SHA256: 323b6da4f26925bf29b423f9ad1929f7a038f448a26af2e6d69f401524546f2a
File name: AGENT.EXE
Detection ratio: 0 / 67
Analysis date: 2018-04-13 02:51:46 UTC (1 year, 1 month ago)
Antivirus Result Update
Ad-Aware 20180413
AegisLab 20180413
AhnLab-V3 20180412
Alibaba 20180412
ALYac 20180413
Antiy-AVL 20180412
Arcabit 20180413
Avast 20180413
Avast-Mobile 20180412
AVG 20180413
Avira (no cloud) 20180412
AVware 20180413
Baidu 20180412
BitDefender 20180413
Bkav 20180410
CAT-QuickHeal 20180412
ClamAV 20180412
CMC 20180412
Comodo 20180413
CrowdStrike Falcon (ML) 20170201
Cybereason 20180225
Cylance 20180413
Cyren 20180413
DrWeb 20180413
eGambit 20180413
Emsisoft 20180413
Endgame 20180403
ESET-NOD32 20180413
F-Prot 20180413
F-Secure 20180412
Fortinet 20180413
GData 20180412
Ikarus 20180412
Sophos ML 20180121
Jiangmin 20180413
K7AntiVirus 20180412
K7GW 20180412
Kaspersky 20180413
Kingsoft 20180413
Malwarebytes 20180413
MAX 20180413
McAfee 20180413
McAfee-GW-Edition 20180413
Microsoft 20180413
eScan 20180413
NANO-Antivirus 20180413
nProtect 20180412
Palo Alto Networks (Known Signatures) 20180413
Panda 20180412
Qihoo-360 20180413
Rising 20180413
SentinelOne (Static ML) 20180225
Sophos AV 20180413
SUPERAntiSpyware 20180413
Symantec 20180412
Symantec Mobile Insight 20180412
Tencent 20180413
TheHacker 20180410
TrendMicro 20180413
TrendMicro-HouseCall 20180413
Trustlook 20180413
VBA32 20180412
VIPRE 20180413
ViRobot 20180412
Webroot 20180413
WhiteArmor 20180408
Yandex 20180412
Zillya 20180412
ZoneAlarm by Check Point 20180413
Zoner 20180412
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows command line subsystem.
Authenticode signature block and FileVersionInfo properties
Copyright
Copyright (C) 2005-2011 CHENGDU YIWO Tech Development Co., Ltd. All rights reserved.

Product EaseUS Todo Backup
Original name Agent.exe
Internal name Agent
File version 5.8.0.0
Description EaseUS Todo Backup Agent Application
Comments EaseUS Todo Backup Application
Signature verification Certificate out of its validity period
Signers
[+] CHENGDU YIWO Tech Development Co., Ltd.
Status This certificate or one of the certificates in the certificate chain is not time valid.
Issuer VeriSign Class 3 Code Signing 2010 CA
Valid from 1:00 AM 9/3/2014
Valid to 12:59 AM 10/3/2017
Valid usage Code Signing
Algorithm sha1RSA
Thumbprint 7D182BBF0CE8C48112085C6E03F3C2E4DC338AFB
Serial number 7F 86 B4 4C 3E FB 81 FA C8 C8 B6 70 58 05 4F 6A
[+] VeriSign Class 3 Code Signing 2010 CA
Status Valid
Issuer VeriSign Class 3 Public Primary Certification Authority - G5
Valid from 1:00 AM 2/8/2010
Valid to 12:59 AM 2/8/2020
Valid usage Client Auth, Code Signing
Algorithm sha1RSA
Thumbprint 495847A93187CFB8C71F840CB7B41497AD95C64F
Serial number 52 00 E5 AA 25 56 FC 1A 86 ED 96 C9 D4 4B 33 C7
[+] VeriSign
Status Valid
Issuer VeriSign Class 3 Public Primary Certification Authority - G5
Valid from 1:00 AM 11/8/2006
Valid to 12:59 AM 7/17/2036
Valid usage Server Auth, Client Auth, Email Protection, Code Signing
Algorithm sha1RSA
Thumbprint 4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5
Serial number 18 DA D1 9E 26 7D E8 BB 4A 21 58 CD CC 6B 3B 4A
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2015-12-09 21:46:11
Entry Point 0x000043BD
Number of sections 5
PE sections
Overlays
MD5 51886ed3818232f484e4ea899c6fb04b
File type data
Offset 31744
Size 5160
Entropy 7.38
PE imports
OpenServiceW
RegCloseKey
StartServiceW
SetServiceStatus
QueryServiceStatus
RegSetValueExW
OpenSCManagerW
RegOpenKeyExW
RegisterServiceCtrlHandlerExW
ControlService
StartServiceCtrlDispatcherW
DeleteService
CloseServiceHandle
CreateServiceW
GetLastError
EnterCriticalSection
GetModuleFileNameW
WaitForSingleObject
GetVersionExW
SetEvent
QueryPerformanceCounter
IsDebuggerPresent
GetTickCount
LoadLibraryA
DeleteCriticalSection
GetCurrentProcess
GetCurrentProcessId
UnhandledExceptionFilter
GetProcAddress
InterlockedCompareExchange
GetPrivateProfileStringW
CreateThread
InterlockedExchange
SetUnhandledExceptionFilter
CreateMutexW
CloseHandle
GetSystemTimeAsFileTime
GetSystemDirectoryA
FreeLibrary
TerminateProcess
CreateEventW
InitializeCriticalSection
OpenEventW
CreateFileW
InterlockedDecrement
Sleep
GetCurrentThreadId
InterlockedIncrement
LeaveCriticalSection
??0?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAE@ABV01@@Z
??1?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAE@XZ
??0?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAE@PB_W@Z
_purecall
__wgetmainargs
__p__fmode
memset
__dllonexit
__RTDynamicCast
_controlfp_s
swprintf_s
strcat_s
wcsncat
_invoke_watson
__winitenv
_amsg_exit
_crt_debugger_hook
?_type_info_dtor_internal_method@type_info@@QAEXXZ
??2@YAPAXI@Z
_lock
__p__commode
_onexit
_encode_pointer
_XcptFilter
exit
__setusermatherr
strcpy_s
_initterm_e
_adjust_fdiv
??_V@YAXPAX@Z
_cexit
_wcsicmp
?terminate@@YAXXZ
_unlock
wcsncpy
??3@YAXPAX@Z
__CxxFrameHandler3
_except_handler4_common
_initterm
_decode_pointer
wcsrchr
_configthreadlocale
_exit
__set_app_type
wsprintfW
PE exports
Number of PE resources by type
RT_MANIFEST 1
RT_VERSION 1
Number of PE resources by language
ENGLISH US 1
CHINESE SIMPLIFIED 1
PE resources
Debug information
ExifTool file metadata
UninitializedDataSize 0
Comments EaseUS Todo Backup Application
InitializedDataSize 15360
ImageVersion 0.0
ProductName EaseUS Todo Backup
FileVersionNumber 5.0.0.1
LanguageCode Unknown (0009)
FileFlagsMask 0x0017
FileDescription EaseUS Todo Backup Agent Application
CharacterSet Unicode
LinkerVersion 9.0
FileTypeExtension exe
OriginalFileName Agent.exe
MIMEType application/octet-stream
Subsystem Windows command line
FileVersion 5.8.0.0
TimeStamp 2015:12:09 22:46:11+01:00
FileType Win32 EXE
PEType PE32
InternalName Agent
ProductVersion 5.8.0.0
SubsystemVersion 5.0
OSVersion 5.0
FileOS Win32
LegalCopyright Copyright (C) 2005-2011 CHENGDU YIWO Tech Development Co., Ltd. All rights reserved.
MachineType Intel 386 or later, and compatibles
CompanyName CHENGDU YIWO Tech Development Co., Ltd
CodeSize 15360
FileSubtype 0
ProductVersionNumber 5.0.0.1
EntryPoint 0x43bd
ObjectFileType Executable application
While monitoring an end-user machine in-the-wild, CarbonBlack noticed the following files in execution wrote this sample to disk.
Compressed bundles
File identification
MD5 2b9bdae7e1e20cf0b07dc0df7a2278ba
SHA1 dfaf1a8b064180ddcabe6008b08d35807bf817e5
SHA256 323b6da4f26925bf29b423f9ad1929f7a038f448a26af2e6d69f401524546f2a
ssdeep 768:NWEHNmFCa7dZwzED0uPd0ZPpeNau5ROX9+Yk4AUB:0EHYvsKtd0ZPpesuTOtjk4n

authentihash a5d09ccf81fcd1ce1b7f6b9334b2c420ac527f59bf09e14693c0495a5f4385f3
imphash 4b76b71aed8b0115e080dbe0551a4791
File size 36.0 KB (36904 bytes)
File type Win32 EXE
Magic literal PE32 executable for MS Windows (console) Intel 80386 32-bit

TrID Win32 Executable MS Visual C++ (generic) (41.0%)
Win64 Executable (generic) (36.3%)
Win32 Dynamic Link Library (generic) (8.6%)
Win32 Executable (generic) (5.9%)
OS/2 Executable (generic) (2.6%)
Tags
peexe signed overlay

VirusTotal metadata
First submission 2015-12-17 18:46:52 UTC (3 years, 5 months ago)
Last submission 2018-04-13 02:51:46 UTC (1 year, 1 month ago)
File names agent.exe
agent.exe
Agent.exe
is-30h7c.tmp
Agent.exe
agent.exe
Agent.exe
Agent.exe
Agent.exe
Agent.exe
Agent.exe
Agent.exe
AGENT.EXE
Agent
is-4uqla.tmp
Agent.exe
Agent.exe
is-gb79m.tmp
Agent.exe
Behaviour characterization
Zemana
dll-injection

Condensed report! The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.
Opened files
Created mutexes
Runtime DLLs