SHA256: 7da089beb39100952eab81f284e14ea52c1585b3be135c41238ddf0bea083fde
File name: vt-upload-OARA7
Detection ratio: 33 / 46
Analysis date: 2013-07-10 09:11:46 UTC ( 9 months, 1 week ago )
Antivirus               Result                                  Update
AVG                     BackDoor.Delf                           20130709
Agnitum                 Trojan.Yoddos!Zrf8nSLl3+M               20130710
AhnLab-V3               Trojan/Win32.Yoddos                     20130710
AntiVir                 TR/Proxy.Horst.Gen                      20130710
Antiy-AVL               Trojan/Win32.Jorik                      20130710
Avast                   Win32:Malware-gen                       20130710
BitDefender             Gen:Variant.Graftor.38935               20130710
CAT-QuickHeal           Backdoor.Zegost.B                       20130708
Commtouch               W32/PcClient.A.gen!Eldorado             20130710
Comodo                  TrojWare.Win32.Agent.OWW                20130709
DrWeb                   Trojan.DownLoader7.47461                20130710
ESET-NOD32              a variant of Win32/Agent.OWW            20130710
Emsisoft                Gen:Variant.Graftor.38935 (B)           20130710
F-Prot                  W32/PcClient.A.gen!Eldorado             20130710
F-Secure                Gen:Variant.Graftor.38935               20130710
Fortinet                W32/Agent.OWW!tr                        20130710
GData                   Gen:Variant.Graftor.38935               20130710
Ikarus                  Trojan.Win32.SystemHijack               20130710
Jiangmin                Trojan/Generic.axdne                    20130710
K7AntiVirus             Backdoor                                20130709
Kaspersky               Trojan.Win32.Jorik.Yoddos.plk           20130710
Kingsoft                Win32.Troj.Agent.o.(kcloud)             20130708
Malwarebytes            Trojan.Downloader                       20130710
McAfee                  Artemis!CE744F096751                    20130710
Microsoft               Trojan:Win32/Dynamer!dtc                20130710
Norman                  Startpage.ALTD                          20130708
Panda                   Generic Malware                         20130710
Rising                  Trojan.Farfli!4886                      20130709
Sophos                  Mal/Generic-S                           20130710
TrendMicro              TROJ_GEN.R047C0GG413                    20130710
TrendMicro-HouseCall    TROJ_GEN.R047C0GG413                    20130710
VBA32                   suspected of Trojan.Downloader.gen.h    20130709
VIPRE                   Trojan.Win32.Generic!BT                 20130710
ByteHero                (no detection)                          20130613
ClamAV                  (no detection)                          20130710
K7GW                    (no detection)                          20130709
McAfee-GW-Edition       (no detection)                          20130710
MicroWorld-eScan        (no detection)                          20130710
NANO-Antivirus          (no detection)                          20130710
PCTools                 (no detection)                          20130710
SUPERAntiSpyware        (no detection)                          20130710
Symantec                (no detection)                          20130710
TheHacker               (no detection)                          20130710
TotalDefense            (no detection)                          20130710
ViRobot                 (no detection)                          20130710
eSafe                   (no detection)                          20130709
nProtect                (no detection)                          20130710
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
Authenticode signature block
Copyright: Copyright(C) 2008-2013 Beijing Rising Information Technology Co., Ltd. All Rights Reserved.
Publisher: Beijing Rising Information Technology Co., Ltd.
Product: Rising AntiVirus 2013
Version: 21, 0, 0, 0
Original name: ravcopy.exe
Internal name: Beijing Rising Information Technology Co., Ltd.
File version: 21.0.0.17
Description: RavCopy Module
Packers identified
PEiD: Armadillo v1.71
PE header basic information
Target machine: Intel 386 or later processors and compatible processors
Compilation timestamp: 2013-06-26 06:19:30
Link date: 7:19 AM 6/26/2013
Entry Point: 0x0000336F
Number of sections: 4
PE sections
PE imports
GetLastError
WriteProcessMemory
ReleaseMutex
lstrcmpiA
GlobalFree
WaitForSingleObject
FreeLibrary
CopyFileA
ExitProcess
GetVersionExA
LoadLibraryA
GlobalAlloc
GetModuleFileNameA
GetShortPathNameA
GetCurrentProcess
SetThreadPriority
GetFileSize
lstrcatA
DeleteFileA
GetWindowsDirectoryA
SetErrorMode
ReadProcessMemory
GetProcAddress
GetThreadContext
GetCurrentThread
OpenMutexA
SetFileAttributesA
CreateMutexA
SetFilePointer
RaiseException
CreateThread
GetModuleHandleA
GetSystemDefaultUILanguage
ReadFile
GetCurrentProcessId
InterlockedExchange
lstrcpyA
GetStartupInfoA
CloseHandle
GlobalMemoryStatusEx
GetSystemDirectoryA
SetPriorityClass
SetThreadContext
TerminateProcess
ResumeThread
CreateProcessA
GetEnvironmentVariableA
VirtualProtectEx
VirtualFree
VirtualQueryEx
Sleep
CreateFileA
GetTickCount
OutputDebugStringA
VirtualAlloc
LocalAlloc
_except_handler3
__p__fmode
_XcptFilter
strstr
_adjust_fdiv
strcspn
memmove
??2@YAPAXI@Z
_exit
__p__commode
??3@YAXPAX@Z
atoi
exit
sprintf
__getmainargs
_initterm
__setusermatherr
_acmdln
_controlfp
strncpy
__set_app_type
ShellExecuteA
SHDeleteKeyA
InternetReadFile
InternetOpenUrlA
InternetCloseHandle
InternetOpenA
Ord(3)
WSASocketA
Ord(11)
Ord(22)
Ord(23)
Ord(8)
Ord(20)
Ord(21)
Ord(151)
Ord(16)
WSAIoctl
Ord(4)
Ord(115)
Ord(52)
Ord(19)
Ord(18)
Ord(9)
Number of PE resources by type
RT_VERSION: 1
Number of PE resources by language
CHINESE SIMPLIFIED: 1
ExifTool file metadata
SpecialBuild: 668531044687500
SubsystemVersion: 4.0
LinkerVersion: 6.0
ImageVersion: 0.0
FileSubtype: 0
FileVersionNumber: 21.0.0.0
LanguageCode: English (U.S.)
FileFlagsMask: 0x003f
FileDescription: RavCopy Module
CharacterSet: Unicode
InitializedDataSize: 13824
FileOS: Windows NT 32-bit
PrivateBuild: admin@darkshellnew.com
MIMEType: application/octet-stream
LegalCopyright: Copyright(C) 2008-2013 Beijing Rising Information Technology Co., Ltd. All Rights Reserved.
FileVersion: 21.0.0.17
TimeStamp: 2013:06:26 07:19:30+01:00
FileType: Win32 EXE
PEType: PE32
InternalName: Beijing Rising Information Technology Co., Ltd.
ProductVersion: 21, 0, 0, 0
UninitializedDataSize: 0
OSVersion: 4.0
OriginalFilename: ravcopy.exe
Subsystem: Windows GUI
MachineType: Intel 386 or later, and compatibles
CompanyName: Beijing Rising Information Technology Co., Ltd.
CodeSize: 15872
ProductName: Rising AntiVirus 2013
ProductVersionNumber: 21.0.0.0
EntryPoint: 0x336f
ObjectFileType: Executable application

File identification
MD5: ce744f096751d0c48b5498bb562eab59
SHA1: 858d980eb169c84e840c9599371cc285e5355f43
SHA256: 7da089beb39100952eab81f284e14ea52c1585b3be135c41238ddf0bea083fde
ssdeep: 768:l1BefZNGbFkhZyAfZtc+qXaJWdCjnY+Y5hu6gXph:l1BE0khZpfZttqXaJCknGs
File size: 25.5 KB ( 26112 bytes )
File type: Win32 EXE
Magic literal: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
TrID:
  Win32 Executable MS Visual C++ (generic) (42.1%)
  Win64 Executable (generic) (37.3%)
  Win32 Dynamic Link Library (generic) (8.8%)
  Win32 Executable (generic) (6.0%)
  Generic Win/DOS Executable (2.7%)
Tags: peexe armadillo
VirusTotal metadata
First submission: 2013-07-04 13:02:34 UTC ( 9 months, 2 weeks ago )
Last submission: 2013-07-10 09:11:46 UTC ( 9 months, 1 week ago )
File names:
  Beijing Rising Information Technology Co., Ltd.
  vt-upload-OARA7
  ce744f096751d0c48b5498bb562eab59_qvod.exe
  ravcopy.exe
Advanced heuristic and reputation engines
Symantec reputation: Suspicious.Insight
Condensed report! The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.
Opened files
Read files
Set keys
Created mutexes
Opened mutexes
Opened service managers
Opened services
Runtime DLLs
Additional details
The file sends control codes directly to certain device drivers making use of the DeviceIoControl Windows API function.
HTTP requests
DNS requests
TCP connections