SHA256: d765e722e295969c0a5c2d90f549db8b89ab617900bf4698db41c7cdad993bb9
File name: {71257279-042b-371d-a1d3-fbf8d2fadffa}.exe
Detection ratio: 57 / 60
Analysis date: 2017-04-26 21:53:55 UTC ( 3 days, 16 hours ago )
Antivirus Result Update
Ad-Aware Trojan.Agent.BBPC 20170426
AegisLab Troj.Ransom.W32.Blocker.cfwh!c 20170426
AhnLab-V3 Trojan/Win32.Blocker.C199567 20170426
ALYac Trojan.Ransom.CryptoLocker.A 20170426
Antiy-AVL Trojan[Ransom]/Win32.Blocker 20170426
Arcabit Trojan.Agent.BBPC 20170426
Avast Win32:Ransom-AQL [Trj] 20170426
AVG Ransomer.CEL 20170426
Avira (no cloud) TR/Crilock.A.11 20170426
AVware Trojan.Win32.Cryptolocker.mc (fs) 20170426
Baidu Win32.Trojan.WisdomEyes.16070401.9500.9727 20170426
BitDefender Trojan.Agent.BBPC 20170426
CAT-QuickHeal Ransom.Crilock.A5 20170426
ClamAV Win.Trojan.Cryptolocker-2 20170426
Comodo Worm.Win32.Ransom.CryptoLocker.~ 20170426
CrowdStrike Falcon (ML) malicious_confidence_67% (W) 20170130
Cyren W32/Ransom.RQHI-1717 20170426
DrWeb Trojan.Encoder.304 20170426
Emsisoft Trojan.Agent.BBPC (B) 20170426
Endgame malicious (moderate confidence) 20170419
ESET-NOD32 Win32/Filecoder.BQ 20170426
F-Prot W32/Ransom.EC 20170426
F-Secure Trojan.Agent.BBPC 20170426
Fortinet W32/Filecoder.BQ!tr 20170426
GData Win32.Trojan-Ransom.Cryptolocker.A 20170426
Ikarus Trojan-Ransom.CryptoLocker 20170426
Invincea trojan.win32.eyestye.n 20170413
Jiangmin Trojan/Blocker.gig 20170425
K7AntiVirus Trojan ( 0001140e1 ) 20170426
K7GW Trojan ( 0001140e1 ) 20170426
Kaspersky Trojan-Ransom.Win32.Blocker.cfwh 20170426
Malwarebytes Ransom.FileCryptor 20170426
McAfee Generic.dx!04FB36199787 20170426
McAfee-GW-Edition Generic.dx!04FB36199787 20170426
Microsoft Ransom:Win32/Crilock.A 20170426
eScan Trojan.Agent.BBPC 20170426
NANO-Antivirus Trojan.Win32.Blocker.ctckvo 20170426
nProtect Trojan/W32.Blocker.346112.B 20170426
Palo Alto Networks (Known Signatures) generic.ml 20170426
Panda Trj/WLT.A 20170426
Qihoo-360 Win32/Trojan.Ransom.5c9 20170426
Rising Trojan.Generic (cloud:TRlJh4vu2hC) 20170426
Sophos Troj/Ransom-ACV 20170426
SUPERAntiSpyware Trojan.Agent/Gen 20170426
Symantec Ransom.Cryptolocker 20170426
Tencent Win32.Trojan.Blocker.Hfn 20170426
TheHacker Trojan/Filecoder.bq 20170424
TrendMicro TROJ_RANSOM.SMLD 20170426
TrendMicro-HouseCall TROJ_RANSOM.SMLD 20170426
VBA32 Hoax.Blocker 20170426
VIPRE Trojan.Win32.Cryptolocker.mc (fs) 20170426
ViRobot Trojan.Win32.S.Agent.346112.BG[h] 20170426
Webroot W32.Obfuscated.Gen 20170426
Yandex Trojan.Kazy!HF4Ga+lwjwI 20170426
Zillya Trojan.Blocker.Win32.10224 20170426
ZoneAlarm by Check Point Trojan-Ransom.Win32.Blocker.cfwh 20170426
Zoner Trojan.Filecoder.BQ 20170426
Alibaba 20170426
CMC 20170421
Kingsoft 20170426
SentinelOne (Static ML) 20170330
Symantec Mobile Insight 20170426
Trustlook 20170426
WhiteArmor 20170409
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2013-09-07 14:57:57
Entry Point 0x00001E00
Number of sections 5
PE sections
PE imports
CryptDestroyKey
RegCreateKeyExW
RegCloseKey
RegEnumValueW
CryptEncrypt
RegDeleteKeyW
CryptHashData
RegQueryValueExW
CryptImportKey
CryptCreateHash
RegFlushKey
CryptGetKeyParam
RegOpenKeyExW
CryptGenKey
CryptReleaseContext
RegQueryInfoKeyW
RegEnumKeyExW
CryptAcquireContextW
CryptDecrypt
CryptDestroyHash
RegDeleteValueW
RegSetValueExW
CryptSetKeyParam
CryptGetHashParam
CryptExportKey
Ord(413)
InitCommonControlsEx
Ord(410)
CryptDecodeObjectEx
CryptStringToBinaryA
CryptImportPublicKeyInfo
GetDeviceCaps
GetObjectA
DeleteDC
CreateFontIndirectW
SelectObject
CreateSolidBrush
GetObjectW
SetBkMode
SetBkColor
CreateCompatibleDC
DeleteObject
SetTextColor
GetUserDefaultUILanguage
GetSystemTime
GetLastError
HeapFree
GetModuleFileNameW
SystemTimeToFileTime
ReleaseMutex
FileTimeToSystemTime
LoadLibraryW
GlobalFree
SetEvent
FreeLibrary
QueryPerformanceCounter
EnterCriticalSection
HeapAlloc
FlushFileBuffers
GetHandleInformation
GlobalUnlock
GetFileAttributesW
GetCommandLineW
DeleteCriticalSection
FileTimeToLocalFileTime
SizeofResource
GetVolumeInformationW
WaitForSingleObject
WaitForMultipleObjects
LockResource
SetFileTime
GetModuleHandleW
CreateThread
GetDateFormatW
SetErrorMode
MultiByteToWideChar
SetFilePointerEx
DeleteFileW
GetProcAddress
GetProcessHeap
GetComputerNameW
GetFileTime
GetTimeFormatW
GetLogicalDrives
GetFileSizeEx
WideCharToMultiByte
GetDiskFreeSpaceExW
MoveFileExW
ExpandEnvironmentStringsW
lstrcmpA
FindNextFileW
FindResourceExW
CreateMutexW
ReadFile
ResetEvent
FindFirstFileW
HeapReAlloc
GlobalLock
GetDriveTypeW
LocalFree
GetTempPathW
ResumeThread
CreateEventW
InitializeCriticalSection
LoadResource
WriteFile
CreateFileW
GlobalAlloc
CreateProcessW
FindClose
Sleep
GetCurrentThread
SetFileAttributesW
SetThreadPriority
CloseHandle
GetTickCount
GetCurrentThreadId
LeaveCriticalSection
ExitProcess
GetEnvironmentVariableW
SetLastError
CopyFileExW
AlphaBlend
SHGetFolderPathW
ShellExecuteExW
CommandLineToArgvW
SHGetFileInfoW
Ord(12)
StrCmpW
StrCmpNW
PathUnquoteSpacesW
PathFindFileNameW
PathRemoveFileSpecW
PathMatchSpecW
PathAddBackslashW
PathQuoteSpacesW
StrCmpIW
PathRemoveBackslashW
StrChrW
SetFocus
EmptyClipboard
GetMonitorInfoW
GetForegroundWindow
GetParent
UpdateWindow
IntersectRect
EndDialog
SystemParametersInfoW
CreateDialogParamW
DefWindowProcW
GetDlgCtrlID
DestroyMenu
RegisterClassExW
PostQuitMessage
ScreenToClient
ShowWindow
GetCaretPos
FlashWindowEx
SetWindowPos
GetSystemMetrics
MonitorFromWindow
MessageBoxW
PeekMessageW
GetWindowRect
EndPaint
ScrollWindowEx
MoveWindow
DialogBoxParamW
AppendMenuW
CharLowerW
AdjustWindowRectEx
TranslateMessage
CreateWindowExW
MessageBoxIndirectW
GetScrollInfo
SetScrollInfo
GetKeyState
GetCursorPos
ReleaseDC
BeginPaint
CreatePopupMenu
SendMessageW
SetClipboardData
IsWindowVisible
UnregisterClassW
GetClientRect
SetWindowLongW
GetDlgItem
SetForegroundWindow
SetMenuDefaultItem
DispatchMessageW
ClientToScreen
InSendMessage
InvalidateRect
PostMessageW
DrawFocusRect
SetTimer
GetClassNameW
TrackPopupMenu
IsDialogMessageW
MonitorFromPoint
SetWindowTextW
GetWindowTextW
LoadIconW
GetDC
MsgWaitForMultipleObjects
GetWindowLongW
CloseClipboard
DrawTextW
DestroyWindow
ReplyMessage
OpenClipboard
SetWindowTheme
WinHttpConnect
WinHttpQueryHeaders
WinHttpReadData
WinHttpCloseHandle
WinHttpWriteData
WinHttpAddRequestHeaders
WinHttpReceiveResponse
WinHttpOpen
WinHttpOpenRequest
WinHttpSendRequest
GdipCreateFontFromDC
GdipCreateStringFormat
GdipDeleteBrush
GdipCreateSolidFill
GdiplusShutdown
GdipDisposeImage
GdipCreateHBITMAPFromBitmap
GdiplusStartup
GdipSetStringFormatHotkeyPrefix
GdipDeleteGraphics
GdipCreateBitmapFromStream
GdipDeleteFont
GdipCreateFontFromLogfontA
GdipCreateFromHDC
GdipSetStringFormatAlign
GdipGetImageWidth
GdipAlloc
GdipDrawImageRectI
GdipCloneBrush
GdipFree
GdipDrawString
GdipGetImageHeight
GdipDeleteStringFormat
GdipCloneImage
GdipSetStringFormatLineAlign
_except_handler3
_purecall
_vsnprintf
memmove
memset
memcpy
_vsnwprintf
CoInitializeEx
CoUninitialize
CoTaskMemFree
StringFromGUID2
Number of PE resources by type
RT_RCDATA 11
RT_DIALOG 5
RT_ICON 2
RT_MANIFEST 1
RT_GROUP_ICON 1
Number of PE resources by language
NEUTRAL 19
ENGLISH US 1
PE resources
ExifTool file metadata
MIMEType application/octet-stream
Subsystem Windows GUI
MachineType Intel 386 or later, and compatibles
TimeStamp 2013:09:07 15:57:57+01:00
FileType Win32 EXE
PEType PE32
CodeSize 64512
LinkerVersion 11.0
FileTypeExtension exe
InitializedDataSize 284160
SubsystemVersion 5.1
EntryPoint 0x1e00
OSVersion 5.1
ImageVersion 0.0
UninitializedDataSize 0
CarbonBlack ("CarbonBlack acts as a surveillance camera for computers")
While monitoring an end-user machine in-the-wild, CarbonBlack noticed the following files in execution wrote this sample to disk.
While monitoring an end-user machine in-the-wild, CarbonBlack noticed this sample wrote the following files to disk.
Compressed bundles
File identification
MD5 04fb36199787f2e3e2135611a38321eb
SHA1 65559245709fe98052eb284577f1fd61c01ad20d
SHA256 d765e722e295969c0a5c2d90f549db8b89ab617900bf4698db41c7cdad993bb9
ssdeep 6144:sWmw0EuCN0pLWgTO3x5N22vWvLRKKAX5l++SybIvC:sWkEuCaNT85I2vCMX5l+ZRv
authentihash ebb27a081a337cc9f514610c1b03a5cefbcdb2f89a8ee63e06c400d44de69274
imphash 7e8ad4139efc6cbcf31df3bc4b291dd8
File size 338.0 KB ( 346112 bytes )
File type Win32 EXE
Magic literal PE32 executable for MS Windows (GUI) Intel 80386 32-bit
TrID Win32 Executable MS Visual C++ (generic) (42.2%)
Win64 Executable (generic) (37.3%)
Win32 Dynamic Link Library (generic) (8.8%)
Win32 Executable (generic) (6.0%)
Generic Win/DOS Executable (2.7%)
Tags
peexe via-tor

VirusTotal metadata
First submission 2013-09-08 15:47:14 UTC ( 3 years, 7 months ago )
Last submission 2017-04-26 21:53:55 UTC ( 3 days, 16 hours ago )
File names 0709.exe.x-msdos-program
{213D7E33-3912-1C20-3D3D-01070BCDFFF3}.exe
salab138.soleranetworks.com_2014-10-15T11.09.45-0600_192.168.0.32-2201_174.138.172.57-80_04fb36199787f2e3e2135611a38321eb_8.exe
fiche de paie.pdf.exe
37769.bin
cry3.exe
{D0EE94E5-EF8C-E6CC-8E83-EDE6D2CD2F14}.exe
file.exe
{71257279-042b-371d-a1d3-fbf8d2fadffa}.exe.1
vti-rescan
0709.exe.dat
malware_sample.exe
d765e722e295969c0a5c2d90f549db8b89ab617900bf4698db41c7cdad993bb9
cry2.exe
0709.exe
cryptolocker_DO_NOT_RUN_WILL_ENCRYPT_ALL_FILES.notanexe
2 CRYPTOLOCKER federal.exe
malware
{71257279-042b-371d-a1d3-fbf8d2fadffa}.exe
04fb36
{112c4a02-1112-2f13-0e03-001d1d0117df}.exe
d765e722e295969c0a5c2d90f549db8b89ab617900bf4698db41c7cdad993bb9.bin
{213D7E33-3912-1C20-3D38-1A0B15CDFFF3}.exe
{DBE0B9A3-FD8E-322E-2C13-2B1406153237}.exe
D765E722E295969C0A5C2D90F549DB8B89AB617900BF4698DB41C7CDAD993BB9.exe
Advanced heuristic and reputation engines
Symantec reputation Suspicious.Insight
Behaviour characterization
Zemana
dll-injection