SHA256: bf7ab9dcc69d8e0a1777fcb72e568708450fe32fae4d9cd67a68c27d2a2209cd
File name: bf7ab9dcc69d8e0a1777fcb72e568708450fe32fae4d9cd67a68c27d2a2209cd.vir
Detection ratio: 58 / 66
Analysis date: 2018-05-17 17:38:16 UTC ( 4 months, 1 week ago )
Antivirus Result Update
Ad-Aware Gen:Variant.Zusy.12888 20180517
AegisLab Troj.Spy.W32.Zbot.ejbf!c 20180517
AhnLab-V3 Trojan/Win32.Jorik.C162687 20180517
ALYac Gen:Variant.Zusy.12888 20180517
Antiy-AVL Trojan[Spy]/Win32.Zbot 20180517
Arcabit Trojan.Zusy.D3258 20180517
Avast FileRepMalware 20180517
AVG FileRepMalware 20180517
Avira (no cloud) TR/Crypt.ZPACK.Gen8 20180517
AVware Trojan.Win32.Generic!BT 20180517
Babable Malware.HighConfidence 20180406
Baidu Win32.Trojan.WisdomEyes.16070401.9500.9997 20180517
BitDefender Gen:Variant.Zusy.12888 20180517
Bkav W32.OnGamesLTVSSFDAL.Trojan 20180517
CAT-QuickHeal TrojanPWS.Zbot.ZL3 20180517
ClamAV Win.Trojan.Zbot-25671 20180517
CMC Trojan-Spy.Win32.Zbot!O 20180517
Comodo .UnclassifiedMalware 20180517
CrowdStrike Falcon (ML) malicious_confidence_100% (D) 20180418
Cylance Unsafe 20180517
Cyren W32/Trojan.TDSP-1208 20180517
Emsisoft Gen:Variant.Zusy.12888 (B) 20180517
Endgame malicious (high confidence) 20180507
ESET-NOD32 Win32/Spy.Zbot.AAO 20180517
F-Secure Gen:Variant.Zusy.12888 20180517
Fortinet W32/Zbot.AQJ!tr 20180517
GData Gen:Variant.Zusy.12888 20180517
Ikarus Trojan-Spy.Win32.Zbot 20180517
Sophos ML heuristic 20180503
Jiangmin TrojanSpy.Zbot.bvkg 20180517
K7AntiVirus Backdoor ( 04c4e4c01 ) 20180517
K7GW Backdoor ( 04c4e4c01 ) 20180517
Kaspersky HEUR:Trojan.Win32.Generic 20180517
Malwarebytes Spyware.Zbot.PE3NZ 20180517
MAX malware (ai score=100) 20180517
McAfee PWS-Zbot.gen.aim 20180517
McAfee-GW-Edition PWS-Zbot.gen.aim 20180517
Microsoft PWS:Win32/Zbot 20180517
eScan Gen:Variant.Zusy.12888 20180517
NANO-Antivirus Trojan.Win32.Zbot.uuwxn 20180517
Palo Alto Networks (Known Signatures) generic.ml 20180517
Panda Generic Malware 20180517
Qihoo-360 HEUR/Malware.QVM08.Gen 20180517
SentinelOne (Static ML) static engine - malicious 20180225
Sophos AV Troj/Zbot-CHT 20180517
Symantec ML.Attribute.HighConfidence 20180517
Tencent Win32.Trojan.Generic.Tafe 20180517
TheHacker Trojan/Spy.Zbot.ejbf 20180516
TotalDefense Win32/Zbot.GOB 20180517
TrendMicro TSPY_ZBOT.JWM 20180517
TrendMicro-HouseCall TSPY_ZBOT.JWM 20180517
VBA32 TrojanSpy.Zbot 20180517
VIPRE Trojan.Win32.Generic!BT 20180517
ViRobot Trojan.Win32.A.Zbot.294912.J 20180517
Webroot W32.Rogue.Gen 20180517
Yandex TrojanSpy.Zbot!3vKJMVXSws4 20180517
Zillya Trojan.Zbot.Win32.70735 20180516
ZoneAlarm by Check Point HEUR:Trojan.Win32.Generic 20180517
Alibaba 20180517
Avast-Mobile 20180517
Cybereason None
eGambit 20180517
F-Prot 20180517
Kingsoft 20180517
nProtect 20180517
Rising 20180517
SUPERAntiSpyware 20180517
Symantec Mobile Insight 20180517
Trustlook 20180517
Zoner 20180517
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2012-07-18 20:50:47
Entry Point 0x0000C407
Number of sections 3
PE sections
PE imports
GetStdHandle
HeapDestroy
FreeEnvironmentStringsA
DeleteCriticalSection
GetDiskFreeSpaceA
GetLocaleInfoA
ExpandEnvironmentStringsA
FreeEnvironmentStringsW
GetLocaleInfoW
SetStdHandle
GetFileTime
WideCharToMultiByte
GetStringTypeA
InterlockedExchange
WriteFile
GetSystemTimeAsFileTime
HeapReAlloc
GetStringTypeW
InitializeCriticalSection
TlsGetValue
FindNextChangeNotification
SetLastError
ExitProcess
GetVersionExA
GetModuleFileNameA
EnumSystemLocalesA
UnhandledExceptionFilter
MultiByteToWideChar
FatalAppExitA
GetModuleHandleA
GetCurrentProcess
MoveFileExA
SetEnvironmentVariableA
TerminateProcess
FindCloseChangeNotification
GlobalAlloc
SetEndOfFile
GetCurrentThreadId
HeapFree
EnterCriticalSection
SetHandleCount
GetOEMCP
QueryPerformanceCounter
GetTickCount
IsBadWritePtr
TlsAlloc
VirtualProtect
FlushFileBuffers
LoadLibraryA
RtlUnwind
GetStartupInfoA
GetDateFormatA
GetFileSize
AddAtomA
GetUserDefaultLCID
CompareStringW
CompareStringA
IsValidLocale
GetProcAddress
GetTimeZoneInformation
GetFileType
TlsSetValue
CreateFileA
HeapAlloc
LeaveCriticalSection
GetLastError
LCMapStringW
FindFirstChangeNotificationA
GetSystemInfo
GlobalFree
LCMapStringA
GetEnvironmentStringsW
VirtualQuery
GetEnvironmentStrings
GetCurrentProcessId
SetTapePosition
GetCPInfo
HeapSize
GetCommandLineA
GetCurrentThread
TlsFree
SetFilePointer
ReadFile
CloseHandle
GetVolumeInformationA
GetACP
IsValidCodePage
HeapCreate
VirtualFree
VirtualAlloc
GetTimeFormatA
MapWindowPoints
BeginPaint
DestroyMenu
CheckMenuRadioItem
GetIconInfo
LoadBitmapA
SetDlgItemInt
ShowScrollBar
DispatchMessageA
PostMessageA
DrawIcon
IsWindowEnabled
GetDlgItemInt
CheckDlgButton
InsertMenuItemA
SetWindowTextA
CheckMenuItem
GetSystemMetrics
InvalidateRect
ValidateRect
LoadImageA
GetClassNameA
OpenClipboard
IsDialogMessageA
SetCursor
setsockopt
WSASocketA
WSAConnect
getservbyport
getprotobynumber
socket
CLSIDFromString
CoCreateInstance
CoInitialize
OleInitialize
OleSetContainedObject
Debug information
ExifTool file metadata
MIMEType application/octet-stream
Subsystem Windows GUI
MachineType Intel 386 or later, and compatibles
TimeStamp 2012:07:18 21:50:47+01:00
FileType Win32 EXE
PEType PE32
CodeSize 94208
LinkerVersion 7.1
FileTypeExtension exe
InitializedDataSize 274432
SubsystemVersion 4.0
EntryPoint 0xc407
OSVersion 4.0
ImageVersion 0.0
UninitializedDataSize 0

File identification
MD5 c5def2f2d87c1049b94f848b2ffe0ef3
SHA1 1e20bb68566d2c751c98b4a16f9fc08d2e68d62a
SHA256 bf7ab9dcc69d8e0a1777fcb72e568708450fe32fae4d9cd67a68c27d2a2209cd
ssdeep 6144:rTASW/vLEmv71alrsLlLs8O3zmb6E4BhGxy1XsHRfuXuGuzQgnG:Id/vLB728Ls8TzQ1XsHRfuXrGQgnG
authentihash 29116e01f6c2f92b86243525ca9919c1259fb104136f226c926339676efd38d7
imphash 314e7dc9c5f54e87e0c1895d33556578
File size 288.0 KB ( 294912 bytes )
File type Win32 EXE
Magic literal PE32 executable for MS Windows (GUI) Intel 80386 32-bit
TrID Win32 Executable MS Visual C++ (generic) (41.0%)
Win64 Executable (generic) (36.3%)
Win32 Dynamic Link Library (generic) (8.6%)
Win32 Executable (generic) (5.9%)
OS/2 Executable (generic) (2.6%)
Tags peexe
VirusTotal metadata
First submission 2012-07-22 19:43:10 UTC ( 6 years, 2 months ago )
Last submission 2018-05-17 17:38:16 UTC ( 4 months, 1 week ago )
File names CC4E83D800CE3EB2805804C81C133F00D5CED0E8.exe
aa
c5def2f2d87c1049b94f848b2ffe0ef3.exe
iRNs8cqpGY.msi
C5DEF2F2D87C1049B94F848B2FFE0EF3
c5def2f2d87c1049b94f848b2ffe0ef3
zbot
bf7ab9dcc69d8e0a1777fcb72e568708450fe32fae4d9cd67a68c27d2a2209cd.vir
vSI2UIu.pdf
Advanced heuristic and reputation engines
ClamAV
Possibly Unwanted Application. While not necessarily malicious, the scanned file presents certain characteristics which, depending on the user policies and environment, may or may not represent a threat. For full details see: https://www.clamav.net/documents/potentially-unwanted-applications-pua.

Symantec reputation Suspicious.Insight
Condensed report! The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.
Opened files
Read files
Written files
Copied files
Deleted files
Created processes
Code injections in the following processes
Created mutexes
Opened mutexes
Searched windows
Opened service managers
Opened services
Runtime DLLs
Additional details
The file sends control codes directly to certain device drivers making use of the DeviceIoControl Windows API function.
DNS requests
UDP communications