SHA256: 6e24ac22f2ca5f7292982ad4b81be208c42c390bf75ff833c57a198970196b66
File name: ClearLNK.exe
Detection ratio: 0 / 56
Analysis date: 2016-11-29 19:31:01 UTC ( 1 year, 7 months ago )
Antivirus Result Update
Ad-Aware 20161129
AegisLab 20161129
AhnLab-V3 20161129
Alibaba 20161129
ALYac 20161129
Antiy-AVL 20161129
Arcabit 20161129
Avast 20161129
AVG 20161129
Avira (no cloud) 20161129
AVware 20161129
Baidu 20161129
BitDefender 20161129
Bkav 20161129
CAT-QuickHeal 20161129
ClamAV 20161129
CMC 20161129
Comodo 20161129
CrowdStrike Falcon (ML) 20161024
Cyren 20161129
DrWeb 20161129
Emsisoft 20161129
ESET-NOD32 20161129
F-Prot 20161129
F-Secure 20161129
Fortinet 20161129
GData 20161129
Ikarus 20161129
Sophos ML 20161128
Jiangmin 20161129
K7AntiVirus 20161129
K7GW 20161129
Kaspersky 20161129
Kingsoft 20161129
Malwarebytes 20161129
McAfee 20161129
McAfee-GW-Edition 20161129
Microsoft 20161129
eScan 20161129
NANO-Antivirus 20161129
nProtect 20161129
Panda 20161129
Qihoo-360 20161129
Rising 20161129
Sophos AV 20161129
SUPERAntiSpyware 20161129
Symantec 20161129
Tencent 20161129
TheHacker 20161126
TrendMicro 20161129
TrendMicro-HouseCall 20161129
Trustlook 20161129
VBA32 20161129
VIPRE 20161129
ViRobot 20161129
WhiteArmor 20161125
Yandex 20161128
Zillya 20161129
Zoner 20161129
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
FileVersionInfo properties
Copyright
Alex Dragokas

Product ClearLNK
Original name ClearLNK.exe
Internal name ClearLNK
File version 2.09.0011
Description A program for repairing shortcuts (.lnk files) damaged when the system is infected by adware and other malicious software.
Signature verification A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.
Signing date 4:44 PM 7/4/2018
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2016-11-29 19:28:52
Entry Point 0x000069C4
Number of sections 3
PE sections
Overlays
MD5 6228e513742830eb4140b531808b67c5
File type data
Offset 458752
Size 4224
Entropy 7.41
PE imports
Number of PE resources by type
CUSTOM 5
RT_ICON 3
RT_GROUP_ICON 1
RT_VERSION 1
RT_MANIFEST 1
Number of PE resources by language
ENGLISH US 6
NEUTRAL 4
RUSSIAN 1
PE resources
ExifTool file metadata
LegalTrademarks
Alex Dragokas

SubsystemVersion
4.0

LinkerVersion
6.0

ImageVersion
2.9

FileSubtype
0

FileVersionNumber
2.9.0.11

LanguageCode
English (U.S.)

FileFlagsMask
0x0000

FileDescription
A program for repairing shortcuts damaged by adware and other malicious software (Russian-language string; the Cyrillic text was lost in extraction, translation taken from the FileVersionInfo Description above).

CharacterSet
Unicode

InitializedDataSize
90112

EntryPoint
0x69c4

OriginalFileName
ClearLNK.exe

MIMEType
application/octet-stream

LegalCopyright
Alex Dragokas

FileVersion
2.09.0011

TimeStamp
2016:11:29 20:28:52+01:00

FileType
Win32 EXE

PEType
PE32

InternalName
ClearLNK

ProductVersion
2.09.0011

UninitializedDataSize
0

OSVersion
4.0

FileOS
Win32

Subsystem
Windows GUI

MachineType
Intel 386 or later, and compatibles

CompanyName
Alex Dragokas

CodeSize
372736

ProductName
ClearLNK

ProductVersionNumber
2.9.0.11

FileTypeExtension
exe

ObjectFileType
Executable application

Compressed bundles
File identification
MD5 4bd9c534e0077c2fd444e78cc13a114b
SHA1 1e345df814fb60f9f0822183690a37bed9dcc3f1
SHA256 6e24ac22f2ca5f7292982ad4b81be208c42c390bf75ff833c57a198970196b66
ssdeep
6144:mfS+LTU8u71iG+CR7TjarYHPUZDmLcTHhnLbqVWnY+60rgkXWi7WB/aggvu5zl+5:mxe/GsHPUZDmKHKKYDYABVfQD

imphash ebef775a5ab89df03d677c62a105c372
File size 452.1 KB ( 462976 bytes )
File type Win32 EXE
Magic literal
PE32 executable for MS Windows (GUI) Intel 80386 32-bit

TrID Win32 Executable Microsoft Visual Basic 6 (54.1%)
Win32 Executable MS Visual C++ (generic) (20.6%)
Win64 Executable (generic) (18.2%)
Win32 Executable (generic) (2.9%)
OS/2 Executable (generic) (1.3%)
Tags
peexe overlay

VirusTotal metadata
First submission 2016-11-29 19:31:01 UTC ( 1 year, 7 months ago )
Last submission 2018-05-20 18:02:03 UTC ( 1 month, 3 weeks ago )
File names (distinct names under which the sample was submitted)
ClearLNK.exe
clearlnk_2.9.0.11.exe
CLEARLNK_2.9.0.11.EXE
ClearLNK
Condensed report! The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.
Opened files
Read files
Created mutexes
Hooking activity
Runtime DLLs
Additional details
The file installs an application-defined hook procedure into a hook chain. A hook procedure is installed to monitor the system for certain types of events; these events are associated either with a specific thread or with all threads in the same desktop as the calling thread. This is done using the SetWindowsHook Windows API function.
UDP communications