SHA256: 9a8e3a38edea1b387f23fbddab2ab2595271e557056f7da2f546d7e1c0e119be
File name: eaf334acbf6d24c.exe
Detection ratio: 7 / 56
Analysis date: 2016-12-12 23:53:19 UTC
Antivirus Result Update
AegisLab Heur.Advml.Gen!c 20161212
Baidu Win32.Trojan.WisdomEyes.16070401.9500.9998 20161207
Comodo Heur.Packed.Unknown 20161212
CrowdStrike Falcon (ML) malicious_confidence_100% (D) 20161024
Sophos ML trojanspy.win32.nivdort.dy 20161202
Rising Malware.Generic!XLJQMh1AfWE@2 (thunder) 20161212
Symantec Heur.AdvML.B 20161212
Antivirus (no detection) Update
Ad-Aware 20161213
AhnLab-V3 20161212
Alibaba 20161212
ALYac 20161212
Antiy-AVL 20161213
Arcabit 20161213
Avast 20161213
AVG 20161213
Avira (no cloud) 20161212
AVware 20161213
BitDefender 20161213
Bkav 20161212
CAT-QuickHeal 20161212
ClamAV 20161212
CMC 20161212
Cyren 20161212
DrWeb 20161212
Emsisoft 20161212
ESET-NOD32 20161212
F-Prot 20161212
F-Secure 20161212
Fortinet 20161212
GData 20161212
Ikarus 20161212
Jiangmin 20161212
K7AntiVirus 20161212
K7GW 20161212
Kaspersky 20161212
Kingsoft 20161213
Malwarebytes 20161212
McAfee 20161212
McAfee-GW-Edition 20161212
Microsoft 20161212
eScan 20161212
NANO-Antivirus 20161212
nProtect 20161212
Panda 20161212
Qihoo-360 20161213
Sophos AV 20161212
SUPERAntiSpyware 20161212
Tencent 20161213
TheHacker 20161212
TrendMicro 20161212
TrendMicro-HouseCall 20161212
Trustlook 20161213
VBA32 20161212
VIPRE 20161213
ViRobot 20161212
WhiteArmor 20161212
Yandex 20161212
Zillya 20161210
Zoner 20161212
The file is a Portable Executable (PE32) image: a Win32 EXE built for the Windows console (command line) subsystem.
Authenticode signature block and FileVersionInfo properties
Signature verification: A certificate was explicitly revoked by its issuer. The chain itself (GlobalSign Extended Validation CodeSigning CA G3 up to the GlobalSign root) still validates; what fails is the revocation check on the leaf certificate, so a verifier that skips CRL/OCSP lookups, or one that ran before the revocation was published, would report this file as validly signed.
Signers
Liberta LLC
Status Trust for this certificate or one of the certificates in the certificate chain has been revoked.
Issuer GlobalSign Extended Validation CodeSigning CA - SHA256 - G3
Valid from 4:19 PM 11/8/2016
Valid to 4:19 PM 11/9/2017
Valid usage Code Signing
Algorithm sha256RSA
Thumbprint 10E309844726EC6A4A56CA12889EE067EDA23F66
Serial number 40 6E C6 2E 46 9A 88 D3 60 E5 5C 2A
GlobalSign Extended Validation CodeSigning CA - SHA256 - G3
Status Valid
Issuer GlobalSign
Valid from 1:00 AM 6/15/2016
Valid to 1:00 AM 6/15/2024
Valid usage Code Signing, OCSP Signing
Algorithm sha256RSA
Thumbprint 87A63D9ADB627D777836153C680A3DFCF27DE90C
Serial number 48 1B 6A 07 A9 42 4C 1E AA FE F3 CD F1 0F
GlobalSign
Status Valid
Issuer GlobalSign
Valid from 11:00 AM 3/18/2009
Valid to 11:00 AM 3/18/2029
Valid usage Server Auth, Client Auth, Code Signing, Email Protection, Timestamp Signing, EFS, IPSEC Tunnel, IPSEC User
Algorithm sha256RSA
Thumbprint D69B561148F01C77C54578C10926DF5B856976AD
Serial number 04 00 00 00 00 01 21 58 53 08 A2
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2016-12-12 22:26:22 (eight minutes after the first VirusTotal submission at 22:18:54 UTC, so the linker timestamp cannot be taken at face value)
Entry Point 0x00002860
Number of sections 7
PE sections
Overlays
MD5 58abd479dbbd72e085197b61cb7b98db
File type data
Offset 182272
Size 4200
Entropy 7.38
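The revoked-signature finding and the overlay finding above both come from the PE file layout, so here is an added example (not code from VirusTotal or from the sample's author) that reads those structures in pure Python: it locates the overlay, measures its entropy, checks whether the overlay is exactly the attribute certificate table pointed to by the security data directory, and computes the Authenticode image hash (the authentihash listed under File identification) by skipping the CheckSum field, the security directory entry and the certificate table, as the Authenticode PE hashing steps prescribe. The input is a constructed toy PE32 built by build_sample_pe, not the real eaf334acbf6d24c.exe, and the WIN_CERTIFICATE body is a placeholder byte pattern rather than a real PKCS#7 SignedData blob; all function names are this example's own.

```python
import hashlib
import math
import struct

# Fixed offsets from the PE/COFF spec, relative to the PE32 optional header.
OPT_SIZE_OF_HEADERS = 60
OPT_CHECKSUM = 64
OPT_DATADIR = 96           # first IMAGE_DATA_DIRECTORY entry (112 for PE32+)
DIR_SECURITY = 4           # IMAGE_DIRECTORY_ENTRY_SECURITY: (file offset, size)


def parse_pe(data: bytes) -> dict:
    """Header fields needed for overlay detection and Authenticode hashing."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    secdir = opt + (OPT_DATADIR if magic == 0x10B else 112) + 8 * DIR_SECURITY
    sec_tbl = opt + opt_size
    # Section entries: SizeOfRawData at +16, PointerToRawData at +20 -> (ptr, size)
    sections = [struct.unpack_from("<II", data, sec_tbl + 40 * i + 16)[::-1]
                for i in range(nsec)]
    return {
        "checksum_off": opt + OPT_CHECKSUM,
        "secdir_off": secdir,
        "cert": struct.unpack_from("<II", data, secdir),
        "size_of_headers": struct.unpack_from("<I", data, opt + OPT_SIZE_OF_HEADERS)[0],
        "sections": sections,
    }

def overlay(data: bytes):
    """(offset, size) of bytes after the last section: VirusTotal's 'Overlays'."""
    end = max(ptr + size for ptr, size in parse_pe(data)["sections"])
    return end, len(data) - end

def shannon_entropy(buf: bytes) -> float:
    """Bits per byte, 0.0 (constant) to 8.0 (uniform); compressed, encrypted and
    certificate data all sit near 8, so entropy alone does not mean 'packed'."""
    if not buf:
        return 0.0
    n = len(buf)
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def overlay_is_signature(data: bytes) -> bool:
    """True when the overlay is exactly the attribute certificate table."""
    cert_off, cert_size = parse_pe(data)["cert"]
    return cert_size > 0 and (cert_off, cert_size) == overlay(data)

def authentihash(data: bytes, algo: str = "sha256") -> str:
    """Authenticode image hash: CheckSum, security dir entry and cert table are skipped."""
    pe = parse_pe(data)
    h = hashlib.new(algo)
    h.update(data[:pe["checksum_off"]])
    h.update(data[pe["checksum_off"] + 4:pe["secdir_off"]])
    h.update(data[pe["secdir_off"] + 8:pe["size_of_headers"]])
    hashed = pe["size_of_headers"]              # SUM_OF_BYTES_HASHED in the spec
    for ptr, size in sorted(pe["sections"]):    # sections in file order
        h.update(data[ptr:ptr + size])
        hashed += size
    extra = len(data) - pe["cert"][1] - hashed  # data between sections and cert table
    if extra > 0:
        h.update(data[hashed:hashed + extra])
    return h.hexdigest()

def build_sample_pe(cert_blob: bytes) -> bytes:
    """Constructed toy PE32 console image (NOT the sample in the report): 512-byte
    headers, one 512-byte .text section, then a WIN_CERTIFICATE wrapping cert_blob."""
    cert = struct.pack("<IHH", 8 + len(cert_blob), 0x0200, 0x0002) + cert_blob
    cert += b"\0" * (-len(cert) % 8)            # certificate table is 8-byte aligned
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)       # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)  # i386, 1 section, EXE
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)       # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000)     # AddressOfEntryPoint
    struct.pack_into("<III", opt, 28, 0x400000, 0x1000, 0x200)  # ImageBase, alignments
    struct.pack_into("<II", opt, 56, 0x2000, 512)  # SizeOfImage, SizeOfHeaders
    struct.pack_into("<H", opt, 68, 3)          # Subsystem 3 = Windows console
    struct.pack_into("<I", opt, 92, 16)         # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, OPT_DATADIR + 8 * DIR_SECURITY, 1024, len(cert))
    sec = bytearray(40)
    sec[:5] = b".text"
    struct.pack_into("<IIII", sec, 8, 0x200, 0x1000, 0x200, 0x200)  # VSize, VA, RawSize, RawPtr
    struct.pack_into("<I", sec, 36, 0x60000020)  # CODE | EXECUTE | READ
    hdr = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + bytes(sec)).ljust(512, b"\0")
    text = (b"\xC3" * 16).ljust(512, b"\xCC")   # stand-in code: ret, int3 padding
    return hdr + text + cert

if __name__ == "__main__":
    sample = build_sample_pe(bytes(range(256)))  # placeholder blob, not a real PKCS#7
    off, size = overlay(sample)
    print(f"overlay offset={off} size={size} entropy={shannon_entropy(sample[off:]):.2f} "
          f"is_signature={overlay_is_signature(sample)}")
    print("authentihash", authentihash(sample))
```

Two checks fall out of this. First, a signed file's certificate table is stored as overlay data, so an "overlay" on a signed binary should be compared with the security directory before it is read as an appended payload; in this report the 4200-byte overlay at offset 182272 ends exactly at the 186472-byte file size, where a signature block would sit, and only the security directory entry tells the two apart. Second, authentihash ignores the signature, so re-signing the same image with a different (or not yet revoked) certificate yields a new SHA256 but the same authentihash, which makes the authentihash the better pivot for finding sibling builds of a sample.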
PE imports
SetWaitableTimer
UpdateResourceW
GetCommandLineW
CreateMemoryResourceNotification
CloseHandle
FreeConsole
DefineDosDeviceA
ExitThread
lstrlenW
VarBoolFromR8
VarNumFromParseNum
VarI2FromR8
SafeArrayGetRecordInfo
VarUI1FromCy
VarCyFromI4
CreateTypeLib
SafeArraySetIID
VarI1FromDec
VarBoolFromI2
SafeArrayGetIID
SafeArrayUnaccessData
VarI2FromUI2
GetActiveObject
CreateTypeLib2
VarBoolFromDate
VarR4FromStr
SysAllocStringByteLen
LoadRegTypeLib
VariantChangeType
VarUI4FromDate
LoadTypeLibEx
VarR8FromI1
VarCyFromStr
VarR4FromUI2
VarCyFromBool
SetErrorInfo
VarI4FromBool
VarI2FromDisp
VarDateFromUdate
SystemTimeToVariantTime
VarR8FromUI4
VarI2FromDec
VarFormatDateTime
VarCyInt
LoadIconA
GetMenu
FindWindowW
GetDesktopWindow
GetClientRect
wsprintfW
GetShellWindow
GetMenuDefaultItem
Debug information
ExifTool file metadata
MIMEType: application/octet-stream
Subsystem: Windows command line
MachineType: Intel 386 or later, and compatibles
FileTypeExtension: exe
TimeStamp: 2016:12:12 23:26:22+01:00
FileType: Win32 EXE
PEType: PE32
CodeSize: 16384
LinkerVersion: 6.0
EntryPoint: 0x2860
InitializedDataSize: 164864
SubsystemVersion: 4.0
ImageVersion: 0.0
OSVersion: 4.0
UninitializedDataSize: 0
File identification
MD5 e86a57662d705e99974ab1b37c3ec3f7
SHA1 6b30662c37db58c55360894ba9ac47f691b95c7e
SHA256 9a8e3a38edea1b387f23fbddab2ab2595271e557056f7da2f546d7e1c0e119be
ssdeep 3072:Ousie5YcsIHyTz4wCkRoywiVyyqN4VRaPBWZhQxHhalpz7R/Fg:beWcsFqOo8czyaPBd/al97w
authentihash f634a691acea0be2849a0d7e2c1e7fbb165c60dbb24e571b0f72a31e1deadbd8
imphash faf49cee0c1ef798baa2437e3b348b18
File size 182.1 KB ( 186472 bytes )
File type Win32 EXE
Magic literal PE32 executable for MS Windows (console) Intel 80386 32-bit
TrID Win32 Executable (generic) (42.6%)
Clipper DOS Executable (19.1%)
Generic Win/DOS Executable (18.9%)
DOS Executable Generic (18.9%)
VXD Driver (0.2%)
Tags revoked-cert peexe signed overlay
VirusTotal metadata
First submission 2016-12-12 22:18:54 UTC
Last submission 2016-12-16 16:47:05 UTC
File names 50004c.exe
6b30662c37db58c55360894ba9ac47f691b95c7e
Roaming.EXE
eaf334acbf6d24c.e_xe
eaf334acbf6d24c.exe
06.vir
Condensed report! The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.
Searched windows
Runtime DLLs
UDP communications