SHA256: 1313dd0cb96b45cea83e3d3c641058205bec547eb50080cbed6eeaee7968ca62
File name: output.9587975.txt
Detection ratio: 39 / 46
Analysis date: 2013-03-29 13:08:07 UTC ( 1 year ago )
Antivirus Result Update
AVG Generic31.BRCI 20130329
Agnitum TrojanSpy.Zbot!DeX4zmIuYkM 20130329
AhnLab-V3 Spyware/Win32.Zbot 20130329
AntiVir TR/Spy.ZBot.1633288 20130329
BitDefender Trojan.Generic.8715292 20130329
CAT-QuickHeal TrojanPWS.Zbot.Gen 20130329
Commtouch W32/Trojan.FKEX-4969 20130329
Comodo TrojWare.Win32.Kryptik.CABC 20130329
DrWeb Trojan.PWS.Panda.3629 20130329
ESET-NOD32 a variant of Win32/Kryptik.AUZS 20130329
Emsisoft Trojan.Win32.Fareit (A) 20130329
F-Prot W32/Tepfer.C2.gen!Eldorado 20130329
F-Secure Trojan.Generic.8715292 20130329
Fortinet W32/Zbot.JFPY!tr 20130329
GData Trojan.Generic.8715292 20130329
Ikarus Trojan-PWS.Win32.Zbot 20130329
K7AntiVirus Trojan 20130328
Kaspersky Trojan-Spy.Win32.Zbot.jfpy 20130329
Kingsoft Win32.Troj.Undef.(kcloud) 20130325
Malwarebytes Trojan.Agent.ED 20130329
McAfee PWS-Zbot-FAKU!FAA3A6C7BBF5 20130329
McAfee-GW-Edition PWS-Zbot-FAKU!FAA3A6C7BBF5 20130329
MicroWorld-eScan Trojan.Generic.8715292 20130329
Microsoft PWS:Win32/Zbot.gen!AL 20130329
NANO-Antivirus Trojan.Win32.Zbot.bgxpmy 20130329
Norman Kryptik.MFC 20130329
PCTools Trojan.Zbot 20130329
Panda Trj/Dtcontx.B 20130329
SUPERAntiSpyware Trojan.Agent/Gen-Zbot 20130329
Sophos Troj/Zbot-DUZ 20130329
Symantec Trojan.Zbot!gen39 20130329
TheHacker Trojan/Kryptik.auzs 20130328
TotalDefense Win32/ZBot.AT!generic 20130328
TrendMicro TROJ_SPNR.1AC513 20130329
TrendMicro-HouseCall TROJ_SPNR.1AC513 20130329
VBA32 BScope.TrojanPSW.Zbot.2716 20130328
VIPRE Trojan.Win32.Zbot.dhnb (v) 20130329
ViRobot Trojan.Win32.A.Zbot.336384.BW 20130329
nProtect Trojan-Clicker/W32.Fakealert.336384.J 20130329
Antiy-AVL 20130329
Avast 20130329
ByteHero 20130322
ClamAV 20130329
Jiangmin 20130329
Rising 20130328
eSafe 20130328
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2013-02-21 15:42:47
Entry Point 0x0004E010
Number of sections 6
PE sections
PE imports
RegOpenKeyA
GetStockObject
SetThreadLocale
ReleaseMutex
FileTimeToSystemTime
GetFileAttributesA
WaitForSingleObject
HeapDestroy
lstrcmpW
GetLocalTime
DeleteCriticalSection
GetCurrentProcess
OpenFileMappingW
GetLocaleInfoA
LocalAlloc
UnhandledExceptionFilter
ExpandEnvironmentStringsA
SetErrorMode
GetLocaleInfoW
IsDBCSLeadByteEx
GetTempPathA
WideCharToMultiByte
lstrcmpiA
InterlockedExchange
FindResourceExW
GetSystemTimeAsFileTime
HeapReAlloc
SetEvent
LocalFree
FormatMessageW
ResumeThread
InitializeCriticalSection
LoadResource
FindClose
InterlockedDecrement
FormatMessageA
SetLastError
GetSystemTime
OpenEventW
GetModuleFileNameW
CopyFileA
HeapAlloc
lstrcpyW
lstrcmpiW
GetSystemDefaultLCID
MultiByteToWideChar
FlushInstructionCache
MoveFileW
CreateMutexA
SetFilePointer
GlobalMemoryStatus
CreateThread
MoveFileExW
GetSystemDefaultUILanguage
TerminateProcess
SetCurrentDirectoryW
GlobalAlloc
SearchPathA
GetVersion
InterlockedIncrement
HeapFree
EnterCriticalSection
TerminateThread
LoadLibraryW
GetVersionExW
FreeLibrary
QueryPerformanceCounter
GetTickCount
IsBadWritePtr
VirtualProtect
GetVersionExA
LoadLibraryA
GetStartupInfoA
GetWindowsDirectoryW
GetFileSize
DeleteFileA
GetWindowsDirectoryA
GetDateFormatW
CreateDirectoryW
DeleteFileW
GetUserDefaultLCID
GetProcessHeap
GetTempFileNameW
CreateFileMappingW
GetTimeFormatW
WriteFile
ExpandEnvironmentStringsW
lstrcmpA
ResetEvent
GetTempFileNameA
CreateFileMappingA
FindFirstFileW
IsValidLocale
DuplicateHandle
WaitForMultipleObjects
GetProcAddress
CreateEventW
CreateFileW
CreateFileA
GetCurrentThreadId
LeaveCriticalSection
GetLastError
SystemTimeToFileTime
GetSystemInfo
lstrlenA
FindResourceW
CompareStringW
GetThreadLocale
GlobalUnlock
VirtualQuery
lstrlenW
VirtualFree
SizeofResource
GetCurrentDirectoryW
GetCurrentProcessId
LockResource
HeapSize
GetCurrentThread
lstrcpynW
RaiseException
MapViewOfFile
GetModuleHandleA
ReadFile
CloseHandle
lstrcpynA
GetACP
GlobalLock
GetModuleHandleW
IsBadStringPtrW
CompareFileTime
UnmapViewOfFile
GetTempPathW
CreateProcessW
Sleep
IsBadStringPtrA
FindResourceA
VirtualAlloc
CompareStringA
LoadCursorA
LoadIconA
Number of PE resources by type
RT_STRING 11
RT_DIALOG 9
RT_GROUP_CURSOR 4
RT_CURSOR 4
RT_BITMAP 3
RT_ICON 1
Struct(240) 1
RT_MANIFEST 1
RT_MENU 1
RT_ACCELERATOR 1
RT_GROUP_ICON 1
Number of PE resources by language
RUSSIAN 37
ExifTool file metadata
MIMEType application/octet-stream
Subsystem Windows GUI
MachineType Intel 386 or later, and compatibles
TimeStamp 2013:02:21 16:42:47+01:00
FileType Win32 EXE
PEType PE32
CodeSize 310784
LinkerVersion 9.0
EntryPoint 0x4e010
InitializedDataSize 24576
SubsystemVersion 5.0
ImageVersion 0.0
OSVersion 5.0
UninitializedDataSize 0
File identification
MD5 faa3a6c7bbf5b0449f60409c8bf63859
SHA1 521f801e9f0aa2760237802f961935726b37b3e3
SHA256 1313dd0cb96b45cea83e3d3c641058205bec547eb50080cbed6eeaee7968ca62
ssdeep 6144:2ZI5o+kLIv3ojkX+zxFhs4zQB+kKlxDVXm+Tv5p:2nLI/I/O4E+kexDo+lp
File size 328.5 KB ( 336384 bytes )
File type Win32 EXE
Magic literal MS-DOS executable PE for MS Windows (GUI) Intel 80386 32-bit
TrID Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
Tags peexe
VirusTotal metadata
First submission 2013-02-21 16:25:09 UTC ( 1 year, 1 month ago )
Last submission 2013-03-29 13:08:07 UTC ( 1 year ago )
File names about.exe
faa3a6c7bbf5b0449f60409c8bf63859
1313DD0CB96B45CEA83E3D3C641058205BEC547EB50080CBED6EEAEE7968CA62
9587975
readme.exe
calc.exe
wgsdgsdgdsgsd.exe
contacts.exe
info.exe
output.9587975.txt
Advanced heuristic and reputation engines
Symantec reputation Suspicious.Insight
Condensed report! The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.
Opened files
Read files
Written files
Deleted files
Created processes
Created mutexes
Opened mutexes
Runtime DLLs
Additional details
The file sends control codes directly to certain device drivers making use of the DeviceIoControl Windows API function.
UDP communications