SHA256: 41c5283b90b549a152a6aae2e4af8dbdf4ebec29d4d279fdaf71751ef14d1633
File name: uTorrent.exe
Detection ratio: 0 / 51
Analysis date: 2014-03-30 14:24:39 UTC ( 5 years, 1 month ago )
Antivirus Result Update
Ad-Aware 20140330
AegisLab 20140330
Yandex 20140329
AhnLab-V3 20140330
AntiVir 20140330
Antiy-AVL 20140330
Avast 20140330
AVG 20140330
Baidu-International 20140330
BitDefender 20140330
Bkav 20140329
ByteHero 20140330
CAT-QuickHeal 20140330
ClamAV 20140330
CMC 20140328
Commtouch 20140330
Comodo 20140330
DrWeb 20140330
Emsisoft 20140330
ESET-NOD32 20140330
F-Prot 20140330
F-Secure 20140330
Fortinet 20140330
GData 20140330
Ikarus 20140330
Jiangmin 20140330
K7AntiVirus 20140328
K7GW 20140328
Kaspersky 20140330
Kingsoft 20140330
Malwarebytes 20140330
McAfee 20140330
McAfee-GW-Edition 20140329
Microsoft 20140330
eScan 20140330
NANO-Antivirus 20140330
Norman 20140330
nProtect 20140330
Panda 20140330
Qihoo-360 20140330
Rising 20140330
Sophos AV 20140330
SUPERAntiSpyware 20140329
Symantec 20140330
TheHacker 20140329
TotalDefense 20140329
TrendMicro 20140330
TrendMicro-HouseCall 20140330
VBA32 20140328
VIPRE 20140330
ViRobot 20140330
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
Authenticode signature block and FileVersionInfo properties
Copyright
©2014 BitTorrent, Inc. All Rights Reserved.

Product µTorrent
Original name uTorrent.exe
Internal name uTorrent.exe
File version 3.4.1.30740
Description µTorrent
Signature verification Signed file, verified signature
Signing date 5:42 AM 3/27/2014
Signers
[+] BitTorrent Inc
Status This certificate or one of the certificates in the certificate chain is not time valid.
Issuer VeriSign Class 3 Code Signing 2010 CA
Valid from 12:00 AM 06/05/2013
Valid to 11:59 PM 09/03/2016
Valid usage Code Signing
Algorithm sha256RSA
Thumbprint CC94057C4829F35E1EE219CD5F3B170800F148A5
Serial number 57 32 C1 57 4E 6A F8 28 E1 B4 F9 3A BB 34 ED 08
[+] VeriSign Class 3 Code Signing 2010 CA
Status Valid
Issuer VeriSign Class 3 Public Primary Certification Authority - G5
Valid from 12:00 AM 02/08/2010
Valid to 11:59 PM 02/07/2020
Valid usage Client Auth, Code Signing
Algorithm sha1RSA
Thumbprint 495847A93187CFB8C71F840CB7B41497AD95C64F
Serial number 52 00 E5 AA 25 56 FC 1A 86 ED 96 C9 D4 4B 33 C7
[+] VeriSign
Status Valid
Issuer VeriSign Class 3 Public Primary Certification Authority - G5
Valid from 12:00 AM 11/08/2006
Valid to 11:59 PM 07/16/2036
Valid usage Server Auth, Client Auth, Email Protection, Code Signing
Algorithm sha1RSA
Thumbprint 4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5
Serial number 18 DA D1 9E 26 7D E8 BB 4A 21 58 CD CC 6B 3B 4A
Counter signers
[+] Symantec Time Stamping Services Signer - G4
Status Valid
Issuer Symantec Time Stamping Services CA - G2
Valid from 12:00 AM 10/18/2012
Valid to 11:59 PM 12/29/2020
Valid usage Timestamp Signing
Algorithm sha1RSA
Thumbprint 65439929B67973EB192D6FF243E6767ADF0834E4
Serial number 0E CF F4 38 C8 FE BF 35 6E 04 D8 6A 98 1B 1A 50
[+] Symantec Time Stamping Services CA - G2
Status Valid
Issuer Thawte Timestamping CA
Valid from 12:00 AM 12/21/2012
Valid to 11:59 PM 12/30/2020
Valid usage Timestamp Signing
Algorithm sha1RSA
Thumbprint 6C07453FFDDA08B83707C09B82FB3D15F35336B1
Serial number 7E 93 EB FB 7C C6 4E 59 EA 4B 9A 77 D4 06 FC 3B
[+] Thawte Timestamping CA
Status Valid
Issuer Thawte Timestamping CA
Valid from 12:00 AM 01/01/1997
Valid to 11:59 PM 12/31/2020
Valid usage Timestamp Signing
Algorithm md5RSA
Thumbprint BE36A4562FB2EE05DBB3D32323ADF445084ED656
Serial number 00
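The signer certificate is reported as "not time valid" only because the report was viewed after its 2016-09-03 expiry; the signature itself was made on 2014-03-27 and carries a timestamp countersignature, so under Authenticode rules it is still acceptable. The following is an added example, not part of the VirusTotal report, that encodes the validity windows listed above as constructed input and applies that rule. The `signature_time_valid` function and its simplified model are mine: it ignores revocation checking, the lifetime-signing EKU and whether the roots are actually in the local trust store.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Cert:
    subject: str
    not_before: datetime
    not_after: datetime


def _utc(y, m, d, hh=0, mm=0):
    return datetime(y, m, d, hh, mm, tzinfo=timezone.utc)


# Signer chain, constructed from the "Signers" block of the report above.
SIGNER_CHAIN = [
    Cert("BitTorrent Inc", _utc(2013, 6, 5), _utc(2016, 9, 3, 23, 59)),
    Cert("VeriSign Class 3 Code Signing 2010 CA", _utc(2010, 2, 8), _utc(2020, 2, 7, 23, 59)),
    Cert("VeriSign", _utc(2006, 11, 8), _utc(2036, 7, 16, 23, 59)),
]
# Timestamp countersigner chain, constructed from the "Counter signers" block.
TIMESTAMP_CHAIN = [
    Cert("Symantec Time Stamping Services Signer - G4", _utc(2012, 10, 18), _utc(2020, 12, 29, 23, 59)),
    Cert("Symantec Time Stamping Services CA - G2", _utc(2012, 12, 21), _utc(2020, 12, 30, 23, 59)),
    Cert("Thawte Timestamping CA", _utc(1997, 1, 1), _utc(2020, 12, 31, 23, 59)),
]
SIGNING_TIME = _utc(2014, 3, 27, 5, 42)   # "Signing date" in the report


def chain_valid_at(chain, when):
    """Every certificate in the chain must be inside its validity window at `when`."""
    return all(c.not_before <= when <= c.not_after for c in chain)


def signature_time_valid(signer_chain, now, timestamp_chain=None, timestamp_time=None):
    """Simplified Authenticode time rule (assumption, not the Windows implementation):
    an expired signer chain is still acceptable when a timestamp countersignature
    proves the signature was made while both chains were valid. Without a
    timestamp, the signer chain has to be valid *now*.
    Returns (accepted, reason)."""
    if chain_valid_at(signer_chain, now):
        return True, "signer chain currently valid"
    if timestamp_chain is None or timestamp_time is None:
        return False, "signer chain expired and no timestamp countersignature"
    if not chain_valid_at(timestamp_chain, timestamp_time):
        return False, "timestamp chain was not valid at the countersigned time"
    if chain_valid_at(signer_chain, timestamp_time):
        return True, "signer chain expired, but valid at the countersigned time"
    return False, "signer chain was not valid at the countersigned time"


if __name__ == "__main__":
    viewed = _utc(2019, 5, 1)   # roughly when the report above was rendered
    print(signature_time_valid(SIGNER_CHAIN, viewed, TIMESTAMP_CHAIN, SIGNING_TIME))
    print(signature_time_valid(SIGNER_CHAIN, viewed))   # same file, timestamp stripped
```

The second call shows why the countersignature matters: the same signer chain, evaluated without a timestamp, is rejected outright once the leaf certificate has expired.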
Packers identified
F-PROT UPX_LZMA, embedded
PEiD UPX 2.93 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2014-03-27 05:42:04
Entry Point 0x00313E70
Number of sections 5
PE sections
Overlays
MD5 f71bf6c207372050e569b639079f1c2c
File type data
Offset 1660928
Size 10320
Entropy 6.81
PE imports
Ord(412)
GetOpenFileNameW
DnsFree
BitBlt
GetExtendedTcpTable
VirtualFree
ExitProcess
VirtualProtect
LoadLibraryA
VirtualAlloc
GetProcAddress
AlphaBlend
SafeArrayCreate
GetProcessImageFileNameW
SetupDiGetClassDevsW
DragFinish
VerQueryValueW
GdipFree
OleRun
Number of PE resources by type
RT_DIALOG 116
RT_ICON 64
RT_GROUP_ICON 51
PNG 23
JS 5
RT_BITMAP 4
RT_HTML 2
CSS 2
RT_MANIFEST 1
GIF 1
RT_RCDATA 1
RT_VERSION 1
Number of PE resources by language
SWEDISH 182
ENGLISH US 89
PE resources
ExifTool file metadata
SpecialBuild stable34 stable
SubsystemVersion 5.1
InitializedDataSize 126976
ImageVersion 0.0
ProductName µTorrent
FileVersionNumber 3.4.1.30740
UninitializedDataSize 2093056
LanguageCode English (U.S.)
FileFlagsMask 0x002b
ImageFileCharacteristics No relocs, Executable, 32-bit
CharacterSet Windows, Latin1
LinkerVersion 11.0
FileTypeExtension exe
OriginalFileName uTorrent.exe
MIMEType application/octet-stream
Subsystem Windows GUI
FileVersion 3.4.1.30740
TimeStamp 2014:03:27 05:42:04+00:00
FileType Win32 EXE
PEType PE32
InternalName uTorrent.exe
ProductVersion 3.4.1.30740
FileDescription µTorrent
OSVersion 5.1
FileOS Unknown (0)
LegalCopyright ©2014 BitTorrent, Inc. All Rights Reserved.
MachineType Intel 386 or later, and compatibles
CompanyName BitTorrent Inc.
CodeSize 1134592
FileSubtype 0
ProductVersionNumber 3.4.1.30740
EntryPoint 0x313e70
ObjectFileType Unknown

CarbonBlack
While monitoring an end-user machine in-the-wild, CarbonBlack noticed the following files in execution wrote this sample to disk.
Execution parents
Compressed bundles
File identification
MD5 b3bf0fb371b61559f58c00841af135c8
SHA1 f514d1989cbd7d601ac7f2e5eea60244a3d8f9ec
SHA256 41c5283b90b549a152a6aae2e4af8dbdf4ebec29d4d279fdaf71751ef14d1633
ssdeep
24576:Fo7tD7rJsZDTRb+TWfrSwUZvent4VUriBgYXy8RdFVNYLC0kLTUzX+K7jHxUuzXc:FoJV2fh+TGuddemKStr0k87L7SAvJqek

authentihash 5fc92e0cbfe5186e61f8f10fa5338e31687785b7161f0edf9c6247a7bb5826b4
imphash 9b52a06418f1615b8b195a7861ea14f9
File size 1.6 MB ( 1671248 bytes )
File type Win32 EXE
Magic literal
PE32 executable for MS Windows (GUI) Intel 80386 32-bit

TrID Win64 Executable (generic) (28.0%)
UPX compressed Win32 Executable (27.5%)
Win32 EXE Yoda's Crypter (27.0%)
Win32 Dynamic Link Library (generic) (6.6%)
Win32 Executable (generic) (4.5%)
Tags
peexe signed upx overlay
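Three of the values above come straight out of the PE layout: the UPX verdict (UPX names its sections UPX0/UPX1), the 10320-byte overlay at offset 1660928 (1660928 + 10320 is exactly the 1671248-byte file size), and the authentihash, which differs from the SHA256 because Authenticode hashing skips the CheckSum field, the security data-directory entry and the certificate table itself. On a signed file that trailing certificate table is usually what gets reported as "overlay", so its entropy says nothing about hidden payloads. The following is an added example, not VirusTotal's code, that recomputes those values from the PE headers; `build_mini_pe` constructs a tiny non-runnable PE32 image so the block can be exercised offline, and the authentihash routine assumes sections appear in file order.

```python
import hashlib
import math
import struct
import sys


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(data: bytes) -> dict:
    """Walk the PE32/PE32+ headers: section table, trailing data (overlay),
    and the offsets Authenticode hashing has to skip."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    num_sections, _, _, _, size_of_opt, _ = struct.unpack_from("<HIIIHH", data, coff + 2)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    dd = opt + (96 if magic == 0x10B else 112)      # data directory start (PE32 / PE32+)
    checksum_off = opt + 64                          # OptionalHeader.CheckSum
    secdir_off = dd + 4 * 8                          # IMAGE_DIRECTORY_ENTRY_SECURITY
    cert_off, cert_size = struct.unpack_from("<II", data, secdir_off)
    sections = []
    table = opt + size_of_opt
    for i in range(num_sections):
        name, _, _, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, table + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"),
                         "raw_ptr": raw_ptr, "raw_size": raw_size})
    end_of_sections = max((s["raw_ptr"] + s["raw_size"] for s in sections), default=0)
    overlay_off = min(end_of_sections, len(data))
    return {"sections": sections, "checksum_off": checksum_off, "secdir_off": secdir_off,
            "cert_table": (cert_off, cert_size),
            "overlay_offset": overlay_off, "overlay_size": len(data) - overlay_off,
            "overlay_entropy": shannon_entropy(data[overlay_off:])}


def packer_hint(info: dict) -> str:
    """Cheap packer tell: UPX names its sections UPX0/UPX1 (plus .rsrc)."""
    return "UPX" if any(s["name"].startswith("UPX") for s in info["sections"]) else "none"


def authentihash(data: bytes, algo: str = "sha256") -> str:
    """Authenticode file hash: everything except the CheckSum field, the security
    data-directory entry and the certificate table (sections assumed in file order)."""
    info = parse_pe(data)
    cs, sd = info["checksum_off"], info["secdir_off"]
    cert_off, cert_size = info["cert_table"]
    h = hashlib.new(algo)
    h.update(data[:cs])
    h.update(data[cs + 4:sd])
    if cert_size:
        h.update(data[sd + 8:cert_off])
        h.update(data[cert_off + cert_size:])   # anything placed after the cert table
    else:
        h.update(data[sd + 8:])
    return h.hexdigest()


def file_hashes(data: bytes) -> dict:
    return {"sha256": hashlib.sha256(data).hexdigest(), "authentihash": authentihash(data)}


def build_mini_pe(section_name=b".text", payload=b"\xCC" * 64, overlay=b"", cert=b"") -> bytes:
    """Constructed, non-runnable PE32 image for offline testing (not a real binary)."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)      # i386, 1 section, PE32 opt hdr
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)
    raw_ptr = len(dos) + 4 + len(coff) + len(opt) + 40
    cert_off = raw_ptr + len(payload) + len(overlay)
    if cert:
        struct.pack_into("<II", opt, 96 + 4 * 8, cert_off, len(cert))   # security directory entry
    sect = struct.pack("<8sIIIIIIHHI", section_name, len(payload), 0x1000,
                       len(payload), raw_ptr, 0, 0, 0, 0, 0x60000020)
    return dos + b"PE\0\0" + coff + bytes(opt) + sect + payload + overlay + cert


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_mini_pe(overlay=b"trailing")
    info = parse_pe(blob)
    print("sections:", [s["name"] for s in info["sections"]], "packer:", packer_hint(info))
    print("overlay: offset=%d size=%d entropy=%.2f" % (
        info["overlay_offset"], info["overlay_size"], info["overlay_entropy"]))
    print("cert table (offset, size):", info["cert_table"])
    print(file_hashes(blob))
```

Run it against a real sample with `python pe_overlay.py uTorrent.exe`; the overlay offset and size should match the report, and the printed certificate-table offset tells you how much of that overlay is just the signature. Re-signing a file changes its SHA256 but not its authentihash, which is why the latter is the better pivot when hunting for the same binary under different signatures.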

VirusTotal metadata
First submission 2014-03-28 17:36:39 UTC ( 5 years, 1 month ago )
Last submission 2018-05-26 17:57:32 UTC ( 11 months, 4 weeks ago )
File names uTorrent.exe
uTorrent(3.4.1(30740)).exe
file-6786042_exe
uTorrent.exe
uTorrent_SoftGozar.com.exe
vt-upload-laJGhz
uTorrent.exe
uTorrent3.4.1.exe
uTorrent.exe
uTorrent.exe
uTorrent.exe
uTorrent.exe
uTorrent_3.4.1.30740.exe
uTorrent.exe
utorrent_downloaded.exe
uTorrent_3.4.exe
uTorrent.exe
uTorrent.exe
uTorrent_30740.exe
target.exe
3.4.1_30740.exe
uTorrent_341_b30740.exe
utorrent.exe
Advanced heuristic and reputation engines
ClamAV
Possibly Unwanted Application. While not necessarily malicious, the scanned file presents certain characteristics which depending on the user policies and environment may or may not represent a threat. For full details see: https://www.clamav.net/documents/potentially-unwanted-applications-pua .

Behaviour characterization
Zemana
dll-injection

Condensed report! The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.
Opened files
Read files
Written files
Copied files
Moved files
Replaced files
Deleted files
Created mutexes
Opened mutexes
Searched windows
Opened service managers
Opened services
Runtime DLLs
Additional details
The file sends control codes directly to certain device drivers making use of the DeviceIoControl Windows API function.
HTTP requests
DNS requests
TCP connections