SHA256: a56362f6acf1cf5a8d0bca9ddf4823d062419685719fa54618fe1cfd826d9421
File name: run[1].exe
Detection ratio: 27 / 64
Analysis date: 2019-02-19 07:17:13 UTC ( 3 months ago )
Antivirus | Result | Update
Acronis | suspicious | 20190213
AhnLab-V3 | PUP/Win32.CrossRider.C931972 | 20190219
Antiy-AVL | Trojan/Win32.TSGeneric | 20190219
Avira (no cloud) | TR/Agent.6656.681 | 20190219
CAT-QuickHeal | Trojan.IGENERIC | 20190218
Comodo | Malware@#1gwyjal2uy871 | 20190219
DrWeb | Trojan.Crossrider1.46801 | 20190219
eGambit | Generic.Malware | 20190219
Endgame | malicious (high confidence) | 20190215
ESET-NOD32 | a variant of Win32/Toolbar.Crossrider.DC potentially unwanted | 20190219
F-Secure | Trojan.TR/Agent.6656.681 | 20190219
Fortinet | PossibleThreat | 20190219
GData | Win32.Trojan.Agent.M94M6G | 20190219
Jiangmin | TrojanDownloader.Agent.feua | 20190219
Malwarebytes | PUP.Optional.CrossRider | 20190219
McAfee | RDN/Generic.grp | 20190219
McAfee-GW-Edition | RDN/Generic.grp | 20190219
NANO-Antivirus | Trojan.Win32.Crossrider1.dvmklv | 20190219
Panda | Trj/GdSda.A | 20190218
Qihoo-360 | Win32/Trojan.857 | 20190219
Rising | Malware.Undefined!8.C (CLOUD) | 20190219
Sophos AV | Generic PUA KJ (PUA) | 20190219
Symantec | Adware.Crossid | 20190219
Trapmine | suspicious.low.ml.score | 20190123
ViRobot | Adware.Agent.6656.AC | 20190219
Webroot | W32.Adware.Gen | 20190219
Yandex | PUA.Toolbar.CrossRider! | 20190215
Ad-Aware | - | 20190219
AegisLab | - | 20190219
Alibaba | - | 20180921
ALYac | - | 20190219
Arcabit | - | 20190219
Avast | - | 20190219
Avast-Mobile | - | 20190218
AVG | - | 20190219
Babable | - | 20180918
Baidu | - | 20190215
BitDefender | - | 20190219
ClamAV | - | 20190218
CMC | - | 20190218
CrowdStrike Falcon (ML) | - | 20181023
Cybereason | - | 20190109
Cylance | - | 20190219
Cyren | - | 20190219
Emsisoft | - | 20190219
Ikarus | - | 20190218
Sophos ML | - | 20181128
K7AntiVirus | - | 20190219
K7GW | - | 20190219
Kaspersky | - | 20190219
Kingsoft | - | 20190219
MAX | - | 20190219
Microsoft | - | 20190219
eScan | - | 20190219
Palo Alto Networks (Known Signatures) | - | 20190219
SentinelOne (Static ML) | - | 20190203
SUPERAntiSpyware | - | 20190213
Symantec Mobile Insight | - | 20190207
TACHYON | - | 20190219
Tencent | - | 20190219
TheHacker | - | 20190217
TotalDefense | - | 20190219
Trustlook | - | 20190219
VBA32 | - | 20190218
ZoneAlarm by Check Point | - | 20190219
Zoner | - | 20190219
The file being studied is a Portable Executable (PE) file; more specifically, it is a Win32 EXE for the Windows GUI subsystem.
FileVersionInfo properties
PE header basic information
Target machine: Intel 386 or later processors and compatible processors
Compilation timestamp: 2015-08-10 14:12:06
Entry Point: 0x00001000
Number of sections: 5
PE sections
PE imports (grouped by the Windows DLL that exports each function)
ADVAPI32.dll: RegCloseKey, RegSetValueExW, FreeSid, AllocateAndInitializeSid, CheckTokenMembership, RegOpenKeyExW, RegQueryValueExW
KERNEL32.dll: LocalFree, GetStartupInfoA, GetCommandLineW, CreateProcessW, CloseHandle, lstrcmpiW, lstrlenW
SHELL32.dll: CommandLineToArgvW
USER32.dll: wsprintfW
MSVCRT.dll: _cexit, __p__fmode, _c_exit, _except_handler3, _acmdln, _adjust_fdiv, __setusermatherr, __p__commode, exit, _XcptFilter, __getmainargs, _initterm, _exit, _controlfp, __set_app_type, memset
urlmon.dll: URLDownloadToCacheFileW
Number of PE resources by type: RT_MANIFEST 1
Number of PE resources by language: ENGLISH US 1
PE resources
Debug information
ExifTool file metadata
MIMEType: application/octet-stream
Subsystem: Windows GUI
MachineType: Intel 386 or later, and compatibles
FileTypeExtension: exe
TimeStamp: 2015:08:10 16:12:06+02:00
FileType: Win32 EXE
PEType: PE32
CodeSize: 1536
LinkerVersion: 12.0
ImageFileCharacteristics: Executable, 32-bit
EntryPoint: 0x1000
InitializedDataSize: 4096
SubsystemVersion: 5.1
ImageVersion: 0.0
OSVersion: 5.1
UninitializedDataSize: 0
CarbonBlack
CarbonBlack acts as a surveillance camera for computers. While monitoring an end-user machine in the wild, CarbonBlack noticed that the following files in execution wrote this sample to disk.
File identification
MD5: 0af0c376500b9fae13f8a35b92369236
SHA1: a969c67f1466e49cc0bf5a41bded15b439c36b43
SHA256: a56362f6acf1cf5a8d0bca9ddf4823d062419685719fa54618fe1cfd826d9421
ssdeep: 96:C51T0Vj8SAr8mLPXGUDBNWvCDILG+591bfONAm:CXTUir8mLPXGUD/0CDTQ916Am
authentihash: 357eea495902fae92c724218c686c4771a45a42a940772378df0878bc7b19257
imphash: 5a1c9f554b080154f56f2fe9714394bf
File size: 6.5 KB ( 6656 bytes )
File type: Win32 EXE
Magic literal: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
TrID:
  Win32 Executable MS Visual C++ (generic) (33.7%)
  Win64 Executable (generic) (29.8%)
  Microsoft Visual C++ compiled executable (generic) (17.8%)
  Win32 Dynamic Link Library (generic) (7.1%)
  Win32 Executable (generic) (4.8%)
Tags: peexe
VirusTotal metadata
First submission: 2015-08-10 18:45:05 UTC ( 3 years, 9 months ago )
Last submission: 2018-05-25 17:44:41 UTC ( 12 months ago )
File names:
  63285_updater.exe
  run(1).exe
  0af0c376500b9fae13f8a35b92369236.exe
  60804_updater.exe
  run.exe
  71569_updater.exe
  63163_updater.exe
  2415061641032459021
  run[1].exe
  file_0_1.xor
  71383_updater.exe
  71381_updater.exe
  a969c67f1466e49cc0bf5a41bded15b439c36b43.dll
  56116_updater.exe
  35574_updater.exe
Advanced heuristic and reputation engines
TrendMicro-HouseCall: TrendMicro's heuristic engine has flagged this file as: TROJ_GEN.R047C0EI115.
Symantec reputation: Suspicious.Insight
Condensed report! The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.