× Cookies are disabled! This site requires cookies to be enabled to work properly
SHA256: bc5c0986903154cd84089a5a37082aed31c86b968b0a12bd06281df84e45c1b0
File name: 2019-01-30-IcedID-retrieved-by-Emotet-infected-host.exe
Detection ratio: 39 / 69
Analysis date: 2019-02-01 03:36:18 UTC ( 1 month, 2 weeks ago ) View latest
Antivirus Result Update
Acronis suspicious 20190130
Ad-Aware Trojan.Autoruns.GenericKDS.41002543 20190131
AegisLab Trojan.Win32.IcedID.4!c 20190131
AhnLab-V3 Trojan/Win32.Banker.C2986132 20190131
ALYac Trojan.IcedID.gen 20190131
Arcabit Trojan.Autoruns.GenericS.D271A62F 20190131
Avast Win32:Malware-gen 20190131
AVG Win32:Malware-gen 20190131
BitDefender Trojan.Autoruns.GenericKDS.41002543 20190131
CrowdStrike Falcon (ML) malicious_confidence_100% (W) 20181023
DrWeb Trojan.Inject3.12534 20190131
Emsisoft Trojan.Autoruns.GenericKDS.41002543 (B) 20190131
Endgame malicious (moderate confidence) 20181108
ESET-NOD32 Win32/Spy.IcedId.H 20190131
Fortinet W32/IcedId.H!tr.spy 20190131
GData Trojan.Autoruns.GenericKDS.41002543 20190131
Ikarus Trojan-Banker.IcedID 20190131
Sophos ML heuristic 20181128
K7AntiVirus Spyware ( 0053a3c61 ) 20190131
K7GW Spyware ( 0053a3c61 ) 20190131
Kaspersky Trojan-Banker.Win32.IcedID.tope 20190131
MAX malware (ai score=83) 20190131
McAfee RDN/PWS-Banker 20190131
McAfee-GW-Edition BehavesLike.Win32.Ransomware.ch 20190131
Microsoft Trojan:Win32/Tiggre!plock 20190131
eScan Trojan.Autoruns.GenericKDS.41002543 20190131
Palo Alto Networks (Known Signatures) generic.ml 20190131
Panda Trj/GdSda.A 20190131
Qihoo-360 Win32/Trojan.9c5 20190131
Rising Spyware.IcedId!8.F061 (CLOUD) 20190131
Sophos AV Mal/Generic-S 20190131
Symantec ML.Attribute.HighConfidence 20190131
TACHYON Banker/W32.IcedID.173056 20190131
Tencent Win32.Trojan-banker.Icedid.Htmt 20190131
Trapmine malicious.high.ml.score 20190123
TrendMicro TROJ_GEN.R045C0WAV19 20190131
TrendMicro-HouseCall TROJ_GEN.R045C0WAV19 20190131
Webroot W32.Rogue.Gen 20190131
ZoneAlarm by Check Point Trojan-Banker.Win32.IcedID.tope 20190131
Alibaba 20180921
Antiy-AVL 20190131
Avast-Mobile 20190130
Avira (no cloud) 20190131
Babable 20180917
Baidu 20190130
Bkav 20190130
CAT-QuickHeal 20190131
ClamAV 20190131
CMC 20190131
Comodo 20190131
Cylance 20190131
Cyren 20190131
eGambit 20190131
F-Prot 20190131
F-Secure 20190131
Jiangmin 20190131
Kingsoft 20190131
Malwarebytes 20190131
NANO-Antivirus 20190131
SentinelOne (Static ML) 20190124
SUPERAntiSpyware 20190130
TheHacker 20190131
TotalDefense 20190131
Trustlook 20190131
VBA32 20190131
ViRobot 20190131
Yandex 20190128
Zillya 20190131
Zoner 20190131
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
FileVersionInfo properties
Copyright
Copyright (c) 2004-2014, MyWebGrocer book coverheat

Original name Creasesalt.exe
Internal name Norgreat
File version 10.3.21.16
Description Norgreat
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2010-01-30 10:24:51
Entry Point 0x0000A7C9
Number of sections 4
PE sections
PE imports
SetSecurityDescriptorDacl
RegDeleteKeyA
LookupPrivilegeValueA
RegCloseKey
StartServiceCtrlDispatcherA
OpenProcessToken
SetServiceStatus
FreeSid
RegQueryValueExA
AllocateAndInitializeSid
InitializeSecurityDescriptor
OpenThreadToken
ControlService
SetEntriesInAclA
RegCreateKeyExA
QueryServiceStatus
RegOpenKeyExA
OpenSCManagerA
RegisterServiceCtrlHandlerA
CreateServiceW
OpenServiceA
CreatePropertySheetPageA
PropertySheetA
Ord(6)
GetOpenFileNameA
ReplaceTextA
GetSaveFileNameA
SetWindowExtEx
ScaleViewportExtEx
OffsetViewportOrgEx
SetViewportExtEx
GetSystemTime
GetLastError
InitializeCriticalSectionAndSpinCount
HeapFree
GetStdHandle
EnterCriticalSection
LCMapStringW
SetHandleCount
GetConsoleCP
GetOEMCP
LCMapStringA
IsDebuggerPresent
GetTickCount
TlsAlloc
GetVersionExA
GetEnvironmentStringsW
FlushFileBuffers
LoadLibraryA
RtlUnwind
GetTimeFormatA
FreeEnvironmentStringsA
DeleteCriticalSection
GetStartupInfoA
GetDateFormatA
GetEnvironmentStrings
GetConsoleMode
GetLocaleInfoA
GetCurrentProcessId
GetConsoleOutputCP
OpenProcess
LockResource
IsValidCodePage
GetWindowsDirectoryA
UnhandledExceptionFilter
TlsGetValue
MultiByteToWideChar
HeapSize
FreeEnvironmentStringsW
GetCPInfo
GetCommandLineA
GetProcAddress
VirtualProtectEx
SetStdHandle
CompareStringW
GetTempPathA
RaiseException
WideCharToMultiByte
GetStringTypeA
SetFilePointer
LeaveCriticalSection
GetModuleHandleA
SetUnhandledExceptionFilter
WriteFile
GetCurrentProcess
CloseHandle
GetSystemTimeAsFileTime
GetACP
HeapReAlloc
GetStringTypeW
GetModuleHandleW
ExitProcess
SetEnvironmentVariableA
TlsFree
TerminateProcess
GetModuleFileNameA
QueryPerformanceCounter
WriteConsoleA
GetTimeZoneInformation
HeapCreate
SetLastError
VirtualFree
InterlockedDecrement
Sleep
GetFileType
TlsSetValue
CreateFileA
HeapAlloc
GetCurrentThreadId
InterlockedIncrement
VirtualAlloc
WriteConsoleW
CompareStringA
PathFindFileNameA
PathAppendA
PathAddBackslashA
PathStripToRootA
IsDestinationReachableA
EndDeferWindowPos
SetFocus
GetWindowTextLengthA
AppendMenuA
DispatchMessageA
InflateRect
SetParent
RegisterHotKey
CallWindowProcA
DrawIcon
IntersectRect
GetClientRect
GetClassInfoExA
GetFocus
GetClassNameA
GetCursorPos
CheckMenuRadioItem
LoadImageA
IsWindowEnabled
ExitWindowsEx
RegisterClassExA
OpenPrinterA
DocumentPropertiesA
ClosePrinter
AddPrinterConnectionA
GetJobA
Number of PE resources by type
RT_ICON 7
RT_GROUP_ICON 1
RT_VERSION 1
RT_MANIFEST 1
Number of PE resources by language
ENGLISH US 10
PE resources
Debug information
ExifTool file metadata
CodeSize
83456

UninitializedDataSize
0

LinkerVersion
9.0

ImageVersion
0.0

FileVersionNumber
10.3.21.16

LanguageCode
English (U.S.)

FileFlagsMask
0x0000

FileDescription
Norgreat

ImageFileCharacteristics
No relocs, Executable, 32-bit

CharacterSet
Unicode

InitializedDataSize
176640

EntryPoint
0xa7c9

OriginalFileName
Creasesalt.exe

MIMEType
application/octet-stream

LegalCopyright
Copyright (c) 2004-2014, MyWebGrocer book coverheat

FileVersion
10.3.21.16

TimeStamp
2010:01:30 11:24:51+01:00

FileType
Win32 EXE

PEType
PE32

InternalName
Norgreat

ProductVersion
10.3.21.16

SubsystemVersion
5.0

OSVersion
5.0

FileOS
Win32

Subsystem
Windows GUI

MachineType
Intel 386 or later, and compatibles

CompanyName
MyWebGrocer

LegalTrademarks
Norgreat freshschool thousand

FileSubtype
0

ProductVersionNumber
10.3.21.16

FileTypeExtension
exe

ObjectFileType
Executable application

File identification
MD5 28cf5ebe7cca4f596abdada5d2ab23b0
SHA1 73702b3237015aa3db0123c1f9cae2d95f437ba5
SHA256 bc5c0986903154cd84089a5a37082aed31c86b968b0a12bd06281df84e45c1b0
ssdeep
3072:7HogBAhpeZN1IJ5w+SZQN8ZyTIdyIU55+nrHUN5HDpCfsz:7HmhQZ/2GQi4TImSrHyFCfsz

authentihash 66e2dacae79f49f8388655cc0d1b1ddf0786fb3a42acfc041cfb8d1257a71acd
imphash 3e55c8a6565f754f7970a2c24c375ddb
File size 169.0 KB ( 173056 bytes )
File type Win32 EXE
Magic literal
PE32 executable for MS Windows (GUI) Intel 80386 32-bit

TrID Win32 Executable MS Visual C++ (generic) (41.0%)
Win64 Executable (generic) (36.3%)
Win32 Dynamic Link Library (generic) (8.6%)
Win32 Executable (generic) (5.9%)
OS/2 Executable (generic) (2.6%)
Tags
peexe

VirusTotal metadata
First submission 2019-01-31 05:41:30 UTC ( 1 month, 3 weeks ago )
Last submission 2019-02-26 11:07:44 UTC ( 3 weeks, 4 days ago )
File names 2019-01-30-IcedID-retrieved-by-Emotet-infected-host.exe
28cf5ebe7cca4f596abdada5d2ab23b0.virobj
2019-01-30-IcedID-retrieved-by-Emotet-infected-host.exe
73702b3237015aa3db0123c1f9cae2d95f437ba5
Creasesalt.exe
Norgreat
Advanced heuristic and reputation engines
No comments. No VirusTotal Community member has commented on this item yet, be the first one to do so!

Leave your comment...

?
Post comment

You have not signed in. Only registered users can leave comments, sign in and have a voice!

No votes. No one has voted on this item yet, be the first one to do so!
Condensed report! The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.