C:\Users\NikiTos\documents\visual studio 2015\Projects\Alphabet\Alphabet\obj\Debug\Alphabet.pdb
Overview (overview): 10
Static (static): 10
3da65a0e61...0e.exe (windows7-x64): 10
3da65a0e61...0e.exe (windows10-2004-x64): 10
Ransomware...et.exe (windows7-x64): 8
Ransomware...et.exe (windows10-2004-x64): 8
Ransomware...er.exe (windows7-x64): 1
Ransomware...er.exe (windows10-2004-x64): 1
Ransomware/Cerber.exe (windows7-x64): 10
Ransomware/Cerber.exe (windows10-2004-x64): 10
Ransomware...ks.exe (windows7-x64): 1
Ransomware...ks.exe (windows10-2004-x64): 1
Ransomware...ER.exe (windows7-x64): 10
Ransomware...ER.exe (windows10-2004-x64): 10
Ransomware...er.exe (windows7-x64): 9
Ransomware...er.exe (windows10-2004-x64): 8
Ransomware...ey.exe (windows7-x64): 10
Ransomware...ey.exe (windows10-2004-x64): 10
Ransomware/Locky.exe (windows7-x64): 10
Ransomware/Locky.exe (windows10-2004-x64): 10
Ransomware/Matsnu.exe (windows7-x64): 7
Ransomware/Matsnu.exe (windows10-2004-x64): 3
Ransomware/Rex (ubuntu-18.04-amd64): 9
Ransomware...er.exe (windows7-x64): 1
Ransomware...er.exe (windows10-2004-x64): 1
Ransomware...92.exe (windows7-x64): 9
Ransomware...92.exe (windows10-2004-x64): 9
Ransomware...ll.exe (windows7-x64): 9
Ransomware...ll.exe (windows10-2004-x64): 3
Ransomware/eda2.exe (windows7-x64): 1
Ransomware/eda2.exe (windows10-2004-x64): 1
Ransomware/jigsaw.exe (windows7-x64): 10
Ransomware/jigsaw.exe (windows10-2004-x64): 10
Ransomware/mamba.exe (windows7-x64): 1
Behavioral task
behavioral1
Sample
3da65a0e613fadcff41992bd4f74b7dc1e71f9cb542339679185f79de6503f0e.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
3da65a0e613fadcff41992bd4f74b7dc1e71f9cb542339679185f79de6503f0e.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral3
Sample
Ransomware/Alphabet.exe
Resource
win7-20240221-en
Behavioral task
behavioral4
Sample
Ransomware/Alphabet.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral5
Sample
Ransomware/Atom Payload Builder.exe
Resource
win7-20240221-en
Behavioral task
behavioral6
Sample
Ransomware/Atom Payload Builder.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral7
Sample
Ransomware/Cerber.exe
Resource
win7-20240221-en
Behavioral task
behavioral8
Sample
Ransomware/Cerber.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral9
Sample
Ransomware/EternalRocks.exe
Resource
win7-20240221-en
Behavioral task
behavioral10
Sample
Ransomware/EternalRocks.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral11
Sample
Ransomware/GLOBEIMPOSTER.exe
Resource
win7-20240215-en
Behavioral task
behavioral12
Sample
Ransomware/GLOBEIMPOSTER.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral13
Sample
Ransomware/GhostCrypter.exe
Resource
win7-20240221-en
Behavioral task
behavioral14
Sample
Ransomware/GhostCrypter.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral15
Sample
Ransomware/Golden Eyes - via unikey.exe
Resource
win7-20240221-en
Behavioral task
behavioral16
Sample
Ransomware/Golden Eyes - via unikey.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral17
Sample
Ransomware/Locky.exe
Resource
win7-20240221-en
Behavioral task
behavioral18
Sample
Ransomware/Locky.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral19
Sample
Ransomware/Matsnu.exe
Resource
win7-20240221-en
Behavioral task
behavioral20
Sample
Ransomware/Matsnu.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral21
Sample
Ransomware/Rex
Resource
ubuntu1804-amd64-20240226-en
Behavioral task
behavioral22
Sample
Ransomware/ShellLocker.exe
Resource
win7-20240220-en
Behavioral task
behavioral23
Sample
Ransomware/ShellLocker.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral24
Sample
Ransomware/Unlock92.exe
Resource
win7-20240221-en
Behavioral task
behavioral25
Sample
Ransomware/Unlock92.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral26
Sample
Ransomware/cryptowall.exe
Resource
win7-20240221-en
Behavioral task
behavioral27
Sample
Ransomware/cryptowall.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral28
Sample
Ransomware/eda2.exe
Resource
win7-20240221-en
Behavioral task
behavioral29
Sample
Ransomware/eda2.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral30
Sample
Ransomware/jigsaw.exe
Resource
win7-20240220-en
Behavioral task
behavioral31
Sample
Ransomware/jigsaw.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral32
Sample
Ransomware/mamba.exe
Resource
win7-20240215-en
General
-
Target
Ransomware.zip
-
Size
15.7MB
-
MD5
db5767904e1067a3ab570f60300e10ef
-
SHA1
09be1da25133fbf0527b6034b7626cbcc8fc7c69
-
SHA256
c2bf26d1b3a311be1bec839ca7c26bf2c944fd79333485a271230ec435c318dd
-
SHA512
fee1c72f97302642d5d57c174e871ed3a55e2cb1d71d6d8304bc5676a4e7d770fe66730d8687d32815a44473b1e9030b09c6ba7d54d77adecba53c27385d4f74
-
SSDEEP
393216:OQm4g9/2UsB+tKQTdnhxN/+FIUScHbJAB6o1EljZBh2Hjj6eVu98D9:Rg9/uOTfx4aSbJRoOBh2n/
Malware Config
Signatures
-
Detected Xorist Ransomware 2 IoCs
resource: static1/unpack002/3da65a0e613fadcff41992bd4f74b7dc1e71f9cb542339679185f79de6503f0e.bin, yara_rule: family_xorist
resource: static1/unpack001/Ransomware/xorist.bin, yara_rule: family_xorist
-
Xorist family
-
Unsigned PE 19 IoCs
Checks for missing Authenticode signature.
resource
unpack002/3da65a0e613fadcff41992bd4f74b7dc1e71f9cb542339679185f79de6503f0e.bin
unpack001/Ransomware/Alphabet.bin
unpack001/Ransomware/Atom Payload Builder.exe
unpack001/Ransomware/Cerber
unpack001/Ransomware/EternalRocks
unpack001/Ransomware/GLOBEIMPOSTER
unpack001/Ransomware/GhostCrypter.bin
unpack001/Ransomware/Golden Eyes - via unikey.exe
unpack001/Ransomware/Locky
unpack001/Ransomware/Matsnu.com_
unpack001/Ransomware/ShellLocker.exe
unpack001/Ransomware/Unlock92.bin
unpack001/Ransomware/cryptowall.bin
unpack001/Ransomware/eda2.exe
unpack001/Ransomware/jigsaw
unpack001/Ransomware/mamba.exe
unpack001/Ransomware/petya2.exe
unpack001/Ransomware/wannacrypt.exe
unpack001/Ransomware/xorist.bin
Files
-
Ransomware.zip.zip
-
Ransomware/3da65a0e613fadcff41992bd4f74b7dc1e71f9cb542339679185f79de6503f0e.bin.gz.gz
-
3da65a0e613fadcff41992bd4f74b7dc1e71f9cb542339679185f79de6503f0e.bin.exe windows:4 windows x86 arch:x86
0d5a4c77fb840a628560e02b85835ba4
Headers
File Characteristics
IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
Imports
user32
RegisterClassExA
PeekMessageA
SendMessageA
LoadCursorA
GetSystemMetrics
GetMessageA
GetDlgItemTextA
EndPaint
SystemParametersInfoA
TranslateMessage
UpdateWindow
MessageBoxA
DispatchMessageA
DefWindowProcA
CreateWindowExA
BeginPaint
kernel32
lstrlenA
CloseHandle
CopyFileA
CreateFileA
ExitProcess
FindClose
FindFirstFileA
FindNextFileA
FindResourceA
FreeResource
GetCommandLineA
GetEnvironmentVariableA
GetFileAttributesA
GetFileSize
GetFileTime
GetLogicalDrives
GetModuleFileNameA
GetModuleHandleA
GetProcessHeap
GetTempPathA
GetWindowsDirectoryA
GlobalFree
HeapAlloc
LoadResource
LockResource
MoveFileA
ReadFile
RtlMoveMemory
SetErrorMode
SetFilePointer
SetFileTime
SizeofResource
WriteFile
lstrcatA
lstrcmpA
lstrcmpiA
lstrcpyA
shell32
ShellExecuteA
SHGetSpecialFolderPathA
advapi32
RegCreateKeyExA
CryptCreateHash
CryptDestroyHash
CryptGetHashParam
RegSetValueExA
RegDeleteKeyA
CryptAcquireContextA
RegCloseKey
CryptReleaseContext
CryptHashData
shlwapi
PathFindFileNameA
PathFindExtensionA
PathAddBackslashA
PathMatchSpecA
gdi32
CreateFontIndirectA
comctl32
InitCommonControls
Sections
.text Size: 6KB - Virtual size: 5KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rdata Size: 2KB - Virtual size: 2KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.data Size: 1KB - Virtual size: 14KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.rsrc Size: 61KB - Virtual size: 60KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
-
Ransomware/Alphabet.bin.exe windows:4 windows x86 arch:x86
f34d5f2d4577ed6d9ceec516c1f5a744
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
PDB Paths
Imports
mscoree
_CorExeMain
Sections
.text Size: 165KB - Virtual size: 164KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rsrc Size: 2KB - Virtual size: 1KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.reloc Size: 512B - Virtual size: 12B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
-
Ransomware/Atom Payload Builder.exe.exe windows:4 windows x86 arch:x86
f34d5f2d4577ed6d9ceec516c1f5a744
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
PDB Paths
atom_payload_builder.pdb
Imports
mscoree
_CorExeMain
Sections
.text Size: 493KB - Virtual size: 493KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.sdata Size: 512B - Virtual size: 488B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.rsrc Size: 18KB - Virtual size: 17KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.reloc Size: 512B - Virtual size: 12B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
-
Ransomware/Cerber.exe windows:5 windows x86 arch:x86
fe586131a824714774b47ac27da9e046
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
File Characteristics
IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
Imports
kernel32
CloseHandle
DeleteCriticalSection
EnterCriticalSection
EnumLanguageGroupLocalesA
ExitProcess
FindClose
FindFirstFileA
FindNextFileA
FormatMessageA
FreeEnvironmentStringsA
FreeEnvironmentStringsW
GetACP
GetCPInfo
GetCommMask
GetCommandLineA
GetCurrentProcess
GetCurrentProcessId
GetCurrentThreadId
GetEnvironmentStrings
GetEnvironmentStringsW
GetFileType
GetLastError
WriteFile
WideCharToMultiByte
WaitForSingleObject
VirtualFree
VirtualAlloc
VerifyVersionInfoW
UnhandledExceptionFilter
TlsSetValue
TlsGetValue
TlsFree
TlsAlloc
Thread32Next
TerminateProcess
Sleep
SetUnhandledExceptionFilter
SetLocalTime
SetLastError
SetHandleCount
SetConsoleScreenBufferSize
RtlUnwind
RaiseException
QueryPerformanceCounter
MultiByteToWideChar
LocalFree
LoadLibraryA
LeaveCriticalSection
LCMapStringW
LCMapStringA
IsValidCodePage
IsDebuggerPresent
InterlockedIncrement
InterlockedDecrement
InitializeCriticalSectionAndSpinCount
HeapSize
HeapReAlloc
BeginUpdateResourceA
HeapFree
HeapCreate
HeapAlloc
GetVersionExA
GetTickCount
GetTempPathA
GetSystemTimeAsFileTime
GetStringTypeW
GetStringTypeA
GetStdHandle
GetStartupInfoA
GetProcAddress
GetOEMCP
GetModuleHandleW
GetModuleHandleA
GetModuleFileNameA
GetLocaleInfoA
user32
LoadCursorFromFileA
CloseClipboard
GetLastActivePopup
GetMenuContextHelpId
IsMenu
GetInputState
GetKeyboardLayout
CloseDesktop
IsCharAlphaNumericA
GetWindowDC
PaintDesktop
GetActiveWindow
CharUpperA
IsWindow
GetCaretBlinkTime
GetClipboardSequenceNumber
GetThreadDesktop
CopyIcon
GetCursor
WindowFromDC
LoadCursorFromFileW
GetMenu
GetProcessWindowStation
EndMenu
GetOpenClipboardWindow
GetWindowTextLengthW
IsGUIThread
CharLowerA
GetDialogBaseUnits
IsCharLowerA
ShowCaret
GetKeyState
GetMessageExtraInfo
GetTopWindow
CharNextA
IsCharAlphaA
DestroyIcon
UserHandleGrantAccess
TranslateMessage
TranslateMDISysAccel
ToAscii
SystemParametersInfoW
SetWindowTextW
SetWindowRgn
SetWindowPos
SetWindowLongW
SetTimer
SetScrollInfo
SetMenuContextHelpId
SetForegroundWindow
SetDlgItemTextW
SetClipboardViewer
SendMessageW
SendMessageTimeoutA
SendInput
SendDlgItemMessageW
ReplyMessage
ReleaseDC
ReleaseCapture
RegisterWindowMessageW
CharLowerW
RegisterClassExA
PostThreadMessageW
PostQuitMessage
PostMessageW
OpenIcon
OffsetRect
MonitorFromRect
MessageBoxW
MessageBoxA
LoadStringW
LoadKeyboardLayoutW
LoadImageW
LoadBitmapW
KillTimer
IsWindowVisible
IsWindowEnabled
IsRectEmpty
IsIconic
IsCharUpperW
InflateRect
HiliteMenuItem
GetWindowThreadProcessId
GetWindowTextW
GetWindowRect
GetWindowLongW
GetSystemMetrics
GetSysColorBrush
GetScrollPos
GetMonitorInfoW
GetMessageW
GetMenuItemRect
GetInputDesktop
GetDlgItem
GetDlgCtrlID
GetDesktopWindow
GetDC
GetCursorPos
GetClientRect
GetClassNameW
GetClassLongW
FindWindowW
FillRect
EnumWindows
EnumWindowStationsA
EnumThreadWindows
EnumDisplaySettingsW
EnumDisplayDevicesW
EndDialog
DispatchMessageW
DestroyWindow
DefWindowProcW
CreateWindowExW
CreateMenu
CreateIconIndirect
CreateIconFromResourceEx
CreateIcon
CreateDialogIndirectParamW
IsCharAlphaNumericW
DestroyCursor
VkKeyScanA
VkKeyScanW
CopyRect
CloseWindow
CharNextW
ChangeDisplaySettingsExW
GetQueueStatus
RegisterClipboardFormatA
GetSysColor
CallWindowProcW
ShowWindow
gdi32
CreateMetaFileA
AddFontResourceExW
AngleArc
CloseEnhMetaFile
CopyEnhMetaFileA
CreateColorSpaceW
CreateCompatibleDC
CreateFontA
CreateFontIndirectW
CreateSolidBrush
DeleteObject
EngCreateDeviceSurface
EngCreatePalette
EngDeleteSurface
EngFillPath
EngPaint
EngTextOut
FillRgn
FlattenPath
FloodFill
FontIsLinked
GdiAlphaBlend
GdiConvertBrush
GdiDeleteSpoolFileHandle
GdiEntry8
GdiPlayJournal
GdiPlayPrivatePageEMF
GdiSetBatchLimit
GetCharABCWidthsFloatW
GetCharABCWidthsW
GetCurrentPositionEx
GetDeviceCaps
GetEnhMetaFileW
GetFontData
GetGlyphIndicesA
GetObjectW
GetTextExtentExPointWPri
GetWinMetaFileBits
ModifyWorldTransform
NamedEscape
PathToRegion
PolyDraw
ScaleViewportExtEx
SetDIBColorTable
SetMetaRgn
SetPolyFillMode
SetROP2
SetTextAlign
UpdateColors
GetSystemPaletteUse
CreateMetaFileW
EndDoc
DeleteEnhMetaFile
BeginPath
CreatePatternBrush
GetTextCharacterExtra
CancelDC
GdiGetBatchLimit
GetColorSpace
EndPath
EndPage
SaveDC
SwapBuffers
CloseMetaFile
GetDCPenColor
AbortDoc
GetTextCharset
GdiFlush
FillPath
CloseFigure
GetTextAlign
GetMapMode
GetBkMode
GetStretchBltMode
AbortPath
advapi32
RegOpenKeyExA
CryptAcquireContextW
CryptCreateHash
CryptDestroyHash
CryptGetHashParam
CryptHashData
CryptReleaseContext
RegCloseKey
RegCreateKeyExW
RegDeleteKeyW
RegDeleteValueA
RegOpenKeyW
RegQueryValueExA
RegSetValueExA
RegSetValueExW
RegQueryValueExW
shell32
SHGetFolderPathW
CommandLineToArgvW
ShellExecuteExA
ole32
CoInitialize
CoUninitialize
CoCreateInstance
shlwapi
StrCmpNA
StrStrA
comctl32
ImageList_AddMasked
InitCommonControlsEx
ImageList_Destroy
ImageList_Create
CreateStatusWindowW
msvcrt
_except_handler3
wcslen
wcscpy
wcscmp
_XcptFilter
__dllonexit
__p__commode
__p__fmode
__set_app_type
__setusermatherr
__wgetmainargs
_adjust_fdiv
_c_exit
_cexit
_controlfp
_exit
_initterm
_onexit
_purecall
_snwprintf
_wcmdln
_wcsicmp
_wcsnicmp
exit
wcscat
Sections
.text Size: 337KB - Virtual size: 337KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rdata Size: 9KB - Virtual size: 9KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.data Size: 52KB - Virtual size: 51KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.rsrc Size: 92KB - Virtual size: 92KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
-
Ransomware/EternalRocks.exe windows:4 windows x86 arch:x86
f34d5f2d4577ed6d9ceec516c1f5a744
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
Imports
mscoree
_CorExeMain
Sections
PG!yh Size: 4.5MB - Virtual size: 4.5MB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.text Size: 523KB - Virtual size: 523KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rsrc Size: 1KB - Virtual size: 1KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.reloc Size: 512B - Virtual size: 12B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Size: 512B - Virtual size: 16B
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
-
Ransomware/GLOBEIMPOSTER.exe windows:5 windows x86 arch:x86
a3d2d2f8a5b221bb654fa891b2fcdf88
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
File Characteristics
IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
Imports
kernel32
VirtualProtect
GlobalAlloc
lstrlenA
GetNativeSystemInfo
CreateFileA
InterlockedIncrement
InterlockedDecrement
Sleep
InitializeCriticalSection
DeleteCriticalSection
EnterCriticalSection
LeaveCriticalSection
GetLastError
HeapFree
TerminateProcess
GetCurrentProcess
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
GetCommandLineA
GetStartupInfoA
RtlUnwind
RaiseException
LCMapStringA
WideCharToMultiByte
MultiByteToWideChar
LCMapStringW
GetCPInfo
SetHandleCount
GetStdHandle
GetFileType
HeapAlloc
HeapCreate
VirtualFree
VirtualAlloc
HeapReAlloc
ReadFile
WriteFile
GetConsoleCP
GetConsoleMode
FlushFileBuffers
GetModuleHandleW
GetProcAddress
TlsGetValue
TlsAlloc
TlsSetValue
TlsFree
SetLastError
GetCurrentThreadId
SetFilePointer
CloseHandle
ExitProcess
GetModuleFileNameA
FreeEnvironmentStringsA
GetEnvironmentStrings
FreeEnvironmentStringsW
GetEnvironmentStringsW
QueryPerformanceCounter
GetTickCount
GetCurrentProcessId
GetSystemTimeAsFileTime
HeapSize
GetACP
GetOEMCP
IsValidCodePage
GetUserDefaultLCID
GetLocaleInfoA
EnumSystemLocalesA
IsValidLocale
GetStringTypeA
GetStringTypeW
InitializeCriticalSectionAndSpinCount
WriteConsoleA
GetConsoleOutputCP
WriteConsoleW
SetStdHandle
LoadLibraryA
GetLocaleInfoW
gdi32
SetPixel
StretchDIBits
shell32
FindExecutableA
DragQueryFileW
Sections
.text Size: 73KB - Virtual size: 73KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rdata Size: 16KB - Virtual size: 15KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.data Size: 5KB - Virtual size: 13KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.rsrc Size: 137KB - Virtual size: 136KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
-
Ransomware/GhostCrypter.bin.exe windows:4 windows x86 arch:x86
a1dc8578b35ed9e848cf933267695396
Headers
File Characteristics
IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DEBUG_STRIPPED
Imports
kernel32
DeleteCriticalSection
EnterCriticalSection
FreeLibrary
GetCurrentProcess
GetCurrentProcessId
GetCurrentThreadId
GetLastError
GetModuleHandleA
GetProcAddress
GetStartupInfoA
GetSystemTimeAsFileTime
GetSystemWow64DirectoryW
GetTickCount
GetVersion
InitializeCriticalSection
LeaveCriticalSection
LoadLibraryA
QueryPerformanceCounter
SetUnhandledExceptionFilter
Sleep
TerminateProcess
TlsGetValue
UnhandledExceptionFilter
VerSetConditionMask
VerifyVersionInfoW
VirtualProtect
VirtualQuery
msvcrt
__dllonexit
__getmainargs
__initenv
__lconv_init
__set_app_type
__setusermatherr
_acmdln
_amsg_exit
_cexit
_fmode
_initterm
_iob
_lock
_onexit
calloc
exit
fprintf
fputs
free
isprint
malloc
memset
realloc
signal
sprintf
strncmp
_unlock
abort
vfprintf
wcsstr
Sections
.text Size: 60KB - Virtual size: 60KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.data Size: 11KB - Virtual size: 11KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.rdata Size: 4KB - Virtual size: 3KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.bss Size: - Virtual size: 10KB
IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.idata Size: 2KB - Virtual size: 1KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.CRT Size: 512B - Virtual size: 52B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.tls Size: 512B - Virtual size: 32B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.rsrc Size: 7KB - Virtual size: 6KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
-
Ransomware/Golden Eyes - via unikey.exe.exe windows:1 windows x86 arch:x86
Headers
File Characteristics
IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_BYTES_REVERSED_LO
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_BYTES_REVERSED_HI
Sections
CODE Size: 40KB - Virtual size: 40KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
DATA Size: 1024B - Virtual size: 592B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
BSS Size: - Virtual size: 3KB
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.idata Size: 2KB - Virtual size: 2KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.tls Size: - Virtual size: 8B
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.rdata Size: 512B - Virtual size: 24B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.reloc Size: - Virtual size: 2KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.rsrc Size: 10KB - Virtual size: 10KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
-
Ransomware/Locky.exe windows:4 windows x86 arch:x86
0fcea3af550ad0a893e93808dccf17f4
Headers
File Characteristics
IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
Imports
advapi32
GetSecurityDescriptorDacl
RegisterEventSourceA
RegQueryInfoKeyA
GetSidSubAuthorityCount
RegSetValueExA
RegDeleteKeyA
GetKernelObjectSecurity
RegCloseKey
RegQueryValueA
RegLoadKeyA
GetSidSubAuthority
RegConnectRegistryA
LookupPrivilegeValueA
InitiateSystemShutdownA
CreateProcessAsUserA
GetSidIdentifierAuthority
OpenThreadToken
LsaQueryInformationPolicy
RegQueryValueW
EncryptFileW
RegSetValueW
MakeAbsoluteSD
RegOpenKeyExA
RegCreateKeyExW
AddAce
SetNamedSecurityInfoW
OpenEventLogW
GetUserNameW
SetSecurityDescriptorSacl
MakeSelfRelativeSD
RegFlushKey
InitializeSecurityDescriptor
InitializeAcl
SetEntriesInAclA
GetSidLengthRequired
RegSetValueA
SetEntriesInAclW
GetAclInformation
user32
DrawIconEx
IsDialogMessageA
OffsetRect
PostThreadMessageW
DialogBoxParamA
GetLastActivePopup
GetGUIThreadInfo
DrawStateA
IsWindow
OpenClipboard
InSendMessage
FindWindowW
IsMenu
EnumDisplaySettingsA
DrawAnimatedRects
FrameRect
SetMenuDefaultItem
GrayStringW
CreateDialogIndirectParamW
ClientToScreen
GetParent
TranslateMDISysAccel
CreateDesktopW
ShowCaret
GetProcessWindowStation
TrackPopupMenu
IntersectRect
DialogBoxIndirectParamA
DefWindowProcA
ReuseDDElParam
NotifyWinEvent
SetClipboardData
CloseClipboard
DdeDisconnect
GetClassNameA
GetCaretPos
CharLowerW
GetWindowModuleFileNameA
IsWindowVisible
wvsprintfA
ModifyMenuA
SendDlgItemMessageW
SetCaretBlinkTime
LoadMenuW
GetMenuState
DrawTextExA
ChangeDisplaySettingsW
CreateWindowExW
GetCapture
CreatePopupMenu
SetMenu
CharUpperBuffW
DrawStateW
LoadImageA
GetScrollPos
GetDlgItem
GetClipboardFormatNameW
ValidateRgn
GetWindowThreadProcessId
GetClassInfoExW
DdeAccessData
ShowWindow
GetKeyboardLayout
GetClassInfoW
SetCaretPos
LoadCursorA
FillRect
LoadMenuA
mouse_event
ModifyMenuW
InvalidateRgn
GetMenuItemID
IsIconic
OemToCharA
LoadCursorFromFileW
RegisterWindowMessageA
DispatchMessageW
GetCursorPos
CharPrevA
GetWindowWord
imm32
ImmGetProperty
ImmGetCandidateListCountA
ImmGetCompositionStringA
ImmSetConversionStatus
ImmSetOpenStatus
ImmCreateContext
ImmGetOpenStatus
ImmNotifyIME
ImmInstallIMEA
ImmGetContext
ImmDestroyContext
ImmSimulateHotKey
ImmConfigureIMEA
ImmAssociateContext
rasapi32
RasDialA
RasGetProjectionInfoA
kernel32
WriteFileGather
PulseEvent
GetLongPathNameA
Sections
.text Size: 48KB - Virtual size: 44KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rdata Size: 8KB - Virtual size: 4KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.data Size: 16KB - Virtual size: 3.7MB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.rsrc Size: 104KB - Virtual size: 100KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
-
Ransomware/Matsnu.com_.exe windows:5 windows x86 arch:x86
bd52eaa585e8f1c2fba85e8df7a2e191
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
Imports
advapi32
LookupPrivilegeDisplayNameW
gdi32
AbortPath
AbortDoc
dbghelp
SymLoadModule64
FindFileInSearchPath
SymGetLineFromAddr64
SymGetSymFromAddr64
clusapi
FailClusterResource
GetClusterFromNetwork
ClusterRegEnumKey
ClusterGroupGetEnumCount
RestoreClusterDatabase
GetClusterNodeId
ClusterRegDeleteValue
CloseClusterResource
ClusterOpenEnum
kernel32
HeapSize
GetLastError
MoveFileA
GetCommandLineA
HeapSetInformation
GetStartupInfoW
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
EncodePointer
DecodePointer
TerminateProcess
GetCurrentProcess
HeapFree
GetFileAttributesA
EnterCriticalSection
LeaveCriticalSection
SetStdHandle
InitializeCriticalSectionAndSpinCount
GetFileType
WriteFile
WideCharToMultiByte
GetConsoleCP
GetConsoleMode
SetHandleCount
GetStdHandle
DeleteCriticalSection
GetProcAddress
GetModuleHandleW
ExitProcess
GetModuleFileNameW
GetModuleFileNameA
FreeEnvironmentStringsW
GetEnvironmentStringsW
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
InterlockedIncrement
SetLastError
GetCurrentThreadId
InterlockedDecrement
HeapCreate
QueryPerformanceCounter
GetTickCount
GetCurrentProcessId
GetSystemTimeAsFileTime
Sleep
GetExitCodeProcess
WaitForSingleObject
CloseHandle
CreateProcessA
GetCPInfo
GetACP
GetOEMCP
IsValidCodePage
RtlUnwind
WriteConsoleW
MultiByteToWideChar
SetFilePointer
LoadLibraryW
IsProcessorFeaturePresent
HeapAlloc
HeapReAlloc
CompareStringW
SetEnvironmentVariableA
FlushFileBuffers
LCMapStringW
GetStringTypeW
CreateFileW
Sections
.text Size: 37KB - Virtual size: 36KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rdata Size: 11KB - Virtual size: 10KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.data Size: 6KB - Virtual size: 13KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.rsrc Size: 44KB - Virtual size: 43KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.reloc Size: 3KB - Virtual size: 3KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
-
Ransomware/README.md
-
Ransomware/Rex.elf linux x86
-
Ransomware/ShellLocker.exe.exe windows:4 windows x86 arch:x86
f34d5f2d4577ed6d9ceec516c1f5a744
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
PDB Paths
C:\Users\EVILTWIN\Desktop\ShellLocker\ShellLocker\obj\Debug\ShellLocker.pdb
Imports
mscoree
_CorExeMain
Sections
.text Size: 560KB - Virtual size: 560KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rsrc Size: 117KB - Virtual size: 117KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.reloc Size: 512B - Virtual size: 12B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
-
Ransomware/Unlock92.bin.exe windows:4 windows x86 arch:x86
f34d5f2d4577ed6d9ceec516c1f5a744
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_32BIT_MACHINE
Imports
mscoree
_CorExeMain
Sections
.text Size: 14KB - Virtual size: 14KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rsrc Size: 9KB - Virtual size: 8KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.reloc Size: 512B - Virtual size: 12B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
-
Ransomware/cryptowall.bin.exe windows:5 windows x86 arch:x86
edbc0337cc897a187d263d79c09c15c7
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
File Characteristics
IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
Imports
user32
EnableMenuItem
GetDlgItem
SendDlgItemMessageA
AppendMenuA
GetWindowLongA
wvsprintfA
SetWindowPos
FindWindowA
RedrawWindow
GetWindowTextA
EnableWindow
GetSystemMetrics
IsWindow
CheckRadioButton
UnregisterClassA
SetCursor
GetSysColorBrush
DialogBoxParamA
DestroyAcceleratorTable
DispatchMessageA
TranslateMessage
LoadIconA
EmptyClipboard
SetClipboardData
SetFocus
CharUpperA
OpenClipboard
IsDialogMessageA
TranslateAcceleratorA
GetMessageA
LoadAcceleratorsA
RemoveMenu
InvalidateRect
ChildWindowFromPoint
PostMessageA
DestroyCursor
CreateDialogParamA
GetWindowRect
IsMenu
GetSubMenu
SetDlgItemInt
GetWindowPlacement
CharLowerBuffA
LoadCursorA
CheckMenuRadioItem
GetSysColor
KillTimer
DestroyIcon
DestroyWindow
PostQuitMessage
GetClientRect
MoveWindow
GetSystemMenu
SetTimer
SetWindowPlacement
InsertMenuItemA
GetMenu
CheckMenuItem
SetMenuItemInfoA
SetActiveWindow
DefDlgProcA
RegisterClassA
EndDialog
SetDlgItemTextA
EnumClipboardFormats
GetClipboardData
CloseClipboard
GetClassInfoA
CallWindowProcA
SetWindowLongA
IsDlgButtonChecked
SetWindowTextA
CheckDlgButton
GetActiveWindow
MessageBoxA
wsprintfA
GetDlgItemTextA
SendMessageA
GetCursorPos
TrackPopupMenu
ClientToScreen
DestroyMenu
CreatePopupMenu
comdlg32
GetSaveFileNameA
GetOpenFileNameA
advapi32
RegSetValueA
RegQueryValueExA
OpenProcessToken
LookupPrivilegeValueA
AdjustTokenPrivileges
RegOpenKeyExA
RegCloseKey
RegCreateKeyA
RegDeleteKeyA
GetUserNameA
dbghelp
ImageNtHeader
ImageRvaToSection
ImageRvaToVa
comctl32
ImageList_Destroy
InitCommonControlsEx
ImageList_ReplaceIcon
ImageList_Remove
CreateToolbarEx
ImageList_SetBkColor
ImageList_Create
kernel32
IsValidCodePage
GetOEMCP
GetACP
GetCPInfo
GetSystemTimeAsFileTime
GetCurrentProcessId
GetTickCount
QueryPerformanceCounter
HeapFree
VirtualFree
HeapCreate
GetFileType
SetHandleCount
GetEnvironmentStringsW
WideCharToMultiByte
FreeEnvironmentStringsW
GetEnvironmentStrings
FreeEnvironmentStringsA
InitializeCriticalSectionAndSpinCount
LoadLibraryA
IsDebuggerPresent
SetUnhandledExceptionFilter
UnhandledExceptionFilter
GetCurrentProcess
TerminateProcess
EnterCriticalSection
HeapSize
LeaveCriticalSection
DeleteCriticalSection
GetLocaleInfoA
WriteFile
InterlockedDecrement
GetLastError
GetCurrentThreadId
SetLastError
InterlockedIncrement
TlsFree
TlsSetValue
TlsAlloc
TlsGetValue
GetStartupInfoA
ExitProcess
GetProcAddress
Sleep
GetModuleHandleW
GlobalCompact
SetProcessWorkingSetSize
EncodePointer
OpenProcess
GlobalUnWire
GetStdHandle
IsWow64Process
GetProcessHandleCount
GetProcessHeap
FlushFileBuffers
PulseEvent
GetVersion
RtlUnwind
HeapAlloc
VirtualAlloc
HeapReAlloc
GetStringTypeA
MultiByteToWideChar
GetStringTypeW
GetCommandLineA
GetProcessId
LockResource
GlobalDeleteAtom
LCMapStringA
LCMapStringW
GetModuleFileNameA
SetProcessPriorityBoost
GlobalUnfix
RequestWakeupLatency
IsProcessInJob
GetThreadTimes
GetProcessTimes
PeekNamedPipe
Sections
.text Size: 34KB - Virtual size: 33KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rdata Size: 10KB - Virtual size: 10KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.data Size: 104KB - Virtual size: 51.8MB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.rsrc Size: 90KB - Virtual size: 90KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
-
Ransomware/eda2.exe.exe windows:4 windows x86 arch:x86
f34d5f2d4577ed6d9ceec516c1f5a744
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
PDB Paths
E:\malware\theZoo-master\malwares\Binaries\eda2-master\eda2\eda2\obj\Debug\eda2.pdb
Imports
mscoree
_CorExeMain
Sections
.text Size: 108KB - Virtual size: 107KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rsrc Size: 99KB - Virtual size: 99KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.reloc Size: 512B - Virtual size: 12B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
-
Ransomware/jigsaw.exe windows:4 windows x86 arch:x86
f34d5f2d4577ed6d9ceec516c1f5a744
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
Imports
mscoree
_CorExeMain
Sections
!mmUPp Size: 209KB - Virtual size: 208KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.text Size: 70KB - Virtual size: 70KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rsrc Size: 2KB - Virtual size: 1KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.reloc Size: 512B - Virtual size: 12B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Size: 512B - Virtual size: 16B
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
-
Ransomware/mamba.exe.exe windows:5 windows x86 arch:x86
dd8fd079a980cb9227eb869f7da9b258
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
PDB Paths
Imports
shlwapi
PathFileExistsW
PathFileExistsA
kernel32
Sleep
SizeofResource
GetConsoleWindow
GetVersionExW
GetModuleFileNameW
CreateFileW
MultiByteToWideChar
GetLastError
GetProcAddress
GetSystemDirectoryW
CreateEventW
GetModuleFileNameA
GetModuleHandleA
CloseHandle
CreateThread
CreateProcessA
GetExitCodeProcess
WriteConsoleW
WriteFile
GetModuleHandleW
SetEvent
WaitForSingleObject
CreateDirectoryW
GetCurrentProcess
LoadResource
FindResourceW
GetNativeSystemInfo
GetCommandLineW
GetFileAttributesExW
SetEnvironmentVariableA
LockResource
GetModuleHandleExW
SetStdHandle
ReadConsoleW
LoadLibraryW
InterlockedIncrement
InterlockedDecrement
EncodePointer
DecodePointer
EnterCriticalSection
LeaveCriticalSection
DeleteCriticalSection
WideCharToMultiByte
GetStringTypeW
HeapFree
HeapAlloc
ExitProcess
SetEndOfFile
AreFileApisANSI
GetCommandLineA
RaiseException
RtlUnwind
InitializeCriticalSectionAndSpinCount
GetCPInfo
IsProcessorFeaturePresent
UnhandledExceptionFilter
SetUnhandledExceptionFilter
SetLastError
TerminateProcess
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
GetStartupInfoW
CompareStringW
LCMapStringW
GetLocaleInfoW
IsValidLocale
GetUserDefaultLCID
EnumSystemLocalesW
IsDebuggerPresent
GetStdHandle
GetFileType
GetProcessHeap
ReadFile
SetFilePointerEx
FlushFileBuffers
GetConsoleCP
GetConsoleMode
HeapSize
LoadLibraryExW
IsValidCodePage
GetACP
GetOEMCP
GetCurrentThreadId
QueryPerformanceCounter
GetCurrentProcessId
GetSystemTimeAsFileTime
GetEnvironmentStringsW
FreeEnvironmentStringsW
SetFilePointer
HeapReAlloc
OutputDebugStringW
user32
ExitWindowsEx
ShowWindow
advapi32
RegisterServiceCtrlHandlerW
RevertToSelf
SetServiceStatus
ImpersonateLoggedOnUser
ChangeServiceConfig2W
LookupPrivilegeValueW
CreateProcessAsUserW
LogonUserW
StartServiceCtrlDispatcherW
OpenSCManagerW
OpenProcessToken
CreateServiceW
AdjustTokenPrivileges
shell32
ShellExecuteW
ShellExecuteA
Sections
.text Size: 120KB - Virtual size: 119KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rdata Size: 38KB - Virtual size: 37KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.data Size: 7KB - Virtual size: 15KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.rsrc Size: 2.1MB - Virtual size: 2.1MB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.reloc Size: 39KB - Virtual size: 39KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
-
Ransomware/petya2.exe.exe windows:5 windows x86 arch:x86
bf084102e13441ce39f8d51d9bf55857
Headers
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
Imports
ole32
IIDFromString
StringFromGUID2
OleUninitialize
OleInitialize
OleRun
OleSetContainedObject
CoInitializeEx
CoTaskMemAlloc
CoTaskMemFree
CoInitialize
CoTaskMemRealloc
CoUninitialize
CoCreateInstance
shell32
SHGetFolderPathW
FindExecutableA
Shell_NotifyIconA
SHGetFolderPathA
ShellExecuteExA
wininet
InternetTimeFromSystemTime
InternetTimeToSystemTime
InternetCrackUrlA
HttpQueryInfoA
InternetConnectA
InternetReadFile
HttpOpenRequestA
InternetGetConnectedState
InternetErrorDlg
HttpSendRequestA
InternetOpenA
InternetCloseHandle
user32
IsChild
SetFocus
SetRect
GetWindowThreadProcessId
RegisterClassExA
GetFocus
GetAncestor
GetSystemMenu
GetWindowRect
GetParent
GetClientRect
SendMessageA
GetClassInfoExW
GetDC
TranslateMessage
RegisterClassExW
GetWindowLongW
ReleaseDC
EnableMenuItem
SetWindowLongW
GetDesktopWindow
SetWindowPos
CreateWindowExW
AdjustWindowRectEx
LoadCursorA
SetWindowLongA
GetWindowLongA
CreateWindowExA
MessageBoxA
CharNextA
DispatchMessageW
RegisterClassA
LoadImageA
GetSystemMetrics
DispatchMessageA
PostMessageA
AppendMenuA
CreatePopupMenu
ShowWindow
MsgWaitForMultipleObjectsEx
GetCursorPos
DefWindowProcA
IsWindowUnicode
SetWindowTextW
DefWindowProcW
wsprintfA
LoadStringA
DestroyWindow
GetMessageA
GetMessageW
PostQuitMessage
TrackPopupMenu
SetForegroundWindow
PeekMessageA
comctl32
InitCommonControlsEx
version
GetFileVersionInfoA
GetFileVersionInfoSizeA
VerQueryValueW
VerQueryValueA
kernel32
GetStdHandle
WriteConsoleW
GetConsoleMode
GetConsoleCP
GetFileType
GetStartupInfoW
HeapSetInformation
GetSystemTimeAsFileTime
VirtualQuery
GetSystemInfo
GetModuleHandleW
VirtualAlloc
GetModuleFileNameW
HeapAlloc
HeapFree
FileTimeToLocalFileTime
GetDriveTypeW
FindFirstFileExW
SetStdHandle
HeapReAlloc
GetCPInfo
RtlUnwind
LCMapStringW
UnhandledExceptionFilter
SetUnhandledExceptionFilter
ExitThread
CreateDirectoryW
VirtualProtect
GetFullPathNameW
HeapCreate
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
SetLastError
HeapSize
GetLocaleInfoW
SetHandleCount
GetTimeZoneInformation
SetFilePointer
FlushFileBuffers
IsDebuggerPresent
IsProcessorFeaturePresent
GetACP
GetOEMCP
IsValidCodePage
FreeEnvironmentStringsW
GetEnvironmentStringsW
lstrcmpA
GetModuleHandleA
FindResourceA
lstrlenA
GetModuleHandleExA
FreeLibrary
LoadResource
SetEndOfFile
InterlockedDecrement
GetCommandLineA
WideCharToMultiByte
InitializeCriticalSectionAndSpinCount
SizeofResource
SetDllDirectoryA
IsDBCSLeadByte
MultiByteToWideChar
lstrlenW
RaiseException
GetLastError
lstrcmpiA
GetProcAddress
GetModuleFileNameA
LoadLibraryExA
CreateMutexA
DeleteCriticalSection
CloseHandle
WaitForSingleObject
FormatMessageA
GetExitCodeProcess
LocalFree
DeleteFileA
SetEvent
CreateEventA
lstrcatA
ResetEvent
WaitForMultipleObjects
CreateThread
lstrcpyA
lstrcpynA
CreateFileA
WriteFile
Sleep
ReadFile
OpenEventA
GetSystemTime
GetCurrentProcess
GetTickCount
GetCurrentProcessId
GetTempPathA
SystemTimeToFileTime
FileTimeToSystemTime
MulDiv
InterlockedExchange
InterlockedExchangeAdd
LocalAlloc
GetCurrentThreadId
FormatMessageW
GetLocalTime
ExitProcess
GetLocaleInfoA
GetWindowsDirectoryA
OpenProcess
TerminateProcess
GetSystemDirectoryA
FindFirstFileA
FindClose
LoadLibraryA
LockResource
GetNativeSystemInfo
PeekNamedPipe
SetHandleInformation
CreateProcessA
CreateDirectoryA
GetProcessHeap
CreatePipe
GetSystemDefaultUILanguage
GetThreadLocale
GetUserDefaultUILanguage
MoveFileExA
GetFileAttributesA
FindNextFileA
OpenThread
GetExitCodeThread
GetModuleHandleExW
LoadLibraryW
LoadLibraryExW
ReleaseMutex
QueryPerformanceCounter
QueryPerformanceFrequency
CreateFileW
SetFilePointerEx
InitializeCriticalSection
LeaveCriticalSection
EnterCriticalSection
InterlockedCompareExchange
GetStringTypeW
EncodePointer
DecodePointer
GetCurrentDirectoryW
GetFileInformationByHandle
GetUserDefaultLCID
EnumSystemLocalesA
IsValidLocale
CompareStringW
SetEnvironmentVariableA
InterlockedIncrement
RemoveDirectoryA
advapi32
SetSecurityDescriptorDacl
InitializeSecurityDescriptor
RegCloseKey
RegDeleteValueA
RegOpenKeyExA
RegCreateKeyExA
RegEnumKeyExA
RegDeleteKeyA
RegQueryInfoKeyW
RegSetValueExA
CryptGetHashParam
RegQueryInfoKeyA
GetTokenInformation
CopySid
GetWindowsAccountDomainSid
CreateWellKnownSid
ConvertStringSecurityDescriptorToSecurityDescriptorW
ConvertSidToStringSidW
RegQueryValueExA
CryptReleaseContext
CryptAcquireContextA
CryptCreateHash
CryptDestroyHash
CryptHashData
RegEnumKeyA
OpenProcessToken
oleaut32
SysFreeString
VarUI4FromStr
VariantClear
SysAllocString
VariantCopy
VariantInit
VariantChangeType
GetErrorInfo
SysStringByteLen
shlwapi
ord12
gdi32
GetStockObject
GetDeviceCaps
wintrust
WinVerifyTrust
crypt32
CryptMsgClose
CryptQueryObject
CertGetNameStringW
CertFindCertificateInStore
CertCloseStore
CryptMsgGetParam
CryptStringToBinaryA
CryptBinaryToStringA
CryptProtectData
CryptUnprotectData
msi
ord141
ord168
ord160
ord158
ord115
ord159
ord117
ord8
ord44
ord204
ord189
ord67
ord31
ord137
ord91
Sections
.text Size: 447KB - Virtual size: 446KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rdata Size: 138KB - Virtual size: 137KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.data Size: 15KB - Virtual size: 26KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.rsrc Size: 146KB - Virtual size: 145KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.reloc Size: 40KB - Virtual size: 40KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
-
Ransomware/stampado.au3.ps1
-
Ransomware/wannacrypt.exe.exe windows:4 windows x86 arch:x86
68f013d7437aa653a8a98a05807afeb1
Headers
File Characteristics
IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
Imports
kernel32
GetFileAttributesW
GetFileSizeEx
CreateFileA
InitializeCriticalSection
DeleteCriticalSection
ReadFile
GetFileSize
WriteFile
LeaveCriticalSection
EnterCriticalSection
SetFileAttributesW
SetCurrentDirectoryW
CreateDirectoryW
GetTempPathW
GetWindowsDirectoryW
GetFileAttributesA
SizeofResource
LockResource
LoadResource
MultiByteToWideChar
Sleep
OpenMutexA
GetFullPathNameA
CopyFileA
GetModuleFileNameA
VirtualAlloc
VirtualFree
FreeLibrary
HeapAlloc
GetProcessHeap
GetModuleHandleA
SetLastError
VirtualProtect
IsBadReadPtr
HeapFree
SystemTimeToFileTime
LocalFileTimeToFileTime
CreateDirectoryA
GetStartupInfoA
SetFilePointer
SetFileTime
GetComputerNameW
GetCurrentDirectoryA
SetCurrentDirectoryA
GlobalAlloc
LoadLibraryA
GetProcAddress
GlobalFree
CreateProcessA
CloseHandle
WaitForSingleObject
TerminateProcess
GetExitCodeProcess
FindResourceA
user32
wsprintfA
advapi32
CreateServiceA
OpenServiceA
StartServiceA
CloseServiceHandle
CryptReleaseContext
RegCreateKeyW
RegSetValueExA
RegQueryValueExA
RegCloseKey
OpenSCManagerA
msvcrt
realloc
fclose
fwrite
fread
fopen
sprintf
rand
srand
strcpy
memset
strlen
wcscat
wcslen
__CxxFrameHandler
??3@YAXPAX@Z
memcmp
_except_handler3
_local_unwind2
wcsrchr
swprintf
??2@YAPAXI@Z
memcpy
strcmp
strrchr
__p___argv
__p___argc
_stricmp
free
malloc
??0exception@@QAE@ABV0@@Z
??1exception@@UAE@XZ
??0exception@@QAE@ABQBD@Z
_CxxThrowException
calloc
strcat
_mbsstr
??1type_info@@UAE@XZ
_exit
_XcptFilter
exit
_acmdln
__getmainargs
_initterm
__setusermatherr
_adjust_fdiv
__p__commode
__p__fmode
__set_app_type
_controlfp
Sections
.text Size: 28KB - Virtual size: 26KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rdata Size: 24KB - Virtual size: 23KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.data Size: 8KB - Virtual size: 6KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.rsrc Size: 3.3MB - Virtual size: 3.3MB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
-
Ransomware/xorist.bin.exe windows:4 windows x86 arch:x86
0d5a4c77fb840a628560e02b85835ba4
Headers
File Characteristics
IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
Imports
user32
RegisterClassExA
PeekMessageA
SendMessageA
LoadCursorA
GetSystemMetrics
GetMessageA
GetDlgItemTextA
EndPaint
SystemParametersInfoA
TranslateMessage
UpdateWindow
MessageBoxA
DispatchMessageA
DefWindowProcA
CreateWindowExA
BeginPaint
kernel32
lstrlenA
CloseHandle
CopyFileA
CreateFileA
ExitProcess
FindClose
FindFirstFileA
FindNextFileA
FindResourceA
FreeResource
GetCommandLineA
GetEnvironmentVariableA
GetFileAttributesA
GetFileSize
GetFileTime
GetLogicalDrives
GetModuleFileNameA
GetModuleHandleA
GetProcessHeap
GetTempPathA
GetWindowsDirectoryA
GlobalFree
HeapAlloc
LoadResource
LockResource
MoveFileA
ReadFile
RtlMoveMemory
SetErrorMode
SetFilePointer
SetFileTime
SizeofResource
WriteFile
lstrcatA
lstrcmpA
lstrcmpiA
lstrcpyA
shell32
ShellExecuteA
SHGetSpecialFolderPathA
advapi32
RegCreateKeyExA
CryptCreateHash
CryptDestroyHash
CryptGetHashParam
RegSetValueExA
RegDeleteKeyA
CryptAcquireContextA
RegCloseKey
CryptReleaseContext
CryptHashData
shlwapi
PathFindFileNameA
PathFindExtensionA
PathAddBackslashA
PathMatchSpecA
gdi32
CreateFontIndirectA
comctl32
InitCommonControls
Sections
.text Size: 6KB - Virtual size: 5KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rdata Size: 2KB - Virtual size: 2KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.data Size: 1KB - Virtual size: 14KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.rsrc Size: 61KB - Virtual size: 60KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE