SHA256: 9eb00f65140106d6d9c4b2158ee553c5d5eb65b0f083543cb7c44616a84c9303
File name: ZBOT-CX.000
Detection ratio: 44 / 55
Analysis date: 2015-08-05 11:40:02 UTC ( 3 years, 9 months ago )
Antivirus Result Update
Ad-Aware Gen:Variant.Kazy.23432 20150805
Yandex Trojan.DL.FakeAlert!387hJl7XfKM 20150804
ALYac Gen:Variant.Kazy.23432 20150805
Antiy-AVL Trojan[:HEUR]/Win32.AGeneric 20150805
Arcabit Trojan.Kazy.D5B88 20150805
Avast Win32:Evo-gen [Susp] 20150805
AVG Generic22.BESG 20150805
Avira (no cloud) TR/Crypt.ULPM.Gen 20150805
AVware Trojan.Win32.Zbot.xmp (v) 20150805
Baidu-International Trojan.Win32.FakeAV.i 20150805
BitDefender Gen:Variant.Kazy.23432 20150805
Bkav W32.AutoStartAVP.Trojan 20150805
CAT-QuickHeal Trojan.ZAgent.r3 20150805
Comodo Heur.Suspicious 20150805
Cyren W32/Shiz.C.gen!Eldorado 20150805
Emsisoft Gen:Variant.Kazy.23432 (B) 20150805
ESET-NOD32 Win32/TrojanDownloader.FakeAlert.BLI 20150805
F-Prot W32/Shiz.C.gen!Eldorado 20150805
F-Secure Gen:Variant.Kazy.23432 20150805
Fortinet W32/Bamital.FA!tr 20150804
GData Gen:Variant.Kazy.23432 20150805
Ikarus Trojan-FakeAV.Win32.SystemToolUpdate 20150805
Jiangmin Trojan/Jorik.jrj 20150804
K7AntiVirus Backdoor ( 04c533cd1 ) 20150805
K7GW Backdoor ( 04c533cd1 ) 20150805
Kaspersky HEUR:Trojan.Win32.Generic 20150805
Kingsoft Win32.Troj.Jorik.(kcloud) 20150805
Malwarebytes Spyware.Passwords.XGen 20150805
McAfee Generic.tra!a 20150805
McAfee-GW-Edition Generic.tra!a 20150805
Microsoft Backdoor:Win32/Atadommoc.C 20150805
eScan Gen:Variant.Kazy.23432 20150805
NANO-Antivirus Trojan.Win32.Kryptik.cgvkl 20150805
nProtect Trojan/W32.Jorik.41984.D 20150805
Panda Bck/Qbot.AO 20150805
Qihoo-360 Win32/Trojan.Downloader.9ae 20150805
Sophos AV Mal/EncPk-AAY 20150805
Symantec Trojan.Ransomlock!gen4 20150805
TheHacker Trojan/Jorik.SystemToolUpdate.aaf 20150805
TrendMicro TROJ_KRYPTK.SMCM 20150805
TrendMicro-HouseCall TROJ_KRYPTK.SMCM 20150805
VIPRE Trojan.Win32.Zbot.xmp (v) 20150805
ViRobot Trojan.Win32.Jorik.41984[h] 20150805
Zillya Trojan.FakeAV.Win32.73287 20150805
AegisLab 20150805
AhnLab-V3 20150805
Alibaba 20150803
ByteHero 20150805
ClamAV 20150805
DrWeb 20150805
Rising 20150731
SUPERAntiSpyware 20150805
Tencent 20150805
VBA32 20150805
Zoner 20150805
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
FileVersionInfo properties
Copyright Copyright © Evshcls Software 2004-2011
Publisher Evshcls Software
Product Evshcls
Original name Evshcls.exe
Internal name Evshcls
File version 219
Description Evshcls Lavrs Qypctdv
Packers identified
Command UPX
F-PROT UPX
PEiD UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2004-03-21 05:34:18
Entry Point 0x0003A690
Number of sections 3
PE sections
PE imports
RegSaveRestoreOnINF
OpenClusterNetwork
ImmLockIMCC
VirtualFree
ExitProcess
VirtualProtect
LoadLibraryA
VirtualAlloc
GetProcAddress
s_perror
DsBindW
PdhConnectMachineA
UrlEscapeA
SetFormA
Number of PE resources by type
RT_BITMAP 1
RT_VERSION 1
Number of PE resources by language
ENGLISH US 2
PE resources
ExifTool file metadata
KwNrM CFtWruTfs
SubsystemVersion 4.0
PkmVexlf cAwL3Eu
LinkerVersion 9.4
ImageVersion 7.3
ProductName Evshcls
FileVersionNumber 9.4.219.0
UninitializedDataSize 196608
OtmW5ItWu 1I1XhjIFa
LanguageCode English (U.S.)
FileFlagsMask 0x003f
fD5GkxYJRq GLENAlRCkS
CharacterSet Unicode
InitializedDataSize 4096
b6n4Q 8dvC7r3
FileTypeExtension exe
HaoDbMP Nc4d14Rkv
Tag8Cs7x7 tmKQKuDgef
MIMEType application/octet-stream
Subsystem Windows GUI
FileVersion 219
bsAGS 18s64BtVh
TimeStamp 2004:03:21 06:34:18+01:00
FileType Win32 EXE
PEType PE32
InternalName Evshcls
ProductVersion 9.4
FileDescription Evshcls Lavrs Qypctdv
OSVersion 7.1
FileOS Windows NT 32-bit
LegalCopyright Copyright Evshcls Software 2004-2011
MachineType Intel 386 or later, and compatibles
CompanyName GVM SOFTWIN DY
CodeSize 40960
FileSubtype 0
ProductVersionNumber 9.4.219.0
uWBKY Rpgm7jTbEn
EntryPoint 0x3a690
OriginalFileName Evshcls.exe
ObjectFileType Executable application
Compressed bundles
File identification
MD5 19b61224326173cf2a2cbc4e95f45401
SHA1 e2aafcc4c432022d369716a5082e961c242c698d
SHA256 9eb00f65140106d6d9c4b2158ee553c5d5eb65b0f083543cb7c44616a84c9303
ssdeep 768:31xcX6v39mR2yxIC3bDoA0Xhp7h0JWOoxL9/k2osErGluZUUbo/WWNrRkuHAoVr:1PYpxn3gX/eWOGLy2osErGlUUKUkuHt
authentihash d4cca84dc9454add88766162971b137d20e230305ce3b2a0871d614b66fdee86
imphash 8bc6672be7bb8611c739f4966047a62f
File size 41.0 KB ( 41984 bytes )
File type Win32 EXE
Magic literal PE32 executable for MS Windows (GUI) Intel 80386 32-bit
TrID UPX compressed Win32 Executable (42.3%)
Win32 EXE Yoda's Crypter (36.7%)
Win32 Dynamic Link Library (generic) (9.1%)
Win32 Executable (generic) (6.2%)
Generic Win/DOS Executable (2.7%)
Tags
peexe upx

VirusTotal metadata
First submission 2011-05-22 20:46:15 UTC ( 8 years ago )
Last submission 2015-08-05 11:40:02 UTC ( 3 years, 9 months ago )
File names ZBOT-CX.000
Evshcls
19b61224326173cf2a2cbc4e95f45401
Evshcls.exe
849902
e2aafcc4c432022d369716a5082e961c242c698d
xv1.exe
FDDEA155001FB6D1A40500862809BC00D29F359A.000
XvidSetup3.exe
19b61224326173cf2a2cbc4e95f45401.exe
9eb1540a7e9876125017685e19e1822f
62b404004fbdf28956aaa935cd3ac0c2
XvidSetup.exe
file-2280774_swat
sample_19b61224326173cf2a2cbc4e95f45401
3836 22.05.2011 22.39.45.793
Fake_XvidSetup.exe
856057
Advanced heuristic and reputation engines
ClamAV
Possibly Unwanted Application. While not necessarily malicious, the scanned file presents certain characteristics which depending on the user policies and environment may or may not represent a threat. For full details see: https://www.clamav.net/documents/potentially-unwanted-applications-pua .
