ransomware.exe

First submission 2024-10-14 08:01:02

File details

File type: PE32+ executable (console) x86-64, for MS Windows
Mime type: application/x-dosexec
File size: 253.65 KB (259733 bytes)
Compile time: 2024-10-09 14:23:01
MD5: 90109ee185f4739ea25b371fb580576f
SHA1: 3a04885b481e61e184375ffaad685d7c0ac9e5ce
SHA256: 2378b573c7799fac6884657f5df6d524f47aed4e5348c9104a4943ce6276653b
Import Hash: 162ec132be76ae1f437ed25229025c13
Sections 20 .text .data .rdata /4 .pdata .xdata .bss .idata .CRT .tls .reloc /14 /29 /41 /55 /67 /80 /91 /107 /123
Directories 3 import tls relocation

File features detected

Is DLL
Packers
Anti Debug
Anti VM
Signed
XOR

OSINT Enrichments

Virus Total: 41/77 VT report date: 2024-10-13 19:43:23
Malware Type 2 trojan ransomware
Threat Type 3 nekark convagent filerepmalware

URLs, FQDN and IP indicators 1

URL | Host (FQDN/IP) | Date Added
hXXp://107.175.73.38/ransomware.exe | 107.175.73.38 | 2024-10-14 08:01:02

PE Sections 3 suspicious

Name VAddress VSize Size SHA1 MD5 Suspicious
.text 0x1000 0x7038 29184 b91e930e98d76d8db639d2b89afb639d283a1c28 032fb10f9cefa3d666bdc40a7f8e1a90
.data 0x9000 0xd0 512 92938b23678d4f6e2247e5d2b3354266118df1cf 53666507b79dbc0fd6ebcd52dc53a41d
.rdata 0xa000 0xe40 4096 54859364a5b25a94958348b67825b251a0095f83 d086c2fead0cc7c875d8862b3521020f
/4 0xb000 0x4 512 5c3eb80066420002bc3dcc7ca4ab6efad7ed4ae5 bf619eac0cdf3f68d496ea9344137e8b
.pdata 0xc000 0x4a4 1536 0672ef2107dba09eb970a378e201ca745bcd2e1f d4d52c5c01c763c891efa43171684464
.xdata 0xd000 0x470 1536 a76739baeee5007076bc41ba6ddaf8105f6ba6c5 c181fb64782690ee63afbc8bd9fcabe4
.bss 0xe000 0xbe0 0 da39a3ee5e6b4b0d3255bfef95601890afd80709 d41d8cd98f00b204e9800998ecf8427e
.idata 0xf000 0x944 2560 8cfcc3b31f823b331a7bbb4be3ede3fc1ee47430 c5023ba5721fe83ecca5b41f35f89bbf
.CRT 0x10000 0x60 512 321b2aac7bb50ab3ec4fe45c4c34bc75ba66eca1 fe8732f9210f5b7f070db3c8c6d29b61
.tls 0x11000 0x10 512 5c3eb80066420002bc3dcc7ca4ab6efad7ed4ae5 bf619eac0cdf3f68d496ea9344137e8b
.reloc 0x12000 0x80 512 0b7523544e6552bc2591531de8343d428b0f1cdf ddb941a1531267f0df75f35dcbb557c4
/14 0x13000 0x640 2048 6fd7b2be6d36e1b37c653ac3b5908f2846dbf340 e73b0be73945897deb2212a81a98c916
/29 0x14000 0x12457 75264 49e56d46ae068f53d1f088c4015e637b2bc805e0 003050e8bcd72f8671310ef8e60ab06a
/41 0x27000 0x30a5 12800 0b474fb517129b814eaa32eb3b1731e412f14956 1473a55507ba0962e29b416d3d6d557b
/55 0x2b000 0x68a0 27136 98656465431ebe0b62be679469825f41b8b048e4 933733fe38ac1a3eeb3167a30c3f3963
/67 0x32000 0x20b8 8704 57a55f6bda27758a084051226f26e61e57697a97 a5f27802e0ff41d9680ec9687ae87b35
/80 0x35000 0x42e 1536 c53c174fcddb340d2b283d68e0da64bef11b285d 3569fa1071744dc1f121bdb1037be0d8
/91 0x36000 0x2dd5 11776 f8fba41818ee8bf788dec90de06b713f5556d8a0 dda5e3f47f0d964e3ce87d9ad009cbce
/107 0x39000 0x7852 31232 4daeef4648370390d772b2222fa96afec2cbd506 059de8954a2fe34465d5523e372ebd63
/123 0x41000 0x50f 1536 2884a0239abf1e81b28a80f18d06243ba9b26186 f8f4bf1ec41484b6feeaa931ee27304f

Packers detected 1

Microsoft Visual C++ 8.0 (DLL)

Anti debug functions 2

FindWindowA
GetLastError

Strings analysis - File found

Library
libgcc_s_dw2-1.dll
USER32.dll
MSVCRT.dll
KERNEL32.dll

Import functions