SHA256: 11c64ffa432ae10650f8661bc9a3e0b5e18f93539faa5f24e79fc217f7248d29
File name: 2015-04-03-paying-days-net-malware-payload.exe
Detection ratio: 43 / 56
Analysis date: 2015-05-31 22:56:42 UTC ( 2 years, 5 months ago )
Antivirus Result Update
Ad-Aware Trojan.GenericKD.2271403 20150531
Yandex Trojan.Blocker!odTg6p6IZ1E 20150531
AhnLab-V3 Trojan/Win32.MDA 20150531
ALYac Trojan.GenericKD.2271403 20150531
Antiy-AVL Trojan[Dropper]/Win32.Injector 20150531
Avast Win32:Agent-AYPR [Trj] 20150531
AVG Generic36.BGSN 20150531
Avira (no cloud) TR/Crowti.282624 20150531
AVware Trojan.Win32.Generic!BT 20150531
Baidu-International Trojan.Win32.Ransomlock.gvkd 20150531
BitDefender Trojan.GenericKD.2271403 20150531
Bkav W32.GenericCrowtiI.Trojan 20150529
CAT-QuickHeal Ransom.Crowti.AB5 20150530
ClamAV Win.Trojan.Agent-868402 20150531
Cyren W32/Trojan.NSGD-2954 20150531
DrWeb Trojan.PWS.Multi.1701 20150531
Emsisoft Trojan.GenericKD.2271403 (B) 20150531
ESET-NOD32 Win32/Filecoder.CO 20150531
F-Secure Trojan.GenericKD.2271403 20150531
Fortinet W32/Filecoder.CO!tr 20150531
GData Trojan.GenericKD.2271403 20150531
Ikarus Trojan.Win32.Boaxxe 20150531
Jiangmin TrojanDropper.Injector.brlb 20150529
K7AntiVirus Trojan ( 00498ab51 ) 20150531
K7GW Trojan ( 00498ab51 ) 20150531
Kaspersky Trojan-Ransom.Win32.Blocker.gvkd 20150531
Malwarebytes Trojan.Inject 20150531
McAfee Packed-EM!CBBBA16B1249 20150531
McAfee-GW-Edition Packed-EM!CBBBA16B1249 20150531
Microsoft Ransom:Win32/Crowti.A 20150531
eScan Trojan.GenericKD.2271403 20150531
NANO-Antivirus Trojan.Win32.Blocker.dqctwh 20150531
nProtect Trojan.GenericKD.2271403 20150529
Panda Trj/Genetic.gen 20150531
Qihoo-360 HEUR/QVM07.1.Malware.Gen 20150531
Sophos AV Troj/Fondu-EO 20150531
Symantec Trojan.Gen 20150531
Tencent Trojan.Win32.YY.Gen.24 20150531
TrendMicro TROJ_CRYPWALL.CX 20150531
TrendMicro-HouseCall TROJ_CRYPWALL.CX 20150531
VIPRE Trojan.Win32.Generic!BT 20150531
ViRobot Trojan.Win32.A.Blocker.282624.M[h] 20150531
Zillya Trojan.Blocker.Win32.28041 20150531
AegisLab 20150531
Alibaba 20150531
ByteHero 20150531
CMC 20150530
Comodo 20150531
F-Prot 20150531
Kingsoft 20150531
Rising 20150531
SUPERAntiSpyware 20150530
TheHacker 20150529
TotalDefense 20150531
VBA32 20150529
Zoner 20150526
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
FileVersionInfo properties
Copyright Copyright (C) 2004
Product ButtonST
Original name ButtonST.EXE
Internal name ButtonST
File version 1, 0, 0, 1
Description ButtonST
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2015-04-02 16:23:20
Entry Point 0x0000BAE8
Number of sections 4
PE sections
PE imports
RegDeleteValueA
RegCloseKey
RegQueryValueW
RegOpenKeyExW
RegQueryValueExW
ImageList_GetImageCount
_TrackMouseEvent
ImageList_Draw
ImageList_AddMasked
ImageList_GetIcon
ImageList_ReplaceIcon
GetDIBColorTable
TextOutW
CreateFontIndirectW
PatBlt
CreatePen
GetBkMode
CreateHalftonePalette
GetTextMetricsA
GetPixel
Rectangle
GetDeviceCaps
CreateCompatibleDC
DeleteDC
SetPixel
DeleteObject
GetObjectW
BitBlt
CreateDIBSection
SetTextColor
ExtTextOutW
CreateBitmap
RectVisible
CreatePalette
GetStockObject
PtVisible
RoundRect
SelectObject
Ellipse
CreateSolidBrush
Escape
SetBkColor
GetTextExtentPoint32W
CreateCompatibleBitmap
GetStdHandle
SetCommBreak
LoadLibraryW
GetVersionExW
SetEvent
lstrcmpiW
lstrlenW
GetLocalTime
GetWindowsDirectoryW
LockResource
GetCPInfo
WinExec
lstrcatW
GetStartupInfoW
lstrcpynW
lstrcpyW
WideCharToMultiByte
SetEnvironmentVariableW
FindNextFileW
MulDiv
GetStringTypeW
GetModuleHandleW
FreeLibrary
GlobalMemoryStatus
LoadResource
FindResourceW
GetVersion
rand
malloc
__p__fmode
_ftol
memset
__dllonexit
_controlfp
_onexit
_except_handler3
?terminate@@YAXXZ
__p__commode
memcpy
wcslen
wcscmp
exit
_XcptFilter
__setusermatherr
wcsncpy
_wcmdln
__CxxFrameHandler
_adjust_fdiv
free
__wgetmainargs
_exit
memmove
wcscpy
wcsstr
_initterm
__set_app_type
ShellExecuteW
ShellExecuteExW
DrawEdge
GetMessagePos
GetParent
EnableWindow
UpdateWindow
DrawTextW
OffsetRect
CopyRect
CopyIcon
GetMenuState
KillTimer
CreatePopupMenu
GetNextDlgTabItem
MessageBeep
DrawStateW
LoadBitmapW
GetSysColorBrush
GetSystemMetrics
SetWindowLongW
IsWindow
SendMessageW
GrayStringW
GetWindowRect
InflateRect
ScreenToClient
IsMenu
WindowFromPoint
AppendMenuW
CreateIconIndirect
DestroyCursor
PostMessageW
GetSysColor
SetScrollInfo
ReleaseDC
GetMenuStringW
GetIconInfo
DestroyIcon
GetSubMenu
RegisterClassW
GetWindowLongW
DrawIconEx
GetClientRect
CreateMenu
SystemParametersInfoW
SetCursor
IsIconic
FrameRect
SetRect
InvalidateRect
DrawFocusRect
GetWindowTextLengthA
SetTimer
LoadImageW
GetActiveWindow
ClientToScreen
GetMenuItemCount
ModifyMenuW
GetMenuItemID
GetDesktopWindow
LoadCursorW
LoadIconW
GetDC
TabbedTextOutW
FillRect
GetMenuItemInfoW
IsDialogMessageA
PtInRect
Number of PE resources by type
RT_DIALOG 6
RT_GROUP_CURSOR 1
RT_ICON 1
Struct(241) 1
RT_MENU 1
RT_BITMAP 1
RT_CURSOR 1
RT_VERSION 1
RT_GROUP_ICON 1
Number of PE resources by language
NEUTRAL 13
ENGLISH US 1
PE resources
ExifTool file metadata
SubsystemVersion 4.0
LinkerVersion 6.0
ImageVersion 0.0
FileSubtype 0
FileVersionNumber 1.0.0.1
UninitializedDataSize 0
LanguageCode Spanish (Mexican)
FileFlagsMask 0x003f
CharacterSet Windows, Hebrew
InitializedDataSize 229376
EntryPoint 0xbae8
OriginalFileName ButtonST.EXE
MIMEType application/octet-stream
LegalCopyright Copyright (C) 2004
FileVersion 1, 0, 0, 1
TimeStamp 2015:04:02 17:23:20+01:00
FileType Win32 EXE
PEType PE32
InternalName ButtonST
ProductVersion 1, 0, 0, 1
FileDescription ButtonST
OSVersion 4.0
FileOS Windows NT
Subsystem Windows GUI
MachineType Intel 386 or later, and compatibles
CodeSize 49152
ProductName ButtonST
ProductVersionNumber 1.0.0.1
FileTypeExtension exe
ObjectFileType Executable application
PCAP parents
File identification
MD5 cbbba16b1249318d028697cb1c0d8a11
SHA1 69f953704db832691d5e6efddc2141593e7fe227
SHA256 11c64ffa432ae10650f8661bc9a3e0b5e18f93539faa5f24e79fc217f7248d29
ssdeep 6144:sWOGf5uxRqrB3Fp7wMW6g92eAtLEBRo4R0pffuhEGUqCqzY+pbjQ:DOhR+B3F90CtLSRo4ap+ZCuY+m
authentihash c80d0d7732da4593c5e397aca7e56afd32940c0944311166c2a4581554e99457
imphash a6c2f9a17efe1d16ddf4443a13a97097
File size 276.0 KB ( 282624 bytes )
File type Win32 EXE
Magic literal PE32 executable for MS Windows (GUI) Intel 80386 32-bit
TrID Win32 Executable MS Visual C++ (generic) (46.3%)
Win64 Executable (generic) (41.0%)
Win32 Executable (generic) (6.6%)
Generic Win/DOS Executable (2.9%)
DOS Executable Generic (2.9%)
Tags peexe
VirusTotal metadata
First submission 2015-04-03 22:42:39 UTC ( 2 years, 7 months ago )
Last submission 2015-05-31 22:56:42 UTC ( 2 years, 5 months ago )
File names ButtonST
11C64FFA432AE10650F8661BC9A3E0B5E18F93539FAA5F24E79FC217F7248D29.EXE
ButtonST.EXE
3A4E.tmp
2015-04-03-paying-days-net-malware-payload.exe
Advanced heuristic and reputation engines
Symantec reputation Suspicious.Insight
Condensed report! The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.
Opened files
Read files
Written files
Created processes
Code injections in the following processes
Opened mutexes
Runtime DLLs
Additional details
The file sends control codes directly to certain device drivers making use of the DeviceIoControl Windows API function.
UDP communications