SHA256: 98fcc9d8016d25cf5db02e74b693d57c5e79f6cc01fb3455b5ca17de8633d0ee
File name: KB05501032.exe
Detection ratio: 31 / 52
Analysis date: 2014-05-15 14:13:52 UTC
Antivirus Result Update
Ad-Aware Trojan.GenericKD.1679774 20140515
Yandex TrojanSpy.Zbot!rcPkIIGQKJo 20140515
Antiy-AVL Trojan[Spy]/Win32.Zbot 20140515
AVG Zbot.IRY 20140515
Baidu-International Trojan.Win32.Zbot.aHPy 20140515
BitDefender Trojan.GenericKD.1679774 20140515
Bkav HW32.CDB.4941 20140515
Emsisoft Trojan.GenericKD.1679774 (B) 20140515
ESET-NOD32 Win32/Spy.Zbot.YW 20140515
F-Secure Trojan.GenericKD.1679774 20140515
Fortinet W32/Zbot.SJWI!tr 20140515
GData Trojan.GenericKD.1679774 20140515
Ikarus Virus.Win32.Zbot 20140515
K7AntiVirus Spyware ( 00009b291 ) 20140515
K7GW Spyware ( 00009b291 ) 20140515
Kaspersky Trojan-Spy.Win32.Zbot.sjwi 20140515
Kingsoft Win32.Troj.Generic.a.(kcloud) 20140515
Malwarebytes Spyware.Zbot.VXGen 20140515
McAfee PWSZbot-FXW!A26C3B9358CB 20140515
McAfee-GW-Edition Artemis!A26C3B9358CB 20140515
Microsoft PWS:Win32/Zbot 20140515
eScan Trojan.GenericKD.1679774 20140515
nProtect Trojan.GenericKD.1679774 20140515
Panda Trj/CI.A 20140515
Qihoo-360 HEUR/Malware.QVM20.Gen 20140515
Rising PE:Malware.XPACK-HIE/Heur!1.9C48 20140507
Sophos AV Mal/Ransom-CO 20140515
Symantec WS.Reputation.1 20140515
Tencent Win32.Trojan.Bp-qqthief.Iqpl 20140515
TrendMicro-HouseCall TROJ_GEN.F47V0513 20140515
VIPRE Trojan.Win32.Generic!BT 20140515
AegisLab 20140515
AhnLab-V3 20140515
AntiVir 20140515
Avast 20140515
ByteHero 20140227
CAT-QuickHeal 20140515
ClamAV 20140515
CMC 20140512
Commtouch 20140515
Comodo 20140515
DrWeb 20140515
F-Prot 20140515
Jiangmin 20140515
NANO-Antivirus 20140515
Norman 20140515
SUPERAntiSpyware 20140515
TheHacker 20140513
TotalDefense 20140515
TrendMicro 20140515
VBA32 20140514
ViRobot 20140515
Zillya 20140514
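The table above mixes family names (Zbot, the Zeus banking trojan) with generic classifications (GenericKD, Generic!BT, Ransom-CO) and with pure reputation or heuristic verdicts (McAfee's Artemis!, Symantec's WS.Reputation.1, Qihoo's HEUR/), and a raw detection ratio treats them all alike. The following is an added example, not part of the VirusTotal report, that extracts a family consensus from rows like these: it tokenises each vendor name, drops platform and class words, counts one vote per engine, and sets reputation-only hits aside because they name no family at all. The sample rows are a constructed subset of the table above; the NOISE word list and the reputation prefixes are this example's own assumptions and do not cover every vendor convention (McAfee's fused PWSZbot prefix, for instance, would need vendor-specific splitting). Note also that the suffix in McAfee's two results, A26C3B9358CB, is simply the first twelve hex digits of the file's MD5 listed further down, not a family identifier.

```python
import re
from collections import Counter

# Tokens that describe a class, platform or verdict type rather than a family.
# Assumption of this example; extend per vendor.
NOISE = {"trojan", "trojanspy", "spy", "spyware", "pws", "win32", "w32", "mal",
         "malware", "heur", "gen", "generic", "virus", "trj", "tr", "bt", "ws"}

# Name prefixes that mean "flagged by cloud/reputation/heuristic scoring", not
# by a family signature: McAfee Artemis!, Symantec WS.Reputation and
# Suspicious.Insight, Qihoo HEUR/. Assumed list, not exhaustive.
REPUTATION_PREFIXES = ("Artemis!", "WS.Reputation", "Suspicious.Insight", "HEUR/", "HEUR.")


def is_reputation_only(name: str) -> bool:
    return name.startswith(REPUTATION_PREFIXES)


def family_tokens(name: str) -> set:
    """Split a vendor detection name into candidate family tokens, dropping
    platform/class words, numeric variant counters and short suffixes."""
    toks = set()
    for t in re.split(r"[^A-Za-z0-9]+", name):
        t = t.lower()
        if len(t) < 3 or t.isdigit() or t in NOISE:
            continue
        toks.add(t)
    return toks


def summarize(detections):
    """detections: list of (engine, result). Returns the most common family
    token across signature-based engines, the full token counter, the engines
    whose hit is a reputation/heuristic verdict only, and how many engines
    actually contributed a family vote."""
    families = Counter()
    reputation_only = []
    for engine, name in detections:
        if is_reputation_only(name):
            reputation_only.append(engine)
            continue
        families.update(family_tokens(name))   # one vote per engine per token
    top = families.most_common(1)[0] if families else None
    return {
        "top": top,
        "families": families,
        "reputation_only": reputation_only,
        "signature_engines": len(detections) - len(reputation_only),
    }


# Constructed subset of the rows in the table above: (engine, result).
SAMPLE = [
    ("Ad-Aware", "Trojan.GenericKD.1679774"),
    ("Yandex", "TrojanSpy.Zbot!rcPkIIGQKJo"),
    ("Antiy-AVL", "Trojan[Spy]/Win32.Zbot"),
    ("AVG", "Zbot.IRY"),
    ("ESET-NOD32", "Win32/Spy.Zbot.YW"),
    ("Fortinet", "W32/Zbot.SJWI!tr"),
    ("Microsoft", "PWS:Win32/Zbot"),
    ("Sophos AV", "Mal/Ransom-CO"),
    ("Symantec", "WS.Reputation.1"),
    ("Qihoo-360", "HEUR/Malware.QVM20.Gen"),
    ("McAfee-GW-Edition", "Artemis!A26C3B9358CB"),
]

if __name__ == "__main__":
    s = summarize(SAMPLE)
    print("consensus family:", s["top"])
    print("reputation-only engines:", s["reputation_only"])
    print("engines with a family vote:", s["signature_engines"])
```

Variant suffixes such as "iry" or "sjwi" survive the filter and show up with a count of one; they never threaten the top slot on a real table, but treat single-vote tokens as noise when reporting.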
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
FileVersionInfo properties
Copyright 2000
Publisher Hogwarts
Product Ihyluko
Original name Odawvrry.exe
Internal name Duhypyw
File version 4, 8, 8
Description Sip Vonoda Yqis
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2011-03-17 04:26:31
Entry Point 0x0001149A
Number of sections 5
PE sections
Overlays
MD5 029efd59131d674db7d9b0e0664b0c4a
File type data
Offset 222720
Size 512
Entropy 7.59
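The overlay figures above are worth checking against each other: offset 222720 plus size 512 equals the 223232-byte file size, so the overlay is exactly the trailing 512 bytes, and an entropy of 7.59 bits per byte is close to the 8.0 ceiling, which is what compressed or encrypted data looks like (it says nothing about what the data is). The following is an added example, not code from the report or from VirusTotal, showing how those three numbers are derived: it reads the COFF header and section table by hand, takes the overlay as everything past the highest PointerToRawData + SizeOfRawData, and computes Shannon entropy over it. It also decodes the header's TimeDateStamp, which is where the "Compilation timestamp" above comes from. The input is a constructed minimal PE32 image built in the same block (not the sample itself), with the report's timestamp value assumed as its TimeDateStamp.

```python
import math
import struct
from datetime import datetime, timezone


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte: 0.0 for a constant
    run, 8.0 when all 256 byte values are equally frequent."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def find_overlay(pe: bytes) -> dict:
    """Read the COFF header and section table without a PE library and report
    whatever follows the last section's raw data: that trailing region is the
    overlay. Also decodes the link-time TimeDateStamp."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, nsections, stamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, coff)
    table = coff + 20 + opt_size
    sections, end = [], 0
    for i in range(nsections):
        # IMAGE_SECTION_HEADER: Name, VirtualSize, VirtualAddress,
        # SizeOfRawData, PointerToRawData (the remaining 16 bytes are not needed)
        name, _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from(
            "<8sIIII", pe, table + 40 * i)
        sections.append(name.rstrip(b"\0").decode("ascii", "replace"))
        end = max(end, raw_ptr + raw_size)
    overlay = pe[end:]
    return {
        "compile_time": datetime.fromtimestamp(stamp, tz=timezone.utc).isoformat(),
        "sections": sections,
        "overlay_offset": end,
        "overlay_size": len(overlay),
        "overlay_entropy": round(shannon_entropy(overlay), 2),
    }


def build_sample_pe(section_data: bytes, overlay: bytes, stamp: int) -> bytes:
    """Constructed test input: a minimal (non-runnable) PE32 image with one
    .text section at file offset 0x200 and `overlay` appended after it."""
    raw_size = (len(section_data) + 0x1FF) & ~0x1FF          # 512-byte file alignment
    hdr = bytearray(0x200)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)                  # e_lfanew
    hdr[0x80:0x84] = b"PE\0\0"
    # Machine 0x14C = i386, one section, 224-byte PE32 optional header,
    # Characteristics = EXECUTABLE_IMAGE | 32BIT_MACHINE
    struct.pack_into("<HHIIIHH", hdr, 0x84, 0x14C, 1, stamp, 0, 0, 224, 0x0102)
    struct.pack_into("<H", hdr, 0x84 + 20, 0x10B)            # optional header Magic: PE32
    struct.pack_into("<8sIIII", hdr, 0x84 + 20 + 224,
                     b".text", len(section_data), 0x1000, raw_size, 0x200)
    return bytes(hdr) + section_data.ljust(raw_size, b"\0") + overlay


# Constructed sample: 100 'ret' bytes as code plus a 512-byte overlay in which
# every byte value occurs exactly twice, so entropy reaches the 8.0 ceiling.
# The stamp is the report's compile time, 2011-03-17 04:26:31 UTC (assumed).
SAMPLE_OVERLAY = bytes(range(256)) * 2
SAMPLE_PE = build_sample_pe(b"\xC3" * 100, SAMPLE_OVERLAY, 1300335991)

if __name__ == "__main__":
    for key, value in find_overlay(SAMPLE_PE).items():
        print(f"{key}: {value}")
```

Run it against a real file with `find_overlay(open(path, "rb").read())`; a non-zero overlay_size with entropy near 8 is the trigger to carve the trailing bytes out and look for a packer stub or an embedded configuration, and a TimeDateStamp far from the first-seen date (three years here) is a reminder that the field is writable by whoever builds the binary.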
PE imports (function names only; judging by which system library exports each name, the list below runs through advapi32, advpack, clusapi, comctl32, kernel32, netapi32, ntdll, rasapi32 and user32 in that order)
LsaSetTrustedDomainInformation
BuildTrusteeWithObjectsAndSidA
OpenServiceW
RegSetKeySecurity
RegDisablePredefinedCache
GetExplicitEntriesFromAclA
CryptCreateHash
RegOpenKeyA
LsaClose
RegConnectRegistryW
SetServiceObjectSecurity
EnumServicesStatusExA
StartTraceA
BuildImpersonateTrusteeW
LsaSetInformationPolicy
RegLoadKeyA
RemoveUsersFromEncryptedFile
ObjectPrivilegeAuditAlarmW
GetLocalManagedApplications
CreateRestrictedToken
CryptVerifySignatureA
LsaEnumerateTrustedDomains
CryptDecrypt
CryptDestroyHash
AddAccessDeniedAceEx
BuildTrusteeWithObjectsAndNameW
BackupEventLogA
StartServiceA
SetUserFileEncryptionKey
SetPrivateObjectSecurityEx
ConvertSecurityDescriptorToStringSecurityDescriptorA
RegInstall
RegSaveRestore
DelNodeRunDLL32
GetVersionFromFile
LaunchINFSectionEx
AddDelBackupEntry
CloseINFEngine
DeleteClusterResourceType
OpenCluster
ClusterGroupCloseEnum
GetClusterQuorumResource
GetClusterResourceKey
OpenClusterResource
ClusterRegDeleteKey
ImageList_BeginDrag
ImageList_LoadImageA
FlatSB_SetScrollInfo
CreateStatusWindowA
ImageList_DragMove
ImageList_SetOverlayImage
ImageList_LoadImageW
LocalCompact
DeviceIoControl
GetShortPathNameW
GetSystemWindowsDirectoryA
TlsAlloc
FindNextVolumeW
GetPrivateProfileStructW
GetAtomNameA
CompareFileTime
SetFileTime
GetPrivateProfileStructA
GetDateFormatW
EnumTimeFormatsA
RequestWakeupLatency
GetCommModemStatus
GetLogicalDrives
ExpandEnvironmentStringsW
GetExitCodeThread
FindFirstFileA
GetSystemTimeAsFileTime
QueryInformationJobObject
DuplicateHandle
GetDiskFreeSpaceA
GetProcessAffinityMask
FindCloseChangeNotification
GetProcessShutdownParameters
IsValidCodePage
LoadResource
FindResourceW
GlobalHandle
TlsGetValue
InterlockedIncrement
CreateHardLinkW
NetServiceControl
DsAddressToSiteNamesExA
NetJoinDomain
NetUserModalsSet
DsGetDcNameW
NetUserGetLocalGroups
NetMessageNameAdd
NetDfsRemoveStdRoot
NetUnjoinDomain
NetReplExportDirGetInfo
NetFileClose
NetDfsGetClientInfo
NetGroupDel
NetReplImportDirLock
DsGetDcSiteCoverageW
NetApiBufferAllocate
I_BrowserDebugTrace
NetDfsSetClientInfo
DsDeregisterDnsHostRecordsW
NetShareSetInfo
NetDfsGetInfo
NetApiBufferReallocate
NetLocalGroupDelMember
NetServerSetInfo
NetUnregisterDomainNameChangeNotification
DsGetSiteNameA
I_BrowserResetStatistics
NetShareDel
NetLocalGroupDel
NetLocalGroupAddMember
NetUseAdd
NetWkstaTransportAdd
RtlDowncaseUnicodeString
LdrUnloadDll
NtOpenEvent
ZwFreeUserPhysicalPages
RtlGetProcessHeaps
ZwListenPort
NtSaveKey
RtlCancelTimer
NtCreateDirectoryObject
RtlLengthRequiredSid
ZwCreateProcess
RtlGetCurrentDirectory_U
NtDisplayString
ZwSaveMergedKeys
RtlEmptyAtomTable
RtlCreateQueryDebugBuffer
RtlFreeHeap
ZwNotifyChangeDirectoryFile
RtlQueryTagHeap
NtSetIoCompletion
NtReadRequestData
NtCreateProcess
LdrFindEntryForAddress
NtOpenIoCompletion
NtOpenMutant
NtSetHighWaitLowEventPair
ZwSetInformationKey
NtVdmControl
NtFilterToken
RtlCopySecurityDescriptor
RtlCopyLuid
NtSetTimerResolution
RasQueryRedialOnLinkFailure
RasValidateEntryNameA
RasClearConnectionStatistics
RasEnumConnectionsW
RasEnumEntriesW
RasGetCredentialsW
RasSetAutodialAddressA
RasSetCustomAuthDataA
RasGetEntryPropertiesW
RasGetEntryHrasconnW
RasSetAutodialAddressW
RasSetEntryDialParamsW
RasSetEntryPropertiesA
RasGetProjectionInfoA
RasGetHport
RasIsSharedConnection
RasSetAutodialEnableA
RasGetCustomAuthDataA
RasGetErrorStringW
RasEnumDevicesW
RasAutodialAddressToNetwork
RasDeleteEntryA
RasSetAutodialEnableW
RasDialA
RasGetEapUserDataW
GetCursorPos
GetKeyboardType
GetFocus
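The import list above is unusually wide for a 218 KB GUI executable: LSA policy and trusted-domain calls, cluster management, INF installation helpers, netapi32 domain-join and share functions, RAS dial-up, and a long run of undocumented Nt/Zw native calls, beside the three user32 functions a GUI program would ordinarily need. Whatever the reason, a table like this feeds the imphash shown further down (dfcc905511ba51ea0c872d6333dc3d2a), and imphash is sensitive to both the set and the order of imports, so any change in that padding between builds yields a different value; it clusters samples from one build process, not one family. The following is an added example, not code from the report or from VirusTotal, implementing the standard imphash recipe (lowercase, strip .dll/.ocx/.sys from the library name, "dll.func" for each entry, "ordN" for ordinals, comma-joined, MD5) together with a coarse prefix profile of the table. The input is a constructed subset of the names above; the DLL attribution is this example's assumption and the order does not reproduce the sample's real import directory, so the computed hash will not match the report's.

```python
import hashlib
from collections import Counter

# Library-name extensions that the imphash recipe strips before hashing.
_STRIP = (".dll", ".ocx", ".sys")


def imphash_string(imports) -> str:
    """Build the canonical 'dll.func,dll.func,...' string that imphash is the
    MD5 of. `imports` is a list of (dll_name, [name_or_ordinal, ...]) in
    import-directory order; that order is part of the hash input."""
    parts = []
    for dll, funcs in imports:
        lib = dll.lower()
        for ext in _STRIP:
            if lib.endswith(ext):
                lib = lib[: -len(ext)]
                break
        for f in funcs:
            fn = f"ord{f}" if isinstance(f, int) else f.lower()
            parts.append(f"{lib}.{fn}")
    return ",".join(parts)


def imphash(imports) -> str:
    return hashlib.md5(imphash_string(imports).encode("ascii")).hexdigest()


# Prefix families used by api_profile; order matters (Net before Nt).
API_FAMILIES = ("Lsa", "Crypt", "Reg", "Net", "Ras", "Nt", "Zw")


def api_profile(imports) -> Counter:
    """Count imported names by a coarse prefix family: LSA policy, CryptoAPI,
    registry, netapi32 domain/share, RAS dial-up and native Nt/Zw calls.
    Everything else (including ordinals) is counted separately."""
    prof = Counter()
    for _dll, funcs in imports:
        for f in funcs:
            if isinstance(f, int):
                prof["ordinal"] += 1
                continue
            fam = next((p for p in API_FAMILIES if f.startswith(p)), "other")
            prof[fam] += 1
    return prof


# Constructed subset of the report's import names. DLL attribution is an
# assumption (the library that exports each name); the order is arbitrary.
SAMPLE_IMPORTS = [
    ("ADVAPI32.dll", ["LsaSetTrustedDomainInformation", "CryptCreateHash",
                      "RegOpenKeyA", "CreateRestrictedToken"]),
    ("CLUSAPI.dll", ["OpenCluster", "GetClusterQuorumResource"]),
    ("KERNEL32.dll", ["DeviceIoControl", "TlsAlloc", "FindFirstFileA", "DuplicateHandle"]),
    ("NETAPI32.dll", ["NetJoinDomain", "NetLocalGroupAddMember"]),
    ("ntdll.dll", ["NtCreateProcess", "NtFilterToken", "ZwCreateProcess"]),
    ("RASAPI32.dll", ["RasDialA", "RasGetCredentialsW"]),
    ("USER32.dll", ["GetCursorPos", "GetKeyboardType", "GetFocus"]),
]

if __name__ == "__main__":
    print("imphash input:", imphash_string(SAMPLE_IMPORTS)[:80], "...")
    print("imphash:", imphash(SAMPLE_IMPORTS))
    print("profile:", dict(api_profile(SAMPLE_IMPORTS)))
```

Swapping two DLL entries, or inserting one junk function, changes the digest completely, which is the point to remember when an imphash pivot returns nothing: the absence of a match does not separate this build from its siblings.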
Number of PE resources by type
RT_MENU 181
RT_DIALOG 138
RT_VERSION 1
Number of PE resources by language
ENGLISH AUS 320
PE resources
ExifTool file metadata
MIMEType application/octet-stream
Subsystem Windows GUI
MachineType Intel 386 or later, and compatibles
TimeStamp 2011:03:17 05:26:31+01:00
FileType Win32 EXE
PEType PE32
CodeSize 77824
LinkerVersion 8.0
FileTypeExtension exe
InitializedDataSize 376832
SubsystemVersion 4.0
EntryPoint 0x1149a
OSVersion 5.0
ImageVersion 0.0
UninitializedDataSize 0
File identification
MD5 a26c3b9358cb6e2bdd721288d90e58cc
SHA1 2c1486659f2c6f786fa72ce73f35c50f471a6557
SHA256 98fcc9d8016d25cf5db02e74b693d57c5e79f6cc01fb3455b5ca17de8633d0ee
ssdeep 6144:XitlySO0vLm88lnO5XIjkXkyo9TnzETsUG:SrH1IjAG1wIt
authentihash 61090fed40072219ed16fb4ace4ae5a66676c3864d6de9f0b57c66ce4eab4de1
imphash dfcc905511ba51ea0c872d6333dc3d2a
File size 218.0 KB ( 223232 bytes )
File type Win32 EXE
Magic literal PE32 executable for MS Windows (GUI) Intel 80386 32-bit
TrID Win32 Dynamic Link Library (generic) (43.5%)
Win32 Executable (generic) (29.8%)
Generic Win/DOS Executable (13.2%)
DOS Executable Generic (13.2%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
Tags peexe overlay
VirusTotal metadata
First submission 2014-05-13 08:14:41 UTC
Last submission 2014-06-16 01:10:35 UTC
File names Odawvrry.exe
tq0Z5j1DR.xml
mjjofjj.exe
KB05501032.exe
output.27250297.txt
27250297
vti-rescan
flvplayer3.exe
Duhypyw
Advanced heuristic and reputation engines
Symantec reputation Suspicious.Insight
Condensed report! The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.
Opened files
Read files
Written files
Copied files
Moved files
Deleted files
Created processes
Code injections in the following processes
Created mutexes
Opened mutexes
Searched windows
Opened service managers
Opened services
Runtime DLLs
Additional details
The file sends control codes directly to certain device drivers making use of the DeviceIoControl Windows API function.
HTTP requests
DNS requests
TCP connections