× Cookies are disabled! This site requires cookies to be enabled to work properly
SHA256: e0d048e241ef3502af8bea0a1c1dbc942f15b712b34e23117425f6336f062747
File name: 13c6ec7a7defa40416ed6db190d70000.virobj
Detection ratio: 58 / 61
Analysis date: 2017-05-06 07:20:22 UTC ( 1 month, 2 weeks ago )
Antivirus Result Update
Ad-Aware Gen:Variant.Kazy.165 20170506
AegisLab Troj.Spy.W32.Zbot.dkuo!c 20170506
AhnLab-V3 Trojan/Win32.Zbot.R4880 20170505
ALYac Gen:Variant.Kazy.165 20170506
Antiy-AVL Trojan[Spy]/Win32.Zbot.qhgb 20170506
Arcabit Trojan.Kazy.165 20170506
Avast Sf:Crypt-BT [Trj] 20170506
AVG BackDoor.Generic_r.ADH 20170506
Avira (no cloud) TR/Kazy.MK 20170505
AVware Trojan-PWS.Win32.Zbot.aac (v) 20170506
Baidu Win32.Trojan.Zbot.a 20170503
BitDefender Gen:Variant.Kazy.165 20170506
Bkav W32.JayfoF.Trojan 20170506
CAT-QuickHeal TrojanPWS.Zbot.Y3 20170505
ClamAV Win.Spyware.Zbot-1275 20170506
Comodo TrojWare.Win32.Kazy.MKD 20170506
CrowdStrike Falcon (ML) malicious_confidence_100% (D) 20170130
Cyren W32/Zbot.BR.gen!Eldorado 20170506
DrWeb Trojan.PWS.Panda.547 20170506
Endgame malicious (high confidence) 20170503
ESET-NOD32 Win32/Spy.Zbot.YW 20170505
F-Prot W32/Zbot.BR.gen!Eldorado 20170506
F-Secure Trojan-Spy:W32/Zbot.AVTH 20170506
Fortinet W32/Zbot.AT!tr 20170506
GData Gen:Variant.Kazy.165 20170506
Ikarus Trojan-Spy.Banker.Citadel 20170505
Invincea trojanspy.win32.nivdort.dd 20170413
Jiangmin Trojan/Generic.wciu 20170506
K7AntiVirus Spyware ( 004b8a241 ) 20170506
K7GW Spyware ( 004b8a241 ) 20170506
Kaspersky Trojan-Spy.Win32.Zbot.dkuo 20170506
Kingsoft Win32.Troj.Zbot.(kcloud) 20170506
Malwarebytes Trojan.Zbot 20170506
McAfee PWS-Zbot.gen.ds 20170506
McAfee-GW-Edition BehavesLike.Win32.PWSZbot.ch 20170505
Microsoft PWS:Win32/Zbot 20170506
eScan Gen:Variant.Kazy.165 20170505
NANO-Antivirus Trojan.Win32.Zbot.wlyrm 20170505
nProtect Trojan-Spy/W32.ZBot.143872.AP 20170506
Panda Trj/WLT.A 20170505
Qihoo-360 Win32/Trojan.333 20170506
Rising Trojan.Generic (cloud:Y2b5wEuFINE) 20170506
SentinelOne (Static ML) static engine - malicious 20170330
Sophos Mal/Zbot-HX 20170506
SUPERAntiSpyware Trojan.Agent/Gen-Zbot 20170506
Symantec Trojan.Zbot 20170505
Tencent Trojan.Win32.Zbot.aaw 20170506
TheHacker Trojan/Spy.Zbot.yw 20170505
TotalDefense Win32/Zbot.AZ!generic 20170506
TrendMicro-HouseCall TSPY_ZBOT.SMIG 20170506
VBA32 SScope.Trojan.FakeAV.01110 20170505
VIPRE Trojan-PWS.Win32.Zbot.aac (v) 20170506
ViRobot Trojan.Win32.A.Zbot.139035[h] 20170506
Webroot W32.Infostealer.Zeus 20170506
Yandex TrojanSpy.Zbot!J2Dok2V33FE 20170504
Zillya Trojan.Zbot.Win32.176330 20170505
ZoneAlarm by Check Point Trojan-Spy.Win32.Zbot.dkuo 20170506
Zoner Trojan.Zbot.YW 20170506
Alibaba 20170505
CMC 20170505
Palo Alto Networks (Known Signatures) 20170506
Symantec Mobile Insight 20170504
TrendMicro 20170506
Trustlook 20170506
WhiteArmor 20170502
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2012-01-24 13:03:24
Entry Point 0x0000E0F1
Number of sections 3
PE sections
Overlays
MD5 eef784aa5b83db4221e79ecf44b130de
File type data
Offset 143360
Size 512
Entropy 7.59
PE imports
RegCreateKeyExW
RegCloseKey
ConvertSidToStringSidW
AdjustTokenPrivileges
LookupPrivilegeValueW
CryptHashData
InitializeSecurityDescriptor
RegQueryValueExW
CryptCreateHash
SetSecurityDescriptorDacl
GetSidSubAuthorityCount
GetSidSubAuthority
ConvertStringSecurityDescriptorToSecurityDescriptorW
OpenProcessToken
RegOpenKeyExW
SetSecurityDescriptorSacl
CheckTokenMembership
GetTokenInformation
CryptReleaseContext
RegEnumKeyExW
OpenThreadToken
GetSecurityDescriptorSacl
GetLengthSid
CreateProcessAsUserW
CryptDestroyHash
CryptAcquireContextW
RegSetValueExW
FreeSid
CryptGetHashParam
AllocateAndInitializeSid
InitiateSystemShutdownExW
EqualSid
IsWellKnownSid
SetNamedSecurityInfoW
CertEnumCertificatesInStore
CryptUnprotectData
PFXImportCertStore
CertCloseStore
CertDeleteCertificateFromStore
CertOpenSystemStoreW
CertDuplicateCertificateContext
PFXExportCertStoreEx
GetDeviceCaps
DeleteDC
RestoreDC
SelectObject
SaveDC
SetViewportOrgEx
GetDIBits
GdiFlush
CreateDIBSection
CreateCompatibleDC
DeleteObject
CreateCompatibleBitmap
SetRectRgn
FileTimeToDosDateTime
ReleaseMutex
WaitForSingleObject
FindFirstFileW
HeapDestroy
GetFileAttributesW
GetLocalTime
GetProcessId
SetErrorMode
GetFileInformationByHandle
GetThreadContext
GetFileTime
WideCharToMultiByte
LoadLibraryW
WriteFile
Thread32First
HeapReAlloc
FreeLibrary
LocalFree
InitializeCriticalSection
FindClose
TlsGetValue
SetFileAttributesW
GetEnvironmentVariableW
SetLastError
GetUserDefaultUILanguage
GetSystemTime
WriteProcessMemory
RemoveDirectoryW
HeapAlloc
lstrcmpiW
SetThreadPriority
MultiByteToWideChar
SetFilePointerEx
GetPrivateProfileStringW
CreateEventW
CreateThread
MoveFileExW
CreateMutexW
GetVolumeNameForVolumeMountPointW
SetThreadContext
TerminateProcess
VirtualQueryEx
SetEndOfFile
GetCurrentThreadId
GetProcAddress
HeapCreate
CreateToolhelp32Snapshot
HeapFree
EnterCriticalSection
lstrcmpiA
GetVersionExW
SetEvent
GetTickCount
TlsAlloc
VirtualProtect
FlushFileBuffers
LoadLibraryA
CreateRemoteThread
OpenProcess
ReadProcessMemory
CreateDirectoryW
DeleteFileW
GlobalLock
GetPrivateProfileIntW
VirtualProtectEx
GetProcessHeap
GetTempFileNameW
GetComputerNameW
GetFileSizeEx
GetModuleFileNameW
ExpandEnvironmentStringsW
FindNextFileW
WTSGetActiveConsoleSessionId
ResetEvent
Thread32Next
DuplicateHandle
WaitForMultipleObjects
GetTempPathW
GetTimeZoneInformation
CreateFileW
TlsSetValue
ExitProcess
LeaveCriticalSection
GetNativeSystemInfo
GetLastError
SystemTimeToFileTime
CreateFileMappingW
VirtualAllocEx
GlobalUnlock
Process32NextW
VirtualFree
FileTimeToLocalFileTime
VirtualFreeEx
GetCurrentProcessId
SetFileTime
GetCommandLineW
Process32FirstW
GetCurrentThread
MapViewOfFile
TlsFree
ReadFile
CloseHandle
OpenMutexW
GetModuleHandleW
GetFileAttributesExW
UnmapViewOfFile
OpenEventW
CreateProcessW
Sleep
IsBadReadPtr
VirtualAlloc
NetUserEnum
NetUserGetInfo
NetApiBufferFree
SysFreeString
VariantClear
VariantInit
SysAllocString
SHGetFolderPathW
ShellExecuteW
CommandLineToArgvW
StrCmpNIW
wvnsprintfA
StrCmpNIA
wvnsprintfW
SHDeleteKeyW
PathIsDirectoryW
PathRemoveBackslashW
PathQuoteSpacesW
PathAddBackslashW
UrlUnescapeA
SHDeleteValueW
PathCombineW
PathRenameExtensionW
StrStrIA
PathRemoveFileSpecW
StrStrIW
PathMatchSpecW
PathUnquoteSpacesW
PathFindFileNameW
PathIsURLW
PathAddExtensionW
PathSkipRootW
GetUserNameExW
GetMessagePos
SetWindowPos
IsWindow
EndPaint
OpenWindowStationW
WindowFromPoint
CreateDesktopW
DispatchMessageW
GetCursorPos
ReleaseDC
SendMessageW
EndMenu
DefFrameProcA
DefWindowProcW
CharLowerBuffA
GetThreadDesktop
LoadImageW
GetTopWindow
GetUpdateRgn
MsgWaitForMultipleObjects
GetMenuItemCount
GetMenuItemID
DrawEdge
GetUserObjectInformationW
GetParent
EqualRect
DefMDIChildProcA
GetMessageW
PeekMessageW
CharUpperW
PeekMessageA
TranslateMessage
SetThreadDesktop
GetWindow
GetIconInfo
GetMenuItemRect
RegisterClassW
OpenDesktopW
CharLowerA
RegisterClassA
TrackPopupMenuEx
GetSubMenu
GetDCEx
FillRect
ToUnicode
GetWindowLongW
GetUpdateRect
GetWindowInfo
MapWindowPoints
RegisterWindowMessageW
OpenInputDesktop
GetMessageA
SwitchDesktop
BeginPaint
DefMDIChildProcW
DrawIcon
MapVirtualKeyW
DefWindowProcA
GetClipboardData
GetSystemMetrics
SetWindowLongW
GetWindowRect
SetCapture
ReleaseCapture
CharLowerW
SetProcessWindowStation
SetKeyboardState
GetClassLongW
CreateWindowStationW
PostMessageW
CloseWindowStation
GetKeyboardState
PostThreadMessageW
CharToOemW
GetMenuState
GetAncestor
GetDC
GetProcessWindowStation
ExitWindowsEx
IntersectRect
GetCapture
GetShellWindow
GetWindowThreadProcessId
HiliteMenuItem
DefFrameProcW
RegisterClassExW
CallWindowProcA
GetWindowDC
RegisterClassExA
MenuItemFromPoint
PrintWindow
SetCursorPos
SystemParametersInfoW
CallWindowProcW
GetClassNameW
DefDlgProcW
DefDlgProcA
CloseDesktop
IsRectEmpty
SendMessageTimeoutW
GetMenu
HttpSendRequestA
InternetSetStatusCallbackW
InternetReadFileExA
InternetSetOptionA
HttpOpenRequestA
HttpAddRequestHeadersA
HttpSendRequestExW
InternetCloseHandle
InternetOpenA
InternetConnectA
InternetQueryOptionA
HttpSendRequestW
GetUrlCacheEntryInfoW
HttpQueryInfoA
InternetReadFile
InternetQueryDataAvailable
InternetCrackUrlA
HttpAddRequestHeadersW
HttpSendRequestExA
InternetQueryOptionW
getaddrinfo
shutdown
accept
WSAAddressToStringW
WSAStartup
freeaddrinfo
connect
getsockname
WSASetLastError
select
recv
send
WSASend
WSAGetLastError
listen
WSAEventSelect
getpeername
closesocket
WSAIoctl
setsockopt
socket
bind
recvfrom
sendto
CoUninitialize
CoInitializeEx
CoCreateInstance
CLSIDFromString
StringFromGUID2
ExifTool file metadata
MIMEType
application/octet-stream

Subsystem
Windows GUI

MachineType
Intel 386 or later, and compatibles

FileTypeExtension
exe

TimeStamp
2012:01:24 14:03:24+01:00

FileType
Win32 EXE

PEType
PE32

CodeSize
135168

LinkerVersion
10.0

EntryPoint
0xe0f1

InitializedDataSize
14848

SubsystemVersion
5.1

ImageVersion
1.0

OSVersion
5.1

UninitializedDataSize
0

File identification
MD5 13c6ec7a7defa40416ed6db190d70000
SHA1 76820f5c9582959cb152de349ba9c86878620f10
SHA256 e0d048e241ef3502af8bea0a1c1dbc942f15b712b34e23117425f6336f062747
ssdeep
3072:DvZ5bfhILrwJvNR/kuRjfJACYfsG+qeL0WT7B43foo1Oe7hg:DvZLILUJLRjRTGgVT7B43KWhg

authentihash f833fc85eb2b4a4f6ad966c68bce40781d50e247aa2906397c7efce34d9f8c1d
imphash cc1c8e87ca79bdf902cbaeda84aac151
File size 140.5 KB ( 143872 bytes )
File type Win32 EXE
Magic literal
PE32 executable for MS Windows (GUI) Intel 80386 32-bit

TrID Win32 Executable MS Visual C++ (generic) (52.5%)
Windows screen saver (22.0%)
Win32 Dynamic Link Library (generic) (11.0%)
Win32 Executable (generic) (7.5%)
Generic Win/DOS Executable (3.3%)
Tags
peexe overlay

VirusTotal metadata
First submission 2014-08-01 10:15:49 UTC ( 2 years, 10 months ago )
Last submission 2017-05-06 07:20:22 UTC ( 1 month, 2 weeks ago )
File names virussign.com_13c6ec7a7defa40416ed6db190d70000.vir
13c6ec7a7defa40416ed6db190d70000
13c6ec7a7defa40416ed6db190d70000.virobj
No comments. No VirusTotal Community member has commented on this item yet, be the first one to do so!

Leave your comment...

?
Post comment

You have not signed in. Only registered users can leave comments, sign in and have a voice!

No votes. No one has voted on this item yet, be the first one to do so!
Condensed report! The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.
Opened files
Read files
Written files
Copied files
Moved files
Deleted files
Created processes
Code injections in the following processes
Created mutexes
Opened mutexes
Searched windows
Opened service managers
Opened services
Runtime DLLs
Additional details
The file sends control codes directly to certain device drivers making use of the DeviceIoControl Windows API function.
HTTP requests
DNS requests
TCP connections