Summary

| Category | Message | Detail |
| --- | --- | --- |
| Architecture | IMAGE_FILE_MACHINE_I386 | |
| Subsystem | IMAGE_SUBSYSTEM_WINDOWS_GUI | |
| Compilation Date | 2018-Aug-04 04:57:19 | |
| Info | Matching compiler(s): | Microsoft Visual C++ 6.0 - 8.0 |
| Suspicious | The PE is possibly packed. | Unusual section name found: .ruf |
| Malicious | The PE contains functions mostly used by malware. | [!] The program may be hiding some of its imports: |
| Malicious | VirusTotal score: 54/66 (Scanned on 2019-06-15 10:22:20) | Per-engine detections listed below |

VirusTotal detections (54/66)

| Engine | Detection |
| --- | --- |
| MicroWorld-eScan | Trojan.GenericKD.32024741 |
| CAT-QuickHeal | Trojan.Fuerboos |
| McAfee | GCrab-FOC!E82686FA5535 |
| Cylance | Unsafe |
| K7AntiVirus | Trojan ( 0054f2d61 ) |
| Alibaba | Trojan:Win32/DelShad.cd9484d9 |
| K7GW | Trojan ( 0054f2d61 ) |
| Cybereason | malicious.a55354 |
| Symantec | Downloader |
| ESET-NOD32 | a variant of Win32/Kryptik.GTOE |
| APEX | Malicious |
| Paloalto | generic.ml |
| ClamAV | Win.Trojan.Agent-6993115-0 |
| GData | Win32.Trojan-Ransom.Sodinokibi.A |
| Kaspersky | Trojan.Win32.DelShad.kl |
| BitDefender | Trojan.GenericKD.32024741 |
| NANO-Antivirus | Trojan.Win32.DelShad.fqwsxh |
| ViRobot | Trojan.Win32.Z.Genkryptik.321024.A |
| Avast | Win32:Trojan-gen |
| Tencent | Win32.Trojan.Delshad.Ajbi |
| Endgame | malicious (high confidence) |
| Sophos | Troj/Ransom-FLK |
| Comodo | Malware@#1aevoxp3babq5 |
| F-Secure | Trojan.TR/AD.SodinoRansom.dkaaw |
| DrWeb | Trojan.Encoder.28363 |
| Qihoo-360 | HEUR/QVM10.2.8DE3.Malware.Gen |
| Invincea | heuristic |
| McAfee-GW-Edition | BehavesLike.Win32.MultiPlug.fh |
| FireEye | Generic.mg.e82686fa553545a9 |
| Emsisoft | Trojan.Generic (A) |
| Ikarus | Trojan.Win32.Krypt |
| Cyren | W32/Trojan.OYTL-6660 |
| Webroot | W32.Trojan.Gen |
| Avira | TR/AD.SodinoRansom.dkaaw |
| Antiy-AVL | Trojan/Win32.DelShad |
| Arcabit | Trojan.Generic.D1E8A8A5 |
| AegisLab | Trojan.Win32.DelShad.4!c |
| ZoneAlarm | Trojan.Win32.DelShad.kl |
| Microsoft | Trojan:Win32/Occamy.C |
| AhnLab-V3 | Malware/Win32.RL_Generic.R273958 |
| Acronis | suspicious |
| VBA32 | BScope.Trojan.AET.281105 |
| ALYac | Trojan.Ransom.Sodinokibi |
| MAX | malware (ai score=100) |
| Ad-Aware | Trojan.GenericKD.32024741 |
| Malwarebytes | Trojan.MalPack.GS.Generic |
| Rising | Trojan.Fuerboos!8.EFC8 (TFE:6:UhCF5SP22tR) |
| Yandex | Trojan.DelShad! |
| SentinelOne | DFI - Malicious PE |
| Fortinet | W32/GenKryptik.DJOD!tr |
| AVG | Win32:Trojan-gen |
| Panda | Trj/GdSda.A |
| CrowdStrike | win/malicious_confidence_100% (W) |
| MaxSecure | Trojan.Malware.74359613.susgen |

DOS header (IMAGE_DOS_HEADER)

| Field | Value |
| --- | --- |
| e_magic | MZ |
| e_cblp | 0x90 |
| e_cp | 0x3 |
| e_crlc | 0 |
| e_cparhdr | 0x4 |
| e_minalloc | 0 |
| e_maxalloc | 0xffff |
| e_ss | 0 |
| e_sp | 0xb8 |
| e_csum | 0 |
| e_ip | 0 |
| e_cs | 0 |
| e_ovno | 0 |
| e_oemid | 0 |
| e_oeminfo | 0 |
| e_lfanew | 0xf8 |

File header (IMAGE_FILE_HEADER)

| Field | Value |
| --- | --- |
| Signature | PE |
| Machine | IMAGE_FILE_MACHINE_I386 |
| NumberOfSections | 6 |
| TimeDateStamp | 2018-Aug-04 04:57:19 |
| PointerToSymbolTable | 0 |
| NumberOfSymbols | 0 |
| SizeOfOptionalHeader | 0xe0 |
| Characteristics | IMAGE_FILE_32BIT_MACHINE, IMAGE_FILE_EXECUTABLE_IMAGE |

Optional header (IMAGE_OPTIONAL_HEADER32)

| Field | Value |
| --- | --- |
| Magic | PE32 |
| LinkerVersion | 9.0 |
| SizeOfCode | 0x41e00 |
| SizeOfInitializedData | 0x105600 |
| SizeOfUninitializedData | 0 |
| AddressOfEntryPoint | 0x00006183 (Section: .text) |
| BaseOfCode | 0x1000 |
| BaseOfData | 0x43000 |
| ImageBase | 0x400000 |
| SectionAlignment | 0x1000 |
| FileAlignment | 0x200 |
| OperatingSystemVersion | 5.0 |
| ImageVersion | 0.0 |
| SubsystemVersion | 5.0 |
| Win32VersionValue | 0 |
| SizeOfImage | 0x14c000 |
| SizeOfHeaders | 0x400 |
| Checksum | 0x4e976 |
| Subsystem | IMAGE_SUBSYSTEM_WINDOWS_GUI |
| DllCharacteristics | IMAGE_DLLCHARACTERISTICS_NX_COMPAT, IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE |
| SizeOfStackReserve | 0x100000 |
| SizeOfStackCommit | 0x1000 |
| SizeOfHeapReserve | 0x100000 |
| SizeOfHeapCommit | 0x1000 |
| LoaderFlags | 0 |
| NumberOfRvaAndSizes | 16 |

Imports

| Library | Imported functions |
| --- | --- |
| KERNEL32.dll | GetTickCount, GlobalAlloc, LoadLibraryW, GetBinaryTypeA, lstrlenW, GetStartupInfoA, GetLastError, LockFile, PeekConsoleInputW, MoveFileA, WTSGetActiveConsoleSessionId, VirtualProtect, GetFileAttributesExW, CloseHandle, lstrcpyA, SetHandleInformation, LoadResource, GetProcAddress, lstrcpynA, GetCommandLineA, RaiseException, RtlUnwind, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, HeapAlloc, HeapFree, WriteFile, WideCharToMultiByte, GetConsoleCP, GetConsoleMode, FlushFileBuffers, DeleteCriticalSection, LeaveCriticalSection, FatalAppExitA, EnterCriticalSection, MultiByteToWideChar, ReadFile, GetModuleHandleW, Sleep, ExitProcess, GetStdHandle, GetModuleFileNameA, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, GetEnvironmentStringsW, SetHandleCount, GetFileType, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, InterlockedIncrement, SetLastError, GetCurrentThreadId, InterlockedDecrement, GetCurrentThread, HeapCreate, HeapDestroy, VirtualFree, QueryPerformanceCounter, GetCurrentProcessId, GetSystemTimeAsFileTime, VirtualAlloc, HeapReAlloc, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, SetFilePointer, SetStdHandle, InitializeCriticalSectionAndSpinCount, HeapSize, SetConsoleCtrlHandler, FreeLibrary, InterlockedExchange, LoadLibraryA, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, CreateFileA, GetLocaleInfoW, GetLocaleInfoA, LCMapStringA, LCMapStringW, GetStringTypeA, GetStringTypeW, GetTimeFormatA, GetDateFormatA, GetUserDefaultLCID, EnumSystemLocalesA, IsValidLocale, GetTimeZoneInformation, CompareStringA, CompareStringW, SetEnvironmentVariableA |
| ADVAPI32.dll | LockServiceDatabase, RegRestoreKeyW, AdjustTokenPrivileges |

Exports

| Field | Value |
| --- | --- |
| Ordinal | 1 |
| Address | 0x1460 |
Ricozigipa xuxavo hubiyikehacixu hogicu pa pure nikuvi |
Kayuse |
Zuwapajaji xopuyasuyiyigi fadunoxawiza kepicu newahavitaxoya boriwiwoja ribukexe |
Tuhajixizu |
Cogazehewozayi wuji muzelalomafe kilasolu |
Miwuxedo boxaxila te voce ba julijiyocupibo zeyi |

Rich header

| Field | Value |
| --- | --- |
| XOR Key | 0x63ea5b13 |
| Unmarked objects | 0 |
| ASM objects (VS2008 build 21022) | 17 |
| C objects (VS2008 build 21022) | 98 |
| C++ objects (VS2008 build 21022) | 38 |
| Imports (VS2012 build 50727 / VS2005 build 50727) | 5 |
| Total imports | 102 |
| 138 (VS2008 build 21022) | 1 |
| Exports (VS2008 build 21022) | 1 |
| Linker (VS2008 build 21022) | 1 |
| Resource objects (VS2008 build 21022) | 1 |