SHA256: 29d0c73a1e84d3cb74cf0225319142ebf1a6027a2f220c1f552d59427e19ce8c
File name: 335b8bd22e08f3827c8c9f61394b48e0
Detection ratio: 46 / 52
Analysis date: 2014-05-15 18:33:38 UTC ( 4 years, 9 months ago )
Antivirus Result Update
Ad-Aware Gen:Variant.Symmi.7365 20140515
Yandex TrojanSpy.Zbot!yNfkdrjqFxw 20140515
AhnLab-V3 Spyware/Win32.Zbot 20140515
AntiVir Rkit/Agent.182272 20140515
Antiy-AVL Trojan[Spy]/Win32.Zbot 20140515
Avast Win32:Rootkit-gen [Rtk] 20140515
AVG PSW.Generic10.AQYS 20140515
Baidu-International Trojan.Win32.Generic.aI 20140515
BitDefender Gen:Variant.Symmi.7365 20140515
Bkav W32.Clod870.Trojan.b5ec 20140515
CAT-QuickHeal TrojanSpy.Zbot.r4 20140515
ClamAV Win.Trojan.Zbot-6769 20140515
Commtouch W32/Trojan.UPTJ-1176 20140515
Comodo UnclassifiedMalware 20140515
DrWeb Trojan.PWS.Panda.2401 20140515
Emsisoft Gen:Variant.Symmi.8057 (B) 20140515
ESET-NOD32 Win32/Spy.Zbot.AAO 20140515
F-Secure Gen:Variant.Symmi.8057 20140515
Fortinet W32/Zbot.ASJ!tr 20140515
GData Gen:Variant.Symmi.8057 20140515
Ikarus Trojan-Spy.Win32.Zbot 20140515
Jiangmin TrojanSpy.Zbot.csut 20140515
K7AntiVirus Spyware ( 0029a43a1 ) 20140515
K7GW Spyware ( 0029a43a1 ) 20140515
Kaspersky HEUR:Trojan.Win32.Generic 20140515
Malwarebytes Virus.Expiro 20140515
McAfee PWS-Zbot.gen.ath 20140515
McAfee-GW-Edition PWS-Zbot.gen.ath 20140515
Microsoft PWS:Win32/Zbot.gen!AJ 20140515
eScan Gen:Variant.Symmi.9411 20140515
NANO-Antivirus Trojan.Win32.Zbot.btxcgy 20140515
Norman ZBot.RHWH 20140515
nProtect Trojan-Spy/W32.ZBot.182272.AQ 20140515
Panda Trj/Genetic.gen 20140515
Qihoo-360 HEUR/Malware.QVM07.Gen 20140515
Rising PE:Malware.XPACK-HIE/Heur!1.9C48 20140507
Sophos AV Mal/Generic-S 20140515
SUPERAntiSpyware Trojan.Agent/Gen-Festo 20140515
Symantec Trojan.Gen 20140515
Tencent Win32.Exploit.Agent.Lhxb 20140515
TheHacker Trojan/Spy.Zbot.aao 20140515
TrendMicro-HouseCall HV_SINOWAL_CI05323E.RDXN 20140515
VBA32 TScope.Malware-Cryptor.SB 20140514
VIPRE Trojan.Win32.EncPk.ain (v) 20140515
ViRobot Trojan.Win32.A.Zbot.182272.BN 20140515
Zillya Trojan.Zbot.Win32.88143 20140514
AegisLab 20140515
ByteHero 20140227
CMC 20140512
F-Prot 20140515
Kingsoft 20140515
TotalDefense 20140515
TrendMicro 20140515
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
Packers identified
PEiD Armadillo v1.71
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2008-12-06 22:33:52
Entry Point 0x00027504
Number of sections 4
PE sections
PE imports
GlobalGetAtomNameW
HeapFree
GetStdHandle
GlobalDeleteAtom
ReadFile
SetHandleCount
lstrlenA
GlobalFree
ScrollConsoleScreenBufferA
GetOEMCP
GetEnvironmentStringsW
HeapDestroy
ExitProcess
GetHandleInformation
FlushFileBuffers
LoadLibraryA
RtlUnwind
GetModuleFileNameA
WinExec
FindFirstChangeNotificationW
FreeEnvironmentStringsA
GetStartupInfoA
Module32FirstW
GetEnvironmentStrings
CompareFileTime
GetPrivateProfileStringA
WritePrivateProfileStringA
LCMapStringW
CopyFileExA
GetCPInfo
UnhandledExceptionFilter
MultiByteToWideChar
SetStdHandle
FreeEnvironmentStringsW
WritePrivateProfileSectionA
GetCommandLineA
GetProcAddress
GetThreadContext
EnumResourceLanguagesW
SetFilePointer
WideCharToMultiByte
GetStringTypeA
GetModuleHandleA
SetSystemPowerState
WriteFile
GetCurrentProcess
CreateHardLinkW
GetMailslotInfo
GetACP
HeapReAlloc
GetStringTypeW
SetThreadExecutionState
ReadConsoleA
MoveFileA
TerminateProcess
LCMapStringA
HeapCreate
AddAtomW
VirtualFree
AllocConsole
TransactNamedPipe
GetFileType
ReadFileEx
HeapAlloc
GetVersion
VirtualAlloc
GetLastError
CloseHandle
Number of PE resources by type
RT_MANIFEST 1
Number of PE resources by language
ENGLISH US 1
PE resources
ExifTool file metadata
MIMEType: application/octet-stream
Subsystem: Windows GUI
MachineType: Intel 386 or later, and compatibles
TimeStamp: 2008:12:06 23:33:52+01:00
FileType: Win32 EXE
PEType: PE32
CodeSize: 173568
LinkerVersion: 6.0
FileAccessDate: 2014:05:15 19:39:36+01:00
EntryPoint: 0x27504
InitializedDataSize: 253952
SubsystemVersion: 4.0
ImageVersion: 0.0
OSVersion: 4.0
FileCreateDate: 2014:05:15 19:39:36+01:00
UninitializedDataSize: 0

File identification
MD5 335b8bd22e08f3827c8c9f61394b48e0
SHA1 cdd3f045bb9157ff22fd2ff9b775208547018d0e
SHA256 29d0c73a1e84d3cb74cf0225319142ebf1a6027a2f220c1f552d59427e19ce8c
ssdeep 3072:1gGS6ldsn9/7IDi+hHgRMEJilL3OMVVoSbFK+lsQj8SR/Vk9+n3+RKXoEkK:1gGhds9sDtHOME+LPHZKesi8SwAuJK
imphash deac10062945dc3360632128e447f7fb
File size 178.0 KB ( 182272 bytes )
File type Win32 EXE
Magic literal PE32 executable for MS Windows (GUI) Intel 80386 32-bit
TrID Win32 Dynamic Link Library (generic) (43.5%)
Win32 Executable (generic) (29.8%)
Generic Win/DOS Executable (13.2%)
DOS Executable Generic (13.2%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
Tags
peexe armadillo

VirusTotal metadata
First submission 2012-12-14 04:14:05 UTC ( 6 years, 2 months ago )
Last submission 2014-05-15 18:33:38 UTC ( 4 years, 9 months ago )
File names lSeo3d.bmp
335b8bd22e08f3827c8c9f61394b48e0
kptKHgmS.reg
aa
Condensed report! The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.
Opened files
Read files
Written files
Copied files
Deleted files
Created processes
Code injections in the following processes
Created mutexes
Opened mutexes
Searched windows
Opened service managers
Opened services
Runtime DLLs
Additional details
The file sends control codes directly to certain device drivers making use of the DeviceIoControl Windows API function.
DNS requests
UDP communications