SHA256: e264ca33fc1d1d47b6eea0b4a673f9d10edeba43a45924cbb6e38d61f31d5abe
File name: vt-upload-Xn0cF
Detection ratio: 24 / 53
Analysis date: 2014-07-20 10:24:47 UTC ( 4 years, 4 months ago )
Antivirus Result Update
AhnLab-V3 Win-Trojan/MDA.140610 20140719
AntiVir TR/Dropper.VB.17782 20140719
Antiy-AVL Trojan[Spy]/Win32.Zbot 20140720
Avast Win32:Malware-gen 20140720
AVG Zbot.LPJ 20140720
ByteHero Virus.Win32.Heur.p 20140720
CMC Heur.Win32.Veebee.1!O 20140717
Commtouch W32/PWS.CUZM-8467 20140720
ESET-NOD32 Win32/Spy.Zbot.AAO 20140720
Fortinet W32/Zbot.AAO!tr 20140720
GData Win32.Trojan.Agent.G09FDE 20140720
Ikarus Trojan.Win32.VBKrypt 20140720
Kaspersky Trojan-Spy.Win32.Zbot.tnhd 20140719
Kingsoft Win32.Troj.Zbot.tn.(kcloud) 20140720
McAfee Dropper-FHX!0C76FABBE907 20140720
McAfee-GW-Edition PWSZbot-FAAR!0C76FABBE907 20140719
NANO-Antivirus Trojan.Win32.Zbot.dcinka 20140720
Qihoo-360 HEUR/Malware.QVM03.Gen 20140720
Rising PE:Malware.XPACK-HIE/Heur!1.9C48 20140720
Sophos AV Mal/VB-ALO 20140720
Symantec Trojan.ADH.2 20140720
Tencent Win32.Trojan-spy.Zbot.Hfi 20140720
TrendMicro-HouseCall TROJ_GEN.R011H07GG14 20140720
VIPRE Trojan.Win32.Generic.pak!cobra 20140720
Ad-Aware 20140720
AegisLab 20140720
Yandex 20140719
Baidu-International 20140720
BitDefender 20140720
Bkav 20140719
CAT-QuickHeal 20140719
ClamAV 20140719
Comodo 20140720
DrWeb 20140720
Emsisoft 20140720
F-Prot 20140720
F-Secure 20140720
Jiangmin 20140720
K7AntiVirus 20140718
K7GW 20140719
Malwarebytes 20140720
Microsoft 20140720
eScan 20140720
Norman 20140720
nProtect 20140720
Panda 20140720
SUPERAntiSpyware 20140719
TheHacker 20140718
TotalDefense 20140720
TrendMicro 20140720
VBA32 20140718
ViRobot 20140720
Zoner 20140718
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
FileVersionInfo properties
Publisher VS Revo Group
Product Hematose
Original name Hypocrea.exe
Internal name Hypocrea
File version 1.01.0007
Description Feintest misec
Signature verification The digital signature of the object did not verify.
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2014-07-15 07:17:48
Entry Point 0x00001414
Number of sections 3
PE sections
PE imports
_adj_fdiv_m32
__vbaChkstk
Ord(523)
Ord(546)
EVENT_SINK_Release
__vbaEnd
__vbaRedim
_allmul
_adj_fdivr_m64
__vbaAryUnlock
_adj_fprem
Ord(584)
Ord(525)
_adj_fpatan
EVENT_SINK_AddRef
Ord(707)
Ord(714)
_adj_fdiv_m32i
__vbaStrCopy
__vbaR8Sgn
__vbaExceptHandler
__vbaSetSystemError
__vbaFreeVarList
DllFunctionCall
__vbaFPException
__vbaFpCSngR4
Ord(685)
_adj_fdivr_m16i
__vbaStrMove
_adj_fdiv_r
Ord(517)
__vbaDerefAry1
Ord(599)
__vbaFreeVar
Ord(588)
Ord(100)
Ord(534)
__vbaObjSetAddref
_CItan
_adj_fdiv_m64
__vbaFreeObj
__vbaHresultCheckObj
_CIsqrt
_CIsin
_CIlog
Ord(614)
Ord(513)
_CIcos
Ord(595)
EVENT_SINK_QueryInterface
_adj_fptan
__vbaI2Var
Ord(593)
__vbaObjSet
Ord(529)
__vbaI4Var
__vbaVarMove
Ord(646)
__vbaErrorOverflow
_CIatan
__vbaNew2
__vbaR8IntI4
__vbaLateIdSt
__vbaOnError
_adj_fdivr_m32i
__vbaAryLock
__vbaAryDestruct
_CIexp
__vbaStrI2
_adj_fprem1
_adj_fdivr_m32
__vbaStrCat
Ord(543)
__vbaVarDup
Ord(598)
__vbaFreeStr
_adj_fdiv_m16i
Ord(690)
Number of PE resources by type
RT_ICON 12
RT_VERSION 1
RT_GROUP_ICON 1
Number of PE resources by language
NEUTRAL 13
ENGLISH US 1
PE resources
ExifTool file metadata
SubsystemVersion 4.0
InitializedDataSize 131072
ImageVersion 1.1
ProductName Hematose
FileVersionNumber 1.1.0.7
UninitializedDataSize 0
LanguageCode English (U.S.)
FileFlagsMask 0x0000
CharacterSet Unicode
LinkerVersion 6.0
OriginalFilename Hypocrea.exe
MIMEType application/octet-stream
FileVersion 1.01.0007
TimeStamp 2014:07:15 08:17:48+01:00
FileType Win32 EXE
PEType PE32
InternalName Hypocrea
FileAccessDate 2014:07:20 11:24:08+01:00
ProductVersion 1.01.0007
FileDescription Feintest misec
OSVersion 4.0
FileCreateDate 2014:07:20 11:24:08+01:00
FileOS Win32
Subsystem Windows GUI
MachineType Intel 386 or later, and compatibles
CompanyName VS Revo Group
CodeSize 278528
FileSubtype 0
ProductVersionNumber 1.1.0.7
EntryPoint 0x1414
ObjectFileType Executable application
File identification
MD5 0c76fabbe90784d07a24e995bfd25ff0
SHA1 b1e3e831e06e6f16d8380a2dc162b78322103875
SHA256 e264ca33fc1d1d47b6eea0b4a673f9d10edeba43a45924cbb6e38d61f31d5abe
ssdeep 6144:ncB8ZGtp0GvLP7tmflbFFGSpDzcZDJuBNzBr+IfiUoMntKLNtVGX:ncB8ZCpxj7IVF9pXcYlqIfiKntWuX
imphash 2fb887dd46f3eb1a50115c7b29d08192
File size 398.9 KB ( 408425 bytes )
File type Win32 EXE
Magic literal PE32 executable for MS Windows (GUI) Intel 80386 32-bit
TrID Win32 Executable Microsoft Visual Basic 6 (84.4%)
Win32 Dynamic Link Library (generic) (6.7%)
Win32 Executable (generic) (4.6%)
Generic Win/DOS Executable (2.0%)
DOS Executable Generic (2.0%)
Tags peexe
VirusTotal metadata
First submission 2014-07-20 10:24:47 UTC ( 4 years, 4 months ago )
Last submission 2014-07-20 10:24:47 UTC ( 4 years, 4 months ago )
File names Hypocrea.exe
Hypocrea
vt-upload-Xn0cF
Condensed report! The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.
Created processes
Terminated processes
Opened mutexes
Hooking activity
Runtime DLLs
Additional details
The file sends control codes directly to certain device drivers making use of the DeviceIoControl Windows API function.
The file installs an application-defined hook procedure into a hook chain. You would install a hook procedure to monitor the system for certain types of events. These events are associated either with a specific thread or with all threads in the same desktop as the calling thread. This is done making use of the SetWindowsHook Windows API function.