× Cookies are disabled! This site requires cookies to be enabled to work properly
SHA256: bb60e72387030c957226e173de173a97241dec0a46c1d4aa3194ecd0257d185b
File name: DHL-Label.exe
Detection ratio: 12 / 45
Analysis date: 2013-04-23 00:57:34 UTC ( 12 months ago ) View latest
Antivirus Result Update
BitDefender Trojan.GenericKD.959766 20130423
Commtouch W32/Trojan.DNYJ-8339 20130423
Emsisoft Trojan.GenericKD.959766 (B) 20130423
Fortinet W32/Kryptik.AX!tr 20130423
GData Trojan.GenericKD.959766 20130423
Ikarus Trojan.Crypt 20130423
Kaspersky Backdoor.Win32.Androm.pta 20130423
McAfee-GW-Edition Heuristic.LooksLike.Win32.Suspicious.F!81 20130422
MicroWorld-eScan Trojan.GenericKD.959766 20130423
TheHacker Posible_Worm32 20130422
TrendMicro-HouseCall TROJ_GEN.F47V0422 20130423
eSafe Suspicious File 20130418
AVG 20130423
Agnitum 20130422
AhnLab-V3 20130422
AntiVir 20130422
Antiy-AVL 20130422
ByteHero 20130418
CAT-QuickHeal 20130422
ClamAV 20130423
Comodo 20130423
DrWeb 20130423
ESET-NOD32 20130422
F-Prot 20130422
F-Secure 20130423
Jiangmin 20130422
K7AntiVirus 20130422
K7GW 20130422
Kingsoft 20130422
Malwarebytes 20130423
McAfee 20130423
Microsoft 20130423
NANO-Antivirus 20130423
Norman 20130422
PCTools 20130422
Panda 20130422
SUPERAntiSpyware 20130423
Sophos 20130423
Symantec 20130423
TotalDefense 20130422
TrendMicro 20130423
VBA32 20130422
VIPRE 20130423
ViRobot 20130422
nProtect 20130422
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
Authenticode signature block
Copyright
Edgy 2002 2007

Publisher H%oq#
Original name Gang.exe
File version 3, 3, 1
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2007-11-07 16:51:40
Entry Point 0x0018A670
Number of sections 3
PE sections
PE imports
LsaGetRemoteUserName
VirtualFree
ExitProcess
VirtualProtect
LoadLibraryA
VirtualAlloc
GetProcAddress
EndDialog
Number of PE resources by type
RT_DLGINCLUDE 15
RT_DIALOG 12
RT_ICON 2
RT_GROUP_ICON 1
RT_VERSION 1
Number of PE resources by language
NEUTRAL DEFAULT 31
ExifTool file metadata
N5YwKBAulTJUUnWW8ju7
6JxvwpYeaWGQk

UninitializedDataSize
1564672

Tag5tsIqwfMunMe4bpderR
JmhLC5nLlU

InitializedDataSize
12288

fYGRiarf3CrNYwX
7imWFQYD5pY1xUXKJilK

ImageVersion
0.0

GFaGM1GapC23GeDVl
j3qE4kPbcTGj

FileVersionNumber
3.3.0.0

LanguageCode
English (U.S.)

FileFlagsMask
0x003f

CharacterSet
Unicode

qcvUg5tX6W
jp5kvmv56M

LinkerVersion
5.0

OriginalFilename
Gang.exe

rhx1F1nOQ47l5Kx
e43gcFd7o7YEjkBCQ

x8ROYKgFYI823ft
FRtB7iGqmvSoVGKU

Subsystem
Windows GUI

FileVersion
3, 3, 1

TimeStamp
2007:11:07 17:51:40+01:00

FileType
Win32 EXE

PEType
PE32

ProductVersion
3 3 541

SubsystemVersion
4.0

OSVersion
4.0

FileOS
Windows NT 32-bit

NIx28MsDMo
QhRm8njucR

LegalCopyright
Edgy 2002 2007

MachineType
Intel 386 or later, and compatibles

CompanyName
H%oq#

CodeSize
49152

FileSubtype
0

ProductVersionNumber
3.3.0.0

EntryPoint
0x18a670

ObjectFileType
Executable application

MIMEType
application/octet-stream

CarbonBlack CarbonBlack acts as a surveillance camera for computers
While monitoring an end-user machine in-the-wild, CarbonBlack noticed the following files in execution wrote this sample to disk.
Compressed bundles
File identification
MD5 85f908a5bd0ada2d72d138e038aecc7d
SHA1 017e82b1074dd210c0c41c8129d81e577d3c121b
SHA256 bb60e72387030c957226e173de173a97241dec0a46c1d4aa3194ecd0257d185b
ssdeep
1536:/LCYucodrjf+alIjV4wEwcVwg4vBB78zqbR7I:/LCYucmuaqjiwETV87Y

File size 56.0 KB ( 57344 bytes )
File type Win32 EXE
Magic literal
PE32 executable for MS Windows (GUI) Intel 80386 32-bit

TrID Win32 Dynamic Link Library (generic) (43.5%)
Win32 Executable (generic) (29.8%)
Generic Win/DOS Executable (13.2%)
DOS Executable Generic (13.2%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
Tags
peexe

VirusTotal metadata
First submission 2013-04-22 20:16:53 UTC ( 12 months ago )
Last submission 2014-01-07 17:01:14 UTC ( 3 months, 1 week ago )
File names Andromeda_85F908A5BD0ADA2D72D138E038AECC7D_DHL-LABEL-ID-2456-8344-5362-5466.exe_
Andromeda_85F908A5BD0ADA2D72D138E038AECC7D_DHL-LABEL-ID-2456-8344-5362-5466.exe_.exe-8637452-1376710686-tmp
dxrmdlwc.exe2b5bc0da
a0167708.exe2ffef366
DHL-Label.exe
Gang.exe
Andromeda_85F908A5BD0ADA2D72D138E038AECC7D_DHL-LABEL-ID-2456-8344-5362-5466.exe
dxqfoceda.exe_1367248509.arl
a0167708.exe.994c82d830b590c7
file-5411261_exe
Andromeda_85F908A5BD0ADA2D72D138E038AECC7D_DHL-LABEL-ID-2456-8344-5362-5466.exe_
85f908a5bd0ada2d72d138e038aecc7d.virus
svchost.exe
DHLLABELID24568344536254661.exe
85F908A5BD0ADA2D72D138E038AECC7D
a0167783.exe587e3aa4
dxrmdlwc.exe
NCW-1077033057-2-0-3-DHL-LABEL-ID-2456-8344-5362-5466.exe
85f908a5bd0ada2d72d138e038aecc7d
DHL-LABEL-ID-2456-8344-5362-5466.exe
a0167783.exe.339d84e456996d3e
Advanced heuristic and reputation engines
ClamAV PUA
Possibly Unwanted Application. While not necessarily malicious, the scanned file presents certain characteristics which depending on the user policies and environment may or may not represent a threat. For full details see: http://www.clamav.net/index.php?s=pua&lang=en .

Symantec reputation Suspicious.Insight
No comments. No VirusTotal Community member has commented on this item yet, be the first one to do so!

Leave your comment...

?
Post comment

You have not signed in. Only registered users can leave comments, sign in and have a voice!

No votes. No one has voted on this item yet, be the first one to do so!
Condensed report! The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.
Opened files
Copied files
Set keys
Runtime DLLs
UDP communications