6ffd90e8b1b4c38f801d2a694cd6c01c
This file seems to be a .NET executable.
Sadly, Manalyzer's analysis techniques were designed for native code, so it's likely that this report won't tell you much.
Sorry!
Sadly, Manalyzer's analysis techniques were designed for native code, so it's likely that this report won't tell you much.
Sorry!
Summary
| Architecture |
IMAGE_FILE_MACHINE_I386
|
|---|---|
| Subsystem |
IMAGE_SUBSYSTEM_WINDOWS_GUI
|
| Compilation Date | 2010-Dec-09 18:58:13 |
| Comments | FileLocker |
| CompanyName | system File-Locker Ransomware |
| FileDescription | File-Locker |
| FileVersion | 1.0.0.0 |
| InternalName | File-Locker Ransomware.exe |
| LegalCopyright | Copyright © 2017 |
| LegalTrademarks | www.microsoft.com |
| OriginalFilename | File-Locker Ransomware.exe |
| ProductName | File-Locker |
| ProductVersion | 1.0.0.0 |
| Assembly Version | 1.0.0.0 |
Plugin Output
| Info | Matching compiler(s): |
Microsoft Visual C# v7.0 / Basic .NET
Microsoft Visual C++ 8.0 .NET executable -> Microsoft |
| Suspicious | The PE is possibly a dropper. | Resources amount for 92.8484% of the executable. |
| Suspicious | The file contains overlay data. |
22788 bytes of data starting at offset 0x5c200.
The overlay data has an entropy of 7.62402 and is possibly compressed or encrypted. |
| Malicious | VirusTotal score: 51/67 (Scanned on 2018-01-18 10:02:46) |
MicroWorld-eScan:
Gen:Heur.Ransom.HiddenTears.1
nProtect: Ransom/W32.HiddenTear.400132 CAT-QuickHeal: Ransom.FileLocker.A3 ALYac: Trojan.Ransom.FileLocker Malwarebytes: Ransom.HiddenTear Zillya: Trojan.Filecoder.Win32.6921 CrowdStrike: malicious_confidence_60% (D) K7GW: Trojan ( 004cd60c1 ) K7AntiVirus: Trojan ( 004cd60c1 ) Invincea: heuristic Cyren: W32/Trojan.CKQY-1380 Symantec: Ransom.HiddenTear!g1 TrendMicro-HouseCall: Ransom_HiddenTear.R039C0DLL17 Avast: FileRepMalware Kaspersky: HEUR:Trojan.Win32.Generic BitDefender: Gen:Heur.Ransom.HiddenTears.1 NANO-Antivirus: Trojan.Win32.Filecoder.ewghqo Paloalto: generic.ml ViRobot: Trojan.Win32.Z.Ransom.400132 Tencent: Win32.Trojan.Generic.Wvbp Ad-Aware: Gen:Heur.Ransom.HiddenTears.1 Emsisoft: Gen:Heur.Ransom.HiddenTears.1 (B) Comodo: UnclassifiedMalware F-Secure: Gen:Heur.Ransom.HiddenTears.1 DrWeb: Trojan.Encoder.24129 VIPRE: Trojan.Win32.Generic!BT TrendMicro: Ransom_HiddenTear.R039C0DLL17 McAfee-GW-Edition: RDN/Ransom SentinelOne: static engine - malicious Jiangmin: Trojan/Jorik.htdp Webroot: W32.Malware.Gen Avira: TR/AD.Ryzerlo.uppvd Fortinet: W32/Generic!tr Antiy-AVL: Trojan[Ransom]/Win32.HiddenTear Arcabit: Trojan.Ransom.HiddenTears.1 AegisLab: Troj.W32.Generic!c ZoneAlarm: HEUR:Trojan.Win32.Generic Microsoft: Ransom:Win32/HiddenTear.gen Sophos: Mal/Generic-S AhnLab-V3: Trojan/Win32.FileCoder.R216331 McAfee: RDN/Ransom AVware: Trojan.Win32.Generic!BT MAX: malware (ai score=99) Cylance: Unsafe ESET-NOD32: a variant of MSIL/Filecoder.Y Ikarus: Trojan-Ransom.FileCoder GData: Gen:Heur.Ransom.HiddenTears.1 AVG: FileRepMalware Cybereason: malicious.1b8fb7 Panda: Trj/CI.A Qihoo-360: Win32/Trojan.Ransom.786 |
Hashes
DOS Header
| e_magic | MZ |
|---|---|
| e_cblp | 0x40 |
| e_cp | 0x1 |
| e_crlc | 0 |
| e_cparhdr | 0x2 |
| e_minalloc | 0 |
| e_maxalloc | 0xffff |
| e_ss | 0 |
| e_sp | 0xb8 |
| e_csum | 0 |
| e_ip | 0 |
| e_cs | 0 |
| e_ovno | 0 |
| e_oemid | 0xb400 |
| e_oeminfo | 0xcd09 |
| e_lfanew | 0x40 |
PE Header
| Signature | PE |
|---|---|
| Machine |
IMAGE_FILE_MACHINE_I386
|
| NumberofSections | 3 |
| TimeDateStamp | 2010-Dec-09 18:58:13 |
| PointerToSymbolTable | 0 |
| NumberOfSymbols | 0 |
| SizeOfOptionalHeader | 0xe0 |
| Characteristics |
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE
|
Image Optional Header
| Magic | PE32 |
|---|---|
| LinkerVersion | 8.0 |
| SizeOfCode | 0x1000 |
| SizeOfInitializedData | 0x800 |
| SizeOfUninitializedData | 0 |
| AddressOfEntryPoint | 0x00002E5E (Section: .text) |
| BaseOfCode | 0x2000 |
| BaseOfData | 0x4000 |
| ImageBase | 0x400000 |
| SectionAlignment | 0x2000 |
| FileAlignment | 0x200 |
| OperatingSystemVersion | 4.0 |
| ImageVersion | 0.0 |
| SubsystemVersion | 6.0 |
| Win32VersionValue | 0 |
| SizeOfImage | 0x62000 |
| SizeOfHeaders | 0x200 |
| Checksum | 0 |
| Subsystem |
IMAGE_SUBSYSTEM_WINDOWS_GUI
|
| DllCharacteristics |
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
|
| SizeofStackReserve | 0x100000 |
| SizeofStackCommit | 0x1000 |
| SizeofHeapReserve | 0x100000 |
| SizeofHeapCommit | 0x1000 |
| LoaderFlags | 0 |
| NumberOfRvaAndSizes | 16 |
.text
.rsrc
.reloc
Imports
| mscoree.dll |
_CorExeMain
|
|---|
Delayed Imports
1
2
3
4
5
6
32512
1 (#2)
1 (#3)
Version Info
| Signature | 0xfeef04bd |
|---|---|
| StructVersion | 0x10000 |
| FileVersion | 1.0.0.0 |
| ProductVersion | 1.0.0.0 |
| FileFlags | (EMPTY) |
| FileOs |
VOS_DOS_WINDOWS32
VOS_NT_WINDOWS32
VOS__WINDOWS32
|
| FileType |
VFT_APP
|
| Language | UNKNOWN |
| Comments | FileLocker |
| CompanyName | system File-Locker Ransomware |
| FileDescription | File-Locker |
| FileVersion (#2) | 1.0.0.0 |
| InternalName | File-Locker Ransomware.exe |
| LegalCopyright | Copyright © 2017 |
| LegalTrademarks | www.microsoft.com |
| OriginalFilename | File-Locker Ransomware.exe |
| ProductName | File-Locker |
| ProductVersion (#2) | 1.0.0.0 |
| Assembly Version | 1.0.0.0 |
| Resource LangID | UNKNOWN |
|---|