SHA256: 9bb8671774e6ce60cc5b9e3c166bd1ee577a3f1cbb5b4957de595a53d5b461d0
File name: 50bea589f7d7958bdd2528a8f69d05cc.exe
Detection ratio: 39 / 50
Analysis date: 2014-03-08 16:09:26 UTC ( 1 month, 2 weeks ago )
Antivirus Result Update
AVG Win64/Patched.A 20140308
Ad-Aware Trojan.Patched.Sirefef.A 20140308
AhnLab-V3 Win-Trojan/Sirefef.329216.B 20140308
AntiVir W32/Patched.UC 20140308
Avast Win32:Sirefef-ZT [Trj] 20140308
Baidu-International Trojan.Win32.Agent.40 20140308
BitDefender Trojan.Patched.Sirefef.A 20140308
Bkav W32.Clode9b.Trojan.8f72 20140308
CAT-QuickHeal Trojan.Agent.WD.cw6 20140308
CMC Virus.Win64.ZAccess!O 20140307
ClamAV Win.Trojan.Sirefef-5 20140308
Commtouch W64/Sirefef.REAE-0240 20140308
Comodo TrojWare.Win32.ZAccess.~AA 20140308
DrWeb BackDoor.Maxplus.10777 20140308
ESET-NOD32 Win64/Sirefef.AX 20140308
Emsisoft Trojan.Patched.Sirefef.A (B) 20140308
F-Prot W64/Sirefef.K 20140307
F-Secure Virus:W64/ZeroAccess.A 20140308
Fortinet W64/Patched.A!tr 20140308
GData Trojan.Patched.Sirefef.A 20140308
Ikarus Virus.Win64 20140308
K7AntiVirus Trojan ( 003b22a81 ) 20140307
K7GW Trojan ( 0049080e1 ) 20140307
Kaspersky Virus.Win64.ZAccess.a 20140308
Malwarebytes Rootkit.0Access 20140308
McAfee ZeroAccess 20140308
McAfee-GW-Edition ZeroAccess 20140308
MicroWorld-eScan Trojan.Patched.Sirefef.A 20140308
Microsoft Virus:Win64/Sirefef.A 20140308
NANO-Antivirus Trojan.Win64.ZAccess.ccdazg 20140308
Norman ZAccess.KVF 20140308
Panda Generic Malware 20140308
Sophos W32/ZAccInf-A 20140308
Symantec Trojan.Zeroaccess!inf4 20140308
TheHacker Trojan/Sirefef.ax 20140308
TotalDefense Win32/Zaccess.ES 20140307
TrendMicro PTCH64_SIREFEF.A 20140308
TrendMicro-HouseCall PTCH64_SIREFEF.A 20140308
VIPRE Trojan.Win32.Generic!BT 20140308
Agnitum 20140308
Antiy-AVL 20140308
ByteHero 20140308
Jiangmin 20140308
Kingsoft 20140308
Qihoo-360 20140308
Rising 20140308
SUPERAntiSpyware 20140308
VBA32 20140308
ViRobot 20140308
nProtect 20140307
The file being studied is a Portable Executable file. More specifically, it is a Win32 EXE file for the Windows GUI subsystem that targets 64-bit architectures.
Authenticode signature block
Copyright
© Microsoft Corporation. All rights reserved.

Publisher Microsoft Corporation
Product Microsoft® Windows® Operating System
Original name services.exe.mui
Internal name services.exe
File version 6.1.7600.16385 (win7_rtm.090713-1255)
Description Services and Controller app
PE header basic information
Target machine x64
Compilation timestamp 2009-07-13 23:19:42
Link date 12:19 AM 7/14/2009
Entry Point 0x00013310
Number of sections 6
PE sections
PE imports
SetUnhandledExceptionFilter
GetLastError
SetErrorMode
UnhandledExceptionFilter
SetLastError
FindNextFileW
FindFirstFileW
FindClose
CreateFileW
CreateDirectoryW
SetFileInformationByHandle
DuplicateHandle
CloseHandle
HeapFree
HeapSetInformation
HeapAlloc
HeapCreate
FreeLibrary
LoadStringW
GetProcAddress
LoadLibraryExW
GetModuleHandleW
RegGetKeySecurity
RegLoadMUIStringW
RegCloseKey
RegSetValueExW
RegCreateKeyExW
RegOpenKeyExW
RegSetKeySecurity
RegNotifyChangeKeyValue
RegQueryValueExW
IsWow64Process
LocalAlloc
Sleep
LocalFree
lstrlenW
ExpandEnvironmentStringsW
GetEnvironmentVariableW
GetProcessId
OpenThreadToken
DeleteProcThreadAttributeList
GetCurrentProcess
TerminateProcess
ResumeThread
OpenProcessToken
CreateThread
SetThreadPriority
GetCurrentProcessId
CreateProcessW
UpdateProcThreadAttribute
InitializeProcThreadAttributeList
GetProcessTimes
SetProcessShutdownParameters
ExitThread
GetCurrentThreadId
CreateProcessAsUserW
GetCurrentThread
QueryPerformanceCounter
WaitForMultipleObjectsEx
EnterCriticalSection
CreateEventW
InitializeCriticalSection
OpenProcess
OpenEventW
WaitForSingleObject
SetEvent
ResetEvent
LeaveCriticalSection
GetSystemTime
GetSystemTimeAsFileTime
GetSystemDirectoryW
GetVersionExW
GetTickCount
GetComputerNameExW
SetSecurityDescriptorOwner
GetTokenInformation
RevertToSelf
SetTokenInformation
GetKernelObjectSecurity
FreeSid
CopySid
SetSecurityDescriptorDacl
GetSecurityDescriptorDacl
AddAccessAllowedAce
AllocateAndInitializeSid
InitializeSecurityDescriptor
AdjustTokenPrivileges
InitializeAcl
EqualSid
GetLengthSid
ImpersonateLoggedOnUser
CheckTokenMembership
AddAce
AllocateLocallyUniqueId
SetKernelObjectSecurity
LsaLookupOpenLocalPolicy
LsaLookupClose
LsaLookupGetDomainInfo
LsaLookupTranslateSids
LsaLookupFreeMemory
LsaLookupManageSidNameMapping
LsaLookupTranslateNames
ConvertSecurityDescriptorToStringSecurityDescriptorW
ConvertSidToStringSidW
ConvertStringSecurityDescriptorToSecurityDescriptorW
SystemFunction005
SystemFunction029
UuidFromStringW
RpcRevertToSelf
RpcServerSubscribeForNotification
RpcStringBindingParseW
RpcBindingToStringBindingW
RpcImpersonateClient
RpcServerRegisterAuthInfoW
RpcAsyncAbortCall
RpcEpRegisterW
I_RpcMapWin32Status
RpcBindingFree
RpcServerInqBindings
I_RpcSessionStrictContextHandle
UuidEqual
RpcStringFreeW
RpcServerUnsubscribeForNotification
NdrServerCall2
I_RpcBindingIsClientLocal
RpcServerInqBindingHandle
RpcServerUseProtseqEpW
UuidCreateNil
RpcServerInqDefaultPrincNameW
RpcServerUseProtseqW
RpcAsyncCompleteCall
RpcServerInqCallAttributesW
RpcServerRegisterIfEx
NdrAsyncServerCall
RpcServerInqCallAttributesA
I_RpcBindingInqLocalClientPID
UuidCreate
RpcBindingVectorFree
LogonUserExExW
_ultow_s
wcstoul
memset
wcschr
_wcslwr
_ultow
_fmode
_vsnwprintf
_cexit
?terminate@@YAXXZ
__C_specific_handler
_ltow_s
_wtol
exit
_XcptFilter
_commode
__setusermatherr
wcsrchr
_amsg_exit
_wcsicmp
_exit
wcscspn
wcsncmp
__getmainargs
memcpy
_wcsnicmp
time
wcsstr
_initterm
_ltow
__set_app_type
RtlConvertSharedToExclusive
DbgPrintEx
RtlUnicodeStringToInteger
RtlAppendUnicodeStringToString
NtUnloadDriver
RtlCreateSecurityDescriptor
NtQuerySymbolicLinkObject
RtlSetGroupSecurityDescriptor
NtOpenThreadToken
NtInitializeRegistry
RtlInitializeCriticalSection
RtlValidSecurityDescriptor
NtOpenSymbolicLinkObject
RtlLengthRequiredSid
RtlConvertExclusiveToShared
RtlQuerySecurityObject
RtlAllocateHeap
NtDeleteValueKey
NtSetInformationProcess
RtlNtStatusToDosError
NtWaitForSingleObject
NtLoadDriver
RtlFreeUnicodeString
EtwRegisterTraceGuidsW
RtlAppendUnicodeToString
RtlInitializeSid
NtDuplicateToken
RtlLengthSecurityDescriptor
RtlAcquireSRWLockExclusive
RtlSetControlSecurityDescriptor
RtlAreAllAccessesGranted
EtwTraceMessage
NtSetEvent
NtQueryDirectoryObject
RtlAcquireResourceExclusive
EtwGetTraceEnableFlags
NtQueryValueKey
RtlCreateServiceSid
RtlEqualUnicodeString
NtFlushKey
NtSetSystemEnvironmentValue
RtlUnicodeStringToAnsiString
RtlDeregisterWait
RtlVirtualUnwind
RtlCopySid
RtlInitializeSRWLock
NtQuerySystemInformation
NtSetValueKey
RtlRegisterWait
RtlCreateAcl
EtwEventRegister
RtlSubAuthorityCountSid
NtQueryInformationFile
RtlSetDaclSecurityDescriptor
NtOpenThread
NtEnumerateKey
NtFilterToken
RtlAddAce
RtlInitUnicodeString
RtlSubAuthoritySid
NtSetInformationFile
NtCreateKey
EtwGetTraceEnableLevel
RtlAcquireResourceShared
RtlSetEnvironmentVariable
RtlSetProcessIsCritical
NtQueryKey
NtQueueApcThread
RtlUnhandledExceptionFilter
NtDeleteFile
RtlAnsiStringToUnicodeString
NtPrivilegeCheck
RtlNtStatusToDosErrorNoTeb
RtlExpandEnvironmentStrings_U
RtlReleaseSRWLockExclusive
NtTraceControl
RtlQueueApcWow64Thread
RtlDosPathNameToNtPathName_U
RtlLengthSid
RtlGetNtProductType
RtlInitAnsiString
NtOpenProcessToken
WinSqmAddToStream
RtlCopyLuid
RtlDeleteSecurityObject
RtlNewSecurityObject
NtShutdownSystem
RtlInitializeResource
NtAccessCheck
RtlValidRelativeSecurityDescriptor
NtClose
NtQueryInformationToken
RtlCopyUnicodeString
NtSetInformationThread
NtPrivilegeObjectAuditAlarm
NtOpenDirectoryObject
NtAccessCheckAndAuditAlarm
RtlSetSecurityObject
RtlSetSaclSecurityDescriptor
EvtIntReportEventAndSourceAsync
NtDeleteObjectAuditAlarm
RtlQueueWorkItem
RtlAcquireSRWLockShared
NtCloseObjectAuditAlarm
RtlAdjustPrivilege
NtOpenFile
EtwGetTraceLoggerHandle
RtlMapGenericMask
NtQueryDirectoryFile
NtDeleteKey
RtlCaptureContext
RtlFreeHeap
RtlSetLastWin32Error
EtwEventWrite
RtlCompareUnicodeString
RtlReleaseSRWLockShared
NtOpenKey
RtlLookupFunctionEntry
RtlReleaseResource
NtAdjustPrivilegesToken
RtlSetOwnerSecurityDescriptor
Ord(101)
Ord(106)
Ord(105)
Ord(102)
Number of PE resources by type
RT_MANIFEST 1
WEVT_TEMPLATE 1
MUI 1
RT_VERSION 1
Number of PE resources by language
ENGLISH US 4
ExifTool file metadata
SubsystemVersion
6.1

InitializedDataSize
77824

ImageVersion
6.1

ProductName
Microsoft Windows Operating System

FileVersionNumber
6.1.7600.16385

UninitializedDataSize
0

LanguageCode
English (U.S.)

FileFlagsMask
0x003f

CharacterSet
Unicode

LinkerVersion
9.0

OriginalFilename
services.exe

MIMEType
application/octet-stream

Subsystem
Windows GUI

FileVersion
6.1.7600.16385 (win7_rtm.090713-1255)

TimeStamp
2009:07:14 00:19:42+01:00

FileType
Win64 EXE

PEType
PE32+

InternalName
services.exe

FileAccessDate
2014:03:08 17:04:39+01:00

ProductVersion
6.1.7600.16385

FileDescription
Services and Controller app

OSVersion
6.1

FileCreateDate
2014:03:08 17:04:39+01:00

FileOS
Windows NT 32-bit

LegalCopyright
Microsoft Corporation. All rights reserved.

MachineType
AMD AMD64

CompanyName
Microsoft Corporation

CodeSize
248832

FileSubtype
0

ProductVersionNumber
6.1.7600.16385

EntryPoint
0x13310

ObjectFileType
Executable application

File identification
MD5 50bea589f7d7958bdd2528a8f69d05cc
SHA1 ccb938d9bea1626d4786d96ed26a96ee392e314b
SHA256 9bb8671774e6ce60cc5b9e3c166bd1ee577a3f1cbb5b4957de595a53d5b461d0
ssdeep
6144:yjUy3rjJE4qxzgv7/WMNS4j7fwLQTha06H0NhsZevKa/2LI+hBm:yjUyhE4q5gD7N56H0A4oI+h

imphash 99f403a8d271c481e1abdb2a65909791
File size 321.5 KB ( 329216 bytes )
File type Win32 EXE
Magic literal
PE32+ executable for MS Windows (GUI) Mono/.Net assembly

TrID Win64 Executable (generic) (87.3%)
Generic Win/DOS Executable (6.3%)
DOS Executable Generic (6.3%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
Tags
64bits peexe assembly

VirusTotal metadata
First submission 2012-05-16 17:06:54 UTC ( 1 year, 11 months ago )
Last submission 2014-03-08 16:09:26 UTC ( 1 month, 2 weeks ago )
File names services._exe
_GR_0.0000041966_WL-73c2480e7c343d541c027600694ba8da-0
essai.exe.exe
services.exe
virus.exe
services01.tmp
services.exe.vir
services.exe
file
sample.bak
services.exe
services.exe.mui
services.exevr
services.exe.rename
tsk0000.dta
services.exe.old
services.exe
services.exe
services.exevir
servicesfdf.exe.txt
services.exe.za
services.exe
zeroaccess.services.exe
virusfil.dat
jh47078.exe
Advanced heuristic and reputation engines
Symantec reputation Suspicious.Insight