SHA256: 624568125153d786e21927182b141cd8fe7fd4e97b7eb8b1933b8663bf3652ad
File name: 2016-09-28-Afraidgate-Rig-EK-payload-Locky-downloader.exe
Detection ratio: 55 / 62
Analysis date: 2017-04-16 03:39:04 UTC ( 7 months, 1 week ago )
Antivirus Result Update
Ad-Aware Gen:Variant.Ransom.Locky.27 20170416
AegisLab Backdoor.W32.Fonten!c 20170414
AhnLab-V3 Trojan/Win32.Dynamer.C1582621 20170415
ALYac Backdoor.Fonten.gen 20170416
Antiy-AVL Trojan[Backdoor]/Win32.Fonten 20170416
Arcabit Trojan.Ransom.Locky.27 20170416
Avast Win32:Malware-gen 20170416
AVG Generic38.OJZ 20170416
Avira (no cloud) TR/Crypt.ZPACK.bfpue 20170415
AVware Trojan.Win32.Generic!BT 20170410
Baidu Win32.Trojan.Kryptik.awy 20170414
BitDefender Gen:Variant.Ransom.Locky.27 20170416
Bkav W32.Clodb46.Trojan.05a8 20170415
CAT-QuickHeal Ransom.Locky 20170415
ClamAV Win.Trojan.Fonten-2 20170415
CrowdStrike Falcon (ML) malicious_confidence_100% (W) 20170130
Cyren W32/S-3968c2a2!Eldorado 20170416
DrWeb Trojan.Encoder.6449 20170416
Emsisoft Gen:Variant.Ransom.Locky.27 (B) 20170416
Endgame malicious (high confidence) 20170413
ESET-NOD32 a variant of Win32/Kryptik.FGYK 20170415
F-Prot W32/S-3968c2a2!Eldorado 20170416
F-Secure Gen:Variant.Ransom.Locky.27 20170416
Fortinet W32/GenKryptik.GZP!tr 20170416
GData Gen:Variant.Ransom.Locky.27 20170416
Ikarus Trojan-Ransom.Locky 20170415
Sophos ML generic.a 20170413
Jiangmin Backdoor.Fonten.i 20170416
K7AntiVirus Trojan ( 004f96991 ) 20170416
K7GW Trojan ( 004f96991 ) 20170416
Kaspersky Backdoor.Win32.Fonten.al 20170416
McAfee Ransomware-FRM!8906DCFA9D6C 20170416
McAfee-GW-Edition BehavesLike.Win32.Backdoor.ph 20170416
Microsoft Trojan:Win32/Dynamer!ac 20170416
eScan Gen:Variant.Ransom.Locky.27 20170416
NANO-Antivirus Trojan.Win32.Kryptik.egqgxd 20170416
nProtect Backdoor/W32.Fonten.48640 20170416
Palo Alto Networks (Known Signatures) generic.ml 20170416
Panda Trj/Genetic.gen 20170415
Qihoo-360 Win32/Backdoor.b08 20170416
Rising Backdoor.Fonten!8.1ECE (cloud:iK02NAc4cJB) 20170416
SentinelOne (Static ML) static engine - malicious 20170330
Sophos AV Mal/Generic-S 20170416
Symantec Downloader.Quanader!g1 20170415
Tencent Win32.Backdoor.Fonten.Dyzu 20170416
TotalDefense Win32/Inject.C!generic 20170415
TrendMicro Ransom_HPLOCKY.SMBOS4 20170416
TrendMicro-HouseCall Ransom_HPLOCKY.SMBOS4 20170416
VBA32 Backdoor.Fonten 20170414
VIPRE Trojan.Win32.Generic!BT 20170416
ViRobot Trojan.Win32.Agent.48640.BO[h] 20170416
Webroot Trojan.Dropper.Gen 20170416
Yandex Backdoor.Fonten! 20170414
Zillya Backdoor.Fonten.Win32.47 20170414
ZoneAlarm by Check Point Backdoor.Win32.Fonten.al 20170416
Alibaba 20170415
CMC 20170415
Comodo 20170416
Kingsoft 20170416
Malwarebytes 20170416
SUPERAntiSpyware 20170415
Symantec Mobile Insight 20170414
TheHacker 20170412
Trustlook 20170416
WhiteArmor 20170409
Zoner 20170416
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
FileVersionInfo properties
File version 68.90.37.493
Description Doubloons
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2016-09-27 23:44:00
Entry Point 0x00001000
Number of sections 5
PE sections
PE imports
SetThreadToken
InitCommonControlsEx
PrintDlgA
HeapFree
GlobalFree
FreeLibrary
HeapDestroy
ExitProcess
VirtualProtect
GlobalUnlock
LoadLibraryA
FreeEnvironmentStringsA
SetProcessWorkingSetSize
GetProcAddress
SetFilePointer
GetModuleHandleA
VirtualUnlock
SetUnhandledExceptionFilter
WriteFile
CloseHandle
HeapReAlloc
GlobalLock
HeapLock
GetLogicalDriveStringsA
HeapCreate
GlobalAlloc
SetEndOfFile
CreateFileA
HeapAlloc
memset
strcat
strcpy
strlen
memcpy
strncpy
CoInitialize
DragQueryFileA
SystemParametersInfoA
DdeDisconnectList
OpenClipboard
SetWindowTextA
MsgWaitForMultipleObjects
DdeImpersonateClient
GetKBCodePage
GetMenuItemCount
UnhookWindowsHookEx
LoadMenuA
RemoveMenu
ClipCursor
CloseClipboard
CheckMenuItem
GetSysColor
GetClipboardData
WindowFromDC
VerInstallFileA
waveOutMessage
mciSendCommandA
midiDisconnect
waveInGetErrorTextA
DefDriverProc
Number of PE resources by type
RT_VERSION 1
Number of PE resources by language
ENGLISH US 1
PE resources
ExifTool file metadata
fileversion 68.90.37.493
UninitializedDataSize 0
InitializedDataSize 18432
filedescription Doubloons
ImageVersion 0.0
FileVersionNumber 74.39.44.1486
LanguageCode English (U.S.)
FileFlagsMask 0x0000
companyname Egressed
CharacterSet Windows, Latin1
LinkerVersion 2.5
FileTypeExtension exe
MIMEType application/octet-stream
TimeStamp 2016:09:28 00:44:00+01:00
FileType Win32 EXE
PEType PE32
SubsystemVersion 4.0
OSVersion 4.0
FileOS Win32
Subsystem Windows GUI
MachineType Intel 386 or later, and compatibles
CodeSize 29696
FileSubtype 0
ProductVersionNumber 80.55.39.9750
EntryPoint 0x1000
ObjectFileType Executable application
Compressed bundles
File identification
MD5 8906dcfa9d6cfeb3408bfbe497b802bf
SHA1 cb5b1b094f33b69882297fc8b8d83fe9f24e542e
SHA256 624568125153d786e21927182b141cd8fe7fd4e97b7eb8b1933b8663bf3652ad
ssdeep 768:NkmvqhgaqUGF8DI4RcXVbcIg+JHQW3j/dHJKYkDErIL1hBbnwfNVKStJk6YzJJi0:rQgaPs4Rc5Ygp3j/dHJKYle1HwfNVDtd
authentihash 70cee7d19ab35e516156b7cab447f140650c994e169af042e8989939cb3ff7d4
imphash a4a098252b9d572ed65e13ce8afdc37f
File size 47.5 KB ( 48640 bytes )
File type Win32 EXE
Magic literal PE32 executable for MS Windows (GUI) Intel 80386 32-bit
TrID Win32 Executable PureBasic (generic) (58.0%)
Win32 Executable MS Visual C++ (generic) (17.2%)
Win64 Executable (generic) (15.2%)
Win32 Dynamic Link Library (generic) (3.6%)
Win32 Executable (generic) (2.4%)
Tags
peexe

VirusTotal metadata
First submission 2016-09-28 06:47:32 UTC ( 1 year, 1 month ago )
Last submission 2017-04-16 03:39:04 UTC ( 7 months, 1 week ago )
File names
2016-09-28-Afraidgate-Rig-EK-payload-Locky-downloader.exe
624568125153d786e21927182b141cd8fe7fd4e97b7eb8b1933b8663bf3652ad
Afraidgate-Rig-EK-payload-Locky-downloader.exe
Condensed report! The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.
Opened files
Read files
Written files
Created mutexes
Opened mutexes
Searched windows
Opened service managers
Opened services
Hooking activity
Runtime DLLs
Additional details
The file installs an application-defined hook procedure into a hook chain. A hook procedure is installed to monitor the system for certain types of events; these events are associated either with a specific thread or with all threads in the same desktop as the calling thread. This is done by calling the SetWindowsHook Windows API function.
HTTP requests
DNS requests
TCP connections
UDP communications