SHA256: f9046c5fbdddee04dd8fbf6e187a630b88a961243b20933afcb0e36091847d59
File name: RBS_Account_Documents.scr
Detection ratio: 4 / 53
Analysis date: 2014-09-08 13:31:45 UTC (4 years, 8 months ago)
Antivirus             Result                                  Update
Avast                 Win32:Trojan-gen                        20140908
Cyren                 W32/Trojan.LHNV-0625                    20140908
Microsoft             TrojanDownloader:Win32/Upatre.AA        20140908
Qihoo-360             HEUR/Malware.QVM20.Gen                  20140908
Ad-Aware              -                                       20140908
AegisLab              -                                       20140908
Yandex                -                                       20140907
AhnLab-V3             -                                       20140908
Antiy-AVL             -                                       20140908
AVG                   -                                       20140908
Avira (no cloud)      -                                       20140908
AVware                -                                       20140908
Baidu-International   -                                       20140908
BitDefender           -                                       20140908
Bkav                  -                                       20140906
ByteHero              -                                       20140908
CAT-QuickHeal         -                                       20140904
ClamAV                -                                       20140908
CMC                   -                                       20140908
Comodo                -                                       20140908
DrWeb                 -                                       20140908
Emsisoft              -                                       20140908
ESET-NOD32            -                                       20140908
F-Prot                -                                       20140908
F-Secure              -                                       20140908
Fortinet              -                                       20140908
GData                 -                                       20140908
Ikarus                -                                       20140908
Jiangmin              -                                       20140907
K7AntiVirus           -                                       20140908
K7GW                  -                                       20140908
Kaspersky             -                                       20140908
Kingsoft              -                                       20140908
Malwarebytes          -                                       20140908
McAfee                -                                       20140908
McAfee-GW-Edition     -                                       20140908
eScan                 -                                       20140908
NANO-Antivirus        -                                       20140908
Norman                -                                       20140908
nProtect              -                                       20140907
Panda                 -                                       20140908
Rising                -                                       20140908
Sophos AV             -                                       20140908
SUPERAntiSpyware      -                                       20140908
Symantec              -                                       20140908
Tencent               -                                       20140908
TheHacker             -                                       20140907
TotalDefense          -                                       20140908
TrendMicro            -                                       20140908
VBA32                 -                                       20140908
VIPRE                 -                                       20140908
ViRobot               -                                       20140908
Zillya                -                                       20140907
Zoner                 -                                       20140905
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
PE header basic information
Target machine: Intel 386 or later processors and compatible processors
Compilation timestamp: 2014-08-28 22:51:35
Entry Point: 0x00001E00
Number of sections: 4
PE sections
PE imports
InitCommonControlsEx
CreateFontIndirectA
DeleteCriticalSection
GetModuleHandleA
EnterCriticalSection
GetStartupInfoA
InitializeCriticalSection
InterlockedExchange
lstrcpyA
InterlockedDecrement
Sleep
LoadLibraryA
LeaveCriticalSection
InterlockedIncrement
_except_handler3
__p__fmode
_adjust_fdiv
_acmdln
__p__commode
__setusermatherr
exit
_XcptFilter
__getmainargs
_initterm
_exit
_controlfp
__set_app_type
GetMessageA
CreateWindowExA
LoadCursorA
LoadIconA
UpdateWindow
DispatchMessageA
LoadStringA
TranslateMessage
SendMessageA
PostQuitMessage
DefWindowProcA
ShowWindow
RegisterClassExA
DestroyWindow
Number of PE resources by type
RT_ICON 1
RT_GROUP_ICON 1
RT_VERSION 1
RT_MANIFEST 1
Number of PE resources by language
ARABIC SAUDI ARABIA 4
PE resources
ExifTool file metadata
UninitializedDataSize: 0
LinkerVersion: 17.16
ImageVersion: 4.2
FileVersionNumber: 0.2.2.10
LanguageCode: Unknown (8B4C)
FileFlagsMask: 0x0000
FileDescription: Buik proged
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
CharacterSet: Unknown (32B1)
InitializedDataSize: 13824
EntryPoint: 0x1e00
OriginalFileName: Buik
MIMEType: application/octet-stream
LegalCopyright: Copyright by Nego
FileVersion: Version 2.1.1
TimeStamp: 2014:08:28 23:51:35+01:00
FileType: Win32 EXE
PEType: PE32
InternalName: Buik
SubsystemVersion: 5.0
OSVersion: 5.0
FileOS: Windows 32-bit
Subsystem: Windows GUI
MachineType: Intel 386 or later, and compatibles
CompanyName: Buik
CodeSize: 6144
FileSubtype: 0
ProductVersionNumber: 0.2.2.10
FileTypeExtension: exe
ObjectFileType: Executable application

File identification
MD5 e610e0b20ad7b1255de9ff659024c2c3
SHA1 e32ef7def60a8ccc0c051182f2103dbbfe6de625
SHA256 f9046c5fbdddee04dd8fbf6e187a630b88a961243b20933afcb0e36091847d59
ssdeep 192:KGMZyiljQX1b646k0JJLXPoEG1oynncE+zzSz93y+n98InouVK8+Z/Nes:NGjQXUe0JJLXu1Kj14s
authentihash 8db6101b620248d6ea52907170ca62011f0545f9d34e5cdf829fbcb72769daf4
imphash 051c1cddb7d7881ecff5096783449dbc
File size 20.0 KB (20480 bytes)
File type Win32 EXE
Magic literal PE32 executable for MS Windows (GUI) Intel 80386 32-bit

TrID Win64 Executable (generic) (61.7%)
Win32 Dynamic Link Library (generic) (14.7%)
Win32 Executable (generic) (10.0%)
OS/2 Executable (generic) (4.5%)
Generic Win/DOS Executable (4.4%)
Tags
peexe

VirusTotal metadata
First submission 2014-09-08 09:37:21 UTC (4 years, 8 months ago)
Last submission 2018-10-09 14:43:29 UTC (7 months, 2 weeks ago)
File names Trojan.Hoax.W32.ArchSMS.cfkdy.scr
file-7433575_scr
RBS_Account_Documents.scr
8mjT.tif
e610e0b20ad7b1255de9ff659024c2c3
WL-57d7850c955e80c8c7a54b497f3c281a-0
Lloyds-Commercial_Documents.scr
e610e0b20ad7b1255de9ff659024c2c3.scr
qjubeA.dotm
6708d842f16fa4d1eaaaffc26bb46cbbff4a5abbb25001c0056758c07a333020
GB09082014.scr
Advanced heuristic and reputation engines
Symantec reputation Suspicious.Insight
Condensed report! The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were performed either by the file itself or by any other process that the executed file launched or injected code into.
Opened files
Read files
Written files
Deleted files
Created processes
Shell commands
Created mutexes
Opened mutexes
Opened service managers
Opened services
Hooking activity
Runtime DLLs
Additional details
The file sends control codes directly to certain device drivers by means of the DeviceIoControl Windows API function.
The file installs an application-defined hook procedure into a hook chain using the SetWindowsHook Windows API function. A hook procedure is installed to monitor the system for certain types of events; these events are associated either with a specific thread or with all threads in the same desktop as the calling thread.
HTTP requests
DNS requests
TCP connections
UDP communications