SHA256: 1ad32d2881a1a8c40808a3174c6caf7f267e5ad2dc94fe8a376b229767bab9c8
File name: a15b196471bec6d2b17c91b0319a5bfc
Detection ratio: 49 / 57
Analysis date: 2016-05-01 00:16:15 UTC ( 11 months ago )
Antivirus Result Update
Ad-Aware Trojan.GenericKD.1761316 20160501
AhnLab-V3 Backdoor/Win32.Sharik 20160430
ALYac Trojan.GenericKD.1761316 20160501
Antiy-AVL Trojan[Spy]/Win32.Zbot 20160501
Arcabit Trojan.Generic.D1AE024 20160501
Avast Win32:Necurs-S [Trj] 20160501
AVG Zbot.LLO 20160501
Avira (no cloud) TR/Crypt.ZPACK.65715 20160430
AVware Trojan.Win32.Generic!BT 20160501
Baidu Win32.Trojan.Kryptik.ho 20160429
Baidu-International Trojan.Win32.Zbot.tmlh 20160430
BitDefender Trojan.GenericKD.1761316 20160501
Bkav HW32.Packed.84D6 20160429
CAT-QuickHeal Trojan.Zbot.AM4 20160430
Comodo UnclassifiedMalware 20160430
Cyren W32/Trojan.JEYC-3014 20160501
DrWeb Trojan.PWS.Panda.2977 20160501
Emsisoft Trojan.GenericKD.1761316 (B) 20160501
ESET-NOD32 Win32/Spy.Zbot.AAO 20160430
F-Prot W32/Trojan2.OKZO 20160430
F-Secure Trojan.GenericKD.1761316 20160430
Fortinet W32/Zbot.AAU!tr 20160430
GData Trojan.GenericKD.1761316 20160430
Ikarus Trojan-Spy.Win32.Zbot 20160430
Jiangmin TrojanSpy.Zbot.eftm 20160430
K7AntiVirus Trojan ( 0040f8c71 ) 20160430
K7GW Trojan ( 0040f8c71 ) 20160430
Kaspersky Trojan-Spy.Win32.Zbot.tmlh 20160430
Malwarebytes Spyware.Zbot.VXGen 20160430
McAfee Generic.ub 20160430
McAfee-GW-Edition BehavesLike.Win32.Downloader.dh 20160430
Microsoft PWS:Win32/Zbot 20160430
eScan Trojan.GenericKD.1761316 20160430
NANO-Antivirus Trojan.Win32.Zbot.eaipjl 20160430
nProtect Trojan.GenericKD.1761316 20160429
Panda Trj/WLT.B 20160430
Qihoo-360 HEUR/Malware.QVM20.Gen 20160501
Rising Trjoan.Generic-TxunuRc60T (Cloud) 20160430
Sophos Mal/Ransom-CV 20160430
Symantec Infostealer 20160430
Tencent Win32.Trojan.Bp-qqthief.Ixrn 20160501
TotalDefense Win32/Zbot.INK 20160430
TrendMicro BKDR_SHARIK.SMA3 20160430
TrendMicro-HouseCall BKDR_SHARIK.SMA3 20160430
VIPRE Trojan.Win32.Generic!BT 20160430
ViRobot Trojan.Win32.Z.Zbot.262144.B[h] 20160430
Yandex TrojanSpy.Zbot!jQzbrmgp+P4 20160501
Zillya Trojan.Zbot.Win32.160508 20160430
Zoner Trojan.Zbot.AAO 20160430
AegisLab 20160430
Alibaba 20160429
ClamAV 20160430
CMC 20160429
Kingsoft 20160501
SUPERAntiSpyware 20160430
TheHacker 20160430
VBA32 20160430
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2011-01-31 00:06:44
Entry Point 0x00028E60
Number of sections 4
PE sections
PE imports
CreatePatternBrush
GetCharWidthI
StrokePath
SetBrushOrgEx
EnableEUDC
Pie
GetPath
GetPolyFillMode
GetGlyphIndicesW
GetTextColor
SetDeviceGammaRamp
FillPath
SetTextAlign
GdiPlayEMF
SetRectRgn
CreateSolidBrush
ImmIsUIMessageA
ImmGetImeMenuItemsW
ImmSetConversionStatus
ImmRequestMessageW
ImmGetVirtualKey
ImmDestroyContext
ImmAssociateContextEx
ImmGetContext
ImmGetImeMenuItemsA
ImmEnumRegisterWordA
ImmEscapeA
ImmGetIMEFileNameW
ImmCreateContext
ImmAssociateContext
ImmUnlockIMC
ImmGetCompositionFontW
ExitProcess
EnumLanguageGroupLocalesA
FoldStringW
CreateFileMappingA
DeleteTimerQueueEx
DefineDosDeviceA
GetModuleHandleW
GetLocaleInfoW
WNetGetConnectionW
WNetGetLastErrorA
WNetOpenEnumA
WNetOpenEnumW
WNetDisconnectDialog1W
WNetGetNetworkInformationA
WNetSetLastErrorA
WNetGetNetworkInformationW
MultinetGetConnectionPerformanceA
WNetSetLastErrorW
MultinetGetConnectionPerformanceW
WNetGetResourceInformationA
WNetDisconnectDialog1A
WNetGetProviderNameA
I_NetServerPasswordGet
NetUserGetGroups
NetUserModalsSet
NetShareEnum
NetGroupSetInfo
NetGetJoinInformation
NetMessageNameDel
NetUserGetLocalGroups
NetMessageNameAdd
NetServerTransportDel
NetFileClose
NetDfsManagerInitialize
NetReplGetInfo
NetGroupDel
NetWkstaUserEnum
RxNetAccessGetUserPerms
NetUserChangePassword
I_NetServerPasswordSet2
NetUseGetInfo
NetRemoteTOD
NetGroupGetUsers
NetGetDisplayInformationIndex
NetShareDelSticky
NetWkstaGetInfo
NetErrorLogRead
NetFileGetInfo
NetUseAdd
NetErrorLogClear
I_BrowserResetNetlogonState
GetDeviceDriverBaseNameW
GetDeviceDriverFileNameA
GetModuleFileNameExA
QueryWorkingSet
GetMappedFileNameW
EnumProcesses
GetModuleInformation
GetDeviceDriverFileNameW
EmptyWorkingSet
GetProcessMemoryInfo
InitializeProcessForWsWatch
GetWsChanges
RasFreeEapUserIdentityA
RasGetCountryInfoA
RasClearConnectionStatistics
DwCloneEntry
RasValidateEntryNameA
DDMGetPhonebookInfo
RasAutodialEntryToNetwork
UnInitializeRAS
RasGetEntryPropertiesW
RasSetAutodialParamA
RasGetErrorStringA
RasGetConnectStatusA
RasSetSubEntryPropertiesW
RasQuerySharedConnection
RasGetAutodialEnableW
RasGetSubEntryPropertiesW
RasGetAutodialAddressW
RasGetEapUserDataW
CM_Get_Class_Name_ExW
CM_Open_Class_Key_ExW
SetupDiOpenDeviceInfoA
CM_Is_Dock_Station_Present_Ex
CM_Delete_DevNode_Key_Ex
SetupDiGetSelectedDriverA
CM_Set_HW_Prof
CM_Get_Device_Interface_List_ExA
SetupGetInfFileListA
SetupDiGetHwProfileFriendlyNameExW
SetupDiSetSelectedDriverW
SetupGetTargetPathW
CM_Request_Device_EjectW
CM_Request_Eject_PC_Ex
SetupDiInstallDriverFiles
SetupDiGetDeviceInterfaceAlias
CM_Set_DevNode_Problem_Ex
CM_Get_Version_Ex
CM_Get_Next_Log_Conf_Ex
CM_Free_Res_Des_Ex
CM_Locate_DevNodeW
CM_Get_First_Log_Conf_Ex
SetupDiClassNameFromGuidA
CM_Get_Device_ID_Size
SetupInstallFileExW
SetupDiMoveDuplicateDevice
CM_Get_Res_Des_Data_Ex
SetupDiGetClassDevsExW
CM_Get_Device_Interface_ListA
ExtractIconA
ExtractAssociatedIconExW
SHBrowseForFolderW
DragQueryFileW
SHFileOperationW
SHGetSettings
InternalExtractIconListW
RealShellExecuteExW
SHLoadNonloadedIconOverlayIdentifiers
SHGetFileInfoA
DuplicateIcon
ShellExecuteExW
SHUpdateRecycleBinIcon
SHFileOperationA
ShellAboutW
SHGetDiskFreeSpaceExA
ExtractAssociatedIconA
DragQueryFileAorW
SHGetFolderPathW
SHGetDataFromIDListW
SHAddToRecentDocs
ExtractIconExA
DoEnvironmentSubstA
FreeIconList
SHGetDataFromIDListA
PathGetCharTypeA
PathStripPathW
PathRemoveBackslashA
PathMakeSystemFolderA
PathStripPathA
UrlGetLocationW
PathIsRootA
PathParseIconLocationW
wvnsprintfW
PathGetCharTypeW
UrlGetLocationA
PathIsRelativeW
PathFindSuffixArrayW
StrToIntExW
SHRegDeleteUSValueA
StrTrimW
PathRemoveExtensionA
SHOpenRegStreamW
StrChrA
PathAddExtensionW
AssocQueryKeyW
PathSetDlgItemPathA
AssocQueryStringA
SHRegQueryUSValueW
SHGetThreadRef
SHRegCreateUSKeyA
PathRenameExtensionA
SHRegEnumUSValueW
SHQueryInfoKeyA
PathIsSameRootW
SHRegQueryInfoUSKeyA
SetPropA
SetWindowsHookW
ArrangeIconicWindows
SetDebugErrorLevel
wvsprintfW
DdeCreateStringHandleA
DdePostAdvise
ShowWindowAsync
OemToCharBuffW
CharLowerW
DdeCreateStringHandleW
SendMessageCallbackW
GetAsyncKeyState
GetDlgCtrlID
SetClassWord
GetClipCursor
SetCursorPos
ClientToScreen
GetKeyNameTextW
InsertMenuA
GetSubMenu
GetDCEx
LoadImageW
PostThreadMessageW
AdjustWindowRect
CreateAcceleratorTableW
CopyAcceleratorTableW
IsDialogMessageA
CharNextW
DdeQueryStringA
CryptCATCDFEnumMembersByCDFTagEx
mssip32DllRegisterServer
CryptCATCatalogInfoFromContext
MsCatFreeHashTag
mscat32DllRegisterServer
WVTAsn1SpcIndirectDataContentEncode
HTTPSFinalProv
WTHelperProvDataFromStateData
WTHelperIsInRootStore
WTHelperCertIsSelfSigned
AddPersonalTrustDBPages
WTHelperOpenKnownStores
CryptCATCDFEnumMembers
CryptSIPRemoveSignedDataMsg
CryptCATEnumerateCatAttr
CryptCATStoreFromHandle
WVTAsn1SpcSpOpusInfoDecode
WintrustGetRegPolicyFlags
CryptSIPPutSignedDataMsg
CryptSIPVerifyIndirectData
SoftpubInitialize
CryptCATPersistStore
SoftpubDllRegisterServer
WVTAsn1SpcSpOpusInfoEncode
CryptCATCDFEnumAttributes
CatalogCompactHashDatabase
Number of PE resources by type
RT_MESSAGETABLE 24
RT_DIALOG 20
RT_FONT 14
RT_STRING 11
Struct(13) 10
RT_ICON 6
RT_VERSION 1
Number of PE resources by language
GERMAN LUXEMBOURG 56
ENGLISH AUS 30
PE resources
ExifTool file metadata
MIMEType application/octet-stream
Subsystem Windows GUI
MachineType Intel 386 or later, and compatibles
FileTypeExtension exe
TimeStamp 2011:01:31 01:06:44+01:00
FileType Win32 EXE
PEType PE32
CodeSize 175104
LinkerVersion 6.0
EntryPoint 0x28e60
InitializedDataSize 86016
SubsystemVersion 4.0
ImageVersion 7.4
OSVersion 4.0
UninitializedDataSize 0
File identification
MD5 a15b196471bec6d2b17c91b0319a5bfc
SHA1 0a0e3f158b2a91922ea635c203053f78f8d9aa44
SHA256 1ad32d2881a1a8c40808a3174c6caf7f267e5ad2dc94fe8a376b229767bab9c8
ssdeep 6144:cDIKrCLkeWPJNtTTNa/e7chDluAOCq8f4H:csQLeWPJNXHy8gb4H
authentihash 85ec03c2031788efe64d54b1790e3ead48e6e3d2faede5478c42b8dfe82a8f74
imphash 5dab69c87bb78f965e4fe7fea00bf70c
File size 256.0 KB ( 262144 bytes )
File type Win32 EXE
Magic literal PE32 executable for MS Windows (GUI) Intel 80386 32-bit
TrID Win32 Executable MS Visual C++ (generic) (67.4%)
Win32 Dynamic Link Library (generic) (14.2%)
Win32 Executable (generic) (9.7%)
Generic Win/DOS Executable (4.3%)
DOS Executable Generic (4.3%)
Tags
peexe

VirusTotal metadata
First submission 2014-07-15 10:46:58 UTC ( 2 years, 8 months ago )
Last submission 2014-07-30 00:05:19 UTC ( 2 years, 8 months ago )
File names vt-upload-_tpUr
a15b196471bec6d2b17c91b0319a5bfc
Condensed report! The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.
Opened files
Read files
Written files
Copied files
Moved files
Deleted files
Created processes
Code injections in the following processes
Created mutexes
Opened mutexes
Searched windows
Opened service managers
Opened services
Runtime DLLs
Additional details
The file sends control codes directly to certain device drivers making use of the DeviceIoControl Windows API function.
DNS requests