SHA256: 002beda2973521958ca83848b483aae1b9914391ad8b6c575843f6d5a65ac66c
File name: tools.exe
Detection ratio: 0 / 57
Analysis date: 2015-02-18 13:20:18 UTC (4 years ago)
Antivirus Result Update
Ad-Aware 20150218
AegisLab 20150218
Yandex 20150218
AhnLab-V3 20150218
Alibaba 20150218
ALYac 20150218
Antiy-AVL 20150218
Avast 20150218
AVG 20150218
Avira (no cloud) 20150218
AVware 20150218
Baidu-International 20150218
BitDefender 20150218
Bkav 20150213
ByteHero 20150218
CAT-QuickHeal 20150218
ClamAV 20150218
CMC 20150214
Comodo 20150218
Cyren 20150218
DrWeb 20150218
Emsisoft 20150218
ESET-NOD32 20150218
F-Prot 20150218
F-Secure 20150218
Fortinet 20150218
GData 20150218
Ikarus 20150218
Jiangmin 20150216
K7AntiVirus 20150218
K7GW 20150218
Kaspersky 20150218
Kingsoft 20150218
Malwarebytes 20150218
McAfee 20150218
McAfee-GW-Edition 20150218
Microsoft 20150218
eScan 20150218
NANO-Antivirus 20150218
Norman 20150218
nProtect 20150218
Panda 20150218
Qihoo-360 20150218
Rising 20150218
Sophos AV 20150218
SUPERAntiSpyware 20150218
Symantec 20150218
Tencent 20150218
TheHacker 20150218
TotalDefense 20150218
TrendMicro 20150218
TrendMicro-HouseCall 20150218
VBA32 20150218
VIPRE 20150218
ViRobot 20150218
Zillya 20150218
Zoner 20150218
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
Authenticode signature block and FileVersionInfo properties
Signature verification A certificate was explicitly revoked by its issuer.
Signing date 11:58 AM 2/11/2015
Signers
谭信福
Status This certificate or one of the certificates in the certificate chain is not time valid. Trust for this certificate or one of the certificates in the certificate chain has been revoked.
Issuer WoSign Class 2 Code Signing CA
Valid from 4:37 AM 7/29/2014
Valid to 4:37 AM 7/29/2015
Valid usage Code Signing, 1.3.6.1.4.1.311.2.1.22
Algorithm sha1RSA
Thumbprint 6C5C90167999B134FD83E69BB24E72ECADEA2E1F
Serial number 31 A3 E1 AE EC 24 4D 4A BB 44 56 80 B7 5B 15 74
WoSign Class 2 Code Signing CA
Status Valid
Issuer Certification Authority of WoSign
Valid from 2:00 AM 8/8/2009
Valid to 2:00 AM 8/8/2024
Valid usage Code Signing, 1.3.6.1.4.1.311.2.1.22
Algorithm sha1RSA
Thumbprint F55E68103DB949B7F0C3ADEBB0151F6DDF4A1927
Serial number 25 E7 3B 77 32 8E 5C A0 AA 57 F8 65 68 DC F6 E8
Certification Authority of WoSign
Status This certificate or one of the certificates in the certificate chain is not time valid.
Issuer StartCom Certification Authority
Valid from 2:00 AM 3/1/2011
Valid to 2:00 AM 3/1/2016
Valid usage All
Algorithm sha1RSA
Thumbprint 868241C8B85AF79E2DAC79EDADB723E82A36AFC3
Serial number 3D
StartCom Certification Authority
Status Valid
Issuer StartCom Certification Authority
Valid from 8:46 PM 9/17/2006
Valid to 8:46 PM 9/17/2036
Valid usage Server Auth, Client Auth, Email Protection, Code Signing, Timestamp Signing, EFS, IPSEC Tunnel, IPSEC User
Algorithm sha1RSA
Thumbprint 3E2BF7F2031B96F38CE6C4D8A85D3E2D58476A0F
Serial number 01
Counter signers
COMODO Time Stamping Signer
Status This certificate or one of the certificates in the certificate chain is not time valid.
Issuer UTN-USERFirst-Object
Valid from 1:00 AM 5/10/2010
Valid to 12:59 AM 5/11/2015
Valid usage Timestamp Signing
Algorithm sha1RSA
Thumbprint 3DBB6DB5085C6DD5A1CA7F9CF84ECB1A3910CAC8
Serial number 47 8A 8E FB 59 E1 D8 3F 0C E1 42 D2 A2 87 07 BE
USERTrust (Code Signing)
Status Valid
Issuer UTN-USERFirst-Object
Valid from 7:31 PM 7/9/1999
Valid to 7:40 PM 7/9/2019
Valid usage EFS, Timestamp Signing, Code Signing
Algorithm sha1RSA
Thumbprint E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46
Serial number 44 BE 0C 8B 50 00 24 B4 11 D3 36 2D E0 B3 5F 1B
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2014-12-09 16:16:30
Entry Point 0x00002E18
Number of sections 4
PE sections
Overlays
MD5 0c6abf21ffcab8835721c7f18e22f54e
File type data
Offset 81408
Size 6784
Entropy 7.53
PE imports
RegCreateKeyExW
RegCloseKey
RegQueryValueExW
GetLastError
IsValidCodePage
HeapFree
GetStdHandle
EnterCriticalSection
GetConsoleOutputCP
SetHandleCount
GetConsoleCP
GetOEMCP
QueryPerformanceCounter
IsDebuggerPresent
HeapAlloc
TlsAlloc
GetEnvironmentStringsW
FlushFileBuffers
GetModuleFileNameA
RtlUnwind
LoadLibraryA
FreeEnvironmentStringsA
DeleteCriticalSection
GetCurrentProcess
GetEnvironmentStrings
GetConsoleMode
GetLocaleInfoA
GetCurrentProcessId
LCMapStringW
GetCPInfo
UnhandledExceptionFilter
TlsGetValue
MultiByteToWideChar
HeapSize
GetTickCount
FreeEnvironmentStringsW
InitializeCriticalSectionAndSpinCount
GetCommandLineA
GetProcAddress
GetStringTypeA
GetFileType
SetStdHandle
SetFilePointer
RaiseException
WideCharToMultiByte
TlsFree
GetModuleHandleA
SetUnhandledExceptionFilter
WriteFile
GetStartupInfoA
CloseHandle
GetSystemTimeAsFileTime
GetACP
HeapReAlloc
GetStringTypeW
GetModuleHandleW
TerminateProcess
LCMapStringA
WriteConsoleA
InitializeCriticalSection
HeapCreate
CreateProcessW
InterlockedDecrement
Sleep
SetLastError
VirtualFree
TlsSetValue
CreateFileA
ExitProcess
GetCurrentThreadId
InterlockedIncrement
VirtualAlloc
WriteConsoleW
LeaveCriticalSection
ShellExecuteW
PathFileExistsW
PathGetArgsW
PathIsDirectoryW
MessageBoxW
Number of PE resources by type
RT_MANIFEST 1
Number of PE resources by language
ENGLISH US 1
PE resources
Debug information
ExifTool file metadata
MIMEType application/octet-stream
Subsystem Windows GUI
MachineType Intel 386 or later, and compatibles
TimeStamp 2014:12:09 17:16:30+01:00
FileType Win32 EXE
PEType PE32
CodeSize 61952
LinkerVersion 9.0
ImageFileCharacteristics No relocs, Executable, 32-bit
FileTypeExtension exe
InitializedDataSize 18432
SubsystemVersion 5.0
EntryPoint 0x2e18
OSVersion 5.0
ImageVersion 0.0
UninitializedDataSize 0
File identification
MD5 3abc835f5fd1efb59a16e7b14a129536
SHA1 294c3ed75481eec95f86a8945e9908097c4f25f9
SHA256 002beda2973521958ca83848b483aae1b9914391ad8b6c575843f6d5a65ac66c
ssdeep 1536:pR2k8+KZLvvoGDd2sCfqu436lBVZxnPy3+LG5gRNE:poz9f0qrKrLLG5go
authentihash 0c90da0461bfa31f299dff529bb479b9fa252fd2ad25bcaf7f862739c8c4f0b5
imphash f4f76ee7fd7311a49aedda549ac442f9
File size 86.1 KB ( 88192 bytes )
File type Win32 EXE
Magic literal PE32 executable for MS Windows (GUI) Intel 80386 32-bit
TrID Win32 Executable MS Visual C++ (generic) (41.0%)
Win64 Executable (generic) (36.3%)
Win32 Dynamic Link Library (generic) (8.6%)
Win32 Executable (generic) (5.9%)
OS/2 Executable (generic) (2.6%)
Tags revoked-cert peexe signed overlay
VirusTotal metadata
First submission 2015-02-11 13:12:05 UTC (4 years, 1 month ago)
Last submission 2015-02-11 13:12:05 UTC (4 years, 1 month ago)
File names tools.exe
Advanced heuristic and reputation engines
Symantec reputation Suspicious.Insight
Condensed report! The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.
Opened files
Read files
Created processes
Created mutexes
Opened mutexes
Searched windows
Runtime DLLs
Additional details
The file uses the IsDebuggerPresent Windows API function in order to see whether it is being debugged.
The file sends control codes directly to certain device drivers making use of the DeviceIoControl Windows API function.