× Cookies are disabled! This site requires cookies to be enabled to work properly
SHA256: 8d155dd7e6c8245a378b58f658037de7880a319e8d91650febbcbc6cf2105230
File name: AutoHotkey.exe
Detection ratio: 3 / 57
Analysis date: 2015-05-10 14:50:35 UTC ( 1 month, 3 weeks ago )
Antivirus Result Update
CAT-QuickHeal Trojan.Agen.r4 20150509
Jiangmin Trojan/Fsysna.atq 20150506
VBA32 Trojan.Fsysna 20150508
ALYac 20150510
AVG 20150510
AVware 20150510
Ad-Aware 20150510
AegisLab 20150510
Agnitum 20150510
AhnLab-V3 20150510
Alibaba 20150510
Antiy-AVL 20150508
Avast 20150510
Avira 20150519
Baidu-International 20150510
BitDefender 20150510
Bkav 20150509
ByteHero 20150510
CMC 20150508
ClamAV 20150510
Comodo 20150510
Cyren 20150510
DrWeb 20150510
ESET-NOD32 20150510
Emsisoft 20150510
F-Prot 20150510
F-Secure 20150510
Fortinet 20150510
GData 20150510
Ikarus 20150510
K7AntiVirus 20150510
K7GW 20150510
Kaspersky 20150510
Kingsoft 20150510
Malwarebytes 20150510
McAfee 20150510
McAfee-GW-Edition 20150509
MicroWorld-eScan 20150510
Microsoft 20150510
NANO-Antivirus 20150510
Norman 20150510
Panda 20150510
Qihoo-360 20150510
Rising 20150510
SUPERAntiSpyware 20150509
Sophos 20150510
Symantec 20150510
Tencent 20150510
TheHacker 20150508
TotalDefense 20150510
TrendMicro 20150510
TrendMicro-HouseCall 20150510
VIPRE 20150510
ViRobot 20150510
Zillya 20150508
Zoner 20150507
nProtect 20150508
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
Developer metadata
Copyright
Copyright (c) 2012 Steve Gray

Product AutoHotkey_L
File version 1.1.09.04
Description AutoHotkey_L Setup
Packers identified
F-PROT appended, 7Z, Unicode, UTF-8
PEiD Armadillo v1.71
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2010-11-18 18:41:55
Link date 7:41 PM 11/18/2010
Entry Point 0x0000643F
Number of sections 4
PE sections
Overlays
MD5 a8eae83d2382019ef43ad2eebf8cb8c3
File type data
Offset 47104
Size 2576030
Entropy 8.00
PE imports
GetLastError
GetModuleFileNameW
WaitForSingleObject
GetTickCount
GetStartupInfoA
GetCurrentProcessId
SetFileTime
GetCommandLineW
CreateDirectoryW
DeleteFileW
GetModuleHandleA
RemoveDirectoryW
SetFilePointer
FindNextFileW
GetTempPathW
ReadFile
FindFirstFileW
WriteFile
CreateFileW
CreateProcessW
FindClose
SetFileAttributesW
GetCurrentThreadId
CloseHandle
__p__fmode
malloc
memset
strlen
_except_handler3
wcslen
wcscmp
exit
_XcptFilter
memcmp
__setusermatherr
_controlfp
_adjust_fdiv
_acmdln
__p__commode
free
wcscat
__getmainargs
memcpy
memmove
wcscpy
_initterm
_exit
__set_app_type
ShellExecuteExW
MessageBoxA
Number of PE resources by type
RT_ICON 7
RT_MANIFEST 1
RT_VERSION 1
RT_GROUP_ICON 1
Number of PE resources by language
ENGLISH US 10
ExifTool file metadata
SubsystemVersion
4.0

LinkerVersion
6.0

ImageVersion
0.0

FileSubtype
0

FileVersionNumber
1.1.9.4

UninitializedDataSize
0

LanguageCode
English (U.S.)

FileFlagsMask
0x0000

CharacterSet
Unicode

InitializedDataSize
32768

EntryPoint
0x643f

MIMEType
application/octet-stream

Subsystem
Windows GUI

FileVersion
1.1.09.04

TimeStamp
2010:11:18 19:41:55+01:00

FileType
Win32 EXE

PEType
PE32

ProductVersion
1.1.09.04

FileDescription
AutoHotkey_L Setup

OSVersion
4.0

FileOS
Windows NT 32-bit

LegalCopyright
Copyright (c) 2012 Steve Gray

MachineType
Intel 386 or later, and compatibles

CodeSize
22016

ProductName
AutoHotkey_L

ProductVersionNumber
1.1.9.4

FileTypeExtension
exe

ObjectFileType
Executable application

CarbonBlack CarbonBlack acts as a surveillance camera for computers
While monitoring an end-user machine in-the-wild, CarbonBlack noticed the following files in execution wrote this sample to disk.
Execution parents
Compressed bundles
File identification
MD5 9917f2351bacfcc698082f52e4ce4bfc
SHA1 baf135c988dbd3f19cca92638c1b3e335455d8c5
SHA256 8d155dd7e6c8245a378b58f658037de7880a319e8d91650febbcbc6cf2105230
ssdeep
49152:2p6num0tjZN2RzhovbtYFMlusF7El8bAlHry7ozVbx8rGAFdmruk:2p6wj5uFJsF7ERHrIMKrFdK

authentihash 12b30eeb41929958d64fee09ee8ba6211ffa2b545d90509656332e2b99b10584
imphash fa4d5c869351014d1ce952f2833a7558
File size 2.5 MB ( 2623134 bytes )
File type Win32 EXE
Magic literal
PE32 executable for MS Windows (GUI) Intel 80386 32-bit

TrID Win32 Dynamic Link Library (generic) (43.5%)
Win32 Executable (generic) (29.8%)
Generic Win/DOS Executable (13.2%)
DOS Executable Generic (13.2%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
Tags
peexe armadillo overlay

VirusTotal metadata
First submission 2013-03-14 13:07:12 UTC ( 2 years, 3 months ago )
Last submission 2015-05-10 14:50:35 UTC ( 1 month, 3 weeks ago )
File names test.exe
AutoHotkey_L_Install(1).exe
2844926
2AutoHotkey_L_Install.exe
AutoHotkey_L_Install110904.exe
AutoHotkey.exe
file-5259364_exe
9917f2351bacfcc698082f52e4ce4bfc
AutoHotkey_L_Install (4).exe
AutoHotkey_L_Install_2.exe
Auto Hot Key By Palash.exe
AutoHotkey_L_Install.exe
AutoHotkey110904_Install.exe
AutoHotkey_L_Install.exe
AutoHotkey_L_Install old.exe
autohotkey_l_install.exe
AutoHotkey110904_Install.exe
AutoHotkey_L_Install (1).exe
autohotkey.exe
Auto Hot Key By Mr-Cracker.exe
output.2844926.txt
AUTOHO~1.EXE
Advanced heuristic and reputation engines
Symantec reputation Suspicious.Insight
No comments. No VirusTotal Community member has commented on this item yet, be the first one to do so!

Leave your comment...

?
Post comment

You have not signed in. Only registered users can leave comments, sign in and have a voice!

No votes. No one has voted on this item yet, be the first one to do so!