SHA256: ff92206215115c867789dbd5a95132a2bd153bb1e5a1ef66e539f382f2ce30dc
File name: vti-rescan
Detection ratio: 16 / 48
Analysis date: 2013-10-09 22:07:08 UTC ( 6 months, 2 weeks ago )
Antivirus Result Update
AhnLab-V3 Trojan/Win64.Napolar 20131009
Avast Win32:NapolarPlugin-B [Trj] 20131009
Comodo TrojWare.Win32.Agent.~AGOP 20131009
ESET-NOD32 Win64/Napolar.A 20131009
Emsisoft Trojan.Win64.Napolar (A) 20131009
Fortinet W64/Agent.CJ!tr 20131009
Ikarus Trojan.Win64 20131009
Kaspersky Trojan.Win64.Agent.cj 20131009
Malwarebytes Trojan.Walletsteal 20131009
McAfee RDN/Generic.dx!crh 20131009
McAfee-GW-Edition RDN/Generic.dx!crh 20131009
Norman Agent.AYHNJ 20131009
Symantec WS.Reputation.1 20131009
TrendMicro TROJ_SPNR.3AJ113 20131009
TrendMicro-HouseCall TROJ_SPNR.3AJ113 20131009
VIPRE Trojan.Win32.Generic!BT 20131009
AVG 20131009
Agnitum 20131009
AntiVir 20131009
Antiy-AVL 20131009
Baidu-International 20131009
BitDefender 20131009
Bkav 20131008
ByteHero 20130920
CAT-QuickHeal 20131009
ClamAV 20131009
Commtouch 20131009
DrWeb 20131009
F-Prot 20131009
F-Secure 20131009
GData 20131009
Jiangmin 20130903
K7AntiVirus 20131009
K7GW 20131009
Kingsoft 20130829
MicroWorld-eScan 20131009
Microsoft 20131009
NANO-Antivirus 20131009
PCTools 20131002
Panda 20131009
Rising 20131009
SUPERAntiSpyware 20131009
Sophos 20131009
TheHacker 20131007
TotalDefense 20131009
VBA32 20131009
ViRobot 20131009
nProtect 20131009
The file being studied is a Portable Executable file! More specifically, it is a Win32 DLL file for the Windows GUI subsystem.
PE header basic information
Target machine x64
Compilation timestamp 2013-08-29 14:01:23
Entry Point 0x0000CBE0
Number of sections 8
PE sections
PE imports
SHGetFolderPathW
SetThreadLocale
GetLastError
HeapFree
GetStdHandle
VirtualAllocEx
GetSystemInfo
GetVersionExW
FreeLibrary
HeapAlloc
TlsAlloc
LoadLibraryA
GetCommandLineW
RtlUnwind
lstrcatW
DeleteCriticalSection
LocalAlloc
lstrcatA
GetModuleHandleW
UnhandledExceptionFilter
MultiByteToWideChar
GetStartupInfoW
GetProcAddress
GetProcessHeap
CompareStringW
RaiseException
WideCharToMultiByte
TlsFree
ReadFile
GetCurrentThreadId
WriteFile
CloseHandle
GetACP
RtlUnwindEx
LocalFree
InitializeCriticalSection
CreateFileW
VirtualQuery
VirtualFree
TlsGetValue
Sleep
TlsSetValue
ExitProcess
GetVersion
VirtualAlloc
GetFileSize
SysFreeString
MessageBoxA
HttpSendRequestA
InternetOpenW
InternetCloseHandle
HttpOpenRequestW
InternetConnectW
PE exports
Number of PE resources by type
RT_RCDATA 2
Number of PE resources by language
NEUTRAL 2
ExifTool file metadata
MIMEType application/octet-stream
Subsystem Windows GUI
MachineType AMD AMD64
TimeStamp 2013:08:29 15:01:23+01:00
FileType Win64 DLL
PEType PE32+
CodeSize 48640
LinkerVersion 8.0
EntryPoint 0xcbe0
InitializedDataSize 16384
SubsystemVersion 5.2
ImageVersion 5.2
OSVersion 5.2
UninitializedDataSize 0

File identification
MD5 37f9f243c5d3251ac244675c227de649
SHA1 ade1b543a3e90a4b7636dc7a1949407ee7e14ac7
SHA256 ff92206215115c867789dbd5a95132a2bd153bb1e5a1ef66e539f382f2ce30dc
ssdeep 768:Oayg1Gz7PTOTLh2uWG5kt55/C0s3RpW7:OauzbTOTlQp5/2W7
File size 64.5 KB ( 66048 bytes )
File type Win32 DLL
Magic literal PE32+ executable for MS Windows (DLL) (GUI) Mono/.Net assembly
TrID Generic Win/DOS Executable (49.9%)
DOS Executable Generic (49.8%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.1%)
Tags assembly pedll

VirusTotal metadata
First submission 2013-09-02 00:35:22 UTC ( 7 months, 3 weeks ago )
Last submission 2013-10-09 22:07:08 UTC ( 6 months, 2 weeks ago )
File names WalletSteal.dll
file-6025972_dll
37F9F243C5D3251AC244675C227DE649
vti-rescan
37F9F243C5D3251AC244675C227DE649.exe
37F9F243C5D3251AC244675C227DE649.ex
Advanced heuristic and reputation engines
ClamAV PUA
Possibly Unwanted Application. While not necessarily malicious, the scanned file presents certain characteristics which depending on the user policies and environment may or may not represent a threat. For full details see: http://www.clamav.net/index.php?s=pua&lang=en .

Symantec reputation Suspicious.Insight