SHA256: 8ec26b0dcb93e17a4c0ed79a88b520dc411ce75254f9fd1f9dc22cd1a385589e
File name: Extramor
Detection ratio: 41 / 62
Analysis date: 2017-04-30 01:51:10 UTC ( 1 year, 9 months ago )
Antivirus Result Update
Ad-Aware Gen:Variant.Symmi.50586 20170430
AhnLab-V3 Trojan/Win32.ZBot.R131038 20170429
ALYac Gen:Variant.Symmi.50586 20170429
Antiy-AVL Trojan[Backdoor]/Win32.NetWiredRC.gd 20170429
Arcabit Trojan.Symmi.DC59A 20170430
Avast Win32:Agent-AUKV [Trj] 20170430
AVG Inject2.BHBP 20170430
Avira (no cloud) BDS/NetWiredRC.263313 20170429
AVware Trojan.Win32.Generic!BT 20170430
Baidu Win32.Trojan.WisdomEyes.16070401.9500.9999 20170428
BitDefender Gen:Variant.Symmi.50586 20170430
CAT-QuickHeal VirTool.VBInject.LE3 20170429
CrowdStrike Falcon (ML) malicious_confidence_100% (D) 20170130
Cyren W32/Injector.HJ.gen!Eldorado 20170429
Emsisoft Gen:Variant.Symmi.50586 (B) 20170430
Endgame malicious (moderate confidence) 20170419
ESET-NOD32 a variant of Win32/Injector.BQTK 20170429
F-Prot W32/Injector.HJ.gen!Eldorado 20170429
F-Secure Gen:Variant.Symmi.50586 20170429
Fortinet W32/Injector.BQPX!tr 20170430
GData Gen:Variant.Symmi.50586 20170429
Ikarus Trojan-Spy.Win32.Zbot 20170429
Sophos ML virus.win32.parite.b 20170413
K7AntiVirus Trojan ( 004b20021 ) 20170429
K7GW Trojan ( 004b20021 ) 20170426
Kaspersky Backdoor.Win32.NetWiredRC.gd 20170429
McAfee Generic-FAVL!39E80644D53C 20170429
McAfee-GW-Edition Generic-FAVL!39E80644D53C 20170429
Microsoft PWS:Win32/Zbot!CI 20170430
eScan Gen:Variant.Symmi.50586 20170430
NANO-Antivirus Trojan.Win32.NetWiredRC.djymyh 20170430
Panda Trj/Genetic.gen 20170429
Qihoo-360 HEUR/QVM03.0.Malware.Gen 20170430
Rising Trojan.Generic (cloud:7G0OvSEUWkI) 20170430
SentinelOne (Static ML) static engine - malicious 20170330
Sophos AV Troj/VBInj-MJ 20170430
Symantec Infostealer.Banker.C 20170429
Tencent Win32.Backdoor.Netwiredrc.Lnoq 20170430
VIPRE Trojan.Win32.Generic!BT 20170430
Yandex Backdoor.NetWiredRC!Cn0C8xBqXJc 20170428
ZoneAlarm by Check Point Backdoor.Win32.NetWiredRC.gd 20170430
AegisLab 20170430
Alibaba 20170428
Bkav 20170428
ClamAV 20170429
CMC 20170427
Comodo 20170429
DrWeb 20170429
Jiangmin 20170428
Kingsoft 20170430
Malwarebytes 20170429
nProtect 20170430
Palo Alto Networks (Known Signatures) 20170430
SUPERAntiSpyware 20170429
Symantec Mobile Insight 20170428
TheHacker 20170429
TotalDefense 20170426
TrendMicro 20170430
TrendMicro-HouseCall 20170430
Trustlook 20170430
VBA32 20170429
ViRobot 20170429
Webroot 20170430
WhiteArmor 20170409
Zillya 20170428
Zoner 20170430
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
FileVersionInfo properties
Product Dispensa
Original name Extramor.exe
Internal name Extramor
File version 1.04.0007
Description Autoplag super
Comments ® Psycotrack 2014
Signature verification The digital signature of the object did not verify.
Signing date 2:51 AM 4/30/2017
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2014-12-05 14:47:08
Entry Point 0x00001464
Number of sections 3
PE sections
Overlays
MD5 087077fba349625d405c9b072d3ea6e4
File type data
Offset 253952
Size 9361
Entropy 7.50
PE imports
_adj_fdivr_m64
Ord(546)
_allmul
_adj_fprem
Ord(558)
Ord(714)
Ord(673)
__vbaRedim
_adj_fdiv_r
__vbaChkstk
__vbaObjSetAddref
Ord(517)
__vbaHresultCheckObj
__vbaI2Var
__vbaR8Str
_CIlog
Ord(595)
_adj_fptan
__vbaFileClose
__vbaI4Var
__vbaFreeStr
Ord(588)
__vbaFreeStrList
_adj_fdiv_m16i
EVENT_SINK_QueryInterface
Ord(689)
Ord(648)
Ord(617)
Ord(553)
_adj_fdiv_m32i
Ord(717)
__vbaExceptHandler
__vbaSetSystemError
DllFunctionCall
__vbaDerefAry1
__vbaFreeVar
__vbaLbound
__vbaFileOpen
Ord(571)
__vbaAryLock
EVENT_SINK_Release
Ord(610)
_adj_fdivr_m32i
__vbaStrCat
__vbaVarDup
_adj_fdiv_m32
__vbaAryUnlock
__vbaFreeObjList
__vbaFreeVarList
__vbaStrVarMove
__vbaFreeObj
_adj_fdivr_m32
__vbaVarIdiv
_CIcos
__vbaDateVar
Ord(628)
__vbaVarMove
__vbaErrorOverflow
__vbaNew2
__vbaAryDestruct
__vbaStrMove
_adj_fprem1
_adj_fdiv_m64
Ord(543)
Ord(563)
__vbaWriteFile
Ord(512)
__vbaEnd
Ord(685)
_adj_fpatan
EVENT_SINK_AddRef
__vbaStrCopy
__vbaFPException
_adj_fdivr_m16i
Ord(100)
_CIsin
_CIsqrt
Ord(614)
_CIatan
Ord(692)
__vbaR8Var
__vbaObjSet
_CIexp
_CItan
__vbaFpI4
Ord(598)
Number of PE resources by type
RT_ICON 4
RT_VERSION 1
RT_GROUP_ICON 1
Number of PE resources by language
NEUTRAL 5
ENGLISH US 1
PE resources
ExifTool file metadata
UninitializedDataSize 0
Comments Psycotrack 2014
LinkerVersion 6.0
ImageVersion 1.4
FileSubtype 0
FileVersionNumber 1.4.0.7
LanguageCode English (U.S.)
FileFlagsMask 0x0000
CharacterSet Unicode
InitializedDataSize 16384
EntryPoint 0x1464
OriginalFileName Extramor.exe
MIMEType application/octet-stream
FileVersion 1.04.0007
TimeStamp 2014:12:05 15:47:08+01:00
FileType Win32 EXE
PEType PE32
InternalName Extramor
SubsystemVersion 4.0
ProductVersion 1.04.0007
FileDescription Autoplag super
OSVersion 4.0
FileOS Win32
Subsystem Windows GUI
MachineType Intel 386 or later, and compatibles
CompanyName TeraByte Unlimited
CodeSize 237568
ProductName Dispensa
ProductVersionNumber 1.4.0.7
FileTypeExtension exe
ObjectFileType Executable application

File identification
MD5 39e80644d53c68c84f21b98f6e556afa
SHA1 31d5c1514476b19d822239416cac4c0c949e7277
SHA256 8ec26b0dcb93e17a4c0ed79a88b520dc411ce75254f9fd1f9dc22cd1a385589e
ssdeep 3072:1TjvcUPBmn8pDn0ujMVn1/FgSKeLTS3MIvgfYaYDqrIwcDfenFICSGoQQxW19cou:pgU5Y+BmizmTS3MIvgpytwi73x1k9QLZ

authentihash 69445d7fa47bb1c243c684354945f22a9975c7ee23169c827bb4a2613ae39d96
imphash b140287ab98feb10fbf3c615e4e1ccdb
File size 257.1 KB ( 263313 bytes )
File type Win32 EXE
Magic literal PE32 executable for MS Windows (GUI) Intel 80386 32-bit

TrID Win32 Executable Microsoft Visual Basic 6 (90.6%)
Win32 Executable (generic) (4.9%)
Generic Win/DOS Executable (2.2%)
DOS Executable Generic (2.2%)
Tags peexe overlay

VirusTotal metadata
First submission 2014-12-06 04:09:05 UTC ( 4 years, 2 months ago )
Last submission 2014-12-06 04:09:05 UTC ( 4 years, 2 months ago )
File names Extramor
Payment_Copy_pdf..exe
Extramor.exe
Condensed report! The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.
Created processes
Terminated processes
Opened mutexes
Hooking activity
Runtime DLLs
Additional details
The file sends control codes directly to certain device drivers making use of the DeviceIoControl Windows API function.
The file installs an application-defined hook procedure into a hook chain. You would install a hook procedure to monitor the system for certain types of events. These events are associated either with a specific thread or with all threads in the same desktop as the calling thread. This is done making use of the SetWindowsHook Windows API function.