SHA256: 689fb4c908b29aa44859bfc8eef9f6b345ac5601d1046b4f26a5bfb5ff343ecd
File name: 2014-09-09-Rig-EK-malware-payload.exe
Detection ratio: 49 / 62
Analysis date: 2017-04-16 05:17:05 UTC (1 year, 4 months ago)
Antivirus   Result   Update
Ad-Aware Dropped:Trojan.GenericKDZ.25969 20170416
AegisLab Troj.Downloader.W32.Goo.pfh!c 20170414
AhnLab-V3 Dropper/Win32.Necurs.C539671 20170415
ALYac Dropped:Trojan.GenericKDZ.25969 20170416
Antiy-AVL Trojan[Ransom]/Win32.Gimemo 20170416
Arcabit Trojan.Generic.D6571 20170416
Avast Win32:GenMalicious-INU [Trj] 20170416
AVG Win32/Herz.B 20170416
Avira (no cloud) TR/Spy.ZBot.ikaab 20170415
AVware Trojan.Win32.Generic!BT 20170410
Baidu Win32.Trojan.WisdomEyes.16070401.9500.9954 20170414
BitDefender Dropped:Trojan.GenericKDZ.25969 20170416
CAT-QuickHeal Trojan.Carberp 20170415
Comodo TrojWare.Win32.Joinkjot.SRG 20170416
CrowdStrike Falcon (ML) malicious_confidence_83% (W) 20170130
Cyren W32/Downloader.FQUD-7282 20170416
DrWeb Trojan.Winlock.8004 20170416
Emsisoft Dropped:Trojan.GenericKDZ.25969 (B) 20170416
Endgame malicious (high confidence) 20170413
ESET-NOD32 NSIS/TrojanDropper.Agent.BS 20170415
F-Prot W32/Downldr2.IZQE 20170416
F-Secure Trojan.GenericKDZ.25969 20170416
Fortinet W32/Dropper.OEM!tr.NSIS 20170416
Ikarus Trojan-Downloader.Win32.Zurgop 20170415
Sophos ML trojan.win32.skeeyah.a!rfn 20170413
Jiangmin Trojan.Generic.ihrf 20170416
K7AntiVirus Trojan ( 004a98b31 ) 20170416
K7GW Trojan ( 004a98b31 ) 20170416
Kaspersky Trojan-Downloader.Win32.Goo.pfh 20170416
McAfee Artemis!250819688DC1 20170416
McAfee-GW-Edition Zemot-FAJN!BC183D917BC4 20170416
Microsoft Trojan:Win32/Carberp.I 20170416
eScan Dropped:Trojan.GenericKDZ.25969 20170416
NANO-Antivirus Trojan.Win32.Goo.dewbnv 20170416
Palo Alto Networks (Known Signatures) generic.ml 20170416
Panda Trj/Chgt.F 20170415
Rising Trojan.Generic (cloud:i219Qbgo0LH) 20170416
SentinelOne (Static ML) static engine - malicious 20170330
Sophos AV Mal/Wonton-S 20170416
SUPERAntiSpyware Trojan.Agent/Gen-Downloader 20170415
Symantec Downloader 20170415
Tencent Win32.Trojan-downloader.Goo.Hnuu 20170416
TrendMicro TROJ_DOFOIL.SM03 20170416
TrendMicro-HouseCall TROJ_DOFOIL.SM03 20170416
VBA32 BScope.P2P-Worm.Palevo 20170414
VIPRE Trojan.Win32.Generic!BT 20170416
Webroot W32.Trojan.GenKDZ 20170416
Yandex Trojan.Injector!cOq3IFdL8XI 20170414
ZoneAlarm by Check Point Trojan-Downloader.Win32.Goo.pfh 20170416
No detection (engine and signature date only):
Alibaba 20170415, Bkav 20170415, ClamAV 20170416, CMC 20170416, GData 20170416, Kingsoft 20170416, Malwarebytes 20170416, nProtect 20170416, Qihoo-360 20170416, Symantec Mobile Insight 20170414, TheHacker 20170412, TotalDefense 20170416, Trustlook 20170416, ViRobot 20170416, WhiteArmor 20170409, Zillya 20170414, Zoner 20170416
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
Packers identified: F-PROT: NSIS
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2009-12-05 22:50:58
Entry Point 0x0000325E
Number of sections 5
Overlays
MD5 2468d3e6e225a845af20a5df314781ac, file type: data, offset: 54784, size: 49974, entropy: 7.99
PE imports
RegDeleteKeyA
RegCloseKey
RegQueryValueExA
RegSetValueExA
RegEnumValueA
RegCreateKeyExA
RegOpenKeyExA
RegEnumKeyA
RegDeleteValueA
ImageList_Create
Ord(17)
ImageList_Destroy
ImageList_AddMasked
GetDeviceCaps
SetBkMode
CreateBrushIndirect
CreateFontIndirectA
SelectObject
SetBkColor
DeleteObject
SetTextColor
GetLastError
lstrlenA
GetFileAttributesA
GlobalFree
WaitForSingleObject
GetExitCodeProcess
CopyFileA
ExitProcess
SetFileTime
GlobalUnlock
GetModuleFileNameA
LoadLibraryA
GetShortPathNameA
GetCurrentProcess
LoadLibraryExA
CompareFileTime
GetPrivateProfileStringA
WritePrivateProfileStringA
GetFileSize
lstrcatA
CreateDirectoryA
DeleteFileA
GetWindowsDirectoryA
SetErrorMode
MultiByteToWideChar
GetCommandLineA
GlobalLock
SetFileAttributesA
SetFilePointer
GetTempPathA
CreateThread
lstrcmpiA
GetModuleHandleA
lstrcmpA
ReadFile
WriteFile
FindFirstFileA
CloseHandle
GetTempFileNameA
lstrcpynA
FindNextFileA
RemoveDirectoryA
GetSystemDirectoryA
GetDiskFreeSpaceA
ExpandEnvironmentStringsA
GetFullPathNameA
FreeLibrary
MoveFileA
CreateProcessA
GlobalAlloc
SearchPathA
FindClose
Sleep
CreateFileA
GetTickCount
GetVersion
GetProcAddress
SetCurrentDirectoryA
MulDiv
SHGetFileInfoA
SHGetSpecialFolderLocation
SHBrowseForFolderA
SHGetPathFromIDListA
ShellExecuteA
SHFileOperationA
EmptyClipboard
GetMessagePos
EndPaint
CharPrevA
EndDialog
BeginPaint
PostQuitMessage
DefWindowProcA
SetWindowTextA
SetClassLongA
LoadBitmapA
SetWindowPos
GetSystemMetrics
IsWindow
AppendMenuA
GetWindowRect
DispatchMessageA
ScreenToClient
SetDlgItemTextA
MessageBoxIndirectA
LoadImageA
GetDlgItemTextA
PeekMessageA
SetWindowLongA
IsWindowEnabled
GetSysColor
CheckDlgButton
GetDC
FindWindowExA
SystemParametersInfoA
CreatePopupMenu
wsprintfA
DialogBoxParamA
SetClipboardData
IsWindowVisible
GetClassInfoA
SetForegroundWindow
GetClientRect
CreateWindowExA
GetDlgItem
CreateDialogParamA
DrawTextA
EnableMenuItem
RegisterClassA
InvalidateRect
GetWindowLongA
SendMessageTimeoutA
SetTimer
LoadCursorA
TrackPopupMenu
SendMessageA
FillRect
ShowWindow
OpenClipboard
CharNextA
CallWindowProcA
GetSystemMenu
EnableWindow
CloseClipboard
DestroyWindow
ExitWindowsEx
SetCursor
GetFileVersionInfoSizeA
GetFileVersionInfoA
VerQueryValueA
OleUninitialize
CoTaskMemFree
OleInitialize
CoCreateInstance
Number of PE resources by type: RT_ICON 3, RT_DIALOG 3, RT_GROUP_ICON 1
Number of PE resources by language: ENGLISH US 7
ExifTool file metadata
MIMEType: application/octet-stream
Subsystem: Windows GUI
MachineType: Intel 386 or later, and compatibles
FileTypeExtension: exe
TimeStamp: 2009:12:05 23:50:58+01:00
FileType: Win32 EXE
PEType: PE32
CodeSize: 24064
LinkerVersion: 6.0
EntryPoint: 0x325e
InitializedDataSize: 164864
SubsystemVersion: 4.0
ImageVersion: 6.0
OSVersion: 4.0
UninitializedDataSize: 1024

File identification
MD5 250819688dc109a79a4de24eeabbb3de
SHA1 f63af5cccb6411fd89386f2261bbb86d49328a50
SHA256 689fb4c908b29aa44859bfc8eef9f6b345ac5601d1046b4f26a5bfb5ff343ecd
ssdeep 1536:CSV8/DcCDCMMkG0DaXJ+gQ2hMNDZEUN9F1jqMV0N436gAm:CS8BCfoDaXJk2ONGkp36gAm
authentihash 946c541af67cb73dd04b8b60243faf151551fc33162cb672ff5ffb628eeb8e93
imphash 099c0646ea7282d232219f8807883be0
File size 102.3 KB (104758 bytes)
File type Win32 EXE
Magic literal PE32 executable for MS Windows (GUI) Intel 80386 32-bit

TrID NSIS - Nullsoft Scriptable Install System (94.8%)
Win32 Executable MS Visual C++ (generic) (3.4%)
Win32 Dynamic Link Library (generic) (0.7%)
Win32 Executable (generic) (0.5%)
Generic Win/DOS Executable (0.2%)
Tags
nsis peexe overlay

VirusTotal metadata
First submission 2014-09-09 23:32:13 UTC (3 years, 11 months ago)
Last submission 2017-04-16 05:17:05 UTC (1 year, 4 months ago)
File names file-7601922_exe
2014-09-09-Rig-EK-malware-payload.exe
1.exe_
2014-09-09-Rig-EK-malware-payload.exe
2014-09-09-Rig-EK-malware-payload.exe.txt
Rig-EK-malware-payload.exe
Advanced heuristic and reputation engines
TrendMicro-HouseCall
TrendMicro's heuristic engine has flagged this file as: Suspicious_GEN.F47V1001.

Symantec reputation Suspicious.Insight
Condensed report! The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.
Additional details
The file sends control codes directly to certain device drivers making use of the DeviceIoControl Windows API function.