Antivirus scan for de09ede2330ad7f0bc692d30e5da8c97a6dc9a023af37075c2cf32cecfc4c7f1 at 2015-11-12 11:23:41 UTC

Antivirus	Result	Update
AegisLab		20151111
Yandex		20151111
AhnLab-V3		20151112
Alibaba		20151112
ALYac		20151112
Antiy-AVL		20151112
Arcabit		20151112
Avast		20151112
AVG		20151112
Avira (no cloud)		20151112
AVware		20151112
Baidu-International		20151111
BitDefender		20151112
Bkav		20151110
ByteHero		20151112
CAT-QuickHeal		20151110
ClamAV		20151112
CMC		20151109
Comodo		20151112
Cyren		20151112
DrWeb		20151112
Emsisoft		20151112
ESET-NOD32		20151112
F-Prot		20151112
F-Secure		20151112
Fortinet		20151112
GData		20151112
Ikarus		20151112
Jiangmin		20151111
K7AntiVirus		20151112
K7GW		20151112
Kaspersky		20151112
Malwarebytes		20151112
McAfee		20151112
McAfee-GW-Edition		20151112
Microsoft		20151112
eScan		20151112
NANO-Antivirus		20151112
nProtect		20151112
Panda		20151111
Qihoo-360		20151112
Rising		20151111
Sophos AV		20151112
SUPERAntiSpyware		20151112
Symantec		20151111
Tencent		20151112
TheHacker		20151110
TrendMicro		20151112
TrendMicro-HouseCall		20151112
VBA32		20151111
VIPRE		20151112
ViRobot		20151112
Zillya		20151111
Zoner		20151112

The file being studied is a Portable Executable file! More specifically, it is a Win32 DLL file for the Windows GUI subsystem.

PE header basic information

Target machine Intel 386 or later processors and compatible processors

Compilation timestamp 2009-02-04 20:28:27

Entry Point 0x002162B0

Number of sections 5

PE sections

Name Virtual address Virtual size Raw size Entropy MD5

.text 4096 2266485 2269184 6.62 135c79fa17b55006803db9157980e155

.rdata 2273280 1103425 1105920 2.82 3731c01bf43584acd883fb94bf581550

.data 3379200 7548888 7503872 7.97 7b78aba5680cff8ef5c0c931800fb991

.rsrc 10928128 51904 53248 3.57 87027619ecaf14bea54bf04b46c05f96

.reloc 10981376 103806 106496 5.54 d88edf881e93145f5a3527bbf8ab36e9

PE imports

[+] ADVAPI32.dll

[+] GDI32.dll

[+] KERNEL32.dll

GetStdHandle

GetConsoleOutputCP

ReleaseMutex

FileTimeToSystemTime

GetFileAttributesA

WaitForSingleObject

GetDriveTypeA

HeapDestroy

FreeEnvironmentStringsA

CreatePipe

GetCurrentProcess

GetConsoleMode

GetLocaleInfoA

FreeEnvironmentStringsW

SetStdHandle

GetTempPathA

WideCharToMultiByte

GetStringTypeA

WriteFile

GetSystemTimeAsFileTime

HeapReAlloc

GetStringTypeW

GetFullPathNameA

GetOEMCP

MoveFileA

ResumeThread

InitializeCriticalSection

FindClose

TlsGetValue

SetLastError

GetSystemTime

GetModuleFileNameW

IsDebuggerPresent

HeapAlloc

GetVersionExA

GetModuleFileNameA

UnhandledExceptionFilter

InterlockedDecrement

MultiByteToWideChar

CreateMutexA

SetFilePointer

CreateSemaphoreA

CreateThread

DeleteCriticalSection

SetUnhandledExceptionFilter

ExitThread

SetEnvironmentVariableA

TerminateProcess

WriteConsoleA

GlobalAlloc

SetEndOfFile

GetCurrentThreadId

InterlockedIncrement

WriteConsoleW

HeapFree

EnterCriticalSection

PeekNamedPipe

SetHandleCount

LoadLibraryW

GetExitCodeProcess

QueryPerformanceCounter

GetTickCount

TlsAlloc

FlushFileBuffers

LoadLibraryA

RtlUnwind

GlobalSize

GetStartupInfoA

DeleteFileA

GetCPInfo

GlobalLock

GetProcessHeap

CompareStringW

GetFileInformationByHandle

FindFirstFileA

GetProfileStringA

CompareStringA

GetTempFileNameA

FindNextFileA

DuplicateHandle

GetProcAddress

GetTimeZoneInformation

GetFileType

TlsSetValue

CreateFileA

ExitProcess

LeaveCriticalSection

GetLastError

LCMapStringW

lstrlenA

GlobalFree

GetConsoleCP

LCMapStringA

GetEnvironmentStringsW

GlobalUnlock

FileTimeToLocalFileTime

GetEnvironmentStrings

GetCurrentProcessId

GetCurrentDirectoryA

HeapSize

GetCommandLineA

RaiseException

ReleaseSemaphore

TlsFree

GetModuleHandleA

ReadFile

CloseHandle

GetACP

GetVersion

CreateProcessA

IsValidCodePage

HeapCreate

VirtualFree

Sleep

VirtualAlloc

[+] USER32.dll

[+] WINSPOOL.DRV

[+] comdlg32.dll

PE exports

DllEntryPoint

DllMain

gsapi_delete_instance

gsapi_exit

gsapi_init_with_args

gsapi_new_instance

gsapi_revision

gsapi_run_file

gsapi_run_string

gsapi_run_string_begin

Number of PE resources by type

RT_ICON 18

RT_DIALOG 2

RT_GROUP_ICON 2

Number of PE resources by language

ENGLISH US 22

PE resources

32f0d9d9fd5c6ccc6c7296b0d9c7666723929df81bfce1e7e60ec588ee0ee17f data

3cb6d469f5810d7ba2948766830d31dc403cd61d79e14a27e0fccf48718748c0 data

4b92b3ff6fa7947ad0dc819819cb40d06a63b28fe30b8ea44d1222d3a9c4b758 data

7767f2e463112375a510e673eef0235e5c82292ac85cda1a5eabdd9cc26738e6 data

c01d803bd02005416997df7aeaa947aad22e95d94ab70c24181108d8f5d794d9 data

c2242380faacc13e78cfec0a3e6a91f8d0650a5be2cdf4df0d3320b7ef34b14b data

c484ee89d60d20340ffb6014693ee56eb310a85285a9b75bfc1011c0ab7d97ba data

ca82878ac6f8f5d26249f03257b496eebf06e2d20e02349a0b871bf92766535c data

cd5ee3ac59386ae50e1a57a3f1e15d6ec4cc9f90498d9a5b6a5b7938c790c581 data

d1e9a928bbea6b12b7fe512068f90cd199df662e261fbd7c4ea5b939476922bd data

ExifTool file metadata

MIMEType

application/octet-stream

Subsystem

Windows GUI

MachineType

Intel 386 or later, and compatibles

TimeStamp

2009:02:04 21:28:27+01:00

FileType

Win32 DLL

PEType

PE32

CodeSize

2269184

LinkerVersion

8.0

FileTypeExtension

dll

InitializedDataSize

8814592

SubsystemVersion

4.0

EntryPoint

0x2162b0

OSVersion

4.0

ImageVersion

0.0

UninitializedDataSize

CarbonBlack CarbonBlack acts as a surveillance camera for computers

While monitoring an end-user machine in-the-wild, CarbonBlack noticed the following files in execution wrote this sample to disk.

03ba4490fcf2502f37c2ecaffa9421db

b2a62caf90a30d233134c9ef7d2c73a7

4315d6ecae85024a0567df2cb253b7b0

cd04ab8311ce5ab24c79f24fb13b9523

2158e7c54c3dc304db593c59b32b6be9

9da3b83f80e205b6c601eee1312fd0a0

d19bc37003290dc51e2fc9ba9f7987a1

da5a45587af653a9d8d9f15dab112d6f

332feab1435662fc6c672e25beb37be3

a4048ef1d4f8604ac00a3a4b8abe8bef

Execution parents

This file was created during the sandboxed execution of the following files.

a3fd7d9ef18d4e041c95145b899dcdc7fc1856bc45573fb895679e5dfcc57079

PE resource-wise parents

This file was seen as a resource in the following Portable Executables.

cf7729b4c919930e8f4b4777bc5a9a9a1eae63e5152b438d9f180e60b49b6b84

Compressed bundles

This file was also submitted to VirusTotal in the following compressed file bundles.

027094f5aa171c4bb296138e4e57840ca1b67c8b4624e84082d87a69bddfbfab

071c2896e7afea902e2850acabd91f3ca15bb87348c12f841612aa7ea4e0ac28

0c104168342dfa2ca04c54ed49d9499955d9c54c8797cc21c7e61a37eb93335b

166235e7d4694988d5a50125c0868968484483fb59014692dcd7836f9c7bb785

197905098193fa0807d5704a3eebb877a17fc0321a6ade4cb68b2aa870be218b

1b8a0a2dd6a383c82d04bc99713bf13bdbf87d80bbdf24320a255dd226f02db3

1fc4cb582eb6ad66c49c6e9d4d2a0af74f82ad48150c38c6c45f8a6efb8ab006

1fe254e495af64d8ca23b4920dc0ccc2e69f741c5aba444317b3ff52acc5d32e

2362026871503941a294fe7dafdf197c9d09b642efd270cc4f4b0722337538ac

24aae9cb4e80cb9127c53881ec9db01fed241834136a9c4a48f96437250f5a65

File identification

MD5 7f9005d8813a1def9878744f0cd5469c

SHA1 093d0607ee28e0eba2691aaafe2a73af71bddddb

SHA256 de09ede2330ad7f0bc692d30e5da8c97a6dc9a023af37075c2cf32cecfc4c7f1

ssdeep

196608:sNVTwKdWFUxSUfVeglAxLRABPwX9K9WSjGtEje:mVTw5UxRfVqxLqlwX9KAcSE

authentihash 6b369e0a3b31196ee732b4d2bbd18b85236275956183b3d77028405fc17d1483

imphash fbf212d60ca2bf4e1633cae4d523eae6

File size 10.5 MB ( 11042816 bytes )

File type Win32 DLL

Magic literal

PE32 executable for MS Windows (DLL) (GUI) Intel 80386 32-bit

TrID	Win32 Executable MS Visual C++ (generic) (35.0%) Win64 Executable (generic) (31.0%) Windows screen saver (14.7%) Win32 Dynamic Link Library (generic) (7.3%) Win32 Executable (generic) (5.0%)

VirusTotal metadata

First submission 2010-03-24 18:06:53 UTC ( 8 years, 5 months ago )

Last submission 2018-07-04 10:49:27 UTC ( 1 month, 2 weeks ago )

File names

smona_de09ede2330ad7f0bc692d30e5da8c97a6dc9a023af37075c2cf32cecfc4c7f1.bin
vs860b10.90q
de09ede2330ad7f0bc692d30e5da8c97a6dc9a023af37075c2cf32cecfc4c7f1-ev20001f.2.temp
gsdll32.dll
gsdll32.dll
vsmq07c7.3ih
vsmn1v6f.15h
file111
~vv1.tmp
vsmn1v6f.3hn
gsdll32.dll
gsdll32.dll.12060_1.11323.partial
gsdll32.dll
gsdll32.dll
_A2CE9CE0AB254C1286A003628BADE6D4
DE09EDE2330AD7F0BC692D30E5DA8C97A6DC9A023AF37075C2CF32CECFC4C7F1
gsdll32.dll
gsdll32.dll
gsdll32.dll
gsdll32.dll.deploy
_F6E5668DD56F41608ACB4C0B8F0B1AFA
Hmpsdll32.dll
gsdll32.dll.12060_1.28292.partial
55-gsdll32.dll
gsdll32.dll.12060_1.9258.partial

Advanced heuristic and reputation engines

Symantec reputation Suspicious.Insight

SHA256:	de09ede2330ad7f0bc692d30e5da8c97a6dc9a023af37075c2cf32cecfc4c7f1
File name:	gsdll32.dll
Detection ratio:	0 / 54
Analysis date:	2015-11-12 11:23:41 UTC ( 2 years, 9 months ago ) View latest

Ciphered bundle