× Cookies are disabled! This site requires cookies to be enabled to work properly
SHA256: 812e936091ffb33aa646adfad091486af01cc687c80973bb5314e4f820fbf179
File name: 2015-04-30-Angler-EK-Payload5.exe
Detection ratio: 16 / 56
Analysis date: 2015-05-02 18:53:36 UTC ( 2 years ago ) View latest
Antivirus Result Update
Ad-Aware Gen:Variant.Mikey.12501 20150502
ALYac Gen:Variant.Mikey.12501 20150502
AVware Trojan.Win32.Generic!BT 20150502
Baidu-International Trojan.Win32.Ransom.mhkz 20150502
BitDefender Gen:Variant.Mikey.12501 20150502
Emsisoft Gen:Variant.Mikey.12501 (B) 20150502
F-Secure Gen:Variant.Mikey.12501 20150502
Fortinet W32/Kryptik.DGXK!tr 20150502
GData Gen:Variant.Mikey.12501 20150502
eScan Gen:Variant.Mikey.12501 20150502
Panda Trj/Chgt.O 20150502
Qihoo-360 HEUR/QVM10.1.Malware.Gen 20150502
Sophos Mal/Generic-S 20150502
Symantec WS.Reputation.1 20150502
Tencent Win32.Trojan.Foreign.Huqf 20150502
VIPRE Trojan.Win32.Generic!BT 20150502
AegisLab 20150502
Yandex 20150502
AhnLab-V3 20150502
Alibaba 20150502
Antiy-AVL 20150502
Avast 20150516
AVG 20150516
Avira (no cloud) 20150515
Bkav 20150425
ByteHero 20150502
CAT-QuickHeal 20150502
ClamAV 20150502
CMC 20150501
Comodo 20150502
Cyren 20150502
DrWeb 20150516
ESET-NOD32 20150516
F-Prot 20150516
Ikarus 20150502
Jiangmin 20150515
K7AntiVirus 20150502
K7GW 20150502
Kaspersky 20150516
Kingsoft 20150502
McAfee 20150516
McAfee-GW-Edition 20150516
Microsoft 20150516
NANO-Antivirus 20150502
Norman 20150516
nProtect 20150430
Rising 20150515
SUPERAntiSpyware 20150502
TheHacker 20150501
TotalDefense 20150515
TrendMicro 20150516
TrendMicro-HouseCall 20150516
VBA32 20150501
ViRobot 20150502
Zillya 20150515
Zoner 20150430
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
FileVersionInfo properties
Copyright
Copyright (C) Alice 2002-2013

Publisher Elephant combination - www.Alice.com
Product Alice
File version 2.0.0.8
Description Herd bee
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2015-04-30 15:56:57
Entry Point 0x0000708F
Number of sections 4
PE sections
PE imports
GetTokenInformation
LookupPrivilegeValueA
RegCloseKey
OpenProcessToken
RegSetValueExA
FreeSid
RegQueryValueExA
AllocateAndInitializeSid
AdjustTokenPrivileges
EqualSid
RegCreateKeyExA
RegOpenKeyExA
RegDeleteValueA
RegQueryInfoKeyA
GetDeviceCaps
GetStdHandle
GetConsoleOutputCP
GetFileAttributesA
WaitForSingleObject
GetDriveTypeA
FreeEnvironmentStringsA
DeleteCriticalSection
GetCurrentProcess
GetConsoleMode
GetLocaleInfoA
LocalAlloc
lstrcatA
_llseek
GetLogicalDrives
FreeEnvironmentStringsW
SetStdHandle
GetTempPathA
GetCPInfo
GetStringTypeA
WriteFile
_lopen
GetSystemTimeAsFileTime
GetDiskFreeSpaceA
GetStringTypeW
SetFileAttributesA
GetExitCodeProcess
LocalFree
LoadResource
FindClose
TlsGetValue
FormatMessageA
SetLastError
IsDebuggerPresent
ExitProcess
FlushFileBuffers
RemoveDirectoryA
GetVolumeInformationA
LoadLibraryExA
GetPrivateProfileStringA
UnhandledExceptionFilter
InterlockedDecrement
MultiByteToWideChar
CreateMutexA
GetModuleHandleA
_lclose
CreateThread
SetUnhandledExceptionFilter
CreateMutexW
MulDiv
GetSystemDirectoryA
SetEnvironmentVariableA
TerminateProcess
WriteConsoleA
GlobalAlloc
LocalFileTimeToFileTime
GetCurrentThreadId
InterlockedIncrement
SetCurrentDirectoryA
WriteConsoleW
CloseHandle
InitializeCriticalSectionAndSpinCount
HeapFree
EnterCriticalSection
SetHandleCount
TerminateThread
lstrcmpiA
GetOEMCP
QueryPerformanceCounter
GetTickCount
TlsAlloc
GetVersionExA
LoadLibraryA
RtlUnwind
FreeLibrary
GetStartupInfoA
GetPrivateProfileIntA
CreateDirectoryA
DeleteFileA
GetWindowsDirectoryA
SetEvent
GlobalLock
CompareStringW
lstrcmpA
FindNextFileW
lstrcpyA
CompareStringA
GetTempFileNameA
FindNextFileA
GetProcAddress
GetTimeZoneInformation
CreateEventA
GetFileType
TlsSetValue
CreateFileA
HeapAlloc
LeaveCriticalSection
GetLastError
DosDateTimeToFileTime
LCMapStringW
GetSystemInfo
lstrlenA
GlobalFree
GetConsoleCP
LCMapStringA
HeapReAlloc
GetEnvironmentStringsW
GlobalUnlock
IsDBCSLeadByte
GetModuleFileNameA
GetShortPathNameA
FindFirstChangeNotificationW
SizeofResource
GetCurrentProcessId
LockResource
SetFileTime
GetCurrentDirectoryA
HeapSize
GetCommandLineA
RaiseException
TlsFree
SetFilePointer
ReadFile
FindFirstFileA
lstrcpynA
GetACP
GetModuleHandleW
FreeResource
GetEnvironmentStrings
CreateProcessA
WideCharToMultiByte
IsValidCodePage
HeapCreate
VirtualFree
Sleep
FindResourceA
VirtualAlloc
ResetEvent
CharPrevA
EndDialog
ShowWindow
MessageBeep
SetWindowPos
SendDlgItemMessageA
GetWindowRect
DispatchMessageA
EnableWindow
SetDlgItemTextA
GetDlgItemTextA
MessageBoxA
PeekMessageA
SetWindowLongA
CharUpperA
LoadStringA
ReleaseDC
SetWindowTextA
GetWindowLongA
SendMessageA
GetDlgItem
wsprintfA
CharNextA
GetDesktopWindow
CallWindowProcA
GetDC
MsgWaitForMultipleObjects
SetForegroundWindow
ExitWindowsEx
DialogBoxIndirectParamA
GetFileVersionInfoSizeA
GetFileVersionInfoA
VerQueryValueA
Number of PE resources by type
RT_DIALOG 4
RT_MANIFEST 1
RT_MESSAGETABLE 1
RT_VERSION 1
Number of PE resources by language
NEUTRAL 5
DIVEHI DEFAULT 1
MALAY MALAYSIA 1
PE resources
ExifTool file metadata
LegalTrademarks
Alice

SubsystemVersion
5.0

LinkerVersion
9.0

ImageVersion
0.0

FileSubtype
0

FileVersionNumber
4.4.0.0

LanguageCode
English (U.S.)

FileFlagsMask
0x003f

FileDescription
Herd bee

CharacterSet
Windows, Latin1

InitializedDataSize
91136

FileOS
Windows 16-bit

EntryPoint
0x708f

MIMEType
application/octet-stream

LegalCopyright
Copyright (C) Alice 2002-2013

FileVersion
2.0.0.8

TimeStamp
2015:04:30 16:56:57+01:00

FileType
Win32 EXE

PEType
PE32

InternalName
Australia.exe

ProductVersion
3.0

UninitializedDataSize
0

OSVersion
5.0

OriginalFilename
Australia.exe

Subsystem
Windows GUI

MachineType
Intel 386 or later, and compatibles

CompanyName
Elephant combination - www.Alice.com

CodeSize
103936

ProductName
Alice

ProductVersionNumber
2.4.0.0

FileTypeExtension
exe

ObjectFileType
Executable application

PCAP parents
File identification
MD5 2addc61d0ff1e01daa88ff553ef84204
SHA1 cc2345a170c83b15f6afd4802ad609ed835e9907
SHA256 812e936091ffb33aa646adfad091486af01cc687c80973bb5314e4f820fbf179
ssdeep
3072:6fO1bzBNcxsz827OA/LSzAg0FuR7XVPRX7+baaaaaaa8BITCgC4h8bQ17:Z3N/82aA/2zAORTJgaaaaaaa8BI2g1hv

authentihash 332d10d116ada8868c5cf79242a5892f8f6ad7b71f3d7e63245184b1c504f5a1
imphash 25738b1c1a707c24d31370860a64e428
File size 191.5 KB ( 196096 bytes )
File type Win32 EXE
Magic literal
PE32 executable for MS Windows (GUI) Intel 80386 32-bit

TrID Win32 Executable (generic) (52.9%)
Generic Win/DOS Executable (23.5%)
DOS Executable Generic (23.4%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
Tags
peexe

VirusTotal metadata
First submission 2015-04-30 16:58:49 UTC ( 2 years ago )
Last submission 2015-05-02 18:53:36 UTC ( 2 years ago )
File names 107fjr49a.exe
107fjr48.exe
2015-04-30-Angler-EK-Payload5.exe
107fjr47.exe
107fjr49.exe
Advanced heuristic and reputation engines
Symantec reputation Suspicious.Insight
No comments. No VirusTotal Community member has commented on this item yet, be the first one to do so!

Leave your comment...

?
Post comment

You have not signed in. Only registered users can leave comments, sign in and have a voice!

No votes. No one has voted on this item yet, be the first one to do so!
Condensed report! The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.
Opened files
Read files
Created processes
Opened mutexes
Runtime DLLs
Additional details
The file sends control codes directly to certain device drivers making use of the DeviceIoControl Windows API function.
UDP communications