8819d7f8069d35e71902025d801b44dd

Summary

Architecture IMAGE_FILE_MACHINE_AMD64
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date 2018-Aug-14 11:46:26
Detected languages English - United States
Debug artifacts C:\Users\Admin\Documents\Visual Studio 2015\Projects From Ryuk\ConsoleApplication54\x64\Release\ConsoleApplication54.pdb

Plugin Output

Suspicious: Strings found in the binary may indicate undesirable behavior.
Contains references to security software (Ntrtscan.exe is the Trend Micro real-time scan process):
  • Ntrtscan.exe
May have dropper capabilities:
  • CurrentVersion\Run
Miscellaneous malware strings:
  • cmd.exe
Malicious: The file headers were tampered with. The RICH header checksum is invalid. (The Rich header's XOR key doubles as a checksum over the DOS header and stub, excluding e_lfanew, plus the Rich entries; a mismatch means those bytes were edited after the linker wrote them, or that the Rich header was copied in from another build.)
Malicious: The PE contains functions mostly used by malware.
[!] The program may be hiding some of its imports (dynamic resolution via LoadLibrary/GetProcAddress):
  • LoadLibraryA
  • GetProcAddress
  • LoadLibraryExW
Functions which can be used for anti-debugging purposes:
  • CreateToolhelp32Snapshot
Code injection capabilities:
  • OpenProcess
  • VirtualAllocEx
  • CreateRemoteThread
  • WriteProcessMemory
Possibly launches other programs:
  • ShellExecuteW
  • ShellExecuteA
Functions related to the privilege level:
  • AdjustTokenPrivileges
  • OpenProcessToken
Manipulates other processes:
  • OpenProcess
  • Process32NextW
  • Process32FirstW
  • WriteProcessMemory
Malicious: VirusTotal score: 50/70 (Scanned on 2021-04-03 14:25:22)
Elastic: malicious (high confidence)
Cynet: Malicious (score: 100)
CAT-QuickHeal: Trojan.Generic
McAfee: Ransom-Ryuk!8819D7F8069D
Cylance: Unsafe
Zillya: Trojan.Generic.Win32.644133
Sangfor: Win.Ransomware.Ryuk-6688842-0
CrowdStrike: win/malicious_confidence_100% (W)
Alibaba: Ransom:Win32/Genasom.ali1000102
K7GW: Trojan ( 00553fc91 )
K7AntiVirus: Trojan ( 00553fc91 )
Cyren: W64/Ransom.Ryuk.A.gen!Eldorado
Symantec: Ransom.Hermes!gen2
ESET-NOD32: a variant of Win64/Filecoder.T
APEX: Malicious
Paloalto: generic.ml
ClamAV: Win.Ransomware.Ryuk-6688842-0
Kaspersky: HEUR:Trojan.Win32.Generic
BitDefender: Gen:Variant.Ransom.Ryuk.19
MicroWorld-eScan: Gen:Variant.Ransom.Ryuk.19
Avast: Win64:RansomX-gen [Ransom]
Rising: Ransom.Jabaxsta!1.B3AA (CLASSIC)
Ad-Aware: Gen:Variant.Ransom.Ryuk.19
Emsisoft: Gen:Variant.Ransom.Ryuk.19 (B)
DrWeb: Trojan.Inject4.9283
VIPRE: Trojan.Win32.Generic!BT
TrendMicro: Ransom.Win64.RYUK.SM
McAfee-GW-Edition: BehavesLike.Win64.RansomRyuk.ch
MaxSecure: Trojan.Malware.300983.susgen
FireEye: Generic.mg.8819d7f8069d35e7
Sophos: ML/PE-A + Troj/Ransom-FAF
Ikarus: Trojan-Ransom.Ryuk
GData: Win64.Trojan-Ransom.Ryuk.A
Jiangmin: Trojan.Generic.cpxqa
Avira: HEUR/AGEN.1110011
Gridinsoft: Ransom.Win64.AI.sa
Arcabit: Trojan.Ransom.Ryuk.19
AegisLab: Trojan.Win32.Generic.4!c
Microsoft: Ransom:Win64/Jabaxsta.B
AhnLab-V3: Trojan/Win64.Ryukran.R234901
ALYac: Trojan.Ransom.Ryuk
MAX: malware (ai score=86)
Malwarebytes: Malware.AI.218522461
TrendMicro-HouseCall: Ransom.Win64.RYUK.SM
Tencent: Win32.Trojan.Generic.Dyzx
SentinelOne: Static AI - Malicious PE
Fortinet: W64/Ryuk.223E!tr.ransom
AVG: Win64:RansomX-gen [Ransom]
Cybereason: malicious.8069d3
Qihoo-360: Win64/Ransom.Generic.H8oAChsA

Hashes

MD5 8819d7f8069d35e71902025d801b44dd
SHA1 5af393e60df1140193ad172a917508e9682918ab
SHA256 98ece6bcafa296326654db862140520afc19cfa0b4a76a5950deedb2618097ab
SHA3 8afa0b4da8c9f943c50dd5efc22624a3ba9067c3bd0e61d52b36d46ddba5bb14
SSDeep 3072:b+hfiA0PJ/lmL4a17VnAy5jtZXDkIVT49RQwo:i4AK/lmkaFVz7QQw
Imports Hash 3d84250cdbe08a9921b4fb008881914b

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0x108

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_AMD64
NumberofSections 7
TimeDateStamp 2018-Aug-14 11:46:26
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xf0
Characteristics IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Image Optional Header

Magic PE32+
LinkerVersion 14.0
SizeOfCode 0x16200
SizeOfInitializedData 0x19a00
SizeOfUninitializedData 0
AddressOfEntryPoint 0x0000000000008624 (Section: .text)
BaseOfCode 0x1000
ImageBase 0x140000000
SectionAlignment 0x1000
FileAlignment 0x200
OperatingSystemVersion 5.2
ImageVersion 0.0
SubsystemVersion 5.2
Win32VersionValue 0
SizeOfImage 0x36000
SizeOfHeaders 0x400
Checksum 0
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
DllCharacteristics IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
SizeofStackReserve 0x100000
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

.text

MD5 1d450e0b9a3bd6ec4dd27445ca3b4009
SHA1 a8dfe9f33dbc1971948eca962a17869c1cbfe282
SHA256 85fa7218bdc7b20e5aee0eca125f602191b9e3139a3a78f92414c9b5f5f9ab17
SHA3 8621a6aae1351024747b209af30a1b8b3dd7ea632d276f8b2b18f7e552b74aff
VirtualSize 0x161f0
VirtualAddress 0x1000
SizeOfRawData 0x16200
PointerToRawData 0x400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
Entropy 6.44258

.rdata

MD5 e6d779193c8692fb7a36658fbbfa5ce5
SHA1 26e3405ff3427205a35cc42ae76b0732e6c7ea90
SHA256 2ec1b7c26e9f5d85f21dcd6e6e57d1a5e65fd60a50c5931d6e29be8b84427f52
SHA3 44cd6110767f597881e5658ea509e87d516ecbdd3b173aeb1a49bcd6e5102d7c
VirtualSize 0xb700
VirtualAddress 0x18000
SizeOfRawData 0xb800
PointerToRawData 0x16600
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 5.40711

.data

MD5 c8e644378a54cad515e9a273163a2809
SHA1 dafe68979151287065301dbb643e767d89b98452
SHA256 544bbb8b86acf54f059ec67199960958fa17713c362461f87354b741b65a664f
SHA3 80444935f4e166c1f664c6c77e3230f7d7ba6ece35dabfe585110d511c56fc41
VirtualSize 0xc2f8
VirtualAddress 0x24000
SizeOfRawData 0x7200
PointerToRawData 0x21e00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 4.02534

.pdata

MD5 e1df62b9019a7718d9783df22c058a42
SHA1 637c2fac08fafd2e80a161046bdd5fc4f4ab6959
SHA256 826e842c32ca79d58a9100cd5eda2513e48a6fb1c73f7e459a2b22c006db78b0
SHA3 d3708cf048b091243b1e9d2399313a712c1110703f97530ee1e5aba049b1089a
VirtualSize 0x11f4
VirtualAddress 0x31000
SizeOfRawData 0x1200
PointerToRawData 0x29000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 5.19458

.gfids

MD5 0d8ae4cc74966073a7abac84f43fddd4
SHA1 37f304a22386b5b98b34cb82cf986d75602f2ede
SHA256 076799831fe78bf8115dc55b75204cb082449289238008b36f785391c2603683
SHA3 3153f3db7c21fae521434b2e89dd04d1ce817039ae63f280e792c3b2d6f9ec2a
VirtualSize 0xa8
VirtualAddress 0x33000
SizeOfRawData 0x200
PointerToRawData 0x2a200
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 1.43908

.rsrc

MD5 1b99276507c6356b24a31f63887375df
SHA1 770a7ce5dad244ee5088744680dfadc8e3515886
SHA256 fac8960ce1ae094d50138adc8f1db077f911141ed84fd3bc75f0fc12dbd1bc48
SHA3 038963f7d33bb638839cb839b8cda22ffe1e50899b98cdcf56c6e97ccf80a72e
VirtualSize 0x1e0
VirtualAddress 0x34000
SizeOfRawData 0x200
PointerToRawData 0x2a400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 4.71768

.reloc

MD5 531e0a90a6501eb254fc829e28598c85
SHA1 ad0b49297842e26acaef8ed04865fe875539bc24
SHA256 8bfe7fb916646e83b888c0f50b4725b210d2c93d633ae0fec11cf8a0120f9d35
SHA3 3910cf92de253dcc868dd1b0c16bcdee684a6ed887562b362ba17805629a3ce3
VirtualSize 0x610
VirtualAddress 0x35000
SizeOfRawData 0x800
PointerToRawData 0x2a600
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Entropy 4.74877

Imports

KERNEL32.dll
OpenProcess
CreateToolhelp32Snapshot
Sleep
GetLastError
Process32NextW
GetCurrentThread
LoadLibraryA
GlobalAlloc
DeleteFileW
Process32FirstW
GetModuleHandleA
CloseHandle
HeapAlloc
GetWindowsDirectoryW
GetProcAddress
VirtualAllocEx
LocalFree
GetProcessHeap
FreeLibrary
CreateRemoteThread
VirtualFreeEx
GetVersionExW
CreateFileW
GetModuleFileNameW
GetCurrentProcess
GetCommandLineW
SetLastError
HeapFree
GlobalFree
WriteConsoleW
SetFilePointerEx
HeapReAlloc
HeapSize
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
UnhandledExceptionFilter
SetUnhandledExceptionFilter
TerminateProcess
IsProcessorFeaturePresent
QueryPerformanceCounter
GetCurrentProcessId
GetCurrentThreadId
GetSystemTimeAsFileTime
InitializeSListHead
IsDebuggerPresent
GetStartupInfoW
GetModuleHandleW
RtlUnwindEx
RaiseException
InitializeCriticalSectionAndSpinCount
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
LoadLibraryExW
EnterCriticalSection
LeaveCriticalSection
DeleteCriticalSection
ExitProcess
GetModuleHandleExW
GetStdHandle
WriteFile
GetModuleFileNameA
MultiByteToWideChar
WideCharToMultiByte
GetACP
LCMapStringW
GetFileType
FindClose
FindFirstFileExA
FindNextFileA
IsValidCodePage
GetOEMCP
GetCPInfo
GetCommandLineA
GetEnvironmentStringsW
FreeEnvironmentStringsW
SetStdHandle
GetStringTypeW
FlushFileBuffers
GetConsoleCP
GetConsoleMode
WriteProcessMemory
ADVAPI32.dll
SystemFunction036
LookupPrivilegeValueW
AdjustTokenPrivileges
ImpersonateSelf
OpenProcessToken
OpenThreadToken
LookupAccountSidW
GetTokenInformation
SHELL32.dll
CommandLineToArgvW
ShellExecuteW
ShellExecuteA
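The Imports Hash reported in the Hashes section and the import table above can be tied together with the imphash algorithm that pefile and VirusTotal use. The script below is an added example written for this page, not Manalyze's code or the sample's; it assumes pefile's normalisation rules (lower-case, strip the .dll/.ocx/.sys extension, render ordinal-only imports as ordN, MD5 over the comma-joined list) and omits pefile's ordinal-to-name lookup for a few system DLLs, which does not matter here because every import in this report is by name. The import table is transcribed from this report in the order listed; run against it, the result should reproduce the reported value if the tool that produced the report walked the import directory in the same order. The second function checks for the complete injection chain the plugin flagged (OpenProcess, VirtualAllocEx, WriteProcessMemory, CreateRemoteThread) rather than any one of them, which is the distinction a triage analyst wants.

```python
"""imphash and injection-chain check for the import table in this report (added example)."""
import hashlib

STRIPPED_EXTENSIONS = ("dll", "ocx", "sys")

# Import table transcribed from the Imports section of this report, in report order.
REPORT_IMPORTS = [
    ("KERNEL32.dll", """OpenProcess CreateToolhelp32Snapshot Sleep GetLastError Process32NextW
        GetCurrentThread LoadLibraryA GlobalAlloc DeleteFileW Process32FirstW GetModuleHandleA
        CloseHandle HeapAlloc GetWindowsDirectoryW GetProcAddress VirtualAllocEx LocalFree
        GetProcessHeap FreeLibrary CreateRemoteThread VirtualFreeEx GetVersionExW CreateFileW
        GetModuleFileNameW GetCurrentProcess GetCommandLineW SetLastError HeapFree GlobalFree
        WriteConsoleW SetFilePointerEx HeapReAlloc HeapSize RtlCaptureContext RtlLookupFunctionEntry
        RtlVirtualUnwind UnhandledExceptionFilter SetUnhandledExceptionFilter TerminateProcess
        IsProcessorFeaturePresent QueryPerformanceCounter GetCurrentProcessId GetCurrentThreadId
        GetSystemTimeAsFileTime InitializeSListHead IsDebuggerPresent GetStartupInfoW
        GetModuleHandleW RtlUnwindEx RaiseException InitializeCriticalSectionAndSpinCount TlsAlloc
        TlsGetValue TlsSetValue TlsFree LoadLibraryExW EnterCriticalSection LeaveCriticalSection
        DeleteCriticalSection ExitProcess GetModuleHandleExW GetStdHandle WriteFile
        GetModuleFileNameA MultiByteToWideChar WideCharToMultiByte GetACP LCMapStringW GetFileType
        FindClose FindFirstFileExA FindNextFileA IsValidCodePage GetOEMCP GetCPInfo GetCommandLineA
        GetEnvironmentStringsW FreeEnvironmentStringsW SetStdHandle GetStringTypeW FlushFileBuffers
        GetConsoleCP GetConsoleMode WriteProcessMemory""".split()),
    ("ADVAPI32.dll", """SystemFunction036 LookupPrivilegeValueW AdjustTokenPrivileges ImpersonateSelf
        OpenProcessToken OpenThreadToken LookupAccountSidW GetTokenInformation""".split()),
    ("SHELL32.dll", "CommandLineToArgvW ShellExecuteW ShellExecuteA".split()),
]

INJECTION_CHAIN = ("OpenProcess", "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread")


def imphash(imports):
    """imports: ordered [(dll_name, [function name or int ordinal, ...]), ...].
    Reimplements pefile's get_imphash() normalisation (assumption: same rules as pefile)."""
    parts = []
    for dll, funcs in imports:
        lib = dll.lower()
        base, dot, ext = lib.rpartition(".")
        if dot and ext in STRIPPED_EXTENSIONS:
            lib = base  # "kernel32.dll" -> "kernel32"
        for func in funcs:
            name = f"ord{func}" if isinstance(func, int) else func.lower()
            parts.append(f"{lib}.{name}")
    return hashlib.md5(",".join(parts).encode("ascii")).hexdigest()


def injection_primitives(imports, required=INJECTION_CHAIN):
    """Return the members of the classic remote-thread injection chain that are NOT imported.
    An empty list means the whole chain is statically present, as in this sample."""
    present = {f.lower() for _, funcs in imports for f in funcs if isinstance(f, str)}
    return [f for f in required if f.lower() not in present]


if __name__ == "__main__":
    print("imphash:", imphash(REPORT_IMPORTS), "(report value: 3d84250cdbe08a9921b4fb008881914b)")
    print("missing injection APIs:", injection_primitives(REPORT_IMPORTS))
```

Because imphash covers only the static import table, the LoadLibraryA/GetProcAddress pair the plugin flagged means the effective API surface can be larger than what the hash captures; treat imphash as a pivot for clustering builds, not as proof of capability.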

Delayed Imports

Resources

1

Type RT_MANIFEST
Language English - United States
Codepage UNKNOWN
Size 0x17d
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 4.91161
MD5 1e4a89b11eae0fcf8bb5fdd5ec3b6f61
SHA1 4260284ce14278c397aaf6f389c1609b0ab0ce51
SHA256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df
SHA3 4bb9e8b5a714cae82782f3831cc2d45f4bf4a50a755fe584d2d1893129d68353

Version Info

Debug Info

IMAGE_DEBUG_TYPE_CODEVIEW

Characteristics 0
TimeDateStamp 2018-Aug-14 11:46:26
Version 0.0
SizeofData 145
AddressOfRawData 0x2179c
PointerToRawData 0x1fd9c
Referenced File C:\Users\Admin\Documents\Visual Studio 2015\Projects From Ryuk\ConsoleApplication54\x64\Release\ConsoleApplication54.pdb

IMAGE_DEBUG_TYPE_VC_FEATURE

Characteristics 0
TimeDateStamp 2018-Aug-14 11:46:26
Version 0.0
SizeofData 20
AddressOfRawData 0x21830
PointerToRawData 0x1fe30

IMAGE_DEBUG_TYPE_POGO

Characteristics 0
TimeDateStamp 2018-Aug-14 11:46:26
Version 0.0
SizeofData 832
AddressOfRawData 0x21844
PointerToRawData 0x1fe44

IMAGE_DEBUG_TYPE_ILTCG

Characteristics 0
TimeDateStamp 2018-Aug-14 11:46:26
Version 0.0
SizeofData 0
AddressOfRawData 0
PointerToRawData 0

TLS Callbacks

Load Configuration

Size 0x94
TimeDateStamp 1970-Jan-01 00:00:00
Version 0.0
GlobalFlagsClear (EMPTY)
GlobalFlagsSet (EMPTY)
CriticalSectionDefaultTimeout 0
DeCommitFreeBlockThreshold 0
DeCommitTotalFreeThreshold 0
LockPrefixTable 0
MaximumAllocationSize 0
VirtualMemoryThreshold 0
ProcessAffinityMask 0
ProcessHeapFlags (EMPTY)
CSDVersion 0
Reserved1 0
EditList 0
SecurityCookie 0x140024000

RICH Header

XOR Key 0xcb7685ce
Unmarked objects 0
241 (40116) 4
243 (40116) 122
242 (40116) 13
ASM objects (23907) 6
C++ objects (23907) 35
C objects (23907) 18
Imports (VS2008 SP1 build 30729) 7
Total imports 114
265 (VS2015 UPD2 build 23918) 2
Resource objects (VS2015 UPD2 build 23918) 1
Linker (VS2015 UPD2 build 23918) 1
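The "RICH header checksum is invalid" finding in the Plugin Output and the XOR Key shown in this section are two views of the same check. The script below is an added example written for this page, not Manalyze's code or anything from the sample: it parses a Rich header, recomputes the checksum that the linker stores as the XOR key, and reports a mismatch. It assumes the standard layout ('DanS' ^ key, three padding dwords, (comp_id ^ key, count ^ key) pairs, 'Rich', key) and the published checksum algorithm (rotate each DOS header byte left by its offset, skipping e_lfanew, then rotate each comp_id left by its count, all summed mod 2^32 starting from the 'DanS' offset). Because the page has no copy of the binary, the block constructs a header-only stub with three of the ProdID/build/count triples from the table above; that subset does not reproduce the sample's key 0xcb7685ce, but the same functions run unchanged on a real file's bytes.

```python
"""Rich header parse and checksum validation (added example, not Manalyze's code)."""
import struct

MASK32 = 0xFFFFFFFF
DANS_OFFSET = 0x80  # where the constructed stub places 'DanS' (real files: end of DOS stub)

# ProdID (build) count triples copied from the RICH Header table in this report (subset).
SAMPLE_ENTRIES = [((241 << 16) | 40116, 4), ((243 << 16) | 40116, 122), ((242 << 16) | 40116, 13)]


def rol32(value, count):
    count &= 31
    value &= MASK32
    return ((value << count) | (value >> (32 - count))) & MASK32


def rich_checksum(dos_region, entries):
    """Recompute the XOR key: checksum over the bytes before 'DanS' (e_lfanew at 0x3C..0x3F is
    skipped because the linker patches it afterwards) plus each comp_id rotated by its count."""
    cksum = len(dos_region)  # offset of 'DanS'
    for i, b in enumerate(dos_region):
        if 0x3C <= i < 0x40:
            continue
        cksum = (cksum + rol32(b, i)) & MASK32
    for comp_id, count in entries:
        cksum = (cksum + rol32(comp_id, count)) & MASK32
    return cksum


def parse_rich(data):
    """Return (dans_offset, key, [(comp_id, count), ...]) or None if no Rich header is found."""
    if len(data) < 0x40:
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    rich_off = data.rfind(b"Rich", 0, min(e_lfanew, len(data)))
    if rich_off < 0 or rich_off + 8 > len(data):
        return None
    key = struct.unpack_from("<I", data, rich_off + 4)[0]
    off = rich_off - 4
    while off >= 0:  # walk back one dword at a time, decoding with the key, until 'DanS'
        if struct.pack("<I", struct.unpack_from("<I", data, off)[0] ^ key) == b"DanS":
            break
        off -= 4
    else:
        return None
    entries = []
    for pos in range(off + 16, rich_off, 8):  # skip 'DanS' and the three padding dwords
        comp_id, count = struct.unpack_from("<II", data, pos)
        entries.append((comp_id ^ key, count ^ key))
    return off, key, entries


def rich_header_valid(data):
    """True when the stored key equals the recomputed checksum. False is the condition the
    plugin reports as a tampered header: DOS header, stub or entries changed after linking."""
    parsed = parse_rich(data)
    if parsed is None:
        return False
    dans_off, key, entries = parsed
    return rich_checksum(data[:dans_off], entries) == key


def build_sample(entries, tamper_stub=False):
    """Constructed header-only stub (not a loadable PE): MZ header, DOS stub text, Rich header
    with a correct key, then the PE signature. tamper_stub edits a stub byte after 'linking'."""
    dos = bytearray(DANS_OFFSET)
    dos[0:2] = b"MZ"
    for offset, value in ((0x02, 0x90), (0x04, 3), (0x08, 4), (0x0A, 0xFFFF), (0x10, 0xB8), (0x18, 0x40)):
        struct.pack_into("<H", dos, offset, value)  # e_cblp, e_cp, e_cparhdr, e_maxalloc, e_sp, e_lfarlc
    stub = b"This program cannot be run in DOS mode.\r\n$"
    dos[0x40:0x40 + len(stub)] = stub
    rich_len = 16 + 8 * len(entries) + 8
    struct.pack_into("<I", dos, 0x3C, DANS_OFFSET + rich_len)  # e_lfanew
    key = rich_checksum(bytes(dos), entries)
    rich = bytearray(struct.pack("<IIII", int.from_bytes(b"DanS", "little") ^ key, key, key, key))
    for comp_id, count in entries:
        rich += struct.pack("<II", comp_id ^ key, count ^ key)
    rich += b"Rich" + struct.pack("<I", key)
    data = dos + rich + b"PE\x00\x00" + bytes(20)
    if tamper_stub:
        data[0x50] ^= 0xFF  # post-link edit inside the DOS stub: the stored key no longer matches
    return bytes(data)


if __name__ == "__main__":
    for tampered in (False, True):
        blob = build_sample(SAMPLE_ENTRIES, tamper_stub=tampered)
        _, key, entries = parse_rich(blob)
        print(f"tampered={tampered} key=0x{key:08x} valid={rich_header_valid(blob)}")
        for comp_id, count in entries:
            print(f"  prodid={comp_id >> 16} build={comp_id & 0xFFFF} count={count}")
```

On a real sample, pass the file's bytes to rich_header_valid(); the decoded entries give the same ProdID, build and count columns as the table above, and the build numbers (40116, 23918, 23907) are what ties this binary to VS2015 Update 2 toolchain objects regardless of what the PDB path claims.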

Errors
