SHA256: 27c81c938edf0a2a06d8d80de7e852a61d8ff89ff17ab69b7818858edaa3c446
File name: Windows Loader.exe
Detection ratio: 3 / 46
Analysis date: 2012-12-30 12:48:59 UTC ( 4 years, 8 months ago )
Antivirus Result Update
Sophos AV W32/AutoRun-BSY 20121230
Symantec WS.Reputation.1 20121230
TrendMicro-HouseCall TROJ_GEN.R47H1LT 20121230
Yandex 20121229
AhnLab-V3 20121230
AntiVir 20121230
Antiy-AVL 20121230
Avast 20121230
AVG 20121230
BitDefender 20121230
ByteHero 20121226
CAT-QuickHeal 20121229
ClamAV 20121230
Commtouch 20121228
Comodo 20121230
DrWeb 20121230
Emsisoft 20121230
eSafe 20121226
ESET-NOD32 20121230
F-Prot 20121229
F-Secure 20121230
Fortinet 20121230
GData 20121230
Ikarus 20121230
Jiangmin 20121221
K7AntiVirus 20121228
Kaspersky 20121230
Kingsoft 20121225
Malwarebytes 20121230
McAfee 20121230
McAfee-GW-Edition 20121230
Microsoft 20121230
eScan 20121230
NANO-Antivirus 20121230
Norman 20121230
nProtect 20121230
Panda 20121230
PCTools 20121230
Rising 20121228
SUPERAntiSpyware 20121229
TheHacker 20121229
TotalDefense 20121230
TrendMicro 20121230
VBA32 20121229
VIPRE 20121230
ViRobot 20121230
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
Packers identified
F-PROT UPX_LZMA
PEiD UPX 2.93 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2007-10-31 16:53:19
Entry Point 0x0021A9A0
Number of sections 3
PE sections
Overlays
MD5 90fcd1006ce1b62966eb922fe1b13843
File type data
Offset 619520
Size 3311965
Entropy 6.36
PE imports
RegCloseKey
LineTo
VirtualFree
ExitProcess
VirtualProtect
LoadLibraryA
VirtualAlloc
GetProcAddress
OleLoadPicturePath
DragFinish
VerQueryValueA
midiOutOpen
PrintDlgA
GetAdaptersInfo
DoDragDrop
Number of PE resources by type
RT_ICON 6
RT_GROUP_CURSOR 3
RT_CURSOR 3
RT_MANIFEST 1
PICKLE 1
RT_VERSION 1
RT_GROUP_ICON 1
Number of PE resources by language
ENGLISH US 16
PE resources
ExifTool file metadata
UninitializedDataSize 1613824
LinkerVersion 8.0
ImageVersion 0.0
FileVersionNumber 2.2.0.0
LanguageCode English (U.S.)
FileFlagsMask 0x003f
CharacterSet Unicode
InitializedDataSize 28672
EntryPoint 0x21a9a0
OriginalFileName Windows Loader.exe
MIMEType application/octet-stream
FileVersion 2.2.0.0
TimeStamp 2007:10:31 17:53:19+01:00
FileType Win32 EXE
PEType PE32
SubsystemVersion 4.0
Release Final
OSVersion 4.0
FileOS Win32
Subsystem Windows GUI
MachineType Intel 386 or later, and compatibles
CodeSize 593920
FileSubtype 0
ProductVersionNumber 2.2.0.0
FileTypeExtension exe
ObjectFileType Executable application
CarbonBlack (CarbonBlack acts as a surveillance camera for computers)
While monitoring an end-user machine in-the-wild, CarbonBlack noticed the following files in execution wrote this sample to disk.
Execution parents
PE resource-wise parents
Compressed bundles
File identification
MD5 e7be2c033c6ab0ba199b4717f98bc947
SHA1 6c964ec7100ad55922e186a157a445825998cfa4
SHA256 27c81c938edf0a2a06d8d80de7e852a61d8ff89ff17ab69b7818858edaa3c446
ssdeep 49152:VEYCFEWz3sKcA1990FW6drnq9QF/Fs454vn6puWV355FXw/+euWV355FXw/+AuWy:VEYzhnA1990FW6drnq9QpFXmv8
authentihash f750027a8b3decdb986e293317723939e30643351e2c95e94678be9a5103b900
imphash ac2ed402c59cc91af94988a7c20ffd67
File size 3.7 MB ( 3931485 bytes )
File type Win32 EXE
Magic literal PE32 executable for MS Windows (GUI) Intel 80386 32-bit
TrID Win32 EXE PECompact compressed (generic) (30.1%)
Win64 Executable (generic) (20.0%)
UPX compressed Win32 Executable (19.6%)
Win32 EXE Yoda's Crypter (19.2%)
Win32 Dynamic Link Library (generic) (4.7%)
Tags peexe via-tor upx overlay
VirusTotal metadata
First submission 2012-12-29 01:28:11 UTC ( 4 years, 8 months ago )
Last submission 2017-08-21 08:25:52 UTC ( 4 weeks, 1 day ago )
File names 27c81c938edf0a2a06d8d80de7e852a61d8ff89ff17ab69b7818858edaa3c446.bin
pnewline.exe
Windows 7 Loader.exe
Windows 7 R.exe
Loader.exe
file.exe
d1fb2846efdad0048339a9dad577bce5
ew.exe
6c964ec7100ad55922e186a157a445825998cfa4
Копия Windows Loader.exe
Setup.exe
Windows Loader 2.2.exe
ad.exe
00000459.bin
a.exe
6c964ec7100ad55922e186a157a445825998cfa4.exe
windows loader.exe.283345.gzquar
Windows 7 Keygen.exe
windows loader.exe
bc0052833b52559812e3e4f2caa2e792.safe
avz00001.dta
file-4953664_exe
Crack-win.exe
loader.exe
filename
Advanced heuristic and reputation engines
ClamAV
Possibly Unwanted Application. While not necessarily malicious, the scanned file presents certain characteristics which, depending on the user policies and environment, may or may not represent a threat. For full details see: https://www.clamav.net/documents/potentially-unwanted-applications-pua

Sophos
Possibly Unwanted Application labelled as Windows 7 Loader. This is a term used to describe applications that, while not malicious, are generally considered unsuitable for business networks. More details about Sophos PUA classifications can be found at: https://www.sophos.com/en-us/support/knowledgebase/14887.aspx

TrendMicro-HouseCall
TrendMicro's heuristic engine has flagged this file as: TROJ_GEN.R02SC0RC715.

Symantec reputation Suspicious.Insight