Antivirus scan for 740fe58819953b42871f9fea9a2c9951b294f83166b532d5c4edd1bfe38ca6d1 at 2015-04-24 13:59:44 UTC

Antivirus	Result	Update
Ad-Aware	Backdoor.Agent.ABHW	20150424
Yandex	Trojan.Kryptik!2KhajVvOffQ	20150423
AhnLab-V3	Win-Trojan/Bamital.Gen	20150424
ALYac	Backdoor.Agent.ABHW	20150424
Antiy-AVL	Trojan/Win32.Pakes	20150424
Avast	Win32:Ramnit-AN	20150424
AVG	Generic22.BPCM	20150424
Avira (no cloud)	TR/Krypt.lkfna	20150424
AVware	Trojan.Win32.Encpk.aak (v)	20150424
Baidu-International	Trojan.W32.Autorun.BMC	20150421
BitDefender	Backdoor.Agent.ABHW	20150424
CAT-QuickHeal	Trojan.Quolko.A	20150424
ClamAV	WIN.Ransom.Lockscreen	20150424
Comodo	Virus.Win32.Virut.Ce	20150424
Cyren	W32/Bamital.N.gen!Eldorado	20150424
DrWeb	Trojan.MulDrop3.45645	20150424
Emsisoft	Backdoor.Agent.ABHW (B)	20150424
ESET-NOD32	Win32/Ramnit.AY	20150424
F-Prot	W32/Bamital.N.gen!Eldorado	20150424
F-Secure	Backdoor.Agent.ABHW	20150424
Fortinet	W32/Drooptroop.SMY!tr	20150423
GData	Backdoor.Agent.ABHW	20150424
Ikarus	Trojan-Ransom.Win32.PornoBlocker	20150424
Jiangmin	Trojan/PornoBlocker.aua	20150423
K7AntiVirus	Trojan ( 0038b1be1 )	20150424
K7GW	Trojan ( 0038b1be1 )	20150424
Kaspersky	Trojan.Win32.Pakes.tyi	20150424
Kingsoft	Win32.Troj.Undef.(kcloud)	20150424
Malwarebytes	Backdoor.IRCBot	20150424
McAfee	Generic BackDoor.ya	20150424
McAfee-GW-Edition	BehavesLike.Win32.Backdoor.cm	20150423
Microsoft	Trojan:Win32/Ramnit.A	20150424
eScan	Backdoor.Agent.ABHW	20150424
NANO-Antivirus	Trojan.Win32.PornoBlocker.ebkls	20150424
Norman	Ramnit.O	20150424
nProtect	Trojan/W32.Agent.156672.JJ	20150424
Panda	Trj/Bamital.E	20150424
Qihoo-360	Malware.Radar02.Gen	20150424
Rising	PE:Trojan.Win32.Generic.1288BDE6!310951398	20150424
Sophos AV	W32/Ramnit-A	20150424
SUPERAntiSpyware	Trojan.Agent/Gen-Ransom	20150424
Symantec	Trojan.Bamital!gen2	20150424
Tencent	Trojan.Win32.Pakes.aac	20150424
TheHacker	Trojan/Pakes.tyi	20150423
TrendMicro	TROJ_DYER.BMC	20150424
TrendMicro-HouseCall	TROJ_FAKEAV.SMUP	20150424
VBA32	Trojan.Pakes	20150424
VIPRE	Trojan.Win32.Encpk.aak (v)	20150424
Zoner	Win32.Ramnit.AY	20150424
AegisLab		20150424
Alibaba		20150424
Bkav		20150423
ByteHero		20150424
CMC		20150423
TotalDefense		20150424
ViRobot		20150424
Zillya		20150424

The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.

Packers identified

Command UPX

F-PROT UPX

PE header basic information

Target machine Intel 386 or later processors and compatible processors

Compilation timestamp 2083-08-12 19:43:46

Entry Point 0x0004D240

Number of sections 3

PE sections

Name Virtual address Virtual size Raw size Entropy MD5

UPX0 4096 237568 0 0.00 d41d8cd98f00b204e9800998ecf8427e

UPX1 241664 77824 74752 7.97 2ae15328de9332a80531f95a318cbbdd

.rsrc 319488 81920 81408 2.88 40d9afc3993315c61b30a32491df849b

PE imports

[+] KERNEL32.DLL

[+] user32.dll

Number of PE resources by type

RT_ICON 12

RT_DIALOG 2

RT_MENU 1

RT_GROUP_ICON 1

Number of PE resources by language

RUSSIAN 16

PE resources

0250c077f348b303e1f46d6db1fed067eae76b2f35b76357f3d0e6f824614a90 data

025d633f8603efbba7418a7d4baa475a1bf9787fc8adc3ba1fbbb3a4cce8fe69 data

05dbbed33bb09a5d5c6bd48e88ecd5b111ad12c3363c4b683ca8d6106cc4bb15 data

1ccaf968be495d1df2d697323431e3510234ace7d56035bdc041cc7ac519a372 data

42554c522642fbb9bb7da9a609b9299a9161d6872912a5c2a2dcec0efc66ff32 data

527d531ffdd22ec3451149121aff34691830fcb3adba5184903707cf8688c848 data

56c5d168dfc6ca10e5d2d44389fd43176e979afc0e8860902272e978bb6a9d3a data

6158d288c7d8630ea5b6bbbdfa00e97421d8c47833c0cb363d5290585e8adb47 data

77d0d61bb4fa2a71ccf7765fc742157f028cc170fcad9c2f81f64e6e865e4fcb data

82ca49409ca8aba4e82cb238215016abc4789ace6804d283161075a107cfcd96 data

ExifTool file metadata

MIMEType

application/octet-stream

Subsystem

Windows GUI

MachineType

Intel 386 or later, and compatibles

FileTypeExtension

exe

TimeStamp

2083:08:12 20:43:46+01:00

FileType

Win32 EXE

PEType

PE32

CodeSize

77824

LinkerVersion

7.4

ImageFileCharacteristics

No relocs, Executable, No line numbers, No symbols, 32-bit

EntryPoint

0x4d240

InitializedDataSize

32768

SubsystemVersion

4.0

ImageVersion

7.2

OSVersion

5.0

UninitializedDataSize

237568

Execution parents

This file was created during the sandboxed execution of the following files.

b924ce2f83ad01e85df34f5bd93201eb0898049aa9eaabc354161cfba7fd9af4

bc6248d20308b28cf00893efb292451ab22a86a81a17e304d7a553a58abb69fe

a8174710769383461b05a5d5ad78f4f2605c50db260c2487a58c5e8fd562e233

7a6fae89be3e539515048a7c09c49ff75bbe61f58255ed6aedf07f58f8e92cf9

e39e3e961e75058557e2e52ce4f5acd1d41180461b307cbb5cc98668cb70fed1

df51f141c34609fa3954a81d5adef3873a91c2e9a02a5244416b1949cc1f326f

feeaa9bc05aa15634e766a5d88aa5743e03e71e0276b20668ccc65a35145df80

8ec8c6c7e28f1a92f1a943d738c3fd4d9852aa78016ec3c6f67ebdda8cd90c1d

0f844629e2b82cc310827083b1b8f5ef87ea0548b54e134af916151564838a2d

bbdfda5ab3250348694bb82ede83b8aba1369ccee4c9cfc2805b1fe0d483e037

File identification

MD5 16131fdc5093db54f60f124e36c3942a

SHA1 87f2136409b958fb57d26bb9fa0a94e8294399dd

SHA256 740fe58819953b42871f9fea9a2c9951b294f83166b532d5c4edd1bfe38ca6d1

ssdeep

3072:KwV4OgSzBmh04eZFkz3Rr0gwGj9Tf8x2:KMzzILGFkzhr0pGj9o

authentihash fe0eb26ddddd060a55258429be0a43d81e141be3d3ad1b790c415ecad44c3b2c

imphash 7197d8f25970cc6df2d2b302df40eb11

File size 153.0 KB ( 156672 bytes )

File type Win32 EXE

Magic literal

PE32 executable for MS Windows (GUI) Intel 80386 32-bit

TrID	OS/2 Executable (generic) (25.2%) Clipper DOS Executable (25.0%) Generic Win/DOS Executable (24.8%) DOS Executable Generic (24.8%)

VirusTotal metadata

First submission 2012-04-25 04:48:23 UTC ( 6 years, 10 months ago )

Last submission 2018-09-04 12:20:22 UTC ( 5 months, 2 weeks ago )

File names

SVCHOSTMGR.EXE
jyityvbx.exe
c11493c45d3cd46c393ead9739ac5fb96d5d5b994fd56316238306b6647e8d6ec943cdd42b914708ea04b85a0fc142473bd60ce41433fb686212f8e4e4fe6de8

Condensed report! The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.

Opened files

\\.\PIPE\lsarpc (successful)

C:\Program (failed)

C:\Program Files\Internet (failed)

C:\Program Files\Internet Explorer\IEXPLORE.EXE (successful)

Created processes

C:\Program Files\Internet Explorer\iexplore.exe (failed)

Opened mutexes

ShimCacheMutex (successful)

{65D186C1-BACE-614C-7239-5ABDD5E947B0} (failed)

Runtime DLLs

kernel32.dll (successful)

user32.dll (successful)

advapi32.dll (successful)

ntdll.dll (successful)

rpcrt4.dll (successful)

version.dll (successful)

UDP communications

23.101.187.68:123

SHA256:	740fe58819953b42871f9fea9a2c9951b294f83166b532d5c4edd1bfe38ca6d1
File name:	jyityvbx.exe
Detection ratio:	49 / 57
Analysis date:	2015-04-24 13:59:44 UTC ( 3 years, 10 months ago ) View latest

Ciphered bundle