Antivirus scan for b8442e623761d0e255b760ce3eef233fb03992cde8c1ea58f962b65897745ecd at 2018-06-12 07:12:34 UTC

Antivirus	Result	Update
Ad-Aware	Gen:Variant.Razy.325512	20180612
AegisLab	Troj.W32.Generic!c	20180612
AhnLab-V3	Trojan/Win32.Emotet.R228517	20180612
ALYac	Gen:Variant.Razy.325512	20180612
Antiy-AVL	Trojan[Banker]/Win32.Emotet	20180612
Avast	Win32:Malware-gen	20180612
AVG	Win32:Malware-gen	20180612
Avira (no cloud)	HEUR/AGEN.1023999	20180612
Babable	Malware.HighConfidence	20180406
Baidu	Win32.Trojan.WisdomEyes.16070401.9500.9999	20180612
Bkav	HW32.Packed.C56B	20180611
CrowdStrike Falcon (ML)	malicious_confidence_100% (W)	20180530
Cybereason	malicious.81ec4b	20180225
Cylance	Unsafe	20180612
Cyren	W32/Trojan.XXUZ-7111	20180612
DrWeb	Trojan.EmotetENT.224	20180612
Emsisoft	Gen:Variant.Razy.325512 (B)	20180612
Endgame	malicious (high confidence)	20180507
ESET-NOD32	a variant of Win32/Kryptik.GHAB	20180612
Fortinet	W32/Kryptik.GGRP!tr	20180612
Ikarus	Win32.Outbreak	20180611
Sophos ML	heuristic	20180601
Jiangmin	Trojan.Banker.Emotet.avr	20180612
K7AntiVirus	Trojan ( 005320b01 )	20180612
K7GW	Trojan ( 005320b01 )	20180612
Kaspersky	HEUR:Trojan.Win32.Generic	20180612
Malwarebytes	Spyware.Emotet	20180612
MAX	malware (ai score=99)	20180612
McAfee	Artemis!009011C6F3C3	20180612
McAfee-GW-Edition	BehavesLike.Win32.VTFlooder.cc	20180612
Microsoft	Trojan:Win32/Fuerboos.A!cl	20180612
eScan	Gen:Variant.Razy.325512	20180612
NANO-Antivirus	Trojan.Win32.Emotet.fcqnzz	20180612
Panda	Trj/CI.A	20180611
Qihoo-360	Win32/Trojan.ace	20180612
SentinelOne (Static ML)	static engine - malicious	20180225
Sophos AV	Mal/EncPk-ANX	20180612
Symantec	Packed.Generic.517	20180612
Tencent	Win32.Trojan.Generic.Dkq	20180612
TrendMicro	TSPY_HPEMOTET.SMAL8	20180612
TrendMicro-HouseCall	TSPY_HPEMOTET.SMAL8	20180612
VBA32	BScope.TrojanBanker.Emotet	20180611
ZoneAlarm by Check Point	HEUR:Trojan.Win32.Generic	20180612
Alibaba		20180612
Arcabit		20180612
Avast-Mobile		20180611
AVware		20180612
BitDefender		20180612
CAT-QuickHeal		20180612
ClamAV		20180612
CMC		20180611
Comodo		20180612
eGambit		20180612
F-Prot		20180612
GData		20180612
Kingsoft		20180612
Palo Alto Networks (Known Signatures)		20180612
Rising		20180612
SUPERAntiSpyware		20180612
Symantec Mobile Insight		20180605
TACHYON		20180612
TheHacker		20180608
TotalDefense		20180612
Trustlook		20180612
VIPRE		20180612
ViRobot		20180612
Webroot		20180612
Yandex		20180609
Zoner		20180612

The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.

PE header basic information

Target machine Intel 386 or later processors and compatible processors

Compilation timestamp 2018-05-20 02:50:10

Entry Point 0x00001403

Number of sections 8

PE sections

Name Virtual address Virtual size Raw size Entropy MD5

.text 4096 11426 11776 6.17 9b093cea876c25009260e6e92c51a46e

.crt1 16384 1232 1536 5.30 2f32f134a8403d38d10274b088db2b93

.pdata 20480 1544 2048 4.17 9c801b080d78faf87392f4207ce7ab42

.rdata 24576 19316 15360 6.26 1463f24a9ee3fd45aaffda1350dc70b0

.A 45056 72271 72704 7.18 2f3e13468171c68a951596aaca60a2d7

.CRT2 118784 30974 31232 7.27 7074f2650c2ecc45c9339df7e12dfccb

.rsrc 151552 536 1024 0.00 0f343b0931126a20f133d67c2b018a3b

.CRT0 155648 908 1024 0.27 c12b5e69f97f6a14ed250e44a3cc7424

PE imports

Debug information

Type Timestamp Offset Size

IMAGE_DEBUG_TYPE_COFF (1) Sun May 20 02:50:10 2018 14872 33 Bytes

12 (12) Sun May 20 02:50:10 2018 14996 20 Bytes

ExifTool file metadata

MIMEType

application/octet-stream

Subsystem

Windows GUI

MachineType

Intel 386 or later, and compatibles

TimeStamp

2018:05:20 04:50:10+02:00

FileType

Win32 EXE

PEType

PE32

CodeSize

13312

LinkerVersion

12.1

FileTypeExtension

exe

InitializedDataSize

127488

SubsystemVersion

5.0

EntryPoint

0x1403

OSVersion

5.0

ImageVersion

0.0

UninitializedDataSize

File identification

MD5 009011c6f3c3b579f092bc7567251a1b

SHA1 dfd916281ec4b2ebe7c515929c4c7af3571e8910

SHA256 b8442e623761d0e255b760ce3eef233fb03992cde8c1ea58f962b65897745ecd

ssdeep

1536:L4JC4mBArA414NcvkNO6ukZUU0gLSFrx5lis/DRjetS1kZiKX1bGPu3o5N7fR:LNCScyukTjWFNB8S1Yik8u30N

authentihash 202e4e12375a3a470e7948fd4bf04b0f3908871b41dedc62084bde185129bbe1

imphash 52c95df56b03d40a2713765654e9b772

File size 134.5 KB ( 137728 bytes )

File type Win32 EXE

Magic literal

PE32 executable for MS Windows (GUI) Intel 80386 32-bit

TrID	Win32 Dynamic Link Library (generic) (38.4%) Win32 Executable (generic) (26.3%) OS/2 Executable (generic) (11.8%) Generic Win/DOS Executable (11.6%) DOS Executable Generic (11.6%)

VirusTotal metadata

First submission 2018-06-11 18:43:00 UTC ( 8 months, 2 weeks ago )

Last submission 2018-06-12 07:12:34 UTC ( 8 months, 2 weeks ago )

Condensed report! The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.

Opened files

C:\b8442e623761d0e255b760ce3eef233fb03992cde8c1ea58f962b65897745ecd (successful)

\\.\PIPE\lsarpc (successful)

C:\WINDOWS\system32\winsock.dll (successful)

C:\WINDOWS\system32\drwtsn32.exe (successful)

C:\WINDOWS\system32\netmsg.dll (successful)

Read files

C:\WINDOWS\system32\winsock.dll (successful)

Created processes

C:\WINDOWS\system32\drwtsn32 -p 240 -e 172 -g (successful)

Opened mutexes

ShimCacheMutex (successful)

Runtime DLLs

rpcrt4.dll (successful)

shlwapi.dll (successful)

version.dll (successful)

shell32.dll (successful)

advapi32.dll (successful)

ntdll.dll (successful)

kernel32.dll (successful)

SHA256:	b8442e623761d0e255b760ce3eef233fb03992cde8c1ea58f962b65897745ecd
File name:	b8442e623761d0e255b760ce3eef233fb03992cde8c1ea58f962b65897745ecd
Detection ratio:	43 / 67
Analysis date:	2018-06-12 07:12:34 UTC ( 8 months, 2 weeks ago )

Ciphered bundle