SHA256: 5b29aad543f2e008b7f07d9b598231ba023fb86d47430cbf096bc9b7e65e7954
File name: Grammatite6
Detection ratio: 52 / 68
Analysis date: 2017-11-27 02:09:08 UTC
Antivirus Result Update
Ad-Aware Trojan.GenericKD.5733714 20171126
AegisLab Backdoor.Msil.Bladabindi!c 20171127
AhnLab-V3 Trojan/Win32.Bladabindi.C2081755 20171127
ALYac Trojan.GenericKD.5733714 20171127
Antiy-AVL Trojan[Backdoor]/MSIL.Bladabindi 20171127
Arcabit Trojan.Generic.D577D52 20171127
Avast Win32:Malware-gen 20171127
AVG Win32:Malware-gen 20171127
Avira (no cloud) TR/Dropper.VB.zkvgk 20171126
AVware Trojan.Win32.Generic!BT 20171127
BitDefender Trojan.GenericKD.5733714 20171127
CAT-QuickHeal Backdoor.MSIL 20171125
CrowdStrike Falcon (ML) malicious_confidence_100% (W) 20171016
Cybereason malicious.1b8fb7 20171103
Cylance Unsafe 20171127
Cyren W32/VBInject.LC.gen!Eldorado 20171127
DrWeb Trojan.Nanocore.23 20171127
Emsisoft Trojan.GenericKD.5733714 (B) 20171127
Endgame malicious (high confidence) 20171024
ESET-NOD32 a variant of Win32/Injector.DQKQ 20171127
F-Prot W32/VBInject.LC.gen!Eldorado 20171127
F-Secure Trojan.GenericKD.5733714 20171127
Fortinet W32/Injector.CIHA!tr 20171127
GData Trojan.GenericKD.5733714 20171127
Ikarus Trojan.Dropper 20171126
Sophos ML heuristic 20170914
Jiangmin Backdoor.MSIL.pat 20171127
K7AntiVirus Trojan ( 005136ec1 ) 20171124
K7GW Trojan ( 005136ec1 ) 20171127
Kaspersky Backdoor.MSIL.Bladabindi.swk 20171127
Malwarebytes Backdoor.NanoCore 20171127
MAX malware (ai score=100) 20171127
McAfee Packed-MO!5E28AA7D4E48 20171127
McAfee-GW-Edition Packed-MO!5E28AA7D4E48 20171127
Microsoft VirTool:Win32/VBInject 20171127
eScan Trojan.GenericKD.5733714 20171127
NANO-Antivirus Trojan.Win32.Bladabindi.ermtss 20171127
nProtect Backdoor/W32.Bladabindi.638976 20171127
Palo Alto Networks (Known Signatures) generic.ml 20171127
Panda Trj/GdSda.A 20171126
SentinelOne (Static ML) static engine - malicious 20171113
Sophos AV Mal/FareitVB-M 20171127
Symantec Trojan.Nancrat 20171126
Tencent Msil.Backdoor.Bladabindi.Swuy 20171127
TrendMicro TROJ_GEN.R0E9C0OH217 20171126
TrendMicro-HouseCall BKDR_TOFSEE.SMF 20171127
VBA32 Backdoor.MSIL.Bladabindi 20171124
VIPRE Trojan.Win32.Generic!BT 20171127
Webroot W32.Trojan.Gen 20171127
Yandex Backdoor.Bladabindi!dT8YE3WoITM 20171120
Zillya Trojan.Injector.Win32.550866 20171124
ZoneAlarm by Check Point Backdoor.MSIL.Bladabindi.swk 20171126
Alibaba (no detection) 20171124
Avast-Mobile (no detection) 20171126
Baidu (no detection) 20171124
Bkav (no detection) 20171124
ClamAV (no detection) 20171127
CMC (no detection) 20171126
Comodo (no detection) 20171127
eGambit (no detection) 20171127
Kingsoft (no detection) 20171127
Qihoo-360 (no detection) 20171127
Rising (no detection) 20171127
SUPERAntiSpyware (no detection) 20171126
Symantec Mobile Insight (no detection) 20171124
TheHacker (no detection) 20171126
TotalDefense (no detection) 20171126
Trustlook (no detection) 20171127
ViRobot (no detection) 20171126
WhiteArmor (no detection) 20171104
Zoner (no detection) 20171127
The file is a Portable Executable (PE32) image: a Win32 EXE for the Windows GUI subsystem.
FileVersionInfo properties
Product https:\\Xaai.NeO
Original name Grammatite6.exe
Internal name Grammatite6
File version 1.00.0005
Description Xiae
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2017-07-31 10:15:05 (UTC; matches the ExifTool TimeStamp of 11:15:05+01:00. This field is written by the linker and is trivially forgeable, but here it precedes the first VirusTotal submission at 10:39:14 UTC by 24 minutes, so it is at least consistent.)
Entry Point 0x000010B8
Number of sections 3
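The rows above (target machine, timestamp, entry point, section count) and several of the ExifTool rows further down are plain fields in the COFF and PE32 optional headers. The following is an added example, not VirusTotal's or the sample's code, that reads those fields with only the standard library; the input it parses is a constructed PE32 header populated with the values from this report, not the real Grammatite6.exe bytes, so the field layout is what is being demonstrated.

```python
import struct
from datetime import datetime, timezone

IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_NT_OPTIONAL_HDR32_MAGIC = 0x010B
SUBSYSTEMS = {2: "Windows GUI", 3: "Windows CUI"}


def parse_pe_header(data: bytes) -> dict:
    """Read the COFF and PE32 optional-header fields behind the report's
    'PE header basic information' and ExifTool rows."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (machine, num_sections, time_date_stamp,
     _sym_ptr, _num_syms, _opt_size, _chars) = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20  # COFF file header is 20 bytes; optional header follows
    (magic, linker_major, linker_minor, size_of_code,
     size_of_init_data, _size_of_uninit, entry_point) = struct.unpack_from("<HBBIIII", data, opt)
    if magic != IMAGE_NT_OPTIONAL_HDR32_MAGIC:
        raise ValueError("not a PE32 image (PE32+ has a different layout)")
    # Subsystem is at offset 68 of the PE32 optional header.
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]
    return {
        "machine": machine,
        "sections": num_sections,
        # TimeDateStamp is seconds since the Unix epoch, as written by the linker.
        "compile_timestamp": datetime.fromtimestamp(time_date_stamp, timezone.utc)
                                     .strftime("%Y-%m-%d %H:%M:%S"),
        "entry_point": entry_point,
        "linker_version": f"{linker_major}.{linker_minor}",
        "code_size": size_of_code,
        "initialized_data_size": size_of_init_data,
        "subsystem": SUBSYSTEMS.get(subsystem, f"unknown({subsystem})"),
    }


def build_sample_header() -> bytes:
    """Constructed PE32 headers carrying this report's values (i386, 3 sections,
    linker 6.0, entry 0x10B8, GUI subsystem). Not the real sample's bytes."""
    e_lfanew = 0x80
    ts = int(datetime(2017, 7, 31, 10, 15, 5, tzinfo=timezone.utc).timestamp())
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_I386, 3, ts, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<HBBIIII", opt, 0, IMAGE_NT_OPTIONAL_HDR32_MAGIC, 6, 0,
                     630784, 16384, 0, 0x10B8)
    struct.pack_into("<H", opt, 68, 2)  # IMAGE_SUBSYSTEM_WINDOWS_GUI
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    for key, value in parse_pe_header(build_sample_header()).items():
        print(f"{key}: {value:#x}" if isinstance(value, int) else f"{key}: {value}")
```

Running it against a real file is a matter of passing `open(path, "rb").read()` to `parse_pe_header`; the parser deliberately rejects PE32+ because the optional-header offsets used here only hold for PE32.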
PE sections
PE imports (importing DLL not listed; the names EVENT_SINK_*, __vbaExceptHandler, MethCallEngine and DllFunctionCall together with the ordinal-only imports are characteristic of a Visual Basic 6 executable, consistent with LinkerVersion 6.0 and the VBInject / Dropper.VB detection names above)
EVENT_SINK_QueryInterface
Ord(616)
Ord(582)
Ord(600)
Ord(539)
__vbaExceptHandler
Ord(100)
MethCallEngine
DllFunctionCall
Ord(542)
Ord(519)
EVENT_SINK_Release
Ord(713)
EVENT_SINK_AddRef
Ord(608)
Ord(544)
Ord(581)
Number of PE resources by type
RT_ICON 3
RT_VERSION 1
RT_GROUP_ICON 1
Number of PE resources by language
NEUTRAL 4
FINNISH DEFAULT 1
PE resources
ExifTool file metadata
SubsystemVersion 4.0
LinkerVersion 6.0
ImageVersion 1.0
FileSubtype 0
FileVersionNumber 1.0.0.5
UninitializedDataSize 0
LanguageCode Finnish
FileFlagsMask 0x0000
CharacterSet Unicode
InitializedDataSize 16384
EntryPoint 0x10b8
OriginalFileName Grammatite6.exe
MIMEType application/octet-stream
FileVersion 1.00.0005
TimeStamp 2017:07:31 11:15:05+01:00
FileType Win32 EXE
PEType PE32
InternalName Grammatite6
ProductVersion 1.00.0005
FileDescription Xiae
OSVersion 4.0
FileOS Win32
Subsystem Windows GUI
MachineType Intel 386 or later, and compatibles
CodeSize 630784
ProductName https:\\Xaai.NeO
ProductVersionNumber 1.0.0.5
FileTypeExtension exe
ObjectFileType Executable application
File identification
MD5 5e28aa7d4e48c41841852a991720e0c9
SHA1 948f892c05afe8380cdfc6126291f9ba202b7f84
SHA256 5b29aad543f2e008b7f07d9b598231ba023fb86d47430cbf096bc9b7e65e7954
ssdeep 12288:Ef75rGBZc4LryBvVKggsFxZlC7ash0jC:qOZX0tLT/sM
authentihash e930f52028d4d437a28e0b2d06c5b9494515c3ed3c294f7ad789bb1ab90ca3a1
imphash a60a8fef8a15cc73e0287d30a151b623
File size 624.0 KB ( 638976 bytes )
File type Win32 EXE
Magic literal PE32 executable for MS Windows (GUI) Intel 80386 32-bit
TrID Win32 Dynamic Link Library (generic) (43.5%)
Win32 Executable (generic) (29.8%)
Generic Win/DOS Executable (13.2%)
DOS Executable Generic (13.2%)
Tags peexe
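The imphash row above is the hash most useful for pivoting between samples built from the same source, because it depends on the import table rather than on the file bytes. The following is an added example of how that value is derived, using the Mandiant/pefile convention (DLL name lowercased with a .dll/.ocx/.sys extension dropped, imports by ordinal written as ordN, entries joined by commas in import-table order, MD5 over the result); it is not pefile itself and omits pefile's ordinal-to-name tables for ws2_32, wsock32 and oleaut32. The importing DLL for this sample is not shown on the page, so msvbvm60.dll is an assumption, and the order shown in the report may not be the import-table order; the hash the script prints is therefore not expected to equal the report's imphash.

```python
import hashlib
from typing import Iterable, Optional, Sequence, Tuple

# (dll, function name or None, ordinal or None). The sequence order must be
# the import-table order, because the hash is taken over the joined string.
Import = Tuple[str, Optional[str], Optional[int]]


def _normalise(dll: str, name: Optional[str], ordinal: Optional[int]) -> str:
    lib = dll.lower()
    base, dot, ext = lib.rpartition(".")
    if dot and ext in ("dll", "ocx", "sys"):
        lib = base
    if name is None:
        if ordinal is None:
            raise ValueError(f"{dll}: import has neither a name nor an ordinal")
        # pefile maps ordinals of ws2_32/wsock32/oleaut32 to names first; omitted here.
        func = f"ord{ordinal}"
    else:
        func = name.lower()
    return f"{lib}.{func}"


def imphash_string(imports: Iterable[Import]) -> str:
    """The comma-joined canonical string that gets hashed."""
    return ",".join(_normalise(*imp) for imp in imports)


def imphash(imports: Iterable[Import]) -> str:
    return hashlib.md5(imphash_string(imports).encode("ascii")).hexdigest()


# Import list from the report, in the order shown there. ASSUMED_DLL is an
# assumption (the page does not name the importing DLL).
ASSUMED_DLL = "MSVBVM60.DLL"
REPORT_IMPORTS: Sequence[Import] = [
    (ASSUMED_DLL, "EVENT_SINK_QueryInterface", None),
    (ASSUMED_DLL, None, 616), (ASSUMED_DLL, None, 582),
    (ASSUMED_DLL, None, 600), (ASSUMED_DLL, None, 539),
    (ASSUMED_DLL, "__vbaExceptHandler", None),
    (ASSUMED_DLL, None, 100),
    (ASSUMED_DLL, "MethCallEngine", None),
    (ASSUMED_DLL, "DllFunctionCall", None),
    (ASSUMED_DLL, None, 542), (ASSUMED_DLL, None, 519),
    (ASSUMED_DLL, "EVENT_SINK_Release", None),
    (ASSUMED_DLL, None, 713),
    (ASSUMED_DLL, "EVENT_SINK_AddRef", None),
    (ASSUMED_DLL, None, 608), (ASSUMED_DLL, None, 544), (ASSUMED_DLL, None, 581),
]

if __name__ == "__main__":
    print(imphash_string(REPORT_IMPORTS))
    print(imphash(REPORT_IMPORTS))
```

Two properties matter when using the value for pivoting: renaming the file or changing resources (icons, version info) leaves it untouched, while reordering or adding a single import changes it completely, which is why packers and VB6 stubs with identical runtime imports cluster tightly under it.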

VirusTotal metadata
First submission 2017-07-31 10:39:14 UTC
Last submission 2017-10-31 09:10:34 UTC
File names Grammatite6.exe
e1c952ab-7e6b-11e7-819f-80e65024849a.file
5e28aa7d4e48c41841852a991720e0c9
output.111849346.txt
2732a987-77be-11e7-8d54-80e65024849a.exe
wiree.exe
2732a987-77be-11e7-8d54-80e65024849a.file
wiree.exe
wiree.exe
wiree.exe.vir
2732a987-77be-11e7-8d54-80e65024849a.file.exe
efb93511-7f42-11e7-b5e4-80e65024849a.file
wiree.exe
5e28aa7d4e48c41841852a991720e0c9
output.111849346.txt
5e28aa7d4e48c41841852a991720e0c9.exe.bin
Grammatite6
wiree.exe.ubqu
Malware 29.exe
Condensed report. The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were performed either by the file itself or by any other process launched by the executed file or subjected to code injection by it.
Hooking activity
Runtime DLLs
Additional details
The file installs an application-defined hook procedure into a hook chain by calling SetWindowsHookEx (the report names the legacy SetWindowsHook entry point). A hook procedure monitors the system for particular types of events, either for a specific thread or, when the thread id argument is 0, for all threads on the same desktop as the caller. The report does not state which hook type (idHook) is installed, so whether this is an input-capture hook cannot be determined from this summary alone.
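When a sandbox trace does record the arguments, the hook id and thread id decide how the call should be read: a keyboard or mouse hook with dwThreadId 0 is the classic keylogger pattern, while a thread-local WH_CALLWNDPROC hook is ordinary GUI plumbing. The following is an added example, not the sandbox's own logic and not derived from this sample's report (which names the API but not the hook type); it parses constructed API-call trace lines in an assumed "pid api(name=value, ...) => ret" format and classifies each SetWindowsHook/SetWindowsHookEx call.

```python
import re
from typing import Dict, List, Optional

# idHook values from WinUser.h.
HOOK_IDS: Dict[int, str] = {
    -1: "WH_MSGFILTER", 0: "WH_JOURNALRECORD", 1: "WH_JOURNALPLAYBACK",
    2: "WH_KEYBOARD", 3: "WH_GETMESSAGE", 4: "WH_CALLWNDPROC", 5: "WH_CBT",
    6: "WH_SYSMSGFILTER", 7: "WH_MOUSE", 8: "WH_HARDWARE", 9: "WH_DEBUG",
    10: "WH_SHELL", 11: "WH_FOREGROUNDIDLE", 12: "WH_CALLWNDPROCRET",
    13: "WH_KEYBOARD_LL", 14: "WH_MOUSE_LL",
}
# Hook types whose procedure receives raw user input events.
INPUT_CAPTURE = {"WH_KEYBOARD", "WH_KEYBOARD_LL", "WH_MOUSE", "WH_MOUSE_LL",
                 "WH_JOURNALRECORD"}

# Assumed trace line format (constructed for this example):
#   <pid> <api>(<name>=<value>, ...) => <return value>
CALL = re.compile(r"^(?P<pid>\d+)\s+(?P<api>SetWindowsHook(?:Ex)?[AW]?)\((?P<args>[^)]*)\)")


def parse_hook_call(line: str) -> Optional[dict]:
    """Return a record for a SetWindowsHook(Ex) line, or None for any other line."""
    m = CALL.match(line)
    if m is None:
        return None
    args = {}
    for kv in m["args"].split(","):
        key, _, value = kv.strip().partition("=")
        args[key] = value
    hook_id = int(args["idHook"], 0)          # base 0 accepts "13" and "0xd"
    thread_id = int(args.get("dwThreadId", "0"), 0)
    hook = HOOK_IDS.get(hook_id, f"unknown({hook_id})")
    return {
        "pid": int(m["pid"]),
        "api": m["api"],
        "hook": hook,
        # dwThreadId == 0 installs the hook for every thread on the desktop.
        "global": thread_id == 0,
        "suspicious": hook in INPUT_CAPTURE,
    }


def triage(trace: str) -> List[dict]:
    """One record per hook-installation call found in the trace, in order."""
    calls = (parse_hook_call(line) for line in trace.splitlines())
    return [c for c in calls if c is not None]


# Constructed sample trace: a global low-level keyboard hook, a thread-local
# window-procedure hook, and an unrelated call that must be ignored.
SAMPLE_TRACE = """\
1234 SetWindowsHookExA(idHook=13, lpfn=0x00401b80, hMod=0x00400000, dwThreadId=0) => 0x0003045b
1234 SetWindowsHookExA(idHook=4, lpfn=0x00401c10, hMod=0x00400000, dwThreadId=0x1f4) => 0x00030461
1234 GetAsyncKeyState(vKey=0x41) => 0
"""

if __name__ == "__main__":
    for rec in triage(SAMPLE_TRACE):
        scope = "global" if rec["global"] else "thread-local"
        flag = "INPUT CAPTURE" if rec["suspicious"] else "ok"
        print(f"pid {rec['pid']}: {rec['api']} {rec['hook']} ({scope}) -> {flag}")
```

A global WH_KEYBOARD or WH_MOUSE hook (as opposed to the _LL variants) also forces the hook module, hMod, to be mapped into every GUI process on the desktop, so in that case the same call is both an input-capture and a code-injection indicator.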
UDP communications