SHA256: de4d32cf30b81cf3761b34940ae82e086cb1dbd34a4fd1d630d0416a6721324a
File name: sage.dll
Detection ratio: 28 / 61
Analysis date: 2017-03-24 19:55:48 UTC ( 8 months, 3 weeks ago )
Antivirus Result Update
Ad-Aware Trojan.Ransom.BMM 20170324
AhnLab-V3 Trojan/Win32.SageCrypt.R197181 20170324
ALYac Trojan.Ransom.BMM 20170324
Antiy-AVL Trojan/Win32.Deshacop 20170324
Arcabit Trojan.Ransom.BMM 20170324
Avast Win32:Malware-gen 20170324
AVG FileCryptor.OET 20170324
Avira (no cloud) TR/Crypt.XPACK.Gen3 20170324
Baidu Win32.Trojan.WisdomEyes.16070401.9500.9996 20170323
BitDefender Trojan.Ransom.BMM 20170324
CrowdStrike Falcon (ML) malicious_confidence_100% (D) 20170130
DrWeb Trojan.Encoder.10433 20170324
Emsisoft Trojan.Ransom.BMM (B) 20170324
Endgame malicious (high confidence) 20170317
ESET-NOD32 a variant of Win32/Filecoder.NHQ 20170324
F-Secure Trojan.Ransom.BMM 20170324
GData Win32.Malware.Bucaspys.B 20170324
Sophos ML trojanspy.win32.nivdort.du 20170203
Kaspersky Trojan.Win32.Deshacop.eni 20170324
McAfee-GW-Edition BehavesLike.Win32.Backdoor.mc 20170324
Microsoft Ransom:Win32/Milicry.A 20170324
eScan Trojan.Ransom.BMM 20170324
NANO-Antivirus Virus.Win32.Gen.ccmw 20170324
Qihoo-360 HEUR/QVM20.1.0000.Malware.Gen 20170324
Rising Malware.Generic.3!tfe (thunder:3:fYPGxDKb1lB) 20170324
Symantec ML.Attribute.HighConfidence 20170324
VBA32 BScope.Trojan.Agent 20170324
ZoneAlarm by Check Point Trojan.Win32.Deshacop.eni 20170324
AegisLab 20170324
Alibaba 20170324
AVware 20170324
Bkav 20170324
CAT-QuickHeal 20170324
ClamAV 20170324
CMC 20170324
Comodo 20170324
Cyren 20170324
F-Prot 20170324
Fortinet 20170324
Ikarus 20170324
Jiangmin 20170324
K7AntiVirus 20170324
K7GW 20170324
Kingsoft 20170324
Malwarebytes 20170324
McAfee 20170324
nProtect 20170324
Palo Alto Networks (Known Signatures) 20170324
Panda 20170324
SentinelOne (Static ML) 20170315
Sophos AV 20170324
SUPERAntiSpyware 20170324
Symantec Mobile Insight 20170324
Tencent 20170324
TheHacker 20170321
TrendMicro 20170324
TrendMicro-HouseCall 20170324
Trustlook 20170324
VIPRE 20170324
ViRobot 20170324
Webroot 20170324
WhiteArmor 20170315
Yandex 20170323
Zillya 20170323
Zoner 20170324
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2017-03-04 17:30:57
Entry Point 0x00006750
Number of sections 4
PE sections
PE imports
RegCreateKeyExW
GetSidSubAuthorityCount
GetSidSubAuthority
RegCloseKey
OpenProcessToken
GetUserNameW
FreeSid
RegQueryValueExA
GetTokenInformation
RegEnumKeyExW
AllocateAndInitializeSid
CheckTokenMembership
RegSetValueW
RegDeleteKeyA
SystemFunction036
RegCreateKeyExA
RegOpenKeyExA
RegCreateKeyA
RegSetValueExW
CreateToolhelp32Snapshot
GetUserDefaultUILanguage
GetLastError
AttachConsole
HeapFree
GetStdHandle
GetDriveTypeW
GetShortPathNameW
OpenProcess
TerminateThread
lstrlenA
lstrcmpiA
WaitForSingleObject
GetVersionExW
GetExitCodeProcess
HeapAlloc
ReleaseMutex
lstrcmpiW
ExitThread
Process32Next
GetCurrentProcess
EnterCriticalSection
GetFileSize
Process32First
GetCommandLineW
CreateThread
MultiByteToWideChar
lstrlenW
GetTickCount
DeleteFileW
GetProcAddress
GetProcessHeap
GetComputerNameW
CreateMutexA
SetFilePointerEx
GetFileSizeEx
WideCharToMultiByte
GetModuleFileNameW
MoveFileExW
GetModuleHandleA
ReadFile
WriteFile
GetExitCodeThread
lstrcmpW
HeapReAlloc
LoadLibraryA
TerminateProcess
InitializeCriticalSection
GetTempPathW
CreateFileW
GetEnvironmentVariableW
CreateProcessW
Sleep
SetFileAttributesW
ExitProcess
LeaveCriticalSection
SleepEx
CloseHandle
SHChangeNotify
SHGetFolderPathW
ShellExecuteW
ShellExecuteExW
CommandLineToArgvW
StrStrA
StrStrIW
StrChrA
StrRChrW
GetForegroundWindow
GetSystemMetrics
GetKeyboardLayoutList
SystemParametersInfoW
WinHttpConnect
WinHttpQueryHeaders
WinHttpSendRequest
WinHttpCloseHandle
WinHttpQueryDataAvailable
WinHttpReceiveResponse
WinHttpOpen
WinHttpOpenRequest
WinHttpReadData
getaddrinfo
getsockopt
closesocket
send
WSAStartup
freeaddrinfo
connect
sendto
htons
recv
socket
GdipCreateBitmapFromScan0
GdipCreateFont
GdipDeleteFontFamily
GdipCloneStringFormat
GdipGraphicsClear
GdipFree
GdipDrawString
GdipSetStringFormatAlign
GdipCreateFontFamilyFromName
GdipCreateStringFormat
GdipDeleteStringFormat
GdipAlloc
GdipDisposeImage
GdipSaveImageToFile
GdiplusStartup
GdipDeleteBrush
GdipGetImageGraphicsContext
GdipSetStringFormatLineAlign
GdipDeleteGraphics
GdipCreateLineBrushFromRectI
GdipDeleteFont
CoCreateInstance
CoInitialize
ExifTool file metadata
MIMEType application/octet-stream
Subsystem Windows GUI
MachineType Intel 386 or later, and compatibles
FileTypeExtension exe
TimeStamp 2017:03:04 18:30:57+01:00
FileType Win32 EXE
PEType PE32
CodeSize 49664
LinkerVersion 10.0
EntryPoint 0x6750
InitializedDataSize 35328
SubsystemVersion 5.1
ImageVersion 0.0
OSVersion 5.1
UninitializedDataSize 0
File identification
MD5 159af0102877e71a1c3f5468bd02a8f3
SHA1 dda7ec2fd1fa648c2fad8a223e20e82e26095567
SHA256 de4d32cf30b81cf3761b34940ae82e086cb1dbd34a4fd1d630d0416a6721324a
ssdeep 1536:4xIzeLCccm4peVZAFf5kfrpZKbojnmU6CI9y+/DAK4IFu5dsVPV5cnZ:4xIzeLlcm4psshal8pf9y+/DAK4IFagc
authentihash edf737ddcb73b103094ec7bb9729202b6fa1858a6e641281c1973cd8a6da8d97
imphash 6f3c766afe4cd1ea6398b67f14de1434
File size 83.5 KB ( 85504 bytes )
File type Win32 EXE
Magic literal PE32 executable for MS Windows (GUI) Intel 80386 32-bit
TrID Win32 Executable MS Visual C++ (generic) (52.5%)
Windows screen saver (22.0%)
Win32 Dynamic Link Library (generic) (11.0%)
Win32 Executable (generic) (7.5%)
Generic Win/DOS Executable (3.3%)
Tags peexe
VirusTotal metadata
First submission 2017-03-24 19:55:48 UTC ( 8 months, 3 weeks ago )
Last submission 2017-03-24 19:58:53 UTC ( 8 months, 3 weeks ago )
File names sage.exe, sage.dll