SHA256: 6661fbabd3c31b4291f30e390d92e6dc5eee72560a39dc4d00610b8d6c0e606c
File name: a79ab76d2451d7373d3804b59dc1dfb8
Detection ratio: 38 / 57
Analysis date: 2015-02-10 20:09:01 UTC
Antivirus Result Update
Ad-Aware Gen:Variant.Jaik.361 20150210
Yandex Trojan.DR.VB!6xasTUs0Y2M 20150210
AhnLab-V3 Spyware/Win32.Zbot 20150210
ALYac Gen:Variant.Jaik.361 20150210
Antiy-AVL Trojan[Spy]/Win32.Zbot 20150210
Avast Win32:Zbot-TNS [Trj] 20150210
Avira (no cloud) TR/Dropper.VB.Gen8 20150210
AVware Trojan.Win32.Generic!BT 20150210
BitDefender Gen:Variant.Jaik.361 20150210
ByteHero Virus.Win32.Heur.p 20150210
CAT-QuickHeal VirTool.VBInject.LE3 20150205
CMC Heur.Win32.Veebee.1!O 20150209
Cyren W32/Trojan.UXSL-8574 20150210
DrWeb Trojan.PWS.Panda.786 20150210
Emsisoft Gen:Variant.Jaik.361 (B) 20150210
ESET-NOD32 Win32/Spy.Zbot.YW 20150210
F-Secure Gen:Variant.Jaik.361 20150210
Fortinet W32/VB.ALO!tr 20150210
GData Gen:Variant.Jaik.361 20150210
Ikarus Trojan-Spy.Win32.Zbot 20150210
K7AntiVirus Spyware ( 00009b291 ) 20150210
K7GW Spyware ( 00009b291 ) 20150210
Kaspersky Trojan-Spy.Win32.Zbot.ranw 20150210
Kingsoft Win32.Troj.Zbot.ra.(kcloud) 20150210
Malwarebytes Backdoor.DarkKomet 20150210
McAfee PWSZbot-FLW!A79AB76D2451 20150210
McAfee-GW-Edition BehavesLike.Win32.PWSZbot.dc 20150210
Microsoft PWS:Win32/Zbot 20150210
eScan Gen:Variant.Jaik.361 20150210
Panda Generic Malware 20150210
Qihoo-360 HEUR/QVM03.0.Malware.Gen 20150210
Rising PE:Malware.XPACK-HIE/Heur!1.9C48 20150210
Sophos Mal/VB-ALO 20150210
SUPERAntiSpyware Questionable.Resource 20150210
Symantec Trojan.Zbot 20150210
VBA32 TrojanSpy.Zbot 20150210
VIPRE Trojan.Win32.Generic!BT 20150210
Zillya Trojan.Zbot.Win32.144322 20150210
Not detected (19 of 57 engines; engine update date shown)
AegisLab 20150210
Alibaba 20150210
AVG 20150210
Baidu-International 20150210
Bkav 20150210
ClamAV 20150210
Comodo 20150210
F-Prot 20150210
Jiangmin 20150210
NANO-Antivirus 20150210
Norman 20150210
nProtect 20150210
Tencent 20150210
TheHacker 20150209
TotalDefense 20150210
TrendMicro 20150210
TrendMicro-HouseCall 20150210
ViRobot 20150210
Zoner 20150209
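The detection table above is only useful once it is turned into two numbers: how many engines flagged the file, and which family name the labels agree on. The following is an added example, not part of the VirusTotal page: the rows are copied from the report exactly as extracted, while the row parser, the family keyword list, and the assumption that "Zbot" and Dr.Web's "Panda" both denote the Zeus family are the editor's own.

```python
"""Triage the detection table copied from this VirusTotal report.

Added example, not part of the VirusTotal page. Rows are copied from the report
as extracted; the parser, the keyword list and the alias assumption that "zbot"
and Dr.Web's "Panda" both denote the Zeus family are the editor's own.
"""
import re
from collections import Counter

# "<engine> [<label>] <update date>"; a row without a label means not flagged.
DETECTION_TABLE = """\
Ad-Aware Gen:Variant.Jaik.361 20150210
Yandex Trojan.DR.VB!6xasTUs0Y2M 20150210
AhnLab-V3 Spyware/Win32.Zbot 20150210
ALYac Gen:Variant.Jaik.361 20150210
Antiy-AVL Trojan[Spy]/Win32.Zbot 20150210
Avast Win32:Zbot-TNS [Trj] 20150210
Avira (no cloud) TR/Dropper.VB.Gen8 20150210
AVware Trojan.Win32.Generic!BT 20150210
BitDefender Gen:Variant.Jaik.361 20150210
ByteHero Virus.Win32.Heur.p 20150210
CAT-QuickHeal VirTool.VBInject.LE3 20150205
CMC Heur.Win32.Veebee.1!O 20150209
Cyren W32/Trojan.UXSL-8574 20150210
DrWeb Trojan.PWS.Panda.786 20150210
Emsisoft Gen:Variant.Jaik.361 (B) 20150210
ESET-NOD32 Win32/Spy.Zbot.YW 20150210
F-Secure Gen:Variant.Jaik.361 20150210
Fortinet W32/VB.ALO!tr 20150210
GData Gen:Variant.Jaik.361 20150210
Ikarus Trojan-Spy.Win32.Zbot 20150210
K7AntiVirus Spyware ( 00009b291 ) 20150210
K7GW Spyware ( 00009b291 ) 20150210
Kaspersky Trojan-Spy.Win32.Zbot.ranw 20150210
Kingsoft Win32.Troj.Zbot.ra.(kcloud) 20150210
Malwarebytes Backdoor.DarkKomet 20150210
McAfee PWSZbot-FLW!A79AB76D2451 20150210
McAfee-GW-Edition BehavesLike.Win32.PWSZbot.dc 20150210
Microsoft PWS:Win32/Zbot 20150210
eScan Gen:Variant.Jaik.361 20150210
Panda Generic Malware 20150210
Qihoo-360 HEUR/QVM03.0.Malware.Gen 20150210
Rising PE:Malware.XPACK-HIE/Heur!1.9C48 20150210
Sophos Mal/VB-ALO 20150210
SUPERAntiSpyware Questionable.Resource 20150210
Symantec Trojan.Zbot 20150210
VBA32 TrojanSpy.Zbot 20150210
VIPRE Trojan.Win32.Generic!BT 20150210
Zillya Trojan.Zbot.Win32.144322 20150210
AegisLab 20150210
Alibaba 20150210
AVG 20150210
Baidu-International 20150210
Bkav 20150210
ClamAV 20150210
Comodo 20150210
F-Prot 20150210
Jiangmin 20150210
NANO-Antivirus 20150210
Norman 20150210
nProtect 20150210
Tencent 20150210
TheHacker 20150209
TotalDefense 20150210
TrendMicro 20150210
TrendMicro-HouseCall 20150210
ViRobot 20150210
Zoner 20150209
"""

# Engine is the first token (plus " (no cloud)" for Avira), date is the final
# 8-digit token, and whatever sits between is the label, possibly empty.
ROW_RE = re.compile(r"(?P<engine>\S+(?: \(no cloud\))?)\s+(?P<label>.*?)\s*(?P<date>\d{8})")

def parse_rows(text=DETECTION_TABLE):
    """Return (engine, label or None, update_date) for every non-empty row."""
    rows = []
    for line in filter(None, map(str.strip, text.splitlines())):
        m = ROW_RE.fullmatch(line)
        if m is None:
            raise ValueError(f"unparsed row: {line!r}")
        rows.append((m["engine"], m["label"] or None, m["date"]))
    return rows

def detection_ratio(rows):
    """(flagged, total), the figure the report shows as 'Detection ratio'."""
    return sum(1 for _, label, _ in rows if label), len(rows)

# Keyword -> canonical family (assumption: zbot and Panda are Zeus). Substring
# matching on the lowercased label catches "PWSZbot" and "Zbot-TNS" spellings.
FAMILY_KEYWORDS = {"zbot": "zeus", "panda": "zeus", "jaik": "jaik",
                   "darkkomet": "darkkomet", "veebee": "veebee", "vbinject": "vbinject"}

def family_votes(rows):
    """Number of engines whose label mentions each canonical family."""
    votes = Counter()
    for _, label, _ in rows:
        if label:
            low = label.lower()
            votes.update({canon for kw, canon in FAMILY_KEYWORDS.items() if kw in low})
    return votes
```

Calling `detection_ratio(parse_rows())` reproduces the report's 38 / 57, and `family_votes(...)` shows the labels splitting between a Zeus/Zbot consensus and a generic Jaik heuristic, with Malwarebytes' DarkKomet label an outlier worth a second look rather than a vote.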
The file is a Portable Executable: a Win32 EXE for the Windows GUI subsystem.
FileVersionInfo properties
Copyright: Copyright © 1998-2005 Mark Russinovich
Publisher: RoseCitySoftware
Product: Barbas chromato preballo unamendi
Original name: Pseudobr.exe
Internal name: Pseudobr
File version: 1.00.0004
Description: Dermaton essee
The version resource is written by whoever builds the binary and is verified by nothing: here a copyright string attributed to Mark Russinovich (Sysinternals) sits next to an unrelated publisher name and random-word product and description strings. Treat these values as pivots for hunting related samples, not as evidence of origin.
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2013-12-20 20:54:54
Entry Point 0x000012F4
Number of sections 3
PE sections
PE imports
_adj_fdiv_m32
__vbaChkstk
Ord(546)
EVENT_SINK_Release
__vbaEnd
EVENT_SINK_QueryInterface
_allmul
_adj_fdivr_m64
_adj_fprem
Ord(525)
_adj_fpatan
EVENT_SINK_AddRef
__vbaDateVar
__vbaInStr
_adj_fdiv_m32i
Ord(608)
__vbaExceptHandler
__vbaSetSystemError
__vbaFreeVarList
DllFunctionCall
__vbaFPException
_CIexp
__vbaStrVarMove
_adj_fdivr_m16i
Ord(618)
Ord(589)
Ord(100)
__vbaI2Var
__vbaFreeVar
__vbaBoolVarNull
_adj_fprem1
__vbaCySub
__vbaI2Str
_adj_fdiv_r
_adj_fdiv_m64
Ord(542)
__vbaFreeObj
__vbaHresultCheckObj
_CIsqrt
_CIsin
_CIlog
__vbaStrCopy
_CIcos
_adj_fptan
Ord(696)
Ord(610)
__vbaI4Var
__vbaVarCmpNe
__vbaVarMove
__vbaErrorOverflow
_CIatan
__vbaI2I4
__vbaNew2
_adj_fdivr_m32i
__vbaVarNot
__vbaStrMove
Ord(588)
_adj_fdivr_m32
_CItan
Ord(598)
__vbaFreeStr
_adj_fdiv_m16i
Number of PE resources by type
RT_ICON 4
RT_VERSION 1
RT_GROUP_ICON 1
Number of PE resources by language
NEUTRAL 5
ENGLISH US 1
PE resources
ExifTool file metadata
LegalTrademarks: Copyright 1998-2005 Mark Russinovich
FileDescription: Dermaton essee
InitializedDataSize: 36864
ImageVersion: 1.0
ProductName: Barbas chromato preballo unamendi
FileVersionNumber: 1.0.0.4
LanguageCode: English (U.S.)
FileFlagsMask: 0x0000
CharacterSet: Unicode
LinkerVersion: 6.0
OriginalFilename: Pseudobr.exe
MIMEType: application/octet-stream
Subsystem: Windows GUI
FileVersion: 1.00.0004
TimeStamp: 2013:12:20 21:54:54+01:00
FileType: Win32 EXE
PEType: PE32
InternalName: Pseudobr
SubsystemVersion: 4.0
FileAccessDate: 2015:02:10 21:09:13+01:00
ProductVersion: 1.00.0004
UninitializedDataSize: 0
OSVersion: 4.0
FileCreateDate: 2015:02:10 21:09:13+01:00
FileOS: Win32
LegalCopyright: Copyright 1998-2005 Mark Russinovich
MachineType: Intel 386 or later, and compatibles
CompanyName: RoseCitySoftware
CodeSize: 212992
FileSubtype: 0
ProductVersionNumber: 1.0.0.4
EntryPoint: 0x12f4
ObjectFileType: Executable application

File identification
MD5 a79ab76d2451d7373d3804b59dc1dfb8
SHA1 57fb8010fd8f614e36296b6489f5038f3bfb13f7
SHA256 6661fbabd3c31b4291f30e390d92e6dc5eee72560a39dc4d00610b8d6c0e606c
ssdeep 6144:CM/g76NFTJNvy7LHF7x0pdqIQeYzIfCidqXbFCQLNldqY/:CeU6e7LHFy/qIH1dKCGldqU

authentihash 57f84431e63a02cab08641d10a76924ba6547ca52458c155cc59eac33c67e91d
imphash 67f06160b32ce3b50b8bc230421381bd
File size 285.0 KB ( 291840 bytes )
File type Win32 EXE
Magic literal PE32 executable for MS Windows (GUI) Intel 80386 32-bit

TrID Win32 Executable Microsoft Visual Basic 6 (69.4%)
Win64 Executable (generic) (23.3%)
Win32 Executable (generic) (3.8%)
Generic Win/DOS Executable (1.6%)
DOS Executable Generic (1.6%)
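The imphash above is derived from the import list in the PE imports section, so it is worth seeing exactly how that list is folded into a digest and why, for this sample, the digest is a weak pivot. The block below is an added example, not VirusTotal's or pefile's code. It reimplements the normalisation pefile applies (DLL name lowercased with a trailing .dll/.ocx/.sys dropped, function names lowercased, ordinals written `ordN`, elements joined with commas and MD5-hashed) and feeds it the 62 names listed in this report. Two assumptions are labelled in the code: that every listed import resolves from MSVBVM60.DLL (the report does not show the DLL name, but the `__vba*`, `_adj_*`, `_CI*`, `EVENT_SINK_*` and `DllFunctionCall` exports are the VB6 runtime's), and that the page's order is the import-table order, which it need not be; the computed value is therefore not expected to equal the report's 67f06160b32ce3b50b8bc230421381bd. pefile also resolves ordinals of a few well-known DLLs (ws2_32, oleaut32) to names before hashing, a step skipped here since it does not apply to the VB runtime.

```python
"""Reproduce the imphash normalisation that VirusTotal (via pefile) applies.

Added example, not VirusTotal's or pefile's code. Assumptions: the import
names below, copied from this report, all resolve from MSVBVM60.DLL (the page
does not show the DLL name), and they are listed in the page's order, which
need not be the binary's import-table order, so the digest computed here is
not expected to equal the report's imphash.
"""
import hashlib
import re

# Import names exactly as listed in the report; ordinals appear as "Ord(N)".
REPORT_IMPORTS = """
_adj_fdiv_m32 __vbaChkstk Ord(546) EVENT_SINK_Release __vbaEnd
EVENT_SINK_QueryInterface _allmul _adj_fdivr_m64 _adj_fprem Ord(525)
_adj_fpatan EVENT_SINK_AddRef __vbaDateVar __vbaInStr _adj_fdiv_m32i Ord(608)
__vbaExceptHandler __vbaSetSystemError __vbaFreeVarList DllFunctionCall
__vbaFPException _CIexp __vbaStrVarMove _adj_fdivr_m16i Ord(618) Ord(589)
Ord(100) __vbaI2Var __vbaFreeVar __vbaBoolVarNull _adj_fprem1 __vbaCySub
__vbaI2Str _adj_fdiv_r _adj_fdiv_m64 Ord(542) __vbaFreeObj __vbaHresultCheckObj
_CIsqrt _CIsin _CIlog __vbaStrCopy _CIcos _adj_fptan Ord(696) Ord(610)
__vbaI4Var __vbaVarCmpNe __vbaVarMove __vbaErrorOverflow _CIatan __vbaI2I4
__vbaNew2 _adj_fdivr_m32i __vbaVarNot __vbaStrMove Ord(588) _adj_fdivr_m32
_CItan Ord(598) __vbaFreeStr _adj_fdiv_m16i
""".split()

ORD_RE = re.compile(r"Ord\((\d+)\)")

def normalise_import(dll, func):
    """One 'dll.func' element in pefile's imphash form.

    dll is lowercased and loses a trailing .dll/.ocx/.sys; func is either a
    name (lowercased) or an int ordinal rendered as 'ordN'.
    """
    lib = dll.lower()
    base, dot, ext = lib.rpartition(".")
    if dot and ext in ("dll", "ocx", "sys"):
        lib = base
    name = f"ord{func}" if isinstance(func, int) else func.lower()
    return f"{lib}.{name}"

def imphash_string(imports):
    """imports: iterable of (dll, [names or int ordinals]) in import-table order."""
    parts = []
    for dll, funcs in imports:
        parts.extend(normalise_import(dll, f) for f in funcs)
    return ",".join(parts)

def imphash(imports):
    """MD5 of the comma-joined normalised import list, as pefile computes it."""
    return hashlib.md5(imphash_string(imports).encode("ascii")).hexdigest()

def parse_report_names(names):
    """Turn the report's 'Ord(N)' spellings into int ordinals, leave names alone."""
    out = []
    for n in names:
        m = ORD_RE.fullmatch(n)
        out.append(int(m.group(1)) if m else n)
    return out

def imphash_from_pe(pe):
    """Same computation fed from a pefile.PE object (pefile only needed here)."""
    imports = []
    for entry in getattr(pe, "DIRECTORY_ENTRY_IMPORT", []):
        funcs = [imp.ordinal if imp.name is None else imp.name.decode("ascii")
                 for imp in entry.imports]
        imports.append((entry.dll.decode("ascii"), funcs))
    return imphash(imports)

if __name__ == "__main__":
    # Assumption: all 62 listed imports come from MSVBVM60.DLL.
    vb_imports = [("MSVBVM60.DLL", parse_report_names(REPORT_IMPORTS))]
    print(imphash_string(vb_imports)[:72] + "...")
    print(imphash(vb_imports))
```

The practical caveat this makes visible: every element of the hashed string starts with `msvbvm60.`, so the digest characterises which VB6 runtime helpers the compiler emitted, not what the program does. Any VB6 binary with the same runtime usage shares it, and the Win32 calls that matter (the DeviceIoControl and hook APIs noted in the behaviour section) are resolved at run time through DllFunctionCall and never enter the import table at all.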
Tags
peexe

VirusTotal metadata
First submission 2015-02-10 20:09:01 UTC
Last submission 2015-02-10 20:09:01 UTC
File names Pseudobr.exe
a79ab76d2451d7373d3804b59dc1dfb8
Pseudobr
Condensed report! The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.
Opened files
Created processes
Terminated processes
Opened mutexes
Hooking activity
Runtime DLLs
Additional details
The file sends control codes directly to device drivers through the DeviceIoControl Windows API function.
The file installs an application-defined hook procedure into a hook chain via the SetWindowsHook / SetWindowsHookEx Windows API functions. A hook procedure lets a program monitor events such as keyboard and mouse input or window messages, either for a specific thread or for all threads on the same desktop as the calling thread, which is why keyboard hooks are a classic keylogging technique. Neither API appears in the static import table above, which lists only the Visual Basic 6 runtime's exports: a VB6 program reaches Win32 functions through Declare statements that the runtime resolves at run time via DllFunctionCall, so the sandbox's behavioural output, not the import table, is what reveals them.
UDP communications