SHA256: 5b842678b5ee0ff705932d563f90eaf4dd0384588bd8d269907bd9aa94bf12a3
File name: mod_isapi.so
Detection ratio: 0 / 48
Analysis date: 2013-10-21 11:44:47 UTC ( 5 years, 7 months ago )
Antivirus Result Update
Yandex 20131020
AhnLab-V3 20131021
AntiVir 20131021
Antiy-AVL 20131021
Avast 20131021
AVG 20131021
Baidu-International 20131021
BitDefender 20131012
Bkav 20131019
ByteHero 20131011
CAT-QuickHeal 20131021
ClamAV 20131021
Commtouch 20131021
Comodo 20131021
DrWeb 20131021
Emsisoft 20131021
ESET-NOD32 20131021
F-Prot 20131021
F-Secure 20131021
Fortinet 20131021
GData 20131021
Ikarus 20131021
Jiangmin 20131021
K7AntiVirus 20131018
K7GW 20131018
Kaspersky 20131021
Kingsoft 20130829
Malwarebytes 20131021
McAfee 20131021
McAfee-GW-Edition 20131021
Microsoft 20131021
eScan 20131021
NANO-Antivirus 20131021
Norman 20131021
nProtect 20131021
Panda 20131021
PCTools 20131002
Rising 20131021
Sophos AV 20131021
SUPERAntiSpyware 20131021
Symantec 20131021
TheHacker 20131018
TotalDefense 20131019
TrendMicro 20131021
TrendMicro-HouseCall 20131021
VBA32 20131021
VIPRE 20131021
ViRobot 20131021
The file being studied is a Portable Executable file! More specifically, it is a Win32 DLL file for the Windows GUI subsystem.
FileVersionInfo properties
Copyright
Copyright 2013 The Apache Software Foundation.

Publisher Apache Software Foundation
Product Apache HTTP Server
Version 2.4.4
Original name mod_isapi.so
Internal name mod_isapi.so
File version 2.4.4
Description isapi_module for Apache
Comments Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2013-02-23 12:03:24
Entry Point 0x00003819
Number of sections 5
PE sections
PE imports
GetLastError
GetCurrentProcess
TerminateProcess
SetUnhandledExceptionFilter
DecodePointer
GetCurrentProcessId
EncodePointer
InterlockedExchange
QueryPerformanceCounter
UnhandledExceptionFilter
IsDebuggerPresent
GetTickCount
DisableThreadLibraryCalls
GetSystemTimeAsFileTime
Sleep
GetCurrentThreadId
InterlockedCompareExchange
SetLastError
_malloc_crt
strncmp
_lock
_unlock
_crt_debugger_hook
memset
_except_handler4_common
free
_onexit
__dllonexit
_amsg_exit
_encoded_null
__clean_type_info_names_internal
__CppXcptFilter
isdigit
_initterm
_initterm_e
isspace
memchr
_apr_dso_sym@12
_apr_hash_get@12
_apr_palloc@8
_apr_table_elts@4
_apr_table_get@8
_apr_thread_mutex_lock@4
_apr_hash_set@16
_apr_file_info_get@12
_apr_cpystrn@12
apr_pstrcat
_apr_os_file_put@16
_apr_thread_mutex_unlock@4
_apr_dso_load@12
_apr_thread_rwlock_wrlock@4
_apr_thread_rwlock_create@8
_apr_table_set@12
_apr_table_unset@8
_apr_time_now@0
_apr_thread_mutex_create@12
_apr_table_setn@12
_apr_stat@16
_apr_thread_rwlock_rdlock@4
_apr_hash_make@4
apr_pool_cleanup_null
_apr_dso_unload@4
_apr_filepath_merge@20
_apr_pool_cleanup_register@16
_apr_thread_rwlock_unlock@4
_apr_pool_create_ex@16
_apr_pstrndup@12
_apr_pstrdup@8
_apr_bucket_flush_create@4
_apr_brigade_insert_file@28
_apr_bucket_eos_create@4
_apr_bucket_transient_create@12
_apr_brigade_destroy@4
_apr_brigade_create@8
ap_log_rerror_
_ap_hook_pre_config@16
_ap_get_status_line@4
ap_scan_script_header_err_strs_ex
_ap_destroy_sub_req@4
_ap_add_cgi_vars@4
_ap_allow_options@4
_ap_setup_client_block@8
_ap_should_client_block@4
_ap_internal_redirect@8
_ap_add_common_vars@4
ap_set_flag_slot
ap_log_error_
ap_set_int_slot
_ap_pass_brigade@8
_ap_server_root_relative@8
_ap_hook_handler@16
_ap_sub_req_lookup_uri@12
_ap_get_client_block@12
PE exports
Number of PE resources by type
RT_MANIFEST 1
RT_VERSION 1
Number of PE resources by language
ENGLISH US 2
PE resources
ExifTool file metadata
FileDescription
isapi_module for Apache

Comments
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

InitializedDataSize
11264

ImageVersion
0.0

ProductName
Apache HTTP Server

FileVersionNumber
2.4.4.0

LanguageCode
English (U.S.)

FileFlagsMask
0x003f

CharacterSet
Unicode

LinkerVersion
10.0

OriginalFilename
mod_isapi.so

MIMEType
application/octet-stream

Subsystem
Windows GUI

FileVersion
2.4.4

TimeStamp
2013:02:23 13:03:24+01:00

FileType
Win32 DLL

PEType
PE32

InternalName
mod_isapi.so

SubsystemVersion
5.1

ProductVersion
2.4.4

UninitializedDataSize
0

OSVersion
5.1

FileOS
Win32

LegalCopyright
Copyright 2013 The Apache Software Foundation.

MachineType
Intel 386 or later, and compatibles

CompanyName
Apache Software Foundation

CodeSize
11776

FileSubtype
0

ProductVersionNumber
2.4.4.0

EntryPoint
0x3819

ObjectFileType
Dynamic link library

Compressed bundles
File identification
MD5 df1c6022559e7be99d8bf88f1b77ac55
SHA1 e45c748cfd592bf63cb0f6fbd262d532a1f272c7
SHA256 5b842678b5ee0ff705932d563f90eaf4dd0384588bd8d269907bd9aa94bf12a3
ssdeep
384:nlOUnDNnVyaRP1O0pVoE9cCb2EXZr11zLXpg+4fifPlxnPV5uqW:l7BnVyaRP1OcV5tXlxndAqW

File size 23.5 KB ( 24064 bytes )
File type Win32 DLL
Magic literal
PE32 executable for MS Windows (DLL) (GUI) Intel 80386 32-bit

TrID Win32 Dynamic Link Library (generic) (43.5%)
Win32 Executable (generic) (29.8%)
Generic Win/DOS Executable (13.2%)
DOS Executable Generic (13.2%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
Tags
pedll

VirusTotal metadata
First submission 2013-03-04 13:32:59 UTC ( 6 years, 2 months ago )
Last submission 2013-03-04 13:32:59 UTC ( 6 years, 2 months ago )
File names mod_isapi.so
mod_isapi.so
mod_isapi.so
mod_isapi 2.so
~d91b5fba.tmp
mod_isapi.so
mod_isapi.so
mod_isapi.so
mod_isapi.so
643eb938-6549-d70d-5f82-c2d606498452_1d26c2478ca65ba