SHA256: 8f2e005588030c7bad4d3d7cfbec0fff8da6df90e0abc101e7b2b5e9c118ce62
File name: read.php
Detection ratio: 8 / 56
Analysis date: 2017-01-17 09:41:30 UTC ( 2 years, 3 months ago )
Antivirus | Result | Engine update
Avira (no cloud) | TR/Crypt.ZPACK.Gen2 | 20170117
Baidu | Win32.Trojan.WisdomEyes.16070401.9500.9999 | 20170117
CrowdStrike Falcon (ML) | malicious_confidence_100% (D) | 20161024
Fortinet | W32/Kryptik.FMZC!tr | 20170117
Sophos ML | worm.win32.gamarue.f | 20170111
Qihoo-360 | HEUR/QVM08.0.0000.Malware.Gen | 20170117
Rising | Malware.XPACK-HIE/Heur!1.9C48 (classic) | 20170117
Symantec | ML.Attribute.VeryHighConfidence [Heur.AdvML.B] | 20170116
Ad-Aware | (undetected) | 20170117
AegisLab | (undetected) | 20170117
AhnLab-V3 | (undetected) | 20170117
Alibaba | (undetected) | 20170117
ALYac | (undetected) | 20170117
Antiy-AVL | (undetected) | 20170117
Arcabit | (undetected) | 20170117
Avast | (undetected) | 20170117
AVG | (undetected) | 20170117
AVware | (undetected) | 20170117
BitDefender | (undetected) | 20170117
CAT-QuickHeal | (undetected) | 20170117
ClamAV | (undetected) | 20170117
CMC | (undetected) | 20170117
Comodo | (undetected) | 20170117
Cyren | (undetected) | 20170117
DrWeb | (undetected) | 20170117
Emsisoft | (undetected) | 20170117
ESET-NOD32 | (undetected) | 20170117
F-Prot | (undetected) | 20170117
F-Secure | (undetected) | 20170117
GData | (undetected) | 20170117
Ikarus | (undetected) | 20170117
Jiangmin | (undetected) | 20170117
K7AntiVirus | (undetected) | 20170117
K7GW | (undetected) | 20170117
Kaspersky | (undetected) | 20170117
Kingsoft | (undetected) | 20170117
Malwarebytes | (undetected) | 20170117
McAfee | (undetected) | 20170108
McAfee-GW-Edition | (undetected) | 20170117
Microsoft | (undetected) | 20170117
eScan | (undetected) | 20170117
NANO-Antivirus | (undetected) | 20170117
nProtect | (undetected) | 20170117
Panda | (undetected) | 20170116
Sophos AV | (undetected) | 20170117
SUPERAntiSpyware | (undetected) | 20170117
Tencent | (undetected) | 20170117
TheHacker | (undetected) | 20170117
TotalDefense | (undetected) | 20170117
TrendMicro | (undetected) | 20170117
TrendMicro-HouseCall | (undetected) | 20170117
Trustlook | (undetected) | 20170117
VBA32 | (undetected) | 20170116
VIPRE | (undetected) | 20170117
ViRobot | (undetected) | 20170117
WhiteArmor | (undetected) | 20170117
Yandex | (undetected) | 20170116
Zillya | (undetected) | 20170116
Zoner | (undetected) | 20170117
Results reflect each engine's signatures as of the listed update date at the time of the 2017-01-17 scan; they are not current verdicts. Seven of the eight hits are generic packer/crypter or heuristic names (Crypt.ZPACK, Kryptik, XPACK, HEUR, WisdomEyes, two ML classifiers). Only Sophos ML names a family (Gamarue), and a machine-learning label is the classifier's nearest match, not a confirmed family attribution.
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
FileVersionInfo properties
Copyright: ©Iendoilo ewfaniretoykge egenejanalt
Product: KEHEHECUI
Original name: kehehecui.exe
Internal name: KEHEHECUI.EXE
File version: 2.8.0.3
The copyright and company strings are not a vendor name but pronounceable filler, and the product name matches the original file name; a generated version resource of this kind is a common trait of crypter-wrapped binaries rather than evidence of a specific family.
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2015-01-16 14:16:08
Entry Point 0x0005D279
Number of sections 4
PE sections
Overlays
MD5: 3b6871bf59b5ee375799e25839ac4857
File type: data
Offset: 417792
Size: 628
Entropy: 7.64
Offset plus size (417792 + 628) equals the reported file size of 418420 bytes, so the overlay is exactly the trailing 628 bytes appended after the last section's raw data. An entropy of 7.64 bits per byte over so short a blob points to compressed or encrypted data (a config block or key material are the usual candidates) rather than text, a resource or an Authenticode certificate table, which would be far larger and which the report does not list.
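The overlay numbers above can be reproduced from the section table alone: the overlay starts where the highest PointerToRawData + SizeOfRawData ends, and its entropy is computed over the remaining bytes. The following is an added example, not code from VirusTotal or from the sample; it assembles a minimal synthetic PE32 in memory (constructed here for offline use, not the reported file) so the check can be run without any external input. Field offsets used are the documented PE layout.

```python
"""Overlay detection and entropy measurement for a PE file.

Added example; not taken from the VirusTotal report. The minimal PE image
built by build_minimal_pe() is synthetic (assumption: a structurally valid
but non-runnable image is enough to exercise the parser).
"""
import math
import struct


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniform random bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def overlay_offset(image: bytes) -> int:
    """Return the file offset where the overlay begins (== len(image) if none).

    e_lfanew sits at 0x3C; NumberOfSections at PE+6; SizeOfOptionalHeader at
    PE+20; section headers (40 bytes each) follow the optional header, with
    SizeOfRawData at +16 and PointerToRawData at +20 inside each header.
    """
    if image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    pe = struct.unpack_from("<I", image, 0x3C)[0]
    if image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    nsec = struct.unpack_from("<H", image, pe + 6)[0]
    opt_size = struct.unpack_from("<H", image, pe + 20)[0]
    table = pe + 24 + opt_size
    end = table + nsec * 40  # the headers themselves are file content too
    for i in range(nsec):
        raw_size, raw_ptr = struct.unpack_from("<II", image, table + i * 40 + 16)
        end = max(end, raw_ptr + raw_size)
    return end


def describe_overlay(image: bytes) -> dict:
    """The three numbers a report shows for an overlay: offset, size, entropy."""
    off = overlay_offset(image)
    blob = image[off:]
    return {"offset": off, "size": len(blob), "entropy": round(shannon_entropy(blob), 2)}


def build_minimal_pe(sections, overlay: bytes = b"") -> bytes:
    """Assemble a structurally valid PE32 (synthetic, not runnable) whose
    section bodies sit at 0x200-aligned file offsets, then append `overlay`."""
    file_align = 0x200
    opt_size = 0xE0          # PE32 optional header size
    pe_off = 0x80
    hdr_end = pe_off + 24 + opt_size + 40 * len(sections)
    first_ptr = (hdr_end + file_align - 1) // file_align * file_align
    ptr, sec_hdrs, bodies = first_ptr, b"", b""
    for i, body in enumerate(sections):
        raw = (len(body) + file_align - 1) // file_align * file_align
        sec_hdrs += struct.pack("<8sIIIIIIHHI", (".s%d" % i).encode(), len(body),
                                0x1000 * (i + 1), raw, ptr, 0, 0, 0, 0, 0x60000020)
        bodies += body.ljust(raw, b"\0")
        ptr += raw
    dos = (b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", pe_off)).ljust(pe_off, b"\0")
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = struct.pack("<H", 0x10B).ljust(opt_size, b"\0")
    headers = (dos + b"PE\0\0" + coff + opt + sec_hdrs).ljust(first_ptr, b"\0")
    return headers + bodies + overlay


if __name__ == "__main__":
    # Constructed sample: two sections plus a 512-byte overlay that cycles
    # through every byte value twice, i.e. maximal entropy.
    img = build_minimal_pe([b"\x90" * 100, b"text section"], bytes(range(256)) * 2)
    print(describe_overlay(img))
```

Run against a real file with `describe_overlay(open(path, "rb").read())`; if the reported offset and size do not add up to the file length the way they do in this report, either the report truncated the file or the section table is malformed, and both are worth a closer look.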
PE imports (function names as listed by the report; the exporting module for each is not shown in this copy)
JetTerm
JetCommitTransaction
JetMove
JetMakeKey
ImmSetConversionStatus
ImmSetCompositionFontW
ImmEscapeW
ImmGetConversionStatus
ImmGetCompositionStringW
SetThreadLocale
GetStdHandle
HeapDestroy
GetFileAttributesW
FreeEnvironmentStringsA
DeleteCriticalSection
GetLocaleInfoA
GetConsoleCursorInfo
FreeEnvironmentStringsW
GetCPInfo
GetStringTypeA
GetTempPathW
HeapReAlloc
GetStringTypeW
ConnectNamedPipe
LocalFree
GetProfileIntW
AddVectoredExceptionHandler
InitializeCriticalSection
TlsGetValue
SetLastError
GetSystemTime
GlobalFindAtomW
WriteProcessMemory
GetModuleFileNameW
HeapAlloc
GetModuleFileNameA
FillConsoleOutputCharacterW
UnhandledExceptionFilter
OpenWaitableTimerW
MultiByteToWideChar
FoldStringW
_lclose
VirtualQuery
GetCurrentThreadId
GetSystemWow64DirectoryW
HeapFree
EnterCriticalSection
SetHandleCount
FindVolumeClose
GetOEMCP
TlsAlloc
VirtualProtect
GetVersionExA
LoadLibraryA
RtlUnwind
Process32Next
CreateRemoteThread
GetStartupInfoA
GetFileSize
GetGeoInfoW
GetStartupInfoW
ReadProcessMemory
GetUserDefaultLCID
FindNextFileW
lstrcmpW
GetProcAddress
GetFileType
TlsSetValue
ExitProcess
LeaveCriticalSection
GetLastError
AttachConsole
LCMapStringW
GetSystemInfo
GetConsoleCP
LCMapStringA
GetProcessTimes
GetThreadLocale
GetEnvironmentStringsW
CancelWaitableTimer
GetEnvironmentStrings
CompareFileTime
VirtualFreeEx
CreateIoCompletionPort
GetCommandLineW
WideCharToMultiByte
QueryActCtxW
GetCommandLineA
MapViewOfFile
TlsFree
GetModuleHandleA
RtlCaptureContext
GetACP
GetModuleHandleW
GetCurrentDirectoryW
HeapCreate
WriteFile
VirtualFree
IsBadCodePtr
OpenSemaphoreW
VirtualAlloc
CallNtPowerInformation
CreateURLMoniker
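Two things stand out in that list for a 400 KB GUI executable. First, it carries most of the remote-injection set (WriteProcessMemory, ReadProcessMemory, CreateRemoteThread, VirtualFreeEx, Process32Next) alongside local staging primitives (VirtualAlloc, VirtualProtect, MapViewOfFile) but not OpenProcess or VirtualAllocEx; with LoadLibraryA and GetProcAddress present, the missing pieces are easily resolved at run time, so the static table is a lower bound on capability. Second, the Jet*, Imm*, GetGeoInfoW, CallNtPowerInformation, CreateURLMoniker and FindVolumeClose imports have no obvious relation to each other or to a small GUI program; this padding pattern is my inference from the list, consistent with the generic packer names the engines returned. The following added example (not code from the report) runs that triage over a constructed subset of the import names above; the capability clusters are my own working groupings, not an authoritative taxonomy.

```python
"""Capability triage over a PE import list.

Added example; not from the VirusTotal report. CLUSTERS and UNUSUAL_PREFIXES
are the author's working heuristics (assumption: adequate for triage, not an
authoritative API taxonomy). SAMPLE_IMPORTS is a hand-copied subset of the
names shown in the report.
"""

CLUSTERS = {
    # write into and execute inside a foreign process
    "remote_injection": {
        "OpenProcess", "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread",
        "ReadProcessMemory", "VirtualFreeEx", "VirtualProtectEx", "NtCreateThreadEx",
        "QueueUserAPC",
    },
    # locating a target process
    "process_enum": {"CreateToolhelp32Snapshot", "Process32First", "Process32Next",
                     "EnumProcesses"},
    # resolving APIs at run time, which makes the static table under-report
    "runtime_resolution": {"LoadLibraryA", "LoadLibraryW", "GetProcAddress"},
    # staging decrypted code in the local process (typical of unpacker stubs)
    "local_staging": {"VirtualAlloc", "VirtualProtect", "VirtualFree", "MapViewOfFile"},
}

# API families a small GUI executable rarely needs together; a high share of
# these suggests import-table padding (heuristic, not a rule).
UNUSUAL_PREFIXES = ("Jet", "Imm", "GetGeoInfo", "CallNtPowerInformation",
                    "CreateURLMoniker", "FindVolumeClose", "OpenWaitableTimer")

SAMPLE_IMPORTS = [  # constructed subset of the report's import list
    "JetTerm", "JetCommitTransaction", "JetMove", "JetMakeKey",
    "ImmSetConversionStatus", "ImmEscapeW", "GetStdHandle", "HeapDestroy",
    "WriteProcessMemory", "ReadProcessMemory", "CreateRemoteThread",
    "VirtualProtect", "VirtualAlloc", "VirtualFree", "VirtualFreeEx",
    "Process32Next", "LoadLibraryA", "GetProcAddress", "GetGeoInfoW",
    "CallNtPowerInformation", "CreateURLMoniker", "FindVolumeClose",
    "OpenWaitableTimerW", "MapViewOfFile", "ExitProcess", "WriteFile",
]


def triage(imports):
    """For every cluster with at least one hit, report what is present in the
    static table and which members of the cluster are absent from it."""
    present = set(imports)
    out = {}
    for name, apis in CLUSTERS.items():
        hit = sorted(present & apis)
        if hit:
            out[name] = {"present": hit, "missing": sorted(apis - present)}
    return out


def injection_capable(imports):
    """True when the table already carries both a cross-process write and a
    cross-process execute primitive. False is not exoneration: see
    resolves_at_runtime()."""
    present = set(imports)
    can_write = "WriteProcessMemory" in present
    can_exec = bool(present & {"CreateRemoteThread", "NtCreateThreadEx", "QueueUserAPC"})
    return can_write and can_exec


def resolves_at_runtime(imports):
    """LoadLibrary + GetProcAddress together mean any API can be fetched late."""
    present = set(imports)
    return "GetProcAddress" in present and bool(present & {"LoadLibraryA", "LoadLibraryW"})


def unusual_import_ratio(imports):
    """Share of imports matching UNUSUAL_PREFIXES (0.0 for an empty list)."""
    if not imports:
        return 0.0
    odd = sum(1 for n in imports if n.startswith(UNUSUAL_PREFIXES))
    return odd / len(imports)


def summarize(imports):
    return {
        "clusters": triage(imports),
        "injection_capable": injection_capable(imports),
        "resolves_at_runtime": resolves_at_runtime(imports),
        "unusual_ratio": round(unusual_import_ratio(imports), 2),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(summarize(SAMPLE_IMPORTS), indent=2))
```

Feed it the full import list from a real file (for example the names a PE parser returns) and read the "missing" entries as the APIs to watch for in a debugger or API-monitor trace rather than as evidence of absence.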
Number of PE resources by type
RT_BITMAP 2
RT_DIALOG 2
RT_STRING 1
RT_VERSION 1
Number of PE resources by language
ENGLISH US 6
PE resources
ExifTool file metadata
UninitializedDataSize: 0
InitializedDataSize: 21504
ImageVersion: 0.0
ProductName: KEHEHECUI
FileVersionNumber: 2.8.0.3
LanguageCode: English (U.S.)
FileFlagsMask: 0x003f
CharacterSet: Windows, Latin1
LinkerVersion: 12.0 (the Visual Studio 2013 linker, consistent with the TrID "MS Visual C++" match below)
FileTypeExtension: exe
OriginalFileName: kehehecui.exe
MIMEType: application/octet-stream
Subsystem: Windows GUI
FileVersion: 2.8.0.3
TimeStamp: 2015:01:16 15:16:08+01:00 (the same instant as the PE compilation timestamp above, rendered in UTC+1)
FileType: Win32 EXE
PEType: PE32
InternalName: KEHEHECUI.EXE
ProductVersion: 2.8.0.3
SubsystemVersion: 5.1
OSVersion: 5.1 (minimum target Windows XP)
FileOS: Windows NT 32-bit
LegalCopyright: Iendoilo ewfaniretoykge egenejanalt
MachineType: Intel 386 or later, and compatibles
CompanyName: Iendoilo ewfaniretoykge egenejanalt
CodeSize: 397312
FileSubtype: 0
ProductVersionNumber: 2.8.0.3
EntryPoint: 0x5d279
ObjectFileType: Unknown

Compressed bundles
File identification
MD5 afa0bd0b2bae45ce94bd3a7357be4080
SHA1 e108bc8b491abb07121dd634aaabb72833cf7360
SHA256 8f2e005588030c7bad4d3d7cfbec0fff8da6df90e0abc101e7b2b5e9c118ce62
ssdeep 6144:XzjHwi5S0Klc7J0CHEcdK60bKsj8YO0yYEqypdOai7vJF7GSjsLUEbHAUUll+:Dsi5ilOdKxKsjeiEOai7f0jql+

authentihash de73b3320d80e5d27362141826d48fe1346c7a8221aaaa8edcd3a4b8645c0dfd
imphash 227ca6d8d3a9b2b96ed683a9ee8b8fe3
File size 408.6 KB ( 418420 bytes )
File type Win32 EXE
Magic literal PE32 executable for MS Windows (GUI) Intel 80386 32-bit
TrID Win32 Executable MS Visual C++ (generic) (42.2%)
Win64 Executable (generic) (37.3%)
Win32 Dynamic Link Library (generic) (8.8%)
Win32 Executable (generic) (6.0%)
Generic Win/DOS Executable (2.7%)
Tags peexe, suspicious-udp, overlay
The overlay tag corresponds to the 628-byte overlay described above. The suspicious-udp tag indicates that UDP traffic was observed during the sandbox run; the UDP communications list at the end of this report carries no entries in this copy, so the endpoints cannot be recovered from the page.

VirusTotal metadata
First submission 2017-01-17 09:41:30 UTC ( 2 years, 3 months ago )
Last submission 2017-08-03 13:04:22 UTC ( 1 year, 8 months ago )
File names 8f2e005588030c7bad4d3d7cfbec0fff8da6df90e0abc101e7b2b5e9c118ce62
KEHEHECUI.EXE
read.php
kehehecui.exe
8f2e005588030c7bad4d3d7cfbec0fff8da6df90e0abc101e7b2b5e9c118ce62.bin
Condensed report! The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.
Opened files
Read files
Written files
Moved files
Created processes
Shell commands
Code injections in the following processes
Created mutexes
Opened mutexes
Searched windows
Opened service managers
Opened services
Runtime DLLs
UDP communications