SHA256: 903f891d6489935b69f24590ca74b900bebf849552897406885582427ae39984
File name: spora_unpacked.exe
Detection ratio: 28 / 59
Analysis date: 2017-03-06 22:05:49 UTC ( 9 months, 1 week ago )
Antivirus Result Update
Ad-Aware Gen:Variant.Ransom.Spora.1 20170306
AhnLab-V3 Trojan/Win32.Gen.C1752666 20170306
ALYac Gen:Variant.Ransom.Spora.1 20170306
Antiy-AVL Trojan/Win32.AGeneric 20170306
Arcabit Trojan.Ransom.Spora.1 20170306
AVG Generic_r.RCV 20170306
Avira (no cloud) TR/Crypt.ZPACK.Gen 20170306
Baidu Win32.Trojan.WisdomEyes.16070401.9500.9999 20170306
BitDefender Gen:Variant.Ransom.Spora.1 20170306
CrowdStrike Falcon (ML) malicious_confidence_100% (D) 20170130
DrWeb Trojan.Encoder.10103 20170306
Emsisoft Gen:Variant.Ransom.Spora.1 (B) 20170306
Endgame malicious (high confidence) 20170222
ESET-NOD32 a variant of Win32/Filecoder.Spora.A 20170306
F-Secure Gen:Variant.Ransom.Spora.1 20170306
GData Gen:Variant.Ransom.Spora.1 20170306
Ikarus Trojan-Ransom.Spora 20170306
Sophos ML trojandownloader.win32.upatre.a 20170203
Kaspersky HEUR:Trojan.Win32.Generic 20170306
Microsoft Ransom:Win32/Spora.A 20170306
eScan Gen:Variant.Ransom.Spora.1 20170306
NANO-Antivirus Trojan.Win32.Filecoder.emazsc 20170306
Qihoo-360 HEUR/QVM19.1.0000.Malware.Gen 20170306
Rising Malware.Generic.2!tfe (thunder:2:AyZKCwjv64B) 20170306
Sophos AV Troj/Spora-G 20170306
Symantec ML.Attribute.HighConfidence 20170306
Yandex Trojan.Agent!Sy+7zlN1m88 20170306
ZoneAlarm by Check Point HEUR:Trojan.Win32.Generic 20170306
Engines with an empty result column (no detection at the listed update):
AegisLab 20170306
Alibaba 20170228
Avast 20170306
AVware 20170306
Bkav 20170306
CAT-QuickHeal 20170306
ClamAV 20170306
CMC 20170306
Comodo 20170306
Cyren 20170306
F-Prot 20170306
Fortinet 20170306
Jiangmin 20170306
K7AntiVirus 20170306
K7GW 20170306
Kingsoft 20170306
Malwarebytes 20170306
McAfee 20170306
McAfee-GW-Edition 20170306
nProtect 20170306
Panda 20170306
SUPERAntiSpyware 20170306
Tencent 20170306
TheHacker 20170305
TrendMicro 20170306
TrendMicro-HouseCall 20170306
Trustlook 20170306
VBA32 20170306
VIPRE 20170306
ViRobot 20170306
Webroot 20170306
WhiteArmor 20170303
Zillya 20170304
Zoner 20170306
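Reading a vendor table like the one above by hand is error-prone: most of the 28 labels are generic or heuristic names (HEUR, Gen, ML.Attribute), and one engine (Sophos ML) calls the file an Upatre downloader. The script below is an added example, not VirusTotal's code, that turns (vendor, label) pairs into a per-family vote count. The marker list and the tokenisation rules are this example's own simplification of what label-normalisation tools such as AVClass do; the sample rows are a constructed subset copied from the table on this page, not a live query.

```python
"""Family consensus over AV labels (added example, not VirusTotal's logic)."""
import re
from collections import Counter

# Substrings that mark a category, platform or engine verdict rather than a
# family name.  Kept deliberately short: "troj" also catches "trojandownloader",
# "crypt" catches Avira's TR/Crypt.* packer heuristic (and would also hide a
# family such as "cryptolocker", so tune this per campaign).
GENERIC_MARKERS = (
    "troj", "generic", "variant", "ransom", "win32", "heur", "malware",
    "malicious", "confidence", "attribute", "filecoder", "encoder",
    "crypt", "agent",
)

# Constructed subset of the detection table above: (vendor, label).
# An empty label means the engine returned no detection.
SAMPLE_RESULTS = [
    ("Ad-Aware", "Gen:Variant.Ransom.Spora.1"),
    ("AhnLab-V3", "Trojan/Win32.Gen.C1752666"),
    ("Avira (no cloud)", "TR/Crypt.ZPACK.Gen"),
    ("CrowdStrike Falcon (ML)", "malicious_confidence_100% (D)"),
    ("DrWeb", "Trojan.Encoder.10103"),
    ("ESET-NOD32", "a variant of Win32/Filecoder.Spora.A"),
    ("Ikarus", "Trojan-Ransom.Spora"),
    ("Sophos ML", "trojandownloader.win32.upatre.a"),
    ("Kaspersky", "HEUR:Trojan.Win32.Generic"),
    ("Microsoft", "Ransom:Win32/Spora.A"),
    ("Sophos AV", "Troj/Spora-G"),
    ("Symantec", "ML.Attribute.HighConfidence"),
    ("Avast", ""),
    ("ClamAV", ""),
]


def family_tokens(label: str) -> set:
    """Candidate family names left in one vendor label after stripping
    category words, platform tags, short suffixes and hash-like tokens."""
    out = set()
    for tok in re.split(r"[^a-z0-9]+", label.lower()):
        if len(tok) < 4 or any(ch.isdigit() for ch in tok):
            continue                       # "a", "ml", "c1752666", "10103"
        if any(marker in tok for marker in GENERIC_MARKERS):
            continue                       # "trojan", "ransom", "highconfidence"
        out.add(tok)
    return out


def family_votes(results) -> Counter:
    """One vote per engine per family token, so a verbose label cannot
    count twice and a single mislabel stays a minority entry."""
    votes = Counter()
    for _vendor, label in results:
        for family in family_tokens(label):
            votes[family] += 1
    return votes


def detection_ratio(results):
    """(engines with a non-empty result, engines in the table)."""
    detected = sum(1 for _vendor, label in results if label.strip())
    return detected, len(results)


if __name__ == "__main__":
    hits, total = detection_ratio(SAMPLE_RESULTS)
    print(f"detection ratio: {hits}/{total}")
    for family, n in family_votes(SAMPLE_RESULTS).most_common():
        print(f"{n:3d}  {family}")
```

On the sample rows the top entry is "spora" with five independent votes; "upatre" and "zpack" survive as single-vote noise, which is the signal a triage script should surface rather than suppress: one engine's family guess is not worth acting on, five agreeing engines are.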
The file being studied is a Portable Executable (PE) file; more specifically, a Win32 EXE for the Windows GUI subsystem.
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2017-02-27 22:32:48 (UTC; this is the linker-written TimeDateStamp, which is trivially forged, so read it as a claim rather than evidence. Here it precedes the first submission by a week, which is at least consistent.)
Entry Point 0x000063FE
Number of sections 2
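The values in the block above and in the ExifTool block further down all come from two fixed structures, the COFF file header and the optional header. The parser below is an added example (this editor's code, not VirusTotal's or pefile's) that reads those fields from raw bytes; build_sample_header() constructs a header carrying this page's values so the parser can be run offline, and those bytes are not the Spora binary.

```python
"""Minimal IMAGE_NT_HEADERS parser (added example)."""
import struct
from datetime import datetime, timezone

MACHINE_NAMES = {0x014C: "Intel 386 or later processors and compatible processors",
                 0x8664: "x64", 0x01C4: "ARM Thumb-2", 0xAA64: "ARM64"}
SUBSYSTEM_NAMES = {1: "Native", 2: "Windows GUI", 3: "Windows CUI"}
PE_TYPES = {0x10B: "PE32", 0x20B: "PE32+"}
IMAGE_FILE_DLL = 0x2000


def parse_pe_header(data: bytes) -> dict:
    """Read the e_lfanew pointer, the COFF file header and the start of the
    optional header.  Raises ValueError on a malformed image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature at e_lfanew")
    coff = e_lfanew + 4
    (machine, nsections, timestamp, _symtab, _nsyms,
     opt_size, characteristics) = struct.unpack_from("<HHIIIHH", data, coff)
    if opt_size < 70:
        raise ValueError("optional header too short")
    opt = coff + 20
    (magic, lnk_major, lnk_minor, size_code, size_idata,
     size_udata, entry) = struct.unpack_from("<HBBIIII", data, opt)
    # The version fields sit at optional-header offset 40 and Subsystem at
    # offset 68 for both PE32 and PE32+, so no branch on magic is needed.
    (os_major, os_minor, img_major, img_minor,
     ss_major, ss_minor) = struct.unpack_from("<HHHHHH", data, opt + 40)
    (subsystem,) = struct.unpack_from("<H", data, opt + 68)
    return {
        "machine": MACHINE_NAMES.get(machine, f"unknown (0x{machine:04X})"),
        "sections": nsections,
        # TimeDateStamp is seconds since the Unix epoch, written by the
        # linker and trivially forgeable: a claim, not evidence.
        "compiled": datetime.fromtimestamp(timestamp, timezone.utc)
                    .strftime("%Y-%m-%d %H:%M:%S"),
        "entry_point": f"0x{entry:08X}",
        "pe_type": PE_TYPES.get(magic, f"unknown (0x{magic:04X})"),
        "linker": f"{lnk_major}.{lnk_minor}",
        "code_size": size_code,
        "init_data_size": size_idata,
        "uninit_data_size": size_udata,
        "os_version": f"{os_major}.{os_minor}",
        "image_version": f"{img_major}.{img_minor}",
        "subsystem_version": f"{ss_major}.{ss_minor}",
        "subsystem": SUBSYSTEM_NAMES.get(subsystem, str(subsystem)),
        "is_dll": bool(characteristics & IMAGE_FILE_DLL),
    }


def build_sample_header() -> bytes:
    """Constructed header carrying this page's values (not the real sample)."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # 1488234768 == 2017-02-27 22:32:48 UTC; 0x0102 == EXECUTABLE_IMAGE | 32BIT_MACHINE
    coff = struct.pack("<HHIIIHH", 0x014C, 2, 1488234768, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<HBBIIII", opt, 0, 0x10B, 9, 0, 25600, 512, 0, 0x63FE)
    struct.pack_into("<HHHHHH", opt, 40, 5, 0, 0, 0, 5, 0)
    struct.pack_into("<H", opt, 68, 2)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    for key, value in parse_pe_header(build_sample_header()).items():
        print(f"{key:18} {value}")
```

Run against a real file, replace build_sample_header() with the file's bytes; the Machine and Magic fields are what settle the architecture question when a byte-pattern identifier such as TrID disagrees with them.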
PE sections
PE imports (grouped by the DLL that exports each function; the DLL headings were lost in extraction and are restored here from the function names, with the entries kept in page order)
ADVAPI32.dll
CryptDestroyKey
GetTokenInformation
RegDeleteValueW
CryptReleaseContext
RegCloseKey
GetSidSubAuthority
OpenProcessToken
GetSidSubAuthorityCount
CryptGetHashParam
CryptExportKey
RegOpenKeyExW
CryptAcquireContextW
GetUserNameA
CryptEncrypt
CryptDestroyHash
CryptHashData
CryptDecrypt
CryptGenKey
CryptImportKey
CryptCreateHash
CRYPT32.dll
CryptUnprotectData
CryptStringToBinaryA
CryptBinaryToStringA
CryptProtectData
CryptDecodeObjectEx
CryptImportPublicKeyInfo
CryptBinaryToStringW
KERNEL32.dll
CopyFileW
GetDriveTypeW
lstrlenW
lstrlenA
GetModuleFileNameW
ExitProcess
GlobalUnlock
GetFileAttributesW
lstrcmpiW
GetLocalTime
GlobalSize
GetCurrentProcess
FindNextFileW
GetLocaleInfoA
GetFileSize
lstrcatA
GetCommandLineW
GetVolumeInformationW
SetErrorMode
GetLogicalDrives
DeleteFileW
GlobalLock
GetLocaleInfoW
CreateFileMappingW
SetFilePointer
lstrcpyW
MapViewOfFile
GetModuleHandleA
ReadFile
WriteFile
CreateMutexW
CloseHandle
OpenMutexW
FindFirstFileW
lstrcmpW
GetProcAddress
LocalFree
LocalSize
UnmapViewOfFile
lstrcpyA
CreateFileW
FindClose
lstrcatW
Sleep
SetFileAttributesW
LocalAlloc
MPR.dll
WNetEnumResourceW
WNetCloseEnum
WNetOpenEnumW
SHELL32.dll
SHChangeNotify
SHGetSpecialFolderPathW
ShellExecuteExW
SHLWAPI.dll
StrStrA
StrRChrW
StrStrW
USER32.dll
wsprintfA
wsprintfW
VERSION.dll
VerQueryValueW
GetFileVersionInfoW
GetFileVersionInfoSizeW
ole32.dll
GetHGlobalFromStream
CoCreateInstance
CoUninitialize
CoInitialize
CreateStreamOnHGlobal
OLEAUT32.dll
SysFreeString
SysAllocString
Read as a capability profile, the names are the building blocks of a file-encrypting ransomware: CryptoAPI session-key generation, export and import (CryptGenKey, CryptExportKey, CryptImportKey) next to CryptImportPublicKeyInfo and CryptDecodeObjectEx (loading an embedded public key), DPAPI (CryptProtectData/CryptUnprotectData), drive and directory enumeration (GetLogicalDrives, GetDriveTypeW, FindFirstFileW/FindNextFileW), network share enumeration (WNetOpenEnumW/WNetEnumResourceW), a mutex pair (CreateMutexW/OpenMutexW) and ShellExecuteExW. Names alone do not prove behaviour, and with GetProcAddress present the static table is only a lower bound on what the code can reach.
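The imphash reported further down this page is derived from exactly this list. It is the MD5 of a comma-joined sequence of "dll.function" strings, lower-cased, with the .dll/.ocx/.sys extension dropped, in import-directory order. The code below is an added example (this editor's re-implementation of the rule pefile and VirusTotal use, not their code); it emits "ordN" for every import by ordinal, whereas pefile additionally resolves ordinals for a few DLLs such as oleaut32 and ws2_32 to names. SAMPLE_IMPORTS is the list above reconstructed into per-DLL groups; the DLL assignment and the order are this example's assumptions, not data from the page.

```python
"""imphash from an ordered import table (added example)."""
import hashlib

STRIPPED_EXTENSIONS = {"dll", "ocx", "sys"}

# Reconstructed from the import list on this page (DLL assignment assumed).
SAMPLE_IMPORTS = [
    ("ADVAPI32.dll", [
        "CryptDestroyKey", "GetTokenInformation", "RegDeleteValueW",
        "CryptReleaseContext", "RegCloseKey", "GetSidSubAuthority",
        "OpenProcessToken", "GetSidSubAuthorityCount", "CryptGetHashParam",
        "CryptExportKey", "RegOpenKeyExW", "CryptAcquireContextW",
        "GetUserNameA", "CryptEncrypt", "CryptDestroyHash", "CryptHashData",
        "CryptDecrypt", "CryptGenKey", "CryptImportKey", "CryptCreateHash"]),
    ("CRYPT32.dll", [
        "CryptUnprotectData", "CryptStringToBinaryA", "CryptBinaryToStringA",
        "CryptProtectData", "CryptDecodeObjectEx", "CryptImportPublicKeyInfo",
        "CryptBinaryToStringW"]),
    ("KERNEL32.dll", [
        "CopyFileW", "GetDriveTypeW", "lstrlenW", "lstrlenA",
        "GetModuleFileNameW", "ExitProcess", "GlobalUnlock",
        "GetFileAttributesW", "lstrcmpiW", "GetLocalTime", "GlobalSize",
        "GetCurrentProcess", "FindNextFileW", "GetLocaleInfoA", "GetFileSize",
        "lstrcatA", "GetCommandLineW", "GetVolumeInformationW", "SetErrorMode",
        "GetLogicalDrives", "DeleteFileW", "GlobalLock", "GetLocaleInfoW",
        "CreateFileMappingW", "SetFilePointer", "lstrcpyW", "MapViewOfFile",
        "GetModuleHandleA", "ReadFile", "WriteFile", "CreateMutexW",
        "CloseHandle", "OpenMutexW", "FindFirstFileW", "lstrcmpW",
        "GetProcAddress", "LocalFree", "LocalSize", "UnmapViewOfFile",
        "lstrcpyA", "CreateFileW", "FindClose", "lstrcatW", "Sleep",
        "SetFileAttributesW", "LocalAlloc"]),
    ("MPR.dll", ["WNetEnumResourceW", "WNetCloseEnum", "WNetOpenEnumW"]),
    ("SHELL32.dll", ["SHChangeNotify", "SHGetSpecialFolderPathW", "ShellExecuteExW"]),
    ("SHLWAPI.dll", ["StrStrA", "StrRChrW", "StrStrW"]),
    ("USER32.dll", ["wsprintfA", "wsprintfW"]),
    ("VERSION.dll", ["VerQueryValueW", "GetFileVersionInfoW", "GetFileVersionInfoSizeW"]),
    ("ole32.dll", ["GetHGlobalFromStream", "CoCreateInstance", "CoUninitialize",
                   "CoInitialize", "CreateStreamOnHGlobal"]),
    ("OLEAUT32.dll", ["SysFreeString", "SysAllocString"]),
]


def imphash_string(imports) -> str:
    """Canonical imphash input.  `imports` is an ordered list of
    (dll_name, [function_name_or_int_ordinal, ...]); order matters, since
    two binaries with the same functions in a different import order hash
    differently."""
    parts = []
    for dll, funcs in imports:
        lib = dll.lower()
        base, dot, ext = lib.rpartition(".")
        if dot and ext in STRIPPED_EXTENSIONS:
            lib = base                       # "kernel32.dll" -> "kernel32"
        for func in funcs:
            # Simplification: every ordinal import becomes "ordN"; pefile
            # maps ordinals of oleaut32/ws2_32/wsock32 back to names first.
            name = f"ord{func}" if isinstance(func, int) else func.lower()
            parts.append(f"{lib}.{name}")
    return ",".join(parts)


def imphash(imports) -> str:
    """MD5 over the canonical string, hex-encoded like VirusTotal shows it."""
    return hashlib.md5(imphash_string(imports).encode("ascii")).hexdigest()


if __name__ == "__main__":
    print(imphash(SAMPLE_IMPORTS))
```

Compare the printed value with the imphash listed under File identification. A match confirms the reconstructed order and DLL assignment; a mismatch means the page's listing order or the assumed DLL grouping differs from the binary's real import directory, not that it is a different file, because imphash is order-sensitive by design. That sensitivity is also why imphash pivots well across samples built from the same source with the same toolchain and poorly across anything that reorders or dynamically resolves imports.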
Number of PE resources by type
RT_MANIFEST 1
Number of PE resources by language
ENGLISH US 1
PE resources
ExifTool file metadata
MIMEType application/octet-stream
Subsystem Windows GUI
MachineType Intel 386 or later, and compatibles
FileTypeExtension exe
TimeStamp 2017:02:27 23:32:48+01:00
FileType Win32 EXE
PEType PE32
CodeSize 25600
LinkerVersion 9.0
EntryPoint 0x63fe
InitializedDataSize 512
SubsystemVersion 5.0
ImageVersion 0.0
OSVersion 5.0
UninitializedDataSize 0
File identification
MD5 3b80deb6d55cb0bb8560afd22238885c
SHA1 dfa890f45879a489198e27d537a805ca58a2fc8e
SHA256 903f891d6489935b69f24590ca74b900bebf849552897406885582427ae39984
ssdeep 384:JXwiwD51ZqSLZ+Urx0tU9CG0cFzMxVe4Mk4EKJCI+M0el/WY5Yfy:JgjaSoUlGOQpQk4l0el/WOYfy
authentihash 28cb7844b4b5a5e35f25032e59408adc21fbda9f48538cbe394e2582416ea92f
imphash 2a776c2d371d3caed91594ccd6eb7fad
File size 26.5 KB ( 27136 bytes )
File type Win32 EXE
Magic literal PE32 executable for MS Windows (GUI) Intel 80386 32-bit
TrID Win64 Executable (generic) (64.6%)
Win32 Dynamic Link Library (generic) (15.4%)
Win32 Executable (generic) (10.5%)
Generic Win/DOS Executable (4.6%)
DOS Executable Generic (4.6%)
Note that TrID's top guess (Win64) contradicts both the PE header (Machine = i386, PEType = PE32) and the magic literal. TrID is a byte-pattern heuristic; the header fields decide the architecture, and an unpacked 26 KB stub with two sections is exactly the kind of file on which such heuristics misfire.
Tags peexe
VirusTotal metadata
First submission 2017-03-06 22:05:49 UTC ( 9 months, 1 week ago )
Last submission 2017-11-24 17:40:35 UTC ( 2 weeks, 5 days ago )
File names spora_unpacked.exe
903f891d6489935b69f24590ca74b900bebf849552897406885582427ae39984.exe
Condensed report. The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.
The report's category headings are listed below; their contents were not captured in this extract, so nothing can be concluded from their apparent emptiness:
Opened files
Read files
Written files
Copied files
Deleted files
Created processes
Shell commands
Code injections in the following processes
Created mutexes
Opened mutexes
Searched windows
Opened service managers
Opened services
Hooking activity
Runtime DLLs
Additional details
The file uses the IsDebuggerPresent Windows API function to check whether it is being debugged. On its own this is a weak indicator: many benign binaries call it from runtime or startup code.
The file installs an application-defined hook procedure into a hook chain, which is how a program monitors the system for certain types of events, either for a specific thread or for all threads on the same desktop as the calling thread. This is done with the SetWindowsHook family (SetWindowsHookEx on current Windows).
Neither IsDebuggerPresent nor SetWindowsHookEx appears in the static import table above, while GetProcAddress does; the most plausible reading is that these calls are resolved at run time, which is a further reason to treat the static import list as a lower bound rather than an inventory of the sample's API use.