Antivirus scan for 5f1fcdfb951dc4642ce136a5d3e6bc42021f8e0cd631975a5eb3842da020531c at 2019-02-21 00:50:14 UTC

Vírusirtó	Eredmény	Utolsó frissítés
Ad-Aware	Trojan.GenericKD.5101930	20190220
AhnLab-V3	Trojan/Win32.JaffCrypto.C1959547	20190220
ALYac	Trojan.Ransom.Jaff	20190220
Antiy-AVL	Trojan[Ransom]/Win32.Scatter	20190220
Arcabit	Trojan.Generic.D4DD96A	20190220
Avast	Win32:Trojan-gen	20190220
AVG	Win32:Trojan-gen	20190220
Avira (no cloud)	TR/Crypt.XPACK.zomwe	20190220
BitDefender	Trojan.GenericKD.5101930	20190220
CAT-QuickHeal	Ransom.JAFF.A4	20190220
ClamAV	Win.Ransomware.Jaff-6316620-4	20190220
Comodo	Malware@#zq0z4t1bbqwu	20190220
CrowdStrike Falcon (ML)	win/malicious_confidence_100% (W)	20190211
Cybereason	malicious.b51e81	20190109
Cylance	Unsafe	20190220
Cyren	W32/Filecoder.PUQS-5261	20190220
DrWeb	Trojan.Encoder.11498	20190220
Emsisoft	Trojan.GenericKD.5101930 (B)	20190220
Endgame	malicious (high confidence)	20190215
ESET-NOD32	Win32/Filecoder.Jaff.A	20190220
F-Secure	Trojan.TR/Crypt.XPACK.zomwe	20190220
Fortinet	W32/Filecoder_Jaff.A!tr	20190220
GData	Win32.Trojan-Ransom.Jaff.C	20190220
Ikarus	Trojan.Win32.Filecoder	20190220
Sophos ML	heuristic	20181128
Jiangmin	Trojan.Scatter.eg	20190220
K7AntiVirus	Trojan ( 0050de1d1 )	20190220
K7GW	Trojan ( 0050de1d1 )	20190220
Kaspersky	Trojan-Ransom.Win32.Scatter.vd	20190220
MAX	malware (ai score=100)	20190220
McAfee	Generic.abu	20190220
McAfee-GW-Edition	Generic.abu	20190220
Microsoft	Ransom:Win32/Jaffrans.A	20190220
eScan	Trojan.GenericKD.5101930	20190220
NANO-Antivirus	Trojan.Win32.Scatter.epvmhq	20190220
Palo Alto Networks (Known Signatures)	generic.ml	20190220
Panda	Trj/WLT.C	20190220
Qihoo-360	Trojan.Generic	20190220
Rising	Ransom.Scatter!8.139C (CLOUD)	20190220
SentinelOne (Static ML)	static engine - malicious	20190203
Sophos AV	Troj/Ransom-EMU	20190220
SUPERAntiSpyware	Ransom.Jaff/Variant	20190220
Symantec	Ransom.Enciphered	20190220
TACHYON	Ransom/W32.Scatter.163840	20190220
Tencent	Win32.Trojan.Raas.Auto	20190220
TheHacker	Trojan/Filecoder.Jaff.a	20190217
Trapmine	malicious.high.ml.score	20190123
VBA32	SScope.TrojanRansom.WannaCry	20190220
VIPRE	Trojan.Win32.Generic!BT	20190220
ViRobot	Trojan.Win32.Ransom.163840.C	20190220
Webroot	W32.Ransomware.Jaff	20190220
Yandex	Trojan.Scatter!	20190219
ZoneAlarm by Check Point	Trojan-Ransom.Win32.Scatter.vd	20190220
Zoner	Trojan.Win32.58591	20190220
Acronis		20190220
AegisLab		20190220
Alibaba		20180921
Avast-Mobile		20190220
Babable		20180917
Baidu		20190214
CMC		20190220
eGambit		20190220
Kingsoft		20190220
Malwarebytes		20190220
Symantec Mobile Insight		20190220
TotalDefense		20190220
Trustlook		20190220

The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.

FileVersionInfo properties

Product Umhcrew mvh

Original name Vfbmzerekbl

Internal name Vfbmzerekbl

File version 6.486

Description Pa sf yrqbunq hsg

PE header basic information

Target machine Intel 386 or later processors and compatible processors

Compilation timestamp 2017-05-15 13:53:44

Entry Point 0x0001A61C

Number of sections 4

PE sections

Name Virtual address Virtual size Raw size Entropy MD5

.text 4096 104590 106496 6.59 d22043aa072b123f1fe0d0951d7b4f08

.rdata 110592 7488 8192 5.57 cd7fa08f28f008325d707b78dfbfc1b8

.data 118784 100188 36864 6.56 82f557f3877a2f0faa5cf7638749aab6

.rsrc 221184 7424 8192 5.85 ae3cf6e819dd249de2e80b3cd48bc5a9

PE imports

SQLTablesW

SQLStatisticsW

SQLBrowseConnectW

SQLColumnPrivilegesA

ODBCInternalConnectW

SQLTablesA

DllBidEntryPoint

SQLBrowseConnectA

SQLTransact

SQLParamData

SQLGetConnectAttrW

SQLPrepareA

ODBCGetTryWaitValue

OpenODBCPerfData

SQLPrepareW

SQLGetConnectAttrA

SQLSetPos

SQLRowCount

GetODBCSharedData

SQLAllocHandle

SQLFreeEnv

SQLDriversW

SQLGetDiagRecA

CursorLibTransact

SQLBulkOperations

g_hHeapMalloc

SQLPutData

SQLConnectA

SQLSetDescFieldW

SQLGetCursorNameW

SQLDescribeParam

SQLErrorA

SQLEndTran

SQLGetTypeInfoW

SQLGetDiagFieldA

VFreeErrors

SQLColAttributesA

SQLSetScrollOptions

SQLFetchScroll

SQLGetDiagFieldW

SQLAllocConnect

CloseODBCPerfData

SQLColAttributesW

SQLGetConnectOptionW

SQLSetStmtAttrW

SQLNumParams

SQLBindParam

SQLProcedureColumnsA

SQLFetch

SQLGetConnectOptionA

SQLColAttributeW

SQLSetDescRec

SQLDisconnect

SQLMoreResults

SQLColumnsA

SQLGetCursorNameA

SQLTablePrivilegesW

SQLSetCursorNameA

SQLGetInfoW

SQLSetParam

SQLParamOptions

SQLTablePrivilegesA

SQLExecute

SQLFreeStmt

SearchStatusCode

SQLGetInfoA

SQLGetFunctions

SQLNativeSqlA

SQLPrimaryKeysW

SQLGetEnvAttr

PostODBCError

SQLPrimaryKeysA

SQLNativeSqlW

ODBCSetTryWaitValue

PostODBCComponentError

SQLCloseCursor

SQLSetDescFieldA

SQLGetDescFieldA

SQLAllocHandleStd

SQLDriverConnectW

SQLDescribeColA

SQLSetEnvAttr

SQLFreeConnect

SQLDriverConnectA

SQLDescribeColW

ODBCQualifyFileDSNW

SQLCancel

SQLForeignKeysA

SQLSpecialColumnsW

SQLColumnPrivilegesW

SQLForeignKeysW

SQLSpecialColumnsA

SQLNumResultCols

CursorLibLockStmt

SQLCopyDesc

CollectODBCPerfData

SQLGetStmtOption

SQLAllocEnv

SQLGetData

SQLGetDescRecW

CursorLibLockDbc

SQLGetStmtAttrA

SQLSetConnectAttrW

PostComponentError

SQLGetDescRecA

ValidateErrorQueue

SQLFreeHandle

SQLSetConnectAttrA

SQLExecDirectW

LockHandle

SQLSetConnectOptionA

SQLDataSourcesW

SQLExecDirectA

CursorLibLockDesc

SQLDataSourcesA

SQLBindParameter

SQLProceduresW

Number of PE resources by type

RT_ACCELERATOR 5

RT_ICON 2

RT_STRING 2

RT_GROUP_ICON 2

RT_MANIFEST 1

RT_VERSION 1

Number of PE resources by language

ENGLISH US 13

PE resources

0a8154bf54a5be669fb23c15a539a4ecfcaf45ad966f1cf164db5bc361b44a96 ASCII text

36a5bbe60682a0deb52668e6fc7ae87ef8b9ea79fe9db84747afa0191212acd8 data

404e02d011bc669c67ead03b175f7eaab8a01e00c044f6aed26dc0fb1ffef4f5 ASCII text

49a60be4b95b6d30da355a0c124af82b35000bce8f24f957d1c09ead47544a1e ASCII text

7514ac1a36372b209a03bdb769c1a84f49b9a83de5bef3caff1fe2f85363f909 data

8434fe0186a13e9b7a2bddfe971401edf66fa6f3c22a26210b30ebba1c3c5166 data

9c02e5ed1506ab30938c0d1c71f9e433780f210fd357e4e6d4d1568d740d2a26 data

b02c0e0aad68508cca1d974535dd48e5934729d667d2309779172eeb5a439960 data

c3191724eaac284e37d4104b33f71b335c92803913f304a92f666ebb5338fcb8 data

ca71e5268d3195397dd534aa4e85afaa82cf71382835106cf380b3db5d6a9aaa ASCII text

ExifTool file metadata

UninitializedDataSize

LinkerVersion

6.0

ImageVersion

0.0

FileSubtype

FileVersionNumber

6.486.0.0

LanguageCode

Unknown (0003)

FileFlagsMask

0x003f

FileDescription

Pa sf yrqbunq hsg

ImageFileCharacteristics

No relocs, Executable, No line numbers, No symbols, 32-bit

CharacterSet

Unknown (0003)

InitializedDataSize

118784

EntryPoint

0x1a61c

OriginalFileName

Vfbmzerekbl

MIMEType

application/octet-stream

LegalCopyright

FileVersion

6.486

TimeStamp

2017:05:15 06:53:44-07:00

FileType

Win32 EXE

PEType

PE32

InternalName

Vfbmzerekbl

ProductVersion

6.486

SubsystemVersion

4.0

OSVersion

4.0

FileOS

Windows NT 32-bit

Subsystem

Windows GUI

MachineType

Intel 386 or later, and compatibles

CompanyName

Tbn mfitlnky

CodeSize

106496

ProductName

Umhcrew mvh

ProductVersionNumber

6.486.0.0

FileTypeExtension

exe

ObjectFileType

Executable application

Compressed bundles

This file was also submitted to VirusTotal in the following compressed file bundles.

0ed8099300e1c062f516752c42868fc33b0149c7f61aea8dd45c8d4fae7b2332

1164bef30c3387aeb11e0b3f9f18f6efd71fdcbebeb4b646bef3bdae297ee026

20d0ebff8196952520a839a7af4dc1a7ae60336ca1ab9fed57f5355ef07d3bf1

561282e3da1920849701ef9a13a4797a84fab7d0b8cef58e9173d8ebda1c0e15

57dd45c77acd054aa371d6ffa21924bba83bd52419d18663c86f8a4681c61e19

b578e0eee0853b990cd2a1e05cce276be64485be943ddda149d29e6a64b2aa30

File identification

MD5 f3d9b2cb51e81d12ff3d5faaca231041

SHA1 ca7cf9e472f34973216781c3a1e269c510af0300

SHA256 5f1fcdfb951dc4642ce136a5d3e6bc42021f8e0cd631975a5eb3842da020531c

ssdeep

3072:ho+Z3+yf/xg77QtPrn4FAsm+Ro5nLAdGkk3JIFBKuHIGQ5Nxb+b5knn:2o+yf+Kn4FAsm4MMd3kkKuHINLZ+9

authentihash 7d2b1d8ef9ccaf355658eea16d197fd1e335dd61f3230b04cc5c7f5729b64070

imphash c02ee2da36fedd83f5dd868cf320e1b5

Fájl méret 160.0 KB ( 163840 bytes )

Fájl típus Win32 EXE

Magic literal

PE32 executable for MS Windows (GUI) Intel 80386 32-bit

TrID	Win32 Executable MS Visual C++ 5.0 (39.0%) Win32 Executable MS Visual C++ (generic) (20.0%) Win64 Executable (generic) (17.7%) Microsoft Visual C++ compiled executable (generic) (10.6%) Win32 Dynamic Link Library (generic) (4.2%)

VirusTotal metadata

First submission 2017-05-17 12:37:51 UTC ( 1 év, 9 hónap ezelőtt )

Last submission 2018-10-08 06:02:23 UTC ( 4 hónap, 2 hét ezelőtt )

Fájl nevek

Vfbmzerekbl.exe
f3d9b2cb51e81d12ff3d5faaca231041
Vfbmzerekbl
Vfbmzerekbl.exe
WannaCry.exe
jaf.exe_
malw
bbb.exe
hardiloch8.exe
Vfbmzerekbl.exe
bad.exe
hardiloch8.exe
f3d9b2cb51e81d12ff3d5faaca231041.exe
hjt67t.exe
Vfbmzerekbl.exe
X.exe
5f1fcdfb951dc4642ce136a5d3e6bc42021f8e0cd631975a5eb3842da020531c.bin
5f1fcdfb951dc4642ce136a5d3e6bc42021f8e0cd631975a5eb3842da020531c
hardiloch8.exe
hardiloch8.exe

Behaviour characterization

Zemana

dll-injection

Condensed report! The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.

Opened files

C:\WINDOWS\system32\rsaenh.dll (successful)

C:\WINDOWS\Registration\R000000000007.clb (successful)

\\.\PIPE\lsarpc (successful)

C:\WINDOWS\WindowsShell.manifest (successful)

C:\WINDOWS\system32\mshtml.tlb (successful)

C:\WINDOWS\system32\stdole2.tlb (successful)

\\.\VBoxGuest (successful)

\\.\VBoxMiniRdrDN (successful)

C:\eula.1028.txt.jaff (successful)

C:\eula.1031.txt.jaff (successful)

Read files

C:\WINDOWS\system32\rsaenh.dll (successful)

C:\WINDOWS\Registration\R000000000007.clb (successful)

C:\WINDOWS\system32\mshtml.tlb (successful)

C:\WINDOWS\system32\stdole2.tlb (successful)

C:\eula.1028.txt.jaff (successful)

C:\eula.1033.txt.jaff (successful)

C:\eula.1041.txt.jaff (successful)

C:\vcredist.bmp.jaff (successful)

C:\Python27\LICENSE.txt.jaff (successful)

C:\Python27\NEWS.txt.jaff (successful)

Written files

C:\eula.1028.txt.jaff (successful)

C:\eula.1033.txt.jaff (successful)

C:\eula.1041.txt.jaff (successful)

C:\vcredist.bmp.jaff (successful)

C:\ReadMe.bmp (successful)

C:\ReadMe.html (successful)

C:\ReadMe.txt (successful)

C:\Python27\LICENSE.txt.jaff (successful)

C:\Python27\NEWS.txt.jaff (successful)

C:\Python27\PIL-wininst.log.jaff (successful)

Moved files

SRC: C:\eula.1028.txt
DST: C:\eula.1028.txt.jaff (successful)

SRC: C:\eula.1031.txt
DST: C:\eula.1031.txt.jaff (successful)

SRC: C:\eula.1033.txt
DST: C:\eula.1033.txt.jaff (successful)

SRC: C:\eula.1036.txt
DST: C:\eula.1036.txt.jaff (successful)

SRC: C:\eula.1040.txt
DST: C:\eula.1040.txt.jaff (successful)

SRC: C:\eula.1041.txt
DST: C:\eula.1041.txt.jaff (successful)

SRC: C:\eula.1042.txt
DST: C:\eula.1042.txt.jaff (successful)

SRC: C:\eula.2052.txt
DST: C:\eula.2052.txt.jaff (successful)

SRC: C:\eula.3082.txt
DST: C:\eula.3082.txt.jaff (successful)

SRC: C:\vcredist.bmp
DST: C:\vcredist.bmp.jaff (successful)

Created processes

cmd.exe /C del /Q /F C:\5f1fcdfb951dc4642ce136a5d3e6bc42021f8e0cd631975a5eb3842da020531c"" (successful)

Created mutexes

RasPbFile (failed)

Opened mutexes

RasPbFile (successful)

ShimCacheMutex (successful)

Opened service managers

MACHINE: localhost
DATABASE: SERVICES_ACTIVE_DATABASE (successful)

Opened services

LanmanWorkstation (successful)

WebClient (successful)

RASMAN (successful)

Runtime DLLs

oleprn (successful)

o%eprn (failed)

shlwapi.dll (successful)

mpr.dll (successful)

wininet.dll (successful)

shell32.dll (successful)

kernel32.dll (successful)

user32.dll (successful)

gdi32.dll (successful)

advapi32.dll (successful)

HTTP requests

URL: http://eesiiuroffde445.com/a5/
TYPE: GET
USER AGENT: None

DNS requests

eesiiuroffde445.com (47.91.107.213)

TCP connections

47.91.107.213:80

UDP communications

<MACHINE_DNS_SERVER>:53

SHA256:	5f1fcdfb951dc4642ce136a5d3e6bc42021f8e0cd631975a5eb3842da020531c
Fájl neve:	Vfbmzerekbl
Észlelési arány:	54 / 66
Elemzés ideje:	2019-02-21 00:50:14 UTC ( 2 nap, 12 óra ezelőtt )

Ciphered bundle

FileVersionInfo properties

PE header basic information

PE sections

PE imports

Number of PE resources by type

Number of PE resources by language

PE resources

ExifTool file metadata

Compressed bundles

File identification

VirusTotal metadata

Behaviour characterization

Hozzászólás írása...

Opened files

Read files

Written files

Moved files

Created processes

Created mutexes

Opened mutexes

Opened service managers

Opened services

Runtime DLLs

HTTP requests

DNS requests

TCP connections

UDP communications

Elfelejtett jelszó

Csatlakozz a VirusTotal Közösséghez

Jelentkezz be