MalScore: 100/100
MalFamily: Wannacry

Loki_original.exe

File details
File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
File size: 294.50 KB (301568 bytes)
Compile time: 2016-11-04 11:29:44
MD5: 5455364b437d431400267a9092d65442
SHA1: e34ddbf5ba33ffff8beca910cb17237553f4bfd1
SHA256: 3ed5d687a46e865424395d3dd455f69c82ac0b22fa24f361db6e87e7aa5019bd
Import hash: f34d5f2d4577ed6d9ceec516c1f5a744
Sections 3 .vmprote .Resolut .Resolut
Directories 3 import resource relocation
First submission: 2018-01-01 13:33:02
Last submission: 2018-05-29 11:06:07
Filename detected: - Loki_original.exe (3)
URL file hosting
hXXp://umunna.info/bestfile/Loki_original.exe
hXXp://blackat-com.gq/testingez/Loki_original.exe
hXXp://avvalves-com.ml/testingez/Loki_original.exe
Antivirus Report
Report Date Detection Ratio Permalink Update
2017-11-02 16:13:39 [37/67] VirusTotal
PE Sections 1 suspicious
Name VAddress VSize Size MD5 SHA1
.vmprote 0x2000 0x6d34 28160 08022c9969bc553ca226e773e585d664 4300fc14720ffe5247c43cc4e881c411c50c603d
.Resolut 0xa000 0x42688 272384 8a080a0d9b15bb9f61e6ff39b0e2356a c4b1a7d92ce11d5c787aa57c1f72aadb520f14c2
.Resolut 0x4e000 0xc 512 05d998e62f9404770559258e32b6e431 68f10ab09b0db21efdd0c110b6f5e1e8cd220960
PE Resources
Name Offset Size Language Sublanguage Data
RT_ICON 0xa130 270376 LANG_NEUTRAL SUBLANG_NEUTRAL
RT_GROUP_ICON 0x4c158 20 LANG_NEUTRAL SUBLANG_NEUTRAL
RT_VERSION 0x4c16c 816 LANG_NEUTRAL SUBLANG_NEUTRAL
RT_MANIFEST 0x4c49c 490 LANG_NEUTRAL SUBLANG_NEUTRAL
  • API Alert
  • Anti Debug
Meta Info
LegalCopyright: Copyright © Microsoft 2016
Assembly Version: 1.0.0.0
InternalName: KeyGen.exe
FileVersion: 1.0.0.0
CompanyName: Microsoft
LegalTrademarks:
Comments:
ProductName: KeyGen
ProductVersion: 1.0.0.0
FileDescription: KeyGen
Translation: 0x0000 0x04b0
OriginalFilename: KeyGen.exe
XOR
No XOR information found in this file.
Signature
This file isn't digitally signed.
Packer(s)
Microsoft Visual C# / Basic .NET
Microsoft Visual Studio .NET
.NET executable
Microsoft Visual C# v7.0 / Basic .NET
File found
File type: Binary
\build.bin
File type: Library
mscoree.dll
IP Found
No IP detected
URL(s)
https://xakfor.net/forum/
Behavior analysis details
Machine name Machine label Machine manager Started Ended Duration
2018-01-01 13:25:24 2018-01-01 13:25:24

5 Behaviors detected by system signatures


5 Summary items with data

Files

\Device\KsecDD

Read Files

\Device\KsecDD

Write Files

Nothing to display

Delete Files

Nothing to display

Keys

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles

Read Keys

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles

Write Keys

Nothing to display

Delete Keys

Nothing to display

Mutexes

Resolved APIs

rasapi32.dll.RasConnectionNotificationW
sechost.dll.NotifyServiceStatusChangeA
cryptbase.dll.SystemFunction036
rpcrt4.dll.RpcBindingFree

Execute Commands

Nothing to display

Started Services

Nothing to display

Created Services

Nothing to display

1 HTTP Request(s) detected

http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/
  • Hostname: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
  • IP Address: 104.17.37.137
  • Port: 80
  • Count: 1

GET / HTTP/1.1
Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
Cache-Control: no-cache
