Manalyze report for ab70755be8d2525c4d74f9e80f979386

Summary

Architecture	`IMAGE_FILE_MACHINE_I386`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	2019-Nov-02 10:09:05
Detected languages	English - United States

Plugin Output

Suspicious	The PE is possibly packed.	`The PE only has 4 import(s).`
Malicious	VirusTotal score: 57/70 (Scanned on 2019-11-05 09:27:46)	`MicroWorld-eScan: Win32.Virlock.Gen.8` `VBA32: Virus.PolyRansom.k` `FireEye: Generic.mg.ab70755be8d2525c` `CAT-QuickHeal: Ransom.PolyRansom.F3` `ALYac: Win32.Virlock.Gen.8` `Malwarebytes: Ransom.VirLock` `K7AntiVirus: Trojan ( 0052b3dd1 )` `K7GW: Trojan ( 0052b3dd1 )` `Cybereason: malicious.be8d25` `Arcabit: Win32.Virlock.Gen.8` `TrendMicro: PE_VIRLOCK.K` `Baidu: Win32.Virus.Virlock.e` `F-Prot: W32/S-c1bd2b76!Eldorado` `Symantec: W32.Virlock!inf3` `APEX: Malicious` `Avast: Win32:Cryptor` `ClamAV: Win.Virus.Virlock-6332874-0` `Kaspersky: HEUR:Trojan.Win32.Generic` `BitDefender: Win32.Virlock.Gen.8` `NANO-Antivirus: Virus.Win32.Virlock.dsdros` `ViRobot: Trojan.Win32.Virlock.Gen.A` `Tencent: Virus.Win32.VirLocker.ja` `Endgame: malicious (high confidence)` `Emsisoft: Win32.Virlock.Gen.8 (B)` `Comodo: Virus.Win32.VirLock.GA@7lv9go` `F-Secure: Trojan.TR/Crypt.ZPACK.Gen` `DrWeb: Win32.VirLock.16` `VIPRE: Virus.Win32.Nabucur.c (v)` `Invincea: heuristic` `McAfee-GW-Edition: BehavesLike.Win32.VirRansom.tc` `MaxSecure: Virus.PolyRansom.b` `Trapmine: malicious.high.ml.score` `Sophos: W32/VirRnsm-F` `Cyren: W32/S-c1bd2b76!Eldorado` `Webroot: W32.Malware.gen` `Avira: TR/Crypt.ZPACK.Gen` `Fortinet: W32/Virlock.J` `Microsoft: Trojan:Win32/Nabucur.AA` `ZoneAlarm: HEUR:Trojan.Win32.Generic` `TACHYON: Virus/W32.VirRansom.B` `AhnLab-V3: Win32/Nabucur.D` `Acronis: suspicious` `McAfee: Trojan-FQZC!AB70755BE8D2` `MAX: malware (ai score=82)` `Ad-Aware: Win32.Virlock.Gen.8` `Cylance: Unsafe` `ESET-NOD32: a variant of Win32/Virlock.J` `TrendMicro-HouseCall: PE_VIRLOCK.K` `Rising: Malware.Undefined!8.C (TFE:2:F9oTcQmkAMJ)` `SentinelOne: DFI - Malicious PE` `eGambit: Unsafe.AI_Score_99%` `GData: Win32.Virlock.Gen.8` `BitDefenderTheta: AI:FileInfector.394B29A813` `AVG: Win32:Cryptor` `Panda: Trj/Genetic.gen` `CrowdStrike: win/malicious_confidence_100% (D)` `Qihoo-360: HEUR/QVM20.1.052B.Malware.Gen`

Hashes

MD5	`ab70755be8d2525c4d74f9e80f979386`
SHA1	`382f5bce36ba05242569e5a24166472de85c7a1a`
SHA256	`9fa039cb520a3e37aca6dd1a6124b65366930469112b0ee59e901f75da2eb93b`
SHA3	`012af96a541aacb6be5b8525aa359a00fcfe42d41d8d6c6625411f8de4878d9b`
SSDeep	`24576:xHchz6vspWjxWbO/Q+mB9+GoksMoQpphyc9YNiGj+KHU3q0QbCRJmhRNMSuZo+i:xHcp6vspSxWbKQHBkfkslGpQ8YNiGj5`
Imports Hash	`7983265fef5982537cc862d7253624b4`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0xb0`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_I386`
NumberofSections	`4`
TimeDateStamp	2019-Nov-02 10:09:05
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xe0`
Characteristics	`IMAGE_FILE_32BIT_MACHINE` `IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LINE_NUMS_STRIPPED` `IMAGE_FILE_LOCAL_SYMS_STRIPPED` `IMAGE_FILE_RELOCS_STRIPPED`

Image Optional Header

Magic	`PE32`
LinkerVersion	`5.0`
SizeOfCode	`0x88a00`
SizeOfInitializedData	`0xcf200`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x00001000 (Section: .text)`
BaseOfCode	`0x1000`
BaseOfData	`0x8a000`
ImageBase	`0x400000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`4.0`
ImageVersion	`0.0`
SubsystemVersion	`4.0`
Win32VersionValue	`0`
SizeOfImage	`0x15c000`
SizeOfHeaders	`0x600`
Checksum	`0`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`7949d17b555b573bd431161a2854c3b3`
SHA1	`6ef98312b1aa050be90cef74a9e0e4ee75cf0656`
SHA256	`70c091a8dddd8e5c688b00d03deb4f134c4527259168e971d6ac65d30e0fecad`
SHA3	`70d68f69c3e29a2d1e8e41ae014c6b313301b01b95962cf8e0096959967efa04`
VirtualSize	`0x89000`
VirtualAddress	`0x1000`
SizeOfRawData	`0x88a00`
PointerToRawData	`0x600`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`7.1847`

.rdata

MD5	`015b7c3c2562c7c6052f93501f95b3d8`
SHA1	`4c83c4b450788e1e93b1d313b8d64cc7530fb95d`
SHA256	`beb9aad35e631740da10141b605fec69c7a2d5bc0aac61dd11ed7a40c3bceae9`
SHA3	`1673e13ce831f9f00d3d5fbaa9f5571ac7a3e14556fcb5d90b36f1d0ddb12818`
VirtualSize	`0x1000`
VirtualAddress	`0x8a000`
SizeOfRawData	`0x200`
PointerToRawData	`0x89000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`2.11046`

.data

MD5	`ae9a0f35c57f8d007480aac8fd7d5bcc`
SHA1	`3bcdd77295e4733ba403ae6b9c5c86a1f6469d35`
SHA256	`97321506e214d391933f76d01daa9e31fbae8e0ed547c2041225428310c2ac4f`
SHA3	`ee41af04518981a035e9b7ee71c62ec8dd2a698aab01d889e07f97b94ed0850f`
VirtualSize	`0xcf000`
VirtualAddress	`0x8b000`
SizeOfRawData	`0xcf000`
PointerToRawData	`0x89200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`7.78126`

.rsrc

MD5	`cde328219e656fce4c04af073c87cfaa`
SHA1	`ad73156f0111681fd029d619ac2c53b5b085e7f3`
SHA256	`fe2b8b20da2447a2874a81fe221c1533ba920238db913fe76c31348b9e07e091`
SHA3	`6d7e229439fa223e3ccd44d503c94d5a517974e6b344cb0b549f9e39324fd094`
VirtualSize	`0x1200`
VirtualAddress	`0x15a000`
SizeOfRawData	`0x1200`
PointerToRawData	`0x158200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_LOCKED` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`5.97754`

Imports

kernel32.dll	`VirtualAlloc`
user32.dll	`GetProcessWindowStation` `GetClipboardOwner` `GetShellWindow`

Delayed Imports

1

Type	`RT_ICON`
Language	English - United States
Codepage	Latin 1 / Western European
Size	`0x10a8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`6.22413`
MD5	`3499ac8142dc912a1a3340d35f339ad7`
SHA1	`f419d256668db1860e9bf09827ce96a81f1fa14c`
SHA256	`beb0af303ee34c9d6641ce2fb77c5b159f609330e67710e53a35c49c2e2f71f3`
SHA3	`156916fe5806e85df81f5a3d62c9e63311d737ca43c00c289284ee82b9e8c2ec`

1 (#2)

Type	`RT_GROUP_ICON`
Language	English - United States
Codepage	Latin 1 / Western European
Size	`0x14`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`1.94375`
Detected Filetype	Icon file
MD5	`aaba260d0fffc1b1f8ca91cf14ebb086`
SHA1	`f9303169a79d768cd2877c896611d8523c80f945`
SHA256	`bd7b891000b776021bd2d3790a165561c6134cea734f0d70a52a9b9c0b363321`
SHA3	`c71b97c34a1b8d59396b2dc78a1e5c5cce90da1de42d4cd98e168d9cb151bf8e`

Version Info

TLS Callbacks

Load Configuration

RICH Header

XOR Key	`0xd4f1ae19`
Unmarked objects	`0`
19 (8078)	`10`
18 (8444)	`1`

ab70755be8d2525c4d74f9e80f979386

Summary

Plugin Output

Hashes

DOS Header

PE Header

Image Optional Header

.text

.rdata

.data

.rsrc

Imports

Delayed Imports

1

1 (#2)

Version Info

TLS Callbacks

Load Configuration

RICH Header

Errors