SHA256: 750479827e53b7644a643d65933588d5c937da89cad1e0bdf1fa7b70202d13a4
File name: 435578
Detection ratio: 0 / 67
Analysis date: 2018-08-11 01:17:05 UTC ( 2 months, 1 week ago )
Antivirus Result Update (0 / 67: no engine flagged the file, so the Result column is empty for every row)
Ad-Aware 20180810
AegisLab 20180810
AhnLab-V3 20180810
Alibaba 20180713
ALYac 20180810
Antiy-AVL 20180811
Arcabit 20180811
Avast 20180810
Avast-Mobile 20180810
AVG 20180810
Avira (no cloud) 20180810
AVware 20180810
Babable 20180725
Baidu 20180810
BitDefender 20180811
Bkav 20180810
CAT-QuickHeal 20180810
ClamAV 20180810
CMC 20180810
Comodo 20180810
CrowdStrike Falcon (ML) 20180202
Cybereason 20180225
Cylance 20180811
Cyren 20180811
DrWeb 20180810
eGambit 20180811
Emsisoft 20180811
Endgame 20180730
ESET-NOD32 20180811
F-Prot 20180811
F-Secure 20180811
Fortinet 20180811
GData 20180811
Sophos ML 20180717
Jiangmin 20180810
K7AntiVirus 20180810
K7GW 20180810
Kaspersky 20180811
Kingsoft 20180811
Malwarebytes 20180810
MAX 20180811
McAfee 20180810
McAfee-GW-Edition 20180810
Microsoft 20180810
eScan 20180811
NANO-Antivirus 20180811
Palo Alto Networks (Known Signatures) 20180811
Panda 20180810
Qihoo-360 20180811
Rising 20180811
SentinelOne (Static ML) 20180701
Sophos AV 20180811
SUPERAntiSpyware 20180810
Symantec 20180810
Symantec Mobile Insight 20180809
TACHYON 20180810
Tencent 20180811
TheHacker 20180807
TotalDefense 20180810
TrendMicro 20180811
TrendMicro-HouseCall 20180811
Trustlook 20180811
VBA32 20180810
VIPRE 20180810
ViRobot 20180810
Webroot 20180811
Yandex 20180810
Zillya 20180810
ZoneAlarm by Check Point 20180810
Zoner 20180810
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
Packers identified
F-PROT UPX
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 1992-06-19 22:22:17 (0x2A425E19, the fixed TimeDateStamp written by Borland linkers; it is not the real build date, and UPX leaves it untouched when packing)
Entry Point 0x000EBFA0
Number of sections 3
PE sections
Overlays
MD5 3a9639d804c45bb02fb2b8bf2538ad8a
File type data
Offset 379392
Size 993
Entropy 4.14
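The overlay arithmetic above (offset 379392 + size 993 = 380385 bytes, exactly the file size), the UPX packer identification and the 1992 timestamp can all be checked from the raw PE header without a sandbox. The Python below is an added example, not part of the VirusTotal report or of the analysed binary: it parses a PE32 header with the standard library only, locates the overlay as everything past the last section's raw data, measures its entropy, and flags the UPX section names and Borland's fixed TimeDateStamp. The sample it builds is constructed to mirror this report's layout (three sections, linker 2.25, entry point 0xEBFA0, a 993-byte overlay at offset 379392); it is not the file analysed here, and the section sizes and characteristics are assumed values chosen to reproduce those numbers.

```python
"""Stdlib-only PE32 header triage: section table, overlay and packer tells.
Added example; the sample PE below is constructed and is not the analysed file."""
import math
import struct
from collections import Counter
from datetime import datetime, timezone

# Borland/Delphi linkers write this constant instead of the build time.
BORLAND_FIXED_TIMESTAMP = 0x2A425E19  # 1992-06-19 22:22:17 UTC
UPX_SECTION_NAMES = {"UPX0", "UPX1", "UPX2"}


def shannon_entropy(data: bytes) -> float:
    """Byte-histogram entropy in bits (0.0 .. 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_pe(blob: bytes) -> dict:
    """Parse the DOS header, COFF header, PE32 optional header and section table."""
    if blob[:2] != b"MZ":
        raise ValueError("no MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", blob, 0x3C)
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    machine, nsec, ts, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", blob, coff)
    opt = coff + 20
    magic, lnk_major, lnk_minor = struct.unpack_from("<HBB", blob, opt)
    if magic != 0x10B:
        raise ValueError("not a PE32 optional header (PE32+ not handled here)")
    (entry_point,) = struct.unpack_from("<I", blob, opt + 16)
    (subsystem,) = struct.unpack_from("<H", blob, opt + 68)

    sections = []
    for i in range(nsec):
        name, vsize, va, raw_size, raw_ptr, _, _, _, _, sec_chars = struct.unpack_from(
            "<8sIIIIIIHHI", blob, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_size": vsize, "virtual_address": va,
                         "raw_size": raw_size, "raw_ptr": raw_ptr,
                         "characteristics": sec_chars})

    # Overlay: every file byte past the end of the last section's raw data.
    data_end = max((s["raw_ptr"] + s["raw_size"] for s in sections), default=0)
    overlay = blob[data_end:]

    # Which section the entry point RVA falls into (UPX: the UPX1 stub, not the original code).
    ep_section = next((s["name"] for s in sections
                       if s["virtual_address"] <= entry_point
                       < s["virtual_address"] + max(s["virtual_size"], s["raw_size"])), None)

    flags = []
    if UPX_SECTION_NAMES & {s["name"] for s in sections}:
        flags.append("upx-section-names")
    if ts == BORLAND_FIXED_TIMESTAMP:
        flags.append("borland-fixed-timestamp")
    if overlay:
        flags.append("overlay-present")

    return {
        "machine": machine,
        "characteristics": chars,
        "timestamp": ts,
        "timestamp_utc": datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
        "linker_version": f"{lnk_major}.{lnk_minor}",
        "subsystem": subsystem,
        "entry_point": entry_point,
        "entry_point_section": ep_section,
        "sections": sections,
        "overlay_offset": data_end,
        "overlay_size": len(overlay),
        "overlay_entropy": round(shannon_entropy(overlay), 2),
        "flags": flags,
    }


def build_sample_pe() -> bytes:
    """Constructed PE32 mirroring the report's layout (UPX0/UPX1/.rsrc, Borland
    timestamp, EP 0xEBFA0, 993-byte overlay at 379392). Not the real file."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                            # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 3, BORLAND_FIXED_TIMESTAMP, 0, 0, 0xE0, 0x818F)
    opt = bytearray(0xE0)
    struct.pack_into("<HBB", opt, 0, 0x10B, 2, 25)                     # PE32, linker 2.25
    struct.pack_into("<IIII", opt, 4, 372736, 12288, 593920, 0xEBFA0)  # code/idata/udata sizes, EP
    struct.pack_into("<III", opt, 28, 0x400000, 0x1000, 0x200)         # ImageBase, section/file alignment
    struct.pack_into("<HHHHHH", opt, 40, 1, 0, 0, 0, 4, 0)             # OS 1.0, image 0.0, subsystem 4.0
    struct.pack_into("<I", opt, 60, 0x400)                             # SizeOfHeaders
    struct.pack_into("<H", opt, 68, 2)                                 # Subsystem: Windows GUI
    struct.pack_into("<I", opt, 92, 16)                                # NumberOfRvaAndSizes

    def sec(name, vsize, va, raw_size, raw_ptr, sec_chars):
        return struct.pack("<8sIIIIIIHHI", name, vsize, va, raw_size, raw_ptr, 0, 0, 0, 0, sec_chars)

    hdr_size, upx1_raw, rsrc_raw = 0x400, 0x59600, 0x3000  # assumed raw sizes; 0x400+0x59600+0x3000 = 379392
    table = (sec(b"UPX0", 593920, 0x1000, 0, hdr_size, 0xE0000080) +
             sec(b"UPX1", 0x5B000, 0x92000, upx1_raw, hdr_size, 0xE0000040) +
             sec(b".rsrc", rsrc_raw, 0xED000, rsrc_raw, hdr_size + upx1_raw, 0xC0000040))
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table).ljust(hdr_size, b"\0")
    overlay = (b"constructed overlay data " * 40)[:993]                # constructed filler, 993 bytes
    return headers + b"\0" * upx1_raw + b"\0" * rsrc_raw + overlay


if __name__ == "__main__":
    report = parse_pe(build_sample_pe())
    for key, value in report.items():
        print(key, value)
```

To triage a real sample, pass `open(path, "rb").read()` to `parse_pe`; for a UPX-packed file expect the entry point to land in UPX1 and the overlay offset to equal the sum of the section raw data, as it does here. The block does not reproduce imphash or the import table, and an overlay that is small and low-entropy, like the 993-byte one above, is as often a trailing installer record as a payload, so treat the flag as a prompt to look, not a verdict.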
PE imports (this is the UPX stub's import table: LoadLibraryA, GetProcAddress and ExitProcess for the loader plus one function per DLL the original program uses; the real imports are rebuilt in memory at unpack time, so the imphash below identifies the packer stub, not the program)
LoadLibraryA
ExitProcess
GetProcAddress
ReleaseBindInfo
RegCloseKey
ImageList_Add
SaveDC
OleDraw
LoadTypeLib
ShellExecuteA
InternetCanonicalizeUrlA
Number of PE resources by type
RT_STRING 21
RT_BITMAP 21
RT_RCDATA 9
RT_GROUP_CURSOR 7
RT_CURSOR 7
TYPELIB 1
RT_MANIFEST 1
RT_ICON 1
RT_GROUP_ICON 1
Number of PE resources by language
NEUTRAL 68
ENGLISH US 1
PE resources
ExifTool file metadata
MIMEType application/octet-stream
Subsystem Windows GUI
MachineType Intel 386 or later, and compatibles
FileTypeExtension exe
TimeStamp 1992:06:19 23:22:17+01:00
FileType Win32 EXE
PEType PE32
CodeSize 372736
LinkerVersion 2.25
ImageFileCharacteristics No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
EntryPoint 0xebfa0
InitializedDataSize 12288
SubsystemVersion 4.0
ImageVersion 0.0
OSVersion 1.0
UninitializedDataSize 593920

File identification
MD5 f79f8056cfbb76b0c647b103be4def8e
SHA1 3fd2b79ffcdb229f060681107b854264131d5a97
SHA256 750479827e53b7644a643d65933588d5c937da89cad1e0bdf1fa7b70202d13a4
ssdeep 6144:KUnAU3oLSIfprFMtl3gI3IJLK5Aau701p6rKg/yXXJ65/9k4qLEhPoZZ/9lYPh99:KEAIJEQtlwI34LUu7jV/yXo5/9YYhPo+

authentihash 896970bbb93899294ddf25b3c9086746d2241f7b757977971ac91b2a026f882f
imphash 32aa242e2b7cfad5b2ac9812bcf80d01
File size 371.5 KB ( 380385 bytes )
File type Win32 EXE
Magic literal PE32 executable for MS Windows (GUI) Intel 80386 32-bit

TrID UPX compressed Win32 Executable (32.6%)
Win32 EXE Yoda's Crypter (32.0%)
DOS Borland compiled Executable (generic) (12.0%)
Win32 Dynamic Link Library (generic) (7.9%)
Win32 Executable (generic) (5.4%)
Tags
peexe upx overlay

VirusTotal metadata
First submission 2011-03-31 07:24:47 UTC ( 7 years, 6 months ago )
Last submission 2016-03-19 01:04:48 UTC ( 2 years, 7 months ago )
File names
file-2044607_swat
BestLoveLetters.exe
1282930143-Best-LoveLetters.exe
435578
octet-stream
Best-LoveLetters.exe
Advanced heuristic and reputation engines
ClamAV
Possibly Unwanted Application. While not necessarily malicious, the scanned file presents certain characteristics which depending on the user policies and environment may or may not represent a threat. For full details see: https://www.clamav.net/documents/potentially-unwanted-applications-pua .

Symantec reputation Suspicious.Insight
Condensed report! The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.
Opened files
Read files
Written files
Created mutexes
Opened mutexes
Searched windows
Hooking activity
Runtime DLLs
Additional details
The file sends control codes directly to device drivers using the DeviceIoControl Windows API.
The file installs an application-defined hook procedure into a hook chain using the SetWindowsHook family of Windows APIs. A hook procedure monitors the system for certain types of events, associated either with a specific thread or with all threads on the same desktop as the calling thread. The hook type and the target driver are not recorded in this condensed report.
UDP communications