SHA256: b77020f1ac3b0f803699018b5d6810111455c7cc66a841fc72cacaa8aeb1d4dc
File name: PhotoshopCS6%E9%94%9F%E6%96%A4%E6%8B%B7%E9%94%9F%E6%96%A4%E6%8B%B...
Detection ratio: 53 / 64
Analysis date: 2017-08-27 04:48:20 UTC
Antivirus Result Update
Ad-Aware Trojan.Generic.21511381 20170827
AhnLab-V3 PUP/Win32.Installer.R185010 20170826
ALYac Trojan.Generic.21511381 20170827
Antiy-AVL GrayWare[AdWare]/Win32.PackedNsisMod.o 20170827
Arcabit Trojan.Generic.D1483CD5 20170827
Avast Win32:AdwareSig [Adw] 20170827
AVG Win32:AdwareSig [Adw] 20170827
Avira (no cloud) TR/Dldr.Hafen.uouzd 20170826
AVware Trojan.Win32.Generic!BT 20170827
BitDefender Trojan.Generic.21511381 20170827
CAT-QuickHeal Browsermodifier.Xiazai 20170826
ClamAV Win.Trojan.Siggen-6261194-0 20170827
Comodo UnclassifiedMalware 20170827
CrowdStrike Falcon (ML) malicious_confidence_100% (D) 20170804
Cylance Unsafe 20170827
Cyren W32/Mikey.U.gen!Eldorado 20170827
DrWeb Trojan.Siggen7.5997 20170827
Emsisoft Trojan.Generic.21511381 (B) 20170827
Endgame malicious (high confidence) 20170821
ESET-NOD32 a variant of Win32/Packed.NSISmod.O suspicious 20170826
F-Prot W32/Mikey.U.gen!Eldorado 20170827
F-Secure Trojan.Generic.21511381 20170827
Fortinet Riskware/NSIS_mod 20170827
GData Trojan.Generic.21511381 20170827
Ikarus Trojan.Win32.Agent 20170826
Sophos ML heuristic 20170822
K7AntiVirus Unwanted-Program ( 005030f41 ) 20170824
K7GW Unwanted-Program ( 005030f41 ) 20170821
Kaspersky not-a-virus:HEUR:Downloader.NSIS.Hafen.gen 20170827
Malwarebytes PUP.Optional.DownLoadAdmin 20170827
MAX malware (ai score=100) 20170827
McAfee PUP-FRS 20170826
McAfee-GW-Edition PUP-FRS 20170827
Microsoft BrowserModifier:Win32/Xiazai 20170827
eScan Trojan.Generic.21511381 20170827
NANO-Antivirus Trojan.Win32.Winlock.edusxx 20170827
Palo Alto Networks (Known Signatures) generic.ml 20170827
Panda Trj/Genetic.gen 20170826
Rising PUF.Packed-NSISmod!1.AA7E (classic) 20170827
SentinelOne (Static ML) static engine - malicious 20170806
Sophos AV NSIS_mod (PUA) 20170827
SUPERAntiSpyware PUP.DownloadAdmin/Variant 20170826
Symantec Trojan.Gen.2 20170826
TrendMicro TROJ_GEN.R047C0PBR17 20170827
TrendMicro-HouseCall TROJ_GEN.R047C0PBR17 20170827
VBA32 Downloader.Xiazai 20170825
VIPRE Trojan.Win32.Generic!BT 20170827
ViRobot Adware.Agent.721808 20170826
Webroot W32.Trojan.Gen 20170827
Yandex PUA.Downloader! 20170825
Zillya Adware.AgentCRTD.Win32.11167 20170825
ZoneAlarm by Check Point not-a-virus:HEUR:Downloader.NSIS.Hafen.gen 20170827
Zoner Trojan.Application 20170827
AegisLab 20170827
Alibaba 20170825
Baidu 20170825
Bkav 20170826
CMC 20170826
Jiangmin 20170827
Kingsoft 20170827
nProtect 20170827
Qihoo-360 20170827
Symantec Mobile Insight 20170825
TheHacker 20170825
TotalDefense 20170826
Trustlook 20170827
WhiteArmor 20170817
The file being studied is a Portable Executable (PE) file; more specifically, a Win32 EXE for the Windows GUI subsystem. Two points in the data below deserve attention before the signature block is read as reassuring. First, the Authenticode signature verifies, but the signer is 上海旭岑投资合伙企业(有限合伙) (an investment partnership), not the vendor of any product the submitted file names suggest (Photoshop CS6, Word, Excel 2007, Internet Explorer 10, CoolEdit Pro and others), and the version resource describes the binary only as "Downloader" 6.0.0.1. The engine labels that name a family (BrowserModifier:Win32/Xiazai, Downloader.NSIS.Hafen, PUP.Optional.DownLoadAdmin, Packed.NSISmod, NSIS_mod PUA) all point at a downloader stub built on a modified NSIS installer, which fits its reuse under the 25 different submitted file names listed further down. Second, the signing certificate's validity ends 9/20/2017, shortly after the last analysis date; because the signature carries a COMODO timestamp countersignature (a SHA-1 chain), Authenticode keeps treating it as valid after that date, so certificate expiry alone will not make this file fail signature checks later.
Authenticode signature block and FileVersionInfo properties
Product Downloader
Original name Downloader
File version 6.0.0.1
Description Downloader
Signature verification Signed file, verified signature
Signing date 2:52 AM 2/21/2017
Signers
[+] 上海旭岑投资合伙企业(有限合伙)
Status Valid
Issuer Symantec Class 3 SHA256 Code Signing CA
Valid from 1:00 AM 9/19/2016
Valid to 12:59 AM 9/20/2017
Valid usage Code Signing
Algorithm sha256RSA
Thumbprint 7145CF5777CE8FD9C5A001BB18F87F60F071C9E6
Serial number 0A 2A BA 6B 7A 02 E3 C3 73 FD 2C 65 4B 31 1B 19
[+] Symantec Class 3 SHA256 Code Signing CA
Status Valid
Issuer VeriSign Class 3 Public Primary Certification Authority - G5
Valid from 1:00 AM 12/10/2013
Valid to 12:59 AM 12/10/2023
Valid usage Client Auth, Code Signing
Algorithm sha256RSA
Thumbprint 007790F6561DAD89B0BCD85585762495E358F8A5
Serial number 3D 78 D7 F9 76 49 60 B2 61 7D F4 F0 1E CA 86 2A
[+] VeriSign
Status Valid
Issuer VeriSign Class 3 Public Primary Certification Authority - G5
Valid from 1:00 AM 11/8/2006
Valid to 12:59 AM 7/17/2036
Valid usage Server Auth, Client Auth, Email Protection, Code Signing
Algorithm sha1RSA
Thumbprint 4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5
Serial number 18 DA D1 9E 26 7D E8 BB 4A 21 58 CD CC 6B 3B 4A
Counter signers
[+] COMODO SHA-1 Time Stamping Signer
Status Valid
Issuer UTN-USERFirst-Object
Valid from 1:00 AM 12/31/2015
Valid to 7:40 PM 7/9/2019
Valid usage Timestamp Signing
Algorithm sha1RSA
Thumbprint 03A5B14663EB12023091B84A6D6A68BC871DE66B
Serial number 16 88 F0 39 25 5E 63 8E 69 14 39 07 E6 33 0B
[+] USERTrust (Code Signing)
Status Valid
Issuer UTN-USERFirst-Object
Valid from 7:31 PM 7/9/1999
Valid to 7:40 PM 7/9/2019
Valid usage EFS, Timestamp Signing, Code Signing
Algorithm sha1RSA
Thumbprint E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46
Serial number 44 BE 0C 8B 50 00 24 B4 11 D3 36 2D E0 B3 5F 1B
Packers identified
F-PROT 7Z
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2016-06-20 08:42:23
Entry Point 0x0000331D
Number of sections 5
PE sections
Overlays
MD5 6b505ebd11f73b7ce88464461a97a735
File type data
Offset 58880
Size 662928
Entropy 8.00
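The overlay figures above (offset 58880 plus size 662928 equals the 721808-byte file size, entropy 8.00, F-PROT's "7Z" packer label) are what an analyst would reproduce first on a sample like this. The Python script below is an added example, not part of the VirusTotal report: it walks the PE section table to find where the image's raw data ends, splits off the Authenticode certificate table (which is also appended after the sections and would otherwise be counted as payload), measures the Shannon entropy of what remains and tests for the 7-Zip container magic. The build_test_pe helper constructs a minimal synthetic PE32 so the script runs offline; that helper, the function names and the synthetic layout are this example's own assumptions.

```python
import math
import struct
from collections import Counter

SEVEN_ZIP_MAGIC = b"7z\xbc\xaf\x27\x1c"  # first six bytes of every .7z archive


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 means every byte value is equally likely (compressed/encrypted)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def _coff_offset(pe: bytes) -> int:
    """Offset of the COFF file header (right after the 'PE\\0\\0' signature)."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    return e_lfanew + 4


def end_of_sections(pe: bytes) -> int:
    """File offset just past the last section's raw data, i.e. where an overlay begins."""
    coff = _coff_offset(pe)
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    size_opt = struct.unpack_from("<H", pe, coff + 16)[0]
    end = struct.unpack_from("<I", pe, coff + 20 + 0x3C)[0]  # SizeOfHeaders
    sec_table = coff + 20 + size_opt
    for i in range(num_sections):
        # section header: Name(8) VirtualSize(4) VirtualAddress(4) SizeOfRawData(4) PointerToRawData(4) ...
        raw_size, raw_ptr = struct.unpack_from("<II", pe, sec_table + i * 40 + 16)
        end = max(end, raw_ptr + raw_size)
    return min(end, len(pe))


def security_directory(pe: bytes) -> tuple:
    """(file offset, size) of the Authenticode certificate table, or (0, 0) if absent."""
    opt = _coff_offset(pe) + 20
    magic = struct.unpack_from("<H", pe, opt)[0]
    dirs = opt + (96 if magic == 0x10B else 112)  # data directories: PE32 vs PE32+
    if struct.unpack_from("<I", pe, dirs - 4)[0] <= 4:  # NumberOfRvaAndSizes
        return (0, 0)
    return struct.unpack_from("<II", pe, dirs + 4 * 8)  # IMAGE_DIRECTORY_ENTRY_SECURITY = 4


def analyze_overlay(pe: bytes) -> dict:
    """Summarise the bytes appended after the last section, excluding the signature blob."""
    start = end_of_sections(pe)
    cert_off, cert_size = security_directory(pe)
    # The certificate table lives in the overlay too, but it is not payload:
    # measure entropy only on the bytes before it.
    payload_end = cert_off if cert_size and cert_off >= start else len(pe)
    payload = pe[start:payload_end]
    return {
        "overlay_offset": start,
        "overlay_size": len(pe) - start,
        "payload_size": len(payload),
        "payload_entropy": round(shannon_entropy(payload), 2),
        "looks_like_7z": payload.startswith(SEVEN_ZIP_MAGIC),
        "cert_table_size": cert_size,
    }


def build_test_pe(payload: bytes, cert: bytes = b"") -> bytes:
    """Constructed test fixture: a minimal PE32 with 512-byte headers, one 512-byte
    zero-filled section, an appended payload and an optional fake certificate table."""
    headers_size, section_raw = 0x200, 0x200
    cert_off = headers_size + section_raw + len(payload) if cert else 0
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                         # PE32 magic
    struct.pack_into("<I", opt, 60, headers_size)                  # SizeOfHeaders
    struct.pack_into("<I", opt, 92, 16)                            # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 4 * 8, cert_off, len(cert))  # security directory
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x0102)
    sec = struct.pack("<8sIIIIIIHHI", b".text", section_raw, 0x1000,
                      section_raw, headers_size, 0, 0, 0, 0, 0x60000020)
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                         # e_lfanew
    img = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sec).ljust(headers_size, b"\0")
    return img + bytes(section_raw) + payload + cert


if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as fh:
        print(analyze_overlay(fh.read()))
```

Run it against a real sample with `python overlay.py sample.exe`. An overlay whose payload entropy sits near 8.0 and starts with an archive magic is an installer carrying a compressed bundle; what matters for triage is extracting and inspecting that bundle rather than the stub, since the stub's imports (below) are those of any NSIS-style installer.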
PE imports
RegDeleteKeyA
RegCloseKey
RegSetValueExA
RegQueryValueExA
RegOpenKeyExA
RegEnumValueA
RegCreateKeyExA
SetFileSecurityA
RegEnumKeyA
RegDeleteValueA
ImageList_Create
Ord(17)
ImageList_Destroy
ImageList_AddMasked
GetDeviceCaps
SelectObject
CreateBrushIndirect
CreateFontIndirectA
SetBkMode
SetBkColor
DeleteObject
SetTextColor
GetLastError
ReadFile
lstrlenA
GetFileAttributesA
GlobalFree
WaitForSingleObject
FreeLibrary
CopyFileA
ExitProcess
SetFileTime
GlobalUnlock
RemoveDirectoryA
GetModuleFileNameA
GetShortPathNameA
GetCurrentProcess
LoadLibraryExA
CompareFileTime
GetPrivateProfileStringA
WritePrivateProfileStringA
GetFileSize
lstrcatA
CreateDirectoryA
DeleteFileA
GetWindowsDirectoryA
SetErrorMode
MultiByteToWideChar
ExpandEnvironmentStringsA
GetCommandLineA
GlobalLock
GetFullPathNameA
GetModuleHandleA
GetTempPathA
CreateThread
lstrcmpiA
SetFilePointer
lstrcmpA
FindFirstFileA
WriteFile
CloseHandle
GetTempFileNameA
lstrcpynA
FindNextFileA
GetSystemDirectoryA
GetDiskFreeSpaceA
GetProcAddress
SetFileAttributesA
GetExitCodeProcess
MoveFileA
CreateProcessA
GlobalAlloc
SearchPathA
FindClose
Sleep
CreateFileA
GetTickCount
GetVersion
SetCurrentDirectoryA
MulDiv
SHGetFileInfoA
SHBrowseForFolderA
SHGetSpecialFolderLocation
SHGetPathFromIDListA
ShellExecuteA
SHFileOperationA
EmptyClipboard
GetMessagePos
EndPaint
CharPrevA
EndDialog
DestroyWindow
PostQuitMessage
DefWindowProcA
CreatePopupMenu
SetClassLongA
LoadBitmapA
SetWindowPos
GetSystemMetrics
IsWindow
AppendMenuA
GetWindowRect
DispatchMessageA
ScreenToClient
SetDlgItemTextA
MessageBoxIndirectA
LoadImageA
GetDlgItemTextA
PeekMessageA
SetWindowLongA
IsWindowEnabled
GetSysColor
CheckDlgButton
GetDC
FindWindowExA
SystemParametersInfoA
BeginPaint
GetClassInfoA
wsprintfA
ShowWindow
SetClipboardData
IsWindowVisible
SendMessageA
DialogBoxParamA
GetClientRect
SetTimer
GetDlgItem
SetForegroundWindow
CreateDialogParamA
DrawTextA
EnableMenuItem
RegisterClassA
InvalidateRect
GetWindowLongA
SendMessageTimeoutA
CreateWindowExA
LoadCursorA
TrackPopupMenu
SetWindowTextA
FillRect
CharNextA
CallWindowProcA
GetSystemMenu
EnableWindow
CloseClipboard
SetCursor
ExitWindowsEx
OpenClipboard
_alldiv
_allmul
_allshr
_allshl
_allrem
_aulldiv
OleUninitialize
CoTaskMemFree
OleInitialize
CoCreateInstance
Number of PE resources by type
RT_ICON 8
RT_DIALOG 3
RT_MANIFEST 1
RT_VERSION 1
RT_GROUP_ICON 1
Number of PE resources by language
ENGLISH US 13
CHINESE SIMPLIFIED 1
PE resources
ExifTool file metadata
SubsystemVersion 5.0
LinkerVersion 9.0
ImageVersion 6.0
FileSubtype 0
FileVersionNumber 6.0.0.1
UninitializedDataSize 8192
LanguageCode Chinese (Simplified)
FileFlagsMask 0x0000
CharacterSet Windows, Chinese (Simplified)
InitializedDataSize 263680
EntryPoint 0x331d
OriginalFileName Downloader
MIMEType application/octet-stream
FileVersion 6.0.0.1
TimeStamp 2016:06:20 09:42:23+01:00
FileType Win32 EXE
PEType PE32
ProductVersion 6.0.0.1
FileDescription Downloader
OSVersion 5.0
FileOS Win32
Subsystem Windows GUI
MachineType Intel 386 or later, and compatibles
CodeSize 24576
ProductName Downloader
ProductVersionNumber 6.0.0.1
FileTypeExtension exe
ObjectFileType Executable application
Compressed bundles
File identification
MD5 c91456fcbe1d38b69f6efcd02590feb4
SHA1 7e94298bfd217ee5a51b8a7642d8cb785eb35b47
SHA256 b77020f1ac3b0f803699018b5d6810111455c7cc66a841fc72cacaa8aeb1d4dc
ssdeep 12288:r/qcd+QYWpCvirUDexm1ahlSUQb/molwPoc1HvAQ7gAEXGFL:r/Hd+kcvirUDcIafQVkocpqm
authentihash 24a329e6c52e2943068ac400145aa4cba6f287d47c55ddf52734d76b7ab92014
imphash 470282e4fe2ebbf8acb122584604aac8
File size 704.9 KB ( 721808 bytes )
File type Win32 EXE
Magic literal PE32 executable for MS Windows (GUI) Intel 80386 32-bit
TrID Win32 Executable MS Visual C++ (generic) (42.2%)
Win64 Executable (generic) (37.3%)
Win32 Dynamic Link Library (generic) (8.8%)
Win32 Executable (generic) (6.0%)
Generic Win/DOS Executable (2.7%)
Tags peexe signed overlay
VirusTotal metadata
First submission 2017-02-27 03:11:54 UTC
Last submission 2017-08-27 04:48:20 UTC
File names D3D12.dll@193_401261.exe
setup@899_3037.exe
Word@60_46726.exe
output.111653177.txt
0.3c%E9%94%9F%3F%E9%94%9F%3F)@11_36172.exe
VSODowloader5()v5.0.1.22@177_24753.exe
LeovoM7250@151_9706.exe
MP4RM34.4Build9450@19 2_10860.exe
setup@10_316308.exe
2.3@192_171892.exe
AX88179USB@151_17954.exe
CoolEditPro2.1@193_5043.exe
output.111653680.txt
ImmuetProtect3.1.13.9671@192_64969.exe
excel2007@60_52933.exe
T6HDDIstaller()3.1.4.0@192_90335.exe
PDFBider(PDF)1.2@192_364420.exe
IteretExplorer10(32%E4%BD%8D)@19_343190.exe
2015V5.12.15.1170@11_42194.exe
T6HDDIstaller()3.1.4.0@193_90335.exe
10.9@193_372436.exe
(FixVideo)3.23@192_372918.exe
setup@10_10144.exe
%E7%94%B5%E5%AD%90%E5%8D%B0%E7%AB%A0%E7%94%9F%E6%88%90%E5%99%A8V1.0(%E5%9B%BE%E7%AB%A0%E5%88%B6%E4%BD%9C%E5%B7%A5%E5%85%B7)%E4%B8%AD%E6%96%87%E7%BB%BF%E8%89%B2%E7%89%88@174_2987.exe
USBViewer3.3@192_62899.exe
Condensed report. The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file. The sandbox summary carries the section headings Opened files, Read files, Written files, Deleted files, Created mutexes, Runtime DLLs and UDP communications, but no entries under any of them survive on this page.