SHA256: fe7a8161729880ba10da047c6fd56c77b4d811ca57c87bd32c73509de87d3cc8
File name: 2018-12-10-IcedID-persistent-on-infected-host.exe
Detection ratio: 14 / 69
Analysis date: 2018-12-11 11:19:18 UTC (3 months, 1 week ago)
Antivirus | Result | Update
Bkav | W32.AIDetectVM.malware | 20181211
CrowdStrike Falcon (ML) | malicious_confidence_70% (W) | 20181022
Cylance | Unsafe | 20181211
Endgame | malicious (high confidence) | 20181108
ESET-NOD32 | a variant of Win32/Kryptik.GNPE | 20181211
Fortinet | W32/Kryptik.GNPE!tr | 20181211
Ikarus | Win32.Outbreak | 20181211
Sophos ML | heuristic | 20181128
Kaspersky | Trojan-Banker.Win32.IcedID.tkcq | 20181211
Microsoft | Trojan:Win32/Tiggre!plock | 20181211
Palo Alto Networks (Known Signatures) | generic.ml | 20181211
Rising | Trojan.Kryptik!8.8 (CLOUD) | 20181211
Webroot | W32.Trojan.Gen | 20181211
ZoneAlarm by Check Point | UDS:DangerousObject.Multi.Generic | 20181211

Engines with no result reported (engine update date):
Ad-Aware 20181211
AegisLab 20181211
AhnLab-V3 20181210
Alibaba 20180921
ALYac 20181211
Antiy-AVL 20181210
Arcabit 20181211
Avast 20181211
Avast-Mobile 20181210
AVG 20181211
Avira (no cloud) 20181210
Babable 20180918
Baidu 20181207
BitDefender 20181211
CAT-QuickHeal 20181210
ClamAV 20181211
CMC 20181210
Comodo 20181211
Cybereason 20180225
Cyren 20181211
DrWeb 20181211
eGambit 20181211
Emsisoft 20181211
F-Prot 20181211
F-Secure 20181211
GData 20181211
Jiangmin 20181211
K7AntiVirus 20181211
K7GW 20181211
Kingsoft 20181211
Malwarebytes 20181211
MAX 20181211
McAfee 20181211
McAfee-GW-Edition 20181211
eScan 20181211
NANO-Antivirus 20181211
Panda 20181210
Qihoo-360 20181211
SentinelOne (Static ML) 20181011
Sophos AV 20181211
SUPERAntiSpyware 20181205
Symantec 20181211
Symantec Mobile Insight 20181207
TACHYON 20181211
Tencent 20181211
TheHacker 20181210
Trapmine 20181205
TrendMicro 20181211
TrendMicro-HouseCall 20181211
Trustlook 20181211
VBA32 20181211
VIPRE 20181211
ViRobot 20181211
Yandex 20181207
Zillya 20181211
Zoner 20181211
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
FileVersionInfo properties
Copyright: Copyright © 2001 Formstack Round. All rights reserved.
Product: Rosestudent
Original name: greatvalley.exe
File version: 7.8.81.32
Description: Rosestudent
PE header basic information
Target machine: Intel 386 or later processors and compatible processors
Compilation timestamp: 2010-12-10 12:00:58
Entry Point: 0x00018F05
Number of sections: 4
PE sections
PE imports
SelectClipRgn
CreateFontA
GetPixel
GetStockObject
CreateRectRgn
GetLastError
InitializeCriticalSectionAndSpinCount
HeapFree
GetStdHandle
EnterCriticalSection
GetConsoleOutputCP
SetHandleCount
GetConsoleCP
GetOEMCP
QueryPerformanceCounter
IsDebuggerPresent
HeapAlloc
TlsAlloc
GetEnvironmentStringsW
FlushFileBuffers
GetModuleFileNameA
RtlUnwind
LoadLibraryA
FreeEnvironmentStringsA
DeleteCriticalSection
GetCurrentProcess
GetEnvironmentStrings
GetConsoleMode
GetLocaleInfoA
GetFileSize
LCMapStringW
WriteConsoleW
GetCPInfo
UnhandledExceptionFilter
InterlockedDecrement
MultiByteToWideChar
HeapSize
GetTickCount
FreeEnvironmentStringsW
GetCommandLineA
GetProcAddress
GetStringTypeA
GetProcessHeap
SetStdHandle
GetModuleHandleA
WideCharToMultiByte
TlsFree
SetFilePointer
ReadFile
SetUnhandledExceptionFilter
WriteFile
GetStartupInfoA
CloseHandle
GetSystemTimeAsFileTime
GetACP
HeapReAlloc
GetStringTypeW
GetModuleHandleW
TerminateProcess
LCMapStringA
WriteConsoleA
IsValidCodePage
HeapCreate
VirtualFree
TlsGetValue
Sleep
GetFileType
SetEndOfFile
TlsSetValue
CreateFileA
ExitProcess
GetCurrentThreadId
InterlockedIncrement
VirtualAlloc
GetCurrentProcessId
SetLastError
LeaveCriticalSection
ReleaseDC
GetWindowLongA
EnumWindows
GetClassInfoExA
DefWindowProcA
CallNextHookEx
GetFileVersionInfoSizeA
GetFileVersionInfoA
VerQueryValueA
Number of PE resources by type
RT_DIALOG: 13
RT_MANIFEST: 1
RT_VERSION: 1
Number of PE resources by language
ENGLISH US: 15
PE resources
Debug information
ExifTool file metadata
UninitializedDataSize: 0
LinkerVersion: 9.0
ImageVersion: 0.0
FileSubtype: 0
FileVersionNumber: 7.8.81.32
LanguageCode: English (U.S.)
FileFlagsMask: 0x0000
FileDescription: Rosestudent
ImageFileCharacteristics: No relocs, Executable, 32-bit
CharacterSet: Unicode
InitializedDataSize: 78336
EntryPoint: 0x18f05
OriginalFileName: greatvalley.exe
MIMEType: application/octet-stream
LegalCopyright: Copyright 2001 Formstack Round. All rights reserved.
FileVersion: 7.8.81.32
TimeStamp: 2010:12:10 04:00:58-08:00
FileType: Win32 EXE
PEType: PE32
ProductVersion: 7.8.81.32
SubsystemVersion: 5.0
OSVersion: 5.0
FileOS: Win32
Subsystem: Windows GUI
MachineType: Intel 386 or later, and compatibles
CompanyName: Formstack Round
CodeSize: 148992
ProductName: Rosestudent
ProductVersionNumber: 7.8.81.32
FileTypeExtension: exe
ObjectFileType: Executable application
File identification
MD5: f2d64d1b86f931a67ea2665572318ae1
SHA1: 9f19912c49325574afa2a91d2f90cf0fae239bde
SHA256: fe7a8161729880ba10da047c6fd56c77b4d811ca57c87bd32c73509de87d3cc8
ssdeep: 3072:CDsf+gV8NCBjUkthKg4k8PiRJq9ydxBBGNQ9/nt/oYVZXjQGxj+U:/fyNejU+hKDkxRJEydYeJBoiu
authentihash: 441cfb9313eb83a4d493c96287bae98e9f3f68027f3a20bc4a3b7802675a7acc
imphash: 77da906dafc5e296e25c317d128165c2
File size: 177.0 KB (181248 bytes)
File type: Win32 EXE
Magic literal: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
TrID:
  Win32 Executable MS Visual C++ (generic) (41.0%)
  Win64 Executable (generic) (36.3%)
  Win32 Dynamic Link Library (generic) (8.6%)
  Win32 Executable (generic) (5.9%)
  OS/2 Executable (generic) (2.6%)
Tags: peexe
VirusTotal metadata
First submission: 2018-12-10 22:51:03 UTC (3 months, 1 week ago)
Last submission: 2018-12-10 22:51:03 UTC (3 months, 1 week ago)
File names: 2018-12-10-IcedID-persistent-on-infected-host.exe, greatvalley.exe
Advanced heuristic and reputation engines
Condensed report! The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.