SHA256: 12ff8aa8f9319b87a70835670c97205be8ed81e859c78a0b5e37b724a9c52554
File name: vti-rescan
Detection ratio: 16 / 57
Analysis date: 2016-03-28 23:02:57 UTC ( 2 years, 10 months ago )
Antivirus Result Update
Avast Win32:Trojan-gen 20160328
Avira (no cloud) TR/Crypt.ZPACK.dzkw 20160328
Bkav HW32.Packed.51D5 20160328
Cyren W32/Dridex.IVWW-7111 20160328
Emsisoft Trojan.Win32.Dridex (A) 20160328
ESET-NOD32 Win32/Dridex.AA 20160328
F-Prot W32/Dridex.HV 20160328
Kaspersky HEUR:Trojan.Win32.Generic 20160328
Malwarebytes Trojan.Dridex 20160328
McAfee-GW-Edition BehavesLike.Win32.PWSZbot.dh 20160328
Qihoo-360 HEUR/QVM07.1.Malware.Gen 20160329
Rising PE:Malware.XPACK-HIE/Heur!1.9C48 [F] 20160328
Sophos AV Mal/Generic-S 20160328
Symantec Trojan.Cridex 20160328
TrendMicro TSPY_DRIDEX.YYSSK 20160328
TrendMicro-HouseCall TSPY_DRIDEX.YYSSK 20160328
Ad-Aware 20160328
AegisLab 20160328
Yandex 20160316
AhnLab-V3 20160328
Alibaba 20160323
ALYac 20160328
Antiy-AVL 20160328
Arcabit 20160328
AVG 20160328
AVware 20160328
Baidu 20160328
Baidu-International 20160328
BitDefender 20160328
ByteHero 20160329
CAT-QuickHeal 20160328
ClamAV 20160328
CMC 20160322
Comodo 20160328
DrWeb 20160328
F-Secure 20160328
Fortinet 20160328
GData 20160328
Ikarus 20160328
Jiangmin 20160328
K7AntiVirus 20160328
K7GW 20160323
Kingsoft 20160329
McAfee 20160328
Microsoft 20160328
eScan 20160328
NANO-Antivirus 20160328
nProtect 20160328
Panda 20160328
SUPERAntiSpyware 20160328
Tencent 20160329
TheHacker 20160328
VBA32 20160326
VIPRE 20160328
ViRobot 20160328
Zillya 20160328
Zoner 20160328
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows command line subsystem.
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2006-04-28 03:11:25
Entry Point 0x000238F8
Number of sections 4
PE sections
PE imports
RegDeleteKeyA
SetSecurityDescriptorOwner
RegCloseKey
GetAce
AdjustTokenPrivileges
LookupPrivilegeValueW
RegCreateKeyA
CloseServiceHandle
RegisterServiceCtrlHandlerA
RegisterEventSourceA
LookupAccountNameW
RegOpenKeyExA
RegConnectRegistryA
CreateServiceW
InitiateSystemShutdownA
GetKernelObjectSecurity
GetSidIdentifierAuthority
RegQueryInfoKeyW
LsaFreeMemory
RegCreateKeyExW
EnumServicesStatusA
SetEntriesInAclW
StartServiceCtrlDispatcherA
AllocateAndInitializeSid
SetSecurityDescriptorSacl
StartServiceA
ReadEventLogW
OpenSCManagerA
ReportEventA
AddAce
PropertySheetA
ImageList_GetImageCount
ImageList_SetBkColor
ImageList_GetImageInfo
PropertySheetW
Ord(17)
ImageList_Create
ImageList_DrawEx
ImageList_SetIconSize
CreateToolbarEx
ImageList_GetIconSize
ImageList_SetOverlayImage
ImageList_Destroy
ImageList_AddMasked
ImageList_Draw
DestroyPropertySheetPage
Ord(6)
ImageList_GetIcon
FlatSB_SetScrollPos
ImageList_ReplaceIcon
ImageList_Add
InitializeFlatSB
ImageList_LoadImageA
CreatePropertySheetPageW
FlatSB_GetScrollPos
ImageList_Remove
Ord(16)
CreatePropertySheetPageA
ImageList_LoadImageW
GetBrushOrgEx
CreateDCA
GetTextAlign
CreateEllipticRgn
DeleteDC
GetTextCharsetInfo
GetBkColor
GetNearestPaletteIndex
GetStockObject
GetRgnBox
ResizePalette
CreatePenIndirect
CreateSolidBrush
LPtoDP
ExtCreatePen
GdiFlush
GetTextExtentPoint32W
CreateFontW
Rectangle
SymGetLineFromAddr
FindExecutableImage
ImageDirectoryEntryToData
SymCleanup
MapDebugInformation
ImageEnumerateCertificates
ImageNtHeader
ImageGetCertificateData
CreateProcessW
CreateThread
RtlFillMemory
GetModuleHandleA
FindResourceExW
GetOEMCP
AllocConsole
GetFileAttributesExA
GetConsoleScreenBufferInfo
VarUI1FromR8
SafeArrayAllocDescriptor
VarI2FromDisp
VarBoolFromR8
RasEnumDevicesW
InternetCanonicalizeUrlW
InternetSetCookieA
InternetGoOnline
HttpEndRequestW
CreateUrlCacheEntryA
InternetFindNextFileW
HttpSendRequestExA
CreateUrlCacheGroup
GopherOpenFileA
GopherFindFirstFileW
FtpDeleteFileW
InternetReadFileExW
FtpDeleteFileA
GopherFindFirstFileA
HttpQueryInfoW
InternetCreateUrlW
InternetLockRequestFile
FtpSetCurrentDirectoryA
CommitUrlCacheEntryW
GopherGetLocatorTypeW
InternetCheckConnectionA
FtpSetCurrentDirectoryW
HttpSendRequestA
FtpOpenFileW
FtpGetCurrentDirectoryA
FtpPutFileA
FindFirstUrlCacheEntryA
FtpOpenFileA
FindNextUrlCacheEntryA
InternetSetOptionW
FindNextUrlCacheEntryW
DeleteUrlCacheEntry
FindFirstUrlCacheEntryW
InternetOpenW
FindNextUrlCacheEntryExA
mmioOpenA
PrintDlgA
GetOpenFileNameW
PageSetupDlgA
GetOpenFileNameA
CommDlgExtendedError
GetSaveFileNameA
ChooseFontA
HMENU_UserSize
IsAccelerator
CoBuildVersion
CoTaskMemRealloc
CLSIDFromProgID
StgGetIFillLockBytesOnILockBytes
CoMarshalInterface
HPALETTE_UserUnmarshal
OleDoAutoConvert
CoLoadLibrary
CoDisconnectObject
CoFreeUnusedLibraries
OleCreateLinkToFile
CoReleaseServerProcess
CreatePointerMoniker
HGLOBAL_UserUnmarshal
CoTreatAsClass
HBITMAP_UserSize
CoCreateFreeThreadedMarshaler
Number of PE resources by type
RT_DIALOG 7
RT_MENU 5
RT_ACCELERATOR 1
RT_VERSION 1
Number of PE resources by language
TATAR DEFAULT 14
PE resources
ExifTool file metadata
SubsystemVersion 4.0
LinkerVersion 8.0
ImageVersion 0.0
FileVersionNumber 0.250.244.8
UninitializedDataSize 0
LanguageCode Neutral
FileFlagsMask 0x003f
CharacterSet Unicode
InitializedDataSize 180224
EntryPoint 0x238f8
OriginalFileName Disconnects.exe
MIMEType application/octet-stream
LegalCopyright Copyright 2010
FileVersion 168, 82, 91, 212
TimeStamp 2006:04:28 04:11:25+01:00
FileType Win32 EXE
PEType PE32
InternalName Combatant
ProductVersion 236, 82, 176, 15
FileDescription Elitist
OSVersion 4.0
FileOS Windows NT 32-bit
Subsystem Windows command line
MachineType Intel 386 or later, and compatibles
CompanyName Michael Walter
CodeSize 143360
FileSubtype 0
ProductVersionNumber 0.0.62.130
FileTypeExtension exe
ObjectFileType Executable application

CarbonBlack (CarbonBlack acts as a surveillance camera for computers)
While monitoring an end-user machine in-the-wild, CarbonBlack noticed the following files in execution wrote this sample to disk.
Compressed bundles
File identification
MD5 879ba935e7b0f0dfdc62150be81af5f0
SHA1 0f42223f37cad9beba8e977f98cd4bb78cd11d11
SHA256 12ff8aa8f9319b87a70835670c97205be8ed81e859c78a0b5e37b724a9c52554
ssdeep 3072:R0zD0eHJbdpvj8RX7+EDD+8w6/8t28xXSjNIeJR2Z3XnmcvPCo/7T:SfbJbdpYRVDD+p0W284jNI62hXnpPj7
authentihash f7d4ea8452287cf22db018feec6a36b979801f7720084a4614d3a1f73ab1a5cc
imphash 633a6f25449d9ecbd5eac412688df3ea
File size 204.0 KB ( 208896 bytes )
File type Win32 EXE
Magic literal PE32 executable for MS Windows (console) Intel 80386 32-bit
TrID Win32 Dynamic Link Library (generic) (43.5%)
Win32 Executable (generic) (29.8%)
Generic Win/DOS Executable (13.2%)
DOS Executable Generic (13.2%)
Tags peexe
VirusTotal metadata
First submission 2016-03-28 15:03:06 UTC ( 2 years, 10 months ago )
Last submission 2016-12-15 18:37:48 UTC ( 2 years, 2 months ago )
File names cdsadd l4488600.exe
iphones.wav
122[1].wav
122.exe
malwarz.exe
122.wav
cdsadd.exe
cdsadd.exe
iphonese.php
HTTP-F4ZDeN1ykVa9sdBU4b.exe
cdsadd.exe
12ff8aa8f9319b87a70835670c97205be8ed81e859c78a0b5e37b724a9c52554.exe.000
cdsadd.exe
filedata
122.wav
Condensed report! The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.
Opened files
Read files
Created mutexes
Opened mutexes
Opened service managers
Runtime DLLs
UDP communications