SHA256: d7f1f9dd332ef0710af32860001fdffc56b6dfc175b5becab6f98f69033c86ea
File name: Rwanda
Detection ratio: 48 / 68
Analysis date: 2017-12-30 17:24:22 UTC ( 6 months, 3 weeks ago )
Antivirus Result Update
Ad-Aware Gen:Variant.Symmi.80496 20171225
AegisLab Troj.Dropper.Vb!c 20171230
AhnLab-V3 Trojan/Win32.Fareit.R213003 20171230
ALYac Gen:Variant.Symmi.80496 20171230
Arcabit Trojan.Symmi.D13A70 20171230
Avast Win32:Malware-gen 20171230
AVG Win32:Malware-gen 20171230
Avira (no cloud) TR/Dropper.VB.Gen7 20171230
AVware Trojan.Win32.Generic!BT 20171230
BitDefender Gen:Variant.Symmi.80496 20171230
CAT-QuickHeal Trojan.VBKryjetor 20171230
ClamAV Win.Packer.VbPack-0-6334882-0 20171230
CrowdStrike Falcon (ML) malicious_confidence_100% (W) 20171016
Cylance Unsafe 20171230
Cyren W32/Trojan.BAF.gen!Eldorado 20171230
DrWeb Trojan.PWS.Stealer.1932 20171230
eGambit Unsafe.AI_Score_57% 20171230
Emsisoft Gen:Variant.Symmi.80496 (B) 20171230
Endgame malicious (high confidence) 20171130
ESET-NOD32 a variant of Win32/Injector.DTOU 20171230
F-Prot W32/Trojan.BAF.gen!Eldorado 20171230
F-Secure Gen:Variant.Symmi.80496 20171230
Fortinet W32/Injector.DSOV!tr 20171230
GData Gen:Variant.Symmi.80496 20171230
Ikarus Trojan.VB.Crypt 20171230
Sophos ML heuristic 20170914
K7AntiVirus Trojan ( 0051c2511 ) 20171230
K7GW Trojan ( 0051c2511 ) 20171230
Kaspersky Trojan.Win32.VBKryjetor.aqkt 20171230
Malwarebytes Spyware.Pony 20171230
McAfee Generic.cst 20171230
McAfee-GW-Edition Generic.cst 20171230
Microsoft PWS:Win32/Fareit 20171230
eScan Gen:Variant.Symmi.80496 20171230
NANO-Antivirus Trojan.Win32.VBKryjetor.euzajl 20171230
Palo Alto Networks (Known Signatures) generic.ml 20171230
Panda Trj/GdSda.A 20171230
Qihoo-360 Win32/Trojan.Dropper.890 20171230
SentinelOne (Static ML) static engine - malicious 20171224
Sophos AV Mal/FareitVB-M 20171230
Symantec Trojan.Gen 20171229
Tencent Win32.Trojan.Vbkryjetor.Wogf 20171230
TrendMicro TROJ_GEN.R002C0DKG17 20171230
TrendMicro-HouseCall TSPY_HPFAREIT.SM2 20171230
VBA32 Trojan.VBKryjetor 20171229
VIPRE Trojan.Win32.Generic!BT 20171230
Yandex Trojan.VBKryjetor! 20171229
ZoneAlarm by Check Point Trojan.Win32.VBKryjetor.aqkt 20171230
Alibaba 20171229
Antiy-AVL 20171230
Avast-Mobile 20171229
Baidu 20171227
Bkav 20171229
CMC 20171229
Comodo 20171230
Cybereason 20171103
Jiangmin 20171230
Kingsoft 20171230
MAX 20171230
nProtect 20171230
Rising 20171230
SUPERAntiSpyware 20171230
Symantec Mobile Insight 20171230
TheHacker 20171229
TotalDefense 20171230
Trustlook 20171230
ViRobot 20171230
Webroot 20171230
WhiteArmor 20171226
Zillya 20171229
Zoner 20171230
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
FileVersionInfo properties
Copyright FoobaR2000.org
Product cOMODo
Original name Rwanda.exe
Internal name Rwanda
File version 9.00.0003
Description www.OrbitDownloader.com
Comments GAmeRAnger Technologies
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2017-11-14 22:42:11
Entry Point 0x00001194
Number of sections 3
PE sections
PE imports
_adj_fdiv_m32
__vbaChkstk
_CIcos
EVENT_SINK_QueryInterface
_allmul
_adj_fprem
Ord(594)
_adj_fpatan
EVENT_SINK_AddRef
__vbaInStr
_adj_fdiv_m32i
_adj_fdivr_m64
__vbaSetSystemError
DllFunctionCall
__vbaFPException
_adj_fdivr_m16i
_adj_fdiv_r
Ord(100)
__vbaFreeVar
_adj_fdiv_m64
_CIsin
_CIsqrt
_adj_fdivr_m32
_CIlog
EVENT_SINK_Release
_adj_fptan
__vbaExceptHandler
_CIatan
_adj_fdivr_m32i
_CIexp
_adj_fprem1
_CItan
__vbaFpI4
Ord(635)
_adj_fdiv_m16i
Number of PE resources by type
RT_ICON 9
RT_VERSION 1
RT_GROUP_ICON 1
Number of PE resources by language
NEUTRAL 10
ENGLISH US 1
PE resources
ExifTool file metadata
LegalTrademarks CANon
SubsystemVersion 4.0
Comments GAmeRAnger Technologies
LinkerVersion 6.0
ImageVersion 9.0
FileSubtype 0
FileVersionNumber 9.0.0.3
LanguageCode English (U.S.)
FileFlagsMask 0x0000
FileDescription www.OrbitDownloader.com
CharacterSet Unicode
InitializedDataSize 36864
EntryPoint 0x1194
OriginalFileName Rwanda.exe
MIMEType application/octet-stream
LegalCopyright FoobaR2000.org
FileVersion 9.00.0003
TimeStamp 2017:11:14 23:42:11+01:00
FileType Win32 EXE
PEType PE32
InternalName Rwanda
ProductVersion 9.00.0003
UninitializedDataSize 0
OSVersion 4.0
FileOS Win32
Subsystem Windows GUI
MachineType Intel 386 or later, and compatibles
CompanyName PWI, INC.
CodeSize 352256
ProductName cOMODo
ProductVersionNumber 9.0.0.3
FileTypeExtension exe
ObjectFileType Executable application
Compressed bundles
File identification
MD5 6a297ec202bb53cb235b4cd8f8395fb1
SHA1 cbc1f8863367c109834223329359351241c2b92b
SHA256 d7f1f9dd332ef0710af32860001fdffc56b6dfc175b5becab6f98f69033c86ea
ssdeep 3072:0CCfEU6RjNUGFfWh9YoQzkOfz8S5744aDhptZLlt26JoleaOpa4EOpuecio67:0CU6LCheo0kObDmtxP1me7aIueb7
authentihash b819a57b0a55f5ce070346ed34ccc4e092451be5f06dabf59371f13f561cd773
imphash 4bc1bf573b2c217f29602db76966ee5d
File size 384.0 KB ( 393216 bytes )
File type Win32 EXE
Magic literal PE32 executable for MS Windows (GUI) Intel 80386 32-bit
TrID Win32 Executable Microsoft Visual Basic 6 (90.6%)
Win32 Executable (generic) (4.9%)
Generic Win/DOS Executable (2.2%)
DOS Executable Generic (2.2%)
Tags peexe
VirusTotal metadata
First submission 2017-11-15 00:11:14 UTC ( 8 months, 1 week ago )
Last submission 2017-12-30 17:24:22 UTC ( 6 months, 3 weeks ago )
File names Rwanda.exe
d7f1f9dd332ef0710af32860001fdffc56b6dfc175b5becab6f98f69033c86ea
Rwanda
DERASERVER_outputD265DCF.exe
Condensed report! The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.
Opened files
Read files
Written files
Deleted files
Created processes
Shell commands
Opened service managers
Opened services
Hooking activity
Runtime DLLs
Additional details
The file installs an application-defined hook procedure into a hook chain. A hook procedure is installed to monitor the system for certain types of events; these events are associated either with a specific thread or with all threads in the same desktop as the calling thread. This is done by calling the SetWindowsHook Windows API function.
HTTP requests
DNS requests
TCP connections
UDP communications