SHA256: 968d47391cddb4ff7ca360d805409365799e0b3fadd74feef07505213db64ba2
File name: Eli
Detection ratio: 42 / 63
Analysis date: 2018-07-02 05:28:03 UTC ( 6 months, 3 weeks ago )
Antivirus Result Update
Ad-Aware Gen:Variant.Razy.158985 20180702
ALYac Gen:Variant.Razy.158985 20180702
Antiy-AVL Trojan/Win32.AGeneric 20180702
Arcabit Trojan.Razy.D26D09 20180702
Avast Win32:Crypt-RDQ [Trj] 20180702
AVG Win32:Crypt-RDQ [Trj] 20180702
Avira (no cloud) TR/Crypt.EPACK.Gen2 20180701
AVware Trojan.Win32.Agent.wbca (v) 20180702
Baidu Win32.Trojan.Kryptik.ho 20180628
BitDefender Gen:Variant.Razy.158985 20180702
Cybereason malicious.912a2d 20180225
Cyren W32/Symmi.LFKL-2355 20180702
DrWeb Trojan.Encoder.514 20180702
Emsisoft Gen:Variant.Razy.158985 (B) 20180702
Endgame malicious (high confidence) 20180612
ESET-NOD32 Win32/Filecoder.CryptoWall.B 20180702
F-Prot W32/Symmi.H 20180702
F-Secure Gen:Variant.Razy.158985 20180702
Fortinet W32/Cryptodef.PD!tr 20180702
Ikarus Crypt.Win32.Krypti7 20180701
K7AntiVirus Trojan ( 0049ee0a1 ) 20180702
K7GW Trojan ( 0049ee0a1 ) 20180701
Kaspersky HEUR:Trojan.Win32.Generic 20180702
Malwarebytes Spyware.Zbot.VXGen 20180702
MAX malware (ai score=100) 20180702
McAfee PWSZbot-FAAB!1625FD5912A2 20180702
McAfee-GW-Edition PWSZbot-FAAB!1625FD5912A2 20180702
Microsoft Ransom:Win32/Crowti.A 20180702
eScan Gen:Variant.Razy.158985 20180702
NANO-Antivirus Trojan.Win32.Blocker.detwqn 20180702
Palo Alto Networks (Known Signatures) generic.ml 20180702
Panda Trj/Genetic.gen 20180701
Sophos AV Troj/Agent-AHQI 20180702
Symantec Ransom.Cryptodefense 20180701
Tencent Win32.Trojan.Filecoder.Dvzp 20180702
TheHacker Trojan/Filecoder.CryptoWall.b 20180628
VBA32 Malware-Cryptor.ImgChk 20180629
VIPRE Trojan.Win32.Agent.wbca (v) 20180702
Webroot Trojan.Dropper.Gen 20180702
Yandex Trojan.Filecoder!AgN+h9djkX0 20180629
Zillya Trojan.KryptikCRTD.Win32.7881 20180629
ZoneAlarm by Check Point HEUR:Trojan.Win32.Generic 20180702
Engines with no detection (result column empty; signature update date shown):
AegisLab 20180702
AhnLab-V3 20180702
Avast-Mobile 20180702
Babable 20180406
Bkav 20180630
CAT-QuickHeal 20180701
ClamAV 20180702
CMC 20180701
Comodo 20180702
CrowdStrike Falcon (ML) 20180530
eGambit 20180702
Sophos ML 20180601
Jiangmin 20180702
Kingsoft 20180702
Qihoo-360 20180702
SentinelOne (Static ML) 20180701
SUPERAntiSpyware 20180701
TACHYON 20180702
TotalDefense 20180701
Trustlook 20180702
ViRobot 20180701
Zoner 20180701
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
Authenticode signature block and FileVersionInfo properties
Copyright
2003

Product Qymonuk
Original name Oqiwc.exe
Internal name Eli
File version 7, 2, 8
Description Foviruc Yrip Kyp
Signature verification A certificate was explicitly revoked by its issuer.
Signing date 8:58 PM 7/2/2014
Signers
[+] The Nielsen Company
Status This certificate or one of the certificates in the certificate chain is not time valid; trust for this certificate or one of the certificates in the certificate chain has been revoked.
Issuer VeriSign Class 3 Code Signing 2010 CA
Valid from 1:00 AM 7/2/2013
Valid to 12:59 AM 8/31/2016
Valid usage Code Signing
Algorithm sha1RSA
Thumbprint BD9CE17C3380CC71C4F3330154677669766CAB81
Serial number 30 1F 24 DA 9C 3D 72 27 B8 E7 72 DF 47 F3 1E 94
[+] VeriSign Class 3 Code Signing 2010 CA
Status Valid
Issuer VeriSign Class 3 Public Primary Certification Authority - G5
Valid from 1:00 AM 2/8/2010
Valid to 12:59 AM 2/8/2020
Valid usage Client Auth, Code Signing
Algorithm sha1RSA
Thumbprint 495847A93187CFB8C71F840CB7B41497AD95C64F
Serial number 52 00 E5 AA 25 56 FC 1A 86 ED 96 C9 D4 4B 33 C7
[+] VeriSign
Status Valid
Issuer VeriSign Class 3 Public Primary Certification Authority - G5
Valid from 1:00 AM 11/8/2006
Valid to 12:59 AM 7/17/2036
Valid usage Server Auth, Client Auth, Email Protection, Code Signing
Algorithm sha1RSA
Thumbprint 4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5
Serial number 18 DA D1 9E 26 7D E8 BB 4A 21 58 CD CC 6B 3B 4A
Counter signers
[+] COMODO Time Stamping Signer
Status This certificate or one of the certificates in the certificate chain is not time valid.
Issuer UTN-USERFirst-Object
Valid from 1:00 AM 5/10/2010
Valid to 12:59 AM 5/11/2015
Valid usage Timestamp Signing
Algorithm sha1RSA
Thumbprint 3DBB6DB5085C6DD5A1CA7F9CF84ECB1A3910CAC8
Serial number 47 8A 8E FB 59 E1 D8 3F 0C E1 42 D2 A2 87 07 BE
[+] USERTrust (Code Signing)
Status Valid
Issuer UTN-USERFirst-Object
Valid from 7:31 PM 7/9/1999
Valid to 7:40 PM 7/9/2019
Valid usage EFS, Timestamp Signing, Code Signing
Algorithm sha1RSA
Thumbprint E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46
Serial number 44 BE 0C 8B 50 00 24 B4 11 D3 36 2D E0 B3 5F 1B
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2011-03-01 04:22:45
Entry Point 0x000183F9
Number of sections 5
PE sections
Overlays
MD5 9493a603f621692eeaeddab13e012ded
File type data
Offset 179712
Size 6776
Entropy 7.35
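The header fields and overlay figures above come straight out of the PE structures: the DOS header gives the offset of the PE signature, the COFF header holds the machine type, section count and compile timestamp, the optional header holds the entry point and subsystem, and the overlay is whatever lies past the last byte claimed by any section's raw data (for this sample, 179712 + 6776 = 186488, the reported file size). The parser below is an added example written for this page, not code from VirusTotal or from the sample; it is fed a constructed minimal PE image whose machine, timestamp, entry point and subsystem are copied from the report, while its two sections and 512-byte overlay are made up, so the overlay offset, size and entropy it returns belong to the constructed file and not to the sample. Function and key names are my own.

```python
import math
import struct
from collections import Counter
from datetime import datetime, timezone

# IMAGE_FILE_MACHINE_* and IMAGE_SUBSYSTEM_* values as the report names them.
MACHINE_NAMES = {0x014C: "Intel 386 or later processors and compatible processors",
                 0x8664: "x64"}
SUBSYSTEM_NAMES = {2: "Windows GUI", 3: "Windows console"}


def shannon_entropy(buf: bytes) -> float:
    """Entropy in bits per byte; 8.0 is the maximum (uniformly distributed bytes)."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def parse_pe(data: bytes) -> dict:
    """Walk DOS header -> PE signature -> COFF header -> optional header -> section table.

    The overlay is everything after the highest PointerToRawData + SizeOfRawData
    of any section, so overlay offset + overlay size always equals the file size.
    """
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsect, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20                                  # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    entry = struct.unpack_from("<I", data, opt + 16)[0]      # AddressOfEntryPoint
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]  # Subsystem (same offset in PE32 and PE32+)
    sect_tbl = opt + opt_size
    sections, end_of_sections = [], 0
    for i in range(nsect):
        hdr = sect_tbl + 40 * i                      # IMAGE_SECTION_HEADER is 40 bytes
        name = data[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", data, hdr + 8)
        sections.append({"name": name, "vaddr": vaddr, "vsize": vsize,
                         "raw_offset": rawptr, "raw_size": rawsize})
        end_of_sections = max(end_of_sections, rawptr + rawsize)
    overlay = data[end_of_sections:] if end_of_sections < len(data) else b""
    return {
        "machine": MACHINE_NAMES.get(machine, hex(machine)),
        "pe_type": "PE32" if magic == 0x10B else "PE32+" if magic == 0x20B else hex(magic),
        "subsystem": SUBSYSTEM_NAMES.get(subsystem, str(subsystem)),
        "compile_time": datetime.fromtimestamp(timestamp, timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
        "entry_point": entry,
        "number_of_sections": nsect,
        "sections": sections,
        "overlay_offset": end_of_sections if overlay else None,
        "overlay_size": len(overlay),
        "overlay_entropy": round(shannon_entropy(overlay), 2),
    }


def _section(name: bytes, vsize: int, vaddr: int, rawsize: int, rawptr: int, chars: int) -> bytes:
    """One IMAGE_SECTION_HEADER (relocation/line-number fields zeroed)."""
    return struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, rawsize, rawptr, 0, 0, 0, 0, chars)


def build_sample_pe() -> bytes:
    """Constructed, non-runnable PE32 image: header values from the report,
    sections and overlay made up for the demonstration."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)               # e_lfanew: PE signature at 0x40
    coff = struct.pack("<HHIIIHH", 0x014C, 2, 1298953365, 0, 0, 224, 0x0102)  # 2011-03-01 04:22:45 UTC
    opt = bytearray(224)                                  # size of a PE32 optional header
    struct.pack_into("<HBB", opt, 0, 0x10B, 9, 0)         # PE32 magic, linker version 9.0
    struct.pack_into("<I", opt, 16, 0x183F9)              # AddressOfEntryPoint from the report
    struct.pack_into("<H", opt, 68, 2)                    # IMAGE_SUBSYSTEM_WINDOWS_GUI
    sections = (_section(b".text", 0x1000, 0x1000, 0x200, 0x400, 0x60000020)
                + _section(b".data", 0x1000, 0x2000, 0x200, 0x600, 0xC0000040))
    image = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sections).ljust(0x800, b"\0")
    overlay = bytes(range(256)) * 2                       # each byte value twice: entropy exactly 8.0
    return image + overlay


if __name__ == "__main__":
    for key, value in parse_pe(build_sample_pe()).items():
        print(f"{key}: {value}")
```

Pointing the parser at the actual sample would reproduce the numbers in the report; a high-entropy overlay like the 7.35 reported here is what encrypted or compressed appended data looks like, which is why the `overlay` tag is worth noticing alongside the revoked-certificate tag.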
PE imports
EnumUILanguagesA
CreateJobObjectA
GetUserDefaultLangID
FindNextVolumeA
GetCommMask
CreateTimerQueue
GlobalUnfix
CommConfigDialogA
GetQueuedCompletionStatus
WritePrivateProfileStringA
GetStringTypeExW
Process32First
GetSystemDefaultLCID
SetErrorMode
lstrcatW
_lread
Process32FirstW
WritePrivateProfileStringW
EnumResourceTypesA
WaitForDebugEvent
GlobalAddAtomA
CreateSemaphoreW
GetProcessPriorityBoost
DeleteAtom
SetVolumeLabelW
GetCalendarInfoA
ReadDirectoryChangesW
GetCommState
LocalHandle
EnumLanguageGroupLocalesA
OutputDebugStringA
PdhGetDllVersion
PdhVbIsGoodStatus
PdhGetDataSourceTimeRangeA
PdhOpenLogA
PdhExpandCounterPathW
PdhGetCounterInfoA
PdhSelectDataSourceA
PdhOpenQueryW
PdhExpandCounterPathA
PdhUpdateLogA
PdhVbGetCounterPathFromList
PdhSetCounterScaleFactor
PdhGetFormattedCounterValue
PdhSelectDataSourceW
PdhVbGetCounterPathElements
PdhConnectMachineW
ResUtilVerifyPropertyTable
ResUtilSetPropertyParameterBlockEx
ResUtilEnumProperties
ResUtilGetResourceNameDependency
ResUtilResourcesEqual
ResUtilAddUnknownProperties
ResUtilSetResourceServiceStartParameters
ResUtilSetBinaryValue
ResUtilFindMultiSzProperty
ResUtilCreateDirectoryTree
ResUtilStartResourceService
ResUtilVerifyPrivatePropertyList
ResUtilExpandEnvironmentStrings
ResUtilGetProperty
ResUtilGetPropertiesToParameterBlock
ResUtilFindSzProperty
ResUtilDupParameterBlock
ClusWorkerCreate
ResUtilFreeEnvironment
ResUtilGetSzProperty
ResUtilGetResourceDependentIPAddressProps
DialogBoxParamA
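The imphash listed later under File identification (0640a10ac91c830dd14b0bd80f352502) is a summary of exactly this import table: each import becomes a lower-cased `module.function` token (module suffixes `.dll`/`.ocx`/`.sys` dropped, ordinal-only imports written as `ordN`), the tokens are joined with commas in import-table order, and the MD5 of that string is the hash. The implementation below is an added example, not code from VirusTotal or pefile, although it follows the same normalization rules as pefile's get_imphash. The import list it runs on is constructed: a few of the functions above assigned to the DLLs that export them, plus one made-up ordinal import. Because the page does not give the sample's full import table or its order, the value this prints is not expected to match the report's imphash.

```python
import hashlib
from typing import Iterable, Tuple, Union

# Module suffixes dropped before hashing.
_STRIPPED_EXTENSIONS = ("dll", "ocx", "sys")


def normalize_import(dll: str, func: Union[str, int]) -> str:
    """Build the 'module.function' token for one import.

    The module name is lower-cased and loses a .dll/.ocx/.sys suffix; a
    function imported by ordinal becomes 'ordN' (pefile first consults a
    table of well-known ordinals for a few system DLLs; omitted here).
    """
    lib = dll.lower()
    base, dot, ext = lib.rpartition(".")
    if dot and ext in _STRIPPED_EXTENSIONS:
        lib = base
    name = f"ord{func}" if isinstance(func, int) else func.lower()
    return f"{lib}.{name}"


def imphash(imports: Iterable[Tuple[str, Union[str, int]]]) -> str:
    """MD5 of the comma-joined tokens, in import-table order (order matters)."""
    tokens = [normalize_import(dll, func) for dll, func in imports]
    return hashlib.md5(",".join(tokens).encode("ascii")).hexdigest()


# Constructed sample import table (DLL assignments are the exporting modules;
# the ordinal entry is made up). Not the sample's real table.
SAMPLE_IMPORTS = [
    ("KERNEL32.dll", "EnumUILanguagesA"),
    ("KERNEL32.dll", "CreateJobObjectA"),
    ("KERNEL32.dll", "Process32First"),
    ("pdh.dll", "PdhOpenQueryW"),
    ("resutil.dll", "ResUtilVerifyPropertyTable"),
    ("USER32.dll", "DialogBoxParamA"),
    ("ws2_32.dll", 23),  # ordinal-only import (constructed)
]

if __name__ == "__main__":
    print(",".join(normalize_import(d, f) for d, f in SAMPLE_IMPORTS))
    print(imphash(SAMPLE_IMPORTS))
```

Two properties matter when pivoting on this hash: it is insensitive to case and to the module suffix, so trivially relinked builds still collide, but it is sensitive to import order, so a rebuilt or repacked binary with the same API set in a different order gets a different value.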
Number of PE resources by type
RT_GROUP_ICON 5
RT_STRING 3
RT_GROUP_CURSOR 2
RT_DLGINCLUDE 2
RT_MENU 2
RT_RCDATA 1
RT_FONT 1
Struct(18) 1
RT_VERSION 1
Number of PE resources by language
CHINESE TRADITIONAL 12
ENGLISH AUS 6
PE resources
ExifTool file metadata
MIMEType application/octet-stream
Subsystem Windows GUI
MachineType Intel 386 or later, and compatibles
TimeStamp 2011:03:01 05:22:45+01:00
FileType Win32 EXE
PEType PE32
CodeSize 110592
LinkerVersion 9.0
FileTypeExtension exe
InitializedDataSize 389120
SubsystemVersion 4.0
EntryPoint 0x183f9
OSVersion 4.0
ImageVersion 10.2
UninitializedDataSize 0

Compressed bundles
PCAP parents
File identification
MD5 1625fd5912a2d620c4a423227d59b241
SHA1 f34e8672d9d64700a56bf8dc5e2f3dd7140f85ee
SHA256 968d47391cddb4ff7ca360d805409365799e0b3fadd74feef07505213db64ba2
ssdeep 3072:uMMTyHx7Y2YlPQG699Knriw49K9grtS+zZIxNbVVDRJOlEuXC:zMIM1V6K0vXSVDOXC
authentihash c882beb532925be7dc42363b2886416b0df031964d676c25fc28455726393828
imphash 0640a10ac91c830dd14b0bd80f352502
File size 182.1 KB ( 186488 bytes )
File type Win32 EXE
Magic literal PE32 executable for MS Windows (GUI) Intel 80386 32-bit

TrID Win32 Dynamic Link Library (generic) (38.4%)
Win32 Executable (generic) (26.3%)
OS/2 Executable (generic) (11.8%)
Generic Win/DOS Executable (11.6%)
DOS Executable Generic (11.6%)
Tags
revoked-cert peexe signed overlay

VirusTotal metadata
First submission 2014-07-03 01:42:56 UTC ( 4 years, 6 months ago )
Last submission 2017-05-16 20:21:18 UTC ( 1 year, 8 months ago )
File names Eli
1625FD5912A2D620C4A423227D59B241
1625FD5912A2D620C4A423227D59B241.exe
2014-07-03-Nuclear-EK-malware-payload.exe
vti-rescan
Oqiwc.exe
Nuclear-EK-malware-payload.exe
Condensed report! The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.
Opened files
Read files
Created processes
Opened mutexes
Runtime DLLs