SHA256: 9974986978a2535d6b28947d48e16cccfd61d6de2e30aa08217f2eca112e75bf
File name: single.php2
Detection ratio: 13 / 66
Analysis date: 2018-10-17 01:40:27 UTC ( 4 months ago )
Antivirus Result Update
AegisLab W32.W.Gen.llEj 20181017
Avast FileRepMalware 20181017
AVG FileRepMalware 20181017
CrowdStrike Falcon (ML) malicious_confidence_70% (D) 20180723
Cylance Unsafe 20181017
Endgame malicious (high confidence) 20180730
ESET-NOD32 a variant of Win32/GenKryptik.COEJ 20181017
Sophos ML heuristic 20180717
Kaspersky Trojan-Spy.Win32.Ursnif.aatd 20181017
Microsoft Program:Win32/Unwaders.C!ml 20181017
Palo Alto Networks (Known Signatures) generic.ml 20181017
Webroot W32.Trojan.Gen 20181017
ZoneAlarm by Check Point Trojan-Spy.Win32.Ursnif.aatd 20181017
Ad-Aware 20181017
AhnLab-V3 20181016
Alibaba 20180921
ALYac 20181016
Antiy-AVL 20181017
Arcabit 20181017
Avast-Mobile 20181016
Avira (no cloud) 20181017
Babable 20180918
Baidu 20181015
BitDefender 20181017
Bkav 20181016
CAT-QuickHeal 20181013
ClamAV 20181016
CMC 20181016
Comodo 20181017
Cybereason 20180225
Cyren 20181016
DrWeb 20181017
eGambit 20181017
Emsisoft 20181017
F-Prot 20181017
F-Secure 20181017
Fortinet 20181016
GData 20181017
Ikarus 20181016
Jiangmin 20181016
K7AntiVirus 20181016
K7GW 20181016
Kingsoft 20181017
Malwarebytes 20181016
MAX 20181017
McAfee 20181017
McAfee-GW-Edition 20181016
eScan 20181017
NANO-Antivirus 20181016
Panda 20181016
Qihoo-360 20181017
Rising 20181017
SentinelOne (Static ML) 20181011
Sophos AV 20181016
SUPERAntiSpyware 20181015
Symantec 20181016
Symantec Mobile Insight 20181001
TACHYON 20181016
Tencent 20181017
TheHacker 20181015
TrendMicro 20181016
TrendMicro-HouseCall 20181016
Trustlook 20181017
VBA32 20181016
ViRobot 20181017
Yandex 20181016
Zillya 20181016
Zoner 20181016
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
Authenticode signature block and FileVersionInfo properties
Copyright Copyright (C) 2008
Product itunescpy Application
Original name itunescpy.EXE
Internal name itunescpy
File version 1, 0, 0, 1
Description itunescpy
Signature verification A certificate was explicitly revoked by its issuer.
Signing date 10:16 PM 10/15/2018
Signers
[+] ZK9 LTD
Status Trust for this certificate or one of the certificates in the certificate chain has been revoked.
Issuer COMODO RSA Code Signing CA
Valid from 11:00 PM 08/13/2018
Valid to 10:59 PM 08/14/2019
Valid usage Code Signing
Algorithm sha256RSA
Thumbprint 204761E11DD042023B406AB6F3DA910F8F17FCE0
Serial number 00 AE B6 01 EF C3 F0 4A 41 D6 1F 0F 92 73 27 2D 7D
[+] COMODO RSA Code Signing CA
Status Valid
Issuer COMODO RSA Certification Authority
Valid from 11:00 PM 05/08/2013
Valid to 10:59 PM 05/08/2028
Valid usage Code Signing
Algorithm sha384RSA
Thumbprint B69E752BBE88B4458200A7C0F4F5B3CCE6F35B47
Serial number 2E 7C 87 CC 0E 93 4A 52 FE 94 FD 1C B7 CD 34 AF
[+] COMODO SECURE™
Status Valid
Issuer COMODO RSA Certification Authority
Valid from 12:00 AM 01/19/2010
Valid to 11:59 PM 01/18/2038
Valid usage Server Auth, Client Auth, Email Protection, Code Signing, Timestamp Signing, EFS, IPSEC Tunnel, IPSEC User
Algorithm sha384RSA
Thumbprint AFE5D244A8D1194230FF479FE2F897BBCD7A8CB4
Serial number 4C AA F9 CA DB 63 6F E0 1F F7 4E D8 5B 03 86 9D
Counter signers
[+] Starfield Timestamp Authority - G2
Status Valid
Issuer Starfield Secure Certificate Authority - G2
Valid from 07:00 AM 11/14/2017
Valid to 07:00 AM 11/14/2022
Valid usage Timestamp Signing
Algorithm sha256RSA
Thumbprint 0D5E347CD5B3793ECFEAE6B860DB0F555DBE24A5
Serial number 00 EF 95 C2 F4 80 E3 1B 93
[+] Starfield Secure Certificate Authority - G2
Status Valid
Issuer Starfield Root Certificate Authority - G2
Valid from 06:00 AM 05/03/2011
Valid to 06:00 AM 05/03/2031
Valid usage All
Algorithm sha256RSA
Thumbprint 7EDC376DCFD45E6DDF082C160DF6AC21835B95D4
Serial number 07
[+] Starfield Root Certificate Authority - G2
Status Valid
Issuer Starfield Root Certificate Authority - G2
Valid from 11:00 PM 08/31/2009
Valid to 11:59 PM 12/31/2037
Valid usage Server Auth, Client Auth, Code Signing, Email Protection, Timestamp Signing, EFS, IPSEC Tunnel, IPSEC User
Algorithm sha256RSA
Thumbprint B51C067CEE2B0C3DF855AB2D92F4FE39D4E70F0E
Serial number 00
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2013-04-25 20:22:27
Entry Point 0x000056CE
Number of sections 5
PE sections
Overlays
MD5 826bf24ea6b9eaf1f26cdb438ec1f7f1
File type data
Offset 155648
Size 6856
Entropy 7.37
PE imports
RegRestoreKeyA
LookupPrivilegeNameW
InitializeSid
IsValidSid
LockServiceDatabase
EnumServicesStatusExW
GetPrivateObjectSecurity
IsTextUnicode
EqualPrefixSid
GetSaveFileNameA
GetDeviceCaps
GetBkColor
GetTextExtentPoint32W
FillPath
GetTextAlign
SetPolyFillMode
GetTextExtentExPointI
EqualRgn
GetStockObject
ExtCreatePen
GetROP2
GetPixel
GetObjectType
GetSystemTime
DefineDosDeviceW
LocalLock
WriteProcessMemory
LoadLibraryW
GlobalCompact
GetCompressedFileSizeW
GetPrivateProfileSectionNamesW
VirtualProtect
FillConsoleOutputCharacterW
WaitForSingleObjectEx
LoadLibraryA
GetShortPathNameA
GetWindowsDirectoryW
DeleteFileA
GetWindowsDirectoryA
GetVolumeInformationW
LoadLibraryExW
GenerateConsoleCtrlEvent
GetConsoleProcessList
GetSystemPowerStatus
VirtualProtectEx
GlobalAddAtomW
GetFileSizeEx
GetOverlappedResult
GetSystemDefaultUILanguage
WritePrivateProfileStructA
lstrcpyA
GetProfileStringA
GetTimeFormatA
GetMailslotInfo
FindFirstFileW
GetCommConfig
GetModuleHandleW
GetThreadSelectorEntry
IsValidCodePage
SetConsoleMode
GetDefaultCommConfigW
GetLogicalDriveStringsW
DefineDosDeviceA
GetSystemWindowsDirectoryW
LoadAcceleratorsA
GetIconInfo
GetParent
DrawTextExW
EnableWindow
IsWinEventHookInstalled
EnumThreadWindows
DrawIconEx
DialogBoxParamW
GetDlgItemTextA
EnableScrollBar
GetWindowTextLengthW
DestroyAcceleratorTable
GetClipboardOwner
GetMessageW
DefMDIChildProcA
FindWindowExW
GetMenuContextHelpId
LoadMenuW
InsertMenuItemA
GetFileVersionInfoW
FindFirstUrlCacheEntryExA
DeletePrinterDriverExW
fputc
towupper
malloc
free
Number of PE resources by type
RT_ICON 2
RT_DIALOG 2
RT_STRING 1
RT_VERSION 1
RT_GROUP_ICON 1
Number of PE resources by language
ENGLISH US 7
PE resources
ExifTool file metadata
UninitializedDataSize 0
LinkerVersion 11.1
ImageVersion 0.0
FileSubtype 0
FileVersionNumber 1.0.0.1
LanguageCode English (U.S.)
FileFlagsMask 0x003f
FileDescription itunescpy
ImageFileCharacteristics No relocs, Executable, 32-bit
CharacterSet Unicode
InitializedDataSize 56832
EntryPoint 0x56ce
OriginalFileName itunescpy.EXE
MIMEType application/octet-stream
LegalCopyright Copyright (C) 2008
FileVersion 1, 0, 0, 1
TimeStamp 2013:04:25 13:22:27-07:00
FileType Win32 EXE
PEType PE32
InternalName itunescpy
ProductVersion 1, 0, 0, 1
SubsystemVersion 5.0
OSVersion 5.0
FileOS Win32
Subsystem Windows GUI
MachineType Intel 386 or later, and compatibles
CompanyName eTinySoft Inc.
CodeSize 795242121
ProductName itunescpy Application
ProductVersionNumber 1.0.0.1
FileTypeExtension exe
ObjectFileType Executable application

File identification
MD5 011eb1d90c961c715a11500f38c069d8
SHA1 783a6c469a9c9edfcd21ed7e2dd1a2a6d04798dd
SHA256 9974986978a2535d6b28947d48e16cccfd61d6de2e30aa08217f2eca112e75bf
ssdeep 1536:ZiXZsVEnKyqYyxE5tUcKbxT1K8d49nEMEPJALIqDRN6tSgx7E3gZonVm20ZOQic:UpvKlYyxW4xpKW45fIiN6sgRqMZOY
authentihash 83fcd277f4270917fab44a0566f50ef65c0a8c093fb56efddcbb5def8059679a
imphash ac68455aa4979994ce601407c187141f
File size 158.7 KB ( 162504 bytes )
File type Win32 EXE
Magic literal PE32 executable for MS Windows (GUI) Intel 80386 32-bit
TrID Win32 Executable (generic) (42.7%)
OS/2 Executable (generic) (19.2%)
Generic Win/DOS Executable (18.9%)
DOS Executable Generic (18.9%)
Tags revoked-cert peexe signed overlay
VirusTotal metadata
First submission 2018-10-16 12:11:15 UTC ( 4 months ago )
Last submission 2018-10-29 05:04:03 UTC ( 3 months, 3 weeks ago )
File names 011eb1d90c961c715a11500f38c069d8
itunescpy
single.php2
itunescpy.EXE
Condensed report! The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.