× Cookies are disabled! This site requires cookies to be enabled to work properly
SHA256: bbe55148946af2f198c1c967de23e3a82c0aacf64d871bc926895ef6c92cf32a
File name: safe-saver.exe
Detection ratio: 6 / 51
Analysis date: 2014-05-09 14:20:26 UTC ( 1 year ago )
Antivirus Result Update
AVG MultiBundle.N 20140509
Agnitum Riskware.VMDetector! 20140508
Comodo Heur.Suspicious 20140509
DrWeb Trojan.Crossrider.9 20140509
ESET-NOD32 Win32/Packed.ScrambleWrapper.C 20140509
Malwarebytes PUP.Optional.CrossRider 20140509
Ad-Aware 20140509
AegisLab 20140509
AhnLab-V3 20140509
AntiVir 20140509
Antiy-AVL 20140509
Avast 20140509
Baidu-International 20140509
BitDefender 20140509
Bkav 20140509
ByteHero 20140509
CAT-QuickHeal 20140508
CMC 20140506
ClamAV 20140509
Emsisoft 20140509
F-Prot 20140509
F-Secure 20140509
Fortinet 20140509
GData 20140509
Ikarus 20140509
Jiangmin 20140509
K7AntiVirus 20140509
K7GW 20140509
Kaspersky 20140509
Kingsoft 20140509
McAfee 20140509
McAfee-GW-Edition 20140508
MicroWorld-eScan 20140509
Microsoft 20140509
NANO-Antivirus 20140509
Norman 20140509
Panda 20140509
Qihoo-360 20140509
Rising 20140507
SUPERAntiSpyware 20140509
Sophos 20140509
Symantec 20140509
TheHacker 20140508
TotalDefense 20140509
TrendMicro 20140509
TrendMicro-HouseCall 20140509
VBA32 20140507
VIPRE 20140509
ViRobot 20140509
Zillya 20140509
nProtect 20140509
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
Authenticode signature block
Copyright
Mxbrwkscfzbde

Publisher Brightcircle Investments Limited
Product Haywpey
File version 1.1.1.1
Description Xxnteoqar
Signature verification Signed file, verified signature
Signers
[+] Brightcircle Investments Limited
Status Valid
Valid from 2:33 PM 3/8/2013
Valid to 2:33 PM 3/8/2016
Valid usage Code Signing
Algorithm SHA1
Thumbprint DBD0F7B4E369AA0E616E644A13B3BE650B8E8221
Serial number 04 7F 36 48 3D C8 4C
[+] Go Daddy Secure Certification Authority
Status Valid
Valid from 2:54 AM 11/16/2006
Valid to 2:54 AM 11/16/2026
Valid usage All
Algorithm SHA1
Thumbprint 7C4656C3061F7F4C0D67B319A855F60EBC11FC44
Serial number 03 01
[+] Go Daddy Class 2 Certification Authority
Status Valid
Valid from 6:06 PM 6/29/2004
Valid to 6:06 PM 6/29/2034
Valid usage Server Auth, Client Auth, Email Protection, Code Signing
Algorithm SHA1
Thumbprint 2796BAE63F1801E277261BA0D77770028F20EEE4
Serial number 00
Packers identified
F-PROT NSIS, NSIS, NSIS, NSIS, NSIS, NSIS
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2010-01-05 12:09:32
Entry Point 0x00004044
Number of sections 7
PE sections
PE imports
RegDeleteKeyA
RegCloseKey
RegSetValueExA
RegQueryValueExA
RegOpenKeyExA
RegDeleteValueA
RegCreateKeyExA
RegEnumKeyA
RegEnumValueA
ImageList_Create
InitCommonControls
ImageList_Destroy
ImageList_AddMasked
GetDeviceCaps
SelectObject
CreateBrushIndirect
CreateFontIndirectA
SetBkMode
SetBkColor
DeleteObject
SetTextColor
GetLastError
ReadFile
lstrlenA
GetFileAttributesA
GlobalFree
WaitForSingleObject
GetExitCodeProcess
CopyFileA
ExitProcess
SetFileTime
GlobalUnlock
GetModuleFileNameA
LoadLibraryA
GetShortPathNameA
GetCurrentProcess
LoadLibraryExA
CompareFileTime
GetPrivateProfileStringA
WritePrivateProfileStringA
GetFileSize
lstrcatA
CreateDirectoryA
DeleteFileA
GetWindowsDirectoryA
SetErrorMode
MultiByteToWideChar
GetCommandLineA
GetProcAddress
SetFileAttributesA
SetFilePointer
GetTempPathA
CreateThread
lstrcmpiA
GetModuleHandleA
lstrcmpA
FindFirstFileA
WriteFile
CloseHandle
GetTempFileNameA
lstrcpynA
FindNextFileA
RemoveDirectoryA
GetSystemDirectoryA
GetDiskFreeSpaceA
ExpandEnvironmentStringsA
GetFullPathNameA
FreeLibrary
MoveFileA
CreateProcessA
GlobalAlloc
GlobalLock
SearchPathA
FindClose
Sleep
CreateFileA
GetTickCount
GetVersion
SetCurrentDirectoryA
MulDiv
CoTaskMemFree
OleUninitialize
CoCreateInstance
OleInitialize
SHGetFileInfoA
SHGetSpecialFolderLocation
SHBrowseForFolderA
SHGetPathFromIDListA
ShellExecuteA
SHFileOperationA
CharPrevA
GetMessagePos
EmptyClipboard
EndDialog
BeginPaint
PostQuitMessage
DefWindowProcA
GetClassInfoA
SetClassLongA
LoadBitmapA
SetWindowPos
GetSystemMetrics
IsWindow
AppendMenuA
GetWindowRect
DispatchMessageA
EnableWindow
SetDlgItemTextA
MessageBoxIndirectA
LoadImageA
GetDlgItemTextA
ScreenToClient
PeekMessageA
SetWindowLongA
DialogBoxParamA
GetSysColor
CheckDlgButton
GetDC
DrawTextA
SystemParametersInfoA
CreatePopupMenu
wsprintfA
ShowWindow
SetClipboardData
IsWindowVisible
SendMessageA
IsWindowEnabled
GetClientRect
SetTimer
GetDlgItem
SetForegroundWindow
CreateDialogParamA
SetCursor
EnableMenuItem
RegisterClassA
InvalidateRect
GetWindowLongA
FindWindowExA
CreateWindowExA
LoadCursorA
TrackPopupMenu
SetWindowTextA
FillRect
SendMessageTimeoutA
CharNextA
CallWindowProcA
GetSystemMenu
EndPaint
CloseClipboard
OpenClipboard
ExitWindowsEx
DestroyWindow
GetFileVersionInfoSizeA
GetFileVersionInfoA
VerQueryValueA
Number of PE resources by type
RT_ICON 7
RT_DIALOG 3
RT_GROUP_ICON 1
RT_VERSION 1
RT_MANIFEST 1
Number of PE resources by language
ENGLISH US 13
ExifTool file metadata
SubsystemVersion
4.0

LinkerVersion
2.56

ImageVersion
6.0

FileSubtype
0

FileVersionNumber
1.1.1.1

UninitializedDataSize
110592

LanguageCode
English (U.S.)

FileFlagsMask
0x0000

CharacterSet
ASCII

InitializedDataSize
14848

MIMEType
application/octet-stream

LegalCopyright
Mxbrwkscfzbde

FileVersion
1.1.1.1

TimeStamp
2010:01:05 13:09:32+01:00

FileType
Win32 EXE

PEType
PE32

FileAccessDate
2014:05:09 15:16:48+01:00

FileDescription
Xxnteoqar

OSVersion
4.0

FileCreateDate
2014:05:09 15:16:48+01:00

FileOS
Win32

Subsystem
Windows GUI

MachineType
Intel 386 or later, and compatibles

CompanyName
Xseeobiicmf

CodeSize
33792

ProductName
Haywpey

ProductVersionNumber
1.1.1.1

EntryPoint
0x4044

ObjectFileType
Executable application

File identification
MD5 a9198d21f5dacafa274b14dca257ea12
SHA1 977c522b3668f9c4a3ae4d80a4c332ac699fc4d4
SHA256 bbe55148946af2f198c1c967de23e3a82c0aacf64d871bc926895ef6c92cf32a
ssdeep
98304:3X0zI7OnFL+CideDhdbeNm/I3WJpJZ8LQPA+9Hpc0O8bu:H0cKfidsZLAGULiHjOH

imphash 28a099a911237a28521d8b7ea250f089
File size 4.7 MB ( 4936984 bytes )
File type Win32 EXE
Magic literal
PE32 executable for MS Windows (GUI) Intel 80386 32-bit

TrID NSIS - Nullsoft Scriptable Install System (91.9%)
Win32 Executable MS Visual C++ (generic) (3.3%)
Win64 Executable (generic) (3.0%)
Win32 Dynamic Link Library (generic) (0.7%)
Win32 Executable (generic) (0.4%)
Tags
nsis peexe signed

VirusTotal metadata
First submission 2013-06-13 04:13:05 UTC ( 1 year, 11 months ago )
Last submission 2014-05-09 14:20:26 UTC ( 1 year ago )
File names vt-upload-4t377
safe-saver.exe
No comments. No VirusTotal Community member has commented on this item yet, be the first one to do so!

Leave your comment...

?
Post comment

You have not signed in. Only registered users can leave comments, sign in and have a voice!

No votes. No one has voted on this item yet, be the first one to do so!
Condensed report! The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.
Opened files
Read files
Written files
Copied files
Moved files
Deleted files
Set keys
Created processes
Code injections in the following processes
Created mutexes
Opened mutexes
Opened service managers
Opened services
Runtime DLLs
Additional details
The file uses the IsDebuggerPresent Windows API function in order to see whether it is being debugged.
The file sends control codes directly to certain device drivers making use of the DeviceIoControl Windows API function.
HTTP requests
DNS requests
TCP connections
UDP communications