SHA256: 0fbcf007f230bf0c3ab424c805312b1234c442336ab081af7d6b0ea072df717d
File name: trickbot.exe
Detection ratio: 21 / 56
Analysis date: 2016-11-15 14:12:22 UTC ( 2 years, 5 months ago )
Antivirus Result Update
Ad-Aware Trojan.GenericKD.3708491 20161115
AegisLab Uds.Dangerousobject.Multi!c 20161115
AhnLab-V3 Trojan/Win32.Androm.N2155054031 20161115
ALYac Backdoor.Agent.Trickbot 20161115
AVG Generic_vb.NPX 20161115
Avira (no cloud) TR/Dropper.VB.ulnnu 20161115
Baidu Win32.Trojan.WisdomEyes.16070401.9500.9905 20161115
CrowdStrike Falcon (ML) malicious_confidence_100% (W) 20161024
Cyren W32/Trojan.HDQI-8849 20161115
DrWeb Trojan.DownLoader22.63827 20161115
Emsisoft Trojan.Trickster (A) 20161115
ESET-NOD32 Win32/Agent.RYE 20161115
Sophos ML trojan.win32.skeeyah.a!rfn 20161018
Kaspersky Trojan.Win32.Trickster.af 20161115
McAfee Downloader-FBKJ!8972AF743006 20161115
McAfee-GW-Edition BehavesLike.Win32.VBObfus.fh 20161115
Microsoft Trojan:Win32/Totbrick.A 20161115
Qihoo-360 HEUR/QVM03.0.0000.Malware.Gen 20161115
Sophos AV Mal/Generic-S 20161115
Symantec Trojan Horse 20161115
ViRobot Trojan.Win32.Agent.378406[h] 20161115
Alibaba 20161115
Antiy-AVL 20161115
Arcabit 20161115
Avast 20161115
AVware 20161115
BitDefender 20161115
Bkav 20161112
CAT-QuickHeal 20161115
ClamAV 20161115
CMC 20161115
Comodo 20161115
F-Prot 20161115
F-Secure 20161115
Fortinet 20161115
GData 20161115
Ikarus 20161115
Jiangmin 20161115
K7AntiVirus 20161115
K7GW 20161115
Kingsoft 20161115
Malwarebytes 20161115
eScan 20161115
NANO-Antivirus 20161115
nProtect 20161115
Panda 20161114
Rising 20161115
SUPERAntiSpyware 20161115
Tencent 20161115
TheHacker 20161115
TrendMicro 20161115
TrendMicro-HouseCall 20161115
VBA32 20161115
VIPRE 20161115
Yandex 20161114
Zillya 20161115
Zoner 20161115
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
FileVersionInfo properties
Copyright
Retractable stock Steel bolt carrier High compression nozzle ...

Product Retractable stock Steel bolt carrier High compression nozzle ...
Original name CPUMonitor.exe
Internal name CPUMonitor
File version 1.00.0136
Description Retractable stock Steel bolt carrier High compression nozzle ...
Comments Retractable stock Steel bolt carrier High compression nozzle ...
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2016-11-12 13:27:34
Entry Point 0x00001130
Number of sections 3
PE sections
Overlays
MD5 cf0e845c98518608d6132ee7c9093b32
File type data
Offset 172032
Size 206374
Entropy 7.96
PE imports
EVENT_SINK_QueryInterface
Ord(689)
Ord(537)
Ord(648)
Ord(570)
Ord(594)
Ord(525)
Ord(663)
EVENT_SINK_AddRef
Ord(707)
Ord(681)
Ord(717)
__vbaExceptHandler
Ord(632)
MethCallEngine
DllFunctionCall
Ord(552)
Ord(520)
Ord(100)
ProcCallEngine
Ord(711)
Ord(690)
EVENT_SINK_Release
Ord(595)
Ord(706)
Ord(593)
Ord(581)
Ord(631)
Ord(545)
Number of PE resources by type
RT_ICON 7
01 1
RT_VERSION 1
RT_GROUP_ICON 1
Number of PE resources by language
NEUTRAL 8
RUSSIAN 1
ENGLISH US 1
PE resources
ExifTool file metadata
CodeSize
139264

SubsystemVersion
4.0

Comments
Retractable stock Steel bolt carrier High compression nozzle ...

LinkerVersion
6.0

ImageVersion
1.0

FileSubtype
0

FileVersionNumber
1.0.0.136

LanguageCode
English (U.S.)

FileFlagsMask
0x0000

FileDescription
Retractable stock Steel bolt carrier High compression nozzle ...

ImageFileCharacteristics
No relocs, Executable, No line numbers, No symbols, 32-bit

CharacterSet
Unicode

InitializedDataSize
49152

EntryPoint
0x1130

OriginalFileName
CPUMonitor.exe

MIMEType
application/octet-stream

LegalCopyright
Retractable stock Steel bolt carrier High compression nozzle ...

FileVersion
1.00.0136

TimeStamp
2016:11:12 14:27:34+01:00

FileType
Win32 EXE

PEType
PE32

InternalName
CPUMonitor

ProductVersion
1.00.0136

UninitializedDataSize
0

OSVersion
4.0

FileOS
Win32

Subsystem
Windows GUI

MachineType
Intel 386 or later, and compatibles

CompanyName
flAsh

LegalTrademarks
Retractable stock Steel bolt carrier High compression nozzle ...

ProductName
Retractable stock Steel bolt carrier High compression nozzle ...

ProductVersionNumber
1.0.0.136

FileTypeExtension
exe

ObjectFileType
Executable application

Compressed bundles
File identification
MD5 8972af7430067a15b40dda9f7bc81dd4
SHA1 e294701b7a0909efedde771444316e86ac9226bc
SHA256 0fbcf007f230bf0c3ab424c805312b1234c442336ab081af7d6b0ea072df717d
ssdeep
6144:xkcm1Rw3xi8WG+DkxM0OJhJTq06GTvNSBQcxrygWqa2Yo0yXPB8z0iRx+SdV/v/8:xZ3xdWn045SrygWq9uz0i6So

authentihash 70c0a4e99b818141369df91f93108d7cce1eb401e0520aa0ad62096d7fd1f03a
imphash 664b43a4f13e5f9dfcb2752b2fbe19a8
File size 369.5 KB ( 378406 bytes )
File type Win32 EXE
Magic literal
PE32 executable for MS Windows (GUI) Intel 80386 32-bit

TrID Win32 Executable Microsoft Visual Basic 6 (88.6%)
Win32 Executable (generic) (4.8%)
OS/2 Executable (generic) (2.1%)
Generic Win/DOS Executable (2.1%)
DOS Executable Generic (2.1%)
Tags
peexe overlay

VirusTotal metadata
First submission 2016-11-15 02:52:27 UTC ( 2 years, 5 months ago )
Last submission 2018-08-13 18:05:18 UTC ( 8 months, 1 week ago )
File names trickbot.exe
wer5.exe
CPUMonitor
wer5.exe
0fbcf007f230bf0c3ab424c805312b1234c442336ab081af7d6b0ea072df717d_20161115-10_50_01_ldjslfjsnot.png.vir
wer5.exe.bin
ldjslfjsnot.png
CPUMonitor.exe
wer5.exe
0FBCF007F230BF0C3AB424C805312B1234C442336AB081AF7D6B0EA072DF717D.EXE
wer5.exe
Condensed report! The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.
Opened files
Read files
Deleted files
Hooking activity
Runtime DLLs
Additional details
The file installs an application-defined hook procedure into a hook chain. A hook procedure is installed to monitor the system for certain types of events; these events are associated either with a specific thread or with all threads in the same desktop as the calling thread. This is done by making use of the SetWindowsHook Windows API function.
UDP communications