SHA256: 9e3fefad1bf630fa52b882172895abf00f3f0e2df777a158e24d3eb1c1c662fd
File name: RWipeAndClean11.exe
Detection ratio: 0 / 54
Analysis date: 2016-01-31 19:36:08 UTC ( 3 years, 3 months ago )
Antivirus Result Update
Ad-Aware 20160130
AegisLab 20160130
Yandex 20160129
AhnLab-V3 20160129
Alibaba 20160202
ALYac 20160130
Antiy-AVL 20160130
Arcabit 20160130
Avast 20160130
AVG 20160130
Avira (no cloud) 20160130
Baidu-International 20160129
BitDefender 20160130
Bkav 20160129
ByteHero 20160131
CAT-QuickHeal 20160129
ClamAV 20160130
CMC 20160130
Comodo 20160130
Cyren 20160129
DrWeb 20160130
Emsisoft 20160130
ESET-NOD32 20160130
F-Prot 20160129
F-Secure 20160129
Fortinet 20160130
GData 20160130
Ikarus 20160129
Jiangmin 20160129
K7AntiVirus 20160129
K7GW 20160129
Kaspersky 20160129
Malwarebytes 20160130
McAfee 20160130
McAfee-GW-Edition 20160130
Microsoft 20160130
eScan 20160130
NANO-Antivirus 20160130
nProtect 20160129
Panda 20160129
Qihoo-360 20160131
Rising 20160129
Sophos AV 20160130
SUPERAntiSpyware 20160130
Symantec 20160129
TheHacker 20160130
TotalDefense 20160129
TrendMicro 20160130
TrendMicro-HouseCall 20160130
VBA32 20160128
VIPRE 20160130
ViRobot 20160129
Zillya 20160130
Zoner 20160130
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
Authenticode signature block and FileVersionInfo properties
Copyright © Microsoft Corporation. All rights reserved.
Product Microsoft® Windows® Operating System
Original name WEXTRACT.EXE
Internal name Wextract
File version 6.00.2900.5512 (xpsp.080413-2105)
Description Win32 Cabinet Self-Extractor
Signature verification Signed file, verified signature
Signing date 11:45 AM 1/16/2016
Signers
[+] R-Tools Technology Inc.
Status This certificate or one of the certificates in the certificate chain is not time valid.
Issuer GlobalSign CodeSigning CA - SHA256 - G2
Valid from 09:15 PM 01/15/2015
Valid to 07:22 PM 04/12/2018
Valid usage Code Signing
Algorithm sha256RSA
Thumbprint 802F9E3D7B65582E64033158B2265BD80C3956B4
Serial number 11 21 03 4B C5 81 77 DC 73 E6 83 F1 AA 39 1D 1B 31 39
[+] GlobalSign CodeSigning CA - SHA256 - G2
Status Valid
Issuer GlobalSign
Valid from 10:00 AM 08/02/2011
Valid to 10:00 AM 08/02/2019
Valid usage Code Signing
Algorithm sha256RSA
Thumbprint 4E34C4841080D07059EFC1F3C5DE4D79905A36FF
Serial number 04 00 00 00 00 01 31 89 C6 37 E8
[+] GlobalSign Root CA - R3
Status Valid
Issuer GlobalSign
Valid from 10:00 AM 03/18/2009
Valid to 10:00 AM 03/18/2029
Valid usage Server Auth, Client Auth, Code Signing, Email Protection, Timestamp Signing, EFS, IPSEC Tunnel, IPSEC User
Algorithm sha256RSA
Thumbprint D69B561148F01C77C54578C10926DF5B856976AD
Serial number 04 00 00 00 00 01 21 58 53 08 A2
Counter signers
[+] Symantec Time Stamping Services Signer - G4
Status Valid
Issuer Symantec Time Stamping Services CA - G2
Valid from 12:00 AM 10/18/2012
Valid to 11:59 PM 12/29/2020
Valid usage Timestamp Signing
Algorithm sha1RSA
Thumbprint 65439929B67973EB192D6FF243E6767ADF0834E4
Serial number 0E CF F4 38 C8 FE BF 35 6E 04 D8 6A 98 1B 1A 50
[+] Symantec Time Stamping Services CA - G2
Status Valid
Issuer Thawte Timestamping CA
Valid from 12:00 AM 12/21/2012
Valid to 11:59 PM 12/30/2020
Valid usage Timestamp Signing
Algorithm sha1RSA
Thumbprint 6C07453FFDDA08B83707C09B82FB3D15F35336B1
Serial number 7E 93 EB FB 7C C6 4E 59 EA 4B 9A 77 D4 06 FC 3B
[+] Thawte Timestamping CA
Status Valid
Issuer Thawte Timestamping CA
Valid from 12:00 AM 01/01/1997
Valid to 11:59 PM 12/31/2020
Valid usage Timestamp Signing
Algorithm md5RSA
Thumbprint BE36A4562FB2EE05DBB3D32323ADF445084ED656
Serial number 00
Packers identified
F-PROT INNO, CAB, appended, UTF-8, Unicode
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2008-04-13 18:32:45
Entry Point 0x0000645C
Number of sections 3
PE sections
Overlays
MD5 98b7912e9639092f593a8ec1199bee13
File type data
Offset 5800448
Size 5792
Entropy 7.38
PE imports
GetTokenInformation
LookupPrivilegeValueA
RegCloseKey
OpenProcessToken
RegSetValueExA
FreeSid
RegQueryValueExA
AllocateAndInitializeSid
AdjustTokenPrivileges
EqualSid
RegCreateKeyExA
RegOpenKeyExA
RegDeleteValueA
RegQueryInfoKeyA
GetDeviceCaps
GetLastError
GetSystemTimeAsFileTime
DosDateTimeToFileTime
ReadFile
GetStartupInfoA
GetSystemInfo
lstrlenA
GetFileAttributesA
GlobalFree
WaitForSingleObject
LoadLibraryA
GetExitCodeProcess
QueryPerformanceCounter
MulDiv
ExitProcess
SetFileTime
GetVersionExA
GlobalUnlock
GetModuleFileNameA
IsDBCSLeadByte
GetShortPathNameA
FreeLibrary
GetCurrentProcess
GetVolumeInformationA
LoadLibraryExA
SizeofResource
GetCurrentDirectoryA
GetPrivateProfileStringA
WritePrivateProfileStringA
LocalAlloc
lstrcatA
GetPrivateProfileIntA
CreateDirectoryA
DeleteFileA
GetWindowsDirectoryA
UnhandledExceptionFilter
_llseek
GetCommandLineA
GlobalLock
EnumResourceLanguagesA
TerminateThread
GetTempPathA
CreateMutexA
GetModuleHandleA
_lclose
CreateThread
lstrcmpiA
SetFilePointer
lstrcmpA
FindFirstFileA
GetCurrentProcessId
CreateEventA
lstrcpyA
_lopen
CloseHandle
GetTempFileNameA
lstrcpynA
FindNextFileA
GetSystemDirectoryA
GetDiskFreeSpaceA
ExpandEnvironmentStringsA
FreeResource
SetFileAttributesA
SetEvent
LocalFree
FindResourceA
TerminateProcess
CreateProcessA
RemoveDirectoryA
SetUnhandledExceptionFilter
LockResource
LoadResource
WriteFile
GlobalAlloc
LocalFileTimeToFileTime
FindClose
FormatMessageA
GetTickCount
CreateFileA
GetDriveTypeA
GetCurrentThreadId
GetProcAddress
SetCurrentDirectoryA
ResetEvent
CharPrevA
EndDialog
ShowWindow
MessageBeep
SetWindowPos
SendDlgItemMessageA
GetSystemMetrics
GetWindowRect
DispatchMessageA
EnableWindow
SetDlgItemTextA
GetDlgItemTextA
MessageBoxA
PeekMessageA
SetWindowLongA
CharUpperA
GetDC
ReleaseDC
SetWindowTextA
GetWindowLongA
SendMessageA
GetDlgItem
wsprintfA
LoadStringA
CharNextA
GetDesktopWindow
CallWindowProcA
MsgWaitForMultipleObjects
SetForegroundWindow
ExitWindowsEx
DialogBoxIndirectParamA
GetFileVersionInfoSizeA
GetFileVersionInfoA
VerQueryValueA
Number of PE resources by type
RT_RCDATA 14
RT_DIALOG 6
RT_STRING 6
RT_ICON 2
AVI 1
RT_VERSION 1
RT_GROUP_ICON 1
Number of PE resources by language
ENGLISH US 31
PE resources
Debug information
ExifTool file metadata
SubsystemVersion 4.0
InitializedDataSize 5760000
ImageVersion 5.1
ProductName Microsoft Windows Operating System
FileVersionNumber 6.0.2900.5512
UninitializedDataSize 0
LanguageCode English (U.S.)
FileFlagsMask 0x003f
ImageFileCharacteristics No relocs, Executable, No line numbers, No symbols, 32-bit
CharacterSet Unicode
LinkerVersion 7.1
FileTypeExtension exe
OriginalFileName WEXTRACT.EXE
MIMEType application/octet-stream
Subsystem Windows GUI
FileVersion 6.00.2900.5512 (xpsp.080413-2105)
TimeStamp 2008:04:13 19:32:45+01:00
FileType Win32 EXE
PEType PE32
InternalName Wextract
ProductVersion 6.00.2900.5512
FileDescription Win32 Cabinet Self-Extractor
OSVersion 5.1
FileOS Windows NT 32-bit
LegalCopyright Microsoft Corporation. All rights reserved.
MachineType Intel 386 or later, and compatibles
CompanyName Microsoft Corporation
CodeSize 39424
FileSubtype 0
ProductVersionNumber 6.0.2900.5512
EntryPoint 0x645c
ObjectFileType Executable application
Execution parents
Compressed bundles
File identification
MD5 6b294c0521649e7e6f10de4a995bcb5f
SHA1 53567d0b9468ae4fe3a2be7409fe0f83890ded24
SHA256 9e3fefad1bf630fa52b882172895abf00f3f0e2df777a158e24d3eb1c1c662fd
ssdeep 98304:aqwdo2/v2KfmK2f4AZYot7732HQIScA5hBr2OO509zl3bCx:aqwGO2KfmK2fzZYi7jAQISvBU509xOx
authentihash 71d0379522f0d9a01b46f4be1423023c33c2ad19dfdc046c6046b4233752e2b0
imphash 0ebb3c09b06b1666d307952e824c8697
File size 5.5 MB ( 5806240 bytes )
File type Win32 EXE
Magic literal PE32 executable for MS Windows (GUI) Intel 80386 32-bit
TrID Win32 MS Cabinet Self-Extractor (WExtract stub) (79.9%)
Win32 Executable MS Visual C++ (generic) (8.2%)
Win64 Executable (generic) (7.2%)
Win32 Dynamic Link Library (generic) (1.7%)
Win32 Executable (generic) (1.1%)
Tags
peexe overlay signed via-tor

VirusTotal metadata
First submission 2016-01-19 15:11:00 UTC ( 3 years, 4 months ago )
Last submission 2017-03-07 06:15:29 UTC ( 2 years, 2 months ago )
File names R-Wipe
RWipeAndClean11.exe
RWipeAndClean11.exe
RWipeAndClean11.exe
WEXTRACT.EXE
9E3FEFAD1BF630FA52B882172895ABF00F3F0E2DF777A158E24D3EB1C1C662FD
787241
Wextract
RWipeAndClean11.exe
RWipeAndClean11_2build2114.exe
RWipeAndClean11.exe
RWipeAndClean10.exe
Condensed report! The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.
Opened files
Runtime DLLs
UDP communications