SHA256: 7a40f3629cb35aa0030dbe4a4ce294e2cf7ad01eda10ea0f66d910ce35da8aff
File name: utrswsb.exe
Detection ratio: 58 / 64
Analysis date: 2017-09-06 01:41:33 UTC ( 2 weeks, 6 days ago )
Antivirus Result Update
Ad-Aware Trojan.CTBLockerKD.2095075 20170905
AegisLab Troj.Ransom.W32!c 20170906
AhnLab-V3 Win-Trojan/CTBLocker.Gen 20170905
ALYac Trojan.Ransom.CTBLocker 20170906
Antiy-AVL Trojan[Ransom]/Win32.Onion 20170906
Arcabit Trojan.CTBLockerKD.D1FF7E3 20170906
Avast Sf:Crypt-HC [Trj] 20170906
AVG Sf:Crypt-HC [Trj] 20170906
Avira (no cloud) TR/Crypt.ZPACK.htrez 20170905
AVware Ransom.Win32.Critroni 20170905
Baidu Win32.Trojan.Elenoocka.a 20170831
BitDefender Trojan.CTBLockerKD.2095075 20170906
Bkav W32.Patidoc.Trojan 20170905
CAT-QuickHeal TrojanRansom.Critroni.A3 20170905
ClamAV Win.Trojan.Ransom-9021 20170906
CMC Trojan.Win32.Cryptor!O 20170902
Comodo UnclassifiedMalware 20170906
CrowdStrike Falcon (ML) malicious_confidence_100% (W) 20170804
Cylance Unsafe 20170906
Cyren W32/Ransom.NPPA-3365 20170906
DrWeb Trojan.Encoder.686 20170906
Emsisoft Trojan.CTBLockerKD.2095075 (B) 20170906
Endgame malicious (high confidence) 20170821
ESET-NOD32 Win32/Filecoder.CTBLocker.A 20170906
F-Prot W32/Ransom.GI 20170906
F-Secure Trojan.CTBLockerKD.2095075 20170906
Fortinet W32/CRYPCTB.YN!tr 20170906
GData Win32.Trojan-Ransom.Cryptolocker.F@susp 20170906
Ikarus Trojan-Ransom.CTBLocker 20170905
Sophos ML heuristic 20170822
Jiangmin Trojan/Onion.d 20170906
K7AntiVirus Trojan ( 0049d83b1 ) 20170905
K7GW Trojan ( 0049d83b1 ) 20170905
Kaspersky Trojan-Ransom.Win32.Onion.aa 20170905
MAX malware (ai score=83) 20170905
McAfee Generic.vj 20170905
McAfee-GW-Edition BehavesLike.Win32.Dropper.jc 20170906
Microsoft Ransom:Win32/Critroni.A 20170906
eScan Trojan.CTBLockerKD.2095075 20170906
NANO-Antivirus Trojan.Win32.Vimditator.eopefo 20170906
nProtect Trojan/W32.CTBLocker.704512 20170906
Palo Alto Networks (Known Signatures) generic.ml 20170906
Panda Trj/WLT.B 20170905
Qihoo-360 Trojan.Win32.CTBLocker.A 20170906
Rising Trojan.Generic (cloud:f5A8hopriOK) 20170901
SentinelOne (Static ML) static engine - malicious 20170806
Sophos AV Troj/Agent-AIRO 20170906
Symantec Ransom.CTBLocker 20170905
Tencent Trojan.Win32.CTB-Locker.b 20170906
TheHacker Trojan/Kryptik.cvsp 20170904
TotalDefense Win32/Critroni.A 20170905
TrendMicro TROJ_CRYPCTB.YN 20170906
TrendMicro-HouseCall TROJ_CRYPCTB.YN 20170905
VBA32 Trojan.FakeAV.01657 20170905
VIPRE Ransom.Win32.Critroni 20170906
ViRobot Trojan.Win32.CTB-Locker.704512 20170905
Yandex Trojan.Vimditator! 20170904
ZoneAlarm by Check Point Trojan-Ransom.Win32.Onion.aa 20170906
Alibaba (undetected) 20170905
Kingsoft (undetected) 20170906
Malwarebytes (undetected) 20170905
SUPERAntiSpyware (undetected) 20170906
Symantec Mobile Insight (undetected) 20170901
Trustlook (undetected) 20170906
WhiteArmor (undetected) 20170829
Zillya (undetected) 20170905
Zoner (undetected) 20170906
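The engines above use several names for one family (CTBLocker, Critroni, Onion, CRYPCTB) alongside generic or packer-only labels such as Generic.vj and TR/Crypt.ZPACK. The following is an added example, not part of the VirusTotal report, that normalises such result strings to a family bucket and counts how many engines agree. The input rows are a subset copied from the table; the alias regex, the bucket names and the packer-only pattern are this example's own choices.

```python
"""Added example (not part of the VirusTotal report): normalise the vendor
detection names above to a common family label and count agreement.
Rows are (engine, result, update) tuples; an empty result means the engine
returned no detection."""
import re
from collections import Counter

# Subset of rows from the detection table above (constructed input for the example).
SAMPLE_ROWS = [
    ("Kaspersky", "Trojan-Ransom.Win32.Onion.aa", "20170905"),
    ("Microsoft", "Ransom:Win32/Critroni.A", "20170906"),
    ("ESET-NOD32", "Win32/Filecoder.CTBLocker.A", "20170906"),
    ("TrendMicro", "TROJ_CRYPCTB.YN", "20170906"),
    ("Symantec", "Ransom.CTBLocker", "20170905"),
    ("Avira (no cloud)", "TR/Crypt.ZPACK.htrez", "20170905"),
    ("McAfee", "Generic.vj", "20170905"),
    ("Comodo", "UnclassifiedMalware", "20170906"),
    ("Palo Alto Networks (Known Signatures)", "generic.ml", "20170906"),
    ("Alibaba", "", "20170905"),
    ("Malwarebytes", "", "20170905"),
]

# Vendor aliases for the same family, as they appear in the table:
# CTB-Locker / CTBLocker / CTB_Locker, Critroni, Onion, CRYPCTB.
FAMILY_ALIASES = {
    "CTB-Locker": re.compile(r"ctb.?locker|critroni|\bonion\b|crypctb", re.IGNORECASE),
}
# Names that only say "packed/obfuscated" and carry no family information.
PACKER_ONLY = re.compile(r"crypt\.zpack|kryptik|\bpacked\b", re.IGNORECASE)


def classify(result: str) -> str:
    """Map one vendor detection string to a family bucket."""
    if not result:
        return "undetected"
    for family, pattern in FAMILY_ALIASES.items():
        if pattern.search(result):
            return family
    if PACKER_ONLY.search(result):
        return "packer/crypter only"
    return "generic/unclassified"


def summarize(rows):
    """Count engines per bucket; returns a plain dict for easy comparison."""
    return dict(Counter(classify(result) for _, result, _ in rows))


def detection_ratio(rows):
    """(detections, engines), the way the report header states it."""
    detected = sum(1 for _, result, _ in rows if result)
    return detected, len(rows)


def consensus_family(rows):
    """Family with the most votes, or None when no named family appears."""
    votes = {k: v for k, v in summarize(rows).items() if k in FAMILY_ALIASES}
    return max(votes, key=votes.get) if votes else None


if __name__ == "__main__":
    print(detection_ratio(SAMPLE_ROWS))
    print(summarize(SAMPLE_ROWS), consensus_family(SAMPLE_ROWS))
```

The point of the buckets is that a high detection ratio alone says little: here five of the nine detecting engines name the same family while the rest say only "generic" or "packed", so the family verdict rests on the named subset, not the ratio.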
The file being studied is a Portable Executable (PE) file; more specifically, a Win32 EXE for the Windows GUI subsystem.
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2014-12-14 22:15:40 (UTC; this is the linker-written TimeDateStamp and is trivially forged, but here it precedes the first VirusTotal submission of 2015-01-20 by about five weeks, which is plausible)
Entry Point 0x00006583
Number of sections 3
PE sections (the section table is not included in the extracted report; the header above declares 3 sections)
PE imports (grouped here by the DLL that exports each name; the DLL headings were not preserved in the extracted page and are inferred from the API names)
kernel32.dll
DeviceIoControl
GetPrivateProfileStructA
lstrcmpiA
WaitForSingleObject
GetVersionExA
CreateNamedPipeA
UpdateResourceA
GetCurrentProcess
CreateDirectoryA
GetLongPathNameA
GetProcAddress
GetProcessHeap
CompareStringW
SetEnvironmentVariableW
GetStringTypeA
SetFilePointer
GetAtomNameA
HeapValidate
CloseHandle
lstrcpynA
GetBinaryTypeA
ReadConsoleA
GetEnvironmentVariableA
TlsGetValue
QueryDosDeviceW
FormatMessageA
GetPrivateProfileSectionA
FindResourceA
GetModuleHandleA
wtsapi32.dll
WTSQuerySessionInformationA
WTSQueryUserToken
WTSVirtualChannelClose
WTSVirtualChannelRead
WTSSendMessageA
WTSFreeMemory
WTSLogoffSession
WTSSetSessionInformationW
WTSEnumerateSessionsW
WTSVirtualChannelWrite
WTSEnumerateProcessesA
WTSWaitSystemEvent
WTSOpenServerW
ctl3d32.dll
Ctl3dRegister
Ctl3dGetVer
Ctl3dEnabled
Ctl3dCtlColor
gdi32.dll
vSetDdrawflag
DllInitialize
GradientFill
user32.dll
GetMessageA
CreateWindowExA
IsWindow
wsprintfA
GetWindowLongA
DrawIcon
IsZoomed
LoadImageA
PeekMessageA
SetCursorPos
GetPropA
CharToOemA
Note on the import table: the mix of terminal-services session control (WTS*), legacy Ctl3d and gradient-drawing calls, console reads, named pipes and raw device I/O is a scattershot set with no obvious common purpose, which suggests a crypter stub whose real payload resolves its own APIs at run time (GetProcAddress is imported). This reading is consistent with the packer-oriented names above (TR/Crypt.ZPACK, Trojan/Kryptik).
Number of PE resources by type
RT_ICON 3
RT_GROUP_ICON 1
RT_RCDATA 1
Number of PE resources by language
ENGLISH US 5
PE resources
Debug information
ExifTool file metadata
MIMEType: application/octet-stream
Subsystem: Windows GUI
MachineType: Intel 386 or later, and compatibles
FileTypeExtension: exe
TimeStamp: 2014:12:14 23:15:40+01:00 (the same TimeDateStamp as the 22:15:40 UTC compilation timestamp above, rendered in a +01:00 zone)
FileType: Win32 EXE
PEType: PE32
CodeSize: 27136
LinkerVersion: 7.0
EntryPoint: 0x6583
InitializedDataSize: 676352
SubsystemVersion: 5.1
ImageVersion: 0.0
OSVersion: 5.1
UninitializedDataSize: 0
Execution parents
Compressed bundles
File identification
MD5 14c0558c757c93465eccbbd77d58bbf3
SHA1 6810f392ca6daa1278b0a97629021401c14f3235
SHA256 7a40f3629cb35aa0030dbe4a4ce294e2cf7ad01eda10ea0f66d910ce35da8aff
ssdeep 12288:WoxEdD8BBtW5lanZREsFREqUsKDr1MALIODuhBogRyy3rBl/VoFx:WoxEtknClaFFRE3s8fNDuhaS
authentihash e3f3a223618fab8313df58d8c048bc6487ea5c61cc8e7ab781a4c3bd9ec7a830
imphash d5354418ee484eb31366ff821b8ebd8b
File size 688.0 KB (704512 bytes)
File type Win32 EXE
Magic literal PE32 executable for MS Windows (GUI) Intel 80386 32-bit
TrID Win32 Dynamic Link Library (generic) (43.5%); Win32 Executable (generic) (29.8%); Generic Win/DOS Executable (13.2%); DOS Executable Generic (13.2%)
Tags peexe via-tor

VirusTotal metadata
First submission 2015-01-20 08:55:35 UTC ( 2 years, 8 months ago )
Last submission 2017-07-20 17:22:32 UTC ( 2 months, 1 week ago )
File names CTB-LOCKER (3).bin
1379421.exe
224830151.e
893344.exe
14C0558C757C93465ECCBBD77D58BBF3.exe
1278240.exe
6518182.exe
7523943.exe_
lticqib.exe
25643984.exe
5973371.exe
6620776.exe
6448187.exe_
VIRUSONE.pippo.noncambiare.nudda
324159765.exe
5461189.exe
qklcfkf.14C0558C757C93465ECCBBD77D58BBF3_over
file-7933712_exe_
12934620.exe
zbzulok.ex_
7a40f3629cb35aa0030dbe4a4ce294e2cf7ad01eda10ea0f66d910ce35da8aff.bin
csajmte.exe
708438.exe
6810f392ca6daa1278b0a97629021401c14f3235_9776484.ex
536347.exe
Advanced heuristic and reputation engines
Symantec reputation Suspicious.Insight
Condensed report! The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.
Opened files
Read files
Written files
Moved files
Deleted files
Created processes
Code injections in the following processes
Created mutexes
Opened mutexes
Searched windows
Opened service managers
Opened services
Hooking activity
Runtime DLLs
Additional details
The file sends control codes directly to device drivers using the DeviceIoControl Windows API function (which also appears in the static import list above).
The file installs an application-defined hook procedure into a hook chain using the SetWindowsHookEx family (the report names it SetWindowsHook). A hook procedure monitors the system for certain types of events, associated either with a specific thread or with all threads on the same desktop as the calling thread. Note that no SetWindowsHook* name appears in the import list above, so the call is resolved at run time; a review of static imports alone would miss it.