Manalyze report for e120c26a601ee0eceb84068728910e89

Summary

Architecture	`IMAGE_FILE_MACHINE_I386`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	2018-May-24 15:23:07

Plugin Output

Info	Libraries used to perform cryptographic operations:	`Microsoft's Cryptography API`
Malicious	The PE contains functions mostly used by malware.	`Can access the registry: RegEnumKeyW` `Uses Microsoft's cryptographic API: CryptGetUserKey CryptGenRandom CryptGenKey CryptDestroyKey` `Functions related to the privilege level: DuplicateToken` `Enumerates local disk drives: GetVolumeInformationW` `Manipulates other processes: Process32First`
Malicious	VirusTotal score: 42/67 (Scanned on 2018-06-12 07:54:27)	`MicroWorld-eScan: Gen:Variant.Ransom.RotorCrypt.2` `McAfee: RansomRotorCrypt!E120C26A601E` `Cylance: Unsafe` `K7AntiVirus: Trojan ( 0050f06c1 )` `K7GW: Trojan ( 0050f06c1 )` `TrendMicro: Mal_CrypRoto` `Baidu: Win32.Trojan.WisdomEyes.16070401.9500.9998` `Symantec: Ransom.Troldesh` `ESET-NOD32: a variant of Win32/Filecoder.RotoCrypt.C` `TrendMicro-HouseCall: Suspicious_GEN.F47V0612` `Kaspersky: HEUR:Trojan.Win32.Generic` `BitDefender: Gen:Variant.Ransom.RotorCrypt.2` `NANO-Antivirus: Trojan.Win32.Filecoder.fdybxi` `Avast: Win32:KadrBot [Trj]` `Tencent: Win32.Trojan.Filecoder.Agke` `Ad-Aware: Gen:Variant.Ransom.RotorCrypt.2` `Sophos: Mal/Generic-S` `F-Secure: Gen:Variant.Ransom.RotorCrypt.2` `DrWeb: Trojan.Encoder.5342` `Invincea: heuristic` `McAfee-GW-Edition: RansomRotorCrypt!E120C26A601E` `Emsisoft: Gen:Variant.Ransom.RotorCrypt.2 (B)` `Ikarus: Trojan-Ransom.Rotocrypt` `Cyren: W32/Ransom.PGTG-7732` `Avira: TR/Crypt.XPACK.Gen2` `Antiy-AVL: Trojan/Win32.AGeneric` `Microsoft: Ransom:Win32/Genasom` `Endgame: malicious (high confidence)` `Arcabit: Trojan.Ransom.RotorCrypt.2` `AegisLab: Troj.W32.Generic!c` `ZoneAlarm: HEUR:Trojan.Win32.Generic` `GData: Gen:Variant.Ransom.RotorCrypt.2` `ALYac: Trojan.Ransom.RotorCrypt` `MAX: malware (ai score=99)` `Malwarebytes: Trojan.MalPack` `SentinelOne: static engine - malicious` `Fortinet: W32/RotoCrypt.C!tr` `AVG: Win32:KadrBot [Trj]` `Cybereason: malicious.a601ee` `Panda: Trj/GdSda.A` `CrowdStrike: malicious_confidence_100% (W)` `Qihoo-360: HEUR/QVM20.1.6CC1.Malware.Gen`

Hashes

MD5	`e120c26a601ee0eceb84068728910e89`
SHA1	`2e074045c334a5e59a536b1397d6a4d63437c10b`
SHA256	`3637c9f27d8599d1c79a1de6f4eb2bf2795f831d43d9d4b0c821e73bdbebafcf`
SHA3	`cea0f7291e6e37a13a2b83f1cc2ec7b7b796bd6848a7ae243941482c7343085d`
SSDeep	`1536:25EgY2I1Dx07GN6bM+/nIbtHGZo8GlRSSU32egMY1tPjwmwAa7V:8Cx046zOtmZo3lRSSw2eNY1tsmO`
Imports Hash	`b1a6fba59730062d23755804b451bf50`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0xb0`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_I386`
NumberofSections	`3`
TimeDateStamp	2018-May-24 15:23:07
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xe0`
Characteristics	`IMAGE_FILE_32BIT_MACHINE` `IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_RELOCS_STRIPPED`

Image Optional Header

Magic	`PE32`
LinkerVersion	`8.0`
SizeOfCode	`0xc800`
SizeOfInitializedData	`0x6600`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x00009517 (Section: .text)`
BaseOfCode	`0x1000`
BaseOfData	`0xe000`
ImageBase	`0x400000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`4.0`
ImageVersion	`0.0`
SubsystemVersion	`4.0`
Win32VersionValue	`0`
SizeOfImage	`0x15000`
SizeOfHeaders	`0x400`
Checksum	`0`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_NO_SEH`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`24d86a59131bce9fd9dd1defbac9da18`
SHA1	`bf38d800bddb06c45bdfa6298cd11cc72a06bb78`
SHA256	`95b64e2a54f805c8e1c55de305a17ffb04a6acd61885695b2632cb720e674eee`
SHA3	`480c3b85db6170bd1b455ba201dc7bce4e05f7d21633b71909ba2c0f11a1c33b`
VirtualSize	`0xc6b0`
VirtualAddress	`0x1000`
SizeOfRawData	`0xc800`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.5427`

.rdata

MD5	`f0e11d8137c43dcc271f9c2b3a33e41e`
SHA1	`b80bf904c23da55a09859731da2ecb062f0fc405`
SHA256	`1327798b6abedf373f88307fd7c9303771f693b2d932d25d7547c3c03b1074e6`
SHA3	`0c96a15806e10b78764579f959c5300c5658f100f9b167781eb4c4ebfa0e0fb0`
VirtualSize	`0xb85`
VirtualAddress	`0xe000`
SizeOfRawData	`0xc00`
PointerToRawData	`0xcc00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`5.1524`

.data

MD5	`c7ec64cead2cb15b6d8e645db2bc3f76`
SHA1	`21ec5b9c64f15c370424c1532492954a6eeaf7a0`
SHA256	`952be35405a151a0b76da2b31a22c50e4a24a34484dc58cab25fc79b5c899764`
SHA3	`df5c55fd884ae33c29c42d14acb95a46c9cf5b576024ad27e8d6012ee75f0690`
VirtualSize	`0x5921`
VirtualAddress	`0xf000`
SizeOfRawData	`0x5a00`
PointerToRawData	`0xd800`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`5.57454`

Imports

KERNEL32.DLL	`InterlockedDecrement` `FileTimeToLocalFileTime` `DebugBreak` `GetConsoleMode` `DeleteFileW` `CloseHandle` `ConnectNamedPipe` `FileTimeToDosDateTime` `GetCommandLineW` `GetStringTypeA` `GetCommandLineA` `InterlockedExchange` `LocalLock` `GetFileTime` `GetEnvironmentVariableW` `RemoveDirectoryW` `ReplaceFileW` `DuplicateHandle` `TlsAlloc` `WriteConsoleA` `GetSystemDefaultLCID` `GetVolumeInformationW` `OpenSemaphoreW` `Process32First` `IsBadReadPtr` `SetComputerNameW` `SizeofResource` `TlsSetValue` `MulDiv` `GetLastError` `GetProcAddress` `GetPrivateProfileIntW` `UnhandledExceptionFilter` `LCMapStringA` `CreateThread` `Sleep` `GetModuleHandleA`
USER32.DLL	`GetWindowPlacement` `AppendMenuW` `GetMessageW` `GrayStringW` `GetClipCursor` `GetSysColorBrush` `SetMenuItemBitmaps` `ValidateRect` `SetFocus` `TabbedTextOutW` `MapVirtualKeyW` `GetClassInfoW` `SendMessageW` `InvalidateRgn` `GetWindow` `GetKeyNameTextW`
OLE32.DLL	`CoTaskMemFree` `CoTaskMemAlloc` `WriteClassStg` `SetConvertStg` `CreateBindCtx` `CLSIDFromString` `WriteFmtUserTypeStg` `ReadClassStg` `CoCreateInstance` `ReleaseStgMedium` `StringFromCLSID` `OleDuplicateData` `CoTreatAsClass` `CLSIDFromProgID`
GDI32.DLL	`GetPixel` `CreateSolidBrush` `CreatePatternBrush` `GetCharWidthW` `CreateCompatibleDC` `PolyBezier` `GetArcDirection` `CreateICW` `CloseMetaFile` `GetTextExtentPoint32W` `CreateFontIndirectW` `SaveDC`
SHLWAPI.DLL	`PathFindExtensionW` `PathRemoveExtensionW` `PathIsUNCW` `PathFindFileNameW`
COMDLG32.DLL	`ChooseFontW` `GetSaveFileNameW`
SHELL32.DLL	`DragAcceptFiles` `ExtractIconW` `SHGetFileInfoW` `DragFinish`
ADVAPI32.DLL	`CryptGetUserKey` `RegEnumKeyW` `IsValidSecurityDescriptor` `CryptGenRandom` `CryptGenKey` `SetAclInformation` `FreeSid` `CryptDestroyKey` `DuplicateToken` `SetSecurityDescriptorDacl`

Delayed Imports

Version Info

TLS Callbacks

Load Configuration

RICH Header

XOR Key	`0x25427b87`
Unmarked objects	`0`
C++ objects (VS2012 build 50727 / VS2005 build 50727)	`26`
Linker (VS2012 build 50727 / VS2005 build 50727)	`1`

e120c26a601ee0eceb84068728910e89

Summary

Plugin Output

Hashes

DOS Header

PE Header

Image Optional Header

.text

.rdata

.data

Imports

Delayed Imports

Version Info

TLS Callbacks

Load Configuration

RICH Header

Errors