× Cookies are disabled! This site requires cookies to be enabled to work properly
SHA256: ad6a7fadd0704f828adf7fc84d75126acaecc721a92b87b70e659ffc449cc89c
File name: 673339
Detection ratio: 1 / 53
Analysis date: 2015-12-18 09:03:08 UTC ( 3 years, 3 months ago ) View latest
Antivirus Result Update
SUPERAntiSpyware Trojan.Agent/Gen-Backdoor 20151218
Ad-Aware 20151218
AegisLab 20151218
Yandex 20151218
AhnLab-V3 20151218
Alibaba 20151208
Antiy-AVL 20151218
Arcabit 20151218
Avast 20151218
AVG 20151218
Avira (no cloud) 20151218
AVware 20151218
Baidu-International 20151218
BitDefender 20151218
Bkav 20151218
ByteHero 20151218
CAT-QuickHeal 20151217
ClamAV 20151217
CMC 20151217
Comodo 20151218
Cyren 20151218
DrWeb 20151218
Emsisoft 20151218
ESET-NOD32 20151218
F-Prot 20151218
F-Secure 20151218
Fortinet 20151218
GData 20151218
Ikarus 20151218
Jiangmin 20151218
K7AntiVirus 20151218
K7GW 20151218
Kaspersky 20151218
Malwarebytes 20151218
McAfee 20151218
McAfee-GW-Edition 20151218
Microsoft 20151217
eScan 20151218
NANO-Antivirus 20151218
nProtect 20151218
Panda 20151217
Rising 20151218
Sophos AV 20151218
Symantec 20151217
TheHacker 20151218
TotalDefense 20151218
TrendMicro 20151218
TrendMicro-HouseCall 20151218
VBA32 20151217
VIPRE 20151218
ViRobot 20151218
Zillya 20151217
Zoner 20151218
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
Authenticode signature block and FileVersionInfo properties
Signature verification Certificate out of its validity period
Signers
[+] Novel Games Limited
Status This certificate or one of the certificates in the certificate chain is not time valid.
Issuer GlobalSign CodeSigning CA - SHA256 - G2
Valid from 10:59 AM 4/13/2015
Valid to 10:01 AM 5/23/2016
Valid usage Code Signing
Algorithm sha256RSA
Thumbprint 6688B52B2382859E04E6FCD86FFD01E0B54BF5F0
Serial number 11 21 BD 8C 37 18 B9 8A 11 CF 31 D1 3E 64 43 F7 51 D9
[+] GlobalSign CodeSigning CA - SHA256 - G2
Status Valid
Issuer GlobalSign
Valid from 11:00 AM 8/2/2011
Valid to 11:00 AM 8/2/2019
Valid usage Code Signing
Algorithm sha256RSA
Thumbprint 4E34C4841080D07059EFC1F3C5DE4D79905A36FF
Serial number 04 00 00 00 00 01 31 89 C6 37 E8
[+] GlobalSign Root CA - R3
Status Valid
Issuer GlobalSign
Valid from 11:00 AM 3/18/2009
Valid to 11:00 AM 3/18/2029
Valid usage Server Auth, Client Auth, Code Signing, Email Protection, Timestamp Signing, EFS, IPSEC Tunnel, IPSEC User
Algorithm sha256RSA
Thumbprint D69B561148F01C77C54578C10926DF5B856976AD
Serial number 04 00 00 00 00 01 21 58 53 08 A2
Packers identified
F-PROT ZIP
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2011-11-07 04:18:01
Entry Point 0x00001362
Number of sections 5
PE sections
Overlays
MD5 d04ec478a40ae13e6c8acaf03d1ff2a2
File type application/zip
Offset 126976
Size 542400
Entropy 8.00
PE imports
GetLastError
InitializeCriticalSectionAndSpinCount
HeapFree
GetStdHandle
EnterCriticalSection
LCMapStringW
SetHandleCount
LoadLibraryA
GetModuleFileNameW
WaitForSingleObject
GetExitCodeProcess
QueryPerformanceCounter
IsDebuggerPresent
HeapAlloc
TlsAlloc
GetEnvironmentStringsW
GetFileAttributesW
RtlUnwind
GetModuleFileNameA
GetCPInfo
FreeEnvironmentStringsA
DeleteCriticalSection
GetStartupInfoA
GetEnvironmentStrings
GetLocaleInfoA
GetCurrentProcessId
GetCommandLineW
WideCharToMultiByte
UnhandledExceptionFilter
InterlockedDecrement
MultiByteToWideChar
HeapSize
FreeEnvironmentStringsW
CreateDirectoryW
DeleteFileW
GetProcAddress
GetStringTypeA
GetProcessHeap
GetTempFileNameW
RaiseException
CreateThread
TlsFree
SetFilePointer
ReadFile
SetUnhandledExceptionFilter
GetTempPathW
GetCurrentProcess
CloseHandle
GetSystemTimeAsFileTime
GetCommandLineA
GetACP
HeapReAlloc
GetStringTypeW
GetModuleHandleW
GetOEMCP
TerminateProcess
LCMapStringA
IsValidCodePage
HeapCreate
WriteFile
CreateFileW
VirtualFree
TlsGetValue
Sleep
GetFileType
GetTickCount
TlsSetValue
ExitProcess
GetCurrentThreadId
InterlockedIncrement
VirtualAlloc
SetLastError
LeaveCriticalSection
SHFileOperationW
ShellExecuteExW
PathAppendW
GetMessageW
DispatchMessageW
TranslateMessage
Number of PE resources by type
RT_ICON 7
RT_MANIFEST 1
RT_GROUP_ICON 1
Number of PE resources by language
ENGLISH US 9
PE resources
Debug information
ExifTool file metadata
MIMEType
application/octet-stream

Subsystem
Windows GUI

SubsystemVersion
5.0

MachineType
Intel 386 or later, and compatibles

TimeStamp
2011:11:07 05:18:01+01:00

FileType
Win32 EXE

PEType
PE32

CodeSize
60928

LinkerVersion
9.0

FileTypeExtension
exe

InitializedDataSize
65024

ImageFileCharacteristics
Executable, 32-bit

EntryPoint
0x1362

OSVersion
5.0

ImageVersion
0.0

UninitializedDataSize
0

File identification
MD5 b90a843c75fe6d1d9c6b099363d6b0a3
SHA1 6cc41c807bf94fc26ea5c064e42381b115f12d24
SHA256 ad6a7fadd0704f828adf7fc84d75126acaecc721a92b87b70e659ffc449cc89c
ssdeep
12288:3mftwnQC6yTILE+OPgIFD0SfRTzibZPaHUGB6JczcKuwyqJvT3YJF6HK0SUlS4:KtwQCFTILEjg4jubZPabU9KXyqJvbvHV

authentihash e592ef612a663aa45686bdaf5d46e67647e4f1449b9052ebe702188192c5f34c
imphash f3e974452807d25c2b9375c00e84e2c2
File size 653.7 KB ( 669376 bytes )
File type Win32 EXE
Magic literal
PE32 executable for MS Windows (GUI) Intel 80386 32-bit

TrID Win32 Executable MS Visual C++ (generic) (41.0%)
Win64 Executable (generic) (36.3%)
Win32 Dynamic Link Library (generic) (8.6%)
Win32 Executable (generic) (5.9%)
OS/2 Executable (generic) (2.6%)
Tags
peexe signed overlay

VirusTotal metadata
First submission 2015-04-18 20:14:56 UTC ( 3 years, 11 months ago )
Last submission 2016-04-05 04:26:31 UTC ( 2 years, 11 months ago )
File names peg.5.exe
8f401a0d5265b54deab81def8beb77947f0d5ba4
B90A843C75FE6D1D9C6B099363D6B0A3
ga2NX.dll
673339
Advanced heuristic and reputation engines
Symantec reputation Suspicious.Insight
No comments. No VirusTotal Community member has commented on this item yet, be the first one to do so!

Leave your comment...

?
Post comment

You have not signed in. Only registered users can leave comments, sign in and have a voice!

No votes. No one has voted on this item yet, be the first one to do so!
Condensed report! The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.
Opened files
Read files
Written files
Deleted files
Created processes
Shell commands
Created mutexes
Opened mutexes
Opened service managers
Opened services
Hooking activity
Runtime DLLs
Additional details
The file sends control codes directly to certain device drivers making use of the DeviceIoControl Windows API function.
The file installs an application-defined hook procedure into a hook chain. You would install a hook procedure to monitor the system for certain types of events. These events are associated either with a specific thread or with all threads in the same desktop as the calling thread. This is done making use of the SetWindowsHook Windows API function.
HTTP requests
DNS requests
TCP connections
UDP communications