SHA256: 6b0a8cd4d77641afe5337a263b46a8a5d02bc20cc67c893006cac2502298c4e8
File name: 0.09_0_Zbot_Zbot_1_C_Users_Cindy_Geldmach__ntent.IE5_ENFIMFPR_5_2...
Detection ratio: 25 / 54
Analysis date: 2014-08-15 07:56:13 UTC ( 4 years, 7 months ago )
Antivirus Result Update
Ad-Aware Trojan.GenericKD.1797308 20140815
AntiVir TR/Agent.CIKD 20140815
Antiy-AVL Trojan[Spy]/Win32.Zbot 20140815
AVware Trojan.Win32.Generic!BT 20140815
Baidu-International Trojan.Win32.Kryptik.BCIKD 20140815
BitDefender Trojan.GenericKD.1797308 20140815
Comodo UnclassifiedMalware 20140815
Emsisoft Trojan.GenericKD.1797308 (B) 20140815
ESET-NOD32 a variant of Win32/Kryptik.CIKD 20140815
F-Secure Trojan.GenericKD.1797308 20140815
Fortinet W32/Kryptik.CIKD!tr 20140815
GData Trojan.GenericKD.1797308 20140815
Ikarus Trojan-Spy.Win32.Zbot 20140815
K7AntiVirus Trojan ( 0049fd851 ) 20140814
K7GW Trojan ( 0049fd851 ) 20140814
Kaspersky Trojan-Spy.Win32.Zbot.tswe 20140815
Malwarebytes Trojan.Agent.ED 20140815
eScan Trojan.GenericKD.1797308 20140815
nProtect Trojan.GenericKD.1797308 20140814
Panda Trj/Chgt.B 20140814
Qihoo-360 Win32/Trojan.70d 20140815
Sophos AV Mal/Generic-S 20140815
Tencent Win32.Trojan.Bp-qqthief.Iqpl 20140815
TrendMicro-HouseCall Suspicious_GEN.F47V0808 20140815
VIPRE Trojan.Win32.Generic!BT 20140815
AegisLab 20140815
Yandex 20140814
AhnLab-V3 20140814
Avast 20140815
AVG 20140815
Bkav 20140814
ByteHero 20140815
CAT-QuickHeal 20140814
ClamAV 20140814
CMC 20140814
Commtouch 20140815
DrWeb 20140815
F-Prot 20140815
Jiangmin 20140815
Kingsoft 20140815
McAfee 20140815
McAfee-GW-Edition 20140814
Microsoft 20140815
NANO-Antivirus 20140815
Norman 20140815
Rising 20140814
SUPERAntiSpyware 20140814
Symantec 20140815
TheHacker 20140814
TotalDefense 20140814
TrendMicro 20140815
VBA32 20140814
ViRobot 20140815
Zoner 20140811
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
FileVersionInfo properties
Copyright Copyright (C) 2013 Spencer Kimball, Peter Mattis and the GIMP Development Team
Publisher Spencer Kimball, Peter Mattis and the GIMP Development Team
Product GNU Image Manipulation Program
Original name web-browser.exe
Internal name web-browser
File version 2.8.6.3
Description GNU Image Manipulation Program Plug-In
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2014-08-07 09:45:21
Entry Point 0x000065B0
Number of sections 6
PE sections
PE imports
SetSecurityDescriptorDacl
LookupAccountNameA
RegCloseKey
OpenProcessToken
RegSetValueExW
FreeSid
AddAccessAllowedAce
RegOpenKeyExW
InitializeSecurityDescriptor
OpenThreadToken
InitializeAcl
AllocateAndInitializeSid
GetTokenInformation
SetFileSecurityA
RegQueryValueExW
CreateToolbarEx
CreatePropertySheetPageW
PageSetupDlgA
GetSaveFileNameA
CommDlgExtendedError
ChooseFontA
GetEnhMetaFileA
DeleteEnhMetaFile
Polygon
CreatePen
TextOutA
CreateFontIndirectA
GetEnhMetaFileW
GetEnhMetaFilePaletteEntries
CombineRgn
GetBitmapBits
Rectangle
SetMapMode
GetDeviceCaps
PlayEnhMetaFile
LineTo
DeleteDC
SetBkMode
EndDoc
StartPage
GetObjectW
SetTextColor
GetObjectA
GetCurrentObject
CreateEnhMetaFileW
CreateEllipticRgn
MoveToEx
CreatePalette
GetStockObject
SetViewportOrgEx
CreateEnhMetaFileA
SetTextAlign
CreateCompatibleDC
StretchBlt
GetTextFaceA
CloseEnhMetaFile
EndPage
CreateRectRgn
SelectObject
GetTextExtentPoint32A
Pie
GetEnhMetaFileHeader
CreateSolidBrush
DPtoLP
DeleteObject
StartDocA
GetStdHandle
EncodePointer
DeleteCriticalSection
GetCurrentProcess
GetConsoleMode
GetLocaleInfoA
SetTimeZoneInformation
lstrcatA
FreeEnvironmentStringsW
SetStdHandle
GetCPInfo
lstrcmpiA
WriteFile
GetSystemTimeAsFileTime
HeapReAlloc
GetStringTypeW
TlsGetValue
SetLastError
GetModuleFileNameW
IsDebuggerPresent
ExitProcess
GetModuleFileNameA
QueryPerformanceFrequency
HeapSetInformation
UnhandledExceptionFilter
InterlockedDecrement
MultiByteToWideChar
GetModuleHandleA
SetUnhandledExceptionFilter
MulDiv
IsProcessorFeaturePresent
DecodePointer
SetEnvironmentVariableA
TerminateProcess
GlobalAlloc
GetVersion
InterlockedIncrement
WriteConsoleW
InitializeCriticalSectionAndSpinCount
HeapFree
EnterCriticalSection
SetHandleCount
LoadLibraryW
GetOEMCP
QueryPerformanceCounter
GetTickCount
TlsAlloc
FlushFileBuffers
LoadLibraryA
RtlUnwind
CreateDirectoryA
GetStartupInfoW
GetProcAddress
GetProcessHeap
CompareStringW
GlobalReAlloc
GetCurrentThreadId
lstrcpyA
GlobalLock
GetTimeZoneInformation
CreateFileW
GetFileType
TlsSetValue
HeapAlloc
LeaveCriticalSection
GetLastError
LCMapStringW
GetSystemInfo
lstrlenA
GlobalFree
GetConsoleCP
GetEnvironmentStringsW
GlobalUnlock
GetCurrentProcessId
WideCharToMultiByte
HeapSize
GetCommandLineA
GetCurrentThread
RaiseException
TlsFree
SetFilePointer
CloseHandle
GetACP
GetModuleHandleW
IsValidCodePage
HeapCreate
Sleep
CallNtPowerInformation
GetMessagePos
PostQuitMessage
DestroyMenu
ShowWindow
DefWindowProcA
EnumDesktopsA
LoadBitmapA
GetClipboardData
RemoveMenu
GetSystemMetrics
IsWindow
DispatchMessageA
EndPaint
MessageBoxIndirectA
GetDialogBaseUnits
MessageBoxA
PeekMessageA
TranslateMessage
GetDC
CreateDialogParamW
DrawTextA
BeginPaint
CheckMenuItem
GetMenu
GetWindowLongA
IsClipboardFormatAvailable
SendMessageA
GetWindowTextA
GetClientRect
GetDlgItem
MessageBoxW
EnableMenuItem
GetSubMenu
GetWindowTextLengthA
CreateWindowExA
LoadImageW
GetMenuItemInfoA
LoadImageA
GetFocus
CreateWindowExW
InsertMenuW
FillRect
CloseClipboard
OpenClipboard
DestroyWindow
InternetQueryOptionA
timeEndPeriod
timeSetEvent
timeGetTime
timeBeginPeriod
timeGetDevCaps
OpenPrinterA
EnumMonitorsA
EnumPortsA
EnumJobsA
ClosePrinter
Direct3DCreate9
CoCreateInstance
Number of PE resources by type
RT_ICON 2
RT_DIALOG 1
RT_MANIFEST 1
RT_BITMAP 1
RT_VERSION 1
RT_GROUP_ICON 1
Number of PE resources by language
ENGLISH US 4
RUSSIAN 3
PE resources
ExifTool file metadata
SubsystemVersion 5.1
LinkerVersion 10.0
ImageVersion 0.0
FileSubtype 0
FileVersionNumber 2.8.6.3
UninitializedDataSize 0
LanguageCode English (U.S.)
FileFlagsMask 0x003f
CharacterSet Unicode
InitializedDataSize 190464
FileOS Windows NT 32-bit
MIMEType application/octet-stream
LegalCopyright Copyright (C) 2013 Spencer Kimball, Peter Mattis and the GIMP Development Team
FileVersion 2.8.6.3
TimeStamp 2014:08:07 10:45:21+01:00
FileType Win32 EXE
PEType PE32
InternalName web-browser
FileAccessDate 2014:08:08 08:56:02+01:00
ProductVersion 2.8.6.3
FileDescription GNU Image Manipulation Program Plug-In
OSVersion 5.1
FileCreateDate 2014:08:08 08:56:02+01:00
OriginalFilename web-browser.exe
Subsystem Windows GUI
MachineType Intel 386 or later, and compatibles
CompanyName Spencer Kimball, Peter Mattis and the GIMP Development Team
CodeSize 109568
ProductName GNU Image Manipulation Program
ProductVersionNumber 2.8.6.3
EntryPoint 0x65b0
ObjectFileType Executable application
File identification
MD5 e9f100effd872864ae30db803d85bd24
SHA1 3b900c3b5242ce4a198aed6226b82eef6a3c8eb7
SHA256 6b0a8cd4d77641afe5337a263b46a8a5d02bc20cc67c893006cac2502298c4e8
ssdeep 6144:NHpktQSTQ1JUvcurNlsxdEXQNdDX616L85Yewdc:NHpktQGQ12vcurNE6jr
imphash e6cbad11401c09ba721efd042be10de5
File size 294.0 KB ( 301056 bytes )
File type Win32 EXE
Magic literal PE32 executable for MS Windows (GUI) Intel 80386 32-bit
TrID Win32 Executable MS Visual C++ (generic) (42.1%)
Win64 Executable (generic) (37.3%)
Win32 Dynamic Link Library (generic) (8.8%)
Win32 Executable (generic) (6.0%)
Generic Win/DOS Executable (2.7%)
Tags peexe
VirusTotal metadata
First submission 2014-08-08 07:55:50 UTC ( 4 years, 7 months ago )
Last submission 2014-08-08 07:55:50 UTC ( 4 years, 7 months ago )
File names web-browser.exe
0.09_0_Zbot_Zbot_1_C_Users_Cindy_Geldmach__ntent.IE5_ENFIMFPR_5_2_.exe.cld
web-browser
Advanced heuristic and reputation engines
Symantec reputation Suspicious.Insight
Condensed report! The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.
Opened files
Read files
Written files
Moved files
Deleted files
Created processes
Code injections in the following processes
Created mutexes
Opened mutexes
Hooking activity
Runtime DLLs
Additional details
The file sends control codes directly to certain device drivers making use of the DeviceIoControl Windows API function.
The file installs an application-defined hook procedure into a hook chain. A hook procedure is installed to monitor the system for certain types of events; these events are associated either with a specific thread or with all threads in the same desktop as the calling thread. This is done using the SetWindowsHook Windows API function.