SHA256: 00d1ebf87a0393eaa3fa7b2cd81c24e31e3fb1f53ac86922e736bee0f3c6a210
File name: f17b7c94167ff853ef98d5a7bf8609424d1fe6be
Detection ratio: 15 / 57
Analysis date: 2015-04-04 02:21:20 UTC ( 3 years, 11 months ago )
Antivirus Result Update
Ad-Aware Gen:Variant.Kazy.589742 20150404
ALYac Gen:Variant.Kazy.589742 20150404
BitDefender Gen:Variant.Kazy.589742 20150404
ByteHero Trojan.Malware.Obscu.Gen.004 20150404
DrWeb Trojan.Packed 20150404
Emsisoft Gen:Variant.Kazy.589742 (B) 20150404
ESET-NOD32 a variant of Win32/Kryptik.DDVX 20150403
F-Secure Gen:Variant.Kazy.589742 20150404
Fortinet W32/Kryptik.CAHR!tr 20150404
GData Gen:Variant.Kazy.589742 20150404
Malwarebytes Trojan.Agent.ED 20150404
McAfee Artemis!54077FD2B950 20150404
eScan Gen:Variant.Kazy.589742 20150404
Rising PE:Malware.XPACK-LNR/Heur!1.5594 20150403
Tencent Trojan.Win32.Qudamah.Gen.5 20150404
AegisLab 20150404
Yandex 20150403
AhnLab-V3 20150403
Alibaba 20150404
Antiy-AVL 20150403
Avast 20150404
AVG 20150404
Avira (no cloud) 20150404
AVware 20150404
Baidu-International 20150403
Bkav 20150403
CAT-QuickHeal 20150403
ClamAV 20150403
CMC 20150403
Comodo 20150403
Cyren 20150404
F-Prot 20150401
Ikarus 20150403
Jiangmin 20150403
K7AntiVirus 20150403
K7GW 20150403
Kaspersky 20150404
Kingsoft 20150404
McAfee-GW-Edition 20150403
Microsoft 20150404
NANO-Antivirus 20150404
Norman 20150403
nProtect 20150403
Panda 20150401
Qihoo-360 20150404
Sophos AV 20150404
SUPERAntiSpyware 20150403
Symantec 20150404
TheHacker 20150403
TotalDefense 20150403
TrendMicro 20150404
TrendMicro-HouseCall 20150404
VBA32 20150403
VIPRE 20150404
ViRobot 20150404
Zillya 20150403
Zoner 20150403
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2005-05-19 11:46:20
Entry Point 0x00001000
Number of sections 13
PE sections
Overlays
MD5 bf619eac0cdf3f68d496ea9344137e8b
File type ASCII text
Offset 575488
Size 512
Entropy 0.00
PE imports
LocalFree
EnumTimeFormatsW
GetStdHandle
GetUserDefaultLangID
InitializeCriticalSection
EnumResourceNamesW
DeleteCriticalSection
GetLogicalDriveStringsW
InterlockedDecrement
IsDebuggerPresent
GetStartupInfoW
ReadProcessMemory
GetEnvironmentStringsW
WriteProfileSectionW
GetTapePosition
RtlUnwind
Number of PE resources by type
RT_BITMAP 1
RT_VERSION 1
Number of PE resources by language
NEUTRAL 1
ENGLISH US 1
PE resources
ExifTool file metadata
MIMEType: application/octet-stream
Subsystem: Windows GUI
MachineType: Intel 386 or later, and compatibles
FileTypeExtension: exe
TimeStamp: 2005:05:19 12:46:20+01:00
FileType: Win32 EXE
PEType: PE32
CodeSize: 422912
LinkerVersion: 0.0
EntryPoint: 0x1000
InitializedDataSize: 127488
SubsystemVersion: 4.1
ImageVersion: 0.0
OSVersion: 4.0
UninitializedDataSize: 0
File identification
MD5 54077fd2b95091f732aa925e5534a2b1
SHA1 0daca33373ea6d74eb935b7b50aed9eea5f356d5
SHA256 00d1ebf87a0393eaa3fa7b2cd81c24e31e3fb1f53ac86922e736bee0f3c6a210
ssdeep 3072:kebGV+QK3gEMDc6EFXLxfI7RXjw0K0yDDxkMr:keJ3gCvFfURXjf0DDxky
authentihash 6f6bb27c17badfa521ce8860564a132520967216c4837fe171c120b4902ba9f3
imphash 74cdf3931727d9463ac344a4846873da
File size 562.5 KB ( 576000 bytes )
File type Win32 EXE
Magic literal PE32 executable for MS Windows (GUI) Intel 80386 32-bit
TrID Win32 Executable (generic) (52.7%)
Generic Win/DOS Executable (23.4%)
DOS Executable Generic (23.4%)
VXD Driver (0.3%)
Tags peexe overlay
VirusTotal metadata
First submission 2015-04-04 02:21:20 UTC ( 3 years, 11 months ago )
Last submission 2016-06-06 04:25:11 UTC ( 2 years, 9 months ago )
File names isheriff_54077fd2b95091f732aa925e5534a2b1.bin
f17b7c94167ff853ef98d5a7bf8609424d1fe6be
Advanced heuristic and reputation engines
TrendMicro-HouseCall: TrendMicro's heuristic engine has flagged this file as TROJ_GEN.R021C0DDA15.
Symantec reputation: Suspicious.Insight
Condensed report! The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.
Opened files
Read files
Written files
Created processes
Created mutexes
Opened mutexes
Runtime DLLs
Additional details
The file uses the IsDebuggerPresent Windows API function in order to see whether it is being debugged.
The file sends control codes directly to certain device drivers making use of the DeviceIoControl Windows API function.
UDP communications