SHA256: 71c054331ac32fb46842c6488010bd1a81eda90c131909e41eb3cee4c710fd88
File name: 1c4ca859e465e4c8d27ad3ca1eb2b926_34847-book.exe
Detection ratio: 7 / 54
Analysis date: 2016-01-19 10:05:48 UTC (2 years, 10 months ago)
Antivirus Result Update
AVG Generic.6FA 20160119
Avira (no cloud) ADWARE/FileTour.ika 20160119
Bkav W32.HfsAdware.650B 20160118
NANO-Antivirus Trojan.Win32.Agent.dxahtg 20160119
Qihoo-360 HEUR/QVM07.1.Malware.Gen 20160119
Rising PE:Malware.Generic(Thunder)!1.A1C4 [F] 20160119
VIPRE FileTour (fs) 20160119
Ad-Aware 20160119
AegisLab 20160119
Yandex 20160118
AhnLab-V3 20160119
Alibaba 20160119
ALYac 20160119
Antiy-AVL 20160119
Arcabit 20160119
Avast 20160119
Baidu-International 20160119
BitDefender 20160119
ByteHero 20160119
CAT-QuickHeal 20160119
ClamAV 20160119
CMC 20160111
Comodo 20160119
Cyren 20160119
DrWeb 20160119
Emsisoft 20160119
ESET-NOD32 20160119
F-Prot 20160119
F-Secure 20160119
Fortinet 20160119
GData 20160119
Ikarus 20160119
Jiangmin 20160119
K7AntiVirus 20160119
K7GW 20160119
Kaspersky 20160119
Malwarebytes 20160119
McAfee 20160119
McAfee-GW-Edition 20160119
Microsoft 20160119
eScan 20160119
nProtect 20160119
Panda 20160118
Sophos AV 20160119
SUPERAntiSpyware 20160119
Symantec 20160118
Tencent 20160119
TheHacker 20160119
TrendMicro 20160119
TrendMicro-HouseCall 20160119
VBA32 20160117
ViRobot 20160119
Zillya 20160118
Zoner 20160119
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
Authenticode signature block and FileVersionInfo properties
Publisher Falcon Technology
Signature verification Signed file, verified signature
Signers
[+] Falcon Technology
Status Valid
Issuer COMODO RSA Code Signing CA
Valid from 1:00 AM 1/26/2015
Valid to 12:59 AM 1/27/2016
Valid usage Code Signing
Algorithm sha256RSA
Thumbprint 9A0127F6BB895BDA7F87EF22C7797FCC82818AB4
Serial number 00 8F 8A F4 45 1E 61 CD 49 3E 2A 49 11 ED F9 94 04
[+] COMODO RSA Code Signing CA
Status Valid
Issuer COMODO RSA Certification Authority
Valid from 1:00 AM 5/9/2013
Valid to 12:59 AM 5/9/2028
Valid usage Code Signing
Algorithm sha384RSA
Thumbprint B69E752BBE88B4458200A7C0F4F5B3CCE6F35B47
Serial number 2E 7C 87 CC 0E 93 4A 52 FE 94 FD 1C B7 CD 34 AF
[+] COMODO SECURE™
Status Valid
Issuer COMODO RSA Certification Authority
Valid from 1:00 AM 1/19/2010
Valid to 12:59 AM 1/19/2038
Valid usage Server Auth, Client Auth, Email Protection, Code Signing, Timestamp Signing, EFS, IPSEC Tunnel, IPSEC User
Algorithm sha384RSA
Thumbprint AFE5D244A8D1194230FF479FE2F897BBCD7A8CB4
Serial number 4C AA F9 CA DB 63 6F E0 1F F7 4E D8 5B 03 86 9D
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2016-01-19 06:11:31
Entry Point 0x0000160B
Number of sections 5
PE sections
Overlays
MD5 3a02851e81b16f2ddb5ccd66809f626e
File type data
Offset 647168
Size 6088
Entropy 7.49
PE imports
HeapFree
GetStdHandle
LCMapStringW
SetHandleCount
TerminateThread
FreeLibrary
LCMapStringA
HeapDestroy
ExitProcess
SetFileApisToANSI
GetEnvironmentStringsW
GetModuleFileNameA
RtlUnwind
LoadLibraryA
FreeEnvironmentStringsA
GetStartupInfoA
GetEnvironmentStrings
VirtualFreeEx
LockResource
DeleteFileA
GetCurrentProcess
UnhandledExceptionFilter
LoadLibraryExW
MultiByteToWideChar
FreeEnvironmentStringsW
GetCPInfo
GetCommandLineA
GetProcAddress
GetModuleHandleA
RaiseException
ReleaseSemaphore
CreateThread
GetStringTypeA
SetFilePointer
VirtualUnlock
InterlockedExchange
WriteFile
PulseEvent
VirtualFree
GetACP
HeapReAlloc
SetHandleInformation
GetModuleHandleW
GetBinaryTypeA
SetEvent
MoveFileA
TerminateProcess
CreateEventW
WideCharToMultiByte
HeapCreate
GetStringTypeW
CreateEventA
Sleep
GetFileType
SetFileAttributesW
HeapAlloc
GetVersion
OpenEventA
VirtualAlloc
GetOEMCP
CoUninitialize
Number of PE resources by type
RT_ICON 6
RT_GROUP_ICON 3
RT_BITMAP 1
RT_MANIFEST 1
RT_VERSION 1
Number of PE resources by language
RUSSIAN 12
PE resources
ExifTool file metadata
UninitializedDataSize 0
LinkerVersion 6.0
ImageVersion 0.0
FileVersionNumber 4.29.527.1229
LanguageCode Russian
FileFlagsMask 0x0007
CharacterSet Unicode
InitializedDataSize 614400
EntryPoint 0x160b
MIMEType application/octet-stream
TimeStamp 2016:01:19 07:11:31+01:00
FileType Win32 EXE
PEType PE32
ProductVersion 4, 29, 527, 1229
SubsystemVersion 4.0
OSVersion 4.0
FileOS Unknown (0x5)
Subsystem Windows GUI
MachineType Intel 386 or later, and compatibles
CodeSize 28672
FileSubtype 0
ProductVersionNumber 4.29.527.1294
FileTypeExtension exe
ObjectFileType Executable application
File identification
MD5 20c1beafabe4a8cc0cfaa5a74b181935
SHA1 5c2b79e8b0e3dfffdeee79269ead287a23f3641f
SHA256 71c054331ac32fb46842c6488010bd1a81eda90c131909e41eb3cee4c710fd88
ssdeep 12288:tX2ZWEVSQdBKoGhIC7cNRtoEo4WAZsscWJdifV+12lQaFm:J2ZT8Qd1GhIucLoVossczfFm
authentihash 2e0997642434572be735a0cd8774530c39360fe36e0186c4db5f70b216b48ddc
imphash e4d46c8e36537fa3bf5186489334389e
File size 637.9 KB ( 653256 bytes )
File type Win32 EXE
Magic literal PE32 executable for MS Windows (GUI) Intel 80386 32-bit
TrID Win32 Executable MS Visual C++ (generic) (67.4%)
Win32 Dynamic Link Library (generic) (14.2%)
Win32 Executable (generic) (9.7%)
Generic Win/DOS Executable (4.3%)
DOS Executable Generic (4.3%)
Tags peexe signed overlay
VirusTotal metadata
First submission 2016-01-19 10:05:48 UTC (2 years, 10 months ago)
Last submission 2016-01-19 10:05:48 UTC (2 years, 10 months ago)
File names 1c4ca859e465e4c8d27ad3ca1eb2b926_34847-book.exe
Condensed report! The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.
DNS requests
UDP communications