3e682a53560a6694ee6bda65182a7e44

Summary

Architecture IMAGE_FILE_MACHINE_I386
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date 2017-Mar-02 23:49:06
Debug artifacts C:\crysis\Release\PDB\payload.pdb

Plugin Output

Info Cryptographic algorithms detected in the binary:
  • Uses constants related to CRC32
  • Uses constants related to SHA1
  • Uses constants related to AES
Suspicious The PE is possibly packed. The PE only has 9 import(s).
Info The PE contains common functions which appear in legitimate applications. [!] The program may be hiding some of its imports:
  • GetProcAddress
  • LoadLibraryA
Malicious VirusTotal score: 53/66 (Scanned on 2018-11-01 01:29:53)
Bkav: W32.RansomeDNZ.Trojan
MicroWorld-eScan: Trojan.Ransom.Crysis.E
VBA32: TrojanRansom.Crusis
CAT-QuickHeal: Trojan.Mauvaise.SL1
ALYac: Trojan.Ransom.Crysis
Malwarebytes: Ransom.Crysis.Generic
SUPERAntiSpyware: Ransom.Crysis/Variant
TheHacker: Trojan/Filecoder.Crysis.l
K7GW: Trojan ( 00519f781 )
K7AntiVirus: Trojan ( 00519f781 )
TrendMicro: Mal_Crysis
NANO-Antivirus: Trojan.Win32.Filecoder.emdnxn
F-Prot: W32/Wadhrama.B
Symantec: Ransom.Crysis
Paloalto: generic.ml
ClamAV: Win.Trojan.Dharma-6668198-0
Kaspersky: Trojan-Ransom.Win32.Crusis.to
BitDefender: Trojan.Ransom.Crysis.E
Avast: Win32:Malware-gen
Rising: Trojan.Ransom.Crysis!1.A6AA (CLOUD)
Endgame: malicious (high confidence)
Emsisoft: Trojan.Ransom.Crysis.E (B)
F-Secure: Trojan.Ransom.Crysis.E
DrWeb: Trojan.Encoder.3953
Zillya: Dropper.Crusis.Win32.132
Invincea: heuristic
McAfee-GW-Edition: BehavesLike.Win32.Ransom.nc
Sophos: Troj/Criakl-G
SentinelOne: static engine - malicious
Cyren: W32/Trojan.ILHO-9216
Jiangmin: Trojan.Crypren.ic
Webroot: W32.Ransom.Gen
Avira: TR/Dropper.Gen
Fortinet: W32/Crysis.L!tr.ransom
Antiy-AVL: Trojan/Win32.AGeneric
Microsoft: Ransom:Win32/Wadhrama
ViRobot: Trojan.Win32.Ransom.94720.F
ZoneAlarm: Trojan-Ransom.Win32.Crusis.to
AhnLab-V3: Trojan/Win32.Genasom.R213980
McAfee: Ransom-WW!3E682A53560A
MAX: malware (ai score=100)
Ad-Aware: Trojan.Ransom.Crysis.E
Cylance: Unsafe
ESET-NOD32: a variant of Win32/Filecoder.Crysis.P
Tencent: Trojan-Ransom.Win32.Crysis.a
Yandex: Trojan.Crusis!
TACHYON: Ransom/W32.crysis.94720
GData: Win32.Trojan-Ransom.VirusEncoder.A
AVG: Win32:Malware-gen
Cybereason: malicious.3560a6
Panda: Trj/GdSda.A
CrowdStrike: malicious_confidence_100% (W)
Qihoo-360: Malware.Radar01.Gen

Hashes

MD5 3e682a53560a6694ee6bda65182a7e44
SHA1 75f13af0ea2847708826703da8c7a45e3f7dfde9
SHA256 2a247b244687022fb6090c065355c40040494a2dec57c0d9180f948cf3acc8e7
SHA3 bc4dbd00d936df73f63cffdf15a01217838ff99193dfa13de1979ba4be0b3587
SSDeep 1536:mBwl+KXpsqN5vlwWYyhY9S4AmIkiStcR9Slgs8lo2yaWYdZbL:Qw+asqN5aW/hL7k7cR9Sb83P
Imports Hash f86dec4a80961955a89e7ed62046cc0e

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0xc8

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_I386
NumberofSections 3
TimeDateStamp 2017-Mar-02 23:49:06
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xe0
Characteristics IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_RELOCS_STRIPPED

Image Optional Header

Magic PE32
LinkerVersion 10.0
SizeOfCode 0x9e00
SizeOfInitializedData 0xd400
SizeOfUninitializedData 0
AddressOfEntryPoint 0x0000A9D0 (Section: .text)
BaseOfCode 0x1000
BaseOfData 0xb000
ImageBase 0x400000
SectionAlignment 0x1000
FileAlignment 0x200
OperatingSystemVersion 5.1
ImageVersion 0.0
SubsystemVersion 5.1
Win32VersionValue 0
SizeOfImage 0x19000
SizeOfHeaders 0x400
Checksum 0
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
DllCharacteristics IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
SizeofStackReserve 0x100000
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

.text

MD5 fbdfbbcd720021a23c9e78b5511496b0
SHA1 5c72be2ee3d19205fa9ff61766ad3f95555b66c0
SHA256 e11cf5407738e542c34408869af06b533085ceaf3b07206fe7acab65d1695381
SHA3 0ffac7c9104c4f77b665ea11b8400816d08c36b8c812808918f2950f7d224ae6
VirtualSize 0x9c25
VirtualAddress 0x1000
SizeOfRawData 0x9e00
PointerToRawData 0x400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
Entropy 5.96531

.rdata

MD5 bbeae82a2350eeb7334fa155ebec76d2
SHA1 6dd024c3a83bb3b23509791884386b7052b94f73
SHA256 ef62a9f07c1027610b7f143c15cc0080767610a602ce6545ed265c8d5b1f9dad
SHA3 71568bf51acdceff6afdecd40eca3016cf8a0a882b8a33f8262df8dec7048b23
VirtualSize 0x2636
VirtualAddress 0xb000
SizeOfRawData 0x2800
PointerToRawData 0xa200
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 7.78504

.data

MD5 eda103f8966e4f80ad525a262ae19e22
SHA1 a7ed5b568a66a4d7e046f028926eac0c2f422dd7
SHA256 964a6c641ed4b8da3a277da40c773e85789efc93fd7c9d7ee571d396699f2e74
SHA3 6f12145a3c1b56b7bd6778665ee26ebb4e4c4038e056997b6eaa4ef841baf9b6
VirtualSize 0xaad5
VirtualAddress 0xe000
SizeOfRawData 0xa800
PointerToRawData 0xca00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 7.98254

Imports

KERNEL32.dll GetProcAddress
LoadLibraryA
WaitForSingleObject
InitializeCriticalSectionAndSpinCount
LeaveCriticalSection
GetLastError
EnterCriticalSection
ReleaseMutex
CloseHandle

Delayed Imports

Version Info

IMAGE_DEBUG_TYPE_CODEVIEW

Characteristics 0
TimeDateStamp 2017-Mar-02 23:49:06
Version 0.0
SizeofData 58
AddressOfRawData 0xd5fc
PointerToRawData 0xc7fc
Referenced File C:\crysis\Release\PDB\payload.pdb

TLS Callbacks

Load Configuration

RICH Header

XOR Key 0x70f06a4
Unmarked objects 0
Imports (VS2008 SP1 build 30729) 3
Total imports 10
174 (VS2010 SP1 build 40219) 11
Linker (VS2010 SP1 build 40219) 1

Errors
