SHA256: 0fe716b2f820e4c846268e6446e377a0e97751665b699eac1dadccbdd2f0e4d4
File name: tdsskiller.exe
Detection ratio: 2 / 46
Analysis date: 2013-03-30 05:49:09 UTC ( 4 years, 1 month ago )
Antivirus Result Update
Comodo Packed.Win32.MUPX.Gen 20130330
Ikarus Trojan.Crypt 20130330
Yandex 20130329
AhnLab-V3 20130329
AntiVir 20130330
Antiy-AVL 20130330
Avast 20130330
AVG 20130330
BitDefender 20130330
ByteHero 20130322
CAT-QuickHeal 20130330
ClamAV 20130330
Commtouch 20130330
DrWeb 20130330
Emsisoft 20130330
eSafe 20130328
ESET-NOD32 20130329
F-Prot 20130330
F-Secure 20130330
Fortinet 20130330
GData 20130330
Jiangmin 20130330
K7AntiVirus 20130328
Kaspersky 20130330
Kingsoft 20130325
Malwarebytes 20130330
McAfee 20130330
McAfee-GW-Edition 20130330
Microsoft 20130330
eScan 20130330
NANO-Antivirus 20130330
Norman 20130329
nProtect 20130329
Panda 20130329
PCTools 20130330
Rising 20130328
Sophos 20130330
SUPERAntiSpyware 20130329
Symantec 20130330
TheHacker 20130330
TotalDefense 20130329
TrendMicro 20130330
TrendMicro-HouseCall 20130330
VBA32 20130328
VIPRE 20130330
ViRobot 20130330
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
Authenticode signature block and FileVersionInfo properties
Copyright © 1997-2013 Kaspersky Lab ZAO.
Publisher Kaspersky Lab
Product TDSSKiller
Original name TDSSKiller.exe
Internal name TDSSKiller
File version 2.8.16.0
Description TDSS rootkit removing tool
Signature verification Signed file, verified signature
Signing date 12:55 PM 3/21/2013
Signers
[+] Kaspersky Lab
Status Valid
Issuer None
Valid from 1:00 AM 2/22/2013
Valid to 1:00 PM 4/28/2015
Valid usage Code Signing
Algorithm SHA1
Thumbprint 5698BCFAB92B567BDDFBB5B71AE1B35E2BC73571
Serial number 02 26 E6 BD A7 6D AE 71 1E 3D B2 32 1E 3B 53 08
[+] DigiCert High Assurance Code Signing CA-1
Status Valid
Issuer None
Valid from 1:00 PM 2/11/2011
Valid to 1:00 PM 2/10/2026
Valid usage Code Signing
Algorithm SHA1
Thumbprint E308F829DC77E80AF15EDD4151EA47C59399AB46
Serial number 02 C4 D1 E5 8A 4A 68 0C 56 8D A3 04 7E 7E 4D 5F
[+] DigiCert High Assurance EV Root CA
Status Valid
Issuer None
Valid from 8:20 PM 1/13/2010
Valid to 7:19 PM 9/30/2015
Valid usage All
Algorithm SHA1
Thumbprint 6751188F0E5563593233300564359411585B0C33
Serial number 07 27 58 3D
[+] GTE CyberTrust Global Root
Status Valid
Issuer None
Valid from 1:29 AM 8/13/1998
Valid to 12:59 AM 8/14/2018
Valid usage Email Protection, Client Auth, Server Auth, Code Signing
Algorithm MD5
Thumbprint 97817950D81C9670CC34D809CF794431367EF474
Serial number 01 A5
Counter signers
[+] COMODO Time Stamping Signer
Status Valid
Issuer None
Valid from 1:00 AM 5/10/2010
Valid to 12:59 AM 5/11/2015
Valid usage Timestamp Signing
Algorithm SHA1
Thumbprint 3DBB6DB5085C6DD5A1CA7F9CF84ECB1A3910CAC8
Serial number 47 8A 8E FB 59 E1 D8 3F 0C E1 42 D2 A2 87 07 BE
[+] USERTrust
Status Valid
Issuer None
Valid from 7:31 PM 7/9/1999
Valid to 7:40 PM 7/9/2019
Valid usage EFS, Timestamp Signing, Code Signing
Algorithm SHA1
Thumbprint E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46
Serial number 44 BE 0C 8B 50 00 24 B4 11 D3 36 2D E0 B3 5F 1B
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2013-03-21 11:53:21
Entry Point 0x003553DC
Number of sections 5
PE sections
PE imports
InitCommonControlsEx
CertOpenStore
BitBlt
VarUI4FromStr
UuidCreate
SetupIterateCabinetW
Ord(165)
StrStrIW
VerQueryValueW
WinHttpOpen
WinVerifyTrust
GetProcAddress
GetModuleHandleA
CoInitialize
Number of PE resources by type
RT_RCDATA 95
RT_STRING 31
RT_ICON 7
RT_DIALOG 3
RT_MANIFEST 1
RT_ACCELERATOR 1
RT_BITMAP 1
RT_VERSION 1
RT_GROUP_ICON 1
Number of PE resources by language
RUSSIAN 140
ENGLISH US 1
PE resources
ExifTool file metadata
CodeSize 2252800
SubsystemVersion 5.1
LinkerVersion 10.0
ImageVersion 0.0
FileSubtype 0
FileVersionNumber 2.8.16.0
LanguageCode English (U.S.)
FileFlagsMask 0x003f
FileDescription TDSS rootkit removing tool
CharacterSet Unicode
InitializedDataSize 20480
FileOS Windows NT 32-bit
MIMEType application/octet-stream
LegalCopyright 1997-2013 Kaspersky Lab ZAO.
FileVersion 2.8.16.0
TimeStamp 2013:03:21 12:53:21+01:00
FileType Win32 EXE
PEType PE32
InternalName TDSSKiller
FileAccessDate 2014:11:24 23:32:21+01:00
ProductVersion 2.8.16.0
UninitializedDataSize 1216512
OSVersion 5.1
FileCreateDate 2014:11:24 23:32:21+01:00
OriginalFilename TDSSKiller.exe
Subsystem Windows GUI
MachineType Intel 386 or later, and compatibles
CompanyName Kaspersky Lab ZAO
LegalTrademarks Kaspersky Anti-Virus is registered trademark of Kaspersky Lab ZAO.
ProductName TDSSKiller
ProductVersionNumber 2.8.16.0
EntryPoint 0x3553dc
ObjectFileType Executable application

File identification
MD5 f840530335aa3b17defa10bc82a9cc7d
SHA1 7f9fb36d97717063fd21f9aeb8ad84f5320209ed
SHA256 0fe716b2f820e4c846268e6446e377a0e97751665b699eac1dadccbdd2f0e4d4
ssdeep 49152:2+fVlHX2BmzRc1vhLlfxh82OXoT5cEwr6hTvQJR9gbqfhyR9:vVlmwohLlD7YotcydOfq9
authentihash ae06aba93e7ef95ad064084c80fbf1164e00a962276d147e0b7333f988c1b155
imphash ee64c6ff36d8429f456c1a0ed1cb34e8
File size 2.1 MB ( 2239840 bytes )
File type Win32 EXE
Magic literal PE32 executable for MS Windows (GUI) Intel 80386 32-bit
TrID UPX compressed Win32 Executable (42.3%)
Win32 EXE Yoda's Crypter (36.7%)
Win32 Dynamic Link Library (generic) (9.1%)
Win32 Executable (generic) (6.2%)
Generic Win/DOS Executable (2.7%)
Tags peexe, signed

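The two detections in the table above (Comodo's generic Packed.Win32.MUPX.Gen and Ikarus's Trojan.Crypt) and the TrID guess of a UPX-compressed or Yoda's-crypted executable are packer heuristics rather than a verdict on the code: the file carries a valid Kaspersky Lab Authenticode signature countersigned by COMODO, and a SizeOfCode of 2252800 plus 1216512 bytes of uninitialized data inside a 2239840-byte file is consistent with an unpacking stub that expands the real image at run time. The following Python is an added example, not VirusTotal's or Kaspersky's code. It reads the same header fields the "PE header basic information" and ExifTool sections list (machine, section count, link timestamp, entry point, linker/OS/subsystem versions, code and data sizes, presence of a certificate table) and applies a cheap packer heuristic. The sample image is constructed inline with the header values from this report; its section names, alignments, image base and certificate-table RVA are assumptions, since the report leaves the section list empty.

```python
"""Added example (not VirusTotal's or Kaspersky's code): parse the PE header
fields shown in a triage report and apply a cheap packer heuristic.
The image returned by build_sample() is constructed here; header values come
from the report, everything else (section names, alignments, image base,
certificate-table RVA) is an assumption."""
import hashlib
import struct
from datetime import datetime, timezone

IMAGE_FILE_MACHINE_I386 = 0x14C
PE32_MAGIC = 0x10B
IMAGE_SUBSYSTEM_WINDOWS_GUI = 2
IMAGE_DIRECTORY_ENTRY_SECURITY = 4          # Authenticode certificate table
IMAGE_SCN_MEM_EXECUTE = 0x20000000
# Section names left behind by common packers (UPX, ASPack, Petite, VMProtect).
PACKER_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2", b".aspack", b".adata",
                        b".petite", b".vmp0", b".vmp1"}


def parse_pe(data: bytes) -> dict:
    """Return the header fields a report lists, plus a hash and a packer flag."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image (no MZ)")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE\\0\\0 signature at e_lfanew")
    coff = e_lfanew + 4
    machine, nsections, timestamp, _, _, opt_size, _ = struct.unpack_from(
        "<HHIIIHH", data, coff)
    opt = coff + 20                          # IMAGE_OPTIONAL_HEADER32 follows COFF
    (magic, maj_link, min_link, size_code, size_idata, size_udata,
     entry) = struct.unpack_from("<HBBIIII", data, opt)
    if magic != PE32_MAGIC:
        raise ValueError(f"only PE32 handled here, magic=0x{magic:x}")
    maj_os, min_os, _, _, maj_sub, min_sub = struct.unpack_from("<6H", data, opt + 40)
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]
    n_dirs = struct.unpack_from("<I", data, opt + 92)[0]
    cert_size = 0
    if n_dirs > IMAGE_DIRECTORY_ENTRY_SECURITY:
        _, cert_size = struct.unpack_from(
            "<II", data, opt + 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    sections = []
    for i in range(nsections):
        name, vsize, _, raw_size, _, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0"), "virtual_size": vsize,
                         "raw_size": raw_size, "characteristics": chars})
    # Packer heuristic: a known packer section name, or an executable section
    # with no bytes on disk that gets filled at run time (the UPX0 pattern).
    looks_packed = any(
        s["name"] in PACKER_SECTION_NAMES
        or (s["raw_size"] == 0 and s["virtual_size"] > 0
            and s["characteristics"] & IMAGE_SCN_MEM_EXECUTE)
        for s in sections)
    return {
        "machine": machine,
        "number_of_sections": nsections,
        "timestamp_utc": datetime.fromtimestamp(timestamp, timezone.utc)
                                 .strftime("%Y-%m-%d %H:%M:%S"),
        "entry_point": entry,
        "linker_version": f"{maj_link}.{min_link}",
        "os_version": f"{maj_os}.{min_os}",
        "subsystem_version": f"{maj_sub}.{min_sub}",
        "subsystem": subsystem,
        "size_of_code": size_code,
        "size_of_initialized_data": size_idata,
        "size_of_uninitialized_data": size_udata,
        # A non-empty certificate table only means a signature blob is attached;
        # whether it verifies needs WinVerifyTrust or a PKCS#7 verifier.
        "has_certificate_table": cert_size > 0,
        "sections": [s["name"].decode("latin-1") for s in sections],
        "looks_packed": looks_packed,
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def build_sample(section_names, cert_table_size=0) -> bytes:
    """Constructed PE32 header: report values, assumed section names/layout."""
    opt = struct.pack("<HBB", PE32_MAGIC, 10, 0)                 # LinkerVersion 10.0
    opt += struct.pack("<9I", 2252800, 20480, 1216512,           # Code/Init/Uninit sizes
                       0x003553DC,                               # AddressOfEntryPoint
                       0x1000, 0x227000, 0x400000, 0x1000, 0x200)  # assumed bases/alignments
    opt += struct.pack("<6H", 5, 1, 0, 0, 5, 1)                  # OS 5.1, Image 0.0, Subsystem 5.1
    opt += struct.pack("<4I", 0, 0x500000, 0x400, 0)             # Win32Ver, SizeOfImage, SizeOfHeaders, CheckSum
    opt += struct.pack("<HH", IMAGE_SUBSYSTEM_WINDOWS_GUI, 0)
    opt += struct.pack("<6I", 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    for i in range(16):                                          # data directories
        rva, size = (0x222000, cert_table_size) if (
            i == IMAGE_DIRECTORY_ENTRY_SECURITY and cert_table_size) else (0, 0)
        opt += struct.pack("<II", rva, size)
    coff = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_I386, len(section_names),
                       1363866801,        # 2013-03-21 11:53:21 UTC, the report's link time
                       0, 0, len(opt), 0x0102)
    secs = b""
    for i, name in enumerate(section_names):
        raw = 0 if name == b"UPX0" else 0x200   # UPX0 has no bytes on disk
        secs += struct.pack("<8sIIIIIIHHI", name, 0x1000, 0x1000 * (i + 1), raw,
                            0x400 + 0x200 * i, 0, 0, 0, 0, 0x60000020)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)             # e_lfanew = 64
    return dos + b"PE\0\0" + coff + opt + secs


if __name__ == "__main__":
    import json
    sample = build_sample([b"sec0", b"sec1", b"sec2", b"sec3", b"sec4"],
                          cert_table_size=0x1800)
    print(json.dumps(parse_pe(sample), indent=2))
```

Run against a real file with parse_pe(open(path, "rb").read()); the timestamp printed is UTC, which is why the report's 11:53:21 and ExifTool's 12:53:21+01:00 are the same instant. has_certificate_table is deliberately not a "signed" verdict: the blob can be absent, expired, or unverifiable, and only a verifier (WinVerifyTrust on Windows, or a PKCS#7 library such as signify elsewhere) turns it into the "verified signature" line the report shows.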
VirusTotal metadata
First submission 2013-03-22 20:06:17 UTC ( 4 years, 2 months ago )
Last submission 2013-06-26 20:33:46 UTC ( 3 years, 11 months ago )
File names Tyhbyuy6TTTsdsa.exe
TDSSKiller
3419E42C-AD45-4DE4-B780-ACB262CBFE63.exe
file-5347468_exe
tdsskiller.exe
KasperskyTDSSKiller-2.8.17.exe
85DB85C5-746C-4DBB-8539-10069A36138C.exe
65BD1B1A-DE15-4B00-9A0E-B11C0DFDE45E.exe
TDSSKiller.exe
tdsskiller(1).exe
tdsskiller.exe
Advanced heuristic and reputation engines
Symantec reputation Suspicious.Insight
Condensed report! The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.
Runtime DLLs
Additional details
The file sends control codes directly to certain device drivers using the DeviceIoControl Windows API function. For a binary whose version information describes it as a rootkit removal tool, direct driver communication is expected behaviour and is not an indicator on its own.
UDP communications