonateSelf
SHELL32.dll
ShellExecuteW
CommandLineToArgvW
WS2_32.dll
#23
#21
#20
#115
#8
#3
#2
#116
#9
#11

Delayed Imports

Version Info

IMAGE_DEBUG_TYPE_POGO

Characteristics 0
TimeDateStamp 2020-Jan-10 19:56:41
Version 0.0
SizeofData 736
AddressOfRawData 0x1ed2c
PointerToRawData 0x1d72c

IMAGE_DEBUG_TYPE_ILTCG

Characteristics 0
TimeDateStamp 2020-Jan-10 19:56:41
Version 0.0
SizeofData 0
AddressOfRawData 0
PointerToRawData 0

TLS Callbacks

Load Configuration

Size 0x94
TimeDateStamp 1970-Jan-01 00:00:00
Version 0.0
GlobalFlagsClear (EMPTY)
GlobalFlagsSet (EMPTY)
CriticalSectionDefaultTimeout 0
DeCommitFreeBlockThreshold 0
DeCommitTotalFreeThreshold 0
LockPrefixTable 0
MaximumAllocationSize 0
VirtualMemoryThreshold 0
ProcessAffinityMask 0
ProcessHeapFlags (EMPTY)
CSDVersion 0
Reserved1 0
EditList 0
SecurityCookie 0x140031798

RICH Header

XOR Key 0xe301606b
Unmarked objects 0
241 (40116) 6
243 (40116) 126
242 (40116) 13
ASM objects (VS2015 UPD3 build 24123) 6
C++ objects (VS2015 UPD3 build 24123) 34
C objects (VS2015 UPD3 build 24123) 20
Imports (VS2008 SP1 build 30729) 11
Total imports 151
C++ objects (VS2015 UPD3.1 build 24215) 2
Linker (VS2015 UPD3.1 build 24215) 1

Errors
