SHA256: 7a40f3629cb35aa0030dbe4a4ce294e2cf7ad01eda10ea0f66d910ce35da8aff
File name: utrswsb.exe
Detection ratio: 61 / 68
Analysis date: 2018-06-23 18:16:48 UTC ( 3 weeks, 2 days ago )
Antivirus Result Update
Ad-Aware Trojan.CTBLockerKD.2095075 20180623
AegisLab Troj.Ransom.W32!c 20180622
AhnLab-V3 Win-Trojan/CTBLocker.Gen 20180623
ALYac Trojan.Ransom.CTBLocker 20180623
Antiy-AVL Trojan[Ransom]/Win32.Onion 20180623
Arcabit Trojan.CTBLockerKD.D1FF7E3 20180623
Avast Sf:Crypt-HC [Trj] 20180623
AVG Sf:Crypt-HC [Trj] 20180623
Avira (no cloud) TR/Crypt.ZPACK.htrez 20180623
AVware Ransom.Win32.Critroni 20180623
Baidu Win32.Trojan.Elenoocka.a 20180622
BitDefender Trojan.CTBLockerKD.2095075 20180623
Bkav W32.Patidoc.Trojan 20180623
CAT-QuickHeal TrojanRansom.Critroni.A3 20180622
ClamAV Win.Trojan.Ransom-9021 20180623
CMC Trojan.Win32.Cryptor!O 20180623
CrowdStrike Falcon (ML) malicious_confidence_100% (W) 20180530
Cybereason malicious.c757c9 20180225
Cylance Unsafe 20180623
Cyren W32/Trojan.NPPA-3365 20180623
DrWeb Trojan.Encoder.686 20180623
Emsisoft Trojan.CTBLockerKD.2095075 (B) 20180623
Endgame malicious (high confidence) 20180612
ESET-NOD32 Win32/Filecoder.CTBLocker.A 20180623
F-Prot W32/Ransom.GI 20180623
F-Secure Trojan.CTBLockerKD.2095075 20180622
Fortinet W32/CRYPCTB.YN!tr 20180623
GData Win32.Trojan-Ransom.Cryptolocker.F@susp 20180623
Ikarus Trojan-Ransom.CTBLocker 20180623
Sophos ML heuristic 20180601
Jiangmin Trojan/Onion.d 20180623
K7AntiVirus Trojan ( 004b43c51 ) 20180623
K7GW Trojan ( 004b43c51 ) 20180623
Kaspersky Trojan-Ransom.Win32.Onion.aa 20180623
Malwarebytes Ransom.CTBLocker 20180623
MAX malware (ai score=100) 20180623
McAfee Generic.vj 20180623
McAfee-GW-Edition BehavesLike.Win32.Ransomware.jc 20180623
Microsoft Ransom:Win32/Critroni.A 20180623
eScan Trojan.CTBLockerKD.2095075 20180623
NANO-Antivirus Trojan.Win32.Vimditator.eopefo 20180623
Palo Alto Networks (Known Signatures) generic.ml 20180623
Panda Trj/WLT.B 20180623
Qihoo-360 Trojan.Win32.CTBLocker.A 20180623
Rising Trojan.Spy.Win32.Critroni.w (CLOUD) 20180623
SentinelOne (Static ML) static engine - malicious 20180618
Sophos AV Troj/Agent-AIRO 20180623
Symantec Ransom.CTBLocker 20180623
TACHYON Trojan/W32.CTBLocker.704512 20180623
Tencent Trojan.Win32.CTB-Locker.b 20180623
TheHacker Trojan/Kryptik.cvsp 20180622
TotalDefense Win32/Critroni.A 20180623
TrendMicro TROJ_CRYPCTB.YN 20180623
TrendMicro-HouseCall TROJ_CRYPCTB.YN 20180623
VBA32 Trojan.FakeAV.01657 20180622
VIPRE Ransom.Win32.Critroni 20180623
ViRobot Trojan.Win32.CTB-Locker.704512 20180623
Webroot Trojan.Dropper.Gen 20180623
Yandex Trojan.Vimditator! 20180622
Zillya Trojan.FileCryptor.Win32.2 20180622
ZoneAlarm by Check Point Trojan-Ransom.Win32.Onion.aa 20180623
Alibaba 20180622
Avast-Mobile 20180623
Babable 20180406
Comodo 20180623
eGambit 20180623
Kingsoft 20180623
SUPERAntiSpyware 20180623
Symantec Mobile Insight 20180619
Trustlook 20180623
Zoner 20180622
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2014-12-14 22:15:40
Entry Point 0x00006583
Number of sections 3
PE sections
PE imports
DeviceIoControl
GetPrivateProfileStructA
lstrcmpiA
WaitForSingleObject
GetVersionExA
CreateNamedPipeA
UpdateResourceA
GetCurrentProcess
CreateDirectoryA
GetLongPathNameA
GetProcAddress
GetProcessHeap
CompareStringW
SetEnvironmentVariableW
GetStringTypeA
SetFilePointer
GetAtomNameA
HeapValidate
CloseHandle
lstrcpynA
GetBinaryTypeA
ReadConsoleA
GetEnvironmentVariableA
TlsGetValue
QueryDosDeviceW
FormatMessageA
GetPrivateProfileSectionA
FindResourceA
GetModuleHandleA
WTSQuerySessionInformationA
WTSQueryUserToken
WTSVirtualChannelClose
WTSVirtualChannelRead
WTSSendMessageA
WTSFreeMemory
WTSLogoffSession
WTSSetSessionInformationW
WTSEnumerateSessionsW
WTSVirtualChannelWrite
WTSEnumerateProcessesA
WTSWaitSystemEvent
WTSOpenServerW
Ctl3dRegister
Ctl3dGetVer
Ctl3dEnabled
Ctl3dCtlColor
vSetDdrawflag
DllInitialize
GradientFill
GetMessageA
CreateWindowExA
IsWindow
wsprintfA
GetWindowLongA
DrawIcon
IsZoomed
LoadImageA
PeekMessageA
SetCursorPos
GetPropA
CharToOemA
Number of PE resources by type
RT_ICON 3
RT_RCDATA 1
RT_GROUP_ICON 1
Number of PE resources by language
ENGLISH US 5
PE resources
Debug information
ExifTool file metadata
MIMEType application/octet-stream
Subsystem Windows GUI
MachineType Intel 386 or later, and compatibles
FileTypeExtension exe
TimeStamp 2014:12:14 23:15:40+01:00
FileType Win32 EXE
PEType PE32
CodeSize 27136
LinkerVersion 7.0
EntryPoint 0x6583
InitializedDataSize 676352
SubsystemVersion 5.1
ImageVersion 0.0
OSVersion 5.1
UninitializedDataSize 0
Execution parents
Compressed bundles
File identification
MD5 14c0558c757c93465eccbbd77d58bbf3
SHA1 6810f392ca6daa1278b0a97629021401c14f3235
SHA256 7a40f3629cb35aa0030dbe4a4ce294e2cf7ad01eda10ea0f66d910ce35da8aff
ssdeep 12288:WoxEdD8BBtW5lanZREsFREqUsKDr1MALIODuhBogRyy3rBl/VoFx:WoxEtknClaFFRE3s8fNDuhaS
authentihash e3f3a223618fab8313df58d8c048bc6487ea5c61cc8e7ab781a4c3bd9ec7a830
imphash d5354418ee484eb31366ff821b8ebd8b
File size 688.0 KB ( 704512 bytes )
File type Win32 EXE
Magic literal PE32 executable for MS Windows (GUI) Intel 80386 32-bit
TrID Win32 Dynamic Link Library (generic) (38.4%)
Win32 Executable (generic) (26.3%)
OS/2 Executable (generic) (11.8%)
Generic Win/DOS Executable (11.6%)
DOS Executable Generic (11.6%)
Tags peexe via-tor
VirusTotal metadata
First submission 2015-01-20 08:55:35 UTC ( 3 years, 5 months ago )
Last submission 2018-05-24 17:58:31 UTC ( 1 month, 3 weeks ago )
File names CTB-LOCKER (3).bin
1379421.exe
224830151.e
893344.exe
14C0558C757C93465ECCBBD77D58BBF3.exe
1278240.exe
6518182.exe
7523943.exe_
lticqib.exe
25643984.exe
5973371.exe
6620776.exe
6448187.exe_
VIRUSONE.pippo.noncambiare.nudda
324159765.exe
5461189.exe
qklcfkf.14C0558C757C93465ECCBBD77D58BBF3_over
file-7933712_exe_
12934620.exe
zbzulok.ex_
7a40f3629cb35aa0030dbe4a4ce294e2cf7ad01eda10ea0f66d910ce35da8aff.bin
csajmte.exe
708438.exe
6810f392ca6daa1278b0a97629021401c14f3235_9776484.ex
536347.exe
Advanced heuristic and reputation engines
Symantec reputation Suspicious.Insight
Condensed report! The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.
Opened files
Read files
Written files
Moved files
Deleted files
Created processes
Code injections in the following processes
Created mutexes
Opened mutexes
Searched windows
Opened service managers
Opened services
Hooking activity
Runtime DLLs
Additional details
The file sends control codes directly to certain device drivers making use of the DeviceIoControl Windows API function.
The file installs an application-defined hook procedure into a hook chain. You would install a hook procedure to monitor the system for certain types of events. These events are associated either with a specific thread or with all threads in the same desktop as the calling thread. This is done making use of the SetWindowsHook Windows API function.