SHA256: b2b2211401b9568a884b3f9b75a857ea55b61a3bb76d3db5b2319aa0c3f0be69
File name: SpyShelter.exe
Detection ratio: 1 / 57
Analysis date: 2015-05-23 10:34:28 UTC ( 3 years, 11 months ago )
Antivirus Result Update (an empty Result column means the engine did not flag the file; the single hit, Bkav's HW32.Packed.5E3D, is a generic packed-executable detection rather than a named threat family)
Bkav HW32.Packed.5E3D 20150523
Ad-Aware 20150523
AegisLab 20150523
Yandex 20150521
AhnLab-V3 20150522
Alibaba 20150523
ALYac 20150523
Antiy-AVL 20150523
Avast 20150523
AVG 20150523
Avira (no cloud) 20150522
AVware 20150523
Baidu-International 20150523
BitDefender 20150523
ByteHero 20150523
CAT-QuickHeal 20150523
ClamAV 20150523
CMC 20150520
Comodo 20150523
Cyren 20150523
DrWeb 20150523
Emsisoft 20150523
ESET-NOD32 20150523
F-Prot 20150523
F-Secure 20150523
Fortinet 20150523
GData 20150523
Ikarus 20150523
Jiangmin 20150522
K7AntiVirus 20150523
K7GW 20150523
Kaspersky 20150523
Kingsoft 20150523
Malwarebytes 20150523
McAfee 20150523
McAfee-GW-Edition 20150522
Microsoft 20150523
eScan 20150523
NANO-Antivirus 20150523
Norman 20150523
nProtect 20150522
Panda 20150523
Qihoo-360 20150523
Rising 20150522
Sophos AV 20150523
SUPERAntiSpyware 20150523
Symantec 20150523
Tencent 20150523
TheHacker 20150521
TotalDefense 20150523
TrendMicro 20150523
TrendMicro-HouseCall 20150523
VBA32 20150523
VIPRE 20150523
ViRobot 20150523
Zillya 20150521
Zoner 20150521
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
Authenticode signature block and FileVersionInfo properties
Publisher Datpol Janusz Siemienowicz
Product SpyShelter
Original name SpyShelter.exe
Internal name SpyShelter
File version 8,4,0,0
Description SpyShelter GUI
Signature verification Certificate out of its validity period
Signers
[+] Datpol Janusz Siemienowicz
Status Certificate out of its validity period
Issuer None
Valid from 1:58 AM 9/9/2012
Valid to 5:09 PM 11/7/2013
Valid usage Code Signing
Algorithm SHA1
Thumbprint A381C5B16194D21A79A873841BCFE84B44F69B6C
Serial number 11 21 EA B2 79 9A 41 77 69 A6 98 57 40 A2 E4 F3 F2 85
[+] GlobalSign CodeSigning CA - G2
Status Valid
Issuer None
Valid from 11:00 AM 4/13/2011
Valid to 11:00 AM 4/13/2019
Valid usage Code Signing
Algorithm SHA1
Thumbprint 9000401777DD2B43393D7B594D2FF4CBA4516B38
Serial number 04 00 00 00 00 01 2F 4E E1 35 5C
[+] GlobalSign
Status Valid
Issuer None
Valid from 1:00 PM 9/1/1998
Valid to 1:00 PM 1/28/2028
Valid usage Server Auth, Client Auth, Code Signing, Email Protection, Timestamp Signing, OCSP Signing, EFS, IPSEC Tunnel, IPSEC User, IPSEC IKE Intermediate
Algorithm SHA1
Thumbprint B1BC968BD4F49D622AA89A81F2150152A41D829C
Serial number 04 00 00 00 00 01 15 4B 5A C3 94
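The status lines above say the signer certificate was outside its validity period at the 2015 analysis date while both GlobalSign CA certificates were still valid. The Python below is an added example written for this page (not VirusTotal's or SpyShelter's code): it encodes the chain's validity windows exactly as listed and reproduces that verdict, and it shows the caveat that decides whether an expired signer matters in practice. An Authenticode signature survives signer expiry only when a trusted timestamp countersignature places the signing time inside the signer's window, and this report lists no timestamp signer. The `timestamp` argument and the two HYPOTHETICAL_TIMESTAMP constants are assumptions made for the demonstration; revocation and chain building are deliberately out of scope.

```python
from datetime import datetime

# Certificate chain exactly as listed in the report above (local times as shown there).
# Index 0 is the signer (leaf); the rest are its issuers up to the root.
CHAIN = [
    {"subject": "Datpol Janusz Siemienowicz",
     "not_before": datetime(2012, 9, 9, 1, 58), "not_after": datetime(2013, 11, 7, 17, 9)},
    {"subject": "GlobalSign CodeSigning CA - G2",
     "not_before": datetime(2011, 4, 13, 11, 0), "not_after": datetime(2019, 4, 13, 11, 0)},
    {"subject": "GlobalSign",
     "not_before": datetime(1998, 9, 1, 13, 0), "not_after": datetime(2028, 1, 28, 13, 0)},
]

# Analysis date from the report header.
ANALYSIS_DATE = datetime(2015, 5, 23, 10, 34, 28)

# HYPOTHETICAL timestamps (the report lists no timestamp countersignature): one inside
# the signer's validity window, one after the signer expired.
HYPOTHETICAL_TIMESTAMP_IN_WINDOW = datetime(2013, 3, 1)
HYPOTHETICAL_TIMESTAMP_AFTER_EXPIRY = datetime(2014, 1, 1)


def cert_status(cert, at):
    """Validity-window check only (no revocation, no chain building), using the
    status wording VirusTotal prints."""
    if at < cert["not_before"]:
        return "Certificate not yet valid"
    if at > cert["not_after"]:
        return "Certificate out of its validity period"
    return "Valid"


def chain_status(chain, at):
    """Status of every certificate in the chain as of one point in time."""
    return [(c["subject"], cert_status(c, at)) for c in chain]


def signature_verdict(chain, verify_time, timestamp=None):
    """Authenticode rule of thumb: without a trusted timestamp countersignature the
    chain is evaluated at verification time, so an expired signer fails. With a
    timestamp, the chain is evaluated at the attested signing time instead, which
    is what lets old signatures stay valid after the signer certificate expires."""
    check_time = timestamp if timestamp is not None else verify_time
    for subject, status in chain_status(chain, check_time):
        if status != "Valid":
            return f"signature invalid: {subject}: {status}"
    return "signature valid (timestamped)" if timestamp else "signature valid"


if __name__ == "__main__":
    for subject, status in chain_status(CHAIN, ANALYSIS_DATE):
        print(f"{subject}: {status}")
    print(signature_verdict(CHAIN, ANALYSIS_DATE))
    print(signature_verdict(CHAIN, ANALYSIS_DATE, timestamp=HYPOTHETICAL_TIMESTAMP_IN_WINDOW))
```

Run stand-alone it prints the three per-certificate statuses shown in the report, then the untimestamped verdict (invalid, signer expired) and the verdict a timestamp inside the signer's window would have produced. When triaging a signed sample, check for an RFC 3161 or legacy Authenticode countersignature before treating "Certificate out of its validity period" as meaningful; on a timestamped file it is the expected state for any binary older than its signing certificate.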
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 1992-06-19 22:22:17 (raw value 0x2A425E19; this is the fixed placeholder that Borland/Delphi linkers write, and a 1992 date predates Windows NT 3.1 and the PE format itself, so it says nothing about when this binary, signed with a 2012 certificate, was actually built)
Entry Point 0x0025ECBE
Number of sections 13
PE sections
Overlays
MD5 02a7347afaefa1ab8cb0b2025fc9782a
File type data
Offset 3969024
Size 4408
Entropy 7.45
Offset plus size equals the 3973432-byte file size, so the overlay runs to the end of the file. On an Authenticode-signed PE the certificate table lives after the last section, which is exactly where overlay detection looks, so a 4 KB, high-entropy overlay on a file tagged "signed" is most likely the PKCS#7 signature block itself rather than an appended payload; confirm by checking whether the Security data directory points at this offset and size.
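An added example, my own code rather than anything from the page or the vendor: a minimal PE32/PE32+ header parser that pulls the fields shown above (machine, section count, TimeDateStamp, entry point), flags the 0x2A425E19 placeholder timestamp, locates the overlay beyond the last section, measures its Shannon entropy, and checks whether the Security data directory points at that overlay (which distinguishes a signature blob from appended data). It runs on a constructed in-memory PE that carries this report's header values, not on SpyShelter.exe; the two-section layout, the 256-byte overlay and the directory pointing at it are invented for the demonstration.

```python
import math
import struct
from datetime import datetime, timezone

# 0x2A425E19 = 1992-06-19 22:22:17 UTC, the fixed TimeDateStamp that Borland/Delphi
# linkers write, so a PE carrying it tells you nothing about its real build time.
DELPHI_PLACEHOLDER_TIMESTAMP = 0x2A425E19


def shannon_entropy(buf):
    """Bits per byte: 0.0 for a constant buffer, up to 8.0 for a uniform one."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def parse_pe(data):
    """Pull the header facts a triage report shows from a PE32/PE32+ image in memory."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    machine, nsections, tstamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic, = struct.unpack_from("<H", data, opt)
    entry, = struct.unpack_from("<I", data, opt + 16)
    # Data directory 4 (Security) holds a *file offset* (not an RVA) to the Authenticode blob.
    dirs = opt + (96 if magic == 0x10B else 112)
    sec_off, sec_size = struct.unpack_from("<II", data, dirs + 4 * 8)
    sections, end_of_sections = [], 0
    for i in range(nsections):
        name, _vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", data, opt + opt_size + i * 40)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_address": vaddr, "raw_offset": rawptr, "raw_size": rawsize})
        end_of_sections = max(end_of_sections, rawptr + rawsize)
    overlay = data[end_of_sections:]          # everything past the last section's raw data
    return {
        "machine": machine,
        "pe_type": {0x10B: "PE32", 0x20B: "PE32+"}.get(magic, hex(magic)),
        "number_of_sections": nsections,
        "timestamp": tstamp,
        "timestamp_utc": datetime.fromtimestamp(tstamp, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
        "timestamp_is_placeholder": tstamp == DELPHI_PLACEHOLDER_TIMESTAMP,
        "entry_point": entry,
        "sections": sections,
        "overlay_offset": end_of_sections if overlay else None,
        "overlay_size": len(overlay),
        "overlay_entropy": round(shannon_entropy(overlay), 2),
        # True when the overlay is exactly the certificate table, i.e. the signature blob.
        "overlay_is_certificate_table": bool(overlay) and (sec_off, sec_size) == (end_of_sections, len(overlay)),
    }


def build_sample_pe():
    """CONSTRUCTED minimal PE32, not SpyShelter.exe: two sections, the header values
    from this report, and a 256-byte 'signature' overlay containing every byte value once."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                      # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 2, DELPHI_PLACEHOLDER_TIMESTAMP, 0, 0, 224, 0x0102)
    opt = bytearray(224)                                       # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 16, 0x25ECBE)                  # AddressOfEntryPoint
    struct.pack_into("<II", opt, 96 + 4 * 8, 0x600, 256)       # Security directory -> overlay

    def section(name, vaddr, rawptr, rawsize, flags):
        return struct.pack("<8sIIIIIIHHI", name, rawsize, vaddr, rawsize, rawptr, 0, 0, 0, 0, flags)

    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt)
    headers += section(b".text", 0x1000, 0x200, 0x200, 0x60000020)
    headers += section(b".data", 0x2000, 0x400, 0x200, 0xC0000040)
    body = b"\xCC" * 0x200 + b"\x00" * 0x200
    return headers.ljust(0x200, b"\0") + body + bytes(range(256))


if __name__ == "__main__":
    for key, value in parse_pe(build_sample_pe()).items():
        print(f"{key}: {value}")
```

The overlay offset is computed the way VirusTotal's "Overlays" figure is: the highest PointerToRawData + SizeOfRawData over all sections. On a real signed file the Security directory offset should equal that value; if the overlay is larger than the certificate table, the difference is genuine appended data worth carving out.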
PE imports
GetOpenFileNameA
GetSaveFileNameA
CreateDCA
DeleteDC
SelectObject
CreatePalette
CreateDIBitmap
SelectPalette
BitBlt
CreateCompatibleDC
DeleteObject
RealizePalette
FreeConsole
ReleaseMutex
WaitForSingleObject
HeapDestroy
SetFileTime
GetFileAttributesW
GetLocalTime
GetStdHandle
DeleteCriticalSection
GetCurrentProcess
GetConsoleMode
GetLocaleInfoA
SetErrorMode
FreeEnvironmentStringsW
GetThreadContext
GetLocaleInfoW
SetStdHandle
GetFileTime
GetTempPathA
WideCharToMultiByte
WaitForDebugEvent
InterlockedExchange
GetTempPathW
GetSystemTimeAsFileTime
HeapReAlloc
GetStringTypeW
GetOEMCP
LocalFree
MoveFileA
ResumeThread
GetExitCodeProcess
GetEnvironmentVariableA
OutputDebugStringW
FindClose
TlsGetValue
FormatMessageA
GetFullPathNameW
OutputDebugStringA
SetLastError
DeviceIoControl
InitializeCriticalSection
CopyFileW
WriteProcessMemory
GetModuleFileNameW
IsDebuggerPresent
ExitProcess
FlushFileBuffers
GetModuleFileNameA
EnumSystemLocalesA
GetPrivateProfileStringA
SetConsoleCtrlHandler
UnhandledExceptionFilter
InterlockedDecrement
MultiByteToWideChar
FatalAppExitA
SetFilePointerEx
CreateMutexA
GetModuleHandleA
GlobalAddAtomW
CreateDirectoryExW
CreateThread
MoveFileExW
GlobalAddAtomA
SetUnhandledExceptionFilter
IsProcessorFeaturePresent
SetEnvironmentVariableA
SetThreadContext
TerminateProcess
SetCurrentDirectoryW
GlobalAlloc
DebugActiveProcess
SearchPathA
VirtualQueryEx
SetEndOfFile
GetCurrentThreadId
InterlockedIncrement
WriteConsoleW
AreFileApisANSI
InitializeCriticalSectionAndSpinCount
HeapFree
EnterCriticalSection
SetHandleCount
LoadLibraryW
GlobalGetAtomNameW
FreeLibrary
QueryPerformanceCounter
GetTickCount
TlsAlloc
VirtualProtect
GetVersionExA
LoadLibraryA
RtlUnwind
GetStartupInfoA
GetDateFormatA
GetFileSize
LCMapStringW
DeleteFileA
GetWindowsDirectoryA
GetStartupInfoW
ReadProcessMemory
SetEvent
DeleteFileW
GetUserDefaultLCID
VirtualProtectEx
GetProcessHeap
GetTempFileNameW
CompareStringW
RemoveDirectoryW
GetFileInformationByHandle
FindNextFileW
CreateDirectoryW
GetTimeFormatA
GetTempFileNameA
CreateFileMappingA
FindFirstFileW
IsValidLocale
DuplicateHandle
GetProcAddress
GetTimeZoneInformation
CreateFileW
CreateEventA
GetFileType
TlsSetValue
CreateFileA
HeapAlloc
LeaveCriticalSection
GetLastError
GlobalDeleteAtom
GetShortPathNameW
HeapCreate
GlobalFree
GetConsoleCP
GlobalGetAtomNameA
GetEnvironmentStringsW
GlobalUnlock
GetShortPathNameA
GetCurrentDirectoryW
WritePrivateProfileStringA
GetCurrentProcessId
GetDiskFreeSpaceExW
ContinueDebugEvent
GetCommandLineW
GetCPInfo
HeapSize
GetCommandLineA
InterlockedCompareExchange
GetCurrentThread
OpenMutexA
SuspendThread
RaiseException
MapViewOfFile
TlsFree
SetFilePointer
ReadFile
CloseHandle
GetACP
GlobalLock
GetModuleHandleW
GetFileAttributesExW
CreateProcessA
IsValidCodePage
UnmapViewOfFile
WriteFile
Sleep
IsBadReadPtr
SetThreadPriority
VirtualAlloc
SHGetSpecialFolderPathA
GetMessageA
PackDDElParam
UpdateWindow
SetPropA
BeginPaint
EnumWindows
DefWindowProcW
CreateDialogIndirectParamA
KillTimer
FindWindowA
DefWindowProcA
ShowWindow
GetPropA
GetWindowThreadProcessId
FreeDDElParam
GetSystemMetrics
IsWindow
DispatchMessageA
EndPaint
PostMessageA
MoveWindow
MessageBoxA
PeekMessageA
TranslateMessage
DialogBoxParamA
PostMessageW
RegisterClassExA
GetAsyncKeyState
DrawTextA
SetWindowTextA
SendMessageW
LoadStringA
RegisterClassW
SendMessageA
LoadStringW
SetTimer
GetDlgItem
CreateDialogParamA
RegisterClassA
InSendMessage
GetWindowTextLengthA
CreateWindowExA
LoadCursorA
DefDlgProcA
EnumThreadWindows
WaitForInputIdle
GetDesktopWindow
IsWindowUnicode
UnpackDDElParam
CreateWindowExW
GetWindowTextA
DestroyWindow
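Import names describe capability, not intent. DebugActiveProcess, WriteProcessMemory and SetThreadContext are what a debugger or an injector uses; GetAsyncKeyState is what a keylogger polls; and all of them are equally what a HIPS or anti-keylogger front end, which is what this file's version info describes, needs in order to do its job. The Python below is an added example (not code from VirusTotal or SpyShelter) that runs a capability triage over a subset of the functions listed above and shows how the imphash reported further down is derived from DLL/function pairs. Because the DLL column was lost in this extraction, the grouping in ASSUMED_IMPORT_TABLE is an assumption for the demonstration only, and its hash is not expected to equal the page's imphash.

```python
import hashlib

# Subset of the import names listed on this page (function names only, DLLs unknown).
LISTED_IMPORTS = [
    "GetOpenFileNameA", "CreateDCA", "BitBlt", "CreateCompatibleDC", "CreateDIBitmap",
    "GetThreadContext", "SetThreadContext", "WaitForDebugEvent", "ContinueDebugEvent",
    "DebugActiveProcess", "SuspendThread", "ResumeThread", "ReadProcessMemory",
    "WriteProcessMemory", "VirtualProtectEx", "VirtualQueryEx", "DeviceIoControl",
    "IsDebuggerPresent", "CreateProcessA", "EnumWindows", "FindWindowA",
    "GetWindowThreadProcessId", "GetAsyncKeyState", "GetDesktopWindow", "CloseHandle",
]

# Capability map: imported names that deserve a second look during triage.
CAPABILITIES = {
    "debugger / thread control": {"DebugActiveProcess", "WaitForDebugEvent",
                                  "ContinueDebugEvent", "GetThreadContext",
                                  "SetThreadContext", "SuspendThread", "ResumeThread"},
    "cross-process memory": {"ReadProcessMemory", "WriteProcessMemory",
                             "VirtualProtectEx", "VirtualQueryEx"},
    "keyboard state polling": {"GetAsyncKeyState"},
    "driver communication": {"DeviceIoControl"},
    "debugger detection": {"IsDebuggerPresent"},
    "screen capture primitives": {"BitBlt", "CreateCompatibleDC", "CreateDIBitmap",
                                  "GetDesktopWindow"},
    "process creation": {"CreateProcessA"},
    "window enumeration": {"EnumWindows", "FindWindowA", "GetWindowThreadProcessId"},
}


def triage_imports(names):
    """Return {capability: sorted matching import names}, omitting capabilities with no hit."""
    present = set(names)
    return {cap: sorted(present & apis) for cap, apis in CAPABILITIES.items() if present & apis}


def imphash(import_table):
    """pefile/VirusTotal-style imphash: MD5 over 'dll.func' pairs in import order,
    lower-cased, with .dll/.ocx/.sys stripped from the module name and ordinal
    imports rendered as 'ordN'. Order matters, so two builds with the same imports
    in a different import-table order hash differently."""
    parts = []
    for dll, func in import_table:
        dll = dll.lower()
        for ext in (".dll", ".ocx", ".sys"):
            if dll.endswith(ext):
                dll = dll[: -len(ext)]
                break
        func = f"ord{func}" if isinstance(func, int) else func.lower()
        parts.append(f"{dll}.{func}")
    return hashlib.md5(",".join(parts).encode("ascii")).hexdigest()


# ASSUMED grouping of a few listed functions into DLLs, for demonstration only;
# the real import table order and DLL assignment are not recoverable from this page.
ASSUMED_IMPORT_TABLE = [
    ("COMDLG32.dll", "GetOpenFileNameA"),
    ("GDI32.dll", "BitBlt"),
    ("KERNEL32.dll", "WriteProcessMemory"),
    ("KERNEL32.dll", "DeviceIoControl"),
    ("USER32.dll", "GetAsyncKeyState"),
]

if __name__ == "__main__":
    for capability, hits in triage_imports(LISTED_IMPORTS).items():
        print(f"{capability}: {', '.join(hits)}")
    print("imphash of assumed table:", imphash(ASSUMED_IMPORT_TABLE))
```

The triage output for this file reads like a debugger plus a screen grabber plus a key-state poller, which is consistent both with an anti-keylogger that exercises its own hooks and with spyware; the 1/57 ratio above, where the only hit is a packer heuristic, is the sensible reading once the signed publisher and product name are taken into account. Imphash is useful for clustering builds of the same code base, not for judging intent, and it is only comparable between tools that normalise names the same way.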
Number of PE resources by type
RT_BITMAP 40
RT_RCDATA 35
RT_STRING 25
RT_GROUP_CURSOR 20
RT_CURSOR 20
RT_ICON 16
RT_GROUP_ICON 4
RT_DIALOG 2
RT_VERSION 2
RT_MANIFEST 1
Number of PE resources by language
NEUTRAL 89
ENGLISH US 48
GERMAN 12
ENGLISH NEUTRAL 7
POLISH DEFAULT 6
RUSSIAN 2
ENGLISH UK 1
PE resources
ExifTool file metadata
SubsystemVersion 4.0
LinkerVersion 83.82
ImageVersion 0.0
FileSubtype 0
FileVersionNumber 8.4.0.0
UninitializedDataSize 0
LanguageCode English (U.S.)
FileFlagsMask 0x003f
CharacterSet Unicode
InitializedDataSize 3141632
EntryPoint 0x25ecbe
OriginalFileName SpyShelter.exe
MIMEType application/octet-stream
FileVersion 8,4,0,0
TimeStamp 1992:06:19 23:22:17+01:00 (the PE header timestamp above, rendered in UTC+1)
FileType Win32 EXE
PEType PE32
InternalName SpyShelter
ProductVersion 8,4,0,0
FileDescription SpyShelter GUI
OSVersion 4.0
FileOS Win32
Subsystem Windows GUI
MachineType Intel 386 or later, and compatibles
CodeSize 823296
ProductName SpyShelter
ProductVersionNumber 8.4.0.0
FileTypeExtension exe
ObjectFileType Executable application
File identification
MD5 8b98df5eae682bc7dc04e17b46d25c23
SHA1 332757b71a3374d1af5584439a706540e1413590
SHA256 b2b2211401b9568a884b3f9b75a857ea55b61a3bb76d3db5b2319aa0c3f0be69
ssdeep 98304:EtDlXyT+n2kqq3OHbyWXiqolRkO9zOwqY:yDgT+nQq3edXiPDl9ywV
authentihash 9330b62001c1a2fa1010742f1fafe4d8dd5a8fe53ef6e701d05ef8d23db6c0e8
imphash a9dfa3363d8e044cb38536d273bb593d
File size 3.8 MB ( 3973432 bytes )
File type Win32 EXE
Magic literal PE32 executable for MS Windows (GUI) Intel 80386 32-bit
TrID Win32 Executable (generic) (52.9%)
Generic Win/DOS Executable (23.5%)
DOS Executable Generic (23.4%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
Tags peexe signed overlay
VirusTotal metadata
First submission 2013-05-26 17:00:36 UTC ( 5 years, 11 months ago )
Last submission 2015-05-23 10:34:28 UTC ( 3 years, 11 months ago )
File names spyshelter.exe
SpyShelter.exe
SpyShelter
Behaviour characterization
Zemana
screen-capture

Condensed report! The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.
The following behaviour sections of the report carry no entries in this capture: Opened files, Read files, Written files, Set keys, Deleted keys, Created mutexes, Opened mutexes, Searched windows, Opened service managers, Opened services, Runtime DLLs.
Additional details
The file sends control codes directly to certain device drivers making use of the DeviceIoControl Windows API function. If, as the "SpyShelter GUI" description suggests, this is the user-mode front end of a security product with a kernel-mode component, that is expected behaviour rather than an indicator on its own; what would matter is which device object is opened and which control codes are sent, and this condensed report records neither.