SHA256: cf87d26c3c0fe292e6931ea3ea0028d6ed706b3b126ce0d6a87f4562f5f764ba
Detection ratio: 1 / 66
Analysis date: 2018-06-23 02:55:53 UTC (11 months, 1 week ago)
Antivirus / Result / Update (engine signature date; a blank Result means the engine did not flag the file)
Bkav W32.HfsAdware.7C1F 20180622
Ad-Aware 20180623
AegisLab 20180622
AhnLab-V3 20180622
Alibaba 20180622
ALYac 20180623
Antiy-AVL 20180623
Arcabit 20180623
Avast 20180623
Avast-Mobile 20180622
AVG 20180623
Avira (no cloud) 20180622
AVware 20180623
Babable 20180406
Baidu 20180622
BitDefender 20180623
CAT-QuickHeal 20180622
ClamAV 20180623
CMC 20180622
Comodo 20180623
CrowdStrike Falcon (ML) 20180530
Cylance 20180623
Cyren 20180623
DrWeb 20180623
eGambit 20180623
Emsisoft 20180623
Endgame 20180612
ESET-NOD32 20180623
F-Prot 20180623
F-Secure 20180622
Fortinet 20180623
GData 20180623
Ikarus 20180622
Sophos ML 20180601
Jiangmin 20180623
K7AntiVirus 20180622
K7GW 20180623
Kaspersky 20180623
Kingsoft 20180623
Malwarebytes 20180623
MAX 20180623
McAfee 20180623
McAfee-GW-Edition 20180623
Microsoft 20180623
eScan 20180623
NANO-Antivirus 20180623
Palo Alto Networks (Known Signatures) 20180623
Panda 20180622
Qihoo-360 20180623
Rising 20180623
SentinelOne (Static ML) 20180618
Sophos AV 20180623
SUPERAntiSpyware 20180623
Symantec 20180622
Symantec Mobile Insight 20180619
TACHYON 20180623
Tencent 20180623
TheHacker 20180622
TrendMicro 20180623
TrendMicro-HouseCall 20180623
Trustlook 20180623
VBA32 20180622
VIPRE 20180623
ViRobot 20180622
Webroot 20180623
Yandex 20180622
Zillya 20180622
ZoneAlarm by Check Point 20180623
Zoner 20180622
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
Authenticode signature block and FileVersionInfo properties
Copyright
(c)2014 DigitalVolcano Software

Product TextCrawler Free
File version 3.0.2
Description TextCrawler Free Edition Setup
Comments Installer for TextCrawler Free.
Signature verification Signed file, verified signature
Signing date 12:16 PM 10/27/2014
Signers
[+] Digital Volcano software Ltd
Status This certificate or one of the certificates in the certificate chain is not time valid; trust for this certificate or one of the certificates in the certificate chain has been revoked.
Issuer COMODO Code Signing CA 2
Valid from 12:00 AM 03/06/2013
Valid to 11:59 PM 03/05/2016
Valid usage Code Signing
Algorithm sha1RSA
Thumbprint 103E0A05323E2E813EE650F9F18A80E33F1D5D18
Serial number 00 87 77 8A AC 8A FD F6 90 B5 6A B0 A5 6F 94 63 87
[+] COMODO Code Signing CA 2
Status Valid
Issuer UTN-USERFirst-Object
Valid from 12:00 AM 08/24/2011
Valid to 10:48 AM 05/30/2020
Valid usage Code Signing
Algorithm sha1RSA
Thumbprint B64771392538D1EB7A9281998791C14AFD0C5035
Serial number 10 70 9D 4F F5 54 08 D7 30 60 01 D8 EA 91 75 BB
[+] UTN-USERFirst-Object
Status Valid
Issuer AddTrust External CA Root
Valid from 08:09 AM 06/07/2005
Valid to 10:48 AM 05/30/2020
Valid usage All
Algorithm sha1RSA
Thumbprint 8AD5C9987E6F190BD6F5416E2DE44CCD641D8CDA
Serial number 42 1A F2 94 09 84 19 1F 52 0A 4B C6 24 26 A7 4B
[+] Sectigo (AddTrust)
Status Valid
Issuer AddTrust External CA Root
Valid from 10:48 AM 05/30/2000
Valid to 10:48 AM 05/30/2020
Valid usage Server Auth, Client Auth, Email Protection, Code Signing, Timestamp Signing, EFS, IPSEC Tunnel, IPSEC User
Algorithm sha1RSA
Thumbprint 02FAF3E291435468607857694DF5E45B68851868
Serial number 01
Counter signers
[+] COMODO Time Stamping Signer
Status This certificate or one of the certificates in the certificate chain is not time valid.
Issuer UTN-USERFirst-Object
Valid from 12:00 AM 05/10/2010
Valid to 11:59 PM 05/10/2015
Valid usage Timestamp Signing
Algorithm sha1RSA
Thumbprint 3DBB6DB5085C6DD5A1CA7F9CF84ECB1A3910CAC8
Serial number 47 8A 8E FB 59 E1 D8 3F 0C E1 42 D2 A2 87 07 BE
[+] UTN-USERFirst-Object
Status Valid
Issuer AddTrust External CA Root
Valid from 08:09 AM 06/07/2005
Valid to 10:48 AM 05/30/2020
Valid usage All
Algorithm sha1RSA
Thumbprint 8AD5C9987E6F190BD6F5416E2DE44CCD641D8CDA
Serial number 42 1A F2 94 09 84 19 1F 52 0A 4B C6 24 26 A7 4B
[+] Sectigo (AddTrust)
Status Valid
Issuer AddTrust External CA Root
Valid from 10:48 AM 05/30/2000
Valid to 10:48 AM 05/30/2020
Valid usage Server Auth, Client Auth, Email Protection, Code Signing, Timestamp Signing, EFS, IPSEC Tunnel, IPSEC User
Algorithm sha1RSA
Thumbprint 02FAF3E291435468607857694DF5E45B68851868
Serial number 01
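The signer and countersigner blocks above read oddly side by side: "Signed file, verified signature" next to a chain status of "not time valid". The script below, an added example that is neither VirusTotal's code nor the publisher's, puts the dates printed in the report on one timeline to show why both statements hold: an Authenticode verifier that honours the timestamp countersignature evaluates the signer chain at the signing time the timestamp asserts (October 2014), while a chain built for the current time sees a leaf certificate that expired in March 2016 and a timestamp signer that expired in May 2015. Time zones are ignored (the report does not state one), and revocation is not modelled because it needs CRL/OCSP data the page does not carry; the "revoked" status above is taken as given.

```python
"""Timeline of the signature chain shown in the report.

Added example, not code from VirusTotal or DigitalVolcano. Dates are the ones
printed in the report; time zones are ignored (assumption). Revocation is not
modelled: it requires CRL/OCSP data the report does not include.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import List


@dataclass(frozen=True)
class Cert:
    subject: str
    not_before: datetime
    not_after: datetime


# Signer chain, leaf first, as listed under "Signers".
SIGNER_CHAIN = [
    Cert("Digital Volcano software Ltd", datetime(2013, 3, 6, 0, 0), datetime(2016, 3, 5, 23, 59)),
    Cert("COMODO Code Signing CA 2", datetime(2011, 8, 24, 0, 0), datetime(2020, 5, 30, 10, 48)),
    Cert("UTN-USERFirst-Object", datetime(2005, 6, 7, 8, 9), datetime(2020, 5, 30, 10, 48)),
    Cert("AddTrust External CA Root", datetime(2000, 5, 30, 10, 48), datetime(2020, 5, 30, 10, 48)),
]

# Countersigner chain, leaf first, as listed under "Counter signers";
# it shares the two upper certificates with the signer chain.
TSA_CHAIN = [
    Cert("COMODO Time Stamping Signer", datetime(2010, 5, 10, 0, 0), datetime(2015, 5, 10, 23, 59)),
    SIGNER_CHAIN[2],
    SIGNER_CHAIN[3],
]

SIGNING_TIME = datetime(2014, 10, 27, 12, 16)      # "Signing date" in the report
ANALYSIS_TIME = datetime(2018, 6, 23, 2, 55, 53)   # "Analysis date" in the report


def not_time_valid(chain: List[Cert], at: datetime) -> List[str]:
    """Subjects of the chain members whose validity window does not contain 'at'."""
    return [c.subject for c in chain if not (c.not_before <= at <= c.not_after)]


def first_expiry(chain: List[Cert]) -> datetime:
    """The instant after which the chain as a whole stops being time valid."""
    return min(c.not_after for c in chain)


def evaluate(signer_chain, tsa_chain, signing_time, now):
    """Two views of one signature.

    'covered_by_timestamp' is the check a timestamp-aware verifier makes: every
    certificate in both chains must have been valid when the countersignature
    was produced. The other two entries are what a chain builder asked about
    the current time reports, which is where 'not time valid' comes from.
    """
    return {
        "covered_by_timestamp": not not_time_valid(signer_chain, signing_time)
        and not not_time_valid(tsa_chain, signing_time),
        "signer_chain_not_time_valid_now": not_time_valid(signer_chain, now),
        "tsa_chain_not_time_valid_now": not_time_valid(tsa_chain, now),
    }


if __name__ == "__main__":
    for key, value in evaluate(SIGNER_CHAIN, TSA_CHAIN, SIGNING_TIME, ANALYSIS_TIME).items():
        print(f"{key}: {value}")
    print("signer chain time valid until:", first_expiry(SIGNER_CHAIN))
    print("countersigner chain time valid until:", first_expiry(TSA_CHAIN))
```

Swap `ANALYSIS_TIME` for any other date to see when each view flips; the signer chain as a whole is only time valid until the leaf's expiry, so any verifier that discards the timestamp would have rejected this installer from March 2016 onward regardless of the later revocation.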
Packers identified
F-PROT NSIS, appended, Unicode
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2009-12-05 22:50:52
Entry Point 0x000030FA
Number of sections 5
PE sections
Overlays
MD5 5ec733c83fd2650605dda663ce615b9d
File type data
Offset 185856
Size 2471968
Entropy 8.00
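The overlay numbers above are worth checking rather than reading: an overlay is whatever lies past the end of the last section's raw data, and 185856 + 2471968 equals the 2657824-byte file size, so the whole tail of this installer is overlay, and its 8.00 entropy is what a compressed NSIS payload looks like. The script below, an added example that is not part of the VirusTotal report, computes both figures the way a PE triage tool does. The section table in it is constructed for illustration, because the report's own "PE sections" table is empty; only the end of the last section and the file size are taken from the page.

```python
"""Overlay location and entropy, as a PE triage tool computes them.

Added example, not part of the VirusTotal report. The section table is
CONSTRUCTED (the report's section table is empty); the overlay offset and
file size it reproduces are the ones printed in the report.
"""
import math
from collections import Counter
from typing import Iterable, Optional, Tuple


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def overlay_bounds(sections: Iterable[Tuple[str, int, int]], file_size: int) -> Optional[Tuple[int, int]]:
    """sections: (name, PointerToRawData, SizeOfRawData) per section header.

    Returns (offset, size) of the overlay, or None when the file ends with the
    last section. Sections with SizeOfRawData == 0 (uninitialised data such as
    NSIS's .ndata) occupy no file bytes and must not push the end forward.
    """
    end = 0
    for _name, raw_ptr, raw_size in sections:
        if raw_size:
            end = max(end, raw_ptr + raw_size)
    if file_size <= end:
        return None
    return end, file_size - end


def overlay_looks_packed(data: bytes, threshold: float = 7.5) -> bool:
    """Heuristic used by packer detectors: near-maximal entropy means a compressed or encrypted payload."""
    return shannon_entropy(data) >= threshold


# Constructed section table (file alignment 0x200). Only the last raw end,
# 0x2D600 == 185856, is taken from the report's overlay offset.
CONSTRUCTED_SECTIONS = [
    (".text",  0x0400, 24064),    # CodeSize from the ExifTool block
    (".rdata", 0x6200, 0x1400),
    (".data",  0x7600, 0x0600),
    (".ndata", 0x0000, 0),        # NSIS uninitialised section: no raw data
    (".rsrc",  0x7C00, 0x25A00),  # ends at 0x2D600 == 185856
]
REPORTED_FILE_SIZE = 2657824  # "File size" in the report


if __name__ == "__main__":
    print("overlay (offset, size):", overlay_bounds(CONSTRUCTED_SECTIONS, REPORTED_FILE_SIZE))
    # Constructed stand-in for a compressed payload: every byte value equally often.
    payload = bytes(i * 37 % 256 for i in range(2048))
    print("entropy %.2f, looks packed: %s" % (shannon_entropy(payload), overlay_looks_packed(payload)))
```

Against a real file, feed `overlay_bounds` the section headers from your PE parser and pass `data[offset:offset + size]` to `shannon_entropy`; a packer or installer stub with a high-entropy overlay is exactly the pattern that makes signature-based engines go quiet (1/66 here) until the payload is unpacked.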
PE imports
RegDeleteKeyA
RegCloseKey
RegQueryValueExA
RegSetValueExA
RegEnumValueA
RegCreateKeyExA
RegOpenKeyExA
RegEnumKeyA
RegDeleteValueA
ImageList_Create
Ord(17)
ImageList_Destroy
ImageList_AddMasked
GetDeviceCaps
SetBkMode
CreateBrushIndirect
CreateFontIndirectA
SelectObject
SetBkColor
DeleteObject
SetTextColor
GetLastError
lstrlenA
GetFileAttributesA
GlobalFree
WaitForSingleObject
GetExitCodeProcess
CopyFileA
ExitProcess
SetFileTime
GlobalUnlock
LoadLibraryA
GetModuleFileNameA
GetShortPathNameA
GetCurrentProcess
LoadLibraryExA
CompareFileTime
GetPrivateProfileStringA
WritePrivateProfileStringA
GetFileSize
lstrcatA
CreateDirectoryA
DeleteFileA
GetWindowsDirectoryA
SetErrorMode
MultiByteToWideChar
GetCommandLineA
GlobalLock
SetFileAttributesA
SetFilePointer
GetTempPathA
CreateThread
lstrcmpiA
GetModuleHandleA
lstrcmpA
ReadFile
WriteFile
FindFirstFileA
CloseHandle
GetTempFileNameA
lstrcpynA
FindNextFileA
RemoveDirectoryA
GetSystemDirectoryA
GetDiskFreeSpaceA
ExpandEnvironmentStringsA
GetFullPathNameA
FreeLibrary
MoveFileA
CreateProcessA
GlobalAlloc
SearchPathA
FindClose
Sleep
CreateFileA
GetTickCount
GetVersion
GetProcAddress
SetCurrentDirectoryA
MulDiv
SHGetFileInfoA
SHGetSpecialFolderLocation
SHBrowseForFolderA
SHGetPathFromIDListA
ShellExecuteA
SHFileOperationA
EmptyClipboard
GetMessagePos
EndPaint
CharPrevA
EndDialog
BeginPaint
PostQuitMessage
DefWindowProcA
SetWindowTextA
SetClassLongA
LoadBitmapA
SetWindowPos
GetSystemMetrics
IsWindow
AppendMenuA
GetWindowRect
DispatchMessageA
ScreenToClient
SetDlgItemTextA
MessageBoxIndirectA
LoadImageA
GetDlgItemTextA
PeekMessageA
SetWindowLongA
IsWindowEnabled
GetSysColor
CheckDlgButton
GetDC
FindWindowExA
SystemParametersInfoA
CreatePopupMenu
wsprintfA
DialogBoxParamA
SetClipboardData
IsWindowVisible
GetClassInfoA
SetForegroundWindow
GetClientRect
CreateWindowExA
GetDlgItem
CreateDialogParamA
DrawTextA
EnableMenuItem
RegisterClassA
InvalidateRect
GetWindowLongA
SendMessageTimeoutA
SetTimer
LoadCursorA
TrackPopupMenu
SendMessageA
FillRect
ShowWindow
OpenClipboard
CharNextA
CallWindowProcA
GetSystemMenu
EnableWindow
CloseClipboard
DestroyWindow
ExitWindowsEx
SetCursor
GetFileVersionInfoSizeA
GetFileVersionInfoA
VerQueryValueA
OleUninitialize
CoTaskMemFree
OleInitialize
CoCreateInstance
Number of PE resources by type
RT_DIALOG 18
RT_ICON 12
RT_MANIFEST 1
RT_BITMAP 1
RT_VERSION 1
RT_GROUP_ICON 1
Number of PE resources by language
ENGLISH US 34
PE resources
ExifTool file metadata
SubsystemVersion
4.0

Comments
Installer for TextCrawler Free.

LinkerVersion
6.0

ImageVersion
6.0

FileSubtype
0

FileVersionNumber
3.0.0.2

LanguageCode
English (U.S.)

FileFlagsMask
0x0000

FileDescription
TextCrawler Free Edition Setup

ImageFileCharacteristics
No relocs, Executable, No line numbers, No symbols, 32-bit

CharacterSet
ASCII

InitializedDataSize
164864

EntryPoint
0x30fa

MIMEType
application/octet-stream

LegalCopyright
(c)2014 DigitalVolcano Software

FileVersion
3.0.2

TimeStamp
2009:12:05 23:50:52+01:00

FileType
Win32 EXE

PEType
PE32

UninitializedDataSize
1024

OSVersion
4.0

FileOS
Win32

Subsystem
Windows GUI

MachineType
Intel 386 or later, and compatibles

CompanyName
DigitalVolcano Software Ltd

CodeSize
24064

ProductName
TextCrawler Free

ProductVersionNumber
3.0.0.2

FileTypeExtension
exe

ObjectFileType
Executable application

CarbonBlack
While monitoring an end-user machine in-the-wild, CarbonBlack noticed the following files in execution wrote this sample to disk.
Compressed bundles
File identification
MD5 b32bb632d357c11dee36c307f769d6bf
SHA1 03bf044f1c3a1a747b7986143feae31f01998ed1
SHA256 cf87d26c3c0fe292e6931ea3ea0028d6ed706b3b126ce0d6a87f4562f5f764ba
ssdeep
49152:F5o92Q70PDprQpJtKXGwtllijoN5T6YErk2nfYYcdQl:F5o92Q0PNroViUJxrnYd4

authentihash 6eae4845a25af091ca2561398b7b2b5ca459472b500590bb55a1bb5fc7e07239
imphash 7fa974366048f9c551ef45714595665e
File size 2.5 MB ( 2657824 bytes )
File type Win32 EXE
Magic literal
PE32 executable for MS Windows (GUI) Intel 80386 32-bit

TrID NSIS - Nullsoft Scriptable Install System (94.6%)
Win32 Executable MS Visual C++ (generic) (3.4%)
Win32 Dynamic Link Library (generic) (0.7%)
Win32 Executable (generic) (0.5%)
OS/2 Executable (generic) (0.2%)
Tags
nsis peexe overlay signed revoked-cert
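The imphash in the identification block is the value most useful for clustering this stub with other NSIS installers, because it hashes the import table (DLL plus function, in import order) rather than the file bytes, and the import list higher up on this page is exactly that table, including the one ordinal-only entry shown as Ord(17). The script below, an added example rather than VirusTotal's implementation, recomputes an imphash with the same normalisation rules as pefile's get_imphash(): lowercase, DLL extension stripped, unnamed imports written as ordN (with pefile's name table for ws2_32 and oleaut32 ordinals, abbreviated here), comma-joined, MD5. The import table in it is constructed for illustration: the page lists functions but not the DLL each comes from, so the value it produces is not this sample's imphash.

```python
"""Recompute an imphash from a PE import table.

Added example, not VirusTotal's or pefile's code; it follows the published
pefile algorithm. The sample import table below is CONSTRUCTED (the report
does not name the DLL for each import), so its hash is not the report's.
"""
import hashlib
from typing import Dict, List, Sequence, Tuple, Union

# pefile resolves ordinal-only imports to names for these DLLs only (wsock32
# shares the ws2_32 table); the tables are abbreviated here.
_WS2_32 = {1: "accept", 2: "bind", 3: "closesocket", 4: "connect", 23: "socket"}
_ORDINAL_NAMES: Dict[str, Dict[int, str]] = {
    "ws2_32": _WS2_32,
    "wsock32": _WS2_32,
    "oleaut32": {2: "SysAllocString", 4: "SysAllocStringLen", 6: "SysFreeString", 7: "SysStringLen"},
}

ImportTable = Sequence[Tuple[str, Sequence[Union[str, int]]]]


def _normalize_dll(name: str) -> str:
    """Lowercase, and drop the extension only if it is .dll, .ocx or .sys."""
    name = name.lower()
    base, dot, ext = name.rpartition(".")
    if dot and ext in ("dll", "ocx", "sys"):
        return base
    return name


def imphash_string(imports: ImportTable) -> str:
    """The comma-joined 'dll.func' string that is hashed; order matters."""
    parts: List[str] = []
    for dll, entries in imports:
        dll_key = _normalize_dll(dll)
        for entry in entries:
            if isinstance(entry, int):
                # ordinal import: use the known name if pefile has one, else ordN
                func = _ORDINAL_NAMES.get(dll_key, {}).get(entry, "ord%d" % entry)
            else:
                func = entry
            parts.append("%s.%s" % (dll_key, func.lower()))
    return ",".join(parts)


def imphash(imports: ImportTable) -> str:
    return hashlib.md5(imphash_string(imports).encode("ascii")).hexdigest()


# Constructed: the first imports of this page's list, assigned to the DLLs
# NSIS stubs import them from (advapi32 for Reg*, comctl32 for ImageList_*),
# plus a ws2_32 ordinal to show the name lookup. Not the sample's full table.
SAMPLE_IMPORTS: ImportTable = [
    ("ADVAPI32.dll", ["RegDeleteKeyA", "RegCloseKey"]),
    ("COMCTL32.dll", ["ImageList_Create", 17, "ImageList_Destroy"]),
    ("WS2_32.dll", [23]),
]

if __name__ == "__main__":
    print(imphash_string(SAMPLE_IMPORTS))
    print(imphash(SAMPLE_IMPORTS))
```

Two files with byte-for-byte different overlays but the same stub, such as every installer built with the same NSIS release and plugin set, share an imphash, which is why it is a good pivot for finding siblings and a poor one for telling a benign installer from a trojanised one; the overlay hash (MD5 5ec733c83fd2650605dda663ce615b9d above) is the value that changes with the payload.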

VirusTotal metadata
First submission 2014-10-27 19:39:17 UTC ( 4 years, 7 months ago )
Last submission 2019-04-12 12:28:07 UTC ( 1 month, 2 weeks ago )
File names TextCrawler_Setup.exe
textcrawler_setup.exe
file-7681878_exe
Advanced heuristic and reputation engines
Symantec reputation Suspicious.Insight
Condensed report! The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.
Opened files
Read files
Written files
Deleted files
Opened mutexes
Runtime DLLs
Additional details
The file sends control codes directly to certain device drivers making use of the DeviceIoControl Windows API function.