SHA256: ec7c5d5d4c32dfaf0f7295dfacde591cf8272c67396296707868dbe629580a0f
File name: a8e4976f73c6f761d7232afa464304c0
Detection ratio: 56 / 62
Analysis date: 2017-03-18 12:51:43 UTC ( 1 year, 8 months ago )
Antivirus Result Update
Ad-Aware Trojan.Generic.11611036 20170318
AegisLab Troj.Spy.W32.Zbot.tszf!c 20170318
AhnLab-V3 Trojan/Win32.Generic.R118823 20170318
ALYac Trojan.Generic.11611036 20170318
Arcabit Trojan.Generic.DB12B9C 20170318
Avast AutoIt:Zbot-L [Trj] 20170318
AVG Autoit.FW 20170318
Avira (no cloud) TR/Spy.Banker.1255 20170318
AVware Win32.Malware!Drop 20170318
Baidu Win32.Trojan.WisdomEyes.16070401.9500.9869 20170318
BitDefender Trojan.Generic.11611036 20170318
Bkav W32.HfsAtITSTIL.4830 20170318
CAT-QuickHeal TrojanPWS.Zbot 20170317
ClamAV Win.Trojan.Zapchast-1340 20170318
CMC Trojan.Win32.Generic!O 20170317
Comodo UnclassifiedMalware 20170318
CrowdStrike Falcon (ML) malicious_confidence_100% (D) 20170130
Cyren W32/Injector.BK.gen!Eldorado 20170318
DrWeb Trojan.PWS.Panda.7278 20170318
Emsisoft Trojan.Generic.11611036 (B) 20170318
Endgame malicious (moderate confidence) 20170317
ESET-NOD32 Win32/Spy.Zbot.AAO 20170318
F-Prot W32/Injector.BK.gen!Eldorado 20170318
F-Secure Trojan.Generic.11611036 20170318
Fortinet W32/Autoit.ALR!tr 20170318
GData Win32.Trojan.Agent.SB31Q8 20170318
Ikarus Trojan-Spy.Win32.Zbot 20170318
Sophos ML worm.win32.renocide.y 20170203
Jiangmin TrojanSpy.Zbot.egct 20170318
K7AntiVirus Trojan ( 700000111 ) 20170318
K7GW Trojan ( 700000111 ) 20170317
Kaspersky Trojan-Spy.Win32.Zbot.tszf 20170318
Malwarebytes Trojan.InfoStealer.LLO 20170318
McAfee Generic.ul 20170318
McAfee-GW-Edition BehavesLike.Win32.Spyware.dh 20170318
Microsoft PWS:Win32/Zbot 20170318
eScan Trojan.Generic.11611036 20170318
NANO-Antivirus Trojan.Win32.Zbot.eahzoc 20170318
Palo Alto Networks (Known Signatures) generic.ml 20170318
Panda Trj/WLT.A 20170318
Qihoo-360 HEUR/Malware.QVM11.Gen 20170318
Rising Trojan.Generic (cloud:nEQQFBJSlUL) 20170318
SentinelOne (Static ML) static engine - malicious 20170315
Sophos AV Mal/Autoit-R 20170318
Symantec Trojan.Zbot 20170317
Tencent Win32.Trojan-spy.Zbot.Lpuy 20170318
TheHacker Backdoor/Poison.etvb 20170318
TotalDefense Win32/Zbot.JbTfaED 20170318
TrendMicro TSPY_ZBOT.YYSJ 20170318
TrendMicro-HouseCall TSPY_ZBOT.YYSJ 20170318
VIPRE Win32.Malware!Drop 20170318
Webroot W32.Malware.Heur 20170318
Yandex TrojanSpy.Zbot!QKNEX02vo1M 20170317
Zillya Trojan.Zbot.Win32.166236 20170317
ZoneAlarm by Check Point Trojan-Spy.Win32.Zbot.tszf 20170318
Zoner Trojan.Zbot.AAO 20170318
Alibaba (no detection) 20170228
Antiy-AVL (no detection) 20170318
Kingsoft (no detection) 20170318
nProtect (no detection) 20170318
SUPERAntiSpyware (no detection) 20170318
Trustlook (no detection) 20170318
VBA32 (no detection) 20170317
ViRobot (no detection) 20170318
WhiteArmor (no detection) 20170315
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
FileVersionInfo properties
File version 3, 3, 8, 1
Packers identified
F-PROT UPX
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2012-01-29 21:32:28
Entry Point 0x000C2E80
Number of sections 3
PE sections
Overlays
MD5 006fb30ff09216194918c8b64c914216
File type data
Offset 344064
Size 645224
Entropy 5.71
PE imports
ImageList_Remove
GetSaveFileNameW
LineTo
VirtualFree
ExitProcess
VirtualProtect
LoadLibraryA
VirtualAlloc
GetProcAddress
WNetGetConnectionW
VariantInit
EnumProcesses
DragFinish
LoadUserProfileW
VerQueryValueW
FtpOpenFileW
timeGetTime
CoInitialize
Number of PE resources by type
RT_STRING 7
RT_ICON 4
RT_GROUP_ICON 4
RT_DIALOG 1
RT_MANIFEST 1
RT_MENU 1
RT_VERSION 1
Number of PE resources by language
ENGLISH UK 17
ENGLISH US 2
PE resources
ExifTool file metadata
UninitializedDataSize 524288
InitializedDataSize 73728
ImageVersion 0.0
FileVersionNumber 3.3.8.1
LanguageCode English (British)
FileFlagsMask 0x0017
CharacterSet Unicode
LinkerVersion 10.0
FileTypeExtension exe
MIMEType application/octet-stream
FileVersion 3, 3, 8, 1
TimeStamp 2012:01:29 22:32:28+01:00
FileType Win32 EXE
PEType PE32
SubsystemVersion 5.0
OSVersion 5.0
FileOS Win32
Subsystem Windows GUI
CompiledScript AutoIt v3 Script: 3, 3, 8, 1
MachineType Intel 386 or later, and compatibles
CodeSize 274432
FileSubtype 0
ProductVersionNumber 3.3.8.1
EntryPoint 0xc2e80
ObjectFileType Unknown

File identification
MD5 a8e4976f73c6f761d7232afa464304c0
SHA1 9a7ec15c37887ebda741866626ff147ba1d63049
SHA256 ec7c5d5d4c32dfaf0f7295dfacde591cf8272c67396296707868dbe629580a0f
ssdeep 24576:jthEVaPqLJaDLaHImJKSFhRrpHfaQ8nj49hS0b:3EVUcJDHTp7
authentihash 28f49846b5508452d2a8450d0bc7cc477c8b5190c9e4cd80ea1247468038cf3a
imphash 890e522b31701e079a367b89393329e6
File size 966.1 KB ( 989288 bytes )
File type Win32 EXE
Magic literal PE32 executable for MS Windows (GUI) Intel 80386 32-bit
TrID AutoIt3 compiled script executable (88.1%)
UPX compressed Win32 Executable (4.6%)
Win32 EXE Yoda's Crypter (4.5%)
Win32 Dynamic Link Library (generic) (1.1%)
Win32 Executable (generic) (0.7%)
Tags
peexe upx overlay
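The PE header, overlay, packer and TrID fields above all derive from the same few on-disk structures, and a reviewer can re-derive them from the file rather than trusting the scanner. The numbers on this page are internally consistent: overlay offset 344064 + overlay size 645224 = 989288, the reported file size, so the overlay runs to end of file. The script below is an added example, not code from the VirusTotal report, from AutoIt or from the sample; it parses a PE32 section table to find the overlay (everything after the highest PointerToRawData + SizeOfRawData), computes the overlay's Shannon entropy (the same measure VT reports as 5.71), decodes the COFF timestamp, flags UPX-named sections, and searches for the `AU3!EA06` marker that Aut2Exe (AutoIt v3.2.6 and later, so also 3.3.8.1) writes in front of a compiled script. `parse_pe`, `build_sample_pe` and `SAMPLE_OVERLAY` are names chosen here; the PE it parses is constructed in-line (section names, sizes and overlay bytes are invented for the demonstration, only the timestamp value is the one from this report), so nothing here reproduces the sample's hashes.

```python
"""Static PE triage: section table, COFF timestamp, overlay entropy, UPX section
names and the AutoIt v3 script marker.  Added example built around a PE that is
constructed in-line; it is not code from the VirusTotal report or the sample."""
import math
import struct
from datetime import datetime, timezone

# Marker that Aut2Exe (AutoIt v3.2.6 and later, so also 3.3.8.1) writes in
# front of the compiled script blob; unpackers such as Exe2Aut look for it.
AUTOIT_MARKER = b"AU3!EA06"
COFF_HDR = struct.Struct("<HHIIIHH")         # IMAGE_FILE_HEADER, 20 bytes
SECTION_HDR = struct.Struct("<8sIIIIIIHHI")  # IMAGE_SECTION_HEADER, 40 bytes
FILE_ALIGN = 0x200


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniformly random bytes.
    VirusTotal reports the same measure for the overlay (5.71 on this page)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(data: bytes) -> dict:
    """Walk DOS header -> PE signature -> COFF header -> section table.
    The overlay is everything past the highest PointerToRawData + SizeOfRawData;
    for an intact file overlay_offset + overlay_size == file size."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff_off = e_lfanew + 4
    machine, nsec, stamp, _, _, opt_size, _ = COFF_HDR.unpack_from(data, coff_off)
    table = coff_off + COFF_HDR.size + opt_size
    names, overlay_off = [], 0
    for i in range(nsec):
        name, _vsize, _va, raw_size, raw_ptr, *_ = SECTION_HDR.unpack_from(
            data, table + i * SECTION_HDR.size)
        names.append(name.rstrip(b"\0").decode("ascii", "replace"))
        overlay_off = max(overlay_off, raw_ptr + raw_size)
    overlay_off = min(overlay_off, len(data))     # tolerate truncated files
    overlay = data[overlay_off:]
    marker_off = data.find(AUTOIT_MARKER)         # -1 when absent
    compiled = datetime.fromtimestamp(stamp, tz=timezone.utc)
    return {
        "machine": machine,                        # 0x14C = Intel 386
        "timestamp": compiled.strftime("%Y-%m-%d %H:%M:%S"),
        "sections": names,
        "upx": any(n.startswith("UPX") for n in names),
        "overlay_offset": overlay_off,
        "overlay_size": len(overlay),
        "overlay_entropy": shannon_entropy(overlay),
        "autoit_marker_offset": marker_off,
        "autoit_marker_in_overlay": marker_off >= overlay_off,
    }


def build_sample_pe(overlay: bytes, stamp: int = 1327872748) -> bytes:
    """Constructed PE32 standing in for the sample: three sections named as UPX
    leaves them, `overlay` appended after the last one.  The default stamp is
    this report's compile time, 2012-01-29 21:32:28 UTC."""
    e_lfanew = 0x80
    opt = bytearray(224)                       # IMAGE_OPTIONAL_HEADER32
    struct.pack_into("<H", opt, 0, 0x10B)      # PE32 magic
    layout = [(b"UPX0", 0), (b"UPX1", 0x600), (b".rsrc", 0x200)]
    coff = COFF_HDR.pack(0x14C, len(layout), stamp, 0, 0, len(opt), 0x0102)
    hdr_len = e_lfanew + 4 + len(coff) + len(opt) + len(layout) * SECTION_HDR.size
    raw_ptr = -(-hdr_len // FILE_ALIGN) * FILE_ALIGN   # round up to FileAlignment
    headers, bodies = b"", b""
    for i, (name, raw_size) in enumerate(layout):
        headers += SECTION_HDR.pack(name, 0x1000, 0x1000 * (i + 1), raw_size,
                                    raw_ptr if raw_size else 0, 0, 0, 0, 0, 0xE0000040)
        bodies += bytes(raw_size)
        raw_ptr += raw_size
    dos = (b"MZ" + bytes(0x3A) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    image = (dos + b"PE\0\0" + coff + opt + headers).ljust(
        -(-hdr_len // FILE_ALIGN) * FILE_ALIGN, b"\0")
    return image + bodies + overlay


# Constructed overlay: the AutoIt marker followed by high-entropy filler.
SAMPLE_OVERLAY = AUTOIT_MARKER + bytes(range(256)) * 4

if __name__ == "__main__":
    for key, value in parse_pe(build_sample_pe(SAMPLE_OVERLAY)).items():
        print(f"{key:26} {value}")
```

Two caveats when running this against a real UPX-packed AutoIt binary. First, the marker search only succeeds where the script is stored uncompressed (appended after the last section, as older Aut2Exe versions do, or in an RCDATA resource that UPX left alone); if it comes back -1, unpack with `upx -d` and rerun. Second, the import list shown on this page (LoadLibraryA, GetProcAddress, VirtualAlloc, VirtualProtect, VirtualFree, ExitProcess plus a single function from each other DLL) is the minimal import table the UPX stub keeps, so the imphash above groups UPX-packed files in general, not Zbot droppers in particular; pivot on the unpacked file's imphash instead.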

VirusTotal metadata
First submission 2014-08-14 05:33:34 UTC ( 4 years, 3 months ago )
Last submission 2014-08-14 05:33:34 UTC ( 4 years, 3 months ago )
File names a8e4976f73c6f761d7232afa464304c0
_38HPX25.tmp
Advanced heuristic and reputation engines
ClamAV
Possibly Unwanted Application. While not necessarily malicious, the scanned file presents certain characteristics which depending on the user policies and environment may or may not represent a threat. For full details see: https://www.clamav.net/documents/potentially-unwanted-applications-pua .

Condensed report! The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.
Opened files
Read files
Created processes
Code injections in the following processes
Opened mutexes
Searched windows
Runtime DLLs
Additional details
The file uses the IsDebuggerPresent Windows API function in order to see whether it is being debugged.
The file sends control codes directly to certain device drivers making use of the DeviceIoControl Windows API function.