SHA256: bd6b9940e87be866fd8cb893769c51a3e4266452f97270a97bc13685b420d308
File name: Romes
Detection ratio: 53 / 62
Analysis date: 2017-03-20 10:25:46 UTC
Engine | Result | Update
Ad-Aware | Trojan.GenericKD.3666825 | 20170320
AegisLab | Uds.Dangerousobject.Multi!c | 20170320
AhnLab-V3 | Trojan/Win32.Inject.C1671418 | 20170319
ALYac | Trojan.GenericKD.3666825 | 20170319
Antiy-AVL | Trojan[Banker]/Win32.Emotet.fx | 20170320
Arcabit | Trojan.Generic.D37F389 | 20170320
Avast | Win32:Malware-gen | 20170320
AVG | Generic_vb.NLO | 20170320
Avira (no cloud) | TR/Zbot.cdmf | 20170320
AVware | Trojan.Win32.Generic.pak!cobra | 20170320
Baidu | Win32.Trojan.WisdomEyes.16070401.9500.9794 | 20170320
BitDefender | Trojan.GenericKD.3666825 | 20170320
CAT-QuickHeal | Backdoor.Androm | 20170320
Comodo | UnclassifiedMalware | 20170320
CrowdStrike Falcon (ML) | malicious_confidence_100% (W) | 20170130
Cyren | W32/Androm.WUNW-6165 | 20170320
DrWeb | Trojan.Packed2.39204 | 20170320
Emsisoft | Trojan.GenericKD.3666825 (B) | 20170320
Endgame | malicious (high confidence) | 20170317
ESET-NOD32 | Win32/Spy.Zbot.ACM | 20170320
F-Prot | W32/Androm.JJ | 20170320
F-Secure | Trojan.GenericKD.3666825 | 20170320
Fortinet | W32/Agent.D63E!tr | 20170320
GData | Win32.Trojan.Agent.0N3COW | 20170320
Ikarus | Trojan-Spy.Agent | 20170320
Invincea | virtool.win32.vbinject.rt | 20170203
Jiangmin | Trojan.VB.wrp | 20170320
K7AntiVirus | Trojan ( 004fc3651 ) | 20170320
K7GW | Trojan ( 004fc3651 ) | 20170320
Kaspersky | Trojan-Banker.Win32.Emotet.fx | 20170320
Malwarebytes | Trojan.MalPack.VB | 20170320
McAfee | Generic.zv | 20170320
McAfee-GW-Edition | BehavesLike.Win32.Dropper.dc | 20170320
Microsoft | VirTool:Win32/VBInject.AGW | 20170320
eScan | Trojan.GenericKD.3666825 | 20170320
NANO-Antivirus | Trojan.Win32.Packed2.eigueu | 20170320
Palo Alto Networks (Known Signatures) | generic.ml | 20170320
Panda | Trj/WLT.C | 20170319
Qihoo-360 | Win32/Trojan.Multi.daf | 20170320
SentinelOne (Static ML) | static engine - malicious | 20170315
Sophos | Troj/VB-JHL | 20170320
Symantec | Trojan Horse | 20170319
Tencent | Win32.Backdoor.Androm.Hvaa | 20170320
TrendMicro | TSPY_ZBOT.YUYATN | 20170320
TrendMicro-HouseCall | TSPY_ZBOT.YUYATN | 20170320
VBA32 | Backdoor.Androm | 20170317
VIPRE | Trojan.Win32.Generic.pak!cobra | 20170320
ViRobot | Backdoor.Win32.Agent.211358[h] | 20170320
Webroot | W32.Trojan.Gen | 20170320
Yandex | TrojanSpy.Zbot!R8ViDIluB4k | 20170318
Zillya | Trojan.Spy.Win32.2227 | 20170317
ZoneAlarm by Check Point | Trojan-Banker.Win32.Emotet.fx | 20170320
Zoner | Trojan.Zbot | 20170320
Alibaba | (no detection) | 20170320
Bkav | (no detection) | 20170318
ClamAV | (no detection) | 20170320
CMC | (no detection) | 20170317
Kingsoft | (no detection) | 20170320
nProtect | (no detection) | 20170320
Rising | (no detection) | 20170318
SUPERAntiSpyware | (no detection) | 20170320
TheHacker | (no detection) | 20170318
TotalDefense | (no detection) | 20170320
Trustlook | (no detection) | 20170320
WhiteArmor | (no detection) | 20170315
The 53 labels agree on little beyond "trojan". Kaspersky, ZoneAlarm and Antiy-AVL say Emotet; ESET, Avira, TrendMicro, Yandex and Zoner say Zbot; Cyren, F-Prot, CAT-QuickHeal, VBA32 and Tencent say Androm; Microsoft, Invincea, Malwarebytes, Sophos, Jiangmin and AVG name the Visual Basic packer rather than any payload. Read the table as "VB-packed loader, payload family unconfirmed" and establish the family from the unpacked sample or its behaviour, not from a vote of the signature names.
The file being studied is a Portable Executable file; more specifically, a Win32 EXE for the Windows GUI subsystem.
FileVersionInfo properties
Product: Manicor
Original name: Romes.exe
Internal name: Romes
File version: 1.00.0127
Description: Tan writes with breath-catching poise and grace, linguistic refinement and searching
Comments: Today's DealsGift Cards & Registry SellHelp
The version strings are not a product identity: the description is a fragment of a book review, the comments are web-shop navigation text, and the company name in the ExifTool block further down ("Flash accofe") is equally meaningless. Filler of this kind is typical of automatically generated crypter stubs; the strings are worth keeping as a pivot for finding sibling samples, but they say nothing about who built the file.
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2016-11-03 07:43:11
Entry Point 0x00001130
Number of sections 3
PE sections
Overlays
MD5 d5b47855de5a640cfad74eeee3e2419a
File type data
Offset 86016
Size 125342
Entropy 7.71
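The overlay figures above can be checked without VirusTotal. The following Python is an added example, not part of the report or of any VirusTotal tooling: it walks the section table to find where the overlay starts (the end of the last section's raw data), measures the overlay's entropy and its share of the file, and applies an assumed triage threshold. The sample PE and its overlay are constructed inline; the report's own numbers appear only in the consistency check (86016 + 125342 = 211358, the entire file, so 59% of this sample is a high-entropy blob appended after the last section).

```python
"""Locate a PE overlay and characterise it (standard library only; no pefile).

The section-table walk is the computation behind an "Overlays: Offset/Size/
Entropy" line in a report. The PE built by build_sample_pe() is constructed
for this demonstration and is not the file from the report.
"""
import hashlib
import math
import random
import struct
from collections import Counter


def pe_overlay_offset(data: bytes) -> int:
    """Overlay start = end of the last section's raw data on disk."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size                          # first IMAGE_SECTION_HEADER
    end = 0
    for i in range(num_sections):
        entry = table + 40 * i
        size_raw, ptr_raw = struct.unpack_from("<II", data, entry + 16)
        end = max(end, ptr_raw + size_raw)
    return min(end, len(data))                            # truncated file: no overlay


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte, from 0.0 (constant) to 8.0 (uniform)."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def describe_overlay(data: bytes) -> dict:
    """The figures a report lists for the overlay, plus its share of the file."""
    off = pe_overlay_offset(data)
    ov = data[off:]
    return {
        "offset": off,
        "size": len(ov),
        "md5": hashlib.md5(ov).hexdigest(),
        "entropy": round(shannon_entropy(ov), 2),
        "fraction": round(len(ov) / len(data), 3),
    }


def is_suspicious_overlay(info: dict) -> bool:
    """Assumed triage thresholds: a large, near-random overlay is usually an
    encrypted or compressed payload that the stub decodes at run time."""
    return info["size"] > 0 and info["entropy"] >= 7.0 and info["fraction"] >= 0.2


def overlay_consistent(offset: int, size: int, file_size: int) -> bool:
    """Reported overlay offset and size should account for the rest of the file."""
    return offset + size == file_size


def build_sample_pe(overlay: bytes) -> bytes:
    """Constructed minimal PE32 image: MZ stub, PE signature, COFF header,
    224-byte optional header, three sections ending at 0x1000, then the overlay."""
    opt_size, e_lfanew = 224, 0x40
    sections = [(b".text", 0x400, 0x600), (b".data", 0xA00, 0x400), (b".rsrc", 0xE00, 0x200)]
    img = bytearray(b"MZ" + b"\0" * (e_lfanew - 2))
    struct.pack_into("<I", img, 0x3C, e_lfanew)
    img += b"PE\0\0"
    # Machine, NumberOfSections, TimeDateStamp, PtrSymTab, NumSyms, SizeOfOptionalHeader, Characteristics
    img += struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x010F)
    img += struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)   # PE32 magic, rest zeroed
    for name, ptr, size in sections:
        # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, 16 bytes of relocs/flags
        img += name.ljust(8, b"\0") + struct.pack("<IIII", size, ptr, size, ptr) + b"\0" * 16
    img += b"\0" * (max(p + s for _, p, s in sections) - len(img))   # zero-filled section bodies
    return bytes(img) + overlay


# Constructed overlay: 2 KiB of seeded pseudo-random bytes standing in for an encrypted payload.
_rng = random.Random(2017)
SAMPLE_OVERLAY = bytes(_rng.getrandbits(8) for _ in range(2048))
SAMPLE_PE = build_sample_pe(SAMPLE_OVERLAY)

if __name__ == "__main__":
    info = describe_overlay(SAMPLE_PE)
    print(info, "suspicious" if is_suspicious_overlay(info) else "benign-looking")
    # Figures from the report above: 86016 + 125342 == 211358, the whole file.
    print("report overlay accounts for the file:", overlay_consistent(86016, 125342, 211358))
```

Run against the real sample, describe_overlay() should reproduce the report's offset 86016 and overlay MD5 d5b47855de5a640cfad74eeee3e2419a. An overlay with entropy 7.71 that makes up 59% of a 206 KB VB6 executable is most likely the encrypted payload the stub decodes at run time, which is also why the engines above cannot agree on a family from the static file alone.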
PE imports
The extract omits the module name, but every symbol below is an export of MSVBVM60.DLL, the Visual Basic 6 runtime, consistent with the TrID result and the VB-oriented detection names: EVENT_SINK_QueryInterface, Ord(645), Ord(648), Ord(685), Ord(594), Ord(689), Ord(663), EVENT_SINK_AddRef, Ord(707), Ord(717), Ord(583), __vbaExceptHandler, Ord(632), MethCallEngine, DllFunctionCall, Ord(578), Ord(552), Ord(100), Ord(520), Ord(571), ProcCallEngine, Ord(711), Ord(606), EVENT_SINK_Release, Ord(706), Ord(593), Ord(581), Ord(582), Ord(545).
Most entries are ordinal imports, as VB6 binaries normally produce. The import table therefore says nothing about the Win32 APIs the program actually calls: VB6 code reaches them at run time through DllFunctionCall, so both a static import review and the imphash describe the runtime stub, not the behaviour.
Number of PE resources by type
RT_ICON 4
RT_VERSION 1
RT_GROUP_ICON 1
Number of PE resources by language
NEUTRAL 5
ENGLISH US 1
PE resources
ExifTool file metadata
LegalTrademarks: This duality invests the novel with a climate of doubt; a mood - as with Aritomo
SubsystemVersion: 4.0
Comments: Today's DealsGift Cards & Registry SellHelp
LinkerVersion: 6.0
ImageVersion: 1.0
FileSubtype: 0
FileVersionNumber: 1.0.0.127
LanguageCode: English (U.S.)
FileFlagsMask: 0x0000
FileDescription: Tan writes with breath-catching poise and grace, linguistic refinement and searching
CharacterSet: Unicode
InitializedDataSize: 45056
EntryPoint: 0x1130
OriginalFileName: Romes.exe
MIMEType: application/octet-stream
FileVersion: 1.00.0127
TimeStamp: 2016:11:03 08:43:11+01:00 (ExifTool renders the PE timestamp in its host's time zone; this is the same 2016-11-03 07:43:11 UTC compilation timestamp shown in the PE header section)
FileType: Win32 EXE
PEType: PE32
InternalName: Romes
ProductVersion: 1.00.0127
UninitializedDataSize: 0
OSVersion: 4.0
FileOS: Win32
Subsystem: Windows GUI
MachineType: Intel 386 or later, and compatibles
CompanyName: Flash accofe
CodeSize: 61440
ProductName: Manicor
ProductVersionNumber: 1.0.0.127
FileTypeExtension: exe
ObjectFileType: Executable application

Compressed bundles
File identification
MD5 2f9cdc2a7ce846fe626e47451f7fd63e
SHA1 b8fcbf49aac665f338f1d3f8dd2120a2d987006e
SHA256 bd6b9940e87be866fd8cb893769c51a3e4266452f97270a97bc13685b420d308
ssdeep 6144:hgFOOOaOOOvfbXfKl2sxgobNVR4eg5rR85:+iDv1sxDbNVsG
authentihash 7aafb44ad14b2d3f675ad8cf8b2db6aabe5abfb0bde4d81f6814d16a9b8215f4
imphash 3341a62b87005e8f855678e871cab613
File size 206.4 KB ( 211358 bytes )
File type Win32 EXE
Magic literal PE32 executable for MS Windows (GUI) Intel 80386 32-bit
TrID Win32 Executable Microsoft Visual Basic 6 (90.6%)
Win32 Executable (generic) (4.9%)
Generic Win/DOS Executable (2.2%)
DOS Executable Generic (2.2%)
Tags peexe overlay
VirusTotal metadata
First submission 2016-11-03 08:31:46 UTC
Last submission 2017-03-16 02:34:09 UTC
File names 2f9cdc2a7ce846fe626e47451f7fd63e.exe
MultiplePaste.v2.2.exe
b8fcbf49aac665f338f1d3f8dd2120a2d987006e
Romes
8638549_M01.pdf8638549_D01_flat.pdf.exe.bin
Romes.exe
The first submission came 48 minutes after the compilation timestamp (2016-11-03 07:43:11 UTC). One submitted name, 8638549_M01.pdf8638549_D01_flat.pdf.exe, is a double-extension lure of the kind used for e-mail attachments; it is the only delivery hint this report carries.
Advanced heuristic and reputation engines
Condensed report. The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were performed either by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.
Opened files: no entries in this report
Read files: no entries in this report
Deleted files: no entries in this report
Runtime DLLs: no entries in this report
UDP communications: no entries in this report
Hooking activity
The file installs an application-defined hook procedure into a hook chain, which is done with the SetWindowsHookEx function in user32.dll (the report's canned description calls it SetWindowsHook, the obsolete name). A hook procedure monitors the system for certain types of events, associated either with a specific thread or with all threads in the same desktop as the calling thread. Installing a hook procedure that lives in a DLL is also a well-known way to get that DLL loaded into other processes, so this observation fits the injector-style names in the detection table (VirTool:Win32/VBInject.AGW, Trojan/Win32.Inject.C1671418). The summary does not record which hook type was installed or which process, if any, received injected code; confirming that requires the full sandbox trace or a run with API monitoring on SetWindowsHookEx and its hook-type argument.