SHA256: 93f82ebc98406784bf10484495231e17a7f8270c17dfb4a0caf4caae29519f5a
File name: Demonoid.exe
Detection ratio: 49 / 54
Analysis date: 2014-07-14 05:10:41 UTC
Antivirus | Result | Update
--- | --- | ---
Ad-Aware | Trojan.Generic.3831675 | 20140714
Yandex | Trojan.VBInject.Gen.5 | 20140713
AhnLab-V3 | Trojan/Win32.Zbot | 20140714
AntiVir | TR/Dropper.Gen | 20140713
Antiy-AVL | Trojan[RemoteAdmin:not-a-virus]/Win32.VB | 20140714
Avast | Win32:VB-QSB [Drp] | 20140714
AVG | Dropper.Generic2.FJW | 20140714
Baidu-International | HackTool.Win32.RemoteAdmin.Avfx | 20140713
BitDefender | Trojan.Generic.3831675 | 20140714
Bkav | W32.SdraMYSA.Trojan | 20140711
CAT-QuickHeal | (Suspicious) - DNAScan | 20140714
ClamAV | Trojan.Spy.Zbot-74 | 20140713
Commtouch | W32/Risk.ZGCS-6043 | 20140714
Comodo | Worm.Win32.VBNA.~gen | 20140712
DrWeb | Trojan.PWS.Panda.307 | 20140714
Emsisoft | Trojan.Generic.3831675 (B) | 20140714
ESET-NOD32 | Win32/Spy.Zbot.WM | 20140714
F-Prot | W32/MalwareF.TGMD | 20140714
F-Secure | Trojan.Generic.3831675 | 20140713
Fortinet | W32/Refroso.BLC!tr | 20140714
GData | Trojan.Generic.3831675 | 20140714
Ikarus | not-a-virus:RemoteAdmin.Win32.VB | 20140714
Jiangmin | Worm/VBNA.fijf | 20140713
K7AntiVirus | EmailWorm ( 003c363a1 ) | 20140711
K7GW | EmailWorm ( 003c363a1 ) | 20140711
Kaspersky | Worm.Win32.VBNA.b | 20140714
Kingsoft | Win32.Troj.Generic.(kcloud) | 20140714
Malwarebytes | Trojan.Zbot | 20140714
McAfee | Generic PUP.x!bg3 | 20140714
McAfee-GW-Edition | Generic PUP.x!bg3 | 20140713
Microsoft | VirTool:Win32/VBInject.TE | 20140714
eScan | Trojan.Generic.3831675 | 20140714
NANO-Antivirus | Trojan.Win32.Zbot.tjzi | 20140714
Norman | ZBot.SML | 20140714
nProtect | Trojan/W32.Agent.192512.NE | 20140713
Panda | Trj/Sinowal.XII | 20140713
Qihoo-360 | HEUR/Malware.QVM03.Gen | 20140713
Rising | PE:Trojan.Win32.Generic.125C9002!308056066 | 20140713
Sophos AV | Mal/Koobface-D | 20140713
SUPERAntiSpyware | Trojan.Agent/Gen-SDRA[VB] | 20140713
Symantec | Trojan.Gen | 20140714
Tencent | Win32.Worm.Vbna.Wlza | 20140714
TotalDefense | Win32/Zbot.BND | 20140713
TrendMicro | TROJ_ZBOT.BWF | 20140714
TrendMicro-HouseCall | TROJ_ZBOT.BWF | 20140714
VBA32 | Trojan.VB.Dhost.ec | 20140712
VIPRE | Trojan-Spy.Win32.Zbot.sml (v) | 20140714
ViRobot | Trojan.Win32.Vbinject.192512 | 20140714
Zillya | Trojan.Zbot.Win32.28577 | 20140712
AegisLab | | 20140714
ByteHero | | 20140714
CMC | | 20140714
TheHacker | | 20140711
Zoner | | 20140711

The last five engines returned no result, which accounts for the 49 / 54 ratio. Note how the labels disagree: most name the Zeus/Zbot family (Zbot, ZBot, Trojan.PWS.Panda), several describe only the Visual Basic wrapper (VBNA, VBInject, Win32.VB), and a few are unrelated family names (Koobface, Sinowal, Refroso) or pure heuristics.
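A table like the one above is only useful once the vendor labels are reduced to a family consensus, because vendors name the wrapper, the payload or a heuristic at random. The script below is an added example, not part of the original report, that parses rows in the page's "Vendor Result Update" layout and counts canonical families; the keyword table and the choice of "zeus" as the canonical name for Zbot/PWS.Panda are assumptions made for this example, and the sample rows are a subset copied from the table above.

```python
import re
from collections import Counter

# Constructed sample: a subset of the detection rows from the table above,
# pasted as the plain "Vendor Result Update" lines in which the page shows them.
SAMPLE_ROWS = """\
Ad-Aware Trojan.Generic.3831675 20140714
AhnLab-V3 Trojan/Win32.Zbot 20140714
Antiy-AVL Trojan[RemoteAdmin:not-a-virus]/Win32.VB 20140714
ClamAV Trojan.Spy.Zbot-74 20140713
DrWeb Trojan.PWS.Panda.307 20140714
ESET-NOD32 Win32/Spy.Zbot.WM 20140714
K7AntiVirus EmailWorm ( 003c363a1 ) 20140711
Kaspersky Worm.Win32.VBNA.b 20140714
Microsoft VirTool:Win32/VBInject.TE 20140714
Panda Trj/Sinowal.XII 20140713
Sophos AV Mal/Koobface-D 20140713
TrendMicro TROJ_ZBOT.BWF 20140714
AegisLab 20140714
Zoner 20140711
"""

# Vendor names that contain a space; every other vendor is the first whitespace token.
MULTIWORD_VENDORS = ("Sophos AV",)

# Substrings (matched case-insensitively on the result) mapped to a canonical family.
# Specific families come first so that e.g. "Trojan.Spy.Zbot" is not filed under "generic".
FAMILY_KEYWORDS = [
    ("zeus", ("zbot", "pws.panda")),                    # Dr.Web names Zeus "Trojan.PWS.Panda"
    ("vb-wrapper", ("vbna", "vbinject", "win32.vb")),   # labels for the VB6 loader itself
    ("koobface", ("koobface",)),
    ("sinowal", ("sinowal",)),
    ("generic", ("generic", ".gen", "/gen")),
]


def parse_rows(text):
    """Split 'Vendor Result YYYYMMDD' lines; a line with no result means no detection."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        vendor = next((v for v in MULTIWORD_VENDORS if line.startswith(v + " ")), None)
        if vendor is None:
            vendor, _, rest = line.partition(" ")
        else:
            rest = line[len(vendor):].strip()
        m = re.fullmatch(r"(.*?)\s*(\d{8})?", rest)
        result, date = m.group(1).strip(), m.group(2)
        rows.append({"vendor": vendor, "result": result or None, "date": date})
    return rows


def family_of(result):
    if not result:
        return None
    low = result.lower()
    for family, keys in FAMILY_KEYWORDS:
        if any(k in low for k in keys):
            return family
    return "unclassified"


def summarize(text):
    rows = parse_rows(text)
    families = Counter(family_of(r["result"]) for r in rows if r["result"])
    # Consensus ignores catch-all labels, which say nothing about the family.
    specific = {f: n for f, n in families.items() if f not in ("generic", "unclassified")}
    consensus = max(specific, key=specific.get) if specific else None
    return {
        "engines": len(rows),
        "detections": sum(1 for r in rows if r["result"]),
        "families": families,
        "consensus": consensus,
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_ROWS)
    print("%d/%d engines, families=%s, consensus=%s"
          % (s["detections"], s["engines"], dict(s["families"]), s["consensus"]))
```

On the sample rows this yields 12/14 detections with "zeus" as the consensus family and "vb-wrapper" second, which is the practical reading of the full table: a Zeus/Zbot sample carried by a Visual Basic loader. Any row whose label matches none of the keywords is reported as "unclassified" rather than silently dropped, so a new family name shows up in the counts.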
The file is a Portable Executable (PE32) Win32 EXE built for the Windows GUI subsystem.
FileVersionInfo properties
Copyright: © Microsoft Windows. All rights reserved.
Product: sdra64
Original name: sdra64.exe
Internal name: sdra64
File version: 7.01.2600
Description: System Data Recover Analyst

These strings are attacker-controlled and here they impersonate a Windows component: the copyright and company fields say "Microsoft Windows" and the version reuses the Windows XP build number 2600, but no Microsoft binary carries this name or description. sdra64.exe is the well-known file name under which early Zeus/Zbot builds dropped themselves into the system directory, which is consistent with the detection labels above.
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2010-05-01 01:42:17
Entry Point 0x000011C8
Number of sections 3
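The header facts listed above (machine, compilation timestamp, entry point, section count, subsystem, characteristics) all come from the COFF and optional headers that follow the DOS stub. The parser below is an added example, not code from the original report, that reads those fields with nothing but the standard library and refuses truncated or non-PE32 input instead of indexing past the end of the buffer; since the sample itself is not on the page, build_minimal_pe() constructs a header-only PE32 populated with the values this report shows (the section layout in it is an assumption made for the example).

```python
import struct
from datetime import datetime, timezone

COFF_FMT = "<HHIIIHH"                          # IMAGE_FILE_HEADER (20 bytes)
OPT32_FMT = "<HBBIIIIIIIIIHHHHHHIIIIHHIIIIII"  # IMAGE_OPTIONAL_HEADER32 up to NumberOfRvaAndSizes (96 bytes)
SECTION_FMT = "<8sIIIIIIHHI"                   # IMAGE_SECTION_HEADER (40 bytes)

# Characteristics bits, spelled the way this report prints them.
CHARACTERISTICS = [
    (0x0001, "No relocs"), (0x0002, "Executable"), (0x0004, "No line numbers"),
    (0x0008, "No symbols"), (0x0100, "32-bit"), (0x2000, "DLL"),
]
SUBSYSTEMS = {1: "Native", 2: "Windows GUI", 3: "Windows CUI"}
MACHINES = {0x14C: "Intel 386 or later processors and compatible processors", 0x8664: "x64"}


def parse_pe_header(data):
    """Return the header facts a triage report prints, validating every offset on the way."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    coff_off = e_lfanew + 4
    if coff_off + struct.calcsize(COFF_FMT) > len(data) or data[e_lfanew:coff_off] != b"PE\0\0":
        raise ValueError("bad e_lfanew or missing PE signature")
    machine, nsect, ts, _, _, opt_size, chars = struct.unpack_from(COFF_FMT, data, coff_off)
    opt_off = coff_off + struct.calcsize(COFF_FMT)
    if opt_size < struct.calcsize(OPT32_FMT) or opt_off + opt_size > len(data):
        raise ValueError("optional header truncated")
    opt = struct.unpack_from(OPT32_FMT, data, opt_off)
    if opt[0] != 0x10B:                        # 0x20B would be PE32+
        raise ValueError("only PE32 handled here, magic=0x%x" % opt[0])
    sections, sect_off = [], opt_off + opt_size  # section table follows the full optional header
    for i in range(nsect):
        off = sect_off + i * struct.calcsize(SECTION_FMT)
        if off + struct.calcsize(SECTION_FMT) > len(data):
            raise ValueError("section table runs past end of file")
        name, vsize, va, rawsize, rawptr, _, _, _, _, schars = struct.unpack_from(SECTION_FMT, data, off)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_address": va, "virtual_size": vsize,
                         "raw_offset": rawptr, "raw_size": rawsize, "characteristics": schars})
    return {
        "machine": MACHINES.get(machine, "0x%x" % machine),
        "timestamp_utc": datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
        "entry_point": opt[6],
        "num_sections": nsect,
        "linker_version": "%d.%d" % (opt[1], opt[2]),
        "code_size": opt[3],
        "initialized_data_size": opt[4],
        "subsystem": SUBSYSTEMS.get(opt[22], str(opt[22])),
        "characteristics": ", ".join(n for bit, n in CHARACTERISTICS if chars & bit),
        "sections": sections,
    }


def build_minimal_pe():
    """Constructed input: a header-only PE32 carrying the values this report shows (no real code)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                                   # e_lfanew
    coff = struct.pack(COFF_FMT, 0x14C, 3, 1272678137, 0, 0, 224, 0x010F)     # ts = 2010-05-01 01:42:17 UTC
    opt = struct.pack(OPT32_FMT, 0x10B, 6, 0, 73728, 122880, 0, 0x11C8, 0x1000, 0x13000,
                      0x400000, 0x1000, 0x1000, 4, 0, 7, 1, 4, 0, 0, 0x32000, 0x1000, 0,
                      2, 0, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16) + bytes(16 * 8)
    # Three sections whose raw pointers deliberately point past this header-only buffer.
    layout = [(b".text", 73728, 0x1000, 73728, 0x1000, 0x60000020),
              (b".data", 0x2000, 0x13000, 0x1000, 0x13000, 0xC0000040),
              (b".rsrc", 122880 - 0x1000, 0x15000, 122880 - 0x1000, 0x14000, 0x40000040)]
    secs = b"".join(struct.pack(SECTION_FMT, n, vs, va, rs, rp, 0, 0, 0, 0, ch)
                    for n, vs, va, rs, rp, ch in layout)
    return bytes(dos) + b"PE\0\0" + coff + opt + secs


if __name__ == "__main__":
    for key, value in parse_pe_header(build_minimal_pe()).items():
        print("%-22s %s" % (key, value))
```

Two things worth checking against the report with this: the compilation timestamp is a 32-bit seconds-since-epoch field that the compiler writes and an attacker can overwrite, so it is evidence, not proof, of a May 2010 build; and the parser walks the section table from the end of the optional header (SizeOfOptionalHeader), not from a fixed offset, because packers routinely enlarge or shrink that header.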
PE imports
The report lists only the imported symbols, not the module. The names below (EVENT_SINK_*, __vbaExceptHandler, MethCallEngine, ProcCallEngine, DllFunctionCall, Zombie_GetTypeInfo*) are exports of MSVBVM60.DLL, the Visual Basic 6 runtime, which agrees with the TrID result further down.
Named imports: EVENT_SINK_QueryInterface, EVENT_SINK_Invoke, EVENT_SINK_AddRef, EVENT_SINK_GetIDsOfNames, EVENT_SINK_Release, __vbaExceptHandler, MethCallEngine, ProcCallEngine, DllFunctionCall, Zombie_GetTypeInfoCount, Zombie_GetTypeInfo
Imports by ordinal (33, sorted): 100, 319, 320, 321, 512, 514, 516, 526, 528, 529, 537, 542, 545, 563, 572, 573, 595, 608, 610, 616, 619, 628, 631, 632, 644, 685, 694, 697, 710, 711, 712, 713, 717
DllFunctionCall is how the VB6 runtime services "Declare" statements: Win32 functions the program calls (for instance the SetWindowsHookEx and DeviceIoControl calls reported under the behaviour section) are resolved by name at run time and therefore never appear in this import table.
Number of PE resources by type: RT_ICON 3, MICROSOFT 2, RT_GROUP_ICON 1, RT_VERSION 1, CUSTOM 1
Number of PE resources by language: NEUTRAL 6, ENGLISH US 1, DUTCH 1
ExifTool file metadata
SubsystemVersion: 4.0
InitializedDataSize: 122880
ImageVersion: 7.1
ProductName: sdra64
FileVersionNumber: 7.1.0.2600
UninitializedDataSize: 0
LanguageCode: English (U.S.)
FileFlagsMask: 0x0000
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
CharacterSet: Unicode
LinkerVersion: 6.0
FileTypeExtension: exe
OriginalFileName: sdra64.exe
MIMEType: application/octet-stream
Subsystem: Windows GUI
FileVersion: 7.01.2600
TimeStamp: 2010:05:01 03:42:17+02:00 (the same instant as the 01:42:17 UTC compilation timestamp above, rendered in a UTC+2 zone)
FileType: Win32 EXE
PEType: PE32
InternalName: sdra64
ProductVersion: 7.01.2600
FileDescription: System Data Recover Analyst
OSVersion: 4.0
FileOS: Win32
LegalCopyright: Microsoft Windows. All rights reserved.
MachineType: Intel 386 or later, and compatibles
CompanyName: Microsoft Windows
CodeSize: 73728
FileSubtype: 0
ProductVersionNumber: 7.1.0.2600
EntryPoint: 0x11c8
ObjectFileType: Executable application
File identification
MD5: 6606b5380d3785e57583a978802d755e
SHA1: ed08a2cb3307952245eadda65b924a62bb9025e7
SHA256: 93f82ebc98406784bf10484495231e17a7f8270c17dfb4a0caf4caae29519f5a
ssdeep: 3072:inXA7Crl80FsXZXBo2cgYrp9dLizIlMGBURss5bgzDQ2+NmsRTcQHtYmG:inXOo8xYrpHizINKbuDYmsRTJN
authentihash: 965b5f8bb77e09b2c60477eb770e3670e5348060b8662327160edf89dac4e1c1
imphash: a97a7d2f448ca0be69a06abbe6ba3ab2
File size: 188.0 KB (192512 bytes)
File type: Win32 EXE
Magic literal: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
TrID: Win32 Executable Microsoft Visual Basic 6 (88.6%), Win32 Executable (generic) (4.8%), OS/2 Executable (generic) (2.1%), Generic Win/DOS Executable (2.1%), DOS Executable Generic (2.1%)
Tags
peexe
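Of the identifiers above, imphash is the one that survives recompilation of the same source: it is the MD5 of the import table, normalised as lower-cased "module.function" entries (module extension stripped, ordinal imports written as ordNNN) joined by commas in import order. The code below is an added example of that algorithm and is not the report's own tooling; because the page gives the symbols but not the module name or the full table order, the sample uses the first few entries of the import list above and assumes they come from MSVBVM60.DLL, so it cannot reproduce the page's hash value, only the method.

```python
import hashlib

# Constructed sample: the first few entries of the import list above, in the order they
# appear there, attributed to MSVBVM60.DLL (an assumption: the page names only the symbols).
SAMPLE_IMPORTS = [
    ("MSVBVM60.DLL", ["EVENT_SINK_QueryInterface", 537, 516, 713, "EVENT_SINK_Invoke", 320]),
]


def normalize_import(dll, func):
    """One 'lib.func' element exactly as the imphash algorithm expects it."""
    lib = dll.lower()
    for ext in (".dll", ".ocx", ".sys"):   # only these extensions are stripped
        if lib.endswith(ext):
            lib = lib[: -len(ext)]
            break
    # Ordinal-only imports become "ordNNN". (pefile additionally maps ordinals of
    # oleaut32.dll and ws2_32.dll to their export names first; that table is omitted here,
    # so results for those two modules would differ from pefile's.)
    name = "ord%d" % func if isinstance(func, int) else func.lower()
    return "%s.%s" % (lib, name)


def imphash_string(imports):
    """The comma-joined string that gets hashed; handy for diffing two samples by eye."""
    return ",".join(normalize_import(dll, f) for dll, funcs in imports for f in funcs)


def imphash(imports):
    """imports: list of (module name, [function name or ordinal, ...]) in import-table order."""
    return hashlib.md5(imphash_string(imports).encode("ascii")).hexdigest()


if __name__ == "__main__":
    print(imphash_string(SAMPLE_IMPORTS))
    print(imphash(SAMPLE_IMPORTS))
```

Two properties matter when using imphash as a pivot: the module name's case is irrelevant, so "MSVBVM60.DLL" and "msvbvm60.dll" hash identically, but import order is part of the input, so the same functions linked in a different order give a different hash. For a VB6 binary such as this one the import table is the runtime's fixed set of MSVBVM60 entries, which is why imphash tends to cluster VB6 loaders together regardless of the payload they carry.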

VirusTotal metadata
First submission: 2010-12-02 22:04:03 UTC
Last submission: 2018-01-21 08:46:18 UTC
File names: sdra64.exe, SDRA64.EXE, sdra64, Demonoid.exe
Condensed report. The following summarises the behaviour of the file when executed in a controlled environment. The actions and events listed were performed by the file itself, by a process it launched, or by a process into which it injected code.
The report's Created processes, Code injections, Opened mutexes, Hooking activity and Runtime DLLs sections carry no entries on this page; only the additional details below remain.
Additional details
The file sends control codes directly to device drivers through the DeviceIoControl Windows API.
The file installs an application-defined hook procedure into a hook chain through the SetWindowsHookEx Windows API (the report's "SetWindowsHook" refers to this call). A hook procedure receives events such as keyboard input or window messages either for a specific thread or for every thread on the calling thread's desktop, which is a standard way for a credential-stealing trojan to observe user input. Because this is a VB6 executable, both calls are resolved at run time through DllFunctionCall and are absent from the static import table above; the API names are nevertheless present in the binary as plain strings.
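When the import table is silent, as it is for VB6 samples, a first static check is to look for the Win32 API names the sandbox reported as plain ANSI or UTF-16LE strings in the file, since a VB6 "Declare" statement stores the library name and the alias name in the binary for DllFunctionCall to resolve. The script below is an added example, not part of the original report: the watchlist, the category names and the sample byte buffer are all constructed for the example, and a hit is a lead to confirm in a debugger or sandbox, not proof that the call is reached.

```python
import re

# API names grouped by the behaviour they indicate; constructed watchlist for this example.
WATCHLIST = {
    "hooking": ("SetWindowsHookExA", "SetWindowsHookExW", "CallNextHookEx", "UnhookWindowsHookEx"),
    "device control": ("DeviceIoControl",),
    "code injection": ("WriteProcessMemory", "CreateRemoteThread", "VirtualAllocEx"),
    "dynamic resolution": ("GetProcAddress", "LoadLibraryA", "LoadLibraryW"),
}

ASCII_RUN = re.compile(rb"[\x20-\x7e]{6,}")            # printable ANSI runs of 6+ bytes
WIDE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")     # printable UTF-16LE runs of 6+ characters


def extract_strings(data):
    """Yield (offset, text, encoding) for printable runs in both encodings Windows binaries use."""
    for m in ASCII_RUN.finditer(data):
        yield m.start(), m.group().decode("ascii"), "ascii"
    for m in WIDE_RUN.finditer(data):
        yield m.start(), m.group().decode("utf-16le"), "utf-16le"


def classify_api_strings(data):
    """Map behaviour category -> list of (api name, file offset, encoding) found as strings."""
    found = {}
    for off, text, enc in extract_strings(data):
        for category, names in WATCHLIST.items():
            for name in names:
                if name in text:
                    found.setdefault(category, []).append((name, off, enc))
    return {k: sorted(v, key=lambda hit: hit[1]) for k, v in found.items()}


# Constructed sample buffer laid out the way a VB6 Declare ... Lib "user32" Alias "SetWindowsHookExA"
# statement leaves its strings in the binary: library name and alias as NUL-terminated ANSI
# strings, plus one UTF-16LE string and some non-printable filler so both decoders are exercised.
SAMPLE = (
    bytes(range(0x00, 0x10)) * 2
    + b"user32\0SetWindowsHookExA\0"
    + bytes(7)
    + b"kernel32\0DeviceIoControl\0\0"
    + "WriteProcessMemory".encode("utf-16le") + b"\0\0"
    + b"\x90" * 16
)


if __name__ == "__main__":
    for category, hits in classify_api_strings(SAMPLE).items():
        for name, off, enc in hits:
            print("%-18s %-20s at 0x%04x (%s)" % (category, name, off, enc))
```

Run against a real file, read it with open(path, "rb").read() and pass the bytes to classify_api_strings. Expect noise: library DLLs, legitimate GUI code and the VB6 runtime itself reference some of these names, so the value is in the combination (hooking plus injection plus device control in one small binary) rather than in any single hit, and an absence of hits on a packed sample means only that the strings are not in the clear.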