SHA256: ac23e5ccaaa073f5f65e1668c3c08033d3bb98509b4ac0875af4fbff27ac76c3
File name: f2c6eef7857209ef187c3ee8318624e0e0e9f230
Detection ratio: 30 / 45
Analysis date: 2013-04-20 11:19:35 UTC (5 years, 9 months ago)
Antivirus              Result                                        Update
Yandex                 Trojan.DL.Wauchos!CnucqYO6oRA                 20130420
AhnLab-V3              Dropper/Win32.Injector                        20130420
AntiVir                BDS/Androm.EB.108                             20130420
AVG                    SHeur4.BGQD                                   20130420
BitDefender            Trojan.GenericKD.948092                       20130420
Commtouch              W32/Trojan.ODMW-3825                          20130420
Comodo                 Heur.Suspicious                               20130420
DrWeb                  Trojan.Inject2.23                             20130420
Emsisoft               Trojan.GenericKD.948092 (B)                   20130420
ESET-NOD32             Win32/TrojanDownloader.Wauchos.I              20130420
F-Secure               Trojan.GenericKD.948092                       20130420
Fortinet               W32/Blocker.BBEB!tr                           20130420
GData                  Trojan.GenericKD.948092                       20130420
Ikarus                 Trojan-Spy.Zbot                               20130420
Kaspersky              Trojan-Ransom.Win32.Blocker.bbeb              20130420
Malwarebytes           Trojan.FakeMS                                 20130420
McAfee                 RDN/Generic Dropper!je                        20130420
McAfee-GW-Edition      Artemis!936DAA7DC359                          20130420
Microsoft              Worm:Win32/Gamarue                            20130420
eScan                  Trojan.GenericKD.948092                       20130420
NANO-Antivirus         Trojan.Win32.Blocker.bocxog                   20130420
Norman                 MPGen.A                                       20130420
nProtect               Trojan.GenericKD.948092                       20130420
Panda                  Trj/CI.A                                      20130420
PCTools                Trojan.Generic                                20130420
Sophos AV              Troj/ProcHL-R                                 20130420
Symantec               Trojan Horse                                  20130420
TrendMicro             TROJ_RANSOM.EMJ                               20130420
TrendMicro-HouseCall   TROJ_RANSOM.EMJ                               20130420
VIPRE                  Trojan.Win32.Generic!BT                       20130420
Antiy-AVL              (no detection)                                20130420
Avast                  (no detection)                                20130420
ByteHero               (no detection)                                20130418
CAT-QuickHeal          (no detection)                                20130419
eSafe                  (no detection)                                20130418
F-Prot                 (no detection)                                20130418
Jiangmin               (no detection)                                20130420
K7AntiVirus            (no detection)                                20130419
K7GW                   (no detection)                                20130419
Kingsoft               (no detection)                                20130415
SUPERAntiSpyware       (no detection)                                20130420
TheHacker              (no detection)                                20130418
TotalDefense           (no detection)                                20130419
VBA32                  (no detection)                                20130419
ViRobot                (no detection)                                20130420
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
FileVersionInfo properties
Copyright: © ?????????? ??????????. ??? ????? ????????.
Publisher: ?????????? ??????????
Product: ???????????? ??????? Microsoft® Windows®
Original name: MSPAINT.EXE
Internal name: MSPAINT
File version: 5.1.2600.5918 (xpsp_sp3_qfe.091216-2118)
Description: Paint
PE header basic information
Target machine: Intel 386 or later processors and compatible processors
Compilation timestamp: 2013-04-13 19:59:54
Entry Point: 0x00005019
Number of sections: 4
PE sections
PE imports
GetLastError
IsValidCodePage
HeapFree
GetStdHandle
EnterCriticalSection
LCMapStringW
SetHandleCount
GetModuleFileNameW
HeapDestroy
QueryPerformanceCounter
IsDebuggerPresent
HeapAlloc
TlsAlloc
GetEnvironmentStringsW
GetVersionExA
LoadLibraryA
RtlUnwind
GetModuleFileNameA
FreeEnvironmentStringsA
DeleteCriticalSection
GetCurrentProcess
GetEnvironmentStrings
GetWindowsDirectoryW
HeapSize
GetCurrentProcessId
GetCommandLineW
GetCPInfo
UnhandledExceptionFilter
InterlockedDecrement
MultiByteToWideChar
GetStartupInfoW
FreeEnvironmentStringsW
GetCommandLineA
GetProcAddress
GetStringTypeA
GetProcessHeap
RaiseException
WideCharToMultiByte
TlsFree
GetModuleHandleA
GetLocaleInfoA
SetUnhandledExceptionFilter
WriteFile
GetStartupInfoA
GetSystemTimeAsFileTime
GetACP
HeapReAlloc
GetStringTypeW
GetModuleHandleW
GetOEMCP
TerminateProcess
LCMapStringA
InitializeCriticalSection
HeapCreate
VirtualFree
TlsGetValue
Sleep
GetFileType
GetTickCount
TlsSetValue
ExitProcess
GetCurrentThreadId
LeaveCriticalSection
VirtualAlloc
SetLastError
InterlockedIncrement
wsprintfW
Number of PE resources by type
RT_ACCELERATOR 15
RT_ICON 4
RT_MANIFEST 1
RT_RCDATA 1
RT_VERSION 1
RT_GROUP_ICON 1
Number of PE resources by language
NEUTRAL 23
PE resources
ExifTool file metadata
UninitializedDataSize: 0
InitializedDataSize: 69632
ImageVersion: 0.0
ProductName: Microsoft Windows
FileVersionNumber: 5.1.2600.5918
LanguageCode: Russian
FileFlagsMask: 0x003f
FileDescription: Paint
CharacterSet: Unicode
LinkerVersion: 3.3
FileTypeExtension: exe
OriginalFileName: MSPAINT.EXE
MIMEType: application/octet-stream
Subsystem: Windows GUI
FileVersion: 5.1.2600.5918 (xpsp_sp3_qfe.091216-2118)
TimeStamp: 2013:04:13 20:59:54+01:00
FileType: Win32 EXE
PEType: PE32
InternalName: MSPAINT
ProductVersion: 5.1.2600.5918
SubsystemVersion: 4.0
OSVersion: 4.0
FileOS: Windows NT 32-bit
LegalCopyright: . .
MachineType: Intel 386 or later, and compatibles
CodeSize: 57344
FileSubtype: 0
ProductVersionNumber: 5.1.2600.5918
Warning: Possibly corrupt Version resource
EntryPoint: 0x5019
ObjectFileType: Executable application
CarbonBlack
While monitoring an end-user machine in-the-wild, CarbonBlack noticed the following files in execution wrote this sample to disk.
While monitoring an end-user machine in-the-wild, CarbonBlack noticed this sample wrote the following files to disk.
Compressed bundles
File identification
MD5 936daa7dc3591d7d8d56e9fb29043c3b
SHA1 57f36e75aa57837d3da0b98c92bde32ca9cf0b75
SHA256 ac23e5ccaaa073f5f65e1668c3c08033d3bb98509b4ac0875af4fbff27ac76c3
ssdeep 1536:j4SubbKByrA4Bj41DU7+buh3RNAutEuFnJR4SlvLFMIZHc456yzIYfxQ:jIbbzBiaFAutEubR4Slnp5ZzfJQ
authentihash 79e85015fcd96d751cc23eb0e779b1d455b3d03c97c13b147094a51131824a86
imphash 2998bc576ed3d1941cb3b1dee101ce72
File size 125.0 KB (128000 bytes)
File type Win32 EXE
Magic literal PE32 executable for MS Windows (GUI) Intel 80386 32-bit
TrID Win32 Executable MS Visual C++ (generic) (42.2%)
Win64 Executable (generic) (37.3%)
Win32 Dynamic Link Library (generic) (8.8%)
Win32 Executable (generic) (6.0%)
Generic Win/DOS Executable (2.7%)
Tags peexe
VirusTotal metadata
First submission 2013-04-17 10:54:02 UTC ( 5 years, 9 months ago )
Last submission 2015-06-12 10:46:09 UTC ( 3 years, 7 months ago )
File names Gaslieferauftrag-7756844001.PDF.exe_
aa
MSPAINT
Gaslieferauftrag-7756844001.pdf.exe
wl-fb81f09b90bd94046e595bd81401200a-0.exe
Gaslieferauftrag-7756844001.PDF.exe
WL-fb81f09b90bd94046e595bd81401200a-0
005264774
file-5390105_exe
MSPAINT.EXE
svchost.exe
f2c6eef7857209ef187c3ee8318624e0e0e9f230
aZFa.pdf
Gaslieferauftrag-7756844001.PDF.exe
wl-fb81f09b90bd94046e595bd81401200a-0.filepart
Advanced heuristic and reputation engines
Symantec reputation Suspicious.Insight
Condensed report! The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.
Created processes
Opened mutexes
Runtime DLLs