Manalyze report for c81dae5c67fb72a2c2f24b178aea50b7

Summary

Architecture	`IMAGE_FILE_MACHINE_I386`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	2020-Aug-08 06:33:11

Plugin Output

Suspicious	The PE is possibly packed.	`Unusual section name found:` `Unusual section name found:` `Unusual section name found:` `Section is both writable and executable.` `The PE only has 3 import(s).`
Suspicious	The file contains overlay data.	`133144 bytes of data starting at offset 0x18328.` `The overlay data has an entropy of 7.99884 and is possibly compressed or encrypted.`
Malicious	VirusTotal score: 53/69 (Scanned on 2021-05-12 08:09:08)	`Bkav: W32.AIDetect.malware1` `Elastic: malicious (high confidence)` `MicroWorld-eScan: Gen:Trojan.Heur.PT.omZ@bSEA3vk` `CAT-QuickHeal: Trojanransom.Darkside` `ALYac: Trojan.Ransom.Filecoder` `Cylance: Unsafe` `VIPRE: Trojan.Win32.Generic!BT` `Sangfor: Trojan.Win32.Save.a` `K7AntiVirus: Trojan ( 005696151 )` `Alibaba: Ransom:Win32/generic.ali2000010` `K7GW: Trojan ( 005696151 )` `Cybereason: malicious.c67fb7` `Cyren: W32/Trojan.UJXE-8785` `Symantec: Trojan Horse` `ESET-NOD32: Win32/Filecoder.DarkSide.A` `APEX: Malicious` `Paloalto: generic.ml` `Kaspersky: Trojan-Ransom.Win32.Darkside.b` `BitDefender: Gen:Trojan.Heur.PT.omZ@bSEA3vk` `NANO-Antivirus: Trojan.Win32.Encoder.hsqsoj` `Tencent: Win32.Trojan.Agent.Swun` `Ad-Aware: Gen:Trojan.Heur.PT.omZ@bSEA3vk` `Sophos: ML/PE-A + Mal/EncPk-ANL` `Comodo: Packed.Win32.MNSP.Gen@2697wr` `DrWeb: Trojan.Encoder.32386` `Zillya: Trojan.Obsidium.Win32.802` `TrendMicro: Ransom.Win32.DARKSIDE.FAIQ` `McAfee-GW-Edition: BehavesLike.Win32.Generic.dc` `FireEye: Generic.mg.c81dae5c67fb72a2` `Emsisoft: Gen:Trojan.Heur.PT.omZ@bSEA3vk (B)` `Ikarus: Trojan.Win32.Obsidium` `GData: Gen:Trojan.Heur.PT.omZ@bSEA3vk` `Webroot: W32.Trojan.Gen` `Avira: HEUR/AGEN.1128017` `ViRobot: Trojan.Win32.S.DarkSide.232256` `Microsoft: Trojan:MSIL/Cryptor` `Cynet: Malicious (score: 100)` `AhnLab-V3: Trojan/Win.Ransomlock.C4465498` `Acronis: suspicious` `McAfee: Generic-FAWW!C81DAE5C67FB` `MAX: malware (ai score=100)` `VBA32: TrojanRansom.Agent` `Malwarebytes: Ransom.DarkSide` `TrendMicro-HouseCall: Ransom.Win32.DARKSIDE.FAIQ` `Rising: Ransom.DarkSide!8.11F84 (CLOUD)` `Yandex: Trojan.Obsidium!eyTqKn+WhnM` `SentinelOne: Static AI - Malicious PE` `eGambit: Unsafe.AI_Score_98%` `Fortinet: W32/Packed.OBSIDIUM.BV!tr` `BitDefenderTheta: AI:Packer.A420046E1E` `AVG: Win32:Trojan-gen` `Avast: Win32:Trojan-gen` `CrowdStrike: win/malicious_confidence_100% (W)`

Hashes

MD5	`c81dae5c67fb72a2c2f24b178aea50b7`
SHA1	`4bd6437cd1dc77097a7951466531674f80c866c6`
SHA256	`48a848bc9e0f126b41e5ca196707412c7c40087404c0c8ed70e5cee4a418203a`
SHA3	`f8b4afc273468aaaaffd6ecb7fafe4e7817b9071dfcb0613b3cd30c6d51e2277`
SSDeep	`6144:UQyTTOip6TGcWnsmx7KbYrBPIJqcKxxY1:E3gGcWnNJIJqDxxY`
Imports Hash	`c9c7570f1933a49b91cfd02a7c59918f`

DOS Header

e_magic	`MZ`
e_cblp	`0xda6a`
e_cp	`0xc6f`
e_crlc	`0x87f6`
e_cparhdr	`0x673e`
e_minalloc	`0xea4d`
e_maxalloc	`0x3156`
e_ss	`0xe28b`
e_sp	`0x8f02`
e_csum	`0x2fc0`
e_ip	`0xa1da`
e_cs	`0xbe32`
e_ovno	`0xb017`
e_oemid	`0x3730`
e_oeminfo	`0x72fd`
e_lfanew	`0x100`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_I386`
NumberofSections	`3`
TimeDateStamp	2020-Aug-08 06:33:11
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xe0`
Characteristics	`IMAGE_FILE_32BIT_MACHINE` `IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_RELOCS_STRIPPED`

Image Optional Header

Magic	`PE32`
LinkerVersion	`14.0`
SizeOfCode	`0x4c00`
SizeOfInitializedData	`0x5600`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x0000F000 (Section: )`
BaseOfCode	`0x1000`
BaseOfData	`0x6000`
ImageBase	`0x400000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`5.1`
ImageVersion	`0.0`
SubsystemVersion	`5.1`
Win32VersionValue	`0`
SizeOfImage	`0x27000`
SizeOfHeaders	`0x400`
Checksum	`0x3b867`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` `IMAGE_DLLCHARACTERISTICS_NX_COMPAT` `IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

Section_1

MD5	`d41d8cd98f00b204e9800998ecf8427e`
SHA1	`da39a3ee5e6b4b0d3255bfef95601890afd80709`
SHA256	`e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`
SHA3	`a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a`
VirtualSize	`0xd000`
VirtualAddress	`0x1000`
SizeOfRawData	`0`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_UNINITIALIZED_DATA` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`

Section_2

MD5	`91e9e808205f8bcf624f6ec329b0cb86`
SHA1	`038e3e051cfb3976d0bb10806ec884bbbe55ef4c`
SHA256	`5a8db4e8a4cd09902cd5f1e232539653b39f148feae6fb88f1bf8eef7ce21ea4`
SHA3	`caaaabe12068820574d3171d0a9785c16840327e47947b33e9209105c97acb6d`
VirtualSize	`0x1000`
VirtualAddress	`0xe000`
SizeOfRawData	`0x200`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`1.97411`

Section_3

MD5	`c8636d0d7c5bb9986772a62cac3bb8a5`
SHA1	`f3857600eaf67782a61b65a4c5d73b6936367202`
SHA256	`f01f315acee3b78a0b982d6a4b7adb5eb412b6cf5bf4edadcabc2fa89a0e4a56`
SHA3	`c1df0fb0f51c434f7ff7114b12ad4ef383b952efe25e6b192588f7c25d8c1068`
VirtualSize	`0x18000`
VirtualAddress	`0xf000`
SizeOfRawData	`0x17d28`
PointerToRawData	`0x600`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`7.99725`

Imports

kernel32.dll	`GetModuleHandleA`
user32.dll	`GetMenu`
advapi32.dll	`RegisterEventSourceW`

Delayed Imports

Version Info

TLS Callbacks

Load Configuration

RICH Header

Errors

[*] Warning: Section  has a size of 0!