SHA256: 21a0201874af80436dc0a36e5cbaf7da9b75217b3e39b712f3850729cf47deb6
File name: 11.exe
Detection ratio: 9 / 58
Analysis date: 2017-02-20 02:39:37 UTC ( 1 year, 12 months ago )
Antivirus Result Update
AegisLab Ml.Attribute.Gen!c 20170220
Baidu Win32.Trojan.WisdomEyes.16070401.9500.9996 20170217
CrowdStrike Falcon (ML) malicious_confidence_67% (D) 20170130
Endgame malicious (moderate confidence) 20170217
Sophos ML virtool.win32.injector.ge 20170203
Kaspersky UDS:DangerousObject.Multi.Generic 20170219
McAfee-GW-Edition BehavesLike.Win32.LiveSoftAction.fc 20170219
Qihoo-360 HEUR/QVM10.1.0000.Malware.Gen 20170220
Symantec ML.Attribute.HighConfidence 20170219
Ad-Aware 20170220
AhnLab-V3 20170219
Alibaba 20170220
ALYac 20170220
Antiy-AVL 20170220
Arcabit 20170220
Avast 20170220
AVG 20170220
Avira (no cloud) 20170219
AVware 20170220
BitDefender 20170220
Bkav 20170218
CAT-QuickHeal 20170218
ClamAV 20170220
CMC 20170219
Comodo 20170220
Cyren 20170220
DrWeb 20170220
Emsisoft 20170220
ESET-NOD32 20170219
F-Prot 20170220
F-Secure 20170220
Fortinet 20170220
GData 20170220
Ikarus 20170219
Jiangmin 20170218
K7AntiVirus 20170219
K7GW 20170220
Kingsoft 20170220
Malwarebytes 20170220
McAfee 20170220
Microsoft 20170220
eScan 20170220
NANO-Antivirus 20170220
nProtect 20170220
Panda 20170219
Rising 20170220
Sophos AV 20170220
SUPERAntiSpyware 20170219
Tencent 20170220
TheHacker 20170218
TrendMicro 20170220
TrendMicro-HouseCall 20170220
Trustlook 20170220
VBA32 20170217
VIPRE 20170220
ViRobot 20170219
Webroot 20170220
WhiteArmor 20170215
Yandex 20170219
Zillya 20170218
Zoner 20170220
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
FileVersionInfo properties
Copyright
Copyright (c) 2006-2014 Lavasoft

Product Withhold
Original name Withhold
File version 6.3.5.7
Description We've Lqtm
Comments We've Lqtm
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2017-02-19 17:56:19
Entry Point 0x00009B26
Number of sections 5
PE sections
PE imports
GetTokenInformation
SetSecurityDescriptorDacl
SetNamedSecurityInfoA
RegCloseKey
RegQueryValueExA
FreeSid
MakeSelfRelativeSD
AddAccessAllowedAce
AllocateAndInitializeSid
InitializeSecurityDescriptor
InitializeAcl
SetEntriesInAclA
IsValidSecurityDescriptor
GetNamedSecurityInfoA
GetLengthSid
RegCreateKeyA
GetAce
GetSecurityDescriptorLength
capGetDriverDescriptionA
Ord(412)
InitCommonControlsEx
GetOpenFileNameA
ChooseColorA
CommDlgExtendedError
GetDeviceCaps
CreateDCA
FillRgn
SetBrushOrgEx
DeleteDC
CreateEllipticRgn
ExcludeClipRect
SelectObject
CreatePen
SetPixel
CreateSolidBrush
CreateRectRgnIndirect
CombineRgn
CreateCompatibleDC
DeleteObject
CreateCompatibleBitmap
Rectangle
ImmReleaseContext
ImmSetCompositionWindow
ImmIsIME
ImmGetContext
GetStdHandle
GetDriveTypeA
EncodePointer
SetConsoleCursorPosition
GetLocalTime
FreeEnvironmentStringsA
DeleteCriticalSection
GetCurrentProcess
GetConsoleMode
GetLocaleInfoA
LocalAlloc
GetLogicalDrives
GetFileInformationByHandle
GetLocaleInfoW
SetStdHandle
GetCPInfo
lstrcmpiA
WriteFile
GetSystemTimeAsFileTime
HeapReAlloc
GetStringTypeW
LocalFree
GetLogicalDriveStringsA
FindClose
InterlockedDecrement
FormatMessageA
EnumDateFormatsA
SetLastError
ReadConsoleInputA
GetUserDefaultLangID
GetModuleFileNameW
IsDebuggerPresent
HeapAlloc
GetModuleFileNameA
HeapSetInformation
EnumSystemLocalesA
UnhandledExceptionFilter
TlsGetValue
MultiByteToWideChar
SetUnhandledExceptionFilter
IsProcessorFeaturePresent
DecodePointer
SetEnvironmentVariableA
TerminateProcess
GlobalAlloc
SearchPathA
VirtualQueryEx
SetEndOfFile
GetCurrentThreadId
InterlockedIncrement
WriteConsoleW
InitializeCriticalSectionAndSpinCount
HeapFree
EnterCriticalSection
SetHandleCount
LoadLibraryW
GetOEMCP
QueryPerformanceCounter
GetTickCount
TlsAlloc
FlushFileBuffers
RtlUnwind
GetFileSize
OpenProcess
GetPrivateProfileIntA
GetStartupInfoW
ReadProcessMemory
GetUserDefaultLCID
GetConsoleScreenBufferInfo
GetProcessHeap
CompareStringW
lstrcpyW
FreeEnvironmentStringsW
FindFirstFileA
lstrcpyA
FindNextFileA
IsValidLocale
GetProcAddress
CreateFileW
GetConsoleWindow
GetFileType
TlsSetValue
CreateFileA
ExitProcess
LeaveCriticalSection
GetLastError
LCMapStringW
HeapCreate
lstrlenA
GetConsoleCP
GetEnvironmentStringsW
GlobalUnlock
GetCurrentProcessId
WideCharToMultiByte
HeapSize
GetCommandLineA
RaiseException
TlsFree
SetFilePointer
ReadFile
CloseHandle
GetACP
GlobalLock
GetModuleHandleW
IsValidCodePage
SetConsoleMode
Sleep
NetShareGetInfo
Ord(61)
Ord(62)
SysAllocStringLen
GetModuleInformation
GetProcessMemoryInfo
SetupDiGetClassDevsW
SetupDiDestroyDeviceInfoList
SHQueryRecycleBinA
SHEmptyRecycleBinA
PathFindFileNameA
PathFindExtensionW
PathFindFileNameW
MapWindowPoints
GetDlgItem
SetDlgItemTextA
GetForegroundWindow
GetParent
UpdateWindow
GetWindowPlacement
EndDialog
BeginPaint
OffsetRect
KillTimer
GetIconInfo
ClipCursor
PostQuitMessage
DefWindowProcA
FindWindowA
GetClipboardData
GetWindowThreadProcessId
GetDesktopWindow
GetSystemMetrics
GetClipboardFormatNameA
SendMessageW
GetWindowRect
EnableWindow
SetWindowPlacement
MoveWindow
MessageBoxA
GetSystemMenu
ChildWindowFromPoint
SetWindowLongA
AdjustWindowRectEx
LoadKeyboardLayoutA
SetKeyboardState
ActivateKeyboardLayout
CheckDlgButton
GetDC
InsertMenuItemA
GetCursorPos
CreatePopupMenu
SetWindowTextA
GetClipCursor
GetMenu
wsprintfA
ShowWindow
IsWindowVisible
EnumWindows
SendMessageA
GetWindowTextA
GetClientRect
SetTimer
GetKeyboardLayoutList
GetWindow
IsWindow
SetWindowPos
SetScrollPos
RegisterClassA
SetRect
GetScrollInfo
InvalidateRect
LoadAcceleratorsA
GetWindowLongA
IsClipboardFormatAvailable
CreateWindowExA
LoadCursorA
LoadIconA
GetMenuItemCount
RegisterHotKey
AttachThreadInput
GetSysColorBrush
EnumClipboardFormats
GetClassNameA
GetFocus
CreateWindowExW
ReleaseDC
EndPaint
CloseClipboard
SetCursorPos
RegisterClassExA
OpenClipboard
GetFileVersionInfoSizeA
GetFileVersionInfoA
VerQueryValueA
midiInGetID
midiInMessage
Ord(201)
WTSEnumerateProcessesA
GdiplusStartup
CreateStreamOnHGlobal
CoInitialize
CoInitializeEx
RegisterDragDrop
CoCreateInstance
StgCreateDocfile
SnmpUtilAsnAnyCpy
Number of PE resources by type
RT_DIALOG 14
RT_GROUP_CURSOR 9
RCDATA 8
RT_STRING 8
RT_BITMAP 6
PNG 6
RT_ICON 5
RT_CURSOR 4
RT_MANIFEST 1
RT_VERSION 1
RT_GROUP_ICON 1
Number of PE resources by language
ENGLISH US 63
PE resources
ExifTool file metadata
UninitializedDataSize
0

Comments
We've Lqtm

LinkerVersion
10.0

ImageVersion
0.0

FileSubtype
0

FileVersionNumber
6.3.5.7

LanguageCode
English (U.S.)

FileFlagsMask
0x003f

CharacterSet
Unicode

InitializedDataSize
261632

EntryPoint
0x9b26

OriginalFileName
Withhold

MIMEType
application/octet-stream

LegalCopyright
Copyright (c) 2006-2014 Lavasoft

FileVersion
6.3.5.7

TimeStamp
2017:02:19 18:56:19+01:00

FileType
Win32 EXE

PEType
PE32

SubsystemVersion
5.1

ProductVersion
6.3.5.7

FileDescription
We've Lqtm

OSVersion
5.1

FileOS
Windows NT 32-bit

Subsystem
Windows GUI

MachineType
Intel 386 or later, and compatibles

CompanyName
Lavasoft

CodeSize
118784

ProductName
Withhold

ProductVersionNumber
6.3.5.7

FileTypeExtension
exe

ObjectFileType
Executable application

Compressed bundles
File identification
MD5 e3b3e285390c0e2f7d04bd040bec790d
SHA1 dbee71535e9f1fb23b3f01e25989d22d51237e68
SHA256 21a0201874af80436dc0a36e5cbaf7da9b75217b3e39b712f3850729cf47deb6
ssdeep 6144:C9dswuuW1sVyO6x5x6bQ5PJIgNdsalkFrgikCxEwdrDY2AotYSNlx4:CtuuiswO696bQXIqSa2FjJG0Y2AotYW4

authentihash 9f64481da1a7167e81499918777f19967da42a8cc27fbd0a2dd0b647c61b0480
imphash 09079191e32ab271df88d26a787c56c2
File size 372.5 KB ( 381440 bytes )
File type Win32 EXE
Magic literal PE32 executable for MS Windows (GUI) Intel 80386 32-bit

TrID Win32 Executable MS Visual C++ (generic) (41.0%)
Win64 Executable (generic) (36.3%)
Win32 Dynamic Link Library (generic) (8.6%)
Win32 Executable (generic) (5.9%)
OS/2 Executable (generic) (2.6%)
Tags
peexe

VirusTotal metadata
First submission 2017-02-20 00:24:24 UTC ( 1 year, 12 months ago )
Last submission 2017-02-22 21:10:08 UTC ( 1 year, 11 months ago )
File names Win32.Ransom.Locky@21a0201874af80436dc0a36e5cbaf7da9b75217b3e39b712f3850729cf47deb6.bin
11.exe
Withhold
localfile~
locky.exe
locky.exe
Locky.exe
Condensed report! The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.
Opened files
Read files
Written files
Moved files
Deleted files
Created processes
Shell commands
Code injections in the following processes
Created mutexes
Opened mutexes
Searched windows
Opened service managers
Opened services
Hooking activity
Runtime DLLs
Additional details
The file uses the IsDebuggerPresent Windows API function in order to see whether it is being debugged.
The file installs an application-defined hook procedure into a hook chain, using the SetWindowsHook Windows API function. A hook procedure is installed to monitor the system for certain types of events; these events are associated either with a specific thread or with all threads in the same desktop as the calling thread.
HTTP requests
DNS requests
TCP connections
UDP communications