SHA256: 1b53e14f112234358d5be6ed74fdddcbbcee936a7983d0a803bf8092bcaa6fae
File name: Wextract
Detection ratio: 2 / 70
Analysis date: 2019-01-22 07:10:18 UTC ( 1 month ago )
Antivirus Result Update
Cylance Unsafe 20190122
Trapmine malicious.high.ml.score 20190102
Acronis 20190119
Ad-Aware 20190122
AegisLab 20190122
AhnLab-V3 20190122
Alibaba 20180921
ALYac 20190122
Antiy-AVL 20190122
Arcabit 20190122
Avast 20190122
Avast-Mobile 20190122
AVG 20190122
Avira (no cloud) 20190121
AVware 20180925
Babable 20180917
Baidu 20190121
BitDefender 20190122
Bkav 20190122
CAT-QuickHeal 20190122
ClamAV 20190122
CMC 20190122
Comodo 20190122
CrowdStrike Falcon (ML) 20181023
Cybereason 20190109
Cyren 20190122
DrWeb 20190122
eGambit 20190122
Emsisoft 20190122
Endgame 20181108
ESET-NOD32 20190122
F-Prot 20190122
F-Secure 20190122
Fortinet 20190122
GData 20190122
Sophos ML 20181128
Jiangmin 20190122
K7AntiVirus 20190122
K7GW 20190122
Kaspersky 20190122
Kingsoft 20190122
Malwarebytes 20190122
MAX 20190122
McAfee 20190122
McAfee-GW-Edition 20190121
Microsoft 20190122
eScan 20190122
NANO-Antivirus 20190122
Palo Alto Networks (Known Signatures) 20190122
Panda 20190121
Qihoo-360 20190122
Rising 20190122
SentinelOne (Static ML) 20190118
Sophos AV 20190122
SUPERAntiSpyware 20190116
Symantec 20190122
TACHYON 20190121
Tencent 20190122
TheHacker 20190118
TotalDefense 20190121
TrendMicro 20190122
TrendMicro-HouseCall 20190122
Trustlook 20190122
VBA32 20190122
ViRobot 20190122
Webroot 20190122
Yandex 20190121
Zillya 20190121
ZoneAlarm by Check Point 20190122
Zoner 20190121
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
FileVersionInfo properties
Copyright © Microsoft Corporation. All rights reserved.
Product Microsoft® Windows® Operating System
Original name WEXTRACT.EXE
Internal name Wextract
File version 6.00.3790.0 (srv03_rtm.030324-2048)
Description Win32 Cabinet Self-Extractor
Packers identified
F-PROT SFX
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2003-03-25 07:08:18
Entry Point 0x00005D3C
Number of sections 3
PE sections
PE imports
GetTokenInformation
LookupPrivilegeValueA
RegCloseKey
OpenProcessToken
RegSetValueExA
FreeSid
RegQueryValueExA
AllocateAndInitializeSid
AdjustTokenPrivileges
EqualSid
RegCreateKeyExA
RegOpenKeyExA
RegDeleteValueA
RegQueryInfoKeyA
GetDeviceCaps
GetLastError
IsDBCSLeadByte
GetSystemTimeAsFileTime
DosDateTimeToFileTime
ReadFile
GetStartupInfoA
GetSystemInfo
lstrlenA
GetFileAttributesA
GlobalFree
WaitForSingleObject
LockResource
GetExitCodeProcess
QueryPerformanceCounter
MulDiv
ExitProcess
SetFileTime
GetVersionExA
GlobalUnlock
RemoveDirectoryA
GlobalAlloc
GetModuleFileNameA
GetShortPathNameA
FreeLibrary
GetCurrentProcess
GetVolumeInformationA
LoadLibraryExA
SizeofResource
GetCurrentDirectoryA
GetPrivateProfileStringA
WritePrivateProfileStringA
LocalAlloc
lstrcatA
GetPrivateProfileIntA
CreateDirectoryA
DeleteFileA
GetWindowsDirectoryA
_llseek
GetCommandLineA
GlobalLock
EnumResourceLanguagesA
TerminateThread
GetTempPathA
CreateMutexA
GetModuleHandleA
_lclose
LoadLibraryA
CreateThread
lstrcmpiA
SetFilePointer
lstrcmpA
FindFirstFileA
GetCurrentProcessId
SetUnhandledExceptionFilter
lstrcpyA
_lopen
CloseHandle
GetTempFileNameA
lstrcpynA
FindNextFileA
GetSystemDirectoryA
GetDiskFreeSpaceA
ExpandEnvironmentStringsA
FreeResource
SetFileAttributesA
SetEvent
LocalFree
FindResourceA
TerminateProcess
CreateProcessA
LoadResource
WriteFile
CreateEventA
LocalFileTimeToFileTime
FindClose
FormatMessageA
GetTickCount
CreateFileA
GetDriveTypeA
GetCurrentThreadId
GetProcAddress
SetCurrentDirectoryA
ResetEvent
CharPrevA
EndDialog
ShowWindow
MessageBeep
SetWindowPos
SendDlgItemMessageA
GetSystemMetrics
GetWindowRect
DispatchMessageA
EnableWindow
SetDlgItemTextA
GetDlgItemTextA
MessageBoxA
PeekMessageA
SetWindowLongA
CharUpperA
GetDC
ReleaseDC
SetWindowTextA
GetWindowLongA
SendMessageA
GetDlgItem
wsprintfA
LoadStringA
CharNextA
GetDesktopWindow
CallWindowProcA
MsgWaitForMultipleObjects
SetForegroundWindow
ExitWindowsEx
DialogBoxIndirectParamA
GetFileVersionInfoSizeA
GetFileVersionInfoA
VerQueryValueA
Number of PE resources by type
RT_RCDATA 14
RT_DIALOG 6
RT_STRING 6
RT_ICON 2
AVI 1
RT_VERSION 1
RT_GROUP_ICON 1
Number of PE resources by language
ENGLISH US 31
PE resources
Debug information
ExifTool file metadata
UninitializedDataSize: 0
LinkerVersion: 7.1
ImageVersion: 5.2
FileSubtype: 0
FileVersionNumber: 6.0.3790.0
LanguageCode: English (U.S.)
FileFlagsMask: 0x003f
FileDescription: Win32 Cabinet Self-Extractor
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
CharacterSet: Unicode
InitializedDataSize: 353792
EntryPoint: 0x5d3c
OriginalFileName: WEXTRACT.EXE
MIMEType: application/octet-stream
LegalCopyright: Microsoft Corporation. All rights reserved.
FileVersion: 6.00.3790.0 (srv03_rtm.030324-2048)
TimeStamp: 2003:03:25 00:08:18-07:00
FileType: Win32 EXE
PEType: PE32
InternalName: Wextract
ProductVersion: 6.00.3790.0
SubsystemVersion: 4.0
OSVersion: 5.2
FileOS: Windows NT 32-bit
Subsystem: Windows GUI
MachineType: Intel 386 or later, and compatibles
CompanyName: Microsoft Corporation
CodeSize: 36864
ProductName: Microsoft Windows Operating System
ProductVersionNumber: 6.0.3790.0
FileTypeExtension: exe
ObjectFileType: Executable application

CarbonBlack CarbonBlack acts as a surveillance camera for computers
While monitoring an end-user machine in-the-wild, CarbonBlack noticed the following files in execution wrote this sample to disk.
While monitoring an end-user machine in-the-wild, CarbonBlack noticed this sample wrote the following files to disk.
Compressed bundles
File identification
MD5 33e6135f75c2dfaf0596830daeaa51cf
SHA1 1a996ea13a1261d2bfb7676c3ef6562fc39d321f
SHA256 1b53e14f112234358d5be6ed74fdddcbbcee936a7983d0a803bf8092bcaa6fae
ssdeep 6144:lsehzRFH3uglH7yrO7pN0ouPmsiDMsWIsBJ6tEgLknBOqo4JxE5iaswtT+lVAyEV:lrjNV7DpKhm7o9vySnBOaJuzVtTE+ToK
authentihash 671ef1db48c38d4454c29e5d56239cbf236666059778d064d55316654e961345
imphash c63ba316533609531fac22f3877f847b
File size 382.5 KB ( 391680 bytes )
File type Win32 EXE
Magic literal PE32 executable for MS Windows (GUI) Intel 80386 32-bit
TrID Win32 MS Cabinet Self-Extractor (WExtract stub) (79.9%)
Win32 Executable MS Visual C++ (generic) (8.2%)
Win64 Executable (generic) (7.2%)
Win32 Dynamic Link Library (generic) (1.7%)
Win32 Executable (generic) (1.1%)
Tags peexe
VirusTotal metadata
First submission 2008-09-02 00:22:20 UTC ( 10 years, 5 months ago )
Last submission 2018-11-29 04:58:36 UTC ( 2 months, 3 weeks ago )
File names testmailservertoolsetup.exe
TestMailServerToolSetup (1).exe
75795630
1340220704-TestMailServerToolSetup.zip
test.exe
file-3135742_exe
output.75795630.txt
31134
WEXTRACT.EXE
TestMailServerToolSetup.exe
filename
TestMailServerToolSetup.exe
33e6135f75c2dfaf0596830daeaa51cf.svn-base
Wextract
file-173553_exe
TestMailServerToolSetup.exe
1da71adeb159888261b45b7de91f42eb6e39bbc4
Advanced heuristic and reputation engines
ClamAV
Possibly Unwanted Application. While not necessarily malicious, the scanned file presents certain characteristics which depending on the user policies and environment may or may not represent a threat. For full details see: https://www.clamav.net/documents/potentially-unwanted-applications-pua .

Symantec reputation Suspicious.Insight