SHA256: 7a40f3629cb35aa0030dbe4a4ce294e2cf7ad01eda10ea0f66d910ce35da8aff
File name: utrswsb.exe
Detection ratio: 59 / 66
Analysis date: 2017-10-10 01:38:05 UTC ( 4 months, 1 week ago )
Antivirus Result Update
Ad-Aware Trojan.CTBLockerKD.2095075 20171010
AegisLab Troj.Ransom.W32!c 20171010
AhnLab-V3 Win-Trojan/CTBLocker.Gen 20171010
ALYac Trojan.Ransom.CTBLocker 20171010
Antiy-AVL Trojan[Ransom]/Win32.Onion 20171010
Arcabit Trojan.CTBLockerKD.D1FF7E3 20171010
Avast Sf:Crypt-HC [Trj] 20171010
AVG Sf:Crypt-HC [Trj] 20171010
Avira (no cloud) TR/Crypt.ZPACK.htrez 20171009
AVware Ransom.Win32.Critroni 20171009
Baidu Win32.Trojan.Elenoocka.a 20170930
BitDefender Trojan.CTBLockerKD.2095075 20171010
Bkav W32.Patidoc.Trojan 20171009
CAT-QuickHeal TrojanRansom.Critroni.A3 20171009
ClamAV Win.Trojan.Ransom-9021 20171010
CMC Trojan.Win32.Cryptor!O 20171009
CrowdStrike Falcon (ML) malicious_confidence_100% (W) 20170804
Cylance Unsafe 20171010
Cyren W32/Ransom.NPPA-3365 20171009
DrWeb Trojan.Encoder.686 20171010
Emsisoft Trojan.CTBLockerKD.2095075 (B) 20171010
Endgame malicious (high confidence) 20170821
ESET-NOD32 Win32/Filecoder.CTBLocker.A 20171009
F-Prot W32/Ransom.GI 20171010
F-Secure Trojan.CTBLockerKD.2095075 20171010
Fortinet W32/CRYPCTB.YN!tr 20171010
GData Win32.Trojan-Ransom.Cryptolocker.F@susp 20171010
Ikarus Trojan-Ransom.CTBLocker 20171009
Sophos ML heuristic 20170914
Jiangmin Trojan/Onion.d 20171010
K7AntiVirus Trojan ( 0049d83b1 ) 20171009
K7GW Trojan ( 0049d83b1 ) 20171010
Kaspersky Trojan-Ransom.Win32.Onion.aa 20171009
MAX malware (ai score=83) 20171010
McAfee Generic.vj 20171010
McAfee-GW-Edition BehavesLike.Win32.Ransomware.jc 20171009
Microsoft Ransom:Win32/Critroni.A 20171009
eScan Trojan.CTBLockerKD.2095075 20171009
NANO-Antivirus Trojan.Win32.Vimditator.eopefo 20171009
nProtect Trojan/W32.CTBLocker.704512 20171009
Palo Alto Networks (Known Signatures) generic.ml 20171010
Panda Trj/WLT.B 20171009
Qihoo-360 Trojan.Win32.CTBLocker.A 20171010
Rising Malware.Heuristic!ET#100% (RDM+:cmRtazrXNPlYrFPcXgLe7I+ivHrc) 20171009
SentinelOne (Static ML) static engine - malicious 20171001
Sophos AV Troj/Agent-AIRO 20171010
Symantec Ransom.CTBLocker 20171009
Tencent Trojan.Win32.CTB-Locker.b 20171010
TheHacker Trojan/Kryptik.cvsp 20171007
TotalDefense Win32/Critroni.A 20171009
TrendMicro TROJ_CRYPCTB.YN 20171009
TrendMicro-HouseCall TROJ_CRYPCTB.YN 20171009
VBA32 Trojan.FakeAV.01657 20171009
VIPRE Ransom.Win32.Critroni 20171009
ViRobot Trojan.Win32.CTB-Locker.704512 20171009
Webroot Trojan.Dropper.Gen 20171010
Yandex Trojan.Vimditator! 20171009
Zillya Trojan.FileCryptor.Win32.2 20171009
ZoneAlarm by Check Point Trojan-Ransom.Win32.Onion.aa 20171010
Alibaba 20170911
Avast-Mobile 20171009
Comodo 20171010
Kingsoft 20171010
Malwarebytes 20171010
SUPERAntiSpyware 20171010
Symantec Mobile Insight 20171006
Trustlook 20171010
WhiteArmor 20170927
Zoner 20171010
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2014-12-14 22:15:40
Entry Point 0x00006583
Number of sections 3
PE sections
PE imports
DeviceIoControl
GetPrivateProfileStructA
lstrcmpiA
WaitForSingleObject
GetVersionExA
CreateNamedPipeA
UpdateResourceA
GetCurrentProcess
CreateDirectoryA
GetLongPathNameA
GetProcAddress
GetProcessHeap
CompareStringW
SetEnvironmentVariableW
GetStringTypeA
SetFilePointer
GetAtomNameA
HeapValidate
CloseHandle
lstrcpynA
GetBinaryTypeA
ReadConsoleA
GetEnvironmentVariableA
TlsGetValue
QueryDosDeviceW
FormatMessageA
GetPrivateProfileSectionA
FindResourceA
GetModuleHandleA
WTSQuerySessionInformationA
WTSQueryUserToken
WTSVirtualChannelClose
WTSVirtualChannelRead
WTSSendMessageA
WTSFreeMemory
WTSLogoffSession
WTSSetSessionInformationW
WTSEnumerateSessionsW
WTSVirtualChannelWrite
WTSEnumerateProcessesA
WTSWaitSystemEvent
WTSOpenServerW
Ctl3dRegister
Ctl3dGetVer
Ctl3dEnabled
Ctl3dCtlColor
vSetDdrawflag
DllInitialize
GradientFill
GetMessageA
CreateWindowExA
IsWindow
wsprintfA
GetWindowLongA
DrawIcon
IsZoomed
LoadImageA
PeekMessageA
SetCursorPos
GetPropA
CharToOemA
Number of PE resources by type
RT_ICON 3
RT_GROUP_ICON 1
RT_RCDATA 1
Number of PE resources by language
ENGLISH US 5
PE resources
Debug information
ExifTool file metadata
MIMEType application/octet-stream
Subsystem Windows GUI
MachineType Intel 386 or later, and compatibles
FileTypeExtension exe
TimeStamp 2014:12:14 23:15:40+01:00
FileType Win32 EXE
PEType PE32
CodeSize 27136
LinkerVersion 7.0
EntryPoint 0x6583
InitializedDataSize 676352
SubsystemVersion 5.1
ImageVersion 0.0
OSVersion 5.1
UninitializedDataSize 0
Execution parents
Compressed bundles
File identification
MD5 14c0558c757c93465eccbbd77d58bbf3
SHA1 6810f392ca6daa1278b0a97629021401c14f3235
SHA256 7a40f3629cb35aa0030dbe4a4ce294e2cf7ad01eda10ea0f66d910ce35da8aff
ssdeep 12288:WoxEdD8BBtW5lanZREsFREqUsKDr1MALIODuhBogRyy3rBl/VoFx:WoxEtknClaFFRE3s8fNDuhaS
imphash d5354418ee484eb31366ff821b8ebd8b
File size 688.0 KB ( 704512 bytes )
File type Win32 EXE
Magic literal PE32 executable for MS Windows (GUI) Intel 80386 32-bit
TrID Win32 Dynamic Link Library (generic) (43.5%)
Win32 Executable (generic) (29.8%)
Generic Win/DOS Executable (13.2%)
DOS Executable Generic (13.2%)
Tags peexe via-tor
VirusTotal metadata
First submission 2015-01-20 08:55:35 UTC ( 3 years ago )
Last submission 2017-07-20 17:22:32 UTC ( 7 months ago )
File names CTB-LOCKER (3).bin
1379421.exe
224830151.e
893344.exe
14C0558C757C93465ECCBBD77D58BBF3.exe
1278240.exe
6518182.exe
7523943.exe_
lticqib.exe
25643984.exe
5973371.exe
6620776.exe
6448187.exe_
VIRUSONE.pippo.noncambiare.nudda
324159765.exe
5461189.exe
qklcfkf.14C0558C757C93465ECCBBD77D58BBF3_over
file-7933712_exe_
12934620.exe
zbzulok.ex_
7a40f3629cb35aa0030dbe4a4ce294e2cf7ad01eda10ea0f66d910ce35da8aff.bin
csajmte.exe
708438.exe
6810f392ca6daa1278b0a97629021401c14f3235_9776484.ex
536347.exe
Advanced heuristic and reputation engines
Symantec reputation Suspicious.Insight
Condensed report! The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.
Opened files
Read files
Written files
Moved files
Deleted files
Created processes
Code injections in the following processes
Created mutexes
Opened mutexes
Searched windows
Opened service managers
Opened services
Hooking activity
Runtime DLLs
Additional details
The file sends control codes directly to certain device drivers by using the DeviceIoControl Windows API function.
The file installs an application-defined hook procedure into a hook chain. A hook procedure is installed to monitor the system for certain types of events; these events are associated either with a specific thread or with all threads in the same desktop as the calling thread. This is done by using the SetWindowsHook Windows API function.