59fe74c68bbc9e76affdf9f337fb81df

Summary

Architecture IMAGE_FILE_MACHINE_I386
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date 2019-Jul-09 14:23:33

Plugin Output

Info Matching compiler(s): Microsoft Visual C++ 6.0 - 8.0
Info Cryptographic algorithms detected in the binary: Uses constants related to CRC32
Suspicious The PE contains functions most legitimate programs don't use. [!] The program may be hiding some of its imports:
  • GetProcAddress
  • LoadLibraryExW
  • LoadLibraryA
Possibly launches other programs:
  • CreateProcessW
Can create temporary files:
  • GetTempPathW
  • CreateFileW
Leverages the raw socket API to access the Internet:
  • #14
Enumerates local disk drives:
  • GetDriveTypeW
Suspicious The file contains overlay data. 12227433 bytes of data starting at offset 0x42a00.
The overlay data has an entropy of 7.99833 and is possibly compressed or encrypted.
Overlay data accounts for 97.8169% of the executable.
Malicious VirusTotal score: 46/73 (Scanned on 2020-01-02 00:50:01)
MicroWorld-eScan: Trojan.GenericKD.32833226
FireEye: Trojan.GenericKD.32833226
CAT-QuickHeal: Trojanransom.Gen
McAfee: Artemis!59FE74C68BBC
Cylance: Unsafe
Sangfor: Malware
K7AntiVirus: Riskware ( 0040eff71 )
Alibaba: Ransom:Win32/Generic.950198ba
K7GW: Riskware ( 0040eff71 )
Arcabit: Trojan.Generic.D1F4FECA
Invincea: heuristic
Symantec: Ransom.Wannacry
APEX: Malicious
Avast: Win32:Malware-gen
Kaspersky: Trojan-Ransom.Win32.Gen.ueu
BitDefender: Trojan.GenericKD.32833226
NANO-Antivirus: Trojan.Win32.Encoder.gmkabu
Ad-Aware: Trojan.GenericKD.32833226
Emsisoft: Trojan.GenericKD.32833226 (B)
F-Secure: Trojan.TR/Ransom.Gen
DrWeb: Trojan.Encoder.30403
TrendMicro: Ransom_Gen.R032C0WLN19
McAfee-GW-Edition: BehavesLike.Win32.Generic.wc
Fortinet: W32/Gen.UEU!tr
Sophos: Mal/Generic-S
Cyren: W32/Trojan.MZSK-2343
Avira: TR/Ransom.Gen
MAX: malware (ai score=100)
Microsoft: Ransom:Win32/Genasom
AegisLab: Trojan.Win32.Blocker.tq1S
ZoneAlarm: Trojan-Ransom.Win32.Gen.ueu
AhnLab-V3: Malware/Win32.RL_Generic.R304981
VBA32: TrojanRansom.Gen
ALYac: Trojan.Ransom.FileCryptor
Malwarebytes: Ransom.ChernoLocker
ESET-NOD32: a variant of Generik.FANDZXC
TrendMicro-HouseCall: Ransom_Gen.R032C0WLN19
Rising: Trojan.Generic@ML.95 (RDMK:hHLhK02MfBJhiqphYC2u/w)
Ikarus: Trojan-Ransom
eGambit: Trojan.Generic
GData: Trojan.GenericKD.32833226
MaxSecure: Trojan.Malware.74741109.susgen
AVG: Win32:Malware-gen
Panda: Trj/CI.A
CrowdStrike: win/malicious_confidence_60% (W)
Qihoo-360: Win32/Trojan.Ransom.d13

Hashes

MD5 59fe74c68bbc9e76affdf9f337fb81df
SHA1 1aebb30376c1e768e35678b2124d348b2c322168
SHA256 613c8a8b7b723704469e31be829499b7d36b9fdc62b9850f1c6522fd4c81ea3f
SHA3 9e23c95977e88f333d29e269a37c8f19b174449950adb42723df3e4db1fd9ce5
SSDeep 196608:GQ3fOfpVwQsbmo9X2wl/i1tbpSzZTfuf6hc7ro7VEHe/vAYYjlcy5JvCflgxKr:GQmfDwQX4XdJi8zZfQ6hE7+XAPcVflg
Imports Hash 413054e9ce274354a1fe8ae0a92d1aee

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0x108

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_I386
NumberofSections 6
TimeDateStamp 2019-Jul-09 14:23:33
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xe0
Characteristics IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Image Optional Header

Magic PE32
LinkerVersion 14.0
SizeOfCode 0x1ee00
SizeOfInitializedData 0x23800
SizeOfUninitializedData 0
AddressOfEntryPoint 0x00007B43 (Section: .text)
BaseOfCode 0x1000
BaseOfData 0x20000
ImageBase 0x400000
SectionAlignment 0x1000
FileAlignment 0x200
OperatingSystemVersion 5.1
ImageVersion 0.0
SubsystemVersion 5.1
Win32VersionValue 0
SizeOfImage 0x55000
SizeOfHeaders 0x400
Checksum 0
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
DllCharacteristics IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
SizeofStackReserve 0x100000
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

.text

MD5 4ade2bca04773f952182e320bf119a44
SHA1 48887d6bd9457f438c98a7c0ca84133c161ae060
SHA256 7c8aef91384611dcb810ebd4dad72dc9cd81e2343db448f55ea6d2be26197776
SHA3 1337e8737e998c444300661c33f9e499b87750c7aba79a699f4e116328776354
VirtualSize 0x1eca4
VirtualAddress 0x1000
SizeOfRawData 0x1ee00
PointerToRawData 0x400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
Entropy 6.64533

.rdata

MD5 ec5475b3d80c124faab088a6318411f6
SHA1 2ca65fdda962968ea763dd2703a877207338c875
SHA256 5099f6dfadf8d790291366f706a5c4709f99bc890e4ead0d6a1f337ed1187ca7
SHA3 6ddef4df1a88c0db7b4993b7c8cba791bf21b71856e6ee6b62a18bc2ecd9cd2f
VirtualSize 0xb164
VirtualAddress 0x20000
SizeOfRawData 0xb200
PointerToRawData 0x1f200
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 6.10043

.data

MD5 0a359bf3e4d26b21bd09e8defb96cfda
SHA1 4fe0db425b66d58bf84cdccb3d6c63f16f5d4a84
SHA256 a72186c2f468a74134738e6d80362db4581e7fbb5a65e8ed6cc4c59ce258f141
SHA3 88e46d1b182af692341eb2763b2dc367cacba7df1c2623a043f74e333147f37c
VirtualSize 0xe688
VirtualAddress 0x2c000
SizeOfRawData 0xa00
PointerToRawData 0x2a400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 1.92387

.gfids

MD5 e6ec6ed11ae6bc8cf76a2ad0518c0fa4
SHA1 d3332c4a1520ba392b44ace3eaf30ccceca23e42
SHA256 5592bd536bbae9954b032c066a7b30eec7192956141a328b18c96c49e9f25979
SHA3 1b1e815e1bb3419fe23e806e1f4aaeef021364f457b539654f7c6b03fc645b31
VirtualSize 0xb8
VirtualAddress 0x3b000
SizeOfRawData 0x200
PointerToRawData 0x2ae00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 1.85181

.rsrc

MD5 29a341f32db1099bda44544315543858
SHA1 491441887d587e56a9fc31e183f77553fa16371c
SHA256 2f5bd89b3be8e898b13f41878bcc0c6a1639ab8cd7ec4cd631da2149fb746c89
SHA3 08a3277d26cebd0b778e1c838b88f1ad89c22b8aa3bda4b130fa21cde2597f75
VirtualSize 0x16124
VirtualAddress 0x3c000
SizeOfRawData 0x16200
PointerToRawData 0x2b000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 7.75765

.reloc

MD5 c3b6988d45e77ae79c7976cbb59e7cfc
SHA1 e622e45f7aedb63d6100b542dfc5f247a38286fd
SHA256 68dba170d550822808b0b56c41ec86a8b20d0a8afac9c428915fba091b28ea0c
SHA3 f0d23aabfe3813593f2f7f903d6420f9dadcb9d905f3297db5790b038c4ba687
VirtualSize 0x17b8
VirtualAddress 0x53000
SizeOfRawData 0x1800
PointerToRawData 0x41200
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Entropy 6.65903

Imports

USER32.dll MessageBoxW
MessageBoxA
KERNEL32.dll SystemTimeToTzSpecificLocalTime
DecodePointer
GetLastError
SetDllDirectoryW
GetModuleFileNameW
GetProcAddress
GetCommandLineW
GetEnvironmentVariableW
SetEnvironmentVariableW
ExpandEnvironmentStringsW
GetTempPathW
WaitForSingleObject
Sleep
GetExitCodeProcess
CreateProcessW
GetStartupInfoW
LoadLibraryExW
GetShortPathNameW
FormatMessageW
LoadLibraryA
MultiByteToWideChar
WideCharToMultiByte
SetEndOfFile
HeapReAlloc
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetCurrentProcess
TerminateProcess
IsProcessorFeaturePresent
QueryPerformanceCounter
GetCurrentProcessId
GetCurrentThreadId
GetSystemTimeAsFileTime
InitializeSListHead
IsDebuggerPresent
GetModuleHandleW
RtlUnwind
SetLastError
EnterCriticalSection
LeaveCriticalSection
DeleteCriticalSection
InitializeCriticalSectionAndSpinCount
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
FreeLibrary
GetCommandLineA
ReadFile
CreateFileW
GetDriveTypeW
GetFileType
CloseHandle
PeekNamedPipe
RaiseException
FileTimeToSystemTime
GetFullPathNameW
GetFullPathNameA
CreateDirectoryW
RemoveDirectoryW
FindClose
FindFirstFileExW
FindNextFileW
SetStdHandle
SetConsoleCtrlHandler
DeleteFileW
GetStdHandle
WriteFile
ExitProcess
GetModuleHandleExW
GetACP
HeapFree
HeapAlloc
GetConsoleMode
ReadConsoleW
SetFilePointerEx
GetConsoleCP
CompareStringW
LCMapStringW
GetCurrentDirectoryW
FlushFileBuffers
SetEnvironmentVariableA
GetFileAttributesExW
IsValidCodePage
GetOEMCP
GetCPInfo
GetEnvironmentStringsW
FreeEnvironmentStringsW
GetStringTypeW
GetProcessHeap
WriteConsoleW
GetTimeZoneInformation
HeapSize
WS2_32.dll #14

Delayed Imports

Resources

1

Type RT_ICON
Language UNKNOWN
Codepage Latin 1 / Western European
Size 0x7b40
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 7.94816
Detected Filetype PNG graphic file
MD5 56ce17813ecc263829a4e246e173443b
SHA1 70c8e7c85b3a0d03d787677483b270e04142fb60
SHA256 c5add43273e03e61a0dabd2a5ec95eadc1d2626ff4c7a6e159d5a0d38b8103c3
SHA3 c59427ebd4e3c5b729697bb9743ab2edb839980a2462ac128f59f63dd3727efb

2

Type RT_ICON
Language UNKNOWN
Codepage Latin 1 / Western European
Size 0x8a8
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 6.44895
MD5 1c06420cfb94514d35c088699a04774d
SHA1 2c23d7df4bc8ce3fb15f33e78c042b12814aea3b
SHA256 d73c1848a067a0fd094423213dc1e855b5b29b0b441f0bcb315feb90d662972e
SHA3 a630c0bd054ccf853d3673897d2a553e10797d288b3f09898503304ecec7d7f3

3

Type RT_ICON
Language UNKNOWN
Codepage Latin 1 / Western European
Size 0x568
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 5.77742
MD5 db1208cf5d76055be1c3a34567af9f5a
SHA1 c5adcd7407c8b18459e4b4ce96fb70ecf5701a97
SHA256 5a008270f7254f5ca861e9936f4b5b7a23c04d63165895234fd1782bc03ec0e5
SHA3 549076010917e74ff3fe656848779d90468b96740184b07016dbf2833e9abf99

4

Type RT_ICON
Language UNKNOWN
Codepage Latin 1 / Western European
Size 0x952c
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 7.95095
Detected Filetype PNG graphic file
MD5 f6fbada22d6a6c07ef8fdaa504f117d5
SHA1 591a723501eff1a4920462f8efcaf3715e829450
SHA256 3919b11194f130d310dfe08bdce2891c5b64f2703107f53a5a1cbc016fdb609f
SHA3 ceca597fff3f436773eb9e48be245ce9d24439b9527a0d3aedaa1469e49d3f5c

5

Type RT_ICON
Language UNKNOWN
Codepage Latin 1 / Western European
Size 0x25a8
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 6.0521
MD5 86ce219c337119fe35646823cb56d091
SHA1 74d3090f01f3128bda93a3a7525f139c495bffbd
SHA256 7ef5a24efde1748c0eb12c5817b14cfe1397ae968489a7824a269d02c8223cee
SHA3 8daaa7aab035df895cb478d3b92385d12aebd96c8bbde3a05a615ff56d41aebf

6

Type RT_ICON
Language UNKNOWN
Codepage Latin 1 / Western European
Size 0x10a8
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 6.15081
MD5 58b7700e8f20d0a3c77021eb7e7019dc
SHA1 87f7668b96ab48bd6ba5c8b9968dbb024a028407
SHA256 c5536b396be6dcfc96f4e4f77cc7007b2a56730ee57598a6979cc1c1c71c920a
SHA3 13bb36cea0c569109ddca6560016003d3ce662f8e0bc189e9750019ccdc7bc72

7

Type RT_ICON
Language UNKNOWN
Codepage Latin 1 / Western European
Size 0x468
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 6.39466
MD5 9de69c1c4b3a06597da9c275b38bffb6
SHA1 a4ed3bd1bb4edc0eaa187b68929f596906e9ee87
SHA256 ac2e25dc4a4f7bd96a0bcf3ea63cd1bcf26a6f6a05835e32f96ef99cb4323f30
SHA3 6ff197b54509b5c0fa643d6bdbc756cccec2b5bc8495c770883c021e833f7509

0

Type RT_GROUP_ICON
Language UNKNOWN
Codepage Latin 1 / Western European
Size 0x14
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 1.51664
Detected Filetype Icon file
MD5 d308cc7c03dbcf24db3c87a956e0a344
SHA1 a29dc7b49814effa7a0bfa66088252586ab81893
SHA256 45fa34cfe67047bddf3f3054b6fcda6ea57425638cc3652356ec9042967d8fb2
SHA3 467f7b1f9d9029aa254ffe9a3bed7ebb858018b3a4197e553c0d7d4603dfa044

101

Type RT_GROUP_ICON
Language UNKNOWN
Codepage Latin 1 / Western European
Size 0x68
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 2.71858
Detected Filetype Icon file
MD5 cd3a631eace19041876b4c4c6ec8461a
SHA1 d4b3f99c4d648e3446dc05e7fb6e444e42dfed01
SHA256 f5b94a42f1c77c9eef858a0dfd656419fea900b00318c2c0bf49c2fce345d838
SHA3 b6dcbb1b4c262eb5aee12773a52c29ff20fef809a4e61822700d005457944b9f

1 (#2)

Type RT_MANIFEST
Language UNKNOWN
Codepage Latin 1 / Western European
Size 0x53b
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 5.27802
MD5 add9750377ef109dcd4df4626ca90613
SHA1 f7d23dc382b79408ff31ab91b3d3c978ce18c877
SHA256 07f03ee76c53b7ac569bfea8c9ce1eb7d2d194edd30a6e72d46c278958b773a7
SHA3 d3fe365694aea90c8ec9c0fb3db91e7c8a2f2dbab1c261cb024e142e5ea3bfd6

Version Info

IMAGE_DEBUG_TYPE_POGO

Characteristics 0
TimeDateStamp 2019-Jul-09 14:23:33
Version 0.0
SizeofData 696
AddressOfRawData 0x29f3c
PointerToRawData 0x2913c

TLS Callbacks

Load Configuration

Size 0x5c
TimeDateStamp 1970-Jan-01 00:00:00
Version 0.0
GlobalFlagsClear (EMPTY)
GlobalFlagsSet (EMPTY)
CriticalSectionDefaultTimeout 0
DeCommitFreeBlockThreshold 0
DeCommitTotalFreeThreshold 0
LockPrefixTable 0
MaximumAllocationSize 0
VirtualMemoryThreshold 0
ProcessAffinityMask 0
ProcessHeapFlags (EMPTY)
CSDVersion 0
Reserved1 0
EditList 0
SecurityCookie 0x42c008
SEHandlerTable 0x429f30
SEHandlerCount 3

RICH Header

XOR Key 0x906c598
Unmarked objects 0
241 (40116) 12
243 (40116) 172
242 (40116) 24
ASM objects (VS2015 UPD3 build 24123) 18
C++ objects (VS2015 UPD3 build 24123) 29
C objects (VS2015 UPD3 build 24123) 18
Imports (65501) 7
Total imports 115
C objects (VS2015 UPD3 build 24210) 17
Resource objects (VS2015 UPD3 build 24210) 1
Linker (VS2015 UPD3 build 24210) 1

Errors
