a20156344fc4832ecc1b914f7de1a922

Summary

Architecture IMAGE_FILE_MACHINE_I386
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date 2019-May-06 18:42:41

Plugin Output

Info Matching compiler(s): Microsoft Visual C++ 6.0 - 8.0
Suspicious Strings found in the binary may indicate undesirable behavior: Miscellaneous malware strings:
  • cmd.exe
Info Cryptographic algorithms detected in the binary: Uses constants related to Blowfish
Suspicious The PE contains functions most legitimate programs don't use. [!] The program may be hiding some of its imports:
  • GetProcAddress
  • LoadLibraryExW
  • LoadLibraryW
Functions which can be used for anti-debugging purposes:
  • SwitchToThread
Possibly launches other programs:
  • ShellExecuteA
Memory manipulation functions often used by packers:
  • VirtualAlloc
  • VirtualProtect
Enumerates local disk drives:
  • GetVolumeInformationA
Malicious VirusTotal score: 32/71 (Scanned on 2019-05-09 05:44:19)
MicroWorld-eScan: Gen:Heur.Ransom.REntS.Gen.1
FireEye: Gen:Heur.Ransom.REntS.Gen.1
Qihoo-360: Win32/Trojan.Ransom.ec8
McAfee: Artemis!A20156344FC4
Malwarebytes: Ransom.JSWorm
K7AntiVirus: Riskware ( 0040eff71 )
K7GW: Riskware ( 0040eff71 )
Arcabit: Trojan.Ransom.REntS.Gen.1
TrendMicro: Trojan.Win32.SONBOKLI.USXVPE819
TrendMicro-HouseCall: Trojan.Win32.SONBOKLI.USXVPE819
Avast: FileRepMalware
Kaspersky: Trojan.Win32.DelShad.ec
BitDefender: Gen:Heur.Ransom.REntS.Gen.1
Paloalto: generic.ml
AegisLab: Trojan.Win32.Rents.4!c
Tencent: Win32.Trojan.Delshad.Lifx
Ad-Aware: Gen:Heur.Ransom.REntS.Gen.1
Sophos: Mal/Generic-S
DrWeb: Trojan.Encoder.28062
McAfee-GW-Edition: BehavesLike.Win32.Dropper.fh
Fortinet: W32/DelShad.EC!tr
Trapmine: malicious.moderate.ml.score
Emsisoft: Gen:Heur.Ransom.REntS.Gen.1 (B)
Cyren: W32/Trojan.MBYK-3909
Microsoft: Trojan:Win32/Tiggre!plock
ZoneAlarm: Trojan.Win32.DelShad.ec
ALYac: Trojan.Ransom.JSWorm
Rising: Trojan.Fuerboos!8.EFC8 (CLOUD)
GData: Gen:Heur.Ransom.REntS.Gen.1
AVG: FileRepMalware
Cybereason: malicious.44fc48
Panda: Trj/GdSda.A

Hashes

MD5 a20156344fc4832ecc1b914f7de1a922
SHA1 79c6c6215d2259cda68d40fcfa350971acb53158
SHA256 52389889be43b87d8b0aecc5fb74c84bd891eb3ce86731b081e51486378f58d2
SHA3 b5b244519b57d9ada2c03ad61e456da1040a6e4d7691c6c5e8f59fd1bc1a9d61
SSDeep 6144:4ia9go9bZPS+Us/g+IYHWCaHlF2qYPeYpj87DMi+FLgum+HoCx1j+ZAOzvz+yEF:4iCB9o+LQWW8GYpj87DMHFUAxh+ZRz+
Imports Hash 3f512906e2581e5b7d670d8eb6080d35

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0x108

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_I386
NumberofSections 4
TimeDateStamp 2019-May-06 18:42:41
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xe0
Characteristics IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE

Image Optional Header

Magic PE32
LinkerVersion 14.0
SizeOfCode 0x3f400
SizeOfInitializedData 0x4ee00
SizeOfUninitializedData 0
AddressOfEntryPoint 0x0000BA20 (Section: .text)
BaseOfCode 0x1000
BaseOfData 0x41000
ImageBase 0x400000
SectionAlignment 0x1000
FileAlignment 0x200
OperatingSystemVersion 6.0
ImageVersion 0.0
SubsystemVersion 6.0
Win32VersionValue 0
SizeOfImage 0x91000
SizeOfHeaders 0x400
Checksum 0
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
DllCharacteristics IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
SizeofStackReserve 0x100000
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

.text

MD5 b679e443655a90784dc10195944c157b
SHA1 253e357e3e485dc78377a2a026503d103ad68a13
SHA256 089ffce47640cf5ebb5f7c6471104ce449f9dddd3d91910e0d8ed980f56dbdcc
SHA3 affa7847259fa60ecb402fd4f4b3dc7cd7292031191b0d0e8f62b762480a8456
VirtualSize 0x3f285
VirtualAddress 0x1000
SizeOfRawData 0x3f400
PointerToRawData 0x400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
Entropy 6.64498

.rdata

MD5 80d5eef5e69a85bd1f903dbbf1f74555
SHA1 14ad98852993598cf14a8af25b09e55378143dae
SHA256 2ec6e977def8162902b978042fbc0b4abb1d17f15c40dad3f18fd5a9b61f66c8
SHA3 fd2d312ed14126d8745c283ee33e23b435f7137f2d9bf533cc9c71803eea96e5
VirtualSize 0x16994
VirtualAddress 0x41000
SizeOfRawData 0x16a00
PointerToRawData 0x3f800
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 5.53778

.data

MD5 649879ff7f8570243a72ba637d5e1c7e
SHA1 673ac80e4bd7e98aff1e73216cc8d1bd86ac61ed
SHA256 7d72783e403ae28714e092798611c57aa2f238ebb1afa20b0d9f4c9b26096fd4
SHA3 f88e589d669a5b7302074a606d4ee10d04aa856a2ed3b5fd904940bbc3a0db31
VirtualSize 0x34398
VirtualAddress 0x58000
SizeOfRawData 0x2400
PointerToRawData 0x56200
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 4.40407

.reloc

MD5 74d79871f61214198d85e00da33fe707
SHA1 5c54d3062d9b117d7724495b157ee3d685e1c4ba
SHA256 cfb0588c29c1a8c7b6220873cbfdf8de67ab2f3173e9ddfbb1855516d9d8f182
SHA3 4a787b61c4a99d55c1cedc676aaf15ef8b2c98fe18ccba6263e7e8f3b76e9de0
VirtualSize 0x3e58
VirtualAddress 0x8d000
SizeOfRawData 0x4000
PointerToRawData 0x58600
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Entropy 6.55869

Imports

KERNEL32.dll WriteFile
SetFilePointer
FindClose
CreateFileW
GetFileAttributesW
SetFileAttributesW
CloseHandle
lstrcmpiW
CreateMutexA
FindNextFileW
Sleep
GetLastError
GetModuleFileNameA
GetVolumeInformationA
MultiByteToWideChar
WideCharToMultiByte
MoveFileW
SetEndOfFile
GetFileSizeEx
FindFirstFileW
WriteConsoleW
HeapSize
WaitForSingleObject
ReadFile
EnterCriticalSection
LeaveCriticalSection
TryEnterCriticalSection
DeleteCriticalSection
GetCurrentThreadId
DuplicateHandle
WaitForSingleObjectEx
GetCurrentProcess
SwitchToThread
GetCurrentThread
GetExitCodeThread
QueryPerformanceCounter
SetLastError
InitializeCriticalSectionAndSpinCount
CreateEventW
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
GetSystemTimeAsFileTime
GetTickCount
GetModuleHandleW
GetProcAddress
EncodePointer
DecodePointer
CompareStringW
LCMapStringW
GetLocaleInfoW
GetStringTypeW
GetCPInfo
UnhandledExceptionFilter
SetUnhandledExceptionFilter
TerminateProcess
IsProcessorFeaturePresent
IsDebuggerPresent
GetStartupInfoW
GetCurrentProcessId
InitializeSListHead
CreateTimerQueue
SetEvent
SignalObjectAndWait
CreateThread
SetThreadPriority
GetThreadPriority
GetLogicalProcessorInformation
CreateTimerQueueTimer
ChangeTimerQueueTimer
DeleteTimerQueueTimer
GetNumaHighestNodeNumber
GetProcessAffinityMask
SetThreadAffinityMask
RegisterWaitForSingleObject
UnregisterWait
GetThreadTimes
FreeLibrary
FreeLibraryAndExitThread
GetModuleFileNameW
GetModuleHandleA
LoadLibraryExW
GetVersionExW
VirtualAlloc
VirtualProtect
VirtualFree
ReleaseSemaphore
InterlockedPopEntrySList
InterlockedPushEntrySList
InterlockedFlushSList
QueryDepthSList
UnregisterWaitEx
LoadLibraryW
RaiseException
RtlUnwind
ExitProcess
GetModuleHandleExW
ExitThread
GetStdHandle
GetCommandLineA
GetCommandLineW
SetFilePointerEx
GetFileType
FlushFileBuffers
GetConsoleCP
GetConsoleMode
HeapFree
HeapAlloc
IsValidLocale
GetUserDefaultLCID
EnumSystemLocalesW
ReadConsoleW
HeapReAlloc
FindFirstFileExW
IsValidCodePage
GetACP
GetOEMCP
GetEnvironmentStringsW
FreeEnvironmentStringsW
SetEnvironmentVariableW
GetProcessHeap
SetStdHandle
ADVAPI32.dll GetUserNameA
SHELL32.dll ShellExecuteA
IPHLPAPI.DLL GetAdaptersInfo

Delayed Imports

??0CBLOWFISH@@QAE@XZ

Ordinal 1
Address 0x6287

??1CBLOWFISH@@QAE@XZ

Ordinal 2
Address 0x6291

??4CBLOWFISH@@QAEAAV0@ABV0@@Z

Ordinal 3
Address 0x3043

?BlowFishRoundDecrypt@CBLOWFISH@@AAEXPAI0@Z

Ordinal 4
Address 0x648e

?BlowFishRoundEncrypt@CBLOWFISH@@AAEXPAI0@Z

Ordinal 5
Address 0x6407

?DecryptData@CBLOWFISH@@QAE_NPAEH0H@Z

Ordinal 6
Address 0x6595

?EncryptData@CBLOWFISH@@QAE_NPAEH0H@Z

Ordinal 7
Address 0x6515

?InitKey@CBLOWFISH@@QAE_NPAEH@Z

Ordinal 8
Address 0x6300

?KeyExpansion@CBLOWFISH@@AAEXXZ

Ordinal 9
Address 0x6317

?KeyMaxSize@CBLOWFISH@@QAEIXZ

Ordinal 10
Address 0x303d

?KeyMinSize@CBLOWFISH@@QAEIXZ

Ordinal 11
Address 0x2b00

?PBox@CBLOWFISH@@0QBIB

Ordinal 12
Address 0x50a38

?SBox@CBLOWFISH@@0QAY0BAA@$$CBIA

Ordinal 13
Address 0x50a80

?SetKey@CBLOWFISH@@AAE_NPAEH@Z

Ordinal 14
Address 0x62aa

?__autoclassinit2@CBLOWFISH@@QAEXI@Z

Ordinal 15
Address 0x3061

Version Info

IMAGE_DEBUG_TYPE_POGO

Characteristics 0
TimeDateStamp 2019-May-06 18:42:41
Version 0.0
SizeofData 804
AddressOfRawData 0x5458c
PointerToRawData 0x52d8c

IMAGE_DEBUG_TYPE_ILTCG

Characteristics 0
TimeDateStamp 2019-May-06 18:42:41
Version 0.0
SizeofData 0
AddressOfRawData 0
PointerToRawData 0

TLS Callbacks

Load Configuration

Size 0xa0
TimeDateStamp 1970-Jan-01 00:00:00
Version 0.0
GlobalFlagsClear (EMPTY)
GlobalFlagsSet (EMPTY)
CriticalSectionDefaultTimeout 0
DeCommitFreeBlockThreshold 0
DeCommitTotalFreeThreshold 0
LockPrefixTable 0
MaximumAllocationSize 0
VirtualMemoryThreshold 0
ProcessAffinityMask 0
ProcessHeapFlags (EMPTY)
CSDVersion 0
Reserved1 0
EditList 0
SecurityCookie 0x458068
SEHandlerTable 0x4543f0
SEHandlerCount 103

RICH Header

XOR Key 0x929a0ca0
Unmarked objects 0
ASM objects (26213) 18
C++ objects (26213) 175
C objects (26213) 23
ASM objects (VS 2015/2017 runtime 26706) 22
C++ objects (VS 2015/2017 runtime 26706) 120
C objects (VS 2015/2017 runtime 26706) 36
Imports (26213) 9
Total imports 138
265 (27030) 8
Exports (27030) 1
Linker (27030) 1

Errors