SHA256: b258c4d7d2113dee2168ed7e35568c8e03341e24e3eafc7a22a0d62e32122ef3
File name: itdownload.dll
Detection ratio: 1 / 45
Analysis date: 2013-08-10 21:59:09 UTC ( 1 year, 11 months ago )
Probably harmless! There are strong indicators suggesting that this file is safe to use.
Antivirus Result Update
TheHacker Trojan/Downloader.Murlo.dyr 20130810
AVG 20130810
Agnitum 20130810
AhnLab-V3 20130810
AntiVir 20130810
Antiy-AVL 20130810
Avast 20130810
BitDefender 20130810
ByteHero 20130804
CAT-QuickHeal 20130808
ClamAV 20130810
Commtouch 20130810
Comodo 20130810
DrWeb 20130810
ESET-NOD32 20130810
Emsisoft 20130810
F-Prot 20130810
F-Secure 20130810
Fortinet 20130810
GData 20130810
Ikarus 20130810
Jiangmin 20130810
K7AntiVirus 20130809
K7GW 20130809
Kaspersky 20130810
Kingsoft 20130723
Malwarebytes 20130810
McAfee 20130810
McAfee-GW-Edition 20130810
MicroWorld-eScan 20130810
Microsoft 20130810
NANO-Antivirus 20130810
Norman 20130810
PCTools 20130810
Panda 20130810
Rising 20130809
SUPERAntiSpyware 20130810
Symantec 20130810
TotalDefense 20130809
TrendMicro 20130810
TrendMicro-HouseCall 20130810
VBA32 20130809
VIPRE 20130810
ViRobot 20130810
nProtect 20130809
The file being studied is a Portable Executable file! More specifically, it is a Win32 DLL file for the Windows GUI subsystem.
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2008-10-15 03:44:50
Link date 4:44 AM 10/15/2008
Entry Point 0x0002C434
Number of sections 8
PE sections
PE imports
RegOpenKeyExA
RegQueryValueExA
RegCloseKey
SetBkMode
GetTextExtentPoint32A
CreateFontA
TextOutA
GetTextMetricsA
SelectObject
DeleteObject
GetLastError
GetStdHandle
EnterCriticalSection
ReadFile
LoadLibraryA
lstrlenA
GetFileAttributesA
WaitForSingleObject
FreeLibrary
QueryPerformanceCounter
ExitProcess
GetThreadLocale
TlsAlloc
GetVersionExA
GetModuleFileNameA
RtlUnwind
ExitThread
GetLocalTime
QueryPerformanceFrequency
DeleteCriticalSection
GetStartupInfoA
GetDateFormatA
LoadLibraryExA
GetLocaleInfoA
LocalAlloc
CreateThread
UnhandledExceptionFilter
TlsGetValue
MultiByteToWideChar
GetCPInfo
GetCommandLineA
GetProcAddress
SetFilePointer
RaiseException
CompareStringA
CloseHandle
WideCharToMultiByte
TlsFree
GetModuleHandleA
FindFirstFileA
InterlockedExchange
WriteFile
EnumCalendarInfoA
ResetEvent
lstrcpynA
GetACP
GetDiskFreeSpaceA
OutputDebugStringA
GetFullPathNameA
SetEvent
LocalFree
ResumeThread
GetExitCodeThread
InitializeCriticalSection
VirtualQuery
VirtualFree
CreateEventA
FindClose
InterlockedDecrement
Sleep
FormatMessageA
SetEndOfFile
TlsSetValue
CreateFileA
GetTickCount
GetCurrentThreadId
LeaveCriticalSection
VirtualAlloc
InterlockedIncrement
VariantChangeType
SafeArrayGetLBound
SafeArrayPtrOfIndex
SysAllocStringLen
VariantClear
SafeArrayCreate
SysReAllocStringLen
SafeArrayGetUBound
VariantCopy
SysFreeString
VariantInit
GetMessageA
UpdateWindow
BeginPaint
PostQuitMessage
DefWindowProcA
SetWindowPos
GetSystemMetrics
GetWindowRect
DispatchMessageA
EndPaint
PostMessageA
CharUpperBuffA
MessageBoxA
PeekMessageA
SetWindowLongA
TranslateMessage
GetDC
RegisterClassExA
ReleaseDC
SetWindowTextA
LoadStringA
SendMessageA
ScreenToClient
InvalidateRect
GetWindowLongA
CreateWindowExA
FillRect
CharNextA
CallWindowProcA
MsgWaitForMultipleObjects
CharToOemA
GetKeyboardType
PostThreadMessageA
DestroyWindow
InternetQueryOptionA
PE exports
Number of PE resources by type
RT_STRING 8
RT_RCDATA 2
Number of PE resources by language
NEUTRAL 10
ExifTool file metadata
MIMEType
application/octet-stream

Subsystem
Windows GUI

MachineType
Intel 386 or later, and compatibles

FileTypeExtension
dll

TimeStamp
2008:10:15 04:44:50+01:00

FileType
Win32 DLL

PEType
PE32

CodeSize
176640

LinkerVersion
2.25

EntryPoint
0x2c434

InitializedDataSize
27648

SubsystemVersion
4.0

ImageVersion
0.0

OSVersion
4.0

UninitializedDataSize
0

CarbonBlack
While monitoring an end-user machine in the wild, CarbonBlack observed that the following executing files wrote this sample to disk.
Execution parents
PE resource-wise parents
Compressed bundles
File identification
MD5 d82a429efd885ca0f324dd92afb6b7b8
SHA1 86bbdaa15e6fc5c7779ac69c84e53c43c9eb20ea
SHA256 b258c4d7d2113dee2168ed7e35568c8e03341e24e3eafc7a22a0d62e32122ef3
ssdeep
3072:lfb9mvexZXivFFmLFam1BEsW61HgAIwSMaentFGTaIgBx9rs0NBGZZuey2E0QeqB:lfbueviGLVUyHgAIwSMaenTrNWcmE

authentihash 197111620399da5579f252ebdd3099436e7a90368bc86c3166e38f75b4b27d6e
imphash 04c8754c68f4349c85ad5221e435c9bf
File size 200.5 KB ( 205312 bytes )
File type Win32 DLL
Magic literal
PE32 executable for MS Windows (DLL) (GUI) Intel 80386 32-bit

TrID Win32 Executable Delphi generic (31.9%)
Windows screen saver (29.4%)
Win32 Dynamic Link Library (generic) (14.7%)
Win32 Executable (generic) (10.1%)
Win16/32 Executable Delphi generic (4.6%)
Tags
pedll via-tor

VirusTotal metadata
First submission 2009-11-28 11:20:12 UTC ( 5 years, 8 months ago )
Last submission 2015-08-04 18:55:03 UTC ( 3 hours, 1 minute ago )
File names is-se2io.tmp
is-h8p5a.tmp
is-odr51.tmp
itdownload.dll
is-a3p74.tmp
is-41npo.tmp
is-369qa.tmp
itdownload (5).dll
is-iqs39.tmp
is-85pic.tmp
is-rjs04.tmp
is-dqucp.tmp
is-6qivv.tmp
itdownload,1.dll
is-1inr5.tmp
is-ojsi0.tmp
3463cac.tmpscan
itdownload (5).dll
is-j8ola.tmp
is-pnpfa.tmp
is-vpc3o.tmp
is-nqpse.tmp
51
is-u78fc.tmp
is-ve0u5.tmp
Advanced heuristic and reputation engines
ClamAV
Possibly Unwanted Application. While not necessarily malicious, the scanned file presents certain characteristics which depending on the user policies and environment may or may not represent a threat. For full details see: http://www.clamav.net/doc/pua.html .

Symantec reputation Suspicious.Insight