SHA256: 363d98dc34d5b3eb525ed16cc3678afac70fac84e93addbc81be08407be6eb90
File name: ba3e7394fdb529ae108abdb7c1a751b2.exe
Detection ratio: 0 / 67
Analysis date: 2018-08-04 00:43:09 UTC
Antivirus Result Update
Ad-Aware 20180803
AegisLab 20180804
AhnLab-V3 20180803
Alibaba 20180713
ALYac 20180804
Antiy-AVL 20180804
Arcabit 20180804
Avast 20180804
Avast-Mobile 20180803
AVG 20180804
Avira (no cloud) 20180803
AVware 20180727
Babable 20180725
Baidu 20180802
BitDefender 20180804
Bkav 20180803
CAT-QuickHeal 20180803
ClamAV 20180804
CMC 20180803
Comodo 20180804
CrowdStrike Falcon (ML) 20180723
Cybereason 20180225
Cylance 20180804
Cyren 20180804
DrWeb 20180804
eGambit 20180804
Emsisoft 20180804
Endgame 20180730
ESET-NOD32 20180804
F-Prot 20180804
F-Secure 20180804
Fortinet 20180803
GData 20180804
Ikarus 20180803
Sophos ML 20180717
Jiangmin 20180804
K7AntiVirus 20180803
K7GW 20180803
Kaspersky 20180803
Kingsoft 20180804
Malwarebytes 20180804
MAX 20180804
McAfee 20180804
McAfee-GW-Edition 20180803
Microsoft 20180804
eScan 20180804
NANO-Antivirus 20180804
Palo Alto Networks (Known Signatures) 20180804
Panda 20180803
Qihoo-360 20180804
Rising 20180804
SentinelOne (Static ML) 20180701
Sophos AV 20180804
SUPERAntiSpyware 20180803
Symantec 20180803
Symantec Mobile Insight 20180801
TACHYON 20180804
Tencent 20180804
TheHacker 20180802
TotalDefense 20180803
TrendMicro 20180804
TrendMicro-HouseCall 20180804
Trustlook 20180804
VBA32 20180803
VIPRE 20180804
ViRobot 20180803
Webroot 20180804
Yandex 20180803
ZoneAlarm by Check Point 20180804
Zoner 20180803
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
FileVersionInfo properties
Product Instantbird
Original name 7zS.sfx.exe
Internal name 7zS.sfx
File version 4.42
Description Instantbird
Packers identified
F-PROT NSIS, Unicode, 7Z, UPX
PEiD UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2006-08-15 22:27:50
Entry Point 0x00021D00
Number of sections 3
PE sections
Overlays
MD5 3d12690b523341da0e14629b9c535799
File type data
Offset 70144
Size 19817760
Entropy 8.00
PE imports
VirtualProtect
LoadLibraryA
ExitProcess
GetProcAddress
SysAllocString
ShellExecuteExA
SetTimer
Number of PE resources by type
RT_ICON 9
RT_STRING 2
RT_DIALOG 1
RT_MANIFEST 1
RT_VERSION 1
RT_GROUP_ICON 1
Number of PE resources by language
ENGLISH US 15
PE resources
ExifTool file metadata
UninitializedDataSize 94208
LinkerVersion 6.0
ImageVersion 0.0
FileSubtype 0
FileVersionNumber 4.42.0.0
LanguageCode English (U.S.)
FileFlagsMask 0x003f
FileDescription Instantbird
ImageFileCharacteristics No relocs, Executable, No line numbers, No symbols, 32-bit
CharacterSet Unicode
InitializedDataSize 28672
EntryPoint 0x21d00
OriginalFileName 7zS.sfx.exe
MIMEType application/octet-stream
FileVersion 4.42
TimeStamp 2006:08:15 23:27:50+01:00
FileType Win32 EXE
PEType PE32
InternalName 7zS.sfx
ProductVersion 4.42
SubsystemVersion 4.0
OSVersion 4.0
FileOS Windows NT 32-bit
Subsystem Windows GUI
MachineType Intel 386 or later, and compatibles
CodeSize 40960
ProductName Instantbird
ProductVersionNumber 4.42.0.0
FileTypeExtension exe
ObjectFileType Executable application
CarbonBlack (CarbonBlack acts as a surveillance camera for computers)
While monitoring an end-user machine in the wild, CarbonBlack noticed this sample wrote the following files to disk.
File identification
MD5 ba3e7394fdb529ae108abdb7c1a751b2
SHA1 64851ad6c74e7e75e7e3eb160f8f4d3cc1091eab
SHA256 363d98dc34d5b3eb525ed16cc3678afac70fac84e93addbc81be08407be6eb90
ssdeep 393216:IzHCJBfmqN1vCBIrqwmsVxHlUlByhBApZUHNZRlN1yz+AzO0Gluu/FGVdGxXneHn:gHC7fm8CBIrqwrxPzAeTafz1K/F6WuHn
authentihash 693acde704f9469cfa31e3c5730441483261cb2490e1e68e1d5f66e1c9e5d6c8
imphash 67b717da9ed8a8bd9f572a5820791f0c
File size 19.0 MB ( 19887904 bytes )
File type Win32 EXE
Magic literal PE32 executable for MS Windows (GUI) Intel 80386 32-bit
TrID Win64 Executable (generic) (28.0%)
UPX compressed Win32 Executable (27.5%)
Win32 EXE Yoda's Crypter (27.0%)
Win32 Dynamic Link Library (generic) (6.6%)
Win32 Executable (generic) (4.5%)
Tags nsis peexe upx overlay
VirusTotal metadata
First submission 2013-12-20 15:15:49 UTC
Last submission 2017-09-29 18:10:51 UTC
File names instantbird-1.5.en-US.win32.installer.exe
instantbird-1.5.en-us.win32.installer.exe
363D98DC34D5B3EB525ED16CC3678AFAC70FAC84E93ADDBC81BE08407BE6EB90
instantbird-1.5.en-US.win32.installer.exe
instantbird-1.5.en-US.win32.installer.exe
438223
7zS.sfx.exe
instantbird-1.5.en-US.win32.installer.exe
7zS.sfx
filename
instantbird-1.5.en-US.win32.installer.exe
instantbird-1.5.en-US.win32.installer.exe
ba3e7394fdb529ae108abdb7c1a751b2.exe
instantbird-1.5.en.exe
Instantbird_1.5_x86.exe
instantbird-1.5.en-US.win32.installer.exe
Instantbird(Multiple Messenger)_1.5_x86.exe
Advanced heuristic and reputation engines
ClamAV Possibly Unwanted Application. While not necessarily malicious, the scanned file presents certain characteristics which, depending on the user policies and environment, may or may not represent a threat. For full details see: https://www.clamav.net/documents/potentially-unwanted-applications-pua
Symantec reputation Suspicious.Insight
Condensed report! The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.
Opened files
Read files
Deleted files
Runtime DLLs