SHA256: b127fe4d8bbe5e46b64b23c8fbdc23ac3dc2e8584a3197e77314fd55e291b456
File name: 321632
Detection ratio: 0 / 55
Analysis date: 2016-01-09 21:00:59 UTC ( 3 years, 2 months ago )
Antivirus Result Update (an empty Result column means the engine returned no detection; all 55 engines below returned none)
Ad-Aware 20160109
AegisLab 20160109
Yandex 20160108
AhnLab-V3 20160109
Alibaba 20160109
ALYac 20160109
Antiy-AVL 20160109
Arcabit 20160109
Avast 20160109
AVG 20160109
Avira (no cloud) 20160109
AVware 20160109
Baidu-International 20160109
BitDefender 20160109
Bkav 20160109
ByteHero 20160109
CAT-QuickHeal 20160109
ClamAV 20160109
CMC 20160107
Comodo 20160109
Cyren 20160109
DrWeb 20160109
Emsisoft 20160109
ESET-NOD32 20160109
F-Prot 20160109
F-Secure 20160108
Fortinet 20160109
GData 20160109
Ikarus 20160109
Jiangmin 20160109
K7AntiVirus 20160109
K7GW 20160109
Kaspersky 20160109
Malwarebytes 20160109
McAfee 20160109
McAfee-GW-Edition 20160109
Microsoft 20160109
eScan 20160109
NANO-Antivirus 20160109
nProtect 20160108
Panda 20160109
Qihoo-360 20160109
Rising 20160109
Sophos AV 20160109
SUPERAntiSpyware 20160109
Symantec 20160108
TheHacker 20160107
TotalDefense 20160109
TrendMicro 20160114
TrendMicro-HouseCall 20160114
VBA32 20160107
VIPRE 20160109
ViRobot 20160109
Zillya 20160107
Zoner 20160109
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
Authenticode signature block and FileVersionInfo properties
Copyright
Copyright © 1997-2012 FileStream, Inc.

Product FileStream TurboZIP
Original name install.EXE
Internal name tzipent8.exe
File version 8.5
Description FileStream TurboZIP
Comments
Signature verification Signed file, verified signature
Signing date 11:18 AM 9/16/2012
Signers
[+] FileStream, Inc.
Status This certificate or one of the certificates in the certificate chain is not time valid. (The FileStream, Inc. certificate expired on 02/08/2013, long before the 2016 analysis date but after the 9/16/2012 signing date. Because the signature carries a timestamp countersignature from the GlobalSign Time Stamping Authority, Authenticode evaluates the signer chain at the signing time rather than at verification time, which is why the signature still verifies above. Without the countersignature, or if the certificate were revoked with an effective date before the signing time, the signature would no longer verify.)
Issuer GlobalSign CodeSigning CA - G2
Valid from 01:34 PM 02/08/2012
Valid to 01:34 PM 02/08/2013
Valid usage Code Signing
Algorithm sha1RSA
Thumbprint 176580B260C8D516252F8A0C2D9A340BE8229475
Serial number 11 21 5C 8B AC B8 88 3B A3 7D 87 11 ED 9F 32 78 92 F7
[+] GlobalSign CodeSigning CA - G2
Status Valid
Issuer GlobalSign Root CA
Valid from 09:00 AM 04/13/2011
Valid to 09:00 AM 04/13/2019
Valid usage Code Signing
Algorithm sha1RSA
Thumbprint 9000401777DD2B43393D7B594D2FF4CBA4516B38
Serial number 04 00 00 00 00 01 2F 4E E1 35 5C
[+] GlobalSign Root CA - R1
Status Valid
Issuer GlobalSign Root CA
Valid from 11:00 AM 09/01/1998
Valid to 12:00 PM 01/28/2028
Valid usage Server Auth, Client Auth, Code Signing, Email Protection, Timestamp Signing, OCSP Signing, EFS, IPSEC Tunnel, IPSEC User, IPSEC IKE Intermediate
Algorithm sha1RSA
Thumbprint B1BC968BD4F49D622AA89A81F2150152A41D829C
Serial number 04 00 00 00 00 01 15 4B 5A C3 94
Counter signers
[+] GlobalSign Time Stamping Authority
Status The revocation status of the certificate or one of the certificates in the certificate chain is unknown (Error 65536 (0x10000): the revocation status of the certificate or one of the certificates in the certificate chain is either offline or stale).
Issuer GlobalSign Timestamping CA
Valid from 09:32 AM 12/21/2009
Valid to 09:32 AM 12/22/2020
Valid usage Timestamp Signing
Algorithm sha1RSA
Thumbprint AEDF7DF76BBA2410D67DBAF18F5BA15B417E496C
Serial number 01 00 00 00 00 01 25 B0 B4 CC 01
[+] GlobalSign Timestamping CA
Status Valid
Issuer GlobalSign Root CA
Valid from 11:00 AM 03/18/2009
Valid to 12:00 PM 01/28/2028
Valid usage All
Algorithm sha1RSA
Thumbprint 958D23902D5448314F2F811034356A58255CDC9B
Serial number 04 00 00 00 00 01 20 19 C1 90 66
[+] GlobalSign Root CA - R1
Status Valid
Issuer GlobalSign Root CA
Valid from 11:00 AM 09/01/1998
Valid to 12:00 PM 01/28/2028
Valid usage Server Auth, Client Auth, Code Signing, Email Protection, Timestamp Signing, OCSP Signing, EFS, IPSEC Tunnel, IPSEC User, IPSEC IKE Intermediate
Algorithm sha1RSA
Thumbprint B1BC968BD4F49D622AA89A81F2150152A41D829C
Serial number 04 00 00 00 00 01 15 4B 5A C3 94
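The "Signed file, verified signature" result and the "not time valid" status on the FileStream, Inc. certificate look contradictory until the countersignature is taken into account. The following Python script is an added example, not part of the VirusTotal report: it parses the report's own "[+] name / Valid from / Valid to" lines (copied above as constructed input) and applies the simplified Authenticode rule that, with a trusted timestamp countersignature, the signer chain is judged at the signing time, and without one at the time of analysis. It checks time validity only; it does no signature cryptography, no revocation checking and no EKU handling, and the field formats it parses are assumed to be the ones shown on this page.

```python
"""Authenticode time-validity logic applied to the report's certificate blocks.
Added example using only the standard library; no crypto or revocation checks."""
from dataclasses import dataclass
from datetime import datetime

# Constructed input: signer and counter-signer blocks copied from the report
# (names and validity windows only; thumbprints and serials omitted).
SIGNERS = """\
[+] FileStream, Inc.
Valid from 01:34 PM 02/08/2012
Valid to 01:34 PM 02/08/2013
[+] GlobalSign CodeSigning CA - G2
Valid from 09:00 AM 04/13/2011
Valid to 09:00 AM 04/13/2019
[+] GlobalSign Root CA - R1
Valid from 11:00 AM 09/01/1998
Valid to 12:00 PM 01/28/2028
"""
COUNTER_SIGNERS = """\
[+] GlobalSign Time Stamping Authority
Valid from 09:32 AM 12/21/2009
Valid to 09:32 AM 12/22/2020
[+] GlobalSign Timestamping CA
Valid from 11:00 AM 03/18/2009
Valid to 12:00 PM 01/28/2028
[+] GlobalSign Root CA - R1
Valid from 11:00 AM 09/01/1998
Valid to 12:00 PM 01/28/2028
"""
SIGNING_DATE = "11:18 AM 9/16/2012"        # "Signing date" line of the report
ANALYSIS_DATE = "2016-01-09 21:00:59"      # "Analysis date" line of the report (UTC)
REPORT_TIME_FMT = "%I:%M %p %m/%d/%Y"      # assumed format of the report's times


@dataclass(frozen=True)
class Cert:
    name: str
    not_before: datetime
    not_after: datetime

    def valid_at(self, when: datetime) -> bool:
        return self.not_before <= when <= self.not_after


def parse_report_time(s: str) -> datetime:
    return datetime.strptime(s.strip(), REPORT_TIME_FMT)


def parse_chain(block: str) -> list[Cert]:
    """Turn '[+] name' / 'Valid from' / 'Valid to' lines into Cert objects, leaf first."""
    certs, name, not_before = [], None, None
    for line in block.splitlines():
        line = line.strip()
        if line.startswith("[+] "):
            name, not_before = line[4:], None
        elif line.startswith("Valid from "):
            not_before = parse_report_time(line[len("Valid from "):])
        elif line.startswith("Valid to "):
            if name is None or not_before is None:
                raise ValueError(f"'Valid to' without preceding name/from: {line!r}")
            certs.append(Cert(name, not_before, parse_report_time(line[len("Valid to "):])))
            name, not_before = None, None
    if not certs:
        raise ValueError("no certificates parsed")
    return certs


def invalid_at(chain: list[Cert], when: datetime) -> list[str]:
    """Names of chain members that are outside their validity window at `when`."""
    return [c.name for c in chain if not c.valid_at(when)]


def authenticode_verdict(signers, counter_signers, signing_time, now):
    """Simplified Authenticode rule: a timestamped signature is judged at the
    signing time attested by the countersignature (whose own chain must be valid
    then); an untimestamped one is judged at `now`, so an expired leaf fails."""
    expired_now = invalid_at(signers, now)
    if counter_signers:
        ts_problems = invalid_at(counter_signers, signing_time)
        signer_problems = invalid_at(signers, signing_time)
    else:
        ts_problems, signer_problems = [], expired_now
    return {
        "verified": not ts_problems and not signer_problems,
        "judged_at": signing_time if counter_signers else now,
        "not_time_valid_now": expired_now,      # what the report's Status line reflects
        "signer_problems": signer_problems,
        "timestamp_problems": ts_problems,
    }


def verdict_from_report(counter_signed: bool = True) -> dict:
    """Evaluate the report's chains; counter_signed=False models a missing timestamp."""
    signers = parse_chain(SIGNERS)
    counters = parse_chain(COUNTER_SIGNERS) if counter_signed else []
    signing = parse_report_time(SIGNING_DATE)
    now = datetime.strptime(ANALYSIS_DATE, "%Y-%m-%d %H:%M:%S")
    return authenticode_verdict(signers, counters, signing, now)


if __name__ == "__main__":
    for flag in (True, False):
        v = verdict_from_report(counter_signed=flag)
        print(f"counter-signed={flag}: verified={v['verified']}, "
              f"judged at {v['judged_at']:%Y-%m-%d}, not time valid now={v['not_time_valid_now']}")
```

With the countersignature present the verdict is "verified" while the leaf is still reported as not time valid at the analysis date; with the countersignature removed the same expired leaf makes the signature fail, which is the failure mode to watch for on files signed without a timestamp.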
Packers identified
F-PROT CAB, appended, embedded, Unicode
PEiD Armadillo v1.71 (a weak indicator: this PEiD signature commonly fires on unpacked binaries linked with Microsoft Visual C++ 6, which is consistent with the LinkerVersion 6.0 and the TrID Visual C++ matches reported for this file)
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2011-04-17 01:24:50
Entry Point 0x00021798
Number of sections 4
PE sections
Overlays
MD5 771f70e6e1e6e304dc21cc59f0e832ff
File type data
Offset 3772416
Size 5760
Entropy 7.43
Note: offset 3772416 + size 5760 = 3778176, the full file size, so the overlay is the final 5760 bytes of the file. An Authenticode signature is stored after the last section and referenced from the PE security directory, so on a signed file a short, high-entropy overlay like this one is usually the PKCS#7 signature block rather than an appended payload; confirming that means comparing the overlay range with the security directory entry.
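To tell whether an overlay is just the signature block or carries something appended after it, compare the overlay range with the security data directory entry. The following Python script is an added example, not VirusTotal's or the vendor's code: it builds a minimal single-section PE32 in memory (constructed input, so it runs offline), appends a blob that is either registered in the security directory, as a real Authenticode signature would be, or left unregistered, and reports whether the overlay is exactly the signature, how many overlay bytes fall outside it, and the overlay's Shannon entropy. `overlay_report` works on real files read with `open(path, "rb")`; it does not parse or verify the PKCS#7 contents.

```python
"""Overlay vs. Authenticode security directory check (added example, stdlib only)."""
import math
import struct
from collections import Counter

FILE_ALIGN = 0x200
SECTION_ALIGN = 0x1000
IMAGE_DIRECTORY_ENTRY_SECURITY = 4   # entry holds (file offset, size) of the certificate table


def _align(n: int, a: int) -> int:
    return (n + a - 1) // a * a


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty input, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def build_minimal_pe(section_data: bytes, appended: bytes = b"",
                     signed: bool = True, sig_len: int = 0) -> bytes:
    """Constructed PE32 with one .text section. `appended` follows the section;
    when `signed`, its first `sig_len` bytes (0 = all of it) are registered in
    the security directory the way a real Authenticode blob is."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    raw_ptr = _align(0x40 + 4 + 20 + 224 + 40, FILE_ALIGN)      # section data at 0x200
    raw_size = _align(len(section_data), FILE_ALIGN)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)  # i386, 1 section
    opt = struct.pack("<HBBIIIIII", 0x10B, 6, 0, raw_size, 0, 0, 0x1000, 0x1000, 0x2000)
    opt += struct.pack("<IIIHHHHHHIIIIHHIIIIII",
                       0x400000, SECTION_ALIGN, FILE_ALIGN, 4, 0, 0, 0, 4, 0, 0,
                       0x1000 + _align(raw_size, SECTION_ALIGN), raw_ptr, 0, 2, 0,
                       0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = [(0, 0)] * 16
    if signed and appended:
        dirs[IMAGE_DIRECTORY_ENTRY_SECURITY] = (raw_ptr + raw_size, sig_len or len(appended))
    opt += b"".join(struct.pack("<II", va, sz) for va, sz in dirs)
    sect = struct.pack("<8sIIIIIIHHI", b".text", len(section_data), 0x1000,
                       raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
    headers = dos + b"PE\0\0" + coff + opt + sect
    return headers.ljust(raw_ptr, b"\0") + section_data.ljust(raw_size, b"\0") + appended


def overlay_report(pe: bytes) -> dict:
    """Locate the overlay (bytes past the last section's raw data) and compare it
    with the security directory entry, which is a file offset, not an RVA."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    nsect = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", pe, opt)[0]
    dir_base = opt + (96 if magic == 0x10B else 112)            # PE32 vs PE32+
    n_dirs = struct.unpack_from("<I", pe, dir_base - 4)[0]      # NumberOfRvaAndSizes
    sec_off = sec_size = 0
    if n_dirs > IMAGE_DIRECTORY_ENTRY_SECURITY:
        sec_off, sec_size = struct.unpack_from("<II", pe, dir_base + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    end = 0
    for i in range(nsect):                                      # SizeOfRawData, PointerToRawData
        raw_size, raw_ptr = struct.unpack_from("<II", pe, opt + opt_size + 40 * i + 16)
        end = max(end, raw_ptr + raw_size)
    overlay = pe[end:]
    covered = sec_size if sec_size and end <= sec_off < len(pe) else 0
    return {
        "overlay_offset": end,
        "overlay_size": len(overlay),
        "overlay_entropy": round(shannon_entropy(overlay), 2),
        "security_dir": (sec_off, sec_size),
        "overlay_is_signature": bool(sec_size) and (sec_off, sec_size) == (end, len(overlay)),
        "bytes_outside_signature": max(0, len(overlay) - covered),
    }


def report_overlay_reaches_eof(offset: int, size: int, file_size: int) -> bool:
    """Sanity check on a report's numbers: does Offset + Size equal the file size?"""
    return offset + size == file_size


if __name__ == "__main__":
    # Overlay offset, size and file size as stated in the report above.
    print("report overlay ends at EOF:", report_overlay_reaches_eof(3772416, 5760, 3778176))
    blob = bytes(range(256)) * 4                                # constructed high-entropy "signature"
    code = b"\xCC" * 100
    print("signed:  ", overlay_report(build_minimal_pe(code, blob)))
    print("unsigned:", overlay_report(build_minimal_pe(code, blob, signed=False)))
    print("trailing:", overlay_report(build_minimal_pe(code, blob + b"\0" * 64, sig_len=len(blob))))
```

The "trailing" case is the one worth flagging in triage: a signed file whose overlay extends past the certificate table has data appended after the signature, which the security directory entry does not cover.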
PE imports
Triage note: alongside the GUI, file and shell APIs expected of a setup program, the import table includes service control (OpenSCManagerA, CreateServiceA, ControlService, QueryServiceStatus, DeleteService), token privilege adjustment (OpenProcessToken, LookupPrivilegeValueA, AdjustTokenPrivileges), registry writes (RegCreateKeyExA, RegSetValueExA, RegDeleteValueA), process creation and cross-process thread creation (CreateProcessA, OpenProcess, CreateRemoteThread) and a reboot call (ExitWindowsEx). These are ordinary for an installer but are the same primitives a dropper uses, so they should be matched against observed runtime behaviour. WriteProcessMemory is not imported, so a classic remote-thread injection chain is not evident from the static import table alone; anything resolved at runtime through LoadLibraryA/GetProcAddress (both present) would not appear in this list.
ADVAPI32.dll
GetTokenInformation
CloseServiceHandle
LookupPrivilegeValueA
RegCloseKey
OpenServiceA
OpenProcessToken
RegSetValueExA
CreateServiceA
FreeSid
RegQueryValueExA
AllocateAndInitializeSid
OpenThreadToken
AdjustTokenPrivileges
ControlService
EqualSid
RegCreateKeyExA
QueryServiceStatus
RegOpenKeyExA
RegDeleteValueA
OpenSCManagerA
DeleteService
COMCTL32.dll
ImageList_Create
PropertySheetA
ImageList_ReplaceIcon
ImageList_Destroy
GDI32.dll
AddFontResourceA
PatBlt
CreateFontIndirectA
GetTextMetricsA
GetObjectA
DeleteDC
SetBkMode
BitBlt
RealizePalette
SetTextColor
GetDeviceCaps
CreateFontA
CreatePalette
GetStockObject
SelectPalette
GetDIBits
CreateCompatibleDC
StretchBlt
StretchDIBits
SelectObject
CreateSolidBrush
GetTextExtentPointA
SetBkColor
DeleteObject
CreateCompatibleBitmap
KERNEL32.dll
GetStdHandle
FileTimeToDosDateTime
GetFileAttributesA
WaitForSingleObject
GetDriveTypeA
HeapDestroy
GetLocalTime
FreeEnvironmentStringsA
GetDiskFreeSpaceA
lstrcatA
SetErrorMode
_llseek
FreeEnvironmentStringsW
SetStdHandle
GetFileTime
GetTempPathA
GetCPInfo
GetStringTypeA
WriteFile
_lopen
GetSystemTimeAsFileTime
HeapReAlloc
GetStringTypeW
SetFileAttributesA
GetOEMCP
MoveFileA
ResumeThread
GetExitCodeProcess
GetEnvironmentVariableA
LoadResource
FindClose
SetLastError
GetSystemTime
CopyFileA
ExitProcess
FlushFileBuffers
GetModuleFileNameA
GetVolumeInformationA
GetPrivateProfileStringA
SetThreadPriority
UnhandledExceptionFilter
MultiByteToWideChar
GetModuleHandleA
_lclose
GetCurrentProcess
GetSystemDirectoryA
MoveFileExA
SetEnvironmentVariableA
SetPriorityClass
TerminateProcess
GlobalAlloc
LocalFileTimeToFileTime
SetEndOfFile
GetVersion
HeapFree
SetHandleCount
SetEvent
GetVersionExA
LoadLibraryA
RtlUnwind
FreeLibrary
CreateRemoteThread
GetStartupInfoA
DosDateTimeToFileTime
OpenProcess
CreateDirectoryA
DeleteFileA
GetWindowsDirectoryA
GetProcAddress
_lread
CompareStringW
GlobalReAlloc
FindFirstFileA
lstrcpyA
CompareStringA
GetTempFileNameA
FindNextFileA
DuplicateHandle
GlobalLock
GetTimeZoneInformation
CreateEventA
GetFileType
SetVolumeLabelA
CreateFileA
HeapAlloc
GetLastError
SystemTimeToFileTime
LCMapStringW
lstrlenA
GlobalFree
LCMapStringA
GetEnvironmentStringsW
GlobalUnlock
WaitForSingleObjectEx
RemoveDirectoryA
GetShortPathNameA
OpenFile
_lwrite
SizeofResource
CompareFileTime
WritePrivateProfileStringA
LockResource
SetFileTime
WideCharToMultiByte
GetCommandLineA
GetCurrentThread
SetFilePointer
ReadFile
CloseHandle
GetACP
FreeResource
GetEnvironmentStrings
CreateProcessA
HeapCreate
VirtualFree
Sleep
FindResourceA
VirtualAlloc
MPR.dll
WNetGetUniversalNameA
SHELL32.dll
SHGetFileInfoA
FindExecutableA
SHChangeNotify
SHGetSpecialFolderLocation
SHBrowseForFolderA
SHGetDesktopFolder
SHGetPathFromIDListA
SHGetMalloc
ShellExecuteA
SHFileOperationA
USER32.dll
GetMessageA
GetParent
CharPrevA
EndDialog
BeginPaint
EnumWindows
MoveWindow
CheckRadioButton
KillTimer
CharUpperA
PostQuitMessage
DefWindowProcA
ShowWindow
SetClassLongA
LoadBitmapA
GetClipboardData
GetWindowThreadProcessId
GetSysColorBrush
GetSystemMetrics
IsWindow
GetWindowRect
DispatchMessageA
EndPaint
SetDlgItemTextA
PostMessageA
CallWindowProcA
EnumChildWindows
ScreenToClient
MessageBoxA
PeekMessageA
SetWindowLongA
AdjustWindowRectEx
TranslateMessage
DialogBoxParamA
GetWindow
GetSysColor
CheckDlgButton
GetDC
ReleaseDC
SetWindowTextA
DestroyIcon
GetWindowLongA
PtInRect
GetDesktopWindow
OffsetRect
SendMessageA
GetWindowTextA
GetClientRect
SetTimer
GetDlgItem
SetForegroundWindow
CreateDialogParamA
BringWindowToTop
SetWindowPos
RegisterClassA
GetClassLongA
InvalidateRect
wsprintfA
SendMessageTimeoutA
CreateWindowExA
LoadCursorA
LoadIconA
DrawTextA
FillRect
CharLowerA
IsDlgButtonChecked
CharNextA
ExitWindowsEx
CreateIconFromResourceEx
CreateIconFromResource
LoadImageA
GetClassNameA
GetFocus
EnableWindow
CloseClipboard
DestroyWindow
IsChild
IsDialogMessageA
OpenClipboard
VERSION.dll
GetFileVersionInfoSizeA
GetFileVersionInfoA
VerQueryValueA
OLE32.dll
OleUninitialize
CoUninitialize
CoInitialize
OleInitialize
CoCreateInstance
Number of PE resources by type
RT_DIALOG 18
RT_ICON 14
Struct(300) 5
RT_GROUP_ICON 4
RT_MANIFEST 1
IDR_EXEDATA 1
IDR_CAB1 1
RT_BITMAP 1
RT_VERSION 1
Number of PE resources by language
ENGLISH US 44
NEUTRAL 2
PE resources
ExifTool file metadata
CodeSize 159744
SubsystemVersion 4.0
LinkerVersion 6.0
ImageVersion 0.0
FileSubtype 0
FileVersionNumber 8.5.0.0
LanguageCode English (U.S.)
FileFlagsMask 0x003f
FileDescription FileStream TurboZIP
ImageFileCharacteristics No relocs, Executable, No line numbers, No symbols, 32-bit
CharacterSet Unicode
InitializedDataSize 3608576
EntryPoint 0x21798
OriginalFileName install.EXE
MIMEType application/octet-stream
LegalCopyright Copyright 1997-2012 FileStream, Inc.
FileVersion 8.5
TimeStamp 2011:04:17 03:24:50+02:00
FileType Win32 EXE
PEType PE32
InternalName tzipent8.exe
ProductVersion Trial version 8.5
UninitializedDataSize 0
OSVersion 4.0
FileOS Win32
Subsystem Windows GUI
MachineType Intel 386 or later, and compatibles
CompanyName FileStream, Inc.
LegalTrademarks TurboZIP
ProductName FileStream TurboZIP
ProductVersionNumber 0.0.8.5
Warning Possibly corrupt Version resource
FileTypeExtension exe
ObjectFileType Executable application
CarbonBlack
While monitoring an end-user machine in the wild, CarbonBlack noticed this sample wrote the following files to disk.
File identification
MD5 b532576c4f2869c73f2d84bc80eb08be
SHA1 0f5329540b54d7b19f8879fc0508c03b608e9a67
SHA256 b127fe4d8bbe5e46b64b23c8fbdc23ac3dc2e8584a3197e77314fd55e291b456
ssdeep 49152:5UHO633S0g2SWviRDzX+DJ0etkVUKDexDjbu5hAd5F9n6+6S2cdMiK0d3ZWsBqyv:5SO6n1YX+DOIsQDaenT2IqsMkbtV

authentihash 5db9a7cbe9af9ea3535b314ad3b41145a7edc463c0b9fd5c987172710b90c872
imphash 69d27b60cfe4d546703e42461312099c
File size 3.6 MB ( 3778176 bytes )
File type Win32 EXE
Magic literal PE32 executable for MS Windows (GUI) Intel 80386 32-bit

TrID Win32 Executable MS Visual C++ (generic) (33.7%)
Win64 Executable (generic) (29.8%)
Microsoft Visual C++ compiled executable (generic) (17.8%)
Win32 Dynamic Link Library (generic) (7.1%)
Win32 Executable (generic) (4.8%)
Tags
peexe armadillo signed overlay

VirusTotal metadata
First submission 2012-09-20 22:15:27 UTC ( 6 years, 6 months ago )
Last submission 2017-04-03 16:43:52 UTC ( 1 year, 11 months ago )
File names tzipent8.exe
19137263
install.EXE
1392471602-tzipent8.exe
B127FE4D8BBE5E46B64B23C8FBDC23AC3DC2E8584A3197E77314FD55E291B456
321632
tzipent8.exe
Advanced heuristic and reputation engines
ClamAV
Possibly Unwanted Application. While not necessarily malicious, the scanned file presents certain characteristics which depending on the user policies and environment may or may not represent a threat. For full details see: https://www.clamav.net/documents/potentially-unwanted-applications-pua .

Symantec reputation Suspicious.Insight
Condensed report! The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.
Opened files
Read files
Written files
Deleted files
Runtime DLLs