SHA256: 2f2a645b873a5dfe7985a2c9cbfeff3424e68d9181791c908081c023c2a817b0
File name: 2f2a645b873a5dfe7985a2c9cbfeff3424e68d9181791c908081c023c2a817b0
Detection ratio: 54 / 66
Analysis date: 2018-08-23 16:33:03 UTC ( 1 month ago )
Antivirus Result Update
Ad-Aware Gen:Variant.Adware.Hotbar.1 20180823
AhnLab-V3 Trojan/Win32.ClickPotato.R21822 20180823
ALYac Gen:Variant.Adware.Hotbar.1 20180823
Antiy-AVL RiskWare[WebToolbar]/Win32.Zango 20180823
Arcabit Trojan.Adware.Hotbar.1 20180823
Avast Win32:HotBar-CJ [PUP] 20180823
AVG Win32:HotBar-CJ [PUP] 20180823
Avira (no cloud) ADSPY/AdSpy.Gen2 20180823
AVware Pinball Corporation. (v) 20180823
Baidu Win32.Trojan.HotBar.a 20180820
BitDefender Gen:Variant.Adware.Hotbar.1 20180823
Bkav W32.HfsAdware.AAAA 20180823
CAT-QuickHeal PUA.Pinballcor.Gen 20180823
ClamAV Win.Adware.Adinstall-1 20180823
CMC WebToolbar.Win32.Zango!O 20180823
Comodo ApplicUnwnt.Win32.AdWare.Hotbar.F 20180823
CrowdStrike Falcon (ML) malicious_confidence_80% (D) 20180723
Cybereason malicious.585f8b 20180225
Cylance Unsafe 20180823
Cyren W32/HotBar.L.gen!Eldorado 20180823
DrWeb Adware.Hotbar.700 20180823
Emsisoft Gen:Variant.Adware.Hotbar.1 (B) 20180823
Endgame malicious (moderate confidence) 20180730
ESET-NOD32 a variant of Win32/Adware.HotBar.H 20180823
F-Prot W32/HotBar.L.gen!Eldorado 20180823
F-Secure Adware:W32/Hotbar 20180823
Fortinet Riskware/Zango 20180823
GData Gen:Variant.Adware.Hotbar.1 20180823
Ikarus Trojan.SuspectCRC 20180823
Sophos ML heuristic 20180717
Jiangmin AdWare/ScreenSaver.ax 20180823
K7AntiVirus Adware ( 004ae5101 ) 20180823
K7GW Adware ( 004ae5101 ) 20180823
Kaspersky not-a-virus:AdWare.Win32.ScreenSaver.g 20180823
Kingsoft Win32.Troj.Generic.a.(kcloud) 20180823
MAX malware (ai score=65) 20180823
McAfee Adware-ClickPotato 20180823
McAfee-GW-Edition BehavesLike.Win32.AdwareHotBar.dc 20180823
Microsoft PUA:Win32/HotBarToolbar 20180823
eScan Gen:Variant.Adware.Hotbar.1 20180823
NANO-Antivirus Riskware.Win32.bqt.dvtokf 20180823
Qihoo-360 HEUR/Malware.QVM11.Gen 20180823
Rising Trojan.Win32.Generic.12E227F4 (C64:YzY0OsYx1mNBHqaF) 20180823
SentinelOne (Static ML) static engine - malicious 20180701
Sophos AV ClickPotato Installer (PUA) 20180823
SUPERAntiSpyware PUP.HotBar/Variant 20180823
Symantec Adware.Clickpotato!gen 20180823
TrendMicro HeurSpy_Zango-3 20180823
TrendMicro-HouseCall HeurSpy_Zango-3 20180823
VBA32 BScope.Adware.ClickPotato.01552 20180823
VIPRE Pinball Corporation. (v) 20180823
Webroot Adware.Hotbar 20180823
Yandex Adware.Rugo.Gen.5 20180822
ZoneAlarm by Check Point not-a-virus:AdWare.Win32.ScreenSaver.g 20180823
AegisLab 20180823
Alibaba 20180713
Avast-Mobile 20180823
Babable 20180822
eGambit 20180823
Malwarebytes 20180823
Palo Alto Networks (Known Signatures) 20180823
Panda 20180823
Symantec Mobile Insight 20180822
TACHYON 20180823
Tencent 20180823
TheHacker 20180821
Trustlook 20180823
ViRobot 20180823
Zoner 20180822
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
Authenticode signature block and FileVersionInfo properties
File version 2.0.266.0
Description Installer
Signature verification A certificate was explicitly revoked by its issuer.
Signers
[+] Pinball Corporation.
Status This certificate or one of the certificates in the certificate chain is not time valid; trust for this certificate or one of the certificates in the certificate chain has been revoked.
Issuer VeriSign Class 3 Code Signing 2010 CA
Valid from 1:00 AM 4/1/2011
Valid to 12:59 AM 5/20/2013
Valid usage Code Signing
Algorithm sha1RSA
Thumbprint 420D56334AEFACA2729883BAC0EEDF33536539EF
Serial number 22 E4 9C 51 DC D7 1B 05 71 3A AF 78 65 82 D1 35
[+] VeriSign Class 3 Code Signing 2010 CA
Status Valid
Issuer VeriSign Class 3 Public Primary Certification Authority - G5
Valid from 1:00 AM 2/8/2010
Valid to 12:59 AM 2/8/2020
Valid usage Client Auth, Code Signing
Algorithm sha1RSA
Thumbprint 495847A93187CFB8C71F840CB7B41497AD95C64F
Serial number 52 00 E5 AA 25 56 FC 1A 86 ED 96 C9 D4 4B 33 C7
[+] VeriSign
Status Valid
Issuer VeriSign Class 3 Public Primary Certification Authority - G5
Valid from 1:00 AM 11/8/2006
Valid to 12:59 AM 7/17/2036
Valid usage Server Auth, Client Auth, Email Protection, Code Signing
Algorithm sha1RSA
Thumbprint 4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5
Serial number 18 DA D1 9E 26 7D E8 BB 4A 21 58 CD CC 6B 3B 4A
Packers identified
F-PROT UPX
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2011-03-30 20:51:32
Entry Point 0x00074580
Number of sections 3
PE sections
Overlays
MD5 a249fe16787faabc2cc54c569eaf965b
File type data
Offset 203264
Size 3736
Entropy 7.22
PE imports
RegCloseKey
PatBlt
GetAdaptersInfo
VirtualFree
ExitProcess
VirtualProtect
LoadLibraryA
VirtualAlloc
GetProcAddress
SysFreeString
UrlEscapeA
VerQueryValueA
WSAStartup
CoCreateGuid
Number of PE resources by type
JPEG 5
RT_ICON 4
RT_STRING 2
RT_DIALOG 1
RT_MANIFEST 1
RT_VERSION 1
RT_GROUP_ICON 1
Number of PE resources by language
ENGLISH US 15
PE resources
ExifTool file metadata
UninitializedDataSize 278528
InitializedDataSize 8192
ImageVersion 0.0
FileVersionNumber 2.0.266.0
LanguageCode English (U.S.)
FileFlagsMask 0x003f
FileDescription Installer
ImageFileCharacteristics No relocs, Executable, 32-bit
CharacterSet Windows, Latin1
LinkerVersion 9.0
FileTypeExtension exe
MIMEType application/octet-stream
FileVersion 2.0.266.0
TimeStamp 2011:03:30 21:51:32+01:00
FileType Win32 EXE
PEType PE32
ProductVersion 2.0.266.0
SubsystemVersion 5.0
OSVersion 5.0
FileOS Win32
Subsystem Windows GUI
MachineType Intel 386 or later, and compatibles
CodeSize 196608
FileSubtype 0
ProductVersionNumber 2.0.266.0
EntryPoint 0x74580
ObjectFileType Executable application
File identification
MD5 dc57fd4585f8b48ff9fb7ce53bda6309
SHA1 9c7d58477acbff857ea9a0f0258502d771a042a3
SHA256 2f2a645b873a5dfe7985a2c9cbfeff3424e68d9181791c908081c023c2a817b0
ssdeep 6144:+5YB4ruXIiAAttZvd3DCza1mgGeD1O1+i0gg:+5Q4r6eAtt5dz71XB0+n
authentihash 8c961df50d1ab3c45fae1a39ec0907eaf32f95aa207478dff248c077670c4078
imphash ea0878ef48c758c0d86dd1e1e439a9c9
File size 202.1 KB ( 207000 bytes )
File type Win32 EXE
Magic literal PE32 executable for MS Windows (GUI) Intel 80386 32-bit
TrID UPX compressed Win32 Executable (38.2%)
Win32 EXE Yoda's Crypter (37.5%)
Win32 Dynamic Link Library (generic) (9.2%)
Win32 Executable (generic) (6.3%)
OS/2 Executable (generic) (2.8%)
Tags revoked-cert peexe signed upx overlay
VirusTotal metadata
First submission 2012-07-26 12:23:22 UTC ( 6 years, 2 months ago )
Last submission 2012-08-01 11:22:20 UTC ( 6 years, 1 month ago )
File names 2f2a645b873a5dfe7985a2c9cbfeff3424e68d9181791c908081c023c2a817b0
Advanced heuristic and reputation engines
ClamAV
Possibly Unwanted Application. While not necessarily malicious, the scanned file presents certain characteristics which depending on the user policies and environment may or may not represent a threat. For full details see: https://www.clamav.net/documents/potentially-unwanted-applications-pua .
Condensed report! The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.
Opened files
Read files
Written files
Moved files
Deleted files
Set keys
Deleted keys
Created processes
Code injections in the following processes
Created mutexes
Opened mutexes
Searched windows
Opened service managers
Opened services
Hooking activity
Runtime DLLs
Additional details
The file sends control codes directly to certain device drivers making use of the DeviceIoControl Windows API function.
The file installs an application-defined hook procedure into a hook chain. A hook procedure is installed to monitor the system for certain types of events, which are associated either with a specific thread or with all threads in the same desktop as the calling thread. This is done using the SetWindowsHook Windows API function.
HTTP requests
DNS requests
TCP connections
UDP communications