SHA256: f8c45af956e71195acc3fd63fa734d4c9dee44ea7b723317c214ecb17f6944d1
File name: 544_12_08_2016_01_37_26_0194.exe.malware
Detection ratio: 54 / 62
Analysis date: 2017-07-01 08:41:04 UTC ( 3 months, 3 weeks ago )
Antivirus Result Update
Ad-Aware Trojan.GenericKD.4744438 20170701
AegisLab Troj.Ransom.W32.Shade!c 20170701
AhnLab-V3 Trojan/Win32.Shade.R200719 20170630
ALYac Trojan.GenericKD.4744438 20170701
Antiy-AVL Trojan[Ransom]/Win32.Shade 20170630
Arcabit Trojan.Generic.D4864F6 20170701
Avast Win32:Rootkit-gen [Rtk] 20170701
AVG Win32:Rootkit-gen [Rtk] 20170701
Avira (no cloud) TR/Dropper.VB.hidzi 20170701
AVware Trojan.Win32.Generic!BT 20170701
Baidu Win32.Trojan.WisdomEyes.16070401.9500.9999 20170630
BitDefender Trojan.GenericKD.4744438 20170701
Bkav W32.Clod5cd.Trojan.d840 20170701
CAT-QuickHeal TrojanRansom.Shade 20170630
Comodo UnclassifiedMalware 20170701
CrowdStrike Falcon (ML) malicious_confidence_100% (W) 20170420
Cyren W32/Trojan.FIOP-2275 20170701
DrWeb Trojan.KillProc.52394 20170701
Emsisoft Trojan-Ransom.Shade (A) 20170701
Endgame malicious (high confidence) 20170629
ESET-NOD32 a variant of Win32/Injector.DNJN 20170701
F-Secure Trojan.GenericKD.4744438 20170701
Fortinet W32/Shade.IBOAZHF!tr 20170629
GData Trojan.GenericKD.4744438 20170701
Ikarus Trojan.Win32.Emotet 20170701
Sophos ML heuristic 20170607
Jiangmin Trojan.Shade.eu 20170701
K7AntiVirus Trojan ( 0050a7521 ) 20170701
K7GW Trojan ( 0050a7521 ) 20170701
Kaspersky Trojan-Ransom.Win32.Shade.mhr 20170701
Malwarebytes Trojan.PasswordStealer 20170701
McAfee RDN/Ransom 20170701
McAfee-GW-Edition BehavesLike.Win32.Generic.dc 20170701
Microsoft Trojan:Win32/Dynamer!ac 20170701
eScan Trojan.GenericKD.4744438 20170701
NANO-Antivirus Trojan.Win32.Shade.enhibt 20170701
nProtect Ransom/W32.Shade.244284 20170701
Palo Alto Networks (Known Signatures) generic.ml 20170701
Panda Trj/Genetic.gen 20170701
Qihoo-360 Win32/RootKit.Rootkit.7e5 20170701
Rising Malware.FakePDF@CV!1.6AC1 (cloud:X6OyI7nrfLB) 20170701
SentinelOne (Static ML) static engine - malicious 20170516
Sophos AV Troj/VBinjec-LC 20170701
Symantec Ransom.Kovter 20170630
Tencent Win32.Trojan.Shade.Pegj 20170701
TrendMicro Ransom_CRYPSHED.F117D3 20170701
TrendMicro-HouseCall Ransom_CRYPSHED.F117D3 20170701
VBA32 Hoax.Shade 20170630
VIPRE Trojan.Win32.Generic!BT 20170701
ViRobot Trojan.Win32.Z.Shade.244284 20170701
Webroot W32.Malware.Gen 20170701
Yandex Trojan.Injector!qGll/YW8o5g 20170630
Zillya Trojan.Shade.Win32.416 20170630
ZoneAlarm by Check Point Trojan-Ransom.Win32.Shade.mhr 20170701
Alibaba (no detection) 20170630
ClamAV (no detection) 20170701
CMC (no detection) 20170701
F-Prot (no detection) 20170701
Kingsoft (no detection) 20170701
SUPERAntiSpyware (no detection) 20170701
Symantec Mobile Insight (no detection) 20170630
TheHacker (no detection) 20170628
TotalDefense (no detection) 20170701
Trustlook (no detection) 20170701
WhiteArmor (no detection) 20170627
Zoner (no detection) 20170701
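The detection table above mixes family names (Shade, Emotet, Kovter, Dynamer) with type-only verdicts (GenericKD, Rootkit-gen, Injector). A triage step practitioners routinely do is to normalise the vendor labels and count which family name most engines agree on, rather than trusting any single engine. The script below is an added example, not part of the VirusTotal page; the SAMPLE list is a constructed subset transcribed from the table above (an empty label stands for an engine that reported nothing), and the GENERIC stop-list and the five-letter minimum are this example's own heuristics, not a vendor convention.

```python
import re
from collections import Counter

# Constructed sample: (engine, label) pairs transcribed from the detection
# table above; an empty label means the engine reported no detection.
SAMPLE = [
    ("Ad-Aware", "Trojan.GenericKD.4744438"),
    ("AegisLab", "Troj.Ransom.W32.Shade!c"),
    ("AhnLab-V3", "Trojan/Win32.Shade.R200719"),
    ("Antiy-AVL", "Trojan[Ransom]/Win32.Shade"),
    ("Avast", "Win32:Rootkit-gen [Rtk]"),
    ("Emsisoft", "Trojan-Ransom.Shade (A)"),
    ("ESET-NOD32", "a variant of Win32/Injector.DNJN"),
    ("Ikarus", "Trojan.Win32.Emotet"),
    ("Kaspersky", "Trojan-Ransom.Win32.Shade.mhr"),
    ("Microsoft", "Trojan:Win32/Dynamer!ac"),
    ("Symantec", "Ransom.Kovter"),
    ("TrendMicro", "Ransom_CRYPSHED.F117D3"),
    ("Sophos AV", "Troj/VBinjec-LC"),
    ("ClamAV", ""),
]

# Tokens that name a malware type or a heuristic rather than a family
# (this example's own stop-list); they are dropped before counting.
GENERIC = {"trojan", "troj", "ransom", "rootkit", "injector", "dropper", "variant",
           "malware", "malicious", "heuristic", "agent", "backdoor", "worm", "virus",
           "behaveslike", "unclassifiedmalware", "passwordstealer", "cloud"}


def family_tokens(label: str) -> set:
    """Candidate family names in one vendor label: alphabetic runs of at least
    five letters that are not generic type words and not a 'Generic*' verdict.
    Short variant suffixes (DNJN, mhr, Rtk) and numeric ids fall out naturally."""
    out = set()
    for tok in re.split(r"[^A-Za-z]+", label):
        t = tok.lower()
        if len(t) >= 5 and t not in GENERIC and not t.startswith("generic"):
            out.add(t)
    return out


def consensus(results) -> dict:
    """Tally family-name votes across engines. Each engine contributes a set,
    so it votes at most once per name, and engines with no label are skipped."""
    detections = [(e, l) for e, l in results if l.strip()]
    votes = Counter()
    for _, label in detections:
        votes.update(family_tokens(label))
    ransom_votes = sum(1 for _, l in detections if "ransom" in l.lower())
    top = votes.most_common(1)
    return {
        "engines": len(results),
        "detections": len(detections),
        "family": top[0][0] if top else None,
        "family_votes": top[0][1] if top else 0,
        "ransom_votes": ransom_votes,
        "all_votes": dict(votes),
    }


if __name__ == "__main__":
    for k, v in consensus(SAMPLE).items():
        print(f"{k}: {v}")
```

On the constructed subset the majority name is "shade" with five votes, six engines flag the sample as ransomware, and single-vote names (emotet, kovter, dynamer, crypshed, vbinjec) show why one engine's family label should not be taken at face value.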
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
FileVersionInfo properties
Copyright We wish you a long and amazing life. We wish you great health and.
Product We wish you a long and amazing life. We wish you great health and.
Original name RRousei.exe
Internal name RRousei
File version 1.00.0181
Description We wish you a long and amazing life. We wish you great health and.
Comments We wish you a long and amazing life. We wish you great health and.
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2017-04-02 10:36:38
Entry Point 0x000016B0
Number of sections 3
PE sections
Overlays
MD5 06451e324b5036d8182ad32db281f213
File type data
Offset 155648
Size 88636
Entropy 8.00
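The header block above is where a triage starts: the VB6 linker version, an i386 GUI-subsystem PE32, a compile timestamp consistent with the first-submission date, and an 88,636-byte overlay at offset 155,648 with entropy 8.00. An overlay is data appended after the last section's raw bytes; the loader never maps it, so a stub that needs it has to read its own file from disk, and entropy at the 8.0 ceiling means the blob is encrypted or compressed rather than plain code. The following parser is an added example, not code from the page or from VirusTotal; it uses only the standard library. `build_sample_pe` constructs a minimal synthetic PE for the test (it is not the real sample), copying the report's timestamp, linker version, entry point and subsystem, and appending an overlay of uniformly distributed bytes.

```python
import math
import struct
from datetime import datetime, timezone

# IMAGE_SUBSYSTEM_* values from the optional header.
SUBSYSTEMS = {1: "Native", 2: "Windows GUI", 3: "Windows CUI"}


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant run, 8.0 for
    uniformly distributed bytes (what an encrypted or compressed blob looks like)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def parse_pe(data: bytes) -> dict:
    """Walk the DOS, COFF and section headers of a PE32/PE32+ image and report
    the fields a triage checks, plus any overlay after the last section's raw data."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    linker_major, linker_minor = data[opt + 2], data[opt + 3]
    entry_point = struct.unpack_from("<I", data, opt + 16)[0]  # AddressOfEntryPoint (RVA)
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]    # same offset in PE32 and PE32+
    sect_table = opt + opt_size
    sections = []
    for i in range(nsections):
        hdr = sect_table + 40 * i
        name = data[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", data, hdr + 16)  # SizeOfRawData, PointerToRawData
        sections.append({
            "name": name,
            "raw_ptr": raw_ptr,
            "raw_size": raw_size,
            "entropy": round(shannon_entropy(data[raw_ptr:raw_ptr + raw_size]), 2),
        })
    # Overlay = everything past the highest raw-data end. Not mapped by the loader.
    end_of_sections = max((s["raw_ptr"] + s["raw_size"] for s in sections),
                          default=sect_table + 40 * nsections)
    overlay = data[end_of_sections:]
    return {
        "machine": hex(machine),
        "compile_time_utc": datetime.fromtimestamp(timestamp, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
        "linker_version": f"{linker_major}.{linker_minor}",
        "entry_point": entry_point,
        "subsystem": SUBSYSTEMS.get(subsystem, str(subsystem)),
        "sections": sections,
        "overlay_offset": end_of_sections if overlay else None,
        "overlay_size": len(overlay),
        "overlay_entropy": round(shannon_entropy(overlay), 2),
    }


def build_sample_pe(overlay: bytes) -> bytes:
    """Constructed test input (not the real sample): a minimal PE32 with one
    zero-filled .text section at file offset 512 and `overlay` appended."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                                     # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 1491129398, 0, 0, 224, 0x102)    # i386, 1 section, 2017-04-02 10:36:38 UTC
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                                     # PE32 magic
    opt[2], opt[3] = 6, 0                                                     # linker 6.0 (VB6)
    struct.pack_into("<I", opt, 16, 0x16B0)                                   # AddressOfEntryPoint
    struct.pack_into("<H", opt, 68, 2)                                        # IMAGE_SUBSYSTEM_WINDOWS_GUI
    sect = bytearray(40)
    sect[:5] = b".text"
    struct.pack_into("<II", sect, 16, 512, 512)                               # SizeOfRawData, PointerToRawData
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + bytes(sect)).ljust(512, b"\0")
    return headers + bytes(512) + overlay


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe(bytes(range(256)) * 4)
    for k, v in parse_pe(blob).items():
        print(f"{k}: {v}")
```

Run it against a real file with `python pe_overlay.py sample.bin`; on the synthetic input the overlay starts at 1024, is 1024 bytes long and scores 8.0, while the zero-filled section scores 0.0. Note the ExifTool timestamp further down the page (2017:04:02 11:36:38+01:00) is the same value rendered in a +01:00 zone; always compare compile times in UTC.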
PE imports (all resolved from MSVBVM60.DLL, the Visual Basic 6 runtime; entries shown as Ord(n) are imported by ordinal only)
_adj_fdivr_m64
Ord(546)
__vbaGenerateBoundsError
_allmul
__vbaGet3
_adj_fprem
__vbaAryMove
__vbaObjVar
__vbaRedim
Ord(537)
_adj_fdiv_r
__vbaObjSetAddref
__vbaMidStmtBstr
Ord(100)
__vbaHresultCheckObj
_CIlog
Ord(595)
_adj_fptan
__vbaFileClose
Ord(581)
__vbaI4Var
__vbaVarLateMemSt
Ord(608)
__vbaFreeStr
Ord(631)
__vbaStrI4
__vbaFreeStrList
_adj_fdiv_m16i
EVENT_SINK_QueryInterface
__vbaLenBstr
Ord(525)
__vbaResume
__vbaRedimPreserve
__vbaInStr
_adj_fdiv_m32i
Ord(717)
__vbaExceptHandler
__vbaSetSystemError
DllFunctionCall
__vbaUbound
__vbaFreeVar
__vbaFileOpen
Ord(606)
__vbaAryLock
EVENT_SINK_Release
__vbaOnError
_adj_fdivr_m32i
__vbaStrCat
__vbaVarDup
__vbaChkstk
__vbaPrintFile
Ord(570)
__vbaAryUnlock
Ord(661)
__vbaStrVarCopy
__vbaFreeObjList
__vbaVar2Vec
__vbaFreeVarList
__vbaStrVarMove
__vbaExitProc
__vbaVarTstGe
__vbaAryConstruct2
__vbaFreeObj
__vbaVarCopy
Ord(573)
_CIcos
__vbaDateVar
__vbaNew2
__vbaR8IntI4
__vbaAryDestruct
__vbaStrMove
_adj_fprem1
_adj_fdiv_m32
Ord(685)
__vbaUI1ErrVar
_adj_fpatan
EVENT_SINK_AddRef
__vbaStrCopy
Ord(632)
__vbaFPException
_adj_fdivr_m16i
_adj_fdiv_m64
_CIsin
_CIsqrt
_adj_fdivr_m32
_CIatan
__vbaLateMemCall
__vbaObjSet
__vbaVarCat
_CIexp
_CItan
__vbaFpI4
Ord(598)
Number of PE resources by type
RT_ICON 2
RT_VERSION 1
RT_GROUP_ICON 1
Number of PE resources by language
NEUTRAL 3
ENGLISH US 1
PE resources
ExifTool file metadata
LegalTrademarks We wish you a long and amazing life. We wish you great health and.
SubsystemVersion 4.0
Comments We wish you a long and amazing life. We wish you great health and.
LinkerVersion 6.0
ImageVersion 1.0
FileSubtype 0
FileVersionNumber 1.0.0.181
LanguageCode English (U.S.)
FileFlagsMask 0x0000
FileDescription We wish you a long and amazing life. We wish you great health and.
CharacterSet Unicode
InitializedDataSize 36864
EntryPoint 0x16b0
OriginalFileName RRousei.exe
MIMEType application/octet-stream
LegalCopyright We wish you a long and amazing life. We wish you great health and.
FileVersion 1.00.0181
TimeStamp 2017:04:02 11:36:38+01:00
FileType Win32 EXE
PEType PE32
InternalName RRousei
ProductVersion 1.00.0181
UninitializedDataSize 0
OSVersion 4.0
FileOS Win32
Subsystem Windows GUI
MachineType Intel 386 or later, and compatibles
CodeSize 135168
ProductName We wish you a long and amazing life. We wish you great health and.
ProductVersionNumber 1.0.0.181
FileTypeExtension exe
ObjectFileType Executable application

File identification
MD5 4f2dac8e556e727efb12d16255c9a5d9
SHA1 6ec9e9f996f6c5f9476dca542f5ffec9d3dc16ab
SHA256 f8c45af956e71195acc3fd63fa734d4c9dee44ea7b723317c214ecb17f6944d1
ssdeep 3072:4F4z349T7F4z349TPZIsKAjNuShzHJ3zB9gqBVg4rmQvuOKItBQhBK+F71kp:A40NJ40NPqsKAjNuC1EqEQmOdBN+FWp

authentihash 1051d255d697126fb1a918c0d0cd521520275a188b61d1f093f015b87ba14398
imphash a0041139679b318811b354bdeb73fb12
File size 238.6 KB ( 244284 bytes )
File type Win32 EXE
Magic literal PE32 executable for MS Windows (GUI) Intel 80386 32-bit

TrID Win32 Executable Microsoft Visual Basic 6 (84.4%)
Win32 Dynamic Link Library (generic) (6.7%)
Win32 Executable (generic) (4.6%)
Generic Win/DOS Executable (2.0%)
DOS Executable Generic (2.0%)
Tags peexe overlay

VirusTotal metadata
First submission 2017-04-03 08:47:00 UTC ( 6 months, 3 weeks ago )
Last submission 2017-07-01 08:41:04 UTC ( 3 months, 3 weeks ago )
File names aa
0194.exe
544_12_08_2016_01_37_26_0194.exe.malware
0194.bin
cbz7UoM6DY.wsf
544_12_08_2016_01_37_26_0194.exe.malware.mrg
2851.exe
f8c45af956e71195acc3fd63fa734d4c9dee44ea7b723317c214ecb17f6944d1
RRousei.exe
RRousei
Behaviour characterization
Zemana
dll-injection

Condensed report! The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.
Opened files
Hooking activity
Runtime DLLs
Additional details
The file installs an application-defined hook procedure into a hook chain with the SetWindowsHookEx Windows API (the sandbox lists it under its legacy name, SetWindowsHook). Hook procedures are installed to monitor the system for certain types of events, associated either with a specific thread or with all threads in the same desktop as the calling thread. The security-relevant point is the second case: when the hook procedure lives in a DLL and the hook is installed for all threads (thread id 0), Windows loads that DLL into every process that receives the hooked event type, which is the classic hook-based DLL injection technique and is consistent with the Zemana "dll-injection" characterization above. Because the report does not show the hook type or the DLL module, treat this as an indicator to confirm in a sandbox or with API tracing, not as a standalone verdict.
UDP communications