SHA256: db5cbba38280afd4485def523de91cd324b070485fd28f90c2e69090b6bc7460
File name: 2015-03-21-payingday-biz-malware-payload.exe
Detection ratio: 43 / 56
Analysis date: 2015-05-31 22:52:46 UTC ( 2 years, 5 months ago )
Antivirus Result Update
Ad-Aware Gen:Variant.Zusy.134813 20150531
Yandex Trojan.Blocker!lIFwgr7ni50 20150531
AhnLab-V3 Trojan/Win32.MDA 20150531
ALYac Gen:Variant.Zusy.134813 20150531
Antiy-AVL Trojan[Backdoor]/Win32.Androm 20150531
Avast Win32:Trojan-gen 20150531
AVG Inject2.BUHY 20150531
Avira (no cloud) TR/Crypt.Xpack.167892 20150531
AVware Trojan.Win32.Generic!BT 20150531
Baidu-International Trojan.Win32.Ransomlock.gsti 20150531
BitDefender Gen:Variant.Zusy.134813 20150531
CAT-QuickHeal TrojanRansom.Blocker.r4 20150530
Comodo UnclassifiedMalware 20150531
Cyren W32/S-0b92b060!Eldorado 20150531
DrWeb BackDoor.IRC.NgrBot.42 20150531
Emsisoft Gen:Variant.Zusy.134813 (B) 20150531
ESET-NOD32 a variant of Win32/Kryptik.DCOW 20150531
F-Prot W32/S-0b92b060!Eldorado 20150531
F-Secure Gen:Variant.Zusy.134813 20150531
Fortinet W32/Blocker.DCOW!tr 20150531
GData Gen:Variant.Zusy.134813 20150531
Ikarus Trojan.Win32.Crypt 20150531
Jiangmin Backdoor/Kasidet.v 20150529
K7AntiVirus Trojan ( 004b980e1 ) 20150531
K7GW Trojan ( 004b980e1 ) 20150531
Kaspersky Trojan-Ransom.Win32.Blocker.gsti 20150531
Malwarebytes Trojan.Agent.ED 20150531
McAfee Generic-FAWH!7B9D1707A5D6 20150531
McAfee-GW-Edition Generic-FAWH!7B9D1707A5D6 20150531
Microsoft Ransom:Win32/Crowti 20150531
eScan Gen:Variant.Zusy.134813 20150531
NANO-Antivirus Trojan.Win32.NgrBot.dpktrz 20150531
Panda Trj/Chgt.O 20150531
Qihoo-360 HEUR/QVM10.1.Malware.Gen 20150531
Sophos AV Troj/Wonton-PF 20150531
SUPERAntiSpyware Trojan.Agent/Gen-Malagent 20150530
Symantec Trojan.Gen 20150531
Tencent Trojan.Win32.YY.Gen.30 20150531
TrendMicro TROJ_GEN.F0C2C00DO15 20150531
TrendMicro-HouseCall TROJ_GEN.F0C2C00DO15 20150531
VBA32 SScope.Trojan.Agent.2315 20150529
VIPRE Trojan.Win32.Generic!BT 20150531
Zillya Trojan.Blocker.Win32.27134 20150531
AegisLab (not detected) 20150531
Alibaba (not detected) 20150531
Bkav (not detected) 20150529
ByteHero (not detected) 20150531
ClamAV (not detected) 20150531
CMC (not detected) 20150530
Kingsoft (not detected) 20150531
nProtect (not detected) 20150529
Rising (not detected) 20150531
TheHacker (not detected) 20150529
TotalDefense (not detected) 20150531
ViRobot (not detected) 20150531
Zoner (not detected) 20150526
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
FileVersionInfo properties
Copyright Copyright © 1993-2010 Christian Ghisler
Product Total Commander
Original name totalcmd.exe
Internal name TOTALCMD
File version 7.56a
Description Total Commander 32 bit
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2015-03-21 09:51:00
Entry Point 0x00011112
Number of sections 4
PE sections
PE imports
AdjustTokenPrivileges
RegSetValueExA
SelectObject
SelectClipRgn
StretchBlt
CreateFontIndirectW
GetStdHandle
ReleaseMutex
FileTimeToSystemTime
GetOverlappedResult
FreeEnvironmentStringsA
DeleteCriticalSection
GetCurrentProcess
GetLocaleInfoA
IsProcessInJob
RequestWakeupLatency
FreeEnvironmentStringsW
GetThreadContext
ReadFileScatter
WideCharToMultiByte
GetStringTypeA
WriteFile
GetSystemTimeAsFileTime
HeapReAlloc
GetStringTypeW
SetEvent
LocalFree
TlsGetValue
FormatMessageA
SetLastError
PeekNamedPipe
DeviceIoControl
GetWriteWatch
GetModuleFileNameW
IsDebuggerPresent
ExitProcess
GetModuleFileNameA
GetPrivateProfileStringA
UnhandledExceptionFilter
InterlockedDecrement
MultiByteToWideChar
SetUnhandledExceptionFilter
GetSystemDirectoryA
PrepareTape
TerminateProcess
GetCurrentThreadId
LeaveCriticalSection
AreFileApisANSI
InitializeCriticalSectionAndSpinCount
HeapFree
EnterCriticalSection
SetHandleCount
RequestDeviceWakeup
GetOEMCP
QueryPerformanceCounter
CreateJobSet
GetTickCount
TlsAlloc
LoadLibraryA
DeleteFileA
RtlUnwind
CreateRemoteThread
GetStartupInfoA
GetFileSize
GlobalDeleteAtom
SetProcessPriorityBoost
SetCommMask
ReadProcessMemory
GetProcAddress
GetProcessHeap
CreateFileMappingW
CreateMemoryResourceNotification
CreateFileMappingA
EncodeSystemPointer
GetFileType
TlsSetValue
HeapAlloc
LocalUnlock
InterlockedIncrement
GetLastError
LCMapStringW
LCMapStringA
GetEnvironmentStringsW
GlobalUnlock
GetDevicePowerState
CreateProcessW
GetEnvironmentStrings
GetCurrentProcessId
GetCPInfo
ClearCommBreak
HeapSize
GetCommandLineA
GetCurrentThread
lstrcpynW
TlsFree
lstrcpynA
UnlockFileEx
GetACP
GetModuleHandleW
FreeResource
GetLongPathNameW
IsValidCodePage
HeapCreate
PostQueuedCompletionStatus
VirtualFree
Sleep
IsBadCodePtr
LocalShrink
OpenSemaphoreW
VirtualAlloc
SHGetPathFromIDListA
MapWindowPoints
EmptyClipboard
DrawAnimatedRects
OpenInputDesktop
ReleaseCapture
VkKeyScanExW
MoveWindow
GetCapture
EnableScrollBar
MapVirtualKeyA
TrackMouseEvent
GetMessageW
GetUserObjectInformationW
ToAsciiEx
GetClipboardData
wvsprintfW
SetDlgItemInt
GetSystemMetrics
HiliteMenuItem
SetScrollRange
GetMessageTime
LoadCursorW
SetUserObjectInformationA
MessageBoxA
SetForegroundWindow
RegisterShellHookWindow
SetUserObjectInformationW
ScrollDC
GetProcessWindowStation
MsgWaitForMultipleObjectsEx
GetClipboardSequenceNumber
GetTitleBarInfo
GetMenuBarInfo
SendMessageW
LoadStringA
GetMenuItemRect
SetClipboardData
GetDesktopWindow
IsWindowVisible
LoadStringW
RegisterRawInputDevices
MessageBoxW
GetSubMenu
SetTimer
CopyAcceleratorTableA
GetLayeredWindowAttributes
SetMessageExtraInfo
SetWindowsHookExA
OpenClipboard
CreateCaret
MapVirtualKeyExW
GetMenuState
LoadImageA
GetSystemMenu
GetFocus
GetWindowLongW
CloseClipboard
CharNextW
DefDlgProcW
WindowFromDC
GetFileVersionInfoSizeW
CoRegisterMessageFilter
CoDisconnectObject
CoTaskMemFree
OleInitialize
Number of PE resources by type
RT_MANIFEST 1
RT_VERSION 1
RT_DLGINCLUDE 1
Number of PE resources by language
NEUTRAL 2
ENGLISH US 1
PE resources
ExifTool file metadata
SubsystemVersion 5.0
LinkerVersion 9.0
ImageVersion 0.0
FileSubtype 0
FileVersionNumber 7.5.6.1
UninitializedDataSize 0
LanguageCode German
FileFlagsMask 0x0006
CharacterSet Windows, Latin1
InitializedDataSize 112128
EntryPoint 0x11112
OriginalFileName totalcmd.exe
MIMEType application/octet-stream
LegalCopyright Copyright 1993-2010 Christian Ghisler
FileVersion 7.56a
TimeStamp 2015:03:21 10:51:00+01:00
FileType Win32 EXE
PEType PE32
InternalName TOTALCMD
ProductVersion 7.56a
FileDescription Total Commander 32 bit
OSVersion 5.0
FileOS Windows NT
Subsystem Windows GUI
MachineType Intel 386 or later, and compatibles
CompanyName Ghisler Software GmbH
CodeSize 90624
ProductName Total Commander
ProductVersionNumber 7.5.6.1
FileTypeExtension exe
ObjectFileType Executable application

PCAP parents
File identification
MD5 7b9d1707a5d62a020d32af3194dd5208
SHA1 9e5aaf4955fc0ab9347d69a99cdd8edbdc8c602c
SHA256 db5cbba38280afd4485def523de91cd324b070485fd28f90c2e69090b6bc7460
ssdeep 3072:nkR+voV+xTFquWacSkZoXObIiSpV+HtfKH6i5aKsyGfJ3moaRwudZcLdyH0Z:VThmZoXjfau8bfhXUwumdyq
authentihash 668f6402c1de09e43a9450760260cbb83e8ea40e580456d0d41c19026378bf8b
imphash ba022eb6f72a5d9e7241461d09b6270a
File size 199.0 KB ( 203776 bytes )
File type Win32 EXE
Magic literal PE32 executable for MS Windows (GUI) Intel 80386 32-bit
TrID Win32 Executable MS Visual C++ (generic) (42.2%)
Win64 Executable (generic) (37.3%)
Win32 Dynamic Link Library (generic) (8.8%)
Win32 Executable (generic) (6.0%)
Generic Win/DOS Executable (2.7%)
Tags
peexe

VirusTotal metadata
First submission 2015-03-23 02:04:51 UTC ( 2 years, 8 months ago )
Last submission 2015-05-31 22:52:46 UTC ( 2 years, 5 months ago )
File names 7_.exe
2015-03-21-payingday-biz-malware-payload.exe
?2176ef7638086ba568cc9f9af1b7f178
db5cbba38280afd4485def523de91cd324b070485fd28f90c2e69090b6bc7460.exe
cryptowall3.exe
File_0.xor
totalcmd.exe
TOTALCMD
Advanced heuristic and reputation engines
TrendMicro-HouseCall
TrendMicro's heuristic engine has flagged this file as: TROJ_GEN.F0C2C00DO15.

Symantec reputation Suspicious.Insight
Condensed report! The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.
Opened files
Read files
Created processes
Opened mutexes
Runtime DLLs
Additional details
The file sends control codes directly to certain device drivers making use of the DeviceIoControl Windows API function.