SHA256: e555ec63a6445fc643f492c93a480157f94557cfe74686a9cfdcf095acb8acc1
File name: kperra.exe
Detection ratio: 3 / 52
Analysis date: 2014-05-08 17:36:04 UTC (4 years, 10 months ago)
Antivirus              Result                              Update
Bkav                   HW32.CDB.0788                       20140507
Qihoo-360              Malware.QVM20.Gen                   20140508
Rising                 PE:Malware.XPACK-HIE/Heur!1.9C48    20140507
Ad-Aware               -                                   20140508
AegisLab               -                                   20140508
Yandex                 -                                   20140507
AhnLab-V3              -                                   20140508
AntiVir                -                                   20140508
Antiy-AVL              -                                   20140508
Avast                  -                                   20140508
AVG                    -                                   20140508
Baidu-International    -                                   20140508
BitDefender            -                                   20140508
ByteHero               -                                   20140508
CAT-QuickHeal          -                                   20140508
ClamAV                 -                                   20140508
CMC                    -                                   20140506
Commtouch              -                                   20140508
Comodo                 -                                   20140508
DrWeb                  -                                   20140508
Emsisoft               -                                   20140508
ESET-NOD32             -                                   20140508
F-Prot                 -                                   20140508
F-Secure               -                                   20140508
Fortinet               -                                   20140508
GData                  -                                   20140508
Ikarus                 -                                   20140508
Jiangmin               -                                   20140508
K7AntiVirus            -                                   20140508
K7GW                   -                                   20140508
Kaspersky              -                                   20140508
Kingsoft               -                                   20140508
Malwarebytes           -                                   20140508
McAfee                 -                                   20140508
McAfee-GW-Edition      -                                   20140508
Microsoft              -                                   20140508
eScan                  -                                   20140508
NANO-Antivirus         -                                   20140508
Norman                 -                                   20140508
nProtect               -                                   20140507
Panda                  -                                   20140508
Sophos AV              -                                   20140508
SUPERAntiSpyware       -                                   20140508
Symantec               -                                   20140508
TheHacker              -                                   20140508
TotalDefense           -                                   20140508
TrendMicro             -                                   20140508
TrendMicro-HouseCall   -                                   20140508
VBA32                  -                                   20140507
VIPRE                  -                                   20140508
ViRobot                -                                   20140508
Zillya                 -                                   20140507
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
FileVersionInfo properties
Publisher Intuit, Inc
Product Xuxavi
Original name Ewlfkqabd.exe
Internal name Iwysyr
File version 1, 6, 5
Description Gihocif Usa Akirep
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2011-06-14 08:02:11
Entry Point 0x00013069
Number of sections 5
PE sections
PE imports
RegCreateKeyExW
LsaSetTrustedDomainInformation
RegQueryValueExA
SetNamedSecurityInfoExA
CryptSetProviderA
RegSetValueW
CryptHashData
OpenBackupEventLogA
RegQueryValueExW
RegOpenKeyA
AddAuditAccessObjectAce
LsaSetInformationTrustedDomain
CreateServiceA
LsaCreateAccount
ConvertStringSidToSidA
SystemFunction012
LsaLookupNames
GetAuditedPermissionsFromAclW
ObjectCloseAuditAlarmW
ElfDeregisterEventSource
LsaOpenSecret
LockServiceDatabase
GetMultipleTrusteeOperationW
TraceEvent
SetTraceCallback
LsaFreeMemory
GetSidLengthRequired
SetSecurityInfoExA
RegQueryMultipleValuesW
StartServiceA
SetUserFileEncryptionKey
ReportEventA
TranslateInfString
AddClusterResourceDependency
FailClusterResource
CloseClusterNetwork
GetClusterFromNetwork
GetClusterResourceNetworkName
ClusterRegQueryInfoKey
SetClusterGroupNodeList
ClusterResourceTypeOpenEnum
OpenClusterNetwork
ClusterRegSetKeySecurity
GetClusterNodeId
ClusterGroupOpenEnum
OfflineClusterGroup
CloseClusterNode
RestoreClusterDatabase
CreateClusterResourceType
ClusterResourceTypeControl
OnlineClusterGroup
ClusterRegDeleteKey
GetClusterNetworkId
ClusterNetworkOpenEnum
GetClusterKey
ClusterResourceEnum
GetClusterNodeState
ChooseFontW
GetSaveFileNameW
Ssync_ANSI_UNICODE_Struct_For_WOW
GetOpenFileNameA
ChooseColorA
ReplaceTextW
CommDlgExtendedError
PrintDlgExA
PageSetupDlgW
GetSaveFileNameA
ChooseFontA
dwOKSubclass
PolyPolyline
CreateHalftonePalette
GetDIBColorTable
GetTextCharset
CombineRgn
GetLayout
EnumFontFamiliesExA
GetTextExtentExPointA
EnumMetaFile
SetPixel
GetCharWidthFloatW
GetDeviceGammaRamp
EnumFontFamiliesA
CreatePatternBrush
SelectClipPath
PlayEnhMetaFile
OffsetViewportOrgEx
GetDIBits
ExtCreateRegion
SetPixelFormat
CreateCompatibleDC
CreateScalableFontResourceW
RemoveFontResourceA
GetEnhMetaFilePixelFormat
CopyMetaFileW
ResetDCA
SetWindowExtEx
SetWindowOrgEx
SetViewportOrgEx
CreateFontIndirectExW
GetTextCharacterExtra
GetCharABCWidthsA
ImmInstallIMEW
ImmSetCompositionStringA
DeleteProxyArpEntry
InternalSetIpForwardEntry
GetIfTable
AllocateAndGetIpAddrTableFromStack
NhGetInterfaceNameFromGuid
InternalSetIpNetEntry
NTTimeToNTPTime
GetUdpStatistics
GetIpForwardTable
InternalGetIfTable
GetIpStatistics
DeleteIPAddress
NotifyAddrChange
InternalGetIpNetTable
SendARP
GetPerAdapterInfo
CreateIpNetEntry
EnableRouter
SetIpForwardEntry
GetAdaptersInfo
IpRenewAddress
DeleteIpNetEntry
NhpAllocateAndGetInterfaceInfoFromStack
FlushIpNetTable
InternalCreateIpNetEntry
InternalGetUdpTable
SetFileAttributesA
FindResourceExW
acmStreamMessage
SetColorProfileElementReference
AlphaBlend
__p__fileinfo
EnumProtocolsW
GetNameByTypeA
NetDfsManagerSendSiteInfo
NetAuditWrite
NetReplImportDirAdd
NetUserModalsSet
NetRenameMachineInDomain
DsGetDcNameA
NetServerEnum
NetMessageNameDel
NetGroupEnum
NetReplImportDirDel
NetServerTransportDel
NetServiceGetInfo
NetReplExportDirEnum
NetShareCheck
NetLocalGroupDelMember
NetDfsAdd
NetMessageBufferSend
NetConnectionEnum
NetReplExportDirUnlock
NetReplExportDirAdd
DsValidateSubnetNameA
NetUserChangePassword
NetShareAdd
NetValidateName
I_BrowserQueryStatistics
NetUserDel
NetUnregisterDomainNameChangeNotification
NetAuditRead
NetFileEnum
NetServiceInstall
NetUseAdd
NetServerComputerNameAdd
RtlNewSecurityObjectEx
DsUnBindA
CreateStdAccessibleObject
PdhEnumMachinesW
PdhVbUpdateLog
PdhEnumObjectItemsW
PdhReadRawLogRecord
PdhUpdateLogFileCatalog
PdhBrowseCountersW
PdhUpdateLogA
PdhBrowseCountersA
PdhCloseQuery
PdhAddCounterA
PdhParseCounterPathA
PdhLookupPerfIndexByNameA
PdhExpandWildCardPathW
PdhComputeCounterStatistics
PdhSelectDataSourceA
PdhGetFormattedCounterArrayW
PdhSelectDataSourceW
PdhConnectMachineW
PdhMakeCounterPathA
PdhEnumObjectsA
PdhVbOpenQuery
PdhOpenLogW
PdhGetRawCounterArrayW
PdhCollectQueryDataEx
PdhParseInstanceNameW
EnumDeviceDrivers
SvcEntry_CiSvc
UuidFromStringW
NdrNonConformantStringMarshall
I_RpcTransDatagramFree
RpcSmDisableAllocate
NdrFixedArrayBufferSize
RpcSmAllocate
I_RpcBindingIsClientLocal
I_RpcFreeBuffer
NdrServerInitializeUnmarshall
NdrFullPointerInsertRefId
NdrInterfacePointerBufferSize
RpcSsGetThreadHandle
NdrFullPointerQueryRefId
MesDecodeBufferHandleCreate
NdrComplexArrayMarshall
RpcSsEnableAllocate
NdrRpcSsDisableAllocate
RpcServerInqDefaultPrincNameA
I_RpcBindingInqDynamicEndpointA
NdrMapCommAndFaultStatus
I_RpcBindingInqWireIdForSnego
MesDecodeIncrementalHandleCreate
NdrGetBuffer
NdrProxyGetBuffer
RpcBindingSetAuthInfoA
I_RpcNsInterfaceExported
RpcMgmtSetAuthorizationFn
RpcAsyncCompleteCall
RpcBindingInqAuthClientExW
RpcSmClientFree
SamOpenDomain
SamSetInformationGroup
SamSetInformationUser
SamSetSecurityObject
SamGetGroupsForUser
SamiLmChangePasswordUser
SamConnect
SamQueryDisplayInformation
SamCloseHandle
SamEnumerateAliasesInDomain
SamOpenGroup
SamLookupDomainInSamServer
SamiSetBootKeyInformation
SamGetDisplayEnumerationIndex
SamGetAliasMembership
SamChangePasswordUser2
SamLookupIdsInDomain
SamCreateAliasInDomain
ScesrvInitializeServer
ScesrvTerminateServer
GetComputerObjectNameW
DeleteSecurityPackageW
ImportSecurityContextW
LsaDeregisterLogonProcess
SaslEnumerateProfilesW
EnumerateSecurityPackagesW
LsaFreeReturnBuffer
SaslInitializeSecurityContextW
ImpersonateSecurityContext
SaslAcceptSecurityContext
TranslateNameA
SaslGetProfilePackageW
QuerySecurityPackageInfoW
ImportSecurityContextA
UnsealMessage
LsaRegisterPolicyChangeNotification
SetupGetBackupInformationA
SetupDiGetClassBitmapIndex
SetupDiGetDriverInfoDetailA
SetupAddSectionToDiskSpaceListW
SetupGetBackupInformationW
SetupQueueDefaultCopyA
SetupDiInstallClassA
SetupDiSetDeviceRegistryPropertyW
SetupCommitFileQueueA
CM_Set_HW_Prof_Flags_ExA
SetupGetFileCompressionInfoW
CM_Get_DevNode_Registry_PropertyA
CM_Get_Device_Interface_AliasA
SetupQuerySourceListW
SetupRemoveInstallSectionFromDiskSpaceListW
CM_Register_Device_Driver_Ex
CM_Get_Device_ID_List_Size_ExW
SetupRemoveFromSourceListA
SetupQuerySourceListA
CM_Get_Device_ID_List_ExW
SHFormatDrive
SHInvokePrinterCommandW
SHEmptyRecycleBinW
ExtractIconExA
SHGetFolderPathW
SHGetDiskFreeSpaceA
InternalExtractIconListW
SHGetInstanceExplorer
SHInvokePrinterCommandA
SHGetFileInfoW
SHGetMalloc
RealShellExecuteA
MMCInitialize
lineGetGroupListA
lineGetStatusMessages
MMCGetLineInfo
phoneSetVolume
lineSetCallPrivilege
MMCShutdown
lineSetAgentSessionState
phoneSetStatusMessages
lineSetTerminal
lineMakeCallW
MMCGetPhoneStatus
lineConfigDialogW
lineRedirectW
phoneSetData
lineCompleteCall
MMCAddProvider
lineCreateAgentW
tapiGetLocationInfoW
lineGetAppPriorityA
lineBlindTransferA
lineGetAgentSessionInfo
phoneGetButtonInfoA
phoneShutdown
lineGetIconW
phoneClose
lineGetAddressStatusA
internalRemoveLocation
phoneInitializeExA
lineGetProviderListW
phoneConfigDialogW
URLOpenBlockingStreamA
GetWindowTextA
GetCursorPos
UnionRect
RefreshPolicy
ExpandEnvironmentStringsForUserW
GetProfileType
GetGPOListA
GetProfilesDirectoryW
GetDefaultUserProfileDirectoryW
FreeGPOListA
GetUserProfileDirectoryW
UnloadUserProfile
RegisterGPNotification
ExpandEnvironmentStringsForUserA
GetAllUsersProfileDirectoryW
LoadUserProfileW
GetAllUsersProfileDirectoryA
ProcessGroupPolicyCompleted
GetDefaultUserProfileDirectoryA
GetUserProfileDirectoryA
VDMGetPointer
VDMGetAddrExpression
VDMGlobalFirst
VDMGetSegtablePointer
InternetSetCookieA
InternetGetConnectedStateExA
InternetHangUp
FtpRemoveDirectoryA
FindNextUrlCacheEntryA
InternetErrorDlg
InternetLockRequestFile
HttpOpenRequestW
HttpAddRequestHeadersA
ShowClientAuthCerts
SetUrlCacheEntryGroupW
RegisterUrlCacheNotification
GopherOpenFileW
FtpDeleteFileA
InternetTimeFromSystemTimeW
FindFirstUrlCacheEntryExW
HttpQueryInfoW
InternetWriteFileExW
FtpGetFileEx
FtpSetCurrentDirectoryA
RetrieveUrlCacheEntryStreamW
CreateUrlCacheContainerA
ResumeSuspendedDownload
FindCloseUrlCache
InternetAlgIdToStringA
ShowX509EncodedCertificate
InternetQueryFortezzaStatus
InternetOpenUrlW
InternetAlgIdToStringW
mciGetDeviceIDFromElementIDW
mciGetErrorStringW
joyGetNumDevs
mciLoadCommandResource
midiInGetErrorTextW
waveOutGetDevCapsW
mciSendStringA
midiInUnprepareHeader
mmioSendMessage
mmDrvInstall
mixerOpen
midiStreamOpen
mmioFlush
waveOutGetNumDevs
waveOutGetPlaybackRate
waveOutMessage
midiInClose
waveOutBreakLoop
auxOutMessage
joySetThreshold
DriverCallback
waveOutSetPitch
midiStreamClose
mciGetDeviceIDW
waveOutPrepareHeader
midiStreamPause
waveOutGetErrorTextA
mixerMessage
waveOutGetPitch
DefDriverProc
mssip32DllRegisterServer
SoftpubDllUnregisterServer
mscat32DllRegisterServer
OfficeInitializePolicy
WinVerifyTrust
CryptCATAdminAddCatalog
WVTAsn1SpcPeImageDataDecode
WVTAsn1SpcMinimalCriteriaInfoEncode
AddPersonalTrustDBPages
WVTAsn1SpcSpAgencyInfoDecode
CryptCATStoreFromHandle
TrustFindIssuerCertificate
FindCertsByIssuer
WintrustSetRegPolicyFlags
CryptCATEnumerateMember
WintrustCertificateTrust
WintrustAddActionID
CryptSIPVerifyIndirectData
SoftpubInitialize
CryptCATPutCatAttrInfo
TrustOpenStores
OfficeCleanupPolicy
CryptCATCDFOpen
CryptCATAdminAcquireContext
SoftpubDllRegisterServer
WSASetEvent
Number of PE resources by type
RT_DIALOG 180
RT_MENU 172
RT_VERSION 1
Number of PE resources by language
ENGLISH AUS 353
PE resources
ExifTool file metadata
MIMEType application/octet-stream
Subsystem Windows GUI
MachineType Intel 386 or later, and compatibles
TimeStamp 2011:06:14 09:02:11+01:00
FileType Win32 EXE
PEType PE32
CodeSize 90112
LinkerVersion 6.0
FileAccessDate 2014:05:08 18:36:24+01:00
EntryPoint 0x13069
InitializedDataSize 249856
SubsystemVersion 4.0
ImageVersion 0.0
OSVersion 5.0
FileCreateDate 2014:05:08 18:36:24+01:00
UninitializedDataSize 0
File identification
MD5 b33ffc7b39380023f9f67e6ddf86bd02
SHA1 7b2a969cc820ae41f01ac72ddbe6672f38fb4164
SHA256 e555ec63a6445fc643f492c93a480157f94557cfe74686a9cfdcf095acb8acc1
ssdeep 6144:QmaPNUj+by1j9anvfHv45VVG17SPfpwEyvP1fPiyNahBY:QNOj+byj9AH4LVGZ4wEyvNPiy5
imphash 3606ed9d54610d7915afc4f86cd687fe
File size 277.5 KB (284160 bytes)
File type Win32 EXE
Magic literal PE32 executable for MS Windows (GUI) Intel 80386 32-bit
TrID Win32 Dynamic Link Library (generic) (43.5%)
     Win32 Executable (generic) (29.8%)
     Generic Win/DOS Executable (13.2%)
     DOS Executable Generic (13.2%)
     Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
Tags peexe

VirusTotal metadata
First submission 2014-05-08 17:36:04 UTC (4 years, 10 months ago)
Last submission 2014-05-08 17:36:04 UTC (4 years, 10 months ago)
File names kperra.exe, Ewlfkqabd.exe, Iwysyr
Advanced heuristic and reputation engines
Symantec reputation Suspicious.Insight
Condensed report! The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.
Opened files
Read files
Written files
Copied files
Deleted files
Created processes
Code injections in the following processes
Created mutexes
Opened mutexes
Searched windows
Opened service managers
Opened services
Runtime DLLs
Additional details
The file sends control codes directly to certain device drivers making use of the DeviceIoControl Windows API function.
HTTP requests
DNS requests
TCP connections