Sample details: 47620ea52545f4dace8f739a2509736f

Hashes
MD5: 47620ea52545f4dace8f739a2509736f
SHA1: 4c55dc17c88fcfec0e9d431d8f3cac49b6903e53
SHA256: 4afb71ac05df4509394fb3c620c60c30829a6cbd5c520f11b8a13e90863ca01b
SSDEEP: 3072:13BuhvrYN0MqqDL2/+hDMkcUrIwofej9Q7WWdE+FBaDmh8CohxBGER4JQtRR/olQ:xwZrYNXqqDL6OXvd
Details
File Type: PE32
Yara Hits
YRP/Microsoft_Visual_Cpp_v50v60_MFC | YRP/Borland_Delphi_30_additional | YRP/Borland_Delphi_30_ | YRP/Borland_Delphi_v40_v50 | YRP/Borland_Delphi_v30 | YRP/Borland_Delphi_DLL | YRP/IsPE32 | YRP/IsDLL | YRP/IsWindowsGUI | YRP/HasRichSignature | YRP/maldoc_find_kernel32_base_method_1 | YRP/domain | YRP/url | YRP/contentis_base64 | YRP/Antivirus | YRP/VM_Generic_Detection | YRP/Dropper_Strings | YRP/Misc_Suspicious_Strings | YRP/Check_OutputDebugStringA_iat | YRP/anti_dbg | YRP/network_http | YRP/win_mutex | YRP/win_registry | YRP/win_files_operation | YRP/Crypt32_CryptBinaryToString_API | YRP/Str_Win32_Wininet_Library | YRP/Str_Win32_Internet_API | YRP/Str_Win32_Http_API | FlorianRoth/ReflectiveLoader
Strings
!This program cannot be run in DOS mode.
`.rdata
@.data
@.rsrc
@.reloc
cant write to target location
cant create target file
Cant read self
cant map self
cant view self
Can not open HKEY_LOCAL_MACHINE
Already in temp directory
Kis is running...
[AUTORUN MODULE] Catched 0xDEADBEEF signal, exiting...
F-Secure either Symantec is running
Parsing sub command: 
Operand delitimeter not found: 
Checking: 
pub_key
Error delitimeter not found: 
Error: operand is empty
DELETE}
{DELETE}
Syntax error
Answer is corrupted
Not blocklisted...
Found first occurence
Error paring command...
Found unknown command: 
Error generating random IV
Error generating random string
Fatal error
Fatal error: rsaenh.dll is not initialized as well
RSA Encrypt error
Write file error
Crypting finished
File skipped
SysInfo constructor
Checking user rights0
advapi32.dll
CheckTokenMembership
Checking user rights
Elevating uac
Error: no memory in uac elevation
WMI, elevation succeed
Elevation failed
UAC elevation is not required
Total files: %d
Total bytes: %I64u
Time: %d
Encryption end
Sending data to server...
Error sending result to server...
Running a copy, exiting...
Waiting autorun
Wait timeout, killing thread
Wait signaled
Error creating autorun thread
Private key len:
Key generation error
Error sending keys to the server
Received public key from server, performing base64_out
Error decoding public key...
Shadow copy removed
Shadow copy removing error
Reflective-DllMain...
LockerMain thread error
Memory manager: error allocating memory page
Memory manager: there is no allocated memory to reserve
Response from the server is: 
[BLACKLISTED] Melting...
Mask has not been received, using default...
No public key... running first time
Error converting base64 to bin
Output parsed successfully
Output parsing error...
Error CryptBinaryToString
Error sending request...
Network API is not implemented yet...
Error converting key
Debug version, saving keys to file...
ProcScanner: memory allocation error
ProcScanner: process32first error
ProcScanner: Creating snapshot of processes error
aeriedjD#shasj
Error in AcquireContext
Error in CryptGenKey
Removed keys from container
error removing keys from container
Generation failed
CryptImportKey error
*******************
ERROR: Insufficient buffer in GrabUserIP
Read error
Error reading a key
Info grabber
GetUserName failed
GetComputerName failed
RegKey read error
Error reading os
Antivirus not found
Got volume serial number
GetVolumeInformation error
RtlComputeCrc32
Error grabbing user IP
HeapAlloc memory error
Loader http warn: Can not retrieve INTERNET handle with OPEN_TYPE_DIRECT
Loader http info: trying to use preconfigured proxy server
Loader http error: Error: can not retrieve INTERNET handle
Loader warn: internet was not initialized. Nothing to free
InternetConnect failed to server:
Connecting to: 
BOT: Request sent
BOT: Can't send request
No memory in random generator
CryptGenRandom failed
CryptGenRandom not found in advapi
Advapi32.dll not found
CryptAquireContext error
GandCrabGandCrabnomoreransom.coinomoreransom.bit
encryption.dll
_ReflectiveLoader@0
ExitProcess
lstrlenA
HeapAlloc
HeapFree
OutputDebugStringW
VirtualFree
GetProcessHeap
lstrlenW
GetProcAddress
VirtualAlloc
GetModuleHandleA
lstrcatW
lstrcpyA
GetEnvironmentVariableW
GetFileSize
MapViewOfFile
UnmapViewOfFile
GetModuleHandleW
WriteFile
GetModuleFileNameW
CreateFileW
ExitThread
GetTempPathW
CreateFileMappingW
CloseHandle
CreateThread
lstrcmpiW
lstrcmpiA
SetFilePointer
GetFileAttributesW
ReadFile
GetLastError
MoveFileW
lstrcpyW
SetFileAttributesW
CreateMutexW
GetDriveTypeW
VerSetConditionMask
WaitForSingleObject
GetTickCount
InitializeCriticalSection
OpenProcess
GetSystemDirectoryW
TerminateThread
TerminateProcess
VerifyVersionInfoW
WaitForMultipleObjects
DeleteCriticalSection
OutputDebugStringA
ExpandEnvironmentStringsW
lstrcatA
MultiByteToWideChar
Process32FirstW
Process32NextW
CreateToolhelp32Snapshot
LeaveCriticalSection
EnterCriticalSection
FindFirstFileW
lstrcmpW
FindClose
FindNextFileW
GetNativeSystemInfo
GetComputerNameW
GetDiskFreeSpaceW
GetWindowsDirectoryW
GetVolumeInformationW
LoadLibraryA
KERNEL32.dll
MessageBoxW
wsprintfW
DispatchMessageW
DefWindowProcW
UpdateWindow
SendMessageW
CreateWindowExW
ShowWindow
SetWindowLongW
LoadIconW
RegisterClassExW
TranslateMessage
BeginPaint
LoadCursorW
GetMessageW
DestroyWindow
EndPaint
MessageBoxA
wsprintfA
GetForegroundWindow
USER32.dll
TextOutW
GDI32.dll
RegCloseKey
RegCreateKeyExW
RegSetValueExW
AllocateAndInitializeSid
FreeSid
CryptExportKey
CryptAcquireContextW
CryptGetKeyParam
CryptReleaseContext
CryptImportKey
CryptEncrypt
CryptGenKey
CryptDestroyKey
GetUserNameW
RegQueryValueExW
RegOpenKeyExW
ADVAPI32.dll
ShellExecuteExW
ShellExecuteW
SHGetSpecialFolderPathW
SHELL32.dll
CryptStringToBinaryA
CryptBinaryToStringA
CRYPT32.dll
InternetOpenW
InternetReadFile
InternetConnectW
HttpSendRequestW
HttpAddRequestHeadersW
HttpOpenRequestW
InternetCloseHandle
WININET.dll
GetDeviceDriverBaseNameW
EnumDeviceDrivers
PSAPI.DLL
IsProcessorFeaturePresent
<?xml version='1.0' encoding='UTF-8' standalone='yes'?>
<assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'>
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level='asInvoker' uiAccess='false' />
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>