SHA256: 5a52964970564d363b9d676a182892b3ce61b3a1baa67bef59dfa29f15ed5815
File name: epmntdrv.sys
Detection ratio: 0 / 44
Analysis date: 2012-11-15 20:19:31 UTC ( 5 years, 9 months ago )
Antivirus Result Update
Yandex 20121114
AhnLab-V3 20121115
AntiVir 20121115
Antiy-AVL 20121115
Avast 20121115
AVG 20121115
BitDefender 20121115
ByteHero 20121110
CAT-QuickHeal 20121115
ClamAV 20121115
Commtouch 20121115
Comodo 20121115
DrWeb 20121115
Emsisoft 20121115
eSafe 20121115
ESET-NOD32 20121115
F-Prot 20121115
F-Secure 20121115
Fortinet 20121115
GData 20121115
Ikarus 20121115
Jiangmin 20121115
K7AntiVirus 20121115
Kaspersky 20121115
Kingsoft 20121112
McAfee 20121115
McAfee-GW-Edition 20121115
Microsoft 20121115
eScan 20121115
Norman 20121115
nProtect 20121115
Panda 20121115
PCTools 20121115
Rising 20121114
Sophos AV 20121115
SUPERAntiSpyware 20121115
Symantec 20121115
TheHacker 20121113
TotalDefense 20121115
TrendMicro 20121115
TrendMicro-HouseCall 20121115
VBA32 20121115
VIPRE 20121115
ViRobot 20121115
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Native subsystem.
Authenticode signature block and FileVersionInfo properties
Signature verification Certificate out of its validity period
Signers
[+] CHENGDU YIWO Tech Development Co., Ltd.
Status This certificate or one of the certificates in the certificate chain is not time valid.
Issuer VeriSign Class 3 Code Signing 2004 CA
Valid from 1:00 AM 8/14/2008
Valid to 12:59 AM 8/15/2011
Valid usage Code Signing
Algorithm sha1RSA
Thumbprint 249B402EF4DEFBD80C492F2191BDFE04E2A2C496
Serial number 6C F2 F2 7C 3D F2 FB 0E 37 83 AA D5 45 78 AA 7E
[+] VeriSign Class 3 Code Signing 2004 CA
Status This certificate or one of the certificates in the certificate chain is not time valid.
Issuer Class 3 Public Primary Certification Authority
Valid from 1:00 AM 7/16/2004
Valid to 12:59 AM 7/16/2014
Valid usage Client Auth, Code Signing
Algorithm sha1RSA
Thumbprint 197A4AEBDB25F0170079BB8C73CB2D655E0018A4
Serial number 41 91 A1 5A 39 78 DF CF 49 65 66 38 1D 4C 75 C2
[+] VeriSign Class 3 Public Primary CA
Status Valid
Issuer Class 3 Public Primary Certification Authority
Valid from 1:00 AM 1/29/1996
Valid to 12:59 AM 8/2/2028
Valid usage Server Auth, Client Auth, Email Protection, Code Signing
Algorithm md2RSA
Thumbprint 742C3192E607E424EB4549542BE1BBC53E6174E2
Serial number 70 BA E4 1D 10 D9 29 34 B6 38 CA 7B 03 CC BA BF
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2008-08-05 05:35:45
Entry Point 0x00005005
Number of sections 5
PE sections
Overlays
MD5 bb6021162d512ecfb9d9df4578841a22
File type data
Offset 9728
Size 4488
Entropy 7.25
PE imports
RtlInitUnicodeString
RtlAnsiCharToUnicodeChar
RtlUnicodeStringToInteger
IoGetDeviceObjectPointer
KeInitializeEvent
MmMapLockedPagesSpecifyCache
IoBuildAsynchronousFsdRequest
DbgPrint
IoGetLowerDeviceObject
IoBuildDeviceIoControlRequest
IoCreateDevice
IoDeleteDevice
KeTickCount
ObDereferenceObjectDeferDelete
ExAllocatePoolWithTag
IoFreeIrp
memset
IofCompleteRequest
IoDeleteSymbolicLink
KeSetEvent
ObfDereferenceObject
ExFreePoolWithTag
memcpy
RtlCompareUnicodeString
IoGetAttachedDeviceReference
IoCreateSymbolicLink
KeBugCheckEx
KeWaitForSingleObject
IofCallDriver
ObfReferenceObject
IoFreeMdl
MmUnlockPages
Debug information
ExifTool file metadata
MIMEType application/octet-stream
Subsystem Native
MachineType Intel 386 or later, and compatibles
TimeStamp 2008:08:05 06:35:45+01:00
FileType Win32 EXE
PEType PE32
CodeSize 7168
LinkerVersion 8.0
FileTypeExtension exe
InitializedDataSize 1536
SubsystemVersion 6.0
EntryPoint 0x5005
OSVersion 6.0
ImageVersion 6.0
UninitializedDataSize 0

CarbonBlack
CarbonBlack acts as a surveillance camera for computers.
While monitoring an end-user machine in-the-wild, CarbonBlack noticed the following files in execution wrote this sample to disk.
Compressed bundles
File identification
MD5 539ca34fbc74ec366a0d751028c32a08
SHA1 5a37118ef1712f20ce50e60c537373cef7d9f54b
SHA256 5a52964970564d363b9d676a182892b3ce61b3a1baa67bef59dfa29f15ed5815
ssdeep 192:W9Bgq7dIqqXU9piHf0etqlKdaK0zqMjGwP7oZgjl7Mcip+ebMZMCB:W9Bgq7dINXU/iHf03K06d6jVQbQ
authentihash 3015612af9c5bbb50c2a17921148d0e241fb6905f28693b68885a52b24987356
imphash 497ab08ca4751a30dbbe7158d270945d
File size 13.9 KB ( 14216 bytes )
File type Win32 EXE
Magic literal PE32 executable for MS Windows (native) Intel 80386 32-bit
TrID Win32 Executable (generic) (42.7%)
OS/2 Executable (generic) (19.2%)
Generic Win/DOS Executable (18.9%)
DOS Executable Generic (18.9%)
Tags peexe native signed overlay
VirusTotal metadata
First submission 2009-11-08 22:18:37 UTC ( 8 years, 9 months ago )
Last submission 2018-02-19 21:56:16 UTC ( 5 months, 3 weeks ago )
File names is-1lab3.tmp
is-acf3k.tmp
is-djtuf.tmp
EPMNTDRV.SYS._5A37118EF1712F20CE50E60C537373CEF7D9F54B
epmntdrv.sys
is-ec48q.tmp
CBA9C31B886C5F4E37480011D0030400F6D3E903.sys
is-4nkj0.tmp
is-lhldg.tmp
tsk0000.dta
epmntdrv.sys
is-v1u4t.tmp
file-1039986_sys
539ca34fbc74ec366a0d751028c32a08
file-3065466_sys
is-3greg.tmp
epmntdrv.sys
epmntdrv.sys
is-34eet.tmp
is-b7c0h.tmp
EPMNTDRV.SYS
epmntdrv.sys
is-hi6ka.tmp
is-ngj7b.tmp
epmntdrv.sy_