SHA256: e07e7f4cf45889b77c2a4942ee71c2a16f5b9192be5eef44c972bc478f56866b
File name: output.105432834.txt
Detection ratio: 48 / 56
Analysis date: 2017-01-02 16:05:38 UTC ( 2 years, 2 months ago )
Antivirus Result Update
Ad-Aware Gen:Variant.Midie.6160 20170102
AegisLab Backdoor.W32.Poison!c 20161231
AhnLab-V3 Backdoor/Win32.Poison.R72119 20170102
ALYac Gen:Variant.Midie.6160 20170102
Antiy-AVL Trojan[Backdoor]/Win32.Poison 20170102
Arcabit Trojan.Midie.D1810 20170102
Avast Win32:Malware-gen 20170102
AVG BackDoor.Generic18.BEJD 20170102
Avira (no cloud) TR/Crypt.ZPACK.qpvru 20170102
AVware Detect.Trojan.Win32.Small.nmm (v) 20170102
Baidu Win32.Trojan-Dropper.Small.o 20161207
BitDefender Gen:Variant.Midie.6160 20170102
CAT-QuickHeal TrojanDropper.Small.PQ4 20170102
ClamAV Win.Trojan.Poison-8692 20170102
Comodo TrojWare.Win32.Ransom.Xorist.ET 20170102
CrowdStrike Falcon (ML) malicious_confidence_100% (W) 20161024
Cyren W32/GenTroj.S.gen!Eldorado 20170102
DrWeb Trojan.MulDrop4.64539 20170102
Emsisoft Gen:Variant.Midie.6160 (B) 20170102
ESET-NOD32 Win32/TrojanDropper.Small.NMM 20170102
F-Prot W32/GenTroj.S.gen!Eldorado 20170102
F-Secure Gen:Variant.Midie.6160 20170102
Fortinet W32/Poison.GGRF!tr 20170102
GData Gen:Variant.Midie.6160 20170102
Ikarus Backdoor.Poison 20170102
Sophos ML virtool.win32.ceeinject.lh 20161216
Jiangmin Backdoor/Poison.abtg 20170102
K7AntiVirus Backdoor ( 0040f6fb1 ) 20170102
K7GW Backdoor ( 0040f6fb1 ) 20170102
Kaspersky Backdoor.Win32.Poison.ggrf 20170102
Malwarebytes HackTool.Agent 20170102
McAfee GenericRXAC-LG!8D4C09365333 20170102
McAfee-GW-Edition BehavesLike.Win32.Upatre.wc 20170102
Microsoft VirTool:Win32/Vbinder 20170102
eScan Gen:Variant.Midie.6160 20170102
NANO-Antivirus Trojan.Win32.Poison.cbeljp 20170102
Panda Trj/Genetic.gen 20170101
Qihoo-360 Win32/Trojan.572 20170102
Rising Dropper.Win32.Small.bnv-tucub3u95AL (cloud) 20170102
Sophos AV Mal/Generic-S 20170102
Symantec Trojan.Dropper!g1 20170102
Tencent Win32.Backdoor.Poison.Ecau 20170102
TrendMicro-HouseCall TROJ_VBINDER_FE31029F.UVPM 20170102
VBA32 Backdoor.Poison 20161229
VIPRE Detect.Trojan.Win32.Small.nmm (v) 20170102
ViRobot Backdoor.Win32.Agent.67584.L[h] 20170102
Yandex Trojan.Oxij.Gen.LA 20161230
Zillya Backdoor.Poison.Win32.79461 20170102
Alibaba 20161223
Bkav 20161229
CMC 20170102
Kingsoft 20170102
nProtect 20170102
SUPERAntiSpyware 20170102
TheHacker 20161229
TotalDefense 20170102
Trustlook 20170102
WhiteArmor 20161221
Zoner 20170102
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
FileVersionInfo properties
Copyright

Original name WFHack by MayLo [v0.5].exe
Internal name WFHack by MayLo [v0.5].exe
File version 0.5.0.0
Description WFHack by MayLo [v0.5]
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2013-06-15 16:44:28
Entry Point 0x00001AE1
Number of sections 4
PE sections
PE imports
HeapFree
lstrlenA
GlobalFree
HeapAlloc
LoadLibraryA
GetModuleFileNameA
SizeofResource
GetFileSize
lstrcatA
LockResource
GetWindowsDirectoryA
GetCommandLineA
GetProcAddress
GetProcessHeap
GetTempPathA
GetModuleHandleA
WriteFile
CloseHandle
lstrcpynA
GetSystemDirectoryA
FreeResource
SetFileAttributesA
GetEnvironmentVariableA
LoadResource
lstrcpyA
GlobalAlloc
RtlMoveMemory
CreateFileA
ExitProcess
FindResourceA
PathFindFileNameA
GetMessageA
CreateWindowExA
LoadCursorA
LoadIconA
UpdateWindow
DispatchMessageA
TranslateMessage
SendMessageA
MessageBoxA
PostQuitMessage
DefWindowProcA
ShowWindow
RegisterClassExA
Number of PE resources by type
RT_RCDATA 2
RT_ICON 1
RT_VERSION 1
RT_GROUP_ICON 1
Number of PE resources by language
NEUTRAL 5
PE resources
ExifTool file metadata
SubsystemVersion 4.0
InitializedDataSize 4128768
ImageVersion 0.0
FileVersionNumber 0.5.0.0
UninitializedDataSize 0
LanguageCode Neutral
FileFlagsMask 0x003f
CharacterSet Unicode
LinkerVersion 5.12
FileTypeExtension exe
OriginalFileName WFHack by MayLo [v0.5].exe
MIMEType application/octet-stream
FileVersion 0.5.0.0
TimeStamp 2013:06:15 17:44:28+01:00
FileType Win32 EXE
PEType PE32
InternalName WFHack by MayLo [v0.5].exe
ProductVersion 0.5.0.0
FileDescription WFHack by MayLo [v0.5]
OSVersion 4.0
FileOS Win32
Subsystem Windows GUI
MachineType Intel 386 or later, and compatibles
CodeSize 3584
FileSubtype 0
ProductVersionNumber 0.5.0.0
EntryPoint 0x1ae1
ObjectFileType Executable application
AssemblyVersion 0.5.0.0

File identification
MD5 8d4c09365333f48bfea1b202d47a920c
SHA1 ee8080ba418ab72453319f930dfc8ee36502163a
SHA256 e07e7f4cf45889b77c2a4942ee71c2a16f5b9192be5eef44c972bc478f56866b
ssdeep 98304:+fMIgjQBcyZwkyfV0FR7kllUmfOeqVWYK6rI+f+wm2aFW:OMIg6cy9yar7kfjiU98j+wn
authentihash 27d8f0ee2be601531cef84710b468800f83a924af8ddcc530b2723e6c4b0536a
imphash d5d9d937853db8b666bd4b525813d7bd
File size 3.9 MB ( 4133376 bytes )
File type Win32 EXE
Magic literal PE32 executable for MS Windows (GUI) Intel 80386 32-bit
TrID Win32 Executable MS Visual C++ 4.x (75.0%)
Win64 Executable (generic) (15.3%)
Win32 Dynamic Link Library (generic) (3.6%)
Win32 Executable (generic) (2.5%)
Win16/32 Executable Delphi generic (1.1%)
Tags
peexe

VirusTotal metadata
First submission 2016-12-07 20:03:08 UTC ( 2 years, 3 months ago )
Last submission 2017-01-02 16:05:38 UTC ( 2 years, 2 months ago )
File names WFHack
WFHack [v0.5].exe
b4b10ee8636b64f83b2416198c40f280a902abbf
output.105432834.txt
output.104804685.txt
WFHack by MayLo [v0.5].exe
ee8080ba418ab72453319f930dfc8ee36502163a.exe
Condensed report! The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.
Opened files
Read files
Written files
Copied files
Deleted files
Created processes
Shell commands
Code injections in the following processes
Created mutexes
Opened mutexes
Searched windows
Hooking activity
Runtime DLLs
Additional details
The file installs an application-defined hook procedure into a hook chain. A hook procedure is installed to monitor the system for certain types of events. These events are associated either with a specific thread or with all threads in the same desktop as the calling thread. This is done by making use of the SetWindowsHook Windows API function.
DNS requests
UDP communications