SHA256: 33e59ca297a8a51007846a52213d6cf2106360d6a49ab970877d80feb950fea3
File name: BACKDOOR.EXE
Detection ratio: 39 / 67
Analysis date: 2017-10-31 03:53:20 UTC
Engine | Result | Signature update
Ad-Aware | Generic.Malware.SL!.CF98CCF8 | 20171031
AhnLab-V3 | Trojan/Win32.Generic.C2228896 | 20171030
ALYac | Generic.Malware.SL!.CF98CCF8 | 20171031
Antiy-AVL | Trojan/Win32.AGeneric | 20171031
Arcabit | Generic.Malware.SL!.CF98CCF8 | 20171031
Avast | Win32:RemcosRAT-A [Trj] | 20171031
AVG | Win32:RemcosRAT-A [Trj] | 20171031
Baidu | Win32.Trojan.WisdomEyes.16070401.9500.9998 | 20171030
BitDefender | Generic.Malware.SL!.CF98CCF8 | 20171031
Bkav | W32.NarakaDGAD.Trojan | 20171030
CrowdStrike Falcon (ML) | malicious_confidence_100% (D) | 20171016
Cybereason | malicious.1b8fb7 | 20170628
Cylance | Unsafe | 20171031
DrWeb | Trojan.MulDrop7.39399 | 20171031
eGambit | Unsafe.AI_Score_100% | 20171031
Emsisoft | Generic.Malware.SL!.CF98CCF8 (B) | 20171031
Endgame | malicious (high confidence) | 20171024
ESET-NOD32 | a variant of Win32/Agent.RXL | 20171031
F-Secure | Generic.Malware.SL!.CF98CCF8 | 20171031
GData | Win32.Malware.Bucaspys.B | 20171031
Sophos ML | heuristic | 20170914
Jiangmin | Trojan.Generic.bmkav | 20171031
K7AntiVirus | Trojan ( 004f67651 ) | 20171030
K7GW | Trojan ( 004f67651 ) | 20171031
Kaspersky | HEUR:Trojan.Win32.Generic | 20171031
MAX | malware (ai score=86) | 20171031
McAfee | Trojan-FOFQ!56E77BEB39D1 | 20171031
McAfee-GW-Edition | BehavesLike.Win32.Dropper.ch | 20171031
Microsoft | Backdoor:Win32/Rescoms.B | 20171030
eScan | Generic.Malware.SL!.CF98CCF8 | 20171031
NANO-Antivirus | Trojan.Win32.AD.etpals | 20171031
Qihoo-360 | HEUR/QVM07.1.DD7A.Malware.Gen | 20171031
SentinelOne (Static ML) | static engine - malicious | 20171019
Sophos AV | Mal/Emogen-Y | 20171031
Symantec | Infostealer!im | 20171030
TrendMicro | BKDR_SOCMER.SM | 20171031
TrendMicro-HouseCall | BKDR_SOCMER.SM | 20171031
Zillya | Trojan.Agent.Win32.850641 | 20171030
ZoneAlarm by Check Point | HEUR:Trojan.Win32.Generic | 20171031
Engines with no detection at the listed signature date:
AegisLab | (no detection) | 20171031
Alibaba | (no detection) | 20170911
Avast-Mobile | (no detection) | 20171030
Avira (no cloud) | (no detection) | 20171030
AVware | (no detection) | 20171031
CAT-QuickHeal | (no detection) | 20171030
ClamAV | (no detection) | 20171030
CMC | (no detection) | 20171030
Comodo | (no detection) | 20171031
Cyren | (no detection) | 20171031
F-Prot | (no detection) | 20171031
Fortinet | (no detection) | 20171031
Kingsoft | (no detection) | 20171031
Malwarebytes | (no detection) | 20171031
nProtect | (no detection) | 20171031
Palo Alto Networks (Known Signatures) | (no detection) | 20171031
Panda | (no detection) | 20171030
Rising | (no detection) | 20171031
SUPERAntiSpyware | (no detection) | 20171030
Symantec Mobile Insight | (no detection) | 20171027
Tencent | (no detection) | 20171031
TheHacker | (no detection) | 20171028
TotalDefense | (no detection) | 20171030
Trustlook | (no detection) | 20171031
VBA32 | (no detection) | 20171030
VIPRE | (no detection) | 20171031
ViRobot | (no detection) | 20171031
Webroot | (no detection) | 20171031
WhiteArmor | (no detection) | 20171024
Yandex | (no detection) | 20171030
Zoner | (no detection) | 20171031
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2017-10-09 14:37:08
Entry Point 0x0001167F
Number of sections 5
PE sections
PE imports
Imports from ADVAPI32.dll
RegDeleteKeyA
LookupPrivilegeValueA
RegCloseKey
OpenProcessToken
RegSetValueExW
RegQueryValueExA
RegDeleteValueW
RegOpenKeyExW
RegCreateKeyW
AdjustTokenPrivileges
RegSetValueExA
RegEnumValueA
RegCreateKeyExA
RegOpenKeyExA
RegCreateKeyA
GetUserNameW
RegEnumKeyExA
RegQueryInfoKeyA
RegQueryValueExW
Imports from GDI32.dll
GetDeviceCaps
CreateDCA
DeleteDC
SelectObject
StretchBlt
GetDIBits
CreateCompatibleDC
DeleteObject
CreateCompatibleBitmap
GetObjectA
Imports from KERNEL32.dll
CreateToolhelp32Snapshot
GetTempFileNameW
GetLastError
HeapFree
GetStdHandle
WaitForSingleObject
WriteProcessMemory
VirtualAllocEx
TerminateThread
lstrlenA
GetModuleFileNameW
GlobalFree
SetEvent
GetDriveTypeA
FindFirstFileW
LocalAlloc
GetTickCount
GlobalUnlock
GetModuleFileNameA
DeleteFileA
LoadLibraryA
WinExec
CopyFileW
Process32NextW
CreatePipe
GetStartupInfoA
CreateThread
RemoveDirectoryW
SizeofResource
PeekNamedPipe
GetLocaleInfoA
GetCurrentProcessId
OpenProcess
LockResource
ExpandEnvironmentStringsA
FindClose
GetLocalTime
ReadProcessMemory
GetFileAttributesW
DeleteFileW
lstrcatW
GetThreadContext
Process32FirstW
GetCurrentThread
OpenMutexA
CreateMutexA
GetModuleHandleA
ExitThread
GetProcAddress
SetFilePointer
FindNextFileW
ReadFile
CreateDirectoryW
GetTempPathW
GetCurrentProcess
FindFirstFileA
lstrcpynA
FindNextFileA
DuplicateHandle
HeapCreate
GlobalLock
ResumeThread
SetThreadContext
TerminateProcess
GetLongPathNameW
CreateProcessA
GetLogicalDriveStringsA
LoadResource
WriteFile
CreateFileW
GlobalAlloc
CreateProcessW
CreateEventA
AllocConsole
Sleep
SetFileAttributesW
CreateFileMappingA
ExitProcess
MapViewOfFileEx
FindResourceA
VirtualAlloc
GetFileSize
CloseHandle
Imports from MSVCP60.dll (Visual C++ 6 C++ standard library; MSVC-mangled std::basic_string and iostream members)
?rfind@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIGI@Z
?replace@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@IIPBG@Z
?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIDI@Z
?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ
?close@?$basic_ofstream@DU?$char_traits@D@std@@@std@@QAEXXZ
?begin@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ
?find_last_of@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIPBGI@Z
?end@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEPADXZ
?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIABV12@I@Z
??1out_of_range@std@@UAE@XZ
??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@D@Z
??9std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z
??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@IDABV?$allocator@D@1@@Z
??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z
?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ
??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z
??0_Winit@std@@QAE@XZ
?size@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ
??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGIABV?$allocator@G@1@@Z
??0out_of_range@std@@QAE@ABV01@@Z
??0logic_error@std@@QAE@ABV01@@Z
??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@G@Z
??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@0@Z
?empty@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBE_NXZ
??1Init@ios_base@std@@QAE@XZ
??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z
?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ
??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@D@Z
?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ
??_D?$basic_fstream@DU?$char_traits@D@std@@@std@@QAEXXZ
?is_open@?$basic_ofstream@DU?$char_traits@D@std@@@std@@QBE_NXZ
??0out_of_range@std@@QAE@ABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@1@@Z
??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV?$allocator@G@1@@Z
??0Init@ios_base@std@@QAE@XZ
??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z
??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z
??0?$basic_ofstream@DU?$char_traits@D@std@@@std@@QAE@PBDH@Z
??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@PBG@Z
??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z
?find_last_of@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIDI@Z
?rfind@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIDI@Z
?npos@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@2IB
??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ
??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z
??8std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@0@Z
?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIPBDI@Z
??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z
??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@ABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@@Z
?assign@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@ABV12@@Z
?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ
?resize@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEXI@Z
??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z
?find@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIPBGI@Z
?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z
?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ
??0?$basic_fstream@DU?$char_traits@D@std@@@std@@QAE@PBDH@Z
??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@IGABV?$allocator@G@1@@Z
?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@PBDH@Z
??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z
??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z
??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z
??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z
??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z
?resize@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEXID@Z
?find@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIABV12@I@Z
??_D?$basic_ofstream@DU?$char_traits@D@std@@@std@@QAEXXZ
?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB
?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIPBDII@Z
??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@DABV10@@Z
?substr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBE?AV12@II@Z
?empty@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE_NXZ
??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z
?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ
?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ
??1_Winit@std@@QAE@XZ
??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@PBG@Z
??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z
??8std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z
?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ
?seekp@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@JW4seekdir@ios_base@2@@Z
?resize@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEXI@Z
?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z
??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z
?end@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ
?begin@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEPADXZ
?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ
??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z
??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z
??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@G@Z
?close@?$basic_fstream@DU?$char_traits@D@std@@@std@@QAEXXZ
??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z
??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z
??8std@@YA_NPBGABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@@Z
??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z
??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ
Imports from MSVCRT.dll
strncmp
__p__fmode
malloc
??0exception@@QAE@ABV0@@Z
rand
??1type_info@@UAE@XZ
srand
__dllonexit
toupper
printf
_except_handler3
wcslen
puts
_wgetenv
??2@YAPAXI@Z
__p__commode
_onexit
_wrename
wcscmp
exit
_XcptFilter
_ftol
__setusermatherr
_controlfp
sprintf
_acmdln
_CxxThrowException
tolower
_itoa
_adjust_fdiv
free
getenv
wcscat
atoi
__getmainargs
_initterm
__CxxFrameHandler
localtime
wcscpy
freopen
time
_exit
__set_app_type
strftime
_iob
Imports from SHELL32.dll
ExtractIconA
ShellExecuteExA
ShellExecuteW
Shell_NotifyIconA
Imports from SHLWAPI.dll
PathFileExistsW
PathFileExistsA
Imports from USER32.dll
EmptyClipboard
GetForegroundWindow
GetKeyboardLayoutNameA
EnumWindows
SendInput
DefWindowProcA
FindWindowA
CreatePopupMenu
ShowWindow
GetClipboardData
GetWindowThreadProcessId
MessageBoxW
AppendMenuA
DispatchMessageA
UnhookWindowsHookEx
DrawIcon
TranslateMessage
GetKeyState
GetCursorPos
GetIconInfo
SetClipboardData
IsWindowVisible
GetWindowTextA
CloseWindow
SetForegroundWindow
SystemParametersInfoW
CallNextHookEx
GetWindowTextLengthA
CreateWindowExA
TrackPopupMenu
SetWindowsHookExA
GetKeyboardLayout
GetWindowTextW
CloseClipboard
RegisterClassExA
GetMessageA
ExitWindowsEx
OpenClipboard
Imports from WININET.dll
InternetReadFile
InternetOpenUrlA
InternetCloseHandle
InternetOpenA
Imports from WINMM.dll
waveInOpen
waveInPrepareHeader
waveInAddBuffer
waveInClose
waveInUnprepareHeader
waveInStop
waveInStart
Imports from WS2_32.dll
socket
recv
send
WSAStartup
gethostbyname
connect
inet_ntoa
htons
closesocket
WSAGetLastError
Imports from gdiplus.dll
GdipLoadImageFromStreamICM
GdipSaveImageToStream
GdipGetImageEncoders
GdipLoadImageFromStream
GdipFree
GdipSaveImageToFile
GdipAlloc
GdipDisposeImage
GdipCloneImage
GdiplusStartup
GdipGetImageEncodersSize
Imports from urlmon.dll
URLOpenBlockingStreamW
URLDownloadToFileW
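The import table above is the most useful static artefact on this page: the combinations (CreateProcessA + VirtualAllocEx + WriteProcessMemory + GetThreadContext + SetThreadContext + ResumeThread; SetWindowsHookExA + CallNextHookEx + GetKeyState; CreateDCA + GetDIBits + Gdip*; waveIn*; Open/GetClipboardData; WSAStartup + socket + connect + send + recv) are the classic footprints of process hollowing, keystroke hooking, screen and microphone capture, clipboard theft and a raw TCP command channel. The following is an added example, not code from the report or from the sample: a rule-based triage that turns a list of imported API names into capability tags. A rule fires only when every API it requires is present, so one stray import does not trigger it, and a near-miss helper flags rules that are one API short, which is what you see when the missing call is resolved at runtime through GetProcAddress instead of the static IAT. The sample list is a subset of the imports in this report; in practice you would feed the function from a PE parser (for example pefile's DIRECTORY_ENTRY_IMPORT), left out here so the code runs offline with no dependencies. The rule set and tag names are this example's own choices, not a published standard.

```python
"""Import-table capability triage (added example; not VirusTotal's or the sample's code)."""

# (tag, required APIs, supporting APIs). Rules are hand-written from the
# documented purpose of each Win32 API; tag names are this example's own.
CAPABILITY_RULES = [
    ("process-hollowing",
     {"CreateProcessA", "VirtualAllocEx", "WriteProcessMemory",
      "GetThreadContext", "SetThreadContext", "ResumeThread"},
     {"ReadProcessMemory", "CreateProcessW"}),
    ("keylogging-hook",
     {"SetWindowsHookExA", "CallNextHookEx", "UnhookWindowsHookEx"},
     {"GetKeyState", "GetKeyboardLayout", "GetKeyboardLayoutNameA",
      "GetForegroundWindow", "GetWindowTextA"}),
    ("screen-capture",
     {"CreateDCA", "CreateCompatibleDC", "CreateCompatibleBitmap", "GetDIBits"},
     {"StretchBlt", "GdipSaveImageToStream", "GdipGetImageEncoders"}),
    ("audio-capture",
     {"waveInOpen", "waveInStart", "waveInAddBuffer"},
     {"waveInStop", "waveInClose"}),
    ("clipboard-access",
     {"OpenClipboard", "GetClipboardData"},
     {"SetClipboardData", "EmptyClipboard"}),
    ("registry-persistence",
     {"RegCreateKeyA", "RegSetValueExA"},
     {"RegCreateKeyExA", "RegSetValueExW", "RegDeleteValueW"}),
    ("token-privilege-adjust",
     {"OpenProcessToken", "LookupPrivilegeValueA", "AdjustTokenPrivileges"},
     set()),
    ("raw-tcp-c2",
     {"WSAStartup", "socket", "connect", "send", "recv"},
     {"gethostbyname", "htons", "closesocket"}),
    ("http-download",
     {"InternetOpenA", "InternetOpenUrlA", "InternetReadFile"},
     {"URLDownloadToFileW", "URLOpenBlockingStreamW"}),
    ("process-enumeration",
     {"CreateToolhelp32Snapshot", "Process32FirstW", "Process32NextW"},
     {"OpenProcess", "TerminateProcess"}),
]


def triage(imports):
    """Return {tag: score} for every rule whose required set is fully present.
    score = matched APIs / all APIs in the rule: 1.0 means the complete
    pattern is there, a lower value means only its core."""
    present = set(imports)
    hits = {}
    for tag, required, supporting in CAPABILITY_RULES:
        if not required <= present:
            continue
        matched = len(required) + len(supporting & present)
        hits[tag] = round(matched / (len(required) + len(supporting)), 2)
    return hits


def near_misses(imports, slack=1):
    """Rules at most `slack` required APIs short of firing, with the missing
    names, for binaries whose static IAT is incomplete (packed, or resolving
    the sensitive call via GetProcAddress at runtime)."""
    present = set(imports)
    out = {}
    for tag, required, _ in CAPABILITY_RULES:
        missing = sorted(required - present)
        if 0 < len(missing) <= slack:
            out[tag] = missing
    return out


# Subset of the imports listed in the report above (transcribed, not parsed).
SAMPLE_IMPORTS = [
    "RegDeleteKeyA", "LookupPrivilegeValueA", "OpenProcessToken", "RegSetValueExW",
    "RegDeleteValueW", "AdjustTokenPrivileges", "RegSetValueExA", "RegCreateKeyExA",
    "RegCreateKeyA", "CreateDCA", "StretchBlt", "GetDIBits", "CreateCompatibleDC",
    "CreateCompatibleBitmap", "CreateToolhelp32Snapshot", "WriteProcessMemory",
    "VirtualAllocEx", "Process32NextW", "OpenProcess", "ReadProcessMemory",
    "GetThreadContext", "Process32FirstW", "ResumeThread", "SetThreadContext",
    "TerminateProcess", "CreateProcessA", "CreateProcessW", "GetForegroundWindow",
    "GetKeyboardLayoutNameA", "UnhookWindowsHookEx", "GetKeyState", "GetClipboardData",
    "SetClipboardData", "GetWindowTextA", "CallNextHookEx", "SetWindowsHookExA",
    "GetKeyboardLayout", "EmptyClipboard", "OpenClipboard", "InternetReadFile",
    "InternetOpenUrlA", "InternetOpenA", "waveInOpen", "waveInAddBuffer", "waveInClose",
    "waveInStop", "waveInStart", "socket", "recv", "send", "WSAStartup", "gethostbyname",
    "connect", "htons", "closesocket", "GdipSaveImageToStream", "GdipGetImageEncoders",
    "URLOpenBlockingStreamW", "URLDownloadToFileW",
]

if __name__ == "__main__":
    for tag, score in sorted(triage(SAMPLE_IMPORTS).items()):
        print(f"{tag:24s} {score}")
    print("near misses:", near_misses(SAMPLE_IMPORTS))
```

Run against the report's imports every rule fires at full score, which is consistent with the RemcosRAT/Rescoms verdicts above; on a packed sample you would expect a much shorter list and the near-miss output becomes the interesting part.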
Number of PE resources by type
RT_ICON 1
RT_RCDATA 1
RT_GROUP_ICON 1
Number of PE resources by language
ENGLISH US 2
NEUTRAL 1
PE resources
ExifTool file metadata
MIMEType: application/octet-stream
Subsystem: Windows GUI
MachineType: Intel 386 or later, and compatibles
FileTypeExtension: exe
TimeStamp: 2017:10:09 15:37:08+01:00
FileType: Win32 EXE
PEType: PE32
CodeSize: 69632
LinkerVersion: 6.0
ImageFileCharacteristics: Executable, No line numbers, No symbols, 32-bit
EntryPoint: 0x1167f
InitializedDataSize: 45056
SubsystemVersion: 4.0
ImageVersion: 0.0
OSVersion: 4.0
UninitializedDataSize: 0
Compressed bundles
File identification
MD5 56e77beb39d10ca1f8b5c19099bcbc71
SHA1 fd8ec8d31c647f1a52d039d08e443908c5601f35
SHA256 33e59ca297a8a51007846a52213d6cf2106360d6a49ab970877d80feb950fea3
ssdeep 3072:EPQu0Bk3a2TV38f+tt8s3PoM77YzkG2Gkz2t9+zGXoKrlw:EP50zsVsf+t60P1UzgGkan+zGXoyl
authentihash c26dd27c48a5cd721c9e81ce7210a571d6af0e7716587e563c3746b774e8419e
imphash f47e62eda1366730ec1af0eb5395be07
File size 116.0 KB ( 118784 bytes )
File type Win32 EXE
Magic literal
PE32 executable for MS Windows (GUI) Intel 80386 32-bit

TrID Win32 Executable MS Visual C++ (generic) (35.0%)
Win64 Executable (generic) (31.0%)
Windows screen saver (14.7%)
Win32 Dynamic Link Library (generic) (7.3%)
Win32 Executable (generic) (5.0%)
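Of the identifiers above, the imphash (f47e62eda1366730ec1af0eb5395be07) is the one worth understanding rather than just copying, because it survives recompilation of the same source and so lets you pivot across builds of one RAT family. The following is an added example, not VirusTotal's or pefile's code, though it follows the published algorithm (Mandiant, 2014): each import becomes "dll.function", lowercased, with the .dll/.ocx/.sys extension dropped and ordinal-only imports mapped to names where a table is known; the entries are joined with commas in import-directory order and MD5-hashed. The per-DLL grouping in SAMPLE_IMPORT_TABLE is an assumption made for illustration (the extracted import list above does not preserve its DLL headers), so the value this computes is not expected to match the report's imphash; the point is the normalisation, which is also why the hash changes whenever the import order does.

```python
"""Imphash derivation (added example; not VirusTotal's or pefile's code)."""
import hashlib

# Minimal ordinal -> name table for the one DLL in this sample that is often
# imported by ordinal. The real implementation also carries a table for
# oleaut32; anything not in a table hashes as "ordN".
ORDINAL_NAMES = {
    "ws2_32": {3: "closesocket", 4: "connect", 9: "htons", 12: "inet_ntoa",
               16: "recv", 19: "send", 23: "socket", 52: "gethostbyname",
               111: "wsagetlasterror", 115: "wsastartup"},
}


def normalise_dll(dll):
    """Lowercase the module name and strip a .dll/.ocx/.sys extension."""
    name = dll.lower()
    for ext in (".dll", ".ocx", ".sys"):
        if name.endswith(ext):
            return name[:-len(ext)]
    return name


def imphash_entries(import_table):
    """import_table: [(dll_name, [function_name | ordinal_int, ...]), ...]
    in import-directory order. Returns the normalised "dll.func" entries."""
    entries = []
    for dll, funcs in import_table:
        d = normalise_dll(dll)
        for f in funcs:
            if isinstance(f, int):
                f = ORDINAL_NAMES.get(d, {}).get(f, "ord%d" % f)
            entries.append("%s.%s" % (d, str(f).lower()))
    return entries


def imphash(import_table):
    """MD5 over the comma-joined entry list, as a lowercase hex string."""
    joined = ",".join(imphash_entries(import_table))
    return hashlib.md5(joined.encode("ascii")).hexdigest()


# Assumed DLL attribution for a few imports from the report (illustration only;
# the page does not show which module each name came from or the true order).
SAMPLE_IMPORT_TABLE = [
    ("ADVAPI32.dll", ["RegDeleteKeyA", "LookupPrivilegeValueA", "RegCloseKey"]),
    ("KERNEL32.dll", ["CreateToolhelp32Snapshot", "WriteProcessMemory", "VirtualAllocEx"]),
    ("WS2_32.dll", [23, 16, 19, "WSAStartup"]),
]

if __name__ == "__main__":
    print(",".join(imphash_entries(SAMPLE_IMPORT_TABLE)))
    print(imphash(SAMPLE_IMPORT_TABLE))
```

Two consequences follow directly from the normalisation: a build that imports ws2_32!socket by ordinal 23 hashes identically to one that imports it by name, and two binaries with the same set of imports in a different order do not share an imphash, so treat a mismatch as "different build", not "different family".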
Tags
peexe

VirusTotal metadata
First submission 2017-10-31 03:53:20 UTC
Last submission 2017-11-05 05:22:40 UTC
File names BACKDOOR.EXE
1024-fd8ec8d31c647f1a52d039d08e443908c5601f35
BACKDOOR.EXE
Condensed report! The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.
Opened files
Written files
Created processes
Code injections in the following processes
Created mutexes
Opened mutexes
Hooking activity
Runtime DLLs
Additional details
The file installs an application-defined hook procedure into a hook chain using the SetWindowsHookEx Windows API (the sample imports SetWindowsHookExA together with CallNextHookEx and UnhookWindowsHookEx). Hook procedures are installed to monitor the system for certain types of events, associated either with a specific thread or with all threads on the same desktop as the calling thread. Taken with the GetKeyState, GetKeyboardLayout and GetForegroundWindow imports above, this is consistent with keystroke logging.
DNS requests
TCP connections
UDP communications