SHA256: b0f6800b2bb4c86e091120e9087c75f9b1b3e46b89cf65744d65cf5ab01fd385
File name: Listdlls.exe
Detection ratio: 0 / 63
Analysis date: 2019-02-23 00:39:07 UTC ( 3 weeks, 6 days ago )
Antivirus Result Update
Acronis 20190222
Ad-Aware 20190223
AegisLab 20190222
AhnLab-V3 20190222
Alibaba 20180921
ALYac 20190222
Antiy-AVL 20190222
Arcabit 20190223
Avast 20190223
Avast-Mobile 20190222
AVG 20190223
Avira (no cloud) 20190223
Babable 20180918
Baidu 20190215
BitDefender 20190222
CAT-QuickHeal 20190222
ClamAV 20190222
CMC 20190222
Comodo 20190223
CrowdStrike Falcon (ML) 20181023
Cylance 20190223
Cyren 20190222
DrWeb 20190223
eGambit 20190223
Emsisoft 20190222
Endgame 20190215
ESET-NOD32 20190223
F-Secure 20190222
Fortinet 20190223
GData 20190222
Sophos ML 20181128
Jiangmin 20190223
K7AntiVirus 20190222
K7GW 20190222
Kaspersky 20190222
Kingsoft 20190223
Malwarebytes 20190222
MAX 20190223
McAfee 20190223
McAfee-GW-Edition 20190222
Microsoft 20190222
eScan 20190222
NANO-Antivirus 20190222
Palo Alto Networks (Known Signatures) 20190223
Panda 20190222
Qihoo-360 20190223
Rising 20190222
SentinelOne (Static ML) 20190203
Sophos AV 20190222
SUPERAntiSpyware 20190220
Symantec 20190222
Symantec Mobile Insight 20190220
TACHYON 20190223
Tencent 20190223
TheHacker 20190217
TotalDefense 20190222
Trapmine 20190123
Trustlook 20190223
VBA32 20190222
ViRobot 20190222
Webroot 20190223
Yandex 20190222
ZoneAlarm by Check Point 20190223
Zoner 20190223
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows command line subsystem.
Authenticode signature block and FileVersionInfo properties
Copyright Copyright (C) 1997-2016 Mark Russinovich
Product Sysinternals Listdlls
Original name Listdlls.exe
Internal name Listdlls
File version 3.2
Description Listdlls
Signature verification Signed file, verified signature
Signing date 10:29 AM 5/27/2016
Signers
[+] Microsoft Corporation
Status This certificate or one of the certificates in the certificate chain is not time valid.
Issuer Microsoft Code Signing PCA
Valid from 04:42 PM 06/04/2015
Valid to 04:42 PM 09/04/2016
Valid usage Code Signing
Algorithm sha1RSA
Thumbprint 3BDA323E552DB1FDE5F4FBEE75D6D5B2B187EEDC
Serial number 33 00 00 01 0A 2C 79 AE D7 79 7B A6 AC 00 01 00 00 01 0A
[+] Microsoft Code Signing PCA
Status Valid
Issuer Microsoft Root Certificate Authority
Valid from 09:19 PM 08/31/2010
Valid to 09:29 PM 08/31/2020
Valid usage All
Algorithm sha1RSA
Thumbprint 3CAF9BA2DB5570CAF76942FF99101B993888E257
Serial number 61 33 26 1A 00 00 00 00 00 31
[+] Microsoft Root Certificate Authority
Status Valid
Issuer Microsoft Root Certificate Authority
Valid from 10:19 PM 05/09/2001
Valid to 10:28 PM 05/09/2021
Valid usage All
Algorithm sha1RSA
Thumbprint CDD4EEAE6000AC7F40C3802C171E30148030C072
Serial number 79 AD 16 A1 4A A0 A5 AD 4C 73 58 F4 07 13 2E 65
Counter signers
[+] Microsoft Time-Stamp Service
Status This certificate or one of the certificates in the certificate chain is not time valid.
Issuer Microsoft Time-Stamp PCA
Valid from 06:21 PM 03/30/2016
Valid to 06:21 PM 06/30/2017
Valid usage Timestamp Signing
Algorithm sha1RSA
Thumbprint 2AD6BD014B9381498ED5638C461ED67B89273AF0
Serial number 33 00 00 00 98 04 58 CB 7F 23 09 B0 9E 00 00 00 00 00 98
[+] Microsoft Time-Stamp PCA
Status Valid
Issuer Microsoft Root Certificate Authority
Valid from 11:53 AM 04/03/2007
Valid to 12:03 PM 04/03/2021
Valid usage Timestamp Signing
Algorithm sha1RSA
Thumbprint 375FCB825C3DC3752A02E34EB70993B4997191EF
Serial number 61 16 68 34 00 00 00 00 00 1C
[+] Microsoft Root Certificate Authority
Status Valid
Issuer Microsoft Root Certificate Authority
Valid from 10:19 PM 05/09/2001
Valid to 10:28 PM 05/09/2021
Valid usage All
Algorithm sha1RSA
Thumbprint CDD4EEAE6000AC7F40C3802C171E30148030C072
Serial number 79 AD 16 A1 4A A0 A5 AD 4C 73 58 F4 07 13 2E 65
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2016-05-27 09:28:45
Entry Point 0x00009666
Number of sections 5
PE sections
Overlays
MD5 c038c65dbdd32dd7c07701c894d466a7
File type data
Offset 408064
Size 16032
Entropy 7.43
PE imports
LookupPrivilegeValueA
RegOpenKeyA
RegCloseKey
OpenProcessToken
AdjustTokenPrivileges
RegQueryValueExA
RegSetValueExA
RegOpenKeyExA
RegCreateKeyA
RegQueryValueExW
PrintDlgA
CertDuplicateCertificateContext
CertGetNameStringA
GetDeviceCaps
SetMapMode
StartDocA
EndDoc
StartPage
EndPage
GetStdHandle
GetFileAttributesA
WaitForSingleObject
HeapDestroy
EncodePointer
DeleteCriticalSection
GetCurrentProcess
GetConsoleMode
LocalAlloc
FreeEnvironmentStringsW
SetStdHandle
GetCPInfo
FindResourceExW
GetSystemTimeAsFileTime
HeapReAlloc
GetStringTypeW
LocalFree
OutputDebugStringW
TlsGetValue
FormatMessageA
SetLastError
ReadConsoleInputA
LoadResource
GetModuleFileNameW
IsDebuggerPresent
HeapAlloc
GetModuleFileNameA
UnhandledExceptionFilter
LoadLibraryExW
MultiByteToWideChar
SetFilePointerEx
SetUnhandledExceptionFilter
IsProcessorFeaturePresent
DecodePointer
SetEnvironmentVariableA
TerminateProcess
GetModuleHandleExW
SetEndOfFile
GetVersion
WriteConsoleW
AreFileApisANSI
InitializeCriticalSectionAndSpinCount
HeapFree
EnterCriticalSection
GetOEMCP
QueryPerformanceCounter
TlsAlloc
FlushFileBuffers
LoadLibraryA
RtlUnwind
OpenProcess
DeleteFileA
GetStartupInfoW
ReadProcessMemory
GetProcAddress
GetProcessHeap
CompareStringW
WriteFile
GetCurrentThreadId
ExpandEnvironmentStringsA
ReadConsoleW
GetTimeZoneInformation
CreateFileW
GetFileType
TlsSetValue
CreateFileA
ExitProcess
LeaveCriticalSection
GetLastError
LCMapStringW
GetSystemInfo
GetConsoleCP
GetEnvironmentStringsW
SizeofResource
GetCurrentProcessId
LockResource
GetCommandLineW
WideCharToMultiByte
HeapSize
GetCommandLineA
RaiseException
TlsFree
GetModuleHandleA
ReadFile
CloseHandle
GetACP
GetModuleHandleW
CreateProcessA
IsValidCodePage
SetConsoleMode
FindResourceW
Sleep
FindResourceA
VariantClear
SendMessageA
LoadCursorA
InflateRect
EndDialog
GetSysColorBrush
GetDlgItem
SetWindowTextA
DialogBoxIndirectParamA
SetCursor
GetFileVersionInfoSizeA
GetFileVersionInfoA
VerQueryValueW
GetFileVersionInfoW
GetFileVersionInfoSizeW
VerQueryValueA
SymSetOptions
ImageNtHeader
EnumerateLoadedModules64
SymInitialize
Number of PE resources by type
BINRES 1
RT_VERSION 1
RT_MANIFEST 1
Number of PE resources by language
ENGLISH US 3
PE resources
ExifTool file metadata
SubsystemVersion 5.1
InitializedDataSize 302592
ImageVersion 0.0
ProductName Sysinternals Listdlls
FileVersionNumber 3.20.0.0
UninitializedDataSize 0
LanguageCode English (U.S.)
FileFlagsMask 0x003f
ImageFileCharacteristics Executable, 32-bit
CharacterSet Unicode
LinkerVersion 12.0
FileTypeExtension exe
OriginalFileName Listdlls.exe
MIMEType application/octet-stream
Subsystem Windows command line
FileVersion 3.2
TimeStamp 2016:05:27 11:28:45+02:00
FileType Win32 EXE
PEType PE32
InternalName Listdlls
ProductVersion 3.2
FileDescription Listdlls
OSVersion 5.1
FileOS Windows NT 32-bit
LegalCopyright Copyright (C) 1997-2016 Mark Russinovich
MachineType Intel 386 or later, and compatibles
CompanyName Sysinternals
CodeSize 113664
FileSubtype 0
ProductVersionNumber 3.20.0.0
EntryPoint 0x9666
ObjectFileType Executable application

CarbonBlack CarbonBlack acts as a surveillance camera for computers
While monitoring an end-user machine in-the-wild, CarbonBlack noticed the following files in execution wrote this sample to disk.
While monitoring an end-user machine in-the-wild, CarbonBlack noticed this sample wrote the following files to disk.
Execution parents
PE resource-wise parents
Overlay parents
Compressed bundles
File identification
MD5 60a2331a2b28968585c7c7229d2424a8
SHA1 fbac538166d61b4f10db934bd4bc1b86c81e56fb
SHA256 b0f6800b2bb4c86e091120e9087c75f9b1b3e46b89cf65744d65cf5ab01fd385
ssdeep 6144:IejqfgaIqi0N5fZC9kqf7Uxv9VYO1s+rTiMCOoRb0pyeZ7:IinaIqi07C7krtxnkmB
authentihash 46fc26bb10d02ac2348b254a89b2d37a4d94ece1affdabf9a4ab38bf1e0aecbc
imphash 89d7b24bd25c29c0f3b867880ccc6d9a
File size 414.2 KB ( 424096 bytes )
File type Win32 EXE
Magic literal PE32 executable for MS Windows (console) Intel 80386 32-bit
TrID Win32 Executable MS Visual C++ (generic) (41.0%)
Win64 Executable (generic) (36.3%)
Win32 Dynamic Link Library (generic) (8.6%)
Win32 Executable (generic) (5.9%)
OS/2 Executable (generic) (2.6%)
Tags peexe overlay signed via-tor
VirusTotal metadata
First submission 2016-06-30 18:03:52 UTC ( 2 years, 8 months ago )
Last submission 2019-02-23 00:39:07 UTC ( 3 weeks, 6 days ago )
File names v7ighta04292
vthqi4a01188
vgv680a03920
listdlls-{9f551916-a513-4bb8-9a57-c0d6344391f3}-v175186674.exe
vc23ela04296
veq85ta04296
navba69.tmp
nav8e94.tmp
vfjbsaa04304
vgpu4ba04284
myfile.exe
Listdlls.exe
Listdlls.exe
Listdlls.exe
vgvrtta03936
vgq65ba04304
Listdlls.exe
vga4ica02432
va52o4a04288
Listdlls32.exe
vku41ca03920
listdlls.exe
vabnmqa01152
vsgo13d0.r9i
navaa73.tmp
Condensed report! The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.
Opened files
Runtime DLLs
UDP communications