SHA256: 3cb4dba43b7adb952ed1b5299dea889e0f060e465289a3c58cc6202952dff1b0
File name: cshell.exe
Detection ratio: 0 / 68
Analysis date: 2018-07-30 09:12:30 UTC ( 2 weeks, 3 days ago )
Antivirus Result Update
Ad-Aware 20180730
AegisLab 20180730
AhnLab-V3 20180730
Alibaba 20180713
ALYac 20180730
Antiy-AVL 20180730
Arcabit 20180730
Avast 20180730
Avast-Mobile 20180730
AVG 20180730
Avira (no cloud) 20180730
AVware 20180727
Babable 20180725
Baidu 20180730
BitDefender 20180730
Bkav 20180728
CAT-QuickHeal 20180728
ClamAV 20180730
CMC 20180730
Comodo 20180730
CrowdStrike Falcon (ML) 20180723
Cybereason 20180225
Cylance 20180730
Cyren 20180730
DrWeb 20180730
eGambit 20180730
Emsisoft 20180730
Endgame 20180711
ESET-NOD32 20180730
F-Prot 20180730
F-Secure 20180730
Fortinet 20180730
GData 20180730
Ikarus 20180729
Sophos ML 20180717
Jiangmin 20180730
K7AntiVirus 20180727
K7GW 20180730
Kaspersky 20180730
Kingsoft 20180730
Malwarebytes 20180730
MAX 20180730
McAfee 20180730
McAfee-GW-Edition 20180730
Microsoft 20180730
eScan 20180730
NANO-Antivirus 20180730
Palo Alto Networks (Known Signatures) 20180730
Panda 20180729
Qihoo-360 20180730
Rising 20180730
SentinelOne (Static ML) 20180701
Sophos AV 20180730
SUPERAntiSpyware 20180729
Symantec 20180730
Symantec Mobile Insight 20180728
TACHYON 20180730
Tencent 20180730
TheHacker 20180730
TotalDefense 20180730
TrendMicro 20180730
TrendMicro-HouseCall 20180730
Trustlook 20180730
VBA32 20180727
VIPRE 20180730
ViRobot 20180730
Webroot 20180730
Yandex 20180730
Zillya 20180730
ZoneAlarm by Check Point 20180730
Zoner 20180730
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
Authenticode signature block and FileVersionInfo properties
Copyright
Copyright (C) 2009-2014, Ivo Beltchev

Product Classic Shell
Original name ClassicShellSetup.exe
Internal name ClassicShellSetup
File version 4, 0, 6, 0
Description Adds classic shell features to Windows 7 and Windows 8
Signature verification Certificate out of its validity period
Signers
[+] Ivaylo Beltchev
Status This certificate or one of the certificates in the certificate chain is not time valid.
Issuer StartCom Class 2 Primary Intermediate Object CA
Valid from 10:10 AM 7/6/2013
Valid to 11:07 PM 7/6/2015
Valid usage Code Signing, 1.3.6.1.4.1.311.2.1.21, Lifetime Signing
Algorithm sha1RSA
Thumbprint 33F2C9DB85F76DDA4ECF00A77DA57B56B76F018D
Serial number 0A 5B
[+] StartCom Class 2 Primary Intermediate Object CA
Status This certificate or one of the certificates in the certificate chain is not time valid.
Issuer StartCom Certification Authority
Valid from 11:01 PM 10/24/2007
Valid to 11:01 PM 10/24/2017
Valid usage All
Algorithm sha1RSA
Thumbprint D893C4F678F891F2823CD078AA5E1C48FD1DA225
Serial number 24
[+] StartCom Certification Authority
Status Valid
Issuer StartCom Certification Authority
Valid from 8:46 PM 9/17/2006
Valid to 8:46 PM 9/17/2036
Valid usage Server Auth, Client Auth, Email Protection, Code Signing, Timestamp Signing, EFS, IPSEC Tunnel, IPSEC User
Algorithm sha1RSA
Thumbprint 3E2BF7F2031B96F38CE6C4D8A85D3E2D58476A0F
Serial number 01
Counter signers
[+] COMODO Time Stamping Signer
Status This certificate or one of the certificates in the certificate chain is not time valid.
Issuer UTN-USERFirst-Object
Valid from 1:00 AM 5/10/2010
Valid to 12:59 AM 5/11/2015
Valid usage Timestamp Signing
Algorithm sha1RSA
Thumbprint 3DBB6DB5085C6DD5A1CA7F9CF84ECB1A3910CAC8
Serial number 47 8A 8E FB 59 E1 D8 3F 0C E1 42 D2 A2 87 07 BE
[+] USERTrust (Code Signing)
Status Valid
Issuer UTN-USERFirst-Object
Valid from 7:31 PM 7/9/1999
Valid to 7:40 PM 7/9/2019
Valid usage EFS, Timestamp Signing, Code Signing
Algorithm sha1RSA
Thumbprint E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46
Serial number 44 BE 0C 8B 50 00 24 B4 11 D3 36 2D E0 B3 5F 1B
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2014-04-05 20:19:17
Entry Point 0x00003AC0
Number of sections 5
PE sections
Overlays
MD5 e6ccd73f28e1b0a6120510f4b8fa2c28
File type data
Offset 6775808
Size 5824
Entropy 7.33
PE imports
RegCloseKey
RegQueryValueExW
RegOpenKeyExW
InitCommonControlsEx
GetLastError
InitializeCriticalSectionAndSpinCount
HeapFree
GetStdHandle
EnterCriticalSection
GetConsoleOutputCP
SetHandleCount
GetModuleFileNameW
WaitForSingleObject
GetExitCodeProcess
QueryPerformanceCounter
IsDebuggerPresent
HeapAlloc
TlsAlloc
GetEnvironmentStringsW
FlushFileBuffers
LoadLibraryA
RtlUnwind
GetModuleFileNameA
VirtualFree
DeleteCriticalSection
GetCurrentProcess
SizeofResource
GetLocaleInfoA
GetConsoleMode
HeapSize
GetCurrentProcessId
LCMapStringW
OpenProcess
LockResource
GetCommandLineW
WideCharToMultiByte
UnhandledExceptionFilter
InterlockedDecrement
MultiByteToWideChar
GetStartupInfoW
FreeEnvironmentStringsW
DeleteFileW
GetProcAddress
GetStringTypeA
GetFileType
SetStdHandle
RaiseException
GetCPInfo
SetEnvironmentVariableW
TlsFree
SetFilePointer
SetUnhandledExceptionFilter
WriteFile
GetStartupInfoA
CloseHandle
GetSystemTimeAsFileTime
GetACP
HeapReAlloc
GetStringTypeW
GetModuleHandleW
GetOEMCP
TerminateProcess
GetConsoleCP
LCMapStringA
WriteConsoleA
VirtualAlloc
IsValidCodePage
LoadResource
FindResourceW
CreateFileW
CreateProcessW
TlsGetValue
Sleep
SetLastError
GetTickCount
TlsSetValue
CreateFileA
GetCurrentThreadId
GetVersion
LeaveCriticalSection
ExitProcess
HeapCreate
WriteConsoleW
InterlockedIncrement
CommandLineToArgvW
DoEnvironmentSubstW
GetWindowThreadProcessId
MessageBoxW
EndDialog
CharUpperW
DialogBoxParamW
FindWindowW
SetProcessDPIAware
LoadStringW
GetDlgItemTextW
VerQueryValueW
GetFileVersionInfoW
GetFileVersionInfoSizeW
Number of PE resources by type
RT_ICON 5
RT_STRING 3
MSI_FILE 3
RT_DIALOG 1
RT_MANIFEST 1
RT_VERSION 1
RT_GROUP_ICON 1
Number of PE resources by language
ENGLISH US 15
PE resources
Debug information
ExifTool file metadata
SubsystemVersion
5.0

InitializedDataSize
6724608

ImageVersion
0.0

ProductName
Classic Shell

FileVersionNumber
4.0.6.0

UninitializedDataSize
0

LanguageCode
English (U.S.)

FileFlagsMask
0x0017

CharacterSet
Unicode

LinkerVersion
9.0

FileTypeExtension
exe

OriginalFileName
ClassicShellSetup.exe

MIMEType
application/octet-stream

Subsystem
Windows GUI

FileVersion
4, 0, 6, 0

TimeStamp
2014:04:05 21:19:17+01:00

FileType
Win32 EXE

PEType
PE32

InternalName
ClassicShellSetup

ProductVersion
4, 0, 6, 0

FileDescription
Adds classic shell features to Windows 7 and Windows 8

OSVersion
5.0

FileOS
Win32

LegalCopyright
Copyright (C) 2009-2014, Ivo Beltchev

MachineType
Intel 386 or later, and compatibles

CompanyName
IvoSoft

CodeSize
50176

FileSubtype
0

ProductVersionNumber
4.0.6.0

EntryPoint
0x3ac0

ObjectFileType
Executable application

CarbonBlack
While monitoring an end-user machine in the wild, CarbonBlack observed that the following executing files wrote this sample to disk.
Execution parents
Compressed bundles
File identification
MD5 262ce04d58a7e2da3692aab976984e79
SHA1 7a4a6d68894c3eca8f70c1145c610d1f75f6d269
SHA256 3cb4dba43b7adb952ed1b5299dea889e0f060e465289a3c58cc6202952dff1b0
ssdeep
196608:8cM32OQkzkqFiZi8zh0V18t9ooA9iqiXf27:89Qkzk5g

authentihash 87c6ba0dbb3577934b6ca72dfd750e3de134031c767b4148e5da60deeb48cef6
imphash c31df50c0128d7be11bbb3dc732477ea
File size 6.5 MB ( 6781632 bytes )
File type Win32 EXE
Magic literal
PE32 executable for MS Windows (GUI) Intel 80386 32-bit

TrID Win32 Executable MS Visual C++ (generic) (41.0%)
Win64 Executable (generic) (36.3%)
Win32 Dynamic Link Library (generic) (8.6%)
Win32 Executable (generic) (5.9%)
OS/2 Executable (generic) (2.6%)
Tags
peexe overlay signed software-collection

VirusTotal metadata
First submission 2014-04-06 05:32:19 UTC ( 4 years, 4 months ago )
Last submission 2018-07-30 09:12:30 UTC ( 2 weeks, 3 days ago )
File names ClassicShellSetup_4_0_6[1].exe
ClassicShellSetup_4_0_6.ex_
pjfg22ejjq7mvd3qyekfyyind527nutj.exe
Classic Shell_4.0.6.exe
ClassicShellSetup
4fvl1npk.exe.part
ClassicShellSetup_4_0_6.exe
ClassicShellSetup_4_0_6.exe
filename
ClassicShellSetup_4_0_6.exe
ClassicShellSetup_4_0_6.exe
classic-shell-4-0-6-en-win.exe
ClassicShellSetup_4_0_6.exe
ClassicShellSetup_4_0_6.exe
ClassicShellSetup_4_0_6.exe
ClassicShellSetup.exe
ClassicShellSetup_4_0_6.exe
classicshellsetup_4_0_6.exe
ClassicShellSetup_4_0_6.exe
cshell.exe
file-6821068_exe
Classicshellsetup_4_0_6.exe
Advanced heuristic and reputation engines
Symantec reputation Suspicious.Insight