26b4699a7b9eeb16e76305d843d4ab05e94d43f3201436927e13b3ebafa90739

Summary

Architecture IMAGE_FILE_MACHINE_I386
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date 2016-Jan-09 12:11:59
Detected languages English - United States
Debug artifacts GoogleCrashHandler_unsigned.pdb

Plugin Output

Info Interesting strings found in the binary:
Contains domain names:
  • .google.com
  • google.com
Info Cryptographic algorithms detected in the binary:
  • Uses constants related to SHA1
  • Uses constants related to SHA256
Malicious The PE contains functions mostly used by malware.
[!] The program may be hiding some of its imports:
  • LoadLibraryExW
  • LoadLibraryW
  • GetProcAddress
Can access the registry:
  • RegQueryValueExW
  • RegOpenKeyExW
  • RegDeleteKeyW
  • RegDeleteValueW
  • RegCloseKey
  • RegCreateKeyExW
  • RegSetValueExW
  • RegEnumKeyExW
  • RegQueryInfoKeyW
  • SHQueryValueExW
Possibly launches other programs:
  • CreateProcessW
Can create temporary files:
  • CreateFileW
  • GetTempPathW
Memory manipulation functions often used by packers:
  • VirtualProtect
  • VirtualAlloc
Functions related to the privilege level:
  • OpenProcessToken
  • CheckTokenMembership
Manipulates other processes:
  • OpenProcess
  • ReadProcessMemory
Changes object ACLs:
  • SetNamedSecurityInfoW
Queries user information on remote machines:
  • NetWkstaGetInfo
Malicious VirusTotal score: 66/70 (Scanned on 2026-06-15 00:50:51)
ALYac: Trojan.Ransom.Petya
APEX: Malicious
AVG: Other:Malware-gen [Trj]
AhnLab-V3: Trojan/Win32.Ransom.R177575
Alibaba: Ransom:Win32/Petya.8d8
Antiy-AVL: Trojan[Ransom]/Win32.Petya.aa
Arcabit: Trojan.Ransomware.BM
Avast: Other:Malware-gen [Trj]
Avira: TR/Malware
BitDefender: Trojan.Ransomware.BM
Bkav: W32.LuckiiQwufsR.Trojan
CAT-QuickHeal: Ransom.Petya.S5
CTX: exe.trojan.petya
ClamAV: Win.Trojan.Petya-5637914-0
CrowdStrike: win/malicious_confidence_100% (W)
Cylance: Unsafe
Cynet: Malicious (score: 100)
DeepInstinct: MALICIOUS
DrWeb: Trojan.Ransom.369
ESET-NOD32: Win32/Diskcoder.Petya.A trojan
Elastic: malicious (high confidence)
Emsisoft: Trojan.Ransomware.BM (B)
F-Secure: Trojan:W32/Petya.A
Fortinet: W32/Petya.EOB!tr.ransom
GData: Win32.Trojan.Agent.IT92BA
Google: Detected
Gridinsoft: Ransom.Win32.Gen.cc!s1
Jiangmin: TrojanRansom.Petya.a
K7AntiVirus: Ransomware ( 005d115b1 )
K7GW: Ransomware ( 005d115b1 )
Kaspersky: Trojan-Ransom.Win32.Petr.a
Kingsoft: malware.kb.a.984
Lionic: Trojan.Win32.Petya.j!c
Malwarebytes: Petya.Ransom.MBRLock.DDS
MaxSecure: Trojan.Malware.300983.susgen
McAfeeD: Trojan:Win/Petya.B
MicroWorld-eScan: Trojan.Ransomware.BM
Microsoft: Ransom:Win32/Filecoder.DLK!MTB
NANO-Antivirus: Trojan.Win32.Crypted.ebffer
Paloalto: generic.ml
Panda: Trj/RansomCrypt.E
Rising: Ransom.Petr!1.B334 (CLASSIC)
SUPERAntiSpyware: Ransom.Petya/Variant
Sangfor: Suspicious.Win32.Save.ins
SentinelOne: Static AI - Suspicious PE
Skyhigh: BehavesLike.Win32.NetLoader.dh
Sophos: ATK/Shellter-AC
Symantec: Trojan Horse
TACHYON: Ransom/W32.Petya.230912
Tencent: Malware.Win32.Gencirc.10be8de3
Trapmine: malicious.high.ml.score
TrellixENS: Generic .jy
TrendMicro: Ransom_PETYA.A
TrendMicro-HouseCall: Ransom_PETYA.A
VBA32: Trojan.Ransom
VIPRE: Trojan.Ransomware.BM
Varist: W32/Trojan.NREO-5105
ViRobot: Trojan.Win32.Z.Petya.230912.A
VirIT: Trojan.Win32.CryptoPetya.A
Xcitium: Malware@#16w0g1hhe70i6
Yandex: Trojan.Petr!74zaaTOl8KA
ZoneAlarm: Troj/Ransom-CPS
Zoner: Trojan.Win32.40474
alibabacloud: RansomWare
huorong: Ransom/Petya.c
tehtris: Generic.Malware

Hashes

MD5 af2379cc4d607a45ac44d62135fb7015
SHA1 39b6d40906c7f7f080e6befa93324dddadcbd9fa
SHA256 26b4699a7b9eeb16e76305d843d4ab05e94d43f3201436927e13b3ebafa90739
SHA3 a806c2e54fc7bbd01217d9e7171447b8684d3006d5534e19c919c1bf28a84bc8
SSDeep 6144:DCyjXhd1mialK+qoNr8PxtZE6x5v+k6f:rjXhd8ZlKOrMZE6x5b6f
Imports Hash 1a63922d5931d1bb8ca5188313f78eaa

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0xf8

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_I386
NumberofSections 5
TimeDateStamp 2016-Jan-09 12:11:59
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xe0
Characteristics IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE

Image Optional Header

Magic PE32
LinkerVersion 12.0
SizeOfCode 0x27000
SizeOfInitializedData 0x14200
SizeOfUninitializedData 0
AddressOfEntryPoint 0x0001716F (Section: .text)
BaseOfCode 0x1000
BaseOfData 0x28000
ImageBase 0x400000
SectionAlignment 0x1000
FileAlignment 0x200
OperatingSystemVersion 5.1
ImageVersion 0.0
SubsystemVersion 5.1
Win32VersionValue 0
SizeOfImage 0x3f000
SizeOfHeaders 0x400
Checksum 0x45c45
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
SizeofStackReserve 0x100000
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

.text

MD5 f2e70be0d367c8117c2ed57ff56127ff
SHA1 d38181d052d9da22fe22f503730b27174cb6ec2a
SHA256 da527831c15f734439e93d65a8ea04bfc6cebcd8641032937039254606cb5d33
SHA3 24a0f6ed313a8cddc5b6ff487025a8333f07b048f4b391d3838385ac69015d47
VirtualSize 0x26f35
VirtualAddress 0x1000
SizeOfRawData 0x27000
PointerToRawData 0x400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
Entropy 7.19364

.rdata

MD5 3eeba6f3dc074d0bb5539f91a6a37172
SHA1 bab412f55d6430fb3b893a63a4da3dc44be8898f
SHA256 0424b921238fb6976fb105f17643c7e7cc96af18e89a788d83e32d4d8365fef3
SHA3 36354a56f4f7de6746987e04b3fb9f057c04982f86e7d2c530999a5932f4f884
VirtualSize 0xc0f2
VirtualAddress 0x28000
SizeOfRawData 0xc200
PointerToRawData 0x27400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 4.74214

.data

MD5 3bde36f5da7c0616579da8263a5e0619
SHA1 1781da17b22a4755eaec25419a12eb9eef30a13f
SHA256 2310dd7afec8a64c979ae74dabcacda55bcc5ccc5d739721c1d5efe0bf2abf64
SHA3 219e1c807ee1a79e64f8479a177df1a1adadd6da7ba2f4bbad4c2e43454d0c37
VirtualSize 0x4940
VirtualAddress 0x35000
SizeOfRawData 0x1a00
PointerToRawData 0x33600
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 3.97322

.rsrc

MD5 0307cc7fad0f281b577f4c20bb197455
SHA1 9848bcb135372246aceaeeb9873b07c42936283a
SHA256 2b88190530ad5d4d972a56f3e730c8c7c2dcabdaae7aded85dc7a8492a0787b2
SHA3 a14dcda62a6a6be9f8f39f39762bb05920ec51449e32de66219cf9f562831e45
VirtualSize 0x1102
VirtualAddress 0x3a000
SizeOfRawData 0x1200
PointerToRawData 0x35000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 5.53242

.reloc

MD5 b17e62017261595e68023468139bf549
SHA1 e2a72140086fc571f9e9f322fb8ad6308aa4f9e3
SHA256 f19537b99f0615fab23560bfc40a47b0f3e62ed40f3e7e9e184f28d183464ed0
SHA3 f5c9f7d153aac3ccde15d57977526009afe6ecc7d4109c59838c8c4d388a1fdf
VirtualSize 0x2300
VirtualAddress 0x3c000
SizeOfRawData 0x2400
PointerToRawData 0x36200
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Entropy 6.58667

Imports

KERNEL32.dll

GetCurrentThreadId
GetStdHandle
GetFileType
GetStartupInfoW
GetModuleFileNameW
WriteFile
QueryPerformanceCounter
GetCurrentProcessId
GetSystemTimeAsFileTime
GetEnvironmentStringsW
FreeEnvironmentStringsW
UnhandledExceptionFilter
SetUnhandledExceptionFilter
CreateEventW
Sleep
GetCurrentProcess
TerminateProcess
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
GetTickCount
CreateSemaphoreW
FreeLibrary
LoadLibraryExW
IsValidCodePage
GetACP
GetOEMCP
GetCPInfo
RtlUnwind
LCMapStringW
GetStringTypeW
FlushFileBuffers
GetConsoleCP
GetConsoleMode
SetStdHandle
SetFilePointerEx
WriteConsoleW
CloseHandle
CreateFileW
SizeofResource
LockResource
LoadResource
FindResourceW
FindResourceExW
LocalFree
CreateDirectoryW
DeleteFileW
GetCurrentThread
WaitForMultipleObjects
LoadLibraryW
WaitForSingleObject
GetExitCodeProcess
DuplicateHandle
ReleaseMutex
GetEnvironmentVariableW
lstrcmpiW
VirtualQuery
GetTempPathW
GetLocalTime
OutputDebugStringA
GetPrivateProfileIntW
GetPrivateProfileStringW
lstrcmpW
lstrlenW
SetFilePointer
CreateMutexW
InitializeCriticalSection
TryEnterCriticalSection
SetEvent
ResetEvent
GetFileAttributesExW
SetLastError
VerifyVersionInfoW
VerSetConditionMask
MoveFileExW
GetFileTime
ReadFile
DeviceIoControl
SetProcessWorkingSetSize
OpenProcess
CreateProcessW
ReadProcessMemory
lstrcpynW
GlobalAlloc
GlobalLock
GlobalUnlock
GlobalFree
CreateThread
DebugActiveProcess
GetThreadContext
DebugActiveProcessStop
VirtualQueryEx
GetProcessId
GetSystemInfo
ContinueDebugEvent
WaitForDebugEvent
WideCharToMultiByte
MultiByteToWideChar
GetModuleHandleExW
ExitProcess
IsProcessorFeaturePresent
GetCommandLineW
EncodePointer
LeaveCriticalSection
WaitNamedPipeW
TransactNamedPipe
SetNamedPipeHandleState
RtlCaptureContext
ReleaseSemaphore
EnterCriticalSection
OutputDebugStringW
DeleteCriticalSection
DecodePointer
HeapSize
GetProcAddress
GetLastError
RaiseException
HeapDestroy
InitializeCriticalSectionAndSpinCount
GetProcessHeap
GetModuleHandleW
HeapFree
IsDebuggerPresent
GetUserDefaultLangID
GetSystemDefaultLangID
GetComputerNameExW
GetOverlappedResult
ConnectNamedPipe
CreateNamedPipeW
DisconnectNamedPipe
UnregisterWait
GetProcessTimes
UnregisterWaitEx
RegisterWaitForSingleObject
VirtualProtect
VirtualAlloc
HeapAlloc
RemoveDirectoryW
HeapReAlloc

USER32.dll

SetClipboardData
EmptyClipboard
OpenClipboard
GetProcessWindowStation
CloseDesktop
CloseClipboard
CharUpperW
CharLowerW
PostThreadMessageW
DispatchMessageW
GetMessageW
PeekMessageW
EnumWindows
IsWindowVisible
GetWindowThreadProcessId
SetThreadDesktop
CreateWindowStationW
CloseWindowStation
GetThreadDesktop
SetProcessWindowStation
CreateDesktopW
wvsprintfW
wsprintfW
MessageBoxW

ADVAPI32.dll

GetSecurityDescriptorSacl
GetSecurityDescriptorDacl
GetSecurityDescriptorGroup
GetSecurityDescriptorOwner
GetSecurityDescriptorControl
GetLengthSid
CopySid
IsValidSid
GetSidSubAuthority
InitializeSid
GetSidLengthRequired
SetSecurityDescriptorDacl
AddAce
InitializeAcl
GetAclInformation
InitializeSecurityDescriptor
MakeAbsoluteSD
OpenProcessToken
GetTokenInformation
SetSecurityDescriptorOwner
SetSecurityDescriptorGroup
GetAce
MakeSelfRelativeSD
GetSecurityDescriptorLength
EqualSid
SetNamedSecurityInfoW
ConvertStringSidToSidW
OpenThreadToken
RegQueryValueExW
RegOpenKeyExW
RegDeleteKeyW
RegDeleteValueW
RegCloseKey
RegCreateKeyExW
RegSetValueExW
RegEnumKeyExW
RegQueryInfoKeyW
ConvertSidToStringSidW
AllocateAndInitializeSid
CheckTokenMembership
FreeSid
SetSecurityDescriptorSacl
GetTraceLoggerHandle
GetTraceEnableFlags
GetTraceEnableLevel
RegisterTraceGuidsW
UnregisterTraceGuids
TraceEvent
SetTokenInformation

ole32.dll

CoCreateGuid
StringFromGUID2

SHELL32.dll

SHGetFolderPathW

NETAPI32.dll

NetApiBufferFree
NetWkstaGetInfo

RPCRT4.dll

UuidCreate

SHLWAPI.dll

PathRemoveExtensionW
PathRemoveFileSpecW
PathStripPathW
PathCanonicalizeW
PathIsRelativeW
SHQueryValueExW
PathAppendW

USERENV.dll

UnloadUserProfile

VERSION.dll

GetFileVersionInfoW
VerQueryValueW
GetFileVersionInfoSizeW

Delayed Imports

1

Type RT_ICON
Language English - United States
Codepage UNKNOWN
Size 0x8a8
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 5.14876
MD5 af84bedc9ab3f3c084b1ab3aa6fa893e
SHA1 94118997d63921031b1ac1dc7ce5c70c76fe607e
SHA256 6f456edb922c6adca98bcb94f171434d112b46dd678fb494ca47f1c745710c3f
SHA3 532702f5541cfac7c0cec67b66b957d6ad105eedad15a5f99585c03d97aaf7b8

100

Type RT_GROUP_ICON
Language English - United States
Codepage UNKNOWN
Size 0x14
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 1.81924
Detected Filetype Icon file
MD5 cbee427fa121aba9b9b265ff05de5383
SHA1 24fcae33001c8e0f5ec795c6edf076a69d59589f
SHA256 494e4fd717fa1ee0c5c7bb3b4e28fdab4b7f6e95b4f9865f5ab86f03f62ae62c
SHA3 a3fa35d56632275ba55716a4964f02031270f61f06a903fc460ac2dd6bebde85

1 (#2)

Type RT_MANIFEST
Language English - United States
Codepage UNKNOWN
Size 0x75e
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 5.24978
MD5 ac7be1b128ec14d0a735a4986204c8dc
SHA1 0c502d7feda7c4dc172a5af7ef67b8e6050f519c
SHA256 ea932f4dd9f86d6a83eb2ca2564c933d0110688404aa8734889f2737c4f6ebfa
SHA3 9b2764282aeaf6e7cd7f2a0a04727d5c7afdbdb5d10e21d7387e7d4ca9972a62

Version Info

IMAGE_DEBUG_TYPE_CODEVIEW

Characteristics 0
TimeDateStamp 2016-Jan-09 12:11:59
Version 0.0
SizeofData 56
AddressOfRawData 0x32000
PointerToRawData 0x31400
Referenced File GoogleCrashHandler_unsigned.pdb

IMAGE_DEBUG_TYPE_VC_FEATURE

Characteristics 0
TimeDateStamp 2016-Jan-09 12:11:59
Version 0.0
SizeofData 20
AddressOfRawData 0x32038
PointerToRawData 0x31438

TLS Callbacks

Load Configuration

Size 0x48
TimeDateStamp 1970-Jan-01 00:00:00
Version 0.0
GlobalFlagsClear (EMPTY)
GlobalFlagsSet (EMPTY)
CriticalSectionDefaultTimeout 0
DeCommitFreeBlockThreshold 0
DeCommitTotalFreeThreshold 0
LockPrefixTable 0
MaximumAllocationSize 0
VirtualMemoryThreshold 0
ProcessAffinityMask 0
ProcessHeapFlags (EMPTY)
CSDVersion 0
Reserved1 0
EditList 0
SecurityCookie 0x435980
SEHandlerTable 0x4323a0
SEHandlerCount 7

RICH Header

XOR Key 0x7dfef65c
Unmarked objects 0
C++ objects (VS2013 build 21005) 73
ASM objects (VS2013 build 21005) 30
C objects (VS2013 build 21005) 201
C++ objects (20806) 2
C objects (65501) 4
Imports (65501) 33
Total imports 468
229 (VS2013 UPD2 build 30501) 101
Resource objects (VS2013 build 21005) 1
Linker (VS2013 UPD2 build 30501) 1

Errors