5b091ec2338932d7ecfd5bfb4f5a8a7e

Summary

Architecture IMAGE_FILE_MACHINE_I386
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date 2019-Jun-18 15:30:08
Detected languages English - United States
Debug artifacts C:\Users\Usuario\Documents\Proyectos\sher.lock\Debug\LooCipher.pdb

Plugin Output

Suspicious Strings found in the binary may indicate undesirable behavior: Contains references to system / monitoring tools:
  • procexp.exe
Looks for VMWare presence:
  • vmtools
Accesses the WMI:
  • ROOT\wmi
Info Cryptographic algorithms detected in the binary: Uses constants related to CRC32
Uses constants related to SHA1
Uses constants related to SHA256
Microsoft's Cryptography API
Malicious This program contains valid cryptocurrency addresses. Contains a valid Bitcoin address:
  • 19YmdTjw7ZWHEDac8wWzCNdZT8oXsDedtV
  • 1Azfk7fWwCRynRk8p7qupLqqaADsjwFm4N
  • 1CrdZvvtzrZTJ78k92XuPizhhgtDxQ8c4B
  • 1JHEqi4QsTWz4gB9qZTACP7JggJzAmf6eA
  • 1Ps5Vd9dKWuy9FuMDkec9qquCyTLjc2Bxe
Suspicious The PE is possibly packed. Unusual section name found: .textbss
Section .textbss is both writable and executable.
Suspicious The PE contains functions most legitimate programs don't use. [!] The program may be hiding some of its imports:
  • GetProcAddress
  • LoadLibraryExW
  • LoadLibraryW
Functions which can be used for anti-debugging purposes:
  • SwitchToThread
Possibly launches other programs:
  • CreateProcessA
  • CreateProcessW
Uses Microsoft's cryptographic API:
  • CryptReleaseContext
  • CryptAcquireContextA
  • CryptGenRandom
Can create temporary files:
  • CreateFileW
  • GetTempPathW
Memory manipulation functions often used by packers:
  • VirtualAlloc
  • VirtualProtect
Has Internet access capabilities:
  • InternetCloseHandle
  • InternetOpenUrlA
  • InternetReadFile
  • InternetOpenA
Enumerates local disk drives:
  • GetLogicalDriveStringsA
  • GetDriveTypeW
Suspicious No VirusTotal score. This file has never been scanned on VirusTotal.

Hashes

MD5 5b091ec2338932d7ecfd5bfb4f5a8a7e
SHA1 ee023336503309f99850178a14e1c4bea2330334
SHA256 998efa93f7201bef6a7b068929e6736b214f3e213ccff3e984e9d180ea8a695a
SHA3 de284a7cad8f95afc2c6a0e15ce7c1a32f64ddea5aeb87ef983d5728097e140d
SSDeep 49152:Fs8A5v8jPn/w/L8wLtvoTvBPqFIrQLsfKrdHRn9/rEw1FD2mqY4EeKp4gUCKjl:KJi28wLtvo7BPq6GZzdX
Imports Hash 8c1957dde2f628fdcbe049f10f2266a0

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0x108

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_I386
NumberofSections 9
TimeDateStamp 2019-Jun-18 15:30:08
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xe0
Characteristics IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE

Image Optional Header

Magic PE32
LinkerVersion 14.0
SizeOfCode 0x421600
SizeOfInitializedData 0x156a00
SizeOfUninitializedData 0
AddressOfEntryPoint 0x001FB2AC (Section: .text)
BaseOfCode 0x1000
BaseOfData 0x1000
ImageBase 0x950000
SectionAlignment 0x1000
FileAlignment 0x200
OperatingSystemVersion 6.0
ImageVersion 0.0
SubsystemVersion 6.0
Win32VersionValue 0
SizeOfImage 0x771000
SizeOfHeaders 0x400
Checksum 0
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
DllCharacteristics IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
SizeofStackReserve 0x100000
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

.textbss

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA3 a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a
VirtualSize 0x1f31f1
VirtualAddress 0x1000
SizeOfRawData 0
PointerToRawData 0
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.text

MD5 ba4727a04080758c9ce5f692be4080cf
SHA1 c4bafafc736e80e00f5918f5cd6c2d64641338cf
SHA256 612b34cb633d971e8a44419c455838f4e99e83da4f4c63f9d368be162be5abac
SHA3 71b479f4ee84fb3566384c37c8db5343ac068aa07793efb5c9166adfef927933
VirtualSize 0x421487
VirtualAddress 0x1f5000
SizeOfRawData 0x421600
PointerToRawData 0x400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
Entropy 4.90425

.rdata

MD5 b3c6497a838dc30ca4d5885c49af1c00
SHA1 82757c95e20e9a9e4adeb22dd16ac377fedab62d
SHA256 9e24dda480e2ff7338c99c6fce56afa5917e15f95599c29a3e58e753bdf23cc3
SHA3 17d73f2288d3dfaa3b5b9e0cf47c2b968624649f5421fe1f2120267775dfe3f3
VirtualSize 0xfe502
VirtualAddress 0x617000
SizeOfRawData 0xfe600
PointerToRawData 0x421a00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 0.895663

.data

MD5 5dfcab4ac5a2e991d7b3b02c316d2254
SHA1 5cb2dcdad338a8d076d6aa6092d794167d3d087a
SHA256 265d2baf19bbe76732b75012170cc345a0f0201457a4b31eddadfb912e6f6bd2
SHA3 4320fa462b7133fe87927a863259d7e10a36816e02b97bc587045475b3f17e01
VirtualSize 0x2bd94
VirtualAddress 0x716000
SizeOfRawData 0x14000
PointerToRawData 0x520000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 0.817597

.idata

MD5 636225032f68c85990da6d01ced79df3
SHA1 a0a324b9ab976006c5c95ce1bf374d3c65477284
SHA256 3a0b88c300663bacd68e3106d0acd4755195a81f38ad64f5235ab47548b68056
SHA3 ba9cf500540c861ad573dfd17c803e408587184f3440a2c6ff6b78662d402b3c
VirtualSize 0x1eff
VirtualAddress 0x742000
SizeOfRawData 0x2000
PointerToRawData 0x534000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 5.08629

.tls

MD5 c573bd7cea296a9c5d230ca6b5aee1a6
SHA1 04a0b9fde89c71864acaf5e74689fe4c269bd7a8
SHA256 13bde09a110c13b533dc985f3e2c475b6f6bcf514d1a23fce5b784a653548e91
SHA3 3679da6860e8ab20485113de9ac22dfe22ddc29d53f14ddc33a648aa98196361
VirtualSize 0x309
VirtualAddress 0x744000
SizeOfRawData 0x400
PointerToRawData 0x536000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 0.0111738

.00cfg

MD5 8a79e7a83a1eb71829fa853279dc754b
SHA1 81db185dc5471538a249a314716e0b4e33c164d5
SHA256 bebee9ea2426cce511151600891e84e7553efffa4f0a44e8d46f0f931e12e035
SHA3 295817baf6a3908c5912417fb3b8fb5f0f7524f376f10c6e9e4bdcc3b88a3bde
VirtualSize 0x104
VirtualAddress 0x745000
SizeOfRawData 0x200
PointerToRawData 0x536400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 0.0611629

.rsrc

MD5 bf6f25ea585f2d6ed7064cb206d2af29
SHA1 90d6bfe1cc6469e4e555a8a74cdfcc22f5463257
SHA256 9ce4636532e503dc423b608858c45a03d3a373703638ddf6efa4d2311408add2
SHA3 42dd67ef290b7e7c45a12eb30ccb90157521db1995b34d07993d63a9cde7f71f
VirtualSize 0x43c
VirtualAddress 0x746000
SizeOfRawData 0x600
PointerToRawData 0x536600
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 2.13629

.reloc

MD5 10c3cb6ff724c226fca39bcd1ddca92e
SHA1 9003e5bd061092ba6e6605e6a610ab55f8aad5f5
SHA256 9cb65510f1d425fb8110cc9d7b532b6b2576e7d260884fb24f0827baa6b131ca
SHA3 3f60594ac54ffa288cbc4d576c77bcf121b48511efda893cd49d99b9221139d3
VirtualSize 0x298a8
VirtualAddress 0x747000
SizeOfRawData 0x29a00
PointerToRawData 0x536c00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Entropy 6.11746

Imports

KERNEL32.dll GetLocalTime
GetShortPathNameA
GetLogicalDriveStringsA
GetStartupInfoA
WritePrivateProfileStringA
MultiByteToWideChar
IsDebuggerPresent
DebugBreak
GlobalAlloc
GlobalUnlock
GlobalLock
GetPrivateProfileStringA
GetLastError
SetLastError
QueryPerformanceCounter
QueryPerformanceFrequency
GetCurrentThread
GetThreadTimes
ReadConsoleW
FreeEnvironmentStringsW
GetEnvironmentStringsW
GetCommandLineW
GetCommandLineA
GetOEMCP
IsValidCodePage
FindNextFileA
FindFirstFileExA
SetStdHandle
CreateProcessA
SetConsoleCtrlHandler
WriteConsoleW
OutputDebugStringA
HeapQueryInformation
HeapReAlloc
HeapSize
ReadFile
GetConsoleMode
GetConsoleCP
FlushFileBuffers
GetFileType
EnumSystemLocalesW
GetUserDefaultLCID
IsValidLocale
GetTimeFormatW
GetDateFormatW
CreateProcessW
GetExitCodeProcess
GetACP
WriteFile
GetStdHandle
ExitProcess
ResumeThread
ExitThread
DeleteFileW
MoveFileExW
RemoveDirectoryW
GetCurrentDirectoryW
GetCurrentDirectoryA
SetCurrentDirectoryW
TerminateThread
CreateThread
Sleep
CreateEventA
CreateMutexA
ReleaseMutex
WaitForSingleObject
SetEvent
CloseHandle
GetTimeZoneInformation
GetEnvironmentVariableA
SetCurrentDirectoryA
SetEnvironmentVariableW
SetEnvironmentVariableA
GetFullPathNameA
GetFullPathNameW
GetDriveTypeW
GetModuleHandleExW
WideCharToMultiByte
FormatMessageW
CreateDirectoryW
CreateFileW
FindClose
FindFirstFileExW
FindNextFileW
GetDiskFreeSpaceExW
GetFileAttributesExW
GetFileInformationByHandle
SetEndOfFile
SetFileAttributesW
SetFilePointerEx
SetFileTime
GetTempPathW
AreFileApisANSI
CopyFileW
CreateHardLinkW
DuplicateHandle
WaitForSingleObjectEx
GetCurrentProcess
GetCurrentThreadId
GetExitCodeThread
GetNativeSystemInfo
EnterCriticalSection
LeaveCriticalSection
TryEnterCriticalSection
DeleteCriticalSection
EncodePointer
DecodePointer
InitializeCriticalSectionAndSpinCount
CreateEventW
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
GetSystemTimeAsFileTime
GetTickCount
GetModuleHandleW
GetProcAddress
CompareStringW
LCMapStringW
GetLocaleInfoW
GetStringTypeW
GetCPInfo
ResetEvent
InitializeSListHead
UnhandledExceptionFilter
SetUnhandledExceptionFilter
TerminateProcess
IsProcessorFeaturePresent
GetStartupInfoW
RaiseException
GetCurrentProcessId
HeapAlloc
HeapFree
GetProcessHeap
VirtualQuery
FreeLibrary
CreateTimerQueue
SignalObjectAndWait
SwitchToThread
SetThreadPriority
GetThreadPriority
GetLogicalProcessorInformation
CreateTimerQueueTimer
ChangeTimerQueueTimer
DeleteTimerQueueTimer
GetNumaHighestNodeNumber
GetProcessAffinityMask
SetThreadAffinityMask
RegisterWaitForSingleObject
UnregisterWait
OutputDebugStringW
FreeLibraryAndExitThread
GetModuleFileNameW
GetModuleHandleA
LoadLibraryExW
GetVersionExW
VirtualAlloc
VirtualProtect
VirtualFree
SetProcessAffinityMask
ReleaseSemaphore
InterlockedPopEntrySList
InterlockedPushEntrySList
InterlockedFlushSList
QueryDepthSList
UnregisterWaitEx
WaitForMultipleObjectsEx
LoadLibraryW
RtlUnwind
HeapValidate
GetSystemInfo
GetModuleFileNameA
RtlCaptureStackBackTrace
USER32.dll PeekMessageA
DispatchMessageA
GetMessageA
TrackMouseEvent
LoadCursorA
SetClassLongA
GetClassLongA
MessageBoxW
SetWindowTextA
UpdateWindow
GetSystemMetrics
EnableWindow
KillTimer
SetTimer
EmptyClipboard
SetClipboardData
CloseClipboard
OpenClipboard
GetDlgCtrlID
CreateWindowExW
RegisterClassW
PostQuitMessage
DefWindowProcW
SendMessageA
TranslateMessage
SystemParametersInfoA
EnumDisplaySettingsA
ChangeDisplaySettingsA
SetWindowLongA
GetWindowLongA
ShowCursor
AdjustWindowRect
GetWindowRect
GetDC
SetForegroundWindow
SetWindowPos
ShowWindow
DestroyWindow
CreateWindowExA
DefWindowProcA
GDI32.dll SetBkColor
DeleteObject
CreateSolidBrush
CreateFontA
SetDIBitsToDevice
SetTextColor
ADVAPI32.dll CryptReleaseContext
CryptAcquireContextA
CryptGenRandom
SHELL32.dll SHGetSpecialFolderPathA
WININET.dll InternetCloseHandle
InternetOpenUrlA
InternetReadFile
InternetOpenA

Delayed Imports

1

Type RT_MANIFEST
Language English - United States
Codepage UNKNOWN
Size 0x17d
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 4.91161
MD5 1e4a89b11eae0fcf8bb5fdd5ec3b6f61
SHA1 4260284ce14278c397aaf6f389c1609b0ab0ce51
SHA256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df
SHA3 4bb9e8b5a714cae82782f3831cc2d45f4bf4a50a755fe584d2d1893129d68353

Version Info

IMAGE_DEBUG_TYPE_CODEVIEW

Characteristics 0
TimeDateStamp 2019-Jun-14 15:47:16
Version 0.0
SizeofData 91
AddressOfRawData 0x6e5ac4
PointerToRawData 0x4f04c4
Referenced File C:\Users\Usuario\Documents\Proyectos\sher.lock\Debug\LooCipher.pdb

IMAGE_DEBUG_TYPE_VC_FEATURE

Characteristics 0
TimeDateStamp 2019-Jun-14 15:47:16
Version 0.0
SizeofData 20
AddressOfRawData 0x6e5b20
PointerToRawData 0x4f0520

TLS Callbacks

StartAddressOfRawData 0x1094000
EndAddressOfRawData 0x1094208
AddressOfIndex 0x1090384
AddressOfCallbacks 0xf67e2c
SizeOfZeroFill 0
Characteristics IMAGE_SCN_ALIGN_4BYTES
Callbacks (EMPTY)

Load Configuration

Size 0x68
TimeDateStamp 1970-Jan-01 00:00:00
Version 0.0
GlobalFlagsClear (EMPTY)
GlobalFlagsSet (EMPTY)
CriticalSectionDefaultTimeout 0
DeCommitFreeBlockThreshold 0
DeCommitTotalFreeThreshold 0
LockPrefixTable 0
MaximumAllocationSize 0
VirtualMemoryThreshold 0
ProcessAffinityMask 0
ProcessHeapFlags (EMPTY)
CSDVersion 0
Reserved1 0
EditList 0
SecurityCookie 0x1066254
SEHandlerTable 0
SEHandlerCount 0

RICH Header

XOR Key 0x1c2e1b8f
Unmarked objects 0
ASM objects (24610) 28
C++ objects (24610) 197
C objects (24610) 26
ASM objects (24723) 23
C++ objects (24723) 132
C objects (24723) 37
Imports (24610) 13
Total imports 227
C++ objects (VS2017 v15.2 compiler 25019) 37
Resource objects (VS2017 v15.2 compiler 25019) 1
Linker (VS2017 v15.2 compiler 25019) 1

Errors

[*] Warning: Section .textbss has a size of 0! [!] Error: Yara error: ERROR_TOO_MANY_MATCHES