× Cookies are disabled! This site requires cookies to be enabled to work properly
SHA256: 5f304e310a75cb985674b544b3e274480e08f22bc3ca852ea813184a2be76c2a
File name: 0x29ACAAD1.exe
Detection ratio: 35 / 42
Analysis date: 2011-05-16 07:59:26 UTC ( 3 years, 10 months ago ) View latest
Antivirus Result Update
AVG SHeur3.BUQW 20110515
AhnLab-V3 Win-Trojan/Injector.144384.AI 20110515
AntiVir TR/VBKrypt.cvcu 20110516
Antiy-AVL Trojan/win32.agent.gen 20110516
Avast Win32:Malware-gen 20110515
Avast5 Win32:Malware-gen 20110515
BitDefender Trojan.Generic.5791779 20110516
CAT-QuickHeal Trojan.VBKrypt.cvcu 20110516
Comodo TrojWare.Win32.Trojan.Agent.Gen 20110516
DrWeb Trojan.DownLoader2.34671 20110516
F-Secure Trojan.Generic.5791779 20110516
Fortinet W32/VBKrypt.CVCU!tr 20110514
GData Trojan.Generic.5791779 20110516
Ikarus Trojan.Injector 20110516
Jiangmin Trojan/Generic.espl 20110515
K7AntiVirus Trojan 20110514
Kaspersky Trojan.Win32.VBKrypt.cvcu 20110511
McAfee Generic.dx!yvn 20110516
McAfee-GW-Edition Heuristic.BehavesLike.Win32.Downloader.A 20110515
Microsoft Trojan:Win32/Malagent 20110516
NOD32 Win32/Dorkbot.A 20110516
Norman W32/Suspicious_Gen2.LIBTE 20110515
PCTools Trojan.IRCBot 20110513
Panda Trj/VB.ALFOOW 20110515
Prevx Medium Risk Malware 20110516
Sophos Mal/Generic-L 20110516
Symantec W32.IRCBot.NG 20110516
TheHacker Trojan/Injector.fuk 20110516
TrendMicro WORM_DORKBOT.MJM 20110516
TrendMicro-HouseCall WORM_DORKBOT.MJM 20110516
VBA32 Trojan.VBKrypt.cvcu 20110512
VIPRE Trojan.Win32.Generic!BT 20110516
ViRobot Trojan.Win32.S.VBKrypt.144384 20110516
VirusBuster Trojan.VBKrypt!z6P79ubcaBo 20110515
nProtect Trojan.Generic.5791779 20110516
ClamAV 20110516
Commtouch 20110516
F-Prot 20110516
Rising 20110514
SUPERAntiSpyware 20110516
eSafe 20110515
eTrust-Vet 20110513
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
Developer metadata
Copyright
qndhvqdbtpgtxzj

Publisher ZHPYZFPKJBXNVCLMDBEQVQPHTM
Product YZHPYZFPKJBXN
Original name oznsskai.exe
Internal name oznsskai
File version 18.29.0029
Description GDIDLWOUJKGSIOA
Comments YXBSRSMKTNREUVFWCAG
Packers identified
F-PROT UPX_LZMA
PEiD UPX 2.93 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2011-04-14 12:11:09
Link date 1:11 PM 4/14/2011
Entry Point 0x00207990
Number of sections 3
PE sections
PE imports
VirtualFree
ExitProcess
VirtualProtect
LoadLibraryA
VirtualAlloc
GetProcAddress
Ord(100)
Number of PE resources by type
RT_ICON 4
RT_VERSION 1
RT_GROUP_ICON 1
Number of PE resources by language
NEUTRAL 5
ENGLISH US 1
ExifTool file metadata
LegalTrademarks
aphfbvljueefg

SubsystemVersion
4.0

Comments
YXBSRSMKTNREUVFWCAG

InitializedDataSize
8192

ImageVersion
18.29

ProductName
YZHPYZFPKJBXN

FileVersionNumber
18.29.0.29

UninitializedDataSize
1990656

LanguageCode
English (U.S.)

FileFlagsMask
0x0000

CharacterSet
Unicode

LinkerVersion
6.0

OriginalFilename
oznsskai.exe

MIMEType
application/octet-stream

Subsystem
Windows GUI

FileVersion
18.29.0029

TimeStamp
2011:04:14 13:11:09+01:00

FileType
Win32 EXE

PEType
PE32

InternalName
oznsskai

FileAccessDate
2014:07:15 20:34:20+01:00

ProductVersion
18.29.0029

FileDescription
GDIDLWOUJKGSIOA

OSVersion
4.0

FileCreateDate
2014:07:15 20:34:20+01:00

FileOS
Win32

LegalCopyright
qndhvqdbtpgtxzj

MachineType
Intel 386 or later, and compatibles

CompanyName
ZHPYZFPKJBXNVCLMDBEQVQPHTM

CodeSize
139264

FileSubtype
0

ProductVersionNumber
18.29.0.29

EntryPoint
0x207990

ObjectFileType
Executable application

File identification
MD5 49169f698ea8c8d724b47c43a92863ef
SHA1 ec799cecfe18167a826633774f68401bc852bc65
SHA256 5f304e310a75cb985674b544b3e274480e08f22bc3ca852ea813184a2be76c2a
ssdeep
3072:/lz9T3+K7AjQJABzvUxCFGtlQSTg8vZ9aw0yeuDpGQFoutk:/fT3+q2fxl6v8K9awMuDFFoS

imphash be19e18d6a8b41631d40059031a928bb
File size 141.0 KB ( 144384 bytes )
File type Win32 EXE
Magic literal
PE32 executable for MS Windows (GUI) Intel 80386 32-bit

TrID UPX compressed Win32 Executable (42.3%)
Win32 EXE Yoda's Crypter (36.7%)
Win32 Dynamic Link Library (generic) (9.1%)
Win32 Executable (generic) (6.2%)
Generic Win/DOS Executable (2.7%)
Tags
peexe upx usb-autorun

VirusTotal metadata
First submission 2011-04-14 14:02:24 UTC ( 3 years, 11 months ago )
Last submission 2011-05-16 07:59:26 UTC ( 3 years, 10 months ago )
File names oznsskai.exe
file-2149156_fil
oznsskai
Aiusus.exe
cc204afd79b962b02670fd6f8ed05f53
0x29ACAAD1.exe
49169f698ea8c8d724b47c43a92863ef
[14335]1.exe.#
9FA2AC8B00807F24343F028B834C7A0042CF126C.tmp
834300
49169f698ea8c8d724b47c43a92863ef.exe
Advanced heuristic and reputation engines
ClamAV PUA
Possibly Unwanted Application. While not necessarily malicious, the scanned file presents certain characteristics which depending on the user policies and environment may or may not represent a threat. For full details see: http://www.clamav.net/doc/pua.html .

Behaviour characterization
No comments. No VirusTotal Community member has commented on this item yet, be the first one to do so!

Leave your comment...

?
Post comment

You have not signed in. Only registered users can leave comments, sign in and have a voice!

No votes. No one has voted on this item yet, be the first one to do so!
Condensed report! The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.
Created processes
Hooking activity
Runtime DLLs
Additional details
The file sends control codes directly to certain device drivers making use of the DeviceIoControl Windows API function.
The file installs an application-defined hook procedure into a hook chain. You would install a hook procedure to monitor the system for certain types of events. These events are associated either with a specific thread or with all threads in the same desktop as the calling thread. This is done making use of the SetWindowsHook Windows API function.