Manalyze report for 7529e3c83618f5e3a4cc6dbf3a8534a6

Summary

Architecture	`IMAGE_FILE_MACHINE_I386`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	2020-Jan-31 21:36:20
Detected languages	English - United States

Plugin Output

Info	Matching compiler(s):	`Microsoft Visual C++ 6.0 - 8.0`
Info	Cryptographic algorithms detected in the binary:	`Uses constants related to SHA256` `Uses constants related to SHA512` `Microsoft's Cryptography API`
Suspicious	The PE is possibly packed.	`Unusual section name found: .keys` `Section .keys is both writable and executable.`
Malicious	The PE contains functions mostly used by malware.	`[!] The program may be hiding some of its imports: LoadLibraryW GetProcAddress` `Can access the registry: RegQueryValueExW RegOpenKeyExW RegCloseKey` `Possibly launches other programs: CreateProcessW CreateProcessAsUserW` `Uses Microsoft's cryptographic API: CryptGenRandom CryptReleaseContext CryptEncrypt CryptDestroyKey CryptAcquireContextW CryptDecodeObjectEx CryptStringToBinaryW CryptBinaryToStringA CryptImportPublicKeyInfo` `Functions related to the privilege level: DuplicateTokenEx OpenProcessToken` `Interacts with services: QueryServiceStatusEx OpenServiceA OpenSCManagerA EnumServicesStatusA ControlService` `Enumerates local disk drives: GetDriveTypeW GetVolumeInformationA GetVolumeInformationW`
Malicious	VirusTotal score: 64/72 (Scanned on 2020-11-19 13:58:32)	`Bkav: W32.AIDetectVM.malware1` `Elastic: malicious (high confidence)` `MicroWorld-eScan: Generic.Ransom.Ragnar.91E669A1` `FireEye: Generic.mg.7529e3c83618f5e3` `McAfee: Ransomware-GWY!7529E3C83618` `Cylance: Unsafe` `Zillya: Trojan.DelShad.Win32.391` `Sangfor: Malware` `K7AntiVirus: Trojan ( 0055feb81 )` `Alibaba: Ransom:Win32/generic.ali2000027` `K7GW: Trojan ( 0055feb81 )` `Cybereason: malicious.83618f` `Invincea: Mal/Generic-R + Troj/Lothlock-A` `Cyren: W32/Filecoder.AA.gen!Eldorado` `Symantec: Downloader` `APEX: Malicious` `Paloalto: generic.ml` `ClamAV: Win.Exploit.CVE_2017_0213-6306933-0` `Kaspersky: Trojan.Win32.DelShad.clo` `BitDefender: Generic.Ransom.Ragnar.91E669A1` `NANO-Antivirus: Trojan.Win32.Filecoder.gzhwgc` `ViRobot: Trojan.Win32.S.RagnarLocker.40448` `Avast: Win32:RansomX-gen [Ransom]` `Ad-Aware: Generic.Ransom.Ragnar.91E669A1` `TACHYON: Ransom/W32.RagnarLocker.40448` `Sophos: Troj/Lothlock-A` `Comodo: Malware@#2gk64l2oh1fkn` `F-Secure: Heuristic.HEUR/AGEN.1115159` `DrWeb: Trojan.Encoder.31062` `VIPRE: Trojan.Win32.Generic!BT` `TrendMicro: Ransom.Win32.RAGNAR.THBAABOA` `McAfee-GW-Edition: BehavesLike.Win32.Generic.nh` `Emsisoft: Generic.Ransom.Ragnar.91E669A1 (B)` `Ikarus: Trojan-Ransom.Ragnarlocker` `GData: Win32.Trojan-Ransom.Ragnar.A` `Jiangmin: Trojan.DelShad.se` `eGambit: Unsafe.AI_Score_63%` `Avira: HEUR/AGEN.1115159` `Antiy-AVL: Trojan/Win32.DelShad` `Kingsoft: Win32.Heur.KVMH008.a.(kcloud)` `Gridinsoft: Ransom.Win32.DelShad.oa!s1` `Arcabit: Generic.Ransom.Ragnar.91E669A1` `AegisLab: Trojan.Win32.DelShad.4!c` `ZoneAlarm: Trojan.Win32.DelShad.clo` `Microsoft: Ransom:Win32/RagnarLocker.MK!MTB` `Cynet: Malicious (score: 100)` `AhnLab-V3: Malware/Win32.Ransom.C4006138` `BitDefenderTheta: AI:Packer.F45DCE011F` `ALYac: Trojan.Ransom.Filecoder` `MAX: malware (ai score=100)` `VBA32: Trojan.DelShad` `Malwarebytes: Ransom.Ragnar` `ESET-NOD32: a variant of Win32/Filecoder.RagnarLocker.A` `TrendMicro-HouseCall: Ransom.Win32.RAGNAR.THBAABOA` `Rising: Ransom.Ragnar!1.C24D (CLASSIC)` `Yandex: Trojan.DelShad!7PvUlpeHI84` `SentinelOne: Static AI - Malicious PE` `MaxSecure: Trojan.Malware.74817929.susgen` `Fortinet: W32/Filecoder.94BA!tr.ransom` `Webroot: W32.Ransom.Ragnar` `AVG: Win32:RansomX-gen [Ransom]` `Panda: Trj/Genetic.gen` `CrowdStrike: win/malicious_confidence_100% (W)` `Qihoo-360: Win32/Trojan.640`

Hashes

MD5	`7529e3c83618f5e3a4cc6dbf3a8534a6`
SHA1	`0f944504eebfca5466b6113853b0d83e38cf885a`
SHA256	`ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597`
SHA3	`b5525c7cd48170f6f063507d2afde18b43a8cb5a82d2327b9c2bcaac6a6be843`
SSDeep	`768:spCmKJILjsoq65corBjd/3oqab0k3RLKul1FXI4xyuRe:splco4aFoqaXpTXISR`
Imports Hash	`6a3e7314bd4201552084c30fb976959e`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0xd0`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_I386`
NumberofSections	`6`
TimeDateStamp	2020-Jan-31 21:36:20
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xe0`
Characteristics	`IMAGE_FILE_32BIT_MACHINE` `IMAGE_FILE_EXECUTABLE_IMAGE`

Image Optional Header

Magic	`PE32`
LinkerVersion	`14.0`
SizeOfCode	`0x6800`
SizeOfInitializedData	`0x3600`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x000029B0 (Section: .text)`
BaseOfCode	`0x1000`
BaseOfData	`0x8000`
ImageBase	`0x400000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`5.1`
ImageVersion	`0.0`
SubsystemVersion	`5.1`
Win32VersionValue	`0`
SizeOfImage	`0xf000`
SizeOfHeaders	`0x400`
Checksum	`0`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` `IMAGE_DLLCHARACTERISTICS_NO_SEH` `IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`23b7e842833d053f7ff0b69af64cd8fe`
SHA1	`4bde58895fd8b7aa322ae5340837fb90dd190045`
SHA256	`b03cdc619e82b038a841112e0555e0b8b81772ef5ade6095cbe51861c09bb828`
SHA3	`0c7c4dd266fccf6989665b0dab3a5fb125b508a58f3e35acd37af177bb5f2cc6`
VirtualSize	`0x66af`
VirtualAddress	`0x1000`
SizeOfRawData	`0x6800`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.52068`

.rdata

MD5	`b3dfa8d0f8b070f1707ebac9cebdcb0e`
SHA1	`88379e12f422404c6525effd8cfb2c4cb107c921`
SHA256	`51853029dba82dfe68f33af3ef409923f86eb73c51949c5c62d4f81bc1815189`
SHA3	`056c14c0fdbd5e9515392996168cf7269d36f350d6792adb6f9d6213b6464aff`
VirtualSize	`0x1318`
VirtualAddress	`0x8000`
SizeOfRawData	`0x1400`
PointerToRawData	`0x6c00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`5.35369`

.data

MD5	`d41d8cd98f00b204e9800998ecf8427e`
SHA1	`da39a3ee5e6b4b0d3255bfef95601890afd80709`
SHA256	`e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`
SHA3	`a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a`
VirtualSize	`0x35c`
VirtualAddress	`0xa000`
SizeOfRawData	`0`
PointerToRawData	`0`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`

.keys

MD5	`ef3a1406ab1f8448f2cd1cbdb1e1c984`
SHA1	`687ea015f413e3a853e88a91ead5f65714f87407`
SHA256	`fda49533dac1e881db2470b1dc4d37fcf2dd394ff2778e270a9016833155745a`
SHA3	`4b68ffb92b06e9141bae087af5d235b24c1fe72347a2533f45a8c0569305cf12`
VirtualSize	`0x1706`
VirtualAddress	`0xb000`
SizeOfRawData	`0x1800`
PointerToRawData	`0x8000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_SHARED` `IMAGE_SCN_MEM_WRITE`
Entropy	`6.43541`

.rsrc

MD5	`44e3d39532c9319314b3e7669556d25a`
SHA1	`62781e8e72142285145da0e0b84c51e38b6e4cb0`
SHA256	`82734dc2b49e549f19311dc082c046cb8f3d019d2dab2b1b25fac08f4cc1a306`
SHA3	`c34360de44e134e645cca7885573b5550929b45e961557e2956406e27fcd167a`
VirtualSize	`0x1e0`
VirtualAddress	`0xd000`
SizeOfRawData	`0x200`
PointerToRawData	`0x9800`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`4.7015`

.reloc

MD5	`f3fb524979d5de5190ce4b0fcabd0085`
SHA1	`321da77985f4404bdee08b1e0a94e6a1a47a3a9c`
SHA256	`18be67bf40719fe5929bae0a79d47cf80518506645236de1fb46859f2ff81edd`
SHA3	`3985107ae86a8826bf17c976dd4b1689c59d49a3dca426e84424d48239318c48`
VirtualSize	`0x290`
VirtualAddress	`0xe000`
SizeOfRawData	`0x400`
PointerToRawData	`0x9a00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`4.81044`

Imports

KERNEL32.dll	`GetTickCount` `lstrcmpiW` `lstrcpyA` `lstrcpyW` `lstrcatW` `lstrlenA` `lstrlenW` `CreateEventW` `LoadLibraryW` `CreateProcessW` `GetStartupInfoW` `GetDriveTypeW` `GetSystemDirectoryW` `GetWindowsDirectoryW` `GetFullPathNameW` `CreateFileW` `SetFileAttributesW` `CloseHandle` `FindFirstFileW` `FindNextFileW` `CopyFileW` `MoveFileExW` `GetVolumeInformationA` `GetVolumeInformationW` `GetComputerNameW` `FindFirstVolumeA` `FindNextVolumeA` `FindVolumeClose` `SetVolumeMountPointA` `GetVolumePathNamesForVolumeNameA` `WTSGetActiveConsoleSessionId` `MultiByteToWideChar` `GetLocaleInfoW` `GetNativeSystemInfo` `FindClose` `SetFilePointerEx` `ReadFile` `DeviceIoControl` `WriteFile` `GetFileSizeEx` `UnlockFile` `LockFile` `GetLogicalDrives` `Sleep` `WaitForSingleObject` `GetLastError` `TerminateProcess` `ExitProcess` `GetCurrentProcess` `GetProcessHeap` `HeapFree` `HeapAlloc` `VirtualFree` `VirtualAlloc` `LocalFree` `GetFileAttributesW` `GetProcAddress`
USER32.dll	`wsprintfA` `wsprintfW`
ADVAPI32.dll	`CryptGenRandom` `CryptReleaseContext` `QueryServiceStatusEx` `OpenServiceA` `OpenSCManagerA` `EnumServicesStatusA` `EnumDependentServicesA` `ControlService` `CloseServiceHandle` `CryptEncrypt` `CryptDestroyKey` `CryptAcquireContextW` `RegQueryValueExW` `RegOpenKeyExW` `RegCloseKey` `DuplicateTokenEx` `CreateProcessAsUserW` `GetUserNameW` `SetTokenInformation` `OpenProcessToken`
SHELL32.dll	`SHGetSpecialFolderPathW`
SHLWAPI.dll	`StrStrIA` `PathFindExtensionW` `StrToIntA`
CRYPT32.dll	`CryptDecodeObjectEx` `CryptStringToBinaryW` `CryptBinaryToStringA` `CryptImportPublicKeyInfo`

Delayed Imports

1

Type	`RT_MANIFEST`
Language	English - United States
Codepage	UNKNOWN
Size	`0x17d`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`4.91161`
MD5	`1e4a89b11eae0fcf8bb5fdd5ec3b6f61`
SHA1	`4260284ce14278c397aaf6f389c1609b0ab0ce51`
SHA256	`4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df`
SHA3	`4bb9e8b5a714cae82782f3831cc2d45f4bf4a50a755fe584d2d1893129d68353`

Version Info

IMAGE_DEBUG_TYPE_POGO

Characteristics	`0`
TimeDateStamp	2020-Jan-31 21:36:20
Version	`0.0`
SizeofData	`236`
AddressOfRawData	`0x89a8`
PointerToRawData	`0x75a8`

IMAGE_DEBUG_TYPE_ILTCG

Characteristics	`0`
TimeDateStamp	2020-Jan-31 21:36:20
Version	`0.0`
SizeofData	`0`
AddressOfRawData	`0`
PointerToRawData	`0`

TLS Callbacks

Load Configuration

RICH Header

XOR Key	`0x60d13716`
Unmarked objects	`0`
ASM objects (VS 2015/2017 runtime 26706)	`3`
Imports (VS2008 SP1 build 30729)	`15`
Total imports	`99`
C++ objects (VS2017 v15.9.19 compiler 27035)	`4`
Resource objects (VS2017 v15.9.19 compiler 27035)	`1`
Linker (VS2017 v15.9.19 compiler 27035)	`1`

Errors

[*] Warning: Section .data has a size of 0!