SHA256: 27958e55f7d5b9aad874ac61ff1df7cb78083eb4eca2201fcb3b343a628e8536
File name: Spora.exe
Detection ratio: 54 / 59
Analysis date: 2017-05-23 00:16:10 UTC ( 18 hours, 21 minutes ago )
Antivirus Result Update
Ad-Aware Gen:Variant.Symmi.72838 20170522
AegisLab Troj.Ransom.W32.Spora!c 20170522
AhnLab-V3 Trojan/Win32.Spora.R196000 20170522
ALYac Trojan.Ransom.Spora 20170522
Antiy-AVL Trojan[Ransom]/Win32.Spora 20170522
Arcabit Trojan.Symmi.D11C86 20170522
Avast Win32:Malware-gen 20170522
AVG GenericX.1100 20170523
Avira (no cloud) TR/Crypt.ZPACK.kxrby 20170522
AVware Trojan.Win32.Generic!BT 20170522
Baidu Win32.Trojan.WisdomEyes.16070401.9500.9870 20170503
BitDefender Gen:Variant.Symmi.72838 20170522
Bkav W32.Clod43c.Trojan.9b08 20170522
CAT-QuickHeal Ransom.Exxroute.A4 20170522
Comodo UnclassifiedMalware 20170523
CrowdStrike Falcon (ML) malicious_confidence_100% (W) 20170130
Cyren W32/S-26bbd9ea!Eldorado 20170523
DrWeb Trojan.Encoder.10607 20170522
Emsisoft Trojan-Ransom.Spora (A) 20170523
Endgame malicious (high confidence) 20170515
ESET-NOD32 Win32/Filecoder.Spora.A 20170522
F-Prot W32/S-26bbd9ea!Eldorado 20170523
F-Secure Gen:Variant.Symmi.72838 20170523
Fortinet W32/Kryptik.FOUQ!tr 20170522
GData Gen:Variant.Symmi.72838 20170523
Ikarus Trojan.Win32.Crypt 20170522
Invincea ddos.win32.nitol.a 20170519
Jiangmin Trojan.Spora.fm 20170522
K7AntiVirus Trojan ( 00506d5c1 ) 20170522
K7GW Trojan ( 00506d5c1 ) 20170523
Kaspersky HEUR:Trojan.Win32.Generic 20170522
Malwarebytes Ransom.Spora 20170522
McAfee Ransom-Spora!559E8B46D881 20170522
McAfee-GW-Edition BehavesLike.Win32.FakeAlert.kh 20170522
Microsoft Ransom:Win32/Spora 20170522
eScan Gen:Variant.Symmi.72838 20170523
NANO-Antivirus Trojan.Win32.Spora.emafxm 20170522
nProtect Ransom/W32.Spora.69632.I 20170522
Palo Alto Networks (Known Signatures) generic.ml 20170523
Panda Trj/Genetic.gen 20170522
Qihoo-360 Win32/Trojan.Ransom.6ce 20170523
Rising Malware.Generic.6!tfe (cloud:ybBFYQUddTS) 20170523
SentinelOne (Static ML) static engine - malicious 20170516
Sophos Mal/Generic-S 20170522
Symantec Packed.Generic.493 20170522
Tencent Win32.Trojan.Raas.Auto 20170523
TheHacker Trojan/Filecoder.Spora.a 20170522
TrendMicro-HouseCall Ransom_SPORA.F117C1 20170522
VBA32 Hoax.Spora 20170522
VIPRE Trojan.Win32.Generic!BT 20170522
ViRobot Trojan.Win32.Spora.69632.A[h] 20170522
Webroot Trojan.Dropper.Gen 20170523
Yandex Trojan.Filecoder!89F/eI3Oiy4 20170518
ZoneAlarm by Check Point HEUR:Trojan.Win32.Generic 20170522
Alibaba 20170522
ClamAV 20170522
CMC 20170522
Kingsoft 20170523
SUPERAntiSpyware 20170522
Symantec Mobile Insight 20170523
Trustlook 20170523
WhiteArmor 20170517
Zoner 20170522
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2016-11-10 12:03:12
Entry Point 0x0000275A
Number of sections 4
PE imports
ReplaceFileA
ReleaseMutex
SetEvent
GetFileAttributesW
FileTimeToLocalFileTime
OpenFileMappingW
GetCurrentProcessId
AddAtomA
GetCalendarInfoW
SetErrorMode
GetStartupInfoW
GetProcAddress
lstrcpyA
GetModuleHandleA
WriteFile
CompareStringA
OpenMutexW
CreateWaitableTimerA
GetStringTypeW
lstrcmpi
GetCurrentDirectoryW
InitializeCriticalSection
OutputDebugStringW
OpenSemaphoreA
FormatMessageA
CreateFileA
SetLocaleInfoW
SleepEx
FindFirstVolumeW
AlphaBlend
DllInitialize
TransparentBlt
vSetDdrawflag
CPGenKey
CPCreateHash
SE_InstallBeforeInit
SE_DllLoaded
SE_InstallAfterInit
PathCompactPathW
UrlCanonicalizeA
UrlHashW
UrlGetPartW
UrlIsNoHistoryW
UrlIsA
UrlCompareA
UrlGetLocationW
PathIsRootA
UrlCombineW
PathCommonPrefixA
UrlUnescapeA
UrlCreateFromPathW
UrlEscapeA
GetCursorPos
MessageBoxExA
LoadCursorA
wsprintfA
IsDialogMessageW
CharToOemW
DefDlgProcA
LoadBitmapW
DrawTextExW
SetWindowTextW
GetRawInputDeviceInfoA
CreateWindowExW
DdeQueryStringA
Number of PE resources by type
RT_RCDATA 2
RT_MANIFEST 1
Number of PE resources by language
NEUTRAL 2
RUSSIAN 1
ExifTool file metadata
MIMEType application/octet-stream
Subsystem Windows GUI
MachineType Intel 386 or later, and compatibles
FileTypeExtension exe
TimeStamp 2016:11:10 13:03:12+01:00
FileType Win32 EXE
PEType PE32
CodeSize 36864
LinkerVersion 6.0
EntryPoint 0x275a
InitializedDataSize 28672
SubsystemVersion 4.0
ImageVersion 0.0
OSVersion 4.0
UninitializedDataSize 0
File identification
MD5 559e8b46d88188a561e36fd83b5bd9e8
SHA1 d0416b82d035dfa8bc0b99a89d822400576d1baf
SHA256 27958e55f7d5b9aad874ac61ff1df7cb78083eb4eca2201fcb3b343a628e8536
ssdeep 768:fiQpNTSoMkz42Hu3e9i/I3IaROhF1mzwArcDftScTqVtFHlVuJDqTSoHTSo:fRv1zrOOyaXzwArcLtScw/FVnB
authentihash 104f1e4bb71e891cc2b0a4841622f59c738c6742e3b15f236e783ce87f26734d
imphash 39a948102bfb3a5ad4a5eacf9f120aea
File size 68.0 KB ( 69632 bytes )
File type Win32 EXE
Magic literal PE32 executable for MS Windows (GUI) Intel 80386 32-bit
TrID Win32 Dynamic Link Library (generic) (38.2%)
Win32 Executable (generic) (26.2%)
Win16/32 Executable Delphi generic (12.0%)
Generic Win/DOS Executable (11.6%)
DOS Executable Generic (11.6%)
Tags peexe
VirusTotal metadata
First submission 2017-02-28 15:35:48 UTC ( 2 months, 3 weeks ago )
Last submission 2017-05-23 00:16:10 UTC ( 18 hours, 21 minutes ago )
File names 559e8b46d88188a561e36fd83b5bd9e8.exe
a609b02bdb90fa13.exe
d0416b82d035dfa8bc0b99a89d822400576d1baf.exe
Spora.exe
02729d4ee3bb7f75(03).exe
a.exe
Condensed report! The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.
Additional details
The file uses the IsDebuggerPresent Windows API function in order to see whether it is being debugged.
The file installs an application-defined hook procedure into a hook chain. A hook procedure is installed to monitor the system for certain types of events; these events are associated either with a specific thread or with all threads in the same desktop as the calling thread. This is done by making use of the SetWindowsHook Windows API function.