SHA256: 180c6035ca44c270b8e1556a7b2e9faf442d1b4323ef6d8e93b7e759af169c96
File name: BitGuard.exe
Detection ratio: 51 / 67
Analysis date: 2018-05-19 14:43:18 UTC ( 6 months ago )
Antivirus Result Update
Ad-Aware Trojan.AgentWDCR.CJV 20180519
AhnLab-V3 Trojan/Win32.Rotbrow.C222465 20180519
ALYac Trojan.AgentWDCR.CJV 20180519
Antiy-AVL Trojan/Win32.AGeneric 20180519
Arcabit Trojan.AgentWDCR.CJV 20180519
Avast Win32:BProtect-F [Trj] 20180519
AVG Win32:BProtect-F [Trj] 20180519
Avira (no cloud) TR/Bprotector.gyesa.3 20180519
AVware Trojan.Win32.Generic!BT 20180519
Baidu Win32.Trojan.WisdomEyes.16070401.9500.9997 20180518
BitDefender Trojan.AgentWDCR.CJV 20180519
CAT-QuickHeal Trojan.Rotbrow.A6 20180519
ClamAV Win.Trojan.Agent-982586 20180519
Comodo UnclassifiedMalware 20180519
Cylance Unsafe 20180519
Cyren W32/Backdoor.XLBM-0682 20180519
DrWeb Adware.BGuard.56 20180519
Emsisoft Trojan.AgentWDCR.CJV (B) 20180519
Endgame malicious (high confidence) 20180507
ESET-NOD32 Win32/bProtector.J potentially unwanted 20180519
F-Prot W32/Backdoor2.HWDK 20180519
F-Secure Application:W32/BProtector.A 20180519
Fortinet W32/Rotbrow.A!tr 20180519
GData Win32.Application.BHO.A 20180519
Ikarus PUA.BProtector 20180519
Jiangmin TrojanDownloader.MultiDL.k 20180519
K7AntiVirus Unwanted-Program ( 004a8e8b1 ) 20180519
K7GW Unwanted-Program ( 004a8e8b1 ) 20180519
Kaspersky Trojan-Downloader.Win32.MultiDL.ai 20180519
Malwarebytes Trojan.RotBrow.A 20180519
MAX malware (ai score=100) 20180519
McAfee Generic.rk 20180519
McAfee-GW-Edition Generic.rk 20180519
Microsoft TrojanDropper:Win32/Rotbrow.A 20180519
eScan Trojan.AgentWDCR.CJV 20180519
NANO-Antivirus Trojan.Win32.MultiDL.efhexs 20180519
Panda Trj/WLT.A 20180519
Qihoo-360 Win32/Trojan.e6d 20180519
Sophos AV Troj/Rotbrow-A 20180519
Symantec Adware.GoonSquad 20180518
TotalDefense Win32/Tnega.AWMN 20180519
TrendMicro ADW_BPROTECT 20180519
TrendMicro-HouseCall ADW_BPROTECT 20180519
VBA32 TrojanDownloader.MultiDL 20180518
VIPRE Trojan.Win32.Generic!BT 20180519
ViRobot Trojan.Win32.S.Agent.3780064 20180519
Webroot W32.Trojan.Bprotect 20180519
Yandex Trojan.DL.MultiDL!CIbH6rzKRJw 20180518
Zillya Downloader.MultiDL.Win32.34 20180516
ZoneAlarm by Check Point Trojan-Downloader.Win32.MultiDL.ai 20180519
Zoner Trojan.MultiDL 20180518
AegisLab 20180519
Alibaba 20180518
Avast-Mobile 20180518
Babable 20180406
Bkav 20180518
CMC 20180519
CrowdStrike Falcon (ML) 20180418
Cybereason None
eGambit 20180519
Sophos ML 20180503
Kingsoft 20180519
nProtect 20180519
Palo Alto Networks (Known Signatures) 20180519
Rising 20180519
SentinelOne (Static ML) 20180225
SUPERAntiSpyware 20180519
Symantec Mobile Insight 20180518
Tencent 20180519
TheHacker 20180516
Trustlook 20180519
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
Authenticode signature block and FileVersionInfo properties
Copyright
Copyright (C) 2013

Product BitGuard
File version 2,7,1832,68
Description Generic software
Signature verification A certificate was explicitly revoked by its issuer.
Signing date 3:32 PM 11/18/2013
Signers
[+] MediaTechSoft Inc.
Status This certificate or one of the certificates in the certificate chain is not time valid. Trust for this certificate or one of the certificates in the certificate chain has been revoked.
Issuer Go Daddy Secure Certification Authority
Valid from 9:09 AM 8/4/2013
Valid to 6:18 PM 3/29/2016
Valid usage Code Signing
Algorithm sha1RSA
Thumbprint 395DA4E82ED7317EC77B1E4F0A89AFFE2E539860
Serial number 04 73 46 D0 68 7A B1
[+] Go Daddy Secure Certification Authority
Status Valid
Issuer Go Daddy Class 2 Certification Authority
Valid from 2:54 AM 11/16/2006
Valid to 2:54 AM 11/16/2026
Valid usage All
Algorithm sha1RSA
Thumbprint 7C4656C3061F7F4C0D67B319A855F60EBC11FC44
Serial number 03 01
[+] Go Daddy Class 2 Certification Authority
Status Valid
Issuer Go Daddy Class 2 Certification Authority
Valid from 6:06 PM 6/29/2004
Valid to 6:06 PM 6/29/2034
Valid usage Server Auth, Client Auth, Email Protection, Code Signing
Algorithm sha1RSA
Thumbprint 2796BAE63F1801E277261BA0D77770028F20EEE4
Serial number 00
Counter signers
[+] Symantec Time Stamping Services Signer - G4
Status Valid
Issuer Symantec Time Stamping Services CA - G2
Valid from 1:00 AM 10/18/2012
Valid to 12:59 AM 12/30/2020
Valid usage Timestamp Signing
Algorithm sha1RSA
Thumbprint 65439929B67973EB192D6FF243E6767ADF0834E4
Serial number 0E CF F4 38 C8 FE BF 35 6E 04 D8 6A 98 1B 1A 50
[+] Symantec Time Stamping Services CA - G2
Status Valid
Issuer Thawte Timestamping CA
Valid from 1:00 AM 12/21/2012
Valid to 12:59 AM 12/31/2020
Valid usage Timestamp Signing
Algorithm sha1RSA
Thumbprint 6C07453FFDDA08B83707C09B82FB3D15F35336B1
Serial number 7E 93 EB FB 7C C6 4E 59 EA 4B 9A 77 D4 06 FC 3B
[+] Thawte Timestamping CA
Status Valid
Issuer Thawte Timestamping CA
Valid from 1:00 AM 1/1/1997
Valid to 12:59 AM 1/1/2021
Valid usage Timestamp Signing
Algorithm md5RSA
Thumbprint BE36A4562FB2EE05DBB3D32323ADF445084ED656
Serial number 00
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2013-11-18 14:32:32
Entry Point 0x001129B7
Number of sections 6
PE sections
Overlays
MD5 0f9550fe45bb50cb1215e90c12788138
File type data
Offset 3773952
Size 6112
Entropy 7.32
PE imports
RegCreateKeyExW
RegCloseKey
ConvertSidToStringSidW
GetAce
OpenServiceW
QueryServiceConfigW
ControlService
InitializeAcl
RegOpenKeyExW
RegDeleteKeyW
DeleteService
GetSecurityInfo
GetAclInformation
RegQueryValueExW
SetSecurityDescriptorDacl
CloseServiceHandle
ChangeServiceConfig2W
ConvertStringSecurityDescriptorToSecurityDescriptorW
OpenProcessToken
DeregisterEventSource
RegEnumKeyW
SetSecurityInfo
ConvertStringSecurityDescriptorToSecurityDescriptorA
RegisterEventSourceA
SetSecurityDescriptorSacl
CreateServiceW
GetTokenInformation
DuplicateTokenEx
SetServiceStatus
IsValidSid
RegQueryInfoKeyW
RegisterServiceCtrlHandlerW
RegEnumKeyExW
OpenThreadToken
GetSecurityDescriptorSacl
GetLengthSid
DeleteAce
CreateProcessAsUserW
RegEnumValueW
StartServiceW
RegSetValueExW
RegDeleteValueW
OpenSCManagerW
InitializeSecurityDescriptor
StartServiceCtrlDispatcherW
ChangeServiceConfigW
ReportEventA
AddAce
CertFreeCertificateContext
CertCloseStore
CryptQueryObject
CertFindCertificateInStore
CryptMsgGetParam
CertGetNameStringW
CryptMsgClose
CreatePatternBrush
SelectObject
RoundRect
DeleteDC
CreateFontIndirectW
SetBkMode
CreatePen
CreateSolidBrush
SetTextColor
GetObjectW
BitBlt
CreateDIBSection
CreateCompatibleDC
DeleteObject
CreateCompatibleBitmap
Rectangle
GetPrivateProfileSectionNamesA
GetStdHandle
ReleaseMutex
InterlockedPopEntrySList
GetFileAttributesA
WaitForSingleObject
HeapDestroy
EncodePointer
GetFileAttributesW
DisconnectNamedPipe
GetCurrentProcess
OpenFileMappingW
GetConsoleMode
GetLocaleInfoA
LocalAlloc
MapViewOfFileEx
UnhandledExceptionFilter
FreeEnvironmentStringsW
GetLocaleInfoW
SetStdHandle
GetFileTime
GetTempPathA
WideCharToMultiByte
GetDiskFreeSpaceW
InterlockedExchange
GetTempPathW
GetSystemTimeAsFileTime
GetDiskFreeSpaceA
GetStringTypeW
GetFullPathNameA
FreeLibrary
LocalFree
FormatMessageW
ConnectNamedPipe
InterlockedPushEntrySList
CreateEventW
LoadResource
FindClose
TlsGetValue
FormatMessageA
GetFullPathNameW
GetStringTypeExA
GetEnvironmentVariableW
SetLastError
GetSystemTime
ReadConsoleInputA
CopyFileW
WriteProcessMemory
GetModuleFileNameW
IsDebuggerPresent
HeapAlloc
GetVersionExA
HeapSetInformation
EnumSystemLocalesA
GetPrivateProfileStringA
SetConsoleCtrlHandler
GetUserDefaultLCID
GetVolumeInformationW
InterlockedDecrement
MultiByteToWideChar
FlushInstructionCache
GetPrivateProfileStringW
MoveFileW
CreateMutexA
GetModuleHandleA
LockFileEx
CreateThread
SetEnvironmentVariableW
MoveFileExW
DeleteCriticalSection
GetExitCodeThread
SetUnhandledExceptionFilter
CreateMutexW
IsProcessorFeaturePresent
GetDateFormatA
ExitThread
DecodePointer
SetEnvironmentVariableA
GlobalMemoryStatus
GetVersion
SetCurrentDirectoryW
VirtualQuery
LocalFileTimeToFileTime
SetEndOfFile
GetCurrentThreadId
InterlockedIncrement
HeapCreate
WriteConsoleW
CreateToolhelp32Snapshot
AreFileApisANSI
InitializeCriticalSectionAndSpinCount
HeapFree
EnterCriticalSection
SetHandleCount
TerminateThread
LoadLibraryW
SetConsoleMode
GetVersionExW
GetExitCodeProcess
QueryPerformanceCounter
GetTickCount
TlsAlloc
VirtualProtect
FlushFileBuffers
LoadLibraryA
RtlUnwind
GetPrivateProfileSectionNamesW
UnlockFile
DosDateTimeToFileTime
GetFileSize
OpenProcess
CreateDirectoryA
DeleteFileA
GetStartupInfoW
ReadProcessMemory
CreateDirectoryW
DeleteFileW
GetProcAddress
GetSystemInfo
GetProcessHeap
GetTempFileNameW
CreateFileMappingW
CompareStringW
WriteFile
WaitNamedPipeW
RemoveDirectoryW
ExpandEnvironmentStringsW
FindNextFileW
WTSGetActiveConsoleSessionId
GetTimeFormatA
FindFirstFileW
IsValidLocale
WaitForMultipleObjects
SetEvent
GetCurrentDirectoryW
GetTimeZoneInformation
ReadDirectoryChangesW
CreateFileW
CreateEventA
GetFileType
TlsSetValue
CreateFileA
ExitProcess
LeaveCriticalSection
GetNativeSystemInfo
GetLastError
InitializeCriticalSection
FlushConsoleInputBuffer
LCMapStringW
GetShortPathNameW
VirtualAllocEx
CreateNamedPipeW
lstrlenA
GlobalFree
GetConsoleCP
LCMapStringA
HeapReAlloc
GetEnvironmentStringsW
LockFile
lstrlenW
Process32NextW
VirtualFree
WaitForSingleObjectEx
SizeofResource
CompareFileTime
VirtualFreeEx
GetCurrentProcessId
LockResource
SetFileTime
GetCommandLineW
GetCPInfo
HeapSize
InterlockedCompareExchange
Process32FirstW
GetCurrentThread
OpenMutexA
RaiseException
MapViewOfFile
TlsFree
SetFilePointer
ReadFile
PulseEvent
CloseHandle
UnlockFileEx
GetACP
GetModuleHandleW
GetFileAttributesExW
FindResourceExW
GetLongPathNameW
IsValidCodePage
UnmapViewOfFile
FindResourceW
CreateProcessW
Sleep
TerminateProcess
OpenEventA
VirtualAlloc
GetOEMCP
ResetEvent
VariantTimeToSystemTime
SysStringLen
SystemTimeToVariantTime
VarCmp
VarBstrFromDate
VariantClear
SysAllocString
VariantCopy
SysFreeString
VariantInit
UuidFromStringA
SHGetSpecialFolderPathW
Ord(680)
CommandLineToArgvW
StrCmpW
StrCmpNIW
PathFindFileNameW
PathFileExistsW
PathRemoveFileSpecW
PathStripPathW
StrCpyW
PathAppendW
PathFindExtensionW
PathAddExtensionW
PathStripToRootW
PathIsRootW
PathIsDirectoryW
SHGetValueW
PathRemoveExtensionW
SetFocus
MapWindowPoints
GetMonitorInfoW
GetUserObjectInformationW
GetClassInfoExW
EndPaint
SetLayeredWindowAttributes
EndDialog
DrawTextW
CallWindowProcW
DefWindowProcW
FindWindowW
KillTimer
TrackMouseEvent
GetMessageW
ShowWindow
FillRect
SetWindowPos
GetParent
GetSysColorBrush
GetSystemMetrics
SetWindowLongW
IsWindow
PeekMessageW
GetWindowRect
RegisterClassExW
LoadStringA
GetDC
MoveWindow
DialogBoxParamW
MessageBoxA
ChildWindowFromPoint
TranslateMessage
GetWindow
GetProcessWindowStation
GetSysColor
DispatchMessageW
GetCursorPos
ReleaseDC
BeginPaint
SendMessageW
UnregisterClassA
GetWindowLongW
SetWindowTextW
GetDlgItem
SystemParametersInfoW
MessageBoxW
MonitorFromWindow
ScreenToClient
InvalidateRect
SetTimer
LoadImageW
GetActiveWindow
GetClientRect
GetWindowTextW
GetDesktopWindow
LoadCursorW
GetWindowTextLengthW
CreateWindowExW
GetTopWindow
DestroyWindow
CreateEnvironmentBlock
DrawThemeParentBackground
OpenThemeData
IsThemeBackgroundPartiallyTransparent
CloseThemeData
DrawThemeBackground
VerQueryValueW
GetFileVersionInfoW
GetFileVersionInfoSizeW
WinHttpSetOption
WinHttpConnect
WinHttpQueryHeaders
WinHttpReadData
WinHttpCloseHandle
WinHttpQueryDataAvailable
WinHttpGetIEProxyConfigForCurrentUser
WinHttpGetProxyForUrl
WinHttpAddRequestHeaders
WinHttpSetStatusCallback
WinHttpReceiveResponse
WinHttpOpen
WinHttpOpenRequest
WinHttpSendRequest
WTSQueryUserToken
CoInitializeEx
CoUninitialize
CoInitialize
CoCreateInstance
CoInitializeSecurity
StringFromGUID2
CoSetProxyBlanket
PE exports
Number of PE resources by type
RT_ICON 23
RT_DIALOG 7
RT_GROUP_ICON 3
RT_STRING 2
XML 1
RT_MANIFEST 1
RT_RCDATA 1
RT_VERSION 1
Number of PE resources by language
ENGLISH US 39
PE resources
Debug information
ExifTool file metadata
SpecialBuild
2,7,1832,68

UninitializedDataSize
0

LinkerVersion
10.0

ImageVersion
0.0

FileSubtype
0

FileVersionNumber
2.7.1832.68

LanguageCode
English (U.S.)

FileFlagsMask
0x003f

CharacterSet
Windows, Latin1

InitializedDataSize
1673216

PrivateBuild
2,7,1832,68

EntryPoint
0x1129b7

MIMEType
application/octet-stream

LegalCopyright
Copyright (C) 2013

FileVersion
2,7,1832,68

TimeStamp
2013:11:18 15:32:32+01:00

FileType
Win32 EXE

PEType
PE32

SubsystemVersion
5.1

ProductVersion
2,7,1832,68

FileDescription
Generic software

OSVersion
5.1

FileOS
Win32

Subsystem
Windows GUI

MachineType
Intel 386 or later, and compatibles

CompanyName
MediaTechSoft Inc.

CodeSize
2099712

ProductName
BitGuard

ProductVersionNumber
2.7.1832.68

FileTypeExtension
exe

ObjectFileType
Executable application

File identification
MD5 44e5b5dc6a27ea109b8a234e640bb5fd
SHA1 a3dc686988e80d53e58907b579b91d3a9856d053
SHA256 180c6035ca44c270b8e1556a7b2e9faf442d1b4323ef6d8e93b7e759af169c96
ssdeep
49152:QsGolOdFTD0OZ+CFlZrDe0yGe0ZjMxkiMAqt8Ro9TdtsI86vc9v/eAafeFbR:f8v0O3nZrDeaVyxkCd/eAv

authentihash eb8b36c6dbf3c92b691caa69bf1aa6a4daaadd4354913c421a5bf18af54dfbee
imphash 795fe69f54ff5825bcd93ae50deeb968
File size 3.6 MB ( 3780064 bytes )
File type Win32 EXE
Magic literal
PE32 executable for MS Windows (GUI) Intel 80386 32-bit

TrID Win32 Executable MS Visual C++ (generic) (41.0%)
Win64 Executable (generic) (36.3%)
Win32 Dynamic Link Library (generic) (8.6%)
Win32 Executable (generic) (5.9%)
OS/2 Executable (generic) (2.6%)
Tags
revoked-cert peexe signed overlay

VirusTotal metadata
First submission 2013-11-21 13:49:21 UTC ( 5 years ago )
Last submission 2018-05-19 14:43:18 UTC ( 6 months ago )
File names rjatydimofu.exe
rjatydimofu.exe
rjatydimofu.exe
vti-rescan
bitguard.exe
uninstall.exe
44E5B5DC6A27EA109B8A234E640BB5FD
rjatydimofu.exe
BitGuard.exe (1)
bprotect.exe
ec7d88b038533087f7adbbb14e671d44_uninstall.exe.safe
3e
file-6249985_exe
180c6035ca44c270b8e1556a7b2e9faf442d1b4323ef6d8e93b7e759af169c96
BitGuard.exe.vir
BitGuard.exe.DNR
BITGUARD.EXE
44E5B5DC6A27EA109B8A234E640BB5FD_BitGuard.exe (1)
BitGuard.exe
BitGuard.exe
BitGuard.exe
44E5B5DC6A27EA109B8A234E640BB5FD_BitGuard.exe
BitGuard.exe
Behaviour characterization
Zemana
dll-injection

Condensed report! The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.
Opened files
Read files
Opened mutexes
Runtime DLLs
Additional details
The file uses the IsDebuggerPresent Windows API function in order to see whether it is being debugged.
The file sends control codes directly to certain device drivers making use of the DeviceIoControl Windows API function.