SHA256: 0121c35c6e7729eb069b99363d1ca1bbbde03b7ce1edb316aaaafe0023180521
File name: diff.exe
Detection ratio: 1 / 60
Analysis date: 2017-04-30 21:17:10 UTC ( 1 year, 9 months ago )
Antivirus                               Result (blank = no detection)   Update
TheHacker                               Posible_Worm32                  20170429
Ad-Aware                                                                20170430
AegisLab                                                                20170430
AhnLab-V3                                                               20170430
Alibaba                                                                 20170428
ALYac                                                                   20170430
Arcabit                                                                 20170430
Avast                                                                   20170430
AVG                                                                     20170430
Avira (no cloud)                                                        20170430
AVware                                                                  20170430
Baidu                                                                   20170428
BitDefender                                                             20170430
Bkav                                                                    20170428
CAT-QuickHeal                                                           20170430
ClamAV                                                                  20170430
CMC                                                                     20170427
Comodo                                                                  20170430
CrowdStrike Falcon (ML)                                                 20170130
Cyren                                                                   20170430
DrWeb                                                                   20170430
Emsisoft                                                                20170430
Endgame                                                                 20170419
ESET-NOD32                                                              20170430
F-Prot                                                                  20170430
F-Secure                                                                20170430
Fortinet                                                                20170430
GData                                                                   20170430
Ikarus                                                                  20170430
Sophos ML                                                               20170413
Jiangmin                                                                20170428
K7AntiVirus                                                             20170430
K7GW                                                                    20170426
Kaspersky                                                               20170430
Kingsoft                                                                20170430
Malwarebytes                                                            20170430
McAfee                                                                  20170430
McAfee-GW-Edition                                                       20170430
Microsoft                                                               20170430
eScan                                                                   20170430
NANO-Antivirus                                                          20170430
nProtect                                                                20170430
Palo Alto Networks (Known Signatures)                                   20170430
Panda                                                                   20170430
Qihoo-360                                                               20170430
Rising                                                                  20170430
SentinelOne (Static ML)                                                 20170330
Sophos AV                                                               20170430
SUPERAntiSpyware                                                        20170430
Symantec                                                                20170430
Symantec Mobile Insight                                                 20170428
Tencent                                                                 20170430
TotalDefense                                                            20170426
TrendMicro                                                              20170430
TrendMicro-HouseCall                                                    20170430
Trustlook                                                               20170430
VBA32                                                                   20170429
VIPRE                                                                   20170430
ViRobot                                                                 20170430
WhiteArmor                                                              20170409
Yandex                                                                  20170428
Zillya                                                                  20170428
ZoneAlarm by Check Point                                                20170430
Zoner                                                                   20170430
The file being studied is a Portable Executable (PE) file. More specifically, it is a Win32 EXE for the Windows command line (console) subsystem.
Packers identified
F-PROT UPX
PEiD UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser
UPX is a legitimate open-source executable packer, so a UPX-packed binary is not by itself evidence of malicious intent; it does, however, hide the real import table and code from static scanners, which is what the sections below reflect.
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2001-02-05 10:22:52 (UTC)
Entry Point 0x000159D0
Number of sections 3
PE sections
PE imports
LoadLibraryA
ExitProcess
GetProcAddress
Only three KERNEL32 exports are imported statically. That is the minimal set a UPX decompression stub needs: it resolves the original program's imports itself at run time with LoadLibraryA and GetProcAddress, so the static import table says nothing about what the unpacked program actually calls.
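The header fields above (machine, timestamp, entry point, section count, linker version, subsystem, characteristics) are all read from fixed offsets in the PE headers, and the packer verdict comes from looking at how the sections are laid out. The following script is an added example, not VirusTotal's code and not part of the sample: it is a minimal PE32 header parser that reproduces those fields and flags the usual UPX layout indicators. Because the report's own section table is empty, build_header() constructs a header-only PE32 image carrying the page's values, and the three section descriptors (UPX0 / UPX1 / .rsrc with assumed sizes) are an assumption chosen to match a typical UPX layout, not data taken from the real diff.exe.

```python
"""Minimal PE32 header parser plus UPX layout heuristic (added example)."""
import calendar
import struct
import time

IMAGE_FILE_CHARACTERISTICS = {
    0x0001: "No relocs", 0x0002: "Executable", 0x0004: "No line numbers",
    0x0008: "No symbols", 0x0100: "32-bit",
}
SUBSYSTEMS = {2: "Windows GUI", 3: "Windows command line"}
MACHINES = {0x14C: "Intel 386 or later processors and compatible processors"}
IMAGE_SCN_MEM_WRITE = 0x80000000


def build_header():
    """Constructed header-only PE32 image with the report's header values.
    Section descriptors are an ASSUMPTION (typical UPX0/UPX1/.rsrc layout)."""
    ts = calendar.timegm((2001, 2, 5, 10, 22, 52))  # 2001-02-05 10:22:52 UTC
    e_lfanew = 0x80
    dos = (b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\x00")
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (0x010F = the five flags above)
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 3, ts, 0, 0, 0xE0, 0x010F)
    # IMAGE_OPTIONAL_HEADER32 up to Subsystem; remainder zero-padded to 0xE0 bytes
    opt = struct.pack("<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "H",
                      0x10B, 2, 55,                      # PE32 magic, linker 2.55
                      32768, 4096, 53248,                # code / init data / uninit data sizes
                      0x159D0, 0xE000, 0x16000,          # entry point, BaseOfCode, BaseOfData (assumed)
                      0x400000, 0x1000, 0x200,           # ImageBase, SectionAlignment, FileAlignment
                      4, 0, 1, 0, 4, 0,                  # OS 4.0, image 1.0, subsystem 4.0
                      0, 0x17000, 0x1000, 0,             # Win32VersionValue, SizeOfImage, SizeOfHeaders, CheckSum
                      3).ljust(0xE0, b"\x00")            # Subsystem 3 = console
    sec_fmt = "<8sIIIIIIHHI"  # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, ...
    sections = (
        struct.pack(sec_fmt, b"UPX0", 0xD000, 0x1000, 0, 0x400, 0, 0, 0, 0, 0xE0000080)
        + struct.pack(sec_fmt, b"UPX1", 0x8000, 0xE000, 0x7A00, 0x400, 0, 0, 0, 0, 0xE0000040)
        + struct.pack(sec_fmt, b".rsrc", 0x1000, 0x16000, 0x200, 0x7E00, 0, 0, 0, 0, 0xC0000040)
    )
    return dos + b"PE\x00\x00" + file_hdr + opt + sections


def parse_pe(data):
    """Read the fields the report calls 'PE header basic information'."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    fh = e_lfanew + 4
    machine, nsec, ts, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, fh)
    opt = fh + 20
    magic, maj_lnk, min_lnk, size_code, size_idata, size_udata, entry = struct.unpack_from("<HBBIIII", data, opt)
    if magic != 0x10B:
        raise ValueError("not a PE32 optional header")
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]
    sections, off = [], opt + opt_size
    for _ in range(nsec):
        name, vsize, va, rawsize, rawptr, _, _, _, _, sec_chars = struct.unpack_from("<8sIIIIIIHHI", data, off)
        sections.append({"name": name.rstrip(b"\x00").decode("ascii", "replace"), "vsize": vsize,
                         "va": va, "rawsize": rawsize, "rawptr": rawptr, "chars": sec_chars})
        off += 40
    return {
        "machine": MACHINES.get(machine, hex(machine)),
        "timestamp": time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(ts)),
        "entry_point": entry,
        "num_sections": nsec,
        "linker_version": f"{maj_lnk}.{min_lnk}",
        "code_size": size_code,
        "initialized_data_size": size_idata,
        "uninitialized_data_size": size_udata,
        "subsystem": SUBSYSTEMS.get(subsystem, str(subsystem)),
        "characteristics": [n for bit, n in IMAGE_FILE_CHARACTERISTICS.items() if chars & bit],
        "sections": sections,
    }


def upx_layout_hints(pe):
    """Heuristic UPX indicators (section names are trivially renamed, so treat as hints, not proof)."""
    hints = []
    if any(s["name"].startswith("UPX") for s in pe["sections"]):
        hints.append("section names UPX0/UPX1")
    first = pe["sections"][0]
    if first["rawsize"] == 0 and first["vsize"] > 0:
        hints.append("first section has no raw data (unpacking target)")
    ep = pe["entry_point"]
    ep_sec = next((s for s in pe["sections"] if s["va"] <= ep < s["va"] + s["vsize"]), None)
    if ep_sec is not None and ep_sec is not first and ep_sec["chars"] & IMAGE_SCN_MEM_WRITE:
        hints.append(f"entry point {ep:#x} lies in writable section {ep_sec['name']}")
    return hints


if __name__ == "__main__":
    info = parse_pe(build_header())
    for key, value in info.items():
        print(f"{key}: {value}")
    print("UPX hints:", upx_layout_hints(info))
```

To run it against the real sample rather than the constructed header, call parse_pe(open("diff.exe", "rb").read()); the sections list will then show the sample's actual layout, which this page does not reproduce. The entry point 0x159D0 sits above the 53248-byte (0xD000) uninitialized region that begins at RVA 0x1000, which is why the decompression stub is placed in the second section under the assumed layout.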
ExifTool file metadata
MIMEType: application/octet-stream
Subsystem: Windows command line
MachineType: Intel 386 or later, and compatibles
FileTypeExtension: exe
TimeStamp: 2001:02:05 11:22:52+01:00
FileType: Win32 EXE
PEType: PE32
CodeSize: 32768
LinkerVersion: 2.55
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
EntryPoint: 0x159d0
InitializedDataSize: 4096
SubsystemVersion: 4.0
ImageVersion: 1.0
OSVersion: 4.0
UninitializedDataSize: 53248

Execution parents
Compressed bundles
File identification
MD5 39737d6d7da0c9a0df6400237c886de4
SHA1 12ef3aa2627353855079233e881e7058b907f649
SHA256 0121c35c6e7729eb069b99363d1ca1bbbde03b7ce1edb316aaaafe0023180521
ssdeep 768:y1tYxlL+qK3tOXaKFuvtyVzGDRY5XP7WHW9:mtYxR9K3wXhuv9dYR7WH
authentihash 45b57526787f3fa403e05d207e433a563935aa0a6b46d47f80f4ddaffdc35006
imphash 198217f39a1b31368681bed82723db34
File size 32.0 KB ( 32768 bytes )
File type Win32 EXE
Magic literal PE32 executable for MS Windows (console) Intel 80386 32-bit
TrID UPX compressed Win32 Executable (38.2%)
Win32 EXE Yoda's Crypter (37.5%)
Win32 Dynamic Link Library (generic) (9.2%)
Win32 Executable (generic) (6.3%)
OS/2 Executable (generic) (2.8%)
Tags peexe upx
VirusTotal metadata
First submission 2010-04-04 11:51:08 UTC ( 8 years, 10 months ago )
Last submission 2015-12-02 21:02:46 UTC ( 3 years, 2 months ago )
File names (one entry per submission; 16 submissions in total)
diff.exe (12 submissions)
is-l7d3n.tmp
0121C35C6E7729EB069B99363D1CA1BBBDE03B7CE1EDB316AAAAFE0023180521
39737d6d7da0c9a0df6400237c886de4
file-5092320_exe
The is-l7d3n.tmp name follows the is-XXXXX.tmp pattern Inno Setup uses for files it extracts into its temporary directory during installation, so at least one submission came from an installer run rather than from the file being downloaded directly.
Advanced heuristic and reputation engines
ClamAV
Possibly Unwanted Application. While not necessarily malicious, the scanned file presents certain characteristics which depending on the user policies and environment may or may not represent a threat. For full details see: https://www.clamav.net/documents/potentially-unwanted-applications-pua .

Symantec reputation Suspicious.Insight