SHA256: aa33b121f716e8c6142025ca726dbe47e79d2dda67a07694be526abcf8a5b38d
File name: output.113809706.txt
Detection ratio: 31 / 67
Analysis date: 2018-08-08 15:04:12 UTC ( 7 months, 1 week ago )
Antivirus Result Update
Ad-Aware Gen:Heur.PonyStealer.3 20180808
AhnLab-V3 Trojan/Win32.Injector.R233783 20180808
Arcabit Trojan.PonyStealer.3 20180808
Avast FileRepMalware 20180808
AVG FileRepMalware 20180808
BitDefender Gen:Heur.PonyStealer.3 20180808
CrowdStrike Falcon (ML) malicious_confidence_60% (D) 20180723
Cylance Unsafe 20180808
Cyren W32/Fareit.GB.gen!Eldorado 20180808
Emsisoft Trojan.Injector (A) 20180808
Endgame malicious (high confidence) 20180730
ESET-NOD32 a variant of Win32/Injector.DZRB 20180808
F-Prot W32/Fareit.GB.gen!Eldorado 20180808
F-Secure Gen:Heur.PonyStealer.3 20180808
Fortinet W32/Injector.DZRG!tr 20180808
GData Gen:Heur.PonyStealer.3 20180808
Sophos ML heuristic 20180717
K7AntiVirus Trojan ( 00539abe1 ) 20180808
K7GW Trojan ( 00539abe1 ) 20180808
Kaspersky Trojan-Spy.Win32.Noon.qdn 20180808
Malwarebytes Trojan.MalPack.VB 20180808
MAX malware (ai score=81) 20180808
Microsoft VirTool:Win32/VBInject 20180808
eScan Gen:Heur.PonyStealer.3 20180808
Qihoo-360 Win32/Trojan.16a 20180808
SentinelOne (Static ML) static engine - malicious 20180701
Symantec ML.Attribute.HighConfidence 20180808
Tencent Win32.Trojan.Inject.Auto 20180808
TrendMicro TROJ_GEN.R020C0DH718 20180808
TrendMicro-HouseCall TROJ_GEN.R020C0DH718 20180808
ZoneAlarm by Check Point Trojan-Spy.Win32.Noon.qdn 20180808
AegisLab 20180808
Alibaba 20180713
ALYac 20180808
Antiy-AVL 20180808
Avast-Mobile 20180807
Avira (no cloud) 20180808
AVware 20180727
Babable 20180725
Baidu 20180808
Bkav 20180807
CAT-QuickHeal 20180807
ClamAV 20180808
CMC 20180808
Comodo 20180808
Cybereason 20180225
DrWeb 20180808
eGambit 20180808
Jiangmin 20180808
Kingsoft 20180808
McAfee 20180808
McAfee-GW-Edition 20180808
NANO-Antivirus 20180808
Palo Alto Networks (Known Signatures) 20180808
Panda 20180808
Rising 20180808
Sophos AV 20180808
SUPERAntiSpyware 20180808
Symantec Mobile Insight 20180801
TACHYON 20180808
TheHacker 20180807
TotalDefense 20180808
Trustlook 20180808
VBA32 20180808
VIPRE 20180808
ViRobot 20180808
Webroot 20180808
Yandex 20180807
Zillya 20180808
Zoner 20180808
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
FileVersionInfo properties
Copyright VODAFOne
Product WORlDCOin
Original name Goharherkeri2.exe
Internal name Goharherkeri2
File version 9.09
Description eaSY-hiDE-iP VPa
Comments INSTAllx, LLa
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2007-04-19 20:10:00
Entry Point 0x000014D4
Number of sections 3
PE sections
PE imports
_adj_fdiv_m32
__vbaChkstk
Ord(645)
EVENT_SINK_Release
EVENT_SINK_QueryInterface
Ord(521)
_allmul
Ord(695)
_adj_fdivr_m64
Ord(527)
_adj_fprem
Ord(519)
_adj_fpatan
EVENT_SINK_AddRef
Ord(526)
Ord(563)
__vbaUI1Str
_adj_fdiv_m32i
__vbaStrCopy
Ord(673)
__vbaSetSystemError
__vbaFreeVarList
DllFunctionCall
__vbaFPException
__vbaStrVarMove
__vbaStrToUnicode
_adj_fdivr_m16i
__vbaStrMove
__vbaCyMul
Ord(589)
Ord(100)
__vbaUI1I2
__vbaFreeVar
__vbaVarTstNe
__vbaFreeStr
__vbaLateMemCallLd
__vbaObjSetAddref
_adj_fdiv_r
_adj_fdiv_m64
Ord(542)
__vbaFreeObj
__vbaHresultCheckObj
_CIsqrt
_CIsin
_CIlog
Ord(660)
Ord(575)
_CIcos
__vbaVarTstEq
_adj_fptan
Ord(610)
Ord(581)
__vbaI4Var
__vbaFpI4
__vbaVarMove
Ord(646)
__vbaErrorOverflow
_CIatan
__vbaNew2
__vbaLateIdCallLd
_adj_fdivr_m32i
Ord(631)
_CItan
_CIexp
__vbaLenBstr
__vbaStrToAnsi
_adj_fprem1
_adj_fdivr_m32
__vbaVarCopy
__vbaFreeStrList
__vbaVarCat
Ord(598)
Ord(698)
_adj_fdiv_m16i
__vbaExceptHandler
Number of PE resources by type
RT_ICON 2
RT_VERSION 1
RT_GROUP_ICON 1
Number of PE resources by language
NEUTRAL 3
ENGLISH US 1
PE resources
ExifTool file metadata
CodeSize 503808
SubsystemVersion 4.0
Comments INSTAllx, LLa
LinkerVersion 6.0
ImageVersion 9.9
FileSubtype 0
FileVersionNumber 9.9.0.0
LanguageCode English (U.S.)
FileFlagsMask 0x0000
FileDescription eaSY-hiDE-iP VPa
ImageFileCharacteristics No relocs, Executable, No line numbers, No symbols, 32-bit
CharacterSet Unicode
InitializedDataSize 16384
EntryPoint 0x14d4
OriginalFileName Goharherkeri2.exe
MIMEType application/octet-stream
LegalCopyright VODAFOne
FileVersion 9.09
TimeStamp 2007:04:19 21:10:00+01:00
FileType Win32 EXE
PEType PE32
InternalName Goharherkeri2
ProductVersion 9.09
UninitializedDataSize 0
OSVersion 4.0
FileOS Win32
Subsystem Windows GUI
MachineType Intel 386 or later, and compatibles
CompanyName the maSK PRODUCtions
LegalTrademarks KASPERsky lab
ProductName WORlDCOin
ProductVersionNumber 9.9.0.0
FileTypeExtension exe
ObjectFileType Executable application
File identification
MD5 f3b8710593e5d54255b94b02deee9a0f
SHA1 fec6fa73b01a689bc0fb08477fedbcbf120340cd
SHA256 aa33b121f716e8c6142025ca726dbe47e79d2dda67a07694be526abcf8a5b38d
ssdeep 6144:BK2RQ6wnT1/cB/UmsgCuCKEmd4yOeYgGX/kF+jNRnfkEEmthAM9HtX/12vLLnBX:xRQ6wnx+U/I/qlNlM3MV11yLLZ
authentihash c6f6e1ac686b5ced0bac8e4c792068826dbaff95240f8bb71af15efbbf42aaa4
imphash 8bf18c7d6a93c177e56ca3741f5b080f
File size 508.0 KB ( 520192 bytes )
File type Win32 EXE
Magic literal PE32 executable for MS Windows (GUI) Intel 80386 32-bit
TrID Win32 Executable Microsoft Visual Basic 6 (82.7%)
Win32 Dynamic Link Library (generic) (6.6%)
Win32 Executable (generic) (4.5%)
OS/2 Executable (generic) (2.0%)
Generic Win/DOS Executable (2.0%)
Tags peexe
VirusTotal metadata
First submission 2018-08-08 15:04:12 UTC ( 7 months, 1 week ago )
Last submission 2018-08-08 15:04:12 UTC ( 7 months, 1 week ago )
File names output.113809706.txt
a.exe
Goharherkeri2.exe
Goharherkeri2
Condensed report! The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.
Hooking activity
Runtime DLLs
Additional details
The file installs an application-defined hook procedure into a hook chain. A hook procedure is installed to monitor the system for certain types of events. These events are associated either with a specific thread or with all threads in the same desktop as the calling thread. This is done by making use of the SetWindowsHook Windows API function.