SHA256: cf352976323bd8683e8ec5728eb1282def49fbd4dc58ab5748a2747243177942
File name: isheriff_afe2a5435273e6c2a389c9d14c8ceeaf.bin
Detection ratio: 41 / 50
Analysis date: 2016-06-14 03:48:58 UTC ( 2 years, 8 months ago )
Antivirus Result Update
Ad-Aware Trojan.Zbot.5852 20160614
AegisLab Troj.Dropper.W32.Autoit.lVxD 20160613
AhnLab-V3 Spyware/Win32.Zbot 20160613
ALYac Trojan.Zbot.5852 20160613
Arcabit Trojan.Zbot.D16DC 20160613
Avast AutoIt:MalOb-BZ [Trj] 20160613
AVG Autoit 20160613
Avira (no cloud) TR/Dropper.Gen 20160613
AVware Trojan.Win32.Autoit.bjn (v) 20160613
Baidu AutoIt.Worm.Agent.c 20160612
Baidu-International Trojan.Win32.Dropper.adzuv 20160606
BitDefender Trojan.Zbot.5852 20160613
ClamAV Win.Trojan.8740072-1 20160613
CMC Trojan.Win32.Generic!O 20160613
Cyren W32/Trojan.FVBG-7880 20160613
DrWeb Trojan.MulDrop4.46259 20160613
Emsisoft Trojan.Zbot.5852 (B) 20160613
ESET-NOD32 Win32/Autoit.KE 20160613
F-Prot W32/Trojan2.ORIG 20160613
F-Secure Trojan.Zbot.5852 20160613
Fortinet W32/Inject.EYEW!tr 20160613
GData Trojan.Zbot.5852 20160613
Ikarus Worm.Win32.AutoIt 20160613
Jiangmin Trojan.MSIL.aeui 20160613
K7AntiVirus Trojan ( 700000111 ) 20160613
K7GW Trojan ( 700000111 ) 20160613
Kaspersky Trojan-Dropper.Win32.FrauDrop.adzuv 20160613
McAfee Artemis!AFE2A5435273 20160613
McAfee-GW-Edition BehavesLike.Win32.Spyware.fc 20160613
Microsoft Worm:Win32/Jenxcus.N 20160613
eScan Trojan.Zbot.5852 20160613
NANO-Antivirus Trojan.Script.Agent.debwym 20160613
nProtect Trojan.Zbot.5852 20160613
Panda Trj/CI.A 20160613
Qihoo-360 HEUR/QVM11.1.Malware.Gen 20160614
Sophos AV Mal/Generic-S 20160613
SUPERAntiSpyware Trojan.Agent/Gen-Injector 20160613
TheHacker Backdoor/Poison.evjc 20160612
TrendMicro TROJ_SPNR.03AR14 20160613
VBA32 Trojan.Autoit.Wirus 20160611
ViRobot Trojan.Win32.Z.Zbot.358912.B[h] 20160614
Alibaba 20160613
Antiy-AVL 20160614
Bkav 20160613
CAT-QuickHeal 20160613
Comodo 20160613
Kingsoft 20160614
Tencent 20160614
TotalDefense 20160613
Yandex 20160612
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
FileVersionInfo properties
File version 3, 3, 8, 1
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2012-01-29 21:32:28
Entry Point 0x000B88B0
Number of sections 3
PE sections
Overlays
MD5 261eb87a5e1407da3d2b767f6c49a382
File type data
Offset 303616
Size 55296
Entropy 7.99
PE imports
ImageList_Remove
GetSaveFileNameW
LineTo
VirtualFree
ExitProcess
VirtualProtect
LoadLibraryA
VirtualAlloc
GetProcAddress
WNetGetConnectionW
VariantInit
EnumProcesses
DragFinish
LoadUserProfileW
VerQueryValueW
FtpOpenFileW
timeGetTime
CoInitialize
Number of PE resources by type
RT_ICON 12
RT_STRING 7
RT_GROUP_ICON 4
RT_DIALOG 1
RT_MANIFEST 1
RT_MENU 1
RT_VERSION 1
Number of PE resources by language
ENGLISH UK 25
ENGLISH US 2
PE resources
ExifTool file metadata
UninitializedDataSize 479232
LinkerVersion 10.0
ImageVersion 0.0
FileVersionNumber 3.3.8.1
LanguageCode English (British)
FileFlagsMask 0x0017
CharacterSet Unicode
InitializedDataSize 32768
EntryPoint 0xb88b0
MIMEType application/octet-stream
FileVersion 3, 3, 8, 1
TimeStamp 2012:01:29 22:32:28+01:00
FileType Win32 EXE
PEType PE32
SubsystemVersion 5.0
OSVersion 5.0
FileOS Win32
Subsystem Windows GUI
CompiledScript AutoIt v3 Script: 3, 3, 8, 1
MachineType Intel 386 or later, and compatibles
CodeSize 274432
FileSubtype 0
ProductVersionNumber 3.3.8.1
FileTypeExtension exe
ObjectFileType Unknown

File identification
MD5 afe2a5435273e6c2a389c9d14c8ceeaf
SHA1 da7abbeda5f22f0528a5bad7b7aef830f6379e6a
SHA256 cf352976323bd8683e8ec5728eb1282def49fbd4dc58ab5748a2747243177942
ssdeep 6144:sAFELV9WkhHnkpPlxhPG+hxHLjdw/4NzNXn85R7Iuyuy8wFto3xfIYLRjhtUOVdy:sA6bf5Ud3rjdJzxVuy8WohNRfxV
authentihash 664f363399c3a6b47c21abc8ca7889107cbea8a576e2c20a966985cd7387d846
imphash 890e522b31701e079a367b89393329e6
File size 350.5 KB ( 358912 bytes )
File type Win32 EXE
Magic literal PE32 executable for MS Windows (GUI) Intel 80386 32-bit
TrID AutoIt3 compiled script executable (87.6%)
UPX compressed Win32 Executable (5.2%)
Win32 EXE Yoda's Crypter (4.5%)
Win32 Dynamic Link Library (generic) (1.1%)
Win32 Executable (generic) (0.7%)
Tags peexe overlay
VirusTotal metadata
First submission 2015-10-13 18:17:34 UTC ( 3 years, 4 months ago )
Last submission 2016-06-14 03:48:58 UTC ( 2 years, 8 months ago )
File names isheriff_afe2a5435273e6c2a389c9d14c8ceeaf.bin
Condensed report! The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.
Opened files
Read files
Copied files
Deleted files
Created processes
Shell commands
Created mutexes
Opened mutexes
Opened service managers
Opened services
Runtime DLLs
Additional details
The file uses the IsDebuggerPresent Windows API function in order to see whether it is being debugged.
DNS requests
TCP connections