SHA256: c04836696d715c544382713eebf468aeff73c15616e1cd8248ca8c4c7e931505
File name: ransom.exe
Detection ratio: 14 / 55
Analysis date: 2017-01-18 16:14:43 UTC (2 years, 4 months ago)
Antivirus                Result                                            Update
Ad-Aware                 Gen:Trojan.Heur2.FU.kqZ@aK4h0xo                   20170118
Arcabit                  Trojan.Heur2.FU.EBA500                            20170118
AVG                      Win32/DH{gRsxE4EP?}                               20170118
Baidu                    Win32.Trojan.WisdomEyes.16070401.9500.9999        20170118
CrowdStrike Falcon (ML)  malicious_confidence_100% (D)                     20161024
Emsisoft                 Gen:Trojan.Heur2.FU.kqZ@aK4h0xo (B)               20170118
F-Secure                 Gen:Trojan.Heur2.FU.kqZ@aK4h0xo                   20170118
GData                    Gen:Trojan.Heur2.FU.kqZ@aK4h0xo                   20170118
Ikarus                   Trojan-Banker.Win32.Citadel                       20170118
Sophos ML                worm.win32.citeary.d                              20170111
eScan                    Gen:Trojan.Heur2.FU.kqZ@aK4h0xo                   20170118
Qihoo-360                HEUR/QVM20.1.0000.Malware.Gen                     20170118
Rising                   Malware.Generic!ZzQ2pPl4dFB@2 (thunder)           20170118
Symantec                 ML.Attribute.VeryHighConfidence [Heur.AdvML.B]    20170118

Engines with no detection (antivirus, signature update date):
AegisLab                 20170118
AhnLab-V3                20170118
Alibaba                  20170118
ALYac                    20170118
Antiy-AVL                20170118
Avast                    20170118
Avira (no cloud)         20170118
AVware                   20170118
CAT-QuickHeal            20170118
ClamAV                   20170118
CMC                      20170118
Comodo                   20170118
Cyren                    20170118
DrWeb                    20170118
ESET-NOD32               20170118
F-Prot                   20170118
Fortinet                 20170118
Jiangmin                 20170118
K7AntiVirus              20170118
K7GW                     20170118
Kaspersky                20170118
Kingsoft                 20170118
Malwarebytes             20170118
McAfee                   20170118
McAfee-GW-Edition        20170118
Microsoft                20170118
NANO-Antivirus           20170118
nProtect                 20170118
Panda                    20170117
Sophos AV                20170118
SUPERAntiSpyware         20170118
Tencent                  20170118
TheHacker                20170117
TotalDefense             20170118
TrendMicro               20170118
TrendMicro-HouseCall     20170118
Trustlook                20170118
VBA32                    20170118
VIPRE                    20170118
ViRobot                  20170118
WhiteArmor               20170117
Yandex                   20170117
Zillya                   20170117
Zoner                    20170118
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
FileVersionInfo properties
PE header basic information
Target machine: Intel 386 or later processors and compatible processors
Compilation timestamp: 2017-01-17 22:27:13
Entry Point: 0x0000121C
Number of sections: 4
PE sections
Overlays
MD5: 4ca5dc1aed4b153f3e9b3f968643e739
File type: data
Offset: 91136
Size: 82787
Entropy: 8.00
PE imports
CryptReleaseContext
RegCloseKey
GetUserNameW
CryptGetHashParam
RegOpenKeyExW
CryptAcquireContextW
CryptHashData
RegQueryValueExW
CryptDestroyHash
CryptCreateHash
CreateToolhelp32Snapshot
DeviceIoControl
InitializeCriticalSectionAndSpinCount
HeapFree
GetStdHandle
EnterCriticalSection
LCMapStringW
VirtualAllocEx
LoadLibraryW
GetLastError
GetConsoleCP
GetOEMCP
IsDebuggerPresent
EncodePointer
VirtualProtect
FlushFileBuffers
RtlUnwind
Process32NextW
VirtualFree
DeleteCriticalSection
GetCurrentProcess
GetConsoleMode
GetStringTypeW
GetFileSize
OpenProcess
GetCommandLineW
GetCPInfo
UnhandledExceptionFilter
LoadLibraryExW
MultiByteToWideChar
SetFilePointerEx
DeleteFileW
GetProcAddress
GetThreadContext
Process32FirstW
GetProcessHeap
SetStdHandle
GetModuleHandleA
WideCharToMultiByte
GetModuleFileNameW
ExpandEnvironmentStringsW
ReadFile
SetUnhandledExceptionFilter
WriteFile
CloseHandle
IsProcessorFeaturePresent
GetACP
DecodePointer
GetModuleHandleW
TerminateProcess
AddVectoredExceptionHandler
VirtualAlloc
GetModuleHandleExW
IsValidCodePage
OutputDebugStringW
CreateFileW
VirtualQuery
CreateProcessW
TlsGetValue
Sleep
WriteConsoleW
TlsSetValue
HeapAlloc
GetCurrentThreadId
GetCurrentThread
ExitProcess
RemoveVectoredExceptionHandler
SetLastError
LeaveCriticalSection
SHGetFolderPathW
PathFileExistsW
PathAppendW
FindWindowW
ExifTool file metadata
MIMEType: application/octet-stream
Subsystem: Windows GUI
MachineType: Intel 386 or later, and compatibles
FileTypeExtension: exe
TimeStamp: 2017:01:17 23:27:13+01:00
FileType: Win32 EXE
PEType: PE32
CodeSize: 54272
LinkerVersion: 12.0
ImageFileCharacteristics: Executable, 32-bit
EntryPoint: 0x121c
InitializedDataSize: 44544
SubsystemVersion: 5.1
ImageVersion: 1.0
OSVersion: 5.1
UninitializedDataSize: 0
Compressed bundles
File identification
MD5: c50deba5542672ce85086c6ad747a1e4
SHA1: 25bb2935f75e15b4117779b93d064367049b5fa9
SHA256: c04836696d715c544382713eebf468aeff73c15616e1cd8248ca8c4c7e931505
ssdeep: 3072:uq53wlc9y5sfFhIHYM4kNgMkLUiPfY7W0yPARAlYk:uq5S8GHYMHdlOfSW0wAC
authentihash: d1ae0a4d78022a89234f3cd10851a3eabf36c5cd4bb709f0e21e71be8e761ee8
imphash: b53f6e0803fd24f3dd50f45f3b463d3f
File size: 169.8 KB (173923 bytes)
File type: Win32 EXE
Magic literal: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
TrID:
  Win32 Executable MS Visual C++ (generic) (41.0%)
  Win64 Executable (generic) (36.3%)
  Win32 Dynamic Link Library (generic) (8.6%)
  Win32 Executable (generic) (5.9%)
  OS/2 Executable (generic) (2.6%)
Tags: peexe overlay
VirusTotal metadata
First submission: 2017-01-18 16:14:43 UTC (2 years, 4 months ago)
Last submission: 2018-05-15 00:05:24 UTC (1 year ago)
File names:
  localfile~
  RAAS RANSOMWARE
  satan.exe
  ransom.exe
  c04836696d715c544382713eebf468aeff73c15616e1cd8248ca8c4c7e931505.bin
  c50deba5542672ce85086c6ad747a1e4.bin
  c50deba5542672ce85086c6ad747a1e4
  ransome.exe
  Satan2.exe
Advanced heuristic and reputation engines
Condensed report! The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.
Searched windows
Runtime DLLs
Additional details
The file uses the IsDebuggerPresent Windows API function in order to see whether it is being debugged.
UDP communications