SHA256: 7a52e02c902afb7e8a747e256300008720e80ca656766d05f340d76788c39375
File name: Robocopy.exe
Detection ratio: 0 / 63
Analysis date: 2017-08-08 16:40:57 UTC ( 1 week, 2 days ago )
Antivirus Result Update
Ad-Aware 20170808
AegisLab 20170808
AhnLab-V3 20170808
Alibaba 20170808
ALYac 20170808
Antiy-AVL 20170808
Arcabit 20170808
Avast 20170808
AVG 20170808
Avira (no cloud) 20170808
AVware 20170808
Baidu 20170808
BitDefender 20170808
Bkav 20170807
CAT-QuickHeal 20170808
ClamAV 20170808
CMC 20170808
Comodo 20170808
CrowdStrike Falcon (ML) 20170710
Cylance 20170808
Cyren 20170808
DrWeb 20170808
Emsisoft 20170808
Endgame 20170721
ESET-NOD32 20170808
F-Prot 20170808
F-Secure 20170808
Fortinet 20170808
GData 20170808
Ikarus 20170808
Sophos ML 20170607
Jiangmin 20170808
K7AntiVirus 20170808
K7GW 20170808
Kaspersky 20170808
Kingsoft 20170808
Malwarebytes 20170808
MAX 20170808
McAfee 20170808
McAfee-GW-Edition 20170808
Microsoft 20170808
eScan 20170808
NANO-Antivirus 20170808
nProtect 20170807
Palo Alto Networks (Known Signatures) 20170808
Panda 20170808
Qihoo-360 20170808
Rising 20170808
SentinelOne (Static ML) 20170806
Sophos AV 20170808
SUPERAntiSpyware 20170808
Symantec 20170808
Symantec Mobile Insight 20170808
Tencent 20170808
TheHacker 20170807
TrendMicro-HouseCall 20170808
Trustlook 20170808
VBA32 20170808
VIPRE 20170808
ViRobot 20170808
Webroot 20170808
WhiteArmor 20170731
Yandex 20170807
Zillya 20170807
ZoneAlarm by Check Point 20170808
Zoner 20170808
The file being studied is a Portable Executable (PE) file. More specifically, it is a console-subsystem EXE that targets 64-bit (x64) architectures, i.e. a PE32+ image.
Authenticode signature block and FileVersionInfo properties
Copyright
Copyright © 1995-2004

Product Microsoft Robocopy
Original name robocopy.exe
Internal name robocopy
File version 5, 1, 10, 1027
Description robocopy
Signature verification Signed file, verified signature (the signer and timestamp leaf certificates had expired by the analysis date, which is why the chain entries below report "not time valid"; the signature is still accepted because it carries a countersignature timestamp from the signing date below, and Authenticode judges the certificate chains as of that time rather than the verification time)
Signing date 8:37 PM 11/20/2010
Signers
[+] Microsoft Windows
Status This certificate or one of the certificates in the certificate chain is not time valid.
Issuer Microsoft Windows Verification PCA
Valid from 10:57 PM 12/7/2009
Valid to 10:57 PM 3/7/2011
Valid usage Code Signing, NT5 Crypto
Algorithm sha1RSA
Thumbprint 02ECEEA9D5E0A9F3E39B6F4EC3F7131ED4E352C4
Serial number 61 15 23 0F 00 00 00 00 00 0A
[+] Microsoft Windows Verification PCA
Status This certificate or one of the certificates in the certificate chain is not time valid.
Issuer Microsoft Root Certificate Authority
Valid from 10:55 PM 9/15/2005
Valid to 11:05 PM 3/15/2016
Valid usage Code Signing, NT5 Crypto
Algorithm sha1RSA
Thumbprint 5DF0D7571B0780783960C68B78571FFD7EDAF021
Serial number 61 07 02 DC 00 00 00 00 00 0B
[+] Microsoft Root Certificate Authority
Status Valid
Issuer Microsoft Root Certificate Authority
Valid from 12:19 AM 5/10/2001
Valid to 12:28 AM 5/10/2021
Valid usage All
Algorithm sha1RSA
Thumbprint CDD4EEAE6000AC7F40C3802C171E30148030C072
Serial number 79 AD 16 A1 4A A0 A5 AD 4C 73 58 F4 07 13 2E 65
Counter signers
[+] Microsoft Time-Stamp Service
Status This certificate or one of the certificates in the certificate chain is not time valid.
Issuer Microsoft Time-Stamp PCA
Valid from 8:12 PM 7/25/2008
Valid to 8:22 PM 7/25/2011
Valid usage Timestamp Signing
Algorithm sha1RSA
Thumbprint 56E832A33DDC8CF2C916DA7CBB1175CBACABAE2C
Serial number 61 03 DC F6 00 00 00 00 00 0C
[+] Microsoft Time-Stamp PCA
Status Valid
Issuer Microsoft Root Certificate Authority
Valid from 1:53 PM 4/3/2007
Valid to 2:03 PM 4/3/2021
Valid usage Timestamp Signing
Algorithm sha1RSA
Thumbprint 375FCB825C3DC3752A02E34EB70993B4997191EF
Serial number 61 16 68 34 00 00 00 00 00 1C
[+] Microsoft Root Certificate Authority
Status Valid
Issuer Microsoft Root Certificate Authority
Valid from 12:19 AM 5/10/2001
Valid to 12:28 AM 5/10/2021
Valid usage All
Algorithm sha1RSA
Thumbprint CDD4EEAE6000AC7F40C3802C171E30148030C072
Serial number 79 AD 16 A1 4A A0 A5 AD 4C 73 58 F4 07 13 2E 65
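The chain entries above report "not time valid" for the leaf certificates while the signature as a whole is reported as verified. The Python script below is an added illustration, not part of the VirusTotal report or of any Microsoft tooling: it replays the Authenticode time rule over the validity windows printed above, using the countersignature date as the reference time. It is a deliberately simplified model (assumption: certificate chaining, revocation and the PKCS#7 signature itself are treated as already checked, and time zones are ignored); the certificate names and dates are the ones listed on this page.

```python
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Cert:
    subject: str
    not_before: datetime
    not_after: datetime

    def time_valid(self, at: datetime) -> bool:
        return self.not_before <= at <= self.not_after


# Validity windows copied from the report above (times as printed, timezone ignored).
ROOT = Cert("Microsoft Root Certificate Authority",
            datetime(2001, 5, 10, 0, 19), datetime(2021, 5, 10, 0, 28))
SIGNER_CHAIN = (
    Cert("Microsoft Windows",
         datetime(2009, 12, 7, 22, 57), datetime(2011, 3, 7, 22, 57)),
    Cert("Microsoft Windows Verification PCA",
         datetime(2005, 9, 15, 22, 55), datetime(2016, 3, 15, 23, 5)),
    ROOT,
)
TIMESTAMP_CHAIN = (
    Cert("Microsoft Time-Stamp Service",
         datetime(2008, 7, 25, 20, 12), datetime(2011, 7, 25, 20, 22)),
    Cert("Microsoft Time-Stamp PCA",
         datetime(2007, 4, 3, 13, 53), datetime(2021, 4, 3, 14, 3)),
    ROOT,
)
SIGNING_TIME = datetime(2010, 11, 20, 20, 37)     # countersignature ("Signing date")
ANALYSIS_TIME = datetime(2017, 8, 8, 16, 40, 57)  # VirusTotal analysis date


def expired_certs(chain, at):
    """Subjects in `chain` that are outside their validity window at time `at`."""
    return [c.subject for c in chain if not c.time_valid(at)]


def evaluate_signature(signer_chain, timestamp_chain, signing_time, now):
    """Simplified Authenticode time-validity rule (assumption: chaining, revocation
    and the PKCS#7 cryptography are already verified and out of scope here).

    Without a countersignature the signer chain is judged at `now`. With one, the
    timestamp chain must have been valid at `signing_time`, and the signer chain
    is then judged at `signing_time` instead of `now`. That is why a signature
    whose certificates have since expired still verifies.
    """
    if signing_time is None:
        expired = expired_certs(signer_chain, now)
        return {"verified": not expired, "judged_at": now, "expired": expired}

    bad_timestamp = expired_certs(timestamp_chain, signing_time)
    if bad_timestamp:
        return {"verified": False, "judged_at": signing_time, "expired": bad_timestamp,
                "reason": "timestamp chain not valid at signing time"}

    expired = expired_certs(signer_chain, signing_time)
    return {"verified": not expired, "judged_at": signing_time, "expired": expired}


if __name__ == "__main__":
    print("signer certs expired at analysis time:",
          expired_certs(SIGNER_CHAIN, ANALYSIS_TIME))
    print("with countersignature:",
          evaluate_signature(SIGNER_CHAIN, TIMESTAMP_CHAIN, SIGNING_TIME, ANALYSIS_TIME))
    print("without countersignature:",
          evaluate_signature(SIGNER_CHAIN, TIMESTAMP_CHAIN, None, ANALYSIS_TIME))
```

Run as-is, the script shows that at the 2017 analysis date two of the three signer certificates and the timestamp leaf are outside their windows, yet the signature verifies because every certificate was valid on 2010-11-20; strip the countersignature and the same chain fails. The practical consequence for a practitioner is that "verified signature" on a years-old binary says nothing about whether the certificate is still usable for signing today, only that it was valid when the timestamp was issued.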
PE header basic information
Target machine x64
Compilation timestamp 2010-11-20 09:28:39
Entry Point 0x0001844C
Number of sections 5
PE sections
PE imports
ReadEncryptedFileRaw
GetNamedSecurityInfoW
RegDeleteValueW
RegCloseKey
OpenProcessToken
GetUserNameW
RegCreateKeyExW
RegSetValueExW
GetSecurityDescriptorControl
RegQueryValueExW
OpenEncryptedFileRawW
AdjustTokenPrivileges
WriteEncryptedFileRaw
LookupPrivilegeValueW
EncryptFileW
CloseEncryptedFileRaw
DecryptFileW
SetNamedSecurityInfoW
GetStdHandle
GetConsoleOutputCP
FileTimeToSystemTime
SubmitThreadpoolWork
WaitForSingleObject
GetFileAttributesW
GetLocalTime
GetCurrentProcess
GetConsoleMode
GetVolumeInformationW
SetErrorMode
GetFileInformationByHandle
GetFileTime
WideCharToMultiByte
GetSystemTimeAsFileTime
LocalFree
FormatMessageW
ResumeThread
SetWaitableTimer
CloseThreadpoolWork
FindClose
TlsGetValue
FindNextChangeNotification
SetFileAttributesW
SetLastError
GetSystemTime
OpenThread
RemoveDirectoryW
ExitProcess
CloseThreadpoolCleanupGroupMembers
HeapSetInformation
SetThreadPriority
RtlVirtualUnwind
UnhandledExceptionFilter
GetFullPathNameW
CreateThread
GetExitCodeThread
SetUnhandledExceptionFilter
ExitThread
TerminateProcess
FindCloseChangeNotification
GetVersion
LocalFileTimeToFileTime
CreateThreadpoolWork
GetCurrentThreadId
InitializeSRWLock
SleepEx
WriteConsoleW
HeapFree
DeviceIoControl
SetEvent
QueryPerformanceCounter
GetTickCount
TlsAlloc
lstrcmpiW
AcquireSRWLockExclusive
OpenProcess
CreateDirectoryW
DeleteFileW
WaitForMultipleObjects
GetProcessHeap
CreateWaitableTimerW
CompareStringW
CreateThreadpool
ExpandEnvironmentStringsW
FindNextFileW
BackupWrite
RtlLookupFunctionEntry
HeapValidate
FindFirstFileW
ReleaseSRWLockExclusive
lstrcmpW
FindFirstFileExW
CreateEventW
CreateFileW
GetFileType
TlsSetValue
HeapAlloc
GetLastError
SystemTimeToFileTime
GlobalFree
SetThreadpoolThreadMaximum
CreateThreadpoolCleanupGroup
WaitForSingleObjectEx
lstrlenW
FindFirstChangeNotificationW
CompareFileTime
GetCurrentProcessId
SetFileTime
HeapSize
BackupRead
CopyFileExW
QueryPerformanceFrequency
PrivCopyFileExW
RtlCaptureContext
CloseHandle
GetModuleHandleW
SetThreadUILanguage
Sleep
Ord(1379)
Ord(2629)
Ord(1483)
Ord(3830)
Ord(5933)
Ord(445)
Ord(6886)
Ord(6880)
Ord(4234)
Ord(624)
Ord(4523)
Ord(1262)
Ord(626)
Ord(6050)
Ord(1264)
Ord(940)
Ord(620)
Ord(1259)
Ord(1287)
Ord(5949)
Ord(2783)
Ord(6887)
Ord(1869)
Ord(4436)
Ord(1122)
Ord(1040)
Ord(1126)
Ord(1353)
LoadStringW
WSACleanup
__wgetmainargs
malloc
wprintf
memset
fclose
__dllonexit
swprintf_s
_setmode
printf
??_V@YAXPEAX@Z
fflush
_fmode
_vsnwprintf
_cexit
?terminate@@YAXXZ
__C_specific_handler
clock
_lock
??1type_info@@UEAA@XZ
_onexit
_get_osfhandle
exit
_XcptFilter
_fileno
fwprintf_s
__setusermatherr
_amsg_exit
_unlock
_wcsnicmp
_commode
free
__CxxFrameHandler3
_wfopen
fwprintf
_errno
_exit
ctime
??_U@YAPEAX_K@Z
_wsetlocale
fputws
__iob_func
memcpy
time
fprintf
_initterm
fgetws
__set_app_type
NtQuerySecurityObject
NtSetSecurityObject
RtlGetControlSecurityDescriptor
RtlGetSaclSecurityDescriptor
RtlGetDaclSecurityDescriptor
NtSetInformationProcess
RtlNtStatusToDosError
RtlSetControlSecurityDescriptor
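The "imphash" listed under File identification further down is derived from exactly this import table. The Python below is an added worked example of how that value is computed; it is not VirusTotal's or pefile's code. Because the import list on this page does not say which DLL each symbol comes from, the sample table is constructed for illustration and does not reproduce Robocopy's real imphash; the ordinal-name lookup table is likewise a small assumed subset of the one real tools ship.

```python
import hashlib
import re

# Partial ordinal-to-name table for DLLs whose exports are usually imported by
# ordinal.  pefile carries a much larger table; these entries are an assumption
# sufficient for the demo.
ORDINAL_NAMES = {
    "ws2_32": {115: "WSAStartup", 116: "WSACleanup"},
    "wsock32": {115: "WSAStartup", 116: "WSACleanup"},
}

# Constructed import table (dll, function name or None, ordinal or None).  The
# DLL assignments are illustrative: the page's import list does not say which
# library each symbol comes from, so this is NOT Robocopy's real table.
SAMPLE_IMPORTS = [
    ("KERNEL32.dll", "CreateFileW", None),
    ("KERNEL32.dll", "BackupRead", None),
    ("ADVAPI32.dll", "AdjustTokenPrivileges", None),
    ("msvcrt.dll", "malloc", None),
    ("WS2_32.dll", None, 116),      # imported by ordinal, resolvable by table
    ("SOMELIB.dll", None, 1379),    # imported by ordinal, unknown library
]


def normalize_dll(dll):
    """Lower-case the module name and drop a .dll/.ocx/.sys suffix."""
    return re.sub(r"\.(dll|ocx|sys)$", "", dll.lower())


def import_entries(imports):
    """One 'module.function' token per import, in import-table order."""
    tokens = []
    for dll, func, ordinal in imports:
        lib = normalize_dll(dll)
        if func is None:
            # Ordinal import: use the known name if the table has it, else ordN.
            func = ORDINAL_NAMES.get(lib, {}).get(ordinal, f"ord{ordinal}")
        tokens.append(f"{lib}.{func.lower()}")
    return tokens


def imphash_string(imports):
    """The exact string that gets hashed (useful when diffing two samples)."""
    return ",".join(import_entries(imports))


def imphash(imports):
    """MD5 of the comma-joined, normalized import list."""
    return hashlib.md5(imphash_string(imports).encode("ascii")).hexdigest()


if __name__ == "__main__":
    print(imphash_string(SAMPLE_IMPORTS))
    print(imphash(SAMPLE_IMPORTS))
```

Two properties matter when using imphash to cluster samples: the value is order-sensitive (the same imports linked in a different order give a different hash, which is what makes it useful for spotting a shared build toolchain) and it is case-insensitive in both DLL and function names. The ordinal-only imports on this page (Ord(1379), Ord(2629), ...) become opaque ordN tokens unless the lookup table knows the library, so imphash values for ordinal-heavy binaries can differ between tools that ship different ordinal tables.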
Number of PE resources by type
RT_MANIFEST 1
MUI 1
RT_VERSION 1
Number of PE resources by language
ENGLISH US 3
PE resources
Debug information
ExifTool file metadata
SubsystemVersion 6.1
LinkerVersion 9.0
ImageVersion 6.1
FileSubtype 0
FileVersionNumber 5.1.10.1027
UninitializedDataSize 0
LanguageCode English (U.S.)
FileFlagsMask 0x001f
CharacterSet Unicode
InitializedDataSize 411648
EntryPoint 0x1844c
OriginalFileName robocopy.exe
MIMEType application/octet-stream
LegalCopyright Copyright 1995-2004
FileVersion 5, 1, 10, 1027
TimeStamp 2010:11:20 10:28:39+01:00
FileType Win64 EXE
PEType PE32+
InternalName robocopy
ProductVersion XP027
FileDescription robocopy
OSVersion 6.1
FileOS Windows NT 32-bit
Subsystem Windows command line
MachineType AMD AMD64
CompanyName Microsoft
CodeSize 117760
ProductName Microsoft Robocopy
ProductVersionNumber 5.1.0.0
FileTypeExtension exe
ObjectFileType Executable application

File identification
MD5 0a551ccdef9d6f99a008b5b075354650
SHA1 66fcd83002af4744afdf1ca172f986cd54374489
SHA256 7a52e02c902afb7e8a747e256300008720e80ca656766d05f340d76788c39375
ssdeep 3072:NKp2hJQTZGB5UQYlmmZcK4am9GGo0cKqQhnWzb9V0S+rydY:Ip2hSTZGB5SmmZcKDh0cu4Yyd
authentihash f71472ed31662a7cc596139ee3dbc218c11ac3038e558496245f020daaa1d626
imphash 7a4328f64196400ca2ab6c1c7ce59ce6
File size 125.0 KB ( 128000 bytes )
File type Win32 EXE
Magic literal PE32+ executable for MS Windows (console) Mono/.Net assembly
TrID Win64 Executable (generic) (87.3%)
Generic Win/DOS Executable (6.3%)
DOS Executable Generic (6.3%)
Tags 64bits peexe assembly signed
VirusTotal metadata
First submission 2011-10-12 18:53:35 UTC ( 5 years, 10 months ago )
Last submission 2017-08-08 16:40:57 UTC ( 1 week, 2 days ago )
File names d1037caff4ecd04597e790d5e811f26f.tmp
path_hash-e1c1b57232210dc0d8cd7239998fbbe0177ed56890c22511ce6b886375a34e4f
fd39a488b15e663a724cb528eb2e49d4a5e09235.exe
bitdb3b.tmp
54e57add3408ff449207e6f95c6c4865.tmp
bita17.tmp
bitdd71.tmp
msl-5652-2860
bit1cad.tmp
e7dfb8c2311e6c45add64955cb797778.tmp
bitb7d.tmp
206d2ec34b20164cbfdb739c9b3eee48.tmp
msl-6920-1436
d4f56b65bde2b849b1dfd34d6ae17b84.tmp
Robocopy.exe
bit73b3.tmp
66785a332b220545b59ee0259f8c2755.tmp
bitbbab.tmp
robocopy.ex_
879d617aaa0cb942aebfb578273e2cec.tmp
wim2f7b.tmp
msl-5616-3539
robocopy.exe
bit5f6b.tmp
msl-4920-3705
Advanced heuristic and reputation engines
Symantec reputation Suspicious.Insight