SHA256: de271e00cdba9f2819e20a3860b425dcc1066c7a8fdd89e18798e249bf64b1c6
File name: 2017-03-06-Spora-Ransomware-7th-run-Chrome_font.exe
Detection ratio: 18 / 59
Analysis date: 2017-03-06 21:47:12 UTC ( 2 months, 2 weeks ago )
Antivirus Result Update
AhnLab-V3 Trojan/Win32.Ursnif.R196304 20170306
Antiy-AVL Trojan/Win32.TSGeneric 20170306
Avira (no cloud) TR/Crypt.ZPACK.awdwy 20170306
Baidu Win32.Trojan.WisdomEyes.16070401.9500.9995 20170306
CAT-QuickHeal Ransom.Exxroute.A3 20170306
CrowdStrike Falcon (ML) malicious_confidence_100% (D) 20170130
Endgame malicious (high confidence) 20170222
ESET-NOD32 a variant of Win32/GenKryptik.WZW 20170306
Invincea ddos.win32.nitol.a 20170203
Kaspersky UDS:DangerousObject.Multi.Generic 20170306
McAfee Ransomware-FMJ!57484440F7BE 20170306
McAfee-GW-Edition BehavesLike.Win32.Downloader.lh 20170306
Qihoo-360 HEUR/QVM20.1.0000.Malware.Gen 20170306
Rising Malware.Generic.2!tfe (thunder:2:jPDdkXmPEOM) 20170306
Sophos Mal/Elenoocka-E 20170306
Symantec ML.Attribute.HighConfidence 20170306
Webroot Malicious 20170306
ZoneAlarm by Check Point UDS:DangerousObject.Multi.Generic 20170306
Ad-Aware 20170306
AegisLab 20170306
Alibaba 20170228
ALYac 20170306
Arcabit 20170306
Avast 20170306
AVG 20170306
AVware 20170306
BitDefender 20170306
Bkav 20170306
ClamAV 20170306
CMC 20170306
Comodo 20170306
Cyren 20170306
DrWeb 20170306
Emsisoft 20170306
F-Prot 20170306
F-Secure 20170306
Fortinet 20170306
GData 20170306
Ikarus 20170306
Jiangmin 20170306
K7AntiVirus 20170306
K7GW 20170306
Kingsoft 20170306
Malwarebytes 20170306
Microsoft 20170306
eScan 20170306
NANO-Antivirus 20170306
nProtect 20170306
Panda 20170306
SUPERAntiSpyware 20170306
Tencent 20170306
TheHacker 20170305
TrendMicro 20170306
TrendMicro-HouseCall 20170306
Trustlook 20170306
VBA32 20170306
VIPRE 20170306
ViRobot 20170306
WhiteArmor 20170303
Yandex 20170306
Zillya 20170304
Zoner 20170306
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2013-09-02 10:01:36
Entry Point 0x000040DA
Number of sections 4
PE sections
PE imports
OpenThread
WriteProcessMemory
CreateJobObjectW
CreateMailslotA
GetLocalTime
OpenFileMappingW
GetPrivateProfileStringA
GetCurrentProcessId
GetVolumeInformationW
GetProcAddress
GetTimeFormatW
SetEnvironmentVariableW
GetModuleHandleA
lstrcpy
CompareStringA
lstrcmpi
GetLongPathNameW
GetLogicalDriveStringsA
OpenJobObjectW
FindClose
InterlockedDecrement
SetLastError
WriteConsoleW
OneXInitialize
OneXCopyAuthParams
OneXAddTLV
OneXDeInitialize
PathIsSlowA
ShellAboutA
DragFinish
DragQueryFileW
SHChangeNotify
FindExecutableA
SHBrowseForFolderA
StrChrA
SHEmptyRecycleBinA
SHGetFileInfoW
ExtractIconW
SHQueryRecycleBinA
SHFileOperationA
ShellExecuteA
SHGetDataFromIDListA
PE exports
Number of PE resources by type
RT_DIALOG 1
UMAE 1
Number of PE resources by language
NEUTRAL 2
PE resources
ExifTool file metadata
MIMEType application/octet-stream
Subsystem Windows GUI
MachineType Intel 386 or later, and compatibles
FileTypeExtension exe
TimeStamp 2013:09:02 11:01:36+01:00
FileType Win32 EXE
PEType PE32
CodeSize 20480
LinkerVersion 5.12
EntryPoint 0x40da
InitializedDataSize 53248
SubsystemVersion 4.0
ImageVersion 0.0
OSVersion 4.0
UninitializedDataSize 0
Compressed bundles
File identification
MD5 57484440f7be94394fd851de3e416285
SHA1 48098684eebb1315739df9ab9685a2c2af96d8c5
SHA256 de271e00cdba9f2819e20a3860b425dcc1066c7a8fdd89e18798e249bf64b1c6
ssdeep 1536:aqe2qDqe7+Ogyqe7qG5M7qNwGh7ULJxS:PqGYGYqqNwGhoi
authentihash b90133551f4e32b077bf70cf2c7f351129bf8ec908a47ca9c01b668e71605e24
imphash 12e08b7594c958fcd938cbf1920f2078
File size 76.0 KB ( 77824 bytes )
File type Win32 EXE
Magic literal PE32 executable for MS Windows (GUI) Intel 80386 32-bit
TrID Win32 Dynamic Link Library (generic) (43.5%)
Win32 Executable (generic) (29.8%)
Generic Win/DOS Executable (13.2%)
DOS Executable Generic (13.2%)
Tags peexe
VirusTotal metadata
First submission 2017-03-06 21:47:12 UTC ( 2 months, 2 weeks ago )
Last submission 2017-05-12 19:11:18 UTC ( 1 week, 3 days ago )
File names 2017-03-06-Spora-Ransomware-7th-run-Chrome_font.exe
2017-03-06-spora-ransomware-7th-run-chrome_font.exe
Spora-Ransomware-7.exe
Behaviour characterization
Zemana dll-injection
Condensed report! The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.
Opened files
Read files
Written files
Copied files
Deleted files
Created processes
Shell commands
Code injections in the following processes
Created mutexes
Opened mutexes
Searched windows
Opened service managers
Opened services
Hooking activity
Runtime DLLs
Additional details
The file uses the IsDebuggerPresent Windows API function in order to see whether it is being debugged.
The file installs an application-defined hook procedure into a hook chain. A hook procedure is installed to monitor the system for certain types of events; these events are associated either with a specific thread or with all threads in the same desktop as the calling thread. This is done by making use of the SetWindowsHook Windows API function.
UDP communications