SHA256: dc140c6064adec211bd06e931b943b5d532eee375fa7510eab4da634d624e405
File name: tny1.exe
Detection ratio: 16 / 68
Analysis date: 2018-11-25 23:23:35 UTC ( 6 months ago )
Antivirus Result Update
Ad-Aware Gen:Variant.Babar.14170 20181125
Arcabit Trojan.Babar.D375A 20181125
BitDefender Gen:Variant.Babar.14170 20181125
CrowdStrike Falcon (ML) malicious_confidence_70% (D) 20181022
Cybereason malicious.a7d967 20180225
eGambit Unsafe.AI_Score_90% 20181126
Emsisoft Gen:Variant.Babar.14170 (B) 20181125
Endgame malicious (high confidence) 20181108
ESET-NOD32 a variant of Win32/GenKryptik.CSDL 20181125
F-Secure Gen:Trojan.Heur.VP2.Km1@aOX1ZVdi 20181125
GData Gen:Variant.Babar.14170 20181125
Sophos ML heuristic 20181108
MAX malware (ai score=86) 20181126
eScan Gen:Variant.Babar.14170 20181125
Qihoo-360 HEUR/QVM03.0.7359.Malware.Gen 20181126
Trapmine malicious.high.ml.score 20180918
AegisLab 20181125
AhnLab-V3 20181125
Alibaba 20180921
ALYac 20181126
Antiy-AVL 20181125
Avast 20181125
Avast-Mobile 20181125
AVG 20181126
Avira (no cloud) 20181125
Babable 20180918
Baidu 20181123
Bkav 20181123
CAT-QuickHeal 20181125
ClamAV 20181125
CMC 20181125
Comodo 20181125
Cylance 20181126
Cyren 20181125
DrWeb 20181125
F-Prot 20181125
Fortinet 20181125
Ikarus 20181125
Jiangmin 20181125
K7AntiVirus 20181125
K7GW 20181125
Kaspersky 20181125
Kingsoft 20181126
Malwarebytes 20181125
McAfee 20181125
McAfee-GW-Edition 20181125
Microsoft 20181125
NANO-Antivirus 20181125
Palo Alto Networks (Known Signatures) 20181126
Panda 20181125
Rising 20181125
SentinelOne (Static ML) 20181011
Sophos AV 20181125
SUPERAntiSpyware 20181121
Symantec 20181125
Symantec Mobile Insight 20181121
TACHYON 20181125
Tencent 20181126
TheHacker 20181118
TrendMicro 20181125
TrendMicro-HouseCall 20181125
Trustlook 20181126
VBA32 20181123
ViRobot 20181125
Webroot 20181126
Yandex 20181123
Zillya 20181123
ZoneAlarm by Check Point 20181125
Zoner 20181125
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
FileVersionInfo properties
Product madelle
Original name DESCHIFFART9.exe
Internal name DESCHIFFART9
File version 4.09
Comments cromwellian
Signature verification A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.
Signing date 10:07 AM 3/8/2019
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2006-03-04 12:02:31
Entry Point 0x00001318
Number of sections 3
PE sections
Overlays
MD5 89de831a3732000b123b7ee05130a85c
File type data
Offset 593920
Size 6048
Entropy 7.52
PE imports
_adj_fdiv_m32
__vbaChkstk
Ord(645)
EVENT_SINK_Release
__vbaEnd
EVENT_SINK_QueryInterface
__vbaInStrB
_allmul
Ord(616)
_adj_fdivr_m64
_adj_fprem
Ord(617)
_adj_fpatan
EVENT_SINK_AddRef
__vbaStrToUnicode
_adj_fdiv_m32i
__vbaStrCopy
__vbaExceptHandler
__vbaSetSystemError
__vbaFreeVarList
DllFunctionCall
__vbaFPException
__vbaStrVarMove
__vbaLateMemCall
_adj_fdivr_m16i
_adj_fdiv_r
Ord(517)
Ord(606)
_CItan
__vbaFreeVar
__vbaVarTstNe
__vbaFreeStr
__vbaLateMemCallLd
Ord(100)
Ord(619)
__vbaAryConstruct2
_adj_fdiv_m64
__vbaFreeObj
__vbaHresultCheckObj
_CIsqrt
_CIsin
_CIlog
__vbaLenBstrB
_CIcos
Ord(595)
__vbaVarTstEq
_adj_fptan
Ord(571)
__vbaVarDup
Ord(537)
__vbaVarMove
__vbaErrorOverflow
_CIatan
__vbaNew2
Ord(660)
_adj_fdivr_m32i
__vbaAryDestruct
_CIexp
__vbaStrMove
__vbaStrToAnsi
_adj_fprem1
_adj_fdivr_m32
__vbaStrCat
__vbaFPFix
__vbaVarCopy
__vbaFpR8
Ord(698)
_adj_fdiv_m16i
Number of PE resources by type
RT_ICON 3
RT_VERSION 1
RT_GROUP_ICON 1
Number of PE resources by language
NEUTRAL 4
ENGLISH US 1
PE resources
ExifTool file metadata
UninitializedDataSize 0
Comments cromwellian
InitializedDataSize 16384
ImageVersion 4.9
FileSubtype 0
FileVersionNumber 4.9.0.0
LanguageCode English (U.S.)
FileFlagsMask 0x0000
ImageFileCharacteristics No relocs, Executable, No line numbers, No symbols, 32-bit
CharacterSet Unicode
LinkerVersion 6.0
EntryPoint 0x1318
OriginalFileName DESCHIFFART9.exe
MIMEType application/octet-stream
FileVersion 4.09
TimeStamp 2006:03:04 13:02:31+01:00
FileType Win32 EXE
PEType PE32
InternalName DESCHIFFART9
ProductVersion 4.09
SubsystemVersion 4.0
OSVersion 4.0
FileOS Win32
Subsystem Windows GUI
MachineType Intel 386 or later, and compatibles
CodeSize 573440
ProductName madelle
ProductVersionNumber 4.9.0.0
FileTypeExtension exe
ObjectFileType Executable application
Execution parents
File identification
MD5 b431173a7d9678ae74166ea20b31b439
SHA1 3c788b22ddc63c96a602b4c8e150a07dbf6b4331
SHA256 dc140c6064adec211bd06e931b943b5d532eee375fa7510eab4da634d624e405
ssdeep 6144:gM2DkxfQGoxf8delcA+UxsBZK29bbzyX2pDhJNTJTTopo+AyYFQBijA/XLnUZEe0:gM204Goxf4edlabK8vZMm8BnLUP0
authentihash 792d126c3a3bec6e9cdf1f48fd2adabf5c96331783881c07c4e221258526601c
imphash 86d565b20127dbbf1a81ec663b56202a
File size 585.9 KB ( 599968 bytes )
File type Win32 EXE
Magic literal PE32 executable for MS Windows (GUI) Intel 80386 32-bit
TrID Win32 Executable Microsoft Visual Basic 6 (88.6%)
Win32 Executable (generic) (4.8%)
OS/2 Executable (generic) (2.1%)
Generic Win/DOS Executable (2.1%)
DOS Executable Generic (2.1%)
Tags peexe overlay
VirusTotal metadata
First submission 2018-11-25 23:23:35 UTC ( 6 months ago )
Last submission 2018-12-21 22:18:24 UTC ( 5 months ago )
File names b431173a7d9678ae74166ea20b31b439
tny1.exe
DESCHIFFART9
DESCHIFFART9.exe
tny.exe
dgjmlx.exe
tny[1].exe
Condensed report! The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.
Opened files
Hooking activity
Runtime DLLs
Additional details
The file installs an application-defined hook procedure into a hook chain. A hook procedure is installed to monitor the system for certain types of events; these events are associated either with a specific thread or with all threads in the same desktop as the calling thread. This is done by making use of the SetWindowsHook Windows API function.