SHA256: 551e895ead962dd174a54db156ce4e3e54b36b39b23dc80699742900f0a64a95
File name: 9568.exe
Detection ratio: 42 / 54
Analysis date: 2014-10-18 00:12:01 UTC
Antivirus Result Update
Ad-Aware Trojan.GenericKD.1624130 20141017
Yandex Worm.Ngrbot!lA51l/DsdZ8 20141017
AhnLab-V3 Spyware/Win32.Zbot 20141017
Antiy-AVL Worm/Win32.Ngrbot 20141017
Avast Win32:VB-AIKU [Trj] 20141017
AVG Dropper.Generic9.TZB 20141017
Avira (no cloud) Worm/Ngrbot.adpp 20141018
AVware Trojan.Win32.Generic!BT 20141018
Baidu-International Worm.Win32.Ngrbot.AI 20141017
BitDefender Trojan.GenericKD.1624130 20141017
ByteHero Virus.Win32.Heur.p 20141018
CAT-QuickHeal Worm.Ngrbot.r3 20141017
Comodo UnclassifiedMalware 20141017
DrWeb Trojan.VbCrypt.380 20141018
Emsisoft Trojan.GenericKD.1624130 (B) 20141018
ESET-NOD32 Win32/TrojanClicker.VB.NZZ 20141017
F-Secure Trojan.GenericKD.1624130 20141017
Fortinet W32/Dorkbot.B!tr 20141018
GData Trojan.GenericKD.1624130 20141017
Ikarus Trojan.Backdoor.SmallX 20141017
K7AntiVirus Spyware ( 004062ed1 ) 20141017
K7GW Spyware ( 004062ed1 ) 20141017
Kaspersky Worm.Win32.Ngrbot.adof 20141017
Kingsoft Worm.Ngrbot.ac.(kcloud) 20141018
Malwarebytes Backdoor.Ruskill 20141017
McAfee PWSZbot-FWN!916216504C1B 20141017
McAfee-GW-Edition BehavesLike.Win32.Autorun.cm 20141017
Microsoft TrojanClicker:Win32/Tolouge 20141018
eScan Trojan.GenericKD.1624130 20141017
NANO-Antivirus Trojan.Win32.Ngrbot.cvypuw 20141017
Norman Injector.GHNY 20141017
nProtect Worm/W32.Ngrbot.162416.E 20141017
Qihoo-360 Win32/Trojan.Dropper.d36 20141018
Sophos AV Mal/Generic-S 20141017
SUPERAntiSpyware Trojan.Agent/Gen-Kazy 20141018
Symantec Downloader 20141017
Tencent Win32.Worm.Ngrbot.Hreo 20141018
TrendMicro TROJ_GEN.R0CBC0FD114 20141018
TrendMicro-HouseCall TROJ_GEN.R0CBC0FD114 20141018
VBA32 Worm.Ngrbot 20141017
VIPRE Trojan.Win32.Generic!BT 20141018
Zillya Worm.Ngrbot.Win32.4924 20141016
Engines with no detection (signature update date only)
AegisLab 20141018
Bkav 20141017
ClamAV 20141017
CMC 20141017
Cyren 20141018
F-Prot 20141017
Jiangmin 20141017
Rising 20141017
TheHacker 20141017
TotalDefense 20141017
ViRobot 20141017
Zoner 20141014
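Reading a detection table like the one above by hand is error-prone: the engine names and label schemes differ, some engines report nothing, and the family name (here Ngrbot, a.k.a. Dorkbot) has to be dug out from generic tokens such as "Trojan.GenericKD". The following script is an added example, not code from VirusTotal or from the report; it parses rows in the report's "Engine Label Date" layout, recomputes the detection ratio and tallies family votes across engines with a simple token filter. The multi-word engine names and the list of generic tokens are assumptions tailored to this report, and the rows embedded below are a constructed subset copied from it.

```python
"""Added example (not VirusTotal code): parse AV result rows and derive a
detection ratio plus a naive family consensus from the labels."""
import re
from collections import Counter

# Engine names in this report that contain a space (assumption: only these two).
MULTIWORD_ENGINES = ("Avira (no cloud)", "Sophos AV")

# Label tokens that describe a class or platform rather than a family
# (assumed list; a production tool such as AVClass uses a far larger one).
GENERIC = {
    "trojan", "worm", "virus", "backdoor", "spyware", "dropper", "downloader",
    "generic", "generickd", "heur", "agent", "malware", "unclassifiedmalware",
    "win32", "w32", "behaveslike", "injector", "trojanclicker", "pws", "mal",
}

_ROW = re.compile(r"^(.*?)\s*(\d{8})$")


def parse_row(line: str):
    """Split 'Engine Label YYYYMMDD' (label may be absent) into a dict."""
    m = _ROW.match(line.strip())
    if not m:
        return None
    body, update = m.group(1), m.group(2)
    for name in MULTIWORD_ENGINES:
        if body.startswith(name):
            engine, label = name, body[len(name):].strip()
            break
    else:
        engine, _, label = body.partition(" ")
    return {"engine": engine, "label": label or None, "update": update}


def family_tokens(label: str):
    """Alphabetic tokens of length >= 4 that are not generic class words."""
    toks = re.split(r"[^A-Za-z0-9]+", label)
    return [t.lower() for t in toks if t.isalpha() and len(t) >= 4 and t.lower() not in GENERIC]


def summarise(lines):
    """Detection ratio and the five most-voted family tokens (one vote per engine)."""
    rows = [r for r in map(parse_row, lines) if r]
    detected = [r for r in rows if r["label"]]
    votes = Counter()
    for r in detected:
        votes.update(set(family_tokens(r["label"])))
    return {"detections": len(detected), "engines": len(rows), "families": votes.most_common(5)}


# Constructed subset of the report's rows (two of them are non-detections).
SAMPLE_ROWS = """\
Ad-Aware Trojan.GenericKD.1624130 20141017
Yandex Worm.Ngrbot!lA51l/DsdZ8 20141017
AhnLab-V3 Spyware/Win32.Zbot 20141017
Avast Win32:VB-AIKU [Trj] 20141017
Avira (no cloud) Worm/Ngrbot.adpp 20141018
DrWeb Trojan.VbCrypt.380 20141018
Fortinet W32/Dorkbot.B!tr 20141018
K7AntiVirus Spyware ( 004062ed1 ) 20141017
Kaspersky Worm.Win32.Ngrbot.adof 20141017
ClamAV 20141017
Zoner 20141014""".splitlines()

if __name__ == "__main__":
    s = summarise(SAMPLE_ROWS)
    print(f"{s['detections']} / {s['engines']} engines detect the file")
    for family, n in s["families"]:
        print(f"  {family:12} {n} vote(s)")
```

The token filter is deliberately crude: variant suffixes such as "adpp" or "adof" survive as one-vote noise, but any real family name shared by several vendors (here "ngrbot") rises to the top, which is the signal an analyst wants before choosing a name to pivot on.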
The file being studied is a Portable Executable (PE): a 32-bit Win32 EXE for the Windows GUI subsystem.
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 1970-07-13 09:14:16 (not a genuine build time: the PE format did not exist in 1970, so the TimeDateStamp field has been forged or corrupted and must not be used for timeline analysis)
Entry Point 0x000015A0
Number of sections 3
PE sections
Overlays
MD5 2e913a936f1d1f1a987e1b95907b47ef
File type data
Offset 50688
Size 111728
Entropy 5.49
Offset plus size is 162416 bytes, exactly the file size, so the overlay is appended data running from the end of the last section to the end of the file and makes up about 69% of it. Its entropy of 5.49 bits per byte is well below the 7.5 and above typical of compressed or encrypted payloads, which suggests encoded or loosely obfuscated content that a VB-based crypter would decode at run time.
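To reproduce the three header facts above (forged timestamp, overlay offset, overlay entropy) without a third-party PE library, the following script is an added example, not code from VirusTotal or from the sample. It walks the DOS header, COFF header and section table with `struct`, defines the overlay as everything after the highest `PointerToRawData + SizeOfRawData`, and flags a `TimeDateStamp` that predates the PE format. The PE image it parses is constructed in memory from made-up values so it runs offline; only the timestamp value is taken from the report.

```python
"""Added example, not part of the VirusTotal report or the sample's code.

Locates a PE32 overlay, measures its Shannon entropy and sanity-checks the
COFF TimeDateStamp using only the standard library.  The PE image is built
in memory from constructed values; only the timestamp mirrors the report."""
import math
import struct
from collections import Counter
from datetime import datetime, timezone


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def parse_pe(blob: bytes) -> dict:
    """Walk DOS header -> PE signature -> COFF header -> section table.

    The overlay starts where the highest PointerToRawData + SizeOfRawData
    ends; a file whose size equals that value has no overlay.
    """
    if blob[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, nsections, stamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", blob, coff)
    sect_table = coff + 20 + opt_size
    end_of_sections = sect_table + 40 * nsections
    for i in range(nsections):
        # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
        _, _, _, raw_size, raw_ptr = struct.unpack_from("<8sIIII", blob, sect_table + 40 * i)
        end_of_sections = max(end_of_sections, raw_ptr + raw_size)
    overlay = blob[end_of_sections:]
    built = datetime.fromtimestamp(stamp, tz=timezone.utc)
    return {
        "machine": machine,
        "timestamp": built,
        # PE did not exist before 1993; a stamp before that, or in the future, is forged.
        "timestamp_plausible": 1993 <= built.year and built <= datetime.now(timezone.utc),
        "overlay_offset": end_of_sections,
        "overlay_size": len(overlay),
        "overlay_entropy": shannon_entropy(overlay),
    }


def build_sample_pe(overlay: bytes, stamp: int) -> bytes:
    """Assemble a minimal, non-runnable PE32 with one .text section.
    Constructed test data; no bytes come from the sample in the report."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 0xE0                                   # standard PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, 1, stamp, 0, 0, opt_size, 0x0102)
    optional = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)
    raw_ptr, raw_size = 0x200, 0x400                  # file-aligned section body
    section = struct.pack("<8sIIIIIIHHI", b".text", raw_size, 0x1000,
                          raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
    headers = dos + b"PE\0\0" + coff + optional + section
    return headers + b"\0" * (raw_ptr - len(headers)) + b"\xCC" * raw_size + overlay


REPORT_STAMP = 16708456  # 1970-07-13 09:14:16 UTC, the value shown in the report

if __name__ == "__main__":
    sample = build_sample_pe(bytes(range(256)) * 4, REPORT_STAMP)
    for key, value in parse_pe(sample).items():
        print(f"{key:20} {value}")
```

Run against a real file, `parse_pe(open(path, "rb").read())` gives the same three numbers the report shows; comparing `overlay_offset + overlay_size` with the file size is the quick check that nothing is appended beyond what the section table accounts for.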
PE imports (the exporting DLL was dropped from this listing; every name below, including the ordinals, EVENT_SINK_* and DllFunctionCall, is an export of the Visual Basic 6 runtime, MSVBVM60.DLL. A VB6 program reaches Win32 APIs declared with Declare statements through DllFunctionCall, which resolves them at run time, so kernel32/user32 functions such as DeviceIoControl and SetWindowsHookEx never appear in the static import table even though the sandbox observed them.)
_adj_fdivr_m64
Ord(546)
__vbaGenerateBoundsError
_allmul
__vbaGet3
_adj_fprem
__vbaAryMove
__vbaRedim
_adj_fdiv_r
__vbaUI1I2
__vbaObjSetAddref
__vbaLineInputStr
Ord(100)
__vbaHresultCheckObj
_CIlog
Ord(595)
_adj_fptan
__vbaFileClose
__vbaI4Var
__vbaLateIdCall
__vbaAryCopy
__vbaFreeStr
__vbaLateIdCallLd
__vbaUI1Str
__vbaStrI2
__vbaFreeStrList
__vbaI2I4
_adj_fdiv_m16i
EVENT_SINK_QueryInterface
Ord(648)
__vbaLenBstr
__vbaStrToUnicode
__vbaInStr
_adj_fdiv_m32i
Ord(717)
__vbaExceptHandler
__vbaSetSystemError
DllFunctionCall
__vbaFreeVar
__vbaFileOpen
Ord(571)
Ord(526)
Ord(711)
Ord(606)
_CIsqrt
EVENT_SINK_Release
__vbaVarTstEq
_adj_fdivr_m32i
__vbaStrCat
__vbaVarDup
__vbaChkstk
__vbaPrintFile
__vbaAryUnlock
__vbaStrVarCopy
__vbaFreeObjList
__vbaVar2Vec
__vbaVarForNext
__vbaFreeVarList
Ord(631)
__vbaStrVarMove
Ord(578)
__vbaVarTstNe
__vbaFreeObj
_adj_fdivr_m32
__vbaStrVarVal
__vbaVarSub
_CIcos
__vbaVarMove
__vbaErrorOverflow
__vbaNew2
__vbaAryDestruct
__vbaStrMove
_adj_fprem1
_adj_fdiv_m32
__vbaLenVar
EVENT_SINK_AddRef
_adj_fpatan
Ord(712)
__vbaVarForInit
__vbaStrCopy
__vbaFPException
__vbaAryVar
_adj_fdivr_m16i
__vbaVarAdd
_adj_fdiv_m64
__vbaUI1I4
_CIsin
__vbaAryLock
__vbaVarCopy
_CIatan
__vbaObjSet
Ord(644)
__vbaVarCat
_CIexp
__vbaStrToAnsi
_CItan
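The imphash in the file identification section is the MD5 of the import table as pefile normalises it, and an import profile like the one above (only MSVBVM60.DLL, with DllFunctionCall present) is itself a useful signal. The following script is an added example, not pefile's code or anything from the report: it implements the pefile imphash normalisation (lower-case DLL with .dll/.ocx/.sys stripped, lower-case function name, `ordN` for ordinals, comma-joined in import-table order) and a small profiler for VB6-runtime-only binaries. It assumes the DLL is MSVBVM60.DLL, omits pefile's ws2_32/oleaut32 ordinal-name table, and does not try to reproduce the report's own imphash because the listing above does not preserve the original import order.

```python
"""Added example (not pefile or VirusTotal code): pefile-compatible imphash
normalisation plus a profile of what a VB6-only import table reveals."""
import hashlib
import re

_STRIPPED_EXT = (".dll", ".ocx", ".sys")   # pefile drops only these extensions


def normalise_import(dll: str, func) -> str:
    """Return the 'dll.func' token that pefile feeds into the MD5.

    func is a str for an import by name or an int for an import by ordinal.
    Assumption: no ws2_32/oleaut32 ordinal lookup, so every ordinal is 'ordN'.
    """
    dll = dll.lower()
    for ext in _STRIPPED_EXT:
        if dll.endswith(ext):
            dll = dll[: -len(ext)]
            break
    name = f"ord{func}" if isinstance(func, int) else func.lower()
    return f"{dll}.{name}"


def imphash(imports) -> str:
    """MD5 of the comma-joined tokens; order is the import table's and matters."""
    joined = ",".join(normalise_import(d, f) for d, f in imports)
    return hashlib.md5(joined.encode()).hexdigest()


_VT_ORD = re.compile(r"^Ord\((\d+)\)$")


def parse_vt_import_lines(lines, dll="MSVBVM60.DLL"):
    """Turn a one-import-per-line listing into (dll, func) pairs.
    'Ord(546)' becomes the int 546; the DLL name is supplied by the caller."""
    pairs = []
    for raw in lines:
        s = raw.strip()
        if not s:
            continue
        m = _VT_ORD.match(s)
        pairs.append((dll, int(m.group(1)) if m else s))
    return pairs


def import_profile(imports) -> dict:
    """What the static import table says, and what it cannot say."""
    dlls = {d.lower() for d, _ in imports}
    funcs = {f for _, f in imports if isinstance(f, str)}
    return {
        "dlls": sorted(dlls),
        "vb6_runtime_only": dlls == {"msvbvm60.dll"},
        # DllFunctionCall is how VB 'Declare' statements reach Win32 (LoadLibrary +
        # GetProcAddress at run time), so kernel32/user32 never show up statically.
        "dynamic_win32_via_declare": "DllFunctionCall" in funcs,
        "file_io": any(f.startswith("__vbaFile") or f == "__vbaPrintFile" for f in funcs),
    }


# Constructed subset of the report's import names, in arbitrary order.
SAMPLE_LINES = """\
_adj_fdivr_m64
Ord(546)
__vbaGenerateBoundsError
DllFunctionCall
__vbaFileOpen
__vbaFileClose
__vbaPrintFile
Ord(100)""".splitlines()

if __name__ == "__main__":
    imps = parse_vt_import_lines(SAMPLE_LINES)
    print("imphash of this (unordered) subset:", imphash(imps))
    for k, v in import_profile(imps).items():
        print(f"{k:28} {v}")
```

Because the hash covers names and order but not the rest of the binary, two samples built by the same VB6 crypter template share an imphash even when their payloads differ; that is what makes it a pivot key, and also why the profile above (VB6-only plus DllFunctionCall) is worth alerting on independently of the hash value.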
Number of PE resources by type
Struct(36880) 1
RT_GROUP_ICON 1
Number of PE resources by language
NEUTRAL 1
ENGLISH US 1
PE resources
ExifTool file metadata
MIMEType: application/octet-stream
Subsystem: Windows GUI
SubsystemVersion: 4.256
MachineType: Intel 386 or later, and compatibles
TimeStamp: 1970:07:13 10:14:16+01:00 (the same forged header value as the 09:14:16 UTC compilation timestamp above, rendered in the scanning host's local time zone)
FileType: Win32 EXE
PEType: PE32
CodeSize: 40960
LinkerVersion: 9.0
FileTypeExtension: exe
InitializedDataSize: 8192
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit, Removable run from swap
EntryPoint: 0x15a0
OSVersion: 4.0
ImageVersion: 1.0
UninitializedDataSize: 0
File identification
MD5 916216504c1b3689ec7a35dba84278d3
SHA1 7bafc7fd450ec22812c33ce11102c874c6d6510f
SHA256 551e895ead962dd174a54db156ce4e3e54b36b39b23dc80699742900f0a64a95
ssdeep 1536:9IZC7ru4Ch0Fa9s7DOXxCVA2qkbmjfPKHbuXpmRVXwcCLHk:95r3a9s7DkCVWkCjfPeC5mRVgcCLH
authentihash 0377f8554f00ea73e35e4c1dcc217c9e531d51c7df0ed41b73567f95cc7e9e82
imphash 6f7ba14508931a693d9a87d21c9e433f
File size 158.6 KB ( 162416 bytes )
File type Win32 EXE
Magic literal PE32 executable for MS Windows (GUI) Intel 80386 32-bit
TrID Win32 Executable (generic) (42.7%)
     OS/2 Executable (generic) (19.2%)
     Generic Win/DOS Executable (18.9%)
     DOS Executable Generic (18.9%)
Tags peexe usb-autorun overlay

VirusTotal metadata
First submission 2014-03-29 01:10:25 UTC
Last submission 2018-07-21 10:40:22 UTC
File names hgdf234.lik, aa, 9568.exe, 916216504c1b3689ec7a35dba84278d3.vir, 720B.exe, guPeLL.mht
Advanced heuristic and reputation engines
ClamAV
Possibly Unwanted Application. While not necessarily malicious, the scanned file presents certain characteristics which depending on the user policies and environment may or may not represent a threat. For full details see: https://www.clamav.net/documents/potentially-unwanted-applications-pua .

Symantec reputation Suspicious.Insight
Condensed report! The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.
Opened files
Hooking activity
Runtime DLLs
Additional details
The file sends control codes directly to device drivers using the DeviceIoControl Windows API.
The file installs an application-defined hook procedure into a hook chain using SetWindowsHookEx (the report's "SetWindowsHook" is the obsolete name of the same API). A hook procedure receives events either for one thread or for every thread on the same desktop as the caller; a global hook whose procedure lives in a DLL causes that DLL to be loaded into every process that receives those events, which is a standard way for a bot to place code in other processes or to capture keystrokes and window messages. Neither API appears in the static import table above, because the VB6 runtime resolves declared Win32 functions at run time through DllFunctionCall; only dynamic analysis surfaces them.