SHA256: 7ad9ed23a91643b517e82ad5740d24eca16bcae21cfe1c0da78ee80e0d1d3f02
File name: 1.exe
Detection ratio: 29 / 59
Analysis date: 2017-03-04 18:04:08 UTC ( 3 months, 3 weeks ago )
Antivirus Result Update
Ad-Aware DeepScan:Generic.Ransom.Spora.B28BD708 20170304
AhnLab-V3 Trojan/Win32.Spora.R194566 20170304
ALYac DeepScan:Generic.Ransom.Spora.B28BD708 20170304
Arcabit DeepScan:Generic.Ransom.Spora.B28BD708 20170304
AVG Ransom_r.BEY 20170304
Avira (no cloud) TR/Crypt.ZPACK.Gen 20170304
Baidu Win32.Trojan.WisdomEyes.16070401.9500.9991 20170303
BitDefender DeepScan:Generic.Ransom.Spora.B28BD708 20170304
Bkav W32.SporaNHc.Trojan 20170303
CAT-QuickHeal Ransom.Spora.A3 20170304
ClamAV Win.Ransomware.Spora-5743591-0 20170304
CrowdStrike Falcon (ML) malicious_confidence_100% (D) 20170130
Emsisoft DeepScan:Generic.Ransom.Spora.B28BD708 (B) 20170304
Endgame malicious (high confidence) 20170222
ESET-NOD32 a variant of Win32/Filecoder.Spora.A 20170304
F-Secure DeepScan:Generic.Ransom.Spora.B28BD708 20170304
Fortinet W32/Generic.AP.3D151C!tr 20170304
GData DeepScan:Generic.Ransom.Spora.B28BD708 20170304
Ikarus Trojan-Ransom.Spora 20170304
Invincea trojan.win32.skeeyah.a!rfn 20170203
Kaspersky Trojan-Ransom.Win32.Spora.a 20170304
Malwarebytes Ransom.Spora 20170304
Microsoft Ransom:Win32/Spora.A 20170304
eScan DeepScan:Generic.Ransom.Spora.B28BD708 20170304
Qihoo-360 HEUR/QVM19.1.0000.Malware.Gen 20170304
Rising Malware.Generic.2!tfe (thunder:2:AyZKCwjv64B) 20170304
Sophos Troj/Spora-G 20170304
Symantec Ransom.Spora!g1 20170303
Zillya Trojan.Spora.Win32.99 20170304
AegisLab 20170304
Alibaba 20170228
Antiy-AVL 20170304
Avast 20170304
AVware 20170304
CMC 20170304
Comodo 20170304
Cyren 20170304
DrWeb 20170304
F-Prot 20170304
Jiangmin 20170301
K7AntiVirus 20170304
K7GW 20170304
Kingsoft 20170304
McAfee 20170304
McAfee-GW-Edition 20170304
NANO-Antivirus 20170304
nProtect 20170304
Panda 20170304
SUPERAntiSpyware 20170304
Tencent 20170304
TheHacker 20170302
TrendMicro 20170304
TrendMicro-HouseCall 20170304
Trustlook 20170304
VBA32 20170303
VIPRE 20170304
ViRobot 20170304
Webroot 20170304
WhiteArmor 20170303
Yandex 20170225
Zoner 20170304
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2017-01-10 21:38:18
Entry Point 0x000058E7
Number of sections 2
PE sections
PE imports
CryptDestroyKey
GetTokenInformation
RegDeleteValueW
CryptReleaseContext
RegCloseKey
GetSidSubAuthority
OpenProcessToken
GetSidSubAuthorityCount
CryptGetHashParam
CryptExportKey
RegOpenKeyExW
CryptAcquireContextW
GetUserNameA
CryptEncrypt
CryptDestroyHash
CryptHashData
CryptDecrypt
CryptGenKey
CryptImportKey
CryptCreateHash
CryptUnprotectData
CryptStringToBinaryA
CryptBinaryToStringA
CryptProtectData
CryptDecodeObjectEx
CryptImportPublicKeyInfo
CryptBinaryToStringW
CopyFileW
GetDriveTypeW
lstrlenW
lstrlenA
GetModuleFileNameW
ExitProcess
GlobalUnlock
GetFileAttributesW
lstrcmpiW
GetLocalTime
GlobalSize
GetCurrentProcess
FindNextFileW
GetLocaleInfoA
GetFileSize
lstrcatA
GetCommandLineW
GetVolumeInformationW
SetErrorMode
GetLogicalDrives
DeleteFileW
GlobalLock
GetLocaleInfoW
CreateFileMappingW
SetFilePointer
lstrcpyW
WideCharToMultiByte
MapViewOfFile
GetModuleHandleA
ReadFile
WriteFile
CreateMutexW
CloseHandle
OpenMutexW
FindFirstFileW
lstrcmpW
GetProcAddress
LocalFree
LocalSize
UnmapViewOfFile
lstrcpyA
CreateFileW
FindClose
lstrcatW
Sleep
SetFileAttributesW
LocalAlloc
WNetEnumResourceW
WNetCloseEnum
WNetOpenEnumW
SHChangeNotify
SHGetSpecialFolderPathW
ShellExecuteExW
StrStrA
StrRChrW
StrStrW
wsprintfA
wsprintfW
VerQueryValueW
GetFileVersionInfoW
GetFileVersionInfoSizeW
GetHGlobalFromStream
CoCreateInstance
CoUninitialize
CoInitialize
CreateStreamOnHGlobal
SysFreeString
SysAllocString
Number of PE resources by type
RT_MANIFEST 1
Number of PE resources by language
ENGLISH US 1
PE resources
ExifTool file metadata
MIMEType application/octet-stream
Subsystem Windows GUI
MachineType Intel 386 or later, and compatibles
FileTypeExtension exe
TimeStamp 2017:01:10 22:38:18+01:00
FileType Win32 EXE
PEType PE32
CodeSize 23040
LinkerVersion 9.0
EntryPoint 0x58e7
InitializedDataSize 512
SubsystemVersion 5.0
ImageVersion 0.0
OSVersion 5.0
UninitializedDataSize 0
File identification
MD5 4a4a6d26e6c8a7df0779b00a42240e7b
SHA1 8072bada086040e07fa46ce8c12bf7c453c0e286
SHA256 7ad9ed23a91643b517e82ad5740d24eca16bcae21cfe1c0da78ee80e0d1d3f02
ssdeep 384:akN70EPxIDesCUxvDuzbKGxc5X4LtOFV4U7vqydPNdG2l2Zk1mvlCnqA+PQ+O9G:vZPxIuQunKGxJ44OdPNc2lEfCnqA+PQ+
authentihash 68824f7c7279401abb99016ad8039994fe1af3b172bee595e6c12ade62380437
imphash c3dba74b9c8c5852d9f79c7f4105f404
File size 24.0 KB ( 24576 bytes )
File type Win32 EXE
Magic literal PE32 executable for MS Windows (GUI) Intel 80386 32-bit
TrID Win32 Dynamic Link Library (generic) (43.5%)
Win32 Executable (generic) (29.8%)
Generic Win/DOS Executable (13.2%)
DOS Executable Generic (13.2%)
Tags peexe
VirusTotal metadata
First submission 2017-03-04 18:04:08 UTC ( 3 months, 3 weeks ago )
Last submission 2017-03-04 18:04:08 UTC ( 3 months, 3 weeks ago )
File names 1.exe
Condensed report! The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.
Opened files
Read files
Written files
Copied files
Deleted files
Created processes
Shell commands
Code injections in the following processes
Created mutexes
Opened mutexes
Searched windows
Opened service managers
Opened services
Hooking activity
Runtime DLLs
Additional details
The file uses the IsDebuggerPresent Windows API function in order to see whether it is being debugged.
The file installs an application-defined hook procedure into a hook chain. A hook procedure is installed to monitor the system for certain types of events; these events are associated either with a specific thread or with all threads in the same desktop as the calling thread. This is done using the SetWindowsHook Windows API function.
UDP communications