SHA256: 82e6d0f100bcc4b126765a03b245fe7a9c75548946053e1ef644706351f3f838
File name: PAYMENT_RECEIPT.exe
Detection ratio: 31 / 46
Analysis date: 2013-04-25 14:12:58 UTC ( 11 months, 4 weeks ago )
Antivirus | Result | Update
AVG | Generic32.CAJJ | 20130425
AhnLab-V3 | Trojan/Win32.Zbot | 20130424
AntiVir | TR/Spy.ZBot.kulh | 20130425
Avast | Win32:Malware-gen | 20130425
BitDefender | Trojan.GenericKD.962648 | 20130425
Commtouch | W32/Trojan.JGKP-7971 | 20130425
Comodo | TrojWare.Win32.Trojan.Agent.Gen | 20130425
DrWeb | Trojan.PWS.Panda.3734 | 20130425
ESET-NOD32 | Win32/Spy.Zbot.AAU | 20130425
Emsisoft | Trojan.Win32.Zbot (A) | 20130425
F-Prot | W32/Trojan3.CDP | 20130425
F-Secure | Trojan.GenericKD.962648 | 20130425
Fortinet | W32/Zbot.KULH!tr | 20130425
GData | Trojan.GenericKD.962648 | 20130425
Ikarus | Trojan-PWS.Tepfer | 20130425
K7AntiVirus | Spyware | 20130425
K7GW | Backdoor | 20130425
Kaspersky | Trojan-Spy.Win32.Zbot.kulh | 20130425
Kingsoft | Win32.Troj.Zbot.ku.(kcloud) | 20130422
Malwarebytes | Trojan.ModifiedUPX | 20130425
McAfee | RDN/PWS-Zbot.apr!d | 20130425
McAfee-GW-Edition | Artemis!C671D0896A24 | 20130425
MicroWorld-eScan | Trojan.GenericKD.962648 | 20130425
Norman | Troj_Generic.KPEXX | 20130425
PCTools | Trojan.Zbot | 20130425
Sophos | Troj/Zbot-ETG | 20130425
Symantec | Trojan.Zbot | 20130425
TrendMicro | TSPY_ZBOT.AKO | 20130425
TrendMicro-HouseCall | TROJ_GEN.F47V0424 | 20130425
VIPRE | Trojan.Win32.Generic!BT | 20130425
nProtect | Trojan.GenericKD.962648 | 20130425
Agnitum | | 20130424
Antiy-AVL | | 20130425
ByteHero | | 20130424
CAT-QuickHeal | | 20130425
ClamAV | | 20130425
Jiangmin | | 20130425
Microsoft | | 20130425
NANO-Antivirus | | 20130424
Panda | | 20130425
SUPERAntiSpyware | | 20130425
TheHacker | | 20130424
TotalDefense | | 20130425
VBA32 | | 20130425
ViRobot | | 20130425
eSafe | | 20130423
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
Authenticode signature block
Copyright
© 2000 Cudysuh Gafapo. Oqyj Tumi Ylam.

Product Akusete
Original name Mnvw57ch.exe
Internal name Otowa
Description Tidan Yditaz Mefyjyb
Packers identified
PEiD UPX 2.93 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2011-02-18 20:33:32
Entry Point 0x000C56F0
Number of sections 3
PE sections
PE imports
VirtualFree
ExitProcess
VirtualProtect
LoadLibraryA
VirtualAlloc
GetProcAddress
ShellExecuteW
DrawIcon
AddPrintProcessorA
Number of PE resources by type
RT_DIALOG 14
RT_ACCELERATOR 11
RT_STRING 3
RT_ICON 2
RT_MANIFEST 1
RT_VERSION 1
RT_GROUP_ICON 1
Number of PE resources by language
FAEROESE DEFAULT 33
ExifTool file metadata
UninitializedDataSize 585728
LinkerVersion 4.0
ImageVersion 0.0
FileSubtype 0
FileVersionNumber 2.8.0.0
LanguageCode English (U.S.)
FileFlagsMask 0x003f
FileDescription Tidan Yditaz Mefyjyb
CharacterSet Unicode
InitializedDataSize 12288
FileOS Windows NT 32-bit
ObjectFileType Executable application
MIMEType application/octet-stream
LegalCopyright 2000 Cudysuh Gafapo. Oqyj Tumi Ylam.
TimeStamp 2011:02:18 21:33:32+01:00
FileType Win32 EXE
PEType PE32
InternalName Otowa
FileAccessDate 2013:04:30 01:23:15+01:00
SubsystemVersion 4.0
OSVersion 4.0
FileCreateDate 2013:04:30 01:23:15+01:00
ProductVersionNumber 2.8.0.0
OriginalFilename Mnvw57ch.exe
Subsystem Windows GUI
MachineType Intel 386 or later, and compatibles
CodeSize 225280
ProductName Akusete
EntryPoint 0xc56f0
Compressed bundles
File identification
MD5 c671d0896a2412b42e1abad4be9d43a8
SHA1 c4a739bd51a0364fba0c51b55482f14f41fbfabc
SHA256 82e6d0f100bcc4b126765a03b245fe7a9c75548946053e1ef644706351f3f838
ssdeep 6144:xLjYF5VhF3w5eO1QJZuZ7/+6k1iIm3DT5qZ3YeTE7o2Jeom:ljYF5VhGr1QJsz+n4xqhY6Yeom
File size 228.0 KB ( 233472 bytes )
File type Win32 EXE
Magic literal PE32 executable for MS Windows (GUI) Intel 80386 32-bit

TrID Win32 Dynamic Link Library (generic) (43.5%)
Win32 Executable (generic) (29.8%)
Generic Win/DOS Executable (13.2%)
DOS Executable Generic (13.2%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
Tags
peexe upx

VirusTotal metadata
First submission 2013-04-24 13:22:46 UTC ( 11 months, 4 weeks ago )
Last submission 2013-06-08 14:59:04 UTC ( 10 months, 2 weeks ago )
File names file-5421776_exe
PAYMENT RECEIPT 24-04-2013-GBK-75.exe
Mnvw57ch.exe
c671d0896a2412b42e1abad4be9d43a8
Otowa
PAYMENT_RECEIPT.exe
c671d0896a2412b42e1abad4be9d43a8.virus
Advanced heuristic and reputation engines
ClamAV PUA
Possibly Unwanted Application. While not necessarily malicious, the scanned file presents certain characteristics which depending on the user policies and environment may or may not represent a threat. For full details see: http://www.clamav.net/index.php?s=pua&lang=en .

Symantec reputation Suspicious.Insight
Condensed report! The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.
Opened files
Read files
Written files
Copied files
Moved files
Deleted files
Set keys
Deleted keys
Created processes
Code injections in the following processes
Created mutexes
Opened mutexes
Runtime DLLs
Additional details
The file sends control codes directly to certain device drivers making use of the DeviceIoControl Windows API function.
UDP communications