SHA256: b77020f1ac3b0f803699018b5d6810111455c7cc66a841fc72cacaa8aeb1d4dc
File name: setup@20_120791.exe
Detection ratio: 48 / 62
Analysis date: 2017-06-24 20:03:33 UTC ( 2 days, 9 hours ago )
Antivirus Result Update
Ad-Aware Trojan.Generic.21511381 20170624
AhnLab-V3 PUP/Win32.Installer.R185010 20170624
ALYac Trojan.Generic.21511381 20170624
Antiy-AVL GrayWare[AdWare]/Win32.PackedNsisMod.o 20170624
Arcabit Trojan.Generic.D1483CD5 20170624
Avast Win32:AdwareSig [Adw] 20170624
AVG Win32:AdwareSig [Adw] 20170624
Avira (no cloud) TR/Dldr.Hafen.uouzd 20170624
AVware Trojan.Win32.Generic!BT 20170624
BitDefender Trojan.Generic.21511381 20170624
CAT-QuickHeal Browsermodifier.Xiazai 20170624
ClamAV Win.Trojan.Siggen-6261194-0 20170624
Comodo UnclassifiedMalware 20170624
CrowdStrike Falcon (ML) malicious_confidence_100% (D) 20170420
Cyren W32/Mikey.U.gen!Eldorado 20170624
DrWeb Trojan.Siggen7.5997 20170624
Emsisoft Trojan.Generic.21511381 (B) 20170624
Endgame malicious (high confidence) 20170615
ESET-NOD32 a variant of Win32/Packed.NSISmod.O suspicious 20170624
F-Prot W32/Mikey.U.gen!Eldorado 20170624
F-Secure Trojan.Generic.21511381 20170624
Fortinet Riskware/NSIS_mod 20170624
GData Trojan.Generic.21511381 20170624
Ikarus PUA.NSISmod 20170624
Invincea heuristic 20170607
K7AntiVirus Unwanted-Program ( 005030f41 ) 20170623
K7GW Unwanted-Program ( 005030f41 ) 20170624
Kaspersky not-a-virus:AdWare.Win32.Agent.kazg 20170624
Malwarebytes PUP.Optional.DownLoadAdmin 20170624
McAfee PUP-FRS 20170624
McAfee-GW-Edition PUP-FRS 20170624
Microsoft BrowserModifier:Win32/Xiazai 20170624
eScan Trojan.Generic.21511381 20170624
NANO-Antivirus Trojan.Win32.Winlock.edusxx 20170624
Palo Alto Networks (Known Signatures) generic.ml 20170624
Panda Trj/Genetic.gen 20170624
SentinelOne (Static ML) static engine - malicious 20170516
Sophos NSIS_mod (PUA) 20170624
Symantec Trojan.Gen.2 20170624
TrendMicro TROJ_GEN.R047C0PBR17 20170624
TrendMicro-HouseCall TROJ_GEN.R047C0PBR17 20170624
VBA32 Downloader.Xiazai 20170623
VIPRE Trojan.Win32.Generic!BT 20170624
ViRobot Adware.Agent.721808 20170624
Webroot W32.Trojan.Gen 20170624
Yandex PUA.Downloader! 20170623
ZoneAlarm by Check Point not-a-virus:HEUR:Downloader.NSIS.Hafen.gen 20170624
Zoner Trojan.Application 20170624
AegisLab 20170623
Alibaba 20170623
Baidu 20170623
Bkav 20170624
CMC 20170619
Jiangmin 20170624
Kingsoft 20170624
nProtect 20170624
Qihoo-360 20170624
Rising 20170624
SUPERAntiSpyware 20170623
Symantec Mobile Insight 20170623
Tencent 20170624
TheHacker 20170623
TotalDefense 20170624
Trustlook 20170624
WhiteArmor 20170616
Zillya 20170623
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
Authenticode signature block and FileVersionInfo properties
Product Downloader
Original name Downloader
File version 6.0.0.1
Description Downloader
Signature verification Signed file, verified signature
Signing date 2:52 AM 2/21/2017
Signers
[+] ????????????????
Status Valid
Issuer Symantec Class 3 SHA256 Code Signing CA
Valid from 1:00 AM 9/19/2016
Valid to 12:59 AM 9/20/2017
Valid usage Code Signing
Algorithm sha256RSA
Thumbprint 7145CF5777CE8FD9C5A001BB18F87F60F071C9E6
Serial number 0A 2A BA 6B 7A 02 E3 C3 73 FD 2C 65 4B 31 1B 19
[+] Symantec Class 3 SHA256 Code Signing CA
Status Valid
Issuer VeriSign Class 3 Public Primary Certification Authority - G5
Valid from 1:00 AM 12/10/2013
Valid to 12:59 AM 12/10/2023
Valid usage Client Auth, Code Signing
Algorithm sha256RSA
Thumbprint 007790F6561DAD89B0BCD85585762495E358F8A5
Serial number 3D 78 D7 F9 76 49 60 B2 61 7D F4 F0 1E CA 86 2A
[+] VeriSign
Status Valid
Issuer VeriSign Class 3 Public Primary Certification Authority - G5
Valid from 1:00 AM 11/8/2006
Valid to 12:59 AM 7/17/2036
Valid usage Server Auth, Client Auth, Email Protection, Code Signing
Algorithm sha1RSA
Thumbprint 4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5
Serial number 18 DA D1 9E 26 7D E8 BB 4A 21 58 CD CC 6B 3B 4A
Counter signers
[+] COMODO SHA-1 Time Stamping Signer
Status Valid
Issuer UTN-USERFirst-Object
Valid from 1:00 AM 12/31/2015
Valid to 7:40 PM 7/9/2019
Valid usage Timestamp Signing
Algorithm sha1RSA
Thumbprint 03A5B14663EB12023091B84A6D6A68BC871DE66B
Serial number 16 88 F0 39 25 5E 63 8E 69 14 39 07 E6 33 0B
[+] USERTrust (Code Signing)
Status Valid
Issuer UTN-USERFirst-Object
Valid from 7:31 PM 7/9/1999
Valid to 7:40 PM 7/9/2019
Valid usage EFS, Timestamp Signing, Code Signing
Algorithm sha1RSA
Thumbprint E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46
Serial number 44 BE 0C 8B 50 00 24 B4 11 D3 36 2D E0 B3 5F 1B
Packers identified
F-PROT 7Z
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2016-06-20 08:42:23
Entry Point 0x0000331D
Number of sections 5
PE sections
Overlays
MD5 6b505ebd11f73b7ce88464461a97a735
File type data
Offset 58880
Size 662928
Entropy 8.00
PE imports
RegDeleteKeyA
RegCloseKey
RegSetValueExA
RegQueryValueExA
RegOpenKeyExA
RegEnumValueA
RegCreateKeyExA
SetFileSecurityA
RegEnumKeyA
RegDeleteValueA
ImageList_Create
Ord(17)
ImageList_Destroy
ImageList_AddMasked
GetDeviceCaps
SelectObject
CreateBrushIndirect
CreateFontIndirectA
SetBkMode
SetBkColor
DeleteObject
SetTextColor
GetLastError
ReadFile
lstrlenA
GetFileAttributesA
GlobalFree
WaitForSingleObject
FreeLibrary
CopyFileA
ExitProcess
SetFileTime
GlobalUnlock
RemoveDirectoryA
GetModuleFileNameA
GetShortPathNameA
GetCurrentProcess
LoadLibraryExA
CompareFileTime
GetPrivateProfileStringA
WritePrivateProfileStringA
GetFileSize
lstrcatA
CreateDirectoryA
DeleteFileA
GetWindowsDirectoryA
SetErrorMode
MultiByteToWideChar
ExpandEnvironmentStringsA
GetCommandLineA
GlobalLock
GetFullPathNameA
GetModuleHandleA
GetTempPathA
CreateThread
lstrcmpiA
SetFilePointer
lstrcmpA
FindFirstFileA
WriteFile
CloseHandle
GetTempFileNameA
lstrcpynA
FindNextFileA
GetSystemDirectoryA
GetDiskFreeSpaceA
GetProcAddress
SetFileAttributesA
GetExitCodeProcess
MoveFileA
CreateProcessA
GlobalAlloc
SearchPathA
FindClose
Sleep
CreateFileA
GetTickCount
GetVersion
SetCurrentDirectoryA
MulDiv
SHGetFileInfoA
SHBrowseForFolderA
SHGetSpecialFolderLocation
SHGetPathFromIDListA
ShellExecuteA
SHFileOperationA
EmptyClipboard
GetMessagePos
EndPaint
CharPrevA
EndDialog
DestroyWindow
PostQuitMessage
DefWindowProcA
CreatePopupMenu
SetClassLongA
LoadBitmapA
SetWindowPos
GetSystemMetrics
IsWindow
AppendMenuA
GetWindowRect
DispatchMessageA
ScreenToClient
SetDlgItemTextA
MessageBoxIndirectA
LoadImageA
GetDlgItemTextA
PeekMessageA
SetWindowLongA
IsWindowEnabled
GetSysColor
CheckDlgButton
GetDC
FindWindowExA
SystemParametersInfoA
BeginPaint
GetClassInfoA
wsprintfA
ShowWindow
SetClipboardData
IsWindowVisible
SendMessageA
DialogBoxParamA
GetClientRect
SetTimer
GetDlgItem
SetForegroundWindow
CreateDialogParamA
DrawTextA
EnableMenuItem
RegisterClassA
InvalidateRect
GetWindowLongA
SendMessageTimeoutA
CreateWindowExA
LoadCursorA
TrackPopupMenu
SetWindowTextA
FillRect
CharNextA
CallWindowProcA
GetSystemMenu
EnableWindow
CloseClipboard
SetCursor
ExitWindowsEx
OpenClipboard
_alldiv
_allmul
_allshr
_allshl
_allrem
_aulldiv
OleUninitialize
CoTaskMemFree
OleInitialize
CoCreateInstance
Number of PE resources by type
RT_ICON 8
RT_DIALOG 3
RT_MANIFEST 1
RT_VERSION 1
RT_GROUP_ICON 1
Number of PE resources by language
ENGLISH US 13
CHINESE SIMPLIFIED 1
PE resources
ExifTool file metadata
SubsystemVersion 5.0
LinkerVersion 9.0
ImageVersion 6.0
FileSubtype 0
FileVersionNumber 6.0.0.1
UninitializedDataSize 8192
LanguageCode Chinese (Simplified)
FileFlagsMask 0x0000
CharacterSet Windows, Chinese (Simplified)
InitializedDataSize 263680
EntryPoint 0x331d
OriginalFileName Downloader
MIMEType application/octet-stream
FileVersion 6.0.0.1
TimeStamp 2016:06:20 09:42:23+01:00
FileType Win32 EXE
PEType PE32
ProductVersion 6.0.0.1
FileDescription Downloader
OSVersion 5.0
FileOS Win32
Subsystem Windows GUI
MachineType Intel 386 or later, and compatibles
CodeSize 24576
ProductName Downloader
ProductVersionNumber 6.0.0.1
FileTypeExtension exe
ObjectFileType Executable application
Compressed bundles
File identification
MD5 c91456fcbe1d38b69f6efcd02590feb4
SHA1 7e94298bfd217ee5a51b8a7642d8cb785eb35b47
SHA256 b77020f1ac3b0f803699018b5d6810111455c7cc66a841fc72cacaa8aeb1d4dc
ssdeep 12288:r/qcd+QYWpCvirUDexm1ahlSUQb/molwPoc1HvAQ7gAEXGFL:r/Hd+kcvirUDcIafQVkocpqm
authentihash 24a329e6c52e2943068ac400145aa4cba6f287d47c55ddf52734d76b7ab92014
imphash 470282e4fe2ebbf8acb122584604aac8
File size 704.9 KB ( 721808 bytes )
File type Win32 EXE
Magic literal PE32 executable for MS Windows (GUI) Intel 80386 32-bit
TrID Win32 Executable MS Visual C++ (generic) (42.2%)
Win64 Executable (generic) (37.3%)
Win32 Dynamic Link Library (generic) (8.8%)
Win32 Executable (generic) (6.0%)
Generic Win/DOS Executable (2.7%)
Tags peexe signed overlay
VirusTotal metadata
First submission 2017-02-27 03:11:54 UTC ( 4 months ago )
Last submission 2017-06-24 20:03:33 UTC ( 2 days, 9 hours ago )
File names D3D12.dll@193_401261.exe
LeovoM7250@151_9706.exe
Word@60_46726.exe
11@129_2054.exe
VSODowloader5()v5.0.1.22@177_24753.exe
setup@899_3037.exe
iSpeak@60_47654.exe
setup@10_316308.exe
2.3@192_171892.exe
PDFBider@87_23410.exe
AX88179USB@151_17954.exe
powerpoit2013@176_36156.exe
ImmuetProtect3.1.13.9671@192_64969.exe
RaySource(RayFile)2.4.0.3@193_62391.exe
ADSLv4.93@24_45993.exe
T6HDDIstaller()3.1.4.0@192_90335.exe
PDFBider(PDF)1.2@192_364420.exe
(GoogleEarth)7.1.8.3036@193_10745.exe
360wifi@195_33131.exe
SopCast4.2.0@192_459612.exe
T6HDDIstaller()3.1.4.0@193_90335.exe
10.9@193_372436.exe
(FixVideo)3.23@192_372918.exe
Xshell(SSH)V5.0.1060@31_1670.exe
PPT@148_b12345.exe
Condensed report! The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.
Opened files
Read files
Written files
Deleted files
Created mutexes
Runtime DLLs
UDP communications