838cb28b8f3bdf8ca3a4011ff6bc6f6f

Summary

Architecture IMAGE_FILE_MACHINE_I386
Subsystem IMAGE_SUBSYSTEM_WINDOWS_CUI
Compilation Date 2017-Nov-19 18:49:20
Debug artifacts C:\Users\kagan\Desktop\MBMalwTest\MBMalwTest\obj\Debug\MBMalwTest.pdb
Comments
CompanyName
FileDescription MBMalwTest
FileVersion 1.0.0.0
InternalName MBMalwTest.exe
LegalCopyright Copyright © 2017
LegalTrademarks
OriginalFilename MBMalwTest.exe
ProductName MBMalwTest
ProductVersion 1.0.0.0
Assembly Version 1.0.0.0

Plugin Output

Info Matching compiler(s): .NET executable -> Microsoft
Suspicious Strings found in the binary may indicate undesirable behavior:
Looks for Qemu presence:
  • QEMU
  • qEmU
Miscellaneous malware strings:
  • cmd.exe
Malicious VirusTotal score: 15/68 (Scanned on 2017-12-02 01:56:25)
Invincea: heuristic
Symantec: Ransom.HiddenTear!g1
TrendMicro-HouseCall: TROJ_GEN.R002H05L117
Avast: FileRepMalware
AegisLab: W32.Malware.Bucaspys!c
Sophos: Mal/Generic-S
McAfee-GW-Edition: Artemis!Trojan
Endgame: malicious (high confidence)
ZoneAlarm: UDS:DangerousObject.Multi.Generic
McAfee: RDN/Generic.dx
ESET-NOD32: a variant of MSIL/Filecoder.AK
Rising: Ransom.FileCryptor!8.1A7 (C64:YzY0OsmwYzDYbbVD)
GData: Win32.Malware.Bucaspys.A
AVG: FileRepMalware
CrowdStrike: malicious_confidence_100% (W)

Hashes

MD5 838cb28b8f3bdf8ca3a4011ff6bc6f6f
SHA1 42550a96f14f60d2dfd8e51c22ffcfca2d14b940
SHA256 f9c918a96b1c4290cf73c1017b70b6f8082f4558f3524a608d13f8dd81646a98
SHA3 787449a38f2b94a5a30fc17742fe577c5077cce2e29c5f7833bea48c7f5a1997
SSDeep 12288:ZRDX4jeK9i5GALeAk7aHsPFe7rcV1IUGvVuqD7bSnJeXKWc0c58kFQ:ZRL4jAtCAk7/2VT
Imports Hash f34d5f2d4577ed6d9ceec516c1f5a744

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0x80

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_I386
NumberofSections 3
TimeDateStamp 2017-Nov-19 18:49:20
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xe0
Characteristics IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Image Optional Header

Magic PE32
LinkerVersion 48.0
SizeOfCode 0x91c00
SizeOfInitializedData 0x800
SizeOfUninitializedData 0
AddressOfEntryPoint 0x93bb6 (Section: .text)
BaseOfCode 0x2000
BaseOfData 0x94000
ImageBase 0x400000
SectionAlignment 0x2000
FileAlignment 0x200
OperatingSystemVersion 4.0
ImageVersion 0.0
SubsystemVersion 4.0
Win32VersionValue 0
SizeOfImage 0x98000
SizeOfHeaders 0x200
Checksum 0
Subsystem IMAGE_SUBSYSTEM_WINDOWS_CUI
DllCharacteristics IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
SizeofStackReserve 0x100000
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

.text

MD5 fd2d16c88c34ac894c78938f8f69fd13
SHA1 e0d2b82f27be1781ba2c3fd58f6710cbb977d196
SHA256 458c5b090f4a8a43966989b963e36d0052f1dcd75f4d928d13e29c8532b3079e
SHA3 1f3e3b5a33f856307a5f34def13900c6054983fbb74307a54412c2deaa953478
VirtualSize 0x91bc4
VirtualAddress 0x2000
SizeOfRawData 0x91c00
PointerToRawData 0x200
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
Entropy 5.90888

.rsrc

MD5 93991987ed6040c93875da91cb30d6dd
SHA1 c5f295dec35746eb81dbbb56d8edd4942aa5248a
SHA256 5367afca3c6446399e439683a87360a12ff3fb89180653e7900787958844ba2d
SHA3 602261b2fddceb2118da07b15167fbfa2ffffbdf61e10f2a4d3dd8e8b742ff9f
VirtualSize 0x5bc
VirtualAddress 0x94000
SizeOfRawData 0x600
PointerToRawData 0x91e00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 4.12313

.reloc

MD5 684df03599cd7686c193b9465fd10095
SHA1 1ab6828936e3c1a3a8611c47c60ab1eb39093916
SHA256 7a6dd08d3c74feca7d4ac92ce77a11a471cb2ba13f9d52f2c8ca5707cc96634f
SHA3 b3885603dd4f2210e9c163fcfe59dbc2621adc4986c2b905d85be7dbb7f95449
VirtualSize 0xc
VirtualAddress 0x96000
SizeOfRawData 0x200
PointerToRawData 0x92400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Entropy 0.10191

Imports

mscoree.dll _CorExeMain

Delayed Imports

1

Type RT_VERSION
Language UNKNOWN
Codepage UNKNOWN
Size 0x32c
Entropy 3.28446
MD5 ceca8659ce6369d7b79a27e872d2a253
SHA1 f8a6d02d40f398857ee21b387e3ba79092c40d77
SHA256 f000430dd138efb6936d6125a0f37e18aa37e9a96d0e0d1f38bf86df5e332a23
SHA3 68d7e9d7d292bc7d13b131ac8b1d5ef80ae9495c9546d89fe18f94c8d7294949

1 (#2)

Type RT_MANIFEST
Language UNKNOWN
Codepage UNKNOWN
Size 0x1ea
Entropy 5.00112
MD5 b7db84991f23a680df8e95af8946f9c9
SHA1 cac699787884fb993ced8d7dc47b7c522c7bc734
SHA256 539dc26a14b6277e87348594ab7d6e932d16aabb18612d77f29fe421a9f1d46a
SHA3 4f064a06b5bd7ab6005fc494d9f0fc8061d891da40dd0c3387a654047c6ff6ee

Version Info

Signature 0xfeef04bd
StructVersion 0x10000
FileVersion 1.0.0.0
ProductVersion 1.0.0.0
FileFlags (EMPTY)
FileOs VOS_DOS_WINDOWS32
VOS_NT_WINDOWS32
VOS__WINDOWS32
FileType VFT_APP
Language UNKNOWN
Comments
CompanyName
FileDescription MBMalwTest
FileVersion (#2) 1.0.0.0
InternalName MBMalwTest.exe
LegalCopyright Copyright © 2017
LegalTrademarks
OriginalFilename MBMalwTest.exe
ProductName MBMalwTest
ProductVersion (#2) 1.0.0.0
Assembly Version 1.0.0.0
Resource LangID UNKNOWN

IMAGE_DEBUG_TYPE_CODEVIEW

Characteristics 0
TimeDateStamp 2017-Nov-19 18:49:20
Version 0.0
SizeofData 284
AddressOfRawData 0x93a48
PointerToRawData 0x91c48
Referenced File C:\Users\kagan\Desktop\MBMalwTest\MBMalwTest\obj\Debug\MBMalwTest.pdb

TLS Callbacks

Load Configuration

Errors