SHA256: 7eeb035c7c629c55baeec0984a36059fc0e596828413671f3ecc85d1f4666bdf
File name: mod_cgi.so
Detection ratio: 0 / 46
Analysis date: 2013-03-04 13:32:56 UTC ( 6 years, 1 month ago )
Antivirus Result Update
Yandex 20130304
AhnLab-V3 20130304
AntiVir 20130304
Antiy-AVL 20130304
Avast 20130304
AVG 20130304
BitDefender 20130304
ByteHero 20130304
CAT-QuickHeal 20130304
ClamAV 20130304
Commtouch 20130304
Comodo 20130304
DrWeb 20130304
Emsisoft 20130304
eSafe 20130211
ESET-NOD32 20130304
F-Prot 20130304
F-Secure 20130304
Fortinet 20130304
GData 20130304
Ikarus 20130226
Jiangmin 20130304
K7AntiVirus 20130301
Kaspersky 20130304
Kingsoft 20130304
Malwarebytes 20130304
McAfee 20130304
McAfee-GW-Edition 20130304
Microsoft 20130304
eScan 20130304
NANO-Antivirus 20130304
Norman 20130303
nProtect 20130304
Panda 20130303
PCTools 20130304
Rising 20130304
Sophos AV 20130304
SUPERAntiSpyware 20130304
Symantec 20130304
TheHacker 20130302
TotalDefense 20130304
TrendMicro 20130304
TrendMicro-HouseCall 20130304
VBA32 20130304
VIPRE 20130304
ViRobot 20130304
The file being studied is a Portable Executable file! More specifically, it is a Win32 DLL file for the Windows GUI subsystem.
FileVersionInfo properties
Copyright
Copyright 2013 The Apache Software Foundation.

Publisher Apache Software Foundation
Product Apache HTTP Server
Original name mod_cgi.so
Internal name mod_cgi.so
File version 2.4.4
Description cgi_module for Apache
Comments Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2013-02-23 12:03:38
Entry Point 0x00002D60
Number of sections 5
PE sections
PE imports
GetCurrentProcess
TerminateProcess
QueryPerformanceCounter
DecodePointer
GetCurrentProcessId
InterlockedExchange
SetUnhandledExceptionFilter
UnhandledExceptionFilter
IsDebuggerPresent
GetTickCount
DisableThreadLibraryCalls
GetSystemTimeAsFileTime
Sleep
GetCurrentThreadId
InterlockedCompareExchange
EncodePointer
_amsg_exit
_malloc_crt
_unlock
_crt_debugger_hook
_lock
strchr
__dllonexit
_stricmp
_except_handler4_common
atoi
_encoded_null
free
atol
__CppXcptFilter
strncmp
_initterm
_onexit
_initterm_e
memcpy
__clean_type_info_names_internal
_apr_file_flush@4
_apr_file_gets@12
_apr_procattr_dir_set@8
apr_file_printf
_apr_table_elts@4
_apr_procattr_cmdtype_set@8
_apr_table_get@8
_apr_file_open@20
_apr_ctime@12
_apr_procattr_addrspace_set@8
apr_pstrcat
_apr_file_close@4
_apr_filepath_name_get@4
_apr_procattr_child_errfn_set@8
_apr_file_write_full@16
_apr_pool_note_subprocess@12
_apr_file_open_stderr@8
_apr_file_pipe_timeout_set@12
_apr_file_write@12
_apr_table_unset@8
_apr_time_now@0
_apr_procattr_create@8
_apr_palloc@8
_apr_table_setn@12
_apr_stat@16
_apr_strerror@12
_apr_file_puts@8
_apr_procattr_io_set@16
_apr_procattr_detach_set@8
_apr_pstrdup@8
_apr_bucket_pool_create@16
_apr_bucket_eos_create@4
_apr_brigade_cleanup@4
apr_bucket_type_flush
apr_bucket_type_eos
_apr_dynamic_fn_retrieve@4
_apr_brigade_destroy@4
_apr_brigade_create@8
_apr_bucket_pipe_create@8
ap_log_rerror_
_ap_getword_nulls@12
_ap_hook_post_config@16
_ap_allow_options@4
_ap_os_escape_path@12
_ap_scan_script_header_err_brigade_ex@16
_ap_server_root_relative@8
_ap_get_brigade@24
_ap_run_sub_req@4
_ap_pass_brigade@8
_ap_make_dirstr_parent@8
_ap_destroy_sub_req@4
_ap_sub_req_lookup_uri@12
_ap_internal_redirect_handler@8
_ap_hook_handler@16
_ap_unescape_url@4
_ap_escape_logitem@8
_ap_add_cgi_vars@4
_ap_escape_shell_cmd@8
_ap_set_content_type@8
_ap_os_create_privileged_process@28
_ap_escape_html2@12
_ap_add_common_vars@4
_ap_create_environment@8
PE exports
Number of PE resources by type
RT_MANIFEST 1
RT_VERSION 1
Number of PE resources by language
ENGLISH US 2
ExifTool file metadata
FileDescription
cgi_module for Apache

Comments
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

InitializedDataSize
10240

ImageVersion
0.0

ProductName
Apache HTTP Server

FileVersionNumber
2.4.4.0

UninitializedDataSize
0

LanguageCode
English (U.S.)

FileFlagsMask
0x003f

CharacterSet
Unicode

LinkerVersion
10.0

OriginalFilename
mod_cgi.so

MIMEType
application/octet-stream

Subsystem
Windows GUI

FileVersion
2.4.4

TimeStamp
2013:02:23 13:03:38+01:00

FileType
Win32 DLL

PEType
PE32

InternalName
mod_cgi.so

ProductVersion
2.4.4

SubsystemVersion
5.1

OSVersion
5.1

FileOS
Win32

LegalCopyright
Copyright 2013 The Apache Software Foundation.

MachineType
Intel 386 or later, and compatibles

CompanyName
Apache Software Foundation

CodeSize
9216

FileSubtype
0

ProductVersionNumber
2.4.4.0

EntryPoint
0x2d60

ObjectFileType
Dynamic link library

CarbonBlack
While monitoring an end-user machine in-the-wild, CarbonBlack noticed the following files in execution wrote this sample to disk.
Compressed bundles
File identification
MD5 abe48a6e3d028befd0f6a9cdb90d9f35
SHA1 5052ddb4ef65f51874b94d73fea83ab39f12100b
SHA256 7eeb035c7c629c55baeec0984a36059fc0e596828413671f3ecc85d1f4666bdf
ssdeep
384:635UapKm0vfBMh7Ykoq1y55eWnPV5JqQau:c5UaptefB67YkVWndfqQ

File size 20.0 KB ( 20480 bytes )
File type Win32 DLL
Magic literal
MS-DOS executable PE for MS Windows (DLL) (GUI) Intel 80386 32-bit

TrID Win32 Executable Generic (68.0%)
Generic Win/DOS Executable (15.9%)
DOS Executable Generic (15.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
Tags
pedll

VirusTotal metadata
First submission 2013-03-04 13:32:56 UTC ( 6 years, 1 month ago )
Last submission 2013-03-04 13:32:56 UTC ( 6 years, 1 month ago )
File names mod_cgi.so
mod_cgi.so
mod_cgi.so
da2de3d3-a1cc-e8f6-2a5e-0406e9d5c6db_1d26c24573604fb
mod_cgi 2.so
mod_cgi.so
mod_cgi.so
mod_cgi.so
mod_cgi.so