nefilim | ea6ced3730495e2231c1a755fcc1aefac7622ac4bd5e269b2a5996572acb42f9

Sharing

Copy URL

Twitter E-mail

General

Target

ea6ced3730495e2231c1a755fcc1aefac7622ac4bd5e269b2a5996572acb42f9
Size

79KB
MD5

780a4c89ba8e4af56e557b7faf73b42b
SHA1

d255716d5e2a6ce57ec07f13de38d2000dd3bb8d
SHA256

ea6ced3730495e2231c1a755fcc1aefac7622ac4bd5e269b2a5996572acb42f9
SHA512

37b66f2ba70cf1dd785fe21f49627e208c2c3d1f92bfc5b39882099109fbcb6822366d4a876062a8b66c0b4a9b9098333fc3b21792786be1f3ee2346a6e82800
SSDEEP

768:PXKTJbrfwy8pnq7y2YzxYYP1d5ptDxyvhg6zkkhvkxEDZHKnv04Z4lvH+M+vTxQ:P0J3z8pnqIteZkhvslvUotY

Score

10^/10

upx nefilim

Malware Config

Signatures

Nefilim Ransomware Executable 1 IoCs
File contains patterns typical of Nefilim samples.

Processes:

resource yara_rule

sample nefilim_ransomware
Nefilim family
nefilim
UPX packed file 1 IoCs
Detects executables packed with UPX/modified UPX open source packer.
upx

Processes:

resource yara_rule

sample upx

resource	yara_rule
sample	nefilim_ransomware

resource	yara_rule
sample	upx

Files

ea6ced3730495e2231c1a755fcc1aefac7622ac4bd5e269b2a5996572acb42f9
.exe windows x86

5d263e2fae768bf9e065c1809198cfd5

Code Sign

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

advapi32

CryptDecrypt
CryptCreateHash
CryptDeriveKey
CryptDestroyKey
CryptEncrypt
CryptImportKey
CryptAcquireContextA
CryptReleaseContext
CryptHashData

kernel32

GetTickCount
GetProcessHeap
WriteFile
Sleep
ReadFile
CreateFileW
GetFileSizeEx
GetStdHandle
GetLastError
SetLastError
GetProcAddress
MoveFileW
GetLogicalDrives
LoadLibraryA
lstrcmpiW
FindNextFileW
CloseHandle
CreateThread
ExitProcess
GetModuleFileNameW
WideCharToMultiByte
ExitThread
MultiByteToWideChar
CreateMutexA
WaitForSingleObject
HeapFree
SetFilePointerEx
GetCurrentProcess
HeapAlloc
GetDriveTypeW
lstrlenA
FindFirstFileW
FindClose
GetSystemDefaultLangID
GetStringTypeW
LCMapStringW
IsValidCodePage
GetSystemTimeAsFileTime
EncodePointer
DecodePointer
GetCommandLineA
HeapSetInformation
RaiseException
TerminateProcess
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
IsProcessorFeaturePresent
HeapSize
GetModuleHandleW
GetModuleFileNameA
FreeEnvironmentStringsW
GetEnvironmentStringsW
SetHandleCount
InitializeCriticalSectionAndSpinCount
GetFileType
GetStartupInfoW
DeleteCriticalSection
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
InterlockedIncrement
GetCurrentThreadId
InterlockedDecrement
HeapCreate
QueryPerformanceCounter
GetCurrentProcessId
LeaveCriticalSection
EnterCriticalSection
RtlUnwind
HeapReAlloc
LoadLibraryW
GetCPInfo
GetACP
GetOEMCP

shell32

ShellExecuteW

shlwapi

PathFindExtensionW
PathIsDirectoryW

Sections

UPX0
Size: 48KB - Virtual size: 48KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

UPX1
Size: 27KB - Virtual size: 28KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

UPX2
Size: 512B - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.SCY
Size: 2KB - Virtual size: 4KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

Sharing

General

Malware Config

Signatures

Files

5d263e2fae768bf9e065c1809198cfd5

Code Sign

Headers

DLL Characteristics

File Characteristics

Imports

advapi32

kernel32

shell32

shlwapi

Sections

UPX0 Size: 48KB - Virtual size: 48KB

UPX1 Size: 27KB - Virtual size: 28KB

UPX2 Size: 512B - Virtual size: 4KB

.SCY Size: 2KB - Virtual size: 4KB

UPX0
Size: 48KB - Virtual size: 48KB

UPX1
Size: 27KB - Virtual size: 28KB

UPX2
Size: 512B - Virtual size: 4KB

.SCY
Size: 2KB - Virtual size: 4KB