SHA256: 9160a3608bdec0c3d6746b3d2bdf1679616112d09fad59c9d49a2aff0ca8b68c
File name: WMI_Scripting
Detection ratio: 45 / 57
Analysis date: 2016-09-26 12:32:41 UTC ( 2 years, 6 months ago )
Antivirus Result Update
Ad-Aware Trojan.Generic.6106025 20160926
AegisLab Troj.Downloader.W32.VB.aiuu!c 20160926
AhnLab-V3 Downloader/Win32.VB.N341418066 20160926
ALYac Trojan.Generic.6106025 20160926
Antiy-AVL Trojan[:HEUR]/Win32.AGeneric 20160926
Arcabit Trojan.Generic.D5D2BA9 20160926
Avast Win32:Agent-BBIT [Trj] 20160926
AVG Luhe.Malum.A 20160926
Avira (no cloud) TR/Dldr.VB.aiuu.2 20160926
AVware Trojan.Win32.Generic.pak!cobra 20160926
BitDefender Trojan.Generic.6106025 20160926
Comodo Worm.Win32.Autorun.eb0 20160926
CrowdStrike Falcon (ML) malicious_confidence_69% (D) 20160725
Cyren W32/VB.DN.gen!Eldorado 20160926
DrWeb Trojan.Siggen2.40139 20160926
Emsisoft Trojan.Generic.6106025 (B) 20160926
ESET-NOD32 a variant of Win32/Spy.Bancos.OPR 20160926
F-Prot W32/VB.DN.gen!Eldorado 20160926
F-Secure Trojan.Generic.6106025 20160926
Fortinet W32/Generic.AC.2B2E7E!tr 20160926
GData Trojan.Generic.6106025 20160926
Ikarus Trojan.Win32.Camec 20160926
Sophos ML backdoor.win32.zegost.ds 20160917
Jiangmin TrojanDownloader.VB.dqwh 20160926
K7AntiVirus P2PWorm ( 0026d7d71 ) 20160926
K7GW P2PWorm ( 0026d7d71 ) 20160926
Kaspersky Trojan-Downloader.Win32.VB.aiuu 20160926
Malwarebytes Spyware.Banker 20160926
McAfee Generic.dx!96412AC32EE2 20160923
McAfee-GW-Edition BehavesLike.Win32.Trojan.kc 20160926
Microsoft Trojan:Win32/Camec.B 20160926
eScan Trojan.Generic.6106025 20160926
NANO-Antivirus Trojan.Win32.Siggen2.edluda 20160926
Panda Generic Malware 20160925
Qihoo-360 Win32/Trojan.6a6 20160926
Rising Malware.Heuristic!ET (rdm+) 20160926
Sophos AV Mal/Generic-S 20160926
Symantec Suspicious.Cloud.2 20160926
Tencent Win32.Trojan-downloader.Vb.Hsib 20160926
TheHacker Trojan/Downloader.VB.aiuu 20160926
TrendMicro TROJ_DLOADER.QZY 20160926
TrendMicro-HouseCall TROJ_DLOADER.QZY 20160926
VIPRE Trojan.Win32.Generic.pak!cobra 20160926
Yandex Trojan.DL.VB!2YZCYUECsPU 20160925
Zillya Trojan.VB.Win32.55994 20160924
Alibaba (no detection) 20160926
Baidu (no detection) 20160926
Bkav (no detection) 20160926
CAT-QuickHeal (no detection) 20160926
ClamAV (no detection) 20160926
CMC (no detection) 20160921
Kingsoft (no detection) 20160926
nProtect (no detection) 20160926
SUPERAntiSpyware (no detection) 20160923
VBA32 (no detection) 20160923
ViRobot (no detection) 20160926
Zoner (no detection) 20160926
The file being studied is a Portable Executable (PE) file. More specifically, it is a Win32 EXE for the Windows GUI subsystem.
FileVersionInfo properties
Copyright
Script Sammer Bitys.

Product WMI_Scripting.exe
Original name WMI_Scripting.exe
Internal name WMI_Scripting
File version 1.00.0002
Description WMI Scripting The Machine.
Comments WMI Scripting S/A.
Packers identified
Command UPX
F-PROT UPX
PEiD UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2011-06-03 19:23:26
Entry Point 0x0001B420
Number of sections 3
PE sections
PE imports (these are the imports of the UPX decompression stub; the original program's import table is only visible after unpacking)
VirtualFree
ExitProcess
VirtualProtect
LoadLibraryA
VirtualAlloc
GetProcAddress
Ord(581)
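The six named functions above are the canonical import set of the UPX stub, and an ordinal import such as Ord(581) is what UPX typically retains from the original program's import table to keep that DLL loaded (the report does not show which DLL it belongs to). The imphash listed under "File identification" is therefore a hash of the packer's imports, and it will match any other UPX-packed binary with the same stub layout. The following added example (not pefile's or VirusTotal's code) recomputes an import hash the way pefile defines it. The import lists are constructed: attributing the six names to KERNEL32.DLL and the ordinal to a placeholder DLL are assumptions, the contrast list is hypothetical, and pefile's built-in ordinal-to-name tables for oleaut32, ws2_32 and wsock32 are omitted.

```python
"""Recompute an import hash (imphash) the way pefile/VirusTotal define it:
MD5 over the comma-joined, ordered list of "library.function" tokens.
Added example; not pefile's or VirusTotal's code."""
import hashlib


def normalize_import(dll, func):
    """One imphash token: library lower-cased with .dll/.ocx/.sys stripped,
    function lower-cased; an ordinal import becomes ordN. (Real pefile also
    resolves ordinals to names for oleaut32, ws2_32 and wsock32 via built-in
    tables; that lookup is omitted here.)"""
    lib = dll.lower()
    for ext in (".dll", ".ocx", ".sys"):
        if lib.endswith(ext):
            lib = lib[: -len(ext)]
            break
    name = f"ord{func}" if isinstance(func, int) else func.lower()
    return f"{lib}.{name}"


def imphash(imports):
    """imports: ordered list of (dll, name_or_ordinal) in import-table order.
    Order is part of the hash, so the same APIs linked in a different order
    produce a different imphash."""
    joined = ",".join(normalize_import(dll, func) for dll, func in imports)
    return hashlib.md5(joined.encode("ascii")).hexdigest()


# Constructed sample: the seven imports listed on this page. Attributing the
# six named APIs to KERNEL32.DLL and the ordinal to a placeholder DLL are
# assumptions; the report shows the function names only.
UPX_STUB_IMPORTS = [
    ("KERNEL32.DLL", "VirtualFree"),
    ("KERNEL32.DLL", "ExitProcess"),
    ("KERNEL32.DLL", "VirtualProtect"),
    ("KERNEL32.DLL", "LoadLibraryA"),
    ("KERNEL32.DLL", "VirtualAlloc"),
    ("KERNEL32.DLL", "GetProcAddress"),
    ("PLACEHOLDER.DLL", 581),
]

# Hypothetical contrast case (constructed): the two APIs named in the
# behaviour section, with their usual DLLs assumed. An unpacked payload's
# import table hashes to something unrelated to the stub's imphash, which is
# why the imphash on this page clusters on UPX rather than on the family.
HYPOTHETICAL_PAYLOAD_IMPORTS = [
    ("KERNEL32.DLL", "DeviceIoControl"),
    ("USER32.DLL", "SetWindowsHookExA"),
]

if __name__ == "__main__":
    print("stub imphash    ", imphash(UPX_STUB_IMPORTS))
    print("payload imphash ", imphash(HYPOTHETICAL_PAYLOAD_IMPORTS))
```

Pivoting on the imphash of a packed sample therefore finds other UPX-packed files, not other members of this family; unpack first (UPX's own `-d` works for an unmodified stub) and hash the reconstructed import table instead.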
Number of PE resources by type
RT_ICON 10
RT_VERSION 1
RT_GROUP_ICON 1
Number of PE resources by language
NEUTRAL 11
SPANISH MODERN 1
PE resources
ExifTool file metadata
LegalTrademarks
Torps Scripting Corporation S/A.

SubsystemVersion
4.0

Comments
WMI Scripting S/A.

LinkerVersion
6.0

ImageVersion
1.0

FileSubtype
0

FileVersionNumber
1.0.0.2

LanguageCode
Spanish (Modern)

FileFlagsMask
0x0000

FileDescription
WMI Scripting The Machine.

CharacterSet
Unicode

InitializedDataSize
32768

EntryPoint
0x1b420

OriginalFileName
WMI_Scripting.exe

MIMEType
application/octet-stream

LegalCopyright
Script Sammer Bitys.

FileVersion
1.00.0002

TimeStamp
2011:06:03 20:23:26+01:00

FileType
Win32 EXE

PEType
PE32

InternalName
WMI_Scripting

ProductVersion
1.00.0002

UninitializedDataSize
77824

OSVersion
4.0

FileOS
Win32

Subsystem
Windows GUI

MachineType
Intel 386 or later, and compatibles

CompanyName
Win Mister Intercooler Corporation S/A.

CodeSize
32768

ProductName
WMI_Scripting.exe

ProductVersionNumber
1.0.0.2

FileTypeExtension
exe

ObjectFileType
Executable application

File identification
MD5 96412ac32ee27fb37c3f7cb1ae552c25
SHA1 99e91a586855878795ca3df199ae93d01e8b15bb
SHA256 9160a3608bdec0c3d6746b3d2bdf1679616112d09fad59c9d49a2aff0ca8b68c
ssdeep 768:HYLlKC2jYu+TRyWAj7ZxzR6wss6eyWDU//Rx43RneVujlwJhnG+rN7a0T9OEgDMU:H3dAT/AHL658hnKXh1rpa0sDa3+
authentihash 97725a26eb39c7615f441d6c7533bb2ed729f4e5bad577467bf0fff52849c416
imphash 3243b13e562279ab7fbe2f31e45d3a95
File size 60.0 KB ( 61440 bytes )
File type Win32 EXE
Magic literal PE32 executable for MS Windows (GUI) Intel 80386 32-bit
TrID UPX compressed Win32 Executable (42.3%)
Win32 EXE Yoda's Crypter (36.7%)
Win32 Dynamic Link Library (generic) (9.1%)
Win32 Executable (generic) (6.2%)
Generic Win/DOS Executable (2.7%)
Tags
peexe upx

VirusTotal metadata
First submission 2011-06-04 14:41:35 UTC ( 7 years, 10 months ago )
Last submission 2014-04-09 19:23:02 UTC ( 5 years ago )
File names 857972
96412ac32ee27fb37c3f7cb1ae552c25.exe
index.html
hoVil.tmp
comprovante_mercado-html18978939
96412ac32ee27fb37c3f7cb1ae552c25
WMI_Scripting.exe
WMI_Scripting
comprovante_mercado_html18978939.exe.vir
file-2334538_swat
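Most of the static fields above (machine type, compile timestamp, entry point, section count, subsystem, PE type and the three content hashes) are read straight from the PE header and the file bytes, and the compile timestamp is only worth trusting when it predates the first public sighting; here it does, by under a day. The following added example (not VirusTotal's or ExifTool's code) parses those fields from a header-only PE32 image that the script constructs with this report's values, flags the default UPX section naming, and measures the gap between compile time and first submission. The section names UPX0/UPX1/.rsrc are the default UPX layout and are an assumption here, since this page does not reproduce the section table.

```python
"""Parse the PE header fields a VirusTotal report surfaces and run two triage
checks: default UPX section naming, and compile timestamp vs. first submission.
Added example; not VirusTotal's or ExifTool's code."""
import calendar
import datetime as dt
import hashlib
import struct

MACHINE_NAMES = {0x014C: "Intel 386 or later processors and compatible processors",
                 0x8664: "x64"}
SUBSYSTEM_NAMES = {2: "Windows GUI", 3: "Windows CUI"}
TIME_FMT = "%Y-%m-%d %H:%M:%S"


def build_sample_pe(timestamp, entry_point, section_names, subsystem=2):
    """Construct a header-only PE32 image for offline testing. Only the fields
    parse_pe() reads are populated; there is no code, so it cannot execute."""
    e_lfanew = 0x40
    dos = bytearray(b"MZ".ljust(e_lfanew, b"\0"))
    struct.pack_into("<I", dos, 0x3C, e_lfanew)          # offset of "PE\0\0"
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x014C, len(section_names), timestamp, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)                                 # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)                 # Magic: PE32
    struct.pack_into("<I", opt, 16, entry_point)          # AddressOfEntryPoint
    struct.pack_into("<H", opt, 68, subsystem)            # Subsystem
    # 40-byte section headers; only the 8-byte Name field is filled in
    sections = b"".join(n.encode().ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sections


def parse_pe(data):
    """Return the fields shown under 'PE header basic information'."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsect, ts, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    (entry,) = struct.unpack_from("<I", data, opt + 16)
    (subsystem,) = struct.unpack_from("<H", data, opt + 68)
    first_section = opt + opt_size
    names = [data[first_section + 40 * i:first_section + 40 * i + 8]
             .split(b"\0", 1)[0].decode("latin-1") for i in range(nsect)]
    return {
        "machine": MACHINE_NAMES.get(machine, hex(machine)),
        "compile_time": dt.datetime.fromtimestamp(ts, dt.timezone.utc).strftime(TIME_FMT),
        "entry_point": entry,
        "sections": names,
        "subsystem": SUBSYSTEM_NAMES.get(subsystem, str(subsystem)),
        "pe_type": {0x10B: "PE32", 0x20B: "PE32+"}.get(magic, hex(magic)),
    }


def looks_upx_packed(section_names):
    """Default UPX builds name the two runtime sections UPX0 and UPX1. A renamed
    stub defeats this, so treat it as a hint; byte signatures of the kind
    PEiD/TrID apply on this page are the stronger check."""
    return {"UPX0", "UPX1"}.issubset(section_names)


def file_hashes(data):
    """The three content hashes listed under 'File identification'."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}


def hours_compile_to_first_seen(compile_time, first_submission):
    """Hours between the PE compile timestamp and the first public submission.
    Negative means the file was seen before it claims to have been built, i.e.
    the timestamp is forged; a gap of years is also worth a second look."""
    delta = (dt.datetime.strptime(first_submission, TIME_FMT)
             - dt.datetime.strptime(compile_time, TIME_FMT))
    return delta.total_seconds() / 3600


# Constructed sample built from this report's header values. The section names
# are assumed (default UPX layout), not taken from the report.
SAMPLE_TS = calendar.timegm((2011, 6, 3, 19, 23, 26))
SAMPLE_PE = build_sample_pe(SAMPLE_TS, 0x0001B420, ["UPX0", "UPX1", ".rsrc"])

if __name__ == "__main__":
    info = parse_pe(SAMPLE_PE)
    for key, value in info.items():
        print(f"{key:13} {value}")
    print("upx sections ", looks_upx_packed(info["sections"]))
    print("sha256       ", file_hashes(SAMPLE_PE)["sha256"])
    print("hours to first submission",
          round(hours_compile_to_first_seen(info["compile_time"], "2011-06-04 14:41:35"), 1))
```

Because the sample image is header-only, its hashes will not match the MD5/SHA1/SHA256 on this page; point `parse_pe` and `file_hashes` at the real file bytes to reproduce those.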
Advanced heuristic and reputation engines
ClamAV
Possibly Unwanted Application. While not necessarily malicious, the scanned file presents certain characteristics which depending on the user policies and environment may or may not represent a threat. For full details see: https://www.clamav.net/documents/potentially-unwanted-applications-pua .

Condensed report. The following summarises the behaviour of the file when executed in a controlled environment. The actions and events described were performed either by the file itself, by a process it launched, or by a process into which it injected code. Since the sample is UPX-packed, this is the behaviour of the decompressed payload running in memory, which the static import list above does not reveal.
Opened files
Read files
Hooking activity
Runtime DLLs
Additional details
The file sends control codes directly to certain device drivers using the DeviceIoControl Windows API function.
The file installs an application-defined hook procedure into a hook chain using the SetWindowsHook (in current Windows, SetWindowsHookEx) API function. A hook procedure monitors the system for certain types of events, associated either with a specific thread or with all threads in the same desktop as the calling thread. Hook chains are also the standard user-mode mechanism for intercepting keyboard and window messages, which is worth bearing in mind alongside the Spy.Bancos and Spyware.Banker labels in the detection table above.