SHA256: ea986397bb883d05305838fbcb2174cc62b33e8b45fe5168f99baa2b3f8c4b3a
File name: Bluet00th.exe
Detection ratio: 42 / 55
Analysis date: 2017-01-31 13:17:54 UTC
Antivirus Result Update
Ad-Aware Trojan.GenericKD.1424529 20170131
AegisLab Troj.W32.Agent!c 20170131
AhnLab-V3 Malware/Win32.Generic.C466266 20170131
ALYac Trojan.GenericKD.1424529 20170131
Arcabit Trojan.Generic.D15BC91 20170131
Avast AutoIt:MalOb-BZ [Trj] 20170131
AVG Autoit 20170131
Avira (no cloud) TR/Spy.Gen 20170131
AVware Trojan.Win32.Autoit.bjn (v) 20170131
Baidu AutoIt.Worm.Agent.c 20170125
BitDefender Trojan.GenericKD.1424529 20170131
CMC Trojan.Win32.Generic!O 20170131
Comodo UnclassifiedMalware 20170131
CrowdStrike Falcon (ML) malicious_confidence_82% (W) 20161024
Cyren W32/GenBl.3E7F0817!Olympus 20170131
Emsisoft Trojan.GenericKD.1424529 (B) 20170131
ESET-NOD32 Win32/Autoit.KE 20170131
F-Secure Trojan.GenericKD.1424529 20170131
Fortinet W32/Inject.EYEW!tr 20170131
GData Trojan.GenericKD.1424529 20170131
Ikarus Worm.Win32.Renocide 20170131
Sophos ML trojandropper.autoit.rebhip.a 20170111
Jiangmin Trojan.MSIL.aeui 20170131
K7AntiVirus Trojan ( 700000111 ) 20170131
K7GW Trojan ( 700000111 ) 20170131
Kaspersky Trojan.Win32.Agent.acztp 20170131
Kingsoft Win32.Troj.Agent.(kcloud) 20170131
McAfee Artemis!3E7F081748FE 20170131
McAfee-GW-Edition BehavesLike.Win32.Spyware.gc 20170131
Microsoft Worm:Win32/Jenxcus.N 20170131
eScan Trojan.GenericKD.1424529 20170131
NANO-Antivirus Trojan.Script.Agent.debwym 20170131
Panda Trj/CI.A 20170130
Qihoo-360 Win32/Trojan.fd6 20170131
Sophos AV Mal/Autoit-C 20170131
Symantec SecurityRisk.gen1 20170130
Tencent Win32.Trojan.Agent.Lmvf 20170131
TrendMicro TROJ_SPNR.06LC13 20170131
TrendMicro-HouseCall TROJ_SPNR.06LC13 20170131
VBA32 Trojan.Autoit.Wirus 20170131
VIPRE Trojan.Win32.Autoit.bjn (v) 20170131
Zillya Trojan.Agent.Win32.552746 20170131
Engines with no detection (signature update date only):
Alibaba 20170122
Antiy-AVL 20170131
Bkav 20170123
CAT-QuickHeal 20170131
ClamAV 20170131
DrWeb 20170131
F-Prot 20170131
Malwarebytes 20170131
nProtect 20170131
Rising 20170131
SUPERAntiSpyware 20170131
TheHacker 20170129
Trustlook 20170131
ViRobot 20170131
WhiteArmor 20170123
Yandex 20170130
Zoner 20170131
The file is a Portable Executable: specifically a Win32 EXE built for the Windows GUI subsystem.
FileVersionInfo properties
File version 3, 3, 8, 1
Packers identified
F-PROT AutoIt, UTF-8, UPX
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2012-01-29 21:32:28
Entry Point 0x000CA8D0
Number of sections 3
PE sections
Overlays
MD5 7e584b245e95aff33e99bfc4447e98ba
File type data
Offset 379904
Size 55123
Entropy 8.00
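The overlay is everything appended past the last section's raw data. Here it starts at offset 379904 and is 55123 bytes long, which ends exactly at the 435027-byte file size, and its entropy of 8.00 bits per byte is the ceiling for compressed or encrypted data; a compiled AutoIt script riding on its interpreter stub typically lives in that overlay, so this is consistent with the AutoIt and UPX identifications. The Python below is an added example, not code from the VirusTotal report or from AutoIt or UPX: it walks the section table of a PE to find the overlay, measures its Shannon entropy and looks for the AutoIt compiled-script tag. It runs against a constructed minimal PE built in build_sample() (no bytes of Bluet00th.exe are available here); the AU3!EA06 marker string and the 7.5 bit/byte "packed" threshold are assumptions of the example.

```python
"""Locate a PE overlay, measure its entropy and check for an AutoIt script marker.

Added example, standard library only.  The PE it examines is constructed in
build_sample() below; it is not the file from the report.
"""
import math
import struct

# Assumptions of this example, not values taken from the report:
AUTOIT_MARKER = b"AU3!EA06"   # tag found in AutoIt v3 compiled scripts
PACKED_THRESHOLD = 7.5        # bits/byte above which data is treated as compressed/encrypted


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for constant data, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    ent = 0.0
    for c in counts:
        if c:
            p = c / n
            ent -= p * math.log2(p)
    return ent


def overlay_offset(pe: bytes) -> int:
    """Offset of the first byte after the last section's raw data (len(pe) if no overlay).

    DOS header -> e_lfanew -> "PE\\0\\0" -> COFF header -> section table, then
    max(PointerToRawData + SizeOfRawData) over all sections.
    """
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    (num_sections,) = struct.unpack_from("<H", pe, coff + 2)    # NumberOfSections
    (size_opt,) = struct.unpack_from("<H", pe, coff + 16)       # SizeOfOptionalHeader
    section_table = coff + 20 + size_opt
    end = 0
    for i in range(num_sections):
        hdr = section_table + i * 40                             # IMAGE_SECTION_HEADER is 40 bytes
        size_raw, ptr_raw = struct.unpack_from("<II", pe, hdr + 16)
        if size_raw:                                             # BSS-like sections have no raw data
            end = max(end, ptr_raw + size_raw)
    return min(end, len(pe))


def triage(pe: bytes) -> dict:
    """Summarise the overlay the way the report's Overlays block does."""
    off = overlay_offset(pe)
    overlay = pe[off:]
    ent = shannon_entropy(overlay)
    return {
        "overlay_offset": off,
        "overlay_size": len(overlay),
        "overlay_entropy": round(ent, 2),
        "likely_packed_overlay": ent > PACKED_THRESHOLD,
        "autoit_marker": AUTOIT_MARKER in overlay,
    }


def build_sample(overlay: bytes) -> bytes:
    """Constructed minimal PE32: DOS header, PE signature, COFF + optional header,
    one .text section of 0x200 raw bytes at file offset 0x200, then the overlay."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    size_opt = 0xE0                                              # PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, size_opt, 0x0102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (size_opt - 2)     # magic PE32, rest zeroed
    raw_ptr = raw_size = 0x200
    # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, 16 bytes of zeros
    section = b".text\0\0\0" + struct.pack("<IIII", raw_size, 0x1000, raw_size, raw_ptr) + b"\0" * 16
    header = (dos + b"PE\0\0" + coff + opt + section).ljust(raw_ptr, b"\0")
    return header + b"\x90" * raw_size + overlay


if __name__ == "__main__":
    # Uniform byte distribution gives the 8.00 seen in the report.
    print(triage(build_sample(bytes(range(256)) * 4)))
    print(triage(build_sample(AUTOIT_MARKER + b"\0" * 100)))
```

On a real sample the same check is `triage(open(path, "rb").read())`; an overlay that is large, high-entropy and ends at end-of-file is what to carve out and hand to an AutoIt decompiler after unpacking.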
PE imports (this static import table is only the minimal loader set a UPX stub needs: LoadLibraryA, GetProcAddress, VirtualAlloc, VirtualProtect, VirtualFree and ExitProcess from kernel32, plus a single function from each other linked DLL; the original program's imports are rebuilt by the stub at runtime and only visible after unpacking)
ImageList_Remove
GetSaveFileNameW
LineTo
VirtualFree
ExitProcess
VirtualProtect
LoadLibraryA
VirtualAlloc
GetProcAddress
WNetGetConnectionW
VariantInit
EnumProcesses
DragFinish
LoadUserProfileW
VerQueryValueW
FtpOpenFileW
timeGetTime
CoInitialize
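The imphash reported under File identification is computed from this table the way pefile does it: DLL name lowercased with a .dll, .ocx or .sys suffix stripped, function name lowercased, entries joined with commas in import-table order, then MD5. The Python below is an added example, not code from VirusTotal or pefile. Because the report lists function names without their DLLs, the DLL column in SAMPLE_IMPORTS is an assumption of the example (its hash is therefore not expected to equal the report's 890e522b31701e079a367b89393329e6), ordinal-only imports are rendered as ordN without the per-DLL name lookup pefile applies for a few libraries, and looks_like_upx_stub() is this example's heuristic for the loader-set pattern described above, not a UPX specification.

```python
"""pefile-style imphash and a UPX loader-stub heuristic over an ordered import table.

Added example; not code from VirusTotal, pefile or UPX.
"""
import hashlib

# Import table in the order the report lists the function names.  The DLL
# column is an ASSUMPTION of this example: the report shows only the names.
SAMPLE_IMPORTS = [
    ("COMCTL32.dll", "ImageList_Remove"),
    ("COMDLG32.dll", "GetSaveFileNameW"),
    ("GDI32.dll", "LineTo"),
    ("KERNEL32.DLL", "VirtualFree"),
    ("KERNEL32.DLL", "ExitProcess"),
    ("KERNEL32.DLL", "VirtualProtect"),
    ("KERNEL32.DLL", "LoadLibraryA"),
    ("KERNEL32.DLL", "VirtualAlloc"),
    ("KERNEL32.DLL", "GetProcAddress"),
    ("MPR.dll", "WNetGetConnectionW"),
    ("OLEAUT32.dll", "VariantInit"),
    ("PSAPI.DLL", "EnumProcesses"),
    ("SHELL32.dll", "DragFinish"),
    ("USERENV.dll", "LoadUserProfileW"),
    ("VERSION.dll", "VerQueryValueW"),
    ("WININET.dll", "FtpOpenFileW"),
    ("WINMM.dll", "timeGetTime"),
    ("ole32.dll", "CoInitialize"),
]

_STRIP_EXTS = ("ocx", "sys", "dll")
UPX_LOADER_SET = frozenset({"loadlibrarya", "getprocaddress", "virtualprotect",
                            "virtualalloc", "virtualfree", "exitprocess"})


def _norm_func(func) -> str:
    # Ordinal-only imports become "ordN".  pefile additionally maps known
    # ordinals of a few DLLs (e.g. ws2_32) back to names; skipped here.
    return f"ord{func}" if isinstance(func, int) else func.lower()


def normalize_imports(imports) -> str:
    """Build the 'lib.func,lib.func,...' string that imphash hashes."""
    parts = []
    for dll, func in imports:
        lib = dll.lower()
        base, dot, ext = lib.rpartition(".")
        if dot and ext in _STRIP_EXTS:      # kernel32.dll -> kernel32, but keep other suffixes
            lib = base
        parts.append(f"{lib}.{_norm_func(func)}")
    return ",".join(parts)


def imphash(imports) -> str:
    """MD5 of the normalised import string (same recipe as pefile's get_imphash)."""
    return hashlib.md5(normalize_imports(imports).encode()).hexdigest()


def looks_like_upx_stub(imports) -> bool:
    """This example's heuristic: kernel32 supplies at least the six-function
    loader set and every other DLL contributes exactly one import."""
    by_dll = {}
    for dll, func in imports:
        by_dll.setdefault(dll.lower(), []).append(_norm_func(func))
    k32 = set(by_dll.pop("kernel32.dll", []))
    if not UPX_LOADER_SET <= k32:
        return False
    return bool(by_dll) and all(len(funcs) == 1 for funcs in by_dll.values())


if __name__ == "__main__":
    print(normalize_imports(SAMPLE_IMPORTS))
    print("imphash:", imphash(SAMPLE_IMPORTS))
    print("UPX-style stub:", looks_like_upx_stub(SAMPLE_IMPORTS))
```

Because the hash is order-sensitive and case-insensitive, two UPX-packed binaries built by the same packer version share an imphash regardless of what they unpack to, which is why an imphash pivot on a packed sample clusters by packer rather than by malware family.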
Number of PE resources by type
RT_ICON 9
RT_STRING 7
RT_GROUP_ICON 4
RT_DIALOG 1
RT_MANIFEST 1
RT_MENU 1
RT_VERSION 1
Number of PE resources by language
ENGLISH UK 22
ENGLISH US 2
PE resources
ExifTool file metadata
UninitializedDataSize 552960
LinkerVersion 10.0
ImageVersion 0.0
FileVersionNumber 3.3.8.1
LanguageCode English (British)
FileFlagsMask 0x0017
ImageFileCharacteristics No relocs, Executable, Large address aware, 32-bit
CharacterSet Unicode
InitializedDataSize 106496
EntryPoint 0xca8d0
MIMEType application/octet-stream
FileVersion 3, 3, 8, 1
TimeStamp 2012:01:29 22:32:28+01:00
FileType Win32 EXE
PEType PE32
SubsystemVersion 5.0
OSVersion 5.0
FileOS Win32
Subsystem Windows GUI
CompiledScript AutoIt v3 Script: 3, 3, 8, 1
MachineType Intel 386 or later, and compatibles
CodeSize 274432
FileSubtype 0
ProductVersionNumber 3.3.8.1
FileTypeExtension exe
ObjectFileType Unknown

File identification
MD5 3e7f081748fe6b448b8948215330dc2e
SHA1 61e071abd58f6f65c2e501a9b16793a2d8b0f7c5
SHA256 ea986397bb883d05305838fbcb2174cc62b33e8b45fe5168f99baa2b3f8c4b3a
ssdeep 6144:EAFELV9WkhHnkpPlxhPG+hxHLjdw/4NzNXn85R7Iuyuy8wFto39jMdP3oRjhtc3z:EA6bf5Ud3rjdJzxVuy8WoNjMhoRfc3DX
authentihash 40e5547320ed32a8789ccb8743529d0059245d8b7bc40710cfec495fd083fa77
imphash 890e522b31701e079a367b89393329e6
File size 424.8 KB ( 435027 bytes )
File type Win32 EXE
Magic literal PE32 executable for MS Windows (GUI) Intel 80386 32-bit
TrID AutoIt3 compiled script executable (87.8%)
UPX compressed Win32 Executable (4.6%)
Win32 EXE Yoda's Crypter (4.5%)
Win32 Dynamic Link Library (generic) (1.1%)
Win32 Executable (generic) (0.7%)
Tags peexe upx usb-autorun overlay

VirusTotal metadata
First submission 2013-11-26 16:25:51 UTC
Last submission 2018-05-20 17:58:15 UTC
File names Bluet00th.exe, vt-upload-XY0QX
Advanced heuristic and reputation engines
ClamAV Possibly Unwanted Application. While not necessarily malicious, the scanned file presents certain characteristics which depending on the user policies and environment may or may not represent a threat. For full details see: https://www.clamav.net/documents/potentially-unwanted-applications-pua .
Symantec reputation Suspicious.Insight
Condensed report. The following summarises the behaviour of the file when executed in a controlled environment. The actions and events described were performed either by the file itself or by any process it launched or injected code into.
Behavioural report sections whose contents are not reproduced on this page: Opened files, Read files, Copied files, Created processes, Shell commands, Created mutexes, Opened mutexes, Opened service managers, Opened services, Runtime DLLs.
Additional details
The file calls the IsDebuggerPresent Windows API to check whether it is running under a debugger.
The file sends control codes directly to device drivers through the DeviceIoControl Windows API.
Neither function appears in the static import table above, which holds only the packer's loader stub; both were observed at runtime, so they belong to the unpacked code (or to a process it launched or injected into) and are resolved dynamically via LoadLibraryA/GetProcAddress.
DNS requests and TCP connections: not reproduced on this page.