Antivirus scan for e1d2408319fd7422edceef476038d7a74f0bda73418b2b534d59d1d2e2dbd392 at 2016-10-31 02:16:59 UTC

Antivirus	Result	Update
Baidu	Win32.Trojan.WisdomEyes.16070401.9500.9999	20161029
Bkav	HW32.Packed.61C8	20161030
CrowdStrike Falcon (ML)	malicious_confidence_100% (W)	20161024
Sophos ML	generic.a	20161018
Kaspersky	Trojan.Win32.Inject.abukt	20161031
McAfee	Artemis!94A27F3A23FB	20161031
McAfee-GW-Edition	BehavesLike.Win32.VBObfus.dc	20161031
Symantec	Heur.AdvML.B	20161031
Tencent	Win32.Trojan.Raasmd.Auto	20161031
Ad-Aware		20161031
AegisLab		20161031
AhnLab-V3		20161030
Alibaba		20161028
ALYac		20161031
Antiy-AVL		20161031
Arcabit		20161031
Avast		20161031
AVG		20161031
Avira (no cloud)		20161030
AVware		20161031
BitDefender		20161031
CAT-QuickHeal		20161029
ClamAV		20161031
CMC		20161030
Comodo		20161031
Cyren		20161031
DrWeb		20161031
Emsisoft		20161031
ESET-NOD32		20161030
F-Prot		20161031
F-Secure		20161031
Fortinet		20161031
GData		20161031
Ikarus		20161030
Jiangmin		20161031
K7AntiVirus		20161030
K7GW		20161031
Kingsoft		20161031
Malwarebytes		20161031
Microsoft		20161031
eScan		20161031
NANO-Antivirus		20161031
nProtect		20161028
Panda		20161030
Qihoo-360		20161031
Rising		20161031
Sophos AV		20161030
SUPERAntiSpyware		20161030
TheHacker		20161029
TrendMicro		20161031
TrendMicro-HouseCall		20161030
VBA32		20161029
VIPRE		20161031
ViRobot		20161030
Yandex		20161030
Zillya		20161028
Zoner		20161030

The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.

FileVersionInfo properties

Bacillus anthracis that is important for endospore germination triggered by two distinct germination response ...

Product Bacillus anthracis that is important for endospore germination triggered by two distinct germination response ...

Original name opwgDrNK.exe

Internal name opwgDrNK

File version 2.11.0248

Description Bacillus anthracis that is important for endospore germination triggered by two distinct germination response ...

Comments Bacillus anthracis that is important for endospore germination triggered by two distinct germination response ...

PE header basic information

Target machine Intel 386 or later processors and compatible processors

Compilation timestamp 2016-10-30 17:42:12

Entry Point 0x00001158

Number of sections 3

PE sections

Name Virtual address Virtual size Raw size Entropy MD5

.text 4096 60660 61440 5.28 bfc0af3730b007107046fded937926e1

.data 65536 14912 0 0.00 d41d8cd98f00b204e9800998ecf8427e

.rsrc 81920 7752 8192 5.04 b7ae981dc407089710e23ea8514f5d27

Overlays

MD5 46dff1023a31ddd9089c81b8a84e760e

File type data

Offset 73728

Size 202761

Entropy 8.00

PE imports

[+] MSVBVM60.DLL

Number of PE resources by type

RT_PLUGPLAY 3

RT_VERSION 1

RT_GROUP_ICON 1

Number of PE resources by language

NEUTRAL 4

ENGLISH US 1

PE resources

03d5ebbad2260187dfcf41b01a6c691226ac245cb0221dd8558d3b63e460c045 data

6bd8445f904d6c1a76b8b80fe54b8c53405f5bda5394c1760a8d453ea1c306db data

6c1b8f2cf125bd06c6eb69c1ba15c3c4a6ecf453606ba11c2d85ace49040efe7 data

e63200cbaa7c4059956283f3c7623a3df5f764ad1362947182e7eeb47ea5ff27 data

ExifTool file metadata

CodeSize

61440

SubsystemVersion

4.0

Comments

Bacillus anthracis that is important for endospore germination triggered by two distinct germination response ...

InitializedDataSize

24576

ImageVersion

2.11

ProductName

Bacillus anthracis that is important for endospore germination triggered by two distinct germination response ...

FileVersionNumber

2.11.0.248

UninitializedDataSize

LanguageCode

English (U.S.)

FileFlagsMask

0x0000

CharacterSet

Unicode

LinkerVersion

6.0

FileTypeExtension

exe

OriginalFileName

opwgDrNK.exe

MIMEType

application/octet-stream

Subsystem

Windows GUI

FileVersion

2.11.0248

TimeStamp

2016:10:30 18:42:12+01:00

FileType

Win32 EXE

PEType

PE32

InternalName

opwgDrNK

ProductVersion

2.11.0248

FileDescription

Bacillus anthracis that is important for endospore germination triggered by two distinct germination response ...

OSVersion

4.0

FileOS

Win32

LegalCopyright

Bacillus anthracis that is important for endospore germination triggered by two distinct germination response ...

MachineType

Intel 386 or later, and compatibles

CompanyName

FLaSh acillus anthracis that is important for endospore germination triggered by two distinct germination response ...

LegalTrademarks

Bacillus anthracis that is important for endospore germination triggered by two distinct germination response ...

FileSubtype

ProductVersionNumber

2.11.0.248

EntryPoint

0x1158

ObjectFileType

Executable application

Compressed bundles

This file was also submitted to VirusTotal in the following compressed file bundles.

b0178655bedbc4061c6800fbe900dfcfb4571c0380dc8b649dabde952cb74d5a

File identification

MD5 94a27f3a23fbe407af27647d0a8a1766

SHA1 0e0872b73316134364286e27d8ca20c8d7134636

SHA256 e1d2408319fd7422edceef476038d7a74f0bda73418b2b534d59d1d2e2dbd392

ssdeep

6144:JT9p7W90t0wV9APCfoWy99ChwHfGXGPXM54QqyDs:7psk9AIoWw9hosoqyDs

authentihash 054a230510fea448f0c362f23376ffa6d13b49a27729c6115d461092349a2a2f

imphash f5f040c1fe3f6015fc186d3efde1f2e8

File size 270.0 KB ( 276489 bytes )

File type Win32 EXE

Magic literal

PE32 executable for MS Windows (GUI) Intel 80386 32-bit

TrID	Win32 Executable Microsoft Visual Basic 6 (88.6%) Win32 Executable (generic) (4.8%) OS/2 Executable (generic) (2.1%) Generic Win/DOS Executable (2.1%) DOS Executable Generic (2.1%)

VirusTotal metadata

First submission 2016-10-30 23:38:06 UTC ( 2 years, 5 months ago )

Last submission 2016-11-02 12:18:37 UTC ( 2 years, 5 months ago )

File names

artifact-e1d2408319fd7422edceef476038d7a74f0bda73418b2b534d59d1d2e2dbd392
38641.exe
opwgDrNK
aa
ntskdfdsokfnt.ex1
0e0872b73316134364286e27d8ca20c8d7134636
94a27f3a23fbe407af27647d0a8a1766.exe
VirusShare_94a27f3a23fbe407af27647d0a8a1766
ntskdfdsokfnt.exe
3KIVS.fon
0e0872b73316134364286e27d8ca20c8d7134636.exe
opwgDrNK.exe
b933026c575acafc39e85e68b8e7cb5acc09aa99

Condensed report! The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.

Opened files

C:\DOCUME~1\<USER>~1\LOCALS~1\Temp\~DF1A20.tmp (successful)

C:\e1d2408319fd7422edceef476038d7a74f0bda73418b2b534d59d1d2e2dbd392 (failed)

C:\WINDOWS\system32\netmsg.dll (successful)

Hooking activity

TYPE: WH_MSGFILTER
METHOD: SetWindowsHook (successful)

Runtime DLLs

oleaut32.dll (successful)

sxs.dll (successful)

c:\windows\system32\kernel32.dll (successful)

user32 (successful)

Additional details

The file installs an application-defined hook procedure into a hook chain. You would install a hook procedure to monitor the system for certain types of events. These events are associated either with a specific thread or with all threads in the same desktop as the calling thread. This is done making use of the SetWindowsHook Windows API function.

UDP communications

<MACHINE_DNS_SERVER>:53

SHA256:	e1d2408319fd7422edceef476038d7a74f0bda73418b2b534d59d1d2e2dbd392
File name:	ntskdfdsokfnt.ex1
Detection ratio:	9 / 56
Analysis date:	2016-10-31 02:16:59 UTC ( 2 years, 5 months ago ) View latest

Ciphered bundle

FileVersionInfo properties

PE header basic information

PE sections

Overlays

PE imports

Number of PE resources by type

Number of PE resources by language

PE resources

ExifTool file metadata

Compressed bundles

File identification

VirusTotal metadata

Leave your comment...

Opened files

Hooking activity

Runtime DLLs

Additional details

UDP communications

Recover your password

Join VirusTotal Community

Sign in