× Cookies are disabled! This site requires cookies to be enabled to work properly
SHA256: afb912f62363bdbbd667a3ef6ae5eff9adfd47c6e78171459306681dd8b04a50
File name: a1.exe
Detection ratio: 16 / 47
Analysis date: 2013-11-12 14:13:25 UTC ( 5 years, 6 months ago ) View latest
Antivirus Result Update
AhnLab-V3 Spyware/Win32.Zbot 20131112
AntiVir TR/Rogue.AI.11123 20131112
Avast Win32:Malware-gen 20131112
DrWeb Trojan.DownLoader9.22851 20131112
ESET-NOD32 a variant of Win32/Injector.AQVC 20131112
Fortinet W32/Tepfer.RWAZ!tr.pws 20131112
Ikarus Trojan-PWS.Win32.Fareit 20131112
Kaspersky Trojan-PSW.Win32.Tepfer.rwaz 20131112
Malwarebytes Malware.Packer 20131112
McAfee Artemis!1ED514235780 20131112
McAfee-GW-Edition Artemis!1ED514235780 20131111
Microsoft PWS:Win32/Fareit 20131112
Panda Trj/Genetic.gen 20131111
Sophos AV Mal/Generic-S 20131112
Symantec WS.Reputation.1 20131112
TrendMicro-HouseCall TROJ_GEN.F47V1111 20131112
Yandex 20131111
Antiy-AVL 20131112
AVG 20131112
Baidu-International 20131112
BitDefender 20131112
Bkav 20131112
ByteHero 20131111
CAT-QuickHeal 20131112
ClamAV 20131112
Commtouch 20131112
Comodo 20131112
Emsisoft 20131112
F-Prot 20131112
F-Secure 20131112
GData 20131112
Jiangmin 20131112
K7AntiVirus 20131111
K7GW 20131111
Kingsoft 20130829
eScan 20131112
NANO-Antivirus 20131111
Norman 20131112
nProtect 20131112
Rising 20131112
SUPERAntiSpyware 20131112
TheHacker 20131112
TotalDefense 20131111
TrendMicro 20131112
VBA32 20131112
VIPRE 20131112
ViRobot 20131112
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
FileVersionInfo properties
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2013-11-09 17:52:38
Entry Point 0x00001BB1
Number of sections 4
PE sections
Overlays
MD5 06647496de43cfdde48e15dcfb488d05
File type data
Offset 44544
Size 58681
Entropy 7.99
PE imports
GetUserNameA
TextOutA
SelectObject
RealizePalette
DeleteDC
FindFirstFileW
FreeEnvironmentStringsA
GetLocaleInfoA
VirtualQuery
DeleteFileA
HeapAlloc
GetEnvironmentStringsW
DeleteFileW
GetVersionExW
SetCurrentDirectoryA
Ord(4483)
Ord(1775)
Ord(4860)
Ord(4080)
Ord(266)
Ord(4710)
Ord(6032)
Ord(3597)
Ord(1730)
Ord(815)
Ord(2120)
Ord(780)
Ord(3136)
Ord(4524)
Ord(4591)
Ord(4468)
Ord(5237)
Ord(5455)
Ord(5289)
Ord(5577)
Ord(3350)
Ord(1089)
Ord(3261)
Ord(5257)
Ord(5092)
Ord(4589)
Ord(3798)
Ord(4387)
Ord(2621)
Ord(5508)
Ord(3259)
Ord(3298)
Ord(1665)
Ord(3353)
Ord(4303)
Ord(4547)
Ord(5214)
Ord(5105)
Ord(1915)
Ord(5301)
Ord(2383)
Ord(4163)
Ord(3449)
Ord(4964)
Ord(5652)
Ord(3282)
Ord(6215)
Ord(4492)
Ord(4245)
Ord(4494)
Ord(3869)
Ord(4898)
Ord(4647)
Ord(2385)
Ord(2723)
Ord(4345)
Ord(641)
Ord(4155)
Ord(5627)
Ord(2494)
Ord(4428)
Ord(4605)
Ord(3351)
Ord(4532)
Ord(5277)
Ord(2514)
Ord(4382)
Ord(4425)
Ord(4669)
Ord(514)
Ord(3454)
Ord(4353)
Ord(4441)
Ord(1134)
Ord(4465)
Ord(4430)
Ord(5104)
Ord(3060)
Ord(5300)
Ord(5284)
Ord(5914)
Ord(2437)
Ord(4462)
Ord(4587)
Ord(4627)
Ord(5022)
Ord(3738)
Ord(4853)
Ord(2127)
Ord(4517)
Ord(617)
Ord(3172)
Ord(4900)
Ord(5714)
Ord(4495)
Ord(4526)
Ord(4234)
Ord(4628)
Ord(2995)
Ord(825)
Ord(2371)
Ord(5199)
Ord(5307)
Ord(2171)
Ord(4531)
Ord(4697)
Ord(5000)
Ord(5090)
Ord(2542)
Ord(4424)
Ord(4610)
Ord(2059)
Ord(3106)
Ord(5245)
Ord(2858)
Ord(4491)
Ord(4078)
Ord(4640)
Ord(3059)
Ord(2554)
Ord(3417)
Ord(2510)
Ord(4630)
Ord(5106)
Ord(1859)
Ord(6376)
Ord(4614)
Ord(2403)
Ord(2117)
Ord(401)
Ord(1727)
Ord(5025)
Ord(823)
Ord(4107)
Ord(4825)
Ord(4657)
Ord(515)
Ord(2379)
Ord(4512)
Ord(640)
Ord(4941)
Ord(3853)
Ord(4998)
Ord(5472)
Ord(4436)
Ord(4457)
Ord(800)
Ord(4950)
Ord(3749)
Ord(1199)
Ord(2512)
Ord(4427)
Ord(972)
Ord(4939)
Ord(5261)
Ord(4416)
Ord(4486)
Ord(4079)
Ord(4467)
Ord(5076)
Ord(4437)
Ord(554)
Ord(1858)
Ord(2124)
Ord(5283)
Ord(6052)
Ord(6177)
Ord(4722)
Ord(4652)
Ord(1726)
Ord(6375)
Ord(4077)
Ord(5824)
Ord(5101)
Ord(6336)
Ord(1747)
Ord(4730)
Ord(796)
Ord(1918)
Ord(4957)
Ord(674)
Ord(975)
Ord(4504)
Ord(5957)
Ord(4655)
Ord(3262)
Ord(2880)
Ord(813)
Ord(4261)
Ord(3748)
Ord(2957)
Ord(5065)
Ord(5002)
Ord(5290)
Ord(4407)
Ord(6381)
Ord(3922)
Ord(6117)
Ord(4389)
Ord(6453)
Ord(2725)
Ord(3346)
Ord(2446)
Ord(4490)
Ord(2396)
Ord(2101)
Ord(4159)
Ord(4093)
Ord(3831)
Ord(5100)
Ord(6374)
Ord(5280)
Ord(986)
Ord(4612)
Ord(4888)
Ord(5828)
Ord(3825)
Ord(4595)
Ord(2985)
Ord(4916)
Ord(2991)
Ord(2404)
Ord(2964)
Ord(4613)
Ord(3198)
Ord(4736)
Ord(4369)
Ord(807)
Ord(5003)
Ord(4683)
Ord(3187)
Ord(5654)
Ord(2445)
Ord(6345)
Ord(2649)
Ord(5742)
Ord(976)
Ord(4349)
Ord(5062)
Ord(4376)
Ord(6395)
Ord(2626)
Ord(1776)
Ord(402)
Ord(1781)
Ord(5827)
Ord(6000)
Ord(4623)
Ord(324)
Ord(296)
Ord(2391)
Ord(2982)
Ord(4882)
Ord(5341)
Ord(3830)
Ord(1205)
__CxxFrameHandler
_EH_prolog
GetWindowLongA
SetWindowTextA
UpdateWindow
EnableWindow
EnableMenuItem
DispatchMessageW
InvalidateRect
Number of PE resources by type
RT_STRING 16
RT_MENU 3
RT_ACCELERATOR 2
RT_DIALOG 1
RT_ICON 1
Struct(241) 1
RT_BITMAP 1
RT_VERSION 1
RT_GROUP_ICON 1
Number of PE resources by language
SPANISH MODERN 24
NEUTRAL 2
CHINESE SIMPLIFIED 1
PE resources
ExifTool file metadata
UninitializedDataSize
0

LinkerVersion
5.0

ImageVersion
0.0

FileSubtype
0

FileVersionNumber
1.0.0.1

LanguageCode
German (Swiss)

FileFlagsMask
0x003f

FileDescription
M0

ImageFileCharacteristics
No relocs, Executable, No line numbers, No symbols, 32-bit

CharacterSet
Windows, Greek

InitializedDataSize
18944

EntryPoint
0x1bb1

OriginalFileName
M0.exe

MIMEType
application/octet-stream

LegalCopyright
Copyright ? 2013

FileVersion
1, 0, 0, 1

TimeStamp
2013:11:09 18:52:38+01:00

FileType
Win32 EXE

PEType
PE32

InternalName
M0

ProductVersion
1, 0, 0, 1

SubsystemVersion
4.0

OSVersion
4.0

FileOS
Windows NT 32-bit

Subsystem
Windows GUI

MachineType
Intel 386 or later, and compatibles

CodeSize
24576

ProductName
M0

ProductVersionNumber
1.0.0.1

FileTypeExtension
exe

ObjectFileType
Executable application

File identification
MD5 1ed5142357806c4fa927406676e11c5c
SHA1 fd4c153f1a03e6e8047f622ea5b003252992997f
SHA256 afb912f62363bdbbd667a3ef6ae5eff9adfd47c6e78171459306681dd8b04a50
ssdeep
1536:9WUst2oYlD9SD/Y5FT1Iv/QEmJbG1n/bCSpKjqAC2/HK0C7:0itLnFcIEmJmn/bRId/KZ7

authentihash 23dcb609560a8057caeb92089197048245c7996b968429f56d6330d7bc1f19ed
imphash 614dc8d84604ebf112011c4766ef3e95
File size 100.8 KB ( 103225 bytes )
File type Win32 EXE
Magic literal
PE32 executable for MS Windows (GUI) Intel 80386 32-bit

TrID Win32 Executable MS Visual C++ 4.x (87.5%)
Win32 Dynamic Link Library (generic) (4.2%)
Win32 Executable (generic) (2.9%)
Win16/32 Executable Delphi generic (1.3%)
OS/2 Executable (generic) (1.3%)
Tags
peexe overlay

VirusTotal metadata
First submission 2013-11-11 19:59:25 UTC ( 5 years, 6 months ago )
Last submission 2018-10-09 16:55:54 UTC ( 7 months, 2 weeks ago )
File names test.exe
02f3203ff57401b369c99588072a03dd81589274
1ed5142357806c4fa927406676e11c5c.exe
FXY_r95.pps
afb912f62363bdbbd667a3ef6ae5eff9adfd47c6e78171459306681dd8b04a50
fd4c153f1a03e6e8047f622ea5b003252992997f
a1.exe
a1.exe
Advanced heuristic and reputation engines
Symantec reputation Suspicious.Insight
Behaviour characterization
Zemana
dll-injection

No comments. No VirusTotal Community member has commented on this item yet, be the first one to do so!

Leave your comment...

?
Post comment

You have not signed in. Only registered users can leave comments, sign in and have a voice!

No votes. No one has voted on this item yet, be the first one to do so!
Condensed report! The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.
Opened files
Read files
Opened mutexes
Hooking activity
Runtime DLLs
Additional details
The file sends control codes directly to certain device drivers making use of the DeviceIoControl Windows API function.
The file installs an application-defined hook procedure into a hook chain. You would install a hook procedure to monitor the system for certain types of events. These events are associated either with a specific thread or with all threads in the same desktop as the calling thread. This is done making use of the SetWindowsHook Windows API function.