b971580ef1199b29ea32b394546052c2

Summary

Architecture IMAGE_FILE_MACHINE_I386
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date 2019-May-05 17:26:43
Detected languages English - United States

Plugin Output

Suspicious The PE is possibly packed. The PE only has 0 import(s).
Malicious VirusTotal score: 61/70 (Scanned on 2020-01-22 16:16:31) MicroWorld-eScan: Win32.Virlock.Gen.5
FireEye: Generic.mg.b971580ef1199b29
CAT-QuickHeal: Ransom.PolyRansom.B2
McAfee: W32/VirRansom
ALYac: Win32.Virlock.Gen.5
Cylance: Unsafe
VIPRE: Virus.Win32.Nabucur.a (v)
SUPERAntiSpyware: Trojan.Agent/Gen-Crypt
Sangfor: Malware
K7AntiVirus: Virus ( 0040f99f1 )
Alibaba: Virus:Win32/NabucurObfs.c9d0f27a
K7GW: Virus ( 0040f99f1 )
Cybereason: malicious.ef1199
Arcabit: Win32.Virlock.Gen.5
Invincea: heuristic
BitDefenderTheta: AI:FileInfector.47FA551513
F-Prot: W32/A-eb557c81!Eldorado
TotalDefense: Win32/Nabucur.B
Baidu: Win32.Virus.Virlock.a
APEX: Malicious
Avast: Win32:VirLock
ClamAV: BC.Win.Virus.Ransom-9157.B
Kaspersky: Virus.Win32.PolyRansom.a
BitDefender: Win32.Virlock.Gen.5
NANO-Antivirus: Trojan.Win32.PolyRansom.exypia
Paloalto: generic.ml
AegisLab: Virus.Win32.PolyRansom.n!c
Rising: Malware.Heuristic!ET#100% (RDMK:cmRtazq3tjV46OADZmUfitY/70qS)
Endgame: malicious (high confidence)
Sophos: W32/VirRnsm-A
Comodo: Packed.Win32.Graybird.B@5hgpd5
F-Secure: Trojan.TR/Crypt.XPACK.Gen7
DrWeb: Win32.VirLock.4
Zillya: Virus.PolyRansom.Win32.2
TrendMicro: PE_VIRLOCK.E
McAfee-GW-Edition: BehavesLike.Win32.VirRansom.tc
Emsisoft: Win32.Virlock.Gen.5 (B)
SentinelOne: DFI - Malicious PE
Cyren: W32/A-eb557c81!Eldorado
Fortinet: W32/Virlock.K
Antiy-AVL: Virus/Win32.PolyRansom.a
Microsoft: Trojan:Win32/NabucurObfs
ZoneAlarm: Virus.Win32.PolyRansom.a
TACHYON: Virus/W32.VirRansom.C
AhnLab-V3: Win32/Nabucur.B
Acronis: suspicious
VBA32: Virus.VirLock
MAX: malware (ai score=100)
Ad-Aware: Win32.Virlock.Gen.5
Malwarebytes: Trojan.VirLock
Zoner: Packer.Win32.Virlock
ESET-NOD32: a variant of Win32/Virlock.C
TrendMicro-HouseCall: PE_VIRLOCK.E
Tencent: Virus.Win32.Polyransom.a
Ikarus: Trojan.Win32.Cryptor
eGambit: Unsafe.AI_Score_100%
GData: Win32.Virlock.Gen.5
AVG: Win32:VirLock
Panda: Trj/Genetic.gen
CrowdStrike: win/malicious_confidence_100% (W)
Qihoo-360: Virus.Win32.VirLock.E

Hashes

MD5 b971580ef1199b29ea32b394546052c2
SHA1 38f4d01b2c803b3d4d2c436be38cdc6990ac4fe6
SHA256 0001886ff549e5211428fb117a752cf87afadc556fc12cea5f7ba54bfc4663db
SHA3 a6300ed50971c55f9f19ca8c2b4becbb93c635b8d03e5bfdce7fce9ce91863ab
SSDeep 24576:cmfs+SS4hechg1cyXwqFk3pMwplFamVWTbwoN:nfs+h4hdIK5FfamVEV
Imports Hash d41d8cd98f00b204e9800998ecf8427e

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0xb0

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_I386
NumberofSections 2
TimeDateStamp 2019-May-05 17:26:43
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xe0
Characteristics IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_RELOCS_STRIPPED

Image Optional Header

Magic PE32
LinkerVersion 5.0
SizeOfCode 0x1a1600
SizeOfInitializedData 0x1200
SizeOfUninitializedData 0
AddressOfEntryPoint 0x0019F85E (Section: .text)
BaseOfCode 0x1000
BaseOfData 0x1a3000
ImageBase 0x400000
SectionAlignment 0x1000
FileAlignment 0x200
OperatingSystemVersion 4.0
ImageVersion 0.0
SubsystemVersion 4.0
Win32VersionValue 0
SizeOfImage 0x1a5000
SizeOfHeaders 0x200
Checksum 0
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
SizeofStackReserve 0x100000
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

.text

MD5 abb64fd5501b158649bf7750040c0f85
SHA1 c554fd5a834573dd60de17597c671eb8fb04053d
SHA256 946ffec019183d18dbabbf86a8d988ac31d4b14181f77506189843c0be506855
SHA3 3106be68c7a550762126c85b78491d8c3f9382c5a143c079cb51603277e1e628
VirtualSize 0x1a14a7
VirtualAddress 0x1000
SizeOfRawData 0x1a1600
PointerToRawData 0x200
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_LOCKED
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 7.25309

.rsrc

MD5 d639766d48116705f37e4e0f7c171cac
SHA1 5ae5722addb912c8c84d7ca748a1fa2228d6ec21
SHA256 7ce41efb180a8b2cec268027b8ec7eae623c421feb84c32fa0152362270f01e8
SHA3 ee27fb36509362ae2ebc3184141d98f504ca7e7343e1997009cc182ed7f7881c
VirtualSize 0x115c
VirtualAddress 0x1a3000
SizeOfRawData 0x1200
PointerToRawData 0x1a1800
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_LOCKED
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 5.04121

Imports

Delayed Imports

1

Type RT_ICON
Language English - United States
Codepage Latin 1 / Western European
Size 0x10a8
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 4.98964
MD5 a28494263e5ba476e534109c1d68169b
SHA1 4f638b9bc74c881656e7acdb770e934123532b6c
SHA256 b705f6c39853b4f1e395e164dd9dc10ab2aa19f6994e8bd1de4897735a35dcdb
SHA3 670f436cca7ba45db393c1e6790f5567fc298a4b2588e48d2b53b12ad5e5b3d5

1 (#2)

Type RT_GROUP_ICON
Language English - United States
Codepage Latin 1 / Western European
Size 0x14
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 1.94375
Detected Filetype Icon file
MD5 aaba260d0fffc1b1f8ca91cf14ebb086
SHA1 f9303169a79d768cd2877c896611d8523c80f945
SHA256 bd7b891000b776021bd2d3790a165561c6134cea734f0d70a52a9b9c0b363321
SHA3 c71b97c34a1b8d59396b2dc78a1e5c5cce90da1de42d4cd98e168d9cb151bf8e

Version Info

TLS Callbacks

Load Configuration

RICH Header

XOR Key 0x884f3421
Unmarked objects 0
Unmarked objects (#2) 1

Errors

<-- -->