Antivirus scan for 52130a636355f8c08f88c015359406e6d18f7a168e833f6e807de6d223db348b at 2018-07-18 23:34:28 UTC

Antivirus	Result	Update
Ad-Aware	Gen:Trojan.Heur2.FU.fyW@amshF4gO	20180718
AegisLab	Gen.Troj.Heur2!c	20180718
AhnLab-V3	Trojan/Win32.Emotet.R231895	20180718
Arcabit	Trojan.Heur2.FU.E982FB	20180718
Avast	Win32:Malware-gen	20180718
AVG	Win32:Malware-gen	20180718
AVware	Trojan.Win32.Generic!BT	20180718
Baidu	Win32.Trojan.WisdomEyes.16070401.9500.9999	20180717
BitDefender	Gen:Trojan.Heur2.FU.fyW@amshF4gO	20180718
Bkav	HW32.Packed.FFE3	20180718
CrowdStrike Falcon (ML)	malicious_confidence_90% (D)	20180530
Cybereason	malicious.aad0e9	20180225
Cylance	Unsafe	20180719
Cyren	W32/Trojan.NMCN-8691	20180718
DrWeb	Trojan.DownLoader26.58324	20180718
Emsisoft	Trojan.Emotet (A)	20180718
Endgame	malicious (high confidence)	20180711
ESET-NOD32	a variant of Win32/Kryptik.GIYA	20180718
F-Secure	Gen:Trojan.Heur2.FU.fyW@amshF4gO	20180718
Fortinet	W32/Kryptik.GIYA!tr	20180718
GData	Gen:Trojan.Heur2.FU.fyW@amshF4gO	20180718
Ikarus	Trojan.Win32.Crypt	20180718
Sophos ML	heuristic	20180717
K7AntiVirus	Trojan ( 00537f351 )	20180718
K7GW	Trojan ( 00537f351 )	20180718
Kaspersky	Trojan.Win32.Dovs.pjd	20180718
Malwarebytes	Spyware.Emotet	20180718
MAX	malware (ai score=98)	20180719
McAfee	Emotet-FHR!03772B3AAD0E	20180718
McAfee-GW-Edition	BehavesLike.Win32.Downloader.nc	20180718
eScan	Gen:Trojan.Heur2.FU.fyW@amshF4gO	20180718
NANO-Antivirus	Trojan.Win32.Dovs.fflgrg	20180719
Palo Alto Networks (Known Signatures)	generic.ml	20180719
Panda	Trj/GdSda.A	20180718
Qihoo-360	Win32/Trojan.901	20180719
Rising	Trojan.Kryptik!8.8 (CLOUD)	20180718
SentinelOne (Static ML)	static engine - malicious	20180701
Sophos AV	Mal/EncPk-ANX	20180718
Symantec	Packed.Generic.517	20180718
TrendMicro-HouseCall	TROJ_GEN.R002H05GI18	20180718
VBA32	BScope.TrojanBanker.Emotet	20180718
VIPRE	Trojan.Win32.Generic!BT	20180718
ViRobot	Trojan.Win32.Z.Kryptik.93696.HP	20180718
Webroot	W32.Trojan.Emotet	20180719
ZoneAlarm by Check Point	Trojan.Win32.Dovs.pjd	20180718
Alibaba		20180713
ALYac		20180719
Antiy-AVL		20180718
Avast-Mobile		20180718
Avira (no cloud)		20180718
Babable		20180406
CAT-QuickHeal		20180718
ClamAV		20180718
CMC		20180718
Comodo		20180718
eGambit		20180719
F-Prot		20180718
Jiangmin		20180718
Kingsoft		20180719
Microsoft		20180718
SUPERAntiSpyware		20180718
TACHYON		20180718
Tencent		20180719
TheHacker		20180718
TotalDefense		20180718
TrendMicro		20180718
Trustlook		20180719
Yandex		20180717
Zillya		20180718
Zoner		20180718

The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.

PE header basic information

Target machine Intel 386 or later processors and compatible processors

Compilation timestamp 2018-07-17 21:01:39

Entry Point 0x00011FFB

Number of sections 6

PE sections

Name Virtual address Virtual size Raw size Entropy MD5

.text 4096 74344 74752 7.61 2a26c9b89b4aac5192114a3b983c0a23

.data 81920 6880 3072 6.08 a60dd7a28932a8df8505287f2d79c458

.idata 90112 410 512 3.63 575291535c734da4ebcfca880ce06f16

.CRT 94208 4 512 0.06 42e21699b45934817c87e31a4a300f23

.rsrc 98304 12848 13312 3.71 e30a7bf3cc2e7c4df4d6c1fccd31b0ae

.reloc 114688 208 512 2.81 d1c6291fd799d0c1fdfbbb4b7798ab4b

PE imports

Number of PE resources by type

RT_DIALOG 21

RT_MANIFEST 1

RT_VERSION 1

Number of PE resources by language

ENGLISH US 2

HEBREW DEFAULT 1

HUNGARIAN DEFAULT 1

VIETNAMESE DEFAULT 1

CHINESE SIMPLIFIED 1

SLOVENIAN DEFAULT 1

CZECH DEFAULT 1

FINNISH DEFAULT 1

KOREAN 1

NEUTRAL DEFAULT 1

PORTUGUESE 1

POLISH DEFAULT 1

JAPANESE DEFAULT 1

DANISH DEFAULT 1

SLOVAK DEFAULT 1

GREEK DEFAULT 1

TURKISH DEFAULT 1

ROMANIAN 1

THAI DEFAULT 1

SERBIAN DEFAULT 1

NEUTRAL 1

RUSSIAN 1

PE resources

04a996eba648a3625572df91e920bdebd3cb3a6a85fdf915cf39e7cc19402083 data

0abc7004ed789223b95787c40a31a73628c56bf107893e3717d886f3f44b3f30 data

19a7a1da7f9d70a37126f8627aa6f2b33debec0569f6145942b54b3ad7538c5e data

1a0295f4bf5986c5f74eca9153a6a4cb10b073a01a76ba4a457fd862c78966a4 ASCII text

1cc21e501af578cf31816c51e4acb7744fa33d32ba66a42aced687ef42c12325 data

261bb880056d6b961343fc1618828618ff09e4f16b0b3fdee6d191f27b432301 data

30c8ed24ed66369af16d7e6e51e65583a7c29df6ef4464032473913355c0fa07 data

388f75e900f0c15fd66249d7b2e7edf6e14eeefb859e6f766b75058e44f27af6 ASCII text

4123a368821236ba995c5dd1884548f0d62168a08b7a15431f3fb88cf6179569 data

4194517b8138c799413ff5c46850bdd610755748c869c44bd1868544555e1ffd data

Debug information

Type Timestamp Offset Size

IMAGE_DEBUG_TYPE_CODEVIEW (2) Tue Jul 17 21:01:39 2018 1392 39 Bytes

12 (12) Tue Jul 17 21:01:39 2018 1516 20 Bytes

ExifTool file metadata

MIMEType

application/octet-stream

Subsystem

Windows GUI

MachineType

Intel 386 or later, and compatibles

FileTypeExtension

exe

TimeStamp

2018:07:17 22:01:39+01:00

FileType

Win32 EXE

PEType

PE32

CodeSize

74752

LinkerVersion

12.0

Warning

Possibly corrupt Version resource

EntryPoint

0x11ffb

InitializedDataSize

22016

SubsystemVersion

5.0

ImageVersion

0.0

OSVersion

5.1

UninitializedDataSize

File identification

MD5 03772b3aad0e97d1a34680c11533848c

SHA1 4f2c914ad9d367baeb05045a9d70974ba12aecc8

SHA256 52130a636355f8c08f88c015359406e6d18f7a168e833f6e807de6d223db348b

ssdeep

1536:DE0ky5G9W18R5RphFcon/f45Ut8a6bq8AN33maoP:DEr1982rh1f45UF2Ho3j

authentihash 074ab9af7000993067048dca226b86978bb1d232e215bb4f1ff165b8411ffdf9

imphash 140676f00c48f787fb7da8229f04929c

File size 91.5 KB ( 93696 bytes )

File type Win32 EXE

Magic literal

PE32 executable for MS Windows (GUI) Intel 80386 32-bit

TrID	OS/2 Executable (generic) (33.6%) Generic Win/DOS Executable (33.1%) DOS Executable Generic (33.1%)

VirusTotal metadata

First submission 2018-07-17 23:44:37 UTC ( 7 months ago )

Last submission 2018-07-17 23:44:37 UTC ( 7 months ago )

File names

DIAGRAMPOWR.EXE

Condensed report! The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.

Opened files

\\.\PIPE\ROUTER (successful)

\\.\Ip (successful)

\\.\PIPE\lsarpc (successful)

c:\autoexec.bat (successful)

C:\52130a636355f8c08f88c015359406e6d18f7a168e833f6e807de6d223db348b (successful)

\\.\MountPointManager (successful)

Read files

c:\autoexec.bat (successful)

Moved files

SRC: C:\52130a636355f8c08f88c015359406e6d18f7a168e833f6e807de6d223db348b
DST: C:\WINDOWS\system32\tracestyles.exe (successful)

Deleted files

C:\WINDOWS\system32\justprivate.exe (failed)

C:\WINDOWS\system32\tracestyles.exe:Zone.Identifier (failed)

Created processes

C:\52130a636355f8c08f88c015359406e6d18f7a168e833f6e807de6d223db348b (successful)

Created mutexes

PEMF4 (successful)

PEM578 (successful)

Global\I6C78A9C3 (successful)

Global\M6C78A9C3 (successful)

Opened mutexes

ShimCacheMutex (successful)

Opened service managers

MACHINE: localhost
DATABASE: SERVICES_ACTIVE_DATABASE (successful)

Opened services

RASMAN (successful)

aspnet_state (successful)

Runtime DLLs

rtutils.dll (successful)

rasman.dll (successful)

rpcrt4.dll (successful)

secur32.dll (successful)

c:\windows\system32\msv1_0.dll (successful)

shell32.dll (successful)

userenv.dll (successful)

netapi32.dll (successful)

shlwapi.dll (successful)

kernel32.dll (successful)

SHA256:	52130a636355f8c08f88c015359406e6d18f7a168e833f6e807de6d223db348b
File name:	DIAGRAMPOWR.EXE
Detection ratio:	45 / 68
Analysis date:	2018-07-18 23:34:28 UTC ( 7 months ago ) View latest

Ciphered bundle