SHA256: 92d08160791d5f7b941e57193cac72fe245e67b6c81d0fbac78b906f04444454
File name: 973fb4955add4ca88d4b661dfdaf6edc
Detection ratio: 1 / 56 (one engine, and a machine-learning verdict at that; on its own weak corroboration, the revoked code-signing certificate below is the stronger indicator)
Analysis date: 2016-09-05 12:25:54 UTC (2 years, 5 months before this report was captured)
Antivirus  Result  Signature update date (a blank Result means the engine did not flag the file)
Sophos ML  virus.win32.sality.at  20160830
Ad-Aware 20160905
AegisLab 20160905
AhnLab-V3 20160905
Alibaba 20160901
ALYac 20160905
Antiy-AVL 20160905
Arcabit 20160905
Avast 20160905
AVG 20160905
Avira (no cloud) 20160905
AVware 20160905
Baidu 20160905
BitDefender 20160905
Bkav 20160905
CAT-QuickHeal 20160904
ClamAV 20160905
CMC 20160905
Comodo 20160905
Cyren 20160905
DrWeb 20160905
Emsisoft 20160905
ESET-NOD32 20160905
F-Prot 20160905
F-Secure 20160905
Fortinet 20160905
GData 20160905
Ikarus 20160905
Jiangmin 20160905
K7AntiVirus 20160905
K7GW 20160905
Kaspersky 20160905
Kingsoft 20160905
Malwarebytes 20160905
McAfee 20160905
McAfee-GW-Edition 20160904
Microsoft 20160905
eScan 20160905
NANO-Antivirus 20160905
nProtect 20160905
Panda 20160904
Qihoo-360 20160905
Rising 20160905
Sophos AV 20160905
SUPERAntiSpyware 20160905
Symantec 20160905
Tencent 20160905
TheHacker 20160903
TrendMicro 20160905
TrendMicro-HouseCall 20160905
VBA32 20160905
VIPRE 20160831
ViRobot 20160905
Yandex 20160904
Zillya 20160902
Zoner 20160905
The file under study is a Portable Executable (PE): specifically, a 32-bit Win32 EXE for the Windows GUI subsystem.
Authenticode signature block and FileVersionInfo properties
Signature verification A certificate was explicitly revoked by its issuer.
Signing date 6:44 AM 9/5/2016
The signer certificate (AMG Grupp, below) became valid on 8/30/2016, was used to sign this file six days later, and the file reached VirusTotal the same day; the certificate has since been revoked, so the chain no longer confers trust. The Symantec timestamp countersignature listed under Counter signers lets a signature outlive the certificate's expiry date; it does not cure a revocation, as the verification result here shows, so for trust decisions treat the file as unsigned.
Signers
[+] AMG Grupp
Status Trust for this certificate or one of the certificates in the certificate chain has been revoked.
Issuer COMODO RSA Code Signing CA
Valid from 1:00 AM 8/30/2016
Valid to 12:59 AM 8/31/2017
Valid usage Code Signing
Algorithm sha256RSA
Thumbprint 5FCC393E22B2ACFA9BD161D53FC12B553C5D2AAD
Serial number 00 9E DC 67 F6 4C 20 F0 DB 62 5D 75 68 E8 94 55 C4
[+] COMODO RSA Code Signing CA
Status Valid
Issuer COMODO RSA Certification Authority
Valid from 1:00 AM 5/9/2013
Valid to 12:59 AM 5/9/2028
Valid usage Code Signing
Algorithm sha384RSA
Thumbprint B69E752BBE88B4458200A7C0F4F5B3CCE6F35B47
Serial number 2E 7C 87 CC 0E 93 4A 52 FE 94 FD 1C B7 CD 34 AF
[+] COMODO SECURE™ (the self-signed COMODO RSA Certification Authority root)
Status Valid
Issuer COMODO RSA Certification Authority
Valid from 1:00 AM 1/19/2010
Valid to 12:59 AM 1/19/2038
Valid usage Server Auth, Client Auth, Email Protection, Code Signing, Timestamp Signing, EFS, IPSEC Tunnel, IPSEC User
Algorithm sha384RSA
Thumbprint AFE5D244A8D1194230FF479FE2F897BBCD7A8CB4
Serial number 4C AA F9 CA DB 63 6F E0 1F F7 4E D8 5B 03 86 9D
Counter signers
[+] Symantec Time Stamping Services Signer - G4
Status Valid
Issuer Symantec Time Stamping Services CA - G2
Valid from 1:00 AM 10/18/2012
Valid to 12:59 AM 12/30/2020
Valid usage Timestamp Signing
Algorithm sha1RSA
Thumbprint 65439929B67973EB192D6FF243E6767ADF0834E4
Serial number 0E CF F4 38 C8 FE BF 35 6E 04 D8 6A 98 1B 1A 50
[+] Symantec Time Stamping Services CA - G2
Status Valid
Issuer Thawte Timestamping CA
Valid from 1:00 AM 12/21/2012
Valid to 12:59 AM 12/31/2020
Valid usage Timestamp Signing
Algorithm sha1RSA
Thumbprint 6C07453FFDDA08B83707C09B82FB3D15F35336B1
Serial number 7E 93 EB FB 7C C6 4E 59 EA 4B 9A 77 D4 06 FC 3B
[+] Thawte Timestamping CA
Status Valid
Issuer Thawte Timestamping CA
Valid from 1:00 AM 1/1/1997
Valid to 12:59 AM 1/1/2021
Valid usage Timestamp Signing
Algorithm md5RSA (a root's self-signature is not verified during chain building, so the weak digest does not affect trust)
Thumbprint BE36A4562FB2EE05DBB3D32323ADF445084ED656
Serial number 00
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2016-08-03 11:38:32
Entry Point 0x00002B8E
Number of sections 4
PE sections
Overlays
MD5 56f039bef3a78c5d6db73d70e6677707
File type data
Offset 227328
Size 6376
Entropy 7.40
Offset plus size equals the 233704-byte file size, so the overlay runs to the end of the file. An Authenticode signature occupies exactly this position (appended after the last section and referenced by the PE security data directory), and a DER-encoded PKCS#7 blob carrying a three-certificate chain plus a timestamp countersignature is a few kilobytes of high-entropy data, so an overlay of this shape is consistent with being nothing but the signature block. The report does not show the security directory's offset and length, so that cannot be confirmed from this page alone.
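How the overlay figures above are derived, as an added example that is not part of the VirusTotal report: the overlay is everything past the end of the last section's raw data, its entropy is Shannon entropy in bits per byte, and when a file is Authenticode-signed the PE security data directory should point at exactly that region. The script builds a small PE32 in memory (constructed test input; the "signature" is filler, not a real PKCS#7) and reports the same fields the page shows. The constructed file's compile timestamp, entry point and linker version are set to this sample's values so the output can be compared with the report; everything else about it is the editor's invention.

```python
"""Added example (not VirusTotal's code): locate a PE32 file's overlay, measure
its entropy and check whether it is exactly the WIN_CERTIFICATE blob named by
the security data directory.  The sample PE is built in memory and its
"signature" is deterministic filler, not a real PKCS#7 SignedData."""
import datetime
import hashlib
import math
import struct

SECURITY_DIR_INDEX = 4                   # IMAGE_DIRECTORY_ENTRY_SECURITY
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002  # wCertificateType used by Authenticode


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte, the figure VirusTotal reports for an overlay."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def analyse_pe32(data: bytes) -> dict:
    """Parse just enough of a PE32 image to find the sections, the overlay
    (bytes past the last section's raw data) and the security directory,
    whose 'VirtualAddress' is a raw file offset rather than an RVA."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, nsections, timestamp, _, _, opt_size, _ = struct.unpack_from(
        "<HHIIIHH", data, coff)
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (magic 0x10B) is handled here")
    entry_point = struct.unpack_from("<I", data, opt + 16)[0]
    ndirs = struct.unpack_from("<I", data, opt + 92)[0]
    sec_off = sec_size = 0
    if ndirs > SECURITY_DIR_INDEX:
        sec_off, sec_size = struct.unpack_from(
            "<II", data, opt + 96 + 8 * SECURITY_DIR_INDEX)
    sections, end_of_image = [], opt + opt_size + 40 * nsections
    for i in range(nsections):
        name, _, _, raw_size, raw_ptr = struct.unpack_from(
            "<8sIIII", data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"),
                         raw_ptr, raw_size))
        end_of_image = max(end_of_image, raw_ptr + raw_size)
    overlay = data[end_of_image:]
    compiled = datetime.datetime.fromtimestamp(timestamp, datetime.timezone.utc)
    return {
        "compile_time": compiled.strftime("%Y-%m-%d %H:%M:%S"),
        "entry_point": entry_point,
        "sections": sections,
        "overlay_offset": end_of_image,
        "overlay_size": len(overlay),
        "overlay_entropy": round(shannon_entropy(overlay), 2),
        "security_dir": (sec_off, sec_size),
    }


def overlay_is_signature(info: dict) -> bool:
    """True when the overlay is nothing but the Authenticode blob: it starts
    where the security directory starts and has the same length.  A larger
    overlay means extra data was appended beyond the signature."""
    sec = info["security_dir"]
    return sec[1] > 0 and sec == (info["overlay_offset"], info["overlay_size"])


def build_fake_win_certificate(body_len: int = 4096) -> bytes:
    """WIN_CERTIFICATE header around a SHA-256 counter stream: constructed
    high-entropy filler standing in for DER, not a valid signature."""
    body = b"".join(hashlib.sha256(i.to_bytes(4, "little")).digest()
                    for i in range(body_len // 32))
    return struct.pack("<IHH", 8 + len(body), 0x0200,
                       WIN_CERT_TYPE_PKCS_SIGNED_DATA) + body


def build_sample_pe32(overlay: bytes, security_size=None) -> bytes:
    """Constructed one-section PE32: 512 bytes of headers, a 512-byte .text,
    then `overlay`.  When security_size is given, the security directory is
    pointed at the overlay's start with that length."""
    text_off = text_size = headers_size = 512
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)      # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0x57A1D7B8, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<HBB", opt, 0, 0x10B, 9, 0)         # PE32, linker 9.0
    struct.pack_into("<I", opt, 16, 0x2B8E)               # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)             # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)       # section/file alignment
    struct.pack_into("<I", opt, 60, headers_size)         # SizeOfHeaders
    struct.pack_into("<I", opt, 92, 16)                   # NumberOfRvaAndSizes
    if security_size is not None:
        struct.pack_into("<II", opt, 96 + 8 * SECURITY_DIR_INDEX,
                         text_off + text_size, security_size)
    section = struct.pack("<8sIIIIIIHHI", b".text", text_size, 0x1000,
                          text_size, text_off, 0, 0, 0, 0, 0x60000020)
    headers = (dos + b"PE\0\0" + coff + bytes(opt) + section).ljust(headers_size, b"\0")
    return headers + b"\xC3" * text_size + overlay           # 'ret' filler as code


if __name__ == "__main__":
    blob = build_fake_win_certificate()
    info = analyse_pe32(build_sample_pe32(blob, security_size=len(blob)))
    print(info["compile_time"], info["overlay_offset"], info["overlay_size"],
          info["overlay_entropy"], overlay_is_signature(info))
```

Run against a real sample by passing the file's bytes to analyse_pe32; the check to make is overlay_is_signature: when it is false on a signed file, the bytes beyond the WIN_CERTIFICATE length are not covered by the signature and should be carved out and examined on their own.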
PE imports
[+] KERNEL32.dll
GetLastError
InterlockedDecrement
HeapFree
GetStdHandle
EnterCriticalSection
LCMapStringW
SetHandleCount
GetOEMCP
LCMapStringA
HeapDestroy
HeapAlloc
TlsAlloc
GetEnvironmentStringsW
GetVersionExA
LoadLibraryA
RtlUnwind
GetModuleFileNameA
FreeEnvironmentStringsA
DeleteCriticalSection
GetStartupInfoA
GetEnvironmentStrings
GetLocaleInfoA
GetCurrentProcessId
WideCharToMultiByte
UnhandledExceptionFilter
TlsGetValue
MultiByteToWideChar
HeapSize
FreeEnvironmentStringsW
GetCommandLineA
GetSystemDEPPolicy
TlsFree
GetProcessHeap
GetCPInfo
GetStringTypeA
GetModuleHandleA
SetUnhandledExceptionFilter
WriteFile
GetCurrentProcess
GetSystemTimeAsFileTime
GetACP
HeapReAlloc
GetStringTypeW
GetProcAddress
TerminateProcess
QueryPerformanceCounter
InitializeCriticalSection
HeapCreate
VirtualFree
IsDebuggerPresent
Sleep
GetFileType
GetTickCount
TlsSetValue
ExitProcess
GetCurrentThreadId
InterlockedIncrement
VirtualAlloc
SetLastError
LeaveCriticalSection
[+] USER32.dll
EndDialog
BeginPaint
CreateDialogIndirectParamA
CharLowerA
GetWindowRect
DispatchMessageA
EndPaint
SetDlgItemTextA
MoveWindow
MessageBoxA
PeekMessageA
SetWindowLongA
TranslateMessage
CharUpperA
GetDC
ReleaseDC
wsprintfA
SendMessageA
GetClientRect
GetDlgItem
CreateDialogParamA
GetWindowLongA
CharNextA
GetDesktopWindow
LoadImageA
DialogBoxIndirectParamA
IsDialogMessageA
DestroyWindow
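How the imphash reported under File identification is computed, as an added example (the editor's code, not pefile's or VirusTotal's): MD5 over the import table's "dll.function" pairs, lower-cased, with a .dll/.ocx/.sys extension stripped from the library name, in the order the import table lists them. The sample import list is a constructed subset of this file's imports with DLL names assigned by the editor; the report does not show DLL names or guarantee file order, so the result is not expected to equal a42d3d98f39c78eb5b2ee4080550d640. pefile additionally maps well-known ordinal imports in ws2_32 and oleaut32 to names; that table is not reproduced here.

```python
"""Added example, not pefile's or VirusTotal's code: compute an imphash the way
pefile does (MD5 of "dll.function" pairs, lower-cased, in import-table order,
comma-joined) so the value on a report can be reproduced from an import table."""
import hashlib

STRIPPED_EXTENSIONS = ("dll", "ocx", "sys")   # pefile drops these from the library name


def imphash(imports) -> str:
    """imports: iterable of (dll, name_or_ordinal) in import-table order.
    Ordinal-only imports become 'ordNNN'.  pefile also resolves well-known
    ordinals (ws2_32, oleaut32) to names; that lookup is omitted here, so
    hashes of binaries importing by such ordinals would differ."""
    parts = []
    for dll, func in imports:
        lib = dll.lower()
        base, _, ext = lib.rpartition(".")
        if base and ext in STRIPPED_EXTENSIONS:
            lib = base
        name = f"ord{func}" if isinstance(func, int) else func.lower()
        parts.append(f"{lib}.{name}")
    return hashlib.md5(",".join(parts).encode()).hexdigest()


# Constructed subset of this file's imports; DLL assignment is the editor's,
# and the page's listing order is not guaranteed to be the file's order.
SAMPLE_IMPORTS = [
    ("KERNEL32.dll", "GetLastError"),
    ("KERNEL32.dll", "HeapAlloc"),
    ("KERNEL32.dll", "VirtualAlloc"),
    ("KERNEL32.dll", "IsDebuggerPresent"),
    ("USER32.dll", "CreateDialogParamA"),
    ("USER32.dll", "MessageBoxA"),
]

if __name__ == "__main__":
    print(imphash(SAMPLE_IMPORTS))
```

Because the value depends on order, two builds with a different import-table layout get different imphashes while recompilation that preserves the table keeps it, which is what makes the hash a useful pivot across samples and why it should be compared with other samples' imphashes rather than read in isolation.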
ExifTool file metadata
MIMEType application/octet-stream
Subsystem Windows GUI
MachineType Intel 386 or later, and compatibles
FileTypeExtension exe
TimeStamp 2016:08:03 12:38:32+01:00 (the same instant as the 2016-08-03 11:38:32 compilation timestamp above, rendered with a +01:00 offset)
FileType Win32 EXE
PEType PE32
CodeSize 31232
LinkerVersion 9.0 (the Visual Studio 2008 linker, in line with the TrID guess of MS Visual C++ below)
EntryPoint 0x2b8e
InitializedDataSize 271872
SubsystemVersion 5.0
ImageVersion 0.0
OSVersion 5.0
UninitializedDataSize 0
File identification
MD5 973fb4955add4ca88d4b661dfdaf6edc
SHA1 16d5bdb45e1a544050ee55e7a9267bf1868fc7e1
SHA256 92d08160791d5f7b941e57193cac72fe245e67b6c81d0fbac78b906f04444454
ssdeep
3072:lz5zidV1dBV+dsBvyO0tTt+aEqseFaJ7D8zIg7BRlS+beL/aJi+HAR5VWHzD8+pI:lzxidcdjdTjE8aJWrlBeL/0KTyzs

authentihash b0bf98df9315c867518ba95bb42128b8045c758cb8c27e644926b1276de4dc46
imphash a42d3d98f39c78eb5b2ee4080550d640
File size 228.2 KB ( 233704 bytes )
File type Win32 EXE
Magic literal PE32 executable for MS Windows (GUI) Intel 80386 32-bit
TrID Win32 Executable MS Visual C++ (generic) (42.2%)
Win64 Executable (generic) (37.3%)
Win32 Dynamic Link Library (generic) (8.8%)
Win32 Executable (generic) (6.0%)
Generic Win/DOS Executable (2.7%)
Tags
revoked-cert peexe signed overlay

VirusTotal metadata
First submission 2016-09-05 12:25:54 UTC ( 2 years, 5 months ago )
Last submission 2016-09-05 12:25:54 UTC ( 2 years, 5 months ago )
Condensed behaviour report. The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by another process launched by it or subjected to code injection by it. The section headings below are present in the report, but no entries are shown under any of them.
Opened files
Read files
Written files
Code injections in the following processes
Created mutexes
Runtime DLLs
UDP communications