SHA256: 27366b11bdefd4002656f95801f6ef677034adff62d6b5e9060d54c3416700ed
File name: WSPDll_dump.ex_
Detection ratio: 40 / 57
Analysis date: 2015-02-23 11:29:12 UTC ( 3 years, 9 months ago )
Antivirus Result Update
Ad-Aware Trojan.PWS.VB.NDC 20150223
Yandex Riskware.PSWTool!Gz93m51QsGk 20150222
AhnLab-V3 Worm/Win32.VBNA 20150222
ALYac Trojan.PWS.VB.NDC 20150223
Antiy-AVL Trojan[PSWTool:not-a-virus]/Win32.NetPass 20150223
Avast Win32:Malware-gen 20150223
AVG Worm/Generic_vb.KM 20150223
Avira (no cloud) TR/Spy.175928 20150223
AVware Worm.Win32.Vobfus.mc (v) 20150223
BitDefender Trojan.PWS.VB.NDC 20150223
CAT-QuickHeal HackTool.BroPasView.W4 20150223
Comodo TrojWare.Win32.PSW.VB.NIS 20150223
Cyren W32/PasswView.TANC-0160 20150223
DrWeb Trojan.PWS.Multi.911 20150223
Emsisoft Trojan.PWS.VB.NDC (B) 20150223
ESET-NOD32 Win32/PSW.VB.NIS 20150223
F-Prot W32/PasswView.D 20150223
F-Secure Trojan.PWS.VB.NDC 20150223
Fortinet W32/VBInjector.AGB!tr 20150223
GData Trojan.PWS.VB.NDC 20150223
Ikarus Virus.Win32.VBInject 20150223
K7AntiVirus Trojan ( 000df1f41 ) 20150223
K7GW Trojan ( 000df1f41 ) 20150223
Kaspersky Worm.Win32.VBNA.b 20150223
Malwarebytes Trojan.VBInject 20150223
McAfee Artemis!84ABE3E34714 20150223
McAfee-GW-Edition BehavesLike.Win32.PWSZbot.dc 20150222
Microsoft TrojanSpy:Win32/Plimrost.B 20150223
eScan Trojan.PWS.VB.NDC 20150223
NANO-Antivirus Riskware.Win32.MailPassView.cxarxp 20150223
Norman Obfuscated.FS!genr 20150223
nProtect Trojan.PWS.VB.NDC 20150223
Rising PE:Trojan.Vbex!1.99F5 20150222
Sophos AV Troj/Mdrop-FCN 20150223
SUPERAntiSpyware Trojan.Agent/Gen-Falcomp[Cont] 20150222
Symantec W32.Shadesrat 20150223
TrendMicro-HouseCall TROJ_WEBBROWSERPASSVIEW_0000001.TOMA 20150223
VBA32 Trojan.VB.Schmidti 20150220
VIPRE Worm.Win32.Vobfus.mc (v) 20150223
ViRobot Worm.Win32.A.VBNA.212992.Q[h] 20150223
AegisLab 20150223
Alibaba 20150223
Baidu-International 20150223
Bkav 20150213
ByteHero 20150223
ClamAV 20150223
CMC 20150223
Jiangmin 20150222
Kingsoft 20150223
Panda 20150223
Qihoo-360 20150223
Tencent 20150223
TheHacker 20150222
TotalDefense 20150223
TrendMicro 20150223
Zillya 20150222
Zoner 20150220
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
FileVersionInfo properties
Publisher SIMPLY THE WORST
Product msi
Original name 11.exe
Internal name 11
File version 0.04
Packers identified
F-PROT UPX
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2012-08-10 13:01:42
Entry Point 0x00001180
Number of sections 3
PE sections
PE imports
EVENT_SINK_QueryInterface
Ord(645)
Ord(537)
Ord(648)
Ord(516)
EVENT_SINK_AddRef
Ord(525)
Ord(712)
Ord(717)
Ord(666)
__vbaExceptHandler
Ord(632)
MethCallEngine
DllFunctionCall
Ord(100)
Ord(608)
Ord(570)
Ord(594)
Ord(520)
Ord(571)
Ord(526)
ProcCallEngine
Ord(711)
Ord(660)
Ord(601)
EVENT_SINK_Release
Ord(616)
Ord(617)
Ord(593)
Ord(581)
Ord(529)
Ord(667)
Ord(607)
Ord(644)
Ord(606)
Ord(631)
Ord(619)
Number of PE resources by type
RT_ICON 3
DVCLAL 3
RT_VERSION 1
RT_GROUP_ICON 1
Number of PE resources by language
NEUTRAL 4
ROMANIAN 3
ENGLISH US 1
PE resources
ExifTool file metadata
UninitializedDataSize 0
InitializedDataSize 237568
ImageVersion 0.4
ProductName msi
FileVersionNumber 0.4.0.0
LanguageCode English (U.S.)
FileFlagsMask 0x0000
CharacterSet Unicode
LinkerVersion 6.0
FileOS Win32
MIMEType application/octet-stream
FileVersion 0.04
TimeStamp 2012:08:10 14:01:42+01:00
FileType Win32 EXE
PEType PE32
InternalName 11
ProductVersion 0.04
SubsystemVersion 4.0
OSVersion 4.0
OriginalFilename 11.exe
Subsystem Windows GUI
MachineType Intel 386 or later, and compatibles
CompanyName SIMPLY THE WORST
CodeSize 28672
FileSubtype 0
ProductVersionNumber 0.4.0.0
EntryPoint 0x1180
ObjectFileType Executable application

File identification
MD5 2d43f3ade5ca73834b67de97a2c28d74
SHA1 b769a8fb45840eccde143346a19e55c76e348b9c
SHA256 27366b11bdefd4002656f95801f6ef677034adff62d6b5e9060d54c3416700ed
ssdeep 6144:8/Yb//1Pxw4dIKCC0ef//uXltKc+LVsz9b8R4jvLXou:8V4dFeCXuLKcCVsz6SDLXo
authentihash 332cf984fb8952e1a40d736863d44ce1ee13a33e3328cc7b7eaa57de4c9f459d
imphash 7342988ab055a1f3362c0bb541456d42
File size 264.0 KB ( 270336 bytes )
File type Win32 EXE
Magic literal PE32 executable for MS Windows (GUI) Intel 80386 32-bit
TrID Win32 Executable Microsoft Visual Basic 6 (53.1%)
UPX compressed Win32 Executable (19.8%)
Win32 EXE Yoda's Crypter (17.2%)
Win32 Dynamic Link Library (generic) (4.2%)
Win32 Executable (generic) (2.9%)
Tags peexe upx

VirusTotal metadata
First submission 2015-02-23 11:29:12 UTC ( 3 years, 9 months ago )
Last submission 2015-02-23 11:29:12 UTC ( 3 years, 9 months ago )
File names 11
WSPDll_dump.ex_
11.exe
Advanced heuristic and reputation engines
ClamAV
Possibly Unwanted Application. While not necessarily malicious, the scanned file presents certain characteristics which depending on the user policies and environment may or may not represent a threat. For full details see: https://www.clamav.net/documents/potentially-unwanted-applications-pua .

Condensed report! The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.
Opened files
Read files
Written files
Created processes
Code injections in the following processes
Opened mutexes
Hooking activity
Runtime DLLs
Additional details
The file sends control codes directly to certain device drivers making use of the DeviceIoControl Windows API function.
The file installs an application-defined hook procedure into a hook chain. You would install a hook procedure to monitor the system for certain types of events. These events are associated either with a specific thread or with all threads in the same desktop as the calling thread. This is done making use of the SetWindowsHook Windows API function.