SHA256: 0ba12dda7bb559933281b9465753d6ea2baf3135104698b670afb2971188b56e
File name: 2015-05-20-Angler-EK-Payload.exe
Detection ratio: 12 / 57
Analysis date: 2015-05-21 05:46:10 UTC ( 2 years, 6 months ago )
Antivirus Result Update
Avira (no cloud) TR/Drop.Rovnix.594432 20150521
AVware Trojan.Win32.Generic.pak!cobra 20150521
Baidu-International Trojan.Win32.Rovnix.AB 20150520
ESET-NOD32 Win32/Rovnix.AB 20150521
Malwarebytes Spyware.Password 20150521
McAfee Artemis!28751EF09DF8 20150521
Qihoo-360 HEUR/QVM10.1.Malware.Gen 20150521
Rising PE:Malware.XPACK-HIE/Heur!1.9C48 20150520
Symantec WS.Reputation.1 20150521
Tencent Trojan.Win32.Qudamah.Gen.2 20150521
TrendMicro-HouseCall Suspicious_GEN.F47V0520 20150521
VIPRE Trojan.Win32.Generic.pak!cobra 20150521
Ad-Aware 20150521
AegisLab 20150521
Yandex 20150520
AhnLab-V3 20150520
Alibaba 20150521
ALYac 20150521
Antiy-AVL 20150521
Avast 20150521
AVG 20150521
BitDefender 20150521
Bkav 20150520
ByteHero 20150521
CAT-QuickHeal 20150520
ClamAV 20150521
CMC 20150520
Comodo 20150521
Cyren 20150521
DrWeb 20150521
Emsisoft 20150521
F-Prot 20150521
F-Secure 20150521
Fortinet 20150521
GData 20150521
Ikarus 20150521
Jiangmin 20150519
K7AntiVirus 20150521
K7GW 20150521
Kaspersky 20150521
Kingsoft 20150521
McAfee-GW-Edition 20150521
Microsoft 20150520
eScan 20150521
NANO-Antivirus 20150521
Norman 20150521
nProtect 20150520
Panda 20150520
Sophos AV 20150520
SUPERAntiSpyware 20150521
TheHacker 20150520
TotalDefense 20150520
TrendMicro 20150521
VBA32 20150520
ViRobot 20150521
Zillya 20150520
Zoner 20150520
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
FileVersionInfo properties
Copyright Copyright 2012 Dongle Inc. All rights reserved.
Publisher Dongle Inc.
Product Workstation Builder
Internal name Workstation Builder
File version 2.0.2311.135
Description Workstation Builder
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2015-05-20 10:18:48
Entry Point 0x00003260
Number of sections 5
PE sections
PE imports
CredDeleteA
ConvertSidToStringSidA
GetFileTitleA
GetDeviceCaps
GetObjectA
CreateBitmapIndirect
CreateICA
DeleteDC
SetAbortProc
SelectObject
CreatePen
Pie
StartPage
CreateCompatibleDC
DeleteObject
StretchBlt
EndPage
GetLastError
InitializeCriticalSection
HeapFree
GetStdHandle
EnterCriticalSection
LCMapStringW
HeapValidate
LoadResource
lstrlenA
LoadLibraryW
GetConsoleCP
GetOEMCP
QueryPerformanceCounter
IsDebuggerPresent
HeapAlloc
TlsAlloc
GetEnvironmentStringsW
FlushFileBuffers
LoadLibraryA
RtlUnwind
GetModuleFileNameA
IsProcessorFeaturePresent
DeleteCriticalSection
GetCurrentProcess
GetStartupInfoW
GetFileType
GetConsoleMode
FreeEnvironmentStringsW
GetCurrentProcessId
lstrcatA
HeapQueryInformation
WideCharToMultiByte
UnhandledExceptionFilter
InterlockedDecrement
MultiByteToWideChar
HeapSize
GetTickCount
SetHandleCount
InitializeCriticalSectionAndSpinCount
GetCommandLineA
GetProcAddress
EncodePointer
GetProcessHeap
SetStdHandle
RaiseException
GetCPInfo
GetModuleFileNameW
TlsFree
SetFilePointer
HeapSetInformation
GetCurrentThreadId
SetUnhandledExceptionFilter
WriteFile
DecodePointer
CloseHandle
GetSystemTimeAsFileTime
GetACP
HeapReAlloc
GetStringTypeW
GetModuleHandleW
FreeLibrary
TerminateProcess
IsValidCodePage
HeapCreate
CreateFileW
OutputDebugStringW
TlsGetValue
SetLastError
IsBadReadPtr
TlsSetValue
ExitProcess
OutputDebugStringA
LeaveCriticalSection
WriteConsoleW
InterlockedIncrement
VariantChangeType
VariantClear
VariantInit
SysAllocStringLen
GetProcessMemoryInfo
PathGetDriveNumberA
PathIsRelativeA
GetMessageA
PostQuitMessage
IsWindow
DispatchMessageA
EnableWindow
SetMenuItemInfoA
EnumChildWindows
MessageBoxA
SetWindowLongA
LookupIconIdFromDirectoryEx
GetWindow
RegisterClassExA
GetClassInfoA
GetMenu
TranslateMessage
DefFrameProcA
DrawMenuBar
CreateDialogParamA
GetWindowLongA
IsClipboardFormatAvailable
CreateWindowExA
LoadCursorA
LoadIconA
SendMessageA
CreateIconFromResource
GetDialogBaseUnits
DestroyWindow
waveOutGetNumDevs
mmioWrite
mmioCreateChunk
mmioOpenA
mmioClose
WSAAsyncGetProtoByNumber
Number of PE resources by type
RT_STRING 8
RT_CURSOR 8
RT_GROUP_CURSOR 7
RT_ICON 3
RT_DIALOG 2
RT_MANIFEST 1
RT_BITMAP 1
RT_VERSION 1
RT_GROUP_ICON 1
Number of PE resources by language
ENGLISH US 32
PE resources
Debug information
ExifTool file metadata
SubsystemVersion 5.1
LinkerVersion 10.0
ImageVersion 0.0
FileSubtype 0
FileVersionNumber 2.0.2311.135
UninitializedDataSize 0
LanguageCode English (U.S.)
FileFlagsMask 0x003f
CharacterSet Unicode
InitializedDataSize 101376
EntryPoint 0x3260
MIMEType application/octet-stream
LegalCopyright Copyright 2012 Dongle Inc. All rights reserved.
FileVersion 2.0.2311.135
TimeStamp 2015:05:20 11:18:48+01:00
FileType Win32 EXE
PEType PE32
InternalName Workstation Builder
ProductVersion 2.0.2311.135
FileDescription Workstation Builder
OSVersion 5.1
FileOS Windows NT 32-bit
Subsystem Windows GUI
MachineType Intel 386 or later, and compatibles
CompanyName Dongle Inc.
CodeSize 492032
ProductName Workstation Builder
ProductVersionNumber 2.0.2311.135
FileTypeExtension exe
ObjectFileType Executable application
PCAP parents
File identification
MD5 28751ef09df87a0d3609452bf5489d98
SHA1 1194db47ca24bf9ca059899479cd5c491b1d262d
SHA256 0ba12dda7bb559933281b9465753d6ea2baf3135104698b670afb2971188b56e
ssdeep 12288:Dn7r7PWfwSAx3+5HwJUudYO5enjpR1Js3PXTOzsuWaC15eagqZ6YnI:j7PWfjS+5HyDdYO5enjZZzvWl2aRI
authentihash 4f2e3f603b05f4d7f0e59a7b8db5971de709f38830a0729038d49caa7575034e
imphash 515c3f12ecab523d3837fafa5a40a107
File size 580.5 KB ( 594432 bytes )
File type Win32 EXE
Magic literal PE32 executable for MS Windows (GUI) Intel 80386 32-bit
TrID Win32 Executable MS Visual C++ (generic) (67.3%)
Win32 Dynamic Link Library (generic) (14.2%)
Win32 Executable (generic) (9.7%)
Generic Win/DOS Executable (4.3%)
DOS Executable Generic (4.3%)
Tags peexe
VirusTotal metadata
First submission 2015-05-20 12:31:26 UTC ( 2 years, 6 months ago )
Last submission 2015-05-21 05:46:10 UTC ( 2 years, 6 months ago )
File names 0BA12DDA7BB559933281B9465753D6EA2BAF3135104698B670AFB2971188B56E.exe
2015-05-20-Angler-EK-Payload.exe
e.exe
Workstation Builder
Advanced heuristic and reputation engines
TrendMicro-HouseCall
TrendMicro's heuristic engine has flagged this file as: TROJ_GEN.R01TC0DF515.

Symantec reputation Suspicious.Insight
Condensed report! The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.
Opened files
Created mutexes
Opened mutexes
Opened service managers
Opened services
Runtime DLLs
Additional details
The file sends control codes directly to certain device drivers making use of the DeviceIoControl Windows API function.