SHA256: d6a41b79bb0722c2c18b9f175f2f3d3014a532a3568bb5f98c9165fffa76211b
File name: b3f95bd11479b66d08a89afceb2dcdc1
Detection ratio: 5 / 55
Analysis date: 2014-11-11 06:42:13 UTC ( 4 years, 4 months ago )
Antivirus             Result                            Update
AVG                   Luhe.Fiha.A                       20141111
Avira (no cloud)      TR/Dropper.A.32842                20141111
CMC                   Trojan.Win32.Swizzor.1!O          20141110
ESET-NOD32            a variant of Win32/Kryptik.CPWD   20141111
Malwarebytes          Trojan.Agent.ED                   20141111
Ad-Aware              -                                 20141111
AegisLab              -                                 20141111
Yandex                -                                 20141110
AhnLab-V3             -                                 20141110
Antiy-AVL             -                                 20141111
Avast                 -                                 20141111
AVware                -                                 20141111
Baidu-International   -                                 20141107
BitDefender           -                                 20141111
Bkav                  -                                 20141110
ByteHero              -                                 20141111
CAT-QuickHeal         -                                 20141111
ClamAV                -                                 20141111
Comodo                -                                 20141111
Cyren                 -                                 20141111
DrWeb                 -                                 20141111
Emsisoft              -                                 20141111
F-Prot                -                                 20141111
F-Secure              -                                 20141111
Fortinet              -                                 20141111
GData                 -                                 20141111
Ikarus                -                                 20141111
Jiangmin              -                                 20141110
K7AntiVirus           -                                 20141110
K7GW                  -                                 20141111
Kaspersky             -                                 20141111
Kingsoft              -                                 20141111
McAfee                -                                 20141111
McAfee-GW-Edition     -                                 20141111
Microsoft             -                                 20141111
eScan                 -                                 20141111
NANO-Antivirus        -                                 20141111
Norman                -                                 20141110
nProtect              -                                 20141110
Panda                 -                                 20141110
Qihoo-360             -                                 20141111
Rising                -                                 20141110
Sophos AV             -                                 20141111
SUPERAntiSpyware      -                                 20141111
Symantec              -                                 20141111
Tencent               -                                 20141111
TheHacker             -                                 20141111
TotalDefense          -                                 20141110
TrendMicro            -                                 20141111
TrendMicro-HouseCall  -                                 20141111
VBA32                 -                                 20141110
VIPRE                 -                                 20141111
ViRobot               -                                 20141111
Zillya                -                                 20141110
Zoner                 -                                 20141110
A dash in the Result column means the engine reported no detection; 5 of the 55 engines flagged the file.
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
FileVersionInfo properties
Copyright (c) AtomPark Software Inc., 2001-2014. All rights reserved.
Publisher Firetrust
Product MailWasher
Original name MailWasherPro.exe
Internal name MailWasherPro.exe
File version 7.3.0.2
Description MailWasher
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2014-11-08 21:48:29
Entry Point 0x00003D00
Number of sections 5
PE sections
PE imports
(The report lists only function names; the grouping by DLL below is inferred from the API names and from the report's ordering, which follows the import directory.)
GDI32.dll: GetObjectA, SetROP2, GetDCBrushColor, CreateRectRgn, SelectObject, BitBlt, GetStockObject, CreateCompatibleBitmap, GetPixel, GetDIBits, SetStretchBltMode, CreateCompatibleDC, DeleteObject, StretchBlt, Rectangle
IPHLPAPI.DLL: GetExtendedTcpTable
KERNEL32.dll: GetSystemTime, GetLastError, InitializeCriticalSectionAndSpinCount, HeapFree, GetStdHandle, EnterCriticalSection, LCMapStringW, SetHandleCount, GetSystemInfo, lstrlenA, LoadLibraryW, GlobalFree, GetConsoleCP, GetOEMCP, QueryPerformanceCounter, IsDebuggerPresent, HeapAlloc, TlsAlloc, GlobalUnlock, GetEnvironmentStringsW, FlushFileBuffers, GetModuleFileNameA, RtlUnwind, IsProcessorFeaturePresent, GetVolumePathNamesForVolumeNameW, DeleteCriticalSection, GetCurrentProcess, GetStartupInfoW, GetConsoleMode, DecodePointer, LocalAlloc, CreateIoCompletionPort, GetCPInfo, ExitProcess, InterlockedDecrement, MultiByteToWideChar, HeapSize, FreeEnvironmentStringsW, GetCommandLineA, GlobalLock, EncodePointer, GetProcessHeap, SetStdHandle, RaiseException, UnhandledExceptionFilter, CreateThread, GetModuleFileNameW, TlsFree, SetFilePointer, HeapSetInformation, ReadFile, SetUnhandledExceptionFilter, WriteFile, CloseHandle, GetSystemTimeAsFileTime, GetACP, HeapReAlloc, GetStringTypeW, GetModuleHandleW, LocalFree, TerminateProcess, WideCharToMultiByte, IsValidCodePage, HeapCreate, SetLastError, CreateFileW, GlobalAlloc, TlsGetValue, Sleep, GetFileType, SetEndOfFile, TlsSetValue, CreateFileA, GetTickCount, GetCurrentThreadId, InterlockedIncrement, GetProcAddress, GetCurrentProcessId, WriteConsoleW, LeaveCriticalSection
PSAPI.DLL: GetProcessMemoryInfo
SHLWAPI.dll: StrFormatByteSizeA
USER32.dll: UpdateWindow, BeginPaint, PostQuitMessage, DefWindowProcA, FindWindowA, LoadBitmapA, GetSystemMetrics, EndPaint, MessageBoxA, DialogBoxParamA, GetDC, GetCursorPos, ReleaseDC, MenuItemFromPoint, SetWindowTextA, GetMenu, GetClientRect, InvalidateRect, LoadCursorA, TrackPopupMenu, LoadImageA, SetCursor
WS2_32.dll: WSASocketA, htonl, WSAAccept, bind, WSASend, WSAStartup, htons, WSAGetLastError, listen
ole32.dll: StgCreatePropSetStg, CreateStreamOnHGlobal, CoUninitialize, CoInitialize, CoCreateInstance, CoFreeUnusedLibraries, StringFromCLSID, CoGetMalloc
Number of PE resources by type
RT_DIALOG 6
RT_ICON 4
RT_GROUP_CURSOR 3
Struct(240) 3
RT_RCDATA 3
RT_CURSOR 3
RT_STRING 2
RT_ACCELERATOR 2
RT_MANIFEST 1
RT_VERSION 1
RT_GROUP_ICON 1
Number of PE resources by language
ENGLISH US 28
ENGLISH AUS 1
PE resources
ExifTool file metadata
SubsystemVersion 5.1
LinkerVersion 10.0
ImageVersion 0.0
FileSubtype 0
FileVersionNumber 7.3.0.2
UninitializedDataSize 0
LanguageCode English (U.S.)
FileFlagsMask 0x003f
CharacterSet Unicode
InitializedDataSize 283136
EntryPoint 0x3d00
OriginalFileName MailWasherPro.exe
MIMEType application/octet-stream
LegalCopyright (c) AtomPark Software Inc., 2001-2014. All rights reserved.
FileVersion 7.3.0.2
TimeStamp 2014:11:08 22:48:29+01:00
FileType Win32 EXE
PEType PE32
InternalName MailWasherPro.exe
ProductVersion 7.3.0.2
FileDescription MailWasher
OSVersion 5.1
FileOS Windows NT 32-bit
Subsystem Windows GUI
MachineType Intel 386 or later, and compatibles
CompanyName Firetrust
CodeSize 48640
ProductName MailWasher
ProductVersionNumber 7.3.0.2
FileTypeExtension exe
ObjectFileType Executable application

File identification
MD5 b3f95bd11479b66d08a89afceb2dcdc1
SHA1 c32b2618578259aa2d14e885b092cec24dc7859d
SHA256 d6a41b79bb0722c2c18b9f175f2f3d3014a532a3568bb5f98c9165fffa76211b
ssdeep 6144:4ZHkzQUBJhJ74zuIdyocMVIeCGvHigZcDyB7wJNzL8L7EkU:4QQcJfgBjTgpeB7wJhgL7E
authentihash 08f4d4c4ccdeffb925ee6a569c35e13adb8f0b83625772b02176e5ac79ff89dd
imphash e2d454194554900b0e395694792c697a
File size 325.0 KB ( 332800 bytes )
File type Win32 EXE
Magic literal PE32 executable for MS Windows (GUI) Intel 80386 32-bit
TrID Win32 Executable MS Visual C++ (generic) (67.3%)
     Win32 Dynamic Link Library (generic) (14.2%)
     Win32 Executable (generic) (9.7%)
     Generic Win/DOS Executable (4.3%)
     DOS Executable Generic (4.3%)
Tags peexe

VirusTotal metadata
First submission 2014-11-11 06:42:13 UTC ( 4 years, 4 months ago )
Last submission 2015-10-19 05:26:43 UTC ( 3 years, 5 months ago )
File names MailWasherPro.exe
b3f95bd11479b66d08a89afceb2dcdc1
Advanced heuristic and reputation engines
Symantec reputation Suspicious.Insight
Condensed report! The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.
Opened files
Read files
Written files
Copied files
Deleted files
Created processes
Code injections in the following processes
Created mutexes
Opened mutexes
Searched windows
Opened service managers
Opened services
Runtime DLLs
Additional details
The file sends control codes directly to certain device drivers making use of the DeviceIoControl Windows API function.