SHA256: 5a2729550420e40836fd2f5e2bb42fe4b9d36dd3fbb0f12fc05b829b5e295f80
File name: Profile Stalker - D.exe
Detection ratio: 3 / 47
Analysis date: 2013-06-10 11:06:28 UTC
Antivirus              Result                         Update     (- = no detection)
AntiVir                JS/Redirect.BR                 20130610
DrWeb                  Trojan.AVKill.30538            20130610
ESET-NOD32             JS/TrojanClicker.Agent.NDL     20130610
Yandex                 -                              20130609
AhnLab-V3              -                              20130609
Antiy-AVL              -                              20130610
Avast                  -                              20130610
AVG                    -                              20130610
BitDefender            -                              20130610
ByteHero               -                              20130606
CAT-QuickHeal          -                              20130610
ClamAV                 -                              20130610
Commtouch              -                              20130610
Comodo                 -                              20130610
Emsisoft               -                              20130610
eSafe                  -                              20130606
F-Prot                 -                              20130610
F-Secure               -                              20130610
Fortinet               -                              20130610
GData                  -                              20130610
Ikarus                 -                              20130610
Jiangmin               -                              20130610
K7AntiVirus            -                              20130607
K7GW                   -                              20130607
Kaspersky              -                              20130610
Kingsoft               -                              20130506
Malwarebytes           -                              20130610
McAfee                 -                              20130610
McAfee-GW-Edition      -                              20130610
Microsoft              -                              20130610
eScan                  -                              20130610
NANO-Antivirus         -                              20130610
Norman                 -                              20130610
nProtect               -                              20130610
Panda                  -                              20130609
PCTools                -                              20130521
Rising                 -                              20130607
Sophos AV              -                              20130610
SUPERAntiSpyware       -                              20130609
Symantec               -                              20130610
TheHacker              -                              20130608
TotalDefense           -                              20130607
TrendMicro             -                              20130610
TrendMicro-HouseCall   -                              20130610
VBA32                  -                              20130610
VIPRE                  -                              20130610
ViRobot                -                              20130610
The file being studied is a Portable Executable (PE) file; more specifically, a Win32 EXE for the Windows GUI subsystem.
Authenticode signature block and FileVersionInfo properties
Copyright: Facebook Inc.
Publisher: rinim
Product: Facebook Profile Viewer installer
Original name: setup.exe
Internal name: setup.exe
File version: 2.0.0
Description: Deploy Facebook Profile Viewer browsers extension
Signature verification: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.
Signers
rinim
Status: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.
Issuer: None
Valid from: 11:00 PM 12/31/2012
Valid to: 11:00 PM 12/31/2018
Valid usage: Code Signing
Algorithm: SHA1
Thumbprint: D263125E4A1F1CE739D0F8D3297542BB73FEB405
Serial number: 3D 93 94 A4 D3 EC 5E 8A 45 B5 17 1E 76 F8 19 9A
Note: the status text is the Windows CERT_E_UNTRUSTEDROOT message: a chain was built from the embedded certificate, but it ends in a root that is not in the trust store. The only signer is "rinim", with no issuer shown, while the copyright string claims "Facebook Inc.". A signature that terminates in an untrusted root gives no more assurance about who published the file than no signature at all, so the Facebook branding in the version resource should not be taken at face value.
Packers identified
F-PROT: NSIS
PE header basic information
Target machine: Intel 386 or later processors and compatible processors
Compilation timestamp: 2013-03-29 18:03:41
Entry Point: 0x0001F3A0
Number of sections: 9
PE sections
Overlays
MD5: 0f35b33712cf117273cd22ff136d9ea5
File type: data
Offset: 4519424
Size: 2752
Entropy: 7.38
(4519424 + 2752 = 4522176, the full file size, so the overlay runs to the end of the file; at entropy 7.38 it is close to the 8.0 maximum, i.e. compressed, encrypted or DER-encoded rather than plain data.)
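The header fields above (machine, timestamp, entry point, section count) and the overlay figures can be recovered from any PE with a handful of struct reads: the overlay is whatever follows the end of the last section's raw data, and for a signed file the security data directory tells you whether that trailing region is the Authenticode certificate table or something else. The following is an added Python example, not code from this report or from VirusTotal. Because the sample's bytes are not available here, it constructs a minimal, non-runnable PE32 image with a fake WIN_CERTIFICATE blob as its overlay and parses that exactly as it would parse a file read from disk; no bytes of the sample above are reproduced.

```python
import math
import struct
from datetime import datetime, timezone

# Everything here is constructed for illustration; no bytes of the sample in
# this report are reproduced.

IMAGE_DIRECTORY_ENTRY_SECURITY = 4   # data directory slot holding the certificate table


def shannon_entropy(buf: bytes) -> float:
    """Byte entropy in bits, 0.0 to 8.0; compressed or encrypted data sits near 8."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum((c / n) * math.log2(c / n) for c in (buf.count(b) for b in set(buf)))


def parse_pe(data: bytes) -> dict:
    """Read the header fields shown in the report and locate any overlay."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsec, stamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe_off + 4)
    opt = pe_off + 24                                           # optional header after the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]              # 0x10B = PE32, 0x20B = PE32+
    entry = struct.unpack_from("<I", data, opt + 16)[0]
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]     # same offset in PE32 and PE32+
    dd = opt + (96 if magic == 0x10B else 112)                  # start of the data directory array
    cert_off, cert_size = struct.unpack_from("<II", data, dd + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    # Unlike every other directory, the security entry stores a raw file offset, not an RVA.
    sec_tbl = opt + opt_size
    end_of_sections = 0
    for i in range(nsec):
        hdr = struct.unpack_from("<8sIIIIIIHHI", data, sec_tbl + 40 * i)
        end_of_sections = max(end_of_sections, hdr[4] + hdr[3])  # PointerToRawData + SizeOfRawData
    overlay = data[end_of_sections:]
    sig_in_overlay = cert_size > 0 and cert_off >= end_of_sections and cert_off + cert_size <= len(data)
    info = {
        "machine": machine,                                     # 0x14C = Intel 386 and compatibles
        "number_of_sections": nsec,
        "timestamp_utc": datetime.fromtimestamp(stamp, timezone.utc).isoformat(),
        "entry_point": entry,
        "subsystem": subsystem,                                 # 2 = Windows GUI, 3 = console
        "overlay_offset": end_of_sections,
        "overlay_size": len(overlay),
        "overlay_entropy": round(shannon_entropy(overlay), 2),
        "signature_in_overlay": sig_in_overlay,
        # Anything past the certificate table is data the signature does not cover.
        "bytes_after_signature": len(data) - (cert_off + cert_size) if sig_in_overlay else None,
    }
    if sig_in_overlay and cert_size >= 8:
        _, _, cert_type = struct.unpack_from("<IHH", data, cert_off)  # WIN_CERTIFICATE header
        info["cert_type"] = cert_type                           # 0x0002 = PKCS#7 SignedData (Authenticode)
    return info


def build_sample_pe() -> bytes:
    """Construct a minimal PE32 (not a runnable program) whose overlay is a fake certificate table."""
    hdr_size = file_align = 0x200
    sections = [(b".text", 0x1000, 0x400), (b".rdata", 0x2000, 0x200)]  # name, RVA, raw size
    sec_hdrs, raw, ptr = b"", b"", hdr_size
    for name, rva, size in sections:
        sec_hdrs += struct.pack("<8sIIIIIIHHI", name, size, rva, size, ptr, 0, 0, 0, 0, 0x60000020)
        raw += b"\xCC" * size
        ptr += size
    body = bytes(range(256)) * 4                                # stands in for the PKCS#7 DER blob
    overlay = struct.pack("<IHH", 8 + len(body), 0x0200, 0x0002) + body  # dwLength, wRevision, wCertificateType
    dirs = [(0, 0)] * 16
    dirs[IMAGE_DIRECTORY_ENTRY_SECURITY] = (ptr, len(overlay))  # certificate table starts where sections end
    opt = struct.pack("<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH" + "I" * 6,
                      0x10B, 2, 25, 0x400, 0x200, 0, 0x1000, 0x1000, 0x2000, 0x400000, 0x1000, file_align,
                      4, 0, 0, 0, 4, 0, 0, 0x3000, hdr_size, 0, 2, 0,
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    opt += b"".join(struct.pack("<II", a, s) for a, s in dirs)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 1_360_000_000, 0, 0, len(opt), 0x0102)
    dos = (b"MZ" + b"\0" * 58 + struct.pack("<I", 0x80)).ljust(0x80, b"\0")
    headers = (dos + b"PE\0\0" + coff + opt + sec_hdrs).ljust(hdr_size, b"\0")
    return headers + raw + overlay


if __name__ == "__main__":
    for key, value in parse_pe(build_sample_pe()).items():
        print(f"{key}: {value}")
```

On a real sample, replace build_sample_pe() with the bytes of the file read from disk. The two cases worth a second look are an overlay present while the security directory is empty, and an overlay that extends past the certificate table (bytes_after_signature greater than zero), since installers and droppers commonly append payload after the sections and nothing past the certificate table is covered by the signature. A small, high-entropy overlay such as the 2752-byte, entropy 7.38 region in this report is exactly the kind of region this check is meant to classify.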
PE imports (function names as reported; the originating DLL of each is not shown)
SHGetFolderPathA
RegFlushKey
RegCloseKey
RegQueryValueExA
RegSetValueExA
RegCreateKeyExA
RegOpenKeyExA
GetLastError
GetEnvironmentVariableA
GetStdHandle
EnterCriticalSection
GetSystemInfo
lstrlenA
GetFileAttributesA
WaitForSingleObject
FreeLibrary
QueryPerformanceCounter
CopyFileA
GetTickCount
GetThreadLocale
GetVersionExA
GetModuleFileNameA
RtlUnwind
LoadLibraryA
GetLocalTime
WritePrivateProfileStringA
DeleteCriticalSection
GetStartupInfoA
GetDateFormatA
LoadLibraryExA
SizeofResource
GetPrivateProfileStringA
GetLocaleInfoA
GetFileSize
CreateDirectoryA
LockResource
IsDBCSLeadByte
DeleteFileA
GetWindowsDirectoryA
UnhandledExceptionFilter
TlsGetValue
MultiByteToWideChar
EnumCalendarInfoA
GetCPInfo
GetCommandLineA
GetProcAddress
FormatMessageA
GetFullPathNameA
SetFilePointer
GetTempPathA
RaiseException
CompareStringA
CloseHandle
WideCharToMultiByte
GetModuleHandleA
FindFirstFileA
WriteFile
GetCurrentProcess
ReadFile
ResetEvent
lstrcpynA
GetSystemDirectoryA
GetACP
GetDiskFreeSpaceA
FreeResource
SetFileAttributesA
SetEvent
FindResourceA
CreateProcessA
GetExitCodeProcess
InitializeCriticalSection
LoadResource
VirtualQuery
VirtualFree
CreateEventA
FindClose
InterlockedDecrement
Sleep
GetFileType
SetEndOfFile
TlsSetValue
CreateFileA
ExitProcess
GetCurrentThreadId
LeaveCriticalSection
VirtualAlloc
LocalAlloc
InterlockedIncrement
StringFromCLSID
CoTaskMemFree
CoCreateGuid
VariantChangeType
SafeArrayGetLBound
SafeArrayPtrOfIndex
SysAllocStringLen
VariantClear
SafeArrayCreate
SysReAllocStringLen
SafeArrayGetUBound
VariantCopy
SysFreeString
VariantInit
ShellExecuteExA
CharPrevA
MapVirtualKeyA
keybd_event
FindWindowA
GetSystemMetrics
DispatchMessageA
VkKeyScanA
CharUpperBuffA
MessageBoxA
PeekMessageA
TranslateMessage
GetWindow
SetKeyboardState
GetKeyState
LoadStringA
SendMessageA
GetKeyboardState
CharNextA
WaitForInputIdle
MsgWaitForMultipleObjects
GetWindowTextA
CharToOemA
GetKeyboardType
IsDialogMessageA
DestroyWindow
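The imphash given under File identification below is an MD5 over the import table in its original order, with each entry normalised to a lowercase "dll.function" string, which is why it clusters builds that share a compiler runtime and linker layout even when the rest of the file differs, and why reordering or adding a single import changes it. As an added example (not VirusTotal's or pefile's code), the Python below reproduces that normalisation and hashing over a constructed import list; the DLL assignments and ordering are assumptions for illustration, since this report lists function names without their DLLs, so the digest it produces is not this sample's imphash.

```python
import hashlib

# Constructed import table for demonstration. The report lists this sample's
# imported function names but not the DLLs they come from, so the DLL
# assignments below are assumed from standard Win32 documentation and the
# order is illustrative; this is not the sample's real import table.
SAMPLE_IMPORTS = [
    ("KERNEL32.dll", "LoadLibraryA"),
    ("KERNEL32.dll", "GetProcAddress"),
    ("ADVAPI32.dll", "RegOpenKeyExA"),
    ("ADVAPI32.dll", "RegSetValueExA"),
    ("USER32.dll", "keybd_event"),
    ("USER32.dll", "SetKeyboardState"),
    ("SHELL32.dll", "ShellExecuteExA"),
    ("OLEAUT32.dll", 6),          # imported by ordinal rather than by name
]

# Ordinal-to-name fallback for DLLs that are commonly imported by ordinal.
# pefile ships full tables for oleaut32 and ws2_32; only a single entry
# (assumed from the oleaut32 export table) is included here.
KNOWN_ORDINALS = {"oleaut32": {6: "SysFreeString"}}


def import_strings(imports):
    """Normalise (dll, name_or_ordinal) pairs the way pefile's get_imphash does."""
    out = []
    for dll, func in imports:
        lib = dll.lower()
        base, dot, ext = lib.rpartition(".")
        if dot and ext in ("dll", "ocx", "sys"):   # only these extensions are stripped
            lib = base
        if isinstance(func, int):                  # no name: consult the known-ordinal table
            name = KNOWN_ORDINALS.get(lib, {}).get(func, f"ord{func}")
        else:
            name = func
        out.append(f"{lib}.{name.lower()}")
    return out


def imphash(imports):
    """MD5 over the comma-joined import strings; order is significant."""
    return hashlib.md5(",".join(import_strings(imports)).encode()).hexdigest()


if __name__ == "__main__":
    print(imphash(SAMPLE_IMPORTS))
    print(imphash(list(reversed(SAMPLE_IMPORTS))))   # same imports, different order, different hash
```

Because the hash is order-sensitive and ignores everything outside the import table, two files with the same imphash were almost certainly produced by the same toolchain from closely related source, but a matching imphash does not mean matching code, and a trivially rebuilt binary with one extra import will not match at all.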
Number of PE resources by type
RT_STRING 8
RT_RCDATA 6
RT_ICON 5
RT_MANIFEST 1
RT_VERSION 1
RT_GROUP_ICON 1
Number of PE resources by language
NEUTRAL 14
ENGLISH US 8
PE resources
ExifTool file metadata
SubsystemVersion: 4.0
LinkerVersion: 2.25
ImageVersion: 0.0
FileSubtype: 0
FileVersionNumber: 2.0.0.0
UninitializedDataSize: 0
LanguageCode: English (U.S.)
FileFlagsMask: 0x003f
CharacterSet: Windows, Latin1
InitializedDataSize: 4402688
EntryPoint: 0x1f3a0
OriginalFileName: setup.exe
MIMEType: application/octet-stream
LegalCopyright: Facebook Inc.
FileVersion: 2.0.0
TimeStamp: 2013:03:29 19:03:41+01:00
FileType: Win32 EXE
PEType: PE32
InternalName: setup.exe
ProductVersion: 2.0.0
FileDescription: Deploy Facebook Profile Viewer browsers extension
OSVersion: 4.0
FileOS: Win32
Subsystem: Windows GUI
MachineType: Intel 386 or later, and compatibles
CodeSize: 124416
ProductName: Facebook Profile Viewer installer
ProductVersionNumber: 2.0.0.0
FileTypeExtension: exe
ObjectFileType: Executable application

File identification
MD5: c9220176786fe074de210529570959c5
SHA1: 3644da5a96035f5d0565086a736ae4ac36682a3f
SHA256: 5a2729550420e40836fd2f5e2bb42fe4b9d36dd3fbb0f12fc05b829b5e295f80
ssdeep: 98304:IQAr71MSDvsSgwDJWFPRF4V5sUheW1TxBq/j3F:IQMMSDv/jgL65sUhr57q/j1
authentihash: 598651969d6a7def4276e91997cb6ffb48f3c02774f3e47499b346e163b49dcf
imphash: 73747b911244725f88ce26d959287999
File size: 4.3 MB (4522176 bytes)
File type: Win32 EXE
Magic literal: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
TrID: InstallShield setup (53.2%)
      Win32 Executable Delphi generic (17.5%)
      Windows screen saver (16.1%)
      Win32 Executable (generic) (5.5%)
      Win16/32 Executable Delphi generic (2.5%)
(TrID's top guess disagrees with the NSIS identification from F-PROT and the nsis tag; TrID percentages are byte-pattern match confidences, not mutually exclusive verdicts.)
Tags: nsis peexe signed overlay

VirusTotal metadata
First submission: 2013-06-10 11:06:28 UTC
Last submission: 2013-06-12 10:08:33 UTC
File names: setup.exe; vti-rescan; Profile Stalker - D.exe
Advanced heuristic and reputation engines
Symantec reputation Suspicious.Insight
Condensed report: the following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were performed either by the file itself or by any other process launched by it or subjected to code injection by it.
Opened files
Read files
Written files
Moved files
Deleted files
Set keys
Created processes
Created mutexes
Opened mutexes
Opened service managers
Opened services
Runtime DLLs
Additional details
The file sends control codes directly to certain device drivers making use of the DeviceIoControl Windows API function.
HTTP requests
DNS requests
TCP connections
UDP communications