Architecture | IMAGE_FILE_MACHINE_I386
Subsystem | IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date | 2106-Feb-07 06:28:15 (a TimeDateStamp of 0xFFFFFFFF, not a genuine build time)
Detected languages | English - United States

Findings

Suspicious | The PE contains functions most legitimate programs don't use.
[!] The program may be hiding some of its imports:
- GetProcAddress
- LoadLibraryW
- LoadLibraryA
Can create temporary files:
- CreateFileW
- GetTempPathA
- CreateFileA
- GetTempPathW
Leverages the raw socket API to access the Internet:

Malicious | The PE's digital signature is invalid.
Signer: Symantec Corporation
Issuer: VeriSign Class 3 Code Signing 2004 CA
The file was modified after it was signed.

Malicious | VirusTotal score: 47/68 (Scanned on 2021-11-03 05:35:52)

VirusTotal detections

Engine | Detection
Lionic | Trojan.Win32.Razy.4!c
Elastic | malicious (high confidence)
MicroWorld-eScan | Gen:Variant.Razy.980431
FireEye | Generic.mg.bb97b436d1228b69
McAfee | Artemis!BB97B436D122
Cylance | Unsafe
Sangfor | Trojan.Win32.Save.a
K7AntiVirus | Trojan ( 00589a9c1 )
Alibaba | Ransom:Win32/generic.ali2000010
K7GW | Trojan ( 00589a9c1 )
Cybereason | malicious.064414
Symantec | ML.Attribute.HighConfidence
ESET-NOD32 | a variant of Win32/GenKryptik.FMWD
APEX | Malicious
Paloalto | generic.ml
Kaspersky | Trojan-Downloader.Win32.Cridex.oil
BitDefender | Gen:Variant.Razy.980431
Avast | Win32:Trojan-gen
Ad-Aware | Gen:Variant.Razy.980431
DrWeb | Trojan.Encoder.34408
TrendMicro | Ransom.Win32.CONTI.YXBJ3
McAfee-GW-Edition | Artemis!Trojan
Emsisoft | Gen:Variant.Razy.980431 (B)
SentinelOne | Static AI - Malicious PE
GData | Gen:Variant.Razy.980431
Jiangmin | TrojanDownloader.Cridex.akl
eGambit | PE.Heur.InvalidSig
Avira | TR/Kryptik.elxbs
Kingsoft | Win32.TrojDownloader.Cridex.o.(kcloud)
Gridinsoft | Ransom.Win32.Sabsik.sa
Arcabit | Trojan.Razy.DEF5CF
Microsoft | Trojan:Win32/Mamson.A!ac
Cynet | Malicious (score: 100)
AhnLab-V3 | Ransomware/Win.NEWCD.C4744241
BitDefenderTheta | Gen:NN.ZexaF.34236.yu1@ai1aP8di
ALYac | Trojan.Ransom.Conti
MAX | malware (ai score=87)
VBA32 | TrojanDownloader.Cridex
Malwarebytes | Trojan.Crypt
TrendMicro-HouseCall | Ransom.Win32.NEWCD.YXBJ3
Rising | Trojan.Generic@ML.89 (RDMK:38oKwW6pRkMvgpPhlJHlZQ)
Yandex | Trojan.Agent!MxAltOW1cTg
Ikarus | Trojan.Win32.Krypt
Fortinet | W32/GenKryptik.FMSS!tr
AVG | Win32:Trojan-gen
Panda | Trj/GdSda.A
CrowdStrike | win/malicious_confidence_100% (W)

File hashes

MD5 | bb97b436d1228b690ae475a8bcfe2cc5
SHA1 | 37ba5ec064414a74ecf86afba89fc57e627b0193
SHA256 | b2d3143d0778a10d5d03bb9e4d2712a980e2a8ec12d47958a8ab4b3192f4bf6a
SHA3 | 6138cc784f99bdb770086a7ef73f8837e110f00cf1ee4cf9a6666bf321b57474
SSDeep | 6144:XcBqHRF6AYfkVXRn8TrOaaJNJpUNhHeZJJCCXdXmS+LxU6droR:sEHf6zfkVXRn1RtpQhHeZ/X5Oq
Imports Hash | 8d9c58fff14c5d5b2fe59152d65812dd

DOS header

e_magic | MZ
e_cblp | 0x90
e_cp | 0x3
e_crlc | 0
e_cparhdr | 0x4
e_minalloc | 0
e_maxalloc | 0xffff
e_ss | 0
e_sp | 0xb8
e_csum | 0
e_ip | 0
e_cs | 0
e_ovno | 0
e_oemid | 0
e_oeminfo | 0
e_lfanew | 0x80

File header

Signature | PE
Machine | IMAGE_FILE_MACHINE_I386
NumberofSections | 5
TimeDateStamp | 2106-Feb-07 06:28:15
PointerToSymbolTable | 0
NumberOfSymbols | 0
SizeOfOptionalHeader | 0xe0
Characteristics | IMAGE_FILE_32BIT_MACHINE, IMAGE_FILE_EXECUTABLE_IMAGE, IMAGE_FILE_LINE_NUMS_STRIPPED, IMAGE_FILE_LOCAL_SYMS_STRIPPED, IMAGE_FILE_RELOCS_STRIPPED

Optional header

Magic | PE32
LinkerVersion | 5.0
SizeOfCode | 0xffffffff
SizeOfInitializedData | 0x5ec00
SizeOfUninitializedData | 0
AddressOfEntryPoint | 0x0000E4FB (Section: .text)
BaseOfCode | 0x1000
BaseOfData | 0x1000
ImageBase | 0x400000
SectionAlignment | 0x1000
FileAlignment | 0x200
OperatingSystemVersion | 4.0
ImageVersion | 0.0
SubsystemVersion | 4.0
Win32VersionValue | 0
SizeOfImage | 0x6d000
SizeOfHeaders | 0x1000
Checksum | 0x65649
Subsystem | IMAGE_SUBSYSTEM_WINDOWS_GUI
SizeofStackReserve | 0x100000
SizeofStackCommit | 0x1000
SizeofHeapReserve | 0x100000
SizeofHeapCommit | 0x1000
LoaderFlags | 0
NumberOfRvaAndSizes | 16

Section 1 (contains AddressOfEntryPoint 0x0000E4FB, reported as .text)

MD5 | 45c297e605479f73e35a6e549e6b07bc
SHA1 | 05f2dd67ad068de262e5f5c25e75a361e1ca1dc5
SHA256 | 8c6a00151ced530b4582f5521fa7d04da70714838ccc2714acaf65188a7bd4cc
SHA3 | 55260bb581fb6f6cd1d19946241b6a3740f0d8bd5c9cf1bf7ec3b65af2a32f3a
VirtualSize | 0x17f60
VirtualAddress | 0x1000
SizeOfRawData | 0x18000
PointerToRawData | 0x1000
PointerToRelocations | 0
PointerToLineNumbers | 0
NumberOfLineNumbers | 0
NumberOfRelocations | 0
Characteristics | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Entropy | 6.13243

Section 2

MD5 | 886e321cf98a9c27f04cadb5a7f5b5de
SHA1 | 8b1bd902772e2cebeeac0ff5cd89db810edad252
SHA256 | b8e3ef390af3a4144fc30fb2454e717e43b05f26967c7f83b634c70b7061a5b1
SHA3 | 807e4a105a9acf715bd90e551f72bb703eb4825df5855cf2b16c9e83e1280e23
VirtualSize | 0x614
VirtualAddress | 0x19000
SizeOfRawData | 0x800
PointerToRawData | 0x19000
PointerToRelocations | 0
PointerToLineNumbers | 0
NumberOfLineNumbers | 0
NumberOfRelocations | 0
Characteristics | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Entropy | 4.26254

Section 3

MD5 | bddc8bb56277c59d0eb05ea864396594
SHA1 | ba2a61a69528e43d144ddb914a64f7779b2a857a
SHA256 | fb1a4425b38bfc6afe61ee482ea8b70101bfa57df1fb885796749d773cb9ffa6
SHA3 | c9e8c9f842997715c5fae8a25fcff8e3713ac5373c8afabaac3875f8607b3a34
VirtualSize | 0x4aac1
VirtualAddress | 0x1a000
SizeOfRawData | 0x3ea00
PointerToRawData | 0x19800
PointerToRelocations | 0
PointerToLineNumbers | 0
NumberOfLineNumbers | 0
NumberOfRelocations | 0
Characteristics | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Entropy | 5.56801

Section 4

MD5 | c3201a966f2472bf7d2d94c93cdd697a
SHA1 | 2f7956a37389e8d9d26975438651c7cb1f3e0e48
SHA256 | ade2861bda8f7f5d479b6734ad60fb100158aee9772d98b2471ea14906d90627
SHA3 | 1b0df4df4427d1dc649fb49e6dbec466985b5544b9b41a1d400c363bf1c9ddd9
VirtualSize | 0x5aa3
VirtualAddress | 0x65000
SizeOfRawData | 0x5c00
PointerToRawData | 0x58200
PointerToRelocations | 0
PointerToLineNumbers | 0
NumberOfLineNumbers | 0
NumberOfRelocations | 0
Characteristics | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Entropy | 3.93052

Section 5

MD5 | 149af8d9644f29fc30401394a32d1852
SHA1 | f54af173ccb8d53e72927b0e2a84b25e5811ac79
SHA256 | b91bc035ed8e7a8f97246d4f51c1baf2b26c8231dce6e812631d90a3af78a7d5
SHA3 | 2a31f83604553838bea2af20f707bebdb51e6b5c1e7ae041dd6ef51c82b2bf08
VirtualSize | 0x1d14
VirtualAddress | 0x6b000
SizeOfRawData | 0x1e00
PointerToRawData | 0x5de00
PointerToRelocations | 0
PointerToLineNumbers | 0
NumberOfLineNumbers | 0
NumberOfRelocations | 0
Characteristics | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Entropy | 6.69534

Imports

DLL | Imported functions
advapi32.dll | SetSecurityDescriptorDacl, InitializeSecurityDescriptor
gdi32.dll | GetObjectType
kernel32.dll | WriteFile, SetConsoleCtrlHandler, DeleteFileA, FreeLibrary, MultiByteToWideChar, OpenMutexW,
  IsDebuggerPresent, GetModuleHandleA, CloseHandle, VirtualProtect, GetLastError, CreateFileW,
  GetProcAddress, LoadLibraryW, CreateThread, AreFileApisANSI, CreateEventW, SetFilePointer,
  GetFileAttributesA, ReadFile, LockFile, GetFullPathNameA, GetTickCount, TlsAlloc,
  WideCharToMultiByte, GetSystemTime, LockFileEx, GetCurrentProcessId, IsProcessorFeaturePresent,
  WaitForSingleObject, UnlockFile, FlushFileBuffers, SetEndOfFile, GetTempPathA, GetFullPathNameW,
  GetFileSize, GetVersionExW, ResetEvent, CreateMutexW, Sleep, GetFileAttributesW,
  GetCurrentThreadId, TlsGetValue, DeleteFileW, OutputDebugStringA, LoadLibraryA, TlsSetValue,
  QueryPerformanceCounter, CreateFileA, GetTempPathW
ws2_32.dll | WSASend

Resources

Type | RT_BITMAP
Language | English - United States
Codepage | Latin 1 / Western European
Size | 0x6e8
TimeDateStamp | 1980-Jan-01 00:00:00
Entropy | 3.26791
MD5 | d66cdc356431ad0d6ce990f6477b934e
SHA1 | 546c729ba1dff604d3570f75a5b9e409c82c8171
SHA256 | 5d3f2dcb8ac83f52b8ad1876933e09403aff22f6e48db3cfbd1d279d2be2b493
SHA3 | d4a4542c2eb3fe5e5342d3e0f937174bb1de9fea61e0bd3d4a6854bb4a861218

Type | RT_ICON
Language | English - United States
Codepage | Latin 1 / Western European
Size | 0x8a8
TimeDateStamp | 1980-Jan-01 00:00:00
Entropy | 2.58729
MD5 | a01c5244937ccc680e46844279cb4b60
SHA1 | 3e6d4c78af65e2dc111a60c83172343d69458eb0
SHA256 | 6e6e6d30842570d41ae27a9f381fac94ebc5b3c25367ce34ad3fc5c3b6dc24ae
SHA3 | c1616c1fe9b7993ac5be138183bb846da07570e19ef86506454387ea40525d07

Type | RT_ICON
Language | English - United States
Codepage | Latin 1 / Western European
Size | 0x2e8
TimeDateStamp | 1980-Jan-01 00:00:00
Entropy | 2.67412
MD5 | 3b48e6a6946f8b2ee9749d66b56d13d2
SHA1 | ecd3fca946ea34cd77cbafd60462677395a08669
SHA256 | 6ebd60d2fb8578fbc7e0a078fc6060d914b39e1893f8cd55be9b2bb165022611
SHA3 | 8c6818c6d79275c59626ca282e3bdc82d3334043aeaf370767f350578a8168b9

Type | RT_ICON
Language | English - United States
Codepage | Latin 1 / Western European
Size | 0x668
TimeDateStamp | 1980-Jan-01 00:00:00
Entropy | 3.00025
MD5 | 3fa77262138db46e42951bce9ea4504c
SHA1 | 818f1b6b7790791468f4a076681b6dc0e2a33572
SHA256 | 426575beb4e212ff7878407bb4521011e20e35661c6193c0ecbd2412f25b7ff1
SHA3 | 0d8b1323daaf7874d269a9869564cd0d61602f8f813998b32915a02d84408c5c

Type | RT_STRING
Language | English - United States
Codepage | Latin 1 / Western European
Size | 0x4e
TimeDateStamp | 1980-Jan-01 00:00:00
Entropy | 2.15369
MD5 | a0a81798b1cab1b5982af0cb87f056b8
SHA1 | 847b26096fe278a3b957514108de723db0180fd1
SHA256 | f439ef347d41a65512bf1839024066e444997dcb23c91bea26e612657a2844b7
SHA3 | a766490d70306e0d2b3259c3d56cec0a6fb582e9261e4228081ee33417415644

Type | RT_MESSAGETABLE
Language | English - United States
Codepage | Latin 1 / Western European
Size | 0x3b18
TimeDateStamp | 1980-Jan-01 00:00:00
Entropy | 3.40998
MD5 | 63c630af8b2cc95947f278b1e47f7520
SHA1 | 1faf3d022bff9b73e5ccd7014de93d34c524737e
SHA256 | 5fd047ce7b3494b3d05cc879328aee2b5d5f1aa56ddc347267d26fda0ad9ca99
SHA3 | 9290f2abc2efac948a2b73d6ae92152ce91d2a59edccde9e40d9196e06486b76

Type | RT_GROUP_ICON
Language | English - United States
Codepage | UNKNOWN
Size | 0x14
TimeDateStamp | 1980-Jan-01 00:00:00
Entropy | 1.5789
Detected Filetype | Icon file
MD5 | 0ff22963979a69ff909f1ce95a705681
SHA1 | ed9c287aa8d5d049a6e6841ce03cd4cfbd640d74
SHA256 | 5229ebc9de78c7349a3eace7cdc13219d7da7d66bd1006e5fc494ff29b48f6e2
SHA3 | e095232b59feedbc19f3f0ab50ce0cc03df1016330a748208b07445b53eaf031

Type | RT_GROUP_ICON
Language | English - United States
Codepage | UNKNOWN
Size | 0x14
TimeDateStamp | 1980-Jan-01 00:00:00
Entropy | 1.87095
Detected Filetype | Icon file
MD5 | 54a9b7bc379f28408052646ef7075350
SHA1 | e5208e9ccf0c962118b3b3a61dcb484f41e4ad45
SHA256 | 600818e39296e85805bb061feb3b52fc1da27bc02ce0d16b0b620b6a50bef03c
SHA3 | f97d6e1a03bf5dfb3ea5cab1c867290f5993aea2961a7f3fef96c0fcead62273

Type | RT_GROUP_ICON
Language | English - United States
Codepage | UNKNOWN
Size | 0x14
TimeDateStamp | 1980-Jan-01 00:00:00
Entropy | 1.97095
Detected Filetype | Icon file
MD5 | 5ef6256b2511c8ba5fbbe45d4f1ae19d
SHA1 | fcccac350c6673f811e88b02b42faa0136eb6579
SHA256 | ede327539249bea8c63e4f5974a8cc5dfff6af378cc7a9ba97238ef12b3d6ce6
SHA3 | 3b7fc614f01a862d867eb282d5266ef181bff8e8ed4693de6c71eb893ab72a73

Type | RT_VERSION
Language | English - United States
Codepage | Latin 1 / Western European
Size | 0x1dc
TimeDateStamp | 1980-Jan-01 00:00:00
Entropy | 3.31109
MD5 | 286ddaac80f8a61b301f56282cf1af65
SHA1 | b40be7958e3fd4f195ee25601d50d9405bf9661b
SHA256 | c5877d0913084aa6ecc88f39c4abe65d89a23fa9741b16c8df2a53925c5a8ac5
SHA3 | 8cba117ddc7eab4a58a2a2d4bc85a7c115445835b3d1ca2057e5603d6a251e77

Type | RT_MANIFEST
Language | English - United States
Codepage | Latin 1 / Western European
Size | 0x17d
TimeDateStamp | 1980-Jan-01 00:00:00
Entropy | 4.81604
MD5 | 6b57c64e1d0a1415d952bebde8b7a232
SHA1 | b8230899ebd9a2e8ee7f3b78b02abdb6dbb527d5
SHA256 | 9eae5017c42682debd9dec71f576fa07837e002f15ba6a3825df91dbcaaecccf
SHA3 | 66ba43d4526b40d007147d2719326d41f094653362c99b3f4bf7597bf1cb7a4d

[!] Error: Could not read a VS_FIXED_FILE_INFO!
[!] Error: Could not read a VS_FIXED_FILE_INFO!
[*] Warning: Could not parse a VERSION_INFO resource!