SHA256: 4e00c97c10e4b6a013b41b5479c424aabaad04cbe70004699d60030a38602a65
File name: AdwCleaner.exe
Detection ratio: 0 / 67
Analysis date: 2017-12-13 20:31:13 UTC ( 39 minutes ago )
Antivirus Result Update
Ad-Aware 20171213
AegisLab 20171213
AhnLab-V3 20171213
Alibaba 20171213
ALYac 20171213
Antiy-AVL 20171213
Arcabit 20171213
Avast 20171213
Avast-Mobile 20171212
AVG 20171213
Avira (no cloud) 20171213
AVware 20171213
Baidu 20171212
BitDefender 20171213
Bkav 20171213
CAT-QuickHeal 20171212
ClamAV 20171213
CMC 20171213
Comodo 20171213
CrowdStrike Falcon (ML) 20171016
Cybereason 20171103
Cylance 20171213
Cyren 20171213
DrWeb 20171213
eGambit 20171213
Emsisoft 20171213
Endgame 20171130
ESET-NOD32 20171213
F-Prot 20171213
F-Secure 20171213
Fortinet 20171213
GData 20171213
Ikarus 20171213
Sophos ML 20170914
Jiangmin 20171211
K7AntiVirus 20171213
K7GW 20171213
Kaspersky 20171213
Kingsoft 20171213
Malwarebytes 20171213
MAX 20171213
McAfee 20171213
McAfee-GW-Edition 20171213
Microsoft 20171213
eScan 20171213
NANO-Antivirus 20171213
nProtect 20171213
Palo Alto Networks (Known Signatures) 20171213
Panda 20171213
Qihoo-360 20171213
Rising 20171213
SentinelOne (Static ML) 20171207
Sophos AV 20171213
SUPERAntiSpyware 20171213
Symantec 20171213
Symantec Mobile Insight 20171213
Tencent 20171213
TheHacker 20171210
TrendMicro 20171213
TrendMicro-HouseCall 20171213
Trustlook 20171213
VBA32 20171213
VIPRE 20171213
ViRobot 20171213
Webroot 20171213
WhiteArmor 20171204
Yandex 20171212
Zillya 20171213
ZoneAlarm by Check Point 20171213
Zoner 20171213
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
Authenticode signature block and FileVersionInfo properties
Copyright
Malwarebytes

File version 6.0.4.7
Description AdwCleaner is a free Adware/PUP removal tool.
Comments AdwCleaner is a free Adware/PUP removal tool.
Signature verification Signed file, verified signature
Signing date 3:08 PM 5/19/2017
Signers
[+] Malwarebytes Corporation
Status Valid
Issuer DigiCert Assured ID Code Signing CA-1
Valid from 1:00 AM 7/21/2016
Valid to 1:00 PM 7/25/2019
Valid usage Code Signing
Algorithm sha1RSA
Thumbprint 249BDA38A611CD746A132FA2AF995A2D3C941264
Serial number 04 4E 3B F5 89 76 88 0F FD 07 44 48 A8 F7 A0 58
[+] DigiCert Assured ID Code Signing CA-1
Status Valid
Issuer DigiCert Assured ID Root CA
Valid from 1:00 PM 2/11/2011
Valid to 1:00 PM 2/10/2026
Valid usage Code Signing
Algorithm sha1RSA
Thumbprint 409AA4A74A0CDA7C0FEE6BD0BB8823D16B5F1875
Serial number 0F A8 49 06 15 D7 00 A0 BE 21 76 FD C5 EC 6D BD
[+] DigiCert
Status Valid
Issuer DigiCert Assured ID Root CA
Valid from 1:00 AM 11/10/2006
Valid to 1:00 AM 11/10/2031
Valid usage Server Auth, Client Auth, Email Protection, Code Signing, Timestamp Signing
Algorithm sha1RSA
Thumbprint 0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43
Serial number 0C E7 E0 E5 17 D8 46 FE 8F E5 60 FC 1B F0 30 39
Counter signers
[+] DigiCert Timestamp Responder
Status Valid
Issuer DigiCert Assured ID CA-1
Valid from 1:00 AM 10/22/2014
Valid to 1:00 AM 10/22/2024
Valid usage Timestamp Signing
Algorithm sha1RSA
Thumbprint 614D271D9102E30169822487FDE5DE00A352B01D
Serial number 03 01 9A 02 3A FF 58 B1 6B D6 D5 EA E6 17 F0 66
[+] DigiCert Assured ID CA-1
Status Valid
Issuer DigiCert Assured ID Root CA
Valid from 1:00 AM 11/10/2006
Valid to 1:00 AM 11/10/2021
Valid usage Server Auth, Client Auth, Code Signing, Email Protection, Timestamp Signing
Algorithm sha1RSA
Thumbprint 19A09B5A36F4DD99727DF783C17A51231A56C117
Serial number 06 FD F9 03 96 03 AD EA 00 0A EB 3F 27 BB BA 1B
[+] DigiCert
Status Valid
Issuer DigiCert Assured ID Root CA
Valid from 1:00 AM 11/10/2006
Valid to 1:00 AM 11/10/2031
Valid usage Server Auth, Client Auth, Email Protection, Code Signing, Timestamp Signing
Algorithm sha1RSA
Thumbprint 0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43
Serial number 0C E7 E0 E5 17 D8 46 FE 8F E5 60 FC 1B F0 30 39
Packers identified
F-PROT UPX
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2017-05-19 01:00:22
Entry Point 0x00469F50
Number of sections 3
PE sections
Overlays
MD5 77c8f9b480a6e710d59bcbbf3e0de45f
File type data
Offset 4094976
Size 15304
Entropy 7.20
PE imports
ImageList_Remove
GetOpenFileNameW
LineTo
IcmpSendEcho
VirtualFree
ExitProcess
VirtualProtect
LoadLibraryA
VirtualAlloc
GetProcAddress
WNetUseConnectionW
VariantInit
GetProcessMemoryInfo
DragFinish
LoadUserProfileW
IsThemeActive
VerQueryValueW
FtpOpenFileW
timeGetTime
connect
CoGetObject
Number of PE resources by type
RT_ICON 7
RT_STRING 7
RT_GROUP_ICON 2
RT_MANIFEST 1
RT_RCDATA 1
RT_VERSION 1
Number of PE resources by language
ENGLISH UK 16
FRENCH 2
NEUTRAL 1
PE resources
ExifTool file metadata
SubsystemVersion
5.1

Comments
AdwCleaner is a free Adware/PUP removal tool.

LinkerVersion
12.0

ImageVersion
0.0

FileVersionNumber
6.0.4.7

UninitializedDataSize
4272128

LanguageCode
French

FileFlagsMask
0x0000

CharacterSet
Unicode

InitializedDataSize
3743744

EntryPoint
0x469f50

MIMEType
application/octet-stream

LegalCopyright
Malwarebytes

FileVersion
6.0.4.7

TimeStamp
2017:05:19 02:00:22+01:00

FileType
Win32 EXE

PEType
PE32

ProductVersion
3.3.14.2

FileDescription
AdwCleaner is a free Adware/PUP removal tool.

OSVersion
5.1

FileOS
Win32

Subsystem
Windows GUI

MachineType
Intel 386 or later, and compatibles

CodeSize
356352

FileSubtype
0

ProductVersionNumber
3.3.14.2

FileTypeExtension
exe

ObjectFileType
Unknown

CarbonBlack
While monitoring an end-user machine in-the-wild, CarbonBlack noticed this sample wrote the following files to disk.
Execution parents
PE resource-wise parents
Compressed bundles
File identification
MD5 1ace8128cfa67e825635012b2cf705a9
SHA1 910562157ef9479215d067a2e07241489b69ccbc
SHA256 4e00c97c10e4b6a013b41b5479c424aabaad04cbe70004699d60030a38602a65
ssdeep 49152:HshdaIqNSu9zxSbR69KWHu1IRDhDjBhmOekSkPNg2tMDIRBwEAERjrnRJJEw:KqNSu9zxys9KaRJfEOejQM0R7lrR3Ew
authentihash d5b55c33dd29adc39fc1359231564ac214da66de69f17dad66c4be9672bd962c
imphash fc6683d30d9f25244a50fd5357825e79
File size 3.9 MB ( 4110280 bytes )
File type Win32 EXE
Magic literal PE32 executable for MS Windows (GUI) Intel 80386 32-bit
TrID Win64 Executable (generic) (28.6%)
UPX compressed Win32 Executable (28.0%)
Win32 EXE Yoda's Crypter (27.5%)
Win32 Dynamic Link Library (generic) (6.8%)
Win32 Executable (generic) (4.6%)
Tags
peexe overlay signed upx via-tor

VirusTotal metadata
First submission 2017-05-19 15:56:29 UTC ( 6 months, 4 weeks ago )
Last submission 2017-12-13 20:31:13 UTC ( 39 minutes ago )
File names AdwCleanerPortable_7.0.0.0_azo.exe
adwcleaner_6.047.exe
-.exe
AdwCleaner 6.0.4.7.exe
AdwCleaner_6.047.exe
AdwCleaner 6.047 - чистка и удаление рекламы.exe
18650-adwcleaner.exe
adwcleaner_6.047(2).exe
adwcleaner_quet_chrom tu mo tab moi.exe
adwcleaner_6.047 - Copia.exe
4e00c97c10e4b6a0_setup.exe
adwcleaner-6-047.exe
adwcleaner.exe
adwcleaner_6.047.exe
AdwCleaner2.exe
adwcleaner_6.047.exe
adwcleaner_6.047.exe
Masscan_GUI.exe
ADWCleaner_6.0.4.7.exe
2 adwcleaner_6.047.exe
adwcleaner_6-047_fr_430277.exe
adwcleaner_6.047_2.exe
AdwCleaner.6.047.exe
adwcleaner_6.047.exe
AdwCleaner (1).exe
Behaviour characterization
Zemana
dll-injection

Condensed report! The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.
Opened files
Read files
Written files
Copied files
Deleted files
Created mutexes
Opened mutexes
Opened service managers
Opened services
Runtime DLLs
Additional details
The file uses the IsDebuggerPresent Windows API function in order to see whether it is being debugged.
UDP communications