Antivirus scan for 671e41c198fb1220101050d7dc79edcd75e9244a87b15e1210a7b39023c84a42 at 2015-03-25 13:08:16 UTC

Antivirus	Ergebnis	Aktualisierung
Ad-Aware		20150325
AegisLab		20150325
Yandex		20150325
AhnLab-V3		20150324
Alibaba		20150325
ALYac		20150325
Antiy-AVL		20150325
Avast		20150325
AVG		20150325
Avira (no cloud)		20150325
AVware		20150325
Baidu-International		20150325
BitDefender		20150325
Bkav		20150325
ByteHero		20150325
CAT-QuickHeal		20150325
ClamAV		20150325
CMC		20150325
Comodo		20150325
Cyren		20150325
DrWeb		20150325
Emsisoft		20150325
ESET-NOD32		20150325
F-Prot		20150325
F-Secure		20150325
Fortinet		20150325
GData		20150325
Ikarus		20150325
Jiangmin		20150324
K7AntiVirus		20150325
K7GW		20150325
Kaspersky		20150325
Kingsoft		20150325
Malwarebytes		20150325
McAfee		20150325
McAfee-GW-Edition		20150325
Microsoft		20150325
eScan		20150325
NANO-Antivirus		20150325
Norman		20150325
nProtect		20150325
Panda		20150324
Qihoo-360		20150325
Rising		20150325
Sophos AV		20150325
SUPERAntiSpyware		20150325
Symantec		20150325
Tencent		20150325
TheHacker		20150324
TotalDefense		20150325
TrendMicro		20150325
TrendMicro-HouseCall		20150325
VBA32		20150324
VIPRE		20150325
ViRobot		20150325
Zillya		20150325
Zoner		20150323

The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.

Packers identified

F-PROT UPX

PE header basic information

Target machine Intel 386 or later processors and compatible processors

Entry Point 0x00395870

Number of sections 3

PE sections

Name Virtual address Virtual size Raw size Entropy MD5

UPX0 4096 1806336 0 0.00 d41d8cd98f00b204e9800998ecf8427e

UPX1 1810432 1949696 1948672 7.90 f9c6ba3c1e9a42177333cc67a0536d9b

.rsrc 3760128 57344 55296 6.83 233cf5159fabb377701fef3a698525b1

PE imports

Number of PE resources by type

RT_ICON 9

RT_GROUP_ICON 1

Number of PE resources by language

ENGLISH US 10

PE resources

2b0d3087242bf76a277d67ff87b9820117892f204aa0172207aafe135d28ed73 data

5764f49b58d833dda8fad7a33698944e4f23eb013c3de37480c6cff783185c72 data

9604dcf007aa0758ecd8507016babcf3b209e0650cb972cede024b61ef5bb6d5 data

a5ecde0f03d811704bbc460d35270d976ed21a6fe3fd3b26f7f6b216cd016fe8 image/x-png

aec0247c87160e010d20469e213c104c9411351420583134e21b302396c787fd data

b8ac7b308c350ae0459d9a908cdba0ae58404d2db4b08b114690ec654b2973c4 data

c8b96c4a4438eee7d7f60ded75f415958c9c8ab052a1b751a7cbfd07d0df2be0 data

d1109b778a56f4571eac4039a60b86ace3628e08551759ca72c962ea4c8ff98a data

dc22f7b1f15e65e914028ef285785cf8523202f768dade3d634899b2971a8aa5 data

f3ad8837407af936f8fc32ff58124a8d113283b753d513000538467f0a2bd822 data

ExifTool file metadata

MIMEType

application/octet-stream

Subsystem

Windows GUI

MachineType

Intel 386 or later, and compatibles

FileTypeExtension

exe

TimeStamp

0000:00:00 00:00:00

FileType

Win32 EXE

PEType

PE32

CodeSize

1949696

LinkerVersion

2.24

EntryPoint

0x395870

InitializedDataSize

57344

SubsystemVersion

4.0

ImageVersion

1.0

OSVersion

4.0

UninitializedDataSize

1806336

Compressed bundles

This file was also submitted to VirusTotal in the following compressed file bundles.

a8931636079cc7f6f995cd8cef9c6423f345e5bb20296eb5f9e2646ea61b9eb6

File identification

MD5 ea5b8af7da0615409dbac4380198f305

SHA1 35e0e0379a6425885c7facbc9e53e0ef5d3dc6cb

SHA256 671e41c198fb1220101050d7dc79edcd75e9244a87b15e1210a7b39023c84a42

ssdeep

49152:u7pQK+Nu0u3MoFVhZY+/tgaVwdBBMJsAkHjMdhaG25lsmuqKrjInQ:KpQu07oFfZRl3+dBBMJVkHjMdhaG25+b

authentihash 0ec10e80790cd5098b6387e2754640ef957217f1b0ef15092d0c2da48f8c0f8a

imphash 702f54fbacd1d4438ce5f8e5050cdf31

File size 1.9 MB ( 2004480 bytes )

File type Win32 EXE

Magic literal

PE32 executable for MS Windows (GUI) Intel 80386 32-bit

TrID	UPX compressed Win32 Executable (42.3%) Win32 EXE Yoda's Crypter (36.7%) Win32 Dynamic Link Library (generic) (9.1%) Win32 Executable (generic) (6.2%) Generic Win/DOS Executable (2.7%)

VirusTotal metadata

First submission 2015-03-25 13:08:16 UTC ( vor 3 Jahre, 8 Monate )

Last submission 2015-03-25 13:08:16 UTC ( vor 3 Jahre, 8 Monate )

Dateinamen

BPMSkinInstaller-BlackCitrus.exe

Advanced heuristic and reputation engines

ClamAV

Possibly Unwanted Application. While not necessarily malicious, the scanned file presents certain characteristics which depending on the user policies and environment may or may not represent a threat. For full details see: https://www.clamav.net/documents/potentially-unwanted-applications-pua .

Symantec reputation Suspicious.Insight

Condensed report! The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.

Created mutexes

gcc-shmem-tdm2-mutex_global_shmem (successful)

gcc-shmem-tdm2-global_lock_spinlock (successful)

gcc-shmem-tdm2-use_fc_key (successful)

gcc-shmem-tdm2-sjlj_once (successful)

gcc-shmem-tdm2-once_global_shmem (successful)

gcc-shmem-tdm2-once_obj_shmem (successful)

gcc-shmem-tdm2-_pthread_tls_once_shmem (successful)

gcc-shmem-tdm2-_pthread_tls_shmem (successful)

gcc-shmem-tdm2-mtx_pthr_locked_shmem (successful)

gcc-shmem-tdm2-mutex_global_static_shmem (successful)

Runtime DLLs

kernel32.dll (successful)

advapi32.dll (successful)

comctl32.dll (successful)

gdi32.dll (successful)

msvcrt.dll (successful)

ole32.dll (successful)

shell32.dll (successful)

user32.dll (successful)

SHA256:	671e41c198fb1220101050d7dc79edcd75e9244a87b15e1210a7b39023c84a42
Dateiname:	BPMSkinInstaller-BlackCitrus.exe
Erkennungsrate:	0 / 57
Analyse-Datum:	2015-03-25 13:08:16 UTC ( vor 3 Jahre, 8 Monate ) Zeige Neueste

Ciphered bundle