SHA256: a50411aa3850e1defcce38f079daf175a9ca7fb32749c9b4394ef6236476d094
File name: host.exe
Detection ratio: 41 / 54
Analysis date: 2016-06-30 00:18:52 UTC ( 1 year, 2 months ago )
Antivirus Result Update
Ad-Aware Gen:Variant.Symmi.38822 20160629
AegisLab Troj.Ransom.W32.Foreign.kcme!c 20160629
AhnLab-V3 Trojan/Win32.Gen.N1090325505 20160629
ALYac Gen:Variant.Symmi.38822 20160629
Antiy-AVL Trojan[Ransom]/Win32.Foreign 20160629
Arcabit Trojan.Symmi.D97A6 20160629
Avast Win32:Febiturk-A [Trj] 20160629
AVG Pakes_c.AMTN 20160630
Avira (no cloud) TR/Kazy.323825.3 20160630
BitDefender Gen:Variant.Symmi.38822 20160629
Bkav W32.FadobesLTA.Trojan 20160629
CAT-QuickHeal Trojan.Nixofro.A3 20160629
Comodo UnclassifiedMalware 20160630
Cyren W32/Backdoor.HATZ-3127 20160630
DrWeb Trojan.Guncelle.2 20160630
Emsisoft Gen:Variant.Symmi.38822 (B) 20160630
ESET-NOD32 Win32/TrojanDownloader.VB.QJF 20160630
F-Prot W32/Backdoor2.HUDD 20160630
F-Secure Trojan:W32/Kilim.P 20160629
Fortinet W32/Foreign.KCME!tr 20160630
GData Gen:Variant.Symmi.38822 20160630
Ikarus Trojan.Win32.Nixofro 20160629
K7AntiVirus Trojan-Downloader ( 004e4be71 ) 20160629
K7GW Trojan-Downloader ( 004e4be71 ) 20160630
Kaspersky UDS:DangerousObject.Multi.Generic 20160630
Malwarebytes Trojan.Agent 20160630
McAfee Artemis!EFFCFE91BEAF 20160630
McAfee-GW-Edition BehavesLike.Win32.Trojan.tm 20160629
Microsoft Trojan:Win32/Nixofro.A 20160630
eScan Gen:Variant.Symmi.38822 20160629
NANO-Antivirus Trojan.Win32.Foreign.csuwmy 20160629
Panda Generic Malware 20160629
Qihoo-360 Win32/Trojan.ce0 20160630
Sophos AV Mal/Generic-S 20160630
SUPERAntiSpyware Trojan.Agent/Gen-Undef 20160630
Symantec Suspicious.Cloud.9 20160630
Tencent Win32.Trojan.Foreign.Aqqm 20160630
TrendMicro TROJ_HABER.A 20160630
TrendMicro-HouseCall TROJ_HABER.A 20160630
VBA32 Hoax.Foreign 20160629
Zillya Trojan.Foreign.Win32.41642 20160629
Engines with no detection (engine, signature update date)
Alibaba 20160629
AVware 20160630
Baidu 20160629
ClamAV 20160630
CMC 20160627
Jiangmin 20160629
Kingsoft 20160630
nProtect 20160629
TheHacker 20160630
TotalDefense 20160630
VIPRE 20160630
ViRobot 20160629
Zoner 20160629
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
FileVersionInfo properties
Copyright Copyright (C) Adobe Systems Incorporated
Product Adobe Flash Player Installer
Original name host.exe
Internal name host.exe
File version 3.3.9.0
Description Adobe Flash Player Installer
Packers identified
F-PROT UPX
PEiD UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2014-01-26 03:13:06
Entry Point 0x001A14D0
Number of sections 3
PE imports
VirtualFree
ExitProcess
VirtualProtect
LoadLibraryA
VirtualAlloc
GetProcAddress
Ord(580)
Number of PE resources by type
RT_ICON 24
RT_VERSION 1
RT_GROUP_ICON 1
Number of PE resources by language
NEUTRAL 25
ENGLISH US 1
ExifTool file metadata
SubsystemVersion 4.0
LinkerVersion 6.0
ImageVersion 1.0
FileSubtype 0
FileVersionNumber 3.3.9.0
UninitializedDataSize 1425408
LanguageCode English (U.S.)
FileFlagsMask 0x003f
CharacterSet Windows, Latin1
InitializedDataSize 798720
EntryPoint 0x1a14d0
OriginalFileName host.exe
MIMEType application/octet-stream
LegalCopyright Copyright (C) Adobe Systems Incorporated
FileVersion 3.3.9.0
TimeStamp 2014:01:26 04:13:06+01:00
FileType Win32 EXE
PEType PE32
InternalName host.exe
ProductVersion 3.3.9.0
FileDescription Adobe Flash Player Installer
OSVersion 4.0
FileOS Win32
Subsystem Windows GUI
MachineType Intel 386 or later, and compatibles
CompanyName Solid State Networks
CodeSize 282624
ProductName Adobe Flash Player Installer
ProductVersionNumber 3.3.9.0
Warning Possibly corrupt Version resource
FileTypeExtension exe
ObjectFileType Executable application
File identification
MD5 effcfe91beaf7a3ed2f4ac79525c5fc5
SHA1 6efdd9d1bb4582372d97d0e20e397c115ad73e75
SHA256 a50411aa3850e1defcce38f079daf175a9ca7fb32749c9b4394ef6236476d094
ssdeep 12288:N0ZI89t44eGnTWqLCH+cNbmJZOeZIc3OXoVGMcP:x0t+QTWMCH+cNbXeZIoTGMc
authentihash 505a5db89175e6d1febcdee737abd5ccaac10ea3729618bbf0b9fc083ceb3b16
imphash 5f116d8e20f7d894b4b4ecbad1704009
File size 1.0 MB ( 1078272 bytes )
File type Win32 EXE
Magic literal PE32 executable for MS Windows (GUI) Intel 80386 32-bit
TrID UPX compressed Win32 Executable (46.5%)
Win32 EXE Yoda's Crypter (40.4%)
Win32 Executable (generic) (6.8%)
Generic Win/DOS Executable (3.0%)
DOS Executable Generic (3.0%)
Tags peexe upx
VirusTotal metadata
First submission 2014-01-27 15:39:05 UTC ( 3 years, 7 months ago )
Last submission 2016-06-30 00:18:52 UTC ( 1 year, 2 months ago )
File names FlashPlayer.exe
20000924
aa
LDpyI49Vo.ps1
FlashPlayer (7).exe
output.20000924.txt
vti-rescan
FlashPlayer.exe
file-6529357_exe
host.exe
Advanced heuristic and reputation engines
ClamAV
Possibly Unwanted Application. While not necessarily malicious, the scanned file presents certain characteristics which depending on the user policies and environment may or may not represent a threat. For full details see: https://www.clamav.net/documents/potentially-unwanted-applications-pua .

Symantec reputation Suspicious.Insight
Condensed report! The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.
Additional details
The file sends control codes directly to certain device drivers making use of the DeviceIoControl Windows API function.
The file installs an application-defined hook procedure into a hook chain. Hook procedures are used to monitor the system for certain types of events, which are associated either with a specific thread or with all threads in the same desktop as the calling thread. This is done using the SetWindowsHook Windows API function.