SHA256: 5fd271cdf943d8188666074db6d57c8069910d61cf34a009c54bd63bf5589fd4
File name: qstp.exe
Detection ratio: 0 / 53
Analysis date: 2016-01-04 10:04:55 UTC ( 2 years, 8 months ago )
Antivirus Result Update
Ad-Aware 20160104
AegisLab 20160104
Yandex 20160103
AhnLab-V3 20160104
Alibaba 20160104
Antiy-AVL 20160104
Arcabit 20160104
Avast 20160104
AVG 20160104
Avira (no cloud) 20160103
AVware 20160104
Baidu-International 20160103
BitDefender 20160104
Bkav 20151231
ByteHero 20160104
CAT-QuickHeal 20160104
ClamAV 20160103
CMC 20160104
Comodo 20160104
Cyren 20160101
DrWeb 20160104
Emsisoft 20160104
ESET-NOD32 20151231
F-Prot 20160104
F-Secure 20160104
Fortinet 20160104
GData 20160104
Ikarus 20151231
Jiangmin 20160104
K7AntiVirus 20160104
K7GW 20160104
Kaspersky 20160103
Malwarebytes 20160103
McAfee 20160104
McAfee-GW-Edition 20160104
Microsoft 20160104
eScan 20160104
NANO-Antivirus 20160104
nProtect 20151231
Panda 20160103
Rising 20160104
Sophos AV 20160104
SUPERAntiSpyware 20160104
Symantec 20160104
TheHacker 20160103
TotalDefense 20160104
TrendMicro 20160104
TrendMicro-HouseCall 20160104
VBA32 20160102
VIPRE 20160102
ViRobot 20160104
Zillya 20151231
Zoner 20160104
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
Authenticode signature block and FileVersionInfo properties
Copyright
Copyright (C) 2002-2015, Pantaray Research Ltd.

Product QSetup Installation Suite
Original name Composer.exe
File version 12.0.0.2
Description QSetup Installation Suite - Setup file
Comments
Signature verification Signed file, verified signature
Signing date 6:55 AM 12/22/2015
Signers
[+] Pantaray Research
Status Valid
Issuer thawte SHA256 Code Signing CA
Valid from 1:00 AM 2/12/2015
Valid to 12:59 AM 3/2/2017
Valid usage Code Signing
Algorithm sha256RSA
Thumbprint C08E2EECD560DD92C71A11F5E87CAAB24C951B03
Serial number 32 AD A4 3F E4 75 45 E2 CE A4 F0 03 9E 4E 77 F4
[+] thawte SHA256 Code Signing CA
Status Valid
Issuer thawte Primary Root CA
Valid from 1:00 AM 12/10/2013
Valid to 12:59 AM 12/10/2023
Valid usage Client Auth, Code Signing
Algorithm sha256RSA
Thumbprint D00CFDBF46C98A838BC10DC4E097AE0152C461BC
Serial number 71 A0 B7 36 95 DD B1 AF C2 3B 2B 9A 18 EE 54 CB
[+] thawte
Status Valid
Issuer thawte Primary Root CA
Valid from 1:00 AM 11/17/2006
Valid to 12:59 AM 7/17/2036
Valid usage Server Auth, Client Auth, Email Protection, Code Signing
Algorithm sha1RSA
Thumbprint 91C6D6EE3E8AC86384E548C299295C756C817B81
Serial number 34 4E D5 57 20 D5 ED EC 49 F4 2F CE 37 DB 2B 6D
Counter signers
[+] Symantec Time Stamping Services Signer - G4
Status Valid
Issuer Symantec Time Stamping Services CA - G2
Valid from 1:00 AM 10/18/2012
Valid to 12:59 AM 12/30/2020
Valid usage Timestamp Signing
Algorithm sha1RSA
Thumbprint 65439929B67973EB192D6FF243E6767ADF0834E4
Serial number 0E CF F4 38 C8 FE BF 35 6E 04 D8 6A 98 1B 1A 50
[+] Symantec Time Stamping Services CA - G2
Status Valid
Issuer Thawte Timestamping CA
Valid from 1:00 AM 12/21/2012
Valid to 12:59 AM 12/31/2020
Valid usage Timestamp Signing
Algorithm sha1RSA
Thumbprint 6C07453FFDDA08B83707C09B82FB3D15F35336B1
Serial number 7E 93 EB FB 7C C6 4E 59 EA 4B 9A 77 D4 06 FC 3B
[+] Thawte Timestamping CA
Status Valid
Issuer Thawte Timestamping CA
Valid from 1:00 AM 1/1/1997
Valid to 12:59 AM 1/1/2021
Valid usage Timestamp Signing
Algorithm md5RSA
Thumbprint BE36A4562FB2EE05DBB3D32323ADF445084ED656
Serial number 00
Packers identified
PEiD BobSoft Mini Delphi -> BoB / BobSoft
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 1992-06-19 22:22:17
Entry Point 0x00035CFC
Number of sections 8
PE sections
Overlays
MD5 33560de22879f3cddcf08344fb5d918c
File type data
Offset 255488
Size 5160144
Entropy 8.00
PE imports
RegOpenKeyExA
LookupAccountNameA
RegQueryValueExA
RegCloseKey
GetUserNameA
InitCommonControls
GetDeviceCaps
LineTo
SelectObject
GetTextExtentPoint32A
MoveToEx
CreatePen
GetTextMetricsA
CreateSolidBrush
DeleteObject
CreateFontA
GetStdHandle
FileTimeToDosDateTime
GetFileAttributesA
WaitForSingleObject
GetDriveTypeA
GetExitCodeProcess
DeleteCriticalSection
GetCurrentProcess
GetLocaleInfoA
LocalAlloc
SetErrorMode
SetFileAttributesA
GetTempPathA
WideCharToMultiByte
WriteFile
GetDiskFreeSpaceA
GetFullPathNameA
SetEvent
LocalFree
MoveFileA
GetEnvironmentVariableA
FindClose
TlsGetValue
FormatMessageA
GetStringTypeExA
PeekNamedPipe
DeviceIoControl
InitializeCriticalSection
GlobalFindAtomA
ExitProcess
GetModuleFileNameA
RaiseException
EnumCalendarInfoA
LoadLibraryExA
GetPrivateProfileStringA
UnhandledExceptionFilter
InterlockedDecrement
MultiByteToWideChar
GetLocalTime
GetModuleHandleA
CreatePipe
GlobalAddAtomA
MulDiv
GetSystemDirectoryA
TerminateProcess
VirtualQuery
LocalFileTimeToFileTime
SetEndOfFile
GetCurrentThreadId
InterlockedIncrement
SetCurrentDirectoryA
EnterCriticalSection
FreeLibrary
QueryPerformanceCounter
GetTickCount
GetVersionExA
LoadLibraryA
RtlUnwind
GetStartupInfoA
GetDateFormatA
GetFileSize
OpenProcess
CreateDirectoryA
DeleteFileA
GetWindowsDirectoryA
GetProcAddress
FindFirstFileA
ResetEvent
GetComputerNameA
FindNextFileA
IsValidLocale
SetCommTimeouts
CreateEventA
CopyFileA
GetFileType
TlsSetValue
CreateFileA
LeaveCriticalSection
GetLastError
DosDateTimeToFileTime
GlobalDeleteAtom
lstrlenA
GetThreadLocale
IsDBCSLeadByte
RemoveDirectoryA
WinExec
FileTimeToLocalFileTime
WritePrivateProfileStringA
GetCurrentProcessId
SetFileTime
GetCPInfo
GetShortPathNameA
GetCommandLineA
QueryPerformanceFrequency
SetFilePointer
ReadFile
CloseHandle
lstrcpynA
GetACP
GetVersion
CreateProcessA
VirtualFree
Sleep
VirtualAlloc
CompareStringA
VariantChangeType
SafeArrayGetLBound
SafeArrayPtrOfIndex
SysAllocStringLen
VariantClear
SafeArrayCreate
SysReAllocStringLen
SafeArrayGetUBound
VariantCopy
SysFreeString
VariantInit
ShellExecuteA
SetFocus
GetMessageA
EnableWindow
ReleaseDC
PostQuitMessage
EnumWindows
KillTimer
RegisterWindowMessageA
DefWindowProcA
ShowWindow
SetWindowPos
GetClassNameA
GetWindowThreadProcessId
GetSystemMetrics
GetWindowRect
DispatchMessageA
EndPaint
LoadStringA
PostMessageA
DrawIcon
MessageBoxA
PeekMessageA
SetWindowLongA
TranslateMessage
GetWindow
GetSysColor
SetActiveWindow
GetDC
SystemParametersInfoA
BeginPaint
FindWindowA
UnregisterClassA
IsWindowVisible
SendMessageA
GetClientRect
SetTimer
EnableMenuItem
RegisterClassA
LoadIconA
GetWindowLongA
CreateWindowExA
LoadCursorA
OemToCharA
GetActiveWindow
CharNextA
GetDesktopWindow
GetSystemMenu
GetFocus
FillRect
GetWindowTextA
GetKeyboardType
CharToOemA
GetFileVersionInfoSizeA
GetFileVersionInfoA
VerQueryValueA
InternetConnectA
HttpOpenRequestA
HttpSendRequestA
InternetSetOptionA
InternetGetLastResponseInfoA
Number of PE resources by type
RT_STRING 7
RT_RCDATA 2
RT_VERSION 2
RT_ICON 1
RT_MANIFEST 1
RT_GROUP_ICON 1
Number of PE resources by language
NEUTRAL 10
HEBREW DEFAULT 3
ENGLISH US 1
PE resources
ExifTool file metadata
SubsystemVersion
4.0

LinkerVersion
2.25

ImageVersion
0.0

FileSubtype
0

FileVersionNumber
12.0.0.2

UninitializedDataSize
0

LanguageCode
English (U.S.)

FileFlagsMask
0x0000

CharacterSet
Windows, Latin1

InitializedDataSize
37888

EntryPoint
0x35cfc

OriginalFileName
Composer.exe

MIMEType
application/octet-stream

LegalCopyright
Copyright (C) 2002-2015, Pantaray Research Ltd.

FileVersion
12.0.0.2

TimeStamp
1992:06:19 23:22:17+01:00

FileType
Win32 EXE

PEType
PE32

ProductVersion
11.0.0.0

FileDescription
QSetup Installation Suite - Setup file

OSVersion
4.0

FileOS
Windows NT 32-bit

Subsystem
Windows GUI

MachineType
Intel 386 or later, and compatibles

CompanyName
Pantaray Research Ltd.

CodeSize
216576

ProductName
QSetup Installation Suite

ProductVersionNumber
11.0.0.0

FileTypeExtension
exe

ObjectFileType
Executable application

CarbonBlack
While monitoring an end-user machine in-the-wild, CarbonBlack noticed the following files in execution wrote this sample to disk.
Execution parents
File identification
MD5 5e0afed704ce0d1163019ae81569584d
SHA1 9dd76faeb23329a78324268cda13880837a796fb
SHA256 5fd271cdf943d8188666074db6d57c8069910d61cf34a009c54bd63bf5589fd4
ssdeep
98304:TGtLyoY/jMlQ1N1dWw+BUzebDcY6jK64y+YuGX+Bq0Rhf0LC:sfYbyAwBUabDL6Xp+BpL8O

authentihash dc678d7bf4eb0f5fa55ebf259f45125e0e219130a5bc8be2e1a9e83fcb443c18
imphash 2f45afee24007023355d72f427440a0b
File size 5.2 MB ( 5415632 bytes )
File type Win32 EXE
Magic literal
PE32 executable for MS Windows (GUI) Intel 80386 32-bit

TrID InstallShield setup (49.2%)
Win32 Executable Delphi generic (16.2%)
Windows screen saver (14.9%)
Win32 Dynamic Link Library (generic) (7.5%)
Win32 Executable (generic) (5.1%)
Tags
bobsoft peexe signed overlay

VirusTotal metadata
First submission 2016-01-04 10:04:55 UTC ( 2 years, 8 months ago )
Last submission 2016-10-19 11:10:02 UTC ( 1 year, 11 months ago )
File names Composer.exe
5FD271CDF943D8188666074DB6D57C8069910D61CF34A009C54BD63BF5589FD4
5FD271CDF943D8188666074DB6D57C8069910D61CF34A009C54BD63BF5589FD4.dat
qstp.exe
Condensed report! The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.
Opened files
Read files
Written files
Created processes
Searched windows
Runtime DLLs
UDP communications