3e8d5f0d457f3b22e32e985ca4c14e55

Summary

Architecture IMAGE_FILE_MACHINE_AMD64
Subsystem IMAGE_SUBSYSTEM_WINDOWS_CUI
Compilation Date 2019-Sep-27 22:05:56
TLS Callbacks 1 callback(s) detected.

Plugin Output

Suspicious The PE is packed with UPX
Unusual section name found: UPX0
Section UPX0 is both writable and executable.
Unusual section name found: UPX1
Section UPX1 is both writable and executable.
Unusual section name found: UPX2
Suspicious The PE contains functions most legitimate programs don't use.
[!] The program may be hiding some of its imports:
  • LoadLibraryA
  • GetProcAddress
Leverages the raw socket API to access the Internet:
  • bind
Interacts with the certificate store:
  • CertOpenStore
Suspicious The file contains overlay data. 1169037 bytes of data starting at offset 0x446a00.
The overlay data has an entropy of 7.72902 and is possibly compressed or encrypted.
Malicious VirusTotal score: 42/70 (Scanned on 2019-10-07 18:15:57)
MicroWorld-eScan: Gen:Variant.Razy.560742
FireEye: Generic.mg.3e8d5f0d457f3b22
CAT-QuickHeal: Trojan.Smokeloader
McAfee: Artemis!3E8D5F0D457F
Cylance: Unsafe
K7AntiVirus: Trojan ( 005582711 )
K7GW: Trojan ( 005582711 )
Arcabit: Trojan.Razy.D88E66
TrendMicro: Ransom.Win64.PORNOASSET.SM1.hp
F-Prot: W32/Kryptik.AEK.gen!Eldorado
Symantec: Trojan.Gen.MBT
APEX: Malicious
Avast: Win32:ReposFxg-F [Trj]
ClamAV: Win.Malware.Tofsee-6896728-0
BitDefender: Gen:Variant.Razy.560742
NANO-Antivirus: Trojan.Win32.GenKryptik.focjuh
Rising: Ransom.PornoAsset!8.6AA (TFE:5:F5uhVSmJuRJ)
Ad-Aware: Gen:Variant.Razy.560742
Emsisoft: Gen:Variant.Razy.560742 (B)
F-Secure: Trojan.TR/AD.LockyC.lyfhk
DrWeb: Trojan.Siggen8.17135
McAfee-GW-Edition: BehavesLike.Win64.VFlooder.tc
Fortinet: W32/Filecoder.J!tr
Sophos: Mal/Elenoocka-G
SentinelOne: DFI - Suspicious PE
Cyren: W32/Kryptik.AEK.gen!Eldorado
Avira: TR/AD.LockyC.lyfhk
MAX: malware (ai score=82)
Antiy-AVL: Trojan[Backdoor]/Win32.IRCNite
Endgame: malicious (moderate confidence)
Microsoft: Trojan:Win32/Tinba.DSK!MTB
AhnLab-V3: Trojan/Win64.Agent.C3487739
Acronis: suspicious
ALYac: Gen:Variant.Razy.560742
VBA32: BScope.Trojan.Zbot.2312
ESET-NOD32: a variant of Win64/Kryptik.BRW
TrendMicro-HouseCall: Ransom.Win64.PORNOASSET.SM1.hp
Yandex: Trojan.PWS.Emotet!
Ikarus: Trojan.Win32.Trickbot
GData: Gen:Variant.Razy.560742
AVG: Win32:ReposFxg-F [Trj]
Cybereason: malicious.d457f3

Hashes

MD5 3e8d5f0d457f3b22e32e985ca4c14e55
SHA1 8ac56d47a8b7061bb936e17c84a9825faba2fa7b
SHA256 4e7dfc6026e746c69e6673c955546301f95e712446f4a297de7340a32346ff7d
SHA3 a81d42ac55196db8c9ba00f10370f627f3274dff728434005f5811bb590d50ce
SSDeep 98304:It6AVXghXDQySXyjaRIHK4IeLzwuh/6B6:ItzCFQySCjCIRI4zwuhU6
Imports Hash 73db5c9b52201f07943a77eb03757432

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0x80

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_AMD64
NumberofSections 3
TimeDateStamp 2019-Sep-27 22:05:56
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xf0
Characteristics IMAGE_FILE_DEBUG_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_RELOCS_STRIPPED

Image Optional Header

Magic PE32+
LinkerVersion 2.0
SizeOfCode 0x447000
SizeOfInitializedData 0x1000
SizeOfUninitializedData 0x86d000
AddressOfEntryPoint 0x0000000000CB4100 (Section: UPX1)
BaseOfCode 0x86e000
ImageBase 0x400000
SectionAlignment 0x1000
FileAlignment 0x200
OperatingSystemVersion 4.0
ImageVersion 0.0
SubsystemVersion 5.2
Win32VersionValue 0
SizeOfImage 0xcb6000
SizeOfHeaders 0x1000
Checksum 0
Subsystem IMAGE_SUBSYSTEM_WINDOWS_CUI
SizeofStackReserve 0x200000
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

UPX0

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA3 a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a
VirtualSize 0x86d000
VirtualAddress 0x1000
SizeOfRawData 0
PointerToRawData 0x200
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

UPX1

MD5 8c559ba728fb30fb4455fae9e4c7aa9c
SHA1 799504fea09a15640a9f89f2ef797be966215bb9
SHA256 d9e549d291c396ce63424387f97ba1da812ba8e7152f6dd3dd9430f2bf22fafb
SHA3 2eab927e8c7eed6184639047432c41b4a49b2c6823b8c0207857bd4dacbbc67f
VirtualSize 0x447000
VirtualAddress 0x86e000
SizeOfRawData 0x446400
PointerToRawData 0x200
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 7.90319

UPX2

MD5 9e72acb2b81e9fdc2b5c87a30ac63cdd
SHA1 bb4dd46cce50dcd389f3d468c460f72b465cde8f
SHA256 bc12a979f5adfeae1bfc7440ab8a8ad09b4ab5d8b7ba9c8acc341ae97728cf5e
SHA3 72fb8c8394cf9f28131b70330a7e3cb9011e41348f1dcddc2a5f70c645743c05
VirtualSize 0x1000
VirtualAddress 0xcb5000
SizeOfRawData 0x400
PointerToRawData 0x446600
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 2.87908

Imports

ADVAPI32.dll FreeSid
CRYPT32.dll CertOpenStore
IPHLPAPI.DLL GetAdaptersAddresses
KERNEL32.DLL LoadLibraryA
ExitProcess
GetProcAddress
VirtualProtect
msvcrt.dll atof
PSAPI.DLL GetProcessMemoryInfo
USER32.dll GetMessageA
USERENV.dll GetUserProfileDirectoryW
WS2_32.dll bind

Delayed Imports

Version Info

TLS Callbacks

StartAddressOfRawData 0x10b4378
EndAddressOfRawData 0x10b4380
AddressOfIndex 0x10aa37c
AddressOfCallbacks 0x10b4380
SizeOfZeroFill 0
Characteristics IMAGE_SCN_TYPE_REG
Callbacks 0x00000000010B4326

Load Configuration

RICH Header

Errors

[*] Warning: Section UPX0 has a size of 0!