84878c171dfdb52dbde5049334c11b3d

Summary

Architecture IMAGE_FILE_MACHINE_I386
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date 2019-Jun-18 15:30:08
Detected languages English - United States
Debug artifacts C:\Users\Usuario\Documents\Proyectos\sher.lock\Debug\LooCipher.pdb

Plugin Output

Info Matching compiler(s): Microsoft Visual C++ v6.0 DLL
Microsoft Visual C++ 6.0 - 8.0
MASM/TASM - sig1(h)
Suspicious Strings found in the binary may indicate undesirable behavior: Miscellaneous malware strings:
  • cmd.exe
Info Cryptographic algorithms detected in the binary: Uses constants related to SHA1
Uses constants related to SHA256
Uses constants related to SHA512
Uses constants related to AES
Microsoft's Cryptography API
Malicious This program contains valid cryptocurrency addresses. Contains a valid Bitcoin address:
  • 19YmdTjw7ZWHEDac8wWzCNdZT8oXsDedtV
  • 1Azfk7fWwCRynRk8p7qupLqqaADsjwFm4N
  • 1CrdZvvtzrZTJ78k92XuPizhhgtDxQ8c4B
  • 1JHEqi4QsTWz4gB9qZTACP7JggJzAmf6eA
  • 1Ps5Vd9dKWuy9FuMDkec9qquCyTLjc2Bxe
Suspicious The PE is possibly packed. Unusual section name found: .textbss
Section .textbss is both writable and executable.
Suspicious The PE contains functions most legitimate programs don't use. [!] The program may be hiding some of its imports:
  • GetProcAddress
  • LoadLibraryExW
  • LoadLibraryW
Functions which can be used for anti-debugging purposes:
  • SwitchToThread
Possibly launches other programs:
  • CreateProcessA
  • CreateProcessW
Uses Microsoft's cryptographic API:
  • CryptReleaseContext
  • CryptAcquireContextA
  • CryptGenRandom
Can create temporary files:
  • CreateFileW
  • GetTempPathW
Memory manipulation functions often used by packers:
  • VirtualAlloc
  • VirtualProtect
Has Internet access capabilities:
  • InternetCloseHandle
  • InternetOpenUrlA
  • InternetReadFile
  • InternetOpenA
Enumerates local disk drives:
  • GetLogicalDriveStringsA
  • GetDriveTypeW
Malicious VirusTotal score: 32/65 (Scanned on 2019-07-13 04:53:38)
MicroWorld-eScan: Trojan.Ransom.LooCipher.A
FireEye: Generic.mg.84878c171dfdb52d
Malwarebytes: Ransom.LooCipher
K7AntiVirus: Trojan ( 005506811 )
K7GW: Trojan ( 005506811 )
Arcabit: Trojan.Ransom.LooCipher.A
ESET-NOD32: a variant of Win32/Filecoder.NWG
ClamAV: Win.Ransomware.LooCipher-7001151-0
BitDefender: Trojan.Ransom.LooCipher.A
NANO-Antivirus: Trojan.Win32.ULPM.frnkry
ViRobot: Trojan.Win32.Ransom.5637632
Avast: Win32:Malware-gen
Rising: Malware.Undefined!8.C (TFE:5:KZCOBsBjs9P)
Ad-Aware: Trojan.Ransom.LooCipher.A
Sophos: Troj/Ransom-FMJ
DrWeb: Trojan.Siggen8.33057
Emsisoft: Trojan.Ransom.LooCipher.A (B)
SentinelOne: DFI - Suspicious PE
Jiangmin: Trojan.Loo.a
Webroot: W32.Ransom.Gen
Fortinet: W32/Filecoder.NWG!tr
Antiy-AVL: GrayWare/Win32.Generic
Microsoft: Trojan:Win32/Fuerboos.C!cl
Acronis: suspicious
ALYac: Trojan.Ransom.LooCipher.A
MAX: malware (ai score=82)
VBA32: suspected of Trojan.Downloader.gen.h
GData: Trojan.Ransom.LooCipher.A
AVG: Win32:Malware-gen
Cybereason: malicious.71dfdb
Panda: Trj/GdSda.A
Qihoo-360: HEUR/QVM19.1.7D37.Malware.Gen

Hashes

MD5 84878c171dfdb52dbde5049334c11b3d
SHA1 ecbee10531ab298a56606216d5a43078f7537c25
SHA256 ad7eebdf328c7fd273b278b0ec95cb93bb3428d52f5ff3b69522f1f0b7e3e9a1
SHA3 c7c60d48956127da95917f31151bbdb79e5a63fd342c17a54985f70469d1d31e
SSDeep 98304:xY+KQ0CO444hl1p7xFMe7rbbbbt+Gwd57q:xY+KQ0R44Q1rbbbbt+F
Imports Hash 8c1957dde2f628fdcbe049f10f2266a0

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0x108

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_I386
NumberofSections 8
TimeDateStamp 2019-Jun-18 15:30:08
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xe0
Characteristics IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE

Image Optional Header

Magic PE32
LinkerVersion 14.0
SizeOfCode 0x421600
SizeOfInitializedData 0x156a00
SizeOfUninitializedData 0
AddressOfEntryPoint 0x001FB2AC (Section: .text)
BaseOfCode 0x1000
BaseOfData 0x1000
ImageBase 0x400000
SectionAlignment 0x1000
FileAlignment 0x200
OperatingSystemVersion 6.0
ImageVersion 0.0
SubsystemVersion 6.0
Win32VersionValue 0
SizeOfImage 0x747000
SizeOfHeaders 0x400
Checksum 0
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
DllCharacteristics IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
SizeofStackReserve 0x100000
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

.textbss

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA3 a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a
VirtualSize 0x1f31f1
VirtualAddress 0x1000
SizeOfRawData 0
PointerToRawData 0
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.text

MD5 f2a32dcf1a47a00251716ad2ddfc056d
SHA1 dd4ff132b5f49728772173d0cd0e88e3230a7eb3
SHA256 c782a6934c1bea8da4c5890212144700119ab6ac3a2f7377e56d062316fae145
SHA3 0cfa56b47667fefcafbc2a7b0acee5986b98dcee54d31eae7ebc7c0cef4d09c4
VirtualSize 0x421487
VirtualAddress 0x1f5000
SizeOfRawData 0x421600
PointerToRawData 0x400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
Entropy 5.57201

.rdata

MD5 17fd9116196d3cd9a16a927abcaf154b
SHA1 83d7d04b1f3cbf5aceaec71c20cd784875e284d1
SHA256 97908bebfc9a447a0588b615d8499029fc7250c7e57b1e3502dccd9006a9c86c
SHA3 f5b4d29b4138cacff8af5f4ec98ea3e99e84fe540547988a2e2626625e372827
VirtualSize 0xfe502
VirtualAddress 0x617000
SizeOfRawData 0xfe600
PointerToRawData 0x421a00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 4.51215

.data

MD5 af48bd15cb963dccf4304a4f1e531e83
SHA1 0e267b960a4b49a118d410dfdf5d9693a0bcc88c
SHA256 865c87d2c1a423651be28eef2896f7c80cf37f89e827fec577dfc87da9e23f92
SHA3 7f0bfd9242843b076e694d48a5a8b5c9537bcecc2f38a8bd5cb0f7e566bba49c
VirtualSize 0x2bd94
VirtualAddress 0x716000
SizeOfRawData 0x14000
PointerToRawData 0x520000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 4.62815

.idata

MD5 68a7a78d564f05984c04afef45d17e74
SHA1 8bef23f6d37ff58ea793d97f64e6a27c5667a62f
SHA256 76dd529abb0f123710794bf564dffea3e5636e47173db902bed39326439ff2ed
SHA3 b8ddf63e50aa430e58146000a6a63bc45de79daf44a93c713d811bdadf39df52
VirtualSize 0x1eff
VirtualAddress 0x742000
SizeOfRawData 0x2000
PointerToRawData 0x534000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 4.74951

.tls

MD5 c573bd7cea296a9c5d230ca6b5aee1a6
SHA1 04a0b9fde89c71864acaf5e74689fe4c269bd7a8
SHA256 13bde09a110c13b533dc985f3e2c475b6f6bcf514d1a23fce5b784a653548e91
SHA3 3679da6860e8ab20485113de9ac22dfe22ddc29d53f14ddc33a648aa98196361
VirtualSize 0x309
VirtualAddress 0x744000
SizeOfRawData 0x400
PointerToRawData 0x536000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 0.0111738

.00cfg

MD5 e3703138f864923f96b856bde5440d14
SHA1 2bf989888d1c0fda95d09be26243b89fe5af892f
SHA256 9e98381a9eada0b27809e582c7e13aa313dc8bf5f663e3a3e2807e93225d0296
SHA3 b1a8207b3693cda7b949c0992fa17e4b8e4af5f8d25cff3c5c375da0c36bfae3
VirtualSize 0x104
VirtualAddress 0x745000
SizeOfRawData 0x200
PointerToRawData 0x536400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 0.0611629

.rsrc

MD5 bf6f25ea585f2d6ed7064cb206d2af29
SHA1 90d6bfe1cc6469e4e555a8a74cdfcc22f5463257
SHA256 9ce4636532e503dc423b608858c45a03d3a373703638ddf6efa4d2311408add2
SHA3 42dd67ef290b7e7c45a12eb30ccb90157521db1995b34d07993d63a9cde7f71f
VirtualSize 0x43c
VirtualAddress 0x746000
SizeOfRawData 0x600
PointerToRawData 0x536600
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 2.13629

Imports

KERNEL32.dll
GetLocalTime
GetShortPathNameA
GetLogicalDriveStringsA
GetStartupInfoA
WritePrivateProfileStringA
MultiByteToWideChar
IsDebuggerPresent
DebugBreak
GlobalAlloc
GlobalUnlock
GlobalLock
GetPrivateProfileStringA
GetLastError
SetLastError
QueryPerformanceCounter
QueryPerformanceFrequency
GetCurrentThread
GetThreadTimes
ReadConsoleW
FreeEnvironmentStringsW
GetEnvironmentStringsW
GetCommandLineW
GetCommandLineA
GetOEMCP
IsValidCodePage
FindNextFileA
FindFirstFileExA
SetStdHandle
CreateProcessA
SetConsoleCtrlHandler
WriteConsoleW
OutputDebugStringA
HeapQueryInformation
HeapReAlloc
HeapSize
ReadFile
GetConsoleMode
GetConsoleCP
FlushFileBuffers
GetFileType
EnumSystemLocalesW
GetUserDefaultLCID
IsValidLocale
GetTimeFormatW
GetDateFormatW
CreateProcessW
GetExitCodeProcess
GetACP
WriteFile
GetStdHandle
ExitProcess
ResumeThread
ExitThread
DeleteFileW
MoveFileExW
RemoveDirectoryW
GetCurrentDirectoryW
GetCurrentDirectoryA
SetCurrentDirectoryW
TerminateThread
CreateThread
Sleep
CreateEventA
CreateMutexA
ReleaseMutex
WaitForSingleObject
SetEvent
CloseHandle
GetTimeZoneInformation
GetEnvironmentVariableA
SetCurrentDirectoryA
SetEnvironmentVariableW
SetEnvironmentVariableA
GetFullPathNameA
GetFullPathNameW
GetDriveTypeW
GetModuleHandleExW
WideCharToMultiByte
FormatMessageW
CreateDirectoryW
CreateFileW
FindClose
FindFirstFileExW
FindNextFileW
GetDiskFreeSpaceExW
GetFileAttributesExW
GetFileInformationByHandle
SetEndOfFile
SetFileAttributesW
SetFilePointerEx
SetFileTime
GetTempPathW
AreFileApisANSI
CopyFileW
CreateHardLinkW
DuplicateHandle
WaitForSingleObjectEx
GetCurrentProcess
GetCurrentThreadId
GetExitCodeThread
GetNativeSystemInfo
EnterCriticalSection
LeaveCriticalSection
TryEnterCriticalSection
DeleteCriticalSection
EncodePointer
DecodePointer
InitializeCriticalSectionAndSpinCount
CreateEventW
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
GetSystemTimeAsFileTime
GetTickCount
GetModuleHandleW
GetProcAddress
CompareStringW
LCMapStringW
GetLocaleInfoW
GetStringTypeW
GetCPInfo
ResetEvent
InitializeSListHead
UnhandledExceptionFilter
SetUnhandledExceptionFilter
TerminateProcess
IsProcessorFeaturePresent
GetStartupInfoW
RaiseException
GetCurrentProcessId
HeapAlloc
HeapFree
GetProcessHeap
VirtualQuery
FreeLibrary
CreateTimerQueue
SignalObjectAndWait
SwitchToThread
SetThreadPriority
GetThreadPriority
GetLogicalProcessorInformation
CreateTimerQueueTimer
ChangeTimerQueueTimer
DeleteTimerQueueTimer
GetNumaHighestNodeNumber
GetProcessAffinityMask
SetThreadAffinityMask
RegisterWaitForSingleObject
UnregisterWait
OutputDebugStringW
FreeLibraryAndExitThread
GetModuleFileNameW
GetModuleHandleA
LoadLibraryExW
GetVersionExW
VirtualAlloc
VirtualProtect
VirtualFree
SetProcessAffinityMask
ReleaseSemaphore
InterlockedPopEntrySList
InterlockedPushEntrySList
InterlockedFlushSList
QueryDepthSList
UnregisterWaitEx
WaitForMultipleObjectsEx
LoadLibraryW
RtlUnwind
HeapValidate
GetSystemInfo
GetModuleFileNameA
RtlCaptureStackBackTrace
USER32.dll
PeekMessageA
DispatchMessageA
GetMessageA
TrackMouseEvent
LoadCursorA
SetClassLongA
GetClassLongA
MessageBoxW
SetWindowTextA
UpdateWindow
GetSystemMetrics
EnableWindow
KillTimer
SetTimer
EmptyClipboard
SetClipboardData
CloseClipboard
OpenClipboard
GetDlgCtrlID
CreateWindowExW
RegisterClassW
PostQuitMessage
DefWindowProcW
SendMessageA
TranslateMessage
SystemParametersInfoA
EnumDisplaySettingsA
ChangeDisplaySettingsA
SetWindowLongA
GetWindowLongA
ShowCursor
AdjustWindowRect
GetWindowRect
GetDC
SetForegroundWindow
SetWindowPos
ShowWindow
DestroyWindow
CreateWindowExA
DefWindowProcA
GDI32.dll
SetBkColor
DeleteObject
CreateSolidBrush
CreateFontA
SetDIBitsToDevice
SetTextColor
ADVAPI32.dll
CryptReleaseContext
CryptAcquireContextA
CryptGenRandom
SHELL32.dll
SHGetSpecialFolderPathA
WININET.dll
InternetCloseHandle
InternetOpenUrlA
InternetReadFile
InternetOpenA

Delayed Imports

1

Type RT_MANIFEST
Language English - United States
Codepage UNKNOWN
Size 0x17d
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 4.91161
MD5 1e4a89b11eae0fcf8bb5fdd5ec3b6f61
SHA1 4260284ce14278c397aaf6f389c1609b0ab0ce51
SHA256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df
SHA3 4bb9e8b5a714cae82782f3831cc2d45f4bf4a50a755fe584d2d1893129d68353

Version Info

IMAGE_DEBUG_TYPE_CODEVIEW

Characteristics 0
TimeDateStamp 2019-Jun-14 15:47:16
Version 0.0
SizeofData 91
AddressOfRawData 0x6e5ac4
PointerToRawData 0x4f04c4
Referenced File C:\Users\Usuario\Documents\Proyectos\sher.lock\Debug\LooCipher.pdb

IMAGE_DEBUG_TYPE_VC_FEATURE

Characteristics 0
TimeDateStamp 2019-Jun-14 15:47:16
Version 0.0
SizeofData 20
AddressOfRawData 0x6e5b20
PointerToRawData 0x4f0520

TLS Callbacks

StartAddressOfRawData 0xb44000
EndAddressOfRawData 0xb44208
AddressOfIndex 0xb40384
AddressOfCallbacks 0xa17e2c
SizeOfZeroFill 0
Characteristics IMAGE_SCN_ALIGN_4BYTES
Callbacks (EMPTY)

Load Configuration

Size 0x68
TimeDateStamp 1970-Jan-01 00:00:00
Version 0.0
GlobalFlagsClear (EMPTY)
GlobalFlagsSet (EMPTY)
CriticalSectionDefaultTimeout 0
DeCommitFreeBlockThreshold 0
DeCommitTotalFreeThreshold 0
LockPrefixTable 0
MaximumAllocationSize 0
VirtualMemoryThreshold 0
ProcessAffinityMask 0
ProcessHeapFlags (EMPTY)
CSDVersion 0
Reserved1 0
EditList 0
SecurityCookie 0xb16254
SEHandlerTable 0
SEHandlerCount 0

RICH Header

XOR Key 0x1c2e1b8f
Unmarked objects 0
ASM objects (24610) 28
C++ objects (24610) 197
C objects (24610) 26
ASM objects (24723) 23
C++ objects (24723) 132
C objects (24723) 37
Imports (24610) 13
Total imports 227
C++ objects (VS2017 v15.2 compiler 25019) 37
Resource objects (VS2017 v15.2 compiler 25019) 1
Linker (VS2017 v15.2 compiler 25019) 1

Errors

[!] Error: Could not reach the requested directory (offset=0x0).
[*] Warning: Section .textbss has a size of 0!