SHA256: e75c318edcbf361497507411bcfee38a8bdbe246460d4be000cf817adaa11224
File name: RFQ
Detection ratio: 35 / 66
Analysis date: 2018-11-22 09:17:42 UTC ( 6 months ago )
Antivirus Result Update
Ad-Aware Trojan.GenericKD.40777422 20181122
AegisLab Trojan.Win32.Noon.4!c 20181122
AhnLab-V3 Win-Trojan/VBKrypt.RP05 20181122
Arcabit Trojan.Generic.D26E36CE 20181121
Avast Win32:Malware-gen 20181122
AVG Win32:Malware-gen 20181122
BitDefender Trojan.GenericKD.40777422 20181122
CrowdStrike Falcon (ML) malicious_confidence_60% (W) 20181022
Cylance Unsafe 20181122
Cyren W32/GenBl.4A6B401D!Olympus 20181122
Emsisoft Trojan.GenericKD.40777422 (B) 20181122
Endgame malicious (high confidence) 20181108
ESET-NOD32 a variant of Win32/Injector.EBUJ 20181122
F-Secure Trojan.GenericKD.40777422 20181122
Fortinet W32/Injector.EBTW!tr 20181122
GData Trojan.GenericKD.40777422 20181122
Ikarus Trojan.VB.Crypt 20181121
Sophos ML heuristic 20181108
Kaspersky Trojan-Spy.Win32.Noon.wss 20181122
MAX malware (ai score=100) 20181122
McAfee Packed-FOL!4A6B401D039A 20181122
McAfee-GW-Edition Artemis!Trojan 20181122
Microsoft Trojan:Win32/Pynamer.A!ac 20181122
eScan Trojan.GenericKD.40777422 20181122
NANO-Antivirus Trojan.Win32.Noon.fkmcgb 20181122
Palo Alto Networks (Known Signatures) generic.ml 20181122
Panda Trj/RnkBend.A 20181121
Qihoo-360 Win32/Trojan.Spy.9a0 20181122
Rising Spyware.Noon!8.E7C9 (CLOUD) 20181122
Sophos AV Mal/FareitVB-N 20181122
Symantec Downloader.Ponik 20181122
Tencent Win32.Trojan.Inject.Auto 20181122
TrendMicro TROJ_GEN.F0C2C00KL18 20181122
TrendMicro-HouseCall TROJ_GEN.F0C2C00KL18 20181122
ZoneAlarm by Check Point Trojan-Spy.Win32.Noon.wss 20181122
Alibaba 20180921
ALYac 20181122
Antiy-AVL 20181122
Avast-Mobile 20181122
Avira (no cloud) 20181122
Babable 20180918
Baidu 20181122
Bkav 20181121
CAT-QuickHeal 20181121
ClamAV 20181122
CMC 20181121
Comodo 20181122
DrWeb 20181122
eGambit 20181122
F-Prot 20181122
Jiangmin 20181122
K7AntiVirus 20181122
K7GW 20181122
Kingsoft 20181122
Malwarebytes 20181122
SentinelOne (Static ML) 20181011
SUPERAntiSpyware 20181121
Symantec Mobile Insight 20181121
TACHYON 20181122
TheHacker 20181118
Trustlook 20181122
VBA32 20181122
ViRobot 20181122
Webroot 20181122
Yandex 20181122
Zillya 20181122
Zoner 20181122
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
FileVersionInfo properties
Product cobani
Original name HEMATOXIC6.exe
Internal name HEMATOXIC6
File version 1.05
Comments Barbeyaceae6
Signature verification A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.
Signing date 12:49 AM 3/6/2019
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2005-03-26 05:55:24
Entry Point 0x000017F0
Number of sections 3
PE sections
Overlays
MD5 1553f6bed41c2b2ad8618c808ffa6305
File type data
Offset 606208
Size 6104
Entropy 7.48
PE imports
_adj_fdiv_m32
__vbaChkstk
Ord(523)
Ord(645)
EVENT_SINK_Release
__vbaStrCmp
Ord(521)
_allmul
_CIsin
Ord(616)
_adj_fdivr_m64
_adj_fprem
Ord(607)
__vbaLenBstr
Ord(525)
_adj_fpatan
_adj_fdiv_m32i
EVENT_SINK_AddRef
Ord(693)
__vbaStrToUnicode
EVENT_SINK_QueryInterface
__vbaStrCopy
__vbaExceptHandler
__vbaSetSystemError
__vbaFreeVarList
DllFunctionCall
__vbaFPException
__vbaStrVarMove
_adj_fdivr_m16i
__vbaStrMove
Ord(618)
_adj_fdiv_r
Ord(100)
__vbaVarSetObjAddref
__vbaFreeVar
__vbaVarLateMemCallLd
_adj_fdiv_m64
__vbaFreeObj
__vbaHresultCheckObj
_CIsqrt
__vbaVarSub
Ord(711)
Ord(660)
__vbaInStrVar
Ord(575)
_CIcos
Ord(595)
__vbaVarTstEq
_adj_fptan
__vbaVarDup
__vbaI4Var
__vbaVarMove
_CIlog
_CIatan
Ord(608)
__vbaNew2
__vbaErrorOverflow
__vbaLateIdCallLd
__vbaOnError
_adj_fdivr_m32i
_CItan
_CIexp
__vbaStrI2
__vbaStrToAnsi
_adj_fprem1
_adj_fdivr_m32
__vbaStrCat
__vbaVarCopy
__vbaFreeStrList
__vbaFpI4
__vbaFreeStr
_adj_fdiv_m16i
Number of PE resources by type
RT_ICON 3
RT_VERSION 1
RT_GROUP_ICON 1
Number of PE resources by language
NEUTRAL 4
ENGLISH US 1
PE resources
ExifTool file metadata
UninitializedDataSize 0
Comments Barbeyaceae6
InitializedDataSize 16384
ImageVersion 1.5
FileSubtype 0
FileVersionNumber 1.5.0.0
LanguageCode English (U.S.)
FileFlagsMask 0x0000
ImageFileCharacteristics No relocs, Executable, No line numbers, No symbols, 32-bit
CharacterSet Unicode
LinkerVersion 6.0
EntryPoint 0x17f0
OriginalFileName HEMATOXIC6.exe
MIMEType application/octet-stream
FileVersion 1.05
TimeStamp 2005:03:26 06:55:24+01:00
FileType Win32 EXE
PEType PE32
InternalName HEMATOXIC6
ProductVersion 1.05
SubsystemVersion 4.0
OSVersion 4.0
FileOS Win32
Subsystem Windows GUI
MachineType Intel 386 or later, and compatibles
CodeSize 585728
ProductName cobani
ProductVersionNumber 1.5.0.0
FileTypeExtension exe
ObjectFileType Executable application

Execution parents
File identification
MD5 4a6b401d039a2e20ff0ed93dbffde4b0
SHA1 2c87308aeb349e971091d6be4ab03d40d5770335
SHA256 e75c318edcbf361497507411bcfee38a8bdbe246460d4be000cf817adaa11224
ssdeep 6144:3To4+UQotOcTaGw5sgNp1IDzBmASohyuXEud3ykX:skQy5a5Vp4EHu0uP
authentihash de5bc02112e1fe39ec1ed6b5f7f875c4383c65959182e8f7779a2ca758850c91
imphash c28d35e06f7782656057662457fb729d
File size 598.0 KB ( 612312 bytes )
File type Win32 EXE
Magic literal PE32 executable for MS Windows (GUI) Intel 80386 32-bit
TrID Win32 Executable Microsoft Visual Basic 6 (88.6%)
Win32 Executable (generic) (4.8%)
OS/2 Executable (generic) (2.1%)
Generic Win/DOS Executable (2.1%)
DOS Executable Generic (2.1%)
Tags
peexe overlay

VirusTotal metadata
First submission 2018-11-21 09:27:04 UTC ( 6 months ago )
Last submission 2018-11-28 09:12:23 UTC ( 5 months, 4 weeks ago )
File names RFQ#3002939_111318.exe
SOOiNA.jpg
RFQ#3002939_111318.exe
HEMATOXIC6.exe
HEMATOXIC6
RFQ
4a6b401d039a2e20ff0ed93dbffde4b0
Condensed report! The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.
Opened files
Hooking activity
Runtime DLLs
Additional details
The file installs an application-defined hook procedure into a hook chain. A hook procedure is installed to monitor the system for certain types of events; these events are associated either with a specific thread or with all threads in the same desktop as the calling thread. This is done using the SetWindowsHook Windows API function.