SHA256: 02fce4ae1e1c5071280b5a5964e75e37cc37c0f0f71b2cb02160097c6258c502
File name: bestallning_20-08.14.exe
Detection ratio: 49 / 63
Analysis date: 2017-08-20 01:55:31 UTC ( 1 year, 2 months ago )
Antivirus | Result | Update
Ad-Aware | Trojan.Agent.BESI | 20170820
AegisLab | Troj.Banker.W32.Shiotob.fm!c | 20170820
AhnLab-V3 | Trojan/Win32.Dofoil.R116599 | 20170819
ALYac | Trojan.Agent.BESI | 20170820
Antiy-AVL | Trojan[Banker]/Win32.Shiotob | 20170820
Avast | Win32:FakeSysdef-CX [Trj] | 20170820
AVG | Win32:FakeSysdef-CX [Trj] | 20170820
Avira (no cloud) | TR/Beebone.rhwnaez | 20170819
AVware | Trojan.Win32.Generic!BT | 20170820
Baidu | Win32.Trojan.WisdomEyes.16070401.9500.9999 | 20170817
BitDefender | Trojan.Agent.BESI | 20170820
CAT-QuickHeal | Trojan.VbInject.LD3 | 20170819
Comodo | UnclassifiedMalware | 20170820
CrowdStrike Falcon (ML) | malicious_confidence_100% (D) | 20170804
Cylance | Unsafe | 20170820
Cyren | W32/Dofoil.GKYZ-8935 | 20170820
DrWeb | BackDoor.Tishop.122 | 20170820
Emsisoft | Trojan.Agent.BESI (B) | 20170820
Endgame | malicious (high confidence) | 20170721
ESET-NOD32 | a variant of Win32/Injector.BKHA | 20170819
F-Prot | W32/Dofoil.P | 20170820
F-Secure | Trojan.Agent.BESI | 20170820
Fortinet | W32/Injector.BJHT!tr | 20170820
GData | Win32.Trojan.Rallod.A | 20170820
Ikarus | Trojan-Spy.Zbot | 20170819
Sophos ML | heuristic | 20170818
Jiangmin | Trojan/Banker.Shiotob.c | 20170820
K7AntiVirus | Trojan ( 004dd4c11 ) | 20170820
K7GW | Trojan ( 004dd4c11 ) | 20170817
Kaspersky | Trojan-Banker.Win32.Shiotob.fm | 20170820
Malwarebytes | Spyware.Zbot.ED | 20170819
MAX | malware (ai score=87) | 20170820
McAfee | Dropper-FLK!FD75C23F2EC9 | 20170820
McAfee-GW-Edition | BehavesLike.Win32.VBObfus.dc | 20170820
Microsoft | Worm:Win32/Gamarue.AN | 20170820
eScan | Trojan.Agent.BESI | 20170820
NANO-Antivirus | Trojan.Win32.Shiotob.dzxqhb | 20170820
Panda | Trj/Genetic.gen | 20170819
Qihoo-360 | HEUR/Malware.QVM03.Gen | 20170820
SentinelOne (Static ML) | static engine - malicious | 20170806
Sophos AV | Troj/VB-HNV | 20170820
SUPERAntiSpyware | Trojan.Agent/Gen-Shiotob | 20170819
Symantec | Trojan.Gen | 20170819
TotalDefense | Win32/Inject.fUFSUL | 20170819
VBA32 | TrojanBanker.Shiotob | 20170818
VIPRE | Trojan.Win32.Generic!BT | 20170820
Yandex | Trojan.PWS.Shiotob! | 20170818
Zillya | Trojan.Shiotob.Win32.12 | 20170819
ZoneAlarm by Check Point | Trojan-Banker.Win32.Shiotob.fm | 20170820
Alibaba | | 20170818
Arcabit | | 20170820
ClamAV | | 20170819
CMC | | 20170819
Kingsoft | | 20170820
nProtect | | 20170819
Palo Alto Networks (Known Signatures) | | 20170820
Symantec Mobile Insight | | 20170818
Tencent | | 20170820
TheHacker | | 20170817
TrendMicro | | 20170820
TrendMicro-HouseCall | | 20170820
Trustlook | | 20170820
ViRobot | | 20170819
Webroot | | 20170820
WhiteArmor | | 20170817
Zoner | | 20170820
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
PE header basic information
Target machine: Intel 386 or later processors and compatible processors
Compilation timestamp: 2014-08-20 07:54:14
Entry Point: 0x00001124
Number of sections: 3
PE sections
Overlays
MD5: c25c91890d2a561a91d6efe216e6f701
File type: data
Offset: 49152
Size: 234766
Entropy: 7.99
PE imports
Ord(535)
EVENT_SINK_QueryInterface
Ord(648)
Ord(616)
Ord(525)
EVENT_SINK_AddRef
Ord(717)
__vbaExceptHandler
Ord(632)
MethCallEngine
DllFunctionCall
Ord(578)
Ord(544)
Ord(100)
Ord(526)
Ord(696)
ProcCallEngine
EVENT_SINK_Release
Ord(595)
Ord(669)
Ord(644)
Ord(631)
Ord(537)
Ord(598)
NetGetDCName
SHCreateShellItem
CallWindowProcA
Number of PE resources by type
RT_ICON 1
RT_VERSION 1
RT_GROUP_ICON 1
Number of PE resources by language
NEUTRAL 2
ENGLISH US 1
PE resources
ExifTool file metadata
UninitializedDataSize: 0
LinkerVersion: 6.0
ImageVersion: 5.0
FileSubtype: 0
FileVersionNumber: 5.0.0.454
LanguageCode: English (U.S.)
FileFlagsMask: 0x0000
CharacterSet: Unicode
InitializedDataSize: 16384
EntryPoint: 0x1124
MIMEType: application/octet-stream
FileVersion: 5.00.0454
TimeStamp: 2014:08:20 08:54:14+01:00
FileType: Win32 EXE
PEType: PE32
InternalName: 70004
ProductVersion: 5.00.0454
SubsystemVersion: 4.0
OSVersion: 4.0
FileOS: Win32
Subsystem: Windows GUI
MachineType: Intel 386 or later, and compatibles
CompanyName: cvfdfgefdc
CodeSize: 40960
ProductName: sdfcvfedfrr
ProductVersionNumber: 5.0.0.454
FileTypeExtension: exe
ObjectFileType: Executable application
File identification
MD5: fd75c23f2ec9d37e5a676b645fcf57a9
SHA1: 1949aac92849a02cc153ede2a24eda59f72df832
SHA256: 02fce4ae1e1c5071280b5a5964e75e37cc37c0f0f71b2cb02160097c6258c502
ssdeep: 6144:habJvwc512LAwH7SjkwNsBV7sEi0N336bH+A:haH1A9MkwNoV73RN3qv
authentihash: 079e455bb97c784b8825c019197a7e0f99aba03b257d3c7a2cdecbba0628b3c4
imphash: 35444b77d5daf22cd4425ccfc53e0406
File size: 277.3 KB ( 283918 bytes )
File type: Win32 EXE
Magic literal: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
TrID:
  Win32 Executable Microsoft Visual Basic 6 (84.4%)
  Win32 Dynamic Link Library (generic) (6.7%)
  Win32 Executable (generic) (4.6%)
  Generic Win/DOS Executable (2.0%)
  DOS Executable Generic (2.0%)
Tags: peexe overlay

VirusTotal metadata
First submission: 2014-08-20 13:08:16 UTC ( 4 years, 2 months ago )
Last submission: 2014-08-21 12:51:20 UTC ( 4 years, 2 months ago )
File names: bestallning_20-08.14.exe
Advanced heuristic and reputation engines
Symantec reputation: Suspicious.Insight
Condensed report! The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.
Opened files
Read files
Created processes
Opened mutexes
Hooking activity
Runtime DLLs
Additional details
The file sends control codes directly to certain device drivers using the DeviceIoControl Windows API function.
The file installs an application-defined hook procedure into a hook chain. A hook procedure is installed to monitor the system for certain types of events, which are associated either with a specific thread or with all threads in the same desktop as the calling thread. This is done using the SetWindowsHook Windows API function.
UDP communications