SHA256: cf0e919892ca26c5fe79df916c61375544560d83169ef316c87206e971218c15
File name: 408315
Detection ratio: 2 / 58
Analysis date: 2016-03-28 13:14:23 UTC ( 3 years ago )
Antivirus Result Update
ClamAV Html.Trojan.GenericFakeAV-2 20160326
NANO-Antivirus Marker.Script.EICAR.dymlmx 20160328
Ad-Aware 20160328
AegisLab 20160328
Yandex 20160316
AhnLab-V3 20160328
Alibaba 20160323
ALYac 20160328
Antiy-AVL 20160328
Arcabit 20160328
Avast 20160328
AVG 20160328
Avira (no cloud) 20160328
AVware 20160328
Baidu 20160325
Baidu-International 20160328
BitDefender 20160328
Bkav 20160327
ByteHero 20160328
CAT-QuickHeal 20160328
CMC 20160322
Comodo 20160328
Cyren 20160328
DrWeb 20160328
Emsisoft 20160328
ESET-NOD32 20160328
F-Prot 20160328
F-Secure 20160328
Fortinet 20160328
GData 20160328
Ikarus 20160328
Jiangmin 20160328
K7AntiVirus 20160328
K7GW 20160323
Kaspersky 20160328
Kingsoft 20160328
Malwarebytes 20160328
McAfee 20160328
McAfee-GW-Edition 20160328
Microsoft 20160328
eScan 20160328
nProtect 20160325
Panda 20160328
Qihoo-360 20160328
Rising 20160328
Sophos AV 20160328
SUPERAntiSpyware 20160328
Symantec 20160328
Tencent 20160328
TheHacker 20160328
TotalDefense 20160328
TrendMicro 20160328
TrendMicro-HouseCall 20160328
VBA32 20160326
VIPRE 20160328
ViRobot 20160328
Zillya 20160328
Zoner 20160328
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
Authenticode signature block and FileVersionInfo properties
Copyright © Microsoft Corporation. All rights reserved.
Product Microsoft® Windows® Operating System
Original name WEXTRACT.EXE
Internal name Wextract
File version 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
Description Win32 Cabinet Self-Extractor
Signature verification Signed file, verified signature
Signing date 3:24 PM 4/7/2006
Signers
[+] SOFTWIN
Status This certificate or one of the certificates in the certificate chain is not time valid.
Issuer VeriSign Class 3 Code Signing 2004 CA
Valid from 1:00 AM 2/14/2006
Valid to 12:59 AM 3/6/2008
Valid usage Code Signing
Algorithm sha1RSA
Thumbprint 71EDA3426E9531ECFEEE60BD75DE89FA15497166
Serial number 46 46 0F DE 16 F4 AD 69 94 40 34 77 29 F5 39 5E
[+] VeriSign Class 3 Code Signing 2004 CA
Status This certificate or one of the certificates in the certificate chain is not time valid.
Issuer Class 3 Public Primary Certification Authority
Valid from 1:00 AM 7/16/2004
Valid to 12:59 AM 7/16/2014
Valid usage Client Auth, Code Signing
Algorithm sha1RSA
Thumbprint 197A4AEBDB25F0170079BB8C73CB2D655E0018A4
Serial number 41 91 A1 5A 39 78 DF CF 49 65 66 38 1D 4C 75 C2
[+] VeriSign Class 3 Public Primary CA
Status Valid
Issuer Class 3 Public Primary Certification Authority
Valid from 1:00 AM 1/29/1996
Valid to 12:59 AM 8/2/2028
Valid usage Server Auth, Client Auth, Email Protection, Code Signing
Algorithm md2RSA
Thumbprint 742C3192E607E424EB4549542BE1BBC53E6174E2
Serial number 70 BA E4 1D 10 D9 29 34 B6 38 CA 7B 03 CC BA BF
Counter signers
[+] VeriSign Time Stamping Services Signer
Status This certificate or one of the certificates in the certificate chain is not time valid; the revocation status of the certificate or one of the certificates in the certificate chain is unknown; Error 65536 (0x10000); the revocation status of the certificate or one of the certificates in the certificate chain is either offline or stale.
Issuer VeriSign Time Stamping Services CA
Valid from 1:00 AM 12/4/2003
Valid to 12:59 AM 12/4/2008
Valid usage Timestamp Signing
Algorithm sha1RSA
Thumbprint 817E78267300CB0FE5D631357851DB366123A690
Serial number 0D E9 2B F0 D4 D8 29 88 18 32 05 09 5E 9A 76 88
[+] VeriSign Time Stamping Services CA
Status This certificate or one of the certificates in the certificate chain is not time valid.
Issuer Thawte Timestamping CA
Valid from 1:00 AM 12/4/2003
Valid to 12:59 AM 12/4/2013
Valid usage Timestamp Signing
Algorithm sha1RSA
Thumbprint F46AC0C6EFBB8C6A14F55F09E2D37DF4C0DE012D
Serial number 47 BF 19 95 DF 8D 52 46 43 F7 DB 6D 48 0D 31 A4
[+] Thawte Timestamping CA
Status Valid
Issuer Thawte Timestamping CA
Valid from 1:00 AM 1/1/1997
Valid to 12:59 AM 1/1/2021
Valid usage Timestamp Signing
Algorithm md5RSA
Thumbprint BE36A4562FB2EE05DBB3D32323ADF445084ED656
Serial number 00
Packers identified
F-PROT CAB, appended
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2004-08-04 06:01:37
Entry Point 0x0000645C
Number of sections 3
PE sections
Overlays
MD5 e02eae654c7db51fb0d90b00e1a15595
File type data
Offset 17194496
Size 5720
Entropy 7.26
PE imports
GetTokenInformation
LookupPrivilegeValueA
RegCloseKey
OpenProcessToken
RegSetValueExA
FreeSid
RegQueryValueExA
AllocateAndInitializeSid
AdjustTokenPrivileges
EqualSid
RegCreateKeyExA
RegOpenKeyExA
RegDeleteValueA
RegQueryInfoKeyA
GetDeviceCaps
GetLastError
GetSystemTimeAsFileTime
DosDateTimeToFileTime
ReadFile
GetStartupInfoA
GetSystemInfo
lstrlenA
GetFileAttributesA
GlobalFree
WaitForSingleObject
LoadLibraryA
GetExitCodeProcess
QueryPerformanceCounter
MulDiv
ExitProcess
SetFileTime
GetVersionExA
GlobalUnlock
GetModuleFileNameA
IsDBCSLeadByte
GetShortPathNameA
FreeLibrary
GetCurrentProcess
GetVolumeInformationA
LoadLibraryExA
SizeofResource
GetCurrentDirectoryA
GetPrivateProfileStringA
WritePrivateProfileStringA
LocalAlloc
lstrcatA
GetPrivateProfileIntA
CreateDirectoryA
DeleteFileA
GetWindowsDirectoryA
UnhandledExceptionFilter
_llseek
GetCommandLineA
GlobalLock
EnumResourceLanguagesA
TerminateThread
GetTempPathA
CreateMutexA
GetModuleHandleA
_lclose
CreateThread
lstrcmpiA
SetFilePointer
lstrcmpA
FindFirstFileA
GetCurrentProcessId
CreateEventA
lstrcpyA
_lopen
CloseHandle
GetTempFileNameA
lstrcpynA
FindNextFileA
GetSystemDirectoryA
GetDiskFreeSpaceA
ExpandEnvironmentStringsA
FreeResource
SetFileAttributesA
SetEvent
LocalFree
FindResourceA
TerminateProcess
CreateProcessA
RemoveDirectoryA
SetUnhandledExceptionFilter
LockResource
LoadResource
WriteFile
GlobalAlloc
LocalFileTimeToFileTime
FindClose
FormatMessageA
GetTickCount
CreateFileA
GetDriveTypeA
GetCurrentThreadId
GetProcAddress
SetCurrentDirectoryA
ResetEvent
CharPrevA
EndDialog
ShowWindow
MessageBeep
SetWindowPos
SendDlgItemMessageA
GetSystemMetrics
GetWindowRect
DispatchMessageA
EnableWindow
SetDlgItemTextA
GetDlgItemTextA
MessageBoxA
PeekMessageA
SetWindowLongA
CharUpperA
GetDC
ReleaseDC
SetWindowTextA
GetWindowLongA
SendMessageA
GetDlgItem
wsprintfA
LoadStringA
CharNextA
GetDesktopWindow
CallWindowProcA
MsgWaitForMultipleObjects
SetForegroundWindow
ExitWindowsEx
DialogBoxIndirectParamA
GetFileVersionInfoSizeA
GetFileVersionInfoA
VerQueryValueA
Number of PE resources by type
RT_RCDATA 14
RT_STRING 7
RT_DIALOG 6
RT_ICON 2
Struct(255) 1
AVI 1
RT_VERSION 1
RT_GROUP_ICON 1
Number of PE resources by language
ENGLISH US 33
PE resources
Debug information
ExifTool file metadata
UninitializedDataSize 0
LinkerVersion 7.1
ImageVersion 5.1
FileSubtype 0
FileVersionNumber 6.0.2900.2180
LanguageCode English (U.S.)
FileFlagsMask 0x003f
FileDescription Win32 Cabinet Self-Extractor
ImageFileCharacteristics No relocs, Executable, No line numbers, No symbols, 32-bit
CharacterSet Unicode
InitializedDataSize 17154048
EntryPoint 0x645c
OriginalFileName WEXTRACT.EXE
MIMEType application/octet-stream
LegalCopyright Microsoft Corporation. All rights reserved.
FileVersion 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
TimeStamp 2004:08:04 07:01:37+01:00
FileType Win32 EXE
PEType PE32
InternalName Wextract
ProductVersion 6.00.2900.2180
SubsystemVersion 4.0
OSVersion 5.1
FileOS Windows NT 32-bit
Subsystem Windows GUI
MachineType Intel 386 or later, and compatibles
CompanyName Microsoft Corporation
CodeSize 39424
ProductName Microsoft Windows Operating System
ProductVersionNumber 6.0.2900.2180
FileTypeExtension exe
ObjectFileType Executable application
File identification
MD5 2650a6ffdeb47c0febfb8e9d770a6222
SHA1 766935dede8f7a078bce4f77c6b9c01e279f774d
SHA256 cf0e919892ca26c5fe79df916c61375544560d83169ef316c87206e971218c15
ssdeep 393216:IUXFdMgtQnLRkWPIPEZT4XaBRE3KjiQ/QDSODiT+2I:BFdlQnLiWPcJgE6ykTzI
authentihash b99ee96aeb84334c44a446957b97f08139eae6fdfdab51520c98917cc93881b3
imphash 0ebb3c09b06b1666d307952e824c8697
File size 16.4 MB ( 17200216 bytes )
File type Win32 EXE
Magic literal PE32 executable for MS Windows (GUI) Intel 80386 32-bit
TrID Win32 MS Cabinet Self-Extractor (WExtract stub) (88.8%)
Win64 Executable (generic) (8.0%)
Win32 Executable (generic) (1.3%)
OS/2 Executable (generic) (0.5%)
Generic Win/DOS Executable (0.5%)
Tags peexe signed overlay
VirusTotal metadata
First submission 2008-07-31 12:58:23 UTC ( 10 years, 8 months ago )
Last submission 2018-05-16 01:23:18 UTC ( 11 months, 1 week ago )
File names bitdefender_std_v9.exe
WEXTRACT.EXE
octet-stream
Wextract
408315
getfile.php
Advanced heuristic and reputation engines
ClamAV
Possibly Unwanted Application. While not necessarily malicious, the scanned file presents certain characteristics which, depending on the user policies and environment, may or may not represent a threat. For full details see: https://www.clamav.net/documents/potentially-unwanted-applications-pua.
Condensed report! The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.
Opened files
Runtime DLLs
Additional details
The file sends control codes directly to certain device drivers making use of the DeviceIoControl Windows API function.