SHA256: 4ea01c831c24b70b75bcdf9b33ad9c69e097cbadafd30599555a43a1f412455d
File name: 4EA01C831C24B70B75BCDF9B33AD9C69E097CBADAFD30599555A43A1F412455D
Detection ratio: 23 / 71
Analysis date: 2019-01-25 16:42:13 UTC ( 3 months, 3 weeks ago )
Antivirus Result Update (vendors listed with only an update date returned no detection)
Avast Win32:Trojan-gen 20190125
AVG Win32:Trojan-gen 20190125
CrowdStrike Falcon (ML) malicious_confidence_60% (W) 20181023
Cylance Unsafe 20190125
Cyren W32/Trojan.FZFC-6390 20190125
eGambit Unsafe.AI_Score_81% 20190125
ESET-NOD32 Win32/TrojanDownloader.Agent.EIW 20190125
Fortinet W32/Agent.EIW!tr.dldr 20190125
Kaspersky Trojan-Downloader.Win32.Agent.xxyopr 20190125
Malwarebytes Trojan.Downloader 20190125
McAfee Artemis!E2E1035F382C 20190125
McAfee-GW-Edition Artemis!Trojan 20190125
Microsoft Trojan:Win32/Ditertag.B 20190125
Palo Alto Networks (Known Signatures) generic.ml 20190125
Qihoo-360 Win32/Trojan.2ff 20190125
Rising Downloader.Agent!8.B23 (CLOUD) 20190125
Sophos AV Mal/Generic-S 20190125
Symantec Trojan Horse 20190125
Tencent Win32.Trojan-downloader.Agent.Alif 20190125
TrendMicro TROJ_GEN.R002C0OAO19 20190125
TrendMicro-HouseCall TROJ_GEN.R002C0OAO19 20190125
Webroot W32.Trojan.Gen 20190125
ZoneAlarm by Check Point Trojan-Downloader.Win32.Agent.xxyopr 20190125
Acronis 20190124
Ad-Aware 20190125
AegisLab 20190125
AhnLab-V3 20190125
Alibaba 20180921
ALYac 20190125
Antiy-AVL 20190125
Arcabit 20190125
Avast-Mobile 20190124
Avira (no cloud) 20190125
AVware 20180925
Babable 20180917
Baidu 20190124
BitDefender 20190125
Bkav 20190125
CAT-QuickHeal 20190124
ClamAV 20190125
CMC 20190125
Comodo 20190125
Cybereason 20190109
DrWeb 20190125
Emsisoft 20190125
Endgame 20181108
F-Prot 20190125
F-Secure 20190125
GData 20190125
Ikarus 20190125
Sophos ML 20181128
Jiangmin 20190125
K7AntiVirus 20190125
K7GW 20190125
Kingsoft 20190125
MAX 20190125
eScan 20190125
NANO-Antivirus 20190125
Panda 20190125
SentinelOne (Static ML) 20190124
SUPERAntiSpyware 20190123
TACHYON 20190124
TheHacker 20190124
TotalDefense 20190124
Trapmine 20190123
Trustlook 20190125
VBA32 20190125
ViRobot 20190125
Yandex 20190124
Zillya 20190124
Zoner 20190125
The file being studied is a Portable Executable (PE); more specifically, a Win32 EXE built for the Windows GUI subsystem.
Authenticode signature block and FileVersionInfo properties
Note the mismatch between what the file claims and who signed it: the version resource names a Microsoft product and calls the file advapi.dll although it is an EXE, while the code-signing certificate was issued to SEVA MEDICAL LTD. A valid signature shows only that the holder of that certificate's key signed this file, not that the publisher it imitates did, and not that the file is benign.
Copyright
MicroSofts' Copyrights (C) 1999 - 2018

Original name advapi.dll
Internal name AVICapture.dll
File version 6.1.7600.17638
Description AVI' Captures Windows classes
Signature verification Signed file, verified signature
Signing date 12:11 PM 1/4/2019
Signers
[+] SEVA MEDICAL LTD
Status Valid
Issuer COMODO RSA Code Signing CA
Valid from 12:00 AM 12/13/2018
Valid to 11:59 PM 12/13/2019
Valid usage Code Signing
Algorithm sha256RSA
Thumbprint 04D4BF4CCB9D13AEF41FE2B4530BBBB8DD780F04
Serial number 75 52 22 15 40 63 35 72 56 87 AF 88 8D CD C8 0C
[+] COMODO RSA Code Signing CA
Status Valid
Issuer COMODO RSA Certification Authority
Valid from 11:00 PM 05/08/2013
Valid to 10:59 PM 05/08/2028
Valid usage Code Signing
Algorithm sha384RSA
Thumbprint B69E752BBE88B4458200A7C0F4F5B3CCE6F35B47
Serial number 2E 7C 87 CC 0E 93 4A 52 FE 94 FD 1C B7 CD 34 AF
[+] COMODO SECURE™
Status Valid
Issuer COMODO RSA Certification Authority
Valid from 12:00 AM 01/19/2010
Valid to 11:59 PM 01/18/2038
Valid usage Server Auth, Client Auth, Email Protection, Code Signing, Timestamp Signing, EFS, IPSEC Tunnel, IPSEC User
Algorithm sha384RSA
Thumbprint AFE5D244A8D1194230FF479FE2F897BBCD7A8CB4
Serial number 4C AA F9 CA DB 63 6F E0 1F F7 4E D8 5B 03 86 9D
Counter signers
[+] DigiCert Timestamp Responder
Status Valid
Issuer DigiCert Assured ID CA-1
Valid from 11:00 PM 10/21/2014
Valid to 11:00 PM 10/21/2024
Valid usage Timestamp Signing
Algorithm sha1RSA
Thumbprint 614D271D9102E30169822487FDE5DE00A352B01D
Serial number 03 01 9A 02 3A FF 58 B1 6B D6 D5 EA E6 17 F0 66
[+] DigiCert Assured ID CA-1
Status Valid
Issuer DigiCert Assured ID Root CA
Valid from 12:00 AM 11/10/2006
Valid to 12:00 AM 11/10/2021
Valid usage Server Auth, Client Auth, Code Signing, Email Protection, Timestamp Signing
Algorithm sha1RSA
Thumbprint 19A09B5A36F4DD99727DF783C17A51231A56C117
Serial number 06 FD F9 03 96 03 AD EA 00 0A EB 3F 27 BB BA 1B
[+] DigiCert
Status Valid
Issuer DigiCert Assured ID Root CA
Valid from 12:00 AM 11/10/2006
Valid to 12:00 AM 11/10/2031
Valid usage Server Auth, Client Auth, Email Protection, Code Signing, Timestamp Signing
Algorithm sha1RSA
Thumbprint 0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43
Serial number 0C E7 E0 E5 17 D8 46 FE 8F E5 60 FC 1B F0 30 39
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2019-01-04 11:10:37
Entry Point 0x00008F53
Number of sections 6
PE sections
Overlays
MD5 55ae7a05360ffe698759b702a47aa796
File type data
Offset 120832
Size 9016
Entropy 7.36
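The overlay figures above can be reproduced from the section table: the overlay is whatever follows the last section's raw data, and for this sample 120832 + 9016 = 129848, the reported file size, so the overlay runs to end of file. One caveat before reading a 7.36-entropy overlay as an appended payload: an Authenticode signature is itself stored past the last section (that is why the file carries both the signed and overlay tags), and a certificate table of DER-encoded certificates and RSA signatures is high-entropy by nature. The Python below is an added example written for this page, not VirusTotal's tooling or the sample's code: it walks the section table and the security data directory, measures the overlay and its entropy, and reports how many overlay bytes the certificate table does not account for. It runs on a constructed minimal PE32 produced by build_test_pe, not on the sample.

```python
import hashlib
import math
import struct
from collections import Counter

IMAGE_DIRECTORY_ENTRY_SECURITY = 4  # index of the certificate-table data directory entry


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant buffer, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def parse_pe(buf: bytes) -> dict:
    """Minimal PE header walk: machine, section table and the security data directory.
    Deliberately ignores everything else (no import parsing, no RVA mapping)."""
    if buf[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    if buf[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    machine, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", buf, coff)
    opt = coff + 20
    pe32plus = struct.unpack_from("<H", buf, opt)[0] == 0x20B
    # NumberOfRvaAndSizes sits at +92 (PE32) / +108 (PE32+); the directories follow it
    dd_off = opt + (112 if pe32plus else 96)
    ndirs = struct.unpack_from("<I", buf, dd_off - 4)[0]
    cert_off = cert_size = 0
    if ndirs > IMAGE_DIRECTORY_ENTRY_SECURITY:
        # for this entry the "VirtualAddress" field is a raw file offset, not an RVA
        cert_off, cert_size = struct.unpack_from(
            "<II", buf, dd_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    sections = []
    sh = opt + opt_size
    for i in range(nsec):
        name, _vsize, _va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", buf, sh + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"),
                         "raw_ptr": raw_ptr, "raw_size": raw_size})
    return {"machine": machine, "pe32plus": pe32plus, "sections": sections,
            "cert_table": (cert_off, cert_size)}


def overlay_info(buf: bytes) -> dict:
    """Locate the overlay (bytes after the last section's raw data) and report how much
    of it the Authenticode certificate table does not explain."""
    pe = parse_pe(buf)
    end_of_sections = max((s["raw_ptr"] + s["raw_size"] for s in pe["sections"]), default=0)
    overlay = buf[end_of_sections:]
    cert_off, cert_size = pe["cert_table"]
    unexplained = len(overlay)
    if cert_size and cert_off >= end_of_sections:
        unexplained -= min(cert_size, len(buf) - cert_off)
    return {
        "overlay_offset": end_of_sections,
        "overlay_size": len(overlay),
        "overlay_entropy": round(shannon_entropy(overlay), 2),
        "overlay_md5": hashlib.md5(overlay).hexdigest(),
        "cert_table": (cert_off, cert_size),
        "unexplained_overlay_bytes": max(unexplained, 0),
    }


def build_test_pe(section_data: bytes, overlay: bytes, cert_size: int = 0) -> bytes:
    """Constructed minimal PE32 for demonstration (not a real sample): one section at
    offset 0x200 followed by `overlay`; if cert_size > 0 the security directory claims
    the first cert_size bytes of the overlay as the certificate table."""
    sec_ptr, sec_size = 0x200, len(section_data)
    cert_off = sec_ptr + sec_size if cert_size else 0
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                          # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)   # i386, 1 section, PE32 opt hdr
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                            # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                              # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, cert_off, cert_size)
    sect = struct.pack("<8sIIII", b".text", sec_size, 0x1000, sec_size, sec_ptr) + bytes(16)
    hdr = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sect
    return hdr + bytes(sec_ptr - len(hdr)) + section_data + overlay


if __name__ == "__main__":
    demo = build_test_pe(bytes(range(256)) * 4, bytes(range(256)) * 2, cert_size=512)
    print(overlay_info(demo))
```

Run against a real signed file, unexplained_overlay_bytes near zero means the overlay is the signature and nothing else; a large remainder, or an overlay in an unsigned file, is the case worth carving out and hashing separately (the overlay MD5 on this page is exactly that kind of pivot).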
PE imports
GetUserNameW
ResizePalette
DPtoLP
GetStdHandle
EncodePointer
DeleteCriticalSection
GetCurrentProcess
GetConsoleMode
lstrcatA
LoadLibraryExW
FreeEnvironmentStringsW
InitializeSListHead
SetStdHandle
GetCPInfo
WriteFile
GetSystemTimeAsFileTime
HeapReAlloc
GetStringTypeW
FreeLibrary
LocalFree
IsWow64Process
GetEnvironmentVariableA
FindClose
InterlockedDecrement
SetLastError
GetModuleFileNameW
IsDebuggerPresent
ExitProcess
GetModuleFileNameA
VerSetConditionMask
UnhandledExceptionFilter
TlsGetValue
MultiByteToWideChar
SetFilePointerEx
CreateMutexA
EraseTape
SetUnhandledExceptionFilter
IsProcessorFeaturePresent
DecodePointer
TerminateProcess
GetModuleHandleExW
GlobalAlloc
FindAtomA
GetCurrentThreadId
WriteConsoleW
CreateToolhelp32Snapshot
InitializeCriticalSectionAndSpinCount
HeapFree
GetMailslotInfo
EnterCriticalSection
LoadLibraryW
GetOEMCP
QueryPerformanceCounter
TlsAlloc
FlushFileBuffers
LoadLibraryA
RtlUnwind
GetFileSize
AddAtomA
DeleteFileA
GetStartupInfoW
GetProcAddress
GetProcessHeap
lstrcpyW
FindFirstFileExA
lstrcpyA
FindNextFileA
FindAtomW
lstrcmpW
CreateFileW
GetFileType
SetVolumeLabelA
TlsSetValue
CreateFileA
HeapAlloc
LeaveCriticalSection
GetLastError
LCMapStringW
lstrlenA
GlobalFree
GetConsoleCP
GetEnvironmentStringsW
lstrlenW
GetShortPathNameA
Process32NextW
GetCurrentProcessId
GetCommandLineW
GetCurrentDirectoryA
HeapSize
GetCommandLineA
Process32FirstW
RaiseException
TlsFree
GetModuleHandleA
ReadFile
DeleteAtom
CloseHandle
lstrcpynA
GetACP
GetModuleHandleW
CreateProcessA
WideCharToMultiByte
IsValidCodePage
Sleep
SysFreeString
VariantInit
VariantClear
SysAllocString
UuidCreate
RpcMgmtSetAuthorizationFn
RpcSmDisableAllocate
ShellExecuteA
StrStrA
StrChrA
CharUpperBuffW
wsprintfA
VkKeyScanW
VkKeyScanA
MessageBoxA
joyGetThreshold
waveOutGetErrorTextA
OpenPrinterA
socket
closesocket
inet_addr
send
WSACleanup
WSAStartup
gethostbyname
connect
htons
recv
CoInitializeEx
CoUninitialize
CoUnmarshalHresult
CoCreateGuid
CoCreateInstance
CoInitializeSecurity
Number of PE resources by type
RT_MANIFEST 1
RT_VERSION 1
Number of PE resources by language
ENGLISH US 2
PE resources
Debug information
ExifTool file metadata
UninitializedDataSize 0
LinkerVersion 14.0
ImageVersion 0.0
FileVersionNumber 6.1.7600.17638
LanguageCode Unknown (4809)
FileFlagsMask 0x003f
FileDescription AVI' Captures Windows classes
ImageFileCharacteristics Executable, 32-bit
CharacterSet Unicode
InitializedDataSize 43520
EntryPoint 0x8f53
OriginalFileName advapi.dll
MIMEType application/octet-stream
LegalCopyright MicroSofts' Copyrights (C) 1999 - 2018
FileVersion 6.1.7600.17638
TimeStamp 2019:01:04 12:10:37+01:00
FileType Win32 EXE
PEType PE32
InternalName AVICapture.dll
ProductVersion 6.1.7600.17638
SubsystemVersion 5.1
OSVersion 5.1
FileOS Unknown (0)
Subsystem Windows GUI
MachineType Intel 386 or later, and compatibles
CompanyName MicroSofts' Winfows Operation Systems AVI
CodeSize 80384
FileSubtype 0
ProductVersionNumber 6.1.7600.17638
FileTypeExtension exe
ObjectFileType Executable application

File identification
MD5 e2e1035f382c397d64303e345876a9db
SHA1 c572ba3fcd991fd29919d171b8445dbb5277a51d
SHA256 4ea01c831c24b70b75bcdf9b33ad9c69e097cbadafd30599555a43a1f412455d
ssdeep 3072:9UwlzyMP5hbxvDteI9sqkwc0Ojip85571D2OA/u8+fLf:9Uw5yihdh9sVIqIjE
authentihash 7c65f02c0c565dd324f7ae7cc792e7c0ad8fb956e5c27e2903509a80bf4747ce
imphash 4ef2c75b2b7da4dae710f687106c39e6
File size 126.8 KB ( 129848 bytes )
File type Win32 EXE
Magic literal PE32 executable for MS Windows (GUI) Intel 80386 32-bit
TrID Win64 Executable (generic) (61.7%) (TrID scores are statistical guesses; the PE header and magic above identify the file as a 32-bit PE32 for i386)
Win32 Dynamic Link Library (generic) (14.7%)
Win32 Executable (generic) (10.0%)
OS/2 Executable (generic) (4.5%)
Generic Win/DOS Executable (4.4%)
Tags peexe signed overlay
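The imphash listed under File identification is the MD5 of the import table normalised to a comma-separated list of dll.function entries in import order, with the dll/ocx/sys extension stripped and ordinal-only imports from ws2_32, wsock32 and oleaut32 resolved to names; that is what makes it stable across rebuilds that keep the same imports and useless against a packer that hides them. The PE imports list on this page is shown without DLL names or order, so the sample's own value cannot be recomputed from it. The Python below is an added example, not VirusTotal's or pefile's code: it implements the algorithm with abbreviated ordinal tables and runs it on SAMPLE_IMPORTS, a constructed import table chosen to resemble some of the sample's imports.

```python
import hashlib
from typing import Iterable, Tuple, Union

# Ordinal tables for the DLLs that imphash resolves by number. Abbreviated to
# well-known entries; a full implementation carries the complete export tables.
ORDINAL_NAMES = {
    "ws2_32": {1: "accept", 2: "bind", 3: "closesocket", 4: "connect", 9: "htons",
               11: "inet_addr", 16: "recv", 19: "send", 23: "socket",
               52: "gethostbyname", 115: "WSAStartup", 116: "WSACleanup"},
    "oleaut32": {2: "SysAllocString", 6: "SysFreeString", 8: "VariantInit", 9: "VariantClear"},
}
ORDINAL_NAMES["wsock32"] = ORDINAL_NAMES["ws2_32"]  # same ordinals as ws2_32
STRIPPED_EXTS = ("ocx", "sys", "dll")

Import = Tuple[str, Union[str, int]]  # (dll name, function name or ordinal number)


def normalize_import(dll: str, func: Union[str, int]) -> str:
    """One import as imphash sees it: lower-cased 'lib.func', extension stripped,
    ordinals turned into names where a table exists, else 'ordN'."""
    lib = dll.lower()
    base, dot, ext = lib.rpartition(".")
    if dot and ext in STRIPPED_EXTS:
        lib = base
    if isinstance(func, int):
        func = ORDINAL_NAMES.get(lib, {}).get(func, "ord%d" % func)
    return "%s.%s" % (lib, func.lower())


def imphash_string(imports: Iterable[Import]) -> str:
    """The normalised, order-preserving string that gets hashed."""
    return ",".join(normalize_import(dll, func) for dll, func in imports)


def imphash(imports: Iterable[Import]) -> str:
    return hashlib.md5(imphash_string(imports).encode("ascii")).hexdigest()


# Constructed import table for the demo; it is NOT the sample's real import table
# (the report lists imports without DLL grouping), so its hash will not match the page.
SAMPLE_IMPORTS = [
    ("KERNEL32.dll", "CreateProcessA"),
    ("KERNEL32.dll", "CreateToolhelp32Snapshot"),
    ("KERNEL32.dll", "IsDebuggerPresent"),
    ("WS2_32.dll", 23),    # socket, imported by ordinal
    ("WS2_32.dll", 4),     # connect
    ("WS2_32.dll", 52),    # gethostbyname
    ("OLEAUT32.dll", 2),   # SysAllocString
    ("SHELL32.dll", "ShellExecuteA"),
]

if __name__ == "__main__":
    print(imphash_string(SAMPLE_IMPORTS))
    print(imphash(SAMPLE_IMPORTS))
```

Because the string is order-sensitive, two builds of the same source that only reorder import entries get different hashes, so treat an imphash match as a strong link between samples and a mismatch as weak evidence of anything.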

VirusTotal metadata
First submission 2019-01-07 18:43:05 UTC ( 4 months, 1 week ago )
Last submission 2019-02-13 19:59:16 UTC ( 3 months ago )
File names AVICapture.dll
advapi.dll
kafan_sample_4ea01c831c24b70b75bcdf9b33ad9c69e097cbadafd30599555a43a1f412455d.exe
4ea01c831c24b70b75bcdf9b33ad9c69e097cbadafd30599555a43a1f412455d.exe
exe.exe
Condensed report! The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.
Opened files
Read files
Written files
Created processes
Shell commands
Created mutexes
Opened mutexes
Runtime DLLs
HTTP requests
TCP connections