Architecture | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date | 2020-Mar-31 14:17:25 |
Info | Cryptographic algorithms detected in the binary: uses constants related to CRC32; uses constants related to SHA256 |
Suspicious | The PE is possibly packed. Unusual section name found: .cdata |
Malicious | The PE contains functions mostly used by malware. Functions which can be used for anti-debugging purposes: |
Malicious | VirusTotal score: 66/72 (Scanned on 2024-05-12 00:01:13). ALYac: Trojan.Ransom.Phobos; APEX: Malicious; AVG: Win32:Phobos-D [Ransom]; Acronis: suspicious; AhnLab-V3: Ransomware/Win.Phobos.R363595; Alibaba: Ransom:Win32/Phobos.665; Antiy-AVL: Trojan[Ransom]/Win32.Phobos; Arcabit: Trojan.Ransom.PHU; Avast: Win32:Phobos-D [Ransom]; Avira: TR/Crypt.XPACK.Gen; BitDefender: Trojan.Ransom.PHU; BitDefenderTheta: Gen:NN.ZexaF.36804.duW@aKMzb6e; Bkav: W32.RansomBeadsBH.Trojan; CAT-QuickHeal: Ransom.Phobos.S11618290; ClamAV: Win.Ransomware.Ulise-7594403-0; Cylance: unsafe; Cynet: Malicious (score: 100); DeepInstinct: MALICIOUS; DrWeb: Trojan.Encoder.31543; ESET-NOD32: a variant of Win32/Filecoder.Phobos.C; Elastic: Windows.Ransomware.Phobos; Emsisoft: Trojan.Ransom.PHU (B); F-Secure: Trojan.TR/Crypt.XPACK.Gen; FireEye: Generic.mg.4e93c194b641d9b8; Fortinet: W32/FilecoderPhobos.C!tr.ransom; GData: Win32.Trojan-Ransom.Phobos.C; Google: Detected; Gridinsoft: Ransom.Win32.Phobos.ko!s1; Ikarus: Trojan-Ransom.Phobos; Jiangmin: Trojan.Generic.ervnl; K7AntiVirus: Trojan ( 0055119f1 ); K7GW: Trojan ( 0055119f1 ); Kaspersky: HEUR:Trojan-Ransom.Win32.Phobos.vho; Kingsoft: Win32.Trojan-Ransom.Phobos.vho; MAX: malware (ai score=100); Malwarebytes: Generic.Malware.AI.DDS; MaxSecure: Trojan.Malware.7164915.susgen; McAfee: Ransom-Phobos!4E93C194B641; MicroWorld-eScan: Trojan.Ransom.PHU; Microsoft: Ransom:Win32/Phobos.PC!MTB; NANO-Antivirus: Trojan.Win32.Filecoder.himsij; Paloalto: generic.ml; Panda: Trj/Genetic.gen; Rising: Ransom.Phobos!1.C277 (CLASSIC); SUPERAntiSpyware: Trojan.Agent/Gen-Urelas; Sangfor: Ransom.Win32.Phobos_1.se2; SentinelOne: Static AI - Malicious PE; Skyhigh: BehavesLike.Win32.RansomPhobos.qc; Sophos: Troj/Phobos-B; Symantec: Downloader; TACHYON: Ransom/W32.Dharma.56832; Tencent: Trojan-Ransom.Win32.Phobos.fa; Trapmine: malicious.moderate.ml.score; TrendMicro: Ransom.Win32.CRYSIS.TIBGHC; TrendMicro-HouseCall: Ransom.Win32.CRYSIS.TIBGHC; VBA32: BScope.Trojan.MulDrop; VIPRE: Trojan.Ransom.PHU; Varist: W32/Ransom.NA.gen!Eldorado; ViRobot: Trojan.Win32.Ransom.56832.K; VirIT: Ransom.Win32.Phobos.GEN; Webroot: W32.Trojan.Gen; Xcitium: Malware@#336ob2kjvbgw8; Yandex: Trojan.GenAsa!oSQlCZwLKgc; Zillya: Trojan.Filecoder.Win32.20527; ZoneAlarm: HEUR:Trojan-Ransom.Win32.Phobos.vho; alibabacloud: RansomWare:Win/Phobos |
e_magic | MZ |
---|---|
e_cblp | 0x90 |
e_cp | 0x3 |
e_crlc | 0 |
e_cparhdr | 0x4 |
e_minalloc | 0 |
e_maxalloc | 0xffff |
e_ss | 0 |
e_sp | 0xb8 |
e_csum | 0 |
e_ip | 0 |
e_cs | 0 |
e_ovno | 0 |
e_oemid | 0 |
e_oeminfo | 0 |
e_lfanew | 0xe0 |
Signature | PE |
---|---|
Machine | IMAGE_FILE_MACHINE_I386 |
NumberofSections | 5 |
TimeDateStamp | 2020-Mar-31 14:17:25 |
PointerToSymbolTable | 0 |
NumberOfSymbols | 0 |
SizeOfOptionalHeader | 0xe0 |
Characteristics | IMAGE_FILE_32BIT_MACHINE, IMAGE_FILE_EXECUTABLE_IMAGE |
Magic | PE32 |
---|---|
LinkerVersion | 10.0 |
SizeOfCode | 0x8600 |
SizeOfInitializedData | 0x3e00 |
SizeOfUninitializedData | 0 |
AddressOfEntryPoint | 0x00002FA7 (Section: .text) |
BaseOfCode | 0x1000 |
BaseOfData | 0xa000 |
ImageBase | 0x400000 |
SectionAlignment | 0x1000 |
FileAlignment | 0x200 |
OperatingSystemVersion | 5.1 |
ImageVersion | 0.0 |
SubsystemVersion | 5.1 |
Win32VersionValue | 0 |
SizeOfImage | 0x13000 |
SizeOfHeaders | 0x400 |
Checksum | 0x1556d |
Subsystem | IMAGE_SUBSYSTEM_WINDOWS_GUI |
DllCharacteristics | IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE, IMAGE_DLLCHARACTERISTICS_NX_COMPAT, IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE |
SizeofStackReserve | 0x100000 |
SizeofStackCommit | 0x1000 |
SizeofHeapReserve | 0x100000 |
SizeofHeapCommit | 0x1000 |
LoaderFlags | 0 |
NumberOfRvaAndSizes | 16 |
MPR.dll | WNetEnumResourceW, WNetUseConnectionW, WNetOpenEnumW, WNetCloseEnum |
---|---|
WS2_32.dll | ioctlsocket, getpeername, ntohl, select, WSAGetLastError, htons, recv, socket, closesocket, getsockopt, WSAAddressToStringW, htonl, connect |
IPHLPAPI.DLL | GetIpAddrTable |
WINHTTP.dll | WinHttpReceiveResponse, WinHttpOpenRequest, WinHttpConnect, WinHttpCloseHandle, WinHttpOpen, WinHttpSendRequest |
KERNEL32.dll | FindClose, FindNextFileW, SystemTimeToFileTime, OpenProcess, FindFirstFileW, MoveFileW, GetFileSizeEx, SetFilePointerEx, SetEndOfFile, GetCurrentThreadId, GetLocalTime, ExitProcess, SetFilePointer, WaitForSingleObject, GetComputerNameW, SetEvent, GetLogicalDrives, GetTickCount, Sleep, CopyFileW, GetFileAttributesW, ReadFile, CreateFileW, MultiByteToWideChar, CreateEventW, WaitForMultipleObjects, CloseHandle, SetFileAttributesW, CreateThread, InitializeCriticalSectionAndSpinCount, LeaveCriticalSection, EnterCriticalSection, ResetEvent, DeleteCriticalSection, AllocConsole, WriteFile, WideCharToMultiByte, WriteConsoleW, GetStdHandle, CreateMutexW, CreateProcessW, GetCurrentProcess, SetHandleInformation, HeapFree, GetLocaleInfoW, ReadProcessMemory, TerminateProcess, GetModuleFileNameW, FlushFileBuffers, OpenMutexW, GetLastError, GetProcAddress, Process32FirstW, GetExitCodeThread, CreatePipe, Process32NextW, GetModuleHandleA, CreateToolhelp32Snapshot, ReleaseMutex, GetVersion, DeleteFileW, GetCurrentProcessId, GetVolumeInformationW, ExpandEnvironmentStringsW, HeapAlloc, GetProcessHeap, HeapReAlloc, QueryPerformanceCounter |
USER32.dll | GetWindowThreadProcessId, GetShellWindow |
ADVAPI32.dll | FreeSid, LookupPrivilegeValueW, OpenProcessToken, GetTokenInformation, EqualSid, RegSetValueExW, RegCloseKey, AdjustTokenPrivileges, RegOpenKeyExW, LookupAccountSidW, AllocateAndInitializeSid, DuplicateTokenEx, RegQueryValueExW |
SHELL32.dll | ShellExecuteExW |
ole32.dll | CoGetObject, CoInitializeEx, CoUninitialize |
XOR Key | 0x41d7da2a |
---|---|
Unmarked objects | 0 |
C objects (VS2008 SP1 build 30729) | 1 |
Imports (VS2008 SP1 build 30729) | 19 |
Total imports | 111 |
ASM objects (VS2010 SP1 build 40219) | 1 |
C objects (VS2010 SP1 build 40219) | 1 |
174 (VS2010 SP1 build 40219) | 18 |
Linker (VS2010 SP1 build 40219) | 1 |