SHA256: 3a6baa238e2660ff4e95adcd16575d69e51b1d8e339a0f4cd2cad8e1573f7018
File name: 97980226fad9f65b1936295905a8ffe5.exe
Detection ratio: 57 / 65
Analysis date: 2017-12-06 17:37:03 UTC (1 year, 1 month ago)
Antivirus Result Update
Ad-Aware Trojan.Encpk.Gen.4 20171206
AegisLab Troj.Spy.W32.Zbot.njxu!c 20171206
AhnLab-V3 Trojan/Win32.Zbot.R74795 20171206
ALYac Trojan.Encpk.Gen.4 20171206
Antiy-AVL Trojan[Spy]/Win32.Zbot 20171206
Arcabit Trojan.Encpk.Gen.4 20171206
Avast Win32:Injector-BGH [Trj] 20171206
AVG Win32:Injector-BGH [Trj] 20171206
Avira (no cloud) TR/Dldr.Recslurp.cln 20171206
AVware TrojanPWS.Win32.Fareit.aa (v) 20171206
Baidu Win32.Trojan.WisdomEyes.16070401.9500.9962 20171206
BitDefender Trojan.Encpk.Gen.4 20171206
Bkav W32.TevolayLTG.Trojan 20171206
CAT-QuickHeal Trojan.Generic 20171206
ClamAV Win.Trojan.Zbot-57715 20171206
Comodo TrojWare.Win32.Injector.AKLC 20171206
CrowdStrike Falcon (ML) malicious_confidence_90% (W) 20171016
Cybereason malicious.1b8fb7 20171103
Cylance Unsafe 20171206
Cyren W32/S-5e76b6eb!Eldorado 20171206
DrWeb Trojan.DownLoad3.8872 20171206
Emsisoft Trojan.Encpk.Gen.4 (B) 20171206
Endgame malicious (high confidence) 20171130
ESET-NOD32 a variant of Win32/Injector.AOWP 20171206
F-Prot W32/S-5e76b6eb!Eldorado 20171206
F-Secure Trojan.Encpk.Gen.4 20171206
Fortinet W32/Kryptik.ADF!tr 20171206
GData Trojan.Encpk.Gen.4 20171206
Ikarus Trojan-Downloader.Win32.Cutwail 20171206
Sophos ML heuristic 20170914
Jiangmin TrojanSpy.Zbot.doan 20171206
K7AntiVirus Riskware ( 0040eff71 ) 20171205
K7GW Riskware ( 0040eff71 ) 20171206
Kaspersky HEUR:Trojan.Win32.Generic 20171206
Kingsoft Win32.HeurC.KVMH008.a.(kcloud) 20171206
Malwarebytes Trojan.Injector 20171206
MAX malware (ai score=100) 20171206
McAfee Generic-FANR!97980226FAD9 20171206
McAfee-GW-Edition BehavesLike.Win32.Generic.cc 20171206
Microsoft TrojanDownloader:Win32/Cutwail 20171206
eScan Trojan.Encpk.Gen.4 20171206
NANO-Antivirus Trojan.Win32.Zbot.cqzfqi 20171206
Panda Trj/Genetic.gen 20171206
Qihoo-360 Win32/Trojan.271 20171206
SentinelOne (Static ML) static engine - malicious 20171113
Sophos AV Troj/Zbot-FTB 20171206
SUPERAntiSpyware Trojan.Agent/Gen-Dropper 20171206
Symantec Packed.Generic.436 20171206
Tencent Win32.Trojan.Generic.Hupk 20171206
TheHacker Trojan/Injector.ajxz 20171205
VBA32 BScope.Malware-Cryptor.Dubadryn 20171206
VIPRE TrojanPWS.Win32.Fareit.aa (v) 20171206
ViRobot Spyware.Zbot.109388 20171206
Webroot W32.Malware.Gen 20171206
Yandex TrojanSpy.Zbot!Or6RZao3biI 20171205
Zillya Trojan.Zbot.Win32.127308 20171206
ZoneAlarm by Check Point HEUR:Trojan.Win32.Generic 20171206
Alibaba 20171206
Avast-Mobile 20171206
CMC 20171206
eGambit 20171206
nProtect 20171206
Palo Alto Networks (Known Signatures) 20171206
Rising 20171206
Symantec Mobile Insight 20171206
Trustlook 20171206
WhiteArmor 20171204
Zoner 20171206
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
Packers identified
F-PROT UPX
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2013-07-16 15:51:11
Entry Point 0x00024C10
Number of sections 3
PE sections
Overlays
MD5 bc7eaa77d59cd883e8df4e303d053611
File type data
Offset 60928
Size 48460
Entropy 7.97
PE imports
InitCommonControlsEx
ChooseColorA
VirtualFree
ExitProcess
VirtualProtect
LoadLibraryA
VirtualAlloc
GetProcAddress
CoInitialize
EnumWindows
Number of PE resources by type
RT_ICON 1
RT_VERSION 1
RT_GROUP_ICON 1
Number of PE resources by language
ENGLISH US 3
PE resources
ExifTool file metadata
UninitializedDataSize 90112
InitializedDataSize 4096
ImageVersion 0.0
FileVersionNumber 0.0.0.0
FileFlagsMask 0x0000
LinkerVersion 2.5
EntryPoint 0x24c10
MIMEType application/octet-stream
TimeStamp 2013:07:16 16:51:11+01:00
FileType Win32 EXE
PEType PE32
SubsystemVersion 4.0
OSVersion 4.0
FileOS DOS
Subsystem Windows GUI
MachineType Intel 386 or later, and compatibles
CodeSize 57344
FileSubtype 0
ProductVersionNumber 0.0.0.0
Warning Possibly corrupt Version resource
FileTypeExtension exe
ObjectFileType Dynamic link library
File identification
MD5 97980226fad9f65b1936295905a8ffe5
SHA1 ba9087d74bc3ccb0b8b1b8bfe233f5be10dea073
SHA256 3a6baa238e2660ff4e95adcd16575d69e51b1d8e339a0f4cd2cad8e1573f7018
ssdeep 3072:5ArpJd5YCr+s/wghwJQP/0fNfJQzLb3EXxPR+gOknzK:5ArTdaCys/8C6NaAX2gOoK
authentihash ec367f89200e96ac69b56019d048ec2870aa542df15f0543dda4fe1c942e783a
imphash ab100b506f78c2ea16cf07574117a12c
File size 106.8 KB (109388 bytes)
File type Win32 EXE
Magic literal PE32 executable for MS Windows (GUI) Intel 80386 32-bit
TrID Win32 EXE Yoda's Crypter (75.6%)
Win32 Executable (generic) (12.8%)
Generic Win/DOS Executable (5.7%)
DOS Executable Generic (5.6%)
VXD Driver (0.0%)
Tags peexe upx overlay
VirusTotal metadata
First submission 2013-07-17 06:30:27 UTC (5 years, 6 months ago)
Last submission 2017-12-06 17:37:03 UTC (1 year, 1 month ago)
File names 6-b1712.exe
vt-upload-BGxLt
aa
3ce4a83d69390399a55d44a7db381f53-3ce4a83d69390399a55d44a7db381f53-1374042602
output.13139932.txt
97980226fad9f65b1936295905a8ffe5.exe
13139932
vt-upload-K4EYO
vt-upload-rN4i0
vt-upload-j64AW
malekal_97980226fad9f65b1936295905a8ffe5
file-5822753_exe
vt-upload-HkUY3
vt-upload-FRy3q
vt-upload-YAWMd
Advanced heuristic and reputation engines
ClamAV
Possibly Unwanted Application. While not necessarily malicious, the scanned file presents certain characteristics which, depending on the user policies and environment, may or may not represent a threat. For full details see: https://www.clamav.net/documents/potentially-unwanted-applications-pua
Symantec reputation Suspicious.Insight
Condensed report! The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.
Opened files
Read files
Runtime DLLs
Additional details
The file sends control codes directly to certain device drivers making use of the DeviceIoControl Windows API function.
UDP communications