× Cookies are disabled! This site requires cookies to be enabled to work properly
SHA256: e27c7490d979b433cecf0c5a43b4779a143b755056efc257a227067c1d358711
File name: vt-upload-agXVx
Detection ratio: 34 / 53
Analysis date: 2014-06-15 02:23:54 UTC ( 4 years, 6 months ago )
Antivirus Result Update
Ad-Aware Gen:Variant.Strictor.43062 20140615
Yandex Trojan.Agent!/ZhuDgmPpOo 20140614
AntiVir TR/Dropper.VB.Gen 20140614
Avast Win32:Crypt-RAF [Trj] 20140615
AVG Generic34.AEBB 20140614
BitDefender Gen:Variant.Strictor.43062 20140615
ByteHero Virus.Win32.Heur.p 20140615
CMC Heur.Win32.Veebee.1!O 20140613
DrWeb Trojan.Packed.25125 20140615
Emsisoft Gen:Variant.Strictor.43062 (B) 20140615
ESET-NOD32 a variant of Win32/Injector.AKPY 20140614
F-Secure Gen:Variant.Strictor.43062 20140615
Fortinet W32/VBInjector.W!tr 20140615
GData Gen:Variant.Strictor.43062 20140615
Jiangmin Packed.Klone.xnb 20140614
K7AntiVirus Trojan ( 00013e901 ) 20140613
K7GW Trojan ( 00013e901 ) 20140613
Kaspersky Trojan.Win32.Agent.aapao 20140615
Malwarebytes Trojan.LVBP 20140615
McAfee RDN/Generic PWS.y!zs 20140615
McAfee-GW-Edition RDN/Generic PWS.y!zs 20140614
Microsoft PWS:Win32/Zbot 20140615
eScan Gen:Variant.Strictor.43062 20140615
NANO-Antivirus Trojan.Win32.Packed.crfvhr 20140615
Norman Obfuscated.H!genr 20140614
Panda Trj/CI.A 20140614
Sophos AV Mal/Generic-S 20140614
Symantec Trojan.ADH 20140615
TotalDefense Win32/FakeFLDR_i 20140614
TrendMicro Mal_OtorunP 20140615
TrendMicro-HouseCall Mal_OtorunP 20140615
VBA32 Malware-Cryptor.VB.gen.1 20140613
VIPRE Trojan.Win32.Generic.pak!cobra 20140615
Zillya Trojan.Agent.Win32.435109 20140614
AegisLab 20140615
AhnLab-V3 20140614
Antiy-AVL 20140611
Baidu-International 20140614
Bkav 20140614
CAT-QuickHeal 20140614
ClamAV 20140614
Commtouch 20140615
Comodo 20140615
F-Prot 20140615
Ikarus 20140614
Kingsoft 20140615
nProtect 20140613
Qihoo-360 20140615
Rising 20140614
SUPERAntiSpyware 20140614
TheHacker 20140612
ViRobot 20140615
Zoner 20140613
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
Packers identified
F-PROT Petite
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2013-08-05 23:59:46
Entry Point 0x00002070
Number of sections 3
PE sections
PE imports
_adj_fdivr_m64
__vbaGenerateBoundsError
__vbaStrFixstr
__vbaInputFile
Ord(616)
EVENT_SINK_Invoke
__vbaGet3
_adj_fprem
Ord(596)
__vbaAryMove
__vbaForEachVar
__vbaGetOwner3
Ord(301)
__vbaUI1Var
__vbaRedim
__vbaForEachCollObj
__vbaRefVarAry
__vbaVarLateMemCallSt
__vbaRaiseEvent
_adj_fdiv_r
_allmul
__vbaUI1I2
__vbaRecAnsiToUni
__vbaObjSetAddref
__vbaFixstrConstruct
__vbaMidStmtBstr
_adj_fdiv_m64
__vbaHresultCheckObj
__vbaAryUnlock
__vbaR8Str
_CIlog
Ord(601)
Ord(595)
__vbaVarLateMemCallLd
_adj_fptan
__vbaFileClose
__vbaI4Var
__vbaLateIdCall
Ord(306)
__vbaRecUniToAnsi
Ord(608)
__vbaFreeStr
__vbaLateIdCallLd
__vbaStrI2
__vbaStrR8
__vbaStrI4
__vbaStrR4
__vbaFreeStrList
__vbaI2I4
_adj_fdiv_m16i
__vbaExceptHandler
EVENT_SINK_QueryInterface
Ord(648)
Ord(516)
__vbaR8Cy
Ord(320)
__vbaNextEachVar
__vbaI4Str
Ord(607)
__vbaLenBstr
Ord(650)
Ord(617)
__vbaFpCDblR8
__vbaCyStr
__vbaInStr
_adj_fdiv_m32i
Ord(717)
Ord(307)
__vbaSetSystemError
DllFunctionCall
Zombie_GetTypeInfoCount
__vbaUbound
__vbaFreeVar
__vbaFileOpen
__vbaI2Str
Ord(321)
_CIsin
Ord(711)
Ord(606)
__vbaNew
__vbaAryLock
__vbaLsetFixstr
__vbaVarTstEq
__vbaStrMove
__vbaOnError
_adj_fdivr_m32i
__vbaI4ErrVar
__vbaInStrVar
__vbaStrCat
__vbaVarDup
__vbaNextEachAry
__vbaChkstk
EVENT_SINK_Release
__vbaStrCmp
Ord(570)
__vbaErase
__vbaFreeObjList
Ord(302)
__vbaVarSetObj
__vbaVarIndexLoad
EVENT_SINK_GetIDsOfNames
Ord(319)
__vbaVar2Vec
__vbaVarForNext
__vbaFreeVarList
__vbaStrVarMove
__vbaCastObj
Zombie_GetTypeInfo
__vbaAryConstruct2
Ord(520)
__vbaFileSeek
__vbaFreeObj
_adj_fdivr_m32
__vbaStrVarVal
__vbaVarSub
Ord(660)
_CIcos
Ord(713)
Ord(303)
Ord(685)
__vbaStrErrVarCopy
__vbaR4Var
__vbaVarMove
__vbaFPInt
__vbaErrorOverflow
__vbaNew2
__vbaLateIdSt
__vbaAryDestruct
__vbaAryCopy
_adj_fprem1
Ord(619)
Ord(537)
_adj_fdiv_m32
Ord(535)
Ord(560)
__vbaLenVar
__vbaEnd
Ord(308)
__vbaVarZero
__vbaPutOwner3
__vbaVarCat
__vbaForEachAry
_adj_fpatan
EVENT_SINK_AddRef
__vbaVarIndexLoadRefLock
__vbaVarForInit
Ord(300)
__vbaObjIs
__vbaVarVargNofree
__vbaStrCopy
Ord(632)
__vbaFPException
__vbaAryVar
__vbaStrToUnicode
_adj_fdivr_m16i
__vbaVarAdd
Ord(100)
__vbaCastObjVar
__vbaNextEachCollObj
Ord(309)
Ord(526)
_CIsqrt
__vbaVarCopy
_CIatan
Ord(573)
__vbaObjSet
Ord(644)
__vbaDateR8
_CIexp
__vbaStrToAnsi
_CItan
__vbaFpI4
Ord(598)
Number of PE resources by type
RT_ICON 9
Struct(0) 1
RT_GROUP_ICON 1
Number of PE resources by language
NEUTRAL 10
SPANISH MODERN 1
PE resources
ExifTool file metadata
MIMEType
application/octet-stream

Subsystem
Windows GUI

MachineType
Intel 386 or later, and compatibles

TimeStamp
2013:08:06 00:59:46+01:00

FileType
Win32 EXE

PEType
PE32

CodeSize
348160

LinkerVersion
6.0

FileAccessDate
2014:06:15 03:26:02+01:00

EntryPoint
0x2070

InitializedDataSize
45056

SubsystemVersion
4.0

ImageVersion
1.0

OSVersion
4.0

FileCreateDate
2014:06:15 03:26:02+01:00

UninitializedDataSize
0

File identification
MD5 a5300cbeb1a26a8924fb498bae862936
SHA1 3d00b6845ec1acc95f31782988f3924f5a32348f
SHA256 e27c7490d979b433cecf0c5a43b4779a143b755056efc257a227067c1d358711
ssdeep
12288:AxmGrXOxQRqAzxMLtpyzG83MYH+BCrZd2vQT1Ro07UrK1wyBXZpj33k39n8A:tGrXOxgML9YHaAZkvMhgm1wyBX3j3UiA

imphash 90ea606d35d4d409de4e9ddb74b8f40d
File size 723.1 KB ( 740462 bytes )
File type Win32 EXE
Magic literal
PE32 executable for MS Windows (GUI) Intel 80386 32-bit

TrID Win32 Executable Microsoft Visual Basic 6 (63.9%)
Win32 Executable MS Visual C++ (generic) (24.3%)
Win32 Dynamic Link Library (generic) (5.1%)
Win32 Executable (generic) (3.5%)
Generic Win/DOS Executable (1.5%)
Tags
peexe petite

VirusTotal metadata
First submission 2014-06-15 02:23:54 UTC ( 4 years, 6 months ago )
Last submission 2014-06-15 02:23:54 UTC ( 4 years, 6 months ago )
File names vt-upload-agXVx
Advanced heuristic and reputation engines
ClamAV
Possibly Unwanted Application. While not necessarily malicious, the scanned file presents certain characteristics which depending on the user policies and environment may or may not represent a threat. For full details see: https://www.clamav.net/documents/potentially-unwanted-applications-pua .

No comments. No VirusTotal Community member has commented on this item yet, be the first one to do so!

Leave your comment...

?
Post comment

You have not signed in. Only registered users can leave comments, sign in and have a voice!

No votes. No one has voted on this item yet, be the first one to do so!
Condensed report! The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.
Opened files
Hooking activity
Runtime DLLs
Additional details
The file sends control codes directly to certain device drivers making use of the DeviceIoControl Windows API function.
The file installs an application-defined hook procedure into a hook chain. You would install a hook procedure to monitor the system for certain types of events. These events are associated either with a specific thread or with all threads in the same desktop as the calling thread. This is done making use of the SetWindowsHook Windows API function.