b7ad5f7ec71dc812b4771950671b192a

Summary

Architecture IMAGE_FILE_MACHINE_I386
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date 2020-Mar-17 20:33:10
Debug artifacts G:\aaaa\bbbb\cccc\dddd\eeee.pdb

Plugin Output

Info Matching compiler(s): Microsoft Visual C++ 6.0 - 8.0
Suspicious The PE contains functions most legitimate programs don't use. [!] The program may be hiding some of its imports:
  • GetProcAddress
  • LoadLibraryW
  • LoadLibraryA
  • LoadLibraryExW
Memory manipulation functions often used by packers:
  • VirtualAlloc
  • VirtualProtect
Malicious VirusTotal score: 37/71 (Scanned on 2020-03-25 16:16:29) MicroWorld-eScan: Trojan.GenericKD.42872102
McAfee: Artemis!B7AD5F7EC71D
Alibaba: Ransom:Win32/Cryptor.492dda55
K7GW: Riskware ( 0040eff71 )
K7AntiVirus: Riskware ( 0040eff71 )
Arcabit: Trojan.Generic.D28E2D26
Avast: Win32:Malware-gen
Kaspersky: Trojan-Ransom.Win32.Cryptor.ddu
BitDefender: Trojan.GenericKD.42872102
Paloalto: generic.ml
Tencent: Win32.Trojan.Cryptor.Pgwr
Ad-Aware: Trojan.GenericKD.42872102
Emsisoft: Trojan.GenericKD.42872102 (B)
DrWeb: Trojan.Encoder.31322
TrendMicro: Ransom.Win32.SEKHMET.A
McAfee-GW-Edition: Artemis!Trojan
Sophos: Mal/Generic-S
Cyren: W32/Trojan.KCGR-6380
Jiangmin: Trojan.Cryptor.ps
eGambit: Unsafe.AI_Score_94%
Fortinet: W32/Cryptor.DDU!tr.ransom
Antiy-AVL: Trojan[Ransom]/Win32.Cryptor
Endgame: malicious (high confidence)
Microsoft: Trojan:Win32/Occamy.C
AegisLab: Trojan.Win32.Cryptor.j!c
ZoneAlarm: Trojan-Ransom.Win32.Cryptor.ddu
TACHYON: Ransom/W32.Cryptor.709632
ALYac: Trojan.Ransom.Filecoder
MAX: malware (ai score=82)
ESET-NOD32: a variant of Generik.GYISLCY
TrendMicro-HouseCall: Ransom.Win32.SEKHMET.A
Rising: Ransom.Cryptor!8.10A9 (CLOUD)
Ikarus: Trojan.SuspectCRC
GData: Trojan.GenericKD.42872102
AVG: Win32:Malware-gen
Panda: Trj/GdSda.A
Qihoo-360: Win32/Trojan.Ransom.135

Hashes

MD5 b7ad5f7ec71dc812b4771950671b192a
SHA1 cf02d630465eaf009db8bcc8a0dd4242a1d2dd82
SHA256 0a739f4ec3d096010d0cd9fc0c0631f0b080cc2aad1f720fd1883737b6a6a952
SHA3 6a5d731cf1c266993394d8f9ef01aeb032e08ff36b57ee324733d48b82741695
SSDeep 12288:XEcAC948owAoT9eEoz6bN8Y1pZZ7Ll2oeP2HQ7q/jV4:01Ch+vOZ7h2om57q/p
Imports Hash 505285b5c7f1918326c961aae0b20a69

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0xf8

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_I386
NumberofSections 7
TimeDateStamp 2020-Mar-17 20:33:10
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xe0
Characteristics IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL
IMAGE_FILE_EXECUTABLE_IMAGE

Image Optional Header

Magic PE32
LinkerVersion 14.0
SizeOfCode 0x63e00
SizeOfInitializedData 0x4a800
SizeOfUninitializedData 0
AddressOfEntryPoint 0x00001460 (Section: .text)
BaseOfCode 0x1000
BaseOfData 0x65000
ImageBase 0x10000000
SectionAlignment 0x1000
FileAlignment 0x200
OperatingSystemVersion 6.0
ImageVersion 0.0
SubsystemVersion 6.0
Win32VersionValue 0
SizeOfImage 0xb2000
SizeOfHeaders 0x400
Checksum 0
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
DllCharacteristics IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
SizeofStackReserve 0x100000
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

.text

MD5 c0b58a0bf6d5752a7f9b6a3597403709
SHA1 dc15e2202c026cb8483f1369dfc2c348c2e302a1
SHA256 ebeff347afc1f71e65c33984ca70818325f8cd2adc749bbea7ddf09cf42067b7
SHA3 98c8e384c260870478723e5d61e60927d5b588e23a3b2178f9779e0cfaefabe6
VirtualSize 0x63d09
VirtualAddress 0x1000
SizeOfRawData 0x63e00
PointerToRawData 0x400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
Entropy 5.8575

.rdata

MD5 b5b7969bfee12efd305591e3c5189bd9
SHA1 894064caea3df495262b052b43f5dbe4462b2359
SHA256 40717c55e12f33fc9843d40d4f4dd2fdce5f10a4147f3a35158fe7dc9773340e
SHA3 7f80a515e02dbca3bccd5282e3d94402cc531af6cd94e11da9053dbadb384c44
VirtualSize 0xac58
VirtualAddress 0x65000
SizeOfRawData 0xae00
PointerToRawData 0x64200
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 3.96458

.data

MD5 638e9159e0f3487a8b6827ba8334dc8f
SHA1 207184e66477d5534762b0c2c85edcd4c0d3f681
SHA256 ca33c8710f6632548df28c48baf8e227f5e1d81edaa5b7aa458a0e5ed7dc06f9
SHA3 268e8d6ec24111b730f3af1cdb4698381550fe6ff30bd30426bc92fe54b075c0
VirtualSize 0x3b34c
VirtualAddress 0x70000
SizeOfRawData 0x39e00
PointerToRawData 0x6f000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 5.63235

.idata

MD5 34cd92498ff22105850d398d2cddd791
SHA1 ab31c41ab5c13d21d7c533631cccf33960e409e6
SHA256 8ab73fdce613c28d88ec92838d3b11e3fb7fb594e09d33032d58f1d2ce7f7ae6
SHA3 4074b5da5373b0184a93de4e66e92c670289ed3f5f5738a67f11ef7591c7d446
VirtualSize 0xc98
VirtualAddress 0xac000
SizeOfRawData 0xe00
PointerToRawData 0xa8e00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 4.45989

.gfids

MD5 164b28db79dd2521227a18c132f1994b
SHA1 e0851e1d107fe1f68e75aa171183b1383c78ee45
SHA256 b2c977dab11ee73774e575e727db20065a162687c002cb62558ddc3123b8ac05
SHA3 8d84caee2957cb4d9701ddbd42a7f14c90999010d024465e9c2b8f96c5f93803
VirtualSize 0x406
VirtualAddress 0xad000
SizeOfRawData 0x600
PointerToRawData 0xa9c00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 1.38298

.00cfg

MD5 0d00d0c92ceb2a6baaf31e8420c68ed4
SHA1 6034fddc4ea501f8f9c91da28218cbc53fb9a5bf
SHA256 79110c1749b7757d23f05332910f427f72d34faa5c4eb8649d59e4710b495962
SHA3 8432829de7f954690c5d93bc9b8151165b640e186f984f900bbc546de38627d8
VirtualSize 0x104
VirtualAddress 0xae000
SizeOfRawData 0x200
PointerToRawData 0xaa200
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 0.0611629

.reloc

MD5 f8903cb0dbfaa8a3de118ed1d515be65
SHA1 d331ab69440353f1d94c13f24650cc9b2b259439
SHA256 0775b6cd6adab818e416ba18a7e86191563159879ae7104eb2cca86cba800616
SHA3 2666f6c44550a1365109ab863335ec080ebba44ccba6b5228cddcac3186e1df4
VirtualSize 0x2ffd
VirtualAddress 0xaf000
SizeOfRawData 0x3000
PointerToRawData 0xaa400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Entropy 6.02857

Imports

KERNEL32.dll VirtualAlloc
Sleep
GetProcAddress
LoadLibraryW
CreateFileW
VirtualQuery
VirtualFree
VirtualProtect
GetCurrentProcess
FlushInstructionCache
LoadLibraryA
IsBadReadPtr
FreeLibrary
lstrcmpA
QueryPerformanceCounter
GetCurrentProcessId
GetCurrentThreadId
GetSystemTimeAsFileTime
InitializeSListHead
IsDebuggerPresent
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetStartupInfoW
IsProcessorFeaturePresent
GetModuleHandleW
TerminateProcess
InterlockedPushEntrySList
InterlockedFlushSList
RaiseException
RtlUnwind
GetLastError
SetLastError
EnterCriticalSection
LeaveCriticalSection
DeleteCriticalSection
InitializeCriticalSectionAndSpinCount
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
LoadLibraryExW
ExitProcess
GetModuleHandleExW
GetModuleFileNameA
GetModuleFileNameW
MultiByteToWideChar
WideCharToMultiByte
HeapFree
HeapAlloc
GetCurrentThread
GetDateFormatW
GetTimeFormatW
CompareStringW
LCMapStringW
GetLocaleInfoW
IsValidLocale
GetUserDefaultLCID
EnumSystemLocalesW
FindClose
FindFirstFileExA
FindFirstFileExW
FindNextFileA
FindNextFileW
IsValidCodePage
GetACP
GetOEMCP
GetCPInfo
GetCommandLineA
GetCommandLineW
GetEnvironmentStringsW
FreeEnvironmentStringsW
SetEnvironmentVariableA
SetEnvironmentVariableW
GetProcessHeap
GetStdHandle
GetFileType
SetConsoleCtrlHandler
GetStringTypeW
HeapSize
HeapReAlloc
SetStdHandle
WriteFile
FlushFileBuffers
GetConsoleCP
GetConsoleMode
SetFilePointerEx
OutputDebugStringA
OutputDebugStringW
CloseHandle
WaitForSingleObjectEx
CreateThread
WriteConsoleW
EncodePointer
DecodePointer

Delayed Imports

DllInstall

Ordinal 1
Address 0x2dbf

DllRegisterServer

Ordinal 2
Address 0x1573

DllUnregisterServer

Ordinal 3
Address 0x2158

Version Info

IMAGE_DEBUG_TYPE_CODEVIEW

Characteristics 0
TimeDateStamp 2020-Mar-17 20:33:10
Version 0.0
SizeofData 56
AddressOfRawData 0x6eb90
PointerToRawData 0x6dd90
Referenced File G:\aaaa\bbbb\cccc\dddd\eeee.pdb

IMAGE_DEBUG_TYPE_VC_FEATURE

Characteristics 0
TimeDateStamp 2020-Mar-17 20:33:10
Version 0.0
SizeofData 20
AddressOfRawData 0x6ebc8
PointerToRawData 0x6ddc8

TLS Callbacks

Load Configuration

Size 0x5c
TimeDateStamp 1970-Jan-01 00:00:00
Version 0.0
GlobalFlagsClear (EMPTY)
GlobalFlagsSet (EMPTY)
CriticalSectionDefaultTimeout 0
DeCommitFreeBlockThreshold 0
DeCommitTotalFreeThreshold 0
LockPrefixTable 0
MaximumAllocationSize 0
VirtualMemoryThreshold 0
ProcessAffinityMask 0
ProcessHeapFlags (EMPTY)
CSDVersion 0
Reserved1 0
EditList 0
SecurityCookie 0x100a9038
SEHandlerTable 0x1006ea80
SEHandlerCount 3

RICH Header

XOR Key 0x840b13da
Unmarked objects 0
241 (40116) 9
243 (40116) 117
242 (40116) 24
ASM objects (VS2015 UPD3 build 24123) 17
C++ objects (VS2015 UPD3 build 24123) 27
C objects (VS2015 UPD3 build 24123) 15
Imports (65501) 3
Total imports 94
Unmarked objects (#2) 3
Exports (VS2015 UPD3 build 24210) 1
Linker (VS2015 UPD3 build 24210) 1

Errors

<-- -->