SHA256: 4ec91d8bd1cee6d1c9518f50d02354398a98871cf139b5801859bb21a23b2404
File name: Documento_PDF.scr
Detection ratio: 20 / 44
Analysis date: 2012-12-05 01:12:08 UTC ( 1 year, 4 months ago )
Antivirus | Result | Update
AVG | Suspicion: unknown virus | 20121205
AntiVir | TR/Dropper.Gen | 20121205
BitDefender | Gen:Variant.Kazy.82512 | 20121204
ESET-NOD32 | probably a variant of Win32/TrojanDownloader.VB.POZ | 20121205
Emsisoft | Gen:Variant.Kazy.82949 (B) | 20121205
F-Secure | Gen:Variant.Kazy.82512 | 20121205
GData | Gen:Variant.Kazy.82512 | 20121204
Ikarus | Backdoor.Win32.Hostposer | 20121204
Kaspersky | Trojan-Downloader.Win32.VB.axvh | 20121205
Kingsoft | Win32.Troj.Undef.(kcloud) | 20121119
MicroWorld-eScan | Gen:Variant.Kazy.82512 | 20121204
Microsoft | Backdoor:Win32/Hostposer.A | 20121205
Panda | Trj/Genetic.gen | 20121204
Rising | Trojan.VB!4A56 | 20121204
Symantec | Trojan.Gen.2 | 20121205
TheHacker | Posible_Worm32 | 20121203
TrendMicro | TROJ_GEN.R47CDL4 | 20121205
TrendMicro-HouseCall | TROJ_GEN.R47CDL4 | 20121205
VIPRE | Trojan.Win32.Generic.pak!cobra | 20121205
ViRobot | Trojan.Win32.A.Downloader.28672.AXR[UPX] | 20121204
Agnitum | - | 20121204
Antiy-AVL | - | 20121204
Avast | - | 20121204
CAT-QuickHeal | - | 20121204
ClamAV | - | 20121205
Commtouch | - | 20121204
Comodo | - | 20121204
DrWeb | - | 20121205
F-Prot | - | 20121204
Fortinet | - | 20121205
Jiangmin | - | 20121204
K7AntiVirus | - | 20121204
Malwarebytes | - | 20121205
McAfee | - | 20121205
McAfee-GW-Edition | - | 20121204
NANO-Antivirus | - | 20121205
Norman | - | 20121204
PCTools | - | 20121204
SUPERAntiSpyware | - | 20121205
Sophos | - | 20121205
TotalDefense | - | 20121204
VBA32 | - | 20121204
eSafe | - | 20121202
nProtect | - | 20121204
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
Packers identified
F-PROT UPX
PEiD UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2012-12-04 16:04:53
Entry Point 0x00016670
Number of sections 3
PE sections
PE imports
VirtualFree
ExitProcess
VirtualProtect
LoadLibraryA
VirtualAlloc
GetProcAddress
Ord(581)
Number of PE resources by type
RT_ICON 1
RT_VERSION 1
RT_GROUP_ICON 1
Number of PE resources by language
NEUTRAL 2
ENGLISH US 1
ExifTool file metadata
SubsystemVersion 4.0
LinkerVersion 6.0
ImageVersion 1.0
FileSubtype 0
FileVersionNumber 1.0.0.0
UninitializedDataSize 69632
LanguageCode English (U.S.)
FileFlagsMask 0x0000
CharacterSet Unicode
InitializedDataSize 12288
FileOS Win32
MIMEType application/octet-stream
LegalCopyright 2000-2012 DT Soft Ltd.
FileVersion 1.0
TimeStamp 2012:12:04 17:04:53+01:00
FileType Win32 EXE
PEType PE32
InternalName loucaaaa_3
ProductVersion 1.0
FileDescription DAEMON Tools Lite
OSVersion 4.0
OriginalFilename loucaaaa_3.exe
Subsystem Windows GUI
MachineType Intel 386 or later, and compatibles
CompanyName DT Soft Ltd
CodeSize 20480
ProductName DAEMON Tools Lite
ProductVersionNumber 1.0.0.0
EntryPoint 0x16670
ObjectFileType Executable application

File identification
MD5 3caa414b0dba32b0a19361a8da207d66
SHA1 c958ee8228ccd757b241d0d5fd95b5d625e0ce98
SHA256 4ec91d8bd1cee6d1c9518f50d02354398a98871cf139b5801859bb21a23b2404
ssdeep 384:l0DPvGwmhlS5dce9TS7VWNnFGUyVcuNlIepP36gLw7M69iRf2YOziBh/A2HO:l0DIrSHWVWlFByVcuzcaGzulAm

File size 28.0 KB ( 28672 bytes )
File type Win32 EXE
Magic literal MS-DOS executable PE for MS Windows (GUI) Intel 80386 32-bit, UPX compressed

TrID UPX compressed Win32 Executable (39.5%)
Win32 EXE Yoda's Crypter (34.3%)
Win32 Executable Generic (11.0%)
Win32 Dynamic Link Library (generic) (9.8%)
Generic Win/DOS Executable (2.5%)
Tags
peexe upx

VirusTotal metadata
First submission 2012-12-04 18:00:00 UTC ( 1 year, 4 months ago )
Last submission 2012-12-12 16:40:08 UTC ( 1 year, 4 months ago )
File names Documento_PDF.scr, 3caa414b0dba32b0a19361a8da2
Advanced heuristic and reputation engines
ClamAV PUA
Possibly Unwanted Application. While not necessarily malicious, the scanned file presents certain characteristics which, depending on the user policies and environment, may or may not represent a threat. For full details see: http://www.clamav.net/index.php?s=pua&lang=en

Symantec reputation Suspicious.Insight
Condensed report! The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.
Opened files
Read files
Written files
Set keys
Deleted keys
Code injections in the following processes
Opened mutexes
Hooking activity
Runtime DLLs
Additional details
The file sends control codes directly to certain device drivers making use of the DeviceIoControl Windows API function.
The file installs an application-defined hook procedure into a hook chain. You would install a hook procedure to monitor the system for certain types of events. These events are associated either with a specific thread or with all threads in the same desktop as the calling thread. This is done making use of the SetWindowsHook Windows API function.
DNS requests
TCP connections
UDP communications