SHA256: cd56643dc3a657ad83b8edbe9f607a572643db0d7ea7376bb86b569c38f82cee
File name: SetupVCD5500.exe
Detection ratio: 0 / 68
Analysis date: 2018-12-12 19:40:57 UTC ( 3 months ago )
Antivirus Result Update (no engine reported a detection, so the Result column is empty for every row)
Ad-Aware 20181212
AegisLab 20181212
AhnLab-V3 20181212
Alibaba 20180921
ALYac 20181212
Antiy-AVL 20181212
Arcabit 20181212
Avast 20181212
Avast-Mobile 20181212
AVG 20181212
Avira (no cloud) 20181212
Babable 20180918
Baidu 20181207
BitDefender 20181212
Bkav 20181212
CAT-QuickHeal 20181212
ClamAV 20181212
CMC 20181212
Comodo 20181212
CrowdStrike Falcon (ML) 20181022
Cybereason 20180225
Cylance 20181212
Cyren 20181212
DrWeb 20181212
eGambit 20181212
Emsisoft 20181212
Endgame 20181108
ESET-NOD32 20181212
F-Prot 20181212
F-Secure 20181212
Fortinet 20181212
GData 20181212
Ikarus 20181212
Sophos ML 20181128
Jiangmin 20181212
K7AntiVirus 20181212
K7GW 20181212
Kaspersky 20181212
Kingsoft 20181212
Malwarebytes 20181212
MAX 20181212
McAfee 20181212
McAfee-GW-Edition 20181212
Microsoft 20181212
eScan 20181212
NANO-Antivirus 20181212
Palo Alto Networks (Known Signatures) 20181212
Panda 20181212
Qihoo-360 20181212
Rising 20181212
SentinelOne (Static ML) 20181011
Sophos AV 20181212
SUPERAntiSpyware 20181212
Symantec 20181212
Symantec Mobile Insight 20181212
TACHYON 20181212
Tencent 20181212
TheHacker 20181210
Trapmine 20181205
TrendMicro 20181212
TrendMicro-HouseCall 20181212
Trustlook 20181212
VBA32 20181212
ViRobot 20181212
Webroot 20181212
Yandex 20181212
Zillya 20181211
ZoneAlarm by Check Point 20181212
Zoner 20181212
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
Authenticode signature block and FileVersionInfo properties
Signature verification Signed file, verified signature
Signing date 10:04 PM 1/14/2016
Signers
[+] Elaborate Bytes AG
Status This certificate or one of the certificates in the certificate chain is not time valid.
Issuer GlobalSign CodeSigning CA - SHA256 - G2
Valid from 04:49 PM 09/29/2015
Valid to 04:09 PM 12/27/2018
Valid usage Code Signing
Algorithm sha256RSA
Thumbprint 4689F7BE5BAD4926B45C93BC82585135D1B176A6
Serial number 11 21 13 28 B7 81 0C 47 38 93 40 44 B5 01 03 E1 30 E8
[+] GlobalSign CodeSigning CA - SHA256 - G2
Status Valid
Issuer GlobalSign
Valid from 10:00 AM 08/02/2011
Valid to 10:00 AM 08/02/2019
Valid usage Code Signing
Algorithm sha256RSA
Thumbprint 4E34C4841080D07059EFC1F3C5DE4D79905A36FF
Serial number 04 00 00 00 00 01 31 89 C6 37 E8
[+] GlobalSign Root CA - R3
Status Valid
Issuer GlobalSign
Valid from 10:00 AM 03/18/2009
Valid to 10:00 AM 03/18/2029
Valid usage Server Auth, Client Auth, Code Signing, Email Protection, Timestamp Signing, EFS, IPSEC Tunnel, IPSEC User
Algorithm sha256RSA
Thumbprint D69B561148F01C77C54578C10926DF5B856976AD
Serial number 04 00 00 00 00 01 21 58 53 08 A2
Counter signers
[+] Symantec Time Stamping Services Signer - G4
Status Valid
Issuer Symantec Time Stamping Services CA - G2
Valid from 12:00 AM 10/18/2012
Valid to 11:59 PM 12/29/2020
Valid usage Timestamp Signing
Algorithm sha1RSA
Thumbprint 65439929B67973EB192D6FF243E6767ADF0834E4
Serial number 0E CF F4 38 C8 FE BF 35 6E 04 D8 6A 98 1B 1A 50
[+] Symantec Time Stamping Services CA - G2
Status Valid
Issuer Thawte Timestamping CA
Valid from 12:00 AM 12/21/2012
Valid to 11:59 PM 12/30/2020
Valid usage Timestamp Signing
Algorithm sha1RSA
Thumbprint 6C07453FFDDA08B83707C09B82FB3D15F35336B1
Serial number 7E 93 EB FB 7C C6 4E 59 EA 4B 9A 77 D4 06 FC 3B
[+] Thawte Timestamping CA
Status Valid
Issuer Thawte Timestamping CA
Valid from 12:00 AM 01/01/1997
Valid to 11:59 PM 12/31/2020
Valid usage Timestamp Signing
Algorithm md5RSA
Thumbprint BE36A4562FB2EE05DBB3D32323ADF445084ED656
Serial number 00
Packers identified
F-PROT NSIS
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2016-01-14 20:58:55
Entry Point 0x00009747
Number of sections 4
PE sections
Overlays
MD5 71115ebb902eb3b3f0d25a99f0f2faa3
File type data
Offset 76800
Size 1633880
Entropy 8.00
PE imports
GetStdHandle
GetFileAttributesA
WaitForSingleObject
HeapDestroy
GetExitCodeProcess
FreeEnvironmentStringsA
DeleteCriticalSection
GetCurrentProcess
GetLocaleInfoA
LocalAlloc
lstrcatA
FreeEnvironmentStringsW
SetFileAttributesA
GetTempPathA
WideCharToMultiByte
GetStringTypeA
InterlockedExchange
WriteFile
GetSystemTimeAsFileTime
GetDiskFreeSpaceA
GetStringTypeW
GetFullPathNameA
SetEvent
LocalFree
MoveFileA
GetEnvironmentVariableA
FindClose
TlsGetValue
SetLastError
InitializeCriticalSection
GetUserDefaultLangID
CopyFileA
ExitProcess
RemoveDirectoryA
GetPrivateProfileStringA
UnhandledExceptionFilter
MultiByteToWideChar
GetModuleHandleA
CreateThread
MulDiv
GetSystemDirectoryA
SetEnvironmentVariableA
SetPriorityClass
TerminateProcess
GlobalAlloc
SearchPathA
SetEndOfFile
GetCurrentThreadId
SetCurrentDirectoryA
HeapFree
EnterCriticalSection
SetHandleCount
lstrcmpiA
FreeLibrary
QueryPerformanceCounter
GetTickCount
TlsAlloc
VirtualProtect
GetVersionExA
LoadLibraryA
RtlUnwind
GetStartupInfoA
GetFileSize
GetPrivateProfileIntA
CreateDirectoryA
DeleteFileA
GetWindowsDirectoryA
GetCPInfo
GetProcAddress
FindFirstFileA
lstrcpyA
GetTempFileNameA
CreateFileMappingA
FindNextFileA
ExpandEnvironmentStringsA
CreateEventA
GetFileType
TlsSetValue
CreateFileA
HeapAlloc
LeaveCriticalSection
GetLastError
LCMapStringW
HeapCreate
GetSystemInfo
lstrlenA
GlobalFree
LCMapStringA
HeapReAlloc
GetEnvironmentStringsW
VirtualQuery
GetModuleFileNameA
GetShortPathNameA
GetEnvironmentStrings
CompareFileTime
WritePrivateProfileStringA
GetCurrentProcessId
SetFileTime
GetCurrentDirectoryA
HeapSize
GetCommandLineA
GetCurrentThread
RaiseException
MapViewOfFile
TlsFree
SetFilePointer
ReadFile
CloseHandle
lstrcpynA
GetACP
CreateProcessA
UnmapViewOfFile
VirtualFree
Sleep
VirtualAlloc
GetOEMCP
Number of PE resources by type
RT_DIALOG 7
RT_BITMAP 2
RT_ICON 1
RT_MANIFEST 1
RT_GROUP_ICON 1
Number of PE resources by language
ENGLISH US 12
PE resources
ExifTool file metadata
MIMEType
application/octet-stream

Subsystem
Windows GUI

MachineType
Intel 386 or later, and compatibles

FileTypeExtension
exe

TimeStamp
2016:01:14 21:58:55+01:00

FileType
Win32 EXE

PEType
PE32

CodeSize
53760

LinkerVersion
7.1

ImageFileCharacteristics
No relocs, Executable, No line numbers, No symbols, 32-bit

EntryPoint
0x9747

InitializedDataSize
121344

SubsystemVersion
4.0

ImageVersion
0.0

OSVersion
4.0

UninitializedDataSize
0

CarbonBlack (CarbonBlack acts as a surveillance camera for computers)
While monitoring an end-user machine in-the-wild, CarbonBlack noticed the following files in execution wrote this sample to disk.
While monitoring an end-user machine in-the-wild, CarbonBlack noticed this sample wrote the following files to disk.
Execution parents
PE resource-wise parents
Overlay parents
Compressed bundles
File identification
MD5 6df26d637c0c5fefcd248ee130837c2b
SHA1 1c989a62b2437245487c2d0f314dd38abc33a5e1
SHA256 cd56643dc3a657ad83b8edbe9f607a572643db0d7ea7376bb86b569c38f82cee
ssdeep
24576:uljES7IX6kiGYTDZNjN6xs1WeNOeuFB9X6gbu185BxbiFAfn+gxohTQtMmp4:ulkLYTDZPNy6gKRS+VhTyp4

authentihash 5c1304e9c10122a900d006d9d22ba804040c283b54e0dd90c06f46febec76ad8
imphash c3a10734ae3ae14ac0408cd958dba171
File size 1.6 MB ( 1710680 bytes )
File type Win32 EXE
Magic literal
PE32 executable for MS Windows (GUI) Intel 80386 32-bit

TrID NSIS - Nullsoft Scriptable Install System (87.6%)
InstallShield setup (4.4%)
Win32 Executable MS Visual C++ (generic) (3.2%)
Win64 Executable (generic) (2.8%)
Win32 Dynamic Link Library (generic) (0.6%)
Tags
nsis peexe via-tor signed overlay

VirusTotal metadata
First submission 2016-01-15 14:28:21 UTC ( 3 years, 2 months ago )
Last submission 2019-03-15 23:13:55 UTC ( 3 days, 6 hours ago )
File names SetupVCD5500.exe
nstd6f1.tmp
Virtual_CloneDrive_v5.5.0.0.exe
Virtual CloneDrive 5.5.0.0.exe
SetupVCD5500.exe
SetupVirtualCloneDrive5500.exe
nst1f38.tmp
SetupVCD5500.exe
virtual-clonedrive-1919-jetelecharge.exe
VirtualCloneDrive.exe
virtual cloneDrive setupvcd5500.exe
elby SetupVCD5500.exe
virtual clone by yazan the basic.exe
1.exe
myfile.exe
SetupVCD5500.exe
SetupVCD5500.exe
SetupVirtualCloneDrive_5.5.0.0.exe
SetupVCD5500.exe
Virtual_CloneDrive_v5.5.0.0.exe
SetupVirtualCloneDrive5500_50081.exe
SetupVirtualClonDrive5500.exe
SetupVirtualCloneDrive5500.exe
Virtual_Clone_Drive_setupvcd5500.exe
virtual-clonedrive_5500.exe
Behaviour characterization
Zemana
dll-injection

Condensed report! The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.
Opened files
Read files
Written files
Copied files
Moved files
Deleted files
Created processes
Created mutexes
Opened mutexes
Opened service managers
Opened services
Runtime DLLs
HTTP requests
DNS requests
TCP connections
UDP communications