SHA256: 340f274aa31eedb83d7189dc27cdfe17456cead3135934d7e8f1fe14618decc0
File name: Groundwa
Detection ratio: 43 / 57
Analysis date: 2015-06-08 19:47:12 UTC ( 2 years ago )
Antivirus Result Update
Ad-Aware Gen:Variant.Symmi.47165 20150608
Yandex TrojanSpy.Zbot!DF5qpstr/7A 20150608
AhnLab-V3 Trojan/Win32.VBKrypt 20150608
ALYac Gen:Variant.Symmi.47165 20150608
Antiy-AVL Trojan[Spy]/Win32.Zbot 20150608
Arcabit Trojan.Symmi.DB83D 20150608
Avast Win32:Injector-CIQ [Trj] 20150608
AVG Luhe.Gen.C 20150608
Avira (no cloud) TR/Spy.ZBot.258560.4 20150608
AVware Trojan.Win32.Generic!BT 20150608
Baidu-International Trojan.Win32.Zbot.uqwz 20150608
BitDefender Gen:Variant.Symmi.47165 20150608
CAT-QuickHeal VirTool.VBInject.LE3 20150608
Comodo TrojWare.Win32.Trojan.Zbot.~A 20150608
Cyren W32/Trojan.WLSU-2399 20150608
DrWeb Trojan.PWS.Panda.655 20150608
Emsisoft Gen:Variant.Symmi.47165 (B) 20150608
ESET-NOD32 a variant of Win32/Injector.BQTK 20150608
F-Secure Gen:Variant.Symmi.47165 20150608
Fortinet W32/Injector.BQPX!tr 20150608
GData Gen:Variant.Symmi.47165 20150608
Ikarus Trojan-Spy.Zbot 20150608
K7AntiVirus Trojan ( 004b1e011 ) 20150608
K7GW Trojan ( 004b1e011 ) 20150608
Kaspersky Trojan-Spy.Win32.Zbot.uqwz 20150608
Malwarebytes Trojan.Zbot.gen 20150608
McAfee Generic-FAVL!704551440192 20150608
McAfee-GW-Edition Generic-FAVL!704551440192 20150608
Microsoft Trojan:Win32/Bagsu!rfn 20150608
eScan Gen:Variant.Symmi.47165 20150608
nProtect Trojan-Spy/W32.ZBot.258560.BM 20150608
Panda Trj/CI.A 20150608
Qihoo-360 HEUR/QVM03.0.Malware.Gen 20150608
Rising PE:Malware.XPACK-HIE/Heur!1.9C48 20150608
Sophos Mal/Generic-S 20150608
Symantec Trojan.Gen.2 20150608
Tencent Trojan.Win32.Qudamah.Gen.17 20150608
TheHacker Trojan/Injector.bqtk 20150607
TrendMicro TROJ_FRS.BMA000L914 20150608
TrendMicro-HouseCall TROJ_FRS.BMA000L914 20150608
VBA32 TrojanSpy.Zbot 20150608
VIPRE Trojan.Win32.Generic!BT 20150608
ViRobot Trojan.Win32.S.Zbot.258560.Z[h] 20150608
AegisLab 20150608
Alibaba 20150608
Bkav 20150608
ByteHero 20150608
ClamAV 20150608
CMC 20150604
F-Prot 20150608
Jiangmin 20150608
Kingsoft 20150608
NANO-Antivirus 20150608
SUPERAntiSpyware 20150608
TotalDefense 20150608
Zillya 20150608
Zoner 20150608
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
FileVersionInfo properties
Publisher TeraByte Unlimited
Product Fauterer
Original name Groundwa.exe
Internal name Groundwa
File version 1.01.0007
Description Callipho vodum
Comments ® Psycotrack 2014
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2014-12-04 18:31:40
Entry Point 0x00001478
Number of sections 3
PE sections
Overlays
MD5 90e23f04d4dcfbebdce4d4102b1c0633
File type data
Offset 258048
Size 512
Entropy 7.61
PE imports
_adj_fdivr_m64
_allmul
Ord(527)
_adj_fprem
Ord(714)
__vbaRedim
_adj_fdiv_r
__vbaChkstk
__vbaObjSetAddref
Ord(517)
__vbaHresultCheckObj
__vbaR8Str
_CIlog
Ord(595)
_adj_fptan
__vbaFileClose
__vbaI4Var
__vbaFreeStr
__vbaFreeStrList
Ord(609)
_adj_fdiv_m16i
EVENT_SINK_QueryInterface
Ord(648)
Ord(617)
Ord(707)
__vbaInStr
_adj_fdiv_m32i
__vbaExceptHandler
__vbaSetSystemError
DllFunctionCall
Ord(589)
__vbaDerefAry1
__vbaFreeVar
__vbaLbound
__vbaFileOpen
Ord(571)
__vbaAryLock
EVENT_SINK_Release
Ord(704)
_adj_fdivr_m32i
Ord(541)
__vbaStrCat
__vbaVarDup
_adj_fdiv_m32
Ord(523)
__vbaStrCmp
__vbaAryUnlock
__vbaFreeObjList
Ord(538)
__vbaFreeVarList
__vbaStrVarMove
Ord(618)
__vbaFreeObj
_adj_fdivr_m32
Ord(660)
__vbaVarIdiv
_CIcos
Ord(713)
__vbaDateVar
__vbaObjSet
__vbaVarMove
__vbaErrorOverflow
__vbaNew2
__vbaAryDestruct
__vbaStrMove
_adj_fprem1
_adj_fdiv_m64
Ord(563)
__vbaWriteFile
Ord(691)
__vbaEnd
Ord(685)
_adj_fpatan
EVENT_SINK_AddRef
__vbaStrCopy
__vbaFPException
_adj_fdivr_m16i
Ord(100)
Ord(599)
_CIsin
_CIsqrt
_CIatan
Ord(587)
__vbaR8Var
Ord(672)
_CIexp
_CItan
__vbaFpI4
Ord(598)
Number of PE resources by type
RT_ICON 8
RT_VERSION 1
RT_GROUP_ICON 1
Number of PE resources by language
NEUTRAL 9
ENGLISH US 1
PE resources
ExifTool file metadata
UninitializedDataSize 0
Comments Psycotrack 2014
LinkerVersion 6.0
ImageVersion 1.1
FileSubtype 0
FileVersionNumber 1.1.0.7
LanguageCode English (U.S.)
FileFlagsMask 0x0000
CharacterSet Unicode
InitializedDataSize 32768
EntryPoint 0x1478
OriginalFileName Groundwa.exe
MIMEType application/octet-stream
FileVersion 1.01.0007
TimeStamp 2014:12:04 19:31:40+01:00
FileType Win32 EXE
PEType PE32
InternalName Groundwa
SubsystemVersion 4.0
ProductVersion 1.01.0007
FileDescription Callipho vodum
OSVersion 4.0
FileOS Win32
Subsystem Windows GUI
MachineType Intel 386 or later, and compatibles
CompanyName TeraByte Unlimited
CodeSize 225280
ProductName Fauterer
ProductVersionNumber 1.1.0.7
FileTypeExtension exe
ObjectFileType Executable application

File identification
MD5 70455144019254c1e663305c2f429893
SHA1 41d62f2c95bb660392aaf6f10867aca0cdbf6e53
SHA256 340f274aa31eedb83d7189dc27cdfe17456cead3135934d7e8f1fe14618decc0
ssdeep 6144:VHZDCpIl1eM0e+NSWfUh417GD4Cd/0UcBk:hYuLJU7GxdsUci

authentihash 6132b73c4bd6ccbc99b1d0728bbd320cecd911fb9384fb27ae3bdd89daeefaa5
imphash 241d5c59c2bd8f7ba4a341ea2e6a86c1
File size 252.5 KB ( 258560 bytes )
File type Win32 EXE
Magic literal PE32 executable for MS Windows (GUI) Intel 80386 32-bit

TrID Win32 Executable Microsoft Visual Basic 6 (69.4%)
Win64 Executable (generic) (23.3%)
Win32 Executable (generic) (3.8%)
Generic Win/DOS Executable (1.6%)
DOS Executable Generic (1.6%)
Tags
peexe overlay

VirusTotal metadata
First submission 2014-12-05 13:48:16 UTC ( 2 years, 6 months ago )
Last submission 2014-12-12 17:04:50 UTC ( 2 years, 6 months ago )
File names 70455144019254c1e663305c2f429893
Groundwa.exe
Groundwa
Malware (14).scr
file-7776135_scr
340f274aa31eedb83d7189dc27cdfe17456cead3135934d7e8f1fe14618decc0.exe
Advanced heuristic and reputation engines
Symantec reputation Suspicious.Insight
Condensed report! The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.
Created processes
Terminated processes
Opened mutexes
Hooking activity
Runtime DLLs
Additional details
The file sends control codes directly to certain device drivers making use of the DeviceIoControl Windows API function.
The file installs an application-defined hook procedure into a hook chain. You would install a hook procedure to monitor the system for certain types of events. These events are associated either with a specific thread or with all threads in the same desktop as the calling thread. This is done making use of the SetWindowsHook Windows API function.