SemanticsAV Intelligence Report

Generated on 2025-10-24T16:54:56.663675

Detection Summary

File Hashes
MD5: 4c0e74e9f94dff611226cd1619cb1e1d
SHA1: a7703d68e4ae4ada31fd1fb01c4169d8da56e4b7
SHA256: 6d59bb6a9874b9b03ce6ab998def5b93f68dadedccad9b14433840c2c5c3a34e
Verdict (Confidence): malicious (100.0%)
File Type: pe
Signature: Gunra
Tags: exe ransomware

Intelligence Statistics

Label Distribution

Total Samples: 5
Malicious: 5 (Max: 100.0% | Avg: 97.0%)
Suspicious: 0
Clean: 0
Unknown: 0

Top Signatures

Gunra: 1 sample, max similarity 100.0%, avg similarity 100.0%
Conti: 4 samples, max similarity 96.5%, avg similarity 96.2%

Attribute Comparison Matrix

Compare static attributes between the target file and 5 similar samples from our threat intelligence database.

Legend:
† = Confirmed label (verified malicious/clean from intelligence)

Columns (Attribute | Target | Baseline samples):
Target: MALICIOUS† (Gunra; exe ransomware)
Sample #1 (100.0%): MALICIOUS (Gunra; exe ransomware)
Sample #2 (96.5%): MALICIOUS (Conti; exe ransomware)
Sample #3 (96.2%): MALICIOUS (Conti; EAGLE Ransomware)
Sample #4 (96.2%): MALICIOUS (Conti; dll exe)
Sample #5 (96.1%): MALICIOUS (Conti; exe Ransomware)

Values in each attribute row below are listed in the order: Target, Sample #1, Sample #2, Sample #3, Sample #4, Sample #5.
compilation_datetime 2025-04-15 2025-04-10 2021-04-16 2021-04-20 2021-04-20 2022-10-22
Target Sample #1 (100.0%) Sample #2 (96.5%) Sample #3 (96.2%) Sample #4 (96.2%) Sample #5 (96.1%)
Target: ["IMPORT_TABLE", "RESOURCE_TABLE", "EXCEPTION_TABLE", "BASE_RELOCATION_TABLE", "DEBUG_DIR", "LOAD_CONFIG_TABLE", "IAT"]
Sample #1 (100.0%): ["IMPORT_TABLE", "RESOURCE_TABLE", "EXCEPTION_TABLE", "BASE_RELOCATION_TABLE", "DEBUG_DIR", "LOAD_CONFIG_TABLE", "IAT"]
Sample #2 (96.5%): ["EXPORT_TABLE", "IMPORT_TABLE", "RESOURCE_TABLE", "EXCEPTION_TABLE", "BASE_RELOCATION_TABLE", "DEBUG_DIR", "LOAD_CONFIG_TABLE", "IAT"]
Sample #3 (96.2%): ["EXPORT_TABLE", "IMPORT_TABLE", "RESOURCE_TABLE", "EXCEPTION_TABLE", "BASE_RELOCATION_TABLE", "DEBUG_DIR", "LOAD_CONFIG_TABLE", "IAT"]
Sample #4 (96.2%): ["EXPORT_TABLE", "IMPORT_TABLE", "RESOURCE_TABLE", "EXCEPTION_TABLE", "BASE_RELOCATION_TABLE", "DEBUG_DIR", "LOAD_CONFIG_TABLE", "IAT"]
Sample #5 (96.1%): ["IMPORT_TABLE", "RESOURCE_TABLE", "EXCEPTION_TABLE", "BASE_RELOCATION_TABLE", "DEBUG_DIR", "LOAD_CONFIG_TABLE", "IAT"]
debug.by_type.ILTCG 1 1 1 1 1 1
debug.by_type.POGO 1 1 1 1 1 1
debug.entries_count 2 2 2 2 2 2
delay_imports.dll_count 0 0 0 0 0 0
delay_imports.total_functions 0 0 0 0 0 0
dll_characteristics.DYNAMIC_BASE Yes Yes Yes Yes Yes Yes
dll_characteristics.HIGH_ENTROPY_VA Yes Yes Yes Yes Yes Yes
dll_characteristics.NX_COMPAT Yes Yes Yes Yes Yes Yes
dll_characteristics.TERMINAL_SERVER_AWARE Yes Yes N/A N/A N/A Yes
entry_point 92268 92268 119144 121640 121640 128832
exports N/A N/A N/A N/A N/A N/A
exports.name N/A N/A conti_v3.dll conti_v3.dll conti_v3.dll N/A
exports.number_of_functions N/A N/A 3 3 3 N/A
exports.timestamp N/A N/A 4294967295 4294967295 4294967295 N/A
file_size 199168 199168 217600 220160 220160 228352
image_size 225280 225280 237568 241664 241664 249856
Target Sample #1 (100.0%) Sample #2 (96.5%) Sample #3 (96.2%) Sample #4 (96.2%) Sample #5 (96.1%)
Target: [{"name": "KERNEL32.dll", "number_of_functions": 70}, {"name": "USER32.dll", "number_of_functions": 1}]
Sample #1 (100.0%): [{"name": "KERNEL32.dll", "number_of_functions": 70}, {"name": "USER32.dll", "number_of_functions": 1}]
Sample #2 (96.5%): [{"name": "KERNEL32.dll", "number_of_functions": 71}, {"name": "USER32.dll", "number_of_functions": 2}, {"name": "SHLWAPI.dll", "number_of_functions": 1}]
Sample #3 (96.2%): [{"name": "KERNEL32.dll", "number_of_functions": 72}, {"name": "USER32.dll", "number_of_functions": 1}, {"name": "SHLWAPI.dll", "number_of_functions": 1}]
Sample #4 (96.2%): [{"name": "KERNEL32.dll", "number_of_functions": 72}, {"name": "USER32.dll", "number_of_functions": 1}, {"name": "SHLWAPI.dll", "number_of_functions": 1}]
Sample #5 (96.1%): [{"name": "KERNEL32.dll", "number_of_functions": 67}, {"name": "USER32.dll", "number_of_functions": 1}, {"name": "WS2_32.dll", "number_of_functions": 2}]
is_dll No No Yes Yes Yes No
linker_version 14.21 14.21 14.16 14.16 14.16 14.16
load_configuration.fields.has_editlist No No No No No No
load_configuration.fields.has_lock_prefix_table No No No No No No
load_configuration.fields.has_security_cookie Yes Yes Yes Yes Yes Yes
load_configuration.present Yes Yes Yes Yes Yes Yes
machine AMD64 AMD64 AMD64 AMD64 AMD64 AMD64
relocations.by_type.ABS 3 3 4 4 4 1
relocations.by_type.DIR64 773 773 766 766 766 769
relocations.total_blocks 8 8 8 8 8 8
relocations.total_entries 776 776 770 770 770 770
resources.has_manifest Yes Yes Yes Yes Yes Yes
resources.has_version_info No No No No No No
resources.number_of_dialogs 0 0 0 0 0 0
resources.number_of_icons 0 0 0 0 0 0
resources.number_of_string_tables 0 0 0 0 0 0
rich_header_present Yes Yes Yes Yes Yes Yes
Target Sample #1 (100.0%) Sample #2 (96.5%) Sample #3 (96.2%) Sample #4 (96.2%) Sample #5 (96.1%)
Target: [".text", ".rdata", ".data", ".pdata", "_RDATA", ".rsrc", ".reloc"]
Sample #1 (100.0%): [".text", ".rdata", ".data", ".pdata", "_RDATA", ".rsrc", ".reloc"]
Sample #2 (96.5%): [".text", ".rdata", ".data", ".pdata", ".rsrc", ".reloc"]
Sample #3 (96.2%): [".text", ".rdata", ".data", ".pdata", ".rsrc", ".reloc"]
Sample #4 (96.2%): [".text", ".rdata", ".data", ".pdata", ".rsrc", ".reloc"]
Sample #5 (96.1%): [".text", ".rdata", ".data", ".pdata", ".rsrc", ".reloc"]
signature.number_of_signatures 0 0 0 0 0 0
signature.signed No No No No No No
Target Sample #1 (100.0%) Sample #2 (96.5%) Sample #3 (96.2%) Sample #4 (96.2%) Sample #5 (96.1%)
Target: []
Sample #1 (100.0%): []
Sample #2 (96.5%): []
Sample #3 (96.2%): []
Sample #4 (96.2%): []
Sample #5 (96.1%): []
subsystem WINDOWS_GUI WINDOWS_GUI WINDOWS_GUI WINDOWS_GUI WINDOWS_GUI WINDOWS_GUI
symbols.total_count 0 0 0 0 0 0
tls.callbacks_count 0 0 0 0 0 0
tls.present No No No No No No
version_info N/A N/A N/A N/A N/A N/A
Natural Language Report

Executive Verdict Summary

The SemanticsAV Engine identifies this file with 100.0% certainty as MALICIOUS, exhibiting characteristics consistent with ransomware. Our analysis indicates a strong genetic link to the "Gunra" family, with significant structural overlap and a high degree of similarity to previously analyzed samples. This suggests a potential campaign leveraging evolved or polymorphic variants of this threat.

Technical Analysis

Structural analysis reveals a Portable Executable (PE) file compiled on April 15, 2025, with a Windows GUI subsystem and AMD64 architecture. Key structural indicators include the presence of import tables for KERNEL32.dll and USER32.dll, the HIGH_ENTROPY_VA characteristic, and DYNAMIC_BASE enabled. The LOAD_CONFIG_TABLE is present and includes a security cookie, a common feature for software resilience; its presence in malicious samples can also be a byproduct of compilation tooling. The debug directory contains ILTCG and POGO entries, which are commonly produced by standard development toolchains but can also be present in compiled malware to obfuscate origins or implement specific functionalities.

The data directories present, including IMPORT_TABLE, RESOURCE_TABLE, EXCEPTION_TABLE, BASE_RELOCATION_TABLE, DEBUG_DIR, LOAD_CONFIG_TABLE, and IAT, are typical for many Windows applications. However, the absence of exports and delay imports, combined with the specific import counts, points towards a self-contained executable designed for direct execution. The presence of relocation entries (ABS and DIR64) suggests dynamic loading capabilities or position-independent code, common in malware for evading static analysis and ensuring execution in various environments. The sections list shows standard executable segments (.text, .rdata, .data, etc.) along with .rsrc and .reloc, indicating resource embedding and relocation information.

When cross-referenced with similar samples, the target file exhibits a 100.0% geometric similarity to samples attributed to the "Gunra" ransomware family. Minor differences in compilation timestamps and specific import function counts may indicate minor code modifications or iterative development within the "Gunra" lineage, rather than a complete divergence. The structural patterns, including the import structure, load configuration presence, and debug directory entries, are highly conserved across these similar samples, underscoring a shared genetic blueprint and development tooling.

Threat Intelligence Context

The analysis firmly positions this sample within the "Gunra" ransomware family, characterized by its malicious intent and executable nature. Samples exhibiting this high degree of structural similarity to the target are consistently identified as "Gunra" ransomware. The "Gunra" family has been associated with broad-scale attacks, aiming to encrypt victim data and demand ransom payments. Its operational tactics typically involve compromising systems through phishing, exploit kits, or compromised credentials, followed by rapid deployment of the ransomware to encrypt critical files.

Further intelligence reveals a notable convergence with samples tagged under the "Conti" ransomware family, with similarities ranging from 96.1% to 96.5%. This cross-family overlap suggests a potential evolution or collaboration between threat actors, or that "Gunra" may have originated from, or shares a significant codebase with, earlier Conti variants. The Conti ransomware group was a prolific and sophisticated threat actor known for its high-profile attacks on critical infrastructure and large enterprises. Its modular design allowed for adaptability, and its affiliates were known to leverage a variety of exploit and evasion techniques. The observed structural patterns, such as the specific debug entries (ILTCG, POGO) and the load configuration fields, are consistent with tooling used by both "Gunra" and "Conti" groups, further supporting a shared development lineage or toolset.

The presence of the "Gunra" signature on this sample, with 100% similarity to other "Gunra" samples, while also showing high similarity to "Conti" samples, indicates that this malware may represent an evolution or fork of the Conti codebase, now operating under a distinct "Gunra" identifier. This genetic relationship between distinct ransomware families is not uncommon and points to a dynamic threat landscape where malware codebases are often shared, modified, and re-branded. The target's inclusion of the HIGH_ENTROPY_VA and NX_COMPAT characteristics is common: these anti-analysis and security features are found in modern malware to hinder detection and exploitation.

Recommendations and Response Strategy

Given the high confidence identification as "Gunra" ransomware with genetic ties to "Conti," immediate response priorities should focus on containment and eradication. Network segmentation to isolate potentially infected systems and prevent lateral movement is critical. Implement enhanced endpoint detection and response (EDR) strategies to monitor for known indicators of compromise (IOCs) associated with "Gunra" and "Conti" ransomware, including specific file paths, registry modifications, and network communication patterns. Prioritize the restoration of critical data from secure, offline backups. For systems confirmed to be infected, a full forensic analysis to understand the initial access vector and extent of compromise is advised before system reimaging. Continuous monitoring for any recurrence or similar genetic variants is paramount.