SHA256: 6d1532e659c11e055029fc181521470e0d60e5433f6ecd05c5df1a17cc1e301a
File name: winrar-11-jetelecharge.exe
Detection ratio: 1 / 61
Analysis date: 2017-05-17 11:57:26 UTC ( 3 months ago )
Antivirus Result Update
Baidu Win32.Trojan.WisdomEyes.16070401.9500.9997 20170503
Ad-Aware 20170517
AegisLab 20170517
AhnLab-V3 20170517
Alibaba 20170517
ALYac 20170517
Arcabit 20170517
Avast 20170517
AVG 20170517
Avira (no cloud) 20170517
AVware 20170517
BitDefender 20170517
Bkav 20170517
CAT-QuickHeal 20170517
ClamAV 20170517
CMC 20170517
Comodo 20170517
CrowdStrike Falcon (ML) 20170130
Cyren 20170517
DrWeb 20170517
Emsisoft 20170517
Endgame 20170515
ESET-NOD32 20170517
F-Prot 20170517
F-Secure 20170517
Fortinet 20170517
GData 20170517
Ikarus 20170517
Sophos ML 20170516
Jiangmin 20170517
K7AntiVirus 20170517
K7GW 20170517
Kaspersky 20170517
Kingsoft 20170517
Malwarebytes 20170517
McAfee 20170517
McAfee-GW-Edition 20170516
Microsoft 20170517
eScan 20170517
NANO-Antivirus 20170517
nProtect 20170517
Palo Alto Networks (Known Signatures) 20170517
Panda 20170516
Qihoo-360 20170517
Rising 20170517
SentinelOne (Static ML) 20170516
Sophos AV 20170517
SUPERAntiSpyware 20170517
Symantec 20170516
Symantec Mobile Insight 20170517
Tencent 20170517
TheHacker 20170516
TotalDefense 20170517
TrendMicro 20170517
TrendMicro-HouseCall 20170517
Trustlook 20170517
VBA32 20170517
VIPRE 20170517
ViRobot 20170517
Webroot 20170517
Yandex 20170516
Zillya 20170517
ZoneAlarm by Check Point 20170517
Zoner 20170517
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
Authenticode signature block and FileVersionInfo properties
Signature verification Signed file, verified signature
Signing date 7:03 PM 8/17/2016
Signers
[+] win.rar GmbH
Status This certificate or one of the certificates in the certificate chain is not time valid.
Issuer COMODO RSA Code Signing CA
Valid from 1:00 AM 6/1/2015
Valid to 12:59 AM 6/1/2017
Valid usage Code Signing
Algorithm sha256RSA
Thumbprint CC6FD0D1EE3570E592A181D6B41E0FF308D833D3
Serial number 00 FE 46 A1 0A D9 42 69 C3 DD 22 5C 13 64 53 52 E4
[+] COMODO RSA Code Signing CA
Status Valid
Issuer COMODO RSA Certification Authority
Valid from 1:00 AM 5/9/2013
Valid to 12:59 AM 5/9/2028
Valid usage Code Signing
Algorithm sha384RSA
Thumbprint B69E752BBE88B4458200A7C0F4F5B3CCE6F35B47
Serial number 2E 7C 87 CC 0E 93 4A 52 FE 94 FD 1C B7 CD 34 AF
[+] COMODO SECURE™
Status Valid
Issuer COMODO RSA Certification Authority
Valid from 1:00 AM 1/19/2010
Valid to 12:59 AM 1/19/2038
Valid usage Server Auth, Client Auth, Email Protection, Code Signing, Timestamp Signing, EFS, IPSEC Tunnel, IPSEC User
Algorithm sha384RSA
Thumbprint AFE5D244A8D1194230FF479FE2F897BBCD7A8CB4
Serial number 4C AA F9 CA DB 63 6F E0 1F F7 4E D8 5B 03 86 9D
Counter signers
[+] Symantec Time Stamping Services Signer - G4
Status Valid
Issuer Symantec Time Stamping Services CA - G2
Valid from 1:00 AM 10/18/2012
Valid to 12:59 AM 12/30/2020
Valid usage Timestamp Signing
Algorithm sha1RSA
Thumbprint 65439929B67973EB192D6FF243E6767ADF0834E4
Serial number 0E CF F4 38 C8 FE BF 35 6E 04 D8 6A 98 1B 1A 50
[+] Symantec Time Stamping Services CA - G2
Status Valid
Issuer Thawte Timestamping CA
Valid from 1:00 AM 12/21/2012
Valid to 12:59 AM 12/31/2020
Valid usage Timestamp Signing
Algorithm sha1RSA
Thumbprint 6C07453FFDDA08B83707C09B82FB3D15F35336B1
Serial number 7E 93 EB FB 7C C6 4E 59 EA 4B 9A 77 D4 06 FC 3B
[+] Thawte Timestamping CA
Status Valid
Issuer Thawte Timestamping CA
Valid from 1:00 AM 1/1/1997
Valid to 12:59 AM 1/1/2021
Valid usage Timestamp Signing
Algorithm md5RSA
Thumbprint BE36A4562FB2EE05DBB3D32323ADF445084ED656
Serial number 00
Packers identified
F-PROT appended, RAR, Unicode
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2016-08-14 19:15:59
Entry Point 0x0001C445
Number of sections 6
PE sections
Overlays
MD5 47525835277ed2fa81f8dd1ae24db6df
File type audio/mpeg
Offset 266240
Size 1803424
Entropy 8.00
PE imports
GetStdHandle
FileTimeToSystemTime
WaitForSingleObject
FindNextFileA
EncodePointer
GetFileAttributesW
SystemTimeToTzSpecificLocalTime
DeleteCriticalSection
GetCurrentProcess
OpenFileMappingW
GetConsoleMode
FreeEnvironmentStringsW
InitializeSListHead
GetLocaleInfoW
SetStdHandle
SetFilePointerEx
GetCPInfo
WriteFile
GetSystemTimeAsFileTime
HeapReAlloc
GetStringTypeW
GetExitCodeProcess
InitializeCriticalSection
AllocConsole
TlsGetValue
MoveFileW
SetFileAttributesW
SetLastError
GetSystemTime
DeviceIoControl
RemoveDirectoryW
IsDebuggerPresent
ExitProcess
GetModuleFileNameA
QueryPerformanceFrequency
LoadLibraryExA
SetThreadPriority
FindClose
UnhandledExceptionFilter
LoadLibraryExW
MultiByteToWideChar
GetLocalTime
FoldStringW
GetFullPathNameW
CreateThread
SetEnvironmentVariableW
MoveFileExW
GetSystemDirectoryW
CreateSemaphoreW
IsProcessorFeaturePresent
TzSpecificLocalTimeToSystemTime
TerminateProcess
SetUnhandledExceptionFilter
GetModuleHandleExW
SetCurrentDirectoryW
GlobalAlloc
LocalFileTimeToFileTime
SetEndOfFile
GetCurrentThreadId
GetNumberFormatW
WriteConsoleW
InitializeCriticalSectionAndSpinCount
HeapFree
EnterCriticalSection
LoadLibraryW
GetVersionExW
FreeLibrary
QueryPerformanceCounter
GetTickCount
TlsAlloc
VirtualProtect
FlushFileBuffers
RtlUnwind
DecodePointer
GetDateFormatW
GetStartupInfoW
CreateDirectoryW
DeleteFileW
GetProcAddress
GetProcessHeap
CreateFileMappingW
GetTimeFormatW
GetModuleFileNameW
ExpandEnvironmentStringsW
FindFirstFileExA
FindNextFileW
ResetEvent
FreeConsole
FindFirstFileW
SetEvent
GetProcessAffinityMask
CreateEventW
CreateFileW
GetFileType
TlsSetValue
HeapAlloc
LeaveCriticalSection
GetLastError
AttachConsole
SystemTimeToFileTime
LCMapStringW
GetShortPathNameW
GetSystemInfo
GetConsoleCP
FindResourceW
CompareStringW
GetEnvironmentStringsW
IsDBCSLeadByte
VirtualQuery
FileTimeToLocalFileTime
GetCurrentDirectoryW
GetCurrentProcessId
SetFileTime
GetCommandLineW
WideCharToMultiByte
HeapSize
GetCommandLineA
RaiseException
ReleaseSemaphore
MapViewOfFile
TlsFree
SetFilePointer
ReadFile
CloseHandle
GetACP
GetModuleHandleW
SetThreadExecutionState
GetLongPathNameW
IsValidCodePage
UnmapViewOfFile
GetTempPathW
Sleep
GetOEMCP
CreateHardLinkW
Number of PE resources by type
RT_STRING 9
RT_DIALOG 4
RT_ICON 4
RT_MANIFEST 1
RT_BITMAP 1
RT_GROUP_ICON 1
Number of PE resources by language
ENGLISH US 20
PE resources
Debug information
ExifTool file metadata
MIMEType application/octet-stream
Subsystem Windows GUI
MachineType Intel 386 or later, and compatibles
FileTypeExtension exe
TimeStamp 2016:08:14 20:15:59+01:00
FileType Win32 EXE
PEType PE32
CodeSize 186880
LinkerVersion 14.0
EntryPoint 0x1c445
InitializedDataSize 204800
SubsystemVersion 5.1
ImageVersion 0.0
OSVersion 5.1
UninitializedDataSize 0
CarbonBlack
While monitoring an end-user machine in-the-wild, CarbonBlack noticed the following files in execution wrote this sample to disk.
Execution parents
Compressed bundles
File identification
MD5 d9b60ed6703883e75eb6776ee7f49927
SHA1 08b34a89771256e0ceb77c1b7d0a3dc3513ae724
SHA256 6d1532e659c11e055029fc181521470e0d60e5433f6ecd05c5df1a17cc1e301a
ssdeep 49152:lDkMfABANDmvapkzWTCzVT3ZX+YtEOIYgNdn0:ZhJM0aRzgl0
authentihash 3e8e14ec7dc557f9db21f9646c49efef14efd182ed67f762cdcdfa6a49d5ab4f
imphash 027ea80e8125c6dda271246922d4c3b0
File size 2.0 MB ( 2069664 bytes )
File type Win32 EXE
Magic literal PE32 executable for MS Windows (GUI) Intel 80386 32-bit
TrID Win64 Executable (generic) (64.6%)
Win32 Dynamic Link Library (generic) (15.4%)
Win32 Executable (generic) (10.5%)
Generic Win/DOS Executable (4.6%)
DOS Executable Generic (4.6%)
Tags peexe via-tor signed overlay
VirusTotal metadata
First submission 2016-08-17 19:23:10 UTC ( 12 months ago )
Last submission 2017-08-02 07:44:05 UTC ( 2 weeks, 1 day ago )
File names winrar-11-jetelecharge.exe
wrar540fr_2.exe
winrar-11-jetelecharge.exe
winrar-w32-5.40-fr.exe
wrar540fr.exe
winrar_w32_5.40_fr.exe
wrar540fr.exe
wrar540fr (1).exe
wrar540fr(Zip).exe
winrar-11-jetelecharge.exe
winrar-w32-5.40fr.exe
wrar540fr.exe
wrar540fr(1).exe
winrar.exe
WinRAR v5.40 win32 bit fr Setup.exe
wrar540fr.exe
winrar-32-bits_5-40_fr_9632(1).exe
winrar-32-bits_5-40_fr_9632.exe
d210.cdn.m6web.fr.bin
Condensed report! The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.
Opened files
Read files
Runtime DLLs