SHA256: 9a87c6d47e4495a6e7ddb4bd50fb4316a824201f314a4538ebee15375613a768
File name: SafeInstaller
Detection ratio: 50 / 70
Analysis date: 2019-01-25 13:57:17 UTC ( 1 month, 4 weeks ago )
Antivirus Result Update (date of the engine's signature set)
Ad-Aware Application.Bundler.InstallIQ.D 20190125
AhnLab-V3 PUP/Win32.BundleInstaller.C578422 20190125
Antiy-AVL RiskWare[Downloader]/NSIS.Agent 20190125
Arcabit Application.Bundler.InstallIQ.D 20190125
Avast FileRepMetagen [Adw] 20190125
AVG FileRepMetagen [Adw] 20190125
Avira (no cloud) PUA/InstallIQ.Gen4 20190125
Baidu Win32.Adware.Generic.cb 20190125
BitDefender Application.Bundler.InstallIQ.D 20190125
Bkav W32.HfsAdware.6260 20190125
Comodo Application.Win32.InstallIQ.B@52inxm 20190125
CrowdStrike Falcon (ML) malicious_confidence_100% (D) 20181023
Cybereason malicious.a116c9 20190109
Cylance Unsafe 20190125
Cyren W32/InstallIQ.A.gen!Eldorado 20190125
DrWeb Adware.Downware.9566 20190125
eGambit Unsafe.AI_Score_91% 20190125
Emsisoft Application.InstallSmart (A) 20190125
Endgame malicious (high confidence) 20181108
ESET-NOD32 a variant of Win32/InstallIQ.A potentially unwanted 20190125
F-Prot W32/InstallIQ.A.gen!Eldorado 20190125
F-Secure Application.Bundler.InstallIQ 20190125
Fortinet W32/Generic.AC.13E3F!tr 20190125
GData Win32.Application.InstallIQ.F 20190125
Ikarus AdWare.MultiBundle 20190125
Sophos ML heuristic 20181128
Jiangmin Variant.Kazy.aii 20190125
K7AntiVirus Trojan ( 004b51001 ) 20190125
K7GW Trojan ( 004b51001 ) 20190125
Kaspersky not-a-virus:Downloader.NSIS.Agent.ij 20190125
Malwarebytes PUP.Optional.SafeInstall 20190125
MAX malware (ai score=100) 20190125
Microsoft PUA:Win32/InstallIQ 20190125
eScan Application.Bundler.InstallIQ.D 20190125
NANO-Antivirus Riskware.Win32.Adw.efutes 20190125
Panda Trj/Genetic.gen 20190125
Qihoo-360 Win32/Application.c39 20190125
Rising Trojan.Win32.Generic.1731D3EF (C64:YzY0OmZsOlgIfxuA) 20190125
SentinelOne (Static ML) static engine - malicious 20190124
Sophos AV DomaIQ pay-per install (PUA) 20190125
SUPERAntiSpyware PUP.SafeInstall/Variant 20190123
Symantec SMG.Heur!gen 20190125
Trapmine malicious.high.ml.score 20190123
TrendMicro PUA_INSTALLIQ.SM 20190125
TrendMicro-HouseCall PUA_INSTALLIQ.SM 20190125
VBA32 BScope.Trojan.Domaiq 20190125
VIPRE InstallIQ Installer (fs) 20190125
Webroot Pua.Safe.Installer 20190125
Zillya Adware.AmonetizeCRT.Win32.150 20190124
ZoneAlarm by Check Point not-a-virus:Downloader.NSIS.Agent.ij 20190125
Engines with no detection (engine, signature-set date):
Acronis 20190124
AegisLab 20190125
Alibaba 20180921
ALYac 20190125
Avast-Mobile 20190125
Babable 20180918
CAT-QuickHeal 20190125
ClamAV 20190125
CMC 20190125
Kingsoft 20190125
McAfee 20190125
McAfee-GW-Edition 20190125
Palo Alto Networks (Known Signatures) 20190125
TACHYON 20190125
Tencent 20190125
TheHacker 20190125
Trustlook 20190125
ViRobot 20190125
Yandex 20190124
Zoner 20190125
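A detection ratio of 50/70 says little on its own: most of the labels above are "potentially unwanted" style verdicts (PUA, PUP, Bundler, not-a-virus, Adware) rather than malware verdicts, and the family token that recurs across vendors is InstallIQ. The script below is an added example, not part of the VirusTotal report, that parses rows in the shape of the table above, separates PUA-style verdicts from the rest, and counts family tokens across engines. The embedded rows are a tab-separated subset copied from the table (constructed input); the PUA marker list and the stop-word list are this example's own heuristics.

```python
"""Added example, not part of the VirusTotal report: triage detection rows
like those in the table above. Separates PUA/PUP verdicts from outright
malware verdicts and extracts the consensus family token."""
import re
from collections import Counter

# Constructed input: 'engine<TAB>result<TAB>update'; an empty result = no detection.
SAMPLE_ROWS = """\
Ad-Aware\tApplication.Bundler.InstallIQ.D\t20190125
AhnLab-V3\tPUP/Win32.BundleInstaller.C578422\t20190125
Avast\tFileRepMetagen [Adw]\t20190125
Avira (no cloud)\tPUA/InstallIQ.Gen4\t20190125
CrowdStrike Falcon (ML)\tmalicious_confidence_100% (D)\t20181023
ESET-NOD32\ta variant of Win32/InstallIQ.A potentially unwanted\t20190125
Fortinet\tW32/Generic.AC.13E3F!tr\t20190125
K7AntiVirus\tTrojan ( 004b51001 )\t20190125
Kaspersky\tnot-a-virus:Downloader.NSIS.Agent.ij\t20190125
Microsoft\tPUA:Win32/InstallIQ\t20190125
Sophos AV\tDomaIQ pay-per install (PUA)\t20190125
TrendMicro\tPUA_INSTALLIQ.SM\t20190125
Symantec\tSMG.Heur!gen\t20190125
Malwarebytes\tPUP.Optional.SafeInstall\t20190125
ClamAV\t\t20190125
McAfee\t\t20190125
"""

# Vendor wording for "potentially unwanted" verdicts. The lookarounds exclude only
# letters and digits so that PUA_INSTALLIQ and [Adw] still match.
PUA_MARKER = re.compile(
    r"(?i)(?<![a-z0-9])(pua|pup|adw|adware|riskware|bundler|not-a-virus|"
    r"potentially unwanted)(?![a-z0-9])"
)
TOKEN = re.compile(r"[A-Za-z][A-Za-z0-9]{2,}")
# Platform and verdict-type words that carry no family information (heuristic list).
GENERIC = {
    "application", "bundler", "win32", "w32", "pua", "pup", "adw", "adware",
    "riskware", "generic", "variant", "trojan", "malicious", "confidence",
    "potentially", "unwanted", "downloader", "agent", "not", "virus", "gen",
    "heur", "optional", "pay", "per", "install", "installer", "unsafe",
}


def parse_rows(text: str) -> list:
    """Split tab-separated rows into engine / result / update dictionaries."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            engine, result, update = line.split("\t")
            rows.append({"engine": engine, "result": result.strip(), "update": update})
    return rows


def summarize(text: str) -> dict:
    """Counts of detections, PUA-style verdicts, and the most common family tokens."""
    rows = parse_rows(text)
    detected = [r for r in rows if r["result"]]
    pua_engines = {r["engine"] for r in detected if PUA_MARKER.search(r["result"])}
    families = Counter()
    for r in detected:
        # Count each token once per engine so a verbose label cannot dominate.
        families.update({t.lower() for t in TOKEN.findall(r["result"])} - GENERIC)
    return {
        "engines": len(rows),
        "detected": len(detected),
        "pua_flagged": len(pua_engines),
        "malware_verdicts": sorted(r["engine"] for r in detected
                                   if r["engine"] not in pua_engines),
        "top_families": families.most_common(3),
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_ROWS)
    print(f'{s["detected"]}/{s["engines"]} detections, {s["pua_flagged"]} PUA-style')
    print("malware-style verdicts:", s["malware_verdicts"])
    print("family tokens:", s["top_families"])
```

On the full table the same logic would show that the handful of "Trojan"/"malicious" labels come from generic or ML engines (K7, Panda, Rising, CrowdStrike, SentinelOne, Trapmine), while the named verdicts agree on a bundler family; that is the point to carry into a triage note, not the raw ratio.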
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
Authenticode signature block and FileVersionInfo properties
Copyright Copyright (C) 2014
Product SafeInstaller
Original name safeinstall.exe
Internal name SafeInstaller
File version 1.0.58.0
Description Safe Installer
Signature verification A certificate was explicitly revoked by its issuer.
Signing date 2:59 PM 1/25/2019
Signers
[+] InstallX, LLC
Status This certificate or one of the certificates in the certificate chain is not time valid., Trust for this certificate or one of the certificates in the certificate chain has been revoked.
Issuer DigiCert Assured ID Code Signing CA-1
Valid from 12:00 AM 03/21/2014
Valid to 12:00 PM 04/08/2015
Valid usage Code Signing
Algorithm sha1RSA
Thumbprint AB46C85672419A1B0C804810AA29D6F2620EF751
Serial number 0F 4D 18 81 92 31 8D 28 51 0F C8 86 CB B8 55 E6
[+] DigiCert Assured ID Code Signing CA-1
Status Valid
Issuer DigiCert Assured ID Root CA
Valid from 12:00 PM 02/11/2011
Valid to 12:00 PM 02/10/2026
Valid usage Code Signing
Algorithm sha1RSA
Thumbprint 409AA4A74A0CDA7C0FEE6BD0BB8823D16B5F1875
Serial number 0F A8 49 06 15 D7 00 A0 BE 21 76 FD C5 EC 6D BD
[+] DigiCert
Status Valid
Issuer DigiCert Assured ID Root CA
Valid from 12:00 AM 11/10/2006
Valid to 12:00 AM 11/10/2031
Valid usage Server Auth, Client Auth, Email Protection, Code Signing, Timestamp Signing
Algorithm sha1RSA
Thumbprint 0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43
Serial number 0C E7 E0 E5 17 D8 46 FE 8F E5 60 FC 1B F0 30 39
Packers identified
F-PROT PECompact, ZIP, PecBundle, UPX
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2014-08-08 15:31:09 UTC
Entry Point 0x0005A9DA
Number of sections 28
PE sections
Overlays
MD5 948a0a8781f02fd151f42b80bed520c1
File type data
Offset 2030080
Size 4120
Entropy 6.93
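The overlay figures above are internally consistent: offset 2030080 plus size 4120 is exactly the file size of 2034200 bytes, so the overlay runs to end of file. With the file tagged both "signed" and "overlay", a 4120-byte overlay at entropy 6.93 is what an Authenticode certificate table carrying the three-certificate chain listed above looks like, although the report does not state that explicitly. The script below is an added example, not part of the report: it parses a PE32 header with the standard library only, finds the overlay from the section table, measures its entropy, checks whether the overlay is exactly the certificate table named in the security data directory, and computes the SHA-256 Authenticode hash (the "authentihash" listed under File identification) by excluding the CheckSum field, the security directory entry and the certificate table from the digest. The sample PE is constructed inline and is not the SafeInstaller binary; PE32+ is deliberately rejected since its data directories sit 16 bytes further on.

```python
"""Added example, not part of the VirusTotal report: overlay, entropy and
Authenticode hash of a PE32 image, on a PE constructed inline."""
import hashlib
import math
import struct
from collections import Counter


def shannon_entropy(blob: bytes) -> float:
    """Bits per byte: 0.0 for constant data, 8.0 for a uniform byte distribution."""
    n = len(blob)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(blob).values())


def parse_pe(data: bytes) -> dict:
    """Header offsets, section table, security directory and overlay of a PE32 image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = pe_off + 4
    nsect = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 handled; PE32+ shifts the data directories by 16")
    size_of_headers = struct.unpack_from("<I", data, opt + 60)[0]
    checksum_off = opt + 64
    secdir_off = opt + 96 + 4 * 8                 # IMAGE_DIRECTORY_ENTRY_SECURITY = 4
    cert_off, cert_len = struct.unpack_from("<II", data, secdir_off)  # file offset, not RVA
    sections = []
    for i in range(nsect):
        base = opt + opt_size + 40 * i
        size_raw, ptr_raw = struct.unpack_from("<II", data, base + 16)
        sections.append({"name": data[base:base + 8].rstrip(b"\0").decode("ascii", "replace"),
                         "ptr_raw": ptr_raw, "size_raw": size_raw})
    end = max((s["ptr_raw"] + s["size_raw"] for s in sections), default=size_of_headers)
    overlay = data[end:]
    return {
        "size_of_headers": size_of_headers, "checksum_off": checksum_off,
        "secdir_off": secdir_off, "cert_off": cert_off, "cert_len": cert_len,
        "sections": sections, "overlay_off": end, "overlay_size": len(overlay),
        "overlay_entropy": shannon_entropy(overlay),
        # On a signed file the overlay is often nothing but the certificate table.
        "overlay_is_cert_table": bool(cert_len and cert_off == end
                                      and cert_off + cert_len == len(data)),
    }


def authentihash(data: bytes) -> str:
    """SHA-256 over the headers minus CheckSum and the security directory entry, the
    sections in raw-offset order, then any trailing bytes minus the certificate table."""
    pe = parse_pe(data)
    cs, sd, hdr_end = pe["checksum_off"], pe["secdir_off"], pe["size_of_headers"]
    h = hashlib.sha256()
    for chunk in (data[:cs], data[cs + 4:sd], data[sd + 8:hdr_end]):
        h.update(chunk)
    hashed = hdr_end
    for s in sorted(pe["sections"], key=lambda s: s["ptr_raw"]):
        h.update(data[s["ptr_raw"]:s["ptr_raw"] + s["size_raw"]])
        hashed += s["size_raw"]
    tail = data[hashed:]
    if pe["cert_len"]:                            # drop the WIN_CERTIFICATE blob itself
        rel = pe["cert_off"] - hashed
        tail = tail[:rel] + tail[rel + pe["cert_len"]:]
    h.update(tail)
    return h.hexdigest()


def build_sample_pe(cert_body: bytes = bytes(range(256)) * 4) -> bytes:
    """Constructed one-section PE32 whose overlay is a WIN_CERTIFICATE blob (illustrative)."""
    align = 0x200
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)              # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0x53E4E50D, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                            # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000)                          # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)                        # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, align)                  # Section/FileAlignment
    struct.pack_into("<II", opt, 56, 0x2000, align)                  # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", opt, 64, 0xDEADBEEF)                      # CheckSum (never hashed)
    struct.pack_into("<H", opt, 68, 2)                               # Subsystem: Windows GUI
    struct.pack_into("<I", opt, 92, 16)                              # NumberOfRvaAndSizes
    cert = struct.pack("<IHH", 8 + len(cert_body), 0x0200, 0x0002) + cert_body
    struct.pack_into("<II", opt, 96 + 4 * 8, 2 * align, len(cert))  # security dir -> overlay
    sect = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000, align, align, 0, 0, 0, 0, 0x60000020)
    headers = (dos + b"PE\0\0" + coff + bytes(opt) + sect).ljust(align, b"\0")
    text = (b"\xC3" + b"\xCC" * 15).ljust(align, b"\xCC")            # ret; int3 padding
    return headers + text + cert


if __name__ == "__main__":
    sample = build_sample_pe()
    info = parse_pe(sample)
    print(f"overlay at {info['overlay_off']} size {info['overlay_size']} "
          f"entropy {info['overlay_entropy']:.2f} cert_table={info['overlay_is_cert_table']}")
    print("authentihash", authentihash(sample))
```

Because the certificate table is excluded from the digest, stripping or replacing the signature leaves the authentihash unchanged; that is what makes it a useful pivot for finding re-signed or unsigned copies of the same build, and it is why a file with a revoked certificate still shares its authentihash with any correctly signed sibling.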
PE imports
[+] ADVAPI32.dll
RegDeleteKeyA
RegOpenCurrentUser
RegCloseKey
RegQueryValueExA
LookupPrivilegeValueA
AdjustTokenPrivileges
RegCreateKeyExA
GetSidSubAuthorityCount
GetSidSubAuthority
OpenProcessToken
SetTokenInformation
RegOpenKeyExA
RegDeleteValueA
GetTokenInformation
DuplicateTokenEx
IsValidSid
GetSidIdentifierAuthority
GetLengthSid
RegEnumKeyExA
RegQueryInfoKeyA
RevertToSelf
RegSetValueExA
ImpersonateLoggedOnUser
RegOpenUserClassesRoot
[+] COMCTL32.dll
ImageList_Create
InitCommonControlsEx
ImageList_LoadImageA
ImageList_Add
ImageList_Destroy
[+] CRYPT32.dll
CryptUnprotectData
[+] GDI32.dll
GetObjectA
DeleteDC
SelectObject
PatBlt
GetStockObject
SetWindowOrgEx
BitBlt
CreateCompatibleDC
DeleteObject
CreateCompatibleBitmap
[+] KERNEL32.dll
GetPrivateProfileSectionNamesA
GetStdHandle
ReleaseMutex
FileTimeToSystemTime
GetFileAttributesA
WaitForSingleObject
SetEndOfFile
HeapDestroy
EncodePointer
GetFileAttributesW
GetLocalTime
DeleteCriticalSection
GetCurrentProcess
GetConsoleMode
LocalAlloc
Module32First
FreeEnvironmentStringsW
SetStdHandle
GetTempPathA
GetCPInfo
GetDiskFreeSpaceW
WriteFile
FormatMessageW
GetSystemTimeAsFileTime
EnumResourceLanguagesA
HeapReAlloc
GetStringTypeW
GetFullPathNameA
GetExitCodeProcess
LocalFree
MoveFileA
InitializeCriticalSection
OutputDebugStringW
FindClose
InterlockedDecrement
FormatMessageA
GetFullPathNameW
BeginUpdateResourceA
SetLastError
GetUserDefaultUILanguage
GetSystemTime
TlsGetValue
LoadResource
GetModuleFileNameW
IsDebuggerPresent
ExitProcess
GetVersionExA
GetModuleFileNameA
UpdateResourceA
LoadLibraryExA
GetPrivateProfileStringA
UnhandledExceptionFilter
LoadLibraryExW
MultiByteToWideChar
SetFilePointerEx
CreateMutexA
GetModuleHandleA
LockFileEx
CreateThread
SetFileAttributesA
RtlCaptureStackBackTrace
Module32Next
SetUnhandledExceptionFilter
IsProcessorFeaturePresent
ExitThread
DecodePointer
SetEnvironmentVariableA
TerminateProcess
GetModuleHandleExW
VirtualQuery
ReadConsoleW
GetCurrentThreadId
LeaveCriticalSection
WriteConsoleW
CreateToolhelp32Snapshot
AreFileApisANSI
InitializeCriticalSectionAndSpinCount
HeapFree
EnterCriticalSection
OpenProcess
LoadLibraryW
FreeLibrary
QueryPerformanceCounter
GetTickCount
TlsAlloc
FlushFileBuffers
LoadLibraryA
EndUpdateResourceA
RtlUnwind
GetSystemDirectoryA
Process32Next
UnlockFile
GetFileSize
Process32First
GetPrivateProfileIntA
CreateDirectoryA
DeleteFileA
GetWindowsDirectoryA
GetDateFormatW
GetStartupInfoW
SetEvent
DeleteFileW
GetProcAddress
GetProcessHeap
GetTimeFormatW
FindFirstFileA
GetDiskFreeSpaceA
EnumResourceNamesA
ResetEvent
GetTempFileNameA
CreateFileMappingA
FindNextFileA
ExpandEnvironmentStringsA
GetTempPathW
GetTimeZoneInformation
CreateFileW
CreateEventA
CopyFileA
GetFileType
TlsSetValue
CreateFileA
HeapAlloc
InterlockedIncrement
GetLastError
SystemTimeToFileTime
LCMapStringW
GetSystemInfo
lstrlenA
GetConsoleCP
CompareStringW
GetEnvironmentStringsW
FindResourceExA
LockFile
RemoveDirectoryA
WaitForSingleObjectEx
SizeofResource
WritePrivateProfileStringA
GetCurrentProcessId
LockResource
GetCurrentDirectoryA
HeapSize
GetCommandLineA
InterlockedCompareExchange
GetCurrentThread
RaiseException
MapViewOfFile
TlsFree
SetFilePointer
ReadFile
CloseHandle
UnlockFileEx
GetACP
GetModuleHandleW
GetFileAttributesExW
FindResourceExW
CreateProcessA
WideCharToMultiByte
IsValidCodePage
UnmapViewOfFile
FindResourceW
GetLongPathNameA
Sleep
FindResourceA
GetOEMCP
[+] OLEAUT32.dll
VariantChangeType
SafeArrayAccessData
SysStringLen
SysAllocStringLen
SafeArrayUnaccessData
VariantClear
SysAllocString
SafeArrayDestroy
SafeArrayCreateVector
SysFreeString
VariantInit
[+] PSAPI.DLL
GetModuleFileNameExA
EnumProcesses
[+] SHELL32.dll
ShellExecuteExA
SHGetSpecialFolderPathA
Shell_NotifyIconA
[+] SHLWAPI.dll
PathFindExtensionA
PathRenameExtensionA
PathCombineA
PathStripPathA
SHDeleteEmptyKeyA
UrlEscapeA
SHCopyKeyA
PathIsDirectoryEmptyA
PathRemoveFileSpecA
[+] USER32.dll
SetFocus
GetMessageA
GetParent
IsIconic
UpdateWindow
EndDialog
BeginPaint
EnumWindows
MoveWindow
GetShellWindow
KillTimer
GetClassInfoExA
DestroyMenu
FindWindowA
ScreenToClient
ShowWindow
SetClassLongA
LoadBitmapA
SetWindowPos
GetWindowThreadProcessId
MessageBoxExA
GetSystemMetrics
EnableMenuItem
IsWindow
AppendMenuA
PostQuitMessage
GetWindowRect
DispatchMessageA
EnableWindow
SetDlgItemTextA
PostMessageA
LoadImageA
EnumChildWindows
MessageBoxA
DialogBoxParamA
SetWindowLongA
AdjustWindowRectEx
TranslateMessage
IsWindowEnabled
FrameRect
LoadAcceleratorsA
RegisterClassExA
ReleaseCapture
CreatePopupMenu
SystemParametersInfoA
SetWindowTextA
SendMessageW
LoadStringA
GetCursorPos
SetParent
FindWindowExA
IsWindowVisible
SendMessageA
SetForegroundWindow
GetClientRect
CreateWindowExA
GetDlgItem
OffsetRect
CreateDialogParamA
GetSystemMenu
ClientToScreen
DefWindowProcA
InvalidateRect
AnimateWindow
GetWindowLongA
GetWindowTextLengthA
SetTimer
LoadCursorA
GetKeyboardState
TrackPopupMenu
TranslateAcceleratorA
CopyRect
WaitForInputIdle
GetDesktopWindow
InflateRect
CallWindowProcA
GetClassNameA
GetFocus
LoadIconA
EndPaint
GetWindowTextA
InvalidateRgn
SetCursor
DestroyWindow
[+] USERENV.dll
ExpandEnvironmentStringsForUserA
[+] VERSION.dll
GetFileVersionInfoSizeA
GetFileVersionInfoA
VerQueryValueA
[+] WININET.dll
FindCloseUrlCache
HttpSendRequestA
InternetSetStatusCallback
InternetReadFileExA
HttpAddRequestHeadersA
InternetSetCookieA
HttpOpenRequestA
InternetCombineUrlA
HttpQueryInfoA
FindFirstUrlCacheEntryA
InternetOpenA
FindNextUrlCacheEntryA
InternetConnectA
InternetGetCookieA
InternetSetOptionA
InternetErrorDlg
InternetCanonicalizeUrlA
InternetCrackUrlA
InternetCloseHandle
[+] gdiplus.dll
GdipDeleteGraphics
GdipCreateFromHDC
GdipSetCompositingMode
[+] ole32.dll
OleUninitialize
CoInitialize
CoTaskMemAlloc
CoCreateGuid
CoCreateInstance
CoInitializeSecurity
CoTaskMemFree
StringFromGUID2
OleInitialize
[+] urlmon.dll
IsValidURL
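Read as capabilities rather than as a list, the imports above tell a coherent bundler story: token duplication and impersonation next to RegOpenCurrentUser and RegOpenUserClassesRoot (writing another logon's HKCU/HKCR), CryptUnprotectData (DPAPI, the API used to read browser-stored secrets), WinINet cookie and URL-cache calls, the BeginUpdateResource/UpdateResource/EndUpdateResource trio (rewriting PE resources, typically to stamp a payload or configuration into a dropped executable), Toolhelp and PSAPI process enumeration, and FindWindow/EnumWindows. The script below is an added example, not part of the report, that turns such a list into a capability summary and also computes the pefile-style import hash ("imphash") shown under File identification. The API-to-capability map is this example's own heuristic; the sample input is a subset of the imports above, grouped under the DLLs that export them by the editor rather than by the report, in an order chosen here, so the hash it yields is not the report's value (that needs the import table order and any ordinal imports from the binary itself).

```python
"""Added example, not part of the VirusTotal report: capability triage over an
import list, plus the pefile/VirusTotal import hash."""
import hashlib

# Constructed input: (DLL, [imported function ...]) in an order chosen for this example.
SAMPLE_IMPORTS = [
    ("ADVAPI32.dll", ["RegOpenCurrentUser", "LookupPrivilegeValueA", "AdjustTokenPrivileges",
                      "OpenProcessToken", "SetTokenInformation", "DuplicateTokenEx",
                      "RevertToSelf", "RegSetValueExA", "ImpersonateLoggedOnUser",
                      "RegOpenUserClassesRoot"]),
    ("CRYPT32.dll", ["CryptUnprotectData"]),
    ("KERNEL32.dll", ["IsDebuggerPresent", "BeginUpdateResourceA", "UpdateResourceA",
                      "EndUpdateResourceA", "CreateToolhelp32Snapshot", "Process32First",
                      "Process32Next", "CreateProcessA", "Sleep"]),
    ("PSAPI.DLL", ["EnumProcesses"]),
    ("SHELL32.dll", ["ShellExecuteExA"]),
    ("USER32.dll", ["FindWindowA", "EnumWindows", "GetShellWindow"]),
    ("WININET.dll", ["HttpSendRequestA", "InternetReadFileExA", "InternetSetCookieA",
                     "HttpOpenRequestA", "InternetOpenA", "InternetConnectA",
                     "InternetGetCookieA", "FindFirstUrlCacheEntryA"]),
]

# Heuristic map: one hit is worth a look, several hits in a category a closer one.
CAPABILITY_RULES = {
    "token manipulation / impersonation": {
        "OpenProcessToken", "DuplicateTokenEx", "SetTokenInformation",
        "ImpersonateLoggedOnUser", "RevertToSelf", "AdjustTokenPrivileges",
        "LookupPrivilegeValueA"},
    "per-user registry reached through a token": {"RegOpenCurrentUser", "RegOpenUserClassesRoot"},
    "DPAPI secret decryption": {"CryptUnprotectData"},
    "browser cookie / URL-cache access": {
        "InternetGetCookieA", "InternetSetCookieA",
        "FindFirstUrlCacheEntryA", "FindNextUrlCacheEntryA"},
    "HTTP client": {"InternetOpenA", "InternetConnectA", "HttpOpenRequestA",
                    "HttpSendRequestA", "InternetReadFileExA"},
    "process enumeration": {"CreateToolhelp32Snapshot", "Process32First", "Process32Next",
                            "EnumProcesses", "Module32First", "Module32Next"},
    "process / shell execution": {"CreateProcessA", "ShellExecuteExA"},
    "PE resource rewriting": {"BeginUpdateResourceA", "UpdateResourceA", "EndUpdateResourceA"},
    "anti-debugging": {"IsDebuggerPresent"},
    "window hunting": {"FindWindowA", "FindWindowExA", "EnumWindows", "GetShellWindow"},
}


def flatten(imports_by_dll) -> list:
    """All named imports regardless of DLL (ordinal-only imports carry no name)."""
    return [f for _dll, funcs in imports_by_dll for f in funcs if isinstance(f, str)]


def triage(import_names) -> dict:
    """Capability -> sorted list of the imported APIs that suggest it."""
    names = set(import_names)
    return {cap: sorted(names & apis) for cap, apis in CAPABILITY_RULES.items() if names & apis}


def imphash(imports_by_dll) -> str:
    """md5 of 'dll.func' pairs, lower-cased, DLL extension stripped, in import-table
    order; ordinal-only imports are written 'ordN'. (pefile additionally maps known
    ordinals of ws2_32/wsock32/oleaut32 back to names; that table is omitted here.)"""
    parts = []
    for dll, funcs in imports_by_dll:
        base = dll.lower()
        for ext in (".dll", ".ocx", ".sys"):
            if base.endswith(ext):
                base = base[:-len(ext)]
                break
        for f in funcs:
            name = f"ord{f}" if isinstance(f, int) else f.lower()
            parts.append(f"{base}.{name}")
    return hashlib.md5(",".join(parts).encode("ascii")).hexdigest()


if __name__ == "__main__":
    for capability, apis in triage(flatten(SAMPLE_IMPORTS)).items():
        print(f"{capability:45s} {', '.join(apis)}")
    print("imphash", imphash(SAMPLE_IMPORTS))
```

Two caveats a reviewer would attach: IsDebuggerPresent is also imported by the MSVC C runtime for its own error-reporting path, so that single hit is weak evidence by itself; and imphash collides across unrelated binaries built with the same toolchain and libraries, so it is a pivot for finding relatives of a sample, not a verdict.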
Number of PE resources by type
RT_ICON 9
RT_STRING 4
RT_DIALOG 3
RT_FILE 3
RT_GROUP_ICON 2
RT_MANIFEST 1
RT_RCDATA 1
RT_ACCELERATOR 1
RT_VERSION 1
Number of PE resources by language
ENGLISH US 24
NEUTRAL 1
PE resources
Debug information
ExifTool file metadata
SubsystemVersion: 5.1
InitializedDataSize: 912896
ImageVersion: 0.0
ProductName: SafeInstaller
FileVersionNumber: 1.0.58.0
UninitializedDataSize: 0
LanguageCode: English (U.S.)
FileFlagsMask: 0x003f
ImageFileCharacteristics: No relocs, Executable, 32-bit
CharacterSet: Unicode
LinkerVersion: 11.0
FileTypeExtension: exe
OriginalFileName: safeinstall.exe
MIMEType: application/octet-stream
Subsystem: Windows GUI
FileVersion: 1.0.58.0
TimeStamp: 2014:08:08 16:31:09+01:00
FileType: Win32 EXE
PEType: PE32
InternalName: SafeInstaller
ProductVersion: 1.0.58.0
FileDescription: Safe Installer
OSVersion: 5.1
FileOS: Windows NT 32-bit
LegalCopyright: Copyright (C) 2014
MachineType: Intel 386 or later, and compatibles
CompanyName: SafeInstall, LLC
CodeSize: 1115136
FileSubtype: 0
ProductVersionNumber: 1.0.58.0
EntryPoint: 0x5a9da
ObjectFileType: Executable application

File identification
MD5 eef1ccda116c943ae229111f2ac22ea5
SHA1 978cd147cffac59e1f6bea946942b13c5a32be26
SHA256 9a87c6d47e4495a6e7ddb4bd50fb4316a824201f314a4538ebee15375613a768
ssdeep 24576:LAy4hD6LSGJTXFDAfn67QuDGOVUab4Zn+xBl8Q+6QAELCtLmR3JyBTUgWTJyfCUh:2bfAQEVxNxIQjPEL33JzTyBh8V3K
authentihash cfe36a26192384d52dabb39bd1be1cc28cfa4dec14a7e26a5bf85b6c7382686d
imphash d9cdead5407531b98ec5c0343e9c2535
File size 1.9 MB ( 2034200 bytes )
File type Win32 EXE
Magic literal PE32 executable for MS Windows (GUI) Intel 80386 32-bit
TrID Win64 Executable (generic) (61.7%)
Win32 Dynamic Link Library (generic) (14.7%)
Win32 Executable (generic) (10.0%)
OS/2 Executable (generic) (4.5%)
Generic Win/DOS Executable (4.4%)
Tags
peexe overlay revoked-cert signed pecompact upx

VirusTotal metadata
First submission 2014-08-16 10:36:09 UTC ( 4 years, 7 months ago )
Last submission 2018-06-22 08:58:02 UTC ( 9 months ago )
File names 3f5a0d69e7b93ce11de27bcbe91a8ec54a9c7d2e
20161202154429
SafeInstaller
output.102695041.txt
output.42001505.txt
8HHIUeF.tgz
safeinstall.exe
9a87c6d47e4495a6e7ddb4bd50fb4316a824201f314a4538ebee15375613a768.vir
freeopener.exe
53f29dcb78353.exe
978cd147cffac59e1f6bea946942b13c5a32be26
Advanced heuristic and reputation engines
ClamAV
Possibly Unwanted Application. While not necessarily malicious, the scanned file presents certain characteristics which depending on the user policies and environment may or may not represent a threat. For full details see: https://www.clamav.net/documents/potentially-unwanted-applications-pua .

TrendMicro-HouseCall
TrendMicro's heuristic engine has flagged this file as: TROJ_GEN.R0EBC0OCS16.

Condensed report! The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.
Opened files
Read files
Written files
Deleted files
Created processes
Created mutexes
Opened mutexes
Searched windows
Opened service managers
Opened services
Hooking activity
Runtime DLLs
Additional details
The file calls the IsDebuggerPresent Windows API function to check whether it is being debugged. IsDebuggerPresent is also imported by the MSVC C runtime for its own error-reporting path, so on its own this is weak evidence of deliberate anti-debugging.
The file sends control codes directly to certain device drivers using the DeviceIoControl Windows API function. DeviceIoControl does not appear in the static import table above, so the call was made either through a dynamically resolved import (LoadLibrary and GetProcAddress are imported) or by a process the installer launched.
The file installs an application-defined hook procedure into a hook chain using the SetWindowsHook Windows API function. A hook procedure monitors the system for certain types of events, associated either with a specific thread or with all threads in the same desktop as the calling thread. Like DeviceIoControl, this API is absent from the static import table, so it was resolved at run time or used by a child process.
HTTP requests
DNS requests
TCP connections
UDP communications