SHA256: 11d111ea0068865d6b29b0952592dc36a3061878f9bcfa11512c3f7c8a7d8910
File name: 2015-03-06-payingdays-me-malware-payload.exe
Detection ratio: 45 / 56
Analysis date: 2015-05-31 22:45:52 UTC ( 2 years, 5 months ago )
Antivirus | Result | Update (signature date)
Ad-Aware | Gen:Variant.Kazy.569499 | 20150531
Yandex | Trojan.Foreign!f0uwTjLAF1E | 20150531
AhnLab-V3 | Worm/Win32.Ngrbot | 20150531
ALYac | Gen:Variant.Kazy.569499 | 20150531
Antiy-AVL | Trojan/Win32.Neurevt | 20150531
Avast | Win32:Injector-CNW [Trj] | 20150531
AVG | Crypt3.CKJU | 20150531
Avira (no cloud) | TR/Crypt.Xpack.160326 | 20150531
AVware | Trojan.Win32.Generic!BT | 20150531
Baidu-International | Trojan.Win32.Ransom.lxnp | 20150531
BitDefender | Gen:Variant.Kazy.569499 | 20150531
Bkav | HW32.Packed.CA55 | 20150529
CAT-QuickHeal | TrojanRansom.Foreign.r4 | 20150530
Comodo | UnclassifiedMalware | 20150531
Cyren | W32/S-0b92b060!Eldorado | 20150531
DrWeb | BackDoor.IRC.NgrBot.449 | 20150531
Emsisoft | Gen:Variant.Kazy.569499 (B) | 20150531
ESET-NOD32 | a variant of Win32/Kryptik.DBAC | 20150531
F-Prot | W32/S-0b92b060!Eldorado | 20150531
F-Secure | Gen:Variant.Kazy.569499 | 20150531
Fortinet | W32/Foreign.AS!tr | 20150531
GData | Gen:Variant.Kazy.569499 | 20150531
Ikarus | Trojan.Win32.Injector | 20150531
Jiangmin | TrojanProxy.Lethic.gi | 20150529
K7AntiVirus | Trojan ( 004b787d1 ) | 20150531
K7GW | Trojan ( 004b787d1 ) | 20150531
Kaspersky | Trojan-Ransom.Win32.Foreign.lxnp | 20150531
Malwarebytes | Trojan.Agent.DED | 20150531
McAfee | Generic.vm | 20150531
McAfee-GW-Edition | Generic.vm | 20150531
Microsoft | Ransom:Win32/Crowti | 20150531
eScan | Gen:Variant.Kazy.569499 | 20150531
NANO-Antivirus | Trojan.Win32.Lethic.dovxsi | 20150531
Panda | Trj/Chgt.O | 20150531
Qihoo-360 | HEUR/QVM10.1.Malware.Gen | 20150531
Sophos AV | Mal/Wonton-AS | 20150531
SUPERAntiSpyware | Trojan.Agent/Gen-Dropper | 20150530
Symantec | Trojan.Gen.2 | 20150531
Tencent | Trojan.Win32.Qudamah.Gen.30 | 20150531
TotalDefense | Win32/Crowti.YXBAOUC | 20150531
TrendMicro | TROJ_GEN.R000C0CCD15 | 20150531
TrendMicro-HouseCall | TROJ_GEN.R000C0CCD15 | 20150531
VBA32 | OScope.Malware-Cryptor.Ngrbot | 20150529
VIPRE | Trojan.Win32.Generic!BT | 20150531
Zillya | Trojan.Neurevt.Win32.1011 | 20150531
AegisLab | (not detected) | 20150531
Alibaba | (not detected) | 20150531
ByteHero | (not detected) | 20150531
ClamAV | (not detected) | 20150531
CMC | (not detected) | 20150530
Kingsoft | (not detected) | 20150531
nProtect | (not detected) | 20150529
Rising | (not detected) | 20150531
TheHacker | (not detected) | 20150529
ViRobot | (not detected) | 20150531
Zoner | (not detected) | 20150526
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
FileVersionInfo properties
Copyright: Copyright (C) Construction 2005-2013
Publisher: Obtain Johnson - www.Construction.com
Product: Construction
File version: 2.0.0.4
Description: Repeat connected failed organized
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2015-03-06 17:41:02
Entry Point 0x00002CD2
Number of sections 4
PE sections
PE imports (grouped by exporting DLL; the captured page listed the function names without their modules)
ADVAPI32.dll
GetTokenInformation
LookupPrivilegeValueA
RegCloseKey
OpenProcessToken
RegSetValueExA
FreeSid
RegQueryValueExA
AllocateAndInitializeSid
AdjustTokenPrivileges
EqualSid
RegCreateKeyExA
RegOpenKeyExA
RegDeleteValueA
RegQueryInfoKeyA
GDI32.dll
GetDeviceCaps
KERNEL32.dll
GetStdHandle
GetConsoleOutputCP
GetFileAttributesA
WaitForSingleObject
FreeEnvironmentStringsA
DeleteCriticalSection
GetCurrentProcess
GetConsoleMode
GetLocaleInfoA
lstrcatA
SetErrorMode
FreeEnvironmentStringsW
SetStdHandle
GetTempPathA
GetCPInfo
GetStringTypeA
WriteFile
GetSystemTimeAsFileTime
GetDiskFreeSpaceA
GetStringTypeW
GetFullPathNameA
GetExitCodeProcess
MoveFileA
FindClose
TlsGetValue
SetLastError
CopyFileA
HeapAlloc
RemoveDirectoryA
LoadLibraryExA
GetPrivateProfileStringA
UnhandledExceptionFilter
InterlockedDecrement
MultiByteToWideChar
SetFilePointer
CreateThread
SetFileAttributesA
SetUnhandledExceptionFilter
MulDiv
GetSystemDirectoryA
TerminateProcess
WriteConsoleA
GlobalAlloc
SearchPathA
GetVersion
InterlockedIncrement
SetCurrentDirectoryA
WriteConsoleW
InitializeCriticalSectionAndSpinCount
HeapFree
EnterCriticalSection
SetHandleCount
lstrcmpiA
FreeLibrary
QueryPerformanceCounter
GetTickCount
TlsAlloc
FlushFileBuffers
LoadLibraryA
RtlUnwind
GetStartupInfoA
GetFileSize
CreateDirectoryA
DeleteFileA
GetWindowsDirectoryA
GetProcAddress
lstrcmpA
FindFirstFileA
GetCurrentThreadId
GetTempFileNameA
FindNextFileA
ExpandEnvironmentStringsA
IsDebuggerPresent
GetFileType
TlsSetValue
CreateFileA
ExitProcess
LeaveCriticalSection
GetLastError
LCMapStringW
lstrlenA
GlobalFree
GetConsoleCP
LCMapStringA
HeapReAlloc
GetEnvironmentStringsW
GlobalUnlock
GetModuleFileNameA
GetShortPathNameA
GetEnvironmentStrings
CompareFileTime
WritePrivateProfileStringA
GetCurrentProcessId
SetFileTime
WideCharToMultiByte
HeapSize
GetCommandLineA
RaiseException
TlsFree
GetModuleHandleA
ReadFile
CloseHandle
lstrcpynA
GetACP
GlobalLock
GetModuleHandleW
CreateProcessA
IsValidCodePage
HeapCreate
VirtualFree
Sleep
VirtualAlloc
GetOEMCP
USER32.dll
CharPrevA
SetDlgItemTextA
EndDialog
ShowWindow
MessageBeep
SetWindowPos
SendDlgItemMessageA
GetWindowRect
DispatchMessageA
EnableWindow
LoadStringA
GetDlgItemTextA
MessageBoxA
PeekMessageA
SetWindowLongA
CharUpperA
GetDC
ReleaseDC
SetWindowTextA
GetWindowLongA
SendMessageA
GetDlgItem
wsprintfA
CharNextA
GetDesktopWindow
CallWindowProcA
MsgWaitForMultipleObjects
SetForegroundWindow
ExitWindowsEx
DialogBoxIndirectParamA
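The import list above is worth reading as capability clusters rather than as individual names: the token APIs (OpenProcessToken, LookupPrivilegeValueA, AdjustTokenPrivileges) next to ExitWindowsEx mean the sample can enable SeShutdownPrivilege and force a reboot or logoff; AllocateAndInitializeSid/EqualSid/GetTokenInformation is the usual "is the caller an administrator" check; RegCreateKeyExA/RegSetValueExA give it registry persistence; GetModuleFileNameA/GetTempPathA/CopyFileA let it relocate its own image; SetFileTime lets it timestomp the copy. The following Python is an added example of that triage and is not part of the VirusTotal report, nor VirusTotal, capa or YARA code; the rule names and the API groupings are this example's own choices. The sample input is an excerpt of the import names shown on this page.

```python
"""Import-table capability triage for a PE like the one in this report.

Added example (not VirusTotal, capa or YARA code). Each rule fires only when
every API it lists is present in the static import table, so a miss is not
evidence that the behaviour is absent: anything resolved at runtime through
LoadLibraryA/GetProcAddress never shows up here. Treat hits as leads for the
sandbox run, not as verdicts. The rule set below is this example's own.
"""
from typing import Dict, Iterable, Tuple

# rule name -> (API names that must all be imported, what the combination usually means)
RULES: Dict[str, Tuple[Tuple[str, ...], str]] = {
    "privileged-shutdown": (
        ("OpenProcessToken", "LookupPrivilegeValueA", "AdjustTokenPrivileges", "ExitWindowsEx"),
        "enables a token privilege (ExitWindowsEx needs SeShutdownPrivilege to reboot or "
        "shut down) and then forces a shutdown, logoff or reboot",
    ),
    "admin-group-check": (
        ("AllocateAndInitializeSid", "EqualSid", "FreeSid", "GetTokenInformation"),
        "builds a well-known SID and compares it against the caller's token groups, "
        "the classic 'am I an administrator' check",
    ),
    "registry-value-write": (
        ("RegCreateKeyExA", "RegSetValueExA"),
        "creates keys and writes values; persistence if the target is a Run/RunOnce or service key",
    ),
    "self-relocate-to-temp": (
        ("GetModuleFileNameA", "GetTempPathA", "CopyFileA"),
        "copies its own image under %TEMP%, a common first step of droppers",
    ),
    "timestomp": (
        ("SetFileTime",),
        "rewrites file timestamps, which defeats naive timeline-based triage",
    ),
    "anti-debug": (
        ("IsDebuggerPresent",),
        "low-signal on its own: the Visual C++ runtime's startup/exception code imports it too",
    ),
    "child-process": (
        ("CreateProcessA", "WaitForSingleObject", "GetExitCodeProcess"),
        "launches and waits on a second process; behaviour may continue there",
    ),
}


def triage_imports(imports: Iterable[str]) -> Dict[str, str]:
    """Return {rule: meaning} for every rule whose APIs are all imported (case-insensitive)."""
    present = {name.lower() for name in imports}
    return {
        rule: meaning
        for rule, (apis, meaning) in RULES.items()
        if all(api.lower() in present for api in apis)
    }


# Excerpt of the import list shown in this report (names copied from the page).
# Every rule above already fires on this excerpt, so the full list gives the same hits.
REPORT_IMPORTS_EXCERPT = [
    "GetTokenInformation", "LookupPrivilegeValueA", "OpenProcessToken",
    "AdjustTokenPrivileges", "AllocateAndInitializeSid", "EqualSid", "FreeSid",
    "RegCreateKeyExA", "RegSetValueExA", "RegDeleteValueA",
    "GetTempPathA", "GetModuleFileNameA", "CopyFileA", "MoveFileA",
    "SetFileTime", "IsDebuggerPresent",
    "CreateProcessA", "WaitForSingleObject", "GetExitCodeProcess",
    "ExitWindowsEx", "MessageBoxA", "WriteFile",
]

if __name__ == "__main__":
    for rule, meaning in triage_imports(REPORT_IMPORTS_EXCERPT).items():
        print(f"{rule:24} {meaning}")
```

Rules that require several APIs together are deliberately stricter than single-name matching: LoadLibraryA and GetProcAddress alone, for example, appear in almost every Visual C++ binary and are not listed as a rule for that reason.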
Number of PE resources by type
RT_DIALOG 8
RT_MANIFEST 1
RT_MESSAGETABLE 1
RT_VERSION 1
Number of PE resources by language
ENGLISH US 7
NEUTRAL 1
LITHUANIAN 1
ASSAMESE DEFAULT 1
CHINESE SIMPLIFIED 1
PE resources
ExifTool file metadata
LegalTrademarks: Construction
SubsystemVersion: 5.0
LinkerVersion: 9.0
ImageVersion: 0.0
FileSubtype: 0
FileVersionNumber: 5.6.0.0
LanguageCode: English (U.S.)
FileFlagsMask: 0x003f
FileDescription: Repeat connected failed organized
CharacterSet: Windows, Latin1
InitializedDataSize: 136704
FileOS: Windows 16-bit
EntryPoint: 0x2cd2
MIMEType: application/octet-stream
LegalCopyright: Copyright (C) Construction 2005-2013
FileVersion: 2.0.0.4
TimeStamp: 2015:03:06 18:41:02+01:00
FileType: Win32 EXE
PEType: PE32
InternalName: Blanket.exe
ProductVersion: 8.0
UninitializedDataSize: 0
OSVersion: 5.0
OriginalFilename: Blanket.exe
Subsystem: Windows GUI
MachineType: Intel 386 or later, and compatibles
CompanyName: Obtain Johnson - www.Construction.com
CodeSize: 77312
ProductName: Construction
ProductVersionNumber: 6.2.0.0
FileTypeExtension: exe
ObjectFileType: Executable application

Note that the string fields disagree with the binary VS_FIXEDFILEINFO fields (FileVersion 2.0.0.4 against FileVersionNumber 5.6.0.0, ProductVersion 8.0 against ProductVersionNumber 6.2.0.0) and that CompanyName and FileDescription are unrelated dictionary words. A version resource that looks generated rather than authored is a useful triage signal on its own, independent of the AV verdicts above.

PCAP parents
File identification
MD5 63ed048e22d49c4359e84811ab12db3b
SHA1 13b15de577c564d582ed3c61b54c1c94defb0488
SHA256 11d111ea0068865d6b29b0952592dc36a3061878f9bcfa11512c3f7c8a7d8910
ssdeep 3072:pDfjJsocjWUmoRNCxVBNwAg0FulYXXHu+OVTDlU4vF9UrBgutnl4RrF5r5:pKWUmoRAx7OAOls3iflUy8Bguhl4RrP1
authentihash cf73f99e7225233a2b2dc593f665b792b089bf300953b2fa6988fd844cc781af
imphash ad8216e439c35456a26f5b5738794260
File size 210.0 KB ( 215040 bytes )
File type Win32 EXE
Magic literal
PE32 executable for MS Windows (GUI) Intel 80386 32-bit

TrID Win32 Executable MS Visual C++ (generic) (67.3%)
Win32 Dynamic Link Library (generic) (14.2%)
Win32 Executable (generic) (9.7%)
Generic Win/DOS Executable (4.3%)
DOS Executable Generic (4.3%)
Tags
peexe
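Of the identifiers above, imphash is the one that pivots across samples: it is computed from the import table rather than the file bytes, so two builds of the same project, or the same crypter stub wrapping different payloads, share it as long as their imports (and their order) are unchanged. The following Python is an added example of the computation and is not part of the VirusTotal report; it does not use the pefile library but follows the published imphash definition (pefile's get_imphash): every imported function in import-table order becomes "<dll without .dll/.ocx/.sys>.<function>" in lower case, the entries are joined with commas, and the result is MD5-hashed. The sample import table is constructed for the demo; this report's own value (ad8216e439c35456a26f5b5738794260) can only be reproduced from the binary's full import directory in its original DLL order, which this page does not preserve.

```python
"""Compute a PE import hash (imphash) from an ordered import list.

Added example for the "File identification" section; not part of the
VirusTotal report and not pefile code. Imports by ordinal are written as
"ordN"; pefile additionally resolves a few well-known ordinals (e.g. in
ws2_32 and oleaut32) to names, and that lookup table is omitted here, which
is an assumption of this example.
"""
import hashlib
from typing import Iterable, List, Tuple, Union

# (dll name as it appears in the import directory, functions or ordinals in table order)
ImportEntry = Tuple[str, Iterable[Union[str, int]]]


def _strip_ext(dll: str) -> str:
    """Lower-case the module name and drop a .dll/.ocx/.sys extension."""
    name = dll.lower()
    for ext in (".dll", ".ocx", ".sys"):
        if name.endswith(ext):
            return name[: -len(ext)]
    return name


def imphash_string(imports: Iterable[ImportEntry]) -> str:
    """Return the comma-joined normalised import list that imphash hashes."""
    parts: List[str] = []
    for dll, funcs in imports:
        lib = _strip_ext(dll)
        for f in funcs:
            func = f"ord{f}" if isinstance(f, int) else f.lower()
            parts.append(f"{lib}.{func}")
    return ",".join(parts)


def imphash(imports: Iterable[ImportEntry]) -> str:
    """MD5 of the normalised import string, as a 32-character hex digest."""
    return hashlib.md5(imphash_string(imports).encode("ascii")).hexdigest()


# Constructed sample: a short import table in the same module order as the
# report's listing (ADVAPI32 token APIs, then KERNEL32, then USER32).
SAMPLE_IMPORTS: List[ImportEntry] = [
    ("ADVAPI32.dll", ["OpenProcessToken", "LookupPrivilegeValueA", "AdjustTokenPrivileges"]),
    ("KERNEL32.dll", ["GetProcAddress", "LoadLibraryA"]),
    ("USER32.dll", ["ExitWindowsEx"]),
]

if __name__ == "__main__":
    print(imphash_string(SAMPLE_IMPORTS))
    print(imphash(SAMPLE_IMPORTS))
```

Because the hash covers order as well as names, a linker that emits the same modules in a different sequence, or a packer that rebuilds the import table, changes the imphash even when the set of APIs is identical; that is why the value is a good pivot within one toolchain and a poor one across repacking.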

VirusTotal metadata
First submission 2015-03-10 14:52:12 UTC ( 2 years, 8 months ago )
Last submission 2015-05-31 22:45:52 UTC ( 2 years, 5 months ago )
File names 2015-03-06-payingdays-me-malware-payload.exe
11d111ea0068865d6b29b0952592dc36a3061878f9bcfa11512c3f7c8a7d8910.exe
7f775c05.exe
Condensed report! The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.
Opened files, Read files, Created processes, Opened mutexes, Runtime DLLs: no entries were captured for these sections in this copy of the report.
The file sends control codes directly to certain device drivers making use of the DeviceIoControl Windows API function. Note that DeviceIoControl does not appear in the static import table above: the call was observed at runtime, so it is either resolved dynamically (the sample imports LoadLibraryA and GetProcAddress) or made by a process the sample launched or injected into, both of which fall within the scope of the condensed report as described above.