SHA256: 27fa65a3166def75feb75f8feb25dd9784b8f2518c73defcc4ed3e9f46868e76
File name: el-bretzel.exe
Detection ratio: 10 / 57
Analysis date: 2015-04-25 00:28:00 UTC (2 years, 7 months ago)
Antivirus              Result                           Update
AhnLab-V3              Trojan/Win32.Mepaow              20150424
Avira (no cloud)       TR/Agent.150528.136              20150424
Baidu-International    Trojan.Win32.Laziok.B            20150421
CMC                    Packed.Win32.Zcrypt.3!O          20150423
ESET-NOD32             a variant of Win32/Laziok.B      20150425
McAfee                 Artemis!7B2E56424C67             20150425
Microsoft              Trojan:Win32/Laziok.gen.A!dha    20150425
Sophos AV              Mal/Generic-S                    20150424
TrendMicro             TROJ_FORUCON.BMC                 20150425
TrendMicro-HouseCall   TROJ_FORUCON.BMC                 20150424

Engines reporting no detection (with signature update date):
Ad-Aware 20150425
AegisLab 20150425
Yandex 20150424
Alibaba 20150424
ALYac 20150424
Antiy-AVL 20150424
Avast 20150424
AVG 20150425
AVware 20150425
BitDefender 20150425
Bkav 20150423
ByteHero 20150425
CAT-QuickHeal 20150424
ClamAV 20150425
Comodo 20150425
Cyren 20150425
DrWeb 20150424
Emsisoft 20150425
F-Prot 20150425
F-Secure 20150425
Fortinet 20150423
GData 20150425
Ikarus 20150424
Jiangmin 20150424
K7AntiVirus 20150424
K7GW 20150424
Kaspersky 20150424
Kingsoft 20150425
Malwarebytes 20150424
McAfee-GW-Edition 20150424
eScan 20150424
NANO-Antivirus 20150425
Norman 20150424
nProtect 20150424
Panda 20150424
Qihoo-360 20150425
Rising 20150424
SUPERAntiSpyware 20150424
Symantec 20150425
Tencent 20150425
TheHacker 20150423
TotalDefense 20150424
VBA32 20150424
VIPRE 20150425
ViRobot 20150424
Zillya 20150424
Zoner 20150424
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2015-04-19 19:56:29
Entry Point 0x00001000
Number of sections 5
PE sections
PE imports
RegDeleteValueW
RegCloseKey
OpenProcessToken
RegSetValueExW
RegOpenKeyExW
RegCreateKeyW
AdjustTokenPrivileges
LookupPrivilegeValueW
RegOpenKeyW
RegDeleteKeyW
GetCurrentHwProfileW
CreateToolhelp32Snapshot
GetLastError
HeapFree
GetStdHandle
EnterCriticalSection
GetModuleFileNameW
WaitForSingleObject
FreeLibrary
HeapDestroy
ExitProcess
TlsAlloc
GlobalUnlock
GetVersionExA
LoadLibraryA
GetFileAttributesW
GetLocalTime
CopyFileW
Process32NextW
IsWow64Process
CreatePipe
GetCurrentProcess
GetDriveTypeW
FindNextFileW
GlobalLock
ReleaseSemaphore
OpenProcess
FindClose
WideCharToMultiByte
MultiByteToWideChar
CreateDirectoryW
Sleep
GetProcAddress
Process32FirstW
GetCurrentThread
GetComputerNameW
RemoveDirectoryW
SetFileAttributesW
CreateSemaphoreA
CreateThread
SetEnvironmentVariableW
TlsFree
SetFilePointer
DeleteCriticalSection
ReadFile
WriteFile
CreateMutexW
CloseHandle
DeleteFileW
FindFirstFileW
TerminateProcess
DuplicateHandle
HeapReAlloc
GetModuleHandleW
GlobalMemoryStatus
LoadLibraryW
WaitForMultipleObjects
InitializeCriticalSection
HeapCreate
CreateFileW
GlobalAlloc
CreateProcessW
GetLogicalDriveStringsW
GetDiskFreeSpaceExW
TlsGetValue
QueryDosDeviceW
GetTickCount
TlsSetValue
HeapAlloc
GetCurrentThreadId
GetEnvironmentVariableW
SetLastError
LeaveCriticalSection
malloc
memset
_wcsnicmp
strlen
_vsnwprintf
strncpy
wcslen
mktime
_wcsdup
wcscmp
sprintf
localtime
_strnicmp
wcsncpy
free
wcscat
atoi
wcsncmp
memcpy
strstr
memmove
wcscpy
_isnan
strcpy
wcsstr
strcmp
ShellExecuteW
ShellExecuteExW
EmptyClipboard
SendMessageW
CharLowerW
SetClipboardData
GetWindowTextW
FindWindowW
GetDesktopWindow
GetWindowTextLengthW
CloseClipboard
GetWindow
GetClipboardData
OpenClipboard
timeEndPeriod
timeBeginPeriod
__WSAFDIsSet
ioctlsocket
recv
socket
bind
inet_addr
send
WSACleanup
WSAStartup
gethostbyname
select
ntohs
connect
getsockname
sendto
recvfrom
htons
closesocket
accept
WSAGetLastError
listen
Number of PE resources by type
RT_MANIFEST 1
Number of PE resources by language
ENGLISH US 1
PE resources
ExifTool file metadata
MIMEType: application/octet-stream
Subsystem: Windows GUI
MachineType: Intel 386 or later, and compatibles
TimeStamp: 2015:04:19 20:56:29+01:00
FileType: Win32 EXE
PEType: PE32
CodeSize: 112640
LinkerVersion: 2.5
EntryPoint: 0x1000
InitializedDataSize: 38912
SubsystemVersion: 4.0
ImageVersion: 0.0
OSVersion: 4.0
UninitializedDataSize: 0
File identification
MD5 7b2e56424c67ba79ccade96dd16c9444
SHA1 690b375fa8e568c280e0c21626ceb7db98ae7622
SHA256 27fa65a3166def75feb75f8feb25dd9784b8f2518c73defcc4ed3e9f46868e76
ssdeep 3072:SaofRiZ6GTu1lZoZemJLIpM2xBJk2qNnTrC:CkZ6GTutoZemJLI3xb9qJC
authentihash f0b777d8056c798123cec7d97ff7ec96d0f029263b867b2ec2b63f14f0fd79d2
imphash 8332f720776c2d9cb27198cc7b589c6f
File size 147.0 KB (150528 bytes)
File type Win32 EXE
Magic literal PE32 executable for MS Windows (GUI) Intel 80386 32-bit
TrID Win32 Executable MS Visual C++ (generic) (64.4%)
     Win32 Dynamic Link Library (generic) (13.5%)
     Win32 Executable (generic) (9.3%)
     Win16/32 Executable Delphi generic (4.2%)
     Generic Win/DOS Executable (4.1%)
Tags peexe
VirusTotal metadata
First submission 2015-04-24 19:09:54 UTC (2 years, 7 months ago)
Last submission 2015-04-25 00:28:00 UTC (2 years, 7 months ago)
File names el-bretzel.exe
Advanced heuristic and reputation engines
ClamAV
Possibly Unwanted Application. While not necessarily malicious, the scanned file presents certain characteristics which depending on the user policies and environment may or may not represent a threat. For full details see: https://www.clamav.net/documents/potentially-unwanted-applications-pua .

Symantec reputation Suspicious.Insight
Condensed report! The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.
Opened files
Read files
Written files
Copied files
Deleted files
Created processes
Shell commands
Code injections in the following processes
Created mutexes
Opened mutexes
Runtime DLLs
Additional details
The file uses the IsDebuggerPresent Windows API function in order to see whether it is being debugged.
The file sends control codes directly to certain device drivers, making use of the DeviceIoControl Windows API function.
HTTP requests
TCP connections
UDP communications