SHA256: fd7868f90757f63a092220a06f28ec2e500358d23c0ba6aae13bc61ff3b14ecc
File name: vt-upload-Hv8ZV
Detection ratio: 48 / 55
Analysis date: 2016-12-09 22:59:05 UTC ( 1 year, 11 months ago )
Antivirus Result Update
Ad-Aware Gen:Variant.Symmi.17062 20161209
AegisLab Troj.Spy.W32.Zbot.jycg!c 20161209
AhnLab-V3 Spyware/Win32.Zbot.R60197 20161209
ALYac Gen:Variant.Symmi.17062 20161209
Antiy-AVL Trojan[Spy]/Win32.Zbot 20161209
Arcabit Trojan.Symmi.D42A6 20161209
Avast Win32:Crypt-OZC [Trj] 20161209
AVG Win32/Cryptor 20161209
Avira (no cloud) TR/Spy.ZBot.jycg 20161209
AVware Trojan.Win32.Zbot.ma!ag (v) 20161209
Baidu Win32.Trojan.WisdomEyes.16070401.9500.9947 20161207
BitDefender Gen:Variant.Symmi.17062 20161209
Comodo UnclassifiedMalware 20161209
CrowdStrike Falcon (ML) malicious_confidence_89% (D) 20161024
Cyren W32/Symmi.AE.gen!Eldorado 20161209
DrWeb Trojan.PWS.Panda.2977 20161209
Emsisoft Gen:Variant.Symmi.17062 (B) 20161209
ESET-NOD32 a variant of Win32/Kryptik.AXLT 20161209
F-Prot W32/Symmi.AE.gen!Eldorado 20161209
F-Secure Trojan:W32/Agent.DUKE 20161209
Fortinet W32/Zbot.OAT!tr 20161209
GData Gen:Variant.Symmi.17062 20161209
Sophos ML ransom.win32.urausy.c 20161202
Jiangmin TrojanSpy.Zbot.esmr 20161209
K7AntiVirus Trojan ( 0042fb3f1 ) 20161209
K7GW Trojan ( 0042fb3f1 ) 20161209
Kaspersky Trojan-Spy.Win32.Zbot.jycg 20161209
Malwarebytes Virus.Expiro 20161209
McAfee PWS-Zbot 20161209
McAfee-GW-Edition BehavesLike.Win32.PWSZbot.dh 20161209
Microsoft PWS:Win32/Zbot 20161209
eScan Gen:Variant.Symmi.17062 20161209
NANO-Antivirus Trojan.Win32.Zbot.cqkgpi 20161209
nProtect Trojan-Spy/W32.ZBot.264704.AA 20161209
Panda Trj/CI.A 20161209
Qihoo-360 HEUR/Malware.QVM07.Gen 20161209
Rising Trojan.Generic-bbVeBwdqggR (cloud) 20161209
Sophos AV Troj/Agent-AAXH 20161209
SUPERAntiSpyware Trojan.Agent/Gen-Festo 20161209
Symantec Trojan.Zbot 20161209
Tencent Win32.Trojan-spy.Zbot.Aoae 20161210
TheHacker Trojan/Kryptik.axog 20161130
TrendMicro TSPY_ZBOT.AS 20161209
TrendMicro-HouseCall TSPY_ZBOT.AS 20161209
VBA32 TrojanSpy.Zbot 20161209
VIPRE Trojan.Win32.Zbot.ma!ag (v) 20161209
Yandex TrojanSpy.Zbot!eh9KlF/lKk8 20161209
Zillya Trojan.Zbot.Win32.112651 20161209
Engines with no detection (result column empty)
Alibaba 20161209
CAT-QuickHeal 20161209
ClamAV 20161209
CMC 20161209
Kingsoft 20161209
TotalDefense 20161209
Trustlook 20161210
ViRobot 20161209
WhiteArmor 20161207
Zoner 20161209
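The vendor table above mixes named-family verdicts (Zbot) with crypter and heuristic labels (Symmi, Kryptik, Crypt-OZC, Generic), so "48/55" says less than it seems. The script below is an added example, not part of the VirusTotal report, that buckets vendor labels by family so the consensus can be read off; the rows are transcribed from the table (engines whose names contain spaces were left out to keep the tuples unambiguous), and the family and heuristic token lists are this editor's own choice.

```python
# Added example (not from the VirusTotal page): bucket vendor labels by family
# so the detection ratio is not read as "48 engines agree on one thing".
import re
from collections import Counter

# (engine, result) pairs transcribed from the report; "" means no detection.
ROWS = [
    ("Ad-Aware", "Gen:Variant.Symmi.17062"),
    ("AegisLab", "Troj.Spy.W32.Zbot.jycg!c"),
    ("Avast", "Win32:Crypt-OZC [Trj]"),
    ("BitDefender", "Gen:Variant.Symmi.17062"),
    ("ESET-NOD32", "a variant of Win32/Kryptik.AXLT"),
    ("Kaspersky", "Trojan-Spy.Win32.Zbot.jycg"),
    ("Malwarebytes", "Virus.Expiro"),
    ("Microsoft", "PWS:Win32/Zbot"),
    ("Symantec", "Trojan.Zbot"),
    ("TrendMicro", "TSPY_ZBOT.AS"),
    ("K7AntiVirus", "Trojan ( 0042fb3f1 )"),
    ("ClamAV", ""),
    ("Zoner", ""),
]

# Editor-chosen token tables. Family tokens assert a specific family; heuristic
# tokens are crypter/packer/generic labels and are counted separately.
FAMILY_TOKENS = {"zbot": "zbot", "zeus": "zbot"}
HEURISTIC_TOKENS = {"symmi", "kryptik", "crypt", "cryptor", "generic", "gen"}

def classify(result: str) -> str:
    """Map one vendor label to 'undetected', a family name, 'heuristic' or 'other'."""
    if not result.strip():
        return "undetected"
    tokens = [t.lower() for t in re.split(r"[^A-Za-z0-9]+", result) if t]
    for t in tokens:
        if t in FAMILY_TOKENS:
            return FAMILY_TOKENS[t]
    if any(t in HEURISTIC_TOKENS for t in tokens):
        return "heuristic"
    return "other"

def tally(rows) -> Counter:
    """Count how many engines fall into each bucket."""
    return Counter(classify(result) for _, result in rows)

def consensus_family(rows):
    """Most common *named* family, or None if only heuristic/generic labels exist."""
    counts = tally(rows)
    named = [(n, fam) for fam, n in counts.items()
             if fam not in ("undetected", "heuristic", "other")]
    if not named:
        return None
    return max(named)[1]

if __name__ == "__main__":
    for bucket, n in tally(ROWS).most_common():
        print(f"{bucket:<11}{n}")
    print("consensus:", consensus_family(ROWS))
```

On the full table the same split holds: the Zbot/ZBOT verdicts come from engines that name a family, while Gen:Variant.Symmi, Kryptik, Crypt-OZC and Cryptor describe the crypter layer, and those are not independent confirmations of the family.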
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
Packers identified
PEiD Armadillo v1.71
Caveat: the PEiD "Armadillo v1.71" signature is a well-known false positive on ordinary Visual C++ 6 builds, and TrID together with the 6.0 linker version below point that way, so treat it as a hint rather than confirmed packing. The Kryptik, Crypt and Cryptor names in the vendor table are the more direct sign that a crypter wraps the payload.
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2013-03-25 12:16:08
Entry Point 0x00001A9A
Number of sections 4
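The fields above (machine, compilation timestamp, entry point, section count) all come from the COFF file header and the optional header, so they can be checked without a PE library. The script below is an added example, not part of the VirusTotal report: it reads those fields with the standard library and runs on a constructed, header-only PE32 image that carries the values from this report (the image is not a real executable and has no sections). Offsets follow the PE/COFF specification.

```python
# Added example (not from the VirusTotal page): parse the PE header fields the
# report lists, and check them on a constructed header-only image.
import calendar
import struct
from datetime import datetime, timezone

MACHINE_NAMES = {0x014C: "Intel 386 or later processors and compatible processors",
                 0x8664: "x64"}
SUBSYSTEM_NAMES = {2: "Windows GUI", 3: "Windows CUI"}

def parse_pe_basics(data: bytes) -> dict:
    """Return machine, PE type, linker version, code size, timestamp, entry point,
    section count and subsystem. Raises ValueError on a malformed header."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, nsections, tstamp, _, _, opt_size, _ = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24
    if opt_size < 0x46 or opt + opt_size > len(data):
        raise ValueError("optional header truncated")
    magic, lmaj, lmin = struct.unpack_from("<HBB", data, opt)
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic 0x%X" % magic)
    (code_size,) = struct.unpack_from("<I", data, opt + 4)      # SizeOfCode
    (entry,) = struct.unpack_from("<I", data, opt + 16)         # AddressOfEntryPoint
    (subsystem,) = struct.unpack_from("<H", data, opt + 68)     # Subsystem (same offset in PE32 and PE32+)
    ts = datetime.fromtimestamp(tstamp, tz=timezone.utc)
    return {
        "machine": MACHINE_NAMES.get(machine, "0x%04X" % machine),
        "pe_type": "PE32" if magic == 0x10B else "PE32+",
        "linker": "%d.%d" % (lmaj, lmin),
        "code_size": code_size,
        "timestamp": ts.strftime("%Y-%m-%d %H:%M:%S"),
        "entry_point": "0x%08X" % entry,
        "sections": nsections,
        "subsystem": SUBSYSTEM_NAMES.get(subsystem, str(subsystem)),
    }

def is_pe(data: bytes) -> bool:
    """True when parse_pe_basics() accepts the header."""
    try:
        parse_pe_basics(data)
        return True
    except ValueError:
        return False

# Compilation timestamp from the report, 2013-03-25 12:16:08 UTC, as Unix time.
SAMPLE_TIMESTAMP = calendar.timegm((2013, 3, 25, 12, 16, 8, 0, 0, 0))

def build_sample_pe(timestamp: int = SAMPLE_TIMESTAMP) -> bytes:
    """Constructed header-only PE32 image (no sections, not runnable) carrying the
    report's values: i386, 4 sections declared, entry 0x1A9A, linker 6.0,
    SizeOfCode 120320, GUI subsystem."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                    # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x014C, 4, timestamp, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)                                      # PE32 optional header size
    struct.pack_into("<HBB", opt, 0, 0x10B, 6, 0)              # magic, linker 6.0
    struct.pack_into("<III", opt, 4, 120320, 148992, 0)        # SizeOfCode, init, uninit data
    struct.pack_into("<I", opt, 16, 0x1A9A)                    # AddressOfEntryPoint
    struct.pack_into("<H", opt, 68, 2)                         # IMAGE_SUBSYSTEM_WINDOWS_GUI
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)

def sample_report() -> dict:
    return parse_pe_basics(build_sample_pe())

if __name__ == "__main__":
    for k, v in sample_report().items():
        print(f"{k:<12}{v}")
```

Worth noting when reading the result against the rest of the page: the compilation timestamp (12:16:08 UTC) sits 90 minutes before the first VirusTotal submission at 13:46:06 UTC, which is what a freshly built crypted sample looks like; a timestamp far in the future or in 1970 would instead suggest the field was forged.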
PE sections
PE imports (every function below is a KERNEL32.dll export; an import table this thin that still carries LoadLibraryA and GetProcAddress is consistent with a stub that resolves its real API set at runtime)
GetLastError
HeapFree
GetStdHandle
LCMapStringW
SetHandleCount
GetOEMCP
LCMapStringA
HeapDestroy
ExitProcess
GetEnvironmentStringsW
FlushFileBuffers
LoadLibraryA
RtlUnwind
RemoveDirectoryA
FreeEnvironmentStringsA
SetupComm
GetStartupInfoA
GetEnvironmentStrings
GetWindowsDirectoryW
SetThreadPriority
CompareStringW
SetTimeZoneInformation
GetCommProperties
GetCPInfo
GetVolumeInformationW
MultiByteToWideChar
WriteFileGather
FreeEnvironmentStringsW
BackupRead
GetCommandLineA
GetProcAddress
SetStdHandle
SetFilePointer
GlobalAddAtomW
UnhandledExceptionFilter
WideCharToMultiByte
GetStringTypeA
GetModuleHandleA
CreateSemaphoreW
WriteFile
GetCurrentProcess
CompareStringA
GetACP
HeapReAlloc
GetStringTypeW
SetEnvironmentVariableA
TerminateProcess
GetModuleFileNameA
GetCurrentDirectoryW
HeapCreate
VirtualFree
GetFileType
GetProcessVersion
HeapAlloc
GetVersion
VirtualAlloc
CloseHandle
Number of PE resources by type
RT_ACCELERATOR 1
RT_MANIFEST 1
Number of PE resources by language
ENGLISH US 2
PE resources
ExifTool file metadata
MIMEType application/octet-stream
Subsystem Windows GUI
MachineType Intel 386 or later, and compatibles
FileTypeExtension exe
TimeStamp 2013:03:25 13:16:08+01:00 (the same instant as the 2013-03-25 12:16:08 compilation timestamp above, rendered in UTC+1)
FileType Win32 EXE
PEType PE32
CodeSize 120320
LinkerVersion 6.0
EntryPoint 0x1a9a
InitializedDataSize 148992
SubsystemVersion 4.0
ImageVersion 0.0
OSVersion 4.0
UninitializedDataSize 0
Compressed bundles
File identification
MD5 7ffc17193a5cf2661e5950e24ee80d4b
SHA1 1c32a70c7d2a199e1164a0a5d816fe5aba26e055
SHA256 fd7868f90757f63a092220a06f28ec2e500358d23c0ba6aae13bc61ff3b14ecc
ssdeep 6144:Ymu21gO9clkYr4vQW/xtD8+8RgYt19WGjU9e/4vE:ppCW04x/xF8+8R9/QI/4
authentihash 4aef1f12843bde1edaa22632a31d62413b6ca56b24b479201cc059cd414ed927
imphash 32e98546eff4db42062927609e7126de
File size 258.5 KB ( 264704 bytes )
File type Win32 EXE
Magic literal PE32 executable for MS Windows (GUI) Intel 80386 32-bit
TrID Win32 Executable MS Visual C++ (generic) (67.4%)
Win32 Dynamic Link Library (generic) (14.2%)
Win32 Executable (generic) (9.7%)
Generic Win/DOS Executable (4.3%)
DOS Executable Generic (4.3%)
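Of the identifiers above, the imphash is the one that survives a rebuild of the same crypter stub, because it hashes only the import table. The script below is an added example, not part of the VirusTotal report: it computes an imphash the way pefile's get_imphash() does (lower-case "dll.func" entries, in import-table order, with the .dll/.ocx/.sys extension stripped and ordinal-only imports rendered as "ordN"), so its properties can be checked. The ws2_32 ordinal table is an assumed, tiny subset of pefile's list (pefile also maps oleaut32 ordinals), and the sample import list assumes the functions shown on this page come from KERNEL32.dll; the resulting hash is not expected to equal the report's value, since the full table is not reproduced here.

```python
# Added example (not from the VirusTotal page): imphash construction in the
# style of pefile.get_imphash(), with a partial ordinal table.
import hashlib
from typing import Iterable, List, Tuple, Union

# Assumed subset of pefile's ws2_32.dll ordinal-to-name table (the real one is
# much longer and also covers oleaut32.dll).
ORDINAL_NAMES = {
    "ws2_32.dll": {1: "accept", 2: "bind", 3: "closesocket", 4: "connect",
                   16: "recv", 19: "send", 23: "socket", 52: "gethostbyname",
                   115: "WSAStartup", 116: "WSACleanup"},
}
STRIPPED_EXTENSIONS = {"ocx", "sys", "dll"}

Import = Union[str, int]  # a symbol name, or a bare ordinal number

def imphash_string(imports: Iterable[Tuple[str, List[Import]]]) -> str:
    """Build the comma-joined 'dll.func' string that the imphash is the MD5 of."""
    parts = []
    for dll, entries in imports:
        lib = dll.lower()
        base, dot, ext = lib.rpartition(".")
        if dot and ext in STRIPPED_EXTENSIONS:
            lib = base                      # kernel32.dll -> kernel32
        for entry in entries:
            if isinstance(entry, int):      # ordinal import: map if known, else ordN
                name = ORDINAL_NAMES.get(dll.lower(), {}).get(entry, "ord%d" % entry)
            else:
                name = entry
            parts.append("%s.%s" % (lib, name.lower()))
    return ",".join(parts)

def imphash(imports: Iterable[Tuple[str, List[Import]]]) -> str:
    """Hex MD5 of imphash_string(); order-sensitive, case-insensitive."""
    return hashlib.md5(imphash_string(imports).encode()).hexdigest()

# Constructed input: a subset of the KERNEL32 imports listed in the report,
# assumed to be in import-table order.
REPORT_IMPORTS = [("KERNEL32.dll", ["GetLastError", "HeapFree", "GetStdHandle",
                                    "LoadLibraryA", "GetProcAddress", "VirtualAlloc"])]

if __name__ == "__main__":
    print(imphash_string(REPORT_IMPORTS))
    print(imphash(REPORT_IMPORTS))
```

Because the hash depends on import order, two builds of one stub that differ only in the order the linker emitted imports get different imphashes; when pivoting on imphash 32e98546eff4db42062927609e7126de, treat a near-miss on the import set as a reason to compare import lists directly rather than as a negative.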
Tags peexe armadillo
VirusTotal metadata
First submission 2013-03-25 13:46:06 UTC ( 5 years, 7 months ago )
Last submission 2013-07-30 05:26:54 UTC ( 5 years, 3 months ago )
File names 7ffc17193a5cf2661e5950e24ee80d4b.malware
vt-upload-Hv8ZV
file-5300667_scr
1806884.malware
TzwbWgbL
fedex_trk_61293150511865307217.scr
921637.malware
fedex_trk_61293150511865307217.scr.ex_
7ffc17193a5cf2661e5950e24ee80d4b.exe
Note the fedex_trk_61293150511865307217.scr name (and its .ex_ copy): a FedEx tracking-number lure with a screen-saver extension, which Windows executes exactly like an .exe.
Advanced heuristic and reputation engines
Symantec reputation Suspicious.Insight
Condensed report! The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.
Opened files
Read files
Written files
Copied files
Moved files
Deleted files
Set keys
Created processes
Code injections in the following processes
Created mutexes
Opened mutexes
Searched windows
Opened service managers
Opened services
Runtime DLLs
Additional details
The file sends control codes directly to certain device drivers making use of the DeviceIoControl Windows API function.
HTTP requests
DNS requests
TCP connections
UDP communications