SHA256: bdcfcc63909e7da2085172867ef762041fe83713db2a199085497bd4d44aa86b
File name: a184013923368f6ef4f68d82c4d6707eaf592179_sisi.ex
Detection ratio: 46 / 54
Analysis date: 2015-10-26 21:02:22 UTC ( 1 year, 8 months ago )
Antivirus Result Update
Yandex TrojanSpy.Zbot!RYPFtgFQxTQ 20151026
AhnLab-V3 Spyware/Win32.Zbot 20151026
ALYac Trojan.Dropper.VQF 20151027
Antiy-AVL Trojan[Spy]/Win32.Zbot 20151027
Arcabit Trojan.Dropper.VQF 20151027
Avast Win32:Downloader-TJN [Trj] 20151027
AVG PSW.Generic11.TEO 20151026
Avira (no cloud) TR/PSW.Zbot.11349 20151027
AVware Trojan.Win32.Generic!BT 20151026
Baidu-International Trojan.Win32.Zbot.luzr 20151026
BitDefender Trojan.Dropper.VQF 20151027
Bkav W32.Clodefc.Trojan.5d17 20151026
CAT-QuickHeal TrojanSpy.Zbot.r6 20151026
CMC Backdoor.Win32.Androm!O 20151026
Comodo UnclassifiedMalware 20151027
Cyren W32/Trojan.DFDQ-0408 20151027
DrWeb Trojan.PWS.Wsgame.40830 20151027
Emsisoft Trojan.Dropper.VQF (B) 20151027
ESET-NOD32 Win32/Spy.Zbot.AAO 20151027
F-Prot W32/Trojan2.NXBK 20151027
F-Secure Trojan.Dropper.VQF 20151027
GData Trojan.Dropper.VQF 20151027
Ikarus Trojan.Inject 20151027
Jiangmin TrojanSpy.Zbot.eczh 20151026
K7AntiVirus Riskware ( 0040eff71 ) 20151026
K7GW Riskware ( 0040eff71 ) 20151026
Kaspersky Trojan-Spy.Win32.Zbot.luzr 20151027
Malwarebytes Trojan.Agent.ED 20151026
McAfee PWS-Zbot-FBAX!480631B75528 20151027
McAfee-GW-Edition BehavesLike.Win32.CryptDoma.fc 20151027
Microsoft PWS:Win32/Zbot 20151027
eScan Trojan.Dropper.VQF 20151027
NANO-Antivirus Trojan.Win32.Zbot.crkzkf 20151026
nProtect Trojan-Spy/W32.ZBot.313680 20151026
Panda Trj/Dtcontx.E 20151026
Rising PE:Malware.Generic/QRS!1.9E2D [F] 20151026
Sophos Mal/Cleaman-B 20151027
Symantec Trojan.Zbot 20151026
Tencent Win32.Trojan-spy.Zbot.Pavm 20151027
TotalDefense Win32/Zbot.HIQ 20151026
TrendMicro TROJ_SPNR.14FC13 20151027
TrendMicro-HouseCall TROJ_SPNR.14FC13 20151027
VBA32 TrojanPSW.Tepfer 20151026
VIPRE Trojan.Win32.Generic!BT 20151027
Zillya Trojan.OnLineGames.Win32.176352 20151026
Zoner Trojan.Zbot.AAO 20151026
AegisLab (no detection) 20151026
Alibaba (no detection) 20151026
ByteHero (no detection) 20151027
ClamAV (no detection) 20151027
Fortinet (no detection) 20151026
SUPERAntiSpyware (no detection) 20151027
TheHacker (no detection) 20151026
ViRobot (no detection) 20151026
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
Packers identified
PEiD Armadillo v1.71
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2013-05-22 18:49:15
Entry Point 0x00001550
Number of sections 6
PE sections
Overlays
MD5 09589168547fa6863c20c5b3a53d6c89
File type data
Offset 303104
Size 10576
Entropy 7.69
PE imports
HeapFree
GetStdHandle
LCMapStringW
SetHandleCount
GetOEMCP
LCMapStringA
HeapDestroy
HeapAlloc
GetEnvironmentStringsW
GetModuleFileNameA
RtlUnwind
LoadLibraryA
FreeEnvironmentStringsA
GetStartupInfoA
GetEnvironmentStrings
WideCharToMultiByte
UnhandledExceptionFilter
MultiByteToWideChar
FreeEnvironmentStringsW
GetCommandLineA
GetProcAddress
GetCPInfo
GetStringTypeA
GetModuleHandleA
WriteFile
GetCurrentProcess
GetACP
HeapReAlloc
GetStringTypeW
TerminateProcess
HeapCreate
VirtualFree
GetFileType
ExitProcess
GetVersion
VirtualAlloc
GetMessageA
UpdateWindow
EndDialog
BeginPaint
PostQuitMessage
DefWindowProcA
ShowWindow
GetSystemMetrics
DispatchMessageA
EndPaint
TranslateMessage
DialogBoxParamA
RegisterClassExA
LoadStringA
GetClientRect
InvalidateRect
LoadAcceleratorsA
CreateWindowExA
LoadCursorA
LoadIconA
TranslateAcceleratorA
DestroyWindow
Number of PE resources by type
RT_ICON 9
RT_GROUP_ICON 2
RT_DIALOG 1
Struct(498) 1
RT_MENU 1
RT_ACCELERATOR 1
Number of PE resources by language
NEUTRAL 9
ENGLISH US 5
ARABIC NEUTRAL 1
PE resources
ExifTool file metadata
MIMEType application/octet-stream
Subsystem Windows GUI
MachineType Intel 386 or later, and compatibles
TimeStamp 2013:05:22 19:49:15+01:00
FileType Win32 EXE
PEType PE32
CodeSize 12288
LinkerVersion 6.0
FileTypeExtension exe
InitializedDataSize 278528
SubsystemVersion 4.0
EntryPoint 0x1550
OSVersion 4.0
ImageVersion 0.0
UninitializedDataSize 0

File identification
MD5 480631b7552835cc9b4dec24b2b1c132
SHA1 a184013923368f6ef4f68d82c4d6707eaf592179
SHA256 bdcfcc63909e7da2085172867ef762041fe83713db2a199085497bd4d44aa86b
ssdeep 6144:cH8ZYQOsOVLu+Tdkb7S9axVg3dh4d4P8P7j15m:cH8OQOsOVK+Ti3S9aHsH4dY815m
authentihash 64799f26c82871bca2b160a66112da0a740fe2c04e32924eeae4f52cbac7560f
imphash 99764316eb020e88ace5e3e5517f36ed
File size 306.3 KB ( 313680 bytes )
File type Win32 EXE
Magic literal PE32 executable for MS Windows (GUI) Intel 80386 32-bit
TrID Win32 Executable MS Visual C++ (generic) (42.2%)
Win64 Executable (generic) (37.3%)
Win32 Dynamic Link Library (generic) (8.8%)
Win32 Executable (generic) (6.0%)
Generic Win/DOS Executable (2.7%)
Tags peexe armadillo overlay
VirusTotal metadata
First submission 2013-05-24 07:09:55 UTC ( 4 years, 1 month ago )
Last submission 2013-10-03 11:57:51 UTC ( 3 years, 8 months ago )
File names a184013923368f6ef4f68d82c4d6707eaf592179_sisi.ex
aa
sisi.exe
80bf75ae3d97f6acc963c44618ca83ef-80bf75ae3d97f6acc963c44618ca83ef-1369379137
Advanced heuristic and reputation engines
Symantec reputation Suspicious.Insight
Condensed report! The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.
Created processes
Code injections in the following processes
Opened mutexes
Runtime DLLs
UDP communications