SHA256: 2b9f47a91c2e828d639105b2f88ed7970f9e5f27553b3882722d190b4341cf37
File name: 2015-04-26-Angler-EK-Payload-TeslaCrypt.exe
Detection ratio: 23 / 56
Analysis date: 2015-04-27 23:38:14 UTC ( 2 years, 6 months ago )
Antivirus | Result | Update
Ad-Aware | Trojan.GenericKD.2326342 | 20150427
AhnLab-V3 | Win-Trojan/Cryptowall.Gen | 20150427
Avast | Win32:Dropper-gen [Drp] | 20150427
AVG | Inject2.CAKA | 20150427
Avira (no cloud) | TR/Crypt.Xpack.177660 | 20150428
Baidu-International | Trojan.Win32.Ransom.jx | 20150426
BitDefender | Trojan.GenericKD.2326342 | 20150428
DrWeb | Trojan.Inject1.55081 | 20150427
Emsisoft | Trojan.GenericKD.2326342 (B) | 20150427
ESET-NOD32 | a variant of Win32/Injector.BZFN | 20150427
Fortinet | W32/BZFN!tr | 20150427
GData | Trojan.GenericKD.2326342 | 20150427
K7AntiVirus | Riskware ( 0040eff71 ) | 20150427
K7GW | Riskware ( 0040eff71 ) | 20150427
Kaspersky | Trojan-Ransom.Win32.Bitman.jx | 20150427
eScan | Trojan.GenericKD.2326342 | 20150427
Panda | Trj/CryptoWall.A | 20150427
Qihoo-360 | HEUR/QVM07.1.Malware.Gen | 20150428
Rising | PE:Malware.Obscure/Heur!1.9E03 | 20150427
Sophos AV | Troj/Ransom-ATP | 20150427
Symantec | WS.Reputation.1 | 20150427
Tencent | Win32.Trojan.Bp-ransomware.Ejqz | 20150428
TrendMicro-HouseCall | Suspicious_GEN.F47V0427 | 20150427
AegisLab | (no detection) | 20150427
Yandex | (no detection) | 20150427
Alibaba | (no detection) | 20150427
ALYac | (no detection) | 20150427
Antiy-AVL | (no detection) | 20150427
AVware | (no detection) | 20150427
Bkav | (no detection) | 20150425
ByteHero | (no detection) | 20150428
CAT-QuickHeal | (no detection) | 20150427
ClamAV | (no detection) | 20150428
CMC | (no detection) | 20150423
Comodo | (no detection) | 20150428
Cyren | (no detection) | 20150427
F-Prot | (no detection) | 20150427
F-Secure | (no detection) | 20150428
Ikarus | (no detection) | 20150427
Jiangmin | (no detection) | 20150427
Kingsoft | (no detection) | 20150428
McAfee | (no detection) | 20150427
McAfee-GW-Edition | (no detection) | 20150427
Microsoft | (no detection) | 20150427
NANO-Antivirus | (no detection) | 20150427
Norman | (no detection) | 20150427
nProtect | (no detection) | 20150427
SUPERAntiSpyware | (no detection) | 20150427
TheHacker | (no detection) | 20150426
TotalDefense | (no detection) | 20150427
TrendMicro | (no detection) | 20150427
VBA32 | (no detection) | 20150427
VIPRE | (no detection) | 20150427
ViRobot | (no detection) | 20150427
Zillya | (no detection) | 20150427
Zoner | (no detection) | 20150427
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
FileVersionInfo properties
Copyright: (C) 2015
Product: LeastSquare
Original name: LeastSquare.exe
Internal name: LeastSquare
File version: 1, 0, 0, 1
Description: LeastSquare
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2015-04-25 18:27:55
Entry Point 0x00003BD2
Number of sections 5
PE sections
PE imports
RegDeleteValueW
FreeEnvironmentStringsA
LCMapStringA
ExitProcess
GetStartupInfoW
CreateFileA
GetModuleFileNameA
GetModuleHandleW
_except_handler3
__p__fmode
fabs
__CxxFrameHandler
__wgetmainargs
_exit
_adjust_fdiv
__p__commode
__dllonexit
_onexit
exit
_XcptFilter
_ftol
_initterm
_controlfp
_wcmdln
__setusermatherr
__set_app_type
IsDialogMessageW
EnableWindow
InvalidateRect
GetSysColor
UpdateWindow
Number of PE resources by type
RT_STRING 13
RT_DIALOG 1
21 1
RT_ICON 1
Struct(241) 1
RT_MENU 1
RT_ACCELERATOR 1
RT_BITMAP 1
RT_VERSION 1
RT_GROUP_ICON 1
Number of PE resources by language
CHINESE SIMPLIFIED 18
NEUTRAL 3
FINNISH DEFAULT 1
PE resources
ExifTool file metadata
SubsystemVersion: 4.0
InitializedDataSize: 372736
ImageVersion: 0.0
ProductName: LeastSquare
FileVersionNumber: 1.0.0.1
UninitializedDataSize: 0
LanguageCode: French (Swiss)
FileFlagsMask: 0x003f
CharacterSet: Unicode
LinkerVersion: 6.0
FileTypeExtension: exe
OriginalFileName: LeastSquare.exe
MIMEType: application/octet-stream
Subsystem: Windows GUI
FileVersion: 1, 0, 0, 1
TimeStamp: 2015:04:25 19:27:55+01:00
FileType: Win32 EXE
PEType: PE32
InternalName: LeastSquare
ProductVersion: 1, 0, 0, 1
FileDescription: LeastSquare
OSVersion: 4.0
FileOS: Windows NT 32-bit
LegalCopyright: (C) 2015
MachineType: Intel 386 or later, and compatibles
CodeSize: 12288
FileSubtype: 0
ProductVersionNumber: 1.0.0.1
EntryPoint: 0x3bd2
ObjectFileType: Executable application
Compressed bundles
File identification
MD5 21cda6635f0cd902abfaa56250028324
SHA1 1d61f2a41abee9b4c3b43703d12e0bfcae7d6131
SHA256 2b9f47a91c2e828d639105b2f88ed7970f9e5f27553b3882722d190b4341cf37
ssdeep 6144:AI4qrZvJWz3BRtvVf9AOM7EwBRu9Lj3ErR4sSmN71672Dw3nid:AILwztvV1AjDu93wOsSmNR5Z
authentihash 37f5c4517397571337433f6473f2c6f3337d60cdc620ebe5e18f940f473c11d4
imphash 42b781492adeb409b3104da39d2fade0
File size 384.0 KB ( 393216 bytes )
File type Win32 EXE
Magic literal PE32 executable for MS Windows (GUI) Intel 80386 32-bit
TrID Win32 Dynamic Link Library (generic) (43.5%)
Win32 Executable (generic) (29.8%)
Generic Win/DOS Executable (13.2%)
DOS Executable Generic (13.2%)
Tags peexe
VirusTotal metadata
First submission 2015-04-27 04:04:42 UTC ( 2 years, 6 months ago )
Last submission 2017-04-28 03:56:07 UTC ( 6 months, 3 weeks ago )
File names CRYPTOTESLA.EXE
nou teslacrypt.exe
Malware (10).exe
gdxfctx.exe
2b9f47a91c2e828d639105b2f88ed7970f9e5f27553b3882722d190b4341cf37.exe
TeslaCrypt.exe
rcnrxpc.exe
21CDA6635F0CD902ABFAA56250028324.@
2b9f47a91c2e828d639105b2f88ed7970f9e5f27553b3882722d190b4341cf37.exe
teslacrypt.exe
2015-04-26-Angler-EK-Payload-TeslaCrypt.exe
2b9f47a91c2e828d639105b2f88ed7970f9e5f27553b3882722d190b4341cf37.bin
LeastSquare.exe
LeastSquare
Advanced heuristic and reputation engines
Symantec reputation Suspicious.Insight
Condensed report! The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.
Opened files
Read files
Written files
Created processes
Code injections in the following processes
Opened mutexes
Runtime DLLs
Additional details
The file sends control codes directly to certain device drivers making use of the DeviceIoControl Windows API function.
UDP communications