SHA256: 3b892571387f41abcd6e0c8c6e2c2116083c5e49d7109618af245cf0de21d5bf
File name: 881e3813905ca209cace8c156ef1e4cdfa37bbf7
Detection ratio: 49 / 58
Analysis date: 2017-02-23 01:33:16 UTC ( 2 months ago )
Antivirus Result Update
Ad-Aware Gen:Variant.FakeAlert.93 20170223
AegisLab Troj.Downloader.W32.Adload!c 20170222
AhnLab-V3 Downloader/Win32.AdLoad.C1769029 20170222
Arcabit Trojan.FakeAlert.93 20170223
Avast Win32:Trojan-gen 20170223
Avira (no cloud) TR/Crypt.Xpack.kkbqa 20170222
AVware LooksLike.Win32.Upatre.mj (v) 20170223
Baidu Win32.Trojan.Kryptik.bhi 20170222
BitDefender Gen:Variant.FakeAlert.93 20170223
CAT-QuickHeal Trojan.Mupad 20170222
ClamAV Win.Trojan.Generic-5746909-0 20170223
Comodo TrojWare.Win32.Agent.DFJH 20170222
CrowdStrike Falcon (ML) malicious_confidence_91% (W) 20170130
Cyren W32/Trojan.SQIZ-1747 20170222
DrWeb Trojan.LoadMoney.2054 20170223
Emsisoft Gen:Variant.FakeAlert.93 (B) 20170223
Endgame malicious (high confidence) 20170222
ESET-NOD32 a variant of Win32/Kryptik.FNRM 20170223
F-Prot W32/S-ed0a49a9!Eldorado 20170223
F-Secure Gen:Variant.FakeAlert.93 20170222
Fortinet W32/Kryptik.COWS!tr 20170222
GData Gen:Variant.FakeAlert.93 20170223
Ikarus Trojan.Simda 20170222
Invincea backdoor.win32.simda.at 20170203
Jiangmin TrojanDownloader.Adload.ues 20170222
K7AntiVirus Trojan ( 004f58c41 ) 20170222
K7GW Trojan ( 004f58c41 ) 20170222
Kaspersky Trojan-Downloader.Win32.AdLoad.oxok 20170222
Malwarebytes Backdoor.Bot 20170223
McAfee PUP-FQH 20170223
McAfee-GW-Edition PUP-FQH 20170223
Microsoft Trojan:Win32/Mupad.A 20170223
eScan Gen:Variant.FakeAlert.93 20170223
NANO-Antivirus Trojan.Win32.AdLoad.elhpay 20170222
Panda Trj/Genetic.gen 20170222
Qihoo-360 Win32/Trojan.087 20170223
Rising Malware.Obscure/Heur!1.9E03 (cloud:nlVvgt3h1kN) 20170222
Sophos Mal/Generic-S 20170222
SUPERAntiSpyware PUP.Bundler/Variant 20170222
Symantec Trojan.Gen.2 20170222
Tencent Win32.Trojan-downloader.Adload.Ecai 20170223
TrendMicro TROJ_GEN.R021C0VB317 20170223
TrendMicro-HouseCall TROJ_GEN.R021C0VB317 20170222
VBA32 TrojanDownloader.Adload 20170222
VIPRE LooksLike.Win32.Upatre.mj (v) 20170223
ViRobot Trojan.Win32.Downloader.746496[h] 20170223
Webroot W32.Trojan.Gen 20170223
Yandex Trojan.DL.AdLoad!clUu54/+e+E 20170222
Zillya Downloader.AdLoadCRTD.Win32.10341 20170222
Alibaba 20170222
ALYac 20170223
Antiy-AVL 20170223
AVG 20170222
CMC 20170222
Kingsoft 20170223
nProtect 20170222
TheHacker 20170221
TotalDefense 20170222
Trustlook 20170223
WhiteArmor 20170222
Zoner 20170222
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
Authenticode signature block and FileVersionInfo properties
Signature verification Signed file, verified signature
Signers
[+] Link-Ist
Status Valid
Issuer COMODO RSA Code Signing CA
Valid from 1:00 AM 11/11/2016
Valid to 12:59 AM 7/22/2017
Valid usage Code Signing
Algorithm sha256RSA
Thumbprint F5B7D3C8276B44A0E36040078FD4E29F2EFAC3A6
Serial number 00 B2 A2 09 2B 4E 00 73 E8 D2 5C B8 D5 1F D0 0B 8F
[+] COMODO RSA Code Signing CA
Status Valid
Issuer COMODO RSA Certification Authority
Valid from 1:00 AM 5/9/2013
Valid to 12:59 AM 5/9/2028
Valid usage Code Signing
Algorithm sha384RSA
Thumbprint B69E752BBE88B4458200A7C0F4F5B3CCE6F35B47
Serial number 2E 7C 87 CC 0E 93 4A 52 FE 94 FD 1C B7 CD 34 AF
[+] COMODO SECURE™
Status Valid
Issuer COMODO RSA Certification Authority
Valid from 1:00 AM 1/19/2010
Valid to 12:59 AM 1/19/2038
Valid usage Server Auth, Client Auth, Email Protection, Code Signing, Timestamp Signing, EFS, IPSEC Tunnel, IPSEC User
Algorithm sha384RSA
Thumbprint AFE5D244A8D1194230FF479FE2F897BBCD7A8CB4
Serial number 4C AA F9 CA DB 63 6F E0 1F F7 4E D8 5B 03 86 9D
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2017-01-27 09:59:42
Entry Point 0x000015F3
Number of sections 4
PE sections
Overlays
MD5 389373eb33807bd70741827a79aa3217
File type raw G3 data
Offset 741376
Size 5120
Entropy 7.54
PE imports
LookupAccountNameA
CreatePen
GetLastError
HeapFree
GetStdHandle
SetStdHandle
SetHandleCount
GetOEMCP
LCMapStringA
HeapDestroy
HeapAlloc
GetEnvironmentStringsW
FlushFileBuffers
GetFileAttributesW
RtlUnwind
LoadLibraryA
FreeEnvironmentStringsA
GetStartupInfoA
GetEnvironmentStrings
GetCurrentDirectoryW
GetFileSize
LCMapStringW
UnhandledExceptionFilter
CreateDirectoryA
GetCurrentProcess
ExitProcess
MultiByteToWideChar
HeapSize
FreeEnvironmentStringsW
DeleteFileW
GetProcAddress
GetCurrentThread
SuspendThread
GetModuleHandleA
GetCPInfo
GetStringTypeA
SetFilePointer
WriteFile
InterlockedIncrement
CreateMutexW
CloseHandle
GetCommandLineA
GetACP
HeapReAlloc
GetStringTypeW
GetVersion
OpenSemaphoreW
TerminateProcess
GetModuleFileNameA
WideCharToMultiByte
HeapCreate
VirtualFree
FindClose
Sleep
GetFileType
SetFileAttributesW
GetTickCount
GetCurrentThreadId
GetProcessHeap
VirtualAlloc
LeaveCriticalSection
acmFormatChooseW
SysFreeString
MessageBoxA
SetProcessWindowStation
ShowWindow
IsIconic
CreateDesktopW
GetDC
DestroyWindow
SCardForgetReaderA
CoCreateInstance
CoUninitialize
Number of PE resources by type
RT_CURSOR 8
RT_ICON 3
RT_BITMAP 3
RT_GROUP_CURSOR 1
RT_MANIFEST 1
RT_VERSION 1
RT_GROUP_ICON 1
Number of PE resources by language
RUSSIAN 18
PE resources
ExifTool file metadata
UninitializedDataSize 0
LinkerVersion 6.0
ImageVersion 0.0
FileVersionNumber 3.54.121.279
LanguageCode Russian
FileFlagsMask 0x003f
CharacterSet Unicode
InitializedDataSize 684032
EntryPoint 0x15f3
MIMEType application/octet-stream
TimeStamp 2017:01:27 10:59:42+01:00
FileType Win32 EXE
PEType PE32
SubsystemVersion 4.0
OSVersion 4.0
FileOS Windows NT 32-bit
Subsystem Windows GUI
MachineType Intel 386 or later, and compatibles
CodeSize 61440
FileSubtype 0
ProductVersionNumber 3.54.121.279
FileTypeExtension exe
ObjectFileType Executable application
File identification
MD5 8b60faf122f4d69a270e6377a1150c4e
SHA1 434cd71a1503f0dc7615f6d6cdcc2bd3e1c7f7b8
SHA256 3b892571387f41abcd6e0c8c6e2c2116083c5e49d7109618af245cf0de21d5bf
ssdeep 12288:IoyddFYwAaaxwi9SPadfkIEIYgBWxuacNiMR0GCvFaZa:IoyddLUxwOSadNEDCW3cobv6a
authentihash 254be370b3d7f1b43a316cd465be9c0d3c557b5ee8877abdd8e1e06370b1c90f
imphash 356d091e799da7d5f745495a28ca3500
File size 729.0 KB ( 746496 bytes )
File type Win32 EXE
Magic literal PE32 executable for MS Windows (GUI) Intel 80386 32-bit
TrID Win32 Executable MS Visual C++ (generic) (42.2%)
Win64 Executable (generic) (37.3%)
Win32 Dynamic Link Library (generic) (8.8%)
Win32 Executable (generic) (6.0%)
Generic Win/DOS Executable (2.7%)
Tags peexe via-tor signed overlay
VirusTotal metadata
First submission 2017-02-01 11:43:54 UTC ( 2 months, 4 weeks ago )
Last submission 2017-02-23 01:33:16 UTC ( 2 months ago )
File names nethost.exe
881e3813905ca209cace8c156ef1e4cdfa37bbf7
output.106915308.txt
Condensed report! The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.
Opened files
Read files
Written files
Created processes
Code injections in the following processes
Opened mutexes
Runtime DLLs