SHA256: e288aa78bfe583f31b151d3bba16743d185164dece2583fbaa63cad811f75a45
File name: PI.exe
Detection ratio: 26 / 68
Analysis date: 2018-09-04 06:05:28 UTC ( 5 months, 2 weeks ago )
Antivirus Result Update
Ad-Aware Gen:Variant.Graftor.514718 20180904
Arcabit Trojan.Graftor.D7DA9E 20180904
Avast FileRepMetagen [Malware] 20180904
AVG FileRepMetagen [Malware] 20180904
BitDefender Gen:Variant.Graftor.514718 20180904
Bkav HW32.Packed. 20180831
Cylance Unsafe 20180904
Emsisoft Gen:Variant.Graftor.514718 (B) 20180904
Endgame malicious (high confidence) 20180730
ESET-NOD32 a variant of Win32/Injector.EAET 20180904
F-Secure Gen:Variant.Graftor.514718 20180904
GData Gen:Variant.Graftor.514718 20180904
Sophos ML heuristic 20180717
Kaspersky Trojan-PSW.Win32.Fareit.eitu 20180904
Malwarebytes Trojan.MalPack.VB.Generic 20180904
MAX malware (ai score=100) 20180904
McAfee Packed-FLJ!45C99CD25D06 20180904
McAfee-GW-Edition Packed-FLJ!45C99CD25D06 20180904
Microsoft Trojan:Win32/Fuery.B!cl 20180904
eScan Gen:Variant.Graftor.514718 20180904
Palo Alto Networks (Known Signatures) generic.ml 20180904
Qihoo-360 HEUR/QVM03.0.9E8D.Malware.Gen 20180904
Rising Trojan.Injector!8.C4 (CLOUD) 20180904
Sophos AV Mal/FareitVB-N 20180904
Symantec ML.Attribute.HighConfidence 20180904
ZoneAlarm by Check Point Trojan-PSW.Win32.Fareit.eitu 20180904
Undetected (engine and signature date; no result returned)
AegisLab 20180904
AhnLab-V3 20180903
Alibaba 20180713
ALYac 20180904
Antiy-AVL 20180904
Avast-Mobile 20180904
Avira (no cloud) 20180903
AVware 20180823
Babable 20180902
Baidu 20180904
CAT-QuickHeal 20180902
ClamAV 20180904
CMC 20180903
Comodo 20180904
CrowdStrike Falcon (ML) 20180723
Cybereason 20180225
Cyren 20180904
DrWeb 20180904
eGambit 20180904
F-Prot 20180904
Fortinet 20180904
Ikarus 20180903
Jiangmin 20180904
K7AntiVirus 20180904
K7GW 20180904
Kingsoft 20180904
NANO-Antivirus 20180904
Panda 20180903
SentinelOne (Static ML) 20180830
SUPERAntiSpyware 20180903
Symantec Mobile Insight 20180831
TACHYON 20180904
Tencent 20180904
TheHacker 20180904
TotalDefense 20180904
TrendMicro 20180904
TrendMicro-HouseCall 20180904
Trustlook 20180904
VBA32 20180903
VIPRE 20180904
ViRobot 20180903
Webroot 20180904
Yandex 20180903
Zillya 20180903
Zoner 20180903
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
FileVersionInfo properties
Product lavasocT
Original name Demotist2.exe
Internal name Demotist2
File version 2.07
Description Ac adEE, aAc.
Comments makayamA inteRACTIVE
Signature verification A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.
Signing date 2:20 AM 11/8/2018
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2006-02-22 17:56:00
Entry Point 0x00001AF0
Number of sections 3
PE sections
Overlays
MD5 57d3d75bcd13c08700dc640949619226
File type data
Offset 540672
Size 5088
Entropy 7.61
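The header and overlay fields above are all derivable from the raw file, and the report's own numbers cross-check: CodeSize 528384 + InitializedDataSize 12288 = 540672, which is the overlay offset, and 540672 + 5088 = 545760, which is the file size. The overlay is therefore exactly the data appended after the last section, and its 7.61 entropy is what a compressed or encrypted payload looks like. The following is an added example, not VirusTotal's code and not code from the sample: a stdlib-only PE32 inspector that reproduces those fields (machine, section count, compile timestamp, entry point, overlay offset/size/entropy). It runs on a constructed toy PE built in memory, not on PI.exe; the toy reuses this report's timestamp and entry point only as illustrative values.

```python
"""Minimal PE32 header, section-table and overlay inspector (stdlib only).

Added example; not VirusTotal's or the sample's code. The toy PE built by
build_toy_pe() is constructed test data, not the analysed binary.
"""
import math
import struct
from datetime import datetime, timezone

COFF_FMT = "<HHIIIHH"          # Machine, NumberOfSections, TimeDateStamp, ..., SizeOfOptionalHeader, Characteristics
SECTION_FMT = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER (40 bytes)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 .. 8.0; 7.5+ usually means packed or encrypted data."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(data: bytes) -> dict:
    """Read e_lfanew, the COFF header, a few optional-header fields and the section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsec, ts, _, _, opt_size, _chars = struct.unpack_from(COFF_FMT, data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic != 0x10B:
        raise ValueError("only PE32 handled here (magic 0x%x)" % magic)
    entry = struct.unpack_from("<I", data, opt + 16)[0]        # AddressOfEntryPoint
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]    # 2 = Windows GUI, 3 = console
    sections = []
    for i in range(nsec):
        name, vsize, va, rawsize, rawptr, *_ = struct.unpack_from(SECTION_FMT, data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "va": va, "vsize": vsize, "raw_ptr": rawptr, "raw_size": rawsize})
    return {
        "machine": machine,                                    # 0x14C = Intel 386
        "num_sections": nsec,
        "timestamp": datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
        "entry_point": entry,
        "subsystem": subsystem,
        "sections": sections,
    }


def overlay(data: bytes, sections: list) -> dict:
    """Bytes after the last section's raw data: never mapped by the loader, often a payload."""
    end = max(s["raw_ptr"] + s["raw_size"] for s in sections)
    tail = data[end:]
    return {"offset": end, "size": len(tail), "entropy": round(shannon_entropy(tail), 2)}


def build_toy_pe(overlay_bytes: bytes) -> bytes:
    """Constructed PE32: three 0x200-aligned sections plus an appended overlay (test data only)."""
    sec_defs = [(b".text", 0x1000, 0x400, 0x200), (b".data", 0x2000, 0x200, 0x600), (b".rsrc", 0x3000, 0x200, 0x800)]
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)         # e_lfanew at offset 0x3C
    coff = struct.pack(COFF_FMT, 0x14C, len(sec_defs), 1140630960, 0, 0, 224, 0x010F)
    opt = struct.pack("<HBBIIIIII", 0x10B, 6, 0, 0x400, 0x400, 0, 0x1AF0, 0x1000, 0x2000)
    opt += struct.pack("<IIIHHHHHHIIIIHHIIIIII", 0x400000, 0x1000, 0x200, 4, 0, 2, 7, 4, 0, 0,
                       0x4000, 0x200, 0, 2, 0, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    opt += b"\0" * 128                                          # 16 empty data directories
    headers = dos + b"PE\0\0" + coff + opt
    for name, va, size, ptr in sec_defs:
        headers += struct.pack(SECTION_FMT, name, size, va, size, ptr, 0, 0, 0, 0, 0x60000020)
    headers = headers.ljust(0x200, b"\0")
    body = b"\x90" * 0x400 + b"\0" * 0x200 + b"\0" * 0x200
    return headers + body + overlay_bytes


if __name__ == "__main__":
    toy = build_toy_pe(bytes(range(256)))                     # 256 distinct bytes: maximal-entropy overlay
    info = parse_pe(toy)
    print(info["timestamp"], hex(info["entry_point"]), info["num_sections"], overlay(toy, info["sections"]))
```

On a real sample, `overlay(data, sections)["offset"] + ["size"]` must equal the file size; if it does not, the section table is lying (a common packer trick) and the raw-data pointers need checking against the file alignment before trusting any of the other fields.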
PE imports
_adj_fdiv_m32
__vbaChkstk
Ord(610)
Ord(645)
_CIcos
__vbaStrCmp
__vbaVarDup
_adj_fdivr_m64
Ord(527)
_adj_fprem
__vbaLenBstr
__vbaObjVar
_adj_fdiv_m32i
EVENT_SINK_AddRef
Ord(544)
__vbaStrComp
__vbaStrToUnicode
_adj_fdivr_m16i
EVENT_SINK_QueryInterface
__vbaStrCopy
Ord(666)
__vbaR8Sgn
__vbaExceptHandler
__vbaSetSystemError
__vbaFreeVarList
Ord(546)
DllFunctionCall
__vbaFPException
__vbaStrVarMove
__vbaLateMemCall
__vbaRecDestruct
EVENT_SINK_Release
Ord(563)
Ord(589)
Ord(571)
__vbaVarSetObjAddref
__vbaFreeStr
_CItan
__vbaFreeVar
__vbaVarTstNe
Ord(618)
__vbaLbound
__vbaVarCat
_adj_fdiv_r
_adj_fpatan
__vbaDateVar
_adj_fdiv_m64
Ord(100)
Ord(542)
__vbaFreeObj
__vbaHresultCheckObj
_CIsqrt
_CIsin
_CIlog
Ord(660)
__vbaVarMul
_allmul
__vbaLsetFixstr
__vbaVarTstEq
_adj_fptan
Ord(685)
__vbaFreeStrList
__vbaObjSet
__vbaI4Var
__vbaVarMove
__vbaErrorOverflow
_CIatan
__vbaNew2
Ord(612)
__vbaR8IntI4
__vbaLateIdCallLd
__vbaOnError
_adj_fdivr_m32i
Ord(631)
__vbaAryDestruct
_CIexp
__vbaStrMove
__vbaStrToAnsi
_adj_fprem1
_adj_fdivr_m32
__vbaFpR8
Ord(609)
__vbaI2I4
Ord(698)
_adj_fdiv_m16i
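The import names above are the Visual Basic 6 runtime's exports (the `__vba*` prefix, plus bare ordinals), which is what the imphash in the File identification section below is computed over. The following is an added example, not VirusTotal's or pefile's code: it reimplements the imphash normalisation as pefile defines it (library name lowercased with a `.dll`/`.ocx`/`.sys` extension stripped, ordinals rendered as `ordN`, entries joined in import-table order and MD5-hashed). The DLL name `MSVBVM60.DLL` is an assumption here; the report lists function names only, and because the page's ordering need not be the import table's ordering, the example does not try to reproduce the report's own imphash value.

```python
"""Imphash over an import list, following pefile's get_imphash() rules.

Added example, not part of the report. The pairing of the names with
MSVBVM60.DLL is an assumption (the report shows names without a DLL).
"""
import hashlib
import re

_STRIP_EXTS = ("ocx", "sys", "dll")           # only these extensions are dropped, as in pefile
_ORD_RE = re.compile(r"ord\((\d+)\)", re.IGNORECASE)


def normalize_import(dll: str, func: str) -> str:
    """'MSVBVM60.DLL','Ord(610)' -> 'msvbvm60.ord610'; names are lowercased, not otherwise changed."""
    lib = dll.lower()
    parts = lib.rsplit(".", 1)
    if len(parts) == 2 and parts[1] in _STRIP_EXTS:
        lib = parts[0]
    m = _ORD_RE.fullmatch(func.strip())
    name = "ord%d" % int(m.group(1)) if m else func.strip().lower()
    return "%s.%s" % (lib, name)


def imphash(imports):
    """imports: iterable of (dll, function) in import-table order. Returns (md5 hex, joined string)."""
    joined = ",".join(normalize_import(dll, func) for dll, func in imports)
    return hashlib.md5(joined.encode()).hexdigest(), joined


# First entries from the report's import list, paired with the assumed runtime DLL.
SAMPLE_IMPORTS = [
    ("MSVBVM60.DLL", "_adj_fdiv_m32"),
    ("MSVBVM60.DLL", "__vbaChkstk"),
    ("MSVBVM60.DLL", "Ord(610)"),
    ("MSVBVM60.DLL", "Ord(645)"),
    ("MSVBVM60.DLL", "_CIcos"),
    ("MSVBVM60.DLL", "__vbaStrCmp"),
    ("MSVBVM60.DLL", "__vbaVarDup"),
]

if __name__ == "__main__":
    digest, joined = imphash(SAMPLE_IMPORTS)
    print(joined)
    print(digest)
    # Order matters: the same set of imports in another order hashes differently.
    print(imphash(list(reversed(SAMPLE_IMPORTS)))[0] != digest)
```

The caveat for samples like this one: a VB6 executable imports only the runtime, and the P-code/native compiler emits the same small set of runtime functions for most programs, so the imphash clusters on "compiled with VB6 in this way" rather than on the malware family. Pivoting on the imphash of a VB6-packed Fareit will pull in unrelated VB6 binaries; the ssdeep, the overlay hash and the version-info strings are better pivots for this sample.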
Number of PE resources by type
RT_ICON 3
RT_VERSION 1
RT_GROUP_ICON 1
Number of PE resources by language
NEUTRAL 4
ENGLISH US 1
PE resources
ExifTool file metadata
LegalTrademarks http:\\WWW.LIGht-ALLAy.AU
SubsystemVersion 4.0
Comments makayamA inteRACTIVE
InitializedDataSize 12288
ImageVersion 2.7
ProductName lavasocT
FileVersionNumber 2.7.0.0
UninitializedDataSize 0
LanguageCode English (U.S.)
FileFlagsMask 0x0000
ImageFileCharacteristics No relocs, Executable, No line numbers, No symbols, 32-bit
CharacterSet Unicode
LinkerVersion 6.0
FileTypeExtension exe
OriginalFileName Demotist2.exe
MIMEType application/octet-stream
FileVersion 2.07
TimeStamp 2006:02:22 18:56:00+01:00
FileType Win32 EXE
PEType PE32
InternalName Demotist2
ProductVersion 2.07
FileDescription Ac adEE, aAc.
OSVersion 4.0
FileOS Win32
Subsystem Windows GUI
MachineType Intel 386 or later, and compatibles
CompanyName ePsOn
CodeSize 528384
FileSubtype 0
ProductVersionNumber 2.7.0.0
EntryPoint 0x1af0
ObjectFileType Executable application

Execution parents
File identification
MD5 45c99cd25d060f8504272aabe4314767
SHA1 a87e8e3805bb438f53299e91168e8bc786875fb8
SHA256 e288aa78bfe583f31b151d3bba16743d185164dece2583fbaa63cad811f75a45
ssdeep 12288:ow1kAyi2PmrSyMxlmDGlq2ZNLvEt1CsX8UI0Hl:9k62u+HxlYAq2ZN7owk8UI0F
authentihash efa4ca78a6ed7bf2a2ad57ad4ffb8c79674b2c7830dab750cf6a6c381f09a916
imphash 7fc15a60a45003b2f7920f939379aaa1
File size 533.0 KB ( 545760 bytes )
File type Win32 EXE
Magic literal PE32 executable for MS Windows (GUI) Intel 80386 32-bit
TrID Win32 Executable Microsoft Visual Basic 6 (82.7%)
Win32 Dynamic Link Library (generic) (6.6%)
Win32 Executable (generic) (4.5%)
OS/2 Executable (generic) (2.0%)
Generic Win/DOS Executable (2.0%)
Tags peexe overlay
VirusTotal metadata
First submission 2018-09-04 02:21:43 UTC ( 5 months, 2 weeks ago )
Last submission 2018-09-16 09:17:10 UTC ( 5 months ago )
File names PI.exe
Demotist2
udpss.exe
Demotist2.exe
upnpsvc.exe
Condensed report! The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.
Hooking activity
Runtime DLLs
Additional details
The file installs an application-defined hook procedure into a hook chain. A hook procedure is installed to monitor the system for certain types of events; these events are associated either with a specific thread or with all threads in the same desktop as the calling thread. This is done with the SetWindowsHook family of Windows API functions (SetWindowsHookEx on current Windows).
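The two facts that matter when reading such a hook event are the hook type (the `idHook` argument, a `WH_*` constant) and its scope (`dwThreadId` of 0 means every thread on the calling desktop, otherwise one thread). For a password stealer the question is whether a keystroke-delivering hook was installed globally. The following is an added example, not part of the VirusTotal report: a triage helper that decodes `SetWindowsHookEx` calls from an API trace. The trace line format and the three lines it parses are constructed for the example; they are not output from this sample's sandbox run.

```python
"""Decode SetWindowsHookEx calls from an API trace and flag global keystroke hooks.

Added example, not from the report. SAMPLE_TRACE and its line format are
constructed; they are not the analysed sample's behaviour.
"""
import re

# WH_* hook type constants from winuser.h
WH_NAMES = {
    -1: "WH_MSGFILTER", 0: "WH_JOURNALRECORD", 1: "WH_JOURNALPLAYBACK",
    2: "WH_KEYBOARD", 3: "WH_GETMESSAGE", 4: "WH_CALLWNDPROC", 5: "WH_CBT",
    6: "WH_SYSMSGFILTER", 7: "WH_MOUSE", 8: "WH_HARDWARE", 9: "WH_DEBUG",
    10: "WH_SHELL", 11: "WH_FOREGROUNDIDLE", 12: "WH_CALLWNDPROCRET",
    13: "WH_KEYBOARD_LL", 14: "WH_MOUSE_LL",
}
# Hook types whose procedure receives keystrokes (or a full input journal).
KEYSTROKE_HOOKS = {0, 2, 13}
# Low-level hooks run in the installing process; every other global hook needs a
# DLL (hMod) that the system loads into each process the hook fires in.
LOW_LEVEL_HOOKS = {13, 14}

LINE_RE = re.compile(
    r"pid=(?P<pid>\d+)\s+SetWindowsHookEx[AW]?\(\s*idHook=(?P<id>-?\d+),\s*lpfn=(?P<fn>0x[0-9a-fA-F]+),"
    r"\s*hMod=(?P<mod>0x[0-9a-fA-F]+),\s*dwThreadId=(?P<tid>\d+)\s*\)"
)


def classify_hook(line: str):
    """Return a decoded hook record for a SetWindowsHookEx trace line, or None for other lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    hook_id = int(m["id"])
    tid = int(m["tid"])
    is_global = tid == 0
    return {
        "pid": int(m["pid"]),
        "hook": WH_NAMES.get(hook_id, "WH_%d" % hook_id),
        "scope": "all threads on the desktop" if is_global else "thread %d" % tid,
        "injects_dll": is_global and hook_id not in LOW_LEVEL_HOOKS,
        "keylogging_capable": hook_id in KEYSTROKE_HOOKS,
    }


def triage(trace: str):
    """Decode every hook in the trace; global keystroke hooks are listed first."""
    hooks = [h for h in (classify_hook(line) for line in trace.splitlines()) if h]
    return sorted(hooks, key=lambda h: not (h["keylogging_capable"] and h["scope"].startswith("all")))


# Constructed trace (not from the sample): one global low-level keyboard hook,
# one thread-local CBT hook, one global classic keyboard hook backed by a DLL.
SAMPLE_TRACE = """\
pid=2210 SetWindowsHookExA(idHook=13, lpfn=0x004021F0, hMod=0x00400000, dwThreadId=0) -> 0x00050187
pid=2210 SetWindowsHookExA(idHook=5, lpfn=0x10001000, hMod=0x10000000, dwThreadId=1860) -> 0x000501A3
pid=2210 SetWindowsHookExA(idHook=2, lpfn=0x10001230, hMod=0x10000000, dwThreadId=0) -> 0x000501B1
"""

if __name__ == "__main__":
    for h in triage(SAMPLE_TRACE):
        print(h)
```

When a trace shows a global `WH_KEYBOARD` hook (not the `_LL` variant), also look for the DLL named by `hMod` being loaded into unrelated GUI processes; that image load is the artefact that survives in endpoint telemetry after the hooking process has exited.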