Manalyze report for e82686fa553545a9b3ffc1225f0bc5fa

Summary

Architecture	`IMAGE_FILE_MACHINE_I386`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	2018-Aug-04 04:57:19

Plugin Output

Info	Matching compiler(s):	`Microsoft Visual C++ 6.0 - 8.0`
Suspicious	The PE is possibly packed.	`Unusual section name found: .ruf`
Malicious	The PE contains functions mostly used by malware.	`[!] The program may be hiding some of its imports: LoadLibraryW GetProcAddress LoadLibraryA` `Can access the registry: RegRestoreKeyW` `Memory manipulation functions often used by packers: VirtualProtect VirtualAlloc` `Functions related to the privilege level: AdjustTokenPrivileges`
Malicious	VirusTotal score: 54/66 (Scanned on 2019-06-15 10:22:20)	`MicroWorld-eScan: Trojan.GenericKD.32024741` `CAT-QuickHeal: Trojan.Fuerboos` `McAfee: GCrab-FOC!E82686FA5535` `Cylance: Unsafe` `K7AntiVirus: Trojan ( 0054f2d61 )` `Alibaba: Trojan:Win32/DelShad.cd9484d9` `K7GW: Trojan ( 0054f2d61 )` `Cybereason: malicious.a55354` `Symantec: Downloader` `ESET-NOD32: a variant of Win32/Kryptik.GTOE` `APEX: Malicious` `Paloalto: generic.ml` `ClamAV: Win.Trojan.Agent-6993115-0` `GData: Win32.Trojan-Ransom.Sodinokibi.A` `Kaspersky: Trojan.Win32.DelShad.kl` `BitDefender: Trojan.GenericKD.32024741` `NANO-Antivirus: Trojan.Win32.DelShad.fqwsxh` `ViRobot: Trojan.Win32.Z.Genkryptik.321024.A` `Avast: Win32:Trojan-gen` `Tencent: Win32.Trojan.Delshad.Ajbi` `Endgame: malicious (high confidence)` `Sophos: Troj/Ransom-FLK` `Comodo: Malware@#1aevoxp3babq5` `F-Secure: Trojan.TR/AD.SodinoRansom.dkaaw` `DrWeb: Trojan.Encoder.28363` `Qihoo-360: HEUR/QVM10.2.8DE3.Malware.Gen` `Invincea: heuristic` `McAfee-GW-Edition: BehavesLike.Win32.MultiPlug.fh` `FireEye: Generic.mg.e82686fa553545a9` `Emsisoft: Trojan.Generic (A)` `Ikarus: Trojan.Win32.Krypt` `Cyren: W32/Trojan.OYTL-6660` `Webroot: W32.Trojan.Gen` `Avira: TR/AD.SodinoRansom.dkaaw` `Antiy-AVL: Trojan/Win32.DelShad` `Arcabit: Trojan.Generic.D1E8A8A5` `AegisLab: Trojan.Win32.DelShad.4!c` `ZoneAlarm: Trojan.Win32.DelShad.kl` `Microsoft: Trojan:Win32/Occamy.C` `AhnLab-V3: Malware/Win32.RL_Generic.R273958` `Acronis: suspicious` `VBA32: BScope.Trojan.AET.281105` `ALYac: Trojan.Ransom.Sodinokibi` `MAX: malware (ai score=100)` `Ad-Aware: Trojan.GenericKD.32024741` `Malwarebytes: Trojan.MalPack.GS.Generic` `Rising: Trojan.Fuerboos!8.EFC8 (TFE:6:UhCF5SP22tR)` `Yandex: Trojan.DelShad!` `SentinelOne: DFI - Malicious PE` `Fortinet: W32/GenKryptik.DJOD!tr` `AVG: Win32:Trojan-gen` `Panda: Trj/GdSda.A` `CrowdStrike: win/malicious_confidence_100% (W)` `MaxSecure: Trojan.Malware.74359613.susgen`

Hashes

MD5	`e82686fa553545a9b3ffc1225f0bc5fa`
SHA1	`9bfc63f18069b03e4cbbc3248d71d70cd2d0e80e`
SHA256	`5dde3386e0ce769bfd1880175168a71931d1ffb881b5050760c19f46a318efc9`
SHA3	`7e1b64c64737166da46286b6e21a3785a9a09ad1fdfc1f1c65d59ac3c2773daf`
SSDeep	`6144:GRMb3yPooZC0aVJmV0haDF9HUPGSllA8D9:GRO3yPozaDFRUuSz`
Imports Hash	`c99ea698585be79c80a3d3d279e53c57`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0xf8`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_I386`
NumberofSections	`6`
TimeDateStamp	2018-Aug-04 04:57:19
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xe0`
Characteristics	`IMAGE_FILE_32BIT_MACHINE` `IMAGE_FILE_EXECUTABLE_IMAGE`

Image Optional Header

Magic	`PE32`
LinkerVersion	`9.0`
SizeOfCode	`0x41e00`
SizeOfInitializedData	`0x105600`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x00006183 (Section: .text)`
BaseOfCode	`0x1000`
BaseOfData	`0x43000`
ImageBase	`0x400000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`5.0`
ImageVersion	`0.0`
SubsystemVersion	`5.0`
Win32VersionValue	`0`
SizeOfImage	`0x14c000`
SizeOfHeaders	`0x400`
Checksum	`0x4e976`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_NX_COMPAT` `IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`4c6de89474b9239c496eb421e0dd6e58`
SHA1	`967a7805fd7a617a3aeea995c23538cb8b68218b`
SHA256	`ced1869332aeaa86eb069109302b9eabd2c405040f5be302b363d6f2b002d170`
SHA3	`0d878a675f50e6734319428c04508a8b9262dfe9ef52da8676b993676ec80b20`
VirtualSize	`0x41c8b`
VirtualAddress	`0x1000`
SizeOfRawData	`0x41e00`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.93842`

.rdata

MD5	`ab981f59fc174252b6bdcfe5fba02f54`
SHA1	`9bd521fa506000b4771dd676369ea4a008801ccb`
SHA256	`0ff341ac4f95e2fca490b272d4216f9542e85d1c27ddead126d84e4e3eebc9cd`
SHA3	`123fa790c3fc29659c4fcb7afe1b31893a47315d3b32436716823110fe7fb07b`
VirtualSize	`0x4669`
VirtualAddress	`0x43000`
SizeOfRawData	`0x4800`
PointerToRawData	`0x42200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`5.15603`

.data

MD5	`526b6d43fe63decd6ef1183e3ac97c4e`
SHA1	`259ca6bec417acc42c5905ef117bf89e37a165a5`
SHA256	`d349094142bf35326af9650607c81f06013ba6ded8e2091bfb0b325b38bab12c`
SHA3	`6d14f256edfaaada7bed754383cce93b8518bdb23f63379352f6174af7085b70`
VirtualSize	`0xfa7a8`
VirtualAddress	`0x48000`
SizeOfRawData	`0x1600`
PointerToRawData	`0x46a00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`2.23553`

.ruf

MD5	`0f343b0931126a20f133d67c2b018a3b`
SHA1	`60cacbf3d72e1e7834203da608037b1bf83b40e8`
SHA256	`5f70bf18a086007016e948b04aed3b82103a36bea41755b6cddfaf10ace3c6ef`
SHA3	`6841b2c10aa6e5f7a384143e4de58fbc9aa28a4b742e9ad4ed14ba148a723a43`
VirtualSize	`0x1200`
VirtualAddress	`0x143000`
SizeOfRawData	`0x400`
PointerToRawData	`0x48000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`0`

.rsrc

MD5	`4afe45d6f90d8f30e93673057f10aada`
SHA1	`d27fb3f8ca2e4540fccbfab53175f55773f6bbcf`
SHA256	`ee6f26e78c707d5a66a65fafe0eba3225d051d835cf4bced6efaebaddbb92eef`
SHA3	`47fd4582a221898fff636a16c9328324966eff15375bcaf8054bd5867f76ffef`
VirtualSize	`0x3cb8`
VirtualAddress	`0x145000`
SizeOfRawData	`0x3e00`
PointerToRawData	`0x48400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`5.87074`

.reloc

MD5	`285d6628e9c5d7d643c85e2c7c8680ad`
SHA1	`6f637fc3a7d768c3fdc3bdbce7ffefa9c8b6a860`
SHA256	`002a2e0fb15fa8d9ad8c8c6d29a9a430566f6b40b26bf0adead81f3c3c81fb7b`
SHA3	`94b2ef952c288b09ec05044fc30dd243cd0704554a9a350e8b36621976f714e4`
VirtualSize	`0x2354`
VirtualAddress	`0x149000`
SizeOfRawData	`0x2400`
PointerToRawData	`0x4c200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`5.10522`

Imports

KERNEL32.dll	`GetTickCount` `GlobalAlloc` `LoadLibraryW` `GetBinaryTypeA` `lstrlenW` `GetStartupInfoA` `GetLastError` `LockFile` `PeekConsoleInputW` `MoveFileA` `WTSGetActiveConsoleSessionId` `VirtualProtect` `GetFileAttributesExW` `CloseHandle` `lstrcpyA` `SetHandleInformation` `LoadResource` `GetProcAddress` `lstrcpynA` `GetCommandLineA` `RaiseException` `RtlUnwind` `TerminateProcess` `GetCurrentProcess` `UnhandledExceptionFilter` `SetUnhandledExceptionFilter` `IsDebuggerPresent` `HeapAlloc` `HeapFree` `WriteFile` `WideCharToMultiByte` `GetConsoleCP` `GetConsoleMode` `FlushFileBuffers` `DeleteCriticalSection` `LeaveCriticalSection` `FatalAppExitA` `EnterCriticalSection` `MultiByteToWideChar` `ReadFile` `GetModuleHandleW` `Sleep` `ExitProcess` `GetStdHandle` `GetModuleFileNameA` `FreeEnvironmentStringsA` `GetEnvironmentStrings` `FreeEnvironmentStringsW` `GetEnvironmentStringsW` `SetHandleCount` `GetFileType` `TlsGetValue` `TlsAlloc` `TlsSetValue` `TlsFree` `InterlockedIncrement` `SetLastError` `GetCurrentThreadId` `InterlockedDecrement` `GetCurrentThread` `HeapCreate` `HeapDestroy` `VirtualFree` `QueryPerformanceCounter` `GetCurrentProcessId` `GetSystemTimeAsFileTime` `VirtualAlloc` `HeapReAlloc` `WriteConsoleA` `GetConsoleOutputCP` `WriteConsoleW` `SetFilePointer` `SetStdHandle` `InitializeCriticalSectionAndSpinCount` `HeapSize` `SetConsoleCtrlHandler` `FreeLibrary` `InterlockedExchange` `LoadLibraryA` `GetCPInfo` `GetACP` `GetOEMCP` `IsValidCodePage` `CreateFileA` `GetLocaleInfoW` `GetLocaleInfoA` `LCMapStringA` `LCMapStringW` `GetStringTypeA` `GetStringTypeW` `GetTimeFormatA` `GetDateFormatA` `GetUserDefaultLCID` `EnumSystemLocalesA` `IsValidLocale` `GetTimeZoneInformation` `CompareStringA` `CompareStringW` `SetEnvironmentVariableA`
ADVAPI32.dll	`LockServiceDatabase` `RegRestoreKeyW` `AdjustTokenPrivileges`

Delayed Imports

MyFunc165

Ordinal	`1`
Address	`0x1460`

118

Type	`HOHAVICEPEVEZEXADAGUKOBOPUSI`
Language	UNKNOWN
Codepage	UNKNOWN
Size	`0xb4c`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`4.58889`
MD5	`35fdbaefd1378568ff377723a2e94ff3`
SHA1	`eff39e00faaa3efffadb8416efa7a7649b5410e7`
SHA256	`ddcfc74db4555a389a40924462579942766eb2840ef516773da15cae049db2e7`
SHA3	`87ad8279e2c48b5bb474d6a7e91e24e7701f3476d5af4173ae15ac60b6f696c7`

842

Type	`PIHAVEJALE`
Language	UNKNOWN
Codepage	UNKNOWN
Size	`0xbf4`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`4.58108`
MD5	`640b746e5ff0416cff7011fcf3283fa2`
SHA1	`4a7cddf93c3f206c6d7a7e917340eb3c34416ae3`
SHA256	`b053b590e3aff85ac9393bbe5aa6c89e3dbf8c6632cb75a90f4a65c9b39965ba`
SHA3	`57b58e11d96f4bcb15f6ee87125b968b9a38e6b410e57d2019dc22e9a193be22`

1

Type	`RT_ICON`
Language	UNKNOWN
Codepage	UNKNOWN
Size	`0x8a8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.6342`
MD5	`f1487e7c8e5e72607fe2407022224a8c`
SHA1	`94d8f8896b976055cb264d9d62576fa6958bd97d`
SHA256	`7b26dcb318b9db39137f193e21031e8ebfe92a8c3fa99d2f8661a5d5aab4099d`
SHA3	`df791fe1078923870e4c5c118427a57ba91ee996cb553bccdad7d6f1a5892455`

2

Type	`RT_ICON`
Language	UNKNOWN
Codepage	UNKNOWN
Size	`0x6c8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`6.0147`
MD5	`aebac83c2da844567b4ae87908780585`
SHA1	`cb8aba19d754a7a05f3972c739d866277a5cbf09`
SHA256	`829dc3f56ec34c3189573737647b3a029b3ac4e8c4c4f38f65c49b83be7e4e77`
SHA3	`1f4c3d37ede20fc26cf6f9e888d11a01b1d31d010ffe9a4f2e73d9c200d1a15b`

3

Type	`RT_ICON`
Language	UNKNOWN
Codepage	UNKNOWN
Size	`0x10a8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.07284`
MD5	`fffa371e56026433bb39ed74ea6b82e5`
SHA1	`54cb8c05e5c3fa0696761ac59001aa973ec27062`
SHA256	`0ee55ed5fed060d404d0ac4207dde49120e46d11fa3105c570665708a48ad83b`
SHA3	`b2b2d53a29eb02f921335d4b9f6d85483fedcf26610aa3119c67f235c71cf691`

16

Type	`RT_STRING`
Language	UNKNOWN
Codepage	UNKNOWN
Size	`0x1fe`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.15779`
MD5	`23fce281fa2748e4140a5d6a0dbc291f`
SHA1	`24f573289548d9ce45f8f21626395b90fa1d74aa`
SHA256	`4bed01fbf3a4a178eb3327365d8d24387b7debb9070cfc82cda216828b886322`
SHA3	`6f10988161a9c7f28bfc421877caf12f9cf0008420485257765753170a996ada`

217

Type	`RT_ACCELERATOR`
Language	UNKNOWN
Codepage	UNKNOWN
Size	`0x70`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.19282`
MD5	`ce7a69d7796026fc3d39c6fc285f0a87`
SHA1	`9d6abefb908dfa082214e22ed354a582af58a8be`
SHA256	`a839415d9fe17bedd4069ad00cfb207ba5ba5fef13b8cf8c41014cd37206c4ba`
SHA3	`f00e1999a043696ca3f3778d88c05b4587bd9756cd1d20968f530f94008943f5`

960

Type	`RT_ACCELERATOR`
Language	UNKNOWN
Codepage	UNKNOWN
Size	`0x18`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.62581`
MD5	`9df2d6f763379e954465123be9904b9a`
SHA1	`da3a340a0815b6a16d8bb225a0efaba8c87ee15b`
SHA256	`90bf581bebbe28f4d31dcd9fe449bf840772e0ea5cdebe27b9bfecf06f6ebd52`
SHA3	`8a91b9058af91de2e8b33bb9961598bf40669454ad15a3b3f403a446ae160869`

126

Type	`RT_GROUP_ICON`
Language	UNKNOWN
Codepage	UNKNOWN
Size	`0x30`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.45849`
Detected Filetype	Icon file
MD5	`5c633e48288ebb93c1284ca8588c1aeb`
SHA1	`f920a2e3a39d8010353e6d8ef18f29205a0eaf53`
SHA256	`14290527167110848231ed93f633d2d0a00b9736cca663894f61cfbbaaca7bd0`
SHA3	`a6bda3b127c8b7fcd293ffef7fb99e50dd55515592ad2ff28afa33eae0a1cac1`

String Table contents

Ricozigipa xuxavo hubiyikehacixu hogicu pa pure nikuvi
Kayuse
Zuwapajaji xopuyasuyiyigi fadunoxawiza kepicu newahavitaxoya boriwiwoja ribukexe
Tuhajixizu
Cogazehewozayi wuji muzelalomafe kilasolu
Miwuxedo boxaxila te voce ba julijiyocupibo zeyi

Version Info

TLS Callbacks

Load Configuration

RICH Header

XOR Key	`0x63ea5b13`
Unmarked objects	`0`
ASM objects (VS2008 build 21022)	`17`
C objects (VS2008 build 21022)	`98`
C++ objects (VS2008 build 21022)	`38`
Imports (VS2012 build 50727 / VS2005 build 50727)	`5`
Total imports	`102`
138 (VS2008 build 21022)	`1`
Exports (VS2008 build 21022)	`1`
Linker (VS2008 build 21022)	`1`
Resource objects (VS2008 build 21022)	`1`

e82686fa553545a9b3ffc1225f0bc5fa

Summary

Plugin Output

Hashes

DOS Header

PE Header

Image Optional Header

.text

.rdata

.data

.ruf

.rsrc

.reloc

Imports

Delayed Imports

MyFunc165

118

842

1

2

3

16

217

960

126

String Table contents

Version Info

TLS Callbacks

Load Configuration

RICH Header

Errors