ab3f03b3366a72293c053f566509ebc5

Summary

Architecture IMAGE_FILE_MACHINE_I386
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date 2022-Sep-26 00:58:36

Plugin Output

Info Matching compiler(s): Microsoft Visual C++ 6.0 - 8.0
Info Libraries used to perform cryptographic operations: Microsoft's Cryptography API
Suspicious The PE is an NSIS installer (matched on the section name .ndata; check this rather than trust it, since the .ndata section here carries 0x2c00 bytes of raw data at entropy 7.97, i.e. compressed or encrypted content)
Suspicious Unusual section name found: .ndata
Malicious The PE contains functions mostly used by malware.
[!] The program may be hiding some of its imports:
  • GetProcAddress
  • LoadLibraryA
Functions which can be used for anti-debugging purposes:
  • CreateToolhelp32Snapshot
Can access the registry (RegisterHotKey is listed only because of its Reg prefix; it is the USER32 hotkey API, not a registry call):
  • RegisterHotKey
  • RegOpenKeyExA
  • RegQueryValueExA
  • RegCloseKey
Possibly launches other programs:
  • CreateProcessW
Uses Microsoft's cryptographic API:
  • CryptGenRandom
  • CryptDecrypt
  • CryptAcquireContextW
  • CryptSetKeyParam
  • CryptReleaseContext
  • CryptImportKey
  • CryptEncrypt
  • CryptDestroyKey
Can create temporary files:
  • CreateFileW
  • GetTempPathW
Functions related to the privilege level:
  • DuplicateTokenEx
  • OpenProcessToken
Enumerates local disk drives:
  • GetVolumeInformationW
  • GetDriveTypeW
Manipulates other processes:
  • Process32FirstW
  • Process32NextW
  • OpenProcess
Can take screenshots (the import table also carries CreateCompatibleBitmap and GetDIBits, the rest of the usual GDI capture chain):
  • GetDC
  • CreateCompatibleDC
Malicious VirusTotal score: 50/71 (Scanned on 2022-11-24 12:17:28)
Bkav: W32.AIDetect.malware2
Cynet: Malicious (score: 100)
ALYac: Gen:Variant.Ransom.Makop.50
Malwarebytes: Ransom.Phobos
VIPRE: Gen:Variant.Ransom.Makop.50
Sangfor: Trojan.Win32.Save.a
Cybereason: malicious.3366a7
VirIT: Ransom.Win32.Makop.DME
Symantec: Ransom.Makop!g1
Elastic: Windows.Ransomware.Makop
ESET-NOD32: a variant of Win32/Filecoder.Phobos.E
APEX: Malicious
ClamAV: Win.Trojan.Makop-9940824-0
Kaspersky: VHO:Trojan-Ransom.Win32.Convagent.gen
BitDefender: Gen:Variant.Ransom.Makop.50
NANO-Antivirus: Trojan.Win32.Makop.joefww
MicroWorld-eScan: Gen:Variant.Ransom.Makop.50
Avast: Win32:Fasec [Trj]
Rising: Ransom.Makop!8.11819 (TFE:4:rh5MfE0aAtH)
Ad-Aware: Gen:Variant.Ransom.Makop.50
TACHYON: Trojan/W32.Agent.50176.APE
Sophos: ML/PE-A
F-Secure: Heuristic.HEUR/AGEN.1213916
DrWeb: Trojan.Encoder.35067
Zillya: Trojan.Filecoder.Win32.21346
TrendMicro: Ransom.Win32.MAKOP.SMYXCBKT
McAfee-GW-Edition: BehavesLike.Win32.Dropper.ph
Trapmine: malicious.moderate.ml.score
FireEye: Generic.mg.ab3f03b3366a7229
Emsisoft: Gen:Variant.Ransom.Makop.50 (B)
Jiangmin: Trojan.Makop.m
Avira: HEUR/AGEN.1213916
Antiy-AVL: Trojan[Ransom]/Win32.Phobos
Microsoft: Trojan:Win32/Wacatac.B!ml
Arcabit: Trojan.Ransom.Makop.50
ZoneAlarm: VHO:Trojan-Ransom.Win32.Convagent.gen
GData: Gen:Variant.Ransom.Makop.50
Google: Detected
AhnLab-V3: Malware/Win.Generic.R459921
Acronis: suspicious
McAfee: GenericRXRF-JK!AB3F03B3366A
MAX: malware (ai score=89)
VBA32: BScope.TrojanSpy.Zbot
Cylance: Unsafe
Yandex: Trojan.Filecoder!dQ1UDw9XPGI
Fortinet: W32/FilecoderPhobos.E!tr.ransom
BitDefenderTheta: Gen:NN.ZexaF.34796.duW@aGszEio
AVG: Win32:Fasec [Trj]
Panda: Trj/GdSda.A
CrowdStrike: win/malicious_confidence_90% (D)

Hashes

MD5 ab3f03b3366a72293c053f566509ebc5
SHA1 9ba515ddea1a7abbaa01f491b39afe8a8256554d
SHA256 b08ba51136b2f4ff7a477735d05e91ccc09be3eacbd706331e4a81af7fc68940
SHA3 366f31dc8a45a91ac4cea78a85526f9cf4489622dbc0116c7e8ae654bb453836
SSDeep 768:MaQRffjB31aCytHLykiKPT3JATD2qBwV2ckjbnsb0Ah99De0YADaT2kyVDpxEl0:MaC318HxZATvnsblYOaT2kyVDpxESc
Imports Hash b7b88f9fba96375d4eebc5d049319af3

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0xe0

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_I386
NumberofSections 5
TimeDateStamp 2022-Sep-26 00:58:36
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xe0
Characteristics IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_RELOCS_STRIPPED

Image Optional Header

Magic PE32
LinkerVersion 8.0
SizeOfCode 0x8000
SizeOfInitializedData 0x18400
SizeOfUninitializedData 0
AddressOfEntryPoint 0x00006800 (Section: .text)
BaseOfCode 0x1000
BaseOfData 0x9000
ImageBase 0x400000
SectionAlignment 0x1000
FileAlignment 0x200
OperatingSystemVersion 4.0
ImageVersion 0.0
SubsystemVersion 4.0
Win32VersionValue 0
SizeOfImage 0x23000
SizeOfHeaders 0x400
Checksum 0
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
DllCharacteristics IMAGE_DLLCHARACTERISTICS_NO_SEH
SizeofStackReserve 0x100000
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

.text

MD5 fed323e1f8cc93c43324fe3daf48c225
SHA1 0216981cbcf8873255bc1527a8ecb70b8c79f5ce
SHA256 6f007d24a341d30d5850500b3a7e5cef5bb9b9be964b11e9efcf1eb23cc567ea
SHA3 056801e51c1bb476e13ab7c3a7cc8dfd7172c306a45c84e7a99ed1c696647030
VirtualSize 0x7f64
VirtualAddress 0x1000
SizeOfRawData 0x8000
PointerToRawData 0x400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
Entropy 6.40811

.rdata

MD5 84fdbb0b8121535a03407f9b456d2233
SHA1 35e28eaa115fa615080a9c14f3ec021db2805993
SHA256 43a14a27364b9deb23a3aba06da0eb1bda1084e33716809ae2663ac519f61d33
SHA3 9299261ad73f606a0b5a588ef1511f0bb518d61b4bd07d25feba17865abb9eec
VirtualSize 0xf5a
VirtualAddress 0x9000
SizeOfRawData 0x1000
PointerToRawData 0x8400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 5.09295

.data

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA3 a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a
VirtualSize 0x142bc
VirtualAddress 0xa000
SizeOfRawData 0
PointerToRawData 0
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.ndata

MD5 1502f8bc0f95adb275417bb70f0da3f5
SHA1 9989026fbd9f10d8da9ee370479b37aeebc050de
SHA256 3b68b83dd17088f0592176429d20241f6e4104cf940f38c197ea452b18d19b20
SHA3 a31f445579f45249027a7235b43123a89014bb429f120bd78c923bb745bbb6a1
VirtualSize 0x2ba1
VirtualAddress 0x1f000
SizeOfRawData 0x2c00
PointerToRawData 0x9400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 7.97112

.rsrc

MD5 73a2bb02e4e11acd158aade491362533
SHA1 75ed7a22bde6a1ddc72b70eedce38b6636f29aee
SHA256 3ba9ab7d9188cd81d763912a2d37959251b7a867976dffc662c8f592cedfe957
SHA3 8746c530bb521478844b6f903547c90d622517095d231175d751529c85e2f910
VirtualSize 0x2f8
VirtualAddress 0x22000
SizeOfRawData 0x400
PointerToRawData 0xc000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 2.3243
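
The section-level checks behind the entries above (raw size 0, high entropy, unusual section name, writable-and-executable flags), as an added Python example that is not part of this report or of the tool that produced it. It parses the PE section table directly with struct, so it needs no third-party library. The image it analyses is a constructed minimal PE32 with a low-entropy .text, an empty .data and a high-entropy .ndata, mirroring the pattern in this sample; the 7.0 entropy threshold and the list of "known" section names are assumptions.

```python
"""Reproduce the section-table checks from the report: raw size 0, high entropy,
unusual names, W+X sections. Pure Python, no pefile needed."""
import math
import struct
from collections import Counter

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
HIGH_ENTROPY = 7.0  # assumed threshold; the .ndata section in the report scores 7.97
KNOWN_SECTION_NAMES = {".text", ".rdata", ".data", ".rsrc", ".reloc", ".bss",
                       ".idata", ".edata", ".pdata", ".tls"}  # assumed "normal" names


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty input, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_sections(pe: bytes) -> list:
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, nsections, _ts, _symtab, _nsyms, opt_size, _chars = struct.unpack_from("<HHIIIHH", pe, coff)
    table = coff + 20 + opt_size  # section headers follow the optional header
    sections = []
    for i in range(nsections):
        (name, vsize, va, rawsize, rawptr,
         _preloc, _plines, _nreloc, _nlines, chars) = struct.unpack_from("<8sIIIIIIHHI", pe, table + 40 * i)
        raw = pe[rawptr:rawptr + rawsize] if rawsize else b""
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "vsize": vsize, "va": va, "rawsize": rawsize, "rawptr": rawptr,
            "chars": chars, "entropy": shannon_entropy(raw),
        })
    return sections


def section_findings(sections: list) -> list:
    """The same findings the report prints, derived from the parsed headers."""
    findings = []
    for s in sections:
        if s["rawsize"] == 0:
            findings.append(f"Warning: Section {s['name']} has a size of 0! "
                            f"(VirtualSize 0x{s['vsize']:x}, nothing on disk)")
        elif s["entropy"] >= HIGH_ENTROPY:
            findings.append(f"Section {s['name']} has entropy {s['entropy']:.2f}: "
                            "likely packed or encrypted")
        if s["name"] not in KNOWN_SECTION_NAMES:
            findings.append(f"Unusual section name found: {s['name']}")
        if s["chars"] & IMAGE_SCN_MEM_WRITE and s["chars"] & IMAGE_SCN_MEM_EXECUTE:
            findings.append(f"Section {s['name']} is writable and executable")
    return findings


def build_sample_pe() -> bytes:
    """Constructed PE32 image for the demo (not the analysed sample): three sections, no real code."""
    text_raw = b"\x55\x8b\xec\xc3" * 128   # four distinct bytes, equally frequent -> entropy 2.0
    packed_raw = bytes(range(256)) * 2     # every byte value twice -> entropy 8.0
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                           # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, 0xE0, 0x0102)  # i386, 3 sections, 0xe0 opt header
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                             # PE32 magic; rest unused here

    def hdr(name, vsize, va, rawsize, rawptr, chars):
        return struct.pack("<8sIIIIIIHHI", name, vsize, va, rawsize, rawptr, 0, 0, 0, 0, chars)

    table = (hdr(b".text", 0x200, 0x1000, 0x200, 0x200, 0x60000020)
             + hdr(b".data", 0x1000, 0x2000, 0, 0, 0xC0000040)        # no raw data, like the report's .data
             + hdr(b".ndata", 0x200, 0x3000, 0x200, 0x400, 0xC0000040))
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table).ljust(0x200, b"\0")
    return headers + text_raw + packed_raw


if __name__ == "__main__":
    for line in section_findings(parse_sections(build_sample_pe())):
        print(line)
```

Run against a real file, replace build_sample_pe() with open(path, "rb").read(); the entropy figures the report gives per section are exactly what shannon_entropy returns over each section's raw bytes.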

Imports

MPR.dll
  • WNetCloseEnum
  • WNetOpenEnumW
  • WNetEnumResourceW
KERNEL32.dll
  • ReadFile
  • CreateFileW
  • GetFileSizeEx
  • MoveFileW
  • SetFileAttributesW
  • HeapAlloc
  • GetCurrentProcess
  • HeapFree
  • GetProcessHeap
  • GlobalAlloc
  • GlobalFree
  • GetVersion
  • PeekNamedPipe
  • GetProcAddress
  • LoadLibraryA
  • GetComputerNameW
  • SetEvent
  • CreateEventW
  • TerminateThread
  • SetFilePointerEx
  • GetFileType
  • GetModuleHandleA
  • DuplicateHandle
  • GetCurrentProcessId
  • ExitProcess
  • GetModuleHandleW
  • CreatePipe
  • LocalFree
  • GetCommandLineW
  • GetEnvironmentVariableW
  • CreateProcessW
  • GetLocaleInfoW
  • GetModuleFileNameW
  • Process32FirstW
  • Process32NextW
  • CreateToolhelp32Snapshot
  • GetSystemWindowsDirectoryW
  • SetHandleInformation
  • GetTempPathW
  • GetTempFileNameW
  • CreateDirectoryW
  • GetStdHandle
  • WriteFile
  • Sleep
  • TryEnterCriticalSection
  • FindClose
  • GetLastError
  • GetFileAttributesW
  • GetLogicalDrives
  • WaitForSingleObject
  • CreateThread
  • GetVolumeInformationW
  • SetErrorMode
  • FindNextFileW
  • GetDriveTypeW
  • WaitForMultipleObjects
  • FindFirstFileW
  • TerminateProcess
  • DeleteCriticalSection
  • GetExitCodeProcess
  • LeaveCriticalSection
  • InitializeCriticalSection
  • EnterCriticalSection
  • CloseHandle
  • OpenProcess
USER32.dll
  • DialogBoxParamW
  • RegisterHotKey
  • PostMessageW
  • EndDialog
  • KillTimer
  • ShowWindow
  • wsprintfA
  • MessageBoxW
  • SetWindowTextA
  • SendMessageW
  • GetShellWindow
  • UnregisterHotKey
  • SetTimer
  • SetWindowTextW
  • GetWindowTextW
  • GetWindowTextLengthW
  • CloseClipboard
  • GetWindowTextA
  • EmptyClipboard
  • GetDlgItem
  • OpenClipboard
  • GetWindowThreadProcessId
  • ReleaseDC
  • SystemParametersInfoW
  • GetDC
  • DrawTextA
  • EnableWindow
  • SetClipboardData
  • wsprintfW
GDI32.dll
  • SetTextColor
  • DeleteDC
  • GetDeviceCaps
  • GetDIBits
  • CreateCompatibleDC
  • CreateCompatibleBitmap
  • CreateFontW
  • GetObjectW
  • DeleteObject
  • SelectObject
  • SetBkMode
ADVAPI32.dll
  • CryptGenRandom
  • RegOpenKeyExA
  • RegQueryValueExA
  • RegCloseKey
  • DuplicateTokenEx
  • OpenProcessToken
  • SetTokenInformation
  • GetTokenInformation
  • CryptDecrypt
  • CryptAcquireContextW
  • CryptSetKeyParam
  • CryptReleaseContext
  • CryptImportKey
  • CryptEncrypt
  • CryptDestroyKey
SHELL32.dll
  • #680 (imported by ordinal)
  • ShellExecuteExW
  • CommandLineToArgvW
  • SHBrowseForFolderW
  • SHGetPathFromIDListW
  • SHGetSpecialFolderPathW
ole32.dll
  • CoInitialize
  • CoTaskMemFree
  • CoUninitialize
MSIMG32.dll
  • GradientFill
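
Capability triage over an import table like the one above, plus the import hash, as an added Python example that is not part of this report or of the tool that produced it. Two things the plugin output does not show: the capability sets match exact API names, so USER32!RegisterHotKey no longer lands under "registry access", and the MPR.dll WNet* imports (network share enumeration, which the plugin output above does not call out) get their own bucket. The import dictionary is a constructed subset of the table above, so the imphash it yields will not equal the report's Imports Hash; that value is computed over the full table in import-directory order. The imphash normalisation follows the widely used pefile convention (lowercase, extension stripped, ordinals as "ordN", entries joined by commas, MD5); the capability sets and the "file-encryptor pattern" rule are assumptions.

```python
"""Capability triage over an import table, matched on exact API names, plus the
import hash (imphash) in the pefile convention."""
import hashlib

# Constructed subset of the import table listed above (DLL -> imported names; "#680" is an ordinal).
SAMPLE_IMPORTS = {
    "MPR.dll": ["WNetCloseEnum", "WNetOpenEnumW", "WNetEnumResourceW"],
    "KERNEL32.dll": ["GetProcAddress", "LoadLibraryA", "CreateToolhelp32Snapshot",
                     "Process32FirstW", "Process32NextW", "OpenProcess", "GetLogicalDrives",
                     "GetDriveTypeW", "FindFirstFileW", "FindNextFileW", "MoveFileW",
                     "CreateProcessW", "GetTempPathW"],
    "USER32.dll": ["RegisterHotKey", "GetDC"],
    "ADVAPI32.dll": ["CryptGenRandom", "RegOpenKeyExA", "RegQueryValueExA", "RegCloseKey",
                     "DuplicateTokenEx", "OpenProcessToken", "CryptAcquireContextW",
                     "CryptImportKey", "CryptEncrypt", "CryptDecrypt", "CryptDestroyKey"],
    "SHELL32.dll": ["#680", "ShellExecuteExW"],
}

# Assumed capability sets. Exact names on purpose: a "Reg*" prefix match would pull in
# USER32!RegisterHotKey, which is a hotkey API, not a registry one.
CAPABILITIES = {
    "dynamic import resolution": {"GetProcAddress", "LoadLibraryA", "LoadLibraryW", "LoadLibraryExW"},
    "process enumeration": {"CreateToolhelp32Snapshot", "Process32FirstW", "Process32NextW", "OpenProcess"},
    "registry access": {"RegOpenKeyExA", "RegOpenKeyExW", "RegQueryValueExA", "RegQueryValueExW",
                        "RegSetValueExA", "RegSetValueExW", "RegCloseKey"},
    "drive enumeration": {"GetLogicalDrives", "GetDriveTypeW", "GetVolumeInformationW"},
    "network share enumeration": {"WNetOpenEnumW", "WNetEnumResourceW", "WNetCloseEnum"},
    "file enumeration and renaming": {"FindFirstFileW", "FindNextFileW", "MoveFileW"},
    "CryptoAPI encryption": {"CryptAcquireContextW", "CryptImportKey", "CryptEncrypt", "CryptGenRandom"},
    "token manipulation": {"OpenProcessToken", "DuplicateTokenEx", "SetTokenInformation"},
    "process launch": {"CreateProcessW", "ShellExecuteExW"},
}

# Assumed escalation rule: encryption + file walking + drive enumeration is the file-encryptor shape.
RANSOMWARE_PATTERN = {"CryptoAPI encryption", "file enumeration and renaming", "drive enumeration"}


def triage(imports: dict) -> dict:
    """Map each capability to the imported names that triggered it; untriggered ones are omitted."""
    present = {name for names in imports.values() for name in names}
    return {cap: sorted(present & apis) for cap, apis in CAPABILITIES.items() if present & apis}


def looks_like_file_encryptor(imports: dict) -> bool:
    return RANSOMWARE_PATTERN <= set(triage(imports))


def imphash_string(imports: dict) -> str:
    """'lib.func' pairs, lowercased, in directory order; ordinal imports become 'ordN'."""
    parts = []
    for dll, names in imports.items():
        lib = dll.lower()
        for ext in (".dll", ".ocx", ".sys"):
            if lib.endswith(ext):
                lib = lib[: -len(ext)]
                break
        for name in names:
            func = "ord" + name[1:] if name.startswith("#") else name
            parts.append(f"{lib}.{func.lower()}")
    return ",".join(parts)


def imphash(imports: dict) -> str:
    return hashlib.md5(imphash_string(imports).encode("ascii")).hexdigest()


if __name__ == "__main__":
    for cap, apis in triage(SAMPLE_IMPORTS).items():
        print(f"{cap}: {', '.join(apis)}")
    print("file-encryptor pattern:", looks_like_file_encryptor(SAMPLE_IMPORTS))
    print("imphash of this subset:", imphash(SAMPLE_IMPORTS))
```

Because imphash depends on order and on every entry, two builds of the same source that only reorder or add imports hash differently; it is a pivot for clustering samples with identical linkers and import tables, not a substitute for the file hashes.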

Delayed Imports

Resources

101

Type RT_DIALOG
Language UNKNOWN
Codepage UNKNOWN
Size 0x294
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 3.11363
MD5 b66df34208d25f160ff7dd7d9b637e71
SHA1 a306a2bc2dcf750cd1422a1834196e407a329d98
SHA256 2a33c9e0b6ffdf3e4c670baa66e1bf02689f1beb8b68116c0b94e5b23591ce10
SHA3 06a8388403b1dc72ac71c5599a1ac02ad8acbd2d4fb5bb0416268537a16af5ef

Version Info

TLS Callbacks

Load Configuration

RICH Header

XOR Key 0xe96b138
Unmarked objects 0
ASM objects (VS2012 build 50727 / VS2005 build 50727) 4
Imports (VS2008 SP1 build 30729) 17
Total imports 133
114 (VS2012 build 50727 / VS2005 build 50727) 17
Resource objects (VS2012 build 50727 / VS2005 build 50727) 1
Linker (VS2012 build 50727 / VS2005 build 50727) 1

Errors

[*] Warning: Section .data has a size of 0! (VirtualSize 0x142bc but SizeOfRawData 0: the section is allocated at load time and has no bytes on disk, which is why its hashes above are those of empty input)