SHA256: f58d91bd0ae45743feff5bab0427f490336b2fc96548b2f8a76d0f5bc491609d
File name: 2015-05-02-RIG-EK-Payload.exe
Detection ratio: 5 / 56
Analysis date: 2015-05-02 18:26:38 UTC
Antivirus               Result                              Update
ESET-NOD32              a variant of Win32/Injector.BZPT    20150502
Kaspersky               UDS:DangerousObject.Multi.Generic   20150502
Panda                   Trj/Chgt.O                          20150502
Qihoo-360               HEUR/QVM10.1.Malware.Gen            20150502
Tencent                 Trojan.Win32.YY.Gen.30              20150502
Ad-Aware                -                                   20150502
AegisLab                -                                   20150502
Yandex                  -                                   20150502
AhnLab-V3               -                                   20150502
Alibaba                 -                                   20150502
ALYac                   -                                   20150516
Antiy-AVL               -                                   20150502
Avast                   -                                   20150502
AVG                     -                                   20150502
Avira (no cloud)        -                                   20150502
AVware                  -                                   20150502
Baidu-International     -                                   20150502
BitDefender             -                                   20150502
Bkav                    -                                   20150425
ByteHero                -                                   20150502
CAT-QuickHeal           -                                   20150502
ClamAV                  -                                   20150502
CMC                     -                                   20150501
Comodo                  -                                   20150502
Cyren                   -                                   20150502
DrWeb                   -                                   20150502
Emsisoft                -                                   20150502
F-Prot                  -                                   20150502
F-Secure                -                                   20150502
Fortinet                -                                   20150502
GData                   -                                   20150502
Ikarus                  -                                   20150502
Jiangmin                -                                   20150430
K7AntiVirus             -                                   20150502
K7GW                    -                                   20150502
Kingsoft                -                                   20150502
McAfee                  -                                   20150502
McAfee-GW-Edition       -                                   20150502
Microsoft               -                                   20150502
eScan                   -                                   20150502
NANO-Antivirus          -                                   20150502
Norman                  -                                   20150502
nProtect                -                                   20150430
Rising                  -                                   20150502
Sophos                  -                                   20150502
SUPERAntiSpyware        -                                   20150502
Symantec                -                                   20150502
TheHacker               -                                   20150501
TotalDefense            -                                   20150430
TrendMicro              -                                   20150502
TrendMicro-HouseCall    -                                   20150502
VBA32                   -                                   20150501
VIPRE                   -                                   20150502
ViRobot                 -                                   20150502
Zillya                  -                                   20150501
Zoner                   -                                   20150430
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
FileVersionInfo properties
Copyright Copyright © 1997-2011 PrestoSoft LLC
Publisher PrestoSoft LLC
Product ExamDiff Freeware Application
Original name ExamDiff.exe
Internal name ExamDiff
File version 1.9
Description ExamDiff Freeware Application
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2015-05-02 11:25:53
Entry Point 0x0002FA12
Number of sections 4
PE sections
PE imports
GetLastError
InitializeCriticalSectionAndSpinCount
HeapFree
GetStdHandle
EnterCriticalSection
LCMapStringW
ReleaseMutex
SetHandleCount
GetOEMCP
LCMapStringA
IsDebuggerPresent
HeapAlloc
TlsAlloc
GetEnvironmentStringsW
LoadLibraryA
RtlUnwind
GetModuleFileNameA
GetTapeParameters
DisconnectNamedPipe
GetCommTimeouts
GetEnvironmentStrings
GetLocaleInfoA
GetCurrentProcessId
GetCurrentProcess
UnhandledExceptionFilter
TlsGetValue
MultiByteToWideChar
HeapSize
GetLogicalDrives
FreeEnvironmentStringsW
GetCommandLineA
GetProcAddress
QueryPerformanceCounter
GetThreadContext
GetProcessHeap
AssignProcessToJobObject
FreeEnvironmentStringsA
GetCPInfo
GetStringTypeA
TlsSetValue
DeleteCriticalSection
SetUnhandledExceptionFilter
WriteFile
GetStartupInfoA
CreateMemoryResourceNotification
GetSystemTimeAsFileTime
GetACP
HeapReAlloc
GetStringTypeW
GetModuleHandleW
TlsFree
TerminateProcess
GetProcessHandleCount
WideCharToMultiByte
IsValidCodePage
HeapCreate
VirtualFree
InterlockedDecrement
Sleep
GetFileType
GetTickCount
SetMessageWaitingIndicator
GetProcessVersion
ExitProcess
GetCurrentThreadId
InterlockedIncrement
VirtualAlloc
SetLastError
LeaveCriticalSection
EmptyClipboard
GetCaretBlinkTime
GetUserObjectInformationW
GetInputState
ReleaseCapture
MapVirtualKeyA
GetComboBoxInfo
GetCaretPos
DeferWindowPos
GetClipboardFormatNameA
GetKBCodePage
DrawIcon
GetClipboardFormatNameW
IsCharAlphaA
IsWindowEnabled
VkKeyScanW
GetSysColor
GetAsyncKeyState
GetWindowRgn
GetMenuItemRect
IsCharLowerA
CloseClipboard
GetKeyboardLayoutList
GetThreadDesktop
WaitForInputIdle
CreateIconFromResourceEx
CreateIconFromResource
IsWindowUnicode
MapVirtualKeyExA
GetDlgItem
NotifyWinEvent
OpenClipboard
Number of PE resources by type
RT_DIALOG 15
RT_RCDATA 1
RT_VERSION 1
RT_MANIFEST 1
Number of PE resources by language
ENGLISH US 16
NEUTRAL 2
PE resources
ExifTool file metadata
SubsystemVersion 5.0
LinkerVersion 9.0
ImageVersion 0.0
FileSubtype 0
FileVersionNumber 1.9.0.2
UninitializedDataSize 0
LanguageCode English (U.S.)
FileFlagsMask 0x003f
CharacterSet Unicode
InitializedDataSize 43008
EntryPoint 0x2fa12
OriginalFileName ExamDiff.exe
MIMEType application/octet-stream
LegalCopyright Copyright 1997-2011 PrestoSoft LLC
FileVersion 1.9
TimeStamp 2015:05:02 12:25:53+01:00
FileType Win32 EXE
PEType PE32
InternalName ExamDiff
ProductVersion 1.9
FileDescription ExamDiff Freeware Application
OSVersion 5.0
FileOS Win32
Subsystem Windows GUI
MachineType Intel 386 or later, and compatibles
CompanyName PrestoSoft LLC
CodeSize 216064
ProductName ExamDiff Freeware Application
ProductVersionNumber 1.9.0.2
FileTypeExtension exe
ObjectFileType Executable application
File identification
MD5 15a8a3ce4ec984dbb3b7e9268268c988
SHA1 3914f13e7de66f97068ad829de49813b51308f1e
SHA256 f58d91bd0ae45743feff5bab0427f490336b2fc96548b2f8a76d0f5bc491609d
ssdeep 3072:aO04qaakZ+xxMDk3cmDN19AJtYmtzBm1AMTrIRNsbJgga7V9yjwrT1i9:+qZ+G8n9A/NzKAkcRRB9j1g
authentihash 078611f13c9850c4ef2daeb8d17286b0d12abc8e228c72358a5ef6a3a2e491a6
imphash 8a5921f0e9c29c2812a5cd7efae005c2
File size 254.0 KB ( 260096 bytes )
File type Win32 EXE
Magic literal PE32 executable for MS Windows (GUI) Intel 80386 32-bit
TrID Win32 Executable MS Visual C++ (generic) (42.2%)
Win64 Executable (generic) (37.3%)
Win32 Dynamic Link Library (generic) (8.8%)
Win32 Executable (generic) (6.0%)
Generic Win/DOS Executable (2.7%)
Tags peexe
VirusTotal metadata
First submission 2015-05-02 17:45:19 UTC
Last submission 2015-05-02 18:26:38 UTC
File names ExamDiff
2015-05-02-RIG-EK-Payload.exe
891E.tmp
ExamDiff.exe
Advanced heuristic and reputation engines
Symantec reputation Suspicious.Insight
Condensed report! The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.
Runtime DLLs
UDP communications