SHA256: c5bdf8572d3fe3c110e3c56ebd2433169ea968818ec811faf72b322d9bcf94b8
File name: Microsoft(R) Windows(R) Operating System
Detection ratio: 49 / 56
Analysis date: 2014-11-27 13:42:46 UTC ( 4 months ago )
Antivirus Result Update
ALYac Gen:Variant.Symmi.4857 20141127
AVG Agent4.AHAG.dropper 20141127
AVware Trojan.Win32.Generic!BT 20141121
Ad-Aware Gen:Variant.Symmi.4857 20141127
Agnitum Trojan.DR.Agent!KHedVHDGxfg 20141126
AhnLab-V3 Dropper/Win32.Agent 20141126
Antiy-AVL Trojan[Dropper]/Win32.Agent 20141127
Avast Win32:Malware-gen 20141127
Avira TR/Spy.Gen 20141127
Baidu-International Backdoor.Win32.MmBot.aRzx 20141127
BitDefender Gen:Variant.Symmi.4857 20141127
CAT-QuickHeal Backdoor.Mdmbot.r4 20141127
ClamAV WIN.Trojan.McRat 20141127
Comodo UnclassifiedMalware 20141127
Cyren W32/Trojan.PNVT-5130 20141127
DrWeb Trojan.MulDrop3.20837 20141127
ESET-NOD32 Win32/McRat.B 20141127
Emsisoft Gen:Variant.Symmi.4857 (B) 20141127
F-Prot W32/Trojan2.NUYM 20141126
F-Secure Gen:Variant.Symmi.4857 20141127
Fortinet W32/McRat.B!tr 20141127
GData Gen:Variant.Symmi.4857 20141127
Ikarus Backdoor.Win32.Mdmbot 20141127
Jiangmin TrojanDropper.Agent.bpvh 20141126
K7AntiVirus Riskware ( 0040eff71 ) 20141127
K7GW Riskware ( 0040eff71 ) 20141126
Kaspersky Backdoor.Win32.MmBot.b 20141127
Kingsoft Win32.Troj.Agent.(kcloud) 20141127
Malwarebytes Trojan.Dropper.SF 20141127
McAfee Dropper-FIF!4D519BF53A82 20141127
McAfee-GW-Edition Dropper-FIF!4D519BF53A82 20141127
MicroWorld-eScan Gen:Variant.Symmi.4857 20141127
Microsoft Backdoor:Win32/Mdmbot.F 20141127
NANO-Antivirus Trojan.Win32.Agent.bicnuq 20141127
Norman McRat.A 20141127
Panda Generic Suspicious 20141126
Qihoo-360 Win32/Backdoor.BO.566 20141127
Rising PE:Trojan.Win32.Generic.14979173!345477491 20141126
Sophos Troj/McRat-A 20141127
Symantec Trojan.Naid 20141127
Tencent Win32.Backdoor.Mmbot.Pept 20141127
TheHacker Trojan/McRat.a 20141124
TrendMicro BKDR_MDMBOT.A 20141127
TrendMicro-HouseCall BKDR_MDMBOT.A 20141127
VBA32 SScope.Trojan-Dropper.Aurora 20141127
VIPRE Trojan.Win32.Generic!BT 20141127
ViRobot Backdoor.Win32.S.Agent.73728.BC 20141127
Zillya Dropper.Agent.Win32.128650 20141126
nProtect Trojan/W32.Agent.73728.CIU 20141127
AegisLab (no detection) 20141127
Bkav (no detection) 20141127
ByteHero (no detection) 20141127
CMC (no detection) 20141127
SUPERAntiSpyware (no detection) 20141127
TotalDefense (no detection) 20141127
Zoner (no detection) 20141127
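The 49 positive rows above name the same file three ways (McRat, Mdmbot, MmBot), several engines return only class words (Trojan.Win32.Generic!BT, UnclassifiedMalware), and seven rows carry the BitDefender-engine heuristic cluster name Gen:Variant.Symmi. The script below is an added example, not part of the VirusTotal report, showing one way to turn such a table into a family vote: tokenise each label, drop platform and class words, fold spellings that denote the same family, and count one vote per vendor. The stoplist and the alias map are this example's own assumptions, and the input is a constructed subset of the table above.

```python
import re
from collections import Counter

# Constructed subset of the detection table above, "vendor label" per line.
SAMPLE_LABELS = """\
ALYac Gen:Variant.Symmi.4857
Baidu-International Backdoor.Win32.MmBot.aRzx
BitDefender Gen:Variant.Symmi.4857
CAT-QuickHeal Backdoor.Mdmbot.r4
ClamAV WIN.Trojan.McRat
Comodo UnclassifiedMalware
ESET-NOD32 Win32/McRat.B
Fortinet W32/McRat.B!tr
Ikarus Backdoor.Win32.Mdmbot
K7AntiVirus Riskware ( 0040eff71 )
Kaspersky Backdoor.Win32.MmBot.b
McAfee Dropper-FIF!4D519BF53A82
Microsoft Backdoor:Win32/Mdmbot.F
Norman McRat.A
Sophos Troj/McRat-A
Symantec Trojan.Naid
TrendMicro BKDR_MDMBOT.A
TrendMicro-HouseCall BKDR_MDMBOT.A
VIPRE Trojan.Win32.Generic!BT
"""

# Tokens that name a class, platform or heuristic cluster rather than a family.
# Assumption: this stoplist is the example's own, tuned to the labels above.
GENERIC = {
    "win32", "w32", "win", "trojan", "troj", "backdoor", "bkdr", "dropper",
    "generic", "variant", "gen", "riskware", "unclassifiedmalware", "malware",
    "agent", "symmi",  # Gen:Variant.Symmi is shared by every BitDefender-engine vendor
}
# Spellings treated as one family. Assumption for this example, not a vendor mapping.
ALIASES = {"mdmbot": "mcrat", "mmbot": "mcrat"}


def family_tokens(label: str, aliases=ALIASES) -> set:
    """Split one AV label into candidate family names."""
    out = set()
    for tok in re.split(r"[^a-z0-9]+", label.lower()):
        # variant suffixes (.B, !tr, .r4), hex ids and class words carry no family information
        if len(tok) < 4 or tok in GENERIC or any(c.isdigit() for c in tok):
            continue
        out.add(aliases.get(tok, tok))
    return out


def family_consensus(table: str, aliases=ALIASES) -> list:
    """Count vendors voting for each family, one vote per vendor per family, most votes first."""
    votes = Counter()
    for line in table.splitlines():
        if not line.strip():
            continue
        vendor, label = line.split(None, 1)   # vendor names contain no spaces, labels may
        for fam in family_tokens(label, aliases):
            votes[fam] += 1
    return votes.most_common()


if __name__ == "__main__":
    for fam, n in family_consensus(SAMPLE_LABELS):
        print(f"{fam:12s} {n}")
```

Two rows here (TrendMicro and TrendMicro-HouseCall) are one engine, and seven rows of the full table share the BitDefender engine; a production version should weight votes by engine rather than by vendor, otherwise the tally reports which engine is most widely licensed rather than what the file is.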
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
Developer metadata
Copyright Copyright (C) 2010
Publisher Microsoft Corporation
Product Microsoft(R) Windows(R) Operating System
Original name Inst.exe
Internal name Microsoft(R) Windows(R) Operating System
File version 5, 1, 0, 0
Description Microsoft Inst Server COM interfaces
Packers identified
PEiD Armadillo v1.71 (treat with caution: this PEiD signature is a well-known false positive on plain Visual C++ 6 binaries, and the LinkerVersion 6.0 and the TrID "MS Visual C++" match further down fit an unprotected MSVC6 build better than a real Armadillo wrapper)
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2013-02-26 09:10:24 UTC (PE header TimeDateStamp)
Link date 10:10 AM 2/26/2013 (the same instant rendered in the scanner's local UTC+01:00 zone, as the ExifTool TimeStamp below also shows)
Entry Point 0x00001D90
Number of sections 4
PE sections (the four-entry section table did not survive in this copy of the report)
PE imports (grouped by exporting DLL; the per-DLL headers of the original table were lost in extraction and are restored here from the function names)
ADVAPI32.dll
RegCreateKeyExW
CloseServiceHandle
ChangeServiceConfig2W
RegCloseKey
StartServiceW
RegSetValueExW
OpenSCManagerW
RegOpenKeyExW
OpenServiceW
QueryServiceConfigW
EnumServicesStatusW
RegOpenKeyW
ChangeServiceConfigW
RegQueryValueExW
CreateServiceW
KERNEL32.dll
GetLastError
HeapFree
GetShortPathNameW
GetModuleFileNameW
HeapAlloc
lstrcmpiW
RtlUnwind
lstrlenW
GetCurrentProcess
SizeofResource
SetThreadPriority
SetProcessPriorityBoost
DeleteFileW
lstrcatW
GetProcessHeap
lstrcpyW
ExpandEnvironmentStringsW
WriteFile
CloseHandle
GetModuleHandleW
FreeResource
SetPriorityClass
LoadResource
FindResourceW
CreateFileW
CreateProcessW
Sleep
GetCurrentThread
GetTickCount
ExitProcess
GetProcAddress
GetEnvironmentVariableW
SHELL32.dll
SHChangeNotify
Ord(680) (import by ordinal; shell32 ordinal 680 is IsUserAnAdmin)
ShellExecuteExW
SHLWAPI.dll
StrStrW
USER32.dll
wsprintfW
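Two things fall out of this import table. First, the imphash listed under File identification below is an MD5 over the normalised `dll.function` strings in import-table order, so renaming the file or editing its version resource leaves it unchanged while adding or reordering a single import changes it. Second, the particular mix of resource, file, service-control and registry APIs is the shape of a resource-based dropper that installs a service, which is what the detection names above say. The script below is an added example (not VirusTotal's code, not pefile's, and not from the sample) that implements the imphash normalisation the way pefile documents it and checks an import list for those API combinations. The DLL assigned to each function is this example's assumption, since the report lists only function names, and the list is a subset in a different order, so its hash will not equal the report's value.

```python
import hashlib

# Subset of the import table above. Assumption: the DLL for each name is taken from the
# Win32 API documentation, not from the sample; the order is not the file's import order.
SAMPLE_IMPORTS = [
    ("ADVAPI32.dll", "OpenSCManagerW"), ("ADVAPI32.dll", "CreateServiceW"),
    ("ADVAPI32.dll", "ChangeServiceConfig2W"), ("ADVAPI32.dll", "StartServiceW"),
    ("ADVAPI32.dll", "RegCreateKeyExW"), ("ADVAPI32.dll", "RegSetValueExW"),
    ("KERNEL32.dll", "FindResourceW"), ("KERNEL32.dll", "LoadResource"),
    ("KERNEL32.dll", "SizeofResource"), ("KERNEL32.dll", "CreateFileW"),
    ("KERNEL32.dll", "WriteFile"), ("KERNEL32.dll", "GetModuleFileNameW"),
    ("KERNEL32.dll", "DeleteFileW"), ("KERNEL32.dll", "CreateProcessW"),
    ("SHELL32.dll", 680), ("SHELL32.dll", "ShellExecuteExW"),   # 680: import by ordinal
    ("USER32.dll", "wsprintfW"),
]


def imphash_input(imports) -> str:
    """Normalise (dll, name-or-ordinal) pairs as pefile does before hashing:
    lower-case, strip a .dll/.ocx/.sys extension, ordinals become 'ordN', join with commas."""
    parts = []
    for dll, func in imports:
        lib = dll.lower()
        base, dot, ext = lib.rpartition(".")
        if dot and ext in ("dll", "ocx", "sys"):
            lib = base
        # pefile resolves a few well-known ordinals (ws2_32, oleaut32) to names and renders
        # every other DLL's ordinals, shell32 included, as ordN; only the ordN path is mirrored here.
        name = f"ord{func}" if isinstance(func, int) else func.lower()
        parts.append(f"{lib}.{name}")
    return ",".join(parts)


def imphash(imports) -> str:
    """MD5 of the normalised import string; matches pefile's get_imphash() for name imports."""
    return hashlib.md5(imphash_input(imports).encode()).hexdigest()


# API sets that, imported together, describe what the binary is built to do.
# Assumption: pattern names and membership are this example's own, not any tool's output.
CAPABILITIES = {
    "resource_payload_drop": {"findresourcew", "loadresource", "sizeofresource", "createfilew", "writefile"},
    "service_install":       {"openscmanagerw", "createservicew", "startservicew"},
    "registry_write":        {"regcreatekeyexw", "regsetvalueexw"},
    "self_delete":           {"getmodulefilenamew", "deletefilew"},
}


def capabilities(imports) -> list:
    """Return the sorted names of every CAPABILITIES set fully present in the import list."""
    names = {f.lower() for _, f in imports if isinstance(f, str)}
    return sorted(cap for cap, needed in CAPABILITIES.items() if needed <= names)


if __name__ == "__main__":
    print(imphash_input(SAMPLE_IMPORTS))
    print(imphash(SAMPLE_IMPORTS))
    print(capabilities(SAMPLE_IMPORTS))
```

Because the hash depends on order, two builds of the same source with the same linker settings share an imphash while a recompiled variant with one extra API call does not; use it to cluster, never as the sole identifier.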
Number of PE resources by type
BIN 1
RT_VERSION 1
Number of PE resources by language
CHINESE SIMPLIFIED 2
A single custom BIN resource alongside FindResourceW, LoadResource, SizeofResource, CreateFileW and WriteFile in the import table is consistent with a resource-based dropper, which is what most of the detection names above call this file. Note also that both resources are tagged Simplified Chinese while the version block claims an English (U.S.) Microsoft build.
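A one-resource dropper is quickest to confirm by carving: any second PE image inside the file is the payload. The script below is an added example (not tooling from the report or from VirusTotal) that walks a byte buffer for `MZ` markers, validates each candidate through e_lfanew, the PE signature and the COFF header, and reports the image's machine type, EXE/DLL flag, TimeDateStamp and raw size so the payload can be cut out and hashed on its own. The host and payload it runs on are constructed minimal PE headers built in the script, not bytes of this sample; the payload's timestamp is set to the compilation timestamp shown above so the decoding can be checked against the report.

```python
import struct
from datetime import datetime, timezone
from typing import Optional

MACHINE_NAMES = {0x014C: "i386", 0x8664: "x86-64"}
IMAGE_FILE_DLL = 0x2000          # IMAGE_FILE_HEADER.Characteristics bit


def parse_pe(buf: bytes, pos: int) -> Optional[dict]:
    """Validate an 'MZ' candidate at pos and summarise the image; None if it is not a PE."""
    if buf[pos:pos + 2] != b"MZ" or pos + 0x40 > len(buf):
        return None
    e_lfanew = struct.unpack_from("<I", buf, pos + 0x3C)[0]
    pe = pos + e_lfanew
    if pe + 24 > len(buf) or buf[pe:pe + 4] != b"PE\0\0":
        return None
    machine, nsec, stamp, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", buf, pe + 4)
    if machine not in MACHINE_NAMES or not 0 < nsec <= 96:
        return None
    sections = pe + 24 + opt_size                      # section table follows the optional header
    if sections + 40 * nsec > len(buf):
        return None
    end = 0
    for i in range(nsec):
        raw_size, raw_ptr = struct.unpack_from("<II", buf, sections + 40 * i + 16)
        end = max(end, raw_ptr + raw_size)             # highest raw byte = length to carve
    return {
        "offset": pos,
        "machine": MACHINE_NAMES[machine],
        "dll": bool(chars & IMAGE_FILE_DLL),
        "sections": nsec,
        "timestamp": datetime.fromtimestamp(stamp, timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
        "size": end,
    }


def find_embedded_pe(buf: bytes) -> list:
    """Every valid PE image in buf: the host at offset 0 plus any payload inside it."""
    hits = []
    pos = buf.find(b"MZ")
    while pos != -1:
        info = parse_pe(buf, pos)
        if info:
            hits.append(info)
        pos = buf.find(b"MZ", pos + 1)
    return hits


def build_fake_pe(stamp: int, raw_sizes: list, dll: bool = False) -> bytes:
    """Constructed minimal PE32 header plus zero-filled sections for the demo; not a loadable program."""
    opt_size = 0xE0
    hdr = 0x40 + 24 + opt_size + 40 * len(raw_sizes)
    data = (hdr + 0x1FF) & ~0x1FF                      # 512-byte file alignment
    out = bytearray(b"MZ" + bytes(0x3E))
    struct.pack_into("<I", out, 0x3C, 0x40)            # e_lfanew: PE signature right after the DOS header
    chars = 0x0102 | (IMAGE_FILE_DLL if dll else 0)
    out += b"PE\0\0" + struct.pack("<HHIIIHH", 0x014C, len(raw_sizes), stamp, 0, 0, opt_size, chars)
    out += struct.pack("<H", 0x10B) + bytes(opt_size - 2)   # PE32 magic, rest of optional header zeroed
    ptr = data
    for i, size in enumerate(raw_sizes):
        out += struct.pack("<8sIIIIIIHHI", b".sec%d" % i, size, ptr, size, ptr, 0, 0, 0, 0, 0x60000020)
        ptr += size
    out += bytes(data - len(out)) + bytes(sum(raw_sizes))
    return bytes(out)


def demo() -> list:
    """Host dropper with two sections and a second PE (the 'BIN' payload) pasted into section 2."""
    host = bytearray(build_fake_pe(1361836800, [0x400, 0x400]))   # 2013-02-26 00:00:00 UTC
    payload = build_fake_pe(1361869824, [0x200], dll=True)         # 2013-02-26 09:10:24 UTC
    host[0x600:0x600 + len(payload)] = payload                     # section 2 starts at 0x200 + 0x400
    return find_embedded_pe(bytes(host))


if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

On a real dropper, slice `buf[offset:offset + size]` for the second hit, hash it, and submit that hash separately; the payload's own timestamp and imports are usually more useful than the stub's.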
ExifTool file metadata
SubsystemVersion 4.0
InitializedDataSize 65536
ImageVersion 0.0
ProductName Microsoft(R) Windows(R) Operating System
FileVersionNumber 5.1.0.0
UninitializedDataSize 0
LanguageCode English (U.S.)
FileFlagsMask 0x003f
CharacterSet Unicode
LinkerVersion 6.0
OriginalFilename Inst.exe
MIMEType application/octet-stream
Subsystem Windows GUI
FileVersion 5, 1, 0, 0
TimeStamp 2013:02:26 10:10:24+01:00
FileType Win32 EXE
PEType PE32
InternalName Microsoft(R) Windows(R) Operating System
FileAccessDate 2014:11:27 14:46:25+01:00
ProductVersion 5, 1, 0, 0
FileDescription Microsoft Inst Server COM interfaces
OSVersion 4.0
FileCreateDate 2014:11:27 14:46:25+01:00
FileOS Windows NT 32-bit
LegalCopyright Copyright (C) 2010
MachineType Intel 386 or later, and compatibles
CompanyName Microsoft Corporation
CodeSize 4096
FileSubtype 0
ProductVersionNumber 5.1.0.0
EntryPoint 0x1d90
ObjectFileType Dynamic link library (taken from the FileType field of the version resource, which the author controls; the PE header itself describes a Win32 EXE, as FileType above and the File type entry below report)

File identification
MD5 4d519bf53a8217adc4c15d15f0815993
SHA1 fa9674bab61c37717f8232ebd47af915f9eb9e49
SHA256 c5bdf8572d3fe3c110e3c56ebd2433169ea968818ec811faf72b322d9bcf94b8
ssdeep 1536:H88vjJmxYMsGaR0xOGimB71w7tbWRAvis0mwm:HjExpsGaU3DgB4m
authentihash 1a4c3656846b56961d31b5cf6f0bc2effc79ad3f6d66af8addbf05b6b54d3210
imphash e1f73d9e8b5c8cff9c2ca136afd652a1
File size 72.0 KB ( 73728 bytes )
File type Win32 EXE
Magic literal PE32 executable for MS Windows (GUI) Intel 80386 32-bit
TrID Win32 Executable MS Visual C++ (generic) (67.3%)
Win32 Dynamic Link Library (generic) (14.2%)
Win32 Executable (generic) (9.7%)
Generic Win/DOS Executable (4.3%)
DOS Executable Generic (4.3%)
Tags exploit armadillo peexe
VirusTotal metadata
First submission 2013-02-28 02:49:10 UTC ( 2 years ago )
Last submission 2013-07-01 06:45:56 UTC ( 1 year, 8 months ago )
File names file-5603713_txt
Inst.exe
svchost.jpg
Microsoft(R) Windows(R) Operating System
bd89c33e9eab0c169908b574a9f4984a-bd89c33e9eab0c169908b574a9f4984a-1362019742
4d519bf53a8217adc4c15d15f0815993
c5bdf8572d3fe3c110e3c56ebd2433169ea968818ec811faf72b322d9bcf94b8
file.exe
vti-rescan
4d519bf53a8217adc4c15d15f0815993.exe
Advanced heuristic and reputation engines
Symantec reputation Suspicious.Insight
Condensed report! The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.
Opened files, Written files, Set keys, Opened service managers, Opened services, Runtime DLLs: the per-item lists under these headings are empty in this copy of the report.
Additional details
The file sends control codes directly to certain device drivers using the DeviceIoControl Windows API function. DeviceIoControl does not appear in the static import table above; the dropper imports GetProcAddress, so the call is either resolved at run time or made by a process the sample launched, both of which this condensed report covers.
UDP communications: no entries in this copy of the report.