SHA256: a55c16f3b1ea89e43c15387a368d8d75ca489c6cc44d95c434de7c13825112be
File name: 9npDnan3.exe
Detection ratio: 23 / 47
Analysis date: 2013-11-02 20:48:54 UTC ( 5 years, 6 months ago )
Antivirus | Result | Update
--- | --- | ---
AhnLab-V3 | Trojan/Win32.SmartFortress2012 | 20131102
AntiVir | TR/Crypt.XPACK.Gen7 | 20131102
Avast | Win32:FakeAV-FCC [Trj] | 20131102
AVG | Generic35.UEI | 20131102
BitDefender | Gen:Variant.Graftor.120101 | 20131102
Comodo | TrojWare.Win32.Kryptik.AIRH | 20131102
DrWeb | Trojan.FakeAV.15810 | 20131102
Emsisoft | Gen:Variant.Graftor.120101 (B) | 20131102
ESET-NOD32 | a variant of Win32/Kryptik.BNRQ | 20131102
F-Secure | Gen:Variant.Graftor.120101 | 20131102
GData | Gen:Variant.Graftor.120101 | 20131102
Jiangmin | Trojan/SmartFortress2012.nfh | 20131102
Kaspersky | Trojan-FakeAV.Win32.SmartFortress2012.aiui | 20131101
Kingsoft | Win32.Troj.Undef.(kcloud) | 20130829
Malwarebytes | Rogue.FakeAV.IGEN | 20131102
McAfee | FakeSecTool-FCD!D972ACF66A67 | 20131102
McAfee-GW-Edition | FakeSecTool-FCD!D972ACF66A67 | 20131102
Microsoft | Rogue:Win32/Winwebsec | 20131102
Norman | FakeAV.CQVZ | 20131102
Panda | Trj/dtcontx.I | 20131102
Sophos AV | Mal/FakeAV-TP | 20131102
SUPERAntiSpyware | Trojan.Agent/Gen-Winwebsec | 20131102
VIPRE | Trojan.Win32.Foreign.b (v) | 20131102
Yandex | (not detected) | 20131102
Antiy-AVL | (not detected) | 20131101
Baidu-International | (not detected) | 20131102
Bkav | (not detected) | 20131102
ByteHero | (not detected) | 20131028
CAT-QuickHeal | (not detected) | 20131102
ClamAV | (not detected) | 20131102
Commtouch | (not detected) | 20131102
F-Prot | (not detected) | 20131102
Fortinet | (not detected) | 20131102
Ikarus | (not detected) | 20131102
K7AntiVirus | (not detected) | 20131101
K7GW | (not detected) | 20131101
eScan | (not detected) | 20131028
NANO-Antivirus | (not detected) | 20131102
nProtect | (not detected) | 20131101
Rising | (not detected) | 20131101
Symantec | (not detected) | 20131102
TheHacker | (not detected) | 20131029
TotalDefense | (not detected) | 20131101
TrendMicro | (not detected) | 20131102
TrendMicro-HouseCall | (not detected) | 20131102
VBA32 | (not detected) | 20131101
ViRobot | (not detected) | 20131102
The file being studied is a Portable Executable; more specifically, it is a Win32 EXE built for the Windows GUI subsystem.
Authenticode signature block and FileVersionInfo properties
Signature verification: A certificate was explicitly revoked by its issuer.
Signers
Certificate: FirsTech Inc.
  Status: This certificate or one of the certificates in the certificate chain is not time valid; trust for this certificate or one of the certificates in the certificate chain has been revoked.
  Issuer: VeriSign Class 3 Code Signing 2010 CA
  Valid from: 1:00 AM 12/19/2011
  Valid to: 12:59 AM 12/19/2013
  Valid usage: Code Signing
  Algorithm: sha1RSA
  Thumbprint: D91C882C9EB265AA45EE79D969B1660D11026DC0
  Serial number: 5C 43 39 91 ED 81 87 EE A0 A3 00 3A 1E 48 61 E8
Certificate: VeriSign Class 3 Code Signing 2010 CA
  Status: Valid
  Issuer: VeriSign Class 3 Public Primary Certification Authority - G5
  Valid from: 1:00 AM 2/8/2010
  Valid to: 12:59 AM 2/8/2020
  Valid usage: Client Auth, Code Signing
  Algorithm: sha1RSA
  Thumbprint: 495847A93187CFB8C71F840CB7B41497AD95C64F
  Serial number: 52 00 E5 AA 25 56 FC 1A 86 ED 96 C9 D4 4B 33 C7
Certificate: VeriSign
  Status: Valid
  Issuer: VeriSign Class 3 Public Primary Certification Authority - G5
  Valid from: 1:00 AM 11/8/2006
  Valid to: 12:59 AM 7/17/2036
  Valid usage: Server Auth, Client Auth, Email Protection, Code Signing
  Algorithm: sha1RSA
  Thumbprint: 4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5
  Serial number: 18 DA D1 9E 26 7D E8 BB 4A 21 58 CD CC 6B 3B 4A
PE header basic information
Target machine: Intel 386 or later processors and compatible processors
Compilation timestamp: 2013-10-28 15:08:49
Entry Point: 0x000809F0
Number of sections: 3
PE sections
Overlays
MD5: 6984eaea694c0af6a0890e993acd06d4
File type: data
Offset: 557056
Size: 3720
Entropy: 7.23
PE imports
CreatePen
GetLastError
HeapFree
GetStdHandle
EnterCriticalSection
LCMapStringW
ReleaseMutex
SetHandleCount
TerminateThread
WaitForSingleObject
GetOEMCP
QueryPerformanceCounter
HeapDestroy
GetTickCount
TlsAlloc
VirtualProtect
GetVersionExA
LoadLibraryA
RtlUnwind
GetModuleFileNameA
FreeEnvironmentStringsA
DeleteCriticalSection
GetStartupInfoA
GetEnvironmentStrings
GetLocaleInfoA
GetCurrentProcessId
DeleteFileA
GetCurrentProcess
UnhandledExceptionFilter
MultiByteToWideChar
HeapSize
FreeEnvironmentStringsW
GetCPInfo
GetCommandLineA
GetProcAddress
GetSystemInfo
SuspendThread
WideCharToMultiByte
TlsFree
GetModuleHandleA
WriteFile
PulseEvent
GetStringTypeA
GetSystemTimeAsFileTime
DeleteFileW
GetACP
HeapReAlloc
GetStringTypeW
HeapAlloc
TerminateProcess
ResumeThread
LCMapStringA
InitializeCriticalSection
HeapCreate
VirtualQuery
VirtualFree
GetEnvironmentStringsW
TlsGetValue
Sleep
GetFileType
TlsSetValue
ExitProcess
GetCurrentThreadId
VirtualAlloc
SetLastError
LeaveCriticalSection
VariantInit
DestroyWindow
mciSendCommandA
CoUninitialize
CoCreateInstance
Number of PE resources by type
RT_ICON 1
RT_GROUP_ICON 1
Number of PE resources by language
ENGLISH US 2
PE resources
Debug information
ExifTool file metadata
MIMEType: application/octet-stream
Subsystem: Windows GUI
MachineType: Intel 386 or later, and compatibles
TimeStamp: 2013:10:28 16:08:49+01:00
FileType: Win32 EXE
PEType: PE32
CodeSize: 0
LinkerVersion: 7.0
FileTypeExtension: exe
InitializedDataSize: 552960
SubsystemVersion: 4.0
EntryPoint: 0x809f0
OSVersion: 4.0
ImageVersion: 0.0
UninitializedDataSize: 0

File identification
MD5: d972acf66a6752662d732819f5dfaa42
SHA1: 6eb937ae9a6103bdb5a8724716a7fb36fab72a07
SHA256: a55c16f3b1ea89e43c15387a368d8d75ca489c6cc44d95c434de7c13825112be
ssdeep: 12288:Vp0yGr0di3DhGkLBiUS6pTEMvi13Hoqg0eKsp:Vq6i3DQkL/Vdvbqgb7p
authentihash: 5db35622bd90af5e7169407ea65541fc7e61f2373bb9f1a16d4eedeb11234bf0
imphash: 752505b5d0a8078ff3262b5eb06d4a0a
File size: 547.6 KB ( 560776 bytes )
File type: Win32 EXE
Magic literal: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
TrID:
  Win32 Executable MS Visual C++ (generic) (41.0%)
  Win64 Executable (generic) (36.3%)
  Win32 Dynamic Link Library (generic) (8.6%)
  Win32 Executable (generic) (5.9%)
  OS/2 Executable (generic) (2.6%)
Tags: revoked-cert, peexe, signed, overlay

VirusTotal metadata
First submission: 2013-11-02 20:48:54 UTC ( 5 years, 6 months ago )
Last submission: 2017-06-28 08:39:02 UTC ( 1 year, 10 months ago )
File names: 9npDnan3.exe
Advanced heuristic and reputation engines
ClamAV
Possibly Unwanted Application. While not necessarily malicious, the scanned file presents certain characteristics which depending on the user policies and environment may or may not represent a threat. For full details see: https://www.clamav.net/documents/potentially-unwanted-applications-pua .

TrendMicro-HouseCall
TrendMicro's heuristic engine has flagged this file as: TROJ_GEN.R047C0DC615.

Condensed report. The following is a condensed report of the file's behaviour when executed in a controlled environment. The actions and events described were performed either by the file itself or by any other process launched by it or subjected to code injection by it.
Opened files
Read files
Deleted files
Runtime DLLs
Additional details
The file sends control codes directly to certain device drivers making use of the DeviceIoControl Windows API function.