SHA256: 27958e55f7d5b9aad874ac61ff1df7cb78083eb4eca2201fcb3b343a628e8536
File name: Spora.exe
Detection ratio: 53 / 60
Analysis date: 2017-06-06 01:52:27 UTC ( 1 month, 2 weeks ago )
Antivirus Result Update
Ad-Aware Gen:Variant.Symmi.72838 20170605
AegisLab Troj.Ransom.W32.Spora!c 20170606
AhnLab-V3 Trojan/Win32.Spora.R196000 20170605
ALYac Trojan.Ransom.Spora 20170605
Arcabit Trojan.Symmi.D11C86 20170606
Avast Win32:Filecoder-BD [Trj] 20170606
AVG GenericX.1100 20170605
Avira (no cloud) TR/Crypt.ZPACK.kxrby 20170605
AVware Trojan.Win32.Generic!BT 20170606
Baidu Win32.Trojan.WisdomEyes.16070401.9500.9870 20170601
BitDefender Gen:Variant.Symmi.72838 20170606
Bkav W32.Clod43c.Trojan.9b08 20170605
CAT-QuickHeal Ransom.Exxroute.A4 20170605
Comodo UnclassifiedMalware 20170606
CrowdStrike Falcon (ML) malicious_confidence_100% (W) 20170420
Cyren W32/S-26bbd9ea!Eldorado 20170606
DrWeb Trojan.Encoder.10607 20170606
Emsisoft Trojan-Ransom.Spora (A) 20170606
Endgame malicious (high confidence) 20170515
ESET-NOD32 Win32/Filecoder.Spora.A 20170606
F-Prot W32/S-26bbd9ea!Eldorado 20170606
F-Secure Gen:Variant.Symmi.72838 20170606
Fortinet W32/Kryptik.FOUQ!tr 20170606
GData Gen:Variant.Symmi.72838 20170606
Ikarus Trojan.Win32.Crypt 20170605
Sophos ML ddos.win32.nitol.a 20170604
Jiangmin Trojan.Spora.fm 20170606
K7AntiVirus Trojan ( 00506d5c1 ) 20170605
K7GW Trojan ( 00506d5c1 ) 20170606
Kaspersky HEUR:Trojan.Win32.Generic 20170605
Malwarebytes Ransom.Spora 20170605
McAfee Ransom-Spora!559E8B46D881 20170606
McAfee-GW-Edition BehavesLike.Win32.FakeAlert.kh 20170605
Microsoft Ransom:Win32/Spora 20170606
eScan Gen:Variant.Symmi.72838 20170605
NANO-Antivirus Trojan.Win32.Spora.emafxm 20170606
nProtect Ransom/W32.Spora.69632.I 20170606
Palo Alto Networks (Known Signatures) generic.ml 20170606
Panda Trj/Genetic.gen 20170605
Qihoo-360 Win32/Trojan.Ransom.6ce 20170606
SentinelOne (Static ML) static engine - malicious 20170516
Sophos AV Mal/Elenoocka-E 20170606
Symantec Packed.Generic.493 20170605
Tencent Win32.Trojan.Raas.Auto 20170606
TheHacker Trojan/Filecoder.Spora.a 20170605
TrendMicro Ransom_SPORA.F117C1 20170606
VBA32 Hoax.Spora 20170605
VIPRE Trojan.Win32.Generic!BT 20170606
ViRobot Trojan.Win32.Spora.69632.A[h] 20170606
Webroot Trojan.Dropper.Gen 20170606
Yandex Trojan.Filecoder!89F/eI3Oiy4 20170602
Zillya Trojan.Spora.Win32.206 20170605
ZoneAlarm by Check Point HEUR:Trojan.Win32.Generic 20170605
Alibaba 20170605
ClamAV 20170605
CMC 20170605
Kingsoft 20170606
Rising 20170605
SUPERAntiSpyware 20170605
Symantec Mobile Insight 20170605
TotalDefense 20170605
Trustlook 20170606
WhiteArmor 20170601
Zoner 20170606
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2016-11-10 12:03:12
Entry Point 0x0000275A
Number of sections 4
PE sections
PE imports (this extract lists the imported names without their DLL grouping; note that CPGenKey/CPCreateHash are cryptographic-service-provider entry points, SE_InstallBeforeInit/SE_DllLoaded/SE_InstallAfterInit are shim-engine exports and vSetDdrawflag is an msimg32 internal, none of which an ordinary application imports directly, so analysts usually read a table like this as packer noise, consistent with the Packed.Generic and Kryptik detections above, and expect the real API set to be resolved at run time through the imported GetProcAddress)
ReplaceFileA
ReleaseMutex
SetEvent
GetFileAttributesW
FileTimeToLocalFileTime
OpenFileMappingW
GetCurrentProcessId
AddAtomA
GetCalendarInfoW
SetErrorMode
GetStartupInfoW
GetProcAddress
lstrcpyA
GetModuleHandleA
WriteFile
CompareStringA
OpenMutexW
CreateWaitableTimerA
GetStringTypeW
lstrcmpi
GetCurrentDirectoryW
InitializeCriticalSection
OutputDebugStringW
OpenSemaphoreA
FormatMessageA
CreateFileA
SetLocaleInfoW
SleepEx
FindFirstVolumeW
AlphaBlend
DllInitialize
TransparentBlt
vSetDdrawflag
CPGenKey
CPCreateHash
SE_InstallBeforeInit
SE_DllLoaded
SE_InstallAfterInit
PathCompactPathW
UrlCanonicalizeA
UrlHashW
UrlGetPartW
UrlIsNoHistoryW
UrlIsA
UrlCompareA
UrlGetLocationW
PathIsRootA
UrlCombineW
PathCommonPrefixA
UrlUnescapeA
UrlCreateFromPathW
UrlEscapeA
GetCursorPos
MessageBoxExA
LoadCursorA
wsprintfA
IsDialogMessageW
CharToOemW
DefDlgProcA
LoadBitmapW
DrawTextExW
SetWindowTextW
GetRawInputDeviceInfoA
CreateWindowExW
DdeQueryStringA
PE exports
Number of PE resources by type
RT_RCDATA 2
RT_MANIFEST 1
Number of PE resources by language
NEUTRAL 2
RUSSIAN 1
PE resources
ExifTool file metadata
MIMEType: application/octet-stream
Subsystem: Windows GUI
MachineType: Intel 386 or later, and compatibles
FileTypeExtension: exe
TimeStamp: 2016:11:10 13:03:12+01:00 (the same instant as the 12:03:12 UTC compilation timestamp above)
FileType: Win32 EXE
PEType: PE32
CodeSize: 36864
LinkerVersion: 6.0
EntryPoint: 0x275a
InitializedDataSize: 28672
SubsystemVersion: 4.0
ImageVersion: 0.0
OSVersion: 4.0
UninitializedDataSize: 0
Compressed bundles
File identification
MD5 559e8b46d88188a561e36fd83b5bd9e8
SHA1 d0416b82d035dfa8bc0b99a89d822400576d1baf
SHA256 27958e55f7d5b9aad874ac61ff1df7cb78083eb4eca2201fcb3b343a628e8536
ssdeep 768:fiQpNTSoMkz42Hu3e9i/I3IaROhF1mzwArcDftScTqVtFHlVuJDqTSoHTSo:fRv1zrOOyaXzwArcLtScw/FVnB

authentihash 104f1e4bb71e891cc2b0a4841622f59c738c6742e3b15f236e783ce87f26734d
imphash 39a948102bfb3a5ad4a5eacf9f120aea
File size 68.0 KB ( 69632 bytes )
File type Win32 EXE
Magic literal PE32 executable for MS Windows (GUI) Intel 80386 32-bit

TrID Win32 Dynamic Link Library (generic) (38.2%)
Win32 Executable (generic) (26.2%)
Win16/32 Executable Delphi generic (12.0%)
Generic Win/DOS Executable (11.6%)
DOS Executable Generic (11.6%)
Tags
peexe
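The header fields and hashes in the identification block above are the first things to reproduce independently before trusting a third-party report. The following is an added example, not code from the VirusTotal report: a standard-library PE32 triage that recovers the machine type, compile timestamp, entry point, section count, linker/OS/subsystem versions and code/data sizes, walks the section table with a per-section entropy figure as a packing hint (the Packed.Generic and Kryptik detections above make that worth checking), and computes MD5/SHA-1/SHA-256. `build_sample()` returns a constructed stub whose headers carry the report's values; it is not the Spora binary, and its section names and size split are invented for the demonstration. Run it against the real file (`python pe_triage.py Spora.exe`) and the printed hashes should match the MD5 and SHA-256 listed above.

```python
"""Added example, not code from the VirusTotal report: a standard-library PE32
triage that recovers the header fields listed above (machine, compile
timestamp, entry point, section count, linker/OS/subsystem versions, code and
data sizes), walks the section table with a per-section entropy figure as a
packing hint, and hashes the file. build_sample() returns a constructed stub
whose headers carry the report's values; it is NOT the Spora binary, and its
section names and size split are invented for the demonstration."""
import calendar
import hashlib
import math
import struct
import sys
from datetime import datetime, timezone

IMAGE_FILE_MACHINE_I386 = 0x014C
PE32_MAGIC = 0x10B
SUBSYSTEMS = {2: "Windows GUI", 3: "Windows CUI"}
SECTION_FMT = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes


def entropy(buf: bytes) -> float:
    """Shannon entropy in bits per byte; values near 8.0 suggest packed or encrypted data."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(data: bytes) -> dict:
    """Parse the DOS header pointer, COFF header, PE32 optional header and section table."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    coff = e_lfanew + 4
    machine, nsect, ts, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic, lmaj, lmin, code, idata, udata, entry = struct.unpack_from("<HBBIIII", data, opt)
    if magic != PE32_MAGIC:
        raise ValueError("not PE32; PE32+ lays out the optional header differently")
    os_maj, os_min = struct.unpack_from("<HH", data, opt + 40)
    ss_maj, ss_min = struct.unpack_from("<HH", data, opt + 48)
    (subsystem,) = struct.unpack_from("<H", data, opt + 68)
    sections = []
    for i in range(nsect):
        name, vsize, rva, rsize, raw, *_ = struct.unpack_from(SECTION_FMT, data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_size": vsize, "rva": rva, "raw_size": rsize,
                         "entropy": round(entropy(data[raw:raw + rsize]), 2)})
    return {
        "machine": "Intel 386 or later" if machine == IMAGE_FILE_MACHINE_I386 else hex(machine),
        "timestamp": datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
        "entry_point": entry, "num_sections": nsect, "sections": sections,
        "linker": f"{lmaj}.{lmin}", "os_version": f"{os_maj}.{os_min}",
        "subsystem_version": f"{ss_maj}.{ss_min}",
        "subsystem": SUBSYSTEMS.get(subsystem, str(subsystem)),
        "code_size": code, "init_data_size": idata, "uninit_data_size": udata,
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def build_sample() -> bytes:
    """Constructed PE32 stub carrying the report's header values (not the real sample)."""
    # Invented 4-section layout at 0x1000 file alignment: 0x1000 of headers + 36864
    # bytes of code + 28672 bytes of initialised data = 69632 bytes, the reported size.
    layout = [(b".text", 36864, bytes(range(256)) * 144),  # uniform byte mix: entropy 8.0
              (b".rdata", 8192, b"\0" * 8192),
              (b".data", 4096, b"\0" * 4096),
              (b".rsrc", 16384, b"\0" * 16384)]
    e_lfanew = 0x80
    coff = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_I386, len(layout),
                       calendar.timegm((2016, 11, 10, 12, 3, 12)), 0, 0, 0xE0, 0x010F)
    opt = bytearray(0xE0)
    struct.pack_into("<HBBIIII", opt, 0, PE32_MAGIC, 6, 0, 36864, 28672, 0, 0x275A)
    struct.pack_into("<IIIII", opt, 20, 0x1000, 0xA000, 0x400000, 0x1000, 0x1000)  # bases, alignments
    struct.pack_into("<HHHHHH", opt, 40, 4, 0, 0, 0, 4, 0)  # OS 4.0, image 0.0, subsystem 4.0
    struct.pack_into("<II", opt, 56, 0x11000, 0x1000)  # SizeOfImage, SizeOfHeaders
    struct.pack_into("<HH", opt, 68, 2, 0)  # IMAGE_SUBSYSTEM_WINDOWS_GUI
    struct.pack_into("<I", opt, 92, 16)  # NumberOfRvaAndSizes
    headers, offset = b"", 0x1000
    for name, size, _ in layout:  # RVA == file offset in this stub, so no mapping is needed
        headers += struct.pack(SECTION_FMT, name.ljust(8, b"\0"), size, offset, size, offset, 0, 0, 0, 0, 0x60000020)
        offset += size
    image = bytearray(0x1000)
    image[:2] = b"MZ"
    struct.pack_into("<I", image, 0x3C, e_lfanew)
    body = b"PE\0\0" + coff + bytes(opt) + headers
    image[e_lfanew:e_lfanew + len(body)] = body
    return bytes(image) + b"".join(data for _, _, data in layout)


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    for key, value in parse_pe(blob).items():
        print(f"{key:>18}: {value}")
```

A section whose raw data reads near 8.0 bits per byte while its virtual size is much larger than its raw size is the classic packed-stub shape; a near-zero figure on a large section usually means padding. The parser deliberately refuses PE32+ rather than silently reading the wrong offsets, which is the failure mode that produces plausible-looking but wrong entry points.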

VirusTotal metadata
First submission 2017-02-28 15:35:48 UTC ( 4 months, 3 weeks ago )
Last submission 2017-06-06 01:52:27 UTC ( 1 month, 2 weeks ago )
File names 559e8b46d88188a561e36fd83b5bd9e8.exe
a609b02bdb90fa13.exe
d0416b82d035dfa8bc0b99a89d822400576d1baf.exe
Spora.exe
02729d4ee3bb7f75(03).exe
a.exe
Condensed report! The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.
Report categories with no entries captured in this extract: Opened files, Read files, Written files, Copied files, Deleted files, Created processes, Shell commands, Code injections in the following processes, Created mutexes, Opened mutexes, Searched windows, Opened service managers, Opened services, Hooking activity, Runtime DLLs.
Additional details
The file uses the IsDebuggerPresent Windows API function to check whether it is being debugged. This is the simplest anti-analysis check (it reads the BeingDebugged flag in the PEB) and is defeated by patching the return value or by a sandbox that clears the flag, so the call being logged says nothing about which code path the sample took afterwards.
The file installs an application-defined hook procedure into a hook chain using the SetWindowsHookEx Windows API function (reported generically as SetWindowsHook). A hook procedure monitors the system for certain types of events, associated either with a specific thread or, when the thread id argument is 0, with all threads on the calling thread's desktop. The detail worth recovering from the trace is the hook type (idHook): low-level keyboard or mouse hooks are the input-capturing kind, whereas window-message or CBT hooks serve other purposes.
UDP communications
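The behaviour summary above names the indicators but the extract does not carry the trace they came from. The following is an added example, not part of the VirusTotal report: detection logic run over sandbox API-call trace lines to surface the two behaviours the report states (IsDebuggerPresent anti-debugging and hook installation via SetWindowsHookEx, with the hook type and scope decoded) plus the mutex and file-rewrite activity that its category headings and its OpenMutexW/ReplaceFileA/WriteFile imports point at. `TRACE` is constructed for the demonstration and is not the sample's recorded behaviour; the `pid|tid|api|args|return` line format is an assumption, not any sandbox's real output, and the mutex name and file paths are invented.

```python
"""Added example, not part of the VirusTotal report: detection logic run over
sandbox API-call trace lines to surface the two behaviours the report states
(IsDebuggerPresent anti-debugging, hook installation via SetWindowsHookEx) and
the mutex and file-rewrite activity that its category headings and its
OpenMutexW/ReplaceFileA/WriteFile imports point at. TRACE is constructed for
the demonstration and is not the sample's recorded behaviour; the line format
pid|tid|api|args|return is an assumption, not any sandbox's real output."""
import re

# idHook values from WinUser.h; the *_LL pair is what keyloggers install.
HOOK_IDS = {2: "WH_KEYBOARD", 3: "WH_GETMESSAGE", 4: "WH_CALLWNDPROC", 5: "WH_CBT",
            7: "WH_MOUSE", 10: "WH_SHELL", 13: "WH_KEYBOARD_LL", 14: "WH_MOUSE_LL"}
# ProcessInformationClass values that reveal a debugger via NtQueryInformationProcess.
DEBUG_QUERY_CLASSES = {7: "ProcessDebugPort", 30: "ProcessDebugObjectHandle", 31: "ProcessDebugFlags"}

# Constructed trace (mutex name and paths invented), not the sample's behaviour.
TRACE = r"""1234|1|IsDebuggerPresent||0
1234|1|OutputDebugStringW|"probe"|
1234|1|NtQueryInformationProcess|0xffffffff,7,0x19ff10,4,0|0
1234|1|CreateMutexW|0,0,"m5z7Q-2Bq8w"|0x1c8
1234|1|SetWindowsHookExW|13,0x401a20,0x400000,0|0xd0051
1234|1|CreateFileW|"C:\Users\alice\Documents\report.docx",0x40000000|0x200
1234|1|WriteFile|0x200,4096|1
1234|1|CreateFileW|"C:\Users\alice\Pictures\holiday.jpg",0x40000000|0x204
1234|1|WriteFile|0x204,65536|1
1234|1|ReplaceFileA|"C:\Users\alice\Desktop\notes.txt","C:\Users\alice\Desktop\notes.txt.tmp"|1
1234|1|GetCursorPos|0x19ff20|1
"""

LINE = re.compile(r"^(\d+)\|(\d+)\|(\w+)\|([^|]*)\|(.*)$")


def to_int(text):
    """Parse a decimal or 0x-prefixed hex argument; None if it is not a number."""
    try:
        return int(text, 0)
    except ValueError:
        return None


def split_args(text):
    """Comma-split argument list (the constructed trace never quotes a comma)."""
    return [a.strip().strip('"') for a in text.split(",")] if text else []


def analyse(trace: str, rewrite_threshold: int = 2) -> dict:
    """Walk the trace once, collect evidence per behaviour, then summarise."""
    ev = {"anti_debug": [], "hooks": [], "mutexes": [], "files_written": []}
    handles = {}  # CreateFile return value -> path, so WriteFile can be attributed
    for raw in trace.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # tolerate noise lines rather than abort the run
        _pid, _tid, api, args, ret = m.groups()
        args, ret = split_args(args), ret.strip()
        if api in ("IsDebuggerPresent", "CheckRemoteDebuggerPresent"):
            ev["anti_debug"].append(f"{api} -> {ret}")
        elif api == "NtQueryInformationProcess" and len(args) > 1:
            cls = to_int(args[1])
            if cls in DEBUG_QUERY_CLASSES:
                ev["anti_debug"].append(f"{api}({DEBUG_QUERY_CLASSES[cls]})")
        elif api in ("OutputDebugStringA", "OutputDebugStringW"):
            ev["anti_debug"].append(f"{api} (weak: also plain logging)")
        elif api.startswith("SetWindowsHookEx") and args:
            hook = HOOK_IDS.get(to_int(args[0]), f"idHook={args[0]}")
            scope = "global" if len(args) > 3 and to_int(args[3]) == 0 else "thread-local"
            ev["hooks"].append(f"{hook} {scope}")
        elif api in ("CreateMutexA", "CreateMutexW", "OpenMutexA", "OpenMutexW") and args:
            ev["mutexes"].append(args[-1])  # lpName is the last parameter of both
        elif api in ("CreateFileA", "CreateFileW") and args and ret:
            handles[ret] = args[0]
        elif api == "WriteFile" and args and args[0] in handles:
            if handles[args[0]] not in ev["files_written"]:
                ev["files_written"].append(handles[args[0]])
        elif api in ("ReplaceFileA", "ReplaceFileW") and args:
            if args[0] not in ev["files_written"]:
                ev["files_written"].append(args[0])
    verdict = []
    if ev["anti_debug"]:
        verdict.append("anti-debugging")
    if any("_LL" in h for h in ev["hooks"]):
        verdict.append("low-level input hook (keylogging-capable)")
    elif ev["hooks"]:
        verdict.append("hook installed")
    if len(ev["files_written"]) >= rewrite_threshold:
        verdict.append("bulk file rewrite (ransomware-like)")
    ev["verdict"] = verdict
    return ev


if __name__ == "__main__":
    for key, value in analyse(TRACE).items():
        print(f"{key}: {value}")
```

The point of resolving `idHook` and the thread-id argument is that "installs a hook" alone is not actionable: a global WH_KEYBOARD_LL hook is an input-capture capability, a thread-local WH_CBT hook is ordinary GUI plumbing. Likewise the OutputDebugString entry is kept but marked weak, because it is both an old anti-debug trick and a routine logging call, and the file-rewrite count is a threshold you tune to the sandbox's run length.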