SHA256: cf3459cf29125101f5bea3f4206d8e43dbe097dd884ebf3155c49b276736f727
File name: AU2_EXEsd.executable
Detection ratio: 51 / 67
Analysis date: 2018-06-27 11:12:48 UTC
Antivirus Result Update
Ad-Aware Generic.DataStealer.1.82368076 20180627
AegisLab W32.W.Viking.lixn 20180627
AhnLab-V3 Malware/Win32.Generic.C1900722 20180627
ALYac Trojan.Delf 20180627
Antiy-AVL Trojan/Win32.AGeneric 20180627
Arcabit Generic.DataStealer.1.82368076 20180627
Avast Win32:Malware-gen 20180627
AVG Win32:Malware-gen 20180627
Avira (no cloud) TR/Crypt.XPACK.Gen 20180627
AVware Trojan.Win32.Generic!BT 20180627
Baidu Win32.Trojan.WisdomEyes.16070401.9500.9858 20180627
BitDefender Generic.DataStealer.1.82368076 20180627
CAT-QuickHeal Trojan.Generic 20180627
Comodo UnclassifiedMalware 20180627
CrowdStrike Falcon (ML) malicious_confidence_90% (D) 20180530
Cybereason malicious.fceeed 20180225
Cyren W32/Trojan.GMAK-1580 20180627
DrWeb Trojan.PWS.Steam.13803 20180627
Emsisoft Generic.DataStealer.1.82368076 (B) 20180627
Endgame malicious (high confidence) 20180612
ESET-NOD32 a variant of Win32/PSW.Delf.ORF 20180627
F-Secure Generic.DataStealer.1.82368076 20180627
Fortinet W32/Delf.ORF!tr 20180627
GData Generic.DataStealer.1.82368076 20180627
Ikarus Trojan.Win32.PSW 20180627
Sophos ML heuristic 20180601
Jiangmin Trojan.Generic.bcufq 20180627
K7AntiVirus Password-Stealer ( 0050cad01 ) 20180627
K7GW Password-Stealer ( 0050cad01 ) 20180627
Kaspersky HEUR:Trojan.Win32.Generic 20180627
MAX malware (ai score=100) 20180627
McAfee Artemis!3A3F739FCEEE 20180627
McAfee-GW-Edition BehavesLike.Win32.Suspiciousatg.gh 20180627
Microsoft PWS:Win32/PWSteal.Q!bit 20180627
eScan Generic.DataStealer.1.82368076 20180627
NANO-Antivirus Trojan.Win32.Steam.eqyllz 20180627
Palo Alto Networks (Known Signatures) generic.ml 20180627
Panda Trj/GdSda.A 20180626
Rising Stealer.Delf!8.415 (CLOUD) 20180627
SentinelOne (Static ML) static engine - malicious 20180618
Sophos AV Mal/Generic-S 20180627
Symantec Trojan.Gen 20180627
Tencent Win32.Trojan.Generic.Ljul 20180627
TrendMicro TROJ_GEN.R002C0DCQ18 20180627
TrendMicro-HouseCall TROJ_GEN.R002C0DCQ18 20180627
VBA32 suspected of Trojan.Downloader.gen.h 20180626
VIPRE Trojan.Win32.Generic!BT 20180627
Webroot W32.Trojan.Gen 20180627
Yandex Trojan.Agent!399qRkbS8oU 20180627
Zillya Trojan.Delf.Win32.87782 20180626
ZoneAlarm by Check Point HEUR:Trojan.Win32.Generic 20180627
No detection (the result column is empty for the engines below; only the signature update date is shown)
Alibaba 20180627
Avast-Mobile 20180627
Babable 20180406
Bkav 20180627
ClamAV 20180627
CMC 20180627
Cylance 20180627
eGambit 20180627
F-Prot 20180627
Kingsoft 20180627
Malwarebytes 20180627
Qihoo-360 20180627
SUPERAntiSpyware 20180627
Symantec Mobile Insight 20180626
TACHYON 20180627
TheHacker 20180624
Trustlook 20180627
ViRobot 20180627
Zoner 20180627
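The table above is what analysts reduce to a working family name, and the obvious way to read it (count engines) misleads: a string such as Generic.DataStealer.1.82368076 repeated verbatim by Ad-Aware, Arcabit, BitDefender, Emsisoft, F-Secure, GData and eScan is one engine's verdict relayed by licensees of that engine, so it carries the weight of one vote, not seven, while the independent engines converge on Delf (a Delphi-built PSW/stealer). The script below is an added example, not part of the VirusTotal page: it parses rows in the page's "Engine Result Update" layout, strips category and platform tokens (Trojan, Win32, Generic, PWS, ...) and counts the family tokens that survive, once per engine. The row subset it embeds is copied from the table above as constructed sample input; the generic-token list and the rule that the first whitespace-separated token is the engine name are my assumptions (multi-word engine names such as "Avira (no cloud)" would need an engine whitelist, and variant suffixes such as ORF are not filtered).

```python
import re
from collections import Counter

# Constructed sample: a subset of the rows from the detection table above,
# in the page's "Engine Result Update" layout (last token is the update date).
SAMPLE_ROWS = """\
Ad-Aware Generic.DataStealer.1.82368076 20180627
ALYac Trojan.Delf 20180627
Avast Win32:Malware-gen 20180627
BitDefender Generic.DataStealer.1.82368076 20180627
DrWeb Trojan.PWS.Steam.13803 20180627
ESET-NOD32 a variant of Win32/PSW.Delf.ORF 20180627
Fortinet W32/Delf.ORF!tr 20180627
GData Generic.DataStealer.1.82368076 20180627
K7AntiVirus Password-Stealer ( 0050cad01 ) 20180627
Kaspersky HEUR:Trojan.Win32.Generic 20180627
Microsoft PWS:Win32/PWSteal.Q!bit 20180627
NANO-Antivirus Trojan.Win32.Steam.eqyllz 20180627
Rising Stealer.Delf!8.415 (CLOUD) 20180627
Zillya Trojan.Delf.Win32.87782 20180626
Alibaba 20180627
ClamAV 20180627
"""

# Tokens that name a category, platform or heuristic rather than a family.
# This list is an assumption for the example; production tooling (e.g. AVClass)
# maintains much longer ones.
GENERIC = {"trojan", "win32", "w32", "generic", "gen", "malware", "heur",
           "variant", "cloud", "pws", "psw", "tr", "bit", "agent", "trj"}


def parse_rows(text):
    """Return [(engine, result)] where result == "" means no detection."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2 or not re.fullmatch(r"\d{8}", parts[-1]):
            continue  # not a table row (assumes a single-token engine name)
        rows.append((parts[0], " ".join(parts[1:-1])))
    return rows


def family_tokens(result):
    """Candidate family names in one detection string, lower-cased."""
    toks = set()
    for t in re.split(r"[^A-Za-z0-9]+", result):
        t = t.lower()
        # drop short fragments, hashes/variant counters (anything with digits)
        # and the generic vocabulary
        if len(t) < 3 or any(c.isdigit() for c in t) or t in GENERIC:
            continue
        toks.add(t)
    return toks


def summarize(rows):
    detected = [(e, r) for e, r in rows if r]
    counts = Counter()
    generic_only = 0
    for _, r in detected:
        toks = family_tokens(r)
        if not toks:
            generic_only += 1  # engine fired, but its label names no family
        counts.update(toks)   # one vote per engine, not per token repetition
    return {
        "detected": len(detected),
        "undetected": len(rows) - len(detected),
        "generic_only": generic_only,
        "families": counts.most_common(),
    }


if __name__ == "__main__":
    for k, v in summarize(parse_rows(SAMPLE_ROWS)).items():
        print(f"{k}: {v}")
```

On the sample rows this ranks delf first (five independent engines) ahead of datastealer (three copies of the same BitDefender-engine label), which is the reading a practitioner would write into a report; a second pass that collapses known engine licensees to one vote would widen that gap further.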
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
Packers identified
PEiD BobSoft Mini Delphi -> BoB / BobSoft
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 1992-06-19 22:22:17 (not a real build time: this is the fixed value 0x2A425E19 that Borland/Delphi linkers write into TimeDateStamp, consistent with the PEiD Delphi match and the 2.25 linker version below)
Entry Point 0x0006F470
Number of sections 6
PE sections
PE imports
RegCreateKeyExW
RegCloseKey
RegEnumKeyW
FreeSid
RegQueryValueExA
RegOpenKeyExW
RegEnumKeyA
LookupAccountSidA
RegOpenKeyW
RegOpenKeyExA
GetUserNameW
AllocateAndInitializeSid
RegQueryValueExW
GetStdHandle
FileTimeToSystemTime
GetFileAttributesA
WaitForSingleObject
FindFirstFileW
HeapDestroy
GetFileAttributesW
DeleteCriticalSection
GetCurrentProcess
GetLocaleInfoA
LocalAlloc
GetTempPathA
WideCharToMultiByte
GetDiskFreeSpaceW
WriteFile
GetSystemTimeAsFileTime
GetDiskFreeSpaceA
GetFullPathNameA
LocalFree
FormatMessageW
InitializeCriticalSection
OutputDebugStringW
FindClose
FormatMessageA
GetFullPathNameW
OutputDebugStringA
GetSystemTime
CopyFileW
GetModuleFileNameW
TryEnterCriticalSection
ExitProcess
GetVersionExA
GetModuleFileNameA
FlushViewOfFile
UnhandledExceptionFilter
MultiByteToWideChar
CreateMutexA
GetModuleHandleA
LockFileEx
CreateThread
SetEnvironmentVariableW
CreateMutexW
ExitThread
SetCurrentDirectoryW
SetEndOfFile
GetCurrentThreadId
CloseHandle
AreFileApisANSI
HeapFree
EnterCriticalSection
LoadLibraryW
GetVersionExW
FreeLibrary
QueryPerformanceCounter
GetTickCount
FlushFileBuffers
LoadLibraryA
RtlUnwind
GetStartupInfoA
UnlockFile
GetFileSize
DeleteFileA
DeleteFileW
GetProcAddress
GetProcessHeap
GetComputerNameW
ExpandEnvironmentStringsW
FindNextFileW
HeapValidate
CreateFileMappingA
FindNextFileA
CreateFileW
CreateFileA
HeapAlloc
LeaveCriticalSection
GetLastError
SystemTimeToFileTime
CreateFileMappingW
HeapCreate
GetSystemInfo
lstrlenA
HeapReAlloc
GetThreadLocale
WaitForSingleObjectEx
HeapCompact
LockFile
FileTimeToLocalFileTime
GetCurrentDirectoryW
GetCurrentProcessId
HeapSize
GetCommandLineA
InterlockedCompareExchange
RaiseException
MapViewOfFile
SetFilePointer
ReadFile
FindFirstFileA
UnlockFileEx
GetVersion
GetFileAttributesExW
UnmapViewOfFile
GetTempPathW
VirtualFree
Sleep
VirtualAlloc
SysReAllocStringLen
SysFreeString
SysAllocStringLen
EnumDisplayDevicesA
MessageBoxA
GetKeyboardType
GetSystemMetrics
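The import list above is shown flat, without the DLL each name comes from, yet it is the most informative static artefact on this page for a suspected credential stealer: registry key enumeration plus user/SID/computer-name lookups, recursive file search with CopyFileW, mutex creation, and memory-mapped file access with LockFileEx/UnlockFileEx (a pattern seen when a database engine is statically linked into the binary; that is an inference, not something the page states). The script below is an added example, not code from the page or from VirusTotal: it buckets imports into capabilities the way a first-pass triage does, and also implements the imphash calculation used by the "imphash" line further down (lower-cased dll.func pairs, joined by commas, MD5). The DLL assignment of the page's function names, and the kernel32 subset used, are my assumptions, so the hash the sample produces is not expected to equal the page's 5fccf23bb71a95da67e903fab75940db; the calculation itself also omits ordinal-to-name mapping, which a full implementation needs for imports by ordinal.

```python
import hashlib

# Constructed sample: function names from the page's import list, grouped
# under the DLLs that export them. The DLL names (and the use of only a subset
# of the kernel32 imports) are assumptions for this example; the page lists
# function names only. Order within a DLL follows the page.
IMPORTS = [
    ("advapi32.dll", ["RegCreateKeyExW", "RegCloseKey", "RegEnumKeyW", "FreeSid",
                      "RegQueryValueExA", "RegOpenKeyExW", "RegEnumKeyA",
                      "LookupAccountSidA", "RegOpenKeyW", "RegOpenKeyExA",
                      "GetUserNameW", "AllocateAndInitializeSid", "RegQueryValueExW"]),
    ("kernel32.dll", ["GetStdHandle", "FindFirstFileW", "FindNextFileW", "CopyFileW",
                      "CreateMutexA", "CreateMutexW", "LoadLibraryW", "LoadLibraryA",
                      "GetProcAddress", "GetComputerNameW", "CreateFileMappingA",
                      "CreateFileMappingW", "MapViewOfFile", "LockFileEx", "UnlockFileEx",
                      "GetVersionExA", "GetSystemInfo", "ExpandEnvironmentStringsW",
                      "GetTempPathW", "CreateFileW", "WriteFile", "ReadFile", "DeleteFileW"]),
    ("oleaut32.dll", ["SysReAllocStringLen", "SysFreeString", "SysAllocStringLen"]),
    ("user32.dll", ["EnumDisplayDevicesA", "MessageBoxA", "GetKeyboardType", "GetSystemMetrics"]),
]

# Capability buckets (my own grouping): an import set that covers several
# names in a bucket is a stronger signal than any single name.
CAPABILITIES = {
    "registry enumeration/reading": {
        "RegOpenKeyExW", "RegOpenKeyExA", "RegOpenKeyW", "RegEnumKeyW", "RegEnumKeyA",
        "RegQueryValueExW", "RegQueryValueExA"},
    "user and host fingerprinting": {
        "GetUserNameW", "GetComputerNameW", "LookupAccountSidA", "AllocateAndInitializeSid",
        "GetVersionExA", "GetVersionExW", "GetSystemInfo", "EnumDisplayDevicesA",
        "GetSystemMetrics"},
    "file system search and copy": {
        "FindFirstFileW", "FindFirstFileA", "FindNextFileW", "FindNextFileA", "CopyFileW",
        "ExpandEnvironmentStringsW", "GetTempPathW", "GetTempPathA"},
    "memory-mapped file access with byte-range locks": {
        "CreateFileMappingA", "CreateFileMappingW", "MapViewOfFile", "LockFileEx",
        "UnlockFileEx", "LockFile", "UnlockFile"},
    "single-instance / infection-marker mutex": {"CreateMutexA", "CreateMutexW"},
    "runtime API resolution": {"LoadLibraryA", "LoadLibraryW", "GetProcAddress"},
}


def triage_imports(imports, min_hits=2):
    """Map capability -> sorted imported names, for buckets with >= min_hits hits."""
    present = {f for _, funcs in imports for f in funcs}
    found = {}
    for cap, names in CAPABILITIES.items():
        hits = sorted(present & names)
        if len(hits) >= min_hits:
            found[cap] = hits
    return found


def imphash(imports):
    """imphash as pefile computes it: 'dll.func' (lower-cased, DLL extension
    stripped) in import-table order, comma-joined, MD5. Ordinal imports would
    need an ordinal->name table first; this sample has none."""
    parts = []
    for dll, funcs in imports:
        base = dll.lower()
        for ext in (".dll", ".ocx", ".sys"):
            if base.endswith(ext):
                base = base[:-len(ext)]
                break
        parts.extend(f"{base}.{f.lower()}" for f in funcs)
    return hashlib.md5(",".join(parts).encode("ascii")).hexdigest()


if __name__ == "__main__":
    for cap, hits in triage_imports(IMPORTS).items():
        print(f"{cap}: {', '.join(hits)}")
    print("imphash of the sample import table:", imphash(IMPORTS))
```

Because imphash is order-sensitive and case-insensitive, two builds from the same source with the same link order share it while a recompiled variant with one extra import does not; that is what makes it useful for pivoting in VirusTotal and why the sample's value, built from assumed DLL groupings, cannot be compared with the page's.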
ExifTool file metadata
MIMEType application/octet-stream
Subsystem Windows GUI
MachineType Intel 386 or later, and compatibles
FileTypeExtension exe
TimeStamp 1992:06:20 00:22:17+02:00 (the same 1992-06-19 22:22:17 UTC stamp as above, rendered by ExifTool in a +02:00 local zone)
FileType Win32 EXE
PEType PE32
CodeSize 452096
LinkerVersion 2.25
ImageFileCharacteristics Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
EntryPoint 0x6f470
InitializedDataSize 56832
SubsystemVersion 4.0
ImageVersion 0.0
OSVersion 4.0
UninitializedDataSize 0

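Both the "PE header basic information" block and the ExifTool dump above are read straight from the COFF file header and the PE32 optional header, so the values (machine, section count, TimeDateStamp, entry point, linker version, subsystem, characteristics) can be checked without any tool and the Delphi placeholder timestamp flagged automatically. The parser below is an added example, not code from the page or from VirusTotal; it handles PE32 only (magic 0x10B) and reads just the fields shown on this page. Its sample input is a constructed, minimal PE header carrying the page's own values (machine 0x14C, 6 sections, TimeDateStamp 0x2A425E19, entry 0x6F470, linker 2.25, GUI subsystem, characteristics 0x818E); fields the page does not give (ImageBase, alignments, SizeOfImage, BaseOfCode/BaseOfData) are filled with assumed values and no section table follows.

```python
import struct
from datetime import datetime, timezone

# Fixed TimeDateStamp written by Borland/Delphi linkers; decodes to
# 1992-06-19 22:22:17 UTC. Seeing it means "build time unknown", not 1992.
DELPHI_STAMP = 0x2A425E19

MACHINES = {0x14C: "Intel 386 or later processors and compatible processors",
            0x8664: "x64", 0x1C0: "ARM", 0xAA64: "ARM64"}
SUBSYSTEMS = {1: "Native", 2: "Windows GUI", 3: "Windows console"}
CHARACTERISTICS = [(0x0002, "Executable"), (0x0004, "No line numbers"),
                   (0x0008, "No symbols"), (0x0080, "Bytes reversed lo"),
                   (0x0100, "32-bit"), (0x2000, "DLL"), (0x8000, "Bytes reversed hi")]


def parse_pe_header(data):
    """Return the header fields VirusTotal shows, from raw file bytes (PE32 only)."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    coff = e_lfanew + 4
    # COFF file header: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, nsections, stamp, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if opt_size < 72:
        raise ValueError("optional header too short for the fields read here")
    magic, maj_lnk, min_lnk = struct.unpack_from("<HBB", data, opt)
    if magic != 0x10B:
        raise ValueError("only PE32 (magic 0x10B) optional headers are handled")
    code_size, init_size = struct.unpack_from("<II", data, opt + 4)
    (entry,) = struct.unpack_from("<I", data, opt + 16)
    (subsystem,) = struct.unpack_from("<H", data, opt + 68)
    return {
        "machine": MACHINES.get(machine, hex(machine)),
        "sections": nsections,
        "timestamp_utc": datetime.fromtimestamp(stamp, timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
        "timestamp_is_delphi_placeholder": stamp == DELPHI_STAMP,
        "entry_point": entry,
        "code_size": code_size,
        "initialized_data_size": init_size,
        "linker_version": f"{maj_lnk}.{min_lnk}",
        "subsystem": SUBSYSTEMS.get(subsystem, str(subsystem)),
        "characteristics": [name for bit, name in CHARACTERISTICS if chars & bit],
    }


def build_sample():
    """Constructed minimal PE header with this page's values (no section table).
    ImageBase, alignments and sizes not on the page are assumed."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)            # e_lfanew -> right after DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, 6, DELPHI_STAMP, 0, 0, 224, 0x818E)
    fmt = "<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH"  # first 72 bytes of a PE32 optional header
    opt = struct.pack(fmt,
                      0x10B, 2, 25,                      # magic, linker 2.25
                      452096, 56832, 0,                  # SizeOfCode, SizeOfInitializedData, SizeOfUninitializedData
                      0x6F470, 0x1000, 0x70000,          # AddressOfEntryPoint, BaseOfCode, BaseOfData (last two assumed)
                      0x400000, 0x1000, 0x200,           # ImageBase, SectionAlignment, FileAlignment (assumed)
                      4, 0, 0, 0, 4, 0,                  # OS 4.0, image 0.0, subsystem 4.0
                      0, 0x80000, 0x400, 0,              # Win32VersionValue, SizeOfImage, SizeOfHeaders, CheckSum (assumed)
                      2, 0)                              # Subsystem = Windows GUI, DllCharacteristics
    opt += bytes(224 - len(opt))                         # remaining optional header + 16 empty data directories
    return bytes(dos) + b"PE\0\0" + coff + opt


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    for k, v in parse_pe_header(blob).items():
        print(f"{k}: {v}")
```

Run with a file path to apply the same check to a real sample; without one it parses the constructed header. The placeholder flag is the practical point: a 1992 timestamp on a 2017-submitted Delphi binary says nothing about when it was built, and build-time pivots should not be made on it.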
File identification
MD5 3a3f739fceeedc38544f2c4b699674c5
SHA1 c5ceebb4cddaa8b2b049719ffd2602ee6f36c6c2
SHA256 cf3459cf29125101f5bea3f4206d8e43dbe097dd884ebf3155c49b276736f727
ssdeep 12288:WgIxgMdrq7UtjN47YuwqiDaE1nEm+hkjVjtzzpJdKZKO:WMMdrq4DowqGEm5jVjtza
authentihash 3b278b4968dea5beb26a3ed6fd0fe6e8843a3f8884e9c429d4d1c57a036f4680
imphash 5fccf23bb71a95da67e903fab75940db
File size 498.0 KB ( 509952 bytes )
File type Win32 EXE
Magic literal PE32 executable for MS Windows (GUI) Intel 80386 32-bit
TrID Windows screen saver (40.5%)
Win32 Dynamic Link Library (generic) (20.3%)
Win32 Executable (generic) (13.9%)
Win16/32 Executable Delphi generic (6.4%)
OS/2 Executable (generic) (6.2%)
Tags bobsoft peexe

VirusTotal metadata
First submission 2017-07-12 20:08:18 UTC
Last submission 2018-10-23 21:48:03 UTC
File names output.111801226.txt
malware sample 01_09_2017 (91)
2017-07-17-Ramnit-post-infection-binary-from-steelskull.com-AU2_EXEsd.exe
AU2_EXEsd.exe
AU2_EXEsd.exe
2017-07-17-4th-run-post-infection-binary-from-stellskull.com-AU2_EXEsd.exe
VirusShare_3a3f739fceeedc38544f2c4b699674c5
Ramnit-post-infection-binary-from-steelskull.com-AU2_EXEsd.exe
Samp(33)_11.vir.rename
3186a66ec31d2fa64dc656eb1dda53e1b08c7c29
cf3459cf29125101f5bea3f4206d8e43dbe097dd884ebf3155c49b276736f727
9dVWiN.dll
2017-07-17-Ramnit-post-infection-binary-from-steelskull.com-AU2_EXEsd.exe-
AU2_EXEsd.executable
VirusShare_3a3f739fceeedc38544f2c4b699674c5.scr
Condensed report! The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.
Opened files
Read files
Created processes
Shell commands
Created mutexes
Opened mutexes
Runtime DLLs
HTTP requests
DNS requests
TCP connections
UDP communications