SHA256: 1bb644f65aef308af6933253b7a8bd5e126ccf9cda234ddd29f36bee914003d3
File name: foipee.exe
Detection ratio: 50 / 57
Analysis date: 2015-03-30 20:02:33 UTC ( 3 years, 8 months ago )
Antivirus Result Update
Ad-Aware Gen:Trojan.Chinky.8 20150330
Yandex Worm.VBNA.ADYP 20150330
AhnLab-V3 Win32/Vbna4.worm.Gen 20150330
ALYac Gen:Trojan.Chinky.8 20150330
Antiy-AVL Worm/Win32.WBNA.gen 20150330
Avast Win32:AutoRun-BLX [Wrm] 20150330
AVG Worm/Generic_vb.ANV 20150330
Avira (no cloud) TR/Dldr.VB.wps 20150330
AVware Worm.Win32.VBNA.akzw (v) 20150330
BitDefender Gen:Trojan.Chinky.8 20150330
Bkav W32.LR_PeookizF.Worm 20150330
CAT-QuickHeal Worm.VBNA.gen 20150330
ClamAV Trojan.VB-47101 20150330
CMC Worm.Win32.VBNA!O 20150330
Comodo TrojWare.Win32.VB.SWA 20150330
Cyren W32/Vobfus.E.gen!Eldorado 20150330
DrWeb Trojan.MulDrop4.60439 20150330
Emsisoft Gen:Trojan.Chinky.8 (B) 20150330
ESET-NOD32 Win32/AutoRun.VB.RT 20150330
F-Prot W32/Vobfus.E.gen!Eldorado 20150330
F-Secure Worm:W32/Vobfus.gen!K 20150330
Fortinet W32/VBNA.D!tr 20150330
GData Gen:Trojan.Chinky.8 20150330
Ikarus Worm.Win32.Vobfus 20150330
Jiangmin Worm/VBNA.ftnk 20150330
K7AntiVirus P2PWorm ( 0018e41b1 ) 20150330
K7GW EmailWorm ( 0018e41b1 ) 20150330
Kaspersky Worm.Win32.VBNA.alpv 20150330
Kingsoft Win32.Malware.Heur_Generic.B.(kcloud) 20150330
Malwarebytes Trojan.Dropper 20150330
McAfee Downloader-CJX.gen.g 20150330
McAfee-GW-Edition BehavesLike.Win32.Downloader.cm 20150330
Microsoft Worm:Win32/Vobfus.AC 20150330
eScan Gen:Trojan.Chinky.8 20150330
NANO-Antivirus Trojan.Win32.MulDrop1.cctjc 20150330
Norman VBNA.BS 20150330
nProtect Trojan-Downloader/W32.Agent.138240.AD 20150330
Panda W32/Sohanat.LJ 20150330
Rising PE:Worm.VobfusEx!1.99E1 20150330
Sophos AV Mal/SillyFDC-D 20150330
SUPERAntiSpyware Trojan.Agent/Gen-FakeAlert 20150329
Symantec W32.Changeup 20150330
Tencent Trojan.Win32.Qudamah.Gen.17 20150330
TheHacker W32/VBNA.alpv 20150330
TotalDefense Win32/Vobfus.FH 20150330
TrendMicro WORM_VBNA.SMR 20150330
TrendMicro-HouseCall WORM_VBNA.SMR 20150330
VBA32 Trojan.VBRA.02242 20150330
VIPRE Worm.Win32.VBNA.akzw (v) 20150330
ViRobot Worm.Win32.VBNA.138240[h] 20150330
AegisLab 20150330
Alibaba 20150330
Baidu-International 20150330
ByteHero 20150330
Qihoo-360 20150330
Zillya 20150330
Zoner 20150330
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
FileVersionInfo properties
Product rZhCtguH
Original name rZhCtguH.exe
Internal name rZhCtguH
File version 1.42
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2010-07-24 13:28:50
Entry Point 0x000011F0
Number of sections 3
PE sections
PE imports
EVENT_SINK_QueryInterface
Ord(712)
Ord(518)
Ord(537)
Ord(648)
Ord(516)
Ord(527)
Ord(685)
Ord(594)
Ord(525)
EVENT_SINK_AddRef
Ord(681)
Ord(717)
Ord(583)
__vbaExceptHandler
Ord(632)
MethCallEngine
Ord(645)
Ord(578)
Ord(618)
Ord(564)
Ord(608)
Ord(570)
Ord(100)
Ord(520)
Ord(517)
Ord(542)
Ord(696)
ProcCallEngine
Ord(711)
Ord(606)
EVENT_SINK_Release
Ord(616)
Ord(600)
Ord(617)
Ord(573)
Ord(593)
Ord(528)
Ord(607)
Ord(183)
Ord(669)
Ord(644)
Ord(631)
Ord(579)
Ord(187)
Ord(619)
Ord(709)
Ord(598)
Number of PE resources by type
RT_ICON 3
RT_VERSION 1
RT_GROUP_ICON 1
Number of PE resources by language
NEUTRAL 4
ENGLISH US 1
PE resources
ExifTool file metadata
UninitializedDataSize 0
InitializedDataSize 10240
ImageVersion 1.0
ProductName rZhCtguH
FileVersionNumber 1.0.0.0
LanguageCode English (U.S.)
FileFlagsMask 0x0000
CharacterSet Unicode
LinkerVersion 6.0
FileOS Win32
MIMEType application/octet-stream
FileVersion 1.42
TimeStamp 2010:07:24 14:28:50+01:00
FileType Win32 EXE
PEType PE32
InternalName rZhCtguH
ProductVersion 1.42
SubsystemVersion 4.0
OSVersion 4.0
OriginalFilename rZhCtguH.exe
Subsystem Windows GUI
MachineType Intel 386 or later, and compatibles
CodeSize 134656
FileSubtype 0
ProductVersionNumber 1.0.0.0
EntryPoint 0x11f0
ObjectFileType Executable application
File identification
MD5 998242051f3de89e8c98f8bba7a7df4b
SHA1 7325474806a0023bf4398508724ca62ac5cd2222
SHA256 1bb644f65aef308af6933253b7a8bd5e126ccf9cda234ddd29f36bee914003d3
ssdeep 3072:dLlzsmUPb1WpXVxAaGBvbNvNbNJkvmhyPQbaDTUXGIDbwKDqCtrwdAxaVTtVHLkr:Bl2oIDbByGPMsMP
authentihash 7067d46c5122281d3ad2bf07ec0fb89a54a36ca31181a0e698affd0eef299180
imphash c52ed71fa72d79d8d1f275033d623f3a
File size 135.0 KB ( 138240 bytes )
File type Win32 EXE
Magic literal PE32 executable for MS Windows (GUI) Intel 80386 32-bit
TrID Win32 Dynamic Link Library (generic) (43.5%)
Win32 Executable (generic) (29.8%)
Generic Win/DOS Executable (13.2%)
DOS Executable Generic (13.2%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
Tags peexe usb-autorun
VirusTotal metadata
First submission 2015-03-30 20:02:33 UTC ( 3 years, 8 months ago )
Last submission 2015-03-30 20:02:33 UTC ( 3 years, 8 months ago )
File names rZhCtguH.exe
rZhCtguH
foipee.exe
Condensed report! The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.
Opened files
Read files
Written files
Created processes
Shell commands
Code injections in the following processes
Created mutexes
Opened mutexes
Hooking activity
Runtime DLLs
Additional details
The file sends control codes directly to certain device drivers using the DeviceIoControl Windows API function.
The file installs an application-defined hook procedure into a hook chain. A hook procedure is installed to monitor the system for certain types of events; these events are associated either with a specific thread or with all threads in the same desktop as the calling thread. This is done using the SetWindowsHook Windows API function.
DNS requests
UDP communications