× Cookies are disabled! This site requires cookies to be enabled to work properly
SHA256: 71ff5e3c9e74f6cad1d405b2172a76527396b05fa7767cf85be58da06c68fd28
File name: report2104.exe
Detection ratio: 23 / 57
Analysis date: 2015-04-21 20:58:11 UTC ( 4 years, 1 month ago ) View latest
Antivirus Result Update
Ad-Aware Trojan.GenericKD.2314271 20150421
AVG Crypt4.RRA 20150421
Avira (no cloud) TR/Zbot.A.1910 20150421
AVware Win32.Malware!Drop 20150421
BitDefender Trojan.GenericKD.2314271 20150421
Cyren W32/Trojan.WFQX-2426 20150421
DrWeb Trojan.Click3.11310 20150421
Emsisoft Trojan-Downloader.Win32.Agent (A) 20150421
ESET-NOD32 Win32/TrojanDownloader.Agent.BEL 20150421
F-Prot W32/Trojan3.PAX 20150421
Fortinet W32/Tinba.BI!tr 20150421
GData Trojan.GenericKD.2314271 20150421
Ikarus Trojan.Inject 20150421
K7AntiVirus Trojan-Downloader ( 004be37a1 ) 20150421
K7GW Trojan-Downloader ( 004be37a1 ) 20150421
Kaspersky UDS:DangerousObject.Multi.Generic 20150421
McAfee BackDoor-FCNO!86F527B81668 20150421
eScan Trojan.GenericKD.2314271 20150421
Sophos AV Troj/DwnLdr-MLE 20150421
Tencent Trojan.Win32.YY.Gen.7 20150421
TrendMicro TROJ_BARTALEX.PWT 20150421
TrendMicro-HouseCall TROJ_BARTALEX.PWT 20150421
VIPRE Win32.Malware!Drop 20150421
AegisLab 20150421
Yandex 20150421
AhnLab-V3 20150421
Alibaba 20150421
ALYac 20150421
Antiy-AVL 20150421
Avast 20150421
Baidu-International 20150421
Bkav 20150421
ByteHero 20150421
CAT-QuickHeal 20150421
ClamAV 20150421
CMC 20150421
Comodo 20150421
F-Secure 20150421
Jiangmin 20150421
Kingsoft 20150421
Malwarebytes 20150421
McAfee-GW-Edition 20150421
Microsoft 20150421
NANO-Antivirus 20150421
Norman 20150421
nProtect 20150421
Panda 20150421
Qihoo-360 20150421
Rising 20150421
SUPERAntiSpyware 20150421
Symantec 20150421
TheHacker 20150421
TotalDefense 20150421
VBA32 20150420
ViRobot 20150421
Zillya 20150421
Zoner 20150420
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
Authenticode signature block and FileVersionInfo properties
Signature verification A certificate was explicitly revoked by its issuer.
Signing date 10:17 AM 4/21/2015
Signers
[+] KONSALTING PLYUS OOO
Status This certificate or one of the certificates in the certificate chain is not time valid., Trust for this certificate or one of the certificates in the certificate chain has been revoked.
Issuer COMODO RSA Code Signing CA
Valid from 1:00 AM 4/17/2015
Valid to 12:59 AM 4/17/2016
Valid usage Code Signing
Algorithm sha256RSA
Thumbprint F2DAEDD9EFA306C7F7FF2DC5885870AA06947ADD
Serial number 00 88 07 06 DC AA 0C B0 F2 4B 51 F7 F2 AB 7A 9B 9E
[+] COMODO RSA Code Signing CA
Status Valid
Issuer COMODO RSA Certification Authority
Valid from 1:00 AM 5/9/2013
Valid to 12:59 AM 5/9/2028
Valid usage Code Signing
Algorithm sha384RSA
Thumbprint B69E752BBE88B4458200A7C0F4F5B3CCE6F35B47
Serial number 2E 7C 87 CC 0E 93 4A 52 FE 94 FD 1C B7 CD 34 AF
[+] COMODO SECURE™
Status Valid
Issuer COMODO RSA Certification Authority
Valid from 1:00 AM 1/19/2010
Valid to 12:59 AM 1/19/2038
Valid usage Server Auth, Client Auth, Email Protection, Code Signing, Timestamp Signing, EFS, IPSEC Tunnel, IPSEC User
Algorithm sha384RSA
Thumbprint AFE5D244A8D1194230FF479FE2F897BBCD7A8CB4
Serial number 4C AA F9 CA DB 63 6F E0 1F F7 4E D8 5B 03 86 9D
Counter signers
[+] COMODO Time Stamping Signer
Status This certificate or one of the certificates in the certificate chain is not time valid.
Issuer UTN-USERFirst-Object
Valid from 1:00 AM 5/10/2010
Valid to 12:59 AM 5/11/2015
Valid usage Timestamp Signing
Algorithm sha1RSA
Thumbrint 3DBB6DB5085C6DD5A1CA7F9CF84ECB1A3910CAC8
Serial number 47 8A 8E FB 59 E1 D8 3F 0C E1 42 D2 A2 87 07 BE
[+] USERTrust (Code Signing)
Status Valid
Issuer UTN-USERFirst-Object
Valid from 7:31 PM 7/9/1999
Valid to 7:40 PM 7/9/2019
Valid usage EFS, Timestamp Signing, Code Signing
Algorithm sha1RSA
Thumbrint E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46
Serial number 44 BE 0C 8B 50 00 24 B4 11 D3 36 2D E0 B3 5F 1B
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2015-04-21 09:03:35
Entry Point 0x00008A97
Number of sections 5
PE sections
Overlays
MD5 729f42118abc444d94b38938c145d25c
File type data
Offset 135680
Size 23656
Entropy 7.95
PE imports
GetTextCharset
GetLastError
InitializeCriticalSectionAndSpinCount
HeapFree
GetStdHandle
EnterCriticalSection
LCMapStringW
SetHandleCount
lstrlenA
GetModuleFileNameW
GetOEMCP
QueryPerformanceCounter
IsDebuggerPresent
ExitProcess
TlsAlloc
GetEnvironmentStringsW
GetModuleFileNameA
RtlUnwind
HeapSetInformation
GetCurrentProcess
GetStringTypeW
GetCurrentProcessId
GetCPInfo
UnhandledExceptionFilter
TlsGetValue
MultiByteToWideChar
GetStartupInfoW
FreeEnvironmentStringsW
GetCommandLineA
GetProcAddress
EncodePointer
HeapSize
RaiseException
WideCharToMultiByte
LoadLibraryW
TlsFree
GetModuleHandleA
GetSystemTimeAsFileTime
DeleteCriticalSection
SetUnhandledExceptionFilter
WriteFile
IsProcessorFeaturePresent
lstrcmpA
GetACP
HeapReAlloc
DecodePointer
GetModuleHandleW
TerminateProcess
IsValidCodePage
HeapCreate
InterlockedDecrement
Sleep
GetFileType
GetTickCount
TlsSetValue
HeapAlloc
GetCurrentThreadId
InterlockedIncrement
SetLastError
LeaveCriticalSection
SHFreeNameMappings
GetMenuItemCount
KillTimer
Number of PE resources by type
RT_ICON 13
RT_GROUP_ICON 3
Number of PE resources by language
FRENCH 14
NEUTRAL 2
PE resources
ExifTool file metadata
MIMEType
application/octet-stream

Subsystem
Windows GUI

MachineType
Intel 386 or later, and compatibles

FileTypeExtension
exe

TimeStamp
2015:04:21 10:03:35+01:00

FileType
Win32 EXE

PEType
PE32

CodeSize
70656

LinkerVersion
10.0

ImageFileCharacteristics
Executable, 32-bit

EntryPoint
0x8a97

InitializedDataSize
64000

SubsystemVersion
5.1

ImageVersion
0.0

OSVersion
5.1

UninitializedDataSize
0

Execution parents
Compressed bundles
File identification
MD5 86f527b816684141f25d7e0ea42c7d8b
SHA1 dbd58b6c65a6c3b21aafa2e019aa9fe415f39f6e
SHA256 71ff5e3c9e74f6cad1d405b2172a76527396b05fa7767cf85be58da06c68fd28
ssdeep
3072:WtMzIunXFFuJQ7H9tTpNvdvfAg0FuH/xLPekxJN6:WuImFFs6H9tTpFdvfAOZbE

authentihash e8e30c074a78c8f6223450ee016a6c08c5a083936b03424bf7d46f193d9dbec6
imphash ac5aa37419365704ecdcae48c9a55bef
File size 155.6 KB ( 159336 bytes )
File type Win32 EXE
Magic literal
PE32 executable for MS Windows (GUI) Intel 80386 32-bit

TrID Win32 Executable MS Visual C++ (generic) (41.0%)
Win64 Executable (generic) (36.3%)
Win32 Dynamic Link Library (generic) (8.6%)
Win32 Executable (generic) (5.9%)
OS/2 Executable (generic) (2.6%)
Tags
revoked-cert peexe signed overlay

VirusTotal metadata
First submission 2015-04-21 09:44:26 UTC ( 4 years, 1 month ago )
Last submission 2018-09-24 11:47:49 UTC ( 7 months, 4 weeks ago )
File names 86f527b816684141f25d7e0ea42c7d8b.exe
FAX_117_849721.exe--
report2104.exe
Exchange.ex0
Exchange_exe
86f527b816684141f25d7e0ea42c7d8b.bin
71FF5E3C9E74F6CAD1D405B2172A76527396B05FA7767CF85BE58DA06C68FD28.EXE
Exchange.exe
Exchange.exe
Virus.exe
2.exe
Advanced heuristic and reputation engines
Symantec reputation Suspicious.Insight
No comments. No VirusTotal Community member has commented on this item yet, be the first one to do so!

Leave your comment...

?
Post comment

You have not signed in. Only registered users can leave comments, sign in and have a voice!

No votes. No one has voted on this item yet, be the first one to do so!
Condensed report! The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.
Opened files
Read files
Created processes
Terminated processes
Opened mutexes
Runtime DLLs
UDP communications