SHA256: 4fba64ad3a7e1daf8ca2d65c3f9b03a49083b7af339b995422c01a1a96532ca3
File name: sopp.exe
Detection ratio: 12 / 46
Analysis date: 2013-01-15 08:25:14 UTC
Detections (12 of 46 engines):

Antivirus         Result                                   Update
AntiVir           TR/Dropper.Gen                           20130115
AVG               unknown virus Win32/DH{MSADYQ8eJCIl}     20130115
BitDefender       Gen:Trojan.Heur.PT.juW@aq4ENugi          20130115
DrWeb             DLOADER.Trojan                           20130115
Emsisoft          Gen:Trojan.Heur.PT.juW@aq4ENugi (B)      20130115
F-Secure          Gen:Trojan.Heur.PT.juW@aq4ENugi          20130115
GData             Gen:Trojan.Heur.PT.juW@aq4ENugi          20130115
Kaspersky         HEUR:Trojan.Win32.Generic                20130115
Microsoft         Trojan:Win32/Malex.gen!E                 20130115
Norman            W32/Malware                              20130114
Rising            Suspicious                               20130115
Sophos AV         Mal/Behav-001                            20130115

No detection (34 engines, with signature update date):
Yandex (20130114), AhnLab-V3 (20130114), Antiy-AVL (20130114), Avast (20130115), ByteHero (20130107), CAT-QuickHeal (20130115), ClamAV (20130115), Commtouch (20130115), Comodo (20130115), eSafe (20130113), ESET-NOD32 (20130114), F-Prot (20130115), Fortinet (20130115), Ikarus (20130115), Jiangmin (20121221), K7AntiVirus (20130114), Kingsoft (20130115), Malwarebytes (20130115), McAfee (20130115), McAfee-GW-Edition (20130115), eScan (20130115), NANO-Antivirus (20130115), nProtect (20130115), Panda (20130114), PCTools (20130115), SUPERAntiSpyware (20130115), Symantec (20130115), TheHacker (20130115), TotalDefense (20130115), TrendMicro (20130115), TrendMicro-HouseCall (20130115), VBA32 (20130114), VIPRE (20130115), ViRobot (20130115)
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2012-12-21 23:30:50
Entry Point 0x00009D12
Number of sections 5
PE sections
PE imports
GetTokenInformation
GetUserNameA
LookupPrivilegeValueA
RegOpenKeyA
RegCloseKey
OpenProcessToken
RegSetValueExA
FreeSid
RegQueryValueExA
AllocateAndInitializeSid
AdjustTokenPrivileges
EqualSid
RegCreateKeyExA
GetStdHandle
GetDriveTypeA
EncodePointer
DeleteCriticalSection
GetCurrentProcess
GetConsoleMode
GetLocaleInfoA
FreeEnvironmentStringsW
GetLocaleInfoW
SetStdHandle
CheckRemoteDebuggerPresent
WideCharToMultiByte
WriteFile
GetSystemTimeAsFileTime
HeapReAlloc
GetStringTypeW
ResumeThread
GetLogicalDriveStringsA
InitializeCriticalSection
FatalExit
TlsGetValue
SetLastError
GetModuleFileNameW
CopyFileA
ExitProcess
FlushFileBuffers
GetModuleFileNameA
HeapSetInformation
GetVolumeInformationA
SetHandleCount
UnhandledExceptionFilter
InterlockedDecrement
MultiByteToWideChar
CreateMutexA
SetFilePointer
CreateThread
SetUnhandledExceptionFilter
IsProcessorFeaturePresent
ExitThread
DecodePointer
TerminateProcess
VirtualQueryEx
SetEndOfFile
GetCurrentThreadId
LeaveCriticalSection
WriteConsoleW
CreateToolhelp32Snapshot
InitializeCriticalSectionAndSpinCount
HeapFree
EnterCriticalSection
Process32First
LoadLibraryW
GetOEMCP
QueryPerformanceCounter
GetTickCount
TlsAlloc
GetVersionExA
RtlUnwind
Process32Next
OpenProcess
GetStartupInfoW
ReadProcessMemory
GetUserDefaultLCID
GetProcessHeap
CompareStringW
GetComputerNameA
IsValidLocale
GetProcAddress
CreateFileW
IsDebuggerPresent
GetFileType
TlsSetValue
CreateFileA
HeapAlloc
InterlockedIncrement
GetLastError
LCMapStringW
lstrlenA
GetConsoleCP
GetEnvironmentStringsW
GetShortPathNameA
GetCurrentProcessId
GetCPInfo
HeapSize
GetCommandLineA
RaiseException
TlsFree
GetModuleHandleA
ReadFile
CloseHandle
EnumSystemLocalesA
GetACP
GetModuleHandleW
IsValidCodePage
HeapCreate
Sleep
ShellExecuteA
SHGetFolderPathA
MessageBoxA
socket
closesocket
send
WSAStartup
gethostbyname
connect
htons
recv
URLDownloadToFileA
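The import table above is the most informative static artefact on this page: token privilege adjustment (OpenProcessToken, LookupPrivilegeValueA, AdjustTokenPrivileges), process enumeration and cross-process reads (CreateToolhelp32Snapshot, Process32First/Next, OpenProcess, ReadProcessMemory), two debugger checks, registry writes, a downloader API (URLDownloadToFileA) and a raw Winsock client. The script below is an added example, not VirusTotal's code, that tags such capability groups from an import list and computes an imphash the way the published algorithm does (lowercase, extension stripped, original DLL and function order). The report lists bare function names, so the DLL each name is filed under here is an assumption (the usual Win32 home of that export), and the sample is only a subset of the list; the hash it produces is therefore not expected to match the report's imphash.

```python
"""Static triage of a PE import list: capability tagging plus an imphash.

Added example for this report, not VirusTotal's code. DLL attribution of the
function names below is an assumption; the report itself gives only names.
"""
import hashlib

# Constructed input: a subset of the report's import list, DLL grouping assumed.
SAMPLE_IMPORTS = {
    "KERNEL32.dll": [
        "CreateToolhelp32Snapshot", "Process32First", "Process32Next",
        "OpenProcess", "ReadProcessMemory", "VirtualQueryEx",
        "IsDebuggerPresent", "CheckRemoteDebuggerPresent",
        "CreateMutexA", "CopyFileA", "GetProcAddress", "Sleep",
    ],
    "ADVAPI32.dll": [
        "OpenProcessToken", "LookupPrivilegeValueA", "AdjustTokenPrivileges",
        "RegCreateKeyExA", "RegSetValueExA", "RegOpenKeyA",
    ],
    "SHELL32.dll": ["ShellExecuteA", "SHGetFolderPathA"],
    "WS2_32.dll": ["WSAStartup", "socket", "gethostbyname", "connect", "send", "recv"],
    "urlmon.dll": ["URLDownloadToFileA"],
}

# Each rule: (label, names that must ALL be present, names of which ANY must be present).
CAPABILITY_RULES = [
    ("token privilege adjustment (SeDebugPrivilege pattern)",
     {"OpenProcessToken", "LookupPrivilegeValueA", "AdjustTokenPrivileges"}, set()),
    ("process enumeration",
     {"CreateToolhelp32Snapshot", "Process32First", "Process32Next"}, set()),
    ("cross-process memory read",
     {"OpenProcess", "ReadProcessMemory"}, set()),
    ("anti-debugging check",
     set(), {"IsDebuggerPresent", "CheckRemoteDebuggerPresent"}),
    ("registry persistence candidate",
     {"RegCreateKeyExA", "RegSetValueExA"}, set()),
    ("HTTP download to disk",
     {"URLDownloadToFileA"}, set()),
    ("raw TCP client",
     {"WSAStartup", "socket", "connect"}, {"send", "recv"}),
    ("self-copy / launch",
     {"CopyFileA", "ShellExecuteA"}, set()),
    ("single-instance mutex",
     {"CreateMutexA"}, set()),
]


def flatten(imports):
    """Return the set of imported function names regardless of DLL."""
    return {name for names in imports.values() for name in names}


def capabilities(imports):
    """Return the labels of every rule the import set satisfies, in rule order."""
    names = flatten(imports)
    hits = []
    for label, all_of, any_of in CAPABILITY_RULES:
        if all_of <= names and (not any_of or any_of & names):
            hits.append(label)
    return hits


def imphash_input(imports):
    """Build the 'dll.func,dll.func,...' string that imphash hashes.

    Lowercase everything, drop a .dll/.ocx/.sys extension, and keep DLL and
    function order exactly as in the import table. Real implementations also
    map ordinal-only imports to names; this input has none.
    """
    parts = []
    for dll, names in imports.items():
        base = dll.lower()
        for ext in (".dll", ".ocx", ".sys"):
            if base.endswith(ext):
                base = base[: -len(ext)]
                break
        parts.extend(f"{base}.{name.lower()}" for name in names)
    return ",".join(parts)


def imphash(imports):
    """MD5 hex digest of the imphash input string."""
    return hashlib.md5(imphash_input(imports).encode()).hexdigest()


if __name__ == "__main__":
    print("imphash (assumed DLL layout):", imphash(SAMPLE_IMPORTS))
    for cap in capabilities(SAMPLE_IMPORTS):
        print(" -", cap)
```

Because imphash is order-sensitive and DLL-sensitive, feed it a real import table (for example from a PE parser) rather than a hand-typed list when you want a value you can pivot on; the capability tags, by contrast, only need the names and are useful exactly for a page like this one.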
Number of PE resources by type
RT_MANIFEST 1
Number of PE resources by language
ENGLISH US 1
PE resources
ExifTool file metadata
MIMEType: application/octet-stream
Subsystem: Windows GUI
MachineType: Intel 386 or later, and compatibles
FileTypeExtension: exe
TimeStamp: 2012:12:22 00:30:50+01:00
FileType: Win32 EXE
PEType: PE32
CodeSize: 112128
LinkerVersion: 10.0
EntryPoint: 0x9d12
InitializedDataSize: 43008
SubsystemVersion: 5.1
ImageVersion: 0.0
OSVersion: 5.1
UninitializedDataSize: 0
Compressed bundles
File identification
MD5 6f0de63e7831c715e1bff9556777ea55
SHA1 9425dd45b2f46865279b5319897117e1e306fc90
SHA256 4fba64ad3a7e1daf8ca2d65c3f9b03a49083b7af339b995422c01a1a96532ca3
ssdeep 3072:P7Jkvd/Sy6dEvtz0pYl+jbzi8TumnR5WQwQN9N6yQ7nBpi:P7Jk116dE5tQbzi8hnLXNHqpi
authentihash c7b8c618853a7c50a7b88198e5ead8a63e15336986fb1e05f805091731300c66
imphash e223bc75bf477198e195d47873373c0f
File size 152.5 KB ( 156160 bytes )
File type Win32 EXE
Magic literal PE32 executable for MS Windows (GUI) Intel 80386 32-bit
TrID Win32 Executable MS Visual C++ (generic) (67.4%)
Win32 Dynamic Link Library (generic) (14.2%)
Win32 Executable (generic) (9.7%)
Generic Win/DOS Executable (4.3%)
DOS Executable Generic (4.3%)
Tags
peexe

VirusTotal metadata
First submission 2013-01-15 08:25:14 UTC
Last submission 2016-08-17 14:00:59 UTC
File names 6f0de63e7831c715e1bff9556777ea55
sopp.exe
vti-rescan
4fba64ad3a7e1daf8ca2d65c3f9b03a49083b7af339b995422c01a1a96532ca3
samp_ (18)
Advanced heuristic and reputation engines
ClamAV
Possibly Unwanted Application. While not necessarily malicious, the scanned file presents certain characteristics which depending on the user policies and environment may or may not represent a threat. For full details see: https://www.clamav.net/documents/potentially-unwanted-applications-pua .

Symantec reputation Suspicious.Insight
Condensed report! The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.
Opened files
Read files
Copied files
Created processes
Shell commands
Created mutexes
Opened mutexes
Runtime DLLs
Additional details
The file uses the IsDebuggerPresent Windows API function in order to see whether it is being debugged; the import table above also lists CheckRemoteDebuggerPresent, a second debugger check.
The file sends control codes directly to certain device drivers making use of the DeviceIoControl Windows API function. DeviceIoControl does not appear in the static import table above, so it is either resolved at run time (GetProcAddress is imported) or called from one of the other processes this condensed report covers.
DNS requests
UDP communications