SHA256: a22b5a865d9ff4b09484f41095119d493f63b7469a0266119ac1e017cab93e58
File name: af08073f11031ab4fe075b944ebf794bc4589d8d
Detection ratio: 57 / 57
Analysis date: 2017-02-07 04:39:26 UTC ( 2 years, 1 month ago )
Antivirus Result Update
Ad-Aware Trojan.Generic.7420281 20170207
AegisLab W32.W.AutoRun.dtbv!c 20170207
AhnLab-V3 HEUR/Fakon.mwf 20170206
ALYac Trojan.Generic.7420281 20170207
Antiy-AVL Trojan[Monitor]/Win32.Ardamax 20170207
Arcabit Trojan.Generic.D713979 20170207
Avast Win32:Evo-gen [Susp] 20170207
AVG Autoit.DB 20170207
Avira (no cloud) TR/Autoit.CI.14 20170206
AVware Trojan.Win32.Generic!BT 20170207
Baidu Win32.Trojan.AutoIt.a 20170206
BitDefender Trojan.Generic.7420281 20170207
Bkav W32.RegvcsA.Worm 20170206
CAT-QuickHeal Worm.AutoRun.A10 20170207
ClamAV Win.Trojan.Siggen-2 20170207
CMC Worm.Win32.AutoRun!O 20170206
Comodo Worm.Win32.Autoit.DB 20170207
CrowdStrike Falcon (ML) malicious_confidence_100% (W) 20170130
Cyren W32/Trojan.GEGQ-3036 20170207
DrWeb Trojan.Click1.37970 20170207
Emsisoft Trojan.Generic.7420281 (B) 20170207
ESET-NOD32 Win32/Autoit.AG 20170207
F-Prot W32/Trojan2.DFYJ 20170207
F-Secure IM-Worm:W32/Sohanad.HM 20170207
Fortinet W32/Autorun.HNW!tr 20170207
GData Trojan.Generic.7420281 20170207
Ikarus Worm.Win32.AutoRun 20170206
Sophos ML worm.win32.nuqel.ae 20170203
Jiangmin Worm/Huhk.a 20170207
K7AntiVirus Password-Stealer ( 0000560c1 ) 20170206
K7GW Password-Stealer ( 0000560c1 ) 20170207
Kaspersky Worm.Win32.AutoRun.dtbv 20170207
Kingsoft Worm.Sohanad.pp.(kcloud) 20170207
Malwarebytes Trojan.FakeFolder 20170207
McAfee W32/Autorun.worm.cs 20170207
McAfee-GW-Edition BehavesLike.Win32.Autorun.jc 20170207
Microsoft VirTool:Win32/ModTool 20170207
eScan Trojan.Generic.7420281 20170207
NANO-Antivirus Trojan.Win32.AutoRun.hcfwq 20170207
nProtect Trojan/W32.Autoit.617343 20170207
Panda Trj/Autoit.gen 20170206
Qihoo-360 Worm.Win32.FakeFolder.BV 20170207
Rising Trojan.Generic-ePNzHNUGU5S (cloud) 20170207
Sophos AV Mal/Agent-QF 20170207
SUPERAntiSpyware Trojan.Agent/Gen-Nuqel 20170207
Symantec W32.Imaut 20170206
Tencent Worm.Win32.Autorun.aao 20170207
TheHacker W32/AutoRun.dtbv 20170205
TotalDefense Win32/Armax.G 20170206
TrendMicro TROJ_FORUCON.BMC 20170207
TrendMicro-HouseCall WORM_DELF.FKZ 20170207
VBA32 Trojan-Downloader.Autoit.gen 20170206
VIPRE Trojan.Win32.Generic!BT 20170207
ViRobot Trojan.Win32.Autoit.617343.D[h] 20170207
Yandex VirTool.ModTool.AD 20170206
Zillya Worm.Sohanad.Win32.287 20170206
Zoner I-Worm.Sohanad.NGI 20170207
Alibaba 20170122
Trustlook 20170207
WhiteArmor 20170202
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
Packers identified
PEiD ASPack v2.12
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2007-11-25 09:21:46
Entry Point 0x000A5001
Number of sections 6
PE sections
Overlays
MD5 943a71abc84939d4bdb158ad1c538ca0
File type data
Offset 307712
Size 309631
Entropy 7.98
PE imports
RegEnumValueW
ImageList_EndDrag
GetSaveFileNameW
MoveToEx
GetProcAddress
GetModuleHandleA
LoadLibraryA
WNetUseConnectionW
OleSetContainedObject
LoadRegTypeLib
DragQueryPoint
GetWindowTextLengthW
GetFileVersionInfoSizeW
waveOutSetVolume
__WSAFDIsSet
Number of PE resources by type
RT_ICON 15
RT_STRING 6
RT_GROUP_ICON 3
RT_DIALOG 1
RT_MENU 1
Number of PE resources by language
ENGLISH UK 26
PE resources
ExifTool file metadata
MIMEType application/octet-stream
Subsystem Windows GUI
MachineType Intel 386 or later, and compatibles
TimeStamp 2007:11:25 10:21:46+01:00
FileType Win32 EXE
PEType PE32
CodeSize 414208
LinkerVersion 8.0
FileTypeExtension exe
InitializedDataSize 250368
SubsystemVersion 4.0
EntryPoint 0xa5001
OSVersion 4.0
ImageVersion 0.0
UninitializedDataSize 0

File identification
MD5 9a45e7a2d54224f1b9de076abe00eb12
SHA1 af08073f11031ab4fe075b944ebf794bc4589d8d
SHA256 a22b5a865d9ff4b09484f41095119d493f63b7469a0266119ac1e017cab93e58
ssdeep 12288:V3TdtLW5WIj1YSSdFxrBSXe/uEsvQzt924aQUA:9Dsj1dEbBc4uLQztAc/
authentihash 80f90b8fa142282708295e833048e2826ca56683c212c665d0cf1fd438965c2b
imphash 7d580e3bc0d56dc97c988e38179b1756
File size 602.9 KB ( 617343 bytes )
File type Win32 EXE
Magic literal PE32 executable for MS Windows (GUI) Intel 80386 32-bit
TrID Win32 Executable (generic) (52.9%)
Generic Win/DOS Executable (23.5%)
DOS Executable Generic (23.5%)
Tags peexe aspack overlay

VirusTotal metadata
First submission 2013-07-20 19:11:50 UTC ( 5 years, 8 months ago )
Last submission 2017-11-03 15:05:38 UTC ( 1 year, 4 months ago )
File names regsvr.exe
bozok photos .exe
af08073f11031ab4fe075b944ebf794bc4589d8d
startup .exe
regsvr.exe
regsvr.exe
regsvr.exe
Behaviour characterization (Zemana) dll-injection

Condensed report! The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.
Opened files
Read files
Written files
Copied files
Deleted files
Set keys
Created processes
Code injections in the following processes
Created mutexes
Opened mutexes
Opened service managers
Opened services
Runtime DLLs
Additional details
The file uses the IsDebuggerPresent Windows API function in order to see whether it is being debugged.
The file sends control codes directly to certain device drivers making use of the DeviceIoControl Windows API function.
HTTP requests
DNS requests
TCP connections