Property | Value
---|---
Architecture | IMAGE_FILE_MACHINE_I386
Subsystem | IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date | 2018-Oct-26 08:47:08
Detected languages | English - United States

Level | Finding | Details
---|---|---
Info | Matching compiler(s) | Microsoft Visual C++ 6.0 - 8.0
Suspicious | Strings found in the binary may indicate undesirable behavior | Contains references to security software
Info | Libraries used to perform cryptographic operations | Microsoft's Cryptography API
Malicious | The PE contains functions mostly used by malware | The program may be hiding some of its imports
Malicious | VirusTotal score: 57/70 (scanned on 2019-02-06 05:26:48) | Per-engine detections are listed in the table below

The signature-based compiler match (Visual C++ 6.0 - 8.0) is a generic heuristic. LinkerVersion 12.0 in the optional header and the Rich header entries (VS2013 build 21005) both point to Visual Studio 2013, which is the more reliable attribution of the toolchain.

Engine | Detection
---|---
MicroWorld-eScan | Trojan.Ransom.GandCrab.W
CAT-QuickHeal | Trojan.Mauvaise.SL1
ALYac | Trojan.Ransom.GandCrab
Malwarebytes | Ransom.GandCrab
SUPERAntiSpyware | Ransom.GandCrab/Variant
K7GW | Trojan ( 00536ba11 )
K7AntiVirus | Trojan ( 00536ba11 )
Invincea | heuristic
NANO-Antivirus | Trojan.Win32.GandCrypt.fjrarj
F-Prot | W32/S-02398261!Eldorado
Symantec | Ransom.GandCrab!g4
TrendMicro-HouseCall | Ransom.Win32.GANDCRAB.SMK
Paloalto | generic.ml
ClamAV | Win.Ransomware.Gandcrab-6667060-0
Kaspersky | Trojan-Ransom.Win32.GandCrypt.fbd
BitDefender | Trojan.Ransom.GandCrab.W
Avast | Win32:RansomX-gen [Ransom]
Tencent | Win32.Trojan.Raas.Auto
Ad-Aware | Trojan.Ransom.GandCrab.W
Emsisoft | Trojan.Ransom.GandCrab.W (B)
Comodo | TrojWare.Win32.Gandcrab.AA@7w10qu
F-Secure | Heuristic.HEUR/AGEN.1036379
DrWeb | Trojan.Encoder.26667
Zillya | Trojan.GandCrypt.Win32.1154
TrendMicro | Ransom.Win32.GANDCRAB.SMK
McAfee-GW-Edition | BehavesLike.Win32.ExploitDcomRpc.ch
Trapmine | suspicious.low.ml.score
SentinelOne | static engine - malicious
Cyren | W32/Trojan.TYMS-0759
Webroot | W32.Malware.gen
Avira | HEUR/AGEN.1036379
Fortinet | W32/GandCrab.D!tr
Antiy-AVL | Trojan[Ransom]/Win32.GandCrypt
Endgame | malicious (high confidence)
Arcabit | Trojan.Ransom.GandCrab.W
ViRobot | Trojan.Win32.Agent.142336.AE
ZoneAlarm | Trojan-Ransom.Win32.GandCrypt.fbd
Microsoft | Ransom:Win32/Gandcrab.AW!bit
TACHYON | Ransom/W32.GandCrab.142336
Sophos | Mal/GandCrab-E
AhnLab-V3 | Trojan/Win32.Gandcrab.R247471
Acronis | suspicious
McAfee | Ran-GandCrabv4!9CEA364F372F
MAX | malware (ai score=100)
VBA32 | BScope.TrojanRansom.Cryptor
Cylance | Unsafe
Zoner | Trojan.Win32.71452
ESET-NOD32 | Win32/Filecoder.GandCrab.D
Rising | Trojan.Filecoder!1.B42B (CLOUD)
Yandex | Trojan.GandCrypt!
Ikarus | Trojan-Ransom.GandCrab
GData | Trojan.Ransom.GandCrab.W
AVG | Win32:RansomX-gen [Ransom]
Cybereason | malicious.f372f2
Panda | Trj/Genetic.gen
CrowdStrike | malicious_confidence_100% (W)
Qihoo-360 | Win32/Trojan.Ransom.ffd
DOS header field | Value
---|---
e_magic | MZ
e_cblp | 0x90
e_cp | 0x3
e_crlc | 0
e_cparhdr | 0x4
e_minalloc | 0
e_maxalloc | 0xffff
e_ss | 0
e_sp | 0xb8
e_csum | 0
e_ip | 0
e_cs | 0
e_ovno | 0
e_oemid | 0
e_oeminfo | 0
e_lfanew | 0xe8
PE header field | Value
---|---
Signature | PE
Machine | IMAGE_FILE_MACHINE_I386
NumberOfSections | 5
TimeDateStamp | 2018-Oct-26 08:47:08
PointerToSymbolTable | 0
NumberOfSymbols | 0
SizeOfOptionalHeader | 0xe0
Characteristics | IMAGE_FILE_32BIT_MACHINE, IMAGE_FILE_EXECUTABLE_IMAGE
Optional header field | Value
---|---
Magic | PE32
LinkerVersion | 12.0
SizeOfCode | 0x13c00
SizeOfInitializedData | 0x10a00
SizeOfUninitializedData | 0
AddressOfEntryPoint | 0x00006229 (Section: .text)
BaseOfCode | 0x1000
BaseOfData | 0x15000
ImageBase | 0x400000
SectionAlignment | 0x1000
FileAlignment | 0x200
OperatingSystemVersion | 5.1
ImageVersion | 0.0
SubsystemVersion | 5.1
Win32VersionValue | 0
SizeOfImage | 0x28000
SizeOfHeaders | 0x400
Checksum | 0
Subsystem | IMAGE_SUBSYSTEM_WINDOWS_GUI
DllCharacteristics | IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE, IMAGE_DLLCHARACTERISTICS_NX_COMPAT, IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
SizeOfStackReserve | 0x100000
SizeOfStackCommit | 0x1000
SizeOfHeapReserve | 0x100000
SizeOfHeapCommit | 0x1000
LoaderFlags | 0
NumberOfRvaAndSizes | 16
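The three tables above are what a PE parser recovers by following e_lfanew from the DOS header to the PE signature, the COFF file header and the PE32 optional header. The following is an added example, not part of this report or of the tool that produced it: it builds a header-only byte string from the values reported above (the DOS stub, section table and data directories are zero-filled placeholders, and the timestamp is the reported date as a Unix epoch) and parses it with the bounds checks a parser needs when the input is hostile, since e_lfanew, SizeOfOptionalHeader and AddressOfEntryPoint all come from the file.

```python
import struct
from datetime import datetime, timezone

IMAGE_DOS_SIGNATURE = 0x5A4D        # "MZ"
IMAGE_NT_SIGNATURE = 0x00004550     # "PE\0\0"
IMAGE_NT_OPTIONAL_HDR32_MAGIC = 0x10B

# Bit -> name tables (a subset of the flags defined in winnt.h).
CHARACTERISTICS = {
    0x0002: "IMAGE_FILE_EXECUTABLE_IMAGE",
    0x0100: "IMAGE_FILE_32BIT_MACHINE",
    0x2000: "IMAGE_FILE_DLL",
}
DLL_CHARACTERISTICS = {
    0x0040: "IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE",
    0x0100: "IMAGE_DLLCHARACTERISTICS_NX_COMPAT",
    0x0400: "IMAGE_DLLCHARACTERISTICS_NO_SEH",
    0x8000: "IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE",
}
SUBSYSTEMS = {1: "IMAGE_SUBSYSTEM_NATIVE", 2: "IMAGE_SUBSYSTEM_WINDOWS_GUI",
              3: "IMAGE_SUBSYSTEM_WINDOWS_CUI"}

COFF_FMT = "<HHIIIHH"              # 20 bytes: Machine .. Characteristics
OPTIONAL32_FMT = "<HBB9I6H4I2H6I"  # 96 bytes: Magic .. NumberOfRvaAndSizes


def flag_names(value, table):
    """Expand a flags word into names; bits the table does not name stay as hex."""
    names = [name for bit, name in sorted(table.items()) if value & bit]
    leftover = value & ~sum(table)
    if leftover:
        names.append(f"0x{leftover:04x}")
    return names


def parse_pe_headers(data):
    """DOS header -> e_lfanew -> PE signature -> COFF header -> PE32 optional header.

    Every offset taken from the file is bounds-checked before it is dereferenced."""
    if len(data) < 0x40 or struct.unpack_from("<H", data, 0)[0] != IMAGE_DOS_SIGNATURE:
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 4 + struct.calcsize(COFF_FMT) > len(data):
        raise ValueError("e_lfanew points outside the file")
    if struct.unpack_from("<I", data, e_lfanew)[0] != IMAGE_NT_SIGNATURE:
        raise ValueError("missing PE signature at e_lfanew")
    machine, nsections, timestamp, _, _, opt_size, characteristics = \
        struct.unpack_from(COFF_FMT, data, e_lfanew + 4)
    opt_off = e_lfanew + 4 + struct.calcsize(COFF_FMT)
    if opt_size < struct.calcsize(OPTIONAL32_FMT) or opt_off + opt_size > len(data):
        raise ValueError("optional header truncated")
    opt = struct.unpack_from(OPTIONAL32_FMT, data, opt_off)
    if opt[0] != IMAGE_NT_OPTIONAL_HDR32_MAGIC:
        raise ValueError(f"not a PE32 image (Magic=0x{opt[0]:x})")
    entry, size_of_image = opt[6], opt[19]
    if entry >= size_of_image:
        raise ValueError("AddressOfEntryPoint lies outside the mapped image")
    return {
        "e_lfanew": e_lfanew,
        "Machine": machine,
        "NumberOfSections": nsections,
        "TimeDateStamp": datetime.fromtimestamp(timestamp, tz=timezone.utc)
                                 .strftime("%Y-%m-%d %H:%M:%S"),
        "Characteristics": flag_names(characteristics, CHARACTERISTICS),
        "LinkerVersion": f"{opt[1]}.{opt[2]}",
        "AddressOfEntryPoint": entry,
        "ImageBase": opt[9],
        "SizeOfImage": size_of_image,
        "Checksum": opt[21],
        "Subsystem": SUBSYSTEMS.get(opt[22], hex(opt[22])),
        "DllCharacteristics": flag_names(opt[23], DLL_CHARACTERISTICS),
        "NumberOfRvaAndSizes": opt[29],
    }


def is_well_formed(data):
    """True when the headers parse; malformed input is rejected, not guessed at."""
    try:
        parse_pe_headers(data)
        return True
    except ValueError:
        return False


def build_sample():
    """Constructed input: headers only, filled with the values from the tables above."""
    dos = struct.pack("<H", IMAGE_DOS_SIGNATURE) + b"\x00" * 58 + struct.pack("<I", 0xE8)
    stub = b"\x00" * (0xE8 - len(dos))   # the DOS stub and Rich header live here in a real file
    coff = struct.pack(COFF_FMT, 0x14C, 5, 1540543628, 0, 0, 0xE0, 0x0102)
    opt = struct.pack(OPTIONAL32_FMT, 0x10B, 12, 0, 0x13C00, 0x10A00, 0, 0x6229, 0x1000,
                      0x15000, 0x400000, 0x1000, 0x200, 5, 1, 0, 0, 5, 1, 0, 0x28000,
                      0x400, 0, 2, 0x8140, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    return dos + stub + b"PE\x00\x00" + coff + opt + b"\x00" * 128   # 16 empty data directories


SAMPLE = build_sample()

if __name__ == "__main__":
    for field, value in parse_pe_headers(SAMPLE).items():
        print(f"{field:22} {value}")
```

The parser refuses an e_lfanew that points past the end of the file and an entry point outside SizeOfImage rather than indexing blindly; both fields are routinely corrupted in crafted samples to crash or confuse naive tooling.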
DLL | Imported functions
---|---
KERNEL32.dll | OpenMutexW, GetSystemInfo, WaitForMultipleObjects, lstrcmpiW, GetUserDefaultUILanguage, DeleteCriticalSection, GetShortPathNameW, GetWindowsDirectoryW, GetVolumeInformationW, CreateThread, lstrcpyA, ExpandEnvironmentStringsW, GetTickCount, lstrcmpiA, Process32FirstW, Process32NextW, CreateToolhelp32Snapshot, LeaveCriticalSection, EnterCriticalSection, VirtualLock, FindFirstFileW, MoveFileExW, FindFirstFileExW, WideCharToMultiByte, lstrcmpW, FindClose, FindNextFileW, GetSystemTime, GetNativeSystemInfo, GetDriveTypeW, GetDiskFreeSpaceW, VirtualUnlock, VerSetConditionMask, VerifyVersionInfoW, SetLastError, LoadLibraryA, LocalAlloc, GetModuleHandleA, LocalFree, GlobalAlloc, MulDiv, GetTempPathW, GlobalFree, ConnectNamedPipe, CreateNamedPipeW, CreateEventW, GetCurrentProcessId, GetFullPathNameW, SetStdHandle, GetConsoleMode, GetConsoleCP, FlushFileBuffers, OutputDebugStringW, HeapAlloc, RtlUnwind, ExitThread, GetModuleFileNameW, VirtualAlloc, TerminateProcess, OpenProcess, InitializeCriticalSection, GetDriveTypeA, GetCommandLineA, GetProcessHeap, GetComputerNameW, WaitForSingleObject, SetErrorMode, GetSystemDefaultUILanguage, CreateMutexW, ExitProcess, lstrcpyW, lstrcatW, GetProcAddress, GetLastError, LoadLibraryW, GetSystemDirectoryW, GetModuleHandleW, GetCurrentProcess, LoadLibraryExW, VirtualQuery, MultiByteToWideChar, VirtualFree, lstrlenA, lstrlenW, CloseHandle, CreateFileW, ReadFile, Sleep, WriteFile, UnlockFile, SetFilePointerEx, GetStdHandle, LCMapStringW, IsDebuggerPresent, TlsSetValue, TlsGetValue, InitializeCriticalSectionAndSpinCount, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetStringTypeW, HeapFree, GetModuleHandleExW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, GetCurrentThreadId, EncodePointer, DecodePointer, WriteConsoleW
USER32.dll | SystemParametersInfoW, ReleaseDC, GetDC, wsprintfA, wsprintfW, CreateWindowStationW, SetProcessWindowStation, DrawTextA, DrawTextW, FillRect, GetForegroundWindow
GDI32.dll | SetTextColor, DeleteDC, GetDeviceCaps, GetDIBits, SetBkColor, SetPixel, DeleteObject, SelectObject, CreateCompatibleDC, CreateCompatibleBitmap, CreateFontW, GetObjectW, GetPixel, GetStockObject, SetBitmapBits, CreateBitmap, GetBitmapBits
ADVAPI32.dll | GetTokenInformation, GetSidSubAuthorityCount, GetSidSubAuthority, OpenProcessToken, GetUserNameW, CryptDestroyKey, CryptGenKey, CryptEncrypt, CryptImportKey, CryptReleaseContext, CryptGetKeyParam, CryptAcquireContextW, CryptExportKey, RegSetValueExW, RegCloseKey, RegOpenKeyExW, RegQueryValueExW, RegCreateKeyExW
SHELL32.dll | ShellExecuteW, ShellExecuteExW, SHGetSpecialFolderPathW
ole32.dll | CoInitialize, CoCreateInstance, CoUninitialize
MPR.dll | WNetEnumResourceW, WNetCloseEnum, WNetOpenEnumW
WININET.dll | InternetOpenW, HttpOpenRequestW, HttpSendRequestW, HttpQueryInfoA, InternetCloseHandle, InternetConnectW
RPCRT4.dll | NdrClientCall2
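The "functions mostly used by malware" finding in the summary is produced by matching the static import table against capability groups. No single API in the table above is damning (CryptEncrypt, FindFirstFileW and CreateMutexW all appear in ordinary software); what matters is the combination of key generation and encryption, local and network-share file enumeration, process enumeration with TerminateProcess, a mutex, an HTTP client and a UI-language check in one small GUI executable. The following is an added example of that kind of triage rule, written for this page and not taken from Manalyze or any vendor: the capability groups, minimum-hit counts, weights and verdict thresholds are this example's own assumptions, and the IMPORTS dictionary is a constructed subset of the table above.

```python
# Constructed input: a subset of the import table reported above, grouped by DLL.
IMPORTS = {
    "KERNEL32.dll": [
        "OpenMutexW", "CreateMutexW", "FindFirstFileW", "FindNextFileW", "GetDriveTypeW",
        "CreateToolhelp32Snapshot", "Process32FirstW", "Process32NextW", "OpenProcess",
        "TerminateProcess", "LoadLibraryA", "GetProcAddress", "GetUserDefaultUILanguage",
        "IsDebuggerPresent", "MoveFileExW", "WriteFile",
    ],
    "ADVAPI32.dll": [
        "CryptAcquireContextW", "CryptGenKey", "CryptEncrypt", "CryptExportKey",
        "CryptImportKey", "RegCreateKeyExW", "RegSetValueExW",
    ],
    "MPR.dll": ["WNetOpenEnumW", "WNetEnumResourceW"],
    "WININET.dll": ["InternetOpenW", "InternetConnectW", "HttpOpenRequestW", "HttpSendRequestW"],
    "SHELL32.dll": ["ShellExecuteW"],
}

# capability -> (APIs that implement it, how many must be present, weight).
# The groupings and weights are this example's assumptions, not a vendor rule set.
CAPABILITIES = {
    "crypto_keygen_encrypt": ({"CryptAcquireContextW", "CryptGenKey", "CryptEncrypt",
                               "CryptImportKey", "CryptExportKey"}, 3, 3),
    "file_enumeration": ({"FindFirstFileW", "FindFirstFileExW", "FindNextFileW",
                          "GetDriveTypeW", "GetLogicalDrives"}, 2, 2),
    "network_share_enumeration": ({"WNetOpenEnumW", "WNetEnumResourceW"}, 2, 2),
    "process_enumeration_and_kill": ({"CreateToolhelp32Snapshot", "Process32FirstW",
                                      "Process32NextW", "OpenProcess", "TerminateProcess"}, 3, 2),
    "single_instance_mutex": ({"CreateMutexW", "OpenMutexW"}, 1, 1),
    "http_client": ({"InternetOpenW", "InternetConnectW", "HttpOpenRequestW",
                     "HttpSendRequestW"}, 3, 1),
    "dynamic_import_resolution": ({"LoadLibraryA", "LoadLibraryW", "GetProcAddress"}, 2, 1),
    "locale_check": ({"GetUserDefaultUILanguage", "GetSystemDefaultUILanguage",
                      "GetKeyboardLayoutList"}, 1, 1),
    "registry_write": ({"RegCreateKeyExW", "RegSetValueExW"}, 2, 1),
}


def triage_imports(imports):
    """Score an import table ({dll: [function, ...]}) against CAPABILITIES.

    Returns the matched capabilities with the APIs that triggered them, a weighted
    score, a verdict, and analyst notes. The verdict keys on the combination of
    key generation/encryption with file enumeration, because each alone is common
    in benign software; the score alone only reaches "suspicious"."""
    present = {name for names in imports.values() for name in names}
    hits, score = {}, 0
    for capability, (apis, minimum, weight) in CAPABILITIES.items():
        matched = sorted(apis & present)
        if len(matched) >= minimum:
            hits[capability] = matched
            score += weight
    if "crypto_keygen_encrypt" in hits and "file_enumeration" in hits:
        verdict = "ransomware-like"
    elif score >= 4:
        verdict = "suspicious"
    else:
        verdict = "low"
    notes = []
    if "dynamic_import_resolution" in hits:
        # LoadLibrary + GetProcAddress means the real API surface can be resolved
        # at run time; the static table is then only a lower bound on capability.
        notes.append("static import table is a lower bound: imports may be resolved at run time")
    if "locale_check" in hits:
        notes.append("UI-language query present: check for locale-based execution gating")
    return {"score": score, "verdict": verdict, "capabilities": hits, "notes": notes}


if __name__ == "__main__":
    result = triage_imports(IMPORTS)
    print(result["verdict"], result["score"])
    for capability, apis in result["capabilities"].items():
        print(f"  {capability}: {', '.join(apis)}")
    for note in result["notes"]:
        print("  note:", note)
```

A table reduced to LoadLibraryA and GetProcAddress scores low by these rules while still producing the "lower bound" note; that is the case the summary's hidden-imports warning is about, and it is why a low static score must not be read as a clean result.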
Load configuration field | Value
---|---
Size | 0x48
TimeDateStamp | 1970-Jan-01 00:00:00
Version | 0.0
GlobalFlagsClear | (EMPTY)
GlobalFlagsSet | (EMPTY)
CriticalSectionDefaultTimeout | 0
DeCommitFreeBlockThreshold | 0
DeCommitTotalFreeThreshold | 0
LockPrefixTable | 0
MaximumAllocationSize | 0
VirtualMemoryThreshold | 0
ProcessAffinityMask | 0
ProcessHeapFlags | (EMPTY)
CSDVersion | 0
Reserved1 | 0
EditList | 0
SecurityCookie | 0x41ca50
SEHandlerTable | 0
SEHandlerCount | 0
Rich header | Value
---|---
XOR Key | 0x898579ee

Rich header entry | Count
---|---
Unmarked objects | 0
C++ objects (20806) | 23
ASM objects (20806) | 16
C objects (20806) | 97
Imports (VS2008 SP1 build 30729) | 19
Total imports | 198
229 (VS2013 build 21005) | 30
ASM objects (VS2013 build 21005) | 3
Resource objects (VS2013 build 21005) | 1
Linker (VS2013 build 21005) | 1
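The Rich header table is recovered by locating the "Rich" marker in the DOS stub, reading the dword after it as the XOR key (0x898579ee here), and XOR-decrypting backwards until the "DanS" marker appears; each decrypted pair is a @comp.id (product id in the high 16 bits, build number in the low 16) and an object count. The key is not arbitrary: it is a checksum over the DOS header bytes preceding the header (with e_lfanew excluded) and over the entries themselves, so recomputing it detects a Rich header that was copied from another binary or edited to fake a toolchain. The following is an added example, not code from the report or its tool, that decodes such a block and recomputes the key following the published checksum algorithm. The product ids in ENTRIES are placeholders (the mapping of ids to product names is a separate table this example does not carry); the build numbers and counts are taken from the table above, and the page's key is reused only as a deliberately wrong key for the constructed stub.

```python
import struct
from itertools import cycle

DANS = 0x536E6144   # "DanS" read as a little-endian dword
RICH = b"Rich"


def rol32(value, n):
    n &= 31
    return ((value << n) | (value >> (32 - n))) & 0xFFFFFFFF


def rich_key(data, dans_offset, raw_entries):
    """Recompute the XOR key: offset of DanS, plus every preceding byte rotated by
    its index (skipping e_lfanew at 0x3C..0x3F), plus each compid rotated by its count."""
    checksum = dans_offset
    for i in range(dans_offset):
        if 0x3C <= i < 0x40:
            continue
        checksum += rol32(data[i], i)
    for compid, count in raw_entries:
        checksum += rol32(compid, count)
    return checksum & 0xFFFFFFFF


def parse_rich_header(data):
    """Return offset, key, key validity and (prodid, build, count) entries, or None."""
    if len(data) < 0x40:
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    rich_off = data.rfind(RICH, 0, min(e_lfanew, len(data)))
    if rich_off < 0 or rich_off + 8 > len(data):
        return None
    key = struct.unpack_from("<I", data, rich_off + 4)[0]
    dans_off = data.rfind(struct.pack("<I", DANS ^ key), 0x40, rich_off)
    if dans_off < 0 or (rich_off - dans_off) % 8 != 0:
        raise ValueError("Rich marker present but DanS marker missing or misaligned")
    key_bytes = struct.pack("<I", key)
    plain = bytes(b ^ k for b, k in zip(data[dans_off:rich_off], cycle(key_bytes)))
    words = struct.unpack(f"<{len(plain) // 4}I", plain)
    raw_entries = list(zip(words[4::2], words[5::2]))   # skip DanS and 3 padding dwords
    return {
        "offset": dans_off,
        "key": key,
        "key_valid": rich_key(data, dans_off, raw_entries) == key,
        "entries": [(compid >> 16, compid & 0xFFFF, count) for compid, count in raw_entries],
    }


def build_sample(entries, key_override=None):
    """Constructed DOS header + 64-byte stand-in stub + Rich header + PE signature.
    With key_override the block is encrypted under a key that does not match the
    checksum, which is what a transplanted or hand-edited Rich header looks like."""
    prefix = struct.pack("<H", 0x5A4D) + b"\x00" * 62 + b"\x00" * 64
    raw_entries = [((prodid << 16) | build, count) for prodid, build, count in entries]
    key = key_override if key_override is not None else rich_key(prefix, len(prefix), raw_entries)
    body = struct.pack("<4I", DANS ^ key, key, key, key)      # DanS + three zero paddings
    for compid, count in raw_entries:
        body += struct.pack("<II", compid ^ key, count ^ key)
    body += RICH + struct.pack("<I", key) + b"\x00" * 8
    sample = bytearray(prefix + body + b"PE\x00\x00")
    sample[0x3C:0x40] = struct.pack("<I", len(prefix) + len(body))   # e_lfanew
    return bytes(sample)


# Product ids are placeholders; builds and counts come from the table above.
ENTRIES = [(0x01, 0, 198), (0x9D, 20806, 97), (0xE0, 21005, 1)]

if __name__ == "__main__":
    for label, sample in (("genuine", build_sample(ENTRIES)),
                          ("forged", build_sample(ENTRIES, key_override=0x898579EE))):
        info = parse_rich_header(sample)
        print(label, hex(info["key"]), "valid" if info["key_valid"] else "INVALID", info["entries"])
```

The forged sample decodes to exactly the same entries as the genuine one, so a tool that only decrypts and tabulates would report an identical toolchain for both; only the key recomputation tells them apart. The compiler attribution in the tables above is therefore worth trusting only after this check passes on the real file.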