× Cookies are disabled! This site requires cookies to be enabled to work properly
SHA256: 30e8db508953230bccfbcddfaa298e44c13e641381f43693544a365097d3afa2
File name: EtherDetect_setup.exe
Detection ratio: 9 / 57
Analysis date: 2016-04-01 20:08:08 UTC ( 2 years, 11 months ago ) View latest
Antivirus Result Update
AegisLab W32.Application.Agent!c 20160401
CMC Generic.Win32.a802939f0a!CMCRadar 20160401
Comodo TrojWare.Win32.HackTool.Agent.in 20160401
ESET-NOD32 Win32/NetTool.EtherDetect potentially unsafe 20160401
GData Win32.Application.Agent.I5WS28 20160401
Panda Trj/CI.A 20160401
Rising PE:Malware.Generic/QRS!1.9E2D [F] 20160401
SUPERAntiSpyware Hack.Tool/Gen-EtherDetect 20160401
Symantec Hacktool 20160331
Ad-Aware 20160401
AhnLab-V3 20160401
Alibaba 20160401
ALYac 20160401
Antiy-AVL 20160401
Arcabit 20160401
Avast 20160401
AVG 20160401
Avira (no cloud) 20160401
AVware 20160401
Baidu 20160331
Baidu-International 20160401
BitDefender 20160401
Bkav 20160401
CAT-QuickHeal 20160401
ClamAV 20160401
Cyren 20160401
DrWeb 20160401
Emsisoft 20160401
F-Prot 20160401
F-Secure 20160401
Fortinet 20160401
Ikarus 20160401
Jiangmin 20160401
K7AntiVirus 20160401
K7GW 20160401
Kaspersky 20160401
Kingsoft 20160401
Malwarebytes 20160401
McAfee 20160401
McAfee-GW-Edition 20160401
Microsoft 20160401
eScan 20160401
NANO-Antivirus 20160401
nProtect 20160401
Qihoo-360 20160401
Sophos AV 20160401
Tencent 20160401
TheHacker 20160330
TotalDefense 20160330
TrendMicro 20160401
TrendMicro-HouseCall 20160401
VBA32 20160401
VIPRE 20160401
ViRobot 20160401
Yandex 20160316
Zillya 20160401
Zoner 20160401
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
FileVersionInfo properties
Copyright
2008 EtherDetect

File version 1.4
Description EtherDetect Packet Sniffer
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2001-10-25 19:47:11
Entry Point 0x000021AF
Number of sections 4
PE sections
Overlays
MD5 8a6a04c5fec4e3339172c14699f7ae0e
File type data
Offset 14848
Size 1294463
Entropy 8.00
PE imports
AdjustTokenPrivileges
LookupPrivilegeValueA
OpenProcessToken
GetDeviceCaps
SelectPalette
SelectObject
PatBlt
CreateFontA
CreatePalette
GetStockObject
TextOutA
CreateSolidBrush
SetBkMode
DeleteObject
RealizePalette
SetTextColor
StretchDIBits
GetLastError
lstrlenA
GlobalFree
FreeLibrary
ExitProcess
GetVersionExA
GlobalUnlock
GetModuleFileNameA
LoadLibraryA
WinExec
OpenFile
GetCurrentProcess
_lwrite
lstrcatA
GetWindowsDirectoryA
SetErrorMode
_llseek
GetCommandLineA
GetProcAddress
_lread
GetTempPathA
_lcreat
_lclose
GetModuleHandleA
lstrcpyA
_lopen
MulDiv
GetTempFileNameA
GlobalLock
LocalFree
GlobalAlloc
FormatMessageA
DrawTextA
CreateWindowExA
RegisterClassA
LoadIconA
LoadCursorA
ReleaseDC
EndPaint
BeginPaint
MessageBoxA
ExitWindowsEx
SendMessageA
GetClientRect
SetTimer
SetWindowPos
PostQuitMessage
DefWindowProcA
ShowWindow
UpdateWindow
wsprintfA
GetDC
InvalidateRect
PE exports
Number of PE resources by type
RT_ICON 1
RT_VERSION 1
RT_GROUP_ICON 1
Number of PE resources by language
ENGLISH US 3
PE resources
ExifTool file metadata
UninitializedDataSize
0

LinkerVersion
6.0

ImageVersion
4.0

FileVersionNumber
1.4.0.0

LanguageCode
English (U.S.)

FileFlagsMask
0x003f

FileDescription
EtherDetect Packet Sniffer

ImageFileCharacteristics
No relocs, Executable, No line numbers, No symbols, 32-bit, Removable run from swap

CharacterSet
Windows, Latin1

InitializedDataSize
5632

EntryPoint
0x21af

MIMEType
application/octet-stream

Subsystem
Windows GUI

FileVersion
1.4

TimeStamp
2001:10:25 20:47:11+01:00

FileType
Win32 EXE

PEType
PE32

SubsystemVersion
4.0

OSVersion
4.0

FileOS
Windows 16-bit

LegalCopyright
2008 EtherDetect

MachineType
Intel 386 or later, and compatibles

CompanyName
EtherDetect

CodeSize
8704

FileSubtype
0

ProductVersionNumber
1.4.0.0

FileTypeExtension
exe

ObjectFileType
Executable application

CarbonBlack CarbonBlack acts as a surveillance camera for computers
While monitoring an end-user machine in-the-wild, CarbonBlack noticed the following files in execution wrote this sample to disk.
Execution parents
Compressed bundles
File identification
MD5 a802939f0aeb5e3487e7aad0e0874eca
SHA1 019ad04a4ec41a6b4157fcc5cc2e35b5055cd790
SHA256 30e8db508953230bccfbcddfaa298e44c13e641381f43693544a365097d3afa2
ssdeep
24576:eHJduFt5vFq2xTuCgP8JuDV1XSOSorLyoCg/TBvOVWCuQWxaPQRK4syfLWzx5bL:gJMwCFJCV2oCg7BhCkvMMLWfL

authentihash 8decf9a442df5405cd70559e72bce5f90c5f194092a5101b94c398b1900c303a
imphash e41c25ab7824b3df73334188c40518ae
File size 1.2 MB ( 1309311 bytes )
File type Win32 EXE
Magic literal
PE32 executable for MS Windows (GUI) Intel 80386 32-bit

TrID Wise Installer executable (91.3%)
Win64 Executable (generic) (5.3%)
Win32 Dynamic Link Library (generic) (1.2%)
Win32 Executable (generic) (0.8%)
OS/2 Executable (generic) (0.3%)
Tags
peexe overlay

VirusTotal metadata
First submission 2009-01-31 05:58:58 UTC ( 10 years, 1 month ago )
Last submission 2018-07-27 05:00:05 UTC ( 8 months ago )
File names A802939F0AEB5E3487E7AAD0E0874ECA
EtherDetect_setup.exe
35598
EtherDetect_setup.exe
VirusShare_a802939f0aeb5e3487e7aad0e0874eca
EtherDetect_setup.exe
octet-stream
a802939f0aeb5e3487e7aad0e0874eca
EtherDetect-Packet-Sniffer14.exe
a802939f0aeb5e3487e7aad0e0874eca_INF7D5D.tmp
a802939f0aeb5e3487e7aad0e0874eca.exe
smona_30e8db508953230bccfbcddfaa298e44c13e641381f43693544a365097d3afa2.bin
141479116260587-EtherDetect_setup.exe
EtherDetect_setup.exe
EtherDetect_setup.exe
1345725695-EtherDetect_setup.exe
etherdetect_setup.exe
EtherDetect_setup.exe.dat
file-3170354_exe
Advanced heuristic and reputation engines
ClamAV
Possibly Unwanted Application. While not necessarily malicious, the scanned file presents certain characteristics which depending on the user policies and environment may or may not represent a threat. For full details see: https://www.clamav.net/documents/potentially-unwanted-applications-pua .

No comments. No VirusTotal Community member has commented on this item yet, be the first one to do so!

Leave your comment...

?
Post comment

You have not signed in. Only registered users can leave comments, sign in and have a voice!

No votes. No one has voted on this item yet, be the first one to do so!