SHA256: 9a87c6d47e4495a6e7ddb4bd50fb4316a824201f314a4538ebee15375613a768
File name: SafeInstaller
Detection ratio: 48 / 69
Analysis date: 2018-10-06 00:20:52 UTC (1 month, 2 weeks ago)
Antivirus Result Update
Ad-Aware Application.Bundler.InstallIQ.D 20181005
AhnLab-V3 PUP/Win32.BundleInstaller.C578422 20181005
Antiy-AVL RiskWare[Downloader]/NSIS.Agent 20181005
Arcabit Application.Bundler.InstallIQ.D 20181006
Avast Win32:Evo-gen [Susp] 20181005
AVG FileRepMetagen [Adw] 20181005
Avira (no cloud) PUA/InstallIQ.Gen4 20181005
AVware InstallIQ Installer (fs) 20180925
Baidu Win32.Adware.Generic.cb 20180930
BitDefender Application.Bundler.InstallIQ.D 20181006
Bkav W32.HfsAdware.6260 20181005
Comodo Application.Win32.InstallIQ.B 20181006
CrowdStrike Falcon (ML) malicious_confidence_100% (D) 20180723
Cybereason malicious.a116c9 20180225
Cylance Unsafe 20181006
Cyren W32/InstallIQ.A.gen!Eldorado 20181006
DrWeb Adware.Downware.9566 20181006
Emsisoft Application.InstallSmart (A) 20181005
Endgame malicious (high confidence) 20180730
ESET-NOD32 a variant of Win32/InstallIQ.A potentially unwanted 20181005
F-Prot W32/InstallIQ.A.gen!Eldorado 20181006
F-Secure Application.Bundler.InstallIQ 20181006
Fortinet W32/Generic.AC.13E3F!tr 20181005
GData Win32.Application.InstallIQ.F 20181006
Ikarus AdWare.MultiBundle 20181005
Sophos ML heuristic 20180717
Jiangmin Variant.Kazy.aii 20181006
K7AntiVirus Trojan ( 004b51001 ) 20181005
K7GW Trojan ( 004b51001 ) 20181005
Kaspersky not-a-virus:Downloader.NSIS.Agent.ij 20181005
Malwarebytes PUP.Optional.SafeInstall 20181005
MAX malware (ai score=100) 20181006
Microsoft PUA:Win32/InstallIQ 20181006
eScan Application.Bundler.InstallIQ.D 20181005
NANO-Antivirus Riskware.Win32.Adw.efutes 20181005
Panda Trj/Genetic.gen 20181005
Qihoo-360 Win32/Application.c39 20181006
Rising Trojan.Win32.Generic.1731D3EF (C64:YzY0OmZsOlgIfxuA) 20181005
Sophos AV DomaIQ pay-per install (PUA) 20181005
SUPERAntiSpyware PUP.SafeInstall/Variant 20181005
Symantec SMG.Heur!gen 20181005
TrendMicro PUA_INSTALLIQ.SM 20181006
TrendMicro-HouseCall PUA_INSTALLIQ.SM 20181005
VBA32 BScope.Trojan.Domaiq 20181005
VIPRE InstallIQ Installer (fs) 20181005
Webroot Pua.Safe.Installer 20181006
Zillya Adware.AmonetizeCRT.Win32.150 20181005
ZoneAlarm by Check Point not-a-virus:Downloader.NSIS.Agent.ij 20181006
AegisLab 20181005
Alibaba 20180921
ALYac 20181005
Avast-Mobile 20181005
Babable 20180918
CAT-QuickHeal 20181005
ClamAV 20181005
CMC 20181005
eGambit 20181006
Kingsoft 20181006
McAfee 20181005
McAfee-GW-Edition 20181005
Palo Alto Networks (Known Signatures) 20181006
SentinelOne (Static ML) 20180926
Symantec Mobile Insight 20181001
TACHYON 20181005
Tencent 20181006
TheHacker 20181001
TotalDefense 20181005
Trustlook 20181006
ViRobot 20181005
Yandex 20181005
Zoner 20181005
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
Authenticode signature block and FileVersionInfo properties
Copyright Copyright (C) 2014
Product SafeInstaller
Original name safeinstall.exe
Internal name SafeInstaller
File version 1.0.58.0
Description Safe Installer
Signature verification A certificate was explicitly revoked by its issuer.
Signers
[+] InstallX, LLC
Status This certificate or one of the certificates in the certificate chain is not time valid. Trust for this certificate or one of the certificates in the certificate chain has been revoked.
Issuer DigiCert Assured ID Code Signing CA-1
Valid from 1:00 AM 3/21/2014
Valid to 1:00 PM 4/8/2015
Valid usage Code Signing
Algorithm sha1RSA
Thumbprint AB46C85672419A1B0C804810AA29D6F2620EF751
Serial number 0F 4D 18 81 92 31 8D 28 51 0F C8 86 CB B8 55 E6
[+] DigiCert Assured ID Code Signing CA-1
Status Valid
Issuer DigiCert Assured ID Root CA
Valid from 1:00 PM 2/11/2011
Valid to 1:00 PM 2/10/2026
Valid usage Code Signing
Algorithm sha1RSA
Thumbprint 409AA4A74A0CDA7C0FEE6BD0BB8823D16B5F1875
Serial number 0F A8 49 06 15 D7 00 A0 BE 21 76 FD C5 EC 6D BD
[+] DigiCert
Status Valid
Issuer DigiCert Assured ID Root CA
Valid from 1:00 AM 11/10/2006
Valid to 1:00 AM 11/10/2031
Valid usage Server Auth, Client Auth, Email Protection, Code Signing, Timestamp Signing
Algorithm sha1RSA
Thumbprint 0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43
Serial number 0C E7 E0 E5 17 D8 46 FE 8F E5 60 FC 1B F0 30 39
Packers identified
F-PROT PECompact, ZIP, PecBundle, UPX
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2014-08-08 15:31:09
Entry Point 0x0005A9DA
Number of sections 28
PE sections
Overlays
MD5 948a0a8781f02fd151f42b80bed520c1
File type data
Offset 2030080
Size 4120
Entropy 6.93
PE imports
RegDeleteKeyA
RegOpenCurrentUser
RegCloseKey
RegQueryValueExA
LookupPrivilegeValueA
AdjustTokenPrivileges
RegCreateKeyExA
GetSidSubAuthorityCount
GetSidSubAuthority
OpenProcessToken
SetTokenInformation
RegOpenKeyExA
RegDeleteValueA
GetTokenInformation
DuplicateTokenEx
IsValidSid
GetSidIdentifierAuthority
GetLengthSid
RegEnumKeyExA
RegQueryInfoKeyA
RevertToSelf
RegSetValueExA
ImpersonateLoggedOnUser
RegOpenUserClassesRoot
ImageList_Create
InitCommonControlsEx
ImageList_LoadImageA
ImageList_Add
ImageList_Destroy
CryptUnprotectData
GetObjectA
DeleteDC
SelectObject
PatBlt
GetStockObject
SetWindowOrgEx
BitBlt
CreateCompatibleDC
DeleteObject
CreateCompatibleBitmap
GetPrivateProfileSectionNamesA
GetStdHandle
ReleaseMutex
FileTimeToSystemTime
GetFileAttributesA
WaitForSingleObject
SetEndOfFile
HeapDestroy
EncodePointer
GetFileAttributesW
GetLocalTime
DeleteCriticalSection
GetCurrentProcess
GetConsoleMode
LocalAlloc
Module32First
FreeEnvironmentStringsW
SetStdHandle
GetTempPathA
GetCPInfo
GetDiskFreeSpaceW
WriteFile
FormatMessageW
GetSystemTimeAsFileTime
EnumResourceLanguagesA
HeapReAlloc
GetStringTypeW
GetFullPathNameA
GetExitCodeProcess
LocalFree
MoveFileA
InitializeCriticalSection
OutputDebugStringW
FindClose
InterlockedDecrement
FormatMessageA
GetFullPathNameW
BeginUpdateResourceA
SetLastError
GetUserDefaultUILanguage
GetSystemTime
TlsGetValue
LoadResource
GetModuleFileNameW
IsDebuggerPresent
ExitProcess
GetVersionExA
GetModuleFileNameA
UpdateResourceA
LoadLibraryExA
GetPrivateProfileStringA
UnhandledExceptionFilter
LoadLibraryExW
MultiByteToWideChar
SetFilePointerEx
CreateMutexA
GetModuleHandleA
LockFileEx
CreateThread
SetFileAttributesA
RtlCaptureStackBackTrace
Module32Next
SetUnhandledExceptionFilter
IsProcessorFeaturePresent
ExitThread
DecodePointer
SetEnvironmentVariableA
TerminateProcess
GetModuleHandleExW
VirtualQuery
ReadConsoleW
GetCurrentThreadId
LeaveCriticalSection
WriteConsoleW
CreateToolhelp32Snapshot
AreFileApisANSI
InitializeCriticalSectionAndSpinCount
HeapFree
EnterCriticalSection
OpenProcess
LoadLibraryW
FreeLibrary
QueryPerformanceCounter
GetTickCount
TlsAlloc
FlushFileBuffers
LoadLibraryA
EndUpdateResourceA
RtlUnwind
GetSystemDirectoryA
Process32Next
UnlockFile
GetFileSize
Process32First
GetPrivateProfileIntA
CreateDirectoryA
DeleteFileA
GetWindowsDirectoryA
GetDateFormatW
GetStartupInfoW
SetEvent
DeleteFileW
GetProcAddress
GetProcessHeap
GetTimeFormatW
FindFirstFileA
GetDiskFreeSpaceA
EnumResourceNamesA
ResetEvent
GetTempFileNameA
CreateFileMappingA
FindNextFileA
ExpandEnvironmentStringsA
GetTempPathW
GetTimeZoneInformation
CreateFileW
CreateEventA
CopyFileA
GetFileType
TlsSetValue
CreateFileA
HeapAlloc
InterlockedIncrement
GetLastError
SystemTimeToFileTime
LCMapStringW
GetSystemInfo
lstrlenA
GetConsoleCP
CompareStringW
GetEnvironmentStringsW
FindResourceExA
LockFile
RemoveDirectoryA
WaitForSingleObjectEx
SizeofResource
WritePrivateProfileStringA
GetCurrentProcessId
LockResource
GetCurrentDirectoryA
HeapSize
GetCommandLineA
InterlockedCompareExchange
GetCurrentThread
RaiseException
MapViewOfFile
TlsFree
SetFilePointer
ReadFile
CloseHandle
UnlockFileEx
GetACP
GetModuleHandleW
GetFileAttributesExW
FindResourceExW
CreateProcessA
WideCharToMultiByte
IsValidCodePage
UnmapViewOfFile
FindResourceW
GetLongPathNameA
Sleep
FindResourceA
GetOEMCP
VariantChangeType
SafeArrayAccessData
SysStringLen
SysAllocStringLen
SafeArrayUnaccessData
VariantClear
SysAllocString
SafeArrayDestroy
SafeArrayCreateVector
SysFreeString
VariantInit
GetModuleFileNameExA
EnumProcesses
ShellExecuteExA
SHGetSpecialFolderPathA
Shell_NotifyIconA
PathFindExtensionA
PathRenameExtensionA
PathCombineA
PathStripPathA
SHDeleteEmptyKeyA
UrlEscapeA
SHCopyKeyA
PathIsDirectoryEmptyA
PathRemoveFileSpecA
SetFocus
GetMessageA
GetParent
IsIconic
UpdateWindow
EndDialog
BeginPaint
EnumWindows
MoveWindow
GetShellWindow
KillTimer
GetClassInfoExA
DestroyMenu
FindWindowA
ScreenToClient
ShowWindow
SetClassLongA
LoadBitmapA
SetWindowPos
GetWindowThreadProcessId
MessageBoxExA
GetSystemMetrics
EnableMenuItem
IsWindow
AppendMenuA
PostQuitMessage
GetWindowRect
DispatchMessageA
EnableWindow
SetDlgItemTextA
PostMessageA
LoadImageA
EnumChildWindows
MessageBoxA
DialogBoxParamA
SetWindowLongA
AdjustWindowRectEx
TranslateMessage
IsWindowEnabled
FrameRect
LoadAcceleratorsA
RegisterClassExA
ReleaseCapture
CreatePopupMenu
SystemParametersInfoA
SetWindowTextA
SendMessageW
LoadStringA
GetCursorPos
SetParent
FindWindowExA
IsWindowVisible
SendMessageA
SetForegroundWindow
GetClientRect
CreateWindowExA
GetDlgItem
OffsetRect
CreateDialogParamA
GetSystemMenu
ClientToScreen
DefWindowProcA
InvalidateRect
AnimateWindow
GetWindowLongA
GetWindowTextLengthA
SetTimer
LoadCursorA
GetKeyboardState
TrackPopupMenu
TranslateAcceleratorA
CopyRect
WaitForInputIdle
GetDesktopWindow
InflateRect
CallWindowProcA
GetClassNameA
GetFocus
LoadIconA
EndPaint
GetWindowTextA
InvalidateRgn
SetCursor
DestroyWindow
ExpandEnvironmentStringsForUserA
GetFileVersionInfoSizeA
GetFileVersionInfoA
VerQueryValueA
FindCloseUrlCache
HttpSendRequestA
InternetSetStatusCallback
InternetReadFileExA
HttpAddRequestHeadersA
InternetSetCookieA
HttpOpenRequestA
InternetCombineUrlA
HttpQueryInfoA
FindFirstUrlCacheEntryA
InternetOpenA
FindNextUrlCacheEntryA
InternetConnectA
InternetGetCookieA
InternetSetOptionA
InternetErrorDlg
InternetCanonicalizeUrlA
InternetCrackUrlA
InternetCloseHandle
GdipDeleteGraphics
GdipCreateFromHDC
GdipSetCompositingMode
OleUninitialize
CoInitialize
CoTaskMemAlloc
CoCreateGuid
CoCreateInstance
CoInitializeSecurity
CoTaskMemFree
StringFromGUID2
OleInitialize
IsValidURL
Number of PE resources by type
RT_ICON 9
RT_STRING 4
RT_DIALOG 3
RT_FILE 3
RT_GROUP_ICON 2
RT_MANIFEST 1
RT_RCDATA 1
RT_ACCELERATOR 1
RT_VERSION 1
Number of PE resources by language
ENGLISH US 24
NEUTRAL 1
PE resources
Debug information
ExifTool file metadata
SubsystemVersion 5.1
InitializedDataSize 912896
ImageVersion 0.0
ProductName SafeInstaller
FileVersionNumber 1.0.58.0
UninitializedDataSize 0
LanguageCode English (U.S.)
FileFlagsMask 0x003f
ImageFileCharacteristics No relocs, Executable, 32-bit
CharacterSet Unicode
LinkerVersion 11.0
FileTypeExtension exe
OriginalFileName safeinstall.exe
MIMEType application/octet-stream
Subsystem Windows GUI
FileVersion 1.0.58.0
TimeStamp 2014:08:08 16:31:09+01:00
FileType Win32 EXE
PEType PE32
InternalName SafeInstaller
ProductVersion 1.0.58.0
FileDescription Safe Installer
OSVersion 5.1
FileOS Windows NT 32-bit
LegalCopyright Copyright (C) 2014
MachineType Intel 386 or later, and compatibles
CompanyName SafeInstall, LLC
CodeSize 1115136
FileSubtype 0
ProductVersionNumber 1.0.58.0
EntryPoint 0x5a9da
ObjectFileType Executable application

File identification
MD5 eef1ccda116c943ae229111f2ac22ea5
SHA1 978cd147cffac59e1f6bea946942b13c5a32be26
SHA256 9a87c6d47e4495a6e7ddb4bd50fb4316a824201f314a4538ebee15375613a768
ssdeep 24576:LAy4hD6LSGJTXFDAfn67QuDGOVUab4Zn+xBl8Q+6QAELCtLmR3JyBTUgWTJyfCUh:2bfAQEVxNxIQjPEL33JzTyBh8V3K
authentihash cfe36a26192384d52dabb39bd1be1cc28cfa4dec14a7e26a5bf85b6c7382686d
imphash d9cdead5407531b98ec5c0343e9c2535
File size 1.9 MB (2034200 bytes)
File type Win32 EXE
Magic literal PE32 executable for MS Windows (GUI) Intel 80386 32-bit
TrID Win64 Executable (generic) (61.7%)
Win32 Dynamic Link Library (generic) (14.7%)
Win32 Executable (generic) (10.0%)
OS/2 Executable (generic) (4.5%)
Generic Win/DOS Executable (4.4%)
Tags peexe overlay revoked-cert signed pecompact upx
VirusTotal metadata
First submission 2014-08-16 10:36:09 UTC (4 years, 3 months ago)
Last submission 2018-06-22 08:58:02 UTC (5 months ago)
File names 3f5a0d69e7b93ce11de27bcbe91a8ec54a9c7d2e
20161202154429
SafeInstaller
output.102695041.txt
output.42001505.txt
8HHIUeF.tgz
safeinstall.exe
9a87c6d47e4495a6e7ddb4bd50fb4316a824201f314a4538ebee15375613a768.vir
freeopener.exe
53f29dcb78353.exe
978cd147cffac59e1f6bea946942b13c5a32be26
Advanced heuristic and reputation engines
ClamAV
Possibly Unwanted Application. While not necessarily malicious, the scanned file presents certain characteristics which depending on the user policies and environment may or may not represent a threat. For full details see: https://www.clamav.net/documents/potentially-unwanted-applications-pua .

TrendMicro-HouseCall
TrendMicro's heuristic engine has flagged this file as: TROJ_GEN.R0EBC0OCS16.

Condensed report! The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.
Opened files
Read files
Written files
Deleted files
Created processes
Created mutexes
Opened mutexes
Searched windows
Opened service managers
Opened services
Hooking activity
Runtime DLLs
Additional details
The file uses the IsDebuggerPresent Windows API function in order to see whether it is being debugged.
The file sends control codes directly to certain device drivers making use of the DeviceIoControl Windows API function.
The file installs an application-defined hook procedure into a hook chain. You would install a hook procedure to monitor the system for certain types of events. These events are associated either with a specific thread or with all threads in the same desktop as the calling thread. This is done making use of the SetWindowsHook Windows API function.
HTTP requests
DNS requests
TCP connections
UDP communications