× Cookies are disabled! This site requires cookies to be enabled to work properly
SHA256: 013ef768024d486e6116fab11148306734cc98b83a18d686e858b53f7a6f2a15
File name: Updater.exe
Detection ratio: 31 / 64
Analysis date: 2019-02-19 10:06:54 UTC ( 2 months ago )
Antivirus Result Update
Ad-Aware Gen:Application.Imonetize.1 20190219
AhnLab-V3 PUP/Win32.Amonetize.R95993 20190219
Antiy-AVL Trojan/Win32.TSGeneric 20190219
Arcabit Application.Imonetize.1 20190219
Avast Win32:Amonetize-I [PUP] 20190219
AVG FileRepMetagen [PUP] 20190219
BitDefender Gen:Application.Imonetize.1 20190219
CAT-QuickHeal PUA.Amonetizel.Gen 20190218
Cybereason malicious.5949a5 20190109
Cylance Unsafe 20190219
DrWeb Adware.Downware.19088 20190219
eGambit Generic.Adware 20190219
Emsisoft Application.InstallMon (A) 20190219
Endgame malicious (moderate confidence) 20190215
ESET-NOD32 a variant of Win32/Amonetize.I potentially unwanted 20190219
Fortinet Riskware/Amonetize 20190219
GData Gen:Application.Imonetize.1 20190219
Sophos ML heuristic 20181128
K7AntiVirus Adware ( 004c136c1 ) 20190219
K7GW Adware ( 004c136c1 ) 20190219
Malwarebytes PUP.Optional.Amonetize 20190219
Microsoft PUA:Win32/Amonetize 20190219
eScan Gen:Application.Imonetize.1 20190219
NANO-Antivirus Riskware.Win32.Amonetize.egxqmf 20190219
Qihoo-360 Win32/Application.IM.495 20190219
SentinelOne (Static ML) static engine - malicious 20190203
SUPERAntiSpyware PUP.Amonetize/Variant 20190213
Symantec PUA.SwVersionUpdater 20190219
VBA32 BScope.Trojan.Amonetize 20190219
ViRobot Adware.Amonetize.300584 20190219
Webroot Pua.Adware.Amonetize 20190219
Acronis 20190213
AegisLab 20190219
Alibaba 20180921
ALYac 20190219
Avast-Mobile 20190219
Avira (no cloud) 20190219
Babable 20180918
Baidu 20190215
ClamAV 20190218
CMC 20190219
Comodo 20190219
CrowdStrike Falcon (ML) 20181023
Cyren 20190219
F-Secure 20190219
Ikarus 20190219
Jiangmin 20190219
Kaspersky 20190219
Kingsoft 20190219
MAX 20190219
McAfee 20190219
McAfee-GW-Edition 20190219
Palo Alto Networks (Known Signatures) 20190219
Panda 20190218
Rising 20190219
Sophos AV 20190219
Symantec Mobile Insight 20190207
TACHYON 20190219
Tencent 20190219
TheHacker 20190217
TotalDefense 20190219
Trapmine 20190123
Trustlook 20190219
Yandex 20190219
ZoneAlarm by Check Point 20190219
Zoner 20190219
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
Authenticode signature block and FileVersionInfo properties
Copyright
(c) Amonetize ltd., 2012. All rights reserved.

Product Launcher
Original name Updater.exe
Internal name Updater.exe
File version 1.1.3.6
Description Software version updater
Signature verification Signed file, verified signature
Signing date 10:08 PM 1/26/2013
Signers
[+] Amonetize ltd.
Status This certificate or one of the certificates in the certificate chain is not time valid.
Issuer Thawte Code Signing CA - G2
Valid from 11:00 PM 05/14/2012
Valid to 10:59 PM 05/15/2013
Valid usage Code Signing, 1.3.6.1.4.1.311.2.1.22
Algorithm sha1RSA
Thumbprint 5CA5B2591EF403A0C551EC9556A673C31201C5C5
Serial number 47 25 6A 10 E8 98 6C 45 AD 86 92 52 DE 42 04 AC
[+] Thawte Code Signing CA - G2
Status Valid
Issuer thawte Primary Root CA
Valid from 12:00 AM 02/08/2010
Valid to 11:59 PM 02/07/2020
Valid usage Client Auth, Code Signing
Algorithm sha1RSA
Thumbprint 808D62642B7D1C4A9A83FD667F7A2A9D243FB1C7
Serial number 47 97 4D 78 73 A5 BC AB 0D 2F B3 70 19 2F CE 5E
[+] thawte
Status Valid
Issuer thawte Primary Root CA
Valid from 12:00 AM 11/17/2006
Valid to 10:59 PM 07/16/2036
Valid usage Server Auth, Client Auth, Email Protection, Code Signing
Algorithm sha1RSA
Thumbprint 91C6D6EE3E8AC86384E548C299295C756C817B81
Serial number 34 4E D5 57 20 D5 ED EC 49 F4 2F CE 37 DB 2B 6D
Counter signers
[+] Symantec Time Stamping Services Signer - G4
Status Valid
Issuer Symantec Time Stamping Services CA - G2
Valid from 11:00 PM 10/17/2012
Valid to 11:59 PM 12/29/2020
Valid usage Timestamp Signing
Algorithm sha1RSA
Thumbrint 65439929B67973EB192D6FF243E6767ADF0834E4
Serial number 0E CF F4 38 C8 FE BF 35 6E 04 D8 6A 98 1B 1A 50
[+] Symantec Time Stamping Services CA - G2
Status Valid
Issuer Thawte Timestamping CA
Valid from 12:00 AM 12/21/2012
Valid to 11:59 PM 12/30/2020
Valid usage Timestamp Signing
Algorithm sha1RSA
Thumbrint 6C07453FFDDA08B83707C09B82FB3D15F35336B1
Serial number 7E 93 EB FB 7C C6 4E 59 EA 4B 9A 77 D4 06 FC 3B
[+] Thawte Timestamping CA
Status Valid
Issuer Thawte Timestamping CA
Valid from 12:00 AM 01/01/1997
Valid to 11:59 PM 12/31/2020
Valid usage Timestamp Signing
Algorithm md5RSA
Thumbrint BE36A4562FB2EE05DBB3D32323ADF445084ED656
Serial number 00
Packers identified
F-PROT UPX
PEiD UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2013-01-26 21:08:28
Entry Point 0x000A6680
Number of sections 3
PE sections
Overlays
MD5 01bf73f847f0e2d626ddc06db3ad6e91
File type data
Offset 294912
Size 5672
Entropy 7.37
PE imports
BitBlt
GetAdaptersAddresses
VirtualFree
ExitProcess
VirtualProtect
LoadLibraryA
VirtualAlloc
GetProcAddress
VariantCopy
Ord(680)
StrStrIW
VerQueryValueW
WinHttpOpen
CoInitialize
Number of PE resources by type
RT_STRING 2
REGISTRY 2
RT_DIALOG 1
RT_ICON 1
TYPELIB 1
RT_MANIFEST 1
TXTCCR 1
RT_MENU 1
RT_BITMAP 1
RT_VERSION 1
RT_GROUP_ICON 1
Number of PE resources by language
ENGLISH US 13
PE resources
ExifTool file metadata
UninitializedDataSize
397312

LinkerVersion
10.0

ImageVersion
0.0

FileSubtype
0

FileVersionNumber
1.1.3.6

LanguageCode
English (U.S.)

FileFlagsMask
0x003f

FileDescription
Software version updater

ImageFileCharacteristics
Executable, 32-bit

CharacterSet
Unicode

InitializedDataSize
16384

EntryPoint
0xa6680

OriginalFileName
Updater.exe

MIMEType
application/octet-stream

LegalCopyright
(c) Amonetize ltd., 2012. All rights reserved.

FileVersion
1.1.3.6

TimeStamp
2013:01:26 22:08:28+01:00

FileType
Win32 EXE

PEType
PE32

InternalName
Updater.exe

ProductVersion
1.1.3.6

SubsystemVersion
5.1

OSVersion
5.1

FileOS
Windows NT 32-bit

Subsystem
Windows GUI

MachineType
Intel 386 or later, and compatibles

CompanyName
Amonetize ltd.

CodeSize
282624

ProductName
Launcher

ProductVersionNumber
1.1.3.6

FileTypeExtension
exe

ObjectFileType
Executable application

CarbonBlack CarbonBlack acts as a surveillance camera for computers
While monitoring an end-user machine in-the-wild, CarbonBlack noticed the following files in execution wrote this sample to disk.
Compressed bundles
PCAP parents
File identification
MD5 b2442e25949a5ea619a44b2ac213503d
SHA1 e9df6e1c0a52457a70bff7c948fb68a5d9a93747
SHA256 013ef768024d486e6116fab11148306734cc98b83a18d686e858b53f7a6f2a15
ssdeep
6144:t8X4mJkWImgQrORZKz6OPJleizOwdAjLl2VMMfO0X7S+RRTCFv4:KVJkEgQrORwR3bzOwk4fh7bTCFv4

authentihash cac3e97691dbd8a8526a1cecb3f105a6728b86a8c6bdb1ecb482d790ed2beda1
imphash 630d7147b64491948edec61964020e25
File size 293.5 KB ( 300584 bytes )
File type Win32 EXE
Magic literal
PE32 executable for MS Windows (GUI) Intel 80386 32-bit

TrID Win64 Executable (generic) (28.0%)
UPX compressed Win32 Executable (27.5%)
Win32 EXE Yoda's Crypter (27.0%)
Win32 Dynamic Link Library (generic) (6.6%)
Win32 Executable (generic) (4.5%)
Tags
peexe signed upx overlay

VirusTotal metadata
First submission 2013-01-27 13:53:09 UTC ( 6 years, 2 months ago )
Last submission 2018-05-20 17:39:25 UTC ( 11 months, 1 week ago )
File names e9df6e1c0a52457a70bff7c948fb68a5d9a93747
013EF768024D486E6116FAB11148306734CC98B83A18D686E858B53F7A6F2A15
b2442e25949a5ea619a44b2ac213503d
Updater.exe
updater.exe
nutharlmdimajxd_updater.exe
file-5138837_exe
Updater.exe
updater.exee
UpdUninstall.exe
a
B2442E25949A5EA619A44B2AC213503D_Updater.exe.ViR
b2442e25949a5ea619a44b2ac213503d013ef768024d486e6116fab11148306734cc98b83a18d686e858b53f7a6f2a152896040000000000
Updater.exe.x-msdownload
b2442e25949a5ea619a44b2ac213503d.exe
24185aaf-116f-718d-30f4-58a80b92598b_1d2475230602484
Advanced heuristic and reputation engines
ClamAV
Possibly Unwanted Application. While not necessarily malicious, the scanned file presents certain characteristics which depending on the user policies and environment may or may not represent a threat. For full details see: https://www.clamav.net/documents/potentially-unwanted-applications-pua .

No comments. No VirusTotal Community member has commented on this item yet, be the first one to do so!

Leave your comment...

?
Post comment

You have not signed in. Only registered users can leave comments, sign in and have a voice!

No votes. No one has voted on this item yet, be the first one to do so!
Condensed report! The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.
Opened files
Read files
Set keys
Created mutexes
Opened mutexes
Opened service managers
Opened services
Runtime DLLs
Additional details
The file sends control codes directly to certain device drivers making use of the DeviceIoControl Windows API function.