SHA256: 347a38e615e2431e19159cf947b4e21646e1c648ba47c7512bd3e7b0444bbde0
File name: message_zdm.exe
Detection ratio: 47 / 57
Analysis date: 2015-02-15 15:37:28 UTC ( 2 months, 2 weeks ago )
Antivirus | Result | Update
ALYac | Trojan.Generic.KD.887581 | 20150215
AVG | Generic31.CLRM | 20150215
AVware | Trojan.Win32.Generic!BT | 20150215
Ad-Aware | Trojan.Generic.KD.887581 | 20150215
Agnitum | Trojan.PWS.Tepfer!GQ3a40SIPFk | 20150215
AhnLab-V3 | Trojan/Win32.FakeAV | 20150215
Antiy-AVL | Trojan[PSW]/Win32.Tepfer | 20150215
Avast | Win32:LockScreen-SL [Trj] | 20150215
Avira | TR/Kazy.151233.2 | 20150215
Baidu-International | Trojan.Win32.Katusha.FE | 20150215
BitDefender | Trojan.Generic.KD.887581 | 20150215
CAT-QuickHeal | Trojan.Urausy.C | 20150214
Comodo | TrojWare.Win32.Kryptik.AVZX | 20150215
Cyren | W32/SuspPack.EX.gen!Eldorado | 20150215
DrWeb | Trojan.Packed.24465 | 20150215
ESET-NOD32 | Win32/PSW.Fareit.A | 20150215
Emsisoft | Trojan.Generic.KD.887581 (B) | 20150215
F-Prot | W32/SuspPack.EX.gen!Eldorado | 20150215
F-Secure | Trojan.Generic.KD.887581 | 20150215
Fortinet | W32/Tepfer.A!tr.pws | 20150215
GData | Trojan.Generic.KD.887581 | 20150215
Ikarus | Trojan-PWS.Win32.Fareit | 20150215
Jiangmin | Trojan/PSW.Tepfer.bjdw | 20150214
K7AntiVirus | Riskware ( 0040eff71 ) | 20150215
K7GW | Riskware ( 0040eff71 ) | 20150215
Kaspersky | Trojan-PSW.Win32.Tepfer.gsof | 20150215
Kingsoft | Win32.Troj.Generic.a.(kcloud) | 20150215
Malwarebytes | Trojan.LameShield | 20150215
McAfee | BackDoor-FJW | 20150215
McAfee-GW-Edition | BehavesLike.Win32.FakeAlert.cc | 20150214
MicroWorld-eScan | Trojan.Generic.KD.887581 | 20150215
Microsoft | PWS:Win32/Fareit | 20150215
NANO-Antivirus | Trojan.Win32.AgentAAIK.bvhppe | 20150215
Norman | Kryptik.RMX | 20150215
Panda | Trj/Agent.IVN | 20150215
Qihoo-360 | Win32/Trojan.PSW.6d5 | 20150215
Rising | PE:Trojan.Win32.Generic.1436A19E!339124638 | 20150215
Sophos | Troj/Zbot-ECS | 20150215
Symantec | W32.Qakbot | 20150215
Tencent | Win32.Trojan-qqpass.Qqrob.Wqdi | 20150215
TotalDefense | Win32/Fareit.FW | 20150215
TrendMicro | TSPY_FAREIT.PVR | 20150215
TrendMicro-HouseCall | TSPY_FAREIT.PVR | 20150215
VBA32 | OScope.Trojan.Hlux.01732 | 20150213
VIPRE | Trojan.Win32.Generic!BT | 20150215
Zillya | Trojan.Tepfer.Win32.38366 | 20150215
nProtect | Trojan-PWS/W32.Tepfer.130048.D | 20150213
AegisLab | (no detection) | 20150215
Alibaba | (no detection) | 20150215
Bkav | (no detection) | 20150213
ByteHero | (no detection) | 20150215
CMC | (no detection) | 20150214
ClamAV | (no detection) | 20150215
SUPERAntiSpyware | (no detection) | 20150215
TheHacker | (no detection) | 20150213
ViRobot | (no detection) | 20150215
Zoner | (no detection) | 20150213
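The table above is what an analyst usually reduces to two numbers: how many engines fire, and which family name the labels agree on. The following is an added example (not VirusTotal's own logic) that parses rows in the page's "engine result update" layout and derives both. REPORT_ROWS is constructed from a subset of the table on this page; the stop-word list and the family-token rule (alphabetic, at least four characters, not a category or platform word) are assumptions of this example.

```python
"""Parse an antivirus result table and derive a detection ratio and family consensus.

Added example, not VirusTotal's code. REPORT_ROWS is a constructed subset of
the table on this page; STOP_WORDS and the family-token rule are assumptions.
"""
import re
from collections import Counter

# Constructed input: "<engine> [<result>] <update>", one line per engine, in
# the page's own layout. A row without a result means "no detection".
REPORT_ROWS = """\
ALYac Trojan.Generic.KD.887581 20150215
Agnitum Trojan.PWS.Tepfer!GQ3a40SIPFk 20150215
Antiy-AVL Trojan[PSW]/Win32.Tepfer 20150215
Avast Win32:LockScreen-SL [Trj] 20150215
ESET-NOD32 Win32/PSW.Fareit.A 20150215
Fortinet W32/Tepfer.A!tr.pws 20150215
Ikarus Trojan-PWS.Win32.Fareit 20150215
Jiangmin Trojan/PSW.Tepfer.bjdw 20150214
K7AntiVirus Riskware ( 0040eff71 ) 20150215
Kaspersky Trojan-PSW.Win32.Tepfer.gsof 20150215
Microsoft PWS:Win32/Fareit 20150215
Sophos Troj/Zbot-ECS 20150215
Symantec W32.Qakbot 20150215
TrendMicro TSPY_FAREIT.PVR 20150215
AegisLab 20150215
ClamAV 20150215
Zoner 20150213
"""

# engine, optional free-text result (may contain spaces), 8-digit signature date
ROW_RE = re.compile(r"^(?P<engine>\S+)(?:\s+(?P<result>.+?))?\s+(?P<update>\d{8})$")

# Category and platform words that appear in most labels and carry no family
# information (assumed list; extend it per vendor).
STOP_WORDS = {
    "trojan", "troj", "trojware", "generic", "win32", "w32", "pws", "psw",
    "trj", "tspy", "riskware", "backdoor", "packed", "agent", "gen",
    "eldorado", "behaveslike", "oscope", "kcloud", "variant", "heur", "malware",
}


def parse_rows(text):
    """Return one dict per row: engine, result (None if undetected), update."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = ROW_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparseable row: {line!r}")
        rows.append(m.groupdict())
    return rows


def detection_ratio(rows):
    """(detected, total): the figure the report prints as 'Detection ratio'."""
    detected = sum(1 for r in rows if r["result"] is not None)
    return detected, len(rows)


def family_tokens(result):
    """Candidate family names from one label, e.g. 'Trojan-PSW.Win32.Tepfer.gsof' -> {'tepfer', 'gsof'}."""
    tokens = re.split(r"[^a-z0-9]+", result.lower())
    return {t for t in tokens if len(t) >= 4 and t.isalpha() and t not in STOP_WORDS}


def family_consensus(rows, top=3):
    """Most frequent family tokens; each engine votes at most once per token."""
    votes = Counter()
    for r in rows:
        if r["result"] is not None:
            votes.update(family_tokens(r["result"]))
    return votes.most_common(top)


if __name__ == "__main__":
    rows = parse_rows(REPORT_ROWS)
    print("detection ratio: %d / %d" % detection_ratio(rows))
    print("family consensus:", family_consensus(rows))
```

On the subset the two leading tokens are "tepfer" and "fareit"; they are separate vendor naming conventions for the same kind of label, so a real pipeline adds a vendor alias map on top of this token count rather than trusting raw string frequency.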
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2013-01-23 18:07:20 (UTC; this field is written by the linker and is trivially forged, so treat it as a hint rather than evidence of build time)
Link date 7:07 PM 1/23/2013 (the same timestamp rendered in UTC+01:00, matching the ExifTool TimeStamp below)
Entry Point 0x000010C0
Number of sections 4
PE sections
PE imports
RegCloseKey
DllUnregisterServer
DllGetClassObject
DllCanUnloadNow
DllRegisterServer
EnterCriticalSection
lstrlenA
GlobalFree
SetEvent
GetEnvironmentStringsW
GetTickCount
VirtualProtect
LoadLibraryA
RemoveDirectoryA
GetStartupInfoA
GetFileSize
CreateDirectoryA
DeleteFileA
CreateDirectoryW
GetCommandLineA
OpenMutexA
CloseHandle
GetModuleFileNameA
WriteConsoleA
OpenSemaphoreA
Sleep
ReadConsoleW
CreateFileA
SetLastError
SetFocus
GetWindowLongA
GetClassInfoA
DispatchMessageA
CallWindowProcW
IsZoomed
IsWindow
PeekMessageA
DestroyMenu
DrawTextW
FindWindowA
GetSysColor
Number of PE resources by type
RT_ICON 1
Number of PE resources by language
RUSSIAN 1
ExifTool file metadata
MIMEType application/octet-stream
Subsystem Windows GUI
MachineType Intel 386 or later, and compatibles
TimeStamp 2013:01:23 19:07:20+01:00
FileType Win32 EXE
PEType PE32
CodeSize 4096
LinkerVersion 12.0
FileAccessDate 2015:02:15 16:37:54+01:00
EntryPoint 0x10c0
InitializedDataSize 124928
SubsystemVersion 4.0
ImageVersion 0.0
OSVersion 5.0
FileCreateDate 2015:02:15 16:37:54+01:00
UninitializedDataSize 0
Compressed bundles
File identification
MD5 6e360aca1be5569a681832df8b16f320
SHA1 bdcae4d1fd952c66f9b47250506d3f58fd2db56f
SHA256 347a38e615e2431e19159cf947b4e21646e1c648ba47c7512bd3e7b0444bbde0
ssdeep 1536:ls6A7zJw7KOAmCADAFw7K6skMmH0iG8Oi3tw9QUtiFDIb3pArcvKe11fUc50K/ei:lLPhrUnvpmLw9QQssbZHv3ffd/bUQI8
authentihash 52c81ba8a523e234e2f2b744fa38cb07f85a922120466466bd16f81de52d0a65
imphash f6f3fcf5dd77969d1ec68a4585d3bbe9
File size 127.0 KB ( 130048 bytes )
File type Win32 EXE
Magic literal
PE32 executable for MS Windows (GUI) Intel 80386 32-bit

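Of the identifiers above, the imphash is the one worth understanding rather than just copying: it is an MD5 over the import table in link order, so it survives recompilation with the same toolchain and library set but changes when the link order does. The following added example (not the page's or VirusTotal's code) implements the canonicalisation as it is commonly done (lowercase, strip .dll/.ocx/.sys, ordinals rendered as ordN, entries joined with commas, MD5). SAMPLE_IMPORTS is constructed: the report lists function names but not the DLL each comes from, so the DLL assignment and order here are assumptions and the result will not reproduce the page's f6f3fcf5dd77969d1ec68a4585d3bbe9.

```python
"""Compute an import hash (imphash) from a DLL -> functions import table.

Added example, not the page's or VirusTotal's code. SAMPLE_IMPORTS is a
constructed table: the DLL grouping and order are assumptions, so the hash
below is not the one in this report.
"""
import hashlib

# Constructed import table: (DLL name as it appears in the import directory,
# imported functions in table order; an int means import by ordinal).
SAMPLE_IMPORTS = [
    ("ADVAPI32.dll", ["RegCloseKey"]),
    ("KERNEL32.dll", ["EnterCriticalSection", "lstrlenA", "VirtualProtect",
                      "LoadLibraryA", "OpenMutexA"]),
    ("USER32.dll", ["SetFocus", "FindWindowA", "PeekMessageA"]),
    ("COMCTL32.dll", [17]),  # hypothetical import by ordinal, to show the ordN form
]


def canonical_import_string(imports):
    """Build the comma-joined 'dll.function' list that gets hashed."""
    parts = []
    for dll, funcs in imports:
        name = dll.lower()
        base, dot, ext = name.rpartition(".")
        if dot and ext in ("dll", "ocx", "sys"):  # only these extensions are stripped
            name = base
        for func in funcs:
            label = f"ord{func}" if isinstance(func, int) else func.lower()
            parts.append(f"{name}.{label}")
    return ",".join(parts)


def imphash(imports) -> str:
    """MD5 of the canonical import string, as a 32-character hex digest."""
    return hashlib.md5(canonical_import_string(imports).encode("ascii")).hexdigest()


if __name__ == "__main__":
    print(canonical_import_string(SAMPLE_IMPORTS))
    print(imphash(SAMPLE_IMPORTS))
    # Same DLLs and functions in a different link order give a different hash.
    print(imphash(list(reversed(SAMPLE_IMPORTS))))
```

Two caveats when pivoting on this value: tools such as pefile additionally translate well-known ordinals of a few system DLLs back to names before hashing, which this example does not do, and a packed sample (several engines above label this one as packed or Kryptik) typically imports only LoadLibraryA/GetProcAddress, so its imphash describes the packer stub rather than the payload.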
TrID Generic Win/DOS Executable (49.9%)
DOS Executable Generic (49.8%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.1%)
Tags
peexe

VirusTotal metadata
First submission 2013-03-05 21:40:54 UTC ( 2 years, 2 months ago )
Last submission 2013-04-04 01:44:13 UTC ( 2 years, 1 month ago )
File names
message_zdm.exe
inc_wire_report#{DIGIT[14]}.exe
Advanced heuristic and reputation engines
Symantec reputation Suspicious.Insight
Condensed report! The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.
Opened files
Read files
Written files
Deleted files
Set keys
Created processes
Shell commands
Code injections in the following processes
Created mutexes
Opened mutexes
Opened service managers
Opened services
Runtime DLLs
Additional details
The file sends control codes directly to certain device drivers making use of the DeviceIoControl Windows API function.
HTTP requests
DNS requests
TCP connections
UDP communications