SHA256: bf654c79dd74c9cb58cf6325bae285f0d477ba31fd0985db250ef58a5ec61ae6
File name: btballoon
Detection ratio: 0 / 54
Analysis date: 2014-11-02 19:58:44 UTC (4 years, 6 months ago)
Antivirus Result Update
Ad-Aware 20141102
AegisLab 20141102
Yandex 20141102
AhnLab-V3 20141102
Antiy-AVL 20141102
Avast 20141102
AVG 20141102
Avira (no cloud) 20141102
AVware 20141031
Baidu-International 20141031
BitDefender 20141102
Bkav 20141027
ByteHero 20141102
CAT-QuickHeal 20141101
ClamAV 20141102
CMC 20141102
Comodo 20141102
Cyren 20141102
DrWeb 20141102
Emsisoft 20141102
ESET-NOD32 20141102
F-Prot 20141031
F-Secure 20141102
Fortinet 20141102
GData 20141102
Ikarus 20141102
Jiangmin 20141101
K7AntiVirus 20141031
K7GW 20141031
Kaspersky 20141102
Kingsoft 20141102
Malwarebytes 20141102
McAfee 20141102
McAfee-GW-Edition 20141102
Microsoft 20141102
eScan 20141101
NANO-Antivirus 20141102
Norman 20141102
nProtect 20141031
Qihoo-360 20141102
Rising 20141102
Sophos AV 20141031
SUPERAntiSpyware 20141101
Symantec 20141102
Tencent 20141102
TheHacker 20141102
TotalDefense 20141102
TrendMicro 20141102
TrendMicro-HouseCall 20141102
VBA32 20141031
VIPRE 20141102
ViRobot 20141102
Zillya 20141101
Zoner 20141031
The file being studied is a Portable Executable file! More specifically, it is a Win32 DLL file for the Windows GUI subsystem.
Authenticode signature block and FileVersionInfo properties
Copyright
Copyright 2000-2008, Broadcom Corporation.

Publisher Broadcom Corporation
Product Bluetooth Software
Original name BtBalloon.dll
Internal name btballoon
File version 5.6.0.6500
Description Balloon Tooltip Routine DLL
Signature verification A certificate was explicitly revoked by its issuer.
Signers
[+] Broadcom Corporation
Status A certificate was explicitly revoked by its issuer.
Issuer None
Valid from 1:00 AM 2/27/2009
Valid to 12:59 AM 4/21/2012
Valid usage Code Signing
Algorithm SHA1
Thumbprint D1E1DF6516A9912556F3E471B431916D03944D0D
Serial number 3A 8E 49 11 EA 41 4D E5 37 BC EE 2A AA B7 4F C7
[+] VeriSign Class 3 Code Signing 2004 CA
Status Certificate out of its validity period
Issuer None
Valid from 1:00 AM 7/16/2004
Valid to 12:59 AM 7/16/2014
Valid usage Client Auth, Code Signing
Algorithm SHA1
Thumbprint 197A4AEBDB25F0170079BB8C73CB2D655E0018A4
Serial number 41 91 A1 5A 39 78 DF CF 49 65 66 38 1D 4C 75 C2
[+] VeriSign Class 3 Public Primary CA
Status Valid
Issuer None
Valid from 1:00 AM 1/29/1996
Valid to 12:59 AM 8/2/2028
Valid usage Email Protection, Client Auth, Code Signing, Server Auth
Algorithm MD2
Thumbprint 742C3192E607E424EB4549542BE1BBC53E6174E2
Serial number 70 BA E4 1D 10 D9 29 34 B6 38 CA 7B 03 CC BA BF
Counter signers
[+] VeriSign Time Stamping Services Signer - G2
Status Certificate out of its validity period
Issuer None
Valid from 1:00 AM 6/15/2007
Valid to 12:59 AM 6/15/2012
Valid usage Timestamp Signing
Algorithm SHA1
Thumbprint ADA8AAA643FF7DC38DD40FA4C97AD559FF4846DE
Serial number 38 25 D7 FA F8 61 AF 9E F4 90 E7 26 B5 D6 5A D5
[+] VeriSign Time Stamping Services CA
Status Certificate out of its validity period
Issuer None
Valid from 1:00 AM 12/4/2003
Valid to 12:59 AM 12/4/2013
Valid usage Timestamp Signing
Algorithm SHA1
Thumbprint F46AC0C6EFBB8C6A14F55F09E2D37DF4C0DE012D
Serial number 47 BF 19 95 DF 8D 52 46 43 F7 DB 6D 48 0D 31 A4
[+] Thawte Timestamping CA
Status Valid
Issuer None
Valid from 1:00 AM 1/1/1997
Valid to 12:59 AM 1/1/2021
Valid usage Timestamp Signing
Algorithm MD5
Thumbprint BE36A4562FB2EE05DBB3D32323ADF445084ED656
Serial number 00
Packers identified
PEiD Armadillo v1.xx - v2.xx
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2010-12-10 02:10:53
Entry Point 0x00001E9C
Number of sections 5
PE sections
PE imports
GetDeviceCaps
GetCurrentObject
CreatePolygonRgn
CreateRectRgn
FrameRgn
SetBkMode
CreateFontA
CreateFontIndirectA
CreateSolidBrush
CombineRgn
SelectObject
CreateRoundRectRgn
DeleteObject
GetLastError
HeapFree
GetStdHandle
EnterCriticalSection
LCMapStringW
SetHandleCount
GetOEMCP
LCMapStringA
HeapDestroy
HeapAlloc
IsBadWritePtr
TlsAlloc
GetEnvironmentStringsW
GetModuleFileNameA
RtlUnwind
LoadLibraryA
FreeEnvironmentStringsA
DeleteCriticalSection
GetStartupInfoA
GetEnvironmentStrings
GetCPInfo
UnhandledExceptionFilter
MultiByteToWideChar
FatalAppExitA
FreeEnvironmentStringsW
GetCommandLineA
GetProcAddress
TlsFree
GetCurrentThread
WideCharToMultiByte
GetStringTypeA
WriteFile
GetCurrentProcess
GetACP
HeapReAlloc
GetStringTypeW
GetVersion
TerminateProcess
InitializeCriticalSection
HeapCreate
VirtualFree
TlsGetValue
GetFileType
TlsSetValue
ExitProcess
GetCurrentThreadId
GetProcessHeap
VirtualAlloc
SetLastError
LeaveCriticalSection
SHAppBarMessage
RegisterClassA
SetWindowRgn
UpdateWindow
BeginPaint
DefWindowProcA
ShowWindow
SetWindowPos
EndPaint
PostMessageA
MoveWindow
SetWindowLongA
GetDC
SystemParametersInfoA
DrawIconEx
SendMessageA
GetClientRect
SetTimer
ScreenToClient
GetWindowLongA
FindWindowExA
CreateWindowExA
LoadIconA
DrawTextA
GetClassNameA
ReleaseDC
SetForegroundWindow
InvalidateRgn
DestroyWindow
PE exports
Number of PE resources by type
RT_VERSION 1
Number of PE resources by language
ENGLISH US 1
PE resources
ExifTool file metadata
SubsystemVersion 4.0
LinkerVersion 6.0
ImageVersion 0.0
FileSubtype 0
FileVersionNumber 5.6.0.6500
UninitializedDataSize 0
LanguageCode English (U.S.)
FileFlagsMask 0x003f
CharacterSet Unicode
InitializedDataSize 16384
FileOS Win32
MIMEType application/octet-stream
LegalCopyright Copyright 2000-2008, Broadcom Corporation.
FileVersion 5.6.0.6500
TimeStamp 2010:12:10 03:10:53+01:00
FileType Win32 DLL
PEType PE32
InternalName btballoon
FileAccessDate 2014:11:02 21:00:40+01:00
ProductVersion 5.6.0.6500
FileDescription Balloon Tooltip Routine DLL
OSVersion 4.0
FileCreateDate 2014:11:02 21:00:40+01:00
OriginalFilename BtBalloon.dll
Subsystem Windows GUI
MachineType Intel 386 or later, and compatibles
CompanyName Broadcom Corporation.
CodeSize 20480
ProductName Bluetooth Software
ProductVersionNumber 5.6.0.6500
EntryPoint 0x1e9c
ObjectFileType Dynamic link library

CarbonBlack
While monitoring an end-user machine in the wild, CarbonBlack observed the following executing files write this sample to disk.
File identification
MD5 eaf4e898e55bd9b20633cf0696cb7d37
SHA1 a4a73a437c8cca830f279f8e32387176a355b73b
SHA256 bf654c79dd74c9cb58cf6325bae285f0d477ba31fd0985db250ef58a5ec61ae6
ssdeep 768:qZ0H9GKT78LXFyJyyhjEUj/xWZtqoLsbJ:HUKT78LXFJ8j5OMoMJ
authentihash fb2d38636bd372ae311c7e02f6e7fc2d78e0907ebb14a9d5ae1b02e90b489607
imphash e1323626f448bafa42430c06c9e7baf9
File size 45.3 KB ( 46416 bytes )
File type Win32 DLL
Magic literal PE32 executable for MS Windows (DLL) (GUI) Intel 80386 32-bit
TrID Win32 Executable MS Visual C++ (generic) (67.3%)
Win32 Dynamic Link Library (generic) (14.2%)
Win32 Executable (generic) (9.7%)
Generic Win/DOS Executable (4.3%)
DOS Executable Generic (4.3%)
Tags armadillo pedll signed

VirusTotal metadata
First submission 2011-01-01 07:32:17 UTC (8 years, 4 months ago)
Last submission 2011-01-01 07:32:17 UTC (8 years, 4 months ago)
File names btballoon
BtBalloon.dll
BtBalloon.dll
bballoon.dll
2CBE33EA50204D0AB56A0031CA936D00FD3F0BD6.dll