Binary
DLL False
Size 106.00KB
trid 61.7% Win64 Executable
14.7% Win32 Dynamic Link Library
10.0% Win32 Executable
4.5% OS/2 Executable
4.4% Generic Win/DOS Executable
type PE
wordsize 64
Subsystem Windows CLI
Hashes
md5 8bf43caa31c50ba12d04142195bd26d1
sha1 3fd3fa6663c7699457fe4dfc8222f84addf5408d
crc32 0xa7623a0f
sha224 fa888b2f90b5ce1ffc8437b803626dfd944de07b5acfecb4c726162b
sha256 212d2eb9c06777bcd97943470409da8fd1d2f1654b407008abdfa708cb669211
sha384 f24b976dc4fe90d8ae802add42674c2b5d9a740ad9ac20d500084f2d1bb26e86c1da6de345f941d28d46eec9bdbdb8ea
sha512 ca14879d2669f2cef59f82648bbf2616ec0a20c383ce245d2d476d5ca9dc14933d4280d987fc1b9fc3be902c6a9ed912088139672864eafdacc2c79b7b074ff2
ssdeep 1536:WTUPEBwl+KXpsqN5vlwWYyhY9S4Aqx1QvXxrCA4/6yqdZ7wWEf:WTUPuw+asqN5aW/hLSkbyqdREf
Report #11248
Creation Date: Sept. 10, 2020, 1:38 p.m.
Last Update: Sept. 10, 2020, 5:36 p.m.
File: 004_adv
Results:
Community
Google False
HashLib False
YARA
Matches RIPEMD160_Constants, domain, contentis_base64, anti_dbg, IsPE64, SHA1_Constants, CRC32_table, HasDebugData, RijnDael_AES, IsConsole, RijnDael_AES_LONG, CRC32_poly_Constant, win_registry, BASE64_table, Microsoft_Visual_Cpp_80_DLL, HasRichSignature, RijnDael_AES_CHAR, IsPacked
Suspicious True
Strings
List
C:\Users\Win\Documents\Visual Studio 2012\Projects\Dropper\x64\Release\Dropper.pdb
C:\crysis\Release\PDB\payload.pdb
COMCTL32.dll MSVCR110.dll WINMM.dll UxTheme.dll proc.exe proc.exe eUv%d
<requestedPrivileges>
__crt_debugger_hook IsProcessorFeaturePresent GetProcAddress
CreateEventW IsDebuggerPresent CreateProcessW CoCreateInstance LoadLibraryA GetModuleHandleW RegGetValueW RegDeleteKeyW RegQueryValueExW RegCreateKeyW RegSetValueExW RegOpenKeyExW LoadResource
QueryPerformanceCounter RegEnumKeyExW
fprintf fopen
__crtCapturePreviousContext
<requestedExecutionLevel level='asInvoker' uiAccess='false' />
__crtTerminateProcess _commode
_initterm
__setusermatherr __C_specific_handler _initterm_e
_calloc_crt __set_app_type __dllonexit _amsg_exit __getmainargs _XcptFilter __initenv
?terminate@@YAXXZ
;22dV::tN
D$(9D$$s.HcD$$H
</assembly>
s23w(Tr co7ro>
_unlock O44h\
V22dN::t 2dV2:tN:
dV22tN::
Df""T~**;
`.rdata
`.rdata _onexit 2Ht\l
""Df**T~
f""D~**T LcA<E3
$lOC9 dHEp*6
`3SbE H3E H3E p\lHtW
"iMw\e
=Hi$\
@.data
@.data +L]DAb PaM_t=
i">OG
?tMA+
R##Fe
WideCharToMultiByte M H1E
H51A QPeA~S Pi!LEf _cexit _fmode RSDS%~m _exit 'CRG oG [hvDE mv&TO gT]Ow
Rich?
oD/TD fT6a 11#?*0 D3Hak
%[:\7 eSCaHY oc3t
@.rsrc
Foremost
Matches 24.exe, 92 KB
Suspicious True
Heuristics
IPs hasIPs: False Allowed: (none) Suspicious: (none) hasAllowed: False hasSuspicious: False
URLs hasURLs: False Allowed: (none) Suspicious: (none) hasAllowed: False hasSuspicious: False
Files hasFiles: True Allowed: UxTheme.dll, ADVAPI32.dll, MSVCR110.dll, ole32.dll, SHLWAPI.dll, USER32.dll, SHELL32.dll, COMCTL32.dll, RPCRT4.dll, WINMM.dll, GDI32.dll, OLEAUT32.dll, KERNEL32.dll Suspicious: (none) hasAllowed: True hasSuspicious: False
Binary
Sizes
RVA: 16 Suspicious: False
Code Size: 103936 Suspicious: False
Image Address: 5368709120 Suspicious: False
Stack: 4096 Suspicious: False
Headers: 1024 Suspicious: False
Suspicious: False
Symbols
Number: 0 Suspicious: True
Pointer: 0 Suspicious: True
Directories Number: 16 Suspicious: False
Checksum Value: 0 Suspicious: True
Sections Allowed: .text, .rdata, .data, .pdata, .rsrc, .reloc Suspicious: (none) hasAllowed: True hasSections: True hasSuspicious: False
Versions
OS Version: 6 Suspicious: False
Image Version: True Suspicious: 6
Linker Version: 11.0 Suspicious: False
Subsystem Version: 6.0 Suspicious: False
Suspicious: False
EntryPoint Address: 6772 Suspicious: False
Anomalies: The header checksum and the calculated checksum do not match. hasAnomalies: True
Libraries Allowed: uxtheme.dll, advapi32.dll, ole32.dll, shlwapi.dll, user32.dll, shell32.dll, comctl32.dll, rpcrt4.dll, winmm.dll, gdi32.dll, oleaut32.dll, kernel32.dll Suspicious: msvcr110.dll hasLibs: True hasAllowed: True hasSuspicious: True
Timestamp Value: 2020-09-03 16:42:57 Valid: True Past: False Future: False
Compilation Compiled: True Compilers: Microsoft Visual C++ 8.0 (DLL) Packed: False Packers: (none) Missing: False
Obfuscation XOR: True
Fuzzing: False
PEDetector
Matches 12448
Suspicious True
Disassembly
hasTricks False
Tricks
AVclass
crysis 1
VirusTotal
md5 8bf43caa31c50ba12d04142195bd26d1
sha1 3fd3fa6663c7699457fe4dfc8222f84addf5408d
SCANS (DETECTION RATE = 63.24%)
AVG result: Win32:RansomX-gen [Ransom] update: 20200908 version: 18.4.3895.0 detected: True
CMC update: 20200908 version: 2.7.2019.1 detected: False
MAX result: malware (ai score=100) update: 20200908 version: 2019.9.16.1 detected: True
APEX update: 20200907 version: 6.68 detected: False
Bkav update: 20200908 version: 1.3.0.9899 detected: False
K7GW result: Trojan ( 00519f781 ) update: 20200908 version: 11.135.35196 detected: True
ALYac result: Trojan.Ransom.Crysis update: 20200908 version: 1.1.1.5 detected: True
Avast result: Win32:RansomX-gen [Ransom] update: 20200908 version: 18.4.3895.0 detected: True
Avira result: TR/AD.Crysis.zliit update: 20200908 version: 8.3.3.8 detected: True
Baidu update: 20190318 version: 1.0.0.2 detected: False
Cynet update: 20200905 version: 4.0.0.24 detected: False
Cyren update: 20200908 version: 6.3.0.2 detected: False
DrWeb result: Trojan.Encoder.3953 update: 20200908 version: 7.0.48.8080 detected: True
GData result: Trojan.Ransom.Crysis.E update: 20200908 version: A:25.26931B:27.20096 detected: True
Panda result: Trj/CI.A update: 20200908 version: 4.6.4.2 detected: True
VBA32 update: 20200908 version: 4.4.1 detected: False
VIPRE result: Trojan.Win32.Generic!BT update: 20200908 version: 86532 detected: True
Zoner update: 20200908 version: 0.0.0.0 detected: False
ClamAV result: Win.Trojan.Dharma-6668198-0 update: 20200907 version: 0.102.4.0 detected: True
Ikarus result: Trojan-Ransom.Crysis update: 20200908 version: 0.1.5.2 detected: True
McAfee update: 20200908 version: 6.0.6.653 detected: False
Rising result: Ransom.Crysis!1.A6AA (CLASSIC) update: 20200908 version: 25.0.0.26 detected: True
Sophos result: Mal/Generic-S update: 20200908 version: 4.98.0 detected: True
Yandex result: Trojan.Filecoder!2Xf+YV1oAlA update: 20200907 version: 5.5.2.24 detected: True
Zillya update: 20200908 version: 2.0.0.4171 detected: False
Acronis update: 20200806 version: 1.1.1.77 detected: False
Alibaba result: Ransom:Win32/Crusis.ae76ac31 update: 20190527 version: 0.3.0.5 detected: True
Arcabit result: Trojan.Ransom.Crysis.E update: 20200908 version: 1.0.0.881 detected: True
Cylance result: Unsafe update: 20200908 version: 2.3.1.101 detected: True
Elastic update: 20200831 version: 4.0.8 detected: False
FireEye result: Trojan.Ransom.Crysis.E update: 20200908 version: 32.36.1.0 detected: True
Sangfor update: 20200814 version: 1.0 detected: False
TACHYON result: Ransom/W64.Crusis.108544 update: 20200908 version: 2020-09-08.02 detected: True
Tencent result: Trojan-Ransom.Win32.Crysis.a update: 20200908 version: 1.0.0.1 detected: True
ViRobot update: 20200908 version: 2014.3.20.0 detected: False
Webroot update: 20200908 version: 1.0.0.403 detected: False
eGambit update: 20200908 detected: False
Ad-Aware result: Trojan.Ransom.Crysis.E update: 20200908 version: 3.0.16.117 detected: True
AegisLab result: Trojan.Win32.Crusis.j!c update: 20200908 version: 4.2 detected: True
F-Secure update: 20200908 version: 12.0.86.52 detected: False
Fortinet result: W32/Crusis.P!tr update: 20200908 version: 6.2.142.0 detected: True
Invincea result: Mal/Generic-S update: 20200908 version: 1.0.1.0 detected: True
Jiangmin result: Trojan.MSIL.qkml update: 20200908 version: 16.0.100 detected: True
Kingsoft update: 20200908 version: 2013.8.14.323 detected: False
Paloalto update: 20200908 version: 1.0 detected: False
Symantec result: Ransom.Crysis update: 20200907 version: 1.12.0.0 detected: True
AhnLab-V3 update: 20200908 version: 3.18.1.10026 detected: False
Antiy-AVL result: Trojan/Win32.AGeneric update: 20200908 version: 3.0.0.1 detected: True
Kaspersky result: Trojan-Ransom.Win32.Crusis.to update: 20200908 version: 15.0.1.13 detected: True
MaxSecure result: Trojan.Malware.121218.susgen update: 20200908 version: 1.0.0.1 detected: True
Microsoft update: 20200908 version: 1.1.17400.5 detected: False
Qihoo-360 result: Generic/Trojan.06b update: 20200908 version: 1.0.0.1120 detected: True
ZoneAlarm result: Trojan-Ransom.Win32.Crusis.to update: 20200908 version: 1.0 detected: True
Cybereason result: malicious.a31c50 update: 20190616 version: 1.2.449 detected: True
ESET-NOD32 result: a variant of Win64/GenKryptik.ERUI update: 20200908 version: 21955 detected: True
TrendMicro result: Ransom_Crusis.R011C0GI520 update: 20200908 version: 11.0.0.1006 detected: True
BitDefender result: Trojan.Ransom.Crysis.E update: 20200908 version: 7.2 detected: True
CrowdStrike result: win/malicious_confidence_80% (W) update: 20190702 version: 1.0 detected: True
K7AntiVirus result: Trojan ( 00519f781 ) update: 20200908 version: 11.135.35194 detected: True
SentinelOne update: 20200724 version: 4.4.0.0 detected: False
Malwarebytes update: 20200908 version: 3.6.4.335 detected: False
TotalDefense update: 20200908 version: 37.1.62.1 detected: False
CAT-QuickHeal result: TrojanRansom.Crusis update: 20200908 version: 14.00 detected: True
NANO-Antivirus result: Trojan.Win32.Filecoder.emdnxn update: 20200908 version: 1.0.134.25140 detected: True
BitDefenderTheta result: AI:Packer.D3B9457E1E update: 20200902 version: 7.2.37796.0 detected: True
MicroWorld-eScan result: Trojan.Ransom.Crysis.E update: 20200908 version: 14.0.409.0 detected: True
SUPERAntiSpyware update: 20200904 version: 5.6.0.1032 detected: False
TrendMicro-HouseCall result: Ransom_Crusis.R011C0GI520 update: 20200908 version: 10.0.0.1040 detected: True
total 68
sha256 212d2eb9c06777bcd97943470409da8fd1d2f1654b407008abdfa708cb669211
scan_id 212d2eb9c06777bcd97943470409da8fd1d2f1654b407008abdfa708cb669211-1599568023
resource 8bf43caa31c50ba12d04142195bd26d1
permalink https://www.virustotal.com/gui/file/212d2eb9c06777bcd97943470409da8fd1d2f1654b407008abdfa708cb669211/detection/f-212d2eb9c06777bcd97943470409da8fd1d2f1654b407008abdfa708cb669211-1599568023
positives 43
scan_date 2020-09-08 12:27:03
verbose_msg Scan finished, information embedded
response_code 1
File
Trace
Process
Trace
Analysis
Reason: Blue Screen
Status: Machine Crashed
Results: 0
Registry
Trace
File Summary
Created Identified: False
Deleted Identified: False
Process Summary
Created Identified: False
Deleted Identified: False
Registry Summary
Proxy Identified: False
AutoRun Identified: False
Created Identified: False
Deleted Identified: False
Browsers Identified: False
Internet Identified: False
DNS
Query
localhost gateway:DNS ctldl.windowsupdate.com.
localhost gateway:DNS time.windows.com.
localhost gateway:DNS teredo.ipv6.microsoft.com.
localhost gateway:55140 ctldl.windowsupdate.com.
localhost gateway:50974 ipv6.msftncsi.com.
localhost gateway:DNS www.msftncsi.com.
localhost gateway:63070 time.windows.com.
localhost gateway:49315 teredo.ipv6.microsoft.com.
localhost gateway:DNS ipv6.msftncsi.com.
Response
gateway:DNS localhost time.windows.com. 40.119.6.228
gateway:DNS localhost ipv6.msftncsi.com. a978.i6g1.akamai.net.
gateway:DNS localhost ctldl.windowsupdate.com. 200.143.247.10
gateway:DNS localhost www.msftncsi.com. 200.143.247.9
TCP
Info
localhost:49159 200.143.247.8:80
200.143.247.8:80 localhost:49159
200.143.247.8:80 localhost:49157
localhost:49157 200.143.247.8:80
UDP
Info
localhost:53 localhost:63070
40.119.6.228:123 localhost:123
localhost:53 localhost:55140
localhost:53937 localhost:53
localhost:55573 224.0.0.252:5355
localhost:53 localhost:53937
localhost:51036 224.0.0.252:5355
localhost:57491 224.0.0.252:5355
localhost:59593 224.0.0.252:5355
localhost:54919 224.0.0.252:5355
localhost:55574 239.255.255.250:3702
localhost:50974 localhost:53
localhost:62064 224.0.0.252:5355
localhost:63070 localhost:53
localhost:54968 224.0.0.252:5355
localhost:53 localhost:49315
localhost:68 255.255.255.255:67
localhost:55140 localhost:53
localhost:49315 localhost:53
localhost:123 40.119.6.228:123
localhost:53 localhost:50974
localhost:67 localhost:68
localhost:52081 224.0.0.252:5355
HTTP
Info
localhost GET ctldl.windowsupdate.com /msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?80e9da75df15e134
localhost GET www.msftncsi.com /ncsi.txt
Summary
DNS True
TCP True
UDP True
HTTP True
Results
BINARY
NFS 2.0 (Threshold = 0.8) confidence: 82.50%
suspicious: False
Decision Tree (NFS-BRMalware) confidence: 100.00%
suspicious: True
MalConv (Ember: Raw Bytes, Threshold=0.5) confidence: 99.70%
suspicious: True
Random Forest (100 estimators, NFS-BRMalware) confidence: 63.00%
suspicious: False
Non-Negative MalConv (Ember: Raw Bytes, Threshold=0.35) confidence: 47.28%
suspicious: True
LightGDM (Ember: File Characteristics, Threshold=0.8336) confidence: 85.99%
suspicious: False