SHA256: b274fe7e085a5d2cced12118e1bea56f5147d5f7a38b772d721cf4e60fcddbaa
File name: BF67.exe
Detection ratio: 45 / 57
Analysis date: 2016-11-15 15:14:02 UTC ( 2 years, 4 months ago )
| Antivirus | Result | Update |
| --- | --- | --- |
| Ad-Aware | Gen:Variant.Zboter.2 | 20161115 |
| AegisLab | W32.W.Ngrbot.aeeq!c | 20161115 |
| AhnLab-V3 | Trojan/Win32.Agent.N1188786300 | 20161115 |
| Antiy-AVL | Worm/Win32.Ngrbot | 20161115 |
| Arcabit | Trojan.Zboter.2 | 20161115 |
| Avast | Win32:Inject-BJO [Trj] | 20161115 |
| AVG | VBCrypt.GDW | 20161115 |
| Avira (no cloud) | TR/Tolouge.vlfyt | 20161115 |
| AVware | Trojan.Win32.Generic!BT | 20161115 |
| Baidu | Win32.Trojan.WisdomEyes.16070401.9500.9998 | 20161115 |
| BitDefender | Gen:Variant.Zboter.2 | 20161115 |
| CAT-QuickHeal | Trojan.Bagsu | 20161115 |
| Comodo | UnclassifiedMalware | 20161115 |
| CrowdStrike Falcon (ML) | malicious_confidence_100% (W) | 20161024 |
| Cyren | W32/Dorkbot.Y.gen!Eldorado | 20161115 |
| Emsisoft | Gen:Variant.Zboter.2 (B) | 20161115 |
| ESET-NOD32 | a variant of Win32/Injector.BEAU | 20161115 |
| F-Prot | W32/Dorkbot.Y.gen!Eldorado | 20161115 |
| F-Secure | Gen:Variant.Zboter.2 | 20161115 |
| Fortinet | W32/Injector.ADYQ!tr | 20161115 |
| GData | Gen:Variant.Zboter.2 | 20161115 |
| Ikarus | Worm.Win32.Ngrbot | 20161115 |
| Sophos ML | generic.a | 20161018 |
| K7AntiVirus | Trojan ( 0040f7e91 ) | 20161115 |
| K7GW | Trojan ( 0040f7e91 ) | 20161115 |
| Kaspersky | HEUR:Trojan.Win32.Generic | 20161115 |
| McAfee | Dorkbot-FAN!FDF23AC38EAD | 20161115 |
| McAfee-GW-Edition | BehavesLike.Win32.VBObfus.ch | 20161115 |
| Microsoft | Trojan:Win32/Bagsu!rfn | 20161115 |
| eScan | Gen:Variant.Zboter.2 | 20161115 |
| NANO-Antivirus | Trojan.Win32.Ngrbot.ebgmrs | 20161115 |
| nProtect | Worm/W32.Ngrbot.183373 | 20161115 |
| Panda | Trj/Genetic.gen | 20161114 |
| Qihoo-360 | HEUR/Malware.QVM03.Gen | 20161115 |
| Rising | Malware.Generic!4lwUnGiFMf@5 (thunder) | 20161115 |
| Sophos AV | Mal/Generic-S | 20161115 |
| SUPERAntiSpyware | Trojan.Agent/Gen-Symmi | 20161115 |
| Symantec | Trojan.ADH.SMH | 20161115 |
| Tencent | Win32.Worm.Ngrbot.Eiva | 20161115 |
| TrendMicro | TROJ_SPNR.11F614 | 20161115 |
| TrendMicro-HouseCall | TROJ_SPNR.11F614 | 20161115 |
| VBA32 | Worm.Ngrbot | 20161115 |
| VIPRE | Trojan.Win32.Generic!BT | 20161115 |
| Yandex | Worm.Ngrbot!Nvx+tRjShGs | 20161114 |
| Zillya | Worm.Ngrbot.Win32.5344 | 20161115 |
| Alibaba | | 20161115 |
| ALYac | | 20161115 |
| Bkav | | 20161112 |
| ClamAV | | 20161115 |
| CMC | | 20161115 |
| DrWeb | | 20161115 |
| Jiangmin | | 20161115 |
| Kingsoft | | 20161115 |
| Malwarebytes | | 20161115 |
| TheHacker | | 20161115 |
| TotalDefense | | 20161115 |
| ViRobot | | 20161115 |
| Zoner | | 20161115 |
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
Packers identified
F-PROT embedded
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2013-02-11 11:28:40
Entry Point 0x000013E4
Number of sections 3
PE sections
Overlays
MD5 133721bdf7a6b19e6e0256c199fb2d32
File type ASCII text
Offset 180224
Size 3149
Entropy 0.00
PE imports
_adj_fdiv_m32, _adj_fdiv_m32i, DllFunctionCall, __vbaVarDup, __vbaEnd, __vbaGenerateBoundsError, _allmul, Ord(516), __vbaPutOwner4, __vbaErase, _adj_fprem, Ord(712), __vbaLenBstr, __vbaFreeStrList, _adj_fpatan, _CIatan, __vbaFreeObjList, Ord(681), __vbaUI1Str, Ord(717), __vbaExceptHandler, __vbaSetSystemError, __vbaFreeVarList, Ord(632), __vbaRedim, __vbaStrCmp, __vbaFPException, __vbaAryVar, __vbaStrVarMove, __vbaFileOpen, Ord(578), __vbaVar2Vec, _adj_fdiv_r, __vbaFreeObj, __vbaFreeVar, __vbaVarTstNe, __vbaChkstk, Ord(619), __vbaMidStmtBstr, __vbaI4Var, __vbaVarLateMemCallLd, Ord(100), __vbaGet3, __vbaHresultCheckObj, __vbaStrVarVal, _CIsin, Ord(711), Ord(606), __vbaStrCopy, __vbaAryLock, _CIcos, Ord(595), EVENT_SINK_QueryInterface, _adj_fptan, Ord(685), __vbaFileClose, Ord(581), __vbaLineInputStr, __vbaAryUnlock, __vbaObjSet, __vbaAryCopy, _CIsqrt, Ord(608), __vbaNew2, Ord(644), __vbaVarCat, _adj_fdivr_m32i, Ord(631), __vbaAryDestruct, _CIexp, __vbaStrMove, _adj_fprem1, _adj_fdivr_m32, __vbaStrCat, Ord(537), _CItan, __vbaFpI4
ExifTool file metadata
MIMEType application/octet-stream
Subsystem Windows GUI
MachineType Intel 386 or later, and compatibles
TimeStamp 2013:02:11 12:28:40+01:00
FileType Win32 EXE
PEType PE32
CodeSize 45056
LinkerVersion 6.22
Warning Error processing PE data dictionary
FileTypeExtension exe
InitializedDataSize 135168
SubsystemVersion 4.476
EntryPoint 0x13e4
OSVersion 4.17757
ImageVersion 45.6
UninitializedDataSize 0
Compressed bundles
File identification
MD5 fdf23ac38eadf4f15e8b768d39c4eee4
SHA1 dd387b1d117466603cd9962ca1d204bffe953d55
SHA256 b274fe7e085a5d2cced12118e1bea56f5147d5f7a38b772d721cf4e60fcddbaa
ssdeep 3072:8pGOpV4mVzsBMAlgqrNCYYIjCpzaaX/CEa:4JV41B5lnrNFXx
authentihash d78d4656398a883d7e13ea24be36bf2a3b153cdfd4c831d50c9fd1452685e6ee
imphash f75bdbc9a4ebe3811b7e0ab26e9b240d
File size 179.1 KB ( 183373 bytes )
File type Win32 EXE
Magic literal PE32 executable for MS Windows (GUI) Intel 80386 32-bit system file
TrID Win32 Executable (generic) (52.9%)
Generic Win/DOS Executable (23.5%)
DOS Executable Generic (23.5%)
Tags peexe usb-autorun overlay
VirusTotal metadata
First submission 2014-05-24 02:43:44 UTC ( 4 years, 10 months ago )
Last submission 2014-10-01 22:56:04 UTC ( 4 years, 5 months ago )
File names 1002-dd387b1d117466603cd9962ca1d204bffe953d55
BF67.exe
fdf23ac38eadf4f15e8b768d39c4eee4
vt-upload-iLk6A
4C7B.exe
Condensed report! The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.
Opened files
Read files
Opened mutexes
Hooking activity
Runtime DLLs
Additional details
The file sends control codes directly to certain device drivers by means of the DeviceIoControl Windows API function.
The file installs an application-defined hook procedure into a hook chain. A hook procedure is installed to monitor the system for certain types of events; these events are associated either with a specific thread or with all threads in the same desktop as the calling thread. This is done by means of the SetWindowsHook Windows API function.