6ea5f67548a5449e1d1cba231a104c46

Summary

Architecture IMAGE_FILE_MACHINE_I386
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date 2017-Mar-02 23:49:06
Debug artifacts C:\crysis\Release\PDB\payload.pdb

Plugin Output

Info Cryptographic algorithms detected in the binary: Uses constants related to CRC32
Uses constants related to SHA1
Uses constants related to AES
Suspicious The PE is possibly packed. The PE only has 9 import(s).
Info The PE contains common functions which appear in legitimate applications. [!] The program may be hiding some of its imports:
  • GetProcAddress
  • LoadLibraryA
Malicious VirusTotal score: 58/66 (Scanned on 2018-03-29 10:43:35) Bkav: W32.RansomeDNZ.Trojan
MicroWorld-eScan: Gen:Variant.Ransom.Crysis.6
nProtect: Ransom/W32.crysis.94720
CAT-QuickHeal: Ransom.Crysis.S162740
McAfee: Ransom-FBV!6EA5F67548A5
Cylance: Unsafe
VIPRE: Trojan.Win32.Generic!BT
TheHacker: Trojan/Filecoder.Crysis.l
K7GW: Trojan ( 005018f51 )
K7AntiVirus: Trojan ( 005018f51 )
TrendMicro: Mal_Crysis
Baidu: Win32.Trojan.WisdomEyes.16070401.9500.9991
F-Prot: W32/Wadhrama.B
Symantec: Trojan.Gen.2
ESET-NOD32: a variant of Win32/Filecoder.Crysis.P
TrendMicro-HouseCall: Mal_Crysis
Paloalto: generic.ml
Kaspersky: Trojan-Ransom.Win32.Crusis.to
BitDefender: Gen:Variant.Ransom.Crysis.6
NANO-Antivirus: Trojan.Win32.Filecoder.emdnxn
ViRobot: Trojan.Win32.Ransom.94720.F
SUPERAntiSpyware: Ransom.Crysis/Variant
Avast: Win32:Malware-gen
Tencent: Trojan-Ransom.Win32.Crysis.a
Ad-Aware: Gen:Variant.Ransom.Crysis.6
Sophos: Mal/Criakl-B
Comodo: TrojWare.Win32.Crysis.D
F-Secure: Gen:Variant.Ransom.Crysis.6
DrWeb: Trojan.Encoder.3953
Invincea: heuristic
McAfee-GW-Edition: BehavesLike.Win32.Ransom.nc
Emsisoft: Gen:Variant.Ransom.Crysis.6 (B)
SentinelOne: static engine - malicious
Cyren: W32/Trojan.ILHO-9216
Jiangmin: Trojan.Crypren.ic
Avira: TR/Dropper.Gen
Antiy-AVL: Trojan/Win32.AGeneric
Microsoft: Ransom:Win32/Wadhrama
Endgame: malicious (high confidence)
Arcabit: Trojan.Ransom.Crysis.6
AegisLab: Troj.Ransom.W32.Crusis.tpcS
ZoneAlarm: Trojan-Ransom.Win32.Crusis.to
GData: Win32.Trojan-Ransom.VirusEncoder.A
AhnLab-V3: Trojan/Win32.Genasom.R213980
ALYac: Trojan.Ransom.Crysis
AVware: Trojan.Win32.Generic!BT
MAX: malware (ai score=100)
VBA32: TrojanRansom.Crusis
Malwarebytes: Ransom.Crysis.Generic
Rising: Trojan.Ransom.Crysis!1.A6AA (CLASSIC)
Yandex: Trojan.Crusis!
Ikarus: Trojan-Ransom.Crysis
Fortinet: W32/Crysis.L!tr.ransom
AVG: Win32:Malware-gen
Cybereason: malicious.548a54
Panda: Trj/GdSda.A
CrowdStrike: malicious_confidence_100% (W)
Qihoo-360: Win32/Trojan.Ransom.f44

Hashes

MD5 6ea5f67548a5449e1d1cba231a104c46
SHA1 485973412f16df981c7409ff5224f2fdefe206a9
SHA256 3dff44944e9ac49c6256c5f4fe1deb97faada948ce36eaa45c4ecb1b9be7645c
SHA3 3189d695fa3f7623abd2db2f1c70824f8b2eb99ae4d03da419be7d456e881962
SSDeep 1536:mBwl+KXpsqN5vlwWYyhY9S4APwSzJVOOQScg40sVYLtslXch:Qw+asqN5aW/hL9F6Bb0sU
Imports Hash f86dec4a80961955a89e7ed62046cc0e

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0xc8

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_I386
NumberofSections 3
TimeDateStamp 2017-Mar-02 23:49:06
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xe0
Characteristics IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_RELOCS_STRIPPED

Image Optional Header

Magic PE32
LinkerVersion 10.0
SizeOfCode 0x9e00
SizeOfInitializedData 0xd400
SizeOfUninitializedData 0
AddressOfEntryPoint 0x0000A9D0 (Section: .text)
BaseOfCode 0x1000
BaseOfData 0xb000
ImageBase 0x400000
SectionAlignment 0x1000
FileAlignment 0x200
OperatingSystemVersion 5.1
ImageVersion 0.0
SubsystemVersion 5.1
Win32VersionValue 0
SizeOfImage 0x19000
SizeOfHeaders 0x400
Checksum 0
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
DllCharacteristics IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
SizeofStackReserve 0x100000
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

.text

MD5 fbdfbbcd720021a23c9e78b5511496b0
SHA1 5c72be2ee3d19205fa9ff61766ad3f95555b66c0
SHA256 e11cf5407738e542c34408869af06b533085ceaf3b07206fe7acab65d1695381
SHA3 0ffac7c9104c4f77b665ea11b8400816d08c36b8c812808918f2950f7d224ae6
VirtualSize 0x9c25
VirtualAddress 0x1000
SizeOfRawData 0x9e00
PointerToRawData 0x400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
Entropy 5.96531

.rdata

MD5 bbeae82a2350eeb7334fa155ebec76d2
SHA1 6dd024c3a83bb3b23509791884386b7052b94f73
SHA256 ef62a9f07c1027610b7f143c15cc0080767610a602ce6545ed265c8d5b1f9dad
SHA3 71568bf51acdceff6afdecd40eca3016cf8a0a882b8a33f8262df8dec7048b23
VirtualSize 0x2636
VirtualAddress 0xb000
SizeOfRawData 0x2800
PointerToRawData 0xa200
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 7.78504

.data

MD5 208fb8a183a9164c3af5f1b0bd8ffa29
SHA1 bef1e517025f8114dc576a94ee054133083b5b3f
SHA256 cc61f8d3b281e7aee8598e29e3fee6c73116eaeaee67bc7949c79fdf64ad435e
SHA3 d3769f178792f1d8de2a3dce3463635d9408b82c445afec4b09ad47fdc1166a4
VirtualSize 0xaad5
VirtualAddress 0xe000
SizeOfRawData 0xa800
PointerToRawData 0xca00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 7.98259

Imports

KERNEL32.dll GetProcAddress
LoadLibraryA
WaitForSingleObject
InitializeCriticalSectionAndSpinCount
LeaveCriticalSection
GetLastError
EnterCriticalSection
ReleaseMutex
CloseHandle

Delayed Imports

Version Info

IMAGE_DEBUG_TYPE_CODEVIEW

Characteristics 0
TimeDateStamp 2017-Mar-02 23:49:06
Version 0.0
SizeofData 58
AddressOfRawData 0xd5fc
PointerToRawData 0xc7fc
Referenced File C:\crysis\Release\PDB\payload.pdb

TLS Callbacks

Load Configuration

RICH Header

XOR Key 0x70f06a4
Unmarked objects 0
Imports (VS2008 SP1 build 30729) 3
Total imports 10
174 (VS2010 SP1 build 40219) 11
Linker (VS2010 SP1 build 40219) 1

Errors

<-- -->