SHA256: ae46a7f85ad13885a5f799f49e73eb8e1b9306ef182e3bb4636c080bb7f350a0
File name: vt-upload-XMtRK
Detection ratio: 38 / 51
Analysis date: 2014-04-06 00:13:36 UTC ( 4 years, 8 months ago )
Antivirus | Result | Update
Ad-Aware | Gen:Variant.Kazy.167270 | 20140406
Yandex | TrojanSpy.Zbot!0AN9+5cNhY0 | 20140405
AhnLab-V3 | Spyware/Win32.Zbot | 20140405
AntiVir | TR/Kazy.167270.5 | 20140405
Antiy-AVL | Trojan[Spy]/Win32.Zbot | 20140405
Avast | Win32:Malware-gen | 20140406
AVG | PSW.Generic11.HEO | 20140405
BitDefender | Gen:Variant.Kazy.167270 | 20140406
CAT-QuickHeal | (Suspicious) - DNAScan | 20140405
Comodo | TrojWare.Win32.Kryptik.AZJH | 20140406
DrWeb | Trojan.PWS.Panda.2977 | 20140406
Emsisoft | Gen:Variant.Kazy.167270 (B) | 20140406
ESET-NOD32 | Win32/Spy.Zbot.AAO | 20140405
F-Secure | Gen:Variant.Kazy.167270 | 20140405
Fortinet | W32/ZBot.DS!tr | 20140405
GData | Gen:Variant.Kazy.167270 | 20140406
Ikarus | Trojan-Spy.Win32.Zbot | 20140405
Jiangmin | TrojanSpy.Zbot.duaq | 20140405
K7AntiVirus | Trojan ( 0040f3ca1 ) | 20140404
K7GW | Trojan ( 0040f3ca1 ) | 20140404
Kaspersky | Trojan-Spy.Win32.Zbot.rzni | 20140405
Kingsoft | Win32.Troj.Zbot.ku.(kcloud) | 20140406
Malwarebytes | Trojan.PWS.Zbot | 20140405
McAfee | Artemis!51405554BEF6 | 20140406
McAfee-GW-Edition | Heuristic.LooksLike.Win32.Suspicious.C!81 | 20140405
Microsoft | PWS:Win32/Zbot.gen!AJ | 20140406
eScan | Gen:Variant.Kazy.167270 | 20140406
NANO-Antivirus | Trojan.Win32.Panda.cujaqf | 20140405
nProtect | Trojan-Spy/W32.ZBot.208896.BC | 20140404
Panda | Trj/Genetic.gen | 20140405
Qihoo-360 | HEUR/Malware.QVM18.Gen | 20140406
Sophos AV | Troj/Zbot-ETH | 20140405
Symantec | Trojan.Zbot | 20140406
TotalDefense | Win32/Zbot.LAOaDD | 20140405
TrendMicro | TROJ_SPNR.30FD13 | 20140406
TrendMicro-HouseCall | TROJ_SPNR.30FD13 | 20140405
VBA32 | BScope.Trojan.MTA.0661 | 20140404
VIPRE | Trojan.Win32.Generic!BT | 20140406
AegisLab | (no detection) | 20140406
Baidu-International | (no detection) | 20140405
Bkav | (no detection) | 20140405
ByteHero | (no detection) | 20140406
ClamAV | (no detection) | 20140406
CMC | (no detection) | 20140404
Commtouch | (no detection) | 20140405
F-Prot | (no detection) | 20140405
Norman | (no detection) | 20140404
Rising | (no detection) | 20140405
SUPERAntiSpyware | (no detection) | 20140405
TheHacker | (no detection) | 20140404
ViRobot | (no detection) | 20140405
The file being studied is a Portable Executable (PE) file; more specifically, it is a Win32 EXE for the Windows GUI subsystem.
FileVersionInfo properties
Product Kowiru
Original name Pcpaqvynhcgw7mi.exe
Internal name Osakaz
Description Ofata Enohi Zehimod
(The product, internal name and description are pronounceable but meaningless strings and the original name is random: the pattern of a version resource generated per sample by a crypter or builder rather than set by a developer. They are not useful pivots.)
Packers identified
F-PROT UPX_LZMA
PEiD UPX 2.93 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser
Because the file is UPX-packed, the import table, imphash, entry point and section sizes reported below describe the UPX loader stub and the compressed blob, not the Zbot payload. Unpack first (upx -d works when the stub and headers have not been tampered with; otherwise dump the process once the stub jumps to the original entry point) before doing static analysis of the payload.
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2011-06-25 07:32:12 (almost three years before first submission; the field is trivially forged, so treat the gap as a weak signal only)
Entry Point 0x000841B0
Number of sections 3 (consistent with the UPX0/UPX1/.rsrc layout of a UPX-packed file)
PE sections (section table not included in this extract)
PE imports
VirtualFree (kernel32)
ExitProcess (kernel32)
VirtualProtect (kernel32)
LoadLibraryA (kernel32)
VirtualAlloc (kernel32)
GetProcAddress (kernel32)
SHQueryRecycleBinA (shell32)
WinHelpA (user32)
These eight imports belong to the UPX loader stub, not to the Zbot payload. The six kernel32 functions are exactly what the stub needs to allocate, decompress, re-protect and then resolve the real imports at run time through LoadLibraryA/GetProcAddress; SHQueryRecycleBinA and WinHelpA are the single import per original DLL that UPX keeps so that shell32 and user32 are still mapped when the payload starts, and they hint at what the unpacked code uses. The imphash computed over this table therefore fingerprints the packer, not the family, and will collide with unrelated UPX-packed files.
Number of PE resources by type
RT_ACCELERATOR 13
RT_DIALOG 11
RT_ICON 5
RT_STRING 5
RT_VERSION 1
RT_GROUP_ICON 1
Number of PE resources by language
SPANISH ECUADOR 36
(All 36 resources are tagged Spanish (Ecuador), while the version resource below reports LanguageCode English (U.S.). Record the disagreement when clustering samples; it usually comes from resources copied in by a builder rather than set by the developer's toolchain.)
PE resources (resource listing not included in this extract)
ExifTool file metadata
SubsystemVersion 4.0
LinkerVersion 4.0
ImageVersion 0.0
ProductName Kowiru
FileVersionNumber 6.9.0.0
LanguageCode English (U.S.)
FileFlagsMask 0x003f
CharacterSet Unicode
InitializedDataSize 20480
OriginalFilename Pcpaqvynhcgw7mi.exe
MIMEType application/octet-stream
PEType PE32
TimeStamp 2011:06:25 08:32:12+01:00 (the same value as the PE compilation timestamp above, shown in UTC+1)
FileType Win32 EXE
InternalName Osakaz
FileAccessDate 2014:04:06 01:15:55+01:00
FileDescription Ofata Enohi Zehimod
OSVersion 4.0
FileCreateDate 2014:04:06 01:15:55+01:00
Subsystem Windows GUI
MachineType Intel 386 or later, and compatibles
CodeSize 188416
FileSubtype 0
ProductVersionNumber 6.9.0.0
UninitializedDataSize 352256
EntryPoint 0x841b0
ObjectFileType Executable application
FileOS Windows NT 32-bit
(FileAccessDate and FileCreateDate are filesystem timestamps of the copy on the scanning host, not properties of the sample. CodeSize and UninitializedDataSize are the sizes of the UPX1 and UPX0 sections respectively: the payload is decompressed from UPX1 into the empty UPX0 region at run time.)

File identification
MD5 51405554bef68a2db09ff3413bf27a6c
SHA1 84fb0e1ca3aa61e95dea8a27ad0f2a85fc7a029c
SHA256 ae46a7f85ad13885a5f799f49e73eb8e1b9306ef182e3bb4636c080bb7f350a0
ssdeep 3072:LT2INyOSqkcYZQjD0k2Uz/yDaXHpoDVtPGtIwZ3UT6GTyaviFZouVRD3:LTRjSqF3qEHpCVQtIUCyaSZom5
imphash 921e697cce6041dd82a6f2cbf32a49d5
File size 204.0 KB ( 208896 bytes )
File type Win32 EXE
Magic literal PE32 executable for MS Windows (GUI) Intel 80386 32-bit
TrID Win32 Executable (generic) (52.9%)
Generic Win/DOS Executable (23.5%)
DOS Executable Generic (23.4%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
Tags
peexe upx
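The following script is an added triage example, not part of the VirusTotal report and not code from any vendor listed above. It takes the values printed in this report (entry point, CodeSize, UninitializedDataSize, the import names, the compile and first-seen timestamps, the MD5, the McAfee Artemis name and the two language fields) and runs the checks an analyst would make on a UPX-packed PE before unpacking: whether the import set is the UPX loader's, whether the entry point falls in the tail of UPX1 given the usual UPX0/UPX1 layout, how stale the compile timestamp is, whether the Artemis suffix is the MD5 prefix, and whether the resource language disagrees with the VersionInfo language. The DLL each import is attributed to, the import order, and the 0x1000 base RVA of UPX0 are assumptions (the report gives no section table or DLL names), so the imphash the script computes is not expected to reproduce the report's value.

```python
"""Added triage example (not code from VirusTotal or any listed vendor).

Values are copied from the report; anything marked ASSUMPTION is not stated
by the report and is supplied here only so the checks can run.
"""
import hashlib
from datetime import datetime, timezone

# Values copied from the report.
ENTRY_POINT = 0x000841B0
CODE_SIZE = 188416            # CodeSize: with UPX this is the UPX1 section
UNINIT_DATA_SIZE = 352256     # UninitializedDataSize: the empty UPX0 section
COMPILE_TS = datetime(2011, 6, 25, 7, 32, 12, tzinfo=timezone.utc)
FIRST_SEEN = datetime(2014, 4, 6, 0, 13, 36, tzinfo=timezone.utc)
MD5 = "51405554bef68a2db09ff3413bf27a6c"
ARTEMIS_NAME = "Artemis!51405554BEF6"
RESOURCE_LANG = "SPANISH ECUADOR"      # resource directory language
VERSIONINFO_LANG = "English (U.S.)"    # LanguageCode from the version resource

# Import names are from the report; the DLL attribution (their usual Win32
# homes) and the order within the table are ASSUMPTIONS.
IMPORTS = [
    ("KERNEL32.DLL", "VirtualFree"),
    ("KERNEL32.DLL", "ExitProcess"),
    ("KERNEL32.DLL", "VirtualProtect"),
    ("KERNEL32.DLL", "LoadLibraryA"),
    ("KERNEL32.DLL", "VirtualAlloc"),
    ("KERNEL32.DLL", "GetProcAddress"),
    ("SHELL32.DLL", "SHQueryRecycleBinA"),
    ("USER32.DLL", "WinHelpA"),
]

# The functions the UPX loader stub needs for itself.
UPX_STUB_IMPORTS = frozenset({"LoadLibraryA", "GetProcAddress", "VirtualProtect",
                              "VirtualAlloc", "VirtualFree", "ExitProcess"})


def imphash(imports):
    """Import hash as pefile computes it: lowercase 'module.function' with the
    module extension stripped, joined by ',' in table order, then MD5."""
    parts = []
    for dll, func in imports:
        mod = dll.lower()
        for ext in (".dll", ".ocx", ".sys"):
            if mod.endswith(ext):
                mod = mod[: -len(ext)]
                break
        parts.append(f"{mod}.{func.lower()}")
    return hashlib.md5(",".join(parts).encode("ascii")).hexdigest()


def stub_import_profile(imports, max_extras=4):
    """Return (looks_like_upx_stub, extra_imports). UPX resolves the payload's
    imports at run time and keeps one import per original DLL, so a tiny table
    of the six stub functions plus a few strays is the packer's signature."""
    names = {func for _, func in imports}
    extras = sorted(names - UPX_STUB_IMPORTS)
    return UPX_STUB_IMPORTS <= names and len(extras) <= max_extras, extras


def entry_point_in_upx1_tail(entry_point, uninit_size, code_size,
                             first_section_rva=0x1000, tail=0x1000):
    """UPX0 (empty target region) is followed by UPX1 (compressed data with the
    decompressor at its end), so the entry point should sit in the last page
    of UPX1. ASSUMPTION: UPX0 starts at RVA 0x1000 and CodeSize == UPX1 size."""
    upx1_start = first_section_rva + uninit_size
    upx1_end = upx1_start + code_size
    return upx1_end - tail <= entry_point < upx1_end


def stale_timestamp_days(compile_ts, first_seen):
    """Whole days from PE compile timestamp to first submission (weak signal:
    the field is trivially forged)."""
    return (first_seen - compile_ts).days


def artemis_matches_md5(detection_name, md5):
    """McAfee's Artemis!<hex> names carry the first 12 hex digits of the MD5,
    so they identify this exact file rather than a family."""
    if "!" not in detection_name:
        return False
    return detection_name.split("!", 1)[1].lower() == md5[:12].lower()


def language_mismatch(resource_lang, versioninfo_lang):
    """True when the resource directory and version resource disagree on the
    language (common when a builder copies in fake resources)."""
    return resource_lang.split()[0].lower() != versioninfo_lang.split()[0].lower()


def triage():
    """Run every check on the values copied from this report."""
    stub_like, extras = stub_import_profile(IMPORTS)
    return {
        "imphash_of_listed_imports": imphash(IMPORTS),
        "upx_stub_imports": stub_like,
        "imports_beyond_stub": extras,
        "entry_point_in_upx1_tail": entry_point_in_upx1_tail(
            ENTRY_POINT, UNINIT_DATA_SIZE, CODE_SIZE),
        "days_compile_to_first_seen": stale_timestamp_days(COMPILE_TS, FIRST_SEEN),
        "artemis_name_is_md5_prefix": artemis_matches_md5(ARTEMIS_NAME, MD5),
        "resource_vs_versioninfo_language_mismatch": language_mismatch(
            RESOURCE_LANG, VERSIONINFO_LANG),
    }


if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key}: {value}")
```

Every check except the imphash is independent of the assumed DLL names: with the layout assumption, UPX1 spans RVA 0x57000 to 0x85000 and the entry point 0x841B0 lands in its final page, which is where the UPX decompressor lives. The two imports beyond the stub set (SHQueryRecycleBinA and WinHelpA) are the DLL-keeping strays described above, and the Artemis suffix resolves to this file's MD5 prefix, so that detection name is a per-file identifier rather than a family label.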

VirusTotal metadata
First submission 2014-04-06 00:13:36 UTC ( 4 years, 8 months ago )
Last submission 2014-04-06 00:13:36 UTC ( 4 years, 8 months ago )
File names Osakaz
vt-upload-XMtRK
Pcpaqvynhcgw7mi.exe
Advanced heuristic and reputation engines
ClamAV
Possibly Unwanted Application. While not necessarily malicious, the scanned file presents certain characteristics which depending on the user policies and environment may or may not represent a threat. For full details see: https://www.clamav.net/documents/potentially-unwanted-applications-pua .

Condensed report. The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.
The report records the following behaviour categories, but their entries are not included in this extract: opened files, read files, written files, created processes, code injections in the following processes, created mutexes, opened mutexes, runtime DLLs.
Additional details
The file sends control codes directly to certain device drivers making use of the DeviceIoControl Windows API function.