c2203c89...59aa | Files
Logo
Try VMRay Analyzer
VTI SCORE: 100/100
Dynamic Analysis Report
Classification: Spyware, Ransomware, Trojan

sam.exe

Windows Exe (x86-32)

Created at 2019-10-02T16:30:00

...

Remarks

(0x200001e): The maximum size of extracted files was exceeded. Some files may be missing in the report.

(0x200001d): The maximum number of extracted files was exceeded. Some files may be missing in the report.

Filters:
Filename Category Type Severity Actions
C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\sam.exe Sample File Binary
Malicious
...
»
Mime Type application/vnd.microsoft.portable-executable
File Size 1.00 MB
MD5 3be340d007d83fa930f05efff7c0f693 Copy to Clipboard
SHA1 4a88d365b246d3d35ba7d644781a4bde01651084 Copy to Clipboard
SHA256 c2203c894ed7f4daa70a40ceefb4a3a05f16baed2f7a7fbd4d1f922bd6b859aa Copy to Clipboard
SSDeep 24576:9N7Sy8HgvR1n+rSbYGqXv3YuYL8cslRg0uuociRwjIjJoMBlL:aSjnblqXvWkI0v0RwjIjJd Copy to Clipboard
ImpHash 6ed4f5f04d62b18d96b26d6db7c18840 Copy to Clipboard
File Reputation Information
»
Severity
Blacklisted
First Seen 2019-09-06 10:15 (UTC+2)
Last Seen 2019-09-20 04:26 (UTC+2)
Names Win32.Trojan.Delshad
Families Delshad
Classification Trojan
PE Information
»
Image Base 0x400000
Entry Point 0x67ac60
Size Of Code 0xff000
Size Of Initialized Data 0x1000
Size Of Uninitialized Data 0x17b000
File Type FileType.executable
Subsystem Subsystem.windows_cui
Machine Type MachineType.i386
Compile Timestamp 1970-01-01 00:00:00+00:00
Packer UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser
Sections (3)
»
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
UPX0 0x401000 0x17b000 0x0 0x200 IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 0.0
UPX1 0x57c000 0xff000 0xff000 0x200 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 7.91
UPX2 0x67b000 0x1000 0x200 0xff200 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 1.38
Imports (1)
»
KERNEL32.DLL (4)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
LoadLibraryA 0x0 0x67b028 0x27b028 0xff228 0x0
ExitProcess 0x0 0x67b02c 0x27b02c 0xff22c 0x0
GetProcAddress 0x0 0x67b030 0x27b030 0xff230 0x0
VirtualProtect 0x0 0x67b034 0x27b034 0xff234 0x0
Memory Dumps (2)
»
Name Process ID Start VA End VA Dump Reason PE Rebuild Bitness Entry Points AV YARA Actions
sam.exe 1 0x00400000 0x0067BFFF Relevant Image - 32-bit - True False
...
sam.exe 1 0x00400000 0x0067BFFF Final Dump - 32-bit - True False
...
Local AV Matches (1)
»
Threat Name Severity
Generic.Ransom.Estemani.A095E571
Malicious
C:/Boot/BOOTSTAT.DAT Modified File Stream
Unknown
...
»
Mime Type application/octet-stream
File Size 64.26 KB
MD5 2ce9a3e3e7ed81e54ddf5831a402aff8 Copy to Clipboard
SHA1 8c95fb53559d8c3f6570ad0972113244514b67b7 Copy to Clipboard
SHA256 09e174d93ad5fbb04982fa45bdc5bd323a8c6f569cc087c8576b5c62642eb9de Copy to Clipboard
SSDeep 1536:TVWFxEqgMJt9Rw1ZiBhI2SpY7N18yavEnTUkykbKqcdo03hYljZnH:JWFd2BBY7YC4kykb87KH Copy to Clipboard
C:/MSOCache/All Users/{90140000-0016-0409-1000-0000000FF1CE}-C/ExcelLR.cab Modified File Stream
Unknown
...
»
Mime Type application/octet-stream
File Size 16.19 MB
MD5 4b9a3c08e1e4f2fe0369fbe5721c4926 Copy to Clipboard
SHA1 d64fb56ecde1f11c5f12a2b2193c3d2e92772bdf Copy to Clipboard
SHA256 ed3611c956a84b54a7e90ba5317e7abb20a6ba3c57e708b36b825dcdea8eebeb Copy to Clipboard
SSDeep 196608:K+9e9NpfB1pvmap6ccSYT18mtRbV8einCWXXgirH67WAuLvRQGwyiGkmPj:K+yLflvmapwT1HUrH67WreNO Copy to Clipboard
C:/MSOCache/All Users/{90140000-0018-0409-1000-0000000FF1CE}-C/PptLR.cab Modified File Stream
Unknown
...
»
Mime Type application/octet-stream
File Size 67.10 MB
MD5 241f948c7f2136a9e04a8d92b6639ebc Copy to Clipboard
SHA1 ab1c6e6b76f6a9ee7acd9fc37cb0f395e9c813aa Copy to Clipboard
SHA256 d67be48a3704ba73d0e9dafdb792714a39f5f29ea07e125c1d8a6878422a80a5 Copy to Clipboard
SSDeep 196608:pUTe59P0DGyZSyLNWLA1E1OxcvkDRsxkeBdhEAu1FtcN42FN0BrY:p/9P0DXZSyLa1OBDosACtP2FqBrY Copy to Clipboard
C:/MSOCache/All Users/{90140000-0019-0409-1000-0000000FF1CE}-C/PubLR.cab Modified File Stream
Unknown
...
»
Mime Type application/octet-stream
File Size 9.50 MB
MD5 3ad9f825212d0e4a15bd30b4e08738d9 Copy to Clipboard
SHA1 137c16d82883ba582a43236c37e74d0490b96069 Copy to Clipboard
SHA256 2b2d4f1d8a636021bf6d5684bb4fa8476dbc8a6b96f62854b6808e86b231e5d5 Copy to Clipboard
SSDeep 196608:xEpT7SwBdw2MJkmoUyQ5KIRudE0FeNbsiSQHbIMYv30zVr/i+g32KuvGp:xEZldwH1wKaE0IN4iHbYwrtSp Copy to Clipboard
C:/MSOCache/All Users/{90140000-001A-0409-1000-0000000FF1CE}-C/OutlkLR.cab Modified File Stream
Unknown
...
»
Mime Type application/octet-stream
File Size 14.13 MB
MD5 0bf87b2a51f07c7a1039713fa8c3c8a4 Copy to Clipboard
SHA1 c6e0c23b5cdc720ae241b53d35f5d6e92641790b Copy to Clipboard
SHA256 5843b427422e7dedb6df19151ef9cdb3d1be64c9620eda1fc9e390895e54d633 Copy to Clipboard
SSDeep 196608:q8XBhH2wmVhbWHTTqc1mjss9qB3mSImQeaRPXtnhaFUPwfDW5h19o+a9ucdz:FV28HTTqsmjss9qBfQ5PXJhaFUICM+sx Copy to Clipboard
C:/MSOCache/All Users/{90140000-001B-0409-1000-0000000FF1CE}-C/WordLR.cab Modified File Stream
Unknown
...
»
Mime Type application/octet-stream
File Size 41.78 MB
MD5 8aea7eb5bb399fad51c2a6d9acae8318 Copy to Clipboard
SHA1 f6ae24412db5be85c6564a912f5fb79fa6bdaf43 Copy to Clipboard
SHA256 20cab3cc2731d1018dafb2124c69b5f90547d9e3c6fc0c01feca4ed03757807c Copy to Clipboard
SSDeep 196608:vIayf90fQUWKO0pHrRGoQUR7JatXB6dCzcTEn5semsunljt8oISc9UPSW:w7F0fQUWK5rRLQURJatx+gCEn5szsg7n Copy to Clipboard
C:/MSOCache/All Users/{90140000-002C-0409-1000-0000000FF1CE}-C/Proof.en/Proof.cab Modified File Stream
Unknown
...
»
Mime Type application/octet-stream
File Size 10.95 MB
MD5 9003a50b705ac07b2110a5acab0b0643 Copy to Clipboard
SHA1 a2bc7a96ae2b603b22c192d7904e6a1525da6804 Copy to Clipboard
SHA256 6a248610924e21c0c985be88ebdaea8bb855c9024374809bb22c698abe801179 Copy to Clipboard
SSDeep 196608:TUOl1FaQRmJnuPuiD9KR9Uio4+m7CpsAxXOjvQ//bePdzukHqZ10Ixeuynmupu/m:TUOlraQRHuipKUghOpVaq/XkqrMm0uuV Copy to Clipboard
C:/MSOCache/All Users/{90140000-002C-0409-1000-0000000FF1CE}-C/Proof.es/Proof.cab Modified File Binary
Unknown
...
»
Mime Type application/x-dosexec
File Size 13.01 MB
MD5 0170d9a4bd7bd56c5c7ab0d5c8a2b55e Copy to Clipboard
SHA1 77e74425e6a158bda761f665c404761933468332 Copy to Clipboard
SHA256 f6147b52e12e84bec42c3e9765c393cb578699c6f6159efb3585492b90cd9365 Copy to Clipboard
SSDeep 196608:b2X0jQyLOHmdp+rscm6WcixtB00nXhsYBhZun5iP6ovZEVBNPdKJJLUwOIT:b2X0EyPdp+IcmHzfBZunIPVQjPAFUKT Copy to Clipboard
C:/MSOCache/All Users/{90140000-002C-0409-1000-0000000FF1CE}-C/Proof.fr/Proof.cab Modified File Stream
Unknown
...
»
Mime Type application/octet-stream
File Size 20.09 MB
MD5 71e89bb696d936289d716f791c338f59 Copy to Clipboard
SHA1 d86b8977247bcf1a383f22b3eee51c62541d7d8d Copy to Clipboard
SHA256 6aa5fe7c7902a11d4d056d9fc43ad7ebc57b630dda315717b98fa0c9c627ff59 Copy to Clipboard
SSDeep 196608:Fn6lsqyxZYfAggDPzJ0MRaIAA9u1R2hlhr+fyf153jmv:DqyxZY4gOzRhAA9qR2hOaf15Tmv Copy to Clipboard
C:/MSOCache/All Users/{90140000-0043-0409-1000-0000000FF1CE}-C/OWOW32LR.cab Modified File Stream
Unknown
...
»
Mime Type application/octet-stream
File Size 2.79 MB
MD5 63394c6c8625deb651b58ee9d1af3d46 Copy to Clipboard
SHA1 d4c177ed37110a309b800545d9303b84f8f5b62e Copy to Clipboard
SHA256 ac9a2e93fb7f9efa1f88d287566c94b547ee5b02cf5d140e8e439580bc46ed58 Copy to Clipboard
SSDeep 49152:DaDr2csbbp2pRPNSou9VfM61v50XPHBJsdPstoUYlP5neWyzkFuquq:DO5MMzNjOEA50pJoPsql/n2ywq Copy to Clipboard
C:/MSOCache/All Users/{90140000-0044-0409-1000-0000000FF1CE}-C/InfLR.cab Modified File Binary
Unknown
...
»
Mime Type application/x-dosexec
File Size 18.00 MB
MD5 7da21e2994a8a794b462e84e0e473316 Copy to Clipboard
SHA1 a33d3dfa8ac75297110bcdf38a246eff6bc1c902 Copy to Clipboard
SHA256 a05fcae69650be7c402bf9e2ccb1126939da518539840b5ab24eabc6080a5c7c Copy to Clipboard
SSDeep 98304:lnB0IkDc12Bx1nLF+raRze2EFhtJ7j/wgmekAQMi+7p0A2n1Kw9TZk7tbtYWso7I:lB0HIMBx+OontdkgFxQpGp0dT+bto9 Copy to Clipboard
C:\ProgramData\00000000.pky Dropped File Text
Unknown
...
»
Mime Type text/plain
File Size 451 bytes
MD5 b60c4fd346d872ca652b9cbc86635999 Copy to Clipboard
SHA1 a25d4f2a3c14e6b46554467d89422f0b4f93218a Copy to Clipboard
SHA256 be8c092b318493338b2a84c67d3c75140a5ca6916094abf4ee9db35eb39ffdaf Copy to Clipboard
SSDeep 12:LrL48nmzZTA7GMx8/eiBYrg9ROEpDpOkDW:LrLHnmNs7GMoeUJyE2ka Copy to Clipboard
C:\ProgramData\00000000.eky Dropped File Stream
Unknown
...
»
Mime Type application/octet-stream
File Size 2.13 KB
MD5 5f80dbfa0b268254fd4c9d778400e8f5 Copy to Clipboard
SHA1 a6bd2be2360f04ef5f9904325c4bc645e716b498 Copy to Clipboard
SHA256 1a7d11a7649be7fd51dc510267ed1643528a0b48be8e55ac891fe719b9f76e73 Copy to Clipboard
SSDeep 48:RzOyZZO4RgE8bDw4yXo9qAA1WDXO83atAdiZG8sRp2BL8:RrcCgE8/w4gAqAAoXVKshVRKL8 Copy to Clipboard
C:/MSOCache/All Users/{90140000-0019-0409-1000-0000000FF1CE}-C\@_READ_TO_RECOVER_FILES_@.txt Dropped File Text
Unknown
...
»
Also Known As C:/Boot/Fonts\@_READ_TO_RECOVER_FILES_@.txt (Dropped File)
C:/Boot/Fonts/@_READ_TO_RECOVER_FILES_@.txt (Dropped File)
C:/Boot/it-IT\@_READ_TO_RECOVER_FILES_@.txt (Dropped File)
C:/Boot/it-IT/@_READ_TO_RECOVER_FILES_@.txt (Dropped File)
C:/Boot/pl-PL\@_READ_TO_RECOVER_FILES_@.txt (Dropped File)
C:/Boot/pl-PL/@_READ_TO_RECOVER_FILES_@.txt (Dropped File)
C:/Boot/nl-NL\@_READ_TO_RECOVER_FILES_@.txt (Dropped File)
C:/Boot/nl-NL/@_READ_TO_RECOVER_FILES_@.txt (Dropped File)
C:/Boot/fr-FR\@_READ_TO_RECOVER_FILES_@.txt (Dropped File)
C:/Boot/fr-FR/@_READ_TO_RECOVER_FILES_@.txt (Dropped File)
C:/Boot/es-ES\@_READ_TO_RECOVER_FILES_@.txt (Dropped File)
C:/Boot/es-ES/@_READ_TO_RECOVER_FILES_@.txt (Dropped File)
C:/Boot/nb-NO\@_READ_TO_RECOVER_FILES_@.txt (Dropped File)
C:/Boot/nb-NO/@_READ_TO_RECOVER_FILES_@.txt (Dropped File)
C:/MSOCache/All Users/{90140000-002C-0409-1000-0000000FF1CE}-C\@_READ_TO_RECOVER_FILES_@.txt (Dropped File)
C:/MSOCache/All Users/{90140000-002C-0409-1000-0000000FF1CE}-C/@_READ_TO_RECOVER_FILES_@.txt (Dropped File)
C:/MSOCache/All Users/{90140000-0018-0409-1000-0000000FF1CE}-C\@_READ_TO_RECOVER_FILES_@.txt (Dropped File)
C:/MSOCache/All Users/{90140000-0018-0409-1000-0000000FF1CE}-C/@_READ_TO_RECOVER_FILES_@.txt (Dropped File)
C:/Boot/en-US\@_READ_TO_RECOVER_FILES_@.txt (Dropped File)
C:/Boot/en-US/@_READ_TO_RECOVER_FILES_@.txt (Dropped File)
C:/Boot/da-DK\@_READ_TO_RECOVER_FILES_@.txt (Dropped File)
C:/Boot/da-DK/@_READ_TO_RECOVER_FILES_@.txt (Dropped File)
C:/Boot/el-GR\@_READ_TO_RECOVER_FILES_@.txt (Dropped File)
C:/Boot/el-GR/@_READ_TO_RECOVER_FILES_@.txt (Dropped File)
C:/Boot/pt-PT\@_READ_TO_RECOVER_FILES_@.txt (Dropped File)
C:/Boot/pt-PT/@_READ_TO_RECOVER_FILES_@.txt (Dropped File)
C:/MSOCache/All Users/{90140000-001A-0409-1000-0000000FF1CE}-C\@_READ_TO_RECOVER_FILES_@.txt (Dropped File)
C:/MSOCache/All Users/{90140000-001A-0409-1000-0000000FF1CE}-C/@_READ_TO_RECOVER_FILES_@.txt (Dropped File)
C:/MSOCache/All Users/{90140000-002C-0409-1000-0000000FF1CE}-C/Proof.en\@_READ_TO_RECOVER_FILES_@.txt (Dropped File)
C:/MSOCache/All Users/{90140000-002C-0409-1000-0000000FF1CE}-C/Proof.en/@_READ_TO_RECOVER_FILES_@.txt (Dropped File)
C:/Boot/cs-CZ\@_READ_TO_RECOVER_FILES_@.txt (Dropped File)
C:/Boot/cs-CZ/@_READ_TO_RECOVER_FILES_@.txt (Dropped File)
C:/MSOCache/All Users/{90140000-0043-0409-1000-0000000FF1CE}-C\@_READ_TO_RECOVER_FILES_@.txt (Dropped File)
C:/MSOCache/All Users/{90140000-0043-0409-1000-0000000FF1CE}-C/@_READ_TO_RECOVER_FILES_@.txt (Dropped File)
C:/Boot/hu-HU\@_READ_TO_RECOVER_FILES_@.txt (Dropped File)
C:/Boot/hu-HU/@_READ_TO_RECOVER_FILES_@.txt (Dropped File)
C:/MSOCache/All Users/{90140000-0044-0409-1000-0000000FF1CE}-C\@_READ_TO_RECOVER_FILES_@.txt (Dropped File)
C:/MSOCache/All Users/{90140000-0044-0409-1000-0000000FF1CE}-C/@_READ_TO_RECOVER_FILES_@.txt (Dropped File)
C:/Boot/ja-JP\@_READ_TO_RECOVER_FILES_@.txt (Dropped File)
C:/Boot/ja-JP/@_READ_TO_RECOVER_FILES_@.txt (Dropped File)
C:/Boot/pt-BR\@_READ_TO_RECOVER_FILES_@.txt (Dropped File)
C:/Boot/pt-BR/@_READ_TO_RECOVER_FILES_@.txt (Dropped File)
C:/MSOCache/All Users/{90140000-002C-0409-1000-0000000FF1CE}-C/Proof.es\@_READ_TO_RECOVER_FILES_@.txt (Dropped File)
C:/MSOCache/All Users/{90140000-002C-0409-1000-0000000FF1CE}-C/Proof.es/@_READ_TO_RECOVER_FILES_@.txt (Dropped File)
C:/Boot\@_READ_TO_RECOVER_FILES_@.txt (Dropped File)
C:/Boot/@_READ_TO_RECOVER_FILES_@.txt (Dropped File)
C:/Boot/ko-KR\@_READ_TO_RECOVER_FILES_@.txt (Dropped File)
C:/Boot/ko-KR/@_READ_TO_RECOVER_FILES_@.txt (Dropped File)
C:/Boot/ru-RU\@_READ_TO_RECOVER_FILES_@.txt (Dropped File)
C:/Boot/ru-RU/@_READ_TO_RECOVER_FILES_@.txt (Dropped File)
C:/Boot/de-DE\@_READ_TO_RECOVER_FILES_@.txt (Dropped File)
C:/Boot/de-DE/@_READ_TO_RECOVER_FILES_@.txt (Dropped File)
C:/MSOCache/All Users/{90140000-002C-0409-1000-0000000FF1CE}-C/Proof.fr\@_READ_TO_RECOVER_FILES_@.txt (Dropped File)
C:/MSOCache/All Users/{90140000-002C-0409-1000-0000000FF1CE}-C/Proof.fr/@_READ_TO_RECOVER_FILES_@.txt (Dropped File)
C:/MSOCache/All Users/{90140000-001B-0409-1000-0000000FF1CE}-C\@_READ_TO_RECOVER_FILES_@.txt (Dropped File)
C:/MSOCache/All Users/{90140000-001B-0409-1000-0000000FF1CE}-C/@_READ_TO_RECOVER_FILES_@.txt (Dropped File)
C:/Boot/fi-FI\@_READ_TO_RECOVER_FILES_@.txt (Dropped File)
C:/Boot/fi-FI/@_READ_TO_RECOVER_FILES_@.txt (Dropped File)
Mime Type text/plain
File Size 4.05 KB
MD5 350a947d2cc13f8b089544362c9c4f1b Copy to Clipboard
SHA1 8dac7205f76abd5100832b081858d914901081ac Copy to Clipboard
SHA256 331db974cff8c4b4344055fe907c47ccf449552760531866e9a3447cd7998ef3 Copy to Clipboard
SSDeep 96:13tSCil893QM1Jrw19rXVIASAgUPWn6sC1L3VsL3SW/lHNmRe:10CW85QM1O19S2gUPtrVsLbdNmRe Copy to Clipboard
Exit-Icon
WHOIS Domain Information
Domain Name
WHOIS Response 

       		
      

     

    

   

  

  

  

  

   

    
    

     Function Logfile
    

    

     

      Download-Icon
     

    

    

     Exit-Icon
    

   

   

    

     

      
       This feature requires an online-connection to the VMRay backend.
      
      

      

      An offline version with limited functionality is also provided.
      

      The offline version is supported only in Mozilla Firefoxwith deactivated setting "security.fileuri.strict_origin_policy".
     

     

    

   

   

    Before
   

   

    

     

      
       This feature requires an online-connection to the VMRay backend.
      
      

      

      An offline version with limited functionality is also provided.
      

      The offline version is supported only in Mozilla Firefoxwith deactivated setting "security.fileuri.strict_origin_policy".
     

     

    

   

   

    After
   

   

    

     

      
       This feature requires an online-connection to the VMRay backend.
      
      

      

      An offline version with limited functionality is also provided.
      

      The offline version is supported only in Mozilla Firefoxwith deactivated setting "security.fileuri.strict_origin_policy".
     

     

    

   

   

    

     
      

       
       
       
       
      

     
     
     
    

   

  

  

   

    
    

     Screenshot
    

    

     Expand-Icon
    

    

     Exit-Icon
    

   

   

    

     icon_left
    

    

     icon_left
    

   

   

   

   

    image