SHA256: 7ea537e563e0ed04d77b0d3f867e9cd29aa41116b1a16268ecfdb71f1b780515
File name: MBSTRING extension
Detection ratio: 0 / 62
Analysis date: 2017-05-02 13:52:24 UTC ( 1 year, 11 months ago )
Antivirus Result Update
Ad-Aware 20170502
AegisLab 20170502
AhnLab-V3 20170502
Alibaba 20170502
ALYac 20170502
Antiy-AVL 20170502
Arcabit 20170502
Avast 20170502
AVG 20170502
Avira (no cloud) 20170502
AVware 20170502
Baidu 20170502
BitDefender 20170502
Bkav 20170428
CAT-QuickHeal 20170502
ClamAV 20170502
CMC 20170502
Comodo 20170502
CrowdStrike Falcon (ML) 20170130
Cyren 20170502
DrWeb 20170502
Emsisoft 20170502
Endgame 20170419
ESET-NOD32 20170502
F-Prot 20170502
F-Secure 20170502
Fortinet 20170502
GData 20170502
Ikarus 20170502
Sophos ML 20170413
Jiangmin 20170502
K7AntiVirus 20170502
K7GW 20170426
Kaspersky 20170502
Kingsoft 20170502
Malwarebytes 20170502
McAfee 20170502
McAfee-GW-Edition 20170501
Microsoft 20170502
eScan 20170502
NANO-Antivirus 20170502
nProtect 20170502
Palo Alto Networks (Known Signatures) 20170502
Panda 20170502
Qihoo-360 20170502
Rising 20170429
SentinelOne (Static ML) 20170330
Sophos AV 20170502
SUPERAntiSpyware 20170502
Symantec 20170502
Symantec Mobile Insight 20170502
Tencent 20170502
TheHacker 20170429
TotalDefense 20170426
TrendMicro 20170502
TrendMicro-HouseCall 20170502
Trustlook 20170502
VBA32 20170502
VIPRE 20170502
ViRobot 20170502
Webroot 20170502
WhiteArmor 20170502
Yandex 20170428
Zillya 20170428
ZoneAlarm by Check Point 20170502
Zoner 20170502
The file being studied is a Portable Executable file! More specifically, it is a Win32 DLL file for the Windows GUI subsystem.
FileVersionInfo properties
Copyright
Copyright © 1997-2012 The PHP Group

Product PHP
Original name php_mbstring.dll
Internal name MBSTRING extension
File version 5.4.10
Description Multibyte String Functions
Comments Thanks to Tsukada Takuya, Rui Hirokawa
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2012-12-19 20:37:25
Entry Point 0x00006715
Number of sections 5
PE sections
PE imports
GetCurrentProcess
TerminateProcess
SetUnhandledExceptionFilter
GetCurrentProcessId
InterlockedExchange
QueryPerformanceCounter
UnhandledExceptionFilter
IsDebuggerPresent
Sleep
DisableThreadLibraryCalls
GetSystemTimeAsFileTime
GetTickCount
GetCurrentThreadId
InterlockedCompareExchange
_malloc_crt
malloc
realloc
memset
__dllonexit
_stricmp
fprintf
strchr
strncpy
_amsg_exit
_lock
_onexit
_encode_pointer
__clean_type_info_names_internal
exit
_decode_pointer
_crt_debugger_hook
sprintf
strtol
_unlock
_adjust_fdiv
free
_except_handler4_common
calloc
memcpy
_vsnprintf
memmove
_initterm_e
__iob_func
isspace
iscntrl
_encoded_null
__CppXcptFilter
_strnicmp
_initterm
strcmp
memchr
zend_ini_string_ex
sapi_handle_post
zend_parse_parameters
_array_init
zend_eval_stringl
zend_register_ini_entries
_estrndup
php_std_post_handler
zend_unregister_ini_entries
_safe_malloc
add_next_index_long
php_register_variable_safe
add_assoc_long_ex
zend_hash_internal_pointer_reset_ex
add_index_bool
php_info_print_table_start
_zval_dtor_func
rfc1867_post_handler
add_index_stringl
sapi_globals_id
executor_globals_id
spprintf
zend_hash_num_elements
_zval_ptr_dtor
zend_hash_get_current_data_ex
sapi_add_header_ex
php_default_treat_data
zend_call_function
_convert_to_string
sapi_module
add_assoc_zval_ex
zend_hash_del_key_or_index
zend_alter_ini_entry
OnUpdateBool
php_info_print_table_header
_zend_hash_init
ap_php_snprintf
sapi_register_post_entries
zend_register_long_constant
zend_hash_destroy
_ecalloc
display_ini_entries
php_info_print_table_end
php_trim
php_mail
OnUpdateLong
add_assoc_string_ex
zend_multibyte_set_internal_encoding
zend_hash_clean
zend_hash_exists
zend_hash_find
php_strtoupper
_zend_hash_add_or_update
php_rfc1867_set_multibyte_callbacks
php_url_decode
_efree
_erealloc
sapi_unregister_post_entry
zend_ini_boolean_displayer_cb
zend_hash_move_forward_ex
_safe_emalloc
zend_multibyte_set_functions
add_next_index_string
_estrdup
_emalloc
convert_to_long
sapi_read_standard_form_data
zend_ini_string
_zval_copy_ctor_func
add_next_index_stringl
sapi_register_treat_data
php_info_print_table_row
zend_rebuild_symbol_table
OnUpdateString
php_error_docref0
zend_make_compiled_string_description
core_globals_id
php_escape_shell_cmd
php_strtok_r
PE exports
Number of PE resources by type
RT_MANIFEST 1
RT_VERSION 1
Number of PE resources by language
ENGLISH US 2
PE resources
Debug information
ExifTool file metadata
LegalTrademarks
PHP

SubsystemVersion
5.0

Comments
Thanks to Tsukada Takuya, Rui Hirokawa

LinkerVersion
9.0

ImageVersion
5.4

FileSubtype
0

FileVersionNumber
5.4.10.0

LanguageCode
English (U.S.)

FileFlagsMask
0x003f

FileDescription
Multibyte String Functions

CharacterSet
Unicode

InitializedDataSize
985600

EntryPoint
0x6715

OriginalFileName
php_mbstring.dll

MIMEType
application/octet-stream

LegalCopyright
Copyright 1997-2012 The PHP Group

FileVersion
5.4.10

URL
http://www.php.net

TimeStamp
2012:12:19 21:37:25+01:00

FileType
Win32 DLL

PEType
PE32

InternalName
MBSTRING extension

ProductVersion
5.4.10

UninitializedDataSize
0

OSVersion
5.0

FileOS
Win32

Subsystem
Windows GUI

MachineType
Intel 386 or later, and compatibles

CompanyName
The PHP Group

CodeSize
223232

ProductName
PHP

ProductVersionNumber
5.4.10.0

FileTypeExtension
dll

ObjectFileType
Dynamic link library

CarbonBlack CarbonBlack acts as a surveillance camera for computers
While monitoring an end-user machine in-the-wild, CarbonBlack noticed the following files in execution wrote this sample to disk.
Compressed bundles
File identification
MD5 05e8678e0fbd5e5df998839c577c6e11
SHA1 76b85c7e167c21d760a24596e7dfe947fbb5b988
SHA256 7ea537e563e0ed04d77b0d3f867e9cd29aa41116b1a16268ecfdb71f1b780515
ssdeep
24576:53l4XWMPfzB9fnVAgg2zP0SGfwhKuEUqaOrbNRS+UA8j8:FSznzPT+wFEBrbNRS

authentihash 58afe724efbeffec4a74d247e6c7e14acc9ffc0b77d7cf9395410c6252479e9d
imphash 534cf0edfcf8b44714c9cacff10230a4
File size 1.2 MB ( 1209856 bytes )
File type Win32 DLL
Magic literal
PE32 executable for MS Windows (DLL) (GUI) Intel 80386 32-bit

TrID Win64 Executable (generic) (64.6%)
Win32 Dynamic Link Library (generic) (15.4%)
Win32 Executable (generic) (10.5%)
Generic Win/DOS Executable (4.6%)
DOS Executable Generic (4.6%)
Tags
pedll

VirusTotal metadata
First submission 2013-04-29 13:54:48 UTC ( 5 years, 12 months ago )
Last submission 2013-04-29 13:54:48 UTC ( 5 years, 12 months ago )
File names php_b47f.rra
php_d200.rra
php_3d0f.rra
php_mbstring.dll
php_13df.rra
php_mbstring.dll
7EA537E563E0ED04D77B0D3F867E9CD29AA41116B1A16268ECFDB71F1B780515
php_mbstring.dll
MBSTRING extension
php_ecc4.rra
php_a044.rra
php_mbstring.dll
vt-upload-ql_th
7EA537E563E0ED04D77B0D3F867E9CD29AA41116B1A16268ECFDB71F1B780515
_02284EA5FA00465BB5CB7419F69AC9BA