9cea364f372f26852544a46a0f3a7461

Summary

Architecture IMAGE_FILE_MACHINE_I386
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date 2018-Oct-26 08:47:08
Detected languages English - United States

Plugin Output

Info Matching compiler(s): Microsoft Visual C++ 6.0 - 8.0
Suspicious Strings found in the binary may indicate undesirable behavior:
Contains references to security software:
  • AVP.EXE
  • Mcshield.exe
  • avgnt.exe
  • msmpeng.exe
  • persfw.exe
  • smc.exe
Tries to detect virtualized environments:
  • HARDWARE\DESCRIPTION\System
May have dropper capabilities:
  • CurrentControlSet\services
Contains a XORed PE executable:
  • 4c 70 71 6b 38 68 6a 77 7f 6a 79 75 38 7b 79 76 76 77 6c 38 ...
Miscellaneous malware strings:
  • cmd.exe
  • exploit
Info Libraries used to perform cryptographic operations: Microsoft's Cryptography API
Malicious The PE contains functions mostly used by malware.
[!] The program may be hiding some of its imports:
  • LoadLibraryA
  • GetProcAddress
  • LoadLibraryW
  • LoadLibraryExW
Functions which can be used for anti-debugging purposes:
  • CreateToolhelp32Snapshot
Can access the registry:
  • RegSetValueExW
  • RegCloseKey
  • RegOpenKeyExW
  • RegQueryValueExW
  • RegCreateKeyExW
Possibly launches other programs:
  • ShellExecuteW
Uses Microsoft's cryptographic API:
  • CryptDestroyKey
  • CryptGenKey
  • CryptEncrypt
  • CryptImportKey
  • CryptReleaseContext
  • CryptGetKeyParam
  • CryptAcquireContextW
  • CryptExportKey
Can create temporary files:
  • GetTempPathW
  • CreateFileW
Has Internet access capabilities:
  • InternetOpenW
  • InternetCloseHandle
  • InternetConnectW
Functions related to the privilege level:
  • OpenProcessToken
Enumerates local disk drives:
  • GetVolumeInformationW
  • GetDriveTypeW
  • GetDriveTypeA
Manipulates other processes:
  • Process32FirstW
  • Process32NextW
  • OpenProcess
Can take screenshots:
  • GetDC
  • CreateCompatibleDC
Malicious VirusTotal score: 57/70 (Scanned on 2019-02-06 05:26:48)
MicroWorld-eScan: Trojan.Ransom.GandCrab.W
CAT-QuickHeal: Trojan.Mauvaise.SL1
ALYac: Trojan.Ransom.GandCrab
Malwarebytes: Ransom.GandCrab
SUPERAntiSpyware: Ransom.GandCrab/Variant
K7GW: Trojan ( 00536ba11 )
K7AntiVirus: Trojan ( 00536ba11 )
Invincea: heuristic
NANO-Antivirus: Trojan.Win32.GandCrypt.fjrarj
F-Prot: W32/S-02398261!Eldorado
Symantec: Ransom.GandCrab!g4
TrendMicro-HouseCall: Ransom.Win32.GANDCRAB.SMK
Paloalto: generic.ml
ClamAV: Win.Ransomware.Gandcrab-6667060-0
Kaspersky: Trojan-Ransom.Win32.GandCrypt.fbd
BitDefender: Trojan.Ransom.GandCrab.W
Avast: Win32:RansomX-gen [Ransom]
Tencent: Win32.Trojan.Raas.Auto
Ad-Aware: Trojan.Ransom.GandCrab.W
Emsisoft: Trojan.Ransom.GandCrab.W (B)
Comodo: TrojWare.Win32.Gandcrab.AA@7w10qu
F-Secure: Heuristic.HEUR/AGEN.1036379
DrWeb: Trojan.Encoder.26667
Zillya: Trojan.GandCrypt.Win32.1154
TrendMicro: Ransom.Win32.GANDCRAB.SMK
McAfee-GW-Edition: BehavesLike.Win32.ExploitDcomRpc.ch
Trapmine: suspicious.low.ml.score
SentinelOne: static engine - malicious
Cyren: W32/Trojan.TYMS-0759
Webroot: W32.Malware.gen
Avira: HEUR/AGEN.1036379
Fortinet: W32/GandCrab.D!tr
Antiy-AVL: Trojan[Ransom]/Win32.GandCrypt
Endgame: malicious (high confidence)
Arcabit: Trojan.Ransom.GandCrab.W
ViRobot: Trojan.Win32.Agent.142336.AE
ZoneAlarm: Trojan-Ransom.Win32.GandCrypt.fbd
Microsoft: Ransom:Win32/Gandcrab.AW!bit
TACHYON: Ransom/W32.GandCrab.142336
Sophos: Mal/GandCrab-E
AhnLab-V3: Trojan/Win32.Gandcrab.R247471
Acronis: suspicious
McAfee: Ran-GandCrabv4!9CEA364F372F
MAX: malware (ai score=100)
VBA32: BScope.TrojanRansom.Cryptor
Cylance: Unsafe
Zoner: Trojan.Win32.71452
ESET-NOD32: Win32/Filecoder.GandCrab.D
Rising: Trojan.Filecoder!1.B42B (CLOUD)
Yandex: Trojan.GandCrypt!
Ikarus: Trojan-Ransom.GandCrab
GData: Trojan.Ransom.GandCrab.W
AVG: Win32:RansomX-gen [Ransom]
Cybereason: malicious.f372f2
Panda: Trj/Genetic.gen
CrowdStrike: malicious_confidence_100% (W)
Qihoo-360: Win32/Trojan.Ransom.ffd

Hashes

MD5 9cea364f372f26852544a46a0f3a7461
SHA1 cf92860b93ba2191d81b81f29b14994adbbc4095
SHA256 60d2a00005ccfeb478a073ac485a66ebdf8498284f7bc59213251f77932f7306
SHA3 7a19c27eaa08592774abbe8822aaffca7f06e58fa784dbcee8d748ff2081bf3c
SSDeep 1536:JLMVCWvZ8URtqOz3d+1Qs6H9Mk2e3E2avMWC3yMgYxf6+okbdWsWjcdpyCaIxWz:VM9ntZ3s1QJdnU2SQdf64ZZECaIxWec
Imports Hash 34fc9f1d705d6f6d4e6c04b364ef13e0

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0xe8

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_I386
NumberofSections 5
TimeDateStamp 2018-Oct-26 08:47:08
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xe0
Characteristics IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE

Image Optional Header

Magic PE32
LinkerVersion 12.0
SizeOfCode 0x13c00
SizeOfInitializedData 0x10a00
SizeOfUninitializedData 0
AddressOfEntryPoint 0x00006229 (Section: .text)
BaseOfCode 0x1000
BaseOfData 0x15000
ImageBase 0x400000
SectionAlignment 0x1000
FileAlignment 0x200
OperatingSystemVersion 5.1
ImageVersion 0.0
SubsystemVersion 5.1
Win32VersionValue 0
SizeOfImage 0x28000
SizeOfHeaders 0x400
Checksum 0
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
DllCharacteristics IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
SizeofStackReserve 0x100000
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

.text

MD5 dbb4f038e14092d15d98ad678387ed9f
SHA1 0b0f699d21396af6294f7c78950c29feadbce39c
SHA256 4d7e61b0775cdb5a38067c606871f7ce743944e0df9240e2c4c9b6da829bb96a
SHA3 1cac0fbb13e4146e82d0381c93638006387c8e651817ae12f2dbede83367d2fd
VirtualSize 0x13be4
VirtualAddress 0x1000
SizeOfRawData 0x13c00
PointerToRawData 0x400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
Entropy 6.58693

.rdata

MD5 46187ff324fc51ea2e1f81a5ea36d7ee
SHA1 f33ed24ab8ce822c10ce47cf297dcca664e138e9
SHA256 392e7528d6a5a2ffa13f638961da7adcfba7a4733aefcebe85da2a3ad6255dbc
SHA3 969645def72fb9824f99e8aefc53f983d7fbc59cc2e1000a6ec4b7c162f98b63
VirtualSize 0x6b46
VirtualAddress 0x15000
SizeOfRawData 0x6c00
PointerToRawData 0x14000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 4.59745

.data

MD5 6d9a3b9f0e697d5c541d5bc3f3c6289b
SHA1 27e83489267e6c150eaa1e77fa86c03752a69aab
SHA256 c0449e22d924273fdb2ae62cb882108d5c16a3315ec013da5622bd2847cbf5e7
SHA3 760e312b705c1864d5ec5f09ecb7dc3756566712be1cc9cbd96f84a7912c3760
VirtualSize 0x87f4
VirtualAddress 0x1c000
SizeOfRawData 0x6a00
PointerToRawData 0x1ac00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 5.15553

.rsrc

MD5 01df312d956eeeb2aaf1b224edd63ce3
SHA1 636f40246f0a01a4303ae1f0a577815ba9496bbe
SHA256 41ef51ef1c31b5760994b26ac024002ed292b7c551fe1db733fbd4467e9f9fdb
SHA3 90dc901e9de1c7118717efa1d231f6362f0079e67814c392ca51f1a01e0c98b4
VirtualSize 0x1e0
VirtualAddress 0x25000
SizeOfRawData 0x200
PointerToRawData 0x21600
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 4.7123

.reloc

MD5 e90270abdaf9b6257dc40481f7dbc631
SHA1 06e80496641d2473f94914a53e9f1cc647f9f17d
SHA256 ea15629ca3d4fe3baa525ead65745938541d54d930851e8734b7c89b09b94817
SHA3 16356e1dc9920b358a93353020ee21abc799f127419415660c7afb812bde8511
VirtualSize 0x13a8
VirtualAddress 0x26000
SizeOfRawData 0x1400
PointerToRawData 0x21800
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Entropy 6.64868

Imports

KERNEL32.dll
OpenMutexW
GetSystemInfo
WaitForMultipleObjects
lstrcmpiW
GetUserDefaultUILanguage
DeleteCriticalSection
GetShortPathNameW
GetWindowsDirectoryW
GetVolumeInformationW
CreateThread
lstrcpyA
ExpandEnvironmentStringsW
GetTickCount
lstrcmpiA
Process32FirstW
Process32NextW
CreateToolhelp32Snapshot
LeaveCriticalSection
EnterCriticalSection
VirtualLock
FindFirstFileW
MoveFileExW
FindFirstFileExW
WideCharToMultiByte
lstrcmpW
FindClose
FindNextFileW
GetSystemTime
GetNativeSystemInfo
GetDriveTypeW
GetDiskFreeSpaceW
VirtualUnlock
VerSetConditionMask
VerifyVersionInfoW
SetLastError
LoadLibraryA
LocalAlloc
GetModuleHandleA
LocalFree
GlobalAlloc
MulDiv
GetTempPathW
GlobalFree
ConnectNamedPipe
CreateNamedPipeW
CreateEventW
GetCurrentProcessId
GetFullPathNameW
SetStdHandle
GetConsoleMode
GetConsoleCP
FlushFileBuffers
OutputDebugStringW
HeapAlloc
RtlUnwind
ExitThread
GetModuleFileNameW
VirtualAlloc
TerminateProcess
OpenProcess
InitializeCriticalSection
GetDriveTypeA
GetCommandLineA
GetProcessHeap
GetComputerNameW
WaitForSingleObject
SetErrorMode
GetSystemDefaultUILanguage
CreateMutexW
ExitProcess
lstrcpyW
lstrcatW
GetProcAddress
GetLastError
LoadLibraryW
GetSystemDirectoryW
GetModuleHandleW
GetCurrentProcess
LoadLibraryExW
VirtualQuery
MultiByteToWideChar
VirtualFree
lstrlenA
lstrlenW
CloseHandle
CreateFileW
ReadFile
Sleep
WriteFile
UnlockFile
SetFilePointerEx
GetStdHandle
LCMapStringW
IsDebuggerPresent
TlsSetValue
TlsGetValue
InitializeCriticalSectionAndSpinCount
SetUnhandledExceptionFilter
UnhandledExceptionFilter
GetStringTypeW
HeapFree
GetModuleHandleExW
IsProcessorFeaturePresent
IsValidCodePage
GetACP
GetOEMCP
GetCPInfo
GetCurrentThreadId
EncodePointer
DecodePointer
WriteConsoleW
USER32.dll
SystemParametersInfoW
ReleaseDC
GetDC
wsprintfA
wsprintfW
CreateWindowStationW
SetProcessWindowStation
DrawTextA
DrawTextW
FillRect
GetForegroundWindow
GDI32.dll
SetTextColor
DeleteDC
GetDeviceCaps
GetDIBits
SetBkColor
SetPixel
DeleteObject
SelectObject
CreateCompatibleDC
CreateCompatibleBitmap
CreateFontW
GetObjectW
GetPixel
GetStockObject
SetBitmapBits
CreateBitmap
GetBitmapBits
ADVAPI32.dll
GetTokenInformation
GetSidSubAuthorityCount
GetSidSubAuthority
OpenProcessToken
GetUserNameW
CryptDestroyKey
CryptGenKey
CryptEncrypt
CryptImportKey
CryptReleaseContext
CryptGetKeyParam
CryptAcquireContextW
CryptExportKey
RegSetValueExW
RegCloseKey
RegOpenKeyExW
RegQueryValueExW
RegCreateKeyExW
SHELL32.dll
ShellExecuteW
ShellExecuteExW
SHGetSpecialFolderPathW
ole32.dll
CoInitialize
CoCreateInstance
CoUninitialize
MPR.dll
WNetEnumResourceW
WNetCloseEnum
WNetOpenEnumW
WININET.dll
InternetOpenW
HttpOpenRequestW
HttpSendRequestW
HttpQueryInfoA
InternetCloseHandle
InternetConnectW
RPCRT4.dll
NdrClientCall2

Delayed Imports

1

Type RT_MANIFEST
Language English - United States
Codepage UNKNOWN
Size 0x17d
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 4.91161
MD5 1e4a89b11eae0fcf8bb5fdd5ec3b6f61
SHA1 4260284ce14278c397aaf6f389c1609b0ab0ce51
SHA256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df
SHA3 4bb9e8b5a714cae82782f3831cc2d45f4bf4a50a755fe584d2d1893129d68353

Version Info

TLS Callbacks

Load Configuration

Size 0x48
TimeDateStamp 1970-Jan-01 00:00:00
Version 0.0
GlobalFlagsClear (EMPTY)
GlobalFlagsSet (EMPTY)
CriticalSectionDefaultTimeout 0
DeCommitFreeBlockThreshold 0
DeCommitTotalFreeThreshold 0
LockPrefixTable 0
MaximumAllocationSize 0
VirtualMemoryThreshold 0
ProcessAffinityMask 0
ProcessHeapFlags (EMPTY)
CSDVersion 0
Reserved1 0
EditList 0
SecurityCookie 0x41ca50
SEHandlerTable 0
SEHandlerCount 0

RICH Header

XOR Key 0x898579ee
Unmarked objects 0
C++ objects (20806) 23
ASM objects (20806) 16
C objects (20806) 97
Imports (VS2008 SP1 build 30729) 19
Total imports 198
229 (VS2013 build 21005) 30
ASM objects (VS2013 build 21005) 3
Resource objects (VS2013 build 21005) 1
Linker (VS2013 build 21005) 1

Errors