dc645f572d1f06d93f8010434b70e206

Summary

Architecture IMAGE_FILE_MACHINE_I386
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date 2019-Jun-14 16:38:16
Detected languages English - United States
Debug artifacts C:\Users\Usuario\Documents\Proyectos\sher.lock\Debug\LooCipher.pdb

Plugin Output

Info Matching compiler(s): Microsoft Visual C++ v6.0 DLL
Microsoft Visual C++ 6.0 - 8.0
MASM/TASM - sig1(h)
Suspicious Strings found in the binary may indicate undesirable behavior: Miscellaneous malware strings:
  • cmd.exe
Info Cryptographic algorithms detected in the binary: Uses constants related to SHA1
Uses constants related to SHA256
Uses constants related to SHA512
Uses constants related to AES
Microsoft's Cryptography API
Malicious This program contains valid cryptocurrency addresses. Contains a valid Bitcoin address:
  • 19YmdTjw7ZWHEDac8wWzCNdZT8oXsDedtV
  • 1Azfk7fWwCRynRk8p7qupLqqaADsjwFm4N
  • 1CrdZvvtzrZTJ78k92XuPizhhgtDxQ8c4B
  • 1JHEqi4QsTWz4gB9qZTACP7JggJzAmf6eA
  • 1Ps5Vd9dKWuy9FuMDkec9qquCyTLjc2Bxe
Suspicious The PE is possibly packed. Section .textbss is both writable and executable.
Suspicious The PE contains functions most legitimate programs don't use. [!] The program may be hiding some of its imports:
  • GetProcAddress
  • LoadLibraryExW
  • LoadLibraryW
Functions which can be used for anti-debugging purposes:
  • SwitchToThread
Possibly launches other programs:
  • CreateProcessA
  • CreateProcessW
Uses Microsoft's cryptographic API:
  • CryptReleaseContext
  • CryptAcquireContextA
  • CryptGenRandom
Can create temporary files:
  • CreateFileW
  • GetTempPathW
Memory manipulation functions often used by packers:
  • VirtualAlloc
  • VirtualProtect
Has Internet access capabilities:
  • InternetCloseHandle
  • InternetOpenUrlA
  • InternetReadFile
  • InternetOpenA
Enumerates local disk drives:
  • GetLogicalDriveStringsA
  • GetDriveTypeW
Malicious VirusTotal score: 50/69 (Scanned on 2019-07-13 19:38:02)
MicroWorld-eScan: Trojan.Ransom.LooCipher.A
CAT-QuickHeal: Trojan.Occamy
McAfee: Ransomware-GNY!DC645F572D1F
Cylance: Unsafe
Alibaba: Trojan:Win32/Filecoder.c2d5c42d
K7GW: Trojan ( 005508131 )
K7AntiVirus: Trojan ( 005508131 )
Symantec: Trojan.Gen.MBT
ESET-NOD32: a variant of Win32/Filecoder.NWG
Paloalto: generic.ml
ClamAV: Win.Ransomware.LooCipher-7001151-0
BitDefender: Trojan.Ransom.LooCipher.A
NANO-Antivirus: Trojan.Win32.ULPM.frnkry
AegisLab: Trojan.Win32.Imps.4!c
Avast: Win32:Malware-gen
Tencent: Win32.Trojan.Filecoder.Wtdk
Emsisoft: Trojan.Ransom.LooCipher.A (B)
Comodo: Malware@#2xrh2h694k8g8
F-Secure: Trojan.TR/AD.Loocipher.yotjq
DrWeb: Trojan.Siggen8.33057
VIPRE: Trojan.Win32.Generic!BT
McAfee-GW-Edition: Ransomware-GNY!DC645F572D1F
FireEye: Generic.mg.dc645f572d1f06d9
Sophos: Troj/Ransom-FMJ
SentinelOne: DFI - Suspicious PE
Cyren: W32/Trojan.QNKV-0098
Jiangmin: Trojan.Loo.a
Webroot: W32.Ransom.Gen
Avira: TR/AD.Loocipher.yotjq
Fortinet: W32/Filecoder.NWG!tr
Antiy-AVL: GrayWare/Win32.Generic
Arcabit: Trojan.Ransom.LooCipher.A
ViRobot: Trojan.Win32.Ransom.5637632
AhnLab-V3: Trojan/Win32.Sonoko.C3293222
Microsoft: Trojan:Win32/CryptInject
TACHYON: Ransom/W32.LooCipher.5637632
VBA32: suspected of Trojan.Downloader.gen.h
ALYac: Trojan.Ransom.LooCipher
Ad-Aware: Trojan.Ransom.LooCipher.A
Malwarebytes: Ransom.LooCipher
TrendMicro-HouseCall: Ransom.Win32.LOOCIPHER.THFBOAIA
Rising: Malware.Undefined!8.C (TFE:5:KZCOBsBjs9P)
Yandex: Trojan.Filecoder!0nC9xGTNUMY
Ikarus: Trojan-Ransom.FileCrypter
GData: Trojan.Ransom.LooCipher.A
AVG: Win32:Malware-gen
Cybereason: malicious.72d1f0
Panda: Trj/GdSda.A
CrowdStrike: win/malicious_confidence_100% (W)
Qihoo-360: Win32/Trojan.IM.57e

Hashes

MD5 dc645f572d1f06d93f8010434b70e206
SHA1 7e1dc07f454cc615e36830a29e82694934840af0
SHA256 2ca214c271920c7261fc0009971961fa6d2ee4bd23820899f4d6e0679739bf2e
SHA3 a99e5768c9822716c14ead8b3b9f50e39fa678cab77d28aa79f7f1d6954ca7cf
SSDeep 98304:nA+KF0wOG4lhMMs/xRSe7abbbbVIBwd57qo:nA+KF0DG4I/abbbbVI2
Imports Hash 8c1957dde2f628fdcbe049f10f2266a0

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0x108

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_I386
NumberofSections 9
TimeDateStamp 2019-Jun-14 16:38:16
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xe0
Characteristics IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE

Image Optional Header

Magic PE32
LinkerVersion 14.0
SizeOfCode 0x421600
SizeOfInitializedData 0x156a00
SizeOfUninitializedData 0
AddressOfEntryPoint 0x001FB2AC (Section: .text)
BaseOfCode 0x1000
BaseOfData 0x1000
ImageBase 0x400000
SectionAlignment 0x1000
FileAlignment 0x200
OperatingSystemVersion 6.0
ImageVersion 0.0
SubsystemVersion 6.0
Win32VersionValue 0
SizeOfImage 0x771000
SizeOfHeaders 0x400
Checksum 0
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
DllCharacteristics IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
SizeofStackReserve 0x100000
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

.textbss

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA3 a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a
VirtualSize 0x1f31f1
VirtualAddress 0x1000
SizeOfRawData 0
PointerToRawData 0
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.text

MD5 023524173e85f34df27d76b00675233e
SHA1 666bedb09eb1c4e9699be16f1df737d26531768d
SHA256 0e4df6cd1cb478b7b8d38fc51c7608a9b6a5869b5c391e4d64a2bdc642be4b6b
SHA3 5d1212ff84083659027918dcbff06844fb175cc0d5c57687be6f056e834d94c9
VirtualSize 0x421487
VirtualAddress 0x1f5000
SizeOfRawData 0x421600
PointerToRawData 0x400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
Entropy 5.57238

.rdata

MD5 5b258510c5ed6b80b73756e59c72717a
SHA1 3504d7e0a4aae6cf1985cfa88b0c07ad2765494e
SHA256 f29cf9bda9463e1474497eb4b942f3ef02a50bd30cc59e4d6d3a3239a0ae827d
SHA3 6be4a4b079da5de9c151c964485148d38efb6b621d8258a371f8febc03a7f7b6
VirtualSize 0xfe502
VirtualAddress 0x617000
SizeOfRawData 0xfe600
PointerToRawData 0x421a00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 4.50863

.data

MD5 24ba135dacd9756b91f20996ac4a69c0
SHA1 e8f62c08c0b6d02fb29cd9d25f2fd4ee7b9aa18a
SHA256 b4251a5bbfb21e0f6ba701978512b97afd5d2284d109381514c271a88bbaf94a
SHA3 db3ec3cc8bac5a0a2658c4057cb8305b1f200793b4064bbc669069ce9d5c7221
VirtualSize 0x2bd94
VirtualAddress 0x716000
SizeOfRawData 0x14000
PointerToRawData 0x520000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 4.62816

.idata

MD5 68a7a78d564f05984c04afef45d17e74
SHA1 8bef23f6d37ff58ea793d97f64e6a27c5667a62f
SHA256 76dd529abb0f123710794bf564dffea3e5636e47173db902bed39326439ff2ed
SHA3 b8ddf63e50aa430e58146000a6a63bc45de79daf44a93c713d811bdadf39df52
VirtualSize 0x1eff
VirtualAddress 0x742000
SizeOfRawData 0x2000
PointerToRawData 0x534000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 4.74951

.tls

MD5 c573bd7cea296a9c5d230ca6b5aee1a6
SHA1 04a0b9fde89c71864acaf5e74689fe4c269bd7a8
SHA256 13bde09a110c13b533dc985f3e2c475b6f6bcf514d1a23fce5b784a653548e91
SHA3 3679da6860e8ab20485113de9ac22dfe22ddc29d53f14ddc33a648aa98196361
VirtualSize 0x309
VirtualAddress 0x744000
SizeOfRawData 0x400
PointerToRawData 0x536000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 0.0111738

.00cfg

MD5 e3703138f864923f96b856bde5440d14
SHA1 2bf989888d1c0fda95d09be26243b89fe5af892f
SHA256 9e98381a9eada0b27809e582c7e13aa313dc8bf5f663e3a3e2807e93225d0296
SHA3 b1a8207b3693cda7b949c0992fa17e4b8e4af5f8d25cff3c5c375da0c36bfae3
VirtualSize 0x104
VirtualAddress 0x745000
SizeOfRawData 0x200
PointerToRawData 0x536400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 0.0611629

.rsrc

MD5 bf6f25ea585f2d6ed7064cb206d2af29
SHA1 90d6bfe1cc6469e4e555a8a74cdfcc22f5463257
SHA256 9ce4636532e503dc423b608858c45a03d3a373703638ddf6efa4d2311408add2
SHA3 42dd67ef290b7e7c45a12eb30ccb90157521db1995b34d07993d63a9cde7f71f
VirtualSize 0x43c
VirtualAddress 0x746000
SizeOfRawData 0x600
PointerToRawData 0x536600
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 2.13629

.reloc

MD5 efbd05a7ed87162ecd1f7441968ae715
SHA1 c48a1e6dd0658f02a1f2c7d90d117c928534a870
SHA256 d687348de901d43280682d4e8b1bbe554cd512fb3e0b8a571ea84209dda2a671
SHA3 583aeb09c6b21c2109ca5c7798551de615d4be179e190dc002777ec7c652405d
VirtualSize 0x298a8
VirtualAddress 0x747000
SizeOfRawData 0x29a00
PointerToRawData 0x536c00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Entropy 6.11706

Imports

KERNEL32.dll GetLocalTime
GetShortPathNameA
GetLogicalDriveStringsA
GetStartupInfoA
WritePrivateProfileStringA
MultiByteToWideChar
IsDebuggerPresent
DebugBreak
GlobalAlloc
GlobalUnlock
GlobalLock
GetPrivateProfileStringA
GetLastError
SetLastError
QueryPerformanceCounter
QueryPerformanceFrequency
GetCurrentThread
GetThreadTimes
ReadConsoleW
FreeEnvironmentStringsW
GetEnvironmentStringsW
GetCommandLineW
GetCommandLineA
GetOEMCP
IsValidCodePage
FindNextFileA
FindFirstFileExA
SetStdHandle
CreateProcessA
SetConsoleCtrlHandler
WriteConsoleW
OutputDebugStringA
HeapQueryInformation
HeapReAlloc
HeapSize
ReadFile
GetConsoleMode
GetConsoleCP
FlushFileBuffers
GetFileType
EnumSystemLocalesW
GetUserDefaultLCID
IsValidLocale
GetTimeFormatW
GetDateFormatW
CreateProcessW
GetExitCodeProcess
GetACP
WriteFile
GetStdHandle
ExitProcess
ResumeThread
ExitThread
DeleteFileW
MoveFileExW
RemoveDirectoryW
GetCurrentDirectoryW
GetCurrentDirectoryA
SetCurrentDirectoryW
TerminateThread
CreateThread
Sleep
CreateEventA
CreateMutexA
ReleaseMutex
WaitForSingleObject
SetEvent
CloseHandle
GetTimeZoneInformation
GetEnvironmentVariableA
SetCurrentDirectoryA
SetEnvironmentVariableW
SetEnvironmentVariableA
GetFullPathNameA
GetFullPathNameW
GetDriveTypeW
GetModuleHandleExW
WideCharToMultiByte
FormatMessageW
CreateDirectoryW
CreateFileW
FindClose
FindFirstFileExW
FindNextFileW
GetDiskFreeSpaceExW
GetFileAttributesExW
GetFileInformationByHandle
SetEndOfFile
SetFileAttributesW
SetFilePointerEx
SetFileTime
GetTempPathW
AreFileApisANSI
CopyFileW
CreateHardLinkW
DuplicateHandle
WaitForSingleObjectEx
GetCurrentProcess
GetCurrentThreadId
GetExitCodeThread
GetNativeSystemInfo
EnterCriticalSection
LeaveCriticalSection
TryEnterCriticalSection
DeleteCriticalSection
EncodePointer
DecodePointer
InitializeCriticalSectionAndSpinCount
CreateEventW
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
GetSystemTimeAsFileTime
GetTickCount
GetModuleHandleW
GetProcAddress
CompareStringW
LCMapStringW
GetLocaleInfoW
GetStringTypeW
GetCPInfo
ResetEvent
InitializeSListHead
UnhandledExceptionFilter
SetUnhandledExceptionFilter
TerminateProcess
IsProcessorFeaturePresent
GetStartupInfoW
RaiseException
GetCurrentProcessId
HeapAlloc
HeapFree
GetProcessHeap
VirtualQuery
FreeLibrary
CreateTimerQueue
SignalObjectAndWait
SwitchToThread
SetThreadPriority
GetThreadPriority
GetLogicalProcessorInformation
CreateTimerQueueTimer
ChangeTimerQueueTimer
DeleteTimerQueueTimer
GetNumaHighestNodeNumber
GetProcessAffinityMask
SetThreadAffinityMask
RegisterWaitForSingleObject
UnregisterWait
OutputDebugStringW
FreeLibraryAndExitThread
GetModuleFileNameW
GetModuleHandleA
LoadLibraryExW
GetVersionExW
VirtualAlloc
VirtualProtect
VirtualFree
SetProcessAffinityMask
ReleaseSemaphore
InterlockedPopEntrySList
InterlockedPushEntrySList
InterlockedFlushSList
QueryDepthSList
UnregisterWaitEx
WaitForMultipleObjectsEx
LoadLibraryW
RtlUnwind
HeapValidate
GetSystemInfo
GetModuleFileNameA
RtlCaptureStackBackTrace
USER32.dll PeekMessageA
DispatchMessageA
GetMessageA
TrackMouseEvent
LoadCursorA
SetClassLongA
GetClassLongA
MessageBoxW
SetWindowTextA
UpdateWindow
GetSystemMetrics
EnableWindow
KillTimer
SetTimer
EmptyClipboard
SetClipboardData
CloseClipboard
OpenClipboard
GetDlgCtrlID
CreateWindowExW
RegisterClassW
PostQuitMessage
DefWindowProcW
SendMessageA
TranslateMessage
SystemParametersInfoA
EnumDisplaySettingsA
ChangeDisplaySettingsA
SetWindowLongA
GetWindowLongA
ShowCursor
AdjustWindowRect
GetWindowRect
GetDC
SetForegroundWindow
SetWindowPos
ShowWindow
DestroyWindow
CreateWindowExA
DefWindowProcA
GDI32.dll SetBkColor
DeleteObject
CreateSolidBrush
CreateFontA
SetDIBitsToDevice
SetTextColor
ADVAPI32.dll CryptReleaseContext
CryptAcquireContextA
CryptGenRandom
SHELL32.dll SHGetSpecialFolderPathA
WININET.dll InternetCloseHandle
InternetOpenUrlA
InternetReadFile
InternetOpenA

Delayed Imports

1

Type RT_MANIFEST
Language English - United States
Codepage UNKNOWN
Size 0x17d
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 4.91161
MD5 1e4a89b11eae0fcf8bb5fdd5ec3b6f61
SHA1 4260284ce14278c397aaf6f389c1609b0ab0ce51
SHA256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df
SHA3 4bb9e8b5a714cae82782f3831cc2d45f4bf4a50a755fe584d2d1893129d68353

Version Info

IMAGE_DEBUG_TYPE_CODEVIEW

Characteristics 0
TimeDateStamp 2019-Jun-14 15:47:16
Version 0.0
SizeofData 91
AddressOfRawData 0x6e5ac4
PointerToRawData 0x4f04c4
Referenced File C:\Users\Usuario\Documents\Proyectos\sher.lock\Debug\LooCipher.pdb

IMAGE_DEBUG_TYPE_VC_FEATURE

Characteristics 0
TimeDateStamp 2019-Jun-14 15:47:16
Version 0.0
SizeofData 20
AddressOfRawData 0x6e5b20
PointerToRawData 0x4f0520

TLS Callbacks

StartAddressOfRawData 0xb44000
EndAddressOfRawData 0xb44208
AddressOfIndex 0xb40384
AddressOfCallbacks 0xa17e2c
SizeOfZeroFill 0
Characteristics IMAGE_SCN_ALIGN_4BYTES
Callbacks (EMPTY)

Load Configuration

Size 0x68
TimeDateStamp 1970-Jan-01 00:00:00
Version 0.0
GlobalFlagsClear (EMPTY)
GlobalFlagsSet (EMPTY)
CriticalSectionDefaultTimeout 0
DeCommitFreeBlockThreshold 0
DeCommitTotalFreeThreshold 0
LockPrefixTable 0
MaximumAllocationSize 0
VirtualMemoryThreshold 0
ProcessAffinityMask 0
ProcessHeapFlags (EMPTY)
CSDVersion 0
Reserved1 0
EditList 0
SecurityCookie 0xb16254
SEHandlerTable 0
SEHandlerCount 0

RICH Header

XOR Key 0x1c2e1b8f
Unmarked objects 0
ASM objects (24610) 28
C++ objects (24610) 197
C objects (24610) 26
ASM objects (24723) 23
C++ objects (24723) 132
C objects (24723) 37
Imports (24610) 13
Total imports 227
C++ objects (VS2017 v15.2 compiler 25019) 37
Resource objects (VS2017 v15.2 compiler 25019) 1
Linker (VS2017 v15.2 compiler 25019) 1

Errors

[*] Warning: Section .textbss has a size of 0!