SHA256: bf7ab9dcc69d8e0a1777fcb72e568708450fe32fae4d9cd67a68c27d2a2209cd
File name: bf7ab9dcc69d8e0a1777fcb72e568708450fe32fae4d9cd67a68c27d2a2209cd.vir
Detection ratio: 58 / 66
Analysis date: 2017-12-06 18:47:01 UTC ( 4 months, 2 weeks ago )
Antivirus Result Update
Ad-Aware Gen:Variant.Zusy.12888 20171206
AegisLab Troj.Spy.W32.Zbot.ejbf!c 20171206
AhnLab-V3 Trojan/Win32.Jorik.C162687 20171206
ALYac Gen:Variant.Zusy.12888 20171206
Antiy-AVL Trojan[Spy]/Win32.Zbot 20171206
Arcabit Trojan.Zusy.D3258 20171206
Avast FileRepMalware 20171206
AVG FileRepMalware 20171206
Avira (no cloud) TR/Crypt.ZPACK.Gen8 20171206
AVware Trojan.Win32.Generic!BT 20171206
Baidu Win32.Trojan.WisdomEyes.16070401.9500.9997 20171206
BitDefender Gen:Variant.Zusy.12888 20171206
Bkav W32.OnGamesLTVSSFDAL.Trojan 20171206
CAT-QuickHeal TrojanPWS.Zbot.ZL3 20171206
ClamAV Win.Trojan.Zbot-25671 20171206
CMC Trojan-Spy.Win32.Zbot!O 20171206
Comodo UnclassifiedMalware 20171206
CrowdStrike Falcon (ML) malicious_confidence_100% (W) 20171016
Cybereason malicious.1b8fb7 20171103
Cylance Unsafe 20171206
DrWeb Trojan.PWS.Panda.1981 20171206
Emsisoft Gen:Variant.Zusy.12888 (B) 20171206
Endgame malicious (high confidence) 20171130
ESET-NOD32 Win32/Spy.Zbot.AAO 20171206
F-Secure Gen:Variant.Zusy.12888 20171206
Fortinet W32/Zbot.AQJ!tr 20171206
GData Gen:Variant.Zusy.12888 20171206
Ikarus Trojan-Spy.Win32.Zbot 20171206
Sophos ML heuristic 20170914
Jiangmin TrojanSpy.Zbot.bvkg 20171206
K7AntiVirus Backdoor ( 04c4fff51 ) 20171205
K7GW Backdoor ( 04c4fff51 ) 20171206
Kaspersky HEUR:Trojan.Win32.Generic 20171206
Kingsoft Win32.Troj.Zbot.(kcloud) 20171206
Malwarebytes Spyware.Zbot.PE3NZ 20171206
MAX malware (ai score=86) 20171206
McAfee PWS-Zbot.gen.aim 20171206
McAfee-GW-Edition PWS-Zbot.gen.aim 20171206
Microsoft PWS:Win32/Zbot 20171206
eScan Gen:Variant.Zusy.12888 20171206
NANO-Antivirus Trojan.Win32.Zbot.uuwxn 20171206
Palo Alto Networks (Known Signatures) generic.ml 20171206
Panda Generic Malware 20171206
Qihoo-360 HEUR/Malware.QVM08.Gen 20171206
SentinelOne (Static ML) static engine - malicious 20171113
Sophos AV Troj/Zbot-CHT 20171206
Symantec Trojan.Gen 20171206
Tencent Win32.Trojan.Generic.Tafe 20171206
TheHacker Trojan/Spy.Zbot.ejbf 20171205
TrendMicro TSPY_ZBOT.JWM 20171206
TrendMicro-HouseCall TSPY_ZBOT.JWM 20171206
VBA32 TrojanSpy.Zbot 20171206
VIPRE Trojan.Win32.Generic!BT 20171206
ViRobot Trojan.Win32.A.Zbot.294912.J 20171206
Webroot W32.Rogue.Gen 20171206
Yandex TrojanSpy.Zbot!3vKJMVXSws4 20171205
Zillya Trojan.Zbot.Win32.70735 20171206
ZoneAlarm by Check Point HEUR:Trojan.Win32.Generic 20171206
Alibaba 20171206
Avast-Mobile 20171206
Cyren 20171206
eGambit 20171206
F-Prot 20171206
nProtect 20171206
Rising 20171206
SUPERAntiSpyware 20171206
Symantec Mobile Insight 20171206
Trustlook 20171206
Zoner 20171206
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2012-07-18 20:50:47
Entry Point 0x0000C407
Number of sections 3
PE sections
PE imports
GetStdHandle
HeapDestroy
FreeEnvironmentStringsA
DeleteCriticalSection
GetDiskFreeSpaceA
GetLocaleInfoA
ExpandEnvironmentStringsA
FreeEnvironmentStringsW
GetLocaleInfoW
SetStdHandle
GetFileTime
WideCharToMultiByte
GetStringTypeA
InterlockedExchange
WriteFile
GetSystemTimeAsFileTime
HeapReAlloc
GetStringTypeW
InitializeCriticalSection
TlsGetValue
FindNextChangeNotification
SetLastError
ExitProcess
GetVersionExA
GetModuleFileNameA
EnumSystemLocalesA
UnhandledExceptionFilter
MultiByteToWideChar
FatalAppExitA
GetModuleHandleA
GetCurrentProcess
MoveFileExA
SetEnvironmentVariableA
TerminateProcess
FindCloseChangeNotification
GlobalAlloc
SetEndOfFile
GetCurrentThreadId
HeapFree
EnterCriticalSection
SetHandleCount
GetOEMCP
QueryPerformanceCounter
GetTickCount
IsBadWritePtr
TlsAlloc
VirtualProtect
FlushFileBuffers
LoadLibraryA
RtlUnwind
GetStartupInfoA
GetDateFormatA
GetFileSize
AddAtomA
GetUserDefaultLCID
CompareStringW
CompareStringA
IsValidLocale
GetProcAddress
GetTimeZoneInformation
GetFileType
TlsSetValue
CreateFileA
HeapAlloc
LeaveCriticalSection
GetLastError
LCMapStringW
FindFirstChangeNotificationA
GetSystemInfo
GlobalFree
LCMapStringA
GetEnvironmentStringsW
VirtualQuery
GetEnvironmentStrings
GetCurrentProcessId
SetTapePosition
GetCPInfo
HeapSize
GetCommandLineA
GetCurrentThread
TlsFree
SetFilePointer
ReadFile
CloseHandle
GetVolumeInformationA
GetACP
IsValidCodePage
HeapCreate
VirtualFree
VirtualAlloc
GetTimeFormatA
MapWindowPoints
BeginPaint
DestroyMenu
CheckMenuRadioItem
GetIconInfo
LoadBitmapA
SetDlgItemInt
ShowScrollBar
DispatchMessageA
PostMessageA
DrawIcon
IsWindowEnabled
GetDlgItemInt
CheckDlgButton
InsertMenuItemA
SetWindowTextA
CheckMenuItem
GetSystemMetrics
InvalidateRect
ValidateRect
LoadImageA
GetClassNameA
OpenClipboard
IsDialogMessageA
SetCursor
setsockopt
WSASocketA
WSAConnect
getservbyport
getprotobynumber
socket
CLSIDFromString
CoCreateInstance
CoInitialize
OleInitialize
OleSetContainedObject
Debug information
ExifTool file metadata
MIMEType application/octet-stream
Subsystem Windows GUI
MachineType Intel 386 or later, and compatibles
FileTypeExtension exe
TimeStamp 2012:07:18 21:50:47+01:00
FileType Win32 EXE
PEType PE32
CodeSize 94208
LinkerVersion 7.1
EntryPoint 0xc407
InitializedDataSize 274432
SubsystemVersion 4.0
ImageVersion 0.0
OSVersion 4.0
UninitializedDataSize 0

File identification
MD5 c5def2f2d87c1049b94f848b2ffe0ef3
SHA1 1e20bb68566d2c751c98b4a16f9fc08d2e68d62a
SHA256 bf7ab9dcc69d8e0a1777fcb72e568708450fe32fae4d9cd67a68c27d2a2209cd
ssdeep 6144:rTASW/vLEmv71alrsLlLs8O3zmb6E4BhGxy1XsHRfuXuGuzQgnG:Id/vLB728Ls8TzQ1XsHRfuXrGQgnG
authentihash 29116e01f6c2f92b86243525ca9919c1259fb104136f226c926339676efd38d7
imphash 314e7dc9c5f54e87e0c1895d33556578
File size 288.0 KB ( 294912 bytes )
File type Win32 EXE
Magic literal PE32 executable for MS Windows (GUI) Intel 80386 32-bit
TrID Win32 Executable MS Visual C++ (generic) (42.2%)
Win64 Executable (generic) (37.3%)
Win32 Dynamic Link Library (generic) (8.8%)
Win32 Executable (generic) (6.0%)
Generic Win/DOS Executable (2.7%)
Tags
peexe

VirusTotal metadata
First submission 2012-07-22 19:43:10 UTC ( 5 years, 9 months ago )
Last submission 2017-12-06 18:47:01 UTC ( 4 months, 2 weeks ago )
File names CC4E83D800CE3EB2805804C81C133F00D5CED0E8.exe
aa
c5def2f2d87c1049b94f848b2ffe0ef3.exe
iRNs8cqpGY.msi
C5DEF2F2D87C1049B94F848B2FFE0EF3
c5def2f2d87c1049b94f848b2ffe0ef3
zbot
bf7ab9dcc69d8e0a1777fcb72e568708450fe32fae4d9cd67a68c27d2a2209cd.vir
vSI2UIu.pdf
Advanced heuristic and reputation engines
ClamAV
Possibly Unwanted Application. While not necessarily malicious, the scanned file presents certain characteristics which depending on the user policies and environment may or may not represent a threat. For full details see: https://www.clamav.net/documents/potentially-unwanted-applications-pua .

Symantec reputation Suspicious.Insight
Condensed report! The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.
Opened files
Read files
Written files
Copied files
Deleted files
Created processes
Code injections in the following processes
Created mutexes
Opened mutexes
Searched windows
Opened service managers
Opened services
Runtime DLLs
Additional details
The file sends control codes directly to certain device drivers making use of the DeviceIoControl Windows API function.
DNS requests
UDP communications