SHA256: 85e9c93b4659efb0eabe64e0643b2027349be3700b328a2ca98cedacf2eb7894
File name: Setup.exe
Detection ratio: 0 / 55
Analysis date: 2014-10-13 07:21:49 UTC ( 4 years, 4 months ago )
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
Authenticode signature block and FileVersionInfo properties
Copyright Copyright (c) OneBit IT. All rights reserved.
Publisher UA\rralfelt
Product PerforMax Cleaner
Original name Setup.exe
Internal name setup
File version 1.0.0.0
Description PerforMax Cleaner
Signature verification A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.
Signers
[+] UA\rralfelt
Status A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.
Issuer None
Valid from 9:57 PM 1/31/2014
Valid to 3:57 AM 2/1/2015
Valid usage All
Algorithm 1.2.840.113549.1.1.11
Thumbprint 66C3A1D9774D013C0AC0A61D9CB520E6B81B73F9
Serial number 54 2D A9 9F B4 90 3F 90 45 30 3C 53 57 38 F5 53
Packers identified
F-PROT CAB, UTF-8, Unicode
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2013-11-28 14:14:28
Entry Point 0x000267A5
Number of sections 7
PE sections
Overlays
MD5 6e2858ac6d6320007826c75d7cf0f604
File type data
Offset 383488
Size 2068928
Entropy 8.00
PE imports
SetSecurityDescriptorOwner
RegCreateKeyExW
RegCloseKey
OpenServiceW
AdjustTokenPrivileges
InitializeAcl
LookupPrivilegeValueW
RegDeleteKeyW
CryptHashData
CheckTokenMembership
DecryptFileW
RegQueryValueExW
CryptCreateHash
SetSecurityDescriptorDacl
CloseServiceHandle
ConvertStringSecurityDescriptorToSecurityDescriptorW
CreateWellKnownSid
OpenProcessToken
QueryServiceStatus
RegOpenKeyExW
QueryServiceConfigW
GetTokenInformation
CryptReleaseContext
GetUserNameW
RegQueryInfoKeyW
SetEntriesInAclW
RegEnumKeyExW
CryptAcquireContextW
CryptDestroyHash
InitializeSecurityDescriptor
RegDeleteValueW
RegSetValueExW
CryptGetHashParam
OpenSCManagerW
RegEnumValueW
AllocateAndInitializeSid
InitiateSystemShutdownExW
SetEntriesInAclA
ChangeServiceConfigW
SetSecurityDescriptorGroup
SetNamedSecurityInfoW
CertGetCertificateContextProperty
CryptHashPublicKeyInfo
Ord(23)
Ord(20)
Ord(22)
DeleteDC
SelectObject
GetObjectW
CreateCompatibleDC
DeleteObject
StretchBlt
GetVolumePathNameW
GetStdHandle
ReleaseMutex
WaitForSingleObject
EncodePointer
ProcessIdToSessionId
GetFileAttributesW
VerifyVersionInfoW
GetProcessId
DeleteCriticalSection
GetCurrentProcess
GetConsoleMode
LoadLibraryExW
FreeEnvironmentStringsW
SetStdHandle
GetCPInfo
InterlockedExchange
GetTempPathW
GetSystemTimeAsFileTime
HeapReAlloc
GetStringTypeW
GetExitCodeProcess
LocalFree
FormatMessageW
ConnectNamedPipe
InitializeCriticalSection
OutputDebugStringW
FindClose
TlsGetValue
SetFileAttributesW
SetLastError
GetSystemTime
CopyFileW
GetUserDefaultLangID
RemoveDirectoryW
IsDebuggerPresent
HeapAlloc
VerSetConditionMask
HeapSetInformation
UnhandledExceptionFilter
InterlockedDecrement
MultiByteToWideChar
SystemTimeToTzSpecificLocalTime
SetFilePointerEx
CreateEventW
GetFullPathNameW
CreateThread
MoveFileExW
GetSystemDirectoryW
GetExitCodeThread
SetNamedPipeHandleState
SetUnhandledExceptionFilter
CreateMutexW
IsProcessorFeaturePresent
DecodePointer
TerminateProcess
GetModuleHandleExW
SetCurrentDirectoryW
GlobalAlloc
LocalFileTimeToFileTime
SetEndOfFile
GetCurrentThreadId
LeaveCriticalSection
WriteConsoleW
GetSystemWow64DirectoryW
InitializeCriticalSectionAndSpinCount
HeapFree
EnterCriticalSection
LoadLibraryW
GetVersionExW
FreeLibrary
QueryPerformanceCounter
TlsAlloc
FlushFileBuffers
RtlUnwind
SystemTimeToFileTime
GetWindowsDirectoryW
LCMapStringW
OpenProcess
GetDateFormatW
GetStartupInfoW
SetEvent
DeleteFileW
GetProcAddress
GetProcessHeap
GetTempFileNameW
GetComputerNameW
CompareStringW
GetFileSizeEx
GetModuleFileNameW
ExpandEnvironmentStringsW
FindNextFileW
GetModuleHandleA
CreateDirectoryW
CompareStringA
FindFirstFileW
DuplicateHandle
WaitForMultipleObjects
GetTimeZoneInformation
CreateFileW
GetFileType
TlsSetValue
CreateFileA
ExitProcess
InterlockedIncrement
GetLastError
DosDateTimeToFileTime
CreateFileMappingW
CreateNamedPipeW
lstrlenA
GlobalFree
GetConsoleCP
GetThreadLocale
GetEnvironmentStringsW
lstrlenW
CreateProcessW
GetCurrentDirectoryW
GetCurrentProcessId
SetFileTime
GetCommandLineW
WideCharToMultiByte
HeapSize
CopyFileExW
InterlockedCompareExchange
GetSystemDefaultLangID
RaiseException
MapViewOfFile
TlsFree
SetFilePointer
ReadFile
CloseHandle
GetACP
GetModuleHandleW
SetThreadExecutionState
GetLocalTime
IsValidCodePage
UnmapViewOfFile
WriteFile
VirtualFree
Sleep
VirtualAlloc
GetOEMCP
ResetEvent
SysFreeString
VariantClear
VariantInit
SysAllocString
UuidCreate
SHGetFolderPathW
ShellExecuteExW
CommandLineToArgvW
GetMonitorInfoW
LoadBitmapW
DefWindowProcW
GetMessageW
PostQuitMessage
SetWindowLongW
MessageBoxW
PeekMessageW
TranslateMessage
PostMessageW
DispatchMessageW
GetCursorPos
RegisterClassW
UnregisterClassW
IsWindow
IsDialogMessageW
MonitorFromPoint
WaitForInputIdle
PostThreadMessageW
LoadCursorW
CreateWindowExW
MsgWaitForMultipleObjects
GetWindowLongW
VerQueryValueW
GetFileVersionInfoW
GetFileVersionInfoSizeW
HttpQueryInfoW
InternetConnectW
InternetReadFile
InternetCloseHandle
InternetCrackUrlW
InternetSetOptionW
HttpSendRequestW
InternetErrorDlg
InternetOpenW
HttpOpenRequestW
HttpAddRequestHeadersW
CryptCATAdminCalcHashFromFileHandle
WTHelperProvDataFromStateData
WTHelperGetProvSignerFromChain
WinVerifyTrust
Ord(190)
Ord(70)
Ord(205)
Ord(171)
Ord(45)
Ord(173)
Ord(90)
Ord(111)
Ord(125)
Ord(169)
Ord(17)
Ord(141)
Ord(116)
Ord(118)
Ord(238)
Ord(115)
Ord(8)
Ord(88)
Ord(137)
CoInitializeEx
CLSIDFromProgID
CoInitialize
CoCreateInstance
CoInitializeSecurity
CoUninitialize
CoTaskMemFree
StringFromGUID2
Number of PE resources by type
RT_VERSION 1
RT_ICON 1
RT_MANIFEST 1
RT_MESSAGETABLE 1
RT_GROUP_ICON 1
Number of PE resources by language
ENGLISH US 5
PE resources
Debug information
ExifTool file metadata
SubsystemVersion 5.1
LinkerVersion 11.0
ImageVersion 0.0
FileSubtype 0
FileVersionNumber 1.0.0.0
UninitializedDataSize 0
LanguageCode English (U.S.)
FileFlagsMask 0x003f
CharacterSet Windows, Latin1
InitializedDataSize 147456
EntryPoint 0x267a5
OriginalFileName Setup.exe
MIMEType application/octet-stream
LegalCopyright Copyright (c) OneBit IT. All rights reserved.
FileVersion 1.0.0.0
TimeStamp 2013:11:28 15:14:28+01:00
FileType Win32 EXE
PEType PE32
InternalName setup
ProductVersion 1.0.0.0
FileDescription PerforMax Cleaner
OSVersion 5.1
FileOS Win32
Subsystem Windows GUI
MachineType Intel 386 or later, and compatibles
CompanyName OneBit IT
CodeSize 235008
ProductName PerforMax Cleaner
ProductVersionNumber 1.0.0.0
FileTypeExtension exe
ObjectFileType Executable application

CarbonBlack
While monitoring an end-user machine in-the-wild, CarbonBlack noticed this sample wrote the following files to disk.
File identification
MD5 e9ffa3416e7837019e5f7ec8e64de487
SHA1 da82ed14ab641c39d1460430e717fa67cc2e419e
SHA256 85e9c93b4659efb0eabe64e0643b2027349be3700b328a2ca98cedacf2eb7894
ssdeep 49152:0B4XTYCYQVzAnsxYGi3vbulBVmugpKm/j0YklnqCd1//Y/2:0qnYyzAGi3vbudmTIm/jnGnqCLI+
authentihash 80d3f3254b2d9a2ebcaf1914ccc2b192275772f553cfbc853016310c21ab11da
imphash 67715e556e3a78ea78c756db800102a3
File size 2.3 MB ( 2452416 bytes )
File type Win32 EXE
Magic literal PE32 executable for MS Windows (GUI) Intel 80386 32-bit
TrID Win32 Executable MS Visual C++ (generic) (67.3%)
Win32 Dynamic Link Library (generic) (14.2%)
Win32 Executable (generic) (9.7%)
Generic Win/DOS Executable (4.3%)
DOS Executable Generic (4.3%)
Tags peexe signed overlay
VirusTotal metadata
First submission 2014-09-19 23:09:25 UTC ( 4 years, 5 months ago )
Last submission 2015-01-16 08:15:12 UTC ( 4 years, 1 month ago )
File names Setup.exe
setup.exe
setup
setup.exe
setup.exe
PerforMax Cleaner 1.0.0.0.exe
Setup.exe
Advanced heuristic and reputation engines
Symantec reputation Suspicious.Insight
Behaviour characterization
Zemana dll-injection
Condensed report! The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.
Opened files
Read files
Written files
Moved files
Deleted files
Runtime DLLs
Additional details
The file sends control codes directly to certain device drivers making use of the DeviceIoControl Windows API function.
DNS requests