× Cookies are disabled! This site requires cookies to be enabled to work properly
SHA256: bbe55148946af2f198c1c967de23e3a82c0aacf64d871bc926895ef6c92cf32a
File name: safe-saver.exe
Detection ratio: 12 / 56
Analysis date: 2015-10-27 16:20:12 UTC ( 9 months ago )
Antivirus Result Update
AVG MultiBundle.N 20151027
Yandex Riskware.VMDetector! 20151026
AhnLab-V3 Win-PUP/CrossRider 20151027
Bkav W32.HfsAdware.A7F9 20151027
CAT-QuickHeal PUA.Brightcirc1.Gen 20151027
Comodo Heur.Suspicious 20151027
DrWeb Trojan.Crossrider1.23864 20151027
ESET-NOD32 Win32/Packed.ScrambleWrapper.C potentially unwanted 20151027
Malwarebytes PUP.Optional.CrossRider 20151027
McAfee Artemis!A9198D21F5DA 20151027
McAfee-GW-Edition Artemis 20151027
NANO-Antivirus Trojan.Win32.Crossrider.dgkokp 20151027
ALYac 20151027
AVware 20151027
Ad-Aware 20151027
AegisLab 20151027
Alibaba 20151027
Antiy-AVL 20151027
Arcabit 20151027
Avast 20151027
Avira (no cloud) 20151027
Baidu-International 20151027
BitDefender 20151027
ByteHero 20151027
CMC 20151026
ClamAV 20151027
Cyren 20151027
Emsisoft 20151027
F-Prot 20151027
F-Secure 20151027
Fortinet 20151027
GData 20151027
Ikarus 20151027
Jiangmin 20151026
K7AntiVirus 20151027
K7GW 20151027
Kaspersky 20151027
eScan 20151027
Microsoft 20151027
Panda 20151027
Qihoo-360 20151027
Rising 20151026
SUPERAntiSpyware 20151027
Sophos 20151027
Symantec 20151026
Tencent 20151027
TheHacker 20151026
TotalDefense 20151027
TrendMicro 20151027
TrendMicro-HouseCall 20151027
VBA32 20151027
VIPRE 20151027
ViRobot 20151027
Zillya 20151027
Zoner 20151027
nProtect 20151027
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
Authenticode signature block and FileVersionInfo properties
Copyright
Mxbrwkscfzbde

Publisher Brightcircle Investments Limited
Product Haywpey
File version 1.1.1.1
Description Xxnteoqar
Signature verification Signed file, verified signature
Signers
[+] Brightcircle Investments Limited
Status Valid
Issuer None
Valid from 2:33 PM 3/8/2013
Valid to 2:33 PM 3/8/2016
Valid usage Code Signing
Algorithm SHA1
Thumbprint DBD0F7B4E369AA0E616E644A13B3BE650B8E8221
Serial number 04 7F 36 48 3D C8 4C
[+] Go Daddy Secure Certification Authority
Status Valid
Issuer None
Valid from 2:54 AM 11/16/2006
Valid to 2:54 AM 11/16/2026
Valid usage All
Algorithm SHA1
Thumbprint 7C4656C3061F7F4C0D67B319A855F60EBC11FC44
Serial number 03 01
[+] Go Daddy Class 2 Certification Authority
Status Valid
Issuer None
Valid from 6:06 PM 6/29/2004
Valid to 6:06 PM 6/29/2034
Valid usage Server Auth, Client Auth, Email Protection, Code Signing
Algorithm SHA1
Thumbprint 2796BAE63F1801E277261BA0D77770028F20EEE4
Serial number 00
Packers identified
F-PROT NSIS
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2010-01-05 12:09:32
Entry Point 0x00004044
Number of sections 7
PE sections
Overlays
MD5 c760232870acdad61bba265868310123
File type data
Offset 62464
Size 4874520
Entropy 8.00
PE imports
RegDeleteKeyA
RegCloseKey
RegSetValueExA
RegQueryValueExA
RegOpenKeyExA
RegDeleteValueA
RegCreateKeyExA
RegEnumKeyA
RegEnumValueA
ImageList_Create
InitCommonControls
ImageList_Destroy
ImageList_AddMasked
GetDeviceCaps
SelectObject
CreateBrushIndirect
CreateFontIndirectA
SetBkMode
SetBkColor
DeleteObject
SetTextColor
GetLastError
ReadFile
lstrlenA
GetFileAttributesA
GlobalFree
WaitForSingleObject
GetExitCodeProcess
CopyFileA
ExitProcess
SetFileTime
GlobalUnlock
GetModuleFileNameA
LoadLibraryA
GetShortPathNameA
GetCurrentProcess
LoadLibraryExA
CompareFileTime
GetPrivateProfileStringA
WritePrivateProfileStringA
GetFileSize
lstrcatA
CreateDirectoryA
DeleteFileA
GetWindowsDirectoryA
SetErrorMode
MultiByteToWideChar
GetCommandLineA
GetProcAddress
SetFileAttributesA
SetFilePointer
GetTempPathA
CreateThread
lstrcmpiA
GetModuleHandleA
lstrcmpA
FindFirstFileA
WriteFile
CloseHandle
GetTempFileNameA
lstrcpynA
FindNextFileA
RemoveDirectoryA
GetSystemDirectoryA
GetDiskFreeSpaceA
ExpandEnvironmentStringsA
GetFullPathNameA
FreeLibrary
MoveFileA
CreateProcessA
GlobalAlloc
GlobalLock
SearchPathA
FindClose
Sleep
CreateFileA
GetTickCount
GetVersion
SetCurrentDirectoryA
MulDiv
CoTaskMemFree
OleUninitialize
CoCreateInstance
OleInitialize
SHGetFileInfoA
SHGetSpecialFolderLocation
SHBrowseForFolderA
SHGetPathFromIDListA
ShellExecuteA
SHFileOperationA
CharPrevA
GetMessagePos
EmptyClipboard
EndDialog
BeginPaint
PostQuitMessage
DefWindowProcA
GetClassInfoA
SetClassLongA
LoadBitmapA
SetWindowPos
GetSystemMetrics
IsWindow
AppendMenuA
GetWindowRect
DispatchMessageA
EnableWindow
SetDlgItemTextA
MessageBoxIndirectA
LoadImageA
GetDlgItemTextA
ScreenToClient
PeekMessageA
SetWindowLongA
DialogBoxParamA
GetSysColor
CheckDlgButton
GetDC
DrawTextA
SystemParametersInfoA
CreatePopupMenu
wsprintfA
ShowWindow
SetClipboardData
IsWindowVisible
SendMessageA
IsWindowEnabled
GetClientRect
SetTimer
GetDlgItem
SetForegroundWindow
CreateDialogParamA
SetCursor
EnableMenuItem
RegisterClassA
InvalidateRect
GetWindowLongA
FindWindowExA
CreateWindowExA
LoadCursorA
TrackPopupMenu
SetWindowTextA
FillRect
SendMessageTimeoutA
CharNextA
CallWindowProcA
GetSystemMenu
EndPaint
CloseClipboard
OpenClipboard
ExitWindowsEx
DestroyWindow
GetFileVersionInfoSizeA
GetFileVersionInfoA
VerQueryValueA
Number of PE resources by type
RT_ICON 7
RT_DIALOG 3
RT_GROUP_ICON 1
RT_VERSION 1
RT_MANIFEST 1
Number of PE resources by language
ENGLISH US 13
ExifTool file metadata
SubsystemVersion
4.0

InitializedDataSize
14848

ImageVersion
6.0

ProductName
Haywpey

FileVersionNumber
1.1.1.1

UninitializedDataSize
110592

LanguageCode
English (U.S.)

FileFlagsMask
0x0000

CharacterSet
ASCII

LinkerVersion
2.56

FileTypeExtension
exe

MIMEType
application/octet-stream

Subsystem
Windows GUI

FileVersion
1.1.1.1

TimeStamp
2010:01:05 13:09:32+01:00

FileType
Win32 EXE

PEType
PE32

FileDescription
Xxnteoqar

OSVersion
4.0

FileOS
Win32

LegalCopyright
Mxbrwkscfzbde

MachineType
Intel 386 or later, and compatibles

CompanyName
Xseeobiicmf

CodeSize
33792

FileSubtype
0

ProductVersionNumber
1.1.1.1

EntryPoint
0x4044

ObjectFileType
Executable application

File identification
MD5 a9198d21f5dacafa274b14dca257ea12
SHA1 977c522b3668f9c4a3ae4d80a4c332ac699fc4d4
SHA256 bbe55148946af2f198c1c967de23e3a82c0aacf64d871bc926895ef6c92cf32a
ssdeep
98304:3X0zI7OnFL+CideDhdbeNm/I3WJpJZ8LQPA+9Hpc0O8bu:H0cKfidsZLAGULiHjOH

authentihash a80496d2e88a09cee9294ead1135400e8a9f3254d699ebe925e422463749bcad
imphash 28a099a911237a28521d8b7ea250f089
File size 4.7 MB ( 4936984 bytes )
File type Win32 EXE
Magic literal
PE32 executable for MS Windows (GUI) Intel 80386 32-bit

TrID NSIS - Nullsoft Scriptable Install System (91.9%)
Win32 Executable MS Visual C++ (generic) (3.3%)
Win64 Executable (generic) (3.0%)
Win32 Dynamic Link Library (generic) (0.7%)
Win32 Executable (generic) (0.4%)
Tags
nsis peexe signed overlay

VirusTotal metadata
First submission 2013-06-13 04:13:05 UTC ( 3 years, 1 month ago )
Last submission 2014-05-09 14:20:26 UTC ( 2 years, 2 months ago )
File names safe-saver.exe
vt-upload-4t377
safe-saver.exe
No comments. No VirusTotal Community member has commented on this item yet, be the first one to do so!

Leave your comment...

?
Post comment

You have not signed in. Only registered users can leave comments, sign in and have a voice!

No votes. No one has voted on this item yet, be the first one to do so!
Condensed report! The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.
Opened files
Read files
Written files
Copied files
Moved files
Deleted files
Set keys
Created processes
Code injections in the following processes
Created mutexes
Opened mutexes
Opened service managers
Opened services
Runtime DLLs
Additional details
The file uses the IsDebuggerPresent Windows API function in order to see whether it is being debugged.
The file sends control codes directly to certain device drivers making use of the DeviceIoControl Windows API function.
HTTP requests
DNS requests
TCP connections
UDP communications