SHA256: 474bc6a2b3df1dc58afbd3f9c82b5ac518d8c0da90c3350ceec9d8b563718754
File name: UserChange
Detection ratio: 36 / 57
Analysis date: 2016-05-31 22:03:29 UTC ( 1 year, 8 months ago )
Antivirus Result Update
Ad-Aware Gen:Variant.Adware.Graftor.129002 20160531
AhnLab-V3 PUP/Win32.UserChange 20160531
Antiy-AVL Trojan/Win32.TSGeneric 20160531
Arcabit Trojan.Adware.Graftor.D1F7EA 20160531
Avast Win32:Onescan-Q [Adw] 20160531
AVG Fake_AntiSpyware.HCD 20160531
Avira (no cloud) TR/GnoyVT.B 20160531
AVware Trojan.Win32.Generic.pak!cobra 20160531
BitDefender Gen:Variant.Adware.Graftor.129002 20160531
Comodo UnclassifiedMalware 20160531
Cyren W32/FakeAlert.UA.gen!Eldorado 20160531
DrWeb Trojan.Fakealert.36942 20160531
Emsisoft Gen:Variant.Adware.Graftor.129002 (B) 20160531
ESET-NOD32 a variant of Win32/Adware.Kraddare.CG 20160531
F-Prot W32/FakeAlert.UA.gen!Eldorado 20160531
Fortinet W32/Onescan.D!tr 20160531
GData Gen:Variant.Adware.Graftor.129002 20160531
Ikarus Win32.SuspectCrc 20160531
Jiangmin Trojan/Onescan.hf 20160531
K7AntiVirus Adware ( 004c41671 ) 20160531
K7GW Adware ( 004c41671 ) 20160531
Kingsoft Win32.Troj.Agent.cg.(kcloud) 20160531
Malwarebytes Adware.Kraddare 20160531
McAfee Generic FakeAlert.hh 20160531
McAfee-GW-Edition Generic FakeAlert.hh 20160531
Microsoft Trojan:Win32/Bagsu!rfn 20160531
eScan Gen:Variant.Adware.Graftor.129002 20160531
NANO-Antivirus Trojan.Win32.Fakealert.cynqsl 20160531
Panda Trj/Genetic.gen 20160531
Qihoo-360 HEUR/Malware.QVM11.Gen 20160531
Sophos AV Mal/Generic-S 20160531
SUPERAntiSpyware Adware.Kraddare 20160531
Symantec Suspicious.Cloud.9 20160531
VIPRE Trojan.Win32.Generic.pak!cobra 20160531
Yandex Adware.Kraddare!td2biRIz7PI 20160531
Zillya Adware.Kraddare.Win32.1665 20160531
AegisLab 20160531
Alibaba 20160531
ALYac 20160531
Baidu 20160530
Baidu-International 20160531
Bkav 20160531
CAT-QuickHeal 20160531
ClamAV 20160531
CMC 20160530
F-Secure 20160531
Kaspersky 20160531
nProtect 20160531
Rising 20160531
Tencent 20160531
TheHacker 20160530
TotalDefense 20160531
TrendMicro 20160531
TrendMicro-HouseCall 20160531
VBA32 20160531
ViRobot 20160531
Zoner 20160531
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
Authenticode signature block and FileVersionInfo properties
Copyright
Copyright (C) 2012 Gold Security All rights reserved.

Product UserChange ?? ????
Original name UserChange
Internal name UserChange
File version 2, 0, 0, 1
Description UserChange ?? ????
Comments http://pcoptimum.net
Signature verification Signed file, verified signature
Signing date 9:06 AM 1/31/2013
Signers
[+] Gold Security
Status This certificate or one of the certificates in the certificate chain is not time valid.
Issuer Thawte Code Signing CA - G2
Valid from 1:00 AM 12/27/2012
Valid to 12:59 AM 12/28/2013
Valid usage Code Signing, 1.3.6.1.4.1.311.2.1.22
Algorithm sha1RSA
Thumbprint 408403ADD38E9EFA54A78736027544D95E72AFBA
Serial number 56 D9 6A 51 19 F9 0E CF 07 F5 17 76 05 0C 88 80
[+] Thawte Code Signing CA - G2
Status Valid
Issuer thawte Primary Root CA
Valid from 1:00 AM 2/8/2010
Valid to 12:59 AM 2/8/2020
Valid usage Client Auth, Code Signing
Algorithm sha1RSA
Thumbprint 808D62642B7D1C4A9A83FD667F7A2A9D243FB1C7
Serial number 47 97 4D 78 73 A5 BC AB 0D 2F B3 70 19 2F CE 5E
[+] thawte
Status Valid
Issuer thawte Primary Root CA
Valid from 1:00 AM 11/17/2006
Valid to 12:59 AM 7/17/2036
Valid usage Server Auth, Client Auth, Email Protection, Code Signing
Algorithm sha1RSA
Thumbprint 91C6D6EE3E8AC86384E548C299295C756C817B81
Serial number 34 4E D5 57 20 D5 ED EC 49 F4 2F CE 37 DB 2B 6D
Counter signers
[+] Symantec Time Stamping Services Signer - G4
Status Valid
Issuer Symantec Time Stamping Services CA - G2
Valid from 1:00 AM 10/18/2012
Valid to 12:59 AM 12/30/2020
Valid usage Timestamp Signing
Algorithm sha1RSA
Thumbprint 65439929B67973EB192D6FF243E6767ADF0834E4
Serial number 0E CF F4 38 C8 FE BF 35 6E 04 D8 6A 98 1B 1A 50
[+] Symantec Time Stamping Services CA - G2
Status Valid
Issuer Thawte Timestamping CA
Valid from 1:00 AM 12/21/2012
Valid to 12:59 AM 12/31/2020
Valid usage Timestamp Signing
Algorithm sha1RSA
Thumbprint 6C07453FFDDA08B83707C09B82FB3D15F35336B1
Serial number 7E 93 EB FB 7C C6 4E 59 EA 4B 9A 77 D4 06 FC 3B
[+] Thawte Timestamping CA
Status Valid
Issuer Thawte Timestamping CA
Valid from 1:00 AM 1/1/1997
Valid to 12:59 AM 1/1/2021
Valid usage Timestamp Signing
Algorithm md5RSA
Thumbprint BE36A4562FB2EE05DBB3D32323ADF445084ED656
Serial number 00
Packers identified
Command UPX
F-PROT UPX
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2013-01-31 08:06:31
Entry Point 0x000801A0
Number of sections 3
PE sections
Overlays
MD5 50a617dfc23ec051ad97d5bf263597a5
File type data
Offset 151552
Size 5664
Entropy 7.37
PE imports
RegCloseKey
LineTo
VirtualFree
ExitProcess
VirtualProtect
LoadLibraryA
VirtualAlloc
GetProcAddress
SysAllocStringLen
Ord(253)
ShellExecuteA
IsNetworkAlive
CreateEnvironmentBlock
InternetOpenA
PlaySoundA
OpenPrinterA
GetFileTitleA
GetAdaptersInfo
OleInitialize
URLDownloadToFileA
Number of PE resources by type
RT_STRING 11
RT_BITMAP 10
RT_CURSOR 3
RT_DIALOG 2
RT_GROUP_CURSOR 2
RT_ICON 1
RT_MANIFEST 1
RT_VERSION 1
RT_GROUP_ICON 1
Number of PE resources by language
KOREAN 32
PE resources
ExifTool file metadata
SubsystemVersion
4.0

Comments
http://pcoptimum.net

InitializedDataSize
8192

ImageVersion
0.0

FileSubtype
0

FileVersionNumber
2.0.0.1

LanguageCode
Korean

FileFlagsMask
0x003f

FileDescription
UserChange

CharacterSet
Unicode

LinkerVersion
6.0

EntryPoint
0x801a0

OriginalFileName
UserChange

MIMEType
application/octet-stream

LegalCopyright
Copyright (C) 2012 Gold Security All rights reserved.

FileVersion
2, 0, 0, 1

TimeStamp
2013:01:31 09:06:31+01:00

FileType
Win32 EXE

PEType
PE32

InternalName
UserChange

ProductVersion
2, 0, 0, 1

UninitializedDataSize
376832

OSVersion
4.0

FileOS
Win32

Subsystem
Windows GUI

MachineType
Intel 386 or later, and compatibles

CompanyName
Gold Security

CodeSize
147456

ProductName
UserChange

ProductVersionNumber
2.0.0.1

FileTypeExtension
exe

ObjectFileType
Executable application

Compressed bundles
File identification
MD5 8849f06d669f2a05266109011a0e7477
SHA1 2630cd618da2e1b9b92e2446c69210b77a7afa74
SHA256 474bc6a2b3df1dc58afbd3f9c82b5ac518d8c0da90c3350ceec9d8b563718754
ssdeep
3072:rTjMtM9aA28cG1YT3XoRVHNUPV8SVL7R4eNQaqX7gkZSVpi8epzEdBh:r72pIY7giKreNzqUrVpidpQ3h

authentihash c031403ca1cce873d9cfb590ac03d59f885b99ca6850a533df1b9d4351d8e221
imphash c35a70bbb6d944c813bbe0ec0cdc2b6c
File size 153.5 KB ( 157216 bytes )
File type Win32 EXE
Magic literal
PE32 executable for MS Windows (GUI) Intel 80386 32-bit

TrID UPX compressed Win32 Executable (42.3%)
Win32 EXE Yoda's Crypter (36.7%)
Win32 Dynamic Link Library (generic) (9.1%)
Win32 Executable (generic) (6.2%)
Generic Win/DOS Executable (2.7%)
Tags
peexe signed upx overlay

VirusTotal metadata
First submission 2013-02-17 05:22:16 UTC ( 5 years ago )
Last submission 2016-05-31 22:03:29 UTC ( 1 year, 8 months ago )
File names 146862029_8849f06d669f2a05266109011a0e7477
8849F06D669F2A05266109011A0E7477.VIR
8849f06d669f2a05266109011a0e7477.exe
aa
2630cd618da2e1b9b92e2446c69210b77a7afa74_reserveinfoset.ex
8849f06d669f2a05266109011a0e7477
UserChange
reserveinfoset.exe
eReEX6.com
file-5234746_exe
Advanced heuristic and reputation engines
ClamAV
Possibly Unwanted Application. While not necessarily malicious, the scanned file presents certain characteristics which depending on the user policies and environment may or may not represent a threat. For full details see: https://www.clamav.net/documents/potentially-unwanted-applications-pua .

Symantec reputation Suspicious.Insight
Condensed report! The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.
Opened files
Read files
Opened mutexes
Runtime DLLs
Additional details
The file sends control codes directly to certain device drivers making use of the DeviceIoControl Windows API function.
UDP communications