SHA256: 3ee748db803e99f4756c1d72b5f1d43a3ee89215fc683f2d019f571d26bbbba7
File name: drtSrv.exe
Detection ratio: 50 / 52
Analysis date: 2016-07-19 13:38:19 UTC ( 2 years, 7 months ago )
Antivirus Result Update
Ad-Aware Trojan.Generic.6664677 20160719
AegisLab Backdoor.W32.IRCNite.cbz!c 20160719
AhnLab-V3 Backdoor/Win32.IRCNite.N563361442 20160719
ALYac Trojan.Generic.6664677 20160719
Antiy-AVL Trojan[Backdoor]/Win32.IRCNite 20160719
Arcabit Trojan.Generic.D65B1E5 20160719
Avast Win32:Malware-gen 20160719
AVG BackDoor.Generic14.CFVT 20160719
AVware Trojan.Win32.Generic!BT 20160719
Baidu Win32.Trojan.WisdomEyes.151026.9950.9999 20160719
BitDefender Trojan.Generic.6664677 20160719
Bkav W32.0422InfectDropper.Worm 20160719
CAT-QuickHeal Trojan.Quolko.A 20160719
ClamAV Win.Trojan.IRCNite-41 20160719
CMC Backdoor.Win32.IRCNite!O 20160715
Comodo TrojWare.Win32.Kryptik.hty 20160719
Cyren W32/Agent.TX.gen!Eldorado 20160719
DrWeb Win32.Rmnet.8 20160719
Emsisoft Trojan.Generic.6664677 (B) 20160719
ESET-NOD32 Win32/Ramnit.A 20160719
F-Prot W32/Agent.TX.gen!Eldorado 20160719
F-Secure Trojan.Generic.6664677 20160719
Fortinet W32/Qbot.AEM!tr 20160719
GData Trojan.Generic.6664677 20160719
Ikarus Backdoor.Win32.Protector 20160719
Jiangmin Trojan/Generic.wteh 20160719
K7AntiVirus Trojan ( 001be9061 ) 20160719
K7GW Trojan ( 001be9061 ) 20160719
Kaspersky Backdoor.Win32.IRCNite.cbz 20160719
Kingsoft Win32.Hack.IRCNite.(kcloud) 20160719
Malwarebytes Spyware.Zbot.XGen 20160719
McAfee W32/Ramnit-FNZ!8FAD203EEB49 20160719
McAfee-GW-Edition BehavesLike.Win32.Ramnit.kc 20160719
Microsoft Worm:Win32/Ramnit.A 20160719
eScan Trojan.Generic.6664677 20160719
NANO-Antivirus Trojan.Win32.Siggen3.cvyizl 20160719
nProtect Trojan/W32.Agent.69120.RP 20160719
Panda Generic Malware 20160719
Qihoo-360 Malware.Radar01.Gen 20160719
Sophos AV Mal/Agent-IE 20160719
SUPERAntiSpyware Trojan.Agent/Gen-Kryptik 20160719
Symantec Trojan.Bamital!gen2 20160719
Tencent Backdoor.Win32.Ircnite.aaa 20160719
TheHacker Posible_Worm32 20160719
TrendMicro TROJ_GEN.R0C1C0CA716 20160719
VBA32 Trojan.MTA.01056 20160719
VIPRE Trojan.Win32.Generic!BT 20160718
ViRobot Trojan.Win32.Z.Ircnite.69120[h] 20160719
Zillya BackDoor.IRCNite.Win32.4 20160719
Zoner Worm.Ramnit.A 20160719
Alibaba 20160719
TrendMicro-HouseCall 20160719
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
Packers identified
Command UPX
F-PROT UPX
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2006-10-27 09:44:18
Entry Point 0x0003F880
Number of sections 3
PE sections
PE imports
VirtualFree
ExitProcess
VirtualProtect
LoadLibraryA
VirtualAlloc
GetProcAddress
SetParent
Number of PE resources by type
RT_DIALOG 1
Number of PE resources by language
RUSSIAN 1
PE resources
ExifTool file metadata
MIMEType application/octet-stream
Subsystem Windows GUI
MachineType Intel 386 or later, and compatibles
TimeStamp 2006:10:27 10:44:18+01:00
FileType Win32 EXE
PEType PE32
CodeSize 65536
LinkerVersion 9.1
FileTypeExtension exe
InitializedDataSize 4096
SubsystemVersion 4.0
EntryPoint 0x3f880
OSVersion 5.4
ImageVersion 6.3
UninitializedDataSize 192512
Execution parents
File identification
MD5 8fad203eeb49377a51d1a3bc2dd66965
SHA1 87333af54b65436f552c17c040e44f753e9f0c63
SHA256 3ee748db803e99f4756c1d72b5f1d43a3ee89215fc683f2d019f571d26bbbba7
ssdeep 1536:Du1J3s57Dw0IJ4UrsGNtewwYTNaPAm51/tEa8vHSh:m2vTIyAjtVTNaPAm51VEa8vS
authentihash deb52a3a95a12242bad7be0e5a9f84277922602356e28e98af40f342436b317a
imphash d00eba105c91071d7abbd2ebc2d1eceb
File size 67.5 KB ( 69120 bytes )
File type Win32 EXE
Magic literal PE32 executable for MS Windows (GUI) Intel 80386 32-bit
TrID Generic Win/DOS Executable (50.0%)
DOS Executable Generic (49.9%)
Tags
peexe upx

VirusTotal metadata
First submission 2012-05-06 22:48:57 UTC ( 6 years, 9 months ago )
Last submission 2018-05-19 11:07:25 UTC ( 9 months, 1 week ago )
File names CSrv.exe
8fad203eeb49377a51d1a3bc2dd66965.exe
ag_L4C.xdp
aa
ZQT5.xlsm
01764
8fad203eeb49377a51d1a3bc2dd66965
file-4721631_exe
8fad203eeb49377a51d1a3bc2dd66965.vir
watermark.exe
7CF172DA000AAA340E9E01703270A800264018EB.exe
drtSrv.exe
WaterMark.exe
AIMP3Srv.exe
Advanced heuristic and reputation engines
ClamAV
Possibly Unwanted Application. While not necessarily malicious, the scanned file presents certain characteristics which depending on the user policies and environment may or may not represent a threat. For full details see: https://www.clamav.net/documents/potentially-unwanted-applications-pua .

TrendMicro-HouseCall
TrendMicro's heuristic engine has flagged this file as: TROJ_GEN.R0C1C0CA716.

Condensed report! The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.
Opened files
Read files
Copied files
Deleted files
Created processes
Code injections in the following processes
Created mutexes
Opened mutexes
Searched windows
Runtime DLLs
Additional details
The file uses the IsDebuggerPresent Windows API function in order to see whether it is being debugged.
The file sends control codes directly to certain device drivers making use of the DeviceIoControl Windows API function.