SHA256: 6028cf4c09da8a082ef19e29074d565f465a04bc4275e7c578e367139dc138cf
File name: bbm.exe
Detection ratio: 43 / 57
Analysis date: 2016-05-03 03:48:43 UTC ( 2 years, 9 months ago )
Antivirus Result Update
Ad-Aware Trojan.Generic.11339398 20160503
ALYac Trojan.Generic.11339398 20160503
Arcabit Trojan.Generic.DAD0686 20160503
Avast MSIL:GenMalicious-ANI [Trj] 20160503
AVG Autoit 20160503
Avira (no cloud) TR/Spy.Gen 20160502
AVware Trojan.Win32.Generic!BT 20160503
Baidu AutoIt.Worm.Agent.c 20160429
Baidu-International Trojan.Win32.Dropper.aclym 20160502
BitDefender Trojan.Generic.11339398 20160503
ClamAV Win.Trojan.Generickd-283 20160502
CMC Trojan.Win32.Generic!O 20160429
Comodo UnclassifiedMalware 20160502
Cyren W32/GenBl.A0511114!Olympus 20160502
DrWeb Trojan.Siggen6.8000 20160503
Emsisoft Trojan.Generic.11339398 (B) 20160503
ESET-NOD32 Win32/Autoit.KD 20160503
F-Secure Trojan.Generic.11339398 20160503
Fortinet W32/FrauDrop.ACLYM!tr 20160503
GData Trojan.Generic.11339398 20160503
Ikarus Trojan.Win32.Comitsproc 20160502
K7AntiVirus Trojan ( 700000111 ) 20160502
K7GW Trojan ( 700000111 ) 20160503
Kaspersky Trojan-Dropper.Win32.FrauDrop.aclym 20160503
Malwarebytes Backdoor.Agent.AI 20160503
McAfee Generic Dropper.p 20160503
McAfee-GW-Edition BehavesLike.Win32.TrojanXtreme.tc 20160502
Microsoft Worm:Win32/Jenxcus.N 20160503
eScan Trojan.Generic.11339398 20160503
NANO-Antivirus Trojan.Win32.FrauDrop.cuupcy 20160503
nProtect Trojan.Generic.11339398 20160502
Panda Trj/Dropper.JUW 20160502
Qihoo-360 Malware.Radar01.Gen 20160503
Rising Trjoan.Generic-O1s6KqadoWQ (Cloud) 20160503
Sophos AV Troj/Agent-AJPF 20160503
Symantec Suspicious.Cloud.9 20160503
Tencent Win32.Trojan.Spy.Ljjl 20160503
TrendMicro TROJ_SPNR.11B714 20160503
TrendMicro-HouseCall TROJ_SPNR.11B714 20160503
VBA32 Trojan.Autoit.Wirus 20160502
VIPRE Trojan.Win32.Generic!BT 20160503
ViRobot Dropper.A.FrauDrop.1766400[h] 20160503
Zillya Dropper.FrauDrop.Win32.9991 20160502
AegisLab 20160502
AhnLab-V3 20160502
Alibaba 20160503
Antiy-AVL 20160503
Bkav 20160429
CAT-QuickHeal 20160502
F-Prot 20160502
Jiangmin 20160503
Kingsoft 20160503
SUPERAntiSpyware 20160503
TheHacker 20160502
TotalDefense 20160502
Yandex 20160502
Zoner 20160503
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
FileVersionInfo properties
File version 3, 3, 8, 1
Packers identified
F-PROT AutoIt, UTF-8, UPX
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2012-01-29 21:32:28
Entry Point 0x000E8EF0
Number of sections 3
PE sections
Overlays
MD5 696a00dedda6174cf017b4de1d0052ba
File type data (libmagic recognizes no known format)
Offset 501760
Size 1264640 (501760 + 1264640 = 1766400, so the overlay runs to the end of the file)
Entropy 8.00 (the maximum; consistent with compressed or encrypted content)
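The overlay numbers above are computed from the section table alone: whatever lies past the end of the last section's raw data is overlay, and its entropy tells you whether it is plain data or a compressed/encrypted payload (here 8.00, the theoretical maximum). The following is an added example, not code from the VirusTotal report; it builds a minimal PE32 image in memory so it runs offline, and that synthetic image and its appended payload are assumptions for illustration only.

```python
"""Locate a PE overlay and measure its entropy.

Added example, not part of the VirusTotal report. The overlay starts at the
largest PointerToRawData + SizeOfRawData over all section headers; its
entropy separates plain data (low) from packed or encrypted content (near 8).
build_sample_pe() constructs a minimal PE32 image so this runs offline; the
image and the payload appended to it are assumptions for illustration.
"""
import hashlib
import math
import struct
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant run, 8.0 for a
    uniform byte distribution (what compressed or encrypted data looks like)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def overlay_offset(pe: bytes) -> int:
    """File offset where the overlay starts: end of the last section's raw data
    (clamped to the file length for truncated images)."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4                        # IMAGE_FILE_HEADER, 20 bytes
    (num_sections,) = struct.unpack_from("<H", pe, coff + 2)
    (opt_size,) = struct.unpack_from("<H", pe, coff + 16)
    sections = coff + 20 + opt_size            # first IMAGE_SECTION_HEADER
    end = 0
    for i in range(num_sections):
        # SizeOfRawData at +16 and PointerToRawData at +20 of the 40-byte header
        raw_size, raw_ptr = struct.unpack_from("<II", pe, sections + i * 40 + 16)
        end = max(end, raw_ptr + raw_size)
    return min(end, len(pe))


def overlay_info(pe: bytes) -> dict:
    """Offset, size, entropy and MD5 of the overlay (size 0 if there is none)."""
    off = overlay_offset(pe)
    data = pe[off:]
    return {
        "offset": off,
        "size": len(data),
        "entropy": round(shannon_entropy(data), 2),
        "md5": hashlib.md5(data).hexdigest(),
    }


def build_sample_pe(overlay: bytes) -> bytes:
    """Constructed minimal PE32: DOS header, one 512-byte .text section, then
    `overlay` appended. Not a real sample, just enough structure to parse."""
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 224                             # PE32 optional header size
    # IMAGE_FILE_HEADER: Machine=i386, 1 section, no symbols, EXECUTABLE|32BIT
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x0102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)   # PE32 magic, rest zero
    headers_end = e_lfanew + 4 + 20 + opt_size + 40
    raw_ptr = (headers_end + 0x1FF) & ~0x1FF                  # 512-byte file alignment
    raw_size = 0x200
    section = struct.pack("<8sIIIIIIHHI", b".text", 0x1000, 0x1000,
                          raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
    headers = dos_header + b"PE\0\0" + coff + opt + section
    headers += b"\0" * (raw_ptr - len(headers))
    return headers + b"\x90" * raw_size + overlay


if __name__ == "__main__":
    # A byte-uniform payload stands in for a compressed script: entropy 8.0.
    sample = build_sample_pe(bytes(range(256)) * 4)
    print(overlay_info(sample))
```

On a real file, read it into `pe` and call `overlay_info(pe)`; an offset that equals the file size means there is no overlay, and an entropy near 8 over a large overlay is the signal the report's "overlay" and "upx" tags are summarizing.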
PE imports
ImageList_Remove
GetSaveFileNameW
LineTo
VirtualFree
ExitProcess
VirtualProtect
LoadLibraryA
VirtualAlloc
GetProcAddress
WNetGetConnectionW
VariantInit
EnumProcesses
DragFinish
LoadUserProfileW
VerQueryValueW
FtpOpenFileW
timeGetTime
CoInitialize
Number of PE resources by type
RT_ICON 12
RT_STRING 7
RT_GROUP_ICON 4
RT_DIALOG 1
RT_MANIFEST 1
RT_MENU 1
RT_VERSION 1
Number of PE resources by language
ENGLISH UK 25
ENGLISH US 2
PE resources
ExifTool file metadata
UninitializedDataSize 679936
LinkerVersion 10.0
ImageVersion 0.0
FileVersionNumber 3.3.8.1
LanguageCode English (British)
FileFlagsMask 0x0017
CharacterSet Unicode
InitializedDataSize 233472
EntryPoint 0xe8ef0
MIMEType application/octet-stream
FileVersion 3, 3, 8, 1
TimeStamp 2012:01:29 22:32:28+01:00
FileType Win32 EXE
PEType PE32
SubsystemVersion 5.0
OSVersion 5.0
FileOS Win32
Subsystem Windows GUI
CompiledScript AutoIt v3 Script: 3, 3, 8, 1
MachineType Intel 386 or later, and compatibles
CodeSize 274432
FileSubtype 0
ProductVersionNumber 3.3.8.1
FileTypeExtension exe
ObjectFileType Unknown
File identification
MD5 a0511114a5012fc9689d354ba904b6fa
SHA1 a41b8ea89ea6320206f0af29769bf3a5f8226c7a
SHA256 6028cf4c09da8a082ef19e29074d565f465a04bc4275e7c578e367139dc138cf
ssdeep 49152:HEVUcrmPwn5ImGJz9EuYsaukThVrdd7VIu:HE3rHn5ImGzThaukFVrH7Vn
authentihash 626b1a2b72363a41065153c1f46416cf4859be5173038b8542332c229bcd98c6
imphash 890e522b31701e079a367b89393329e6
File size 1.7 MB ( 1766400 bytes )
File type Win32 EXE
Magic literal PE32 executable for MS Windows (GUI) Intel 80386 32-bit
TrID AutoIt3 compiled script executable (87.6%)
UPX compressed Win32 Executable (5.2%)
Win32 EXE Yoda's Crypter (4.5%)
Win32 Dynamic Link Library (generic) (1.1%)
Win32 Executable (generic) (0.7%)
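The imphash in the file identification block is the MD5 of the import table rendered as a comma-joined list of lower-cased "dll.function" pairs, so it fingerprints whatever code owns the import table. The import list earlier on this page is six kernel32 loader functions (VirtualAlloc, VirtualProtect, VirtualFree, LoadLibraryA, GetProcAddress, ExitProcess) plus roughly one function per other DLL, which is the shape a UPX stub's import table takes; an imphash of such a file identifies the packer stub rather than the script it carries. The following is an added example, not code from the report or from VirusTotal: it implements the imphash algorithm on a constructed import list. Because the report gives function names without their DLLs, the page's value 890e522b31701e079a367b89393329e6 cannot be recomputed here, and the DLL assignments below are assumptions.

```python
"""Compute an import hash (imphash) as defined by Mandiant and used by pefile.

Added example, not part of the VirusTotal report. Algorithm: for each imported
symbol, in import-table order, take "<dll>.<symbol>" lower-cased, with a
trailing .dll/.ocx/.sys stripped from the DLL name and "ordN" for imports by
ordinal; join with commas and MD5 the result. pefile additionally resolves the
ordinals of a few well-known libraries (oleaut32, ws2_32, wsock32) to names;
this version keeps them as "ordN". The import list below is constructed.
"""
import hashlib
from typing import Iterable, List, Optional, Tuple

# (dll name as in the import directory, function name or None, ordinal or None)
ImportEntry = Tuple[str, Optional[str], Optional[int]]


def _normalize_dll(dll: str) -> str:
    """Lower-case and strip a known library extension, as imphash requires."""
    lib = dll.lower()
    for ext in (".dll", ".ocx", ".sys"):
        if lib.endswith(ext):
            return lib[: -len(ext)]
    return lib


def imphash_string(imports: Iterable[ImportEntry]) -> str:
    """The comma-joined 'dll.symbol' list that gets hashed (order matters)."""
    parts = []
    for dll, name, ordinal in imports:
        if name is None:
            if ordinal is None:
                raise ValueError(f"{dll}: import has neither name nor ordinal")
            symbol = f"ord{ordinal}"
        else:
            symbol = name.lower()
        parts.append(f"{_normalize_dll(dll)}.{symbol}")
    return ",".join(parts)


def imphash(imports: Iterable[ImportEntry]) -> str:
    """MD5 hex digest of imphash_string()."""
    return hashlib.md5(imphash_string(imports).encode("ascii")).hexdigest()


# Constructed import table (assumption): the kernel32 functions a UPX stub
# keeps, one name from another DLL, and one import by ordinal.
SAMPLE_IMPORTS: List[ImportEntry] = [
    ("KERNEL32.DLL", "LoadLibraryA", None),
    ("KERNEL32.DLL", "GetProcAddress", None),
    ("KERNEL32.DLL", "VirtualProtect", None),
    ("KERNEL32.DLL", "VirtualAlloc", None),
    ("KERNEL32.DLL", "VirtualFree", None),
    ("KERNEL32.DLL", "ExitProcess", None),
    ("WININET.dll", "FtpOpenFileW", None),
    ("MPR.dll", None, 5),                 # by ordinal -> "mpr.ord5"
]

if __name__ == "__main__":
    print(imphash_string(SAMPLE_IMPORTS))
    print(imphash(SAMPLE_IMPORTS))
```

Two consequences worth remembering when pivoting on an imphash: it is order-sensitive, so two binaries with the same imports in a different order hash differently, and for packed samples like this one every file produced by the same packer version tends to share it, which makes it a packer indicator rather than a family indicator.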
Tags
peexe usb-autorun upx overlay

VirusTotal metadata
First submission 2014-01-14 16:41:59 UTC ( 5 years, 1 month ago )
Last submission 2014-02-06 08:52:03 UTC ( 5 years ago )
File names bbm.exe
vt-upload-I8VQj
Advanced heuristic and reputation engines
ClamAV
Possibly Unwanted Application. While not necessarily malicious, the scanned file presents certain characteristics which depending on the user policies and environment may or may not represent a threat. For full details see: https://www.clamav.net/documents/potentially-unwanted-applications-pua .

Symantec reputation Suspicious.Insight
Condensed report! The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.
Opened files
Read files
Written files
Copied files
Deleted files
Created processes
Shell commands
Created mutexes
Opened mutexes
Opened service managers
Opened services
Runtime DLLs
Additional details
The file calls the IsDebuggerPresent Windows API function to check whether it is running under a debugger.
The file sends control codes directly to device drivers through the DeviceIoControl Windows API function.
DNS requests
TCP connections