Architecture | IMAGE_FILE_MACHINE_AMD64 |
---|---|
Subsystem | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date | 2018-Aug-14 11:46:26 |
Detected languages | English - United States |
Debug artifacts | C:\Users\Admin\Documents\Visual Studio 2015\Projects From Ryuk\ConsoleApplication54\x64\Release\ConsoleApplication54.pdb |
Suspicious | Strings found in the binary may indicate undesirable behavior: contains references to security software. |
Malicious | The file headers were tampered with: the RICH header checksum is invalid. |
Malicious | The PE contains functions mostly used by malware: the program may be hiding some of its imports. |
Malicious | VirusTotal score: 50/70 (Scanned on 2021-04-03 14:25:22). Vendor verdicts are listed in the table below. |

Vendor | Verdict |
---|---|
Elastic | malicious (high confidence) |
Cynet | Malicious (score: 100) |
CAT-QuickHeal | Trojan.Generic |
McAfee | Ransom-Ryuk!8819D7F8069D |
Cylance | Unsafe |
Zillya | Trojan.Generic.Win32.644133 |
Sangfor | Win.Ransomware.Ryuk-6688842-0 |
CrowdStrike | win/malicious_confidence_100% (W) |
Alibaba | Ransom:Win32/Genasom.ali1000102 |
K7GW | Trojan ( 00553fc91 ) |
K7AntiVirus | Trojan ( 00553fc91 ) |
Cyren | W64/Ransom.Ryuk.A.gen!Eldorado |
Symantec | Ransom.Hermes!gen2 |
ESET-NOD32 | a variant of Win64/Filecoder.T |
APEX | Malicious |
Paloalto | generic.ml |
ClamAV | Win.Ransomware.Ryuk-6688842-0 |
Kaspersky | HEUR:Trojan.Win32.Generic |
BitDefender | Gen:Variant.Ransom.Ryuk.19 |
MicroWorld-eScan | Gen:Variant.Ransom.Ryuk.19 |
Avast | Win64:RansomX-gen [Ransom] |
Rising | Ransom.Jabaxsta!1.B3AA (CLASSIC) |
Ad-Aware | Gen:Variant.Ransom.Ryuk.19 |
Emsisoft | Gen:Variant.Ransom.Ryuk.19 (B) |
DrWeb | Trojan.Inject4.9283 |
VIPRE | Trojan.Win32.Generic!BT |
TrendMicro | Ransom.Win64.RYUK.SM |
McAfee-GW-Edition | BehavesLike.Win64.RansomRyuk.ch |
MaxSecure | Trojan.Malware.300983.susgen |
FireEye | Generic.mg.8819d7f8069d35e7 |
Sophos | ML/PE-A + Troj/Ransom-FAF |
Ikarus | Trojan-Ransom.Ryuk |
GData | Win64.Trojan-Ransom.Ryuk.A |
Jiangmin | Trojan.Generic.cpxqa |
Avira | HEUR/AGEN.1110011 |
Gridinsoft | Ransom.Win64.AI.sa |
Arcabit | Trojan.Ransom.Ryuk.19 |
AegisLab | Trojan.Win32.Generic.4!c |
Microsoft | Ransom:Win64/Jabaxsta.B |
AhnLab-V3 | Trojan/Win64.Ryukran.R234901 |
ALYac | Trojan.Ransom.Ryuk |
MAX | malware (ai score=86) |
Malwarebytes | Malware.AI.218522461 |
TrendMicro-HouseCall | Ransom.Win64.RYUK.SM |
Tencent | Win32.Trojan.Generic.Dyzx |
SentinelOne | Static AI - Malicious PE |
Fortinet | W64/Ryuk.223E!tr.ransom |
AVG | Win64:RansomX-gen [Ransom] |
Cybereason | malicious.8069d3 |
Qihoo-360 | Win64/Ransom.Generic.H8oAChsA |
e_magic | MZ |
---|---|
e_cblp | 0x90 |
e_cp | 0x3 |
e_crlc | 0 |
e_cparhdr | 0x4 |
e_minalloc | 0 |
e_maxalloc | 0xffff |
e_ss | 0 |
e_sp | 0xb8 |
e_csum | 0 |
e_ip | 0 |
e_cs | 0 |
e_ovno | 0 |
e_oemid | 0 |
e_oeminfo | 0 |
e_lfanew | 0x108 |
Signature | PE |
---|---|
Machine | IMAGE_FILE_MACHINE_AMD64 |
NumberofSections | 7 |
TimeDateStamp | 2018-Aug-14 11:46:26 |
PointerToSymbolTable | 0 |
NumberOfSymbols | 0 |
SizeOfOptionalHeader | 0xf0 |
Characteristics | IMAGE_FILE_EXECUTABLE_IMAGE, IMAGE_FILE_LARGE_ADDRESS_AWARE |
Magic | PE32+ |
---|---|
LinkerVersion | 14.0 |
SizeOfCode | 0x16200 |
SizeOfInitializedData | 0x19a00 |
SizeOfUninitializedData | 0 |
AddressOfEntryPoint | 0x0000000000008624 (Section: .text) |
BaseOfCode | 0x1000 |
ImageBase | 0x140000000 |
SectionAlignment | 0x1000 |
FileAlignment | 0x200 |
OperatingSystemVersion | 5.2 |
ImageVersion | 0.0 |
SubsystemVersion | 5.2 |
Win32VersionValue | 0 |
SizeOfImage | 0x36000 |
SizeOfHeaders | 0x400 |
Checksum | 0 |
Subsystem | IMAGE_SUBSYSTEM_WINDOWS_GUI |
DllCharacteristics | IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE, IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA, IMAGE_DLLCHARACTERISTICS_NX_COMPAT, IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE |
SizeofStackReserve | 0x100000 |
SizeofStackCommit | 0x1000 |
SizeofHeapReserve | 0x100000 |
SizeofHeapCommit | 0x1000 |
LoaderFlags | 0 |
NumberOfRvaAndSizes | 16 |
KERNEL32.dll | OpenProcess, CreateToolhelp32Snapshot, Sleep, GetLastError, Process32NextW, GetCurrentThread, LoadLibraryA, GlobalAlloc, DeleteFileW, Process32FirstW, GetModuleHandleA, CloseHandle, HeapAlloc, GetWindowsDirectoryW, GetProcAddress, VirtualAllocEx, LocalFree, GetProcessHeap, FreeLibrary, CreateRemoteThread, VirtualFreeEx, GetVersionExW, CreateFileW, GetModuleFileNameW, GetCurrentProcess, GetCommandLineW, SetLastError, HeapFree, GlobalFree, WriteConsoleW, SetFilePointerEx, HeapReAlloc, HeapSize, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, GetModuleHandleW, RtlUnwindEx, RaiseException, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, ExitProcess, GetModuleHandleExW, GetStdHandle, WriteFile, GetModuleFileNameA, MultiByteToWideChar, WideCharToMultiByte, GetACP, LCMapStringW, GetFileType, FindClose, FindFirstFileExA, FindNextFileA, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetStdHandle, GetStringTypeW, FlushFileBuffers, GetConsoleCP, GetConsoleMode, WriteProcessMemory |
---|---|
ADVAPI32.dll | SystemFunction036, LookupPrivilegeValueW, AdjustTokenPrivileges, ImpersonateSelf, OpenProcessToken, OpenThreadToken, LookupAccountSidW, GetTokenInformation |
SHELL32.dll | CommandLineToArgvW, ShellExecuteW, ShellExecuteA |
Characteristics | 0 |
---|---|
TimeDateStamp | 2018-Aug-14 11:46:26 |
Version | 0.0 |
SizeofData | 145 |
AddressOfRawData | 0x2179c |
PointerToRawData | 0x1fd9c |
Referenced File | C:\Users\Admin\Documents\Visual Studio 2015\Projects From Ryuk\ConsoleApplication54\x64\Release\ConsoleApplication54.pdb |
Characteristics | 0 |
---|---|
TimeDateStamp | 2018-Aug-14 11:46:26 |
Version | 0.0 |
SizeofData | 20 |
AddressOfRawData | 0x21830 |
PointerToRawData | 0x1fe30 |
Characteristics | 0 |
---|---|
TimeDateStamp | 2018-Aug-14 11:46:26 |
Version | 0.0 |
SizeofData | 832 |
AddressOfRawData | 0x21844 |
PointerToRawData | 0x1fe44 |
Characteristics | 0 |
---|---|
TimeDateStamp | 2018-Aug-14 11:46:26 |
Version | 0.0 |
SizeofData | 0 |
AddressOfRawData | 0 |
PointerToRawData | 0 |
Size | 0x94 |
---|---|
TimeDateStamp | 1970-Jan-01 00:00:00 |
Version | 0.0 |
GlobalFlagsClear | (EMPTY) |
GlobalFlagsSet | (EMPTY) |
CriticalSectionDefaultTimeout | 0 |
DeCommitFreeBlockThreshold | 0 |
DeCommitTotalFreeThreshold | 0 |
LockPrefixTable | 0 |
MaximumAllocationSize | 0 |
VirtualMemoryThreshold | 0 |
ProcessAffinityMask | 0 |
ProcessHeapFlags | (EMPTY) |
CSDVersion | 0 |
Reserved1 | 0 |
EditList | 0 |
SecurityCookie | 0x140024000 |
XOR Key | 0xcb7685ce |
---|---|
Unmarked objects | 0 |
241 (40116) | 4 |
243 (40116) | 122 |
242 (40116) | 13 |
ASM objects (23907) | 6 |
C++ objects (23907) | 35 |
C objects (23907) | 18 |
Imports (VS2008 SP1 build 30729) | 7 |
Total imports | 114 |
265 (VS2015 UPD2 build 23918) | 2 |
Resource objects (VS2015 UPD2 build 23918) | 1 |
Linker (VS2015 UPD2 build 23918) | 1 |