Summary | Details |
---|---|
Architecture | IMAGE_FILE_MACHINE_I386 |
Subsystem | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date | 2020-Jan-31 21:36:20 |
Detected languages | English - United States |
Info | Matching compiler(s): Microsoft Visual C++ 6.0 - 8.0 (heuristic match; the linker version 14.0 and the Rich header entries below point to Visual Studio 2017) |
Info | Cryptographic algorithms detected in the binary: uses constants related to SHA256; uses constants related to SHA512; uses Microsoft's Cryptography API |
Suspicious | The PE is possibly packed: unusual section name found (.keys); section .keys is both writable and executable |
Malicious | The PE contains functions mostly used by malware. [!] The program may be hiding some of its imports (LoadLibraryW and GetProcAddress are imported, so the static import table is a lower bound) |
Malicious | VirusTotal score: 64/72 (scanned on 2020-11-19 13:58:32); per-engine verdicts are listed below |

VirusTotal verdicts (64 detections):

- Bkav: W32.AIDetectVM.malware1
- Elastic: malicious (high confidence)
- MicroWorld-eScan: Generic.Ransom.Ragnar.91E669A1
- FireEye: Generic.mg.7529e3c83618f5e3
- McAfee: Ransomware-GWY!7529E3C83618
- Cylance: Unsafe
- Zillya: Trojan.DelShad.Win32.391
- Sangfor: Malware
- K7AntiVirus: Trojan ( 0055feb81 )
- Alibaba: Ransom:Win32/generic.ali2000027
- K7GW: Trojan ( 0055feb81 )
- Cybereason: malicious.83618f
- Invincea: Mal/Generic-R + Troj/Lothlock-A
- Cyren: W32/Filecoder.AA.gen!Eldorado
- Symantec: Downloader
- APEX: Malicious
- Paloalto: generic.ml
- ClamAV: Win.Exploit.CVE_2017_0213-6306933-0
- Kaspersky: Trojan.Win32.DelShad.clo
- BitDefender: Generic.Ransom.Ragnar.91E669A1
- NANO-Antivirus: Trojan.Win32.Filecoder.gzhwgc
- ViRobot: Trojan.Win32.S.RagnarLocker.40448
- Avast: Win32:RansomX-gen [Ransom]
- Ad-Aware: Generic.Ransom.Ragnar.91E669A1
- TACHYON: Ransom/W32.RagnarLocker.40448
- Sophos: Troj/Lothlock-A
- Comodo: Malware@#2gk64l2oh1fkn
- F-Secure: Heuristic.HEUR/AGEN.1115159
- DrWeb: Trojan.Encoder.31062
- VIPRE: Trojan.Win32.Generic!BT
- TrendMicro: Ransom.Win32.RAGNAR.THBAABOA
- McAfee-GW-Edition: BehavesLike.Win32.Generic.nh
- Emsisoft: Generic.Ransom.Ragnar.91E669A1 (B)
- Ikarus: Trojan-Ransom.Ragnarlocker
- GData: Win32.Trojan-Ransom.Ragnar.A
- Jiangmin: Trojan.DelShad.se
- eGambit: Unsafe.AI_Score_63%
- Avira: HEUR/AGEN.1115159
- Antiy-AVL: Trojan/Win32.DelShad
- Kingsoft: Win32.Heur.KVMH008.a.(kcloud)
- Gridinsoft: Ransom.Win32.DelShad.oa!s1
- Arcabit: Generic.Ransom.Ragnar.91E669A1
- AegisLab: Trojan.Win32.DelShad.4!c
- ZoneAlarm: Trojan.Win32.DelShad.clo
- Microsoft: Ransom:Win32/RagnarLocker.MK!MTB
- Cynet: Malicious (score: 100)
- AhnLab-V3: Malware/Win32.Ransom.C4006138
- BitDefenderTheta: AI:Packer.F45DCE011F
- ALYac: Trojan.Ransom.Filecoder
- MAX: malware (ai score=100)
- VBA32: Trojan.DelShad
- Malwarebytes: Ransom.Ragnar
- ESET-NOD32: a variant of Win32/Filecoder.RagnarLocker.A
- TrendMicro-HouseCall: Ransom.Win32.RAGNAR.THBAABOA
- Rising: Ransom.Ragnar!1.C24D (CLASSIC)
- Yandex: Trojan.DelShad!7PvUlpeHI84
- SentinelOne: Static AI - Malicious PE
- MaxSecure: Trojan.Malware.74817929.susgen
- Fortinet: W32/Filecoder.94BA!tr.ransom
- Webroot: W32.Ransom.Ragnar
- AVG: Win32:RansomX-gen [Ransom]
- Panda: Trj/Genetic.gen
- CrowdStrike: win/malicious_confidence_100% (W)
- Qihoo-360: Win32/Trojan.640
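The "possibly packed" and "writable and executable section" verdicts in the summary come straight from the section table. The following added example (my own code, not output of the tool that produced this report) shows how those checks are derived: it parses a PE32 header and section table with nothing but the standard library, then flags sections that are both writable and executable, section names outside the usual MSVC set, and sections whose byte entropy is high enough to suggest compressed or encrypted content. The PE image it inspects is constructed inline to mirror this report's layout (.text with the entry point, .rdata, and a W+X .keys section) and is not the analysed sample; the entropy threshold of 7.0 bits per byte is a common rule of thumb, not a value taken from the report.

```python
import hashlib
import math
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
# Section names a normal MSVC link emits; anything else is flagged, as the report does for .keys.
COMMON_SECTION_NAMES = {".text", ".rdata", ".data", ".idata", ".edata", ".rsrc",
                        ".reloc", ".bss", ".tls", ".pdata", ".CRT", ".gfids"}
HIGH_ENTROPY = 7.0  # bits per byte; compressed or encrypted content sits close to 8.0


def shannon_entropy(buf: bytes) -> float:
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(data: bytes) -> dict:
    """Read the DOS header, COFF header, entry point and section table of a PE32 image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsections = struct.unpack_from("<HH", data, e_lfanew + 4)
    size_opt = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24                                   # optional header follows the 20-byte COFF header
    entry = struct.unpack_from("<I", data, opt + 16)[0]   # AddressOfEntryPoint (RVA)
    sections = []
    for i in range(nsections):
        off = opt + size_opt + 40 * i                     # IMAGE_SECTION_HEADER is 40 bytes
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", data, off)
        chars = struct.unpack_from("<I", data, off + 36)[0]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vaddr": vaddr, "vsize": vsize, "rawsize": rawsize, "chars": chars,
                         "entropy": shannon_entropy(data[rawptr:rawptr + rawsize])})
    return {"machine": machine, "entry": entry, "sections": sections}


def triage(data: bytes) -> dict:
    """Apply the report's section heuristics; findings are returned so callers can act on them."""
    pe = parse_pe(data)
    findings, entry_section = [], None
    for s in pe["sections"]:
        if s["vaddr"] <= pe["entry"] < s["vaddr"] + max(s["vsize"], s["rawsize"]):
            entry_section = s["name"]
        if s["name"] not in COMMON_SECTION_NAMES:
            findings.append(f"unusual section name found: {s['name']}")
        if s["chars"] & IMAGE_SCN_MEM_WRITE and s["chars"] & IMAGE_SCN_MEM_EXECUTE:
            findings.append(f"section {s['name']} is both writable and executable")
        if s["entropy"] > HIGH_ENTROPY:
            findings.append(f"high entropy ({s['entropy']:.2f}) in section {s['name']}: possibly packed")
    if entry_section is None:
        findings.append("entry point lies outside every section")
    pe.update(entry_section=entry_section, findings=findings)
    return pe


def build_sample_pe() -> bytes:
    """Constructed PE32 image for the demo (not the analysed sample): .text, .rdata and a W+X .keys."""
    code = b"\x55\x8b\xec" + b"\x90" * 0x100 + b"\xc3"                      # low-entropy stub
    rdata = b"constructed string table\0" * 16
    keys = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(32))  # 1 KiB of key-like noise
    sections = [
        (b".text", 0x1000, code, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
        (b".rdata", 0x2000, rdata, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ),
        (b".keys", 0x3000, keys, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
                                 | IMAGE_SCN_MEM_WRITE),
    ]
    e_lfanew = 0xD0
    dos = (b"MZ" + b"\0" * 58 + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    # COFF header: i386, 3 sections, TimeDateStamp 2020-01-31 21:36:20 UTC, no symbols,
    # 0xE0-byte optional header, IMAGE_FILE_32BIT_MACHINE | IMAGE_FILE_EXECUTABLE_IMAGE
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0x5E349DD4, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)              # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1010)            # entry point inside .text
    struct.pack_into("<I", opt, 28, 0x400000)          # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)    # SectionAlignment, FileAlignment
    table, body, raw_ptr = b"", b"", 0x400
    for name, rva, content, chars in sections:
        raw_size = (len(content) + 0x1FF) & ~0x1FF     # round up to FileAlignment
        table += struct.pack("<8sIIIIIIHHI", name, len(content), rva, raw_size, raw_ptr, 0, 0, 0, 0, chars)
        body += content.ljust(raw_size, b"\0")
        raw_ptr += raw_size
    return (dos + b"PE\0\0" + coff + bytes(opt) + table).ljust(0x400, b"\0") + body


if __name__ == "__main__":
    for finding in triage(build_sample_pe())["findings"]:
        print(finding)
```

On a real sample, `triage(open(path, "rb").read())` gives the same three findings the summary reports for .keys. A writable and executable section in a binary that does not set IMAGE_DLLCHARACTERISTICS_NX_COMPAT is exactly the shape a self-decrypting stub needs, so the W+X flag and the entropy flag reinforce each other rather than being two independent signals.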

DOS header | Value |
---|---|
e_magic | MZ |
e_cblp | 0x90 |
e_cp | 0x3 |
e_crlc | 0 |
e_cparhdr | 0x4 |
e_minalloc | 0 |
e_maxalloc | 0xffff |
e_ss | 0 |
e_sp | 0xb8 |
e_csum | 0 |
e_ip | 0 |
e_cs | 0 |
e_ovno | 0 |
e_oemid | 0 |
e_oeminfo | 0 |
e_lfanew | 0xd0 |

PE header | Value |
---|---|
Signature | PE |
Machine | IMAGE_FILE_MACHINE_I386 |
NumberOfSections | 6 |
TimeDateStamp | 2020-Jan-31 21:36:20 |
PointerToSymbolTable | 0 |
NumberOfSymbols | 0 |
SizeOfOptionalHeader | 0xe0 |
Characteristics | IMAGE_FILE_32BIT_MACHINE, IMAGE_FILE_EXECUTABLE_IMAGE |

Optional header | Value |
---|---|
Magic | PE32 |
LinkerVersion | 14.0 |
SizeOfCode | 0x6800 |
SizeOfInitializedData | 0x3600 |
SizeOfUninitializedData | 0 |
AddressOfEntryPoint | 0x000029B0 (Section: .text) |
BaseOfCode | 0x1000 |
BaseOfData | 0x8000 |
ImageBase | 0x400000 |
SectionAlignment | 0x1000 |
FileAlignment | 0x200 |
OperatingSystemVersion | 5.1 |
ImageVersion | 0.0 |
SubsystemVersion | 5.1 |
Win32VersionValue | 0 |
SizeOfImage | 0xf000 |
SizeOfHeaders | 0x400 |
Checksum | 0 |
Subsystem | IMAGE_SUBSYSTEM_WINDOWS_GUI |
DllCharacteristics | IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE, IMAGE_DLLCHARACTERISTICS_NO_SEH, IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE (IMAGE_DLLCHARACTERISTICS_NX_COMPAT is not set, consistent with the writable and executable .keys section) |
SizeOfStackReserve | 0x100000 |
SizeOfStackCommit | 0x1000 |
SizeOfHeapReserve | 0x100000 |
SizeOfHeapCommit | 0x1000 |
LoaderFlags | 0 |
NumberOfRvaAndSizes | 16 |

Imported DLL | Imported functions |
---|---|
KERNEL32.dll | GetTickCount, lstrcmpiW, lstrcpyA, lstrcpyW, lstrcatW, lstrlenA, lstrlenW, CreateEventW, LoadLibraryW, CreateProcessW, GetStartupInfoW, GetDriveTypeW, GetSystemDirectoryW, GetWindowsDirectoryW, GetFullPathNameW, CreateFileW, SetFileAttributesW, CloseHandle, FindFirstFileW, FindNextFileW, CopyFileW, MoveFileExW, GetVolumeInformationA, GetVolumeInformationW, GetComputerNameW, FindFirstVolumeA, FindNextVolumeA, FindVolumeClose, SetVolumeMountPointA, GetVolumePathNamesForVolumeNameA, WTSGetActiveConsoleSessionId, MultiByteToWideChar, GetLocaleInfoW, GetNativeSystemInfo, FindClose, SetFilePointerEx, ReadFile, DeviceIoControl, WriteFile, GetFileSizeEx, UnlockFile, LockFile, GetLogicalDrives, Sleep, WaitForSingleObject, GetLastError, TerminateProcess, ExitProcess, GetCurrentProcess, GetProcessHeap, HeapFree, HeapAlloc, VirtualFree, VirtualAlloc, LocalFree, GetFileAttributesW, GetProcAddress |
USER32.dll | wsprintfA, wsprintfW |
ADVAPI32.dll | CryptGenRandom, CryptReleaseContext, QueryServiceStatusEx, OpenServiceA, OpenSCManagerA, EnumServicesStatusA, EnumDependentServicesA, ControlService, CloseServiceHandle, CryptEncrypt, CryptDestroyKey, CryptAcquireContextW, RegQueryValueExW, RegOpenKeyExW, RegCloseKey, DuplicateTokenEx, CreateProcessAsUserW, GetUserNameW, SetTokenInformation, OpenProcessToken |
SHELL32.dll | SHGetSpecialFolderPathW |
SHLWAPI.dll | StrStrIA, PathFindExtensionW, StrToIntA |
CRYPT32.dll | CryptDecodeObjectEx, CryptStringToBinaryW, CryptBinaryToStringA, CryptImportPublicKeyInfo |
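The import table above is where the "functions mostly used by malware" verdict comes from, but the verdict is more useful when the APIs are read as capability clusters: CryptAPI key import and encryption, file-system enumeration and rewriting, volume enumeration and mounting, service enumeration and control, and token duplication into the console session. The following added example (my own code, not part of the report or of the tool that produced it) does that grouping over the import list transcribed from the table. The capability map is my own, in the spirit of capa-style rules, and the findings describe what the imported APIs make possible, not what the sample was observed doing.

```python
# Import list transcribed from the report's import table.
REPORT_IMPORTS = {
    "KERNEL32.dll": (
        "GetTickCount lstrcmpiW lstrcpyA lstrcpyW lstrcatW lstrlenA lstrlenW CreateEventW LoadLibraryW "
        "CreateProcessW GetStartupInfoW GetDriveTypeW GetSystemDirectoryW GetWindowsDirectoryW "
        "GetFullPathNameW CreateFileW SetFileAttributesW CloseHandle FindFirstFileW FindNextFileW CopyFileW "
        "MoveFileExW GetVolumeInformationA GetVolumeInformationW GetComputerNameW FindFirstVolumeA "
        "FindNextVolumeA FindVolumeClose SetVolumeMountPointA GetVolumePathNamesForVolumeNameA "
        "WTSGetActiveConsoleSessionId MultiByteToWideChar GetLocaleInfoW GetNativeSystemInfo FindClose "
        "SetFilePointerEx ReadFile DeviceIoControl WriteFile GetFileSizeEx UnlockFile LockFile "
        "GetLogicalDrives Sleep WaitForSingleObject GetLastError TerminateProcess ExitProcess "
        "GetCurrentProcess GetProcessHeap HeapFree HeapAlloc VirtualFree VirtualAlloc LocalFree "
        "GetFileAttributesW GetProcAddress").split(),
    "USER32.dll": ["wsprintfA", "wsprintfW"],
    "ADVAPI32.dll": (
        "CryptGenRandom CryptReleaseContext QueryServiceStatusEx OpenServiceA OpenSCManagerA "
        "EnumServicesStatusA EnumDependentServicesA ControlService CloseServiceHandle CryptEncrypt "
        "CryptDestroyKey CryptAcquireContextW RegQueryValueExW RegOpenKeyExW RegCloseKey DuplicateTokenEx "
        "CreateProcessAsUserW GetUserNameW SetTokenInformation OpenProcessToken").split(),
    "SHELL32.dll": ["SHGetSpecialFolderPathW"],
    "SHLWAPI.dll": ["StrStrIA", "PathFindExtensionW", "StrToIntA"],
    "CRYPT32.dll": ["CryptDecodeObjectEx", "CryptStringToBinaryW", "CryptBinaryToStringA",
                    "CryptImportPublicKeyInfo"],
}

# Constructed capability map (author's grouping): normalized API name -> behaviour it enables.
CAPABILITIES = {
    "crypto": {"CryptAcquireContext", "CryptGenRandom", "CryptEncrypt", "CryptDestroyKey",
               "CryptImportPublicKeyInfo", "CryptDecodeObjectEx", "CryptStringToBinary"},
    "file_walk_and_rewrite": {"FindFirstFile", "FindNextFile", "GetLogicalDrives", "GetDriveType",
                              "MoveFileEx", "SetFileAttributes", "WriteFile", "LockFile", "CopyFile"},
    "volume_manipulation": {"FindFirstVolume", "FindNextVolume", "SetVolumeMountPoint",
                            "GetVolumePathNamesForVolumeName", "DeviceIoControl"},
    "service_control": {"OpenSCManager", "OpenService", "EnumServicesStatus", "EnumDependentServices",
                        "ControlService", "QueryServiceStatusEx"},
    "token_and_session": {"WTSGetActiveConsoleSessionId", "OpenProcessToken", "DuplicateTokenEx",
                          "SetTokenInformation", "CreateProcessAsUser"},
    "host_recon": {"GetComputerName", "GetUserName", "GetLocaleInfo", "GetNativeSystemInfo",
                   "GetVolumeInformation"},
    "dynamic_resolution": {"LoadLibrary", "GetProcAddress"},
}


def normalize(name: str) -> str:
    """Fold ANSI/Unicode pairs (CreateFileA/CreateFileW) onto one name; Ex suffixes are kept."""
    if len(name) > 1 and name[-1] in "AW" and name[-2].islower():
        return name[:-1]
    return name


def classify(imports: dict) -> dict:
    """Return, per capability, the sorted list of imported APIs that support it."""
    present = {normalize(n) for names in imports.values() for n in names}
    return {cap: sorted(present & apis) for cap, apis in CAPABILITIES.items()}


def triage(imports: dict) -> dict:
    """Turn capability hits into the findings an analyst would write down."""
    caps = classify(imports)
    hit = {cap for cap, apis in caps.items() if apis}
    findings = []
    if {"crypto", "file_walk_and_rewrite"} <= hit:
        findings.append("crypto plus file enumeration/rewrite APIs: consistent with a file encryptor")
    if "service_control" in hit:
        findings.append("enumerates and controls services: can stop services before touching their files")
    if "volume_manipulation" in hit:
        findings.append("enumerates and mounts volumes: can reach volumes that have no drive letter")
    if "token_and_session" in hit:
        findings.append("duplicates tokens and spawns into the console session: service-to-desktop pivot")
    if "dynamic_resolution" in hit:
        findings.append("LoadLibrary/GetProcAddress imported: the static import table is only a lower bound")
    return {"capabilities": caps, "findings": findings}


if __name__ == "__main__":
    result = triage(REPORT_IMPORTS)
    for cap, apis in result["capabilities"].items():
        print(f"{cap:24s} {', '.join(apis) or '-'}")
    for finding in result["findings"]:
        print("*", finding)
```

Two points the raw list hides: the crypto cluster is asymmetric (CryptImportPublicKeyInfo and CryptEncrypt but no CryptDecrypt or private-key import), which is the shape of a tool that encrypts with an embedded public key and never needs to decrypt, and the "hiding its imports" note in the summary is supported by the dynamic_resolution hit, so any capability missing from the static table may still be resolved at run time.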

Debug directory entry 1 | Value |
---|---|
Characteristics | 0 |
TimeDateStamp | 2020-Jan-31 21:36:20 |
Version | 0.0 |
SizeOfData | 236 |
AddressOfRawData | 0x89a8 |
PointerToRawData | 0x75a8 |

Debug directory entry 2 | Value |
---|---|
Characteristics | 0 |
TimeDateStamp | 2020-Jan-31 21:36:20 |
Version | 0.0 |
SizeOfData | 0 |
AddressOfRawData | 0 |
PointerToRawData | 0 |

Rich header | Value |
---|---|
XOR Key | 0x60d13716 |
Unmarked objects | 0 |
ASM objects (VS 2015/2017 runtime 26706) | 3 |
Imports (VS2008 SP1 build 30729) | 15 |
Total imports | 99 |
C++ objects (VS2017 v15.9.19 compiler 27035) | 4 |
Resource objects (VS2017 v15.9.19 compiler 27035) | 1 |
Linker (VS2017 v15.9.19 compiler 27035) | 1 |
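The Rich header rows above are recovered by XOR-decoding the block between the DOS stub and the PE signature with the key shown, and the key itself doubles as a checksum over the DOS header and the entries, so an analyst can tell a genuine toolchain fingerprint from one that was pasted in to imitate another build. The following added example (my own code, not the report's tooling) encodes and decodes such a header and validates the key, using the checksum rule described in public write-ups of the format. The header it parses is constructed inline: the build numbers and object counts are the ones in the table above, but the product ids are placeholders, since the report does not list them, and the DOS stub is not the sample's.

```python
import struct

DANS = 0x536E6144  # the bytes 'DanS' read as a little-endian dword


def rol32(value: int, n: int) -> int:
    n &= 31
    return ((value << n) | (value >> (32 - n))) & 0xFFFFFFFF


def rich_checksum(dos_header: bytes, entries) -> int:
    """Key = offset of DanS + rol(byte, i) over the DOS header (e_lfanew skipped) + rol(comp.id, count)."""
    cksum = len(dos_header)
    for i, b in enumerate(dos_header):
        if 0x3C <= i < 0x40:                 # e_lfanew is excluded so the key does not depend on it
            continue
        cksum = (cksum + rol32(b, i)) & 0xFFFFFFFF
    for compid, count in entries:
        cksum = (cksum + rol32(compid, count)) & 0xFFFFFFFF
    return cksum


def encode_rich_header(dos_header: bytes, entries) -> bytes:
    """DanS, three zero dwords and (comp.id, count) pairs, all XORed with the key, then 'Rich' + key."""
    key = rich_checksum(dos_header, entries)
    words = [DANS, 0, 0, 0]
    for compid, count in entries:
        words += [compid, count]
    return b"".join(struct.pack("<I", w ^ key) for w in words) + b"Rich" + struct.pack("<I", key)


def parse_rich_header(data: bytes) -> dict:
    """Locate 'Rich' before e_lfanew, walk backwards to DanS, decode entries and check the key."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    rich = data.rfind(b"Rich", 0, e_lfanew)
    if rich < 0:
        raise ValueError("no Rich header")
    key = struct.unpack_from("<I", data, rich + 4)[0]
    words, pos = [], rich - 4
    while pos >= 0:
        w = struct.unpack_from("<I", data, pos)[0] ^ key
        if w == DANS:
            break
        words.append(w)
        pos -= 4
    else:
        raise ValueError("DanS marker not found")
    words.reverse()                                      # words[0:3] are the zero padding after DanS
    raw = [(words[i], words[i + 1]) for i in range(3, len(words) - 1, 2)]
    return {
        "key": key,
        "dans_offset": pos,
        "entries": [{"product_id": c >> 16, "build": c & 0xFFFF, "count": n} for c, n in raw],
        "checksum_ok": rich_checksum(data[:pos], raw) == key,
    }


def build_sample_file() -> bytes:
    """Constructed DOS header + Rich header + PE signature; not the report's sample."""
    entries = [  # (comp.id = product_id << 16 | build, count); product ids 0x10..0x14 are placeholders
        ((0x0010 << 16) | 26706, 3),    # ASM objects, VS2015/2017 runtime build 26706
        ((0x0011 << 16) | 30729, 15),   # imports, VS2008 SP1 build 30729
        ((0x0012 << 16) | 27035, 4),    # C++ objects, VS2017 15.9 compiler build 27035
        ((0x0013 << 16) | 27035, 1),    # resource objects, same build
        ((0x0014 << 16) | 27035, 1),    # linker, same build
    ]
    dos = bytearray(0x80)
    dos[:2] = b"MZ"
    stub = b"This program cannot be run in DOS mode.\r\n$"
    dos[0x40:0x40 + len(stub)] = stub
    rich = encode_rich_header(bytes(dos), entries)       # checksum ignores e_lfanew, so set it afterwards
    struct.pack_into("<I", dos, 0x3C, len(dos) + len(rich))
    return bytes(dos) + rich + b"PE\0\0"


if __name__ == "__main__":
    info = parse_rich_header(build_sample_file())
    print(f"key=0x{info['key']:08x} checksum_ok={info['checksum_ok']}")
    for e in info["entries"]:
        print(f"product 0x{e['product_id']:04x} build {e['build']:5d} x{e['count']}")
```

A key that fails the checksum means the DOS stub or the entries were changed after linking, which is what a forged or transplanted Rich header looks like; an intact key lends weight to the toolchain fingerprint, and the build numbers can then be compared with the linker version in the optional header, as was done in the summary above.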