SHA256: c5bdf8572d3fe3c110e3c56ebd2433169ea968818ec811faf72b322d9bcf94b8
File name: Microsoft(R) Windows(R) Operating System
Detection ratio: 46 / 50
Analysis date: 2014-03-06 08:40:38 UTC ( 1 month, 1 week ago )
Antivirus Result Update
AVG Agent4.AHAF 20140305
Ad-Aware Gen:Variant.Symmi.4857 20140306
Agnitum Trojan.DR.Agent!KHedVHDGxfg 20140305
AhnLab-V3 Dropper/Win32.Agent 20140305
AntiVir TR/Spy.Gen 20140306
Antiy-AVL Trojan[Backdoor]/Win32.MmBot 20140306
Avast Win32:Malware-gen 20140306
Baidu-International Backdoor.Win32.MmBot.aHQ 20140306
BitDefender Gen:Variant.Symmi.4857 20140306
Bkav W32.CVE20131493YHPtv.Worm 20140305
CAT-QuickHeal Backdoor.Mdmbot 20140306
ClamAV WIN.Trojan.McRat 20140305
Commtouch W32/Trojan.PNVT-5130 20140306
Comodo UnclassifiedMalware 20140306
DrWeb Trojan.MulDrop3.20837 20140306
ESET-NOD32 Win32/McRat.B 20140306
Emsisoft Gen:Variant.Symmi.4857 (B) 20140306
F-Prot W32/Trojan2.NUYM 20140306
F-Secure Gen:Variant.Symmi.4857 20140306
Fortinet W32/McRat.B!tr 20140306
GData Gen:Variant.Symmi.4857 20140306
Ikarus Backdoor.Win32.Mdmbot 20140306
Jiangmin TrojanDropper.Agent.bpvh 20140306
K7AntiVirus Riskware ( 0040eff71 ) 20140305
K7GW Riskware ( 0040eff71 ) 20140305
Kaspersky Backdoor.Win32.MmBot.b 20140306
Kingsoft Win32.Troj.Agent.(kcloud) 20140306
Malwarebytes Trojan.Dropper.SF 20140306
McAfee Dropper-FIF!4D519BF53A82 20140306
McAfee-GW-Edition Dropper-FIF!4D519BF53A82 20140306
MicroWorld-eScan Gen:Variant.Symmi.4857 20140306
Microsoft Backdoor:Win32/Mdmbot.F 20140306
NANO-Antivirus Trojan.Win32.Agent.bicnuq 20140306
Norman McRat.A 20140306
Panda Suspicious file 20140305
Qihoo-360 HEUR/Malware.QVM20.Gen 20140306
Rising PE:Malware.XPACK/RDM!5.1 20140305
Sophos Troj/McRat-A 20140306
Symantec Trojan.Naid 20140306
TheHacker Trojan/McRat.a 20140305
TrendMicro BKDR_MDMBOT.A 20140306
TrendMicro-HouseCall BKDR_MDMBOT.A 20140306
VBA32 SScope.Trojan-Dropper.Aurora 20140305
VIPRE Trojan.Win32.Generic!BT 20140306
ViRobot Backdoor.Win32.S.Agent.73728.BC 20140306
nProtect Trojan/W32.Agent.73728.CIU 20140305
ByteHero (no detection) 20140306
CMC (no detection) 20140228
SUPERAntiSpyware (no detection) 20140306
TotalDefense (no detection) 20140306
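The 46 detections above disagree on the family name: the BitDefender-style engines say Symmi, ESET/Sophos/ClamAV say McRat, Microsoft/TrendMicro say Mdmbot, Kaspersky says MmBot, and the rest are generic (Agent, Dropper, Malware-gen). The following is an added example, not part of the VirusTotal report, showing how a triage script can reduce such a table to one plurality label. The (engine, result) pairs are copied from the table; the generic-token list and the decision to count a byte-identical detection string only once (identical strings nearly always mean a shared or rebranded engine, so six copies of "Gen:Variant.Symmi.4857" are one opinion, not six) are this example's own assumptions.

```python
"""Plurality family label from a VirusTotal detection table (added example)."""
import re
from collections import Counter

# Detections copied from the report; engines with no detection are omitted.
DETECTIONS = [
    ("AVG", "Agent4.AHAF"),
    ("Ad-Aware", "Gen:Variant.Symmi.4857"),
    ("Agnitum", "Trojan.DR.Agent!KHedVHDGxfg"),
    ("AhnLab-V3", "Dropper/Win32.Agent"),
    ("AntiVir", "TR/Spy.Gen"),
    ("Antiy-AVL", "Trojan[Backdoor]/Win32.MmBot"),
    ("Avast", "Win32:Malware-gen"),
    ("Baidu-International", "Backdoor.Win32.MmBot.aHQ"),
    ("BitDefender", "Gen:Variant.Symmi.4857"),
    ("Bkav", "W32.CVE20131493YHPtv.Worm"),
    ("CAT-QuickHeal", "Backdoor.Mdmbot"),
    ("ClamAV", "WIN.Trojan.McRat"),
    ("Commtouch", "W32/Trojan.PNVT-5130"),
    ("Comodo", "UnclassifiedMalware"),
    ("DrWeb", "Trojan.MulDrop3.20837"),
    ("ESET-NOD32", "Win32/McRat.B"),
    ("Emsisoft", "Gen:Variant.Symmi.4857 (B)"),
    ("F-Prot", "W32/Trojan2.NUYM"),
    ("F-Secure", "Gen:Variant.Symmi.4857"),
    ("Fortinet", "W32/McRat.B!tr"),
    ("GData", "Gen:Variant.Symmi.4857"),
    ("Ikarus", "Backdoor.Win32.Mdmbot"),
    ("Jiangmin", "TrojanDropper.Agent.bpvh"),
    ("K7AntiVirus", "Riskware ( 0040eff71 )"),
    ("K7GW", "Riskware ( 0040eff71 )"),
    ("Kaspersky", "Backdoor.Win32.MmBot.b"),
    ("Kingsoft", "Win32.Troj.Agent.(kcloud)"),
    ("Malwarebytes", "Trojan.Dropper.SF"),
    ("McAfee", "Dropper-FIF!4D519BF53A82"),
    ("McAfee-GW-Edition", "Dropper-FIF!4D519BF53A82"),
    ("MicroWorld-eScan", "Gen:Variant.Symmi.4857"),
    ("Microsoft", "Backdoor:Win32/Mdmbot.F"),
    ("NANO-Antivirus", "Trojan.Win32.Agent.bicnuq"),
    ("Norman", "McRat.A"),
    ("Panda", "Suspicious file"),
    ("Qihoo-360", "HEUR/Malware.QVM20.Gen"),
    ("Rising", "PE:Malware.XPACK/RDM!5.1"),
    ("Sophos", "Troj/McRat-A"),
    ("Symantec", "Trojan.Naid"),
    ("TheHacker", "Trojan/McRat.a"),
    ("TrendMicro", "BKDR_MDMBOT.A"),
    ("TrendMicro-HouseCall", "BKDR_MDMBOT.A"),
    ("VBA32", "SScope.Trojan-Dropper.Aurora"),
    ("VIPRE", "Trojan.Win32.Generic!BT"),
    ("ViRobot", "Backdoor.Win32.S.Agent.73728.BC"),
    ("nProtect", "Trojan/W32.Agent.73728.CIU"),
]

# Tokens that name a class or platform rather than a family (assumption).
GENERIC = {
    "trojan", "backdoor", "dropper", "trojandropper", "worm", "agent",
    "malware", "unclassifiedmalware", "generic", "heur", "riskware",
    "suspicious", "file", "variant", "troj", "bkdr",
}

def family_tokens(result):
    """Candidate family tokens of one detection string: lowercase, purely
    alphabetic (drops Win32, W32, CVE..., hex IDs), >= 4 chars, not generic."""
    parts = re.split(r"[^A-Za-z0-9]+", result.lower())
    return {p for p in parts if len(p) >= 4 and p.isalpha() and p not in GENERIC}

def family_votes(detections, collapse_identical=True):
    """One vote per engine per token. With collapse_identical, a detection
    string already seen verbatim from another engine is not counted again."""
    votes = Counter()
    seen = set()
    for _engine, result in detections:
        if collapse_identical:
            if result in seen:
                continue
            seen.add(result)
        votes.update(family_tokens(result))
    return votes

def consensus(detections):
    """(family, votes) for the plurality token after collapsing duplicates."""
    return family_votes(detections).most_common(1)[0]

if __name__ == "__main__":
    print("raw  :", family_votes(DETECTIONS, collapse_identical=False).most_common(4))
    print("dedup:", family_votes(DETECTIONS).most_common(4))
    print("label:", consensus(DETECTIONS))
```

Raw counting ties Symmi and McRat at six votes each because six vendors ship the same BitDefender-derived string; once identical strings are collapsed McRat leads clearly, with Mdmbot second and MmBot third. Treating Mdmbot and MmBot as one family would need an alias table, which this example deliberately does not assume.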
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
Authenticode signature block
(No signer or verification result is listed. The fields below are version-resource strings, which any binary can claim; they do not establish that the file is signed by Microsoft.)
Copyright Copyright (C) 2010
Publisher Microsoft Corporation
Product Microsoft(R) Windows(R) Operating System
Original name Inst.exe
Internal name Microsoft(R) Windows(R) Operating System
File version 5, 1, 0, 0
Description Microsoft Inst Server COM interfaces
Packers identified
PEiD Armadillo v1.71
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2013-02-26 09:10:24 (UTC, from the PE header)
Link date 10:10 AM 2/26/2013 (the same instant shown in local time, UTC+1)
Entry Point 0x00001D90
Number of sections 4
PE sections
PE imports (grouped by library; the report lists only function names, the library attribution is inferred from the functions)
ADVAPI32.dll: RegCreateKeyExW, CloseServiceHandle, ChangeServiceConfig2W, RegCloseKey, StartServiceW, RegSetValueExW, OpenSCManagerW, RegOpenKeyExW, OpenServiceW, QueryServiceConfigW, EnumServicesStatusW, RegOpenKeyW, ChangeServiceConfigW, RegQueryValueExW, CreateServiceW
KERNEL32.dll: GetLastError, HeapFree, GetShortPathNameW, GetModuleFileNameW, HeapAlloc, lstrcmpiW, RtlUnwind, lstrlenW, GetCurrentProcess, SizeofResource, SetThreadPriority, SetProcessPriorityBoost, DeleteFileW, lstrcatW, GetProcessHeap, lstrcpyW, ExpandEnvironmentStringsW, WriteFile, CloseHandle, GetModuleHandleW, FreeResource, SetPriorityClass, LoadResource, FindResourceW, CreateFileW, CreateProcessW, Sleep, GetCurrentThread, GetTickCount, ExitProcess, GetProcAddress, GetEnvironmentVariableW
SHELL32.dll: SHChangeNotify, Ord(680), ShellExecuteExW
SHLWAPI.dll: StrStrW
USER32.dll: wsprintfW
Number of PE resources by type
BIN 1
RT_VERSION 1
Number of PE resources by language
CHINESE SIMPLIFIED 2
ExifTool file metadata
SubsystemVersion 4.0
LinkerVersion 6.0
ImageVersion 0.0
FileSubtype 0
FileVersionNumber 5.1.0.0
UninitializedDataSize 0
LanguageCode English (U.S.)
FileFlagsMask 0x003f
CharacterSet Unicode
InitializedDataSize 65536
FileOS Windows NT 32-bit
MIMEType application/octet-stream
LegalCopyright Copyright (C) 2010
FileVersion 5, 1, 0, 0
TimeStamp 2013:02:26 10:10:24+01:00
FileType Win32 EXE
PEType PE32
InternalName Microsoft(R) Windows(R) Operating System
FileAccessDate 2014:03:06 09:41:04+01:00
ProductVersion 5, 1, 0, 0
FileDescription Microsoft Inst Server COM interfaces
OSVersion 4.0
FileCreateDate 2014:03:06 09:41:04+01:00
OriginalFilename Inst.exe
Subsystem Windows GUI
MachineType Intel 386 or later, and compatibles
CompanyName Microsoft Corporation
CodeSize 4096
ProductName Microsoft(R) Windows(R) Operating System
ProductVersionNumber 5.1.0.0
EntryPoint 0x1d90
ObjectFileType Dynamic link library (file type claimed by the version resource; it conflicts with the PE header, which describes a Windows GUI EXE)

File identification
MD5 4d519bf53a8217adc4c15d15f0815993
SHA1 fa9674bab61c37717f8232ebd47af915f9eb9e49
SHA256 c5bdf8572d3fe3c110e3c56ebd2433169ea968818ec811faf72b322d9bcf94b8
ssdeep 1536:H88vjJmxYMsGaR0xOGimB71w7tbWRAvis0mwm:HjExpsGaU3DgB4m

imphash e1f73d9e8b5c8cff9c2ca136afd652a1
File size 72.0 KB ( 73728 bytes )
File type Win32 EXE
Magic literal PE32 executable for MS Windows (GUI) Intel 80386 32-bit

TrID Win32 Executable MS Visual C++ (generic) (67.3%)
Win32 Dynamic Link Library (generic) (14.2%)
Win32 Executable (generic) (9.7%)
Generic Win/DOS Executable (4.3%)
DOS Executable Generic (4.3%)
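Read together, the import table and the version strings above describe a small installer: service-control APIs (OpenSCManagerW, CreateServiceW, ChangeServiceConfig2W, StartServiceW) for persistence, registry writes, resource APIs plus CreateFileW/WriteFile to drop the single BIN resource, CreateProcessW to run it, and version-resource strings that claim to be an unsigned Microsoft component whose copyright year predates its 2013 link date. The following added example, not part of the VirusTotal report, turns those observations into a repeatable static-triage check. Function names and strings are copied from the report; the DLL each import is attributed to, the capability rules and the consistency checks are this example's own assumptions. The imphash routine follows the pefile algorithm; it reproduces the report's e1f73d9e8b5c8cff9c2ca136afd652a1 only if the assumed DLL grouping and order match the real import directory, so a mismatch says the attribution is wrong, not that the hash is.

```python
"""Static triage of the Inst.exe import table and version strings (added example)."""
import hashlib

# Imports in the order the report lists them, attributed to a DLL (assumption).
IMPORTS = {
    "ADVAPI32.dll": [
        "RegCreateKeyExW", "CloseServiceHandle", "ChangeServiceConfig2W",
        "RegCloseKey", "StartServiceW", "RegSetValueExW", "OpenSCManagerW",
        "RegOpenKeyExW", "OpenServiceW", "QueryServiceConfigW",
        "EnumServicesStatusW", "RegOpenKeyW", "ChangeServiceConfigW",
        "RegQueryValueExW", "CreateServiceW"],
    "KERNEL32.dll": [
        "GetLastError", "HeapFree", "GetShortPathNameW", "GetModuleFileNameW",
        "HeapAlloc", "lstrcmpiW", "RtlUnwind", "lstrlenW", "GetCurrentProcess",
        "SizeofResource", "SetThreadPriority", "SetProcessPriorityBoost",
        "DeleteFileW", "lstrcatW", "GetProcessHeap", "lstrcpyW",
        "ExpandEnvironmentStringsW", "WriteFile", "CloseHandle",
        "GetModuleHandleW", "FreeResource", "SetPriorityClass", "LoadResource",
        "FindResourceW", "CreateFileW", "CreateProcessW", "Sleep",
        "GetCurrentThread", "GetTickCount", "ExitProcess", "GetProcAddress",
        "GetEnvironmentVariableW"],
    "SHELL32.dll": ["SHChangeNotify", "ord680", "ShellExecuteExW"],  # Ord(680) as pefile names it
    "SHLWAPI.dll": ["StrStrW"],
    "USER32.dll": ["wsprintfW"],
}

# Version-resource strings and header facts copied from the report.
META = {
    "CompanyName": "Microsoft Corporation",
    "OriginalFilename": "Inst.exe",
    "LegalCopyright": "Copyright (C) 2010",
    "ObjectFileType": "Dynamic link library",
    "FileType": "Win32 EXE",
    "CompileYear": 2013,       # PE header timestamp 2013-02-26
    "SignerVerified": False,   # the report lists no verified Authenticode signer
    "ResourceTypes": {"BIN": 1, "RT_VERSION": 1},
}

# A capability is reported when every API in its rule is imported (assumption).
RULES = {
    "service-persistence": {"OpenSCManagerW", "CreateServiceW", "StartServiceW"},
    "service-tampering": {"OpenServiceW", "ChangeServiceConfigW", "ChangeServiceConfig2W"},
    "registry-write": {"RegCreateKeyExW", "RegSetValueExW"},
    "resource-dropper": {"FindResourceW", "LoadResource", "CreateFileW", "WriteFile"},
    "process-launch": {"CreateProcessW"},
    "self-delete": {"GetModuleFileNameW", "DeleteFileW"},
}

def imphash(imports):
    """pefile-compatible import hash: MD5 over 'dll.func' pairs, lowercased,
    DLL extension stripped, in import-directory order, comma-joined."""
    pairs = []
    for dll, funcs in imports.items():
        name = dll.lower()
        for ext in (".ocx", ".sys", ".dll"):
            if name.endswith(ext):
                name = name[: -len(ext)]
                break
        pairs.extend(f"{name}.{f.lower()}" for f in funcs)
    return hashlib.md5(",".join(pairs).encode()).hexdigest()

def capabilities(imports):
    """Sorted names of every rule whose APIs are all present in the import table."""
    imported = {f for funcs in imports.values() for f in funcs}
    return sorted(c for c, apis in RULES.items() if apis <= imported)

def masquerade_findings(meta):
    """Consistency checks on what the version resource claims about the file."""
    findings = []
    if "Microsoft" in meta["CompanyName"] and not meta["SignerVerified"]:
        findings.append("claims Microsoft Corporation but carries no verified signature")
    year = int(meta["LegalCopyright"].split()[-1])
    if meta["CompileYear"] > year:
        findings.append(f"linked in {meta['CompileYear']} yet copyright string says {year}")
    if "link library" in meta["ObjectFileType"] and meta["FileType"].endswith("EXE"):
        findings.append("version resource says DLL but the file is an EXE")
    if meta["ResourceTypes"].get("BIN"):
        findings.append("carries a custom BIN resource (candidate embedded payload)")
    return findings

def triage(imports, meta):
    return {"imphash": imphash(imports),
            "capabilities": capabilities(imports),
            "findings": masquerade_findings(meta)}

if __name__ == "__main__":
    for key, value in triage(IMPORTS, META).items():
        print(f"{key}: {value}")
```

The capability rules are deliberately conjunctive: a lone WriteFile proves nothing, but FindResourceW plus LoadResource plus CreateFileW plus WriteFile next to one non-standard BIN resource is the classic resource-dropper shape, and OpenSCManagerW plus CreateServiceW plus StartServiceW is service persistence regardless of what the version strings say.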
Tags peexe armadillo cve-2013-1493 exploit
VirusTotal metadata
First submission 2013-02-28 02:49:10 UTC ( 1 year, 1 month ago )
Last submission 2013-07-01 06:45:56 UTC ( 9 months, 2 weeks ago )
File names file-5603713_txt
Inst.exe
svchost.jpg
Microsoft(R) Windows(R) Operating System
bd89c33e9eab0c169908b574a9f4984a-bd89c33e9eab0c169908b574a9f4984a-1362019742
4d519bf53a8217adc4c15d15f0815993
file.exe
vti-rescan
4d519bf53a8217adc4c15d15f0815993.exe
c5bdf8572d3fe3c110e3c56ebd2433169ea968818ec811faf72b322d9bcf94b8
Advanced heuristic and reputation engines
Symantec reputation Suspicious.Insight
Condensed report! The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.
Opened files
Written files
Set keys
Opened service managers
Opened services
Runtime DLLs
Additional details
The file sends control codes directly to certain device drivers making use of the DeviceIoControl Windows API function.
UDP communications