Architecture | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date | 2019-Jun-14 16:38:16 |
Detected languages | English - United States |
Debug artifacts | C:\Users\Usuario\Documents\Proyectos\sher.lock\Debug\LooCipher.pdb |
Info | Matching compiler(s): |
Microsoft Visual C++ v6.0 DLL
Microsoft Visual C++ 6.0 - 8.0 MASM/TASM - sig1(h)
|
Suspicious | Strings found in the binary may indicate undesirable behavior: |
Miscellaneous malware strings:
|
Info | Cryptographic algorithms detected in the binary: |
Uses constants related to SHA1
Uses constants related to SHA256
Uses constants related to SHA512
Uses constants related to AES
Microsoft's Cryptography API
|
Malicious | This program contains valid cryptocurrency addresses. |
Contains a valid Bitcoin address:
|
Suspicious | The PE is possibly packed. | Section .textbss is both writable and executable. |
Suspicious | The PE contains functions most legitimate programs don't use. |
[!] The program may be hiding some of its imports:
|
Malicious | VirusTotal score: 50/69 (Scanned on 2019-07-13 19:38:02) |
MicroWorld-eScan: Trojan.Ransom.LooCipher.A
CAT-QuickHeal: Trojan.Occamy
McAfee: Ransomware-GNY!DC645F572D1F
Cylance: Unsafe
Alibaba: Trojan:Win32/Filecoder.c2d5c42d
K7GW: Trojan ( 005508131 )
K7AntiVirus: Trojan ( 005508131 )
Symantec: Trojan.Gen.MBT
ESET-NOD32: a variant of Win32/Filecoder.NWG
Paloalto: generic.ml
ClamAV: Win.Ransomware.LooCipher-7001151-0
BitDefender: Trojan.Ransom.LooCipher.A
NANO-Antivirus: Trojan.Win32.ULPM.frnkry
AegisLab: Trojan.Win32.Imps.4!c
Avast: Win32:Malware-gen
Tencent: Win32.Trojan.Filecoder.Wtdk
Emsisoft: Trojan.Ransom.LooCipher.A (B)
Comodo: Malware@#2xrh2h694k8g8
F-Secure: Trojan.TR/AD.Loocipher.yotjq
DrWeb: Trojan.Siggen8.33057
VIPRE: Trojan.Win32.Generic!BT
McAfee-GW-Edition: Ransomware-GNY!DC645F572D1F
FireEye: Generic.mg.dc645f572d1f06d9
Sophos: Troj/Ransom-FMJ
SentinelOne: DFI - Suspicious PE
Cyren: W32/Trojan.QNKV-0098
Jiangmin: Trojan.Loo.a
Webroot: W32.Ransom.Gen
Avira: TR/AD.Loocipher.yotjq
Fortinet: W32/Filecoder.NWG!tr
Antiy-AVL: GrayWare/Win32.Generic
Arcabit: Trojan.Ransom.LooCipher.A
ViRobot: Trojan.Win32.Ransom.5637632
AhnLab-V3: Trojan/Win32.Sonoko.C3293222
Microsoft: Trojan:Win32/CryptInject
TACHYON: Ransom/W32.LooCipher.5637632
VBA32: suspected of Trojan.Downloader.gen.h
ALYac: Trojan.Ransom.LooCipher
Ad-Aware: Trojan.Ransom.LooCipher.A
Malwarebytes: Ransom.LooCipher
TrendMicro-HouseCall: Ransom.Win32.LOOCIPHER.THFBOAIA
Rising: Malware.Undefined!8.C (TFE:5:KZCOBsBjs9P)
Yandex: Trojan.Filecoder!0nC9xGTNUMY
Ikarus: Trojan-Ransom.FileCrypter
GData: Trojan.Ransom.LooCipher.A
AVG: Win32:Malware-gen
Cybereason: malicious.72d1f0
Panda: Trj/GdSda.A
CrowdStrike: win/malicious_confidence_100% (W)
Qihoo-360: Win32/Trojan.IM.57e
|
e_magic | MZ |
---|---|
e_cblp | 0x90 |
e_cp | 0x3 |
e_crlc | 0 |
e_cparhdr | 0x4 |
e_minalloc | 0 |
e_maxalloc | 0xffff |
e_ss | 0 |
e_sp | 0xb8 |
e_csum | 0 |
e_ip | 0 |
e_cs | 0 |
e_ovno | 0 |
e_oemid | 0 |
e_oeminfo | 0 |
e_lfanew | 0x108 |
Signature | PE |
---|---|
Machine | IMAGE_FILE_MACHINE_I386 |
NumberofSections | 9 |
TimeDateStamp | 2019-Jun-14 16:38:16 |
PointerToSymbolTable | 0 |
NumberOfSymbols | 0 |
SizeOfOptionalHeader | 0xe0 |
Characteristics |
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE
|
Magic | PE32 |
---|---|
LinkerVersion | 14.0 |
SizeOfCode | 0x421600 |
SizeOfInitializedData | 0x156a00 |
SizeOfUninitializedData | 0 |
AddressOfEntryPoint | 0x001FB2AC (Section: .text) |
BaseOfCode | 0x1000 |
BaseOfData | 0x1000 |
ImageBase | 0x400000 |
SectionAlignment | 0x1000 |
FileAlignment | 0x200 |
OperatingSystemVersion | 6.0 |
ImageVersion | 0.0 |
SubsystemVersion | 6.0 |
Win32VersionValue | 0 |
SizeOfImage | 0x771000 |
SizeOfHeaders | 0x400 |
Checksum | 0 |
Subsystem | IMAGE_SUBSYSTEM_WINDOWS_GUI |
DllCharacteristics |
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
|
SizeofStackReserve | 0x100000 |
SizeofStackCommit | 0x1000 |
SizeofHeapReserve | 0x100000 |
SizeofHeapCommit | 0x1000 |
LoaderFlags | 0 |
NumberOfRvaAndSizes | 16 |
KERNEL32.dll |
GetLocalTime
GetShortPathNameA
GetLogicalDriveStringsA
GetStartupInfoA
WritePrivateProfileStringA
MultiByteToWideChar
IsDebuggerPresent
DebugBreak
GlobalAlloc
GlobalUnlock
GlobalLock
GetPrivateProfileStringA
GetLastError
SetLastError
QueryPerformanceCounter
QueryPerformanceFrequency
GetCurrentThread
GetThreadTimes
ReadConsoleW
FreeEnvironmentStringsW
GetEnvironmentStringsW
GetCommandLineW
GetCommandLineA
GetOEMCP
IsValidCodePage
FindNextFileA
FindFirstFileExA
SetStdHandle
CreateProcessA
SetConsoleCtrlHandler
WriteConsoleW
OutputDebugStringA
HeapQueryInformation
HeapReAlloc
HeapSize
ReadFile
GetConsoleMode
GetConsoleCP
FlushFileBuffers
GetFileType
EnumSystemLocalesW
GetUserDefaultLCID
IsValidLocale
GetTimeFormatW
GetDateFormatW
CreateProcessW
GetExitCodeProcess
GetACP
WriteFile
GetStdHandle
ExitProcess
ResumeThread
ExitThread
DeleteFileW
MoveFileExW
RemoveDirectoryW
GetCurrentDirectoryW
GetCurrentDirectoryA
SetCurrentDirectoryW
TerminateThread
CreateThread
Sleep
CreateEventA
CreateMutexA
ReleaseMutex
WaitForSingleObject
SetEvent
CloseHandle
GetTimeZoneInformation
GetEnvironmentVariableA
SetCurrentDirectoryA
SetEnvironmentVariableW
SetEnvironmentVariableA
GetFullPathNameA
GetFullPathNameW
GetDriveTypeW
GetModuleHandleExW
WideCharToMultiByte
FormatMessageW
CreateDirectoryW
CreateFileW
FindClose
FindFirstFileExW
FindNextFileW
GetDiskFreeSpaceExW
GetFileAttributesExW
GetFileInformationByHandle
SetEndOfFile
SetFileAttributesW
SetFilePointerEx
SetFileTime
GetTempPathW
AreFileApisANSI
CopyFileW
CreateHardLinkW
DuplicateHandle
WaitForSingleObjectEx
GetCurrentProcess
GetCurrentThreadId
GetExitCodeThread
GetNativeSystemInfo
EnterCriticalSection
LeaveCriticalSection
TryEnterCriticalSection
DeleteCriticalSection
EncodePointer
DecodePointer
InitializeCriticalSectionAndSpinCount
CreateEventW
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
GetSystemTimeAsFileTime
GetTickCount
GetModuleHandleW
GetProcAddress
CompareStringW
LCMapStringW
GetLocaleInfoW
GetStringTypeW
GetCPInfo
ResetEvent
InitializeSListHead
UnhandledExceptionFilter
SetUnhandledExceptionFilter
TerminateProcess
IsProcessorFeaturePresent
GetStartupInfoW
RaiseException
GetCurrentProcessId
HeapAlloc
HeapFree
GetProcessHeap
VirtualQuery
FreeLibrary
CreateTimerQueue
SignalObjectAndWait
SwitchToThread
SetThreadPriority
GetThreadPriority
GetLogicalProcessorInformation
CreateTimerQueueTimer
ChangeTimerQueueTimer
DeleteTimerQueueTimer
GetNumaHighestNodeNumber
GetProcessAffinityMask
SetThreadAffinityMask
RegisterWaitForSingleObject
UnregisterWait
OutputDebugStringW
FreeLibraryAndExitThread
GetModuleFileNameW
GetModuleHandleA
LoadLibraryExW
GetVersionExW
VirtualAlloc
VirtualProtect
VirtualFree
SetProcessAffinityMask
ReleaseSemaphore
InterlockedPopEntrySList
InterlockedPushEntrySList
InterlockedFlushSList
QueryDepthSList
UnregisterWaitEx
WaitForMultipleObjectsEx
LoadLibraryW
RtlUnwind
HeapValidate
GetSystemInfo
GetModuleFileNameA
RtlCaptureStackBackTrace
|
---|---|
USER32.dll |
PeekMessageA
DispatchMessageA
GetMessageA
TrackMouseEvent
LoadCursorA
SetClassLongA
GetClassLongA
MessageBoxW
SetWindowTextA
UpdateWindow
GetSystemMetrics
EnableWindow
KillTimer
SetTimer
EmptyClipboard
SetClipboardData
CloseClipboard
OpenClipboard
GetDlgCtrlID
CreateWindowExW
RegisterClassW
PostQuitMessage
DefWindowProcW
SendMessageA
TranslateMessage
SystemParametersInfoA
EnumDisplaySettingsA
ChangeDisplaySettingsA
SetWindowLongA
GetWindowLongA
ShowCursor
AdjustWindowRect
GetWindowRect
GetDC
SetForegroundWindow
SetWindowPos
ShowWindow
DestroyWindow
CreateWindowExA
DefWindowProcA
|
GDI32.dll |
SetBkColor
DeleteObject
CreateSolidBrush
CreateFontA
SetDIBitsToDevice
SetTextColor
|
ADVAPI32.dll |
CryptReleaseContext
CryptAcquireContextA
CryptGenRandom
|
SHELL32.dll |
SHGetSpecialFolderPathA
|
WININET.dll |
InternetCloseHandle
InternetOpenUrlA
InternetReadFile
InternetOpenA
|
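The import table is the quickest triage signal on this page, but single names mislead: the VS2015+ CRT startup code itself imports IsDebuggerPresent, GetProcAddress, LoadLibraryExW, EncodePointer/DecodePointer, the Tls* family and InitializeSListHead, so the "may be hiding some of its imports" and anti-debug findings above need corroboration from co-occurring behaviour. The rule set below is an added example (this editor's heuristics, not the report tool's plugin logic and not code from the sample) that only reports a pattern when its parts appear together: drive and file enumeration plus in-place rewrite plus delete/rename plus CryptGenRandom is the file-encryptor pattern, WinINet open/read plus file write plus process creation is the downloader pattern. SAMPLE_IMPORTS is the subset of the import table above that the rules consult; the rule and pattern names are this editor's.

```python
"""Capability triage over an import table.  Added example: the rules are this
editor's heuristics, not the report tool's plugin logic.  SAMPLE_IMPORTS is the
subset of the import table on this page that the rules consult, keyed by DLL."""

SAMPLE_IMPORTS = {
    "KERNEL32.dll": {
        "GetLogicalDriveStringsA", "FindFirstFileExA", "FindNextFileA", "FindFirstFileExW",
        "FindNextFileW", "CreateFileW", "ReadFile", "WriteFile", "SetEndOfFile", "SetFileTime",
        "DeleteFileW", "MoveFileExW", "IsDebuggerPresent", "CreateProcessA", "CreateProcessW",
        "CreateMutexA", "GetProcAddress", "LoadLibraryW", "LoadLibraryExW",
        "VirtualAlloc", "VirtualProtect",
    },
    "ADVAPI32.dll": {"CryptAcquireContextA", "CryptGenRandom", "CryptReleaseContext"},
    "WININET.dll": {"InternetOpenA", "InternetOpenUrlA", "InternetReadFile", "InternetCloseHandle"},
    "USER32.dll": {"OpenClipboard", "EmptyClipboard", "SetClipboardData", "CloseClipboard"},
    "SHELL32.dll": {"SHGetSpecialFolderPathA"},
}

# rule -> alternatives; an alternative is a set of imports that must ALL be present
RULES = {
    "enumerate-drives-and-files": [
        {"GetLogicalDriveStringsA", "FindFirstFileExW", "FindNextFileW"},
        {"GetLogicalDriveStringsA", "FindFirstFileExA", "FindNextFileA"},
    ],
    "rewrite-files-in-place": [{"CreateFileW", "ReadFile", "WriteFile", "SetEndOfFile"}],
    "delete-or-rename-originals": [{"DeleteFileW"}, {"MoveFileExW"}],
    "capi-random-key-material": [{"CryptAcquireContextA", "CryptGenRandom"}],
    "http-fetch-wininet": [{"InternetOpenA", "InternetOpenUrlA", "InternetReadFile"}],
    "single-instance-mutex": [{"CreateMutexA"}, {"CreateMutexW"}],
    "clipboard-write": [{"OpenClipboard", "SetClipboardData"}],
    "spawn-process": [{"CreateProcessA"}, {"CreateProcessW"}],
    # the CRT startup code imports these too, so on their own they are weak signals
    "anti-debug-check": [{"IsDebuggerPresent"}],
    "dynamic-import-resolution": [{"GetProcAddress", "LoadLibraryW"},
                                  {"GetProcAddress", "LoadLibraryExW"},
                                  {"GetProcAddress", "LoadLibraryA"}],
    "rw-to-rx-memory": [{"VirtualAlloc", "VirtualProtect"}],
}

# composite patterns require several rules to fire together
COMPOSITES = {
    "file-encryptor-pattern": {"enumerate-drives-and-files", "rewrite-files-in-place",
                               "delete-or-rename-originals", "capi-random-key-material"},
    "downloader-pattern": {"http-fetch-wininet", "rewrite-files-in-place", "spawn-process"},
}


def all_names(imports):
    """Flatten {dll: {names}} into one set; the rules do not key on the DLL."""
    return set().union(*imports.values())


def triage(imports):
    """Sorted list of rule and composite names the import set satisfies."""
    names = all_names(imports)
    hits = {rule for rule, alts in RULES.items() if any(alt <= names for alt in alts)}
    hits |= {name for name, needs in COMPOSITES.items() if needs <= hits}
    return sorted(hits)


def missing_for(rule, imports):
    """Smallest set of imports still needed for `rule` to fire (empty if it
    already fires); useful when explaining why a pattern was not reported."""
    names = all_names(imports)
    return min((alt - names for alt in RULES[rule]), key=len)


if __name__ == "__main__":
    print(triage(SAMPLE_IMPORTS))
    print(missing_for("http-fetch-wininet", {"USER32.dll": {"MessageBoxW"}}))
```

Run against the page's imports the file-encryptor and downloader composites both fire; run against a CRT-only import set, only the two weak rules fire, which is the point of keeping them separate from the composites.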
Characteristics | 0 |
---|---|
TimeDateStamp | 2019-Jun-14 15:47:16 |
Version | 0.0 |
SizeofData | 91 |
AddressOfRawData | 0x6e5ac4 |
PointerToRawData | 0x4f04c4 |
Referenced File | C:\Users\Usuario\Documents\Proyectos\sher.lock\Debug\LooCipher.pdb |
Characteristics | 0 |
---|---|
TimeDateStamp | 2019-Jun-14 15:47:16 |
Version | 0.0 |
SizeofData | 20 |
AddressOfRawData | 0x6e5b20 |
PointerToRawData | 0x4f0520 |
StartAddressOfRawData | 0xb44000 |
---|---|
EndAddressOfRawData | 0xb44208 |
AddressOfIndex | 0xb40384 |
AddressOfCallbacks | 0xa17e2c |
SizeOfZeroFill | 0 |
Characteristics | IMAGE_SCN_ALIGN_4BYTES |
Callbacks | (EMPTY) |
Size | 0x68 |
---|---|
TimeDateStamp | 1970-Jan-01 00:00:00 |
Version | 0.0 |
GlobalFlagsClear | (EMPTY) |
GlobalFlagsSet | (EMPTY) |
CriticalSectionDefaultTimeout | 0 |
DeCommitFreeBlockThreshold | 0 |
DeCommitTotalFreeThreshold | 0 |
LockPrefixTable | 0 |
MaximumAllocationSize | 0 |
VirtualMemoryThreshold | 0 |
ProcessAffinityMask | 0 |
ProcessHeapFlags | (EMPTY) |
CSDVersion | 0 |
Reserved1 | 0 |
EditList | 0 |
SecurityCookie | 0xb16254 |
SEHandlerTable | 0 |
SEHandlerCount | 0 |
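The DOS, PE, optional and load-configuration tables above can be reproduced with a handful of struct reads, and the same parse answers what the summary leaves open: whether the entry point lands in a real code section, which sections are mapped writable and executable, and which mitigations the DllCharacteristics and load configuration actually buy. The script below is an added example, not the report tool's code and not anything from the sample. It builds a PE32 header in memory from the values on this page (e_lfanew 0x108, TimeDateStamp 2019-Jun-14 16:38:16, linker 14.0, entry point 0x1FB2AC, DllCharacteristics DYNAMIC_BASE|NX_COMPAT|TERMINAL_SERVER_AWARE, SecurityCookie 0xb16254, SEHandlerTable and SEHandlerCount 0) and invents a three-entry section table, because the report prints only the names .textbss and .text. Two caveats a practitioner wants are encoded in it: a .textbss section with no raw data is what MSVC's /INCREMENTAL linker emits for a Debug build (consistent with the Debug\LooCipher.pdb path and the VS2017 Rich header), so the W+X flag is not by itself evidence of packing; and on x86 a zero SEHandlerTable without the NO_SEH flag means SafeSEH is not enforced for this module, even though the non-zero SecurityCookie shows /GS is on.

```python
"""Parse a PE32 image's DOS, file, optional and section headers and derive
mitigation facts from them.  Added example: not the report tool's code and
not the sample's own.  The image is constructed in memory from the header
values on this page; its three section entries are invented (the report
prints only the section names .textbss and .text)."""
import struct
from datetime import datetime, timezone

FILE_RELOCS_STRIPPED = 0x0001
DLL_DYNAMIC_BASE, DLL_NX_COMPAT, DLL_NO_SEH = 0x0040, 0x0100, 0x0400
SCN_CNT_CODE, SCN_CNT_INIT, SCN_CNT_UNINIT = 0x20, 0x40, 0x80
SCN_MEM_EXECUTE, SCN_MEM_READ, SCN_MEM_WRITE = 0x20000000, 0x40000000, 0x80000000
SECTION_FMT = "<8sIIIIIIHHI"                                    # IMAGE_SECTION_HEADER, 40 bytes
OPT_FMT = "<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH" + "I" * 6  # IMAGE_OPTIONAL_HEADER32 without directories


def parse_pe32(data):
    """Walk MZ -> e_lfanew -> PE signature -> file header -> optional header -> sections."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    fh = e_lfanew + 4                                               # IMAGE_FILE_HEADER
    machine, nsect, stamp, _, _, opt_size, fchars = struct.unpack_from("<HHIIIHH", data, fh)
    oh = fh + 20                                                    # IMAGE_OPTIONAL_HEADER32
    magic, maj_link, min_link = struct.unpack_from("<HBB", data, oh)
    if magic != 0x10B:
        raise ValueError("not a PE32 optional header")
    entry, = struct.unpack_from("<I", data, oh + 16)
    size_of_image, = struct.unpack_from("<I", data, oh + 56)
    subsystem, dll_chars = struct.unpack_from("<HH", data, oh + 68)
    sections = []
    for i in range(nsect):                                          # table follows the optional header
        name, vsize, va, raw_size, _, _, _, _, _, schars = struct.unpack_from(
            SECTION_FMT, data, oh + opt_size + i * 40)
        sections.append({"name": name.rstrip(b"\0").decode(), "va": va, "vsize": vsize,
                         "raw_size": raw_size, "chars": schars})
    return {"machine": machine, "timestamp": stamp, "file_chars": fchars,
            "linker": f"{maj_link}.{min_link}", "entry": entry, "subsystem": subsystem,
            "dll_chars": dll_chars, "size_of_image": size_of_image, "sections": sections}


def section_for_rva(hdr, rva):
    """Name of the section mapping an RVA, or None for header/unmapped space."""
    for s in hdr["sections"]:
        if s["va"] <= rva < s["va"] + s["vsize"]:
            return s["name"]
    return None


def wx_sections(hdr):
    """Writable+executable sections.  A .textbss entry with no raw data is the
    thunk area MSVC's /INCREMENTAL linker adds to Debug builds, not a packer stub."""
    out = []
    for s in hdr["sections"]:
        if s["chars"] & SCN_MEM_WRITE and s["chars"] & SCN_MEM_EXECUTE:
            ilt = s["name"] == ".textbss" and s["raw_size"] == 0 and bool(s["chars"] & SCN_CNT_UNINIT)
            out.append((s["name"], "msvc-incremental-link" if ilt else "wx"))
    return out


def mitigations(hdr, security_cookie, seh_table, seh_count):
    """DllCharacteristics combined with the load-config fields the report lists."""
    dc, fc = hdr["dll_chars"], hdr["file_chars"]
    return {
        # DYNAMIC_BASE only relocates the image if the relocations were kept
        "aslr": bool(dc & DLL_DYNAMIC_BASE) and not fc & FILE_RELOCS_STRIPPED,
        "dep": bool(dc & DLL_NX_COMPAT),
        "gs": security_cookie != 0,
        # x86 SafeSEH is enforced only with a handler table or the NO_SEH flag
        "safeseh": bool(dc & DLL_NO_SEH) or (seh_table != 0 and seh_count != 0),
    }


def build_sample_image():
    """Constructed PE32 header from the report's values; the sections are invented."""
    e_lfanew = 0x108
    stamp = int(datetime(2019, 6, 14, 16, 38, 16, tzinfo=timezone.utc).timestamp())
    sections = [  # name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, Characteristics
        (b".textbss", 0x10000, 0x1000, 0, 0, SCN_CNT_UNINIT | SCN_MEM_EXECUTE | SCN_MEM_READ | SCN_MEM_WRITE),
        (b".text", 0x421600, 0x11000, 0x421600, 0x400, SCN_CNT_CODE | SCN_MEM_EXECUTE | SCN_MEM_READ),
        (b".rdata", 0x156A00, 0x433000, 0x156A00, 0x421A00, SCN_CNT_INIT | SCN_MEM_READ),
    ]
    img = bytearray(e_lfanew)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, e_lfanew)
    img += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), stamp, 0, 0, 0xE0, 0x0102)
    img += struct.pack(OPT_FMT,
                       0x10B, 14, 0, 0x421600, 0x156A00, 0, 0x1FB2AC, 0x1000, 0x1000, 0x400000,
                       0x1000, 0x200, 6, 0, 0, 0, 6, 0, 0, 0x771000, 0x400, 0,
                       2, 0x8140, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    img += bytes(16 * 8)                                            # 16 empty data directories
    for name, vsize, va, raw_size, raw_ptr, chars in sections:
        img += struct.pack(SECTION_FMT, name, vsize, va, raw_size, raw_ptr, 0, 0, 0, 0, chars)
    return bytes(img)


if __name__ == "__main__":
    hdr = parse_pe32(build_sample_image())
    print(hdr["linker"], hex(hdr["entry"]), section_for_rva(hdr, hdr["entry"]))
    print(wx_sections(hdr))
    print(mitigations(hdr, security_cookie=0xB16254, seh_table=0, seh_count=0))
```

On a real file, read the SecurityCookie, SEHandlerTable and SEHandlerCount from the load configuration directory instead of passing them in; they are given as arguments here only because the constructed image has no data directories.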
XOR Key | 0x1c2e1b8f |
---|---|
Unmarked objects | 0 |
ASM objects (24610) | 28 |
C++ objects (24610) | 197 |
C objects (24610) | 26 |
ASM objects (24723) | 23 |
C++ objects (24723) | 132 |
C objects (24723) | 37 |
Imports (24610) | 13 |
Total imports | 227 |
C++ objects (VS2017 v15.2 compiler 25019) | 37 |
Resource objects (VS2017 v15.2 compiler 25019) | 1 |
Linker (VS2017 v15.2 compiler 25019) | 1 |
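The Rich header table above is the most reliable toolchain evidence on the page: it records object builds 24610, 24723 and 25019, the last labelled VS2017 v15.2, and agrees with LinkerVersion 14.0 in the optional header, whereas the "Microsoft Visual C++ v6.0" compiler match in the summary is a generic entry-point byte signature that this evidence contradicts. The decoder below is an added example, not the report tool's code: it rebuilds a Rich block from the table's entries, decodes it by locating the Rich marker, taking the key stored after it and XORing backwards to DanS, and recomputes the key, which doubles as a checksum over the DOS stub bytes and the entries, so an edited stub or entry list no longer matches the stored key. The product IDs (Import0 0x0001, Cvtres1400 0x0100, Implib1400 0x0102, Linker1400 0x0103, Masm1400 0x0104, Utc1900_C 0x0105, Utc1900_CPP 0x0106) are this editor's assumption from the public Rich header tables; the report prints only the object kinds and builds, and the zero-count "Unmarked objects" row is left out of the sample because it carries no entry. The DOS stub is constructed, so the recomputed key is not the real file's 0x1c2e1b8f; that value can only be verified against the sample's actual stub bytes, and it is used here only as a stored key.

```python
"""Decode and verify a Rich header.  Added example: not the report tool's code.
The block is built from the entries in the Rich header table on this page;
product IDs are this editor's assumption from the public Rich tables, the DOS
stub is constructed, and the real file's key 0x1c2e1b8f is only reproduced as
a stored value, not recomputed."""
import struct

DANS = 0x536E6144  # "DanS" as a little-endian DWORD

# assumed product IDs -> the kind names the report uses
PRODUCT_NAMES = {0x0001: "Total imports", 0x0100: "Resource objects", 0x0102: "Imports",
                 0x0103: "Linker", 0x0104: "ASM objects", 0x0105: "C objects", 0x0106: "C++ objects"}

# (product id, build, count) for the rows of the report's Rich header table
REPORTED_ENTRIES = [
    (0x0104, 24610, 28), (0x0106, 24610, 197), (0x0105, 24610, 26),
    (0x0104, 24723, 23), (0x0106, 24723, 132), (0x0105, 24723, 37),
    (0x0102, 24610, 13), (0x0001, 0, 227),
    (0x0106, 25019, 37), (0x0100, 25019, 1), (0x0103, 25019, 1),
]


def rol32(v, n):
    n &= 31
    return ((v << n) | (v >> (32 - n))) & 0xFFFFFFFF


def rich_checksum(data, dans_off, entries):
    """The linker's key: DanS offset + each DOS-stub byte rotated by its offset
    (e_lfanew excluded, it is patched after the checksum) + each entry's comp id
    rotated by its count."""
    csum = dans_off
    for i in range(dans_off):
        if 0x3C <= i < 0x40:
            continue
        csum += rol32(data[i], i)
    for prod, build, count in entries:
        csum += rol32((prod << 16) | build, count)
    return csum & 0xFFFFFFFF


def build_rich_block(dos_stub, entries, key=None):
    """Append an encoded Rich block; key=None stores the computed checksum."""
    dans_off = len(dos_stub)
    if key is None:
        key = rich_checksum(dos_stub, dans_off, entries)
    words = [DANS, 0, 0, 0]                        # marker + three padding DWORDs
    for prod, build, count in entries:
        words += [(prod << 16) | build, count]
    block = b"".join(struct.pack("<I", w ^ key) for w in words)
    return dos_stub + block + b"Rich" + struct.pack("<I", key)


def decode_rich(data):
    """Find 'Rich' on a DWORD boundary before the PE header, take the key after
    it, XOR backwards to 'DanS', then read the (comp id, count) pairs."""
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    limit = min(len(data), e_lfanew) - 8
    rich_off = next((o for o in range(0x40, limit + 1, 4) if data[o:o + 4] == b"Rich"), None)
    if rich_off is None:
        raise ValueError("no Rich marker before the PE header")
    key, = struct.unpack_from("<I", data, rich_off + 4)
    dans_off = next((o for o in range(rich_off - 4, 0x3C, -4)
                     if struct.unpack_from("<I", data, o)[0] ^ key == DANS), None)
    if dans_off is None:
        raise ValueError("no DanS marker")
    entries = []
    for off in range(dans_off + 16, rich_off, 8):  # skip DanS and its padding
        comp, count = (v ^ key for v in struct.unpack_from("<II", data, off))
        entries.append((comp >> 16, comp & 0xFFFF, count))
    return {"key": key, "dans_off": dans_off, "entries": entries,
            "checksum_ok": rich_checksum(data, dans_off, entries) == key}


def describe(entries):
    """Rows in the report's own 'kind (build) | count' form."""
    return [f"{PRODUCT_NAMES.get(prod, hex(prod))} ({build}) | {count}" for prod, build, count in entries]


def make_sample_stub():
    """Constructed 0x80-byte DOS header: MZ and the page's e_lfanew 0x108, rest zero."""
    stub = bytearray(0x80)
    stub[:2] = b"MZ"
    struct.pack_into("<I", stub, 0x3C, 0x108)
    return bytes(stub)


if __name__ == "__main__":
    image = build_rich_block(make_sample_stub(), REPORTED_ENTRIES)
    info = decode_rich(image)
    print(hex(info["key"]), info["checksum_ok"])
    print("\n".join(describe(info["entries"])))
```

A checksum mismatch is worth reporting as a finding in its own right: the entries still decode, but the stub or the entry list was edited after linking, which is how Rich headers get forged to impersonate another toolchain.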