4e93c194b641d9b849f270531ec14d20

Summary

Architecture IMAGE_FILE_MACHINE_I386
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date 2020-Mar-31 14:17:25

Plugin Output

Info Cryptographic algorithms detected in the binary: Uses constants related to CRC32
Uses constants related to SHA256
Suspicious The PE is possibly packed. Unusual section name found: .cdata
Malicious The PE contains functions mostly used by malware. Functions which can be used for anti-debugging purposes:
  • CreateToolhelp32Snapshot
Can access the registry:
  • RegSetValueExW
  • RegCloseKey
  • RegOpenKeyExW
  • RegQueryValueExW
Possibly launches other programs:
  • CreateProcessW
Has Internet access capabilities:
  • WinHttpReceiveResponse
  • WinHttpOpenRequest
  • WinHttpConnect
  • WinHttpCloseHandle
  • WinHttpOpen
  • WinHttpSendRequest
Leverages the raw socket API to access the Internet:
  • ioctlsocket
  • getpeername
  • ntohl
  • select
  • WSAGetLastError
  • htons
  • recv
  • socket
  • closesocket
  • getsockopt
  • WSAAddressToStringW
  • htonl
  • connect
Functions related to the privilege level:
  • OpenProcessToken
  • AdjustTokenPrivileges
  • DuplicateTokenEx
Enumerates local disk drives:
  • GetVolumeInformationW
Manipulates other processes:
  • OpenProcess
  • ReadProcessMemory
  • Process32FirstW
  • Process32NextW
Malicious VirusTotal score: 66/72 (Scanned on 2024-05-12 00:01:13)
ALYac: Trojan.Ransom.Phobos
APEX: Malicious
AVG: Win32:Phobos-D [Ransom]
Acronis: suspicious
AhnLab-V3: Ransomware/Win.Phobos.R363595
Alibaba: Ransom:Win32/Phobos.665
Antiy-AVL: Trojan[Ransom]/Win32.Phobos
Arcabit: Trojan.Ransom.PHU
Avast: Win32:Phobos-D [Ransom]
Avira: TR/Crypt.XPACK.Gen
BitDefender: Trojan.Ransom.PHU
BitDefenderTheta: Gen:NN.ZexaF.36804.duW@aKMzb6e
Bkav: W32.RansomBeadsBH.Trojan
CAT-QuickHeal: Ransom.Phobos.S11618290
ClamAV: Win.Ransomware.Ulise-7594403-0
Cylance: unsafe
Cynet: Malicious (score: 100)
DeepInstinct: MALICIOUS
DrWeb: Trojan.Encoder.31543
ESET-NOD32: a variant of Win32/Filecoder.Phobos.C
Elastic: Windows.Ransomware.Phobos
Emsisoft: Trojan.Ransom.PHU (B)
F-Secure: Trojan.TR/Crypt.XPACK.Gen
FireEye: Generic.mg.4e93c194b641d9b8
Fortinet: W32/FilecoderPhobos.C!tr.ransom
GData: Win32.Trojan-Ransom.Phobos.C
Google: Detected
Gridinsoft: Ransom.Win32.Phobos.ko!s1
Ikarus: Trojan-Ransom.Phobos
Jiangmin: Trojan.Generic.ervnl
K7AntiVirus: Trojan ( 0055119f1 )
K7GW: Trojan ( 0055119f1 )
Kaspersky: HEUR:Trojan-Ransom.Win32.Phobos.vho
Kingsoft: Win32.Trojan-Ransom.Phobos.vho
MAX: malware (ai score=100)
Malwarebytes: Generic.Malware.AI.DDS
MaxSecure: Trojan.Malware.7164915.susgen
McAfee: Ransom-Phobos!4E93C194B641
MicroWorld-eScan: Trojan.Ransom.PHU
Microsoft: Ransom:Win32/Phobos.PC!MTB
NANO-Antivirus: Trojan.Win32.Filecoder.himsij
Paloalto: generic.ml
Panda: Trj/Genetic.gen
Rising: Ransom.Phobos!1.C277 (CLASSIC)
SUPERAntiSpyware: Trojan.Agent/Gen-Urelas
Sangfor: Ransom.Win32.Phobos_1.se2
SentinelOne: Static AI - Malicious PE
Skyhigh: BehavesLike.Win32.RansomPhobos.qc
Sophos: Troj/Phobos-B
Symantec: Downloader
TACHYON: Ransom/W32.Dharma.56832
Tencent: Trojan-Ransom.Win32.Phobos.fa
Trapmine: malicious.moderate.ml.score
TrendMicro: Ransom.Win32.CRYSIS.TIBGHC
TrendMicro-HouseCall: Ransom.Win32.CRYSIS.TIBGHC
VBA32: BScope.Trojan.MulDrop
VIPRE: Trojan.Ransom.PHU
Varist: W32/Ransom.NA.gen!Eldorado
ViRobot: Trojan.Win32.Ransom.56832.K
VirIT: Ransom.Win32.Phobos.GEN
Webroot: W32.Trojan.Gen
Xcitium: Malware@#336ob2kjvbgw8
Yandex: Trojan.GenAsa!oSQlCZwLKgc
Zillya: Trojan.Filecoder.Win32.20527
ZoneAlarm: HEUR:Trojan-Ransom.Win32.Phobos.vho
alibabacloud: RansomWare:Win/Phobos

Hashes

MD5 4e93c194b641d9b849f270531ec14d20
SHA1 8b5a21254a0c10e3ca2570eeba490755197b544e
SHA256 43f846c12c24a078ebe33f71e8ea3b4f75107aeb275e2c3cd9dc61617c9757fc
SHA3 442283f298483c6a924219df641c03085e5ca0790485d71a65871797a249c518
SSDeep 1536:YNeRBl5PT/rx1mzwRMSTdLpJZtqoQOcO:YQRrmzwR5JAOF
Imports Hash 851a0ba8fbb71710075bdfe6dcef92eb

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0xe0

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_I386
NumberofSections 5
TimeDateStamp 2020-Mar-31 14:17:25
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xe0
Characteristics IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE

Image Optional Header

Magic PE32
LinkerVersion 10.0
SizeOfCode 0x8600
SizeOfInitializedData 0x3e00
SizeOfUninitializedData 0
AddressOfEntryPoint 0x00002FA7 (Section: .text)
BaseOfCode 0x1000
BaseOfData 0xa000
ImageBase 0x400000
SectionAlignment 0x1000
FileAlignment 0x200
OperatingSystemVersion 5.1
ImageVersion 0.0
SubsystemVersion 5.1
Win32VersionValue 0
SizeOfImage 0x13000
SizeOfHeaders 0x400
Checksum 0x1556d
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
DllCharacteristics IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
SizeofStackReserve 0x100000
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

.text

MD5 a491c4d91a4b5889442e891da7aad09f
SHA1 fb01cf295659de04b42430a2046701c69a6ff3bb
SHA256 9651e8d2844245abbf58abd4ab2d7074ce9981002c6734fdff29cc69fb261cc7
SHA3 daecf8375e8246f5e4dadf9fff1f5968322d02571b40faee57f940b82991f706
VirtualSize 0x8598
VirtualAddress 0x1000
SizeOfRawData 0x8600
PointerToRawData 0x400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
Entropy 6.58755

.rdata

MD5 a73fadb324bbeec4e8315214d839bd02
SHA1 36aa963222549e326cf6ed473d5782cd119835fb
SHA256 4bcccfed2dad97690fe867ee571784648a125debdc51feea9af02d74dfc645bb
SHA3 bc5066d7fc3604c6dfae50f322852b203dded6a294b748cd96ebeb497a24fb36
VirtualSize 0xe7c
VirtualAddress 0xa000
SizeOfRawData 0x1000
PointerToRawData 0x8a00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 5.27783

.data

MD5 f685505ea497ceed6c5b609804c0b7ce
SHA1 f307e044da7d670ed695d6a3fa156db2108b55f1
SHA256 03025aaf474ed7bc4e45f4a1a79b985aab9e030e8a51bff269c884c86509d3a5
SHA3 7af927e259f5cebd53b0b5747d6845286c472d03fa606f711f698d09dfb41776
VirtualSize 0x26b9
VirtualAddress 0xb000
SizeOfRawData 0x600
PointerToRawData 0x9a00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 6.17726

.reloc

MD5 63531957a01468434c794b6b08c13046
SHA1 0014124cc11bf30944fec8fb713134f72886051b
SHA256 1c6ca143ae0aad0a683ab07f7080f88858d1c25743350ba9257c302912d2924a
SHA3 9b10b6c87b93187487da696a3dbd64fef2a9d4ce6e236e107e0ad972f02993ad
VirtualSize 0x5ee
VirtualAddress 0xe000
SizeOfRawData 0x600
PointerToRawData 0xa000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Entropy 5.69613

.cdata

MD5 f59bc105d9a6d408e6af586d5d33ee52
SHA1 65231cd26cd7b04a353e9378f6fce564be9509fd
SHA256 9bb5c05adf47c739f26e714e59128def735329bb23365b8733f4d13414b9a403
SHA3 398f793c5f1cc1e148e8402bca2dcc8175bd29773a3fb85bf20232d9cc89a839
VirtualSize 0x36d8
VirtualAddress 0xf000
SizeOfRawData 0x3800
PointerToRawData 0xa600
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 7.82362

Imports

MPR.dll WNetEnumResourceW
WNetUseConnectionW
WNetOpenEnumW
WNetCloseEnum
WS2_32.dll ioctlsocket
getpeername
ntohl
select
WSAGetLastError
htons
recv
socket
closesocket
getsockopt
WSAAddressToStringW
htonl
connect
IPHLPAPI.DLL GetIpAddrTable
WINHTTP.dll WinHttpReceiveResponse
WinHttpOpenRequest
WinHttpConnect
WinHttpCloseHandle
WinHttpOpen
WinHttpSendRequest
KERNEL32.dll FindClose
FindNextFileW
SystemTimeToFileTime
OpenProcess
FindFirstFileW
MoveFileW
GetFileSizeEx
SetFilePointerEx
SetEndOfFile
GetCurrentThreadId
GetLocalTime
ExitProcess
SetFilePointer
WaitForSingleObject
GetComputerNameW
SetEvent
GetLogicalDrives
GetTickCount
Sleep
CopyFileW
GetFileAttributesW
ReadFile
CreateFileW
MultiByteToWideChar
CreateEventW
WaitForMultipleObjects
CloseHandle
SetFileAttributesW
CreateThread
InitializeCriticalSectionAndSpinCount
LeaveCriticalSection
EnterCriticalSection
ResetEvent
DeleteCriticalSection
AllocConsole
WriteFile
WideCharToMultiByte
WriteConsoleW
GetStdHandle
CreateMutexW
CreateProcessW
GetCurrentProcess
SetHandleInformation
HeapFree
GetLocaleInfoW
ReadProcessMemory
TerminateProcess
GetModuleFileNameW
FlushFileBuffers
OpenMutexW
GetLastError
GetProcAddress
Process32FirstW
GetExitCodeThread
CreatePipe
Process32NextW
GetModuleHandleA
CreateToolhelp32Snapshot
ReleaseMutex
GetVersion
DeleteFileW
GetCurrentProcessId
GetVolumeInformationW
ExpandEnvironmentStringsW
HeapAlloc
GetProcessHeap
HeapReAlloc
QueryPerformanceCounter
USER32.dll GetWindowThreadProcessId
GetShellWindow
ADVAPI32.dll FreeSid
LookupPrivilegeValueW
OpenProcessToken
GetTokenInformation
EqualSid
RegSetValueExW
RegCloseKey
AdjustTokenPrivileges
RegOpenKeyExW
LookupAccountSidW
AllocateAndInitializeSid
DuplicateTokenEx
RegQueryValueExW
SHELL32.dll ShellExecuteExW
ole32.dll CoGetObject
CoInitializeEx
CoUninitialize

Delayed Imports

Version Info

TLS Callbacks

Load Configuration

RICH Header

XOR Key 0x41d7da2a
Unmarked objects 0
C objects (VS2008 SP1 build 30729) 1
Imports (VS2008 SP1 build 30729) 19
Total imports 111
ASM objects (VS2010 SP1 build 40219) 1
C objects (VS2010 SP1 build 40219) 1
174 (VS2010 SP1 build 40219) 18
Linker (VS2010 SP1 build 40219) 1

Errors
