diff --git a/README.md b/README.md index fcdd06f..29299ab 100644 --- a/README.md +++ b/README.md @@ -123,21 +123,26 @@ We recommend you to read the RAID 2016 and ACSAC 2020 papers for more details. ## Input JSON format -AVClass and AVClass2 support two input JSON formats: +AVClass and AVClass2 support three input JSON formats: -1. VirusTotal JSON reports (*-vt file*), -where each line in *file* should be the full JSON of a -VirusTotal report as fetched through the VirusTotal API. -By default, it assumes the VT reports are from VT API version 2. -If the VT reports are from VT API version 3, add the -vt3 command line option. +1. VirusTotal v2 API JSON reports (*-vt file*), +where each line in the input *file* should be the full JSON of a +VirusTotal v2 API response to the */file/report* endpoint, +e.g., obtained by querying https://www.virustotal.com/vtapi/v2/file/report?apikey={apikey}&resource={hash} +There is an example VirusTotal v2 input file in examples/vtv2_sample.json -2. Simplified JSON (*-lb file*), +2. VirusTotal v3 API JSON reports (*-vt file -vt3*), +where each line in the input *file* should be the full JSON of a VirusTotal API version 3 response with a *File* object report, +e.g., obtained by querying https://www.virustotal.com/api/v3/files/{hash} +There is an example VirusTotal v3 input file in examples/vtv3_sample.json + +3. Simplified JSON (*-lb file*), where each line in *file* should be a JSON with (at least) these fields: {md5, sha1, sha256, av_labels}. There is an example of such input file in *examples/malheurReference_lb.json* -**Why have two different input formats?** +**Why have a simplified JSON format?** We believe most users will get the AV labels using VirusTotal. However, AVClass and AVClass2 are IO-bound and a VirusTotal report diff --git a/avclass/README.md b/avclass/README.md index 134fa87..07fb2ec 100644 --- a/avclass/README.md +++ b/avclass/README.md 
@@ -87,16 +87,25 @@ that are removed by AVClass. ## Input JSON format -AVClass supports three input JSON formats: +AVClass supports three input JSON formats: -1. VirusTotal JSON reports (**-vt** file), where each line in file should be - the full JSON of a VirusTotal report as fetched through the VirusTotal API. - By default, it assumes the VT reports are from VT API version 2. - If the VT reports are from VT API version 3, add the **-vt3** command line option. +1. VirusTotal v2 API JSON reports (*-vt file*), +where each line in the input *file* should be the full JSON of a +VirusTotal v2 API response to the */file/report* endpoint, +e.g., obtained by querying https://www.virustotal.com/vtapi/v2/file/report?apikey={apikey}&resource={hash} +There is an example VirusTotal v2 input file in examples/vtv2_sample.json + +2. VirusTotal v3 API JSON reports (*-vt file -vt3*), +where each line in the input *file* should be the full JSON of a VirusTotal API version 3 response with a *File* object report, +e.g., obtained by querying https://www.virustotal.com/api/v3/files/{hash} +There is an example VirusTotal v3 input file in examples/vtv3_sample.json + +3. Simplified JSON (*-lb file*), +where each line in *file* should be a JSON +with (at least) these fields: +{md5, sha1, sha256, av_labels}. +There is an example of such input file in *examples/malheurReference_lb.json* -2. Simplified JSON (**-lb** file), where each line in file should be a JSON with - (at least) these fields: {md5, sha1, sha256, scan_date, av_labels}. - There is an example of such input file in ../examples/malheurReference_lb.json **Multiple input files** diff --git a/avclass2/README.md b/avclass2/README.md index f0a34f6..83dfaad 100644 --- a/avclass2/README.md +++ b/avclass2/README.md 
@@ -97,18 +97,27 @@ to minimize such differences and avoid maintaining different data files. AVClass2 supports three input JSON formats: -1. VirusTotal JSON reports (**-vt** file), where each line in file should be - the full JSON of a VirusTotal report as fetched through the VirusTotal API. - By default, it assumes the VT reports are from VT API version 2. - If the VT reports are from VT API version 3, add the **-vt3** command line option. +1. VirusTotal v2 API JSON reports (*-vt file*), +where each line in the input *file* should be the full JSON of a +VirusTotal v2 API response to the */file/report* endpoint, +e.g., obtained by querying https://www.virustotal.com/vtapi/v2/file/report?apikey={apikey}&resource={hash} +There is an example VirusTotal v2 input file in examples/vtv2_sample.json + +2. VirusTotal v3 API JSON reports (*-vt file -vt3*), +where each line in the input *file* should be the full JSON of a VirusTotal API version 3 response with a *File* object report, +e.g., obtained by querying https://www.virustotal.com/api/v3/files/{hash} +There is an example VirusTotal v3 input file in examples/vtv3_sample.json + +3. Simplified JSON (*-lb file*), +where each line in *file* should be a JSON +with (at least) these fields: +{md5, sha1, sha256, av_labels}. +There is an example of such input file in *examples/malheurReference_lb.json* -2. Simplified JSON (**-lb** file), where each line in file should be a JSON with - (at least) these fields: {md5, sha1, sha256, scan_date, av_labels}. - There is an example of such input file in ../examples/malheurReference_lb.json **Multiple input files** -AVClass can handle multiple input files putting the results in the same output files +AVClass2 can handle multiple input files putting the results in the same output files (if you want results in separate files, process each input file separately). It is possible to provide the -vt and -lb input options multiple times. 
diff --git a/examples/vtv2_sample.json b/examples/vtv2_sample.json new file mode 100644 index 0000000..2ea153a --- /dev/null +++ b/examples/vtv2_sample.json 
@@ -0,0 +1,2 @@ +{"vhash": "015086651575156d551561z60500230028dz26z5fz1", "submission_names": ["abd024a2a11487a71f4bb5826e178a0b6c38604e.exe", "602695c8f2ad76564bddcaf47b76edff", "vt-upload-UIEJN"], "scan_date": "2015-09-28 01:01:14", "first_seen": "2013-02-07 20:20:44", "times_submitted": 4, "dataset_tags": ["candia"], "additional_info": {"exports": ["SendConfigOld"], "pe-debug": [{"timedatestamp": "Sun May 13 20:45:11 2012", "codeview": {"age": 1, "guid": "2b9c1cfa-12c6-44cd-a0d4-c172399818b7", "name": "C:\\aakefNaziBarnaal1ma3eelemdefpamoi\\GratnusBeamscum6mudomaxel00mm\\CuesEllsbatseatsRyothinsMarthibaa\\Sotshup3ElmsobiHootCoaltadyaarShedpoi\\LichHeedduct5Ortsexit.pdb", "signature": "RSDS"}, "offset": 153633, "type_str": "IMAGE_DEBUG_TYPE_CODEVIEW", "type": 2, "size": 189}], "magic": "PE32 executable for MS Windows (GUI) Intel 80386 32-bit", "sigcheck": {"link date": "9:45 PM 5/13/2012"}, "exiftool": {"MIMEType": "application/octet-stream", "Subsystem": "Windows GUI", "MachineType": "Intel 386 or later, and compatibles", "TimeStamp": "2012:05:13 21:45:11+01:00", "FileType": "Win32 EXE", "PEType": "PE32", "CodeSize": "21504", "LinkerVersion": "18.0", "FileTypeExtension": "exe", "InitializedDataSize": "134656", "SubsystemVersion": "5.1", "EntryPoint": "0x1907", "OSVersion": "5.1", "ImageVersion": "0.0", "UninitializedDataSize": "0"}, "trid": "Win32 Executable MS Visual C++ (generic) (52.5%)\nWindows screen saver (22.0%)\nWin32 Dynamic Link Library (generic) (11.0%)\nWin32 Executable (generic) (7.5%)\nGeneric Win/DOS Executable (3.3%)", "pe-imphash": "cde722c6096842db74c6d973b6fd30ca", "behaviour-v1": {"hooking": [], "network": {"udp": [":53", "83.133.123.20:53", "187.34.3.31:16471", "98.234.76.45:16471", "71.254.253.254:16471", "195.3.145.57:123", "190.254.253.254:16471", "88.254.253.254:16471", "184.254.253.254:16471", "182.254.253.254:16471", "117.254.253.254:16471", "180.254.253.254:16471", "87.254.253.254:16471", "166.254.253.254:16471", 
"119.254.253.254:16471", "135.254.253.254:16471", "134.254.253.254:16471", "92.254.253.254:16471", "95.158.169.23:16471", "89.228.111.71:16471", "135.19.196.71:16471", "79.10.52.77:16471", "211.186.248.89:16471", "222.254.253.254:16471", "66.56.49.28:16471", "206.254.253.254:16471", "178.149.127.42:16471", "115.254.253.254:16471"], "http": [{"url": "http://j.maxmind.com/app/geoip.js", "method": "GET", "user-agent": null}, {"url": "http://mkvrpknidkurcrftiqsfjqdxbn.com/BmQVT8VVUkhwdj0xLjEmaWQ9MTAzODQ3MzAxNSZhaWQ9MzA0OTgmc2lkPTAmb3M9NS4xLTMywyzuqT66", "method": "GET", "user-agent": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"}], "tcp": ["50.22.196.70:80", "98.234.76.45:16471", "83.133.120.16:80"], "dns": [{"ip": "50.22.196.70", "hostname": "j.maxmind.com"}, {"ip": "74.125.24.106", "hostname": "www.google.com"}, {"ip": "50.62.12.103", "hostname": "mkvrpknidkurcrftiqsfjqdxbn.com"}]}, "service": {"controlled": [], "opened": [{"name": "MsMpSvc", "success": false}, {"name": "windefend", "success": false}, {"name": "SharedAccess", "success": true}, {"name": "iphlpsvc", "success": false}, {"name": "wscsvc", "success": true}, {"name": "mpssvc", "success": false}, {"name": "bfe", "success": false}], "created": [], "started": [], "opened-managers": [{"machine": "localhost", "success": true, "database": "SERVICES_ACTIVE_DATABASE"}], "deleted": []}, "extra": ["DeviceIoControl"], "windows": {"searched": []}, "process": {"shellcmds": [], "terminated": [], "tree": [{"pid": 376, "name": "cc4f95243ce37e3dc825bff20af50bac6de569460917763083feb3f3a1eb92e0", "children": []}], "injected": [], "created": [{"proc": "C:\\WINDOWS\\system32\\cmd.exe", "success": true}]}, "runtime-dlls": [{"success": true, "file": "shlwapi"}, {"success": true, "file": "user32"}, {"success": true, "file": "ntdll.dll"}, {"success": true, "file": "kernel32.dll"}, {"success": true, "file": "advapi32.dll"}, {"success": true, "file": "cabinet.dll"}, {"success": true, "file": "ws2_32.dll"}, {"success": 
true, "file": "c:\\windows\\system32\\mswsock.dll"}, {"success": true, "file": "hnetcfg.dll"}, {"success": true, "file": "rpcrt4.dll"}, {"success": true, "file": "c:\\windows\\system32\\wshtcpip.dll"}, {"success": true, "file": "rsaenh.dll"}, {"success": true, "file": "version.dll"}], "mutex": {"opened": [{"mutex": "ShimCacheMutex", "success": true}], "created": []}, "registry": {"deleted": [], "set": []}, "filesystem": {"opened": [{"path": "\\\\.\\PIPE\\lsarpc", "success": true}, {"path": "C:\\WINDOWS\\system32\\rsaenh.dll", "success": true}, {"path": "C:\\WINDOWS\\system32\\cmd.exe", "success": true}], "read": [{"path": "C:\\WINDOWS\\system32\\rsaenh.dll", "success": true}], "moved": [], "downloaded": [], "written": [], "replaced": [], "deleted": [], "copied": []}}, "pe-timestamp": 1336941911, "imports": {"GDI32_!_dll": ["SetDIBits", "SetMapMode", "CreateFontIndirectW", "PatBlt", "GetBkMode", "CreateFontIndirectA", "GetClipBox", "CreateFontW", "TranslateCharsetInfo", "RemoveFontResourceExA", "RectInRegion", "PtInRegion", "BitBlt", "CreateDIBSection", "CreateBitmapIndirect", "DPtoLP", "CreateFontA", "SetDIBitsToDevice", "RectVisible", "CreatePalette", "CreateDIBitmap", "SetViewportOrgEx", "ExtTextOutA", "UnrealizeObject", "GetDIBits", "CreateCompatibleDC", "StretchBlt", "PolyBezier", "SelectObject", "GetNearestPaletteIndex", "GetSystemPaletteUse", "CreateSolidBrush", "WidenPath", "SetViewportExtEx", "SetRectRgn"], "KERNEL32_!_dll": ["GetSystemTime", "CopyFileW", "FileTimeToDosDateTime", "SetThreadLocale", "UnmapViewOfFile", "GetOverlappedResult", "TryEnterCriticalSection", "VirtualProtect", "GlobalGetAtomNameA", "GetHandleInformation", "lstrcmpW", "FindFirstChangeNotificationW", "DisconnectNamedPipe", "GetDateFormatA", "SizeofResource", "SetThreadPriority", "GetCPInfo", "GetDateFormatW", "SetCommMask", "FoldStringW", "SetThreadAffinityMask", "GetUserDefaultLCID", "GetFileType", "GetTempPathA", "GlobalReAlloc", "lstrcmpiA", "FindNextFileW", "FormatMessageA", 
"FindResourceExW", "PulseEvent", "GetTempFileNameA", "CreateFileMappingA", "GetACP", "SetFileAttributesA", "GetLongPathNameW", "HeapCreate", "SearchPathA", "GetProfileIntA", "SetMailslotInfo", "GetLocaleInfoW"], "COMDLG32_!_dll": ["ChooseFontW", "PrintDlgExW", "PageSetupDlgW", "GetSaveFileNameW", "ChooseColorW"], "rpcrt4_!_dll": ["I_RpcAllocate", "I_RpcFree"], "COMCTL32_!_dll": ["ImageList_Read", "ImageList_Destroy", "CreateStatusWindowW", "ImageList_GetIconSize", "CreatePropertySheetPageW", "ImageList_GetIcon"], "USER32_!_dll": ["AdjustWindowRect", "GetSysColor", "ClientToScreen", "CreateDialogIndirectParamW", "ChildWindowFromPointEx", "DrawTextExW", "GetPropW", "LoadMenuA", "HideCaret", "EnumWindows", "ChangeMenuW", "CreatePopupMenu", "keybd_event", "EnableScrollBar", "GetClassInfoExA", "CreateAcceleratorTableW", "ClipCursor", "GetMessageW", "PostQuitMessage", "FindWindowA", "DrawStateW", "LoadBitmapW", "GetSysColorBrush", "IsCharAlphaW", "PeekMessageW", "LockWindowUpdate", "DispatchMessageA", "EnableWindow", "OpenIcon", "CallWindowProcA", "GetMenuStringA", "ScreenToClient", "MessageBoxA", "CascadeWindows", "ChildWindowFromPoint", "TrackPopupMenu", "DialogBoxParamA", "GetWindow", "InvalidateRect", "SetMenuDefaultItem", "CharLowerBuffW", "GetDlgCtrlID", "SetWindowTextA", "SendMessageW", "SetClassLongW", "RegisterClassW", "IsCharUpperA", "SetActiveWindow", "IsZoomed", "DefFrameProcA", "GetClassInfoW", "TranslateAcceleratorA", "GetMenuCheckMarkDimensions", "IsCharAlphaNumericW", "GetShellWindow", "InvertRect", "SetWindowLongW", "MonitorFromRect", "InsertMenuA", "GetMessageExtraInfo", "GetDCEx", "GetClientRect", "OemToCharA", "MapDialogRect", "GetActiveWindow", "ShowOwnedPopups", "CharToOemW", "DefDlgProcA", "RegisterHotKey", "GetUpdateRgn", "ModifyMenuW", "MapVirtualKeyExW", "CheckDlgButton", "CloseDesktop", "IsDialogMessageW", "IsWindowUnicode", "LoadIconW", "GetTopWindow", "PostThreadMessageA", "GetMenuItemInfoW"]}, "suspicious-insight": true, "pe-entry-point": 
6407, "sections": [[".text", 4096, 21065, 21504, "6.33", "98cfc71469cc137c0654d8751c79aede"], [".Obis", 28672, 140, 512, "0.66", "c5facedf21165cee8e3050a83372c885"], [".bis", 32768, 104830, 104960, "7.98", "4c3195df92f36d22c927b0a31fbe2b11"], [".oypac", 139264, 746, 1024, "3.63", "a044f8702f9c8cc35b0a0c99f8a57d0d"], [".jibmed", 143360, 21716, 22016, "6.43", "6882ad34612806c6a3699dedef3e2837"], [".data", 167936, 80585, 3072, "5.66", "757d9f5e4e2f50cf2a7badaa510e9e35"], [".rsrc", 249856, 16, 512, "0.02", "4e3b2ec5da7200456d338156d854c01b"], [".reloc", 253952, 2408, 2560, "6.55", "03f3bd2e5da3c1b2f01058742404d625"]], "pe-machine-type": 332}, "size": 157184, "scan_id": "cc4f95243ce37e3dc825bff20af50bac6de569460917763083feb3f3a1eb92e0-1443402074", "total": 57, "harmless_votes": 0, "verbose_msg": "Scan finished, information embedded", "ITW_urls": [], "sha256": "cc4f95243ce37e3dc825bff20af50bac6de569460917763083feb3f3a1eb92e0", "type": "Win32 EXE", "scans": {"Bkav": {"detected": true, "version": "1.3.0.7237", "result": "HW32.Packed.4F25", "update": "20150925"}, "TotalDefense": {"detected": false, "version": "37.1.62.1", "result": null, "update": "20150928"}, "MicroWorld-eScan": {"detected": true, "version": "12.0.250.0", "result": "Gen:Variant.Sirefef.1140", "update": "20150928"}, "nProtect": {"detected": true, "version": "2015-09-25.01", "result": "Trojan/W32.Agent.157184.NT", "update": "20150925"}, "CMC": {"detected": false, "version": "1.1.0.977", "result": null, "update": "20150925"}, "CAT-QuickHeal": {"detected": true, "version": "14.00", "result": "Backdoor.PMax.r8", "update": "20150926"}, "ALYac": {"detected": true, "version": "1.0.1.4", "result": "Gen:Variant.Sirefef.1140", "update": "20150927"}, "Malwarebytes": {"detected": true, "version": "2.1.1.1115", "result": "Rootkit.0Access", "update": "20150927"}, "VIPRE": {"detected": true, "version": "44104", "result": "Trojan.Win32.Kryptik.aulk (v)", "update": "20150927"}, "AegisLab": {"detected": false, "version": 
"1.5", "result": null, "update": "20150927"}, "TheHacker": {"detected": true, "version": "6.8.0.5.679", "result": "Trojan/Kryptik.atmu", "update": "20150926"}, "BitDefender": {"detected": true, "version": "7.2", "result": "Gen:Variant.Sirefef.1140", "update": "20150928"}, "K7GW": {"detected": true, "version": "9.210.17344", "result": "Trojan ( 00422eff1 )", "update": "20150927"}, "K7AntiVirus": {"detected": true, "version": "9.210.17344", "result": "Trojan ( 00422eff1 )", "update": "20150927"}, "Agnitum": {"detected": true, "version": "5.5.1.3", "result": "Trojan.Agent!yEPrlJmtQ2c", "update": "20150927"}, "F-Prot": {"detected": true, "version": "4.7.1.166", "result": "W32/Zaccess.AK.gen!Eldorado", "update": "20150927"}, "Symantec": {"detected": true, "version": "20141.2.0.56", "result": "Trojan.Zeroaccess!g33", "update": "20150927"}, "ESET-NOD32": {"detected": true, "version": "12296", "result": "a variant of Win32/Kryptik.ATMU", "update": "20150927"}, "TrendMicro-HouseCall": {"detected": true, "version": "9.800.0.1009", "result": "TROJ_SPNR.35CC13", "update": "20150928"}, "Avast": {"detected": true, "version": "8.0.1489.320", "result": "Win32:ZAccess-OO [Trj]", "update": "20150928"}, "ClamAV": {"detected": true, "version": "0.98.5.0", "result": "WIN.Trojan.Pmax-28", "update": "20150928"}, "Kaspersky": {"detected": true, "version": "15.0.1.10", "result": "Backdoor.Win32.PMax.pei", "update": "20150928"}, "Alibaba": {"detected": false, "version": "1.0", "result": null, "update": "20150927"}, "NANO-Antivirus": {"detected": true, "version": "0.30.26.3725", "result": "Trojan.Win32.Kryptik.bfzwyl", "update": "20150928"}, "ViRobot": {"detected": true, "version": "2014.3.20.0", "result": "Trojan.Win32.ZeroAccess.157184[h]", "update": "20150927"}, "Rising": {"detected": true, "version": "25.0.0.17", "result": "PE:Malware.RDM.03!5.9[F1]", "update": "20150927"}, "Ad-Aware": {"detected": true, "version": "12.0.163.0", "result": "Gen:Variant.Sirefef.1140", "update": 
"20150928"}, "Emsisoft": {"detected": true, "version": "3.5.0.642", "result": "Gen:Variant.Sirefef.1140 (B)", "update": "20150928"}, "Comodo": {"detected": true, "version": "23314", "result": "TrojWare.Win32.Kryptik.ATV", "update": "20150928"}, "F-Secure": {"detected": true, "version": "11.0.19100.45", "result": "Gen:Variant.Sirefef.1140", "update": "20150925"}, "DrWeb": {"detected": true, "version": "7.0.15.8310", "result": "Trojan.DownLoader8.3128", "update": "20150928"}, "Zillya": {"detected": true, "version": "2.0.0.2417", "result": "Backdoor.PMax.Win32.964", "update": "20150927"}, "TrendMicro": {"detected": true, "version": "9.740.0.1012", "result": "TROJ_SPNR.35CC13", "update": "20150928"}, "McAfee-GW-Edition": {"detected": true, "version": "v2015", "result": "ZeroAccess-FAWU!602695C8F2AD", "update": "20150927"}, "Sophos": {"detected": true, "version": "4.98.0", "result": "Troj/Sirefef-BL", "update": "20150927"}, "Cyren": {"detected": true, "version": "5.4.16.7", "result": "W32/Zaccess.AK.gen!Eldorado", "update": "20150928"}, "Jiangmin": {"detected": true, "version": "16.0.100", "result": "Backdoor/PMax.ahw", "update": "20150927"}, "Avira": {"detected": true, "version": "8.3.2.2", "result": "TR/Rogue.699874", "update": "20150927"}, "Antiy-AVL": {"detected": true, "version": "1.0.0.1", "result": "Trojan[Backdoor]/Win32.PMax", "update": "20150927"}, "Kingsoft": {"detected": true, "version": "2013.4.9.267", "result": "Win32.Troj.Undef.(kcloud)", "update": "20150928"}, "Microsoft": {"detected": true, "version": "1.1.12101.0", "result": "Trojan:Win32/Sirefef.P", "update": "20150928"}, "Arcabit": {"detected": true, "version": "1.0.0.567", "result": "Trojan.Sirefef.D474", "update": "20150928"}, "SUPERAntiSpyware": {"detected": true, "version": "5.6.0.1032", "result": "Trojan.Agent/Gen-Kryptik", "update": "20150927"}, "AhnLab-V3": {"detected": true, "version": "2015.09.28.00", "result": "Trojan/Win32.ZeroAccess", "update": "20150927"}, "GData": {"detected": true, 
"version": "25", "result": "Gen:Variant.Sirefef.1140", "update": "20150928"}, "ByteHero": {"detected": true, "version": "1.0.0.1", "result": "Trojan.Malware.Obscu.Gen.002", "update": "20150928"}, "McAfee": {"detected": true, "version": "6.0.6.653", "result": "ZeroAccess-FAWU!602695C8F2AD", "update": "20150928"}, "AVware": {"detected": true, "version": "1.5.0.21", "result": "Trojan.Win32.Kryptik.aulk (v)", "update": "20150927"}, "VBA32": {"detected": true, "version": "3.12.26.4", "result": "Hoax.PornoAsset", "update": "20150926"}, "Panda": {"detected": true, "version": "4.6.4.2", "result": "Generic Malware", "update": "20150927"}, "Zoner": {"detected": false, "version": "1.0", "result": null, "update": "20150928"}, "Tencent": {"detected": true, "version": "1.0.0.1", "result": "Win32.Backdoor.Pmax.bkks", "update": "20150928"}, "Ikarus": {"detected": true, "version": "T3.1.9.5.0", "result": "Backdoor.Win32.PMax", "update": "20150928"}, "Fortinet": {"detected": true, "version": "5.1.220.0", "result": "W32/ZeroAccess.B!tr", "update": "20150928"}, "AVG": {"detected": true, "version": "16.0.0.4419", "result": "BackDoor.Generic16.BFGA", "update": "20150928"}, "Baidu-International": {"detected": true, "version": "3.5.1.41473", "result": "Backdoor.Win32.PMax.pei", "update": "20150927"}, "Qihoo-360": {"detected": true, "version": "1.0.0.1015", "result": "HEUR/Malware.QVM20.Gen", "update": "20150928"}}, "tags": ["peexe"], "authentihash": "a58c624939850e6c50bc53d742e10e40548633a2ffb722b7808ff399035f5485", "unique_sources": 4, "positives": 52, "ssdeep": "3072:Qy4FkhMnSKDt6mSCJc/ohw9mrx+2WwMhl6dmexEUMubKEN:9z5KJ6tc/hw9GxWwMn6LWfE", "md5": "602695c8f2ad76564bddcaf47b76edff", "permalink": "https://www.virustotal.com/file/cc4f95243ce37e3dc825bff20af50bac6de569460917763083feb3f3a1eb92e0/analysis/1443402074/", "sha1": "abd024a2a11487a71f4bb5826e178a0b6c38604e", "resource": "602695c8f2ad76564bddcaf47b76edff", "response_code": 1, "community_reputation": 0, "malicious_votes": 0, "_id": 
"56948fbae97cad7b39a4886e", "last_seen": "2015-09-28 01:01:14"} +{"vhash": "0450466d1d155az14nzdfz", "submission_names": ["3ae56299b724f5846826761a736c85266423be39.exe", "drop/f117cc1477513cb181cc2e9fcaa"], "scan_date": "2013-10-29 23:02:27", "first_seen": "2012-04-27 21:45:03", "times_submitted": 2, "dataset_tags": ["malsign", "malicia"], "additional_info": {"exports": [""], "magic": "PE32 executable for MS Windows (GUI) Intel 80386 32-bit", "sigcheck": {"link date": "8:34 PM 10/25/2011"}, "exiftool": {"MIMEType": "application/octet-stream", "Subsystem": "Windows GUI", "MachineType": "Intel 386 or later, and compatibles", "TimeStamp": "2011:10:25 20:34:24+01:00", "FileType": "Win32 EXE", "PEType": "PE32", "CodeSize": "5632", "LinkerVersion": "10.0", "EntryPoint": "0xc0a9c", "InitializedDataSize": "16896", "SubsystemVersion": "4.0", "ImageVersion": "0.0", "OSVersion": "4.0", "UninitializedDataSize": "0"}, "trid": "Win32 Executable (generic) (42.6%)\nClipper DOS Executable (19.0%)\nGeneric Win/DOS Executable (18.9%)\nDOS Executable Generic (18.9%)\nVXD Driver (0.2%)", "pe-resource-list": {"7c8c7cf0b6c0861c4c4b10d10a3ee6eab717c777a9035a5efa1e05c07f50bfba": "data", "86acca2ff9c765e902d33fdbfbb379879976545fe1ba130091534e50ae6ac714": "data", "45a49bbb1c7c31038f9134c98604739dade19b7128608fbf3cc511ea116a7469": "data"}, "pe-resource-langs": {"ENGLISH US": 3}, "pe-timestamp": 1319571264, "imports": {"KERNEL32_!_dll": ["FreeEnvironmentStringsA", "LocalFree", "LocalLock", "GetConsoleAliasA", "GetModuleHandleA", "HeapCreate", "FindAtomA", "GetConsoleCP", "FindClose", "TlsGetValue", "Sleep", "CloseHandle", "CreateFileMappingA", "CreateFileA", "GlobalUnlock", "GetACP", "GetCalendarInfoA", "WaitForMultipleObjects", "GetLastError", "LoadLibraryExA"], "USER32_!_dll": ["SetFocus", "GetMessageA", "IsWindow", "DrawTextA", "DispatchMessageA", "MessageBoxA", "DrawEdge", "CallWindowProcA", "CascadeWindows", "GetDlgItem", "CreateDialogParamA", "DefWindowProcA", "GetIconInfo", "GetDC"], 
"MSASN1_!_dll": ["ASN1BERDecCheck", "ASN1BERDecNull", "ASN1BERDecSkip", "ASN1BEREncLength", "ASN1BERDecEoid"]}, "pe-entry-point": 789148, "pe-resource-types": {"RT_ICON": 2, "RT_GROUP_ICON": 1}, "sections": [[".text", 786432, 5548, 5632, "6.64", "ba379865d43832ee83a55bd05929c949"], [".rdata", 794624, 1116, 1536, "4.22", "9a76a421130d716cd9735966f4bd6373"], [".data", 798720, 522, 1024, "0.41", "292100f4bbf6dbf733a23595f2f8edb7"], [".rsrc", 802816, 14146, 14336, "5.85", "4c8b2c3b550520aa93678d10af073aab"]], "pe-machine-type": 332}, "size": 402432, "scan_id": "b7964446541006c2e2c77335a5504306f15136d0ade4c2d4a90d0fcea87b1e0a-1383087747", "total": 47, "harmless_votes": 0, "verbose_msg": "Scan finished, information embedded", "sha256": "b7964446541006c2e2c77335a5504306f15136d0ade4c2d4a90d0fcea87b1e0a", "type": "Win32 EXE", "scans": {"Bkav": {"detected": false, "version": "1.3.0.4261", "result": null, "update": "20131029"}, "MicroWorld-eScan": {"detected": true, "version": "12.0.250.0", "result": "Trojan.Generic.KD.593235", "update": "20131028"}, "nProtect": {"detected": false, "version": "2013-10-29.04", "result": null, "update": "20131029"}, "CAT-QuickHeal": {"detected": true, "version": "12.00", "result": "FraudTool.Security", "update": "20131029"}, "McAfee": {"detected": true, "version": "5.600.0.1067", "result": "Generic FakeAlert.ama", "update": "20131029"}, "Malwarebytes": {"detected": true, "version": "1.75.0.1", "result": "Trojan.Agent", "update": "20131029"}, "K7AntiVirus": {"detected": true, "version": "9.173.10028", "result": "Trojan", "update": "20131029"}, "K7GW": {"detected": true, "version": "12.7.0.14", "result": "Trojan", "update": "20131029"}, "TheHacker": {"detected": true, "version": "6.8.0.5.356", "result": "Trojan/Kryptik.aduj", "update": "20131029"}, "NANO-Antivirus": {"detected": false, "version": "0.26.0.55974", "result": null, "update": "20131029"}, "F-Prot": {"detected": true, "version": "4.7.1.166", "result": "W32/FakeAlert.QM.gen!Eldorado", 
"update": "20131029"}, "Symantec": {"detected": true, "version": "20131.1.5.61", "result": "SecShieldFraud!gen5", "update": "20131029"}, "Norman": {"detected": true, "version": "7.02.06", "result": "Websec[gs]", "update": "20131029"}, "TotalDefense": {"detected": true, "version": "37.0.10498", "result": "Win32/Winwebsec.O!generic", "update": "20131029"}, "TrendMicro-HouseCall": {"detected": true, "version": "9.700.0.1001", "result": "HV_FAKEAV_CI052752.RDXN", "update": "20131029"}, "Avast": {"detected": true, "version": "8.0.1489.320", "result": "Win32:FakeAlert-CHW [Trj]", "update": "20131029"}, "ClamAV": {"detected": true, "version": "0.97.3.0", "result": "W32.Suspect.Trojan.FakeAV", "update": "20131029"}, "Kaspersky": {"detected": true, "version": "9.0.0.837", "result": "Trojan.Win32.FakeAV.lwvc", "update": "20131029"}, "BitDefender": {"detected": true, "version": "7.2.5028.0", "result": "Trojan.Generic.KD.593235", "update": "20131029"}, "Agnitum": {"detected": true, "version": "5.5.1.3", "result": "FraudTool.Winwebsec!Em3HvMNHln4", "update": "20131029"}, "SUPERAntiSpyware": {"detected": true, "version": "5.6.0.1032", "result": "Trojan.Agent/Gen-Vundo", "update": "20131029"}, "Emsisoft": {"detected": true, "version": "3.0.0.589", "result": "Trojan.Generic.KD.593235 (B)", "update": "20131029"}, "Comodo": {"detected": true, "version": "17179", "result": "TrojWare.Win32.FakeAV.DUQ", "update": "20131029"}, "F-Secure": {"detected": true, "version": "11.0.19100.45", "result": "Trojan.Generic.KD.593235", "update": "20131029"}, "DrWeb": {"detected": true, "version": "", "result": "Trojan.Siggen.65111", "update": "20131029"}, "VIPRE": {"detected": true, "version": "22846", "result": "VirTool.Win32.Obfuscator.da!j (v)", "update": "20131029"}, "AntiVir": {"detected": true, "version": "7.11.110.26", "result": "TR/Winwebsec.acvnmb", "update": "20131030"}, "TrendMicro": {"detected": false, "version": "9.740.0.1012", "result": null, "update": "20131029"}, "McAfee-GW-Edition": 
{"detected": true, "version": "2013", "result": "Generic FakeAlert.ama", "update": "20131029"}, "Sophos": {"detected": true, "version": "4.94.0", "result": "Troj/FakeAV-FKQ", "update": "20131029"}, "Jiangmin": {"detected": true, "version": "16.0.100", "result": "Trojan/Fakeav.ayzc", "update": "20131029"}, "Antiy-AVL": {"detected": false, "version": "2.0.3.7", "result": null, "update": "20131029"}, "Kingsoft": {"detected": true, "version": "2013.4.9.267", "result": "Win32.Troj.Undef.(kcloud)", "update": "20130829"}, "Microsoft": {"detected": true, "version": "1.10003", "result": "Rogue:Win32/Winwebsec", "update": "20131029"}, "ViRobot": {"detected": true, "version": "2011.4.7.4223", "result": "Trojan.Win32.A.FakeAV.402432.BA", "update": "20131029"}, "AhnLab-V3": {"detected": true, "version": "2013.10.30.01", "result": "Trojan/Win32.FakeAV", "update": "20131029"}, "GData": {"detected": true, "version": "22", "result": "Trojan.Generic.KD.593235", "update": "20131029"}, "Commtouch": {"detected": true, "version": "5.4.1.7", "result": "W32/FakeAlert.QM.gen!Eldorado", "update": "20131029"}, "ByteHero": {"detected": false, "version": "1.0.0.1", "result": null, "update": "20131028"}, "VBA32": {"detected": true, "version": "3.12.24.3", "result": "Trojan.FakeAV", "update": "20131029"}, "Baidu-International": {"detected": false, "version": "3.5.1.41473", "result": null, "update": "20131029"}, "ESET-NOD32": {"detected": true, "version": "8982", "result": "a variant of Win32/Kryptik.ADUJ", "update": "20131029"}, "Rising": {"detected": false, "version": "24.86.00.04", "result": null, "update": "20131029"}, "Ikarus": {"detected": true, "version": "T3.1.5.4.0", "result": "Trojan-Dropper.Win32.Daws", "update": "20131029"}, "Fortinet": {"detected": true, "version": "5.1.147.0", "result": "W32/FakeAlert.B!tr", "update": "20131029"}, "AVG": {"detected": true, "version": "13.0.0.3169", "result": "FakeAV_s.A", "update": "20131029"}, "Panda": {"detected": true, "version": "10.0.3.5", 
"result": "Adware/SystemTool", "update": "20131029"}}, "tags": ["peexe"], "unique_sources": 2, "sha1": "3ae56299b724f5846826761a736c85266423be39", "positives": 39, "ssdeep": "12288:43KpJI6xj1dV9fJcEXW4OYIb5IiENCa8UM:4Cb1dV9fJhXWGHNE", "md5": "f117cc1477513cb181cc2e9fcaab39b2", "permalink": "https://www.virustotal.com/file/b7964446541006c2e2c77335a5504306f15136d0ade4c2d4a90d0fcea87b1e0a/analysis/1383087747/", "_id": "5602b554e97cad1b24c229cc", "resource": "f117cc1477513cb181cc2e9fcaab39b2", "response_code": 1, "community_reputation": 0, "malicious_votes": 0, "ITW_urls": [], "last_seen": "2013-10-29 23:02:27"}
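Review bot: in the README.md hunk, item 2 points readers to examples/vtv3_sample.json, but this patch only adds examples/vtv2_sample.json, so the v3 reference is a dangling link until that file lands; either include the v3 sample in this change or drop the sentence. On the same items, the v2 example URL carries the API key in the query string, which is how the v2 endpoint authenticates, while the v3 line shows only https://www.virustotal.com/api/v3/files/{hash} with no authentication hint; v3 expects the key in the x-apikey request header, so one clause saying so would stop users from pasting the v2 query form onto the v3 endpoint and from leaving keys in shell history and proxy logs.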
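Review bot: in the avclass/README.md hunk the example paths are now wrong relative to the file: the removed text used ../examples/malheurReference_lb.json because this README lives in avclass/, while the added lines say examples/vtv2_sample.json, examples/vtv3_sample.json and *examples/malheurReference_lb.json*, which resolve to avclass/examples/... from that location. Suggest keeping the ../examples/ prefix (or using a link to the repository root) for all three. The -/+ pair for "AVClass supports three input JSON formats:" changes nothing visible, so it is presumably a trailing-whitespace edit; harmless, but worth noting in the commit message so reviewers do not hunt for a wording change.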
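Review bot: in the avclass2/README.md hunk (and the matching avclass/README.md hunk) the required field list for the -lb format drops scan_date, going from {md5, sha1, sha256, scan_date, av_labels} to {md5, sha1, sha256, av_labels}. That is a documented-contract change with no code in this patch backing it: if the simplified-JSON loader still reads scan_date, inputs written to the new description will fail; if it no longer does, say so explicitly ("scan_date is optional and ignored") so existing -lb files such as malheurReference_lb.json are still known to be valid. The same ../examples/ relative-path issue applies here, since this README also sits one level below the repository root. The AVClass to AVClass2 fix under "Multiple input files" is correct.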
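Review bot: the examples/vtv2_sample.json hunk is described in the READMEs as "the full JSON of a VirusTotal v2 API response to the /file/report endpoint", but both records carry fields that endpoint does not return, at least "_id" (a 24-hex database object id) and "dataset_tags", so the sample is an export from the authors' own store rather than a raw API response. Either strip those fields so the file matches the documentation, or say in the README that extra top-level keys are tolerated. Consider also trimming the records to what the tool consumes (the hashes and the "scans" map, mirroring the -lb field list): the "additional_info" blocks embed sandbox behaviour data, including contacted IPs, a beaconing URL and a DNS resolution list for a live sample, which nothing in the documented input formats uses and which is third-party indicator data to be shipping in a docs example; keeping only the consumed fields also makes the two-line file readable in review.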