SHA256: 8add3ed5f52e068df9e81c2138bba3b9a0225747238fd0bc49274c2a2c47a78c
File name: 328_11_07_2016_15_34_40_inst.exe.malware.MRG
Detection ratio: 35 / 57
Analysis date: 2016-11-30 00:13:44 UTC ( 2 years, 4 months ago )
Antivirus Result Update
Ad-Aware Trojan.GenericKD.3783389 20161130
AegisLab Heur.Advml.Gen!c 20161129
ALYac Trojan.GenericKD.3783389 20161130
Arcabit Trojan.Generic.D39BADD 20161129
Avast Win32:Malware-gen 20161129
AVG Generic38.AAOD 20161129
Avira (no cloud) TR/Pennelas.nfhyz 20161129
Baidu Win32.Trojan.WisdomEyes.16070401.9500.9999 20161129
BitDefender Trojan.GenericKD.3783389 20161129
Bkav W32.eHeur.Malware03 20161129
CrowdStrike Falcon (ML) malicious_confidence_100% (W) 20161024
DrWeb Trojan.PWS.Papras.2166 20161129
Emsisoft Trojan.GenericKD.3783389 (B) 20161129
ESET-NOD32 Win32/PSW.Papras.EJ 20161129
F-Secure Trojan.GenericKD.3783389 20161129
GData Trojan.GenericKD.3783389 20161129
Ikarus Trojan.Win32.PSW 20161129
Sophos ML trojan.win32.skeeyah.a!rfn 20161128
K7AntiVirus Password-Stealer ( 004cfc431 ) 20161129
K7GW Password-Stealer ( 004cfc431 ) 20161129
Kaspersky Trojan.Win32.Bublik.etxt 20161129
Malwarebytes Spyware.PasswordStealer 20161129
McAfee Artemis!6239A5AAA8D2 20161129
McAfee-GW-Edition BehavesLike.Win32.VTFlooder.cc 20161129
Microsoft TrojanSpy:Win32/Skeeyah.A!rfn 20161129
eScan Trojan.GenericKD.3783389 20161129
Panda Trj/GdSda.A 20161129
Qihoo-360 HEUR/QVM20.1.796F.Malware.Gen 20161130
Rising Malware.Generic!OAw6WdigNPO@2 (thunder) 20161129
Sophos AV Mal/Generic-S 20161129
Symantec Trojan.Snifula.F 20161129
Tencent Win32.Trojan.Inject.Auto 20161130
TrendMicro TROJ_FRS.0NA003KT16 20161129
TrendMicro-HouseCall TROJ_FRS.0NA003KT16 20161129
ViRobot Trojan.Win32.Agent.199680.R[h] 20161129
AhnLab-V3 (no detection) 20161129
Alibaba (no detection) 20161129
Antiy-AVL (no detection) 20161129
AVware (no detection) 20161129
CAT-QuickHeal (no detection) 20161129
ClamAV (no detection) 20161129
CMC (no detection) 20161129
Comodo (no detection) 20161129
Cyren (no detection) 20161129
F-Prot (no detection) 20161129
Fortinet (no detection) 20161129
Jiangmin (no detection) 20161129
Kingsoft (no detection) 20161130
NANO-Antivirus (no detection) 20161129
nProtect (no detection) 20161129
SUPERAntiSpyware (no detection) 20161129
TheHacker (no detection) 20161126
TotalDefense (no detection) 20161129
Trustlook (no detection) 20161130
VBA32 (no detection) 20161129
VIPRE (no detection) 20161129
WhiteArmor (no detection) 20161125
Yandex (no detection) 20161128
Zillya (no detection) 20161129
Zoner (no detection) 20161129
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2014-06-06 23:30:20
Entry Point 0x00006A26
Number of sections 7
PE sections
PE imports
ADVAPI32.dll
GetSidSubAuthorityCount
InitiateSystemShutdownA
CryptReleaseContext
ConvertStringSidToSidW
CreateWellKnownSid
CryptAcquireContextA
AreAllAccessesGranted
CryptDuplicateHash
CredFree
GetSidLengthRequired
CredMarshalCredentialA
CryptDestroyHash
CryptCreateHash
GDI32.dll
GetStockObject
IMM32.dll
ImmShowSoftKeyboard
ImmGetIMCCSize
ImmGetHotKey
ImmGetConversionStatus
ImmNotifyIME
ImmGetCandidateListCountW
ImmDestroyIMCC
ImmGetIMEFileNameA
ImmGetImeMenuItemsA
ImmGetIMCLockCount
ImmSetCompositionStringA
ImmGetIMEFileNameW
ImmGetStatusWindowPos
ImmSimulateHotKey
ImmGetCandidateListCountA
ImmGetDescriptionA
ImmEscapeW
ImmIsIME
ImmEnumInputContext
ImmSetCompositionStringW
ImmCreateSoftKeyboard
ImmGetCompositionStringA
ImmAssociateContextEx
ImmReSizeIMCC
ImmEscapeA
ImmGenerateMessage
ImmGetProperty
ImmUnlockIMC
ImmGetCompositionStringW
ImmLockIMCC
ImmRequestMessageW
ImmGetCompositionWindow
ImmGetVirtualKey
ImmEnumRegisterWordW
ImmGetGuideLineA
ImmSetHotKey
ImmRequestMessageA
ImmGetRegisterWordStyleW
ImmSetCandidateWindow
ImmLockIMC
ImmRegisterWordA
ImmGetContext
ImmUnlockIMCC
ImmDestroySoftKeyboard
ImmSetCompositionFontW
ImmSetCompositionWindow
ImmDestroyContext
ImmIsUIMessageW
ImmConfigureIMEW
ImmCreateContext
ImmGetConversionListW
ImmSetStatusWindowPos
ImmDisableIME
ImmUnregisterWordA
ImmAssociateContext
KERNEL32.dll
CreateToolhelp32Snapshot
GetUserDefaultUILanguage
GetLastError
CreateJobObjectA
GlobalFree
GetExitCodeThread
CreateJobObjectW
GetProcessTimes
IsBadWritePtr
VirtualProtect
IsDBCSLeadByte
LockFile
SetThreadIdealProcessor
CreateRemoteThread
UnlockFile
SetThreadPriority
LocalAlloc
OpenProcess
GetVolumeInformationW
ActivateActCtx
SetProcessPriorityBoost
GetWindowsDirectoryA
ClearCommBreak
MultiByteToWideChar
CloseHandle
GetFileType
GetTimeFormatW
GetSystemDirectoryW
SetFilePointer
IsSystemResumeAutomatic
ReadFile
GlobalFlags
WriteFile
MulDiv
IsProcessorFeaturePresent
GetDateFormatA
DeleteVolumeMountPointA
GlobalAlloc
LocalFree
MoveFileA
GlobalMemoryStatus
GetLongPathNameW
GetCurrencyFormatA
ConvertDefaultLocale
CreateFileW
GetNumberFormatW
CopyFileA
MoveFileW
GetVersion
GetCurrencyFormatW
GetModuleHandleA
DisableThreadLibraryCalls
MSASN1.dll
ASN1BEREncEoid
ASN1BERDecUTCTime
ASN1intx2int32
ASN1BEREncZeroMultibyteString
ASN1BERDecCheck
ASN1DecSetError
ASN1char32string_free
ASN1EncSetError
ASN1BEREncU32
ASN1intxisuint32
ASN1BEREncDouble
ASN1_Encode
ASN1char16string_cmp
ASN1octetstring_cmp
ASN1BERDecSXVal
ASN1utctime_cmp
ASN1BERDecExplicitTag
ASN1objectidentifier_free
ASN1generalizedtime_cmp
ASN1BERDecObjectIdentifier
ASN1intx_free
ASN1CEREncOctetString
ASN1_CreateDecoderEx
ASN1BERDecS8Val
ASN1BERDecDouble
ASN1BEREncBitString
ASN1BEREncChar32String
ASN1ztchar16string_cmp
ASN1_CloseDecoder
ASN1BERDecUTF8String
ASN1BEREncGeneralizedTime
USER32.dll
GetForegroundWindow
GetCursorInfo
IntersectRect
LoadMenuA
GetCapture
GetClipboardOwner
LoadMenuW
GetClassNameA
GetLastInputInfo
GetWindowRect
MoveWindow
LoadIconW
GetFocus
GetMenuDefaultItem
GetLastActivePopup
GetMenu
GetClassLongW
RegisterClassW
AnyPopup
GetWindow
GetSubMenu
FindWindowExA
LoadCursorA
LoadIconA
GetTopWindow
CopyRect
GetDesktopWindow
GetDialogBaseUnits
IsMenu
GetWindowTextLengthW
GetMenuContextHelpId
ExifTool file metadata
MIMEType application/octet-stream
Subsystem Windows GUI
MachineType Intel 386 or later, and compatibles
TimeStamp 2014:06:07 00:30:20+01:00
FileType Win32 EXE
PEType PE32
CodeSize 29184
LinkerVersion 12.0
FileTypeExtension exe
InitializedDataSize 169472
SubsystemVersion 5.0
EntryPoint 0x6a26
OSVersion 5.0
ImageVersion 0.0
UninitializedDataSize 0

CarbonBlack (CarbonBlack acts as a surveillance camera for computers)
While monitoring an end-user machine in the wild, CarbonBlack observed the following running processes writing this sample to disk.
File identification
MD5 6239a5aaa8d2ad5df942e719eabe5447
SHA1 a58cc39df6c57a9402b728657c7b477b1a5b4e1b
SHA256 8add3ed5f52e068df9e81c2138bba3b9a0225747238fd0bc49274c2a2c47a78c
ssdeep 3072:Rn0e8ziuk16r9k6wMxrW8L+V9xcDI2kLKkPp7WiZqh5KO0ukl:VlU9krIrWEGTQkPVWiZqWSkl
authentihash a2f7236b18da092d292c24194607a560c7026e7b85c9ecec0665b68842f32fa9
imphash 8a3d4972b91291f7de379f9929863eb4
File size 195.0 KB ( 199680 bytes )
File type Win32 EXE
Magic literal PE32 executable for MS Windows (GUI) Intel 80386 32-bit
TrID Win32 Executable MS Visual C++ (generic) (53.5%)
DOS Borland compiled Executable (generic) (17.1%)
Win32 Dynamic Link Library (generic) (11.2%)
Win32 Executable (generic) (7.7%)
OS/2 Executable (generic) (3.4%)
Tags peexe

VirusTotal metadata
First submission 2016-11-28 15:16:42 UTC ( 2 years, 4 months ago )
Last submission 2018-01-25 18:20:33 UTC ( 1 year, 2 months ago )
File names
inst.exe
FayxOdbaq.exe
BahDugz.exe.hidethis
oZA7R_.dll
vaxsurqos.exe
BN4.tmp
output.104568084.txt
VirusShare_6239a5aaa8d2ad5df942e719eabe5447
LingUzda.exe
aa
8add3ed5f52e068df9e81c2138bba3b9a0225747238fd0bc49274c2a2c47a78c
BN4.exe
328_11_07_2016_15_34_40_inst.exe.malware.MRG
VOGPAH.EXE
Advanced heuristic and reputation engines
TrendMicro-HouseCall
TrendMicro's heuristic engine has flagged this file as: Suspicious_GEN.F47V1129.
Condensed report! The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.
Opened files
Read files
Written files
Copied files
Moved files
Code injections in the following processes
Created mutexes
Runtime DLLs
UDP communications