× Cookies are disabled! This site requires cookies to be enabled to work properly
SHA256: 739b90a457df9f5976023a0843241ec53944a70224d1e2818c4cc134b00323f1
File name: bot.exe
Detection ratio: 49 / 56
Analysis date: 2014-11-28 00:42:30 UTC ( 2 years, 11 months ago ) View latest
Antivirus Result Update
Ad-Aware Trojan.Spy.Zbot.FJB 20141128
Yandex TrojanSpy.Zbot!qUJJ0yYBW6I 20141126
AhnLab-V3 Trojan/Win32.Zbot 20141127
ALYac Trojan.Spy.Zbot.FJB 20141128
Antiy-AVL Trojan[Spy]/Win32.Zbot 20141127
Avast Win32:Zbot-NRC [Trj] 20141128
AVG PSW.Generic9.PLX 20141128
Avira (no cloud) TR/Spy.ZBot.aoqb.5 20141128
AVware Trojan-PWS.Win32.Zbot.aac (v) 20141121
Baidu-International Trojan.Win32.Zbot.aDYB 20141127
BitDefender Trojan.Spy.Zbot.FJB 20141128
Bkav W32.BlazreckF.Trojan 20141127
CAT-QuickHeal TrojanPWS.Zbot.Y3 20141127
ClamAV Trojan.Spy.Zbot-142 20141128
Comodo TrojWare.Win32.Kazy.MKD 20141128
Cyren W32/Zbot.BR.gen!Eldorado 20141127
Emsisoft Trojan.Spy.Zbot.FJB (B) 20141128
ESET-NOD32 Win32/Spy.Zbot.ZR 20141127
F-Prot W32/Zbot.BR.gen!Eldorado 20141128
F-Secure Trojan-Spy:W32/Zbot.AVTH 20141128
Fortinet W32/Zbot.AT!tr 20141127
GData Trojan.Spy.Zbot.FJB 20141127
Ikarus Trojan-Spy.Zbot 20141127
Jiangmin Trojan/Generic.luiz 20141127
K7AntiVirus Spyware ( 002891031 ) 20141127
K7GW Spyware ( 002891031 ) 20141126
Kaspersky Trojan-Spy.Win32.Zbot.rzil 20141127
Kingsoft Win32.Troj.Undef.(kcloud) 20141128
Malwarebytes Spyware.Zbot 20141127
McAfee PWS-Zbot.gen.ds 20141127
McAfee-GW-Edition BehavesLike.Win32.PWSZbot.ch 20141127
Microsoft PWS:Win32/Zbot.gen!ZA 20141128
eScan Trojan.Spy.Zbot.FJB 20141128
NANO-Antivirus Trojan.Win32.Zbot.tvyua 20141128
Norman Crypt.BAJJ 20141127
nProtect Trojan/W32.Agent.141312.HM 20141127
Panda Trj/Genetic.gen 20141127
Qihoo-360 HEUR/QVM20.1.Malware.Gen 20141128
Rising PE:Stealer.Zbot!1.648A 20141126
Sophos AV Troj/PWS-BSF 20141128
SUPERAntiSpyware Trojan.Agent/Gen-FakeAlert 20141127
Tencent Win32.Trojan-spy.Zbot.Hqlm 20141128
TheHacker Trojan/Spy.Zbot.dhep 20141124
TotalDefense Win32/Zbot.GPW 20141127
TrendMicro TSPY_ZBOT.SMIG 20141127
VBA32 SScope.Trojan.FakeAV.01110 20141127
VIPRE Win32.Malware!Drop 20141127
ViRobot Trojan.Win32.A.Zbot.140800.BK 20141127
Zoner Trojan.Zbot.ZR 20141127
AegisLab 20141127
ByteHero 20141128
CMC 20141127
DrWeb 20141128
Symantec 20141128
TrendMicro-HouseCall 20141128
Zillya 20141127
The file being studied is a Portable Executable file! More specifically, it is a DOS EXE file.
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2011-08-25 23:13:25
Entry Point 0x00015748
Number of sections 3
PE sections
Overlays
MD5 9d1049a23f89dcb5ee9cddc412b7a194
File type data
Offset 140800
Size 512
Entropy 7.61
PE imports
RegCreateKeyExW
RegCloseKey
ConvertSidToStringSidW
AdjustTokenPrivileges
LookupPrivilegeValueW
CryptHashData
InitializeSecurityDescriptor
RegQueryValueExW
CryptCreateHash
SetSecurityDescriptorDacl
GetSidSubAuthorityCount
GetSidSubAuthority
ConvertStringSecurityDescriptorToSecurityDescriptorW
OpenProcessToken
RegOpenKeyExW
SetSecurityDescriptorSacl
GetTokenInformation
CryptReleaseContext
RegEnumKeyExW
OpenThreadToken
GetSecurityDescriptorSacl
GetLengthSid
CreateProcessAsUserW
CryptDestroyHash
CryptAcquireContextW
RegSetValueExW
CryptGetHashParam
InitiateSystemShutdownExW
EqualSid
IsWellKnownSid
SetNamedSecurityInfoW
CertEnumCertificatesInStore
CryptUnprotectData
PFXImportCertStore
CertCloseStore
CertDeleteCertificateFromStore
CertOpenSystemStoreW
CertDuplicateCertificateContext
PFXExportCertStoreEx
GetDeviceCaps
DeleteDC
RestoreDC
SelectObject
SaveDC
SetViewportOrgEx
GetDIBits
CreateCompatibleBitmap
GdiFlush
CreateDIBSection
CreateCompatibleDC
DeleteObject
SetRectRgn
FileTimeToDosDateTime
ReleaseMutex
WaitForSingleObject
Thread32Next
HeapDestroy
GetFileAttributesW
GetLocalTime
GetProcessId
SetErrorMode
GetFileInformationByHandle
GetThreadContext
GetFileTime
WideCharToMultiByte
LoadLibraryW
GetTempPathW
Thread32First
HeapReAlloc
SetEvent
LocalFree
GetTimeZoneInformation
FindClose
TlsGetValue
SetFileAttributesW
GetEnvironmentVariableW
SetLastError
GetUserDefaultUILanguage
GetSystemTime
InitializeCriticalSection
WriteProcessMemory
RemoveDirectoryW
ExitProcess
lstrcmpiW
SetThreadPriority
MultiByteToWideChar
SetFilePointerEx
GetPrivateProfileStringW
CreateThread
MoveFileExW
CreateMutexW
GetVolumeNameForVolumeMountPointW
SetThreadContext
TerminateProcess
VirtualQueryEx
SetEndOfFile
GetCurrentThreadId
HeapCreate
CreateToolhelp32Snapshot
HeapFree
EnterCriticalSection
lstrcmpiA
GetVersionExW
FreeLibrary
GetTickCount
TlsAlloc
VirtualProtect
FlushFileBuffers
LoadLibraryA
CreateRemoteThread
OpenProcess
ReadProcessMemory
CreateDirectoryW
DeleteFileW
WaitForMultipleObjects
GetPrivateProfileIntW
VirtualProtectEx
GetProcessHeap
GetTempFileNameW
GetComputerNameW
WriteFile
GetFileSizeEx
GetModuleFileNameW
ExpandEnvironmentStringsW
FindNextFileW
WTSGetActiveConsoleSessionId
ResetEvent
FindFirstFileW
DuplicateHandle
GetProcAddress
CreateEventW
CreateFileW
TlsSetValue
HeapAlloc
LeaveCriticalSection
GetNativeSystemInfo
GetLastError
SystemTimeToFileTime
CreateFileMappingW
VirtualAllocEx
GlobalUnlock
Process32NextW
VirtualFree
FileTimeToLocalFileTime
VirtualFreeEx
GetCurrentProcessId
SetFileTime
GetCommandLineW
Process32FirstW
GetCurrentThread
MapViewOfFile
TlsFree
ReadFile
CloseHandle
OpenMutexW
GlobalLock
GetModuleHandleW
GetFileAttributesExW
UnmapViewOfFile
OpenEventW
CreateProcessW
Sleep
IsBadReadPtr
VirtualAlloc
NetUserEnum
NetUserGetInfo
NetApiBufferFree
SysFreeString
VariantClear
VariantInit
SysAllocString
SHGetFolderPathW
ShellExecuteW
CommandLineToArgvW
StrCmpNIW
wvnsprintfA
StrCmpNIA
wvnsprintfW
SHDeleteKeyW
PathIsDirectoryW
PathRemoveBackslashW
PathIsURLW
PathAddBackslashW
UrlUnescapeA
SHDeleteValueW
PathCombineW
PathRenameExtensionW
StrStrIA
PathRemoveFileSpecW
StrStrIW
PathMatchSpecW
PathUnquoteSpacesW
PathFindFileNameW
PathQuoteSpacesW
PathAddExtensionW
PathSkipRootW
GetUserNameExW
GetMessagePos
SetWindowPos
IsWindow
EndPaint
OpenWindowStationW
WindowFromPoint
CreateDesktopW
GetMenuItemID
GetCursorPos
ReleaseDC
GetMenu
EndMenu
DefFrameProcA
DefMDIChildProcW
CharLowerBuffA
GetThreadDesktop
LoadImageW
GetTopWindow
GetUpdateRgn
MsgWaitForMultipleObjects
CharToOemW
GetMessageA
GetUserObjectInformationW
GetParent
EqualRect
DefMDIChildProcA
GetMessageW
PeekMessageW
CharUpperW
PeekMessageA
TranslateMessage
SetThreadDesktop
GetWindow
GetIconInfo
GetMenuItemRect
RegisterClassW
OpenDesktopW
CharLowerA
RegisterClassA
TrackPopupMenuEx
GetSubMenu
GetDCEx
FillRect
ToUnicode
GetWindowLongW
GetUpdateRect
GetWindowInfo
MapWindowPoints
RegisterWindowMessageW
OpenInputDesktop
DrawEdge
SwitchDesktop
BeginPaint
DefWindowProcW
ReleaseCapture
MapVirtualKeyW
DefWindowProcA
GetClipboardData
GetSystemMetrics
SetWindowLongW
GetWindowRect
SetCapture
DrawIcon
CharLowerW
SetProcessWindowStation
GetProcessWindowStation
GetClassLongW
CreateWindowStationW
PostMessageW
CloseWindowStation
GetKeyboardState
PostThreadMessageW
GetMenuItemCount
GetMenuState
GetDC
SetKeyboardState
ExitWindowsEx
IntersectRect
GetCapture
GetShellWindow
GetWindowThreadProcessId
HiliteMenuItem
SendMessageW
RegisterClassExW
CallWindowProcA
GetWindowDC
RegisterClassExA
MenuItemFromPoint
PrintWindow
DefFrameProcW
SetCursorPos
SystemParametersInfoW
DispatchMessageW
CallWindowProcW
GetClassNameW
DefDlgProcW
DefDlgProcA
CloseDesktop
IsRectEmpty
SendMessageTimeoutW
GetAncestor
HttpSendRequestA
InternetSetStatusCallbackW
InternetReadFileExA
InternetSetOptionA
HttpOpenRequestA
HttpAddRequestHeadersA
HttpSendRequestExW
InternetCloseHandle
InternetOpenA
InternetConnectA
InternetQueryOptionA
HttpSendRequestW
GetUrlCacheEntryInfoW
HttpQueryInfoA
InternetReadFile
InternetQueryDataAvailable
InternetCrackUrlA
HttpAddRequestHeadersW
HttpSendRequestExA
InternetQueryOptionW
getaddrinfo
shutdown
accept
WSAAddressToStringW
WSAStartup
freeaddrinfo
connect
getsockname
WSASetLastError
select
recv
send
WSASend
WSAGetLastError
listen
WSAEventSelect
getpeername
closesocket
WSAIoctl
setsockopt
socket
bind
recvfrom
sendto
CoUninitialize
CoInitializeEx
CoCreateInstance
CLSIDFromString
StringFromGUID2
ExifTool file metadata
FileAccessDate
2015:02:17 16:13:46+01:00

FileCreateDate
2015:02:17 16:13:46+01:00

Execution parents
File identification
MD5 2c0244c28036f9cb5f9a703c8b329f2f
SHA1 7f5b28d845552209887dfbf0148bd6d1b4e9d11b
SHA256 739b90a457df9f5976023a0843241ec53944a70224d1e2818c4cc134b00323f1
ssdeep
3072:uA2AZqZ3hlTrDj/vXhO27U0WDfC+iT6qeS/mNf5KeNpzRsSwrl/Y:uA2zhRrP/fhO27Uji7e995bN0rlg

authentihash c5c71d2a0754b651cde4b9ca171e27fa0fcaeb5f9696644c66caf792b1a440d3
imphash 2854fcbe57607f76b0bbbd856d26b70c
File size 138.0 KB ( 141312 bytes )
File type DOS EXE
Magic literal
MS-DOS executable

TrID Win32 Executable (generic) (42.5%)
DOS Executable Borland Pascal 7.0x (19.2%)
Generic Win/DOS Executable (18.8%)
DOS Executable Generic (18.8%)
VXD Driver (0.2%)
Tags
overlay mz

VirusTotal metadata
First submission 2014-11-27 07:57:24 UTC ( 2 years, 11 months ago )
Last submission 2016-09-01 16:06:41 UTC ( 1 year, 2 months ago )
File names cc9b294f277960af7e3d381c76612fb5d4204b93
739b90a457df9f5976023a0843241ec53944a70224d1e2818c4cc134b00323f1.exe
ZeuS_binary_2c0244c28036f9cb5f9a703c8b329f2f.exe
RwXhjoKS.dot
2c0244c28036f9cb5f9a703c8b329f2f.exe
739b90a457df9f5976023a0843241ec53944a70224d1e2818c4cc134b00323f1.exe
bot.exe
2c0244c28036f9cb5f9a703c8b329f2f
bot.exe
file-7747770_exe
2C0244C28036F9CB5F9A703C8B329F2F
Advanced heuristic and reputation engines
Symantec reputation Suspicious.Insight
No comments. No VirusTotal Community member has commented on this item yet, be the first one to do so!

Leave your comment...

?
Post comment

You have not signed in. Only registered users can leave comments, sign in and have a voice!

No votes. No one has voted on this item yet, be the first one to do so!
Condensed report! The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.
Opened files
Read files
Written files
Created processes
Code injections in the following processes
Created mutexes
Opened mutexes
Runtime DLLs
Additional details
The file sends control codes directly to certain device drivers making use of the DeviceIoControl Windows API function.
HTTP requests
DNS requests
TCP connections
UDP communications