× Cookies are disabled! This site requires cookies to be enabled to work properly
SHA256: 2037fbfb658a228ada3506ea72c4e6daa64c84eb18c1d620bc55581b67c165ae
File name: D1EE.exe
Detection ratio: 45 / 56
Analysis date: 2015-04-01 03:10:38 UTC ( 3 years, 10 months ago ) View latest
Antivirus Result Update
Ad-Aware Gen:Variant.Symmi.44974 20150401
Yandex Worm.Ngrbot!yObynb+RPIk 20150331
AhnLab-V3 Trojan/Win32.NgrBot 20150331
ALYac Gen:Variant.Symmi.44974 20150401
Antiy-AVL Worm/Win32.Ngrbot 20150401
Avast Win32:Inject-BJO [Trj] 20150401
AVG BackDoor.VB.20.L 20150331
AVware Trojan.Win32.Clicker!BT 20150401
Baidu-International Worm.Win32.Ngrbot.agdl 20150331
BitDefender Gen:Variant.Symmi.44974 20150401
ByteHero Virus.Win32.Heur.p 20150401
CAT-QuickHeal Worm.Ngrbot.r3 20150331
Comodo UnclassifiedMalware 20150401
Cyren W32/S-1166245a!Eldorado 20150401
Emsisoft Gen:Variant.Symmi.44974 (B) 20150401
ESET-NOD32 a variant of Win32/Injector.BISN 20150331
F-Prot W32/S-1166245a!Eldorado 20150401
F-Secure Gen:Variant.Symmi.44974 20150401
Fortinet W32/Injector.ADYQ!tr 20150401
GData Gen:Variant.Symmi.44974 20150401
Ikarus Worm.Win32.Ngrbot 20150401
Jiangmin Worm/Ngrbot.cck 20150331
K7AntiVirus Trojan ( 0049ecf61 ) 20150331
K7GW Trojan ( 0049ecf61 ) 20150331
Kaspersky Worm.Win32.Ngrbot.agdl 20150401
Kingsoft Worm.Ngrbot.ag.(kcloud) 20150401
Malwarebytes Trojan.Ransom.ED 20150401
McAfee Dorkbot-FAN!9B55CF3DBABA 20150401
McAfee-GW-Edition BehavesLike.Win32.VBObfus.ch 20150331
Microsoft TrojanClicker:Win32/Tolouge 20150331
eScan Gen:Variant.Symmi.44974 20150331
NANO-Antivirus Trojan.Win32.Ngrbot.ddinry 20150401
Norman Injector.HDEZ 20150331
Panda Trj/Genetic.gen 20150331
Qihoo-360 HEUR/Malware.QVM03.Gen 20150401
Sophos AV Mal/Generic-S 20150331
SUPERAntiSpyware Trojan.Agent/Gen-Symmi 20150401
Symantec Trojan.ADH.2 20150401
Tencent Win32.Worm.Ngrbot.Huph 20150401
TrendMicro TROJ_SPNR.11I014 20150401
TrendMicro-HouseCall TROJ_SPNR.11I014 20150401
VBA32 Worm.Ngrbot 20150331
VIPRE Trojan.Win32.Clicker!BT 20150401
ViRobot Trojan.Win32.S.Agent.183327.I[h] 20150331
Zillya Worm.Ngrbot.Win32.5618 20150401
AegisLab 20150401
Alibaba 20150401
Avira (no cloud) 20150401
Bkav 20150331
ClamAV 20150401
CMC 20150401
DrWeb 20150401
nProtect 20150331
Rising 20150331
TheHacker 20150330
TotalDefense 20150331
Zoner 20150330
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2013-08-24 15:48:56
Entry Point 0x000013E4
Number of sections 3
PE sections
Overlays
MD5 c0aee5568e28e975345db97e85c24f22
File type ASCII text
Offset 180224
Size 3103
Entropy 0.00
PE imports
_adj_fdiv_m32
_adj_fdiv_m32i
DllFunctionCall
__vbaVarDup
__vbaEnd
__vbaGenerateBoundsError
_allmul
Ord(516)
__vbaPutOwner4
__vbaErase
_adj_fprem
Ord(712)
__vbaLenBstr
__vbaFreeStrList
_CIatan
__vbaFreeObjList
Ord(681)
__vbaUI1Str
Ord(717)
__vbaExceptHandler
__vbaSetSystemError
__vbaFreeVarList
Ord(632)
__vbaRedim
__vbaStrCmp
__vbaFPException
__vbaAryVar
__vbaStrVarMove
__vbaFileOpen
Ord(578)
__vbaVar2Vec
_adj_fdiv_r
__vbaFreeObj
__vbaFreeVar
__vbaVarTstNe
__vbaChkstk
Ord(619)
__vbaMidStmtBstr
__vbaI4Var
__vbaVarLateMemCallLd
Ord(100)
__vbaAryUnlock
__vbaHresultCheckObj
__vbaStrVarVal
__vbaGet3
Ord(711)
Ord(606)
__vbaStrCopy
__vbaAryLock
_CIsin
Ord(595)
EVENT_SINK_QueryInterface
_adj_fptan
Ord(685)
__vbaFileClose
Ord(581)
__vbaLineInputStr
_CIcos
__vbaObjSet
__vbaAryCopy
_CIsqrt
Ord(608)
__vbaNew2
Ord(644)
__vbaVarCat
_adj_fdivr_m32i
Ord(631)
__vbaAryDestruct
_CIexp
__vbaStrMove
_adj_fprem1
_adj_fdivr_m32
__vbaStrCat
Ord(537)
_CItan
__vbaFpI4
__vbaFreeStr
_adj_fdiv_m16i
ExifTool file metadata
MIMEType
application/octet-stream

Subsystem
Windows GUI

MachineType
Intel 386 or later, and compatibles

FileTypeExtension
exe

TimeStamp
2013:08:24 16:48:56+01:00

FileType
Win32 EXE

PEType
PE32

CodeSize
45056

LinkerVersion
6.21

EntryPoint
0x13e4

InitializedDataSize
135168

SubsystemVersion
4.41456

ImageVersion
45.6

OSVersion
4.1772

UninitializedDataSize
0

File identification
MD5 9b55cf3dbaba3d96386fa9b0ba6cea02
SHA1 7fdf20b16d0176ea8a4d218a04971deba14e5343
SHA256 2037fbfb658a228ada3506ea72c4e6daa64c84eb18c1d620bc55581b67c165ae
ssdeep
3072:mGOBVbMaWrjT120pUoS5qA/XYWnLbm0D9xZTz9Xi3BRRFl72Lq0QQ08YSEPo:mhVbkrjsf7qA/oM/55H8BRZ2q0re

authentihash ce2bfd874508ea62e6530944ace1683241db390986dbc876785e3f284fe1d10a
imphash c3b133bd0152d46dba6da68b162e5d16
File size 179.0 KB ( 183327 bytes )
File type Win32 EXE
Magic literal
PE32 executable for MS Windows (GUI) Intel 80386 32-bit system file

TrID Win32 Executable (generic) (52.9%)
Generic Win/DOS Executable (23.5%)
DOS Executable Generic (23.5%)
Tags
peexe overlay

VirusTotal metadata
First submission 2014-07-26 00:23:51 UTC ( 4 years, 7 months ago )
Last submission 2014-10-01 22:57:00 UTC ( 4 years, 4 months ago )
File names D1EE.exe
2AA8.exe
2.exe
Advanced heuristic and reputation engines
Symantec reputation Suspicious.Insight
No comments. No VirusTotal Community member has commented on this item yet, be the first one to do so!

Leave your comment...

?
Post comment

You have not signed in. Only registered users can leave comments, sign in and have a voice!

No votes. No one has voted on this item yet, be the first one to do so!
Condensed report! The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.
Opened files
Hooking activity
Runtime DLLs
Additional details
The file sends control codes directly to certain device drivers making use of the DeviceIoControl Windows API function.
The file installs an application-defined hook procedure into a hook chain. You would install a hook procedure to monitor the system for certain types of events. These events are associated either with a specific thread or with all threads in the same desktop as the calling thread. This is done making use of the SetWindowsHook Windows API function.