SHA256: d124b17db4a78864dea31b35dbc6982777eda55156724d7074e7cedbb1d06a5a
File name: eUpdate.exe
Detection ratio: 31 / 50
Analysis date: 2014-03-06 08:24:16 UTC ( 1 month, 2 weeks ago )
Antivirus Result Update
AVG Agent4.BGSL 20140305
Agnitum Riskware.Agent! 20140305
AhnLab-V3 Malware/Win32.Suspicious 20140305
AntiVir Adware/ELEX.B 20140306
Antiy-AVL Trojan/Win32.Tgenic 20140306
Avast Win32:Malware-gen 20140306
Baidu-International Adware.Win32.ELEX.40 20140306
Bkav W32.Clod27f.Trojan.5c5d 20140305
CAT-QuickHeal TrojanDownloader.Wysotot 20140306
Comodo UnclassifiedMalware 20140306
DrWeb Adware.Mutabaha.30 20140306
ESET-NOD32 a variant of Win32/ELEX.O 20140306
Fortinet W32/VMProtBad.A 20140306
Ikarus Win32.Malware 20140306
Jiangmin Trojan/StartPage.ucj 20140306
K7AntiVirus Riskware ( 0040f01a1 ) 20140305
K7GW Riskware ( 0040f01a1 ) 20140305
Kingsoft Win32.Troj.Generic.a.(kcloud) 20140306
Malwarebytes Trojan.Downloader 20140306
McAfee RDN/Generic.hra!bs 20140306
McAfee-GW-Edition RDN/Generic.hra!bs 20140306
Microsoft TrojanDownloader:Win32/Wysotot.A 20140306
NANO-Antivirus Trojan.Win32.VMProtBadA.cgtssl 20140306
Panda Trj/CI.A 20140305
Qihoo-360 Win32/Trojan.43b 20140306
Sophos Mal/VMProtBad-A 20140306
Symantec exqWebSearch 20140306
TrendMicro TROJ_GEN.R0CBC0OJ213 20140306
TrendMicro-HouseCall TROJ_GEN.R0CBC0EJO13 20140306
VIPRE Trojan.Win32.Generic!BT 20140306
nProtect Adware/W32.Agent.709240 20140305
Ad-Aware 20140306
BitDefender 20140306
ByteHero 20140306
CMC 20140228
ClamAV 20140305
Commtouch 20140306
Emsisoft 20140306
F-Prot 20140306
F-Secure 20140306
GData 20140306
Kaspersky 20140306
MicroWorld-eScan 20140306
Norman 20140306
Rising 20140305
SUPERAntiSpyware 20140306
TheHacker 20140305
TotalDefense 20140306
VBA32 20140305
ViRobot 20140306
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
Authenticode signature block
Copyright
Copyright (C) 2013

Publisher Skytouch Technology Co.
Original name eUpdate.exe
Internal name eUpdate.exe
File version 10.2.0.2610
Signature verification A certificate was explicitly revoked by its issuer.
Signers
[+] Skytouch Technology Co.
Status A certificate was explicitly revoked by its issuer.
Valid from 9:29 AM 7/8/2013
Valid to 9:29 AM 7/9/2014
Valid usage Code Signing
Algorithm SHA1
Thumbprint 23F5AAF1D196D5CC01652E08F10097C56D123F0F
Serial number 11 21 60 78 02 2F A9 1C 0E B6 13 26 E0 E8 FD BE 9C 30
[+] GlobalSign CodeSigning CA - G2
Status Valid
Valid from 11:00 AM 4/13/2011
Valid to 11:00 AM 4/13/2019
Valid usage Code Signing
Algorithm SHA1
Thumbprint 9000401777DD2B43393D7B594D2FF4CBA4516B38
Serial number 04 00 00 00 00 01 2F 4E E1 35 5C
[+] GlobalSign
Status Valid
Valid from 1:00 PM 9/1/1998
Valid to 1:00 PM 1/28/2028
Valid usage Server Auth, Client Auth, Code Signing, Email Protection, Timestamp Signing, OCSP Signing, EFS, IPSEC Tunnel, IPSEC User, 1.3.6.1.5.5.8.2.2
Algorithm SHA1
Thumbprint B1BC968BD4F49D622AA89A81F2150152A41D829C
Serial number 04 00 00 00 00 01 15 4B 5A C3 94
Counter signers
[+] Symantec Time Stamping Services Signer - G4
Status Valid
Valid from 1:00 AM 10/18/2012
Valid to 12:59 AM 12/30/2020
Valid usage Timestamp Signing
Algorithm SHA1
Thumbprint 65439929B67973EB192D6FF243E6767ADF0834E4
Serial number 0E CF F4 38 C8 FE BF 35 6E 04 D8 6A 98 1B 1A 50
[+] Symantec Time Stamping Services CA - G2
Status Valid
Valid from 1:00 AM 12/21/2012
Valid to 12:59 AM 12/31/2020
Valid usage Timestamp Signing
Algorithm SHA1
Thumbprint 6C07453FFDDA08B83707C09B82FB3D15F35336B1
Serial number 7E 93 EB FB 7C C6 4E 59 EA 4B 9A 77 D4 06 FC 3B
[+] Thawte Timestamping CA
Status Valid
Valid from 1:00 AM 1/1/1997
Valid to 12:59 AM 1/1/2021
Valid usage Timestamp Signing
Algorithm MD5
Thumbprint BE36A4562FB2EE05DBB3D32323ADF445084ED656
Serial number 00
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2013-08-21 11:11:53
Entry Point 0x000ED2A9
Number of sections 7
PE sections
PE imports
RegCreateKeyExW
LocalFree
LocalAlloc
GetModuleHandleA
GetModuleFileNameW
ExitProcess
TlsSetValue
LoadLibraryA
GetModuleFileNameA
SHChangeNotify
SHDeleteKeyW
IsNetworkAlive
wsprintfW
GetFileVersionInfoW
WinHttpOpenRequest
InternetCheckConnectionW
CoCreateGuid
Number of PE resources by type
RT_MANIFEST 1
SAFE 1
MAGIC 1
RT_VERSION 1
Number of PE resources by language
ENGLISH US 3
CHINESE SIMPLIFIED 1
ExifTool file metadata
UninitializedDataSize 0
InitializedDataSize 489984
ImageVersion 0.0
FileVersionNumber 10.2.0.2610
LanguageCode English (U.S.)
FileFlagsMask 0x003f
CharacterSet Unicode
LinkerVersion 11.0
FileOS Windows NT 32-bit
MIMEType application/octet-stream
Subsystem Windows GUI
FileVersion 10.2.0.2610
TimeStamp 2013:08:21 12:11:53+01:00
FileType Win32 EXE
PEType PE32
InternalName eUpdate.exe
FileAccessDate 2014:03:06 09:28:15+01:00
ProductVersion 10.2.0.2610
SubsystemVersion 5.1
OSVersion 5.1
FileCreateDate 2014:03:06 09:28:15+01:00
OriginalFilename eUpdate.exe
LegalCopyright Copyright (C) 2013
MachineType Intel 386 or later, and compatibles
CodeSize 132096
FileSubtype 0
ProductVersionNumber 10.2.0.2610
EntryPoint 0xed2a9
ObjectFileType Executable application
File identification
MD5 331de39b80019a55da553830a92b3195
SHA1 8b46591b11a2124297c4a5ebb993ab08389c99ab
SHA256 d124b17db4a78864dea31b35dbc6982777eda55156724d7074e7cedbb1d06a5a
ssdeep 12288:j3lwFi3OwrVPbMdKVwgv21X1eCe3PBgZCaaNt+HBVeF+g7c0JQ2BQoIgbUQ3eB3g:7smPbn2GJgYl+HBsF+gXJVZJbU1rG
imphash a217e738b82f10d42e576ccc80b1a1f9
File size 692.6 KB ( 709240 bytes )
File type Win32 EXE
Magic literal PE32 executable for MS Windows (GUI) Intel 80386 32-bit
TrID Win32 Dynamic Link Library (generic) (43.5%)
Win32 Executable (generic) (29.8%)
Generic Win/DOS Executable (13.2%)
DOS Executable Generic (13.2%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
Tags peexe signed
VirusTotal metadata
First submission 2013-09-26 16:29:31 UTC ( 6 months, 3 weeks ago )
Last submission 2013-11-15 15:11:17 UTC ( 5 months ago )
File names 331de39b80019a55da553830a92b3195.malware
_eUpdate_13.3.2.2700(1).exe
13220627.malware
13199950.malware
_eUpdate_13.3.2.2700.exe
file-6020014_exe
temp_000.exe
eUpdate.exe
Condensed report! The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.
Opened files
Read files
Written files
Deleted files
Set keys
Created processes
Shell commands
Code injections in the following processes
Created mutexes
Opened mutexes
Opened service managers
Opened services
Runtime DLLs
Additional details
The file uses the IsDebuggerPresent Windows API function in order to see whether it is being debugged.
The file sends control codes directly to certain device drivers making use of the DeviceIoControl Windows API function.
HTTP requests
DNS requests
TCP connections