Ransomware[.]Cerber (2)[.]zip

Resubmissions

14-05-2023 19:15

230514-xydc6sdc98 10

Sharing

Copy URL

Twitter E-mail

General

Target

Ransomware.Cerber (2).zip
Size

1.6MB
MD5

5e321d806b5c4e59ca70d27a29048014
SHA1

552fa6fbfdd55c11a18ea6a81fb92169e859a49c
SHA256

ea46a1fb5b5896dfe1f49d26ca9946d7fd76d525da791dee481694912f02d257
SHA512

1b05f4e8da82ee834f9c8982dc989d6c861622253e1894d0dc57c7dfae4c120d7a70ac581bc4af4aec36b2a7b0492b4805144bed023036f4818a2225c110c04e
SSDEEP

49152:Zm0woyiNyrSV0Bw7eQxwkbD08b2RVYT2lO:Z5wotNkSV0fQFZ2RVYP

Score

3^/10

Malware Config

Signatures

Unsigned PE 6 IoCs

Checks for missing Authenticode signature.

resource
unpack002/cerber.exe
unpack004/Locky
unpack006/26b4699a7b9eeb16e76305d843d4ab05e94d43f3201436927e13b3ebafa90739.bin
unpack006/4c1dc737915d76b7ce579abddaba74ead6fdb5b519a1ea45308b8c49b950655c.bin
unpack009/683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96.bin
unpack009/unpacked.mem

Files

Ransomware.Cerber (2).zip
.zip

Password: infected
Ransomware.Cerber.zip
.zip

Password: infected
cerber.exe
.exe windows x86

Password: infected

9d6ed8d049bc10bc45b1995cb6f7f4b6

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

GetExitCodeProcess
GetFileAttributesExW
GetFileAttributesW
GetFileSize
GetFileType
GetFullPathNameW
GetLastError
GetLocalTime
GetLocaleInfoW
GetModuleFileNameA
GetModuleFileNameW
GetModuleHandleA
GetModuleHandleW
GetPrivateProfileStringW
GetProcAddress
GetProcessHeap
GetStartupInfoA
GetStdHandle
GetSystemTime
GetSystemTimeAsFileTime
GetTempFileNameW
GetTempPathW
GetThreadLocale
GetTickCount
GetTimeFormatW
GetUserDefaultLCID
GetVersion
GetVersionExA
GetVolumeInformationW
GetWindowsDirectoryW
Heap32ListFirst
HeapAlloc
HeapFree
HeapReAlloc
HeapSize
InitializeCriticalSection
InterlockedDecrement
InterlockedIncrement
IsSystemResumeAutomatic
LeaveCriticalSection
LoadLibraryA
LoadLibraryW
LocalFree
MoveFileExA
MoveFileExW
MoveFileW
MultiByteToWideChar
GetEnvironmentVariableW
QueryPerformanceCounter
QueueUserAPC
RaiseException
ReadConsoleW
ReadFile
ReadProcessMemory
RemoveDirectoryW
ScrollConsoleScreenBufferW
SearchPathW
SetConsoleCtrlHandler
SetConsoleCursorPosition
SetConsoleMode
SetConsoleTextAttribute
SetConsoleTitleW
SetCurrentDirectoryW
SetEnvironmentVariableW
SetErrorMode
SetFileAttributesW
SetFilePointer
SetFileTime
SetLastError
SetLocalTime
SetSystemTime
SetThreadLocale
SetUnhandledExceptionFilter
SetVolumeLabelA
SleepEx
SwitchToThread
SystemTimeToFileTime
TerminateProcess
TransmitCommChar
UnhandledExceptionFilter
VirtualAlloc
VirtualFree
VirtualFreeEx
VirtualQuery
WaitForSingleObject
WideCharToMultiByte
WriteConsoleW
WriteFile
WritePrivateProfileSectionA
_hwrite
lstrcmpW
lstrcmpiW
lstrcpyW
lstrlenW
GetEnvironmentStringsW
GetDriveTypeW
GetDiskFreeSpaceExW
GetDateFormatW
GetCurrentThreadId
GetCurrentThread
GetCurrentProcessId
GetCurrentProcess
GetCurrentDirectoryW
GetConsoleTitleW
GetConsoleScreenBufferInfo
GetConsoleOutputCP
GetConsoleMode
GetCompressedFileSizeW
GetCommandLineW
GetCPInfo
GetBinaryTypeW
GetBinaryType
FreeLibrary
FormatMessageW
FlushFileBuffers
FlushConsoleInputBuffer
FindNextFileW
FindNextFileA
FindFirstFileW
FindFirstFileA
FindClose
FillConsoleOutputCharacterW
FillConsoleOutputAttribute
FileTimeToSystemTime
FileTimeToLocalFileTime
ExpandEnvironmentStringsW
EraseTape
EnterCriticalSection
DuplicateHandle
DeleteFileW
DeleteFileA
CreateThread
CreateProcessW
CreateFileW
CreateFileA
CreateDirectoryW
CopyFileW
CopyFileA
ConvertDefaultLocale
CompareFileTime
CloseHandle
OpenProcess
AddAtomW

user32

DefWindowProcW
DrawFocusRect
CreateWindowStationA
CreateMenu
FillRect
FindWindowW
GetMenuCheckMarkDimensions
GetProcessWindowStation
GetSysColorBrush
GetThreadDesktop
GetUpdateRgn
GetUserObjectInformationW
InflateRect
InsertMenuItemW
IsIconic
LockWindowUpdate
MessageBeep
MessageBoxW
MonitorFromWindow
OffsetRect
PostMessageW
RealGetWindowClass
SendMessageW
SetUserObjectInformationW
ShowWindow
ToUnicode
WinHelpA
LoadCursorW
GetKBCodePage
DefMDIChildProcW
CloseWindowStation

gdi32

StartPage
SetMiterLimit
SetMapperFlags
SetBitmapBits
PtVisible
OffsetClipRgn
GetViewportOrgEx
GetTextFaceW
AddFontMemResourceEx
AnimatePalette
Arc
BRUSHOBJ_pvAllocRbrush
ColorMatchToTarget
CopyEnhMetaFileA
CreatePatternBrush
DescribePixelFormat
EngFreeModule
EngTextOut
EnumFontsW
FillRgn
GdiGetPageCount
GetGlyphOutlineW
GetMiterLimit
GetOutlineTextMetricsA

advapi32

RegOpenKeyW
SaferRecordEventLogEntry
SaferIdentifyLevel
SaferComputeTokenFromLevel
SaferCloseLevel
RevertToSelf
RegSetValueW
RegSetValueExW
RegQueryValueW
RegQueryValueExW
CreateProcessAsUserW
RegOpenKeyExW
RegEnumKeyW
RegDeleteKeyW
RegCreateKeyExW
RegCloseKey
LookupAccountSidW
ImpersonateLoggedOnUser
GetSecurityDescriptorOwner
GetFileSecurityW
FreeSid

shell32

ShellExecuteExW
ShellExecuteA
ShellAboutA
SHIsFileAvailableOffline
SHGetSettings
CheckEscapesW
DragQueryFile
DragQueryFileAorW
ExtractIconExW
SHAppBarMessage
SHBrowseForFolderA
SHChangeNotify
SHCreateProcessAsUserW
SHEmptyRecycleBinA
SHFileOperationA
SHGetDataFromIDListA
SHGetDiskFreeSpaceA
SHGetMalloc
WOWShellExecute

shlwapi

StrCmpNW
StrStrIA
StrStrIW
StrCmpNA
StrChrIA

comctl32

ImageList_Create

msvcrt

_XcptFilter
__getmainargs
__initenv
__p__commode
__p__fmode
__set_app_type
__setusermatherr
_adjust_fdiv
_c_exit
_cexit
_close
_controlfp
_dup
_dup2
_errno
_except_handler3
_exit
_get_osfhandle
_getch
_initterm
_iob
_open_osfhandle
_pclose
_pipe
_seh_longjmp_unwind
_setjmp3
_setmode
_snwprintf
_tell
_ultoa
_vsnwprintf
_wcsicmp
_wcslwr
_wcsnicmp
_wcsupr
_wpopen
_wtol
calloc
exit
fflush
fgets
fprintf
free
iswalpha
iswdigit
iswspace
iswxdigit
longjmp
malloc
memmove
printf
qsort
rand
realloc
setlocale
srand
swprintf
swscanf
time
towlower
towupper
wcscat
wcschr
wcscmp
wcscpy
wcslen
wcsncmp
wcsncpy
wcsrchr
wcsspn
wcsstr
wcstol
wcstoul

Sections

.text
Size: 315KB - Virtual size: 315KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 234KB - Virtual size: 234KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 49KB - Virtual size: 48KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Ransomware.Locky (1).zip
.zip

Password: infected
Locky
.exe windows x86

Password: infected

0fcea3af550ad0a893e93808dccf17f4

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

advapi32

GetSecurityDescriptorDacl
RegisterEventSourceA
RegQueryInfoKeyA
GetSidSubAuthorityCount
RegSetValueExA
RegDeleteKeyA
GetKernelObjectSecurity
RegCloseKey
RegQueryValueA
RegLoadKeyA
GetSidSubAuthority
RegConnectRegistryA
LookupPrivilegeValueA
InitiateSystemShutdownA
CreateProcessAsUserA
GetSidIdentifierAuthority
OpenThreadToken
LsaQueryInformationPolicy
RegQueryValueW
EncryptFileW
RegSetValueW
MakeAbsoluteSD
RegOpenKeyExA
RegCreateKeyExW
AddAce
SetNamedSecurityInfoW
OpenEventLogW
GetUserNameW
SetSecurityDescriptorSacl
MakeSelfRelativeSD
RegFlushKey
InitializeSecurityDescriptor
InitializeAcl
SetEntriesInAclA
GetSidLengthRequired
RegSetValueA
SetEntriesInAclW
GetAclInformation

user32

DrawIconEx
IsDialogMessageA
OffsetRect
PostThreadMessageW
DialogBoxParamA
GetLastActivePopup
GetGUIThreadInfo
DrawStateA
IsWindow
OpenClipboard
InSendMessage
FindWindowW
IsMenu
EnumDisplaySettingsA
DrawAnimatedRects
FrameRect
SetMenuDefaultItem
GrayStringW
CreateDialogIndirectParamW
ClientToScreen
GetParent
TranslateMDISysAccel
CreateDesktopW
ShowCaret
GetProcessWindowStation
TrackPopupMenu
IntersectRect
DialogBoxIndirectParamA
DefWindowProcA
ReuseDDElParam
NotifyWinEvent
SetClipboardData
CloseClipboard
DdeDisconnect
GetClassNameA
GetCaretPos
CharLowerW
GetWindowModuleFileNameA
IsWindowVisible
wvsprintfA
ModifyMenuA
SendDlgItemMessageW
SetCaretBlinkTime
LoadMenuW
GetMenuState
DrawTextExA
ChangeDisplaySettingsW
CreateWindowExW
GetCapture
CreatePopupMenu
SetMenu
CharUpperBuffW
DrawStateW
LoadImageA
GetScrollPos
GetDlgItem
GetClipboardFormatNameW
ValidateRgn
GetWindowThreadProcessId
GetClassInfoExW
DdeAccessData
ShowWindow
GetKeyboardLayout
GetClassInfoW
SetCaretPos
LoadCursorA
FillRect
LoadMenuA
mouse_event
ModifyMenuW
InvalidateRgn
GetMenuItemID
IsIconic
OemToCharA
LoadCursorFromFileW
RegisterWindowMessageA
DispatchMessageW
GetCursorPos
CharPrevA
GetWindowWord

imm32

ImmGetProperty
ImmGetCandidateListCountA
ImmGetCompositionStringA
ImmSetConversionStatus
ImmSetOpenStatus
ImmCreateContext
ImmGetOpenStatus
ImmNotifyIME
ImmInstallIMEA
ImmGetContext
ImmDestroyContext
ImmSimulateHotKey
ImmConfigureIMEA
ImmAssociateContext

rasapi32

RasDialA
RasGetProjectionInfoA

kernel32

WriteFileGather
PulseEvent
GetLongPathNameA

Sections

.text
Size: 48KB - Virtual size: 44KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 8KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 16KB - Virtual size: 3.7MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 104KB - Virtual size: 100KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Ransomware.Petya.zip
.zip

Password: infected
26b4699a7b9eeb16e76305d843d4ab05e94d43f3201436927e13b3ebafa90739.bin
.exe windows x86

Password: infected

1a63922d5931d1bb8ca5188313f78eaa

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

GetCurrentThreadId
GetStdHandle
GetFileType
GetStartupInfoW
GetModuleFileNameW
WriteFile
QueryPerformanceCounter
GetCurrentProcessId
GetSystemTimeAsFileTime
GetEnvironmentStringsW
FreeEnvironmentStringsW
UnhandledExceptionFilter
SetUnhandledExceptionFilter
CreateEventW
Sleep
GetCurrentProcess
TerminateProcess
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
GetTickCount
CreateSemaphoreW
FreeLibrary
LoadLibraryExW
IsValidCodePage
GetACP
GetOEMCP
GetCPInfo
RtlUnwind
LCMapStringW
GetStringTypeW
FlushFileBuffers
GetConsoleCP
GetConsoleMode
SetStdHandle
SetFilePointerEx
WriteConsoleW
CloseHandle
CreateFileW
SizeofResource
LockResource
LoadResource
FindResourceW
FindResourceExW
LocalFree
CreateDirectoryW
DeleteFileW
GetCurrentThread
WaitForMultipleObjects
LoadLibraryW
WaitForSingleObject
GetExitCodeProcess
DuplicateHandle
ReleaseMutex
GetEnvironmentVariableW
lstrcmpiW
VirtualQuery
GetTempPathW
GetLocalTime
OutputDebugStringA
GetPrivateProfileIntW
GetPrivateProfileStringW
lstrcmpW
lstrlenW
SetFilePointer
CreateMutexW
InitializeCriticalSection
TryEnterCriticalSection
SetEvent
ResetEvent
GetFileAttributesExW
SetLastError
VerifyVersionInfoW
VerSetConditionMask
MoveFileExW
GetFileTime
ReadFile
DeviceIoControl
SetProcessWorkingSetSize
OpenProcess
CreateProcessW
ReadProcessMemory
lstrcpynW
GlobalAlloc
GlobalLock
GlobalUnlock
GlobalFree
CreateThread
DebugActiveProcess
GetThreadContext
DebugActiveProcessStop
VirtualQueryEx
GetProcessId
GetSystemInfo
ContinueDebugEvent
WaitForDebugEvent
WideCharToMultiByte
MultiByteToWideChar
GetModuleHandleExW
ExitProcess
IsProcessorFeaturePresent
GetCommandLineW
EncodePointer
LeaveCriticalSection
WaitNamedPipeW
TransactNamedPipe
SetNamedPipeHandleState
RtlCaptureContext
ReleaseSemaphore
EnterCriticalSection
OutputDebugStringW
DeleteCriticalSection
DecodePointer
HeapSize
GetProcAddress
GetLastError
RaiseException
HeapDestroy
InitializeCriticalSectionAndSpinCount
GetProcessHeap
GetModuleHandleW
HeapFree
IsDebuggerPresent
GetUserDefaultLangID
GetSystemDefaultLangID
GetComputerNameExW
GetOverlappedResult
ConnectNamedPipe
CreateNamedPipeW
DisconnectNamedPipe
UnregisterWait
GetProcessTimes
UnregisterWaitEx
RegisterWaitForSingleObject
VirtualProtect
VirtualAlloc
HeapAlloc
RemoveDirectoryW
HeapReAlloc

user32

SetClipboardData
EmptyClipboard
OpenClipboard
GetProcessWindowStation
CloseDesktop
CloseClipboard
CharUpperW
CharLowerW
PostThreadMessageW
DispatchMessageW
GetMessageW
PeekMessageW
EnumWindows
IsWindowVisible
GetWindowThreadProcessId
SetThreadDesktop
CreateWindowStationW
CloseWindowStation
GetThreadDesktop
SetProcessWindowStation
CreateDesktopW
wvsprintfW
wsprintfW
MessageBoxW

advapi32

GetSecurityDescriptorSacl
GetSecurityDescriptorDacl
GetSecurityDescriptorGroup
GetSecurityDescriptorOwner
GetSecurityDescriptorControl
GetLengthSid
CopySid
IsValidSid
GetSidSubAuthority
InitializeSid
GetSidLengthRequired
SetSecurityDescriptorDacl
AddAce
InitializeAcl
GetAclInformation
InitializeSecurityDescriptor
MakeAbsoluteSD
OpenProcessToken
GetTokenInformation
SetSecurityDescriptorOwner
SetSecurityDescriptorGroup
GetAce
MakeSelfRelativeSD
GetSecurityDescriptorLength
EqualSid
SetNamedSecurityInfoW
ConvertStringSidToSidW
OpenThreadToken
RegQueryValueExW
RegOpenKeyExW
RegDeleteKeyW
RegDeleteValueW
RegCloseKey
RegCreateKeyExW
RegSetValueExW
RegEnumKeyExW
RegQueryInfoKeyW
ConvertSidToStringSidW
AllocateAndInitializeSid
CheckTokenMembership
FreeSid
SetSecurityDescriptorSacl
GetTraceLoggerHandle
GetTraceEnableFlags
GetTraceEnableLevel
RegisterTraceGuidsW
UnregisterTraceGuids
TraceEvent
SetTokenInformation

ole32

CoCreateGuid
StringFromGUID2

shell32

SHGetFolderPathW

netapi32

NetApiBufferFree
NetWkstaGetInfo

rpcrt4

UuidCreate

shlwapi

PathRemoveExtensionW
PathRemoveFileSpecW
PathStripPathW
PathCanonicalizeW
PathIsRelativeW
SHQueryValueExW
PathAppendW

userenv

UnloadUserProfile

version

GetFileVersionInfoW
VerQueryValueW
GetFileVersionInfoSizeW

Sections

.text
Size: 156KB - Virtual size: 155KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 48KB - Virtual size: 48KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 6KB - Virtual size: 18KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 9KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
4c1dc737915d76b7ce579abddaba74ead6fdb5b519a1ea45308b8c49b950655c.bin
.exe windows x86

Password: infected

bf084102e13441ce39f8d51d9bf55857

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

ole32

IIDFromString
StringFromGUID2
OleUninitialize
OleInitialize
OleRun
OleSetContainedObject
CoInitializeEx
CoTaskMemAlloc
CoTaskMemFree
CoInitialize
CoTaskMemRealloc
CoUninitialize
CoCreateInstance

shell32

SHGetFolderPathW
FindExecutableA
Shell_NotifyIconA
SHGetFolderPathA
ShellExecuteExA

wininet

InternetTimeFromSystemTime
InternetTimeToSystemTime
InternetCrackUrlA
HttpQueryInfoA
InternetConnectA
InternetReadFile
HttpOpenRequestA
InternetGetConnectedState
InternetErrorDlg
HttpSendRequestA
InternetOpenA
InternetCloseHandle

user32

IsChild
SetFocus
SetRect
GetWindowThreadProcessId
RegisterClassExA
GetFocus
GetAncestor
GetSystemMenu
GetWindowRect
GetParent
GetClientRect
SendMessageA
GetClassInfoExW
GetDC
TranslateMessage
RegisterClassExW
GetWindowLongW
ReleaseDC
EnableMenuItem
SetWindowLongW
GetDesktopWindow
SetWindowPos
CreateWindowExW
AdjustWindowRectEx
LoadCursorA
SetWindowLongA
GetWindowLongA
CreateWindowExA
MessageBoxA
CharNextA
DispatchMessageW
RegisterClassA
LoadImageA
GetSystemMetrics
DispatchMessageA
PostMessageA
AppendMenuA
CreatePopupMenu
ShowWindow
MsgWaitForMultipleObjectsEx
GetCursorPos
DefWindowProcA
IsWindowUnicode
SetWindowTextW
DefWindowProcW
wsprintfA
LoadStringA
DestroyWindow
GetMessageA
GetMessageW
PostQuitMessage
TrackPopupMenu
SetForegroundWindow
PeekMessageA

comctl32

InitCommonControlsEx

version

GetFileVersionInfoA
GetFileVersionInfoSizeA
VerQueryValueW
VerQueryValueA

kernel32

GetStdHandle
WriteConsoleW
GetConsoleMode
GetConsoleCP
GetFileType
GetStartupInfoW
HeapSetInformation
GetSystemTimeAsFileTime
VirtualQuery
GetSystemInfo
GetModuleHandleW
VirtualAlloc
GetModuleFileNameW
HeapAlloc
HeapFree
FileTimeToLocalFileTime
GetDriveTypeW
FindFirstFileExW
SetStdHandle
HeapReAlloc
GetCPInfo
RtlUnwind
LCMapStringW
UnhandledExceptionFilter
SetUnhandledExceptionFilter
ExitThread
CreateDirectoryW
VirtualProtect
GetFullPathNameW
HeapCreate
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
SetLastError
HeapSize
GetLocaleInfoW
SetHandleCount
GetTimeZoneInformation
SetFilePointer
FlushFileBuffers
IsDebuggerPresent
IsProcessorFeaturePresent
GetACP
GetOEMCP
IsValidCodePage
FreeEnvironmentStringsW
GetEnvironmentStringsW
lstrcmpA
GetModuleHandleA
FindResourceA
lstrlenA
GetModuleHandleExA
FreeLibrary
LoadResource
SetEndOfFile
InterlockedDecrement
GetCommandLineA
WideCharToMultiByte
InitializeCriticalSectionAndSpinCount
SizeofResource
SetDllDirectoryA
IsDBCSLeadByte
MultiByteToWideChar
lstrlenW
RaiseException
GetLastError
lstrcmpiA
GetProcAddress
GetModuleFileNameA
LoadLibraryExA
CreateMutexA
DeleteCriticalSection
CloseHandle
WaitForSingleObject
FormatMessageA
GetExitCodeProcess
LocalFree
DeleteFileA
SetEvent
CreateEventA
lstrcatA
ResetEvent
WaitForMultipleObjects
CreateThread
lstrcpyA
lstrcpynA
CreateFileA
WriteFile
Sleep
ReadFile
OpenEventA
GetSystemTime
GetCurrentProcess
GetTickCount
GetCurrentProcessId
GetTempPathA
SystemTimeToFileTime
FileTimeToSystemTime
MulDiv
InterlockedExchange
InterlockedExchangeAdd
LocalAlloc
GetCurrentThreadId
FormatMessageW
GetLocalTime
ExitProcess
GetLocaleInfoA
GetWindowsDirectoryA
OpenProcess
TerminateProcess
GetSystemDirectoryA
FindFirstFileA
FindClose
LoadLibraryA
LockResource
GetNativeSystemInfo
PeekNamedPipe
SetHandleInformation
CreateProcessA
CreateDirectoryA
GetProcessHeap
CreatePipe
GetSystemDefaultUILanguage
GetThreadLocale
GetUserDefaultUILanguage
MoveFileExA
GetFileAttributesA
FindNextFileA
OpenThread
GetExitCodeThread
GetModuleHandleExW
LoadLibraryW
LoadLibraryExW
ReleaseMutex
QueryPerformanceCounter
QueryPerformanceFrequency
CreateFileW
SetFilePointerEx
InitializeCriticalSection
LeaveCriticalSection
EnterCriticalSection
InterlockedCompareExchange
GetStringTypeW
EncodePointer
DecodePointer
GetCurrentDirectoryW
GetFileInformationByHandle
GetUserDefaultLCID
EnumSystemLocalesA
IsValidLocale
CompareStringW
SetEnvironmentVariableA
InterlockedIncrement
RemoveDirectoryA

advapi32

SetSecurityDescriptorDacl
InitializeSecurityDescriptor
RegCloseKey
RegDeleteValueA
RegOpenKeyExA
RegCreateKeyExA
RegEnumKeyExA
RegDeleteKeyA
RegQueryInfoKeyW
RegSetValueExA
CryptGetHashParam
RegQueryInfoKeyA
GetTokenInformation
CopySid
GetWindowsAccountDomainSid
CreateWellKnownSid
ConvertStringSecurityDescriptorToSecurityDescriptorW
ConvertSidToStringSidW
RegQueryValueExA
CryptReleaseContext
CryptAcquireContextA
CryptCreateHash
CryptDestroyHash
CryptHashData
RegEnumKeyA
OpenProcessToken

oleaut32

SysFreeString
VarUI4FromStr
VariantClear
SysAllocString
VariantCopy
VariantInit
VariantChangeType
GetErrorInfo
SysStringByteLen

shlwapi

ord12

gdi32

GetStockObject
GetDeviceCaps

wintrust

WinVerifyTrust

crypt32

CryptMsgClose
CryptQueryObject
CertGetNameStringW
CertFindCertificateInStore
CertCloseStore
CryptMsgGetParam
CryptStringToBinaryA
CryptBinaryToStringA
CryptProtectData
CryptUnprotectData

msi

ord141
ord168
ord160
ord158
ord115
ord159
ord117
ord8
ord44
ord204
ord189
ord67
ord31
ord137
ord91

Sections

.text
Size: 447KB - Virtual size: 446KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 138KB - Virtual size: 137KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 15KB - Virtual size: 26KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 146KB - Virtual size: 145KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 40KB - Virtual size: 40KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Ransomware.Satana.zip
.zip

Password: infected
683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96.bin
.exe windows x86

a3bc0305643e7601d6deca72652f4ab5

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_NO_ISOLATION
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_32BIT_MACHINE

Imports

ntdll

vsprintf
memmove
NtYieldExecution
strchr
strncpy
_stricmp
memset

kernel32

GetLocalTime
OutputDebugStringA

user32

MessageBoxA

opengl32

glEnd
glEnable
glLineWidth
glPolygonMode
glColor3d
glBegin
glDisable
glClear
glPointSize
glLineStipple
glVertex3d

Sections

.text
Size: 8KB - Virtual size: 12KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 38KB - Virtual size: 40KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1024B - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 1024B - Virtual size: 930B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
unpacked.mem
.exe windows x86

d99e35e9d4559cb6df0e1eb507b928cc

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_32BIT_MACHINE

Imports

ntdll

RtlGetNtVersionNumbers
strrchr
wcsncmp
wcstombs
_vsnwprintf
wcsstr
wcsrchr
NtQueryInformationProcess
RtlGetCurrentPeb
NtYieldExecution
vsprintf
mbstowcs
sprintf
_stricmp
_chkstk
memset
memcpy
_allrem
RtlUnwind

msvcrt

??3@YAXPAX@Z
free
??2@YAPAXI@Z
malloc

kernel32

GetTempPathW
SwitchToThread
ExpandEnvironmentStringsW
CreateThread
DeleteFileA
SetFileAttributesW
ResumeThread
WriteProcessMemory
LocalFree
DeleteFileW
GetWindowsDirectoryW
CloseHandle
GetFullPathNameW
ExitProcess
GetCommandLineW
GetComputerNameA
CreateFileA
GetFileSize
SetPriorityClass
FindFirstFileW
SetFilePointer
GetLocaleInfoA
MapViewOfFile
UnmapViewOfFile
GetDriveTypeW
FreeLibrary
HeapAlloc
SetUnhandledExceptionFilter
InterlockedIncrement
MoveFileExW
InterlockedDecrement
GetCurrentProcess
GetLogicalDriveStringsW
HeapFree
WaitForSingleObject
GetSystemDefaultLCID
OutputDebugStringW
GetTickCount
GetProcessHeap
FormatMessageA
WriteFile
InitializeCriticalSection
GetSystemDirectoryW
Sleep
CopyFileW
LeaveCriticalSection
HeapCreate
CreateProcessA
ReadFile
CreateFileW
SetThreadPriority
FlushFileBuffers
OutputDebugStringA
GetFileSizeEx
GetLastError
GetProcAddress
QueueUserAPC
MoveFileW
EnterCriticalSection
VirtualAllocEx
FindClose
GetLocalTime
LoadLibraryA
CreateFileMappingA
LocalAlloc
DeviceIoControl
WaitForMultipleObjects
GetModuleFileNameA
GetModuleHandleA
FindNextFileW
GetShortPathNameW

mpr

WNetOpenEnumW
WNetEnumResourceW
WNetCloseEnum

ws2_32

WSAStartup
connect
send
gethostbyname
closesocket
socket
htons

user32

MessageBoxA
wsprintfW

advapi32

GetUserNameA
RegSetValueExW
RegCloseKey
GetCurrentHwProfileW
RegSetValueExA
RegOpenKeyExA
RegCreateKeyExA
RegQueryValueExA

shell32

CommandLineToArgvW

Sections

.text
Size: 22KB - Virtual size: 21KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 8KB - Virtual size: 70KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.tls
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Ransomware.TeslaCrypt.zip
.zip
Ransomware.XData.zip
.zip

Resubmissions

Sharing

General

Malware Config

Signatures

Files

Password: infected

Password: infected

Password: infected

9d6ed8d049bc10bc45b1995cb6f7f4b6

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

user32

gdi32

advapi32

shell32

shlwapi

comctl32

msvcrt

Sections

.text Size: 315KB - Virtual size: 315KB

.rdata Size: 234KB - Virtual size: 234KB

.data Size: 4KB - Virtual size: 4KB

.rsrc Size: 49KB - Virtual size: 48KB

Password: infected

Password: infected

0fcea3af550ad0a893e93808dccf17f4

Headers

File Characteristics

Imports

advapi32

user32

imm32

rasapi32

kernel32

Sections

.text Size: 48KB - Virtual size: 44KB

.rdata Size: 8KB - Virtual size: 4KB

.data Size: 16KB - Virtual size: 3.7MB

.rsrc Size: 104KB - Virtual size: 100KB

Password: infected

Password: infected

1a63922d5931d1bb8ca5188313f78eaa

Headers

File Characteristics

Imports

kernel32

user32

advapi32

ole32

shell32

netapi32

rpcrt4

shlwapi

userenv

version

Sections

.text Size: 156KB - Virtual size: 155KB

.rdata Size: 48KB - Virtual size: 48KB

.data Size: 6KB - Virtual size: 18KB

.rsrc Size: 4KB - Virtual size: 4KB

.reloc Size: 9KB - Virtual size: 8KB

Password: infected

bf084102e13441ce39f8d51d9bf55857

Headers

File Characteristics

Imports

ole32

shell32

wininet

user32

comctl32

version

kernel32

advapi32

oleaut32

shlwapi

.text
Size: 315KB - Virtual size: 315KB

.rdata
Size: 234KB - Virtual size: 234KB

.data
Size: 4KB - Virtual size: 4KB

.rsrc
Size: 49KB - Virtual size: 48KB

.text
Size: 48KB - Virtual size: 44KB

.rdata
Size: 8KB - Virtual size: 4KB

.data
Size: 16KB - Virtual size: 3.7MB

.rsrc
Size: 104KB - Virtual size: 100KB

.text
Size: 156KB - Virtual size: 155KB

.rdata
Size: 48KB - Virtual size: 48KB

.data
Size: 6KB - Virtual size: 18KB

.rsrc
Size: 4KB - Virtual size: 4KB

.reloc
Size: 9KB - Virtual size: 8KB

.text
Size: 447KB - Virtual size: 446KB

.rdata
Size: 138KB - Virtual size: 137KB

.data
Size: 15KB - Virtual size: 26KB

.rsrc
Size: 146KB - Virtual size: 145KB

.reloc
Size: 40KB - Virtual size: 40KB

.text
Size: 8KB - Virtual size: 12KB

.data
Size: 38KB - Virtual size: 40KB

.rsrc
Size: 1024B - Virtual size: 4KB

.reloc
Size: 1024B - Virtual size: 930B

.text
Size: 22KB - Virtual size: 21KB

.data
Size: 8KB - Virtual size: 70KB

.tls
Size: 512B - Virtual size: 12B

.reloc
Size: 2KB - Virtual size: 2KB