SHA256: 0979c745740bf09e1ad53fd5e15b0753a6be6493cadbad9b94781e013b440155
File name: .
Detection ratio: 46 / 56
Analysis date: 2016-09-06 02:17:19 UTC
Antivirus Result Update
Ad-Aware Gen:Variant.Adware.PCMega.4 20160906
AegisLab Backdoor.W32.Zaccess!c 20160906
AhnLab-V3 PUP/Win32.Adload.R112161 20160905
ALYac Gen:Variant.Adware.PCMega.4 20160906
Antiy-AVL Trojan[Downloader:not-a-virus]/Win32.Agent.bvtd 20160906
Avast Win32:Downloader-UDX [PUP] 20160906
AVG Midia.691 20160906
Avira (no cloud) ADWARE/Adware.Gen 20160905
AVware Trojan.Win32.Generic!BT 20160906
Baidu Win32.Trojan.WisdomEyes.151026.9950.9994 20160905
BitDefender Gen:Variant.Adware.PCMega.4 20160906
Bkav W32.HfsAdware.9E97 20160905
CAT-QuickHeal Backdoor.ZAccess 20160904
ClamAV Win.Adware.Agent-1142907 20160906
Comodo Application.Win32.PCMega.L 20160905
CrowdStrike Falcon (ML) malicious_confidence_100% (D) 20160725
Cyren W32/A-a0a8885e!Eldorado 20160906
DrWeb Trojan.Fraudster.1464 20160906
Emsisoft Gen:Variant.Adware.PCMega.4 (B) 20160906
ESET-NOD32 a variant of Win32/AdWare.Midia.A 20160906
F-Prot W32/A-a0a8885e!Eldorado 20160906
F-Secure Gen:Variant.Adware.PCMega 20160906
Fortinet Adware/PCMega.J 20160906
GData Gen:Variant.Adware.PCMega.4 20160906
Ikarus not-a-virus:Downloader.Agent 20160905
Sophos ML virus.win32.sality.at 20160830
K7AntiVirus Adware ( 004ae5491 ) 20160905
K7GW Adware ( 004ae5491 ) 20160906
Kaspersky Backdoor.Win32.ZAccess.feev 20160906
Malwarebytes PUP.Optional.PCMega 20160906
McAfee Artemis!DD3424F98AF2 20160906
McAfee-GW-Edition BehavesLike.Win32.Midia.fc 20160906
Microsoft SoftwareBundler:Win32/Fourthrem 20160906
eScan Gen:Variant.Adware.PCMega.4 20160906
nProtect Trojan/W32.Agent.390688 20160906
Panda Trj/Downloader.VPT 20160905
Qihoo-360 HEUR/QVM11.1.Malware.Gen 20160906
Rising Malware.Heuristic!ET (rdm+) 20160906
Sophos AV PCMega (PUA) 20160906
SUPERAntiSpyware Trojan.Agent/Gen-Downloader 20160905
Symantec Downloader 20160906
TheHacker Trojan/Downloader.Agent.ryh 20160905
VIPRE Trojan.Win32.Generic!BT 20160831
ViRobot Backdoor.Win32.A.ZAccess.394869[UPX][h] 20160906
Yandex PUA.AdLoad! 20160905
Zillya Adware.AdLoadCRT.Win32.110 20160905
Undetected by the remaining 10 engines (the date is the definition version each engine used in this scan):
Alibaba 20160905
Arcabit 20160906
CMC 20160905
Jiangmin 20160906
Kingsoft 20160906
NANO-Antivirus 20160906
Tencent 20160906
TrendMicro 20160906
TrendMicro-HouseCall 20160906
VBA32 20160905
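The table above is a good illustration of why a single vendor label is not a family attribution: eleven engines name an adware bundler (PCMega), four name the ZAccess backdoor, three say Midia, and several only give a generic downloader or PUA verdict. The script below is an added example, not part of the VirusTotal report, of how a triage tool normalises such labels into a per-family and per-category vote. The GENERIC word list, the category token sets and the variant-suffix heuristic are my own assumptions, and SAMPLE_ROWS is a subset of the rows above.

```python
"""Family and category consensus from AV labels, as a triage script would
summarise a detection table instead of trusting any single vendor's name."""
import re
from collections import Counter

# Tokens that name a detection class or a vendor's generic bucket, not a family.
# Assumption: this list is hand-picked for the labels seen on this page.
GENERIC = {
    "gen", "variant", "generic", "heur", "heuristic", "malware", "malicious",
    "adware", "pup", "pua", "optional", "application", "softwarebundler",
    "trojan", "backdoor", "downloader", "virus", "agent", "artemis", "eldorado",
    "behaveslike", "fraudster", "not", "cloud", "upx", "confidence", "trj",
}

# Detection class per vendor, decided by the first matching token in its label.
CATEGORY_TOKENS = {
    "pua": {"adware", "pup", "pua", "application", "softwarebundler", "optional"},
    "backdoor": {"backdoor"},
    "trojan": {"trojan", "trj", "downloader", "virus"},
}

# Subset of the detection rows from the report above (vendor, label).
SAMPLE_ROWS = [
    ("Ad-Aware", "Gen:Variant.Adware.PCMega.4"),
    ("AegisLab", "Backdoor.W32.Zaccess!c"),
    ("AhnLab-V3", "PUP/Win32.Adload.R112161"),
    ("AVG", "Midia.691"),
    ("Avira", "ADWARE/Adware.Gen"),
    ("BitDefender", "Gen:Variant.Adware.PCMega.4"),
    ("CAT-QuickHeal", "Backdoor.ZAccess"),
    ("Comodo", "Application.Win32.PCMega.L"),
    ("ESET-NOD32", "a variant of Win32/AdWare.Midia.A"),
    ("Fortinet", "Adware/PCMega.J"),
    ("Kaspersky", "Backdoor.Win32.ZAccess.feev"),
    ("Malwarebytes", "PUP.Optional.PCMega"),
    ("McAfee", "Artemis!DD3424F98AF2"),
    ("Microsoft", "SoftwareBundler:Win32/Fourthrem"),
    ("Sophos AV", "PCMega (PUA)"),
    ("Sophos ML", "virus.win32.sality.at"),
    ("Symantec", "Downloader"),
    ("Yandex", "PUA.AdLoad!"),
    ("ViRobot", "Backdoor.Win32.A.ZAccess.394869[UPX][h]"),
]


def label_tokens(label):
    """Split a vendor label on every separator vendors use (. / : ! [ ] space)."""
    return re.findall(r"[A-Za-z0-9]+", label)


def family_candidates(label):
    """Tokens left after dropping generic words, short tokens and anything that
    contains a digit (hashes, variant numbers). A trailing short token after a
    real family name is treated as a variant suffix ('ZAccess.feev' -> 'zaccess')."""
    cands = [t.lower() for t in label_tokens(label)
             if len(t) >= 3 and t.lower() not in GENERIC
             and not any(c.isdigit() for c in t)]
    if len(cands) > 1 and len(cands[-1]) <= 4:
        cands = cands[:-1]
    return set(cands)


def category(label):
    """Detection class of a label, or 'unclassified' when it names no class."""
    for t in (t.lower() for t in label_tokens(label)):
        for name, toks in CATEGORY_TOKENS.items():
            if t in toks:
                return name
    return "unclassified"


def consensus(rows):
    """rows: iterable of (vendor, label). One vote per vendor per family and class."""
    families, categories = Counter(), Counter()
    for _vendor, label in rows:
        for fam in family_candidates(label):
            families[fam] += 1
        categories[category(label)] += 1
    return {"families": families, "categories": categories}


if __name__ == "__main__":
    result = consensus(SAMPLE_ROWS)
    print(result["families"].most_common())
    print(result["categories"].most_common())
```

On the subset the vote is pcmega 6, zaccess 4, midia 2, adload 2, with 11 vendors classing the file as PUA and 4 as a backdoor. The point of counting rather than picking the most alarming label is that the disagreement itself is the finding: ZAccess is a rootkit family, PCMega an install-bundler, and a sample that triggers both deserves unpacking before anyone writes "ZeroAccess" in a ticket.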
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
Authenticode signature block and FileVersionInfo properties
Copyright © .
Product .
Original name download.exe
Internal name .
File version 1.0.0
Description .
Signature verification Certificate out of its validity period. The signer certificate (issued under Certum's open-source developer code-signing programme) was valid only from 4/10/2013 to 4/10/2014; an Authenticode signature survives certificate expiry only when a trusted countersignature timestamp proves the signing happened inside that window, and this report shows none, so the signature is no longer time-valid.
Signers
[+] Open Source Developer
Status This certificate or one of the certificates in the certificate chain is not time valid.
Issuer Certum Level III CA
Valid from 8:02 AM 4/10/2013
Valid to 8:02 AM 4/10/2014
Valid usage Code Signing
Algorithm sha1RSA
Thumbprint 3EF72909166F21C7B7B0273CD592B88B3728C862
Serial number 0B C9 F9 E0 A6 8B 1D BD B6 DE 42 AF 15 70 76 6A
[+] Certum Level III CA
Status Valid
Issuer Certum CA
Valid from 1:53 PM 3/3/2009
Valid to 1:53 PM 3/3/2024
Valid usage All
Algorithm sha1RSA
Thumbprint 827E72353D6910A9DEC7F3D1061676E80356FD53
Serial number 04 7A 53
[+] Certum
Status Valid
Issuer Certum CA
Valid from 11:46 AM 6/11/2002
Valid to 11:46 AM 6/11/2027
Valid usage Server Auth, Client Auth, Email Protection, Code Signing, Timestamp Signing, OCSP Signing
Algorithm sha1RSA
Thumbprint 6252DC40F71143A22FDE9EF7348E064251B18118
Serial number 01 00 20
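The certificate block gives every date needed to reason about time validity, and two of them conflict with the PE header: the binary's compile timestamp (2009-05-06) is four years before the certificate's NotBefore (2013-04-10). The script below is an added example, not code from VirusTotal, that applies the Authenticode time-validity rule to these dates and lists the timestamp anomalies a reviewer should raise. The report states no time zone for the certificate dates, so they are taken as UTC (an assumption), it lists no countersignature, so none is assumed, and revocation and the lifetime-signing EKU are out of scope.

```python
"""Authenticode time-validity triage using only the dates a report lists."""
from datetime import datetime, timezone


def utc(y, mo, d, h=0, mi=0, s=0):
    """Build a timezone-aware UTC datetime."""
    return datetime(y, mo, d, h, mi, s, tzinfo=timezone.utc)


def signature_time_valid(not_before, not_after, at, countersign_time=None):
    """Authenticode keeps a signature valid after the signing certificate expires
    only if a trusted countersignature (RFC 3161 or legacy Authenticode timestamp)
    proves the signing happened inside the certificate window. Without one,
    validity is judged at the verification time `at`."""
    if countersign_time is not None:
        return not_before <= countersign_time <= not_after
    return not_before <= at <= not_after


def timestamp_anomalies(not_before, not_after, compile_time, first_seen):
    """Cross-check the PE compile timestamp and first sighting against the
    certificate window; each string is a finding for the reviewer."""
    findings = []
    if compile_time < not_before:
        findings.append("compile timestamp predates certificate NotBefore")
    if compile_time > first_seen:
        findings.append("compile timestamp is later than first sighting (clock skew or forged stamp)")
    if first_seen > not_after:
        findings.append("first sighting already after certificate expiry")
    return findings


def triage_report_sample():
    """The dates from the report above, taken as UTC (assumption), with no
    countersignature (the report lists none)."""
    not_before = utc(2013, 4, 10, 8, 2)
    not_after = utc(2014, 4, 10, 8, 2)
    compile_time = utc(2009, 5, 6, 17, 23, 44)
    first_seen = utc(2013, 8, 9, 12, 30, 37)
    analysed = utc(2016, 9, 6, 2, 17, 19)
    return {
        "valid_when_first_seen": signature_time_valid(not_before, not_after, first_seen),
        "valid_at_analysis": signature_time_valid(not_before, not_after, analysed),
        # What a countersignature taken at first sighting would have preserved.
        "valid_if_countersigned_at_first_seen": signature_time_valid(
            not_before, not_after, analysed, countersign_time=first_seen),
        "anomalies": timestamp_anomalies(not_before, not_after, compile_time, first_seen),
    }


if __name__ == "__main__":
    for key, value in triage_report_sample().items():
        print(f"{key}: {value}")
```

For this sample the signature was time-valid when the file was first submitted in August 2013 and invalid by the 2016 analysis; a countersignature at submission time would have kept it valid, which is exactly why signing pipelines timestamp. The compile-before-NotBefore finding does not prove anything on its own (old code can be signed late), but combined with UPX packing and the empty version strings it is the kind of inconsistency that justifies unpacking rather than trusting the signer name.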
Packers identified
F-PROT UPX
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2009-05-06 17:23:44 (UTC; the same instant ExifTool reports as 18:23:44+01:00. This is four years before the signing certificate's NotBefore date, so either the binary was signed long after it was built or the timestamp is not genuine.)
Entry Point 0x000FC6C0
Number of sections 3
PE sections
Overlays
MD5 654615d4de5e8ed6ce4eaa071c6bfbd4
File type data
Offset 385536
Size 5152
Entropy 7.32
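The overlay numbers are worth checking rather than reading: 385536 + 5152 = 390688, the reported file size, so the overlay runs exactly to end of file, and an entropy of 7.32 over 5152 bytes means the appended data is compressed or encrypted rather than text or padding. The script below is an added example, not VirusTotal's code, of how a triage tool derives those values itself from the PE section table with only the standard library. The one-section PE it builds for testing is constructed here and is not the sample; the section name and layout are assumptions, and the compile timestamp and entry point are set to the values this report shows so the decoding can be checked against them.

```python
"""Overlay and header triage for a PE file, using only the standard library."""
import math
import struct
from datetime import datetime, timezone


def shannon_entropy(buf: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for constant data, 8.0 for uniform."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def pe_triage(data: bytes) -> dict:
    """Parse the COFF header and section table and locate any overlay.

    The overlay starts where the last section's raw data ends; a raw-data end
    beyond EOF means the file is truncated, which is reported instead of a
    negative overlay size. Raises ValueError on non-PE input.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    machine, nsect, tstamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    (entry_rva,) = struct.unpack_from("<I", data, opt + 16)   # AddressOfEntryPoint
    sect_table = opt + opt_size
    data_end = 0
    for i in range(nsect):
        _, _, _, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, sect_table + 40 * i)
        data_end = max(data_end, raw_ptr + raw_size)
    truncated = data_end > len(data)
    overlay = b"" if truncated else data[data_end:]
    return {
        "machine": machine,
        "compile_time_utc": datetime.fromtimestamp(tstamp, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
        "entry_point": entry_rva,
        "sections": nsect,
        "truncated": truncated,
        "overlay_offset": min(data_end, len(data)),
        "overlay_size": len(overlay),
        "overlay_entropy": round(shannon_entropy(overlay), 2),
    }


def overlay_consistent(offset: int, size: int, file_size: int) -> bool:
    """The check to apply to a report's numbers: the overlay must end exactly at EOF."""
    return offset + size == file_size


def build_sample_pe(overlay: bytes) -> bytes:
    """Constructed minimal PE32 with one section, for offline testing only (not the sample)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                     # e_lfanew
    # TimeDateStamp 0x4A01C7A0 = 2009-05-06 17:23:44 UTC, the value this report shows.
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0x4A01C7A0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                       # PE32 magic
    struct.pack_into("<I", opt, 16, 0xFC6C0)                    # entry point, as reported
    section = struct.pack("<8sIIII", b"UPX1", 0x1000, 0x1000, 1024, 512) + bytes(16)
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + section).ljust(512, b"\0")
    return headers + bytes(1024) + overlay


if __name__ == "__main__":
    print(pe_triage(build_sample_pe(bytes(range(256)) * 2)))
    print(overlay_consistent(385536, 5152, 390688))
```

Run against the real file, `pe_triage` should reproduce the report's offset, size and entropy; if it does not, the section table was modified after packing, which is itself a finding. The report's own values pass `overlay_consistent`, and the `truncated` flag covers the common case of a sample captured mid-download, where the last section claims more bytes than exist.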
PE imports (the UPX stub's table, not the program's: a packed binary imports only what the loader stub needs, VirtualAlloc, VirtualProtect, LoadLibraryA, GetProcAddress, plus one function per DLL the original depends on; the real import table is only visible after unpacking, e.g. with `upx -d` if the header has not been modified)
RegEnumKeyA
InitCommonControlsEx
Escape
VirtualFree
ExitProcess
VirtualProtect
LoadLibraryA
VirtualAlloc
GetProcAddress
VariantCopy
SHGetMalloc
PathIsUNCA
FreeContextBuffer
OpenPrinterA
GetFileTitleA
CoTaskMemFree
Number of PE resources by type
RT_STRING 65
RT_DIALOG 35
RT_CURSOR 17
RT_GROUP_CURSOR 16
RT_BITMAP 6
RT_ICON 5
RT_MANIFEST 1
RT_ACCELERATOR 1
RT_VERSION 1
RT_GROUP_ICON 1
Number of PE resources by language
PORTUGUESE BRAZILIAN 147
ENGLISH US 1
PE resources
ExifTool file metadata
SubsystemVersion 4.0
LinkerVersion 8.0
ImageVersion 0.0
FileSubtype 0
FileVersionNumber 1.0.7.1
UninitializedDataSize 667648
LanguageCode Portuguese (Brazilian)
FileFlagsMask 0x003f
CharacterSet Windows, Latin1
InitializedDataSize 24576
EntryPoint 0xfc6c0
OriginalFileName download.exe
MIMEType application/octet-stream
LegalCopyright .
FileVersion 1.0.0
TimeStamp 2009:05:06 18:23:44+01:00
FileType Win32 EXE
PEType PE32
InternalName .
ProductVersion 1.0.0
FileDescription .
OSVersion 4.0
FileOS Win32
Subsystem Windows GUI
MachineType Intel 386 or later, and compatibles
CompanyName .
CodeSize 364544
ProductName .
ProductVersionNumber 1.0.7.1
FileTypeExtension exe
ObjectFileType Executable application
Note that the numeric FileVersionNumber and ProductVersionNumber (1.0.7.1, from the binary VS_FIXEDFILEINFO block) disagree with the FileVersion and ProductVersion strings (1.0.0); the two are stored separately in the version resource, so the mismatch is a sign of hand-edited or tool-generated version info rather than a build system filling both. The large UninitializedDataSize relative to CodeSize is consistent with a UPX layout, where the first section reserves the space the unpacked image will occupy.
File identification
MD5 dd3424f98af2ccd88330814a886dcdbb
SHA1 7c0e925a71d1d02bfe6347359df449e9b861ef7d
SHA256 0979c745740bf09e1ad53fd5e15b0753a6be6493cadbad9b94781e013b440155
ssdeep 6144:Ufxjxvjpe238JMJRMVkvkcyc65DECBe2UQB343iTYOGQKnO+3sxbOs3:UfnbsJiRQf9VnBe2U8ISUZQB+3sxbX3
authentihash 12440330dfbfc31d95939f44595df869089746f85ab91f4336cc04bb3d963e38
imphash 7fbc84ae33c5cb1e7584b1e84d28f778
File size 381.5 KB ( 390688 bytes )
File type Win32 EXE
Magic literal PE32 executable for MS Windows (GUI) Intel 80386 32-bit
TrID UPX compressed Win32 Executable (30.6%)
Win64 Executable (generic) (27.6%)
Win32 EXE Yoda's Crypter (26.6%)
Win32 Dynamic Link Library (generic) (6.5%)
Win32 Executable (generic) (4.5%)
Tags peexe signed upx overlay

VirusTotal metadata
First submission 2013-08-09 12:30:37 UTC
Last submission 2016-09-06 02:17:19 UTC
File names DD3424F98AF2CCD88330814A886DCDBB.VIR
0979c745740bf09e1ad53fd5e15b0753a6be6493cadbad9b94781e013b440155
download.exe
vt-upload-XQiKN
7C0E925A71D1D02BFE6347359DF449E9B861EF7D.exe
vt-upload-tQ4cx
.
DD3424F98AF2CCD88330814A886DCDBB.vir
7c0e925a71d1d02bfe6347359df449e9b861ef7d
vt-upload-4OvUt
vt-upload-B5Yy4
Advanced heuristic and reputation engines
ClamAV
Possibly Unwanted Application. While not necessarily malicious, the scanned file presents certain characteristics which depending on the user policies and environment may or may not represent a threat. For full details see: https://www.clamav.net/documents/potentially-unwanted-applications-pua .

Symantec reputation Suspicious.Insight
Condensed report! The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.
Opened files
Read files
Written files
Copied files
Moved files
Deleted files
Set keys
Created mutexes
Hooking activity
Runtime DLLs
Additional details
The file sends control codes directly to certain device drivers making use of the DeviceIoControl Windows API function.
The file installs an application-defined hook procedure into a hook chain using the SetWindowsHookEx Windows API function (the older SetWindowsHook entry point is obsolete). A hook procedure monitors the system for certain types of events, scoped either to a specific thread or to all threads on the same desktop as the calling thread. If the hook is global, the DLL that contains the hook procedure is loaded into every process that receives the hooked events, which makes this both an input-monitoring and a code-injection primitive and is why the behaviour is flagged.