SHA256: d73cc6a97c3edde637c7d952ee2e0efc5b09937e5300cb0ecaffda70f4efdef0
File name: winrar-x64-540.exe
Detection ratio: 1 / 67
Analysis date: 2018-02-11 07:35:41 UTC ( 1 week, 2 days ago )
Antivirus / Result / Update (engines listed without a result did not flag the file; only Baidu produced a detection, hence the 1 / 67 ratio)
Baidu Win32.Trojan.WisdomEyes.16070401.9500.9985 20180208
Ad-Aware 20180211
AegisLab 20180211
AhnLab-V3 20180210
Alibaba 20180209
ALYac 20180211
Antiy-AVL 20180211
Arcabit 20180211
Avast 20180211
Avast-Mobile 20180210
AVG 20180211
Avira (no cloud) 20180210
AVware 20180210
BitDefender 20180211
Bkav 20180209
CAT-QuickHeal 20180210
ClamAV 20180211
CMC 20180211
Comodo 20180211
CrowdStrike Falcon (ML) 20170201
Cybereason 20180205
Cylance 20180211
Cyren 20180211
DrWeb 20180211
eGambit 20180211
Emsisoft 20180211
Endgame 20171130
ESET-NOD32 20180211
F-Prot 20180211
F-Secure 20180210
Fortinet 20180211
GData 20180211
Ikarus 20180210
Sophos ML 20180121
Jiangmin 20180211
K7AntiVirus 20180211
K7GW 20180211
Kaspersky 20180211
Kingsoft 20180211
Malwarebytes 20180211
MAX 20180211
McAfee 20180211
McAfee-GW-Edition 20180211
Microsoft 20180211
eScan 20180211
NANO-Antivirus 20180211
nProtect 20180209
Palo Alto Networks (Known Signatures) 20180211
Panda 20180210
Qihoo-360 20180211
Rising 20180211
SentinelOne (Static ML) 20180115
Sophos AV 20180211
SUPERAntiSpyware 20180211
Symantec 20180210
Symantec Mobile Insight 20180209
Tencent 20180211
TheHacker 20180208
TrendMicro 20180211
TrendMicro-HouseCall 20180211
Trustlook 20180211
VBA32 20180209
VIPRE 20180211
ViRobot 20180211
Webroot 20180211
WhiteArmor 20180205
Yandex 20180210
Zillya 20180209
ZoneAlarm by Check Point 20180211
Zoner 20180211
The file being studied is a Portable Executable file. More specifically, it is a 64-bit (PE32+) EXE for the Windows GUI subsystem that targets the x64 architecture.
Authenticode signature block and FileVersionInfo properties
Signature verification Signed file, verified signature
Signing date 8:16 PM 8/14/2016
Signers
[+] win.rar GmbH
Status This certificate or one of the certificates in the certificate chain is not time valid. (The win.rar GmbH certificate expired on 6/1/2017, before the analysis date. Because the signature carries a Symantec timestamp countersignature from the signing date, 8/14/2016, when the certificate was still inside its validity period, the signature itself still verifies, which is why the verification result above reads "verified signature".)
Issuer COMODO RSA Code Signing CA
Valid from 1:00 AM 6/1/2015
Valid to 12:59 AM 6/1/2017
Valid usage Code Signing
Algorithm sha256RSA
Thumbprint CC6FD0D1EE3570E592A181D6B41E0FF308D833D3
Serial number 00 FE 46 A1 0A D9 42 69 C3 DD 22 5C 13 64 53 52 E4
[+] COMODO RSA Code Signing CA
Status Valid
Issuer COMODO RSA Certification Authority
Valid from 1:00 AM 5/9/2013
Valid to 12:59 AM 5/9/2028
Valid usage Code Signing
Algorithm sha384RSA
Thumbprint B69E752BBE88B4458200A7C0F4F5B3CCE6F35B47
Serial number 2E 7C 87 CC 0E 93 4A 52 FE 94 FD 1C B7 CD 34 AF
[+] COMODO SECURE™
Status Valid
Issuer COMODO RSA Certification Authority
Valid from 1:00 AM 1/19/2010
Valid to 12:59 AM 1/19/2038
Valid usage Server Auth, Client Auth, Email Protection, Code Signing, Timestamp Signing, EFS, IPSEC Tunnel, IPSEC User
Algorithm sha384RSA
Thumbprint AFE5D244A8D1194230FF479FE2F897BBCD7A8CB4
Serial number 4C AA F9 CA DB 63 6F E0 1F F7 4E D8 5B 03 86 9D
Counter signers
[+] Symantec Time Stamping Services Signer - G4
Status Valid
Issuer Symantec Time Stamping Services CA - G2
Valid from 1:00 AM 10/18/2012
Valid to 12:59 AM 12/30/2020
Valid usage Timestamp Signing
Algorithm sha1RSA
Thumbprint 65439929B67973EB192D6FF243E6767ADF0834E4
Serial number 0E CF F4 38 C8 FE BF 35 6E 04 D8 6A 98 1B 1A 50
[+] Symantec Time Stamping Services CA - G2
Status Valid
Issuer Thawte Timestamping CA
Valid from 1:00 AM 12/21/2012
Valid to 12:59 AM 12/31/2020
Valid usage Timestamp Signing
Algorithm sha1RSA
Thumbprint 6C07453FFDDA08B83707C09B82FB3D15F35336B1
Serial number 7E 93 EB FB 7C C6 4E 59 EA 4B 9A 77 D4 06 FC 3B
[+] Thawte Timestamping CA
Status Valid
Issuer Thawte Timestamping CA
Valid from 1:00 AM 1/1/1997
Valid to 12:59 AM 1/1/2021
Valid usage Timestamp Signing
Algorithm md5RSA
Thumbprint BE36A4562FB2EE05DBB3D32323ADF445084ED656
Serial number 00
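The signature block above shows a signer certificate that has expired and a "verified signature" result at the same time. The reconciliation is the timestamp countersignature: with a trusted timestamp, Authenticode checks the signer chain against the signing time rather than the verification time. The following is an added example (written for this page, not VirusTotal's or WinRAR's code) that applies that rule to the certificate facts printed in the report. It assumes the report's "h:mm AM/PM m/d/yyyy" strings are all in one time zone, uses the analysis date as the verification time, and does not model the lifetime-signing EKU exception or the timestamp token's own cryptographic verification.

```python
"""Authenticode time-validity rule applied to the certificate facts shown in this report."""
from datetime import datetime

WEAK_SIGNATURE_ALGORITHMS = {"md5RSA", "sha1RSA"}

# Chains copied from the report (leaf first); times are the page's 'h:mm AM/PM m/d/yyyy' strings.
SIGNER_CHAIN = [
    {"subject": "win.rar GmbH", "issuer": "COMODO RSA Code Signing CA",
     "valid_from": "1:00 AM 6/1/2015", "valid_to": "12:59 AM 6/1/2017", "algorithm": "sha256RSA"},
    {"subject": "COMODO RSA Code Signing CA", "issuer": "COMODO RSA Certification Authority",
     "valid_from": "1:00 AM 5/9/2013", "valid_to": "12:59 AM 5/9/2028", "algorithm": "sha384RSA"},
    {"subject": "COMODO SECURE", "issuer": "COMODO RSA Certification Authority",
     "valid_from": "1:00 AM 1/19/2010", "valid_to": "12:59 AM 1/19/2038", "algorithm": "sha384RSA"},
]
TIMESTAMP_CHAIN = [
    {"subject": "Symantec Time Stamping Services Signer - G4",
     "issuer": "Symantec Time Stamping Services CA - G2",
     "valid_from": "1:00 AM 10/18/2012", "valid_to": "12:59 AM 12/30/2020", "algorithm": "sha1RSA"},
    {"subject": "Symantec Time Stamping Services CA - G2", "issuer": "Thawte Timestamping CA",
     "valid_from": "1:00 AM 12/21/2012", "valid_to": "12:59 AM 12/31/2020", "algorithm": "sha1RSA"},
    {"subject": "Thawte Timestamping CA", "issuer": "Thawte Timestamping CA",
     "valid_from": "1:00 AM 1/1/1997", "valid_to": "12:59 AM 1/1/2021", "algorithm": "md5RSA"},
]
SIGNING_TIME = "8:16 PM 8/14/2016"    # from the signature block
ANALYSIS_TIME = "7:35 AM 2/11/2018"   # the report's analysis date, used as verification time


def parse_vt_time(text):
    """Parse the report's timestamp format; all values are treated as the same (naive) zone."""
    return datetime.strptime(text, "%I:%M %p %m/%d/%Y")


def cert_valid_at(cert, when):
    return parse_vt_time(cert["valid_from"]) <= when <= parse_vt_time(cert["valid_to"])


def evaluate_chain(chain, signing_time, verify_time, timestamped):
    """With a trusted timestamp countersignature the signer chain only has to have been valid
    at signing time; without one it has to be valid at verification time. (Certificates that
    carry the lifetime-signing EKU are an exception to this rule and are not modelled here.)"""
    reference = signing_time if timestamped else verify_time
    not_valid = [c["subject"] for c in chain if not cert_valid_at(c, reference)]
    expired = [c["subject"] for c in chain if parse_vt_time(c["valid_to"]) < verify_time]
    return {
        "verdict": "verified" if not not_valid else "invalid",
        "checked_at": reference.isoformat(),
        "not_valid_at_reference": not_valid,
        "expired_at_verify_time": expired,   # explains the 'not time valid' status text
    }


def weak_algorithms(chain):
    """Non-root certificates signed with MD5 or SHA-1. A self-signed root is skipped: trust in
    it comes from the local store, not from verifying its own signature."""
    return [c["subject"] for c in chain
            if c["algorithm"] in WEAK_SIGNATURE_ALGORITHMS and c["subject"] != c["issuer"]]


def demo():
    signing, verify = parse_vt_time(SIGNING_TIME), parse_vt_time(ANALYSIS_TIME)
    return {
        "with_timestamp": evaluate_chain(SIGNER_CHAIN, signing, verify, timestamped=True),
        "without_timestamp": evaluate_chain(SIGNER_CHAIN, signing, verify, timestamped=False),
        "timestamp_chain_valid_at_verify_time": all(cert_valid_at(c, verify) for c in TIMESTAMP_CHAIN),
        "weak_in_timestamp_chain": weak_algorithms(TIMESTAMP_CHAIN),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

Run as a script it prints two verdicts for the same chain: "verified" when the signing time is the reference, "invalid" when the expired leaf is checked against the analysis date. It also lists the two Symantec timestamp certificates as SHA-1 signed; the MD5 self-signature on the Thawte root is deliberately not flagged because a root's own signature is never relied upon.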
Packers identified
F-PROT maxorder, appended, RAR, Unicode (F-PROT's descriptor for a RAR archive appended to the executable, i.e. a self-extracting installer stub; the appended data is listed under Overlays below)
PE header basic information
Target machine x64
Compilation timestamp 2016-08-14 19:16:02
Entry Point 0x00021ACC
Number of sections 7
Overlays
MD5 3ad19959e5941f839f42888ad13372f6
File type application/x-rar
Offset 313344
Size 1866512
Entropy 8.00
Offset + Size = 313344 + 1866512 = 2179856 bytes, which equals the file size reported under File identification, so the overlay runs to the end of the file. That range therefore also spans the Authenticode certificate table, which is stored after the sections in a signed PE, and the 8.00 entropy is what compressed RAR data looks like, not on its own an indicator of packing or encryption by a third party.
PE imports
GetStdHandle
FileTimeToSystemTime
WaitForSingleObject
FindNextFileA
EncodePointer
GetFileAttributesW
SystemTimeToTzSpecificLocalTime
DeleteCriticalSection
GetCurrentProcess
OpenFileMappingW
GetConsoleMode
FreeEnvironmentStringsW
InitializeSListHead
GetLocaleInfoW
SetStdHandle
SetFilePointerEx
GetCPInfo
WriteFile
GetSystemTimeAsFileTime
HeapReAlloc
GetStringTypeW
GetExitCodeProcess
InitializeCriticalSection
AllocConsole
TlsGetValue
MoveFileW
SetFileAttributesW
SetLastError
GetSystemTime
DeviceIoControl
RemoveDirectoryW
IsDebuggerPresent
ExitProcess
GetModuleFileNameA
QueryPerformanceFrequency
LoadLibraryExA
SetThreadPriority
FindClose
RtlVirtualUnwind
UnhandledExceptionFilter
LoadLibraryExW
MultiByteToWideChar
GetLocalTime
FoldStringW
GetFullPathNameW
CreateThread
SetEnvironmentVariableW
MoveFileExW
GetSystemDirectoryW
CreateSemaphoreW
IsProcessorFeaturePresent
TzSpecificLocalTimeToSystemTime
TerminateProcess
SetUnhandledExceptionFilter
GetModuleHandleExW
SetCurrentDirectoryW
GlobalAlloc
LocalFileTimeToFileTime
SetEndOfFile
GetCurrentThreadId
GetNumberFormatW
WriteConsoleW
InitializeCriticalSectionAndSpinCount
HeapFree
EnterCriticalSection
LoadLibraryW
GetVersionExW
FreeLibrary
QueryPerformanceCounter
GetTickCount
TlsAlloc
VirtualProtect
FlushFileBuffers
RtlPcToFileHeader
GetDateFormatW
GetStartupInfoW
CreateDirectoryW
DeleteFileW
GetProcAddress
GetProcessHeap
CreateFileMappingW
GetTimeFormatW
GetModuleFileNameW
ExpandEnvironmentStringsW
FindFirstFileExA
FindNextFileW
RtlLookupFunctionEntry
ResetEvent
FreeConsole
FindFirstFileW
RtlUnwindEx
SetEvent
GetProcessAffinityMask
CreateEventW
CreateFileW
GetFileType
TlsSetValue
HeapAlloc
LeaveCriticalSection
GetLastError
AttachConsole
SystemTimeToFileTime
LCMapStringW
GetShortPathNameW
GetSystemInfo
GetConsoleCP
FindResourceW
CompareStringW
GetEnvironmentStringsW
IsDBCSLeadByte
VirtualQuery
FileTimeToLocalFileTime
GetCurrentDirectoryW
GetCurrentProcessId
SetFileTime
GetCommandLineW
WideCharToMultiByte
HeapSize
GetCommandLineA
RaiseException
ReleaseSemaphore
MapViewOfFile
TlsFree
SetFilePointer
ReadFile
RtlCaptureContext
CloseHandle
GetACP
GetModuleHandleW
SetThreadExecutionState
GetLongPathNameW
IsValidCodePage
UnmapViewOfFile
GetTempPathW
Sleep
GetOEMCP
CreateHardLinkW
Number of PE resources by type
RT_STRING 9
RT_DIALOG 4
RT_ICON 4
RT_MANIFEST 1
RT_BITMAP 1
RT_GROUP_ICON 1
Number of PE resources by language
ENGLISH US 20
ExifTool file metadata
MIMEType: application/octet-stream
Subsystem: Windows GUI
MachineType: AMD AMD64
TimeStamp: 2016:08:14 20:16:02+01:00
FileType: Win64 EXE
PEType: PE32+
CodeSize: 206848
LinkerVersion: 14.0
FileTypeExtension: exe
InitializedDataSize: 234496
SubsystemVersion: 5.2
EntryPoint: 0x21acc
OSVersion: 5.2
ImageVersion: 0.0
UninitializedDataSize: 0
File identification
MD5 2191cf9563cfc67efb45b8aff90c649e
SHA1 22ac3a032f37ce5dabd0673f401f3d0307f21b74
SHA256 d73cc6a97c3edde637c7d952ee2e0efc5b09937e5300cb0ecaffda70f4efdef0
ssdeep 49152:oxUmywYuFXIQaU/7+woJngMS4o/UFCiRU7Sr4bSx31NkiI:YzVXZaU/7+wxMyB7A4gFN2
authentihash 8070dbb8c91296faa544b8d508efddfad352b6b290a49cedefe8449d1cb6cc47
imphash 044b0f0861d15019544fb4177870a00d
File size 2.1 MB ( 2179856 bytes )
File type Win32 EXE
Magic literal PE32+ executable for MS Windows (GUI) Mono/.Net assembly
(The "Mono/.Net assembly" part of this libmagic description should be treated with caution: the import table listed above consists only of native Win32 APIs, with no _CorExeMain import from mscoree.dll, which is what a managed executable would show. The "assembly" tag below comes from the same magic output.)
TrID Win64 Executable (generic) (87.3%)
Generic Win/DOS Executable (6.3%)
DOS Executable Generic (6.3%)
Tags peexe assembly overlay signed via-tor 64bits
VirusTotal metadata
First submission 2016-08-16 08:38:41 UTC ( 1 year, 6 months ago )
Last submission 2018-02-20 10:04:18 UTC ( 5 hours, 41 minutes ago )
File names Winrar 64 bits.exe
winrar540-x64.exe
winrar 540 x64.exe
winrar-x64-540 (3).exe
6928528
WinRAR 5.40 64 Bit.exe
WinRAR 5.40 - x64.exe
winrar-x64-540.exe
u1603.exe
winrar-x64-540(1).exe
WinRAR v5.40-64bit-Eng.exe
winrarx64-540.exe
~~~winrar-x64-540.exe
winrar-x64-540 en.exe
winrar-x64-540.exe.50lid4i.partial
WinRar 64 Bit.exe
winrar-x64-540.exe
WINRAR~1.EXE
winrar-64bit.exe
winrar-x64-540 (1).exe
winrar-x64-540[1].exe
unconfirmed 812896.crdownload
HTTP-FaIBIq1tlbMT5tLXlk.txt
winrar-5-40-64-bit.exe
win.exe