SHA256: d7f7aac5349daaddb1623193dfe2713c77722999d83220b959aa6610cee377b3
File name: ri.php
Detection ratio: 44 / 68
Analysis date: 2017-10-29 07:37:41 UTC ( 2 months, 3 weeks ago )
Antivirus Result Update
Ad-Aware Trojan.GenericKD.12517031 20171029
AhnLab-V3 Trojan/Win32.Ursnif.R211385 20171028
Antiy-AVL Trojan/Win32.TSGeneric 20171029
Arcabit Trojan.Generic.DBEFEA7 20171029
Avast Win32:DangerousSig [Trj] 20171029
AVG Win32:DangerousSig [Trj] 20171029
Avira (no cloud) TR/Crypt.ZPACK.aexlz 20171028
AVware Trojan.Win32.Generic!BT 20171029
BitDefender Trojan.GenericKD.12517031 20171029
CrowdStrike Falcon (ML) malicious_confidence_100% (D) 20171016
Cylance Unsafe 20171029
Cyren W32/Trojan.ZRVC-2448 20171029
DrWeb Trojan.PWS.Papras.2867 20171029
Emsisoft Application.InstallMon (A) 20171029
Endgame malicious (high confidence) 20171024
ESET-NOD32 a variant of Win32/Kryptik.FXQW 20171029
F-Secure Trojan.GenericKD.12517031 20171029
Fortinet W32/Kryptik.FXWS!tr 20171029
GData Trojan.GenericKD.12517031 20171029
Ikarus Trojan.Win32.Crypt 20171028
Sophos ML heuristic 20170914
Jiangmin Trojan.Vobfus.kzy 20171029
K7AntiVirus Trojan ( 0051a4931 ) 20171027
K7GW Trojan ( 0051a4931 ) 20171029
Kaspersky Trojan-Spy.Win32.Ursnif.uib 20171029
Malwarebytes Adware.FileTour 20171029
MAX malware (ai score=90) 20171029
McAfee Packed-SW!CCFDE68BA893 20171029
McAfee-GW-Edition Packed-SW!CCFDE68BA893 20171029
Microsoft Trojan:Win32/Skeeyah.A!rfn 20171029
eScan Trojan.GenericKD.12517031 20171029
Palo Alto Networks (Known Signatures) generic.ml 20171029
Panda Trj/GdSda.A 20171028
Qihoo-360 Win32/Trojan.9ad 20171029
SentinelOne (Static ML) static engine - malicious 20171019
Sophos AV Troj/Gozi-MA 20171029
Symantec Trojan.Bebloh 20171028
Tencent Win32.Trojan.Inject.Auto 20171029
TrendMicro TROJ_GEN.R002C0OJQ17 20171029
TrendMicro-HouseCall TROJ_GEN.R002C0OJQ17 20171029
VBA32 Signed-Trojan.Filecoder 20171027
VIPRE Trojan.Win32.Generic!BT 20171029
Webroot W32.Trojan.Gen 20171029
ZoneAlarm by Check Point Trojan-Spy.Win32.Ursnif.uib 20171029
AegisLab 20171029
Alibaba 20170911
ALYac 20171028
Avast-Mobile 20171029
Baidu 20171027
Bkav 20171029
CAT-QuickHeal 20171028
ClamAV 20171029
CMC 20171028
Comodo 20171029
Cybereason 20170628
eGambit 20171029
F-Prot 20171029
Kingsoft 20171029
NANO-Antivirus 20171029
nProtect 20171029
Rising 20171029
SUPERAntiSpyware 20171029
Symantec Mobile Insight 20171027
TheHacker 20171028
TotalDefense 20171029
Trustlook 20171029
ViRobot 20171028
WhiteArmor 20171024
Yandex 20171027
Zillya 20171027
Zoner 20171029
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
Authenticode signature block and FileVersionInfo properties
Signature verification A certificate was explicitly revoked by its issuer.
Signing date 6:28 PM 10/25/2017
Signers
[+] INFORM VT, OOO
Status Trust for this certificate or one of the certificates in the certificate chain has been revoked.
Issuer COMODO RSA Code Signing CA
Valid from 1:00 AM 12/7/2016
Valid to 12:59 AM 12/8/2017
Valid usage Code Signing
Algorithm sha256RSA
Thumbprint 49B0C2688D4C84681E71538AD5E6E55B707BC6A4
Serial number 00 BB C2 ED 37 E1 1D F5 3B 33 79 36 3C B4 D1 02 11
[+] COMODO RSA Code Signing CA
Status Valid
Issuer COMODO RSA Certification Authority
Valid from 1:00 AM 5/9/2013
Valid to 12:59 AM 5/9/2028
Valid usage Code Signing
Algorithm sha384RSA
Thumbprint B69E752BBE88B4458200A7C0F4F5B3CCE6F35B47
Serial number 2E 7C 87 CC 0E 93 4A 52 FE 94 FD 1C B7 CD 34 AF
[+] COMODO SECURE™
Status Valid
Issuer COMODO RSA Certification Authority
Valid from 1:00 AM 1/19/2010
Valid to 12:59 AM 1/19/2038
Valid usage Server Auth, Client Auth, Email Protection, Code Signing, Timestamp Signing, EFS, IPSEC Tunnel, IPSEC User
Algorithm sha384RSA
Thumbprint AFE5D244A8D1194230FF479FE2F897BBCD7A8CB4
Serial number 4C AA F9 CA DB 63 6F E0 1F F7 4E D8 5B 03 86 9D
Counter signers
[+] COMODO SHA-256 Time Stamping Signer
Status Valid
Issuer UTN-USERFirst-Object
Valid from 1:00 AM 12/31/2015
Valid to 7:40 PM 7/9/2019
Valid usage Timestamp Signing
Algorithm sha256RSA
Thumbprint 36527D4FA26A68F9EB4596F1D99ABB2C0EA76DFA
Serial number 4E B0 87 8F CC 24 35 36 B2 D8 C9 F7 BF 39 55 77
[+] USERTrust (Code Signing)
Status Valid
Issuer UTN-USERFirst-Object
Valid from 7:31 PM 7/9/1999
Valid to 7:40 PM 7/9/2019
Valid usage EFS, Timestamp Signing, Code Signing
Algorithm sha1RSA
Thumbprint E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46
Serial number 44 BE 0C 8B 50 00 24 B4 11 D3 36 2D E0 B3 5F 1B
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2017-10-25 14:25:23
Entry Point 0x00006DC0
Number of sections 4
PE sections
Overlays
MD5 3af7d5a9f521a31b8de6716089d38ce6
File type data
Offset 460288
Size 5744
Entropy 7.42
PE imports
GetDeviceCaps
SetBkMode
GetLastError
InitializeCriticalSectionAndSpinCount
HeapFree
GetStdHandle
EnterCriticalSection
LCMapStringW
SetHandleCount
GetConsoleCP
GetOEMCP
LCMapStringA
IsDebuggerPresent
GetTickCount
TlsAlloc
GetEnvironmentStringsW
FlushFileBuffers
LoadLibraryA
RtlUnwind
GetModuleFileNameA
FreeEnvironmentStringsA
DeleteCriticalSection
GetCurrentProcess
GetEnvironmentStrings
GetConsoleMode
GetLocaleInfoA
GetCurrentProcessId
GetConsoleOutputCP
GetCPInfo
UnhandledExceptionFilter
TlsGetValue
MultiByteToWideChar
HeapSize
FreeEnvironmentStringsW
GetCommandLineA
GetProcAddress
TlsFree
GetLocaleInfoW
SetStdHandle
WideCharToMultiByte
GetStringTypeA
SetFilePointer
GetCurrentThreadId
SetUnhandledExceptionFilter
WriteFile
GetStartupInfoA
CloseHandle
GetSystemTimeAsFileTime
GetACP
HeapReAlloc
GetStringTypeW
GetModuleHandleW
HeapAlloc
TerminateProcess
ResumeThread
QueryPerformanceCounter
WriteConsoleA
IsValidCodePage
HeapCreate
SetLastError
VirtualFree
InterlockedDecrement
Sleep
GetFileType
TlsSetValue
CreateFileA
ExitProcess
GetVersion
InterlockedIncrement
VirtualAlloc
WriteConsoleW
LeaveCriticalSection
ShellExecuteExW
SHBrowseForFolderW
SHGetFileInfoW
SetFocus
GetParent
EndDialog
DrawTextW
DefWindowProcW
KillTimer
GetMessageW
ShowWindow
MessageBeep
SetWindowPos
wvsprintfW
GetSystemMetrics
SetWindowLongW
IsWindow
GetMenu
GetWindowRect
ClientToScreen
UnhookWindowsHookEx
CharUpperW
MessageBoxA
LoadIconW
GetWindowDC
GetWindow
GetSysColor
PtInRect
DispatchMessageW
GetKeyState
ReleaseDC
SendMessageW
GetWindowLongW
DrawIconEx
IsWindowVisible
SetWindowTextW
GetDlgItem
SystemParametersInfoW
LoadImageW
GetDC
ScreenToClient
CallNextHookEx
wsprintfA
SetTimer
CallWindowProcW
GetSystemMenu
DialogBoxIndirectParamW
EnableWindow
GetClientRect
GetWindowTextW
EnableMenuItem
SetWindowsHookExW
GetClassNameA
GetWindowTextLengthW
CreateWindowExW
wsprintfW
CopyImage
DestroyWindow
GetFileVersionInfoA
Number of PE resources by type
RT_ICON 2
RT_GROUP_ICON 2
RT_DIALOG 1
RT_MANIFEST 1
Number of PE resources by language
NEUTRAL 6
PE resources
ExifTool file metadata
MIMEType
application/octet-stream

Subsystem
Windows GUI

MachineType
Intel 386 or later, and compatibles

TimeStamp
2017:10:25 15:25:23+01:00

FileType
Win32 EXE

PEType
PE32

CodeSize
58880

LinkerVersion
21.0

FileTypeExtension
exe

InitializedDataSize
559104

SubsystemVersion
5.0

EntryPoint
0x6dc0

OSVersion
5.0

ImageVersion
0.0

UninitializedDataSize
0

File identification
MD5 ccfde68ba8931ce735a0fae71bf345b9
SHA1 b52e345bd6c43e14705afeca76cb25e3a5c88bf7
SHA256 d7f7aac5349daaddb1623193dfe2713c77722999d83220b959aa6610cee377b3
ssdeep
6144:IjLZBKrz/IeRvG/h28/oKK5m67omxnL2MxB5Y4MMmeXfukXTR2ANK/HmBznHkse+:Ijd6IeR29nK5JxL2MxYK3vLd7VTHcA0g

authentihash 714411c85c00d39ec027069ffda94bbbea348f786bd82fb196c107950e7d613c
imphash 467a08fcb1dbf4b78878a2ef71cd507c
File size 455.1 KB ( 466032 bytes )
File type Win32 EXE
Magic literal
PE32 executable for MS Windows (GUI) Intel 80386 32-bit

TrID Win32 Executable MS Visual C++ (generic) (67.4%)
Win32 Dynamic Link Library (generic) (14.2%)
Win32 Executable (generic) (9.7%)
Generic Win/DOS Executable (4.3%)
DOS Executable Generic (4.3%)
Tags
revoked-cert peexe signed overlay

VirusTotal metadata
First submission 2017-10-25 18:08:52 UTC ( 2 months, 4 weeks ago )
Last submission 2017-10-25 18:08:52 UTC ( 2 months, 4 weeks ago )
File names 74265290.scr
ri.php
Condensed report! The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.
Opened files
Read files
Written files
Deleted files
Created processes
Shell commands
Opened mutexes
Searched windows
Runtime DLLs
HTTP requests
DNS requests
TCP connections
UDP communications