SHA256: 192608ff371400c1529aa05f1adba0fe4fdd769fcbf35ee5f8b4f78a838a7ec9
File name: 192608ff371400c1_shell.fne
Detection ratio: 19 / 67
Analysis date: 2018-08-10 07:02:57 UTC ( 6 days, 22 hours ago )
Antivirus Result Update
ALYac Worm.Autorun.RF 20180810
AVware Trojan.Win32.Generic!BT 20180810
Bkav W32.Ongame0XV.Trojan 20180807
CAT-QuickHeal Trojan.Agen 20180807
ClamAV Win.Worm.Autorun-6749 20180810
CMC Malware.Win32.Generic!O 20180810
Cylance Unsafe 20180810
Cyren W32/Agent.GFWT-5901 20180810
F-Prot W32/Agent.KET 20180810
Sophos ML heuristic 20180717
K7AntiVirus Riskware ( 0040eff71 ) 20180810
K7GW Riskware ( 0040eff71 ) 20180810
Malwarebytes Worm.AutoRun 20180810
MAX malware (ai score=99) 20180810
Sophos AV W32/SillyFDC-DX 20180810
SUPERAntiSpyware Trojan.Agent/Gen 20180810
TotalDefense Win32/Agent.BLH 20180810
VIPRE Trojan.Win32.Generic!BT 20180810
ViRobot Adware.Agent.Do.40960 20180810
Ad-Aware 20180810
AegisLab 20180810
AhnLab-V3 20180809
Alibaba 20180713
Antiy-AVL 20180810
Arcabit 20180810
Avast 20180810
Avast-Mobile 20180810
AVG 20180810
Avira (no cloud) 20180809
Babable 20180725
Baidu 20180810
BitDefender 20180810
Comodo 20180810
CrowdStrike Falcon (ML) 20180723
Cybereason 20180308
DrWeb 20180810
eGambit 20180810
Emsisoft 20180810
Endgame 20180730
ESET-NOD32 20180810
F-Secure 20180810
Fortinet 20180810
GData 20180810
Ikarus 20180809
Jiangmin 20180810
Kaspersky 20180810
Kingsoft 20180810
McAfee 20180810
McAfee-GW-Edition 20180810
Microsoft 20180810
eScan 20180810
NANO-Antivirus 20180810
Palo Alto Networks (Known Signatures) 20180810
Panda 20180809
Qihoo-360 20180810
Rising 20180810
SentinelOne (Static ML) 20180701
Symantec 20180810
Symantec Mobile Insight 20180809
TACHYON 20180810
Tencent 20180810
TheHacker 20180807
TrendMicro 20180810
TrendMicro-HouseCall 20180810
Trustlook 20180810
VBA32 20180808
Webroot 20180810
Yandex 20180808
Zillya 20180809
ZoneAlarm by Check Point 20180810
Zoner 20180809
The file being studied is a Portable Executable file! More specifically, it is a Win32 DLL file for the Windows GUI subsystem.
Packers identified
PEiD Armadillo v1.xx - v2.xx
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2008-05-24 05:19:43
Entry Point 0x00002A5F
Number of sections 4
PE sections
PE imports (grouped by exporting DLL)
ADVAPI32.dll
AdjustTokenPrivileges
LookupPrivilegeValueA
OpenProcessToken
KERNEL32.dll
GetLastError
HeapFree
GetStdHandle
EnterCriticalSection
LCMapStringW
SetHandleCount
lstrlenA
GetOEMCP
LCMapStringA
HeapDestroy
HeapAlloc
IsBadWritePtr
TlsAlloc
GetEnvironmentStringsW
GetVersionExA
LoadLibraryA
RtlUnwind
GetSystemDirectoryA
FreeEnvironmentStringsA
DeleteCriticalSection
GetCurrentProcess
GetEnvironmentStrings
GetFileType
GetWindowsDirectoryA
MultiByteToWideChar
FreeEnvironmentStringsW
GetCPInfo
GetCommandLineA
GetProcAddress
TlsFree
GetProcessHeap
GetTempPathA
WideCharToMultiByte
GetStringTypeA
SetSystemPowerState
SetUnhandledExceptionFilter
WriteFile
GetStartupInfoA
GetACP
HeapReAlloc
GetStringTypeW
GetCurrentThreadId
TerminateProcess
GetModuleFileNameA
InitializeCriticalSection
HeapCreate
VirtualFree
TlsGetValue
IsBadReadPtr
TlsSetValue
IsBadCodePtr
ExitProcess
GetVersion
VirtualAlloc
SetLastError
LeaveCriticalSection
SHELL32.dll
SHGetFileInfoA
SHGetSpecialFolderPathA
SHBrowseForFolderA
SHGetPathFromIDListA
SHGetMalloc
ShellExecuteA
SHFileOperationA
USER32.dll
IsWindow
GetParent
EnableWindow
SetActiveWindow
IsWindowEnabled
GetActiveWindow
SetForegroundWindow
GetForegroundWindow
ExitWindowsEx
OLE32.dll
CoCreateInstance
PE exports
ExifTool file metadata
MIMEType application/octet-stream
Subsystem Windows GUI
MachineType Intel 386 or later, and compatibles
FileTypeExtension dll
TimeStamp 2008:05:24 06:19:43+01:00
FileType Win32 DLL
PEType PE32
CodeSize 20480
LinkerVersion 6.0
ImageFileCharacteristics Executable, No line numbers, No symbols, 32-bit, DLL
EntryPoint 0x2a5f
InitializedDataSize 45056
SubsystemVersion 4.0
ImageVersion 0.0
OSVersion 4.0
UninitializedDataSize 0

While monitoring an end-user machine in-the-wild, CarbonBlack noticed the following files in execution wrote this sample to disk.
Execution parents
PE resource-wise parents
Compressed bundles
File identification
MD5 d54753e7fc3ea03aec0181447969c0e8
SHA1 824e7007b6569ae36f174c146ae1b7242f98f734
SHA256 192608ff371400c1529aa05f1adba0fe4fdd769fcbf35ee5f8b4f78a838a7ec9
ssdeep 768:Pw7QWaOn79Tm7UmuRDR73FjLo4RIqF6bw:Pw7579Tm7V4jxo4RIq0w
authentihash 820300a5977f9a9c1a630194702dabbf730f5fb7619859c4d6cff97014b2d2b4
imphash 7bfe20f314273547fb9502c64706871e
File size 40.0 KB ( 40960 bytes )
File type Win32 DLL
Magic literal PE32 executable for MS Windows (DLL) (GUI) Intel 80386 32-bit
TrID Win32 Executable MS Visual C++ (generic) (64.5%)
Win32 Dynamic Link Library (generic) (13.6%)
Win32 Executable (generic) (9.3%)
OS/2 Executable (generic) (4.1%)
Generic Win/DOS Executable (4.1%)
Tags
armadillo pedll

VirusTotal metadata
First submission 2008-09-13 06:32:12 UTC ( 9 years, 11 months ago )
Last submission 2018-07-03 11:18:02 UTC ( 1 month, 2 weeks ago )
File names smona131921317733326395135
smona130846225637874420402
56814.vsz
shell.fne
shell.fne.1305017476.qtn
D54753E7FC3EA03AEC0181447969C0E8
c25ed4cb38d5d5e95a267979f0f3f9398c04a1bf5822dceb03d6f6d9b4832dfb227f1e6868327e52a0303f45c36b9ba806e75b16bd7419a7c5203c2ecbae838f
xx
192608ff371400c1_shell.fne
smona131436432685616860465
smona130872654558124850866
smona131211906754736778382
smona132079192509285219675
smona131581560197920212347
smona132239592770205412068
smona131039586263057769618
824e7007b6569ae36f174c146ae1b7242f98f734
VirusShare_d54753e7fc3ea03aec0181447969c0e8
smona_192608ff371400c1529aa05f1adba0fe4fdd769fcbf35ee5f8b4f78a838a7ec9.bin
shell.dll-d54753e7fc3ea03aec0181447969c0e8
smona132030304863905189331
8e0aa700.001
shell.fne.infected
shell.fne
D54753E7FC3EA03AEC0181447969C0E8.vir
Advanced heuristic and reputation engines
Symantec reputation Suspicious.Insight