SHA256: d2d4e1ab1aa92cffebf215b224d3d89e5ad0d77f01fa078167fb5a7dbb5353f5
File name: VSubst_1.0.6.exe
Detection ratio: 1 / 66
Analysis date: 2018-08-28 23:33:21 UTC ( 3 weeks, 2 days ago )
Antivirus Result Update
Bkav W32.HfsAdware.AB89 20180828
Ad-Aware 20180829
AegisLab 20180828
AhnLab-V3 20180828
Alibaba 20180713
ALYac 20180828
Antiy-AVL 20180828
Arcabit 20180828
Avast 20180828
Avast-Mobile 20180828
AVG 20180828
Avira (no cloud) 20180828
AVware 20180823
Babable 20180822
Baidu 20180828
BitDefender 20180828
CAT-QuickHeal 20180828
ClamAV 20180828
CMC 20180828
Comodo 20180828
CrowdStrike Falcon (ML) 20180723
Cybereason 20180225
Cylance 20180829
Cyren 20180828
DrWeb 20180828
eGambit 20180829
Emsisoft 20180828
Endgame 20180730
ESET-NOD32 20180828
F-Prot 20180828
F-Secure 20180829
Fortinet 20180828
GData 20180828
Ikarus 20180828
Sophos ML 20180717
Jiangmin 20180828
K7AntiVirus 20180828
K7GW 20180828
Kaspersky 20180828
Kingsoft 20180829
Malwarebytes 20180828
MAX 20180829
McAfee 20180828
McAfee-GW-Edition 20180828
Microsoft 20180828
eScan 20180828
NANO-Antivirus 20180828
Palo Alto Networks (Known Signatures) 20180829
Panda 20180828
Qihoo-360 20180829
Rising 20180828
SentinelOne (Static ML) 20180701
Sophos AV 20180828
SUPERAntiSpyware 20180828
Symantec 20180828
Symantec Mobile Insight 20180822
TACHYON 20180828
Tencent 20180829
TheHacker 20180824
TrendMicro 20180828
TrendMicro-HouseCall 20180828
Trustlook 20180829
VBA32 20180828
VIPRE 20180828
ViRobot 20180828
Webroot 20180829
Yandex 20180827
ZoneAlarm by Check Point 20180828
Zoner 20180828
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
Authenticode signature block and FileVersionInfo properties
Copyright © 2006-2008 NTWind Software
Product Visual Subst
File version 1.0.6.0
Description Visual Subst
Signature verification Signed file, verified signature
Signing date 9:37 AM 2/2/2008
Signers
[+] Alexander Avdonin
Status This certificate or one of the certificates in the certificate chain is not time valid.
Issuer UTN-USERFirst-Object
Valid from 1:00 AM 2/27/2007
Valid to 12:59 AM 2/28/2008
Valid usage Code Signing
Algorithm sha1RSA
Thumbprint 13F0F415AE630897841028470115DD546ED82FF7
Serial number 3E 5A BF 29 BA 6B BD FB C0 CB 17 93 FE 97 87 5A
[+] USERTrust (Code Signing)
Status Valid
Issuer UTN-USERFirst-Object
Valid from 7:31 PM 7/9/1999
Valid to 7:40 PM 7/9/2019
Valid usage EFS, Timestamp Signing, Code Signing
Algorithm sha1RSA
Thumbprint E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46
Serial number 44 BE 0C 8B 50 00 24 B4 11 D3 36 2D E0 B3 5F 1B
Counter signers
[+] Comodo Time Stamping Signer
Status This certificate or one of the certificates in the certificate chain is not time valid.
Issuer UTN-USERFirst-Object
Valid from 1:00 AM 5/17/2005
Valid to 12:59 AM 5/17/2010
Valid usage Timestamp Signing
Algorithm sha1RSA
Thumbprint 95B2B8E34EB2CB768144ED07433EF0A3AFCAEEC0
Serial number 4F 63 D0 30 F8 15 A3 A5 B3 44 69 40 06 3D 16 89
[+] USERTrust (Code Signing)
Status Valid
Issuer UTN-USERFirst-Object
Valid from 7:31 PM 7/9/1999
Valid to 7:40 PM 7/9/2019
Valid usage EFS, Timestamp Signing, Code Signing
Algorithm sha1RSA
Thumbprint E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46
Serial number 44 BE 0C 8B 50 00 24 B4 11 D3 36 2D E0 B3 5F 1B
Packers identified
F-PROT NSIS
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2007-07-14 15:12:49
Entry Point 0x00003265
Number of sections 5
PE sections
Overlays
MD5 34f4d250620ac68fc9debaad0a93ed99
File type data
Offset 36352
Size 76744
Entropy 7.99
PE imports
RegDeleteKeyA
RegCloseKey
RegQueryValueExA
RegSetValueExA
RegEnumValueA
RegCreateKeyExA
RegOpenKeyExA
RegEnumKeyA
RegDeleteValueA
ImageList_Create
Ord(17)
ImageList_Destroy
ImageList_AddMasked
GetDeviceCaps
SetBkMode
CreateBrushIndirect
CreateFontIndirectA
SelectObject
SetBkColor
DeleteObject
SetTextColor
GetLastError
lstrlenA
GetFileAttributesA
GlobalFree
WaitForSingleObject
GetExitCodeProcess
CopyFileA
GetTickCount
SetFileTime
GlobalUnlock
GetModuleFileNameA
LoadLibraryA
GetShortPathNameA
GetCurrentProcess
LoadLibraryExA
CompareFileTime
GetPrivateProfileStringA
WritePrivateProfileStringA
GetFileSize
lstrcatA
CreateDirectoryA
DeleteFileA
GetWindowsDirectoryA
SetErrorMode
MultiByteToWideChar
GetCommandLineA
GlobalLock
SetFileAttributesA
SetFilePointer
GetTempPathA
CreateThread
lstrcmpiA
GetModuleHandleA
lstrcmpA
ReadFile
WriteFile
FindFirstFileA
CloseHandle
GetTempFileNameA
lstrcpynA
FindNextFileA
RemoveDirectoryA
GetSystemDirectoryA
GetDiskFreeSpaceA
ExpandEnvironmentStringsA
GetFullPathNameA
FreeLibrary
MoveFileA
CreateProcessA
GlobalAlloc
SearchPathA
FindClose
Sleep
CreateFileA
ExitProcess
GetProcAddress
SetCurrentDirectoryA
MulDiv
SHGetFileInfoA
SHGetSpecialFolderLocation
SHBrowseForFolderA
SHGetPathFromIDListA
ShellExecuteA
SHFileOperationA
EmptyClipboard
GetMessagePos
EndPaint
CharPrevA
EndDialog
BeginPaint
PostQuitMessage
DefWindowProcA
SetWindowTextA
SetClassLongA
LoadBitmapA
SetWindowPos
GetSystemMetrics
IsWindow
AppendMenuA
GetWindowRect
DispatchMessageA
ScreenToClient
SetDlgItemTextA
MessageBoxIndirectA
LoadImageA
GetDlgItemTextA
PeekMessageA
SetWindowLongA
IsWindowEnabled
GetSysColor
CheckDlgButton
GetDC
FindWindowExA
SystemParametersInfoA
CreatePopupMenu
wsprintfA
DialogBoxParamA
SetClipboardData
IsWindowVisible
GetClassInfoA
SetForegroundWindow
GetClientRect
CreateWindowExA
GetDlgItem
CreateDialogParamA
DrawTextA
EnableMenuItem
RegisterClassA
InvalidateRect
GetWindowLongA
SendMessageTimeoutA
SetTimer
LoadCursorA
TrackPopupMenu
SendMessageA
FillRect
ShowWindow
OpenClipboard
CharNextA
CallWindowProcA
GetSystemMenu
EnableWindow
CloseClipboard
DestroyWindow
ExitWindowsEx
SetCursor
GetFileVersionInfoSizeA
GetFileVersionInfoA
VerQueryValueA
OleUninitialize
CoTaskMemFree
OleInitialize
CoCreateInstance
Number of PE resources by type
RT_DIALOG 7
RT_ICON 2
RT_MANIFEST 1
RT_BITMAP 1
RT_VERSION 1
RT_GROUP_ICON 1
Number of PE resources by language
ENGLISH US 12
NEUTRAL 1
PE resources
ExifTool file metadata
UninitializedDataSize 1024
InitializedDataSize 119808
ImageVersion 0.0
ProductName Visual Subst
FileVersionNumber 1.0.6.0
LanguageCode Neutral
FileFlagsMask 0x0000
FileDescription Visual Subst
ImageFileCharacteristics No relocs, Executable, No line numbers, No symbols, 32-bit
CharacterSet Windows, Latin1
LinkerVersion 6.0
FileTypeExtension exe
MIMEType application/octet-stream
Subsystem Windows GUI
FileVersion 1.0.6.0
TimeStamp 2007:07:14 16:12:49+01:00
FileType Win32 EXE
PEType PE32
ProductVersion 1.0.6.0
SubsystemVersion 4.0
OSVersion 4.0
FileOS Win32
LegalCopyright 2006-2008 NTWind Software
MachineType Intel 386 or later, and compatibles
CompanyName NTWind Software
CodeSize 23040
FileSubtype 0
ProductVersionNumber 1.0.6.0
EntryPoint 0x3265
ObjectFileType Executable application
File identification
MD5 b183e3061dd2bfe8e090d553ffc85df4
SHA1 6c2c5118b4281bd1792ba532dd4b79727dc0bf10
SHA256 d2d4e1ab1aa92cffebf215b224d3d89e5ad0d77f01fa078167fb5a7dbb5353f5
ssdeep 3072:OYG6UVYxmJPbOrvlQwq32J+FoyGQ//FdDw:7hDrUm8FFGe
authentihash b63c9432dd11a974c2202678db203248aaab32d7c4357cac4cefeac2e24b9651
imphash b2a0d9368ec1be7deb968a920e5c993e
File size 110.4 KB ( 113096 bytes )
File type Win32 EXE
Magic literal PE32 executable for MS Windows (GUI) Intel 80386 32-bit
TrID NSIS - Nullsoft Scriptable Install System (94.6%)
Win32 Executable MS Visual C++ (generic) (3.4%)
Win32 Dynamic Link Library (generic) (0.7%)
Win32 Executable (generic) (0.5%)
OS/2 Executable (generic) (0.2%)
Tags nsis peexe overlay signed software-collection
VirusTotal metadata
First submission 2009-05-28 21:24:25 UTC ( 9 years, 3 months ago )
Last submission 2018-05-06 00:04:47 UTC ( 4 months, 2 weeks ago )
File names smona131143331356332598416
VSubst_1.0.6.exe
visual-subst-1.0.6.exe
11160817
b183e3061dd2bfe8e090d553ffc85df4
file-3100005_exe
filename
VSubst_1.0.6.exe
octet-stream
vsubst_1.0.6 (1).exe
malware.exe
file
VSubst_1.0.6.exe
31556
VSubst_1.0.620170702-15470-1xwl90i.exe
VSubst-1.0.6.exe
VSUBST_1.0.6.EXE
VSubst_1.0.6.exe
octet-stream
file
141482737817897-VSubst_1.0.6.exe
유틸.XP._VSubst_1.0.6.exe
VSubst_1.0.6.exe.bat
output.11160817.txt
Advanced heuristic and reputation engines
Symantec reputation Suspicious.Insight