Architecture | IMAGE_FILE_MACHINE_I386 | |
---|---|---|
Subsystem | IMAGE_SUBSYSTEM_WINDOWS_GUI | |
Compilation Date | 2022-Sep-26 00:58:36 | |
Info | Matching compiler(s): | Microsoft Visual C++ 6.0 - 8.0 |
Info | Libraries used to perform cryptographic operations: | Microsoft's Cryptography API |
Suspicious | The PE is an NSIS installer | Unusual section name found: .ndata |
Malicious | The PE contains functions mostly used by malware. | [!] The program may be hiding some of its imports: |
Malicious | VirusTotal score: 50/71 (Scanned on 2022-11-24 12:17:28) | Per-engine detections listed below |

- Bkav: W32.AIDetect.malware2
- Cynet: Malicious (score: 100)
- ALYac: Gen:Variant.Ransom.Makop.50
- Malwarebytes: Ransom.Phobos
- VIPRE: Gen:Variant.Ransom.Makop.50
- Sangfor: Trojan.Win32.Save.a
- Cybereason: malicious.3366a7
- VirIT: Ransom.Win32.Makop.DME
- Symantec: Ransom.Makop!g1
- Elastic: Windows.Ransomware.Makop
- ESET-NOD32: a variant of Win32/Filecoder.Phobos.E
- APEX: Malicious
- ClamAV: Win.Trojan.Makop-9940824-0
- Kaspersky: VHO:Trojan-Ransom.Win32.Convagent.gen
- BitDefender: Gen:Variant.Ransom.Makop.50
- NANO-Antivirus: Trojan.Win32.Makop.joefww
- MicroWorld-eScan: Gen:Variant.Ransom.Makop.50
- Avast: Win32:Fasec [Trj]
- Rising: Ransom.Makop!8.11819 (TFE:4:rh5MfE0aAtH)
- Ad-Aware: Gen:Variant.Ransom.Makop.50
- TACHYON: Trojan/W32.Agent.50176.APE
- Sophos: ML/PE-A
- F-Secure: Heuristic.HEUR/AGEN.1213916
- DrWeb: Trojan.Encoder.35067
- Zillya: Trojan.Filecoder.Win32.21346
- TrendMicro: Ransom.Win32.MAKOP.SMYXCBKT
- McAfee-GW-Edition: BehavesLike.Win32.Dropper.ph
- Trapmine: malicious.moderate.ml.score
- FireEye: Generic.mg.ab3f03b3366a7229
- Emsisoft: Gen:Variant.Ransom.Makop.50 (B)
- Jiangmin: Trojan.Makop.m
- Avira: HEUR/AGEN.1213916
- Antiy-AVL: Trojan[Ransom]/Win32.Phobos
- Microsoft: Trojan:Win32/Wacatac.B!ml
- Arcabit: Trojan.Ransom.Makop.50
- ZoneAlarm: VHO:Trojan-Ransom.Win32.Convagent.gen
- GData: Gen:Variant.Ransom.Makop.50
- Google: Detected
- AhnLab-V3: Malware/Win.Generic.R459921
- Acronis: suspicious
- McAfee: GenericRXRF-JK!AB3F03B3366A
- MAX: malware (ai score=89)
- VBA32: BScope.TrojanSpy.Zbot
- Cylance: Unsafe
- Yandex: Trojan.Filecoder!dQ1UDw9XPGI
- Fortinet: W32/FilecoderPhobos.E!tr.ransom
- BitDefenderTheta: Gen:NN.ZexaF.34796.duW@aGszEio
- AVG: Win32:Fasec [Trj]
- Panda: Trj/GdSda.A
- CrowdStrike: win/malicious_confidence_90% (D)
e_magic | MZ |
---|---|
e_cblp | 0x90 |
e_cp | 0x3 |
e_crlc | 0 |
e_cparhdr | 0x4 |
e_minalloc | 0 |
e_maxalloc | 0xffff |
e_ss | 0 |
e_sp | 0xb8 |
e_csum | 0 |
e_ip | 0 |
e_cs | 0 |
e_ovno | 0 |
e_oemid | 0 |
e_oeminfo | 0 |
e_lfanew | 0xe0 |
Signature | PE |
---|---|
Machine | IMAGE_FILE_MACHINE_I386 |
NumberofSections | 5 |
TimeDateStamp | 2022-Sep-26 00:58:36 |
PointerToSymbolTable | 0 |
NumberOfSymbols | 0 |
SizeOfOptionalHeader | 0xe0 |
Characteristics | IMAGE_FILE_32BIT_MACHINE, IMAGE_FILE_EXECUTABLE_IMAGE, IMAGE_FILE_RELOCS_STRIPPED |
Magic | PE32 |
---|---|
LinkerVersion | 8.0 |
SizeOfCode | 0x8000 |
SizeOfInitializedData | 0x18400 |
SizeOfUninitializedData | 0 |
AddressOfEntryPoint | 0x00006800 (Section: .text) |
BaseOfCode | 0x1000 |
BaseOfData | 0x9000 |
ImageBase | 0x400000 |
SectionAlignment | 0x1000 |
FileAlignment | 0x200 |
OperatingSystemVersion | 4.0 |
ImageVersion | 0.0 |
SubsystemVersion | 4.0 |
Win32VersionValue | 0 |
SizeOfImage | 0x23000 |
SizeOfHeaders | 0x400 |
Checksum | 0 |
Subsystem | IMAGE_SUBSYSTEM_WINDOWS_GUI |
DllCharacteristics | IMAGE_DLLCHARACTERISTICS_NO_SEH |
SizeofStackReserve | 0x100000 |
SizeofStackCommit | 0x1000 |
SizeofHeapReserve | 0x100000 |
SizeofHeapCommit | 0x1000 |
LoaderFlags | 0 |
NumberOfRvaAndSizes | 16 |
MPR.dll | WNetCloseEnum, WNetOpenEnumW, WNetEnumResourceW |
---|---|
KERNEL32.dll | ReadFile, CreateFileW, GetFileSizeEx, MoveFileW, SetFileAttributesW, HeapAlloc, GetCurrentProcess, HeapFree, GetProcessHeap, GlobalAlloc, GlobalFree, GetVersion, PeekNamedPipe, GetProcAddress, LoadLibraryA, GetComputerNameW, SetEvent, CreateEventW, TerminateThread, SetFilePointerEx, GetFileType, GetModuleHandleA, DuplicateHandle, GetCurrentProcessId, ExitProcess, GetModuleHandleW, CreatePipe, LocalFree, GetCommandLineW, GetEnvironmentVariableW, CreateProcessW, GetLocaleInfoW, GetModuleFileNameW, Process32FirstW, Process32NextW, CreateToolhelp32Snapshot, GetSystemWindowsDirectoryW, SetHandleInformation, GetTempPathW, GetTempFileNameW, CreateDirectoryW, GetStdHandle, WriteFile, Sleep, TryEnterCriticalSection, FindClose, GetLastError, GetFileAttributesW, GetLogicalDrives, WaitForSingleObject, CreateThread, GetVolumeInformationW, SetErrorMode, FindNextFileW, GetDriveTypeW, WaitForMultipleObjects, FindFirstFileW, TerminateProcess, DeleteCriticalSection, GetExitCodeProcess, LeaveCriticalSection, InitializeCriticalSection, EnterCriticalSection, CloseHandle, OpenProcess |
USER32.dll | DialogBoxParamW, RegisterHotKey, PostMessageW, EndDialog, KillTimer, ShowWindow, wsprintfA, MessageBoxW, SetWindowTextA, SendMessageW, GetShellWindow, UnregisterHotKey, SetTimer, SetWindowTextW, GetWindowTextW, GetWindowTextLengthW, CloseClipboard, GetWindowTextA, EmptyClipboard, GetDlgItem, OpenClipboard, GetWindowThreadProcessId, ReleaseDC, SystemParametersInfoW, GetDC, DrawTextA, EnableWindow, SetClipboardData, wsprintfW |
GDI32.dll | SetTextColor, DeleteDC, GetDeviceCaps, GetDIBits, CreateCompatibleDC, CreateCompatibleBitmap, CreateFontW, GetObjectW, DeleteObject, SelectObject, SetBkMode |
ADVAPI32.dll | CryptGenRandom, RegOpenKeyExA, RegQueryValueExA, RegCloseKey, DuplicateTokenEx, OpenProcessToken, SetTokenInformation, GetTokenInformation, CryptDecrypt, CryptAcquireContextW, CryptSetKeyParam, CryptReleaseContext, CryptImportKey, CryptEncrypt, CryptDestroyKey |
SHELL32.dll | #680, ShellExecuteExW, CommandLineToArgvW, SHBrowseForFolderW, SHGetPathFromIDListW, SHGetSpecialFolderPathW |
ole32.dll | CoInitialize, CoTaskMemFree, CoUninitialize |
MSIMG32.dll | GradientFill |
XOR Key | 0xe96b138 |
---|---|
Unmarked objects | 0 |
ASM objects (VS2012 build 50727 / VS2005 build 50727) | 4 |
Imports (VS2008 SP1 build 30729) | 17 |
Total imports | 133 |
114 (VS2012 build 50727 / VS2005 build 50727) | 17 |
Resource objects (VS2012 build 50727 / VS2005 build 50727) | 1 |
Linker (VS2012 build 50727 / VS2005 build 50727) | 1 |