SHA256: 8cc4aa6ef7cb782fe390dee231a3bf456d5efd5823f8cd6b3b0a94c0d2302c3b
File name: 86fa75c6f6c7393054aaee16a76f0f26
Detection ratio: 27 / 54
Analysis date: 2014-10-16 19:22:41 UTC ( 4 years, 1 month ago )
Antivirus Result Update
Ad-Aware Gen:Variant.Symmi.33437 20141016
AhnLab-V3 Win-Trojan/MDA.140610 20141016
Avast Win32:Malware-gen 20141016
AVG Inject2.BAJC 20141016
Avira (no cloud) TR/Dropper.VB.19992 20141016
BitDefender Gen:Variant.Symmi.33437 20141016
Bkav HW32.Packed.9791 20141015
ByteHero Virus.Win32.Heur.p 20141016
CAT-QuickHeal TrojanPWS.Zeus.r3 20141016
CMC Heur.Win32.Veebee.1!O 20141016
Emsisoft Gen:Variant.Symmi.33437 (B) 20141016
ESET-NOD32 a variant of Win32/Injector.BNFF 20141016
F-Secure Gen:Variant.Symmi.33437 20141016
Fortinet W32/Zbot.ANI!tr 20141016
GData Gen:Variant.Symmi.33437 20141016
Kaspersky Trojan-Spy.Win32.Zbot.uipv 20141016
McAfee Generic-FAUW!86FA75C6F6C7 20141016
McAfee-GW-Edition BehavesLike.Win32.PWSZbot.hc 20141016
Microsoft PWS:Win32/Zbot 20141016
eScan Gen:Variant.Symmi.33437 20141016
Qihoo-360 Malware.QVM03.Gen 20141016
Rising PE:Malware.XPACK-HIE/Heur!1.9C48 20141016
Sophos AV Mal/VB-ANI 20141016
Symantec Trojan.Zbot 20141016
Tencent Win32.Trojan.Inject.Auto 20141016
TrendMicro TSPY_ZBOT.YYJS 20141016
TrendMicro-HouseCall TSPY_ZBOT.YYJS 20141016
AegisLab 20141016
Yandex 20141015
Antiy-AVL 20141016
AVware 20141016
Baidu-International 20141016
ClamAV 20141016
Comodo 20141016
Cyren 20141016
DrWeb 20141016
F-Prot 20141016
Ikarus 20141016
Jiangmin 20141015
K7AntiVirus 20141016
K7GW 20141016
Kingsoft 20141016
Malwarebytes 20141016
NANO-Antivirus 20141016
Norman 20141016
nProtect 20141016
SUPERAntiSpyware 20141016
TheHacker 20141013
TotalDefense 20141016
VBA32 20141016
VIPRE 20141016
ViRobot 20141016
Zillya 20141016
Zoner 20141014
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
FileVersionInfo properties
Publisher nLite
Product Nonbodin
Original name Anatidae.exe
Internal name Anatidae
File version 1.02.0009
Description Omnitude equia
Comments nLite
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2014-10-08 05:39:41
Entry Point 0x00001450
Number of sections 3
PE sections
PE imports
_adj_fdiv_m32
__vbaChkstk
Ord(546)
EVENT_SINK_Release
__vbaEnd
__vbaStrCmp
Ord(648)
_allmul
__vbaStrMove
_adj_fdivr_m64
_adj_fprem
Ord(617)
__vbaR4Var
_adj_fpatan
Ord(586)
EVENT_SINK_AddRef
__vbaVarForInit
_adj_fdiv_m32i
EVENT_SINK_QueryInterface
__vbaStrCopy
Ord(583)
__vbaExceptHandler
__vbaSetSystemError
__vbaFreeVarList
DllFunctionCall
__vbaFPException
_CIexp
__vbaStrVarMove
_adj_fdivr_m16i
__vbaUbound
Ord(563)
Ord(589)
Ord(100)
__vbaI2Var
_CItan
__vbaFreeVar
_adj_fprem1
__vbaFpI4
__vbaObjSetAddref
_adj_fdiv_r
__vbaAryConstruct2
Ord(536)
_adj_fdiv_m64
__vbaFreeObj
__vbaHresultCheckObj
_CIsqrt
_CIsin
__vbaR8Str
_CIlog
__vbaVarTstGt
Ord(532)
_CIcos
Ord(595)
Ord(587)
_adj_fptan
Ord(692)
__vbaVarDup
__vbaI4Var
Ord(667)
__vbaVarMove
__vbaErrorOverflow
_CIatan
__vbaI2I4
__vbaNew2
__vbaVarForNext
__vbaOnError
_adj_fdivr_m32i
Ord(631)
__vbaAryDestruct
Ord(577)
__vbaI2Cy
Ord(588)
_adj_fdivr_m32
__vbaStrCat
Ord(543)
__vbaFreeStrList
Ord(609)
Ord(598)
__vbaFreeStr
_adj_fdiv_m16i
Number of PE resources by type
RT_ICON 9
RT_VERSION 1
RT_GROUP_ICON 1
Number of PE resources by language
NEUTRAL 10
ENGLISH US 1
PE resources
ExifTool file metadata
UninitializedDataSize 0
Comments nLite
LinkerVersion 6.0
ImageVersion 1.2
FileSubtype 0
FileVersionNumber 1.2.0.9
LanguageCode English (U.S.)
FileFlagsMask 0x0000
CharacterSet Unicode
InitializedDataSize 245760
FileOS Win32
MIMEType application/octet-stream
FileVersion 1.02.0009
TimeStamp 2014:10:08 06:39:41+01:00
FileType Win32 EXE
PEType PE32
InternalName Anatidae
SubsystemVersion 4.0
FileAccessDate 2014:10:16 20:24:46+01:00
ProductVersion 1.02.0009
FileDescription Omnitude equia
OSVersion 4.0
FileCreateDate 2014:10:16 20:24:46+01:00
OriginalFilename Anatidae.exe
Subsystem Windows GUI
MachineType Intel 386 or later, and compatibles
CompanyName nLite
CodeSize 274432
ProductName Nonbodin
ProductVersionNumber 1.2.0.9
EntryPoint 0x1450
ObjectFileType Executable application
File identification
MD5 86fa75c6f6c7393054aaee16a76f0f26
SHA1 3c12cd7712737b27d47d360c6f0a354dcf486cbe
SHA256 8cc4aa6ef7cb782fe390dee231a3bf456d5efd5823f8cd6b3b0a94c0d2302c3b
ssdeep 6144:OzSxbf+CC1eNcHYLdk3x8pzJ2rAnfXNfXEXTUo/fryumpVyrJps5bAzO3zr1F:Oz4bGnATkAJnfXFEoufry/TsybAzO3zH

authentihash c4c70f0d8b54fd518b2fab9116ff88d618ad693eb57f1d9e4e548ba59d12da16
imphash af245aa3523c14a025faa0fd44dfc0c5
File size 509.0 KB ( 521216 bytes )
File type Win32 EXE
Magic literal PE32 executable for MS Windows (GUI) Intel 80386 32-bit

TrID Win32 Executable Microsoft Visual Basic 6 (90.5%)
Win32 Executable (generic) (4.9%)
Generic Win/DOS Executable (2.2%)
DOS Executable Generic (2.2%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
Tags
peexe

VirusTotal metadata
First submission 2014-10-16 19:22:41 UTC ( 4 years, 1 month ago )
Last submission 2014-10-16 19:22:41 UTC ( 4 years, 1 month ago )
File names 86fa75c6f6c7393054aaee16a76f0f26
8cc4aa6ef7cb782fe390dee231a3bf456d5efd5823f8cd6b3b0a94c0d2302c3b.exe
Anatidae.exe
Anatidae
Condensed report! The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.
Created processes
Terminated processes
Opened mutexes
Hooking activity
Runtime DLLs
Additional details
The file sends control codes directly to certain device drivers making use of the DeviceIoControl Windows API function.
The file installs an application-defined hook procedure into a hook chain. You would install a hook procedure to monitor the system for certain types of events. These events are associated either with a specific thread or with all threads in the same desktop as the calling thread. This is done making use of the SetWindowsHook Windows API function.