Architecture | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date | 2017-Feb-23 19:28:24 |
Info | Matching compiler(s): Microsoft Visual C++ 6.0 - 8.0 (signature match only; LinkerVersion 12.0 in the optional header and the VS2013 build 21005 entries in the Rich header identify the Visual Studio 2013 toolchain, which is the more reliable evidence) |
Info | Libraries used to perform cryptographic operations: Microsoft's Cryptography API (only the hashing functions CryptCreateHash, CryptHashData and CryptGetHashParam are imported; no CryptEncrypt, CryptGenKey or CryptDeriveKey appears in the import table, so any encryption routine is not visible statically) |
Suspicious | The PE contains functions most legitimate programs don't use. [!] The program may be hiding some of its imports: (the import table below includes GetProcAddress and LoadLibraryW, the pair used to resolve further APIs at run time, so the static import list is only a lower bound) |
Suspicious | The file contains overlay data. 35740 bytes of data starting at offset 0x19000. The overlay data has an entropy of 7.99449 and is possibly compressed or encrypted. |
Malicious | VirusTotal score: 59/65 (Scanned on 2020-08-22 07:35:01) |
Bkav: W32.AIDetectVM.malware2
Elastic: malicious (high confidence)
MicroWorld-eScan: Gen:Variant.Mikey.60871
FireEye: Generic.mg.5c6c5b00d4cd08cc
CAT-QuickHeal: Trojan.Dynamer.S438666
McAfee: GenericRXAY-GP!5C6C5B00D4CD
Malwarebytes: Ransom.Satan
Zillya: Trojan.Injector.Win32.474808
Sangfor: Malware
K7AntiVirus: Trojan ( 005043871 )
Alibaba: Ransom:Win32/Nasan.475ba13b
K7GW: Trojan ( 005043871 )
Cybereason: malicious.0d4cd0
Arcabit: Trojan.Mikey.DEDC7
Invincea: heuristic
BitDefenderTheta: AI:Packer.026B88071E
Cyren: W32/Ransom.Satan.A.gen!Eldorado
Symantec: Trojan.Exedapan!gm
ESET-NOD32: Win32/Filecoder.Natas.A
TrendMicro-HouseCall: Ransom_NATAS.SM1
Paloalto: generic.ml
ClamAV: Win.Ransomware.Satan-5713061-0
Kaspersky: HEUR:Trojan-Ransom.Win32.Generic
BitDefender: Gen:Variant.Mikey.60871
NANO-Antivirus: Trojan.Win32.DKPS.elolak
AegisLab: Trojan.Win32.Generic.4!c
Avast: Win32:Ransom-AZF [Trj]
Rising: Trojan.Ransom.Satan!1.AEB7 (CLOUD)
Ad-Aware: Gen:Variant.Mikey.60871
Comodo: TrojWare.Win32.Lepoh.A@70zinc
F-Secure: Trojan.TR/Dropper.Gen2
VIPRE: Trojan.Win32.Generic!BT
TrendMicro: Ransom_NATAS.SM1
Sophos: Troj/Ransom-ECZ
SentinelOne: DFI - Malicious PE
Jiangmin: Trojan.Generic.aslcn
Avira: TR/Dropper.Gen2
MAX: malware (ai score=100)
Antiy-AVL: Trojan/Win32.AGeneric
Microsoft: Ransom:Win32/Nasan.B!bit
SUPERAntiSpyware: Ransom.Satan/Variant
ZoneAlarm: HEUR:Trojan-Ransom.Win32.Generic
GData: Gen:Variant.Mikey.60871
Cynet: Malicious (score: 100)
AhnLab-V3: Malware/Win32.Generic.C1768929
Acronis: suspicious
ALYac: Gen:Variant.Mikey.60871
VBA32: BScope.TrojanRansom.Shaitan
Cylance: Unsafe
APEX: Malicious
Tencent: Malware.Win32.Gencirc.10b73ee2
Yandex: Trojan.Agent!af0KSSFlz5A
Ikarus: Trojan.Kazy
eGambit: Unsafe.AI_Score_96%
Fortinet: W32/Generic.AC.3D6041!tr
AVG: Win32:Ransom-AZF [Trj]
Panda: Trj/Genetic.gen
CrowdStrike: win/malicious_confidence_100% (W)
Qihoo-360: Win32/Trojan.BO.91d |
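The overlay finding above (offset, size, entropy) is derived from the section table alone: anything past the end of the last section's raw data is never mapped by the loader, and a Shannon entropy close to 8 bits per byte is what justifies the "possibly compressed or encrypted" verdict. The following Python is an added example, not code from the report or from the analysis tool that produced it; it recomputes those three values on a minimal PE32 image constructed in `build_sample_pe`, and the 7.0 entropy threshold in `overlay_report` is an assumption chosen for the demo.

```python
import math
import struct
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty or single-valued input,
    8.0 for a uniform byte distribution (compressed or encrypted data sits near 8)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def overlay_offset(pe: bytes) -> int:
    """File offset where overlay data begins: the end of the last section's raw
    data, the furthest byte the loader will ever map. Only the COFF header and
    section table are read, so this also works on images with damaged headers."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                    # IMAGE_FILE_HEADER
    number_of_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    size_of_optional = struct.unpack_from("<H", pe, coff + 16)[0]
    first_section = coff + 20 + size_of_optional           # IMAGE_SECTION_HEADER[]
    end = 0
    for i in range(number_of_sections):
        # SizeOfRawData and PointerToRawData sit at +16 and +20 of each 40-byte header
        size_raw, ptr_raw = struct.unpack_from("<II", pe, first_section + 40 * i + 16)
        end = max(end, ptr_raw + size_raw)
    return end


def overlay_report(pe: bytes, packed_threshold: float = 7.0) -> dict:
    """Mirror the three facts the report states about the overlay.
    packed_threshold is an assumed cut-off for the 'compressed or encrypted' flag."""
    start = overlay_offset(pe)
    data = pe[start:]
    entropy = shannon_entropy(data)
    return {"offset": start, "size": len(data), "entropy": entropy,
            "possibly_compressed_or_encrypted": entropy > packed_threshold}


def build_sample_pe(overlay_data: bytes) -> bytes:
    """Constructed minimal PE32 image for the demo (not the file in the report):
    DOS header, COFF and optional header, one .text section whose raw data ends
    at file offset 0x400, and overlay_data appended after it."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # i386, 1 section, SizeOfOptionalHeader 0xE0, EXECUTABLE_IMAGE | 32BIT_MACHINE
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)
    optional = struct.pack("<H", 0x10B) + b"\0" * (0xE0 - 2)  # PE32 magic, rest zero
    section = b".text".ljust(8, b"\0") + struct.pack(
        "<IIIIIIHHI", 0x1000, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    headers = (dos + b"PE\0\0" + coff + optional + section).ljust(0x200, b"\0")
    return headers + b"\xCC" * 0x200 + overlay_data


if __name__ == "__main__":
    # Uniform byte distribution appended as overlay: entropy is exactly 8.0
    print(overlay_report(build_sample_pe(bytes(range(256)) * 10)))
```

On the real sample the same computation should yield offset 0x19000 and 35740 bytes; an entropy that high with no matching section means the payload is not something the loader maps, so the program itself must read and unpack it (consistent with the CreateFileW/ReadFile/VirtualAlloc imports listed below).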
e_magic | MZ |
---|---|
e_cblp | 0x90 |
e_cp | 0x3 |
e_crlc | 0 |
e_cparhdr | 0x4 |
e_minalloc | 0 |
e_maxalloc | 0xffff |
e_ss | 0 |
e_sp | 0xb8 |
e_csum | 0 |
e_ip | 0 |
e_cs | 0 |
e_ovno | 0 |
e_oemid | 0 |
e_oeminfo | 0 |
e_lfanew | 0xd8 |
Signature | PE |
---|---|
Machine | IMAGE_FILE_MACHINE_I386 |
NumberofSections | 4 |
TimeDateStamp | 2017-Feb-23 19:28:24 |
PointerToSymbolTable | 0 |
NumberOfSymbols | 0 |
SizeOfOptionalHeader | 0xe0 |
Characteristics | IMAGE_FILE_32BIT_MACHINE IMAGE_FILE_EXECUTABLE_IMAGE |
Magic | PE32 |
---|---|
LinkerVersion | 12.0 |
SizeOfCode | 0x4800 |
SizeOfInitializedData | 0x14c00 |
SizeOfUninitializedData | 0 |
AddressOfEntryPoint | 0x000013B9 (Section: .text) |
BaseOfCode | 0x1000 |
BaseOfData | 0x6000 |
ImageBase | 0x400000 |
SectionAlignment | 0x1000 |
FileAlignment | 0x200 |
OperatingSystemVersion | 5.1 |
ImageVersion | 1.0 |
SubsystemVersion | 5.1 |
Win32VersionValue | 0 |
SizeOfImage | 0x1c000 |
SizeOfHeaders | 0x400 |
Checksum | 0 |
Subsystem | IMAGE_SUBSYSTEM_WINDOWS_GUI |
DllCharacteristics | IMAGE_DLLCHARACTERISTICS_NX_COMPAT IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE (IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE is absent, so the image is not ASLR-relocatable and always loads at ImageBase 0x400000; the load configuration's SEHandlerTable of 0 means there is no SafeSEH handler table either, although a /GS SecurityCookie is present) |
SizeofStackReserve | 0x100000 |
SizeofStackCommit | 0x1000 |
SizeofHeapReserve | 0x100000 |
SizeofHeapCommit | 0x1000 |
LoaderFlags | 0 |
NumberOfRvaAndSizes | 16 |
KERNEL32.dll | Process32NextW CreateToolhelp32Snapshot GetThreadContext RemoveVectoredExceptionHandler SetUnhandledExceptionFilter LoadLibraryW AddVectoredExceptionHandler Process32FirstW TerminateProcess OpenProcess CreateProcessW VirtualQuery GetModuleHandleW GetCurrentProcess GetProcessHeap HeapFree HeapAlloc GetModuleHandleA GetProcAddress GetModuleFileNameW Sleep GetCommandLineW ExitProcess DeleteFileW CloseHandle VirtualAlloc CreateFileW ReadFile VirtualFree GetCurrentThread GetFileSize UnhandledExceptionFilter IsProcessorFeaturePresent IsDebuggerPresent RtlUnwind |
---|---|
USER32.dll | FindWindowW |
ADVAPI32.dll | CryptAcquireContextW GetUserNameW CryptHashData CryptDestroyHash CryptCreateHash CryptReleaseContext CryptGetHashParam |
Size | 0x48 |
---|---|
TimeDateStamp | 1970-Jan-01 00:00:00 |
Version | 0.0 |
GlobalFlagsClear | (EMPTY) |
GlobalFlagsSet | (EMPTY) |
CriticalSectionDefaultTimeout | 0 |
DeCommitFreeBlockThreshold | 0 |
DeCommitTotalFreeThreshold | 0 |
LockPrefixTable | 0 |
MaximumAllocationSize | 0 |
VirtualMemoryThreshold | 0 |
ProcessAffinityMask | 0 |
ProcessHeapFlags | (EMPTY) |
CSDVersion | 0 |
Reserved1 | 0 |
EditList | 0 |
SecurityCookie | 0x41a7d0 |
SEHandlerTable | 0 |
SEHandlerCount | 0 |
XOR Key | 0x5920566c |
---|---|
Unmarked objects | 0 |
Unmarked objects (#2) | 1 |
Imports (VS2008 SP1 build 30729) | 11 |
Total imports | 123 |
ASM objects (20806) | 4 |
C objects (20806) | 10 |
229 (VS2013 build 21005) | 17 |
Linker (VS2013 build 21005) | 1 |
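The Rich header table above (XOR key plus per-toolchain object counts) is the linker's record of which compiler builds produced the object files. Its XOR key is not random: it is a checksum over the DOS header bytes (skipping e_lfanew) and over the (compid, count) entries, so the key can be recomputed and compared against the stored one; a mismatch means the DOS stub or the header was edited after linking, which is what a forged or copied Rich header looks like. The following Python is an added example, not code from the report or from the analysis tool; it builds, parses and validates a Rich header on a constructed sample in `build_sample_pe`. The product ids in that sample are illustrative, while the build numbers 21005 (VS2013 RTM) and 30729 (VS2008 SP1) match the entries in the report.

```python
import struct

DANS = 0x536E6144   # "DanS" read as a little-endian DWORD
RICH = b"Rich"


def rol32(value: int, count: int) -> int:
    """32-bit rotate left, the primitive the linker's checksum is built on."""
    count &= 31
    value &= 0xFFFFFFFF
    return ((value << count) | (value >> (32 - count))) & 0xFFFFFFFF


def rich_checksum(dos_prefix: bytes, entries) -> int:
    """The value the linker stores as the Rich header XOR key.
    dos_prefix: every file byte before the DanS marker (DOS header and stub).
    entries: (compid, count) pairs, compid = (prodid << 16) | build."""
    cksum = len(dos_prefix)                   # seeded with the DanS offset
    for i, b in enumerate(dos_prefix):
        if 0x3C <= i < 0x40:                  # e_lfanew is excluded from the sum
            continue
        cksum = (cksum + rol32(b, i)) & 0xFFFFFFFF
    for compid, count in entries:
        cksum = (cksum + rol32(compid, count)) & 0xFFFFFFFF
    return cksum


def build_rich_header(dos_prefix: bytes, entries) -> bytes:
    """Serialise a Rich header the way the linker lays it out (constructed helper):
    DanS, three zero padding DWORDs and the entries, each XORed with the key,
    followed by the clear-text "Rich" marker and the key itself."""
    key = rich_checksum(dos_prefix, entries)
    words = [DANS, 0, 0, 0]
    for compid, count in entries:
        words += [compid, count]
    encoded = b"".join(struct.pack("<I", w ^ key) for w in words)
    return encoded + RICH + struct.pack("<I", key)


def parse_rich_header(pe: bytes):
    """Locate, decode and validate the Rich header. Returns None if absent, else
    the key, the decoded entries and whether the stored key equals the checksum
    recomputed from the DOS bytes and entries."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    rich_at = pe.rfind(RICH, 0, e_lfanew)     # the header always precedes the PE header
    if rich_at < 0:
        return None
    key = struct.unpack_from("<I", pe, rich_at + 4)[0]
    dans_at = pe.rfind(struct.pack("<I", DANS ^ key), 0, rich_at)
    if dans_at < 0:
        return None
    body = pe[dans_at + 16:rich_at]           # skip DanS and the three padding DWORDs
    if len(body) % 8:
        return None
    words = [w ^ key for w in struct.unpack("<%dI" % (len(body) // 4), body)]
    entries = list(zip(words[0::2], words[1::2]))
    return {
        "key": key,
        "entries": [{"prodid": c >> 16, "build": c & 0xFFFF, "count": n}
                    for c, n in entries],
        "checksum_ok": rich_checksum(pe[:dans_at], entries) == key,
    }


def build_sample_pe() -> bytes:
    """Constructed DOS header + stub + Rich header + PE signature (not the file in
    the report). compid 0 with count 1 is the 'unmarked objects' entry; the other
    product ids are illustrative."""
    entries = [(0, 1), ((0x0001 << 16) | 30729, 11), ((0x0002 << 16) | 21005, 17)]
    stub_len = 0x80
    rich_len = 16 + 8 * len(entries) + 8
    e_lfanew = stub_len + rich_len
    dos_prefix = (b"MZ" + b"\0" * (0x3C - 2)
                  + struct.pack("<I", e_lfanew)).ljust(stub_len, b"\0")
    return dos_prefix + build_rich_header(dos_prefix, entries) + b"PE\0\0"


if __name__ == "__main__":
    print(parse_rich_header(build_sample_pe()))
```

Run against a real file, `parse_rich_header` gives the same key and counts the table above reports, and `checksum_ok` is the check to consult before treating the toolchain entries as evidence of provenance.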