SHA256: d124b17db4a78864dea31b35dbc6982777eda55156724d7074e7cedbb1d06a5a
File name: temp_000.exe
Detection ratio: 38 / 56
Analysis date: 2015-07-21 22:35:49 UTC ( 1 week ago )
Antivirus Result Update
ALYac Trojan.Generic.AD.04143949 20150721
AVG Agent4.BGSL 20150721
AVware Trojan.Win32.Generic!BT 20150721
Agnitum Riskware.Agent! 20150721
AhnLab-V3 Malware/Win32.Suspicious 20150721
Antiy-AVL Trojan/Win32.Tgenic 20150721
Avast Win32:Malware-gen 20150721
Avira ADWARE/Elex.B 20150721
Baidu-International Adware.Win32.ELEX.81 20150720
Bkav W32.HfsAdware.A115 20150721
CAT-QuickHeal TrojanDownloader.Wysotot.r7 20150721
ClamAV Win.Trojan.Wysotot 20150721
Comodo UnclassifiedMalware 20150721
Cyren W32/Adware.DCLA-5142 20150721
DrWeb Adware.Mutabaha.30 20150721
ESET-NOD32 a variant of Win32/ELEX.O potentially unwanted 20150721
Fortinet W32/VMProtBad.A 20150721
GData Win32.Application.SubTab.B 20150721
Ikarus Trojan.Agent4 20150721
Jiangmin Trojan/StartPage.ucj 20150720
K7AntiVirus Riskware ( 0049f6ae1 ) 20150721
K7GW Riskware ( 0049f6ae1 ) 20150721
Kaspersky HEUR:Trojan.Win32.Generic 20150721
Kingsoft Win32.Troj.Generic.a.(kcloud) 20150722
Malwarebytes Trojan.Downloader 20150721
McAfee Generic.dx!331DE39B8001 20150721
McAfee-GW-Edition Generic.dx!331DE39B8001 20150721
Microsoft TrojanDownloader:Win32/Wysotot.A 20150721
NANO-Antivirus Trojan.Win32.Wysotot.cvnvmg 20150721
Panda Trj/CI.A 20150721
Qihoo-360 Win32/Trojan.Downloader.135 20150722
Sophos Mal/VMProtBad-A 20150721
Symantec PUA.exqWebSearch 20150721
Tencent Win32.Trojan.Bp-generic.Bskd 20150722
TrendMicro TROJ_GEN.R047C0CEE15 20150721
VBA32 Trojan.StartPage 20150721
VIPRE Trojan.Win32.Generic!BT 20150721
Zillya Trojan.StartPage.Win32.22364 20150721
No detection (the remaining 18 of 56 engines)
Ad-Aware 20150721
AegisLab 20150721
Alibaba 20150721
Arcabit 20150721
BitDefender 20150721
ByteHero 20150722
Emsisoft 20150721
F-Prot 20150721
F-Secure 20150721
MicroWorld-eScan 20150721
Rising 20150721
SUPERAntiSpyware 20150721
TheHacker 20150721
TotalDefense 20150721
TrendMicro-HouseCall 20150721
ViRobot 20150721
Zoner 20150721
nProtect 20150721
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
Authenticode signature block and FileVersionInfo properties
Copyright Copyright (C) 2013
Publisher Skytouch Technology Co.
Original name eUpdate.exe
Internal name eUpdate.exe
File version 10.2.0.2610
Signature verification A certificate was explicitly revoked by its issuer. Note that the signing certificate is also past its validity period (see below); because the signature carries a Symantec timestamp countersignature, expiry alone would not invalidate a signature made inside the 7/8/2013 to 7/9/2014 window, but revocation by the issuer does, so this Authenticode signature must be treated as untrusted regardless of the timestamp.
Signers
[+] Skytouch Technology Co.
Status Certificate out of its validity period
Valid from 9:29 AM 7/8/2013
Valid to 9:29 AM 7/9/2014
Valid usage Code Signing
Algorithm SHA1
Thumbprint 23F5AAF1D196D5CC01652E08F10097C56D123F0F
Serial number 11 21 60 78 02 2F A9 1C 0E B6 13 26 E0 E8 FD BE 9C 30
[+] GlobalSign CodeSigning CA - G2
Status Valid
Valid from 11:00 AM 4/13/2011
Valid to 11:00 AM 4/13/2019
Valid usage Code Signing
Algorithm SHA1
Thumbprint 9000401777DD2B43393D7B594D2FF4CBA4516B38
Serial number 04 00 00 00 00 01 2F 4E E1 35 5C
[+] GlobalSign
Status Valid
Valid from 1:00 PM 9/1/1998
Valid to 1:00 PM 1/28/2028
Valid usage Server Auth, Client Auth, Code Signing, Email Protection, Timestamp Signing, OCSP Signing, EFS, IPSEC Tunnel, IPSEC User, IPSEC IKE Intermediate
Algorithm SHA1
Thumbprint B1BC968BD4F49D622AA89A81F2150152A41D829C
Serial number 04 00 00 00 00 01 15 4B 5A C3 94
Counter signers
[+] Symantec Time Stamping Services Signer - G4
Status Valid
Valid from 1:00 AM 10/18/2012
Valid to 12:59 AM 12/30/2020
Valid usage Timestamp Signing
Algorithm SHA1
Thumbprint 65439929B67973EB192D6FF243E6767ADF0834E4
Serial number 0E CF F4 38 C8 FE BF 35 6E 04 D8 6A 98 1B 1A 50
[+] Symantec Time Stamping Services CA - G2
Status Valid
Valid from 1:00 AM 12/21/2012
Valid to 12:59 AM 12/31/2020
Valid usage Timestamp Signing
Algorithm SHA1
Thumbprint 6C07453FFDDA08B83707C09B82FB3D15F35336B1
Serial number 7E 93 EB FB 7C C6 4E 59 EA 4B 9A 77 D4 06 FC 3B
[+] Thawte Timestamping CA
Status Valid
Valid from 1:00 AM 1/1/1997
Valid to 12:59 AM 1/1/2021
Valid usage Timestamp Signing
Algorithm MD5
Thumbprint BE36A4562FB2EE05DBB3D32323ADF445084ED656
Serial number 00
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2013-08-21 11:11:53
Link date 12:11 PM 8/21/2013
Entry Point 0x000ED2A9
Number of sections 7
PE sections
Overlays
MD5 2d9fdc5ae527781e96054cc7af1a21da
File type data
Offset 703488
Size 5752
Entropy 7.40
PE imports
RegCreateKeyExW
LocalFree
LocalAlloc
GetModuleHandleA
GetModuleFileNameW
ExitProcess
TlsSetValue
LoadLibraryA
GetModuleFileNameA
SHChangeNotify
SHDeleteKeyW
IsNetworkAlive
wsprintfW
GetFileVersionInfoW
WinHttpOpenRequest
InternetCheckConnectionW
CoCreateGuid
Number of PE resources by type
RT_MANIFEST 1
SAFE 1
MAGIC 1
RT_VERSION 1
Number of PE resources by language
ENGLISH US 3
CHINESE SIMPLIFIED 1
ExifTool file metadata
UninitializedDataSize 0
LinkerVersion 11.0
ImageVersion 0.0
FileVersionNumber 10.2.0.2610
LanguageCode English (U.S.)
FileFlagsMask 0x003f
CharacterSet Unicode
InitializedDataSize 489984
EntryPoint 0xed2a9
OriginalFileName eUpdate.exe
MIMEType application/octet-stream
LegalCopyright Copyright (C) 2013
FileVersion 10.2.0.2610
TimeStamp 2013:08:21 12:11:53+01:00
FileType Win32 EXE
PEType PE32
InternalName eUpdate.exe
ProductVersion 10.2.0.2610
SubsystemVersion 5.1
OSVersion 5.1
FileOS Windows NT 32-bit
Subsystem Windows GUI
MachineType Intel 386 or later, and compatibles
CodeSize 132096
FileSubtype 0
ProductVersionNumber 10.2.0.2610
FileTypeExtension exe
ObjectFileType Executable application
Compressed bundles
File identification
MD5 331de39b80019a55da553830a92b3195
SHA1 8b46591b11a2124297c4a5ebb993ab08389c99ab
SHA256 d124b17db4a78864dea31b35dbc6982777eda55156724d7074e7cedbb1d06a5a
ssdeep 12288:j3lwFi3OwrVPbMdKVwgv21X1eCe3PBgZCaaNt+HBVeF+g7c0JQ2BQoIgbUQ3eB3g:7smPbn2GJgYl+HBsF+gXJVZJbU1rG
authentihash 17b3b4c4c61255faf9abd0fb5f223660ba71115823b42cc2615f081b50fe033c
imphash a217e738b82f10d42e576ccc80b1a1f9
File size 692.6 KB ( 709240 bytes )
File type Win32 EXE
Magic literal PE32 executable for MS Windows (GUI) Intel 80386 32-bit
TrID Win64 Executable (generic) (64.6%)
Win32 Dynamic Link Library (generic) (15.3%)
Win32 Executable (generic) (10.5%)
Generic Win/DOS Executable (4.6%)
DOS Executable Generic (4.6%)
Tags
peexe signed overlay
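The overlay figures (offset 703488, size 5752, entropy 7.40) and the file-identification hashes above are worth recomputing locally before trusting a report. The following is an added example, my own standard-library-only Python and not code from this page or from VirusTotal: it parses the section table to find where the PE image ends, hashes and measures the entropy of whatever follows, reads the compile timestamp, and checks whether the appended data is exactly the Authenticode certificate table that the "signed" tag implies. The tiny PE that build_sample_pe() assembles is constructed for the demo; only the compile timestamp value is borrowed from the report's PE header.

```python
"""Overlay, entropy and security-directory triage for a PE file.

Added example (standard library only); not code from this page or from
VirusTotal. build_sample_pe() fabricates a tiny PE purely to exercise the
parser, so its bytes are not the page's sample.
"""
import hashlib
import math
import struct
from datetime import datetime, timezone


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def parse_headers(pe: bytes) -> dict:
    """Read the few header fields the triage needs; ValueError on non-PE input."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    num_sections, = struct.unpack_from("<H", pe, coff + 2)
    timestamp, = struct.unpack_from("<I", pe, coff + 4)
    size_opt, = struct.unpack_from("<H", pe, coff + 16)
    opt = coff + 20
    magic, = struct.unpack_from("<H", pe, opt)
    dd_base = opt + (112 if magic == 0x20B else 96)      # data directories: PE32+ vs PE32
    # IMAGE_DIRECTORY_ENTRY_SECURITY (index 4) holds a raw file offset, not an RVA.
    sec_off, sec_size = struct.unpack_from("<II", pe, dd_base + 4 * 8)
    image_end = 0
    sect = opt + size_opt
    for i in range(num_sections):
        # SizeOfRawData and PointerToRawData sit at +16 / +20 of each 40-byte section header
        raw_size, raw_ptr = struct.unpack_from("<II", pe, sect + i * 40 + 16)
        if raw_size:
            image_end = max(image_end, raw_ptr + raw_size)
    return {"compile_ts": timestamp, "image_end": image_end,
            "security_dir": (sec_off, sec_size)}


def triage(pe: bytes) -> dict:
    """Hashes, overlay location/entropy and whether the overlay is just the signature."""
    h = parse_headers(pe)
    start = h["image_end"]
    overlay = pe[start:]
    sec_off, sec_size = h["security_dir"]
    compiled = datetime.fromtimestamp(h["compile_ts"], timezone.utc)
    # True only when the appended data is exactly the Authenticode certificate table
    overlay_is_sig = sec_size > 0 and sec_off == start and sec_off + sec_size == len(pe)
    return {
        "sha256": hashlib.sha256(pe).hexdigest(),
        "compile_time": compiled.strftime("%Y-%m-%d %H:%M:%S"),
        "overlay_offset": start,
        "overlay_size": len(overlay),
        "overlay_md5": hashlib.md5(overlay).hexdigest() if overlay else None,
        "overlay_entropy": round(shannon_entropy(overlay), 2),
        "overlay_is_signature": overlay_is_sig,
    }


def build_sample_pe(overlay: bytes, signed: bool) -> bytes:
    """Constructed single-section PE32 (not a runnable program) for the demo/tests."""
    raw_ptr = raw_size = 0x200
    # compile timestamp borrowed from the report's PE header (2013-08-21 11:11:53 UTC)
    ts = int(datetime(2013, 8, 21, 11, 11, 53, tzinfo=timezone.utc).timestamp())
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)               # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, ts, 0, 0, 224, 0x0102)    # i386, one section
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                               # PE32 magic
    if signed:  # make the security directory cover exactly the appended overlay
        struct.pack_into("<II", opt, 96 + 4 * 8, raw_ptr + raw_size, len(overlay))
    section = b".text\0\0\0" + struct.pack(
        "<IIIIIIHHI", raw_size, 0x1000, raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
    header = dos + b"PE\0\0" + coff + bytes(opt) + section
    header += b"\0" * (raw_ptr - len(header))                           # pad to first section
    return header + b"\xCC" * raw_size + overlay


if __name__ == "__main__":
    # Constructed demo: a "signed" sample whose overlay is 1 KiB of uniformly spread bytes
    sample = build_sample_pe(bytes(range(256)) * 4, signed=True)
    for key, value in triage(sample).items():
        print(f"{key:>21}: {value}")
```

Run against the real sample (`triage(open("temp_000.exe", "rb").read())`), the output should reproduce the report: 703488 + 5752 = 709240 equals the stated file size, so the overlay is literally the last 5752 bytes. A signed PE normally carries its WIN_CERTIFICATE table in the overlay, and DER-encoded certificates and signature values are high-entropy data, so an overlay entropy near 7.4 on a file tagged "signed" is not by itself evidence of a packer or an appended payload; the security-directory comparison in triage() is the check that separates the two cases.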

VirusTotal metadata
First submission 2013-09-26 16:29:31 UTC ( 1 year, 10 months ago )
Last submission 2015-07-21 22:35:49 UTC ( 1 week ago )
File names temp_000.exe
331de39b80019a55da553830a92b3195.malware
_eUpdate_13.3.2.2700(1).exe
15499237
13199950.malware
13220627.malware
_eUpdate_13.3.2.2700.exe
331de39b80019a55da553830a92b3195__eUpdate_13.3.2.2700.exe.exe
file-6020014_exe
temp_000.exe
output.15499237.txt
eUpdate.exe
Condensed report! The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.
Opened files
Read files
Written files
Deleted files
Set keys
Created processes
Shell commands
Code injections in the following processes
Created mutexes
Opened mutexes
Opened service managers
Opened services
Runtime DLLs
Additional details
The file uses the IsDebuggerPresent Windows API function in order to see whether it is being debugged.
The file sends control codes directly to certain device drivers making use of the DeviceIoControl Windows API function.
HTTP requests
DNS requests
TCP connections