SHA256: b3737156a824c2d5f53d276c13d3ef523e8f10235c92ee147862ebc28e982212
File name: 9.exe
Detection ratio: 1 / 43
Analysis date: 2012-01-11 05:08:27 UTC ( 2 years, 3 months ago )
Antivirus Result Update
DrWeb Adware.InstallCore.15 20120111
AVG 20120111
AhnLab-V3 20120110
AntiVir 20120111
Antiy-AVL 20120111
Avast 20120110
BitDefender 20120111
ByteHero 20111231
CAT-QuickHeal 20120110
ClamAV 20120111
Commtouch 20120111
Comodo 20120110
Emsisoft 20120111
F-Prot 20120111
F-Secure 20120110
Fortinet 20120111
GData 20120111
Ikarus 20120111
Jiangmin 20120110
K7AntiVirus 20120110
Kaspersky 20120111
McAfee 20120111
McAfee-GW-Edition 20120110
Microsoft 20120110
NOD32 20120111
Norman 20120110
PCTools 20120111
Panda 20120110
Prevx 20120111
Rising 20120111
SUPERAntiSpyware 20120111
Sophos 20120111
Symantec 20120111
TheHacker 20120110
TrendMicro 20120111
TrendMicro-HouseCall 20120111
VBA32 20120110
VIPRE 20120111
ViRobot 20120111
VirusBuster 20120110
eSafe 20120110
eTrust-Vet 20120110
nProtect 20120110
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
Authenticode signature block
Copyright

Publisher Volonet Ltd
Product Facemoods
Internal name Installer
File version 2.0.1.0
Description Powered by InstallCore
Signature verification Signed file, verified signature
Signing date 4:42 PM 12/26/2011
Signers
[+] Volonet Ltd
Status Certificate out of its validity period
Valid from 1:00 AM 11/24/2010
Valid to 12:59 AM 11/24/2012
Valid usage Code Signing
Algorithm SHA1
Thumbprint 6DEC0D1BD0FEE8FCD4CC94FAA75AB4D7F23E3759
Serial number 27 22 80 02 C4 36 8B 89 85 B0 D5 7B C7 FE 75 CC
[+] USERTrust
Status Valid
Valid from 7:31 PM 7/9/1999
Valid to 7:40 PM 7/9/2019
Valid usage EFS, Timestamp Signing, Code Signing
Algorithm SHA1
Thumbprint E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46
Serial number 44 BE 0C 8B 50 00 24 B4 11 D3 36 2D E0 B3 5F 1B
Counter signers
[+] COMODO Time Stamping Signer
Status Valid
Valid from 1:00 AM 5/10/2010
Valid to 12:59 AM 5/11/2015
Valid usage Timestamp Signing
Algorithm SHA1
Thumbprint 3DBB6DB5085C6DD5A1CA7F9CF84ECB1A3910CAC8
Serial number 47 8A 8E FB 59 E1 D8 3F 0C E1 42 D2 A2 87 07 BE
[+] USERTrust
Status Valid
Valid from 7:31 PM 7/9/1999
Valid to 7:40 PM 7/9/2019
Valid usage EFS, Timestamp Signing, Code Signing
Algorithm SHA1
Thumbprint E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46
Serial number 44 BE 0C 8B 50 00 24 B4 11 D3 36 2D E0 B3 5F 1B
Packers identified
F-PROT UPX
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 1992-06-19 22:22:17
Entry Point 0x00148A50
Number of sections 3
PE sections
PE imports
VirtualFree
ExitProcess
VirtualProtect
LoadLibraryA
VirtualAlloc
GetProcAddress
RegCloseKey
ImageList_Add
SaveDC
VariantCopy
VerQueryValueA
Number of PE resources by type
RT_STRING 15
RT_BITMAP 11
RT_GROUP_CURSOR 7
RT_ICON 7
RT_CURSOR 7
RT_RCDATA 5
RT_DIALOG 1
RT_MANIFEST 1
RT_VERSION 1
RT_GROUP_ICON 1
Number of PE resources by language
NEUTRAL 43
ENGLISH US 13
ExifTool file metadata
SubsystemVersion 4.0
LinkerVersion 2.25
ImageVersion 0.0
FileSubtype 0
FileVersionNumber 2.0.1.0
UninitializedDataSize 782336
LanguageCode Neutral
FileFlagsMask 0x003f
CharacterSet Unicode
InitializedDataSize 61440
MIMEType application/octet-stream
FileVersion 2.0.1.0
TimeStamp 1992:06:19 23:22:17+01:00
FileType Win32 EXE
PEType PE32
InternalName Installer
FileAccessDate 2014:03:12 18:32:08+01:00
ProductVersion 2.0.1.73
FileDescription Powered by InstallCore
OSVersion 4.0
FileCreateDate 2014:03:12 18:32:08+01:00
FileOS Win32
Subsystem Windows GUI
MachineType Intel 386 or later, and compatibles
CodeSize 561152
ProductName Facemoods
ProductVersionNumber 2.0.1.73
Warning Possibly corrupt Version resource
EntryPoint 0x148a50
ObjectFileType Dynamic link library

File identification
MD5 5bac5c7fe7abab31e73ee335364b5e92
SHA1 d733037e615c5fbf83781322bee5daa399036dac
SHA256 b3737156a824c2d5f53d276c13d3ef523e8f10235c92ee147862ebc28e982212
ssdeep 12288:q4pecsd5vm0J4wgOS4S4x7c0A01G2yON1DUO89LWpRZybuW9r3L:qAc5vfCBTp4C0AJ2yONBUV9LuZwuMr3L
imphash 92644df84cdbba7637462c128671f148
File size 608.7 KB ( 623320 bytes )
File type Win32 EXE
Magic literal PE32 executable for MS Windows (GUI) Intel 80386 32-bit
TrID UPX compressed Win32 Executable (41.1%)
Win32 EXE Yoda's Crypter (35.7%)
Win32 Dynamic Link Library (generic) (8.8%)
Win32 Executable (generic) (6.0%)
Win16/32 Executable Delphi generic (2.7%)
Tags peexe upx signed
VirusTotal metadata
First submission 2012-01-09 12:21:46 UTC ( 2 years, 3 months ago )
Last submission 2014-03-12 17:29:33 UTC ( 1 month, 1 week ago )
File names 489-12.exe
d733037e615c5fbf83781322bee5daa399036dac.bin
13262865177491877128
9.exe
1 (67).exe
5bac5c7fe7abab31e73ee335364b5e92.exe
Installer
267974
13263655461670547557
Advanced heuristic and reputation engines
ClamAV PUA
Possibly Unwanted Application. While not necessarily malicious, the scanned file presents certain characteristics which depending on the user policies and environment may or may not represent a threat. For full details see: http://www.clamav.net/index.php?s=pua&lang=en .
