5c6c5b00d4cd08cc02e76978b0fe5d7b

Summary

Architecture IMAGE_FILE_MACHINE_I386
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date 2017-Feb-23 19:28:24

Plugin Output

Info Matching compiler(s): Microsoft Visual C++ 6.0 - 8.0
Info Libraries used to perform cryptographic operations: Microsoft's Cryptography API
Suspicious The PE contains functions most legitimate programs don't use. [!] The program may be hiding some of its imports:
  • LoadLibraryW
  • GetProcAddress
Functions which can be used for anti-debugging purposes:
  • CreateToolhelp32Snapshot
  • FindWindowW
Possibly launches other programs:
  • CreateProcessW
Uses Microsoft's cryptographic API:
  • CryptAcquireContextW
  • CryptHashData
  • CryptDestroyHash
  • CryptCreateHash
  • CryptReleaseContext
  • CryptGetHashParam
Manipulates other processes:
  • Process32NextW
  • Process32FirstW
  • OpenProcess
Suspicious The file contains overlay data. 35740 bytes of data starting at offset 0x19000.
The overlay data has an entropy of 7.99449 and is possibly compressed or encrypted.
Malicious VirusTotal score: 59/65 (Scanned on 2020-08-22 07:35:01) Bkav: W32.AIDetectVM.malware2
Elastic: malicious (high confidence)
MicroWorld-eScan: Gen:Variant.Mikey.60871
FireEye: Generic.mg.5c6c5b00d4cd08cc
CAT-QuickHeal: Trojan.Dynamer.S438666
McAfee: GenericRXAY-GP!5C6C5B00D4CD
Malwarebytes: Ransom.Satan
Zillya: Trojan.Injector.Win32.474808
Sangfor: Malware
K7AntiVirus: Trojan ( 005043871 )
Alibaba: Ransom:Win32/Nasan.475ba13b
K7GW: Trojan ( 005043871 )
Cybereason: malicious.0d4cd0
Arcabit: Trojan.Mikey.DEDC7
Invincea: heuristic
BitDefenderTheta: AI:Packer.026B88071E
Cyren: W32/Ransom.Satan.A.gen!Eldorado
Symantec: Trojan.Exedapan!gm
ESET-NOD32: Win32/Filecoder.Natas.A
TrendMicro-HouseCall: Ransom_NATAS.SM1
Paloalto: generic.ml
ClamAV: Win.Ransomware.Satan-5713061-0
Kaspersky: HEUR:Trojan-Ransom.Win32.Generic
BitDefender: Gen:Variant.Mikey.60871
NANO-Antivirus: Trojan.Win32.DKPS.elolak
AegisLab: Trojan.Win32.Generic.4!c
Avast: Win32:Ransom-AZF [Trj]
Rising: Trojan.Ransom.Satan!1.AEB7 (CLOUD)
Ad-Aware: Gen:Variant.Mikey.60871
Comodo: TrojWare.Win32.Lepoh.A@70zinc
F-Secure: Trojan.TR/Dropper.Gen2
VIPRE: Trojan.Win32.Generic!BT
TrendMicro: Ransom_NATAS.SM1
Sophos: Troj/Ransom-ECZ
SentinelOne: DFI - Malicious PE
Jiangmin: Trojan.Generic.aslcn
Avira: TR/Dropper.Gen2
MAX: malware (ai score=100)
Antiy-AVL: Trojan/Win32.AGeneric
Microsoft: Ransom:Win32/Nasan.B!bit
SUPERAntiSpyware: Ransom.Satan/Variant
ZoneAlarm: HEUR:Trojan-Ransom.Win32.Generic
GData: Gen:Variant.Mikey.60871
Cynet: Malicious (score: 100)
AhnLab-V3: Malware/Win32.Generic.C1768929
Acronis: suspicious
ALYac: Gen:Variant.Mikey.60871
VBA32: BScope.TrojanRansom.Shaitan
Cylance: Unsafe
APEX: Malicious
Tencent: Malware.Win32.Gencirc.10b73ee2
Yandex: Trojan.Agent!af0KSSFlz5A
Ikarus: Trojan.Kazy
eGambit: Unsafe.AI_Score_96%
Fortinet: W32/Generic.AC.3D6041!tr
AVG: Win32:Ransom-AZF [Trj]
Panda: Trj/Genetic.gen
CrowdStrike: win/malicious_confidence_100% (W)
Qihoo-360: Win32/Trojan.BO.91d

Hashes

MD5 5c6c5b00d4cd08cc02e76978b0fe5d7b
SHA1 c397c78cb55e4d12a364aa0852f98c03ec9c76b9
SHA256 5c0e7e0eaf646ac019130e4faf545ddf528008afc55917e5f34587ba4d0934aa
SHA3 9dee626ad38b9984aa6008051b2159955105f2de2e63281dc21d7955746e1e06
SSDeep 3072:HmIBtQnE7OhssdWJ5jy392aCmCbBq/eKbgX7MAbgbiyJ+3h:nqvhssdu5jyYaCmCQWx7wbiWO
Imports Hash 65e9607e6f28a7852bb41a6e2e439a92

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0xd8

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_I386
NumberofSections 4
TimeDateStamp 2017-Feb-23 19:28:24
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xe0
Characteristics IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE

Image Optional Header

Magic PE32
LinkerVersion 12.0
SizeOfCode 0x4800
SizeOfInitializedData 0x14c00
SizeOfUninitializedData 0
AddressOfEntryPoint 0x000013B9 (Section: .text)
BaseOfCode 0x1000
BaseOfData 0x6000
ImageBase 0x400000
SectionAlignment 0x1000
FileAlignment 0x200
OperatingSystemVersion 5.1
ImageVersion 1.0
SubsystemVersion 5.1
Win32VersionValue 0
SizeOfImage 0x1c000
SizeOfHeaders 0x400
Checksum 0
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
DllCharacteristics IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
SizeofStackReserve 0x100000
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

.text

MD5 8f06c846c831aec15fc8e887785a52c5
SHA1 87fc89cb3618b48c66b276c2d1f3fffc8e3d6c10
SHA256 6701bc4e7e6dd57746a52aa864a93fd36f864d39962afe889bc279c9cfbf824c
SHA3 01d75b7d838e6c7fb25d2598ac57c26bd5e577c6a27bdf7ef760dbf9109e6be1
VirtualSize 0x46d1
VirtualAddress 0x1000
SizeOfRawData 0x4800
PointerToRawData 0x400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
Entropy 6.21022

.rdata

MD5 cde4d4319d9de4231f198d7099139bb1
SHA1 ae8ab046b2f8eeaec24812380d75ff2efc917125
SHA256 1daa496a74e686e5b64339533c7010354c9eea51459a5f1927c901f30da1488e
SHA3 4370bb9b7bdb772280c9b5a4dd23a9977867b4caa10c8aeafa44902c106fec0e
VirtualSize 0x175c
VirtualAddress 0x6000
SizeOfRawData 0x1800
PointerToRawData 0x4c00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 6.08024

.data

MD5 f503082a94c8b900b7d6f46448d6a114
SHA1 25e90d0be0f28dcd989f729f2302e939f1776d9c
SHA256 8f77ba0776c54025a1ab8e0b9c3aaec3ce799f59b75f866a37168d642ebb1c73
SHA3 2f4930bb2a04b5a701e9b54e8e66149daf56679462334ff3e82281f176fedfee
VirtualSize 0x12ff0
VirtualAddress 0x8000
SizeOfRawData 0x12800
PointerToRawData 0x6400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 4.06315

.reloc

MD5 472b78220b0b88df3d1a5038cfb3f417
SHA1 3ccdfbcccab94f995775fde4ce8f3839f6a6d2fe
SHA256 69c068e331461ebb6e0f1e9bc3c20ded9a1fbfc0d0cebea8a208fbe83cbf189e
SHA3 48f553f6cd9657b01390092033f5531e3e24073899ae9b4a04bde3252e595f2a
VirtualSize 0x300
VirtualAddress 0x1b000
SizeOfRawData 0x400
PointerToRawData 0x18c00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Entropy 5.26442

Imports

KERNEL32.dll Process32NextW
CreateToolhelp32Snapshot
GetThreadContext
RemoveVectoredExceptionHandler
SetUnhandledExceptionFilter
LoadLibraryW
AddVectoredExceptionHandler
Process32FirstW
TerminateProcess
OpenProcess
CreateProcessW
VirtualQuery
GetModuleHandleW
GetCurrentProcess
GetProcessHeap
HeapFree
HeapAlloc
GetModuleHandleA
GetProcAddress
GetModuleFileNameW
Sleep
GetCommandLineW
ExitProcess
DeleteFileW
CloseHandle
VirtualAlloc
CreateFileW
ReadFile
VirtualFree
GetCurrentThread
GetFileSize
UnhandledExceptionFilter
IsProcessorFeaturePresent
IsDebuggerPresent
RtlUnwind
USER32.dll FindWindowW
ADVAPI32.dll CryptAcquireContextW
GetUserNameW
CryptHashData
CryptDestroyHash
CryptCreateHash
CryptReleaseContext
CryptGetHashParam

Delayed Imports

Version Info

TLS Callbacks

Load Configuration

Size 0x48
TimeDateStamp 1970-Jan-01 00:00:00
Version 0.0
GlobalFlagsClear (EMPTY)
GlobalFlagsSet (EMPTY)
CriticalSectionDefaultTimeout 0
DeCommitFreeBlockThreshold 0
DeCommitTotalFreeThreshold 0
LockPrefixTable 0
MaximumAllocationSize 0
VirtualMemoryThreshold 0
ProcessAffinityMask 0
ProcessHeapFlags (EMPTY)
CSDVersion 0
Reserved1 0
EditList 0
SecurityCookie 0x41a7d0
SEHandlerTable 0
SEHandlerCount 0

RICH Header

XOR Key 0x5920566c
Unmarked objects 0
Unmarked objects (#2) 1
Imports (VS2008 SP1 build 30729) 11
Total imports 123
ASM objects (20806) 4
C objects (20806) 10
229 (VS2013 build 21005) 17
Linker (VS2013 build 21005) 1

Errors