× Cookies are disabled! This site requires cookies to be enabled to work properly
SHA256: e2d4d9bdda8015db16fd4b69357b646a679d829d32918596a50afbdafcb436d0
File name: ChgService.exe
Detection ratio: 3 / 63
Analysis date: 2017-07-09 09:06:16 UTC ( 6 months, 2 weeks ago ) View latest
Antivirus Result Update
DrWeb Trojan.Click3.15588 20170709
Rising Malware.Undefined!8.C (cloud:OWNnAl3cIYC) 20170709
TrendMicro-HouseCall Suspicious_GEN.F47V0603 20170709
Ad-Aware 20170709
AegisLab 20170709
AhnLab-V3 20170708
Alibaba 20170709
ALYac 20170709
Antiy-AVL 20170709
Arcabit 20170709
Avast 20170709
AVG 20170709
Avira (no cloud) 20170709
AVware 20170709
Baidu 20170707
BitDefender 20170709
Bkav 20170706
CAT-QuickHeal 20170708
ClamAV 20170709
CMC 20170707
Comodo 20170709
CrowdStrike Falcon (ML) 20170420
Cylance 20170709
Cyren 20170709
Emsisoft 20170709
Endgame 20170706
ESET-NOD32 20170709
F-Prot 20170709
F-Secure 20170709
Fortinet 20170629
GData 20170709
Ikarus 20170709
Sophos ML 20170607
Jiangmin 20170709
K7AntiVirus 20170707
K7GW 20170709
Kaspersky 20170709
Kingsoft 20170709
Malwarebytes 20170709
MAX 20170709
McAfee 20170709
McAfee-GW-Edition 20170708
Microsoft 20170709
eScan 20170709
NANO-Antivirus 20170709
nProtect 20170709
Palo Alto Networks (Known Signatures) 20170709
Panda 20170709
Qihoo-360 20170709
SentinelOne (Static ML) 20170516
Sophos AV 20170709
SUPERAntiSpyware 20170709
Symantec 20170708
Symantec Mobile Insight 20170707
Tencent 20170709
TheHacker 20170707
TrendMicro 20170709
Trustlook 20170709
VBA32 20170707
VIPRE 20170709
ViRobot 20170708
Webroot 20170709
WhiteArmor 20170706
Yandex 20170707
Zillya 20170707
ZoneAlarm by Check Point 20170709
Zoner 20170709
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
Packers identified
PEiD Armadillo v1.71
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2012-08-02 06:43:17
Entry Point 0x0000393F
Number of sections 4
PE sections
PE imports
SetSecurityDescriptorDacl
CloseServiceHandle
StartServiceCtrlDispatcherA
OpenServiceA
SetServiceStatus
CreateServiceA
QueryServiceStatus
InitializeSecurityDescriptor
ControlService
DeleteService
OpenSCManagerA
RegisterServiceCtrlHandlerA
SetMapMode
SaveDC
TextOutA
GetClipBox
GetDeviceCaps
OffsetViewportOrgEx
DeleteDC
RestoreDC
SetTextColor
GetObjectA
CreateBitmap
RectVisible
GetStockObject
SetViewportOrgEx
ScaleWindowExtEx
ExtTextOutA
PtVisible
ScaleViewportExtEx
SelectObject
SetWindowExtEx
SetViewportExtEx
Escape
SetBkColor
DeleteObject
GetStdHandle
WaitForSingleObject
HeapDestroy
GetLocalTime
FreeEnvironmentStringsA
DeleteCriticalSection
GetCurrentProcess
LocalAlloc
lstrcatA
GetLogicalDrives
FreeEnvironmentStringsW
SetStdHandle
GetCPInfo
GetStringTypeA
GetProcessVersion
WriteFile
HeapReAlloc
GetStringTypeW
ResumeThread
GetOEMCP
LocalFree
ConnectNamedPipe
InitializeCriticalSection
GlobalHandle
InterlockedDecrement
FormatMessageA
SetLastError
DeviceIoControl
LocalLock
GlobalFindAtomA
HeapAlloc
GetModuleFileNameA
GetPrivateProfileStringA
SetThreadPriority
UnhandledExceptionFilter
TlsGetValue
MultiByteToWideChar
CreateMutexA
SetFilePointer
CreateThread
GlobalAddAtomA
SetUnhandledExceptionFilter
ExitThread
TerminateProcess
GlobalAlloc
GetCurrentThreadId
LeaveCriticalSection
HeapFree
EnterCriticalSection
SetHandleCount
lstrcmpiA
SetEvent
IsBadWritePtr
TlsAlloc
FlushFileBuffers
LoadLibraryA
RtlUnwind
FreeLibrary
GetStartupInfoA
GlobalDeleteAtom
GlobalLock
GlobalReAlloc
lstrcmpA
lstrcpyA
GetProcAddress
CreateEventA
GetFileType
TlsSetValue
CreateFileA
ExitProcess
InterlockedIncrement
GetLastError
LocalReAlloc
LCMapStringW
lstrlenA
GlobalFree
LCMapStringA
GlobalGetAtomNameA
GetEnvironmentStringsW
GlobalUnlock
CreateNamedPipeA
GetEnvironmentStrings
WritePrivateProfileStringA
WideCharToMultiByte
HeapSize
GetCommandLineA
SuspendThread
RaiseException
GetModuleHandleA
ReadFile
GlobalFlags
CloseHandle
lstrcpynA
GetACP
GetVersion
HeapCreate
VirtualFree
Sleep
IsBadReadPtr
IsBadCodePtr
VirtualAlloc
PathFileExistsA
MapWindowPoints
GetMessagePos
SetMenuItemBitmaps
DestroyMenu
PostQuitMessage
GetForegroundWindow
LoadBitmapA
SetWindowPos
DispatchMessageA
GrayStringA
GetMessageTime
GetDC
GetCursorPos
ReleaseDC
GetDlgCtrlID
GetClassInfoA
GetMenu
SendMessageA
GetClientRect
GetNextDlgTabItem
CallNextHookEx
LoadAcceleratorsA
GetActiveWindow
GetTopWindow
GetWindowTextA
GetKeyState
DestroyWindow
GetMessageA
GetParent
UpdateWindow
SetPropA
ShowWindow
GetPropA
ValidateRect
EnableWindow
PeekMessageA
TranslateMessage
IsWindowEnabled
GetWindow
LoadStringA
GetWindowPlacement
EnableMenuItem
RegisterClassA
TabbedTextOutA
GetWindowLongA
CreateWindowExA
CopyRect
GetSysColorBrush
PtInRect
SetFocus
RegisterWindowMessageA
DefWindowProcA
GetSystemMetrics
IsIconic
GetWindowRect
PostMessageA
SetWindowLongA
RemovePropA
SetWindowTextA
CheckMenuItem
GetSubMenu
GetLastActivePopup
GetDlgItem
GetMenuCheckMarkDimensions
ClientToScreen
GetClassLongA
LoadCursorA
LoadIconA
SetWindowsHookExA
GetMenuItemCount
GetMenuState
GetMenuItemID
SetForegroundWindow
DrawTextA
GetCapture
FindWindowA
UnhookWindowsHookEx
MessageBoxA
AdjustWindowRectEx
GetSysColor
RegisterClassExA
SystemParametersInfoA
IsWindowVisible
WinHelpA
TranslateAcceleratorA
CallWindowProcA
GetClassNameA
GetFocus
ModifyMenuA
OpenPrinterA
DocumentPropertiesA
ClosePrinter
Number of PE resources by type
RT_ICON 7
RT_DIALOG 1
RT_GROUP_ICON 1
Number of PE resources by language
CHINESE SIMPLIFIED 9
PE resources
ExifTool file metadata
MIMEType
application/octet-stream

Subsystem
Windows GUI

MachineType
Intel 386 or later, and compatibles

TimeStamp
2012:08:02 07:43:17+01:00

FileType
Win32 EXE

PEType
PE32

CodeSize
61440

LinkerVersion
6.0

FileTypeExtension
exe

InitializedDataSize
61440

SubsystemVersion
4.0

EntryPoint
0x393f

OSVersion
4.0

ImageVersion
0.0

UninitializedDataSize
0

CarbonBlack CarbonBlack acts as a surveillance camera for computers
While monitoring an end-user machine in-the-wild, CarbonBlack noticed the following files in execution wrote this sample to disk.
Compressed bundles
File identification
MD5 732b941cd5d448dd205fc7e51096c74d
SHA1 2bce14eecc9ba5c4e39a4b065187194a7484c9f6
SHA256 e2d4d9bdda8015db16fd4b69357b646a679d829d32918596a50afbdafcb436d0
ssdeep
3072:OEetI7+OEjcio4aQiuv8dkoDrfs3666j6:OEe6sODrf

authentihash 38e9b6b1ef31aa233357d3493f980cea3d820372aeb06d4c8dc7c819adc02eaa
imphash 90430bb3fb4f9c3ae7d7388adc675afe
File size 112.0 KB ( 114688 bytes )
File type Win32 EXE
Magic literal
PE32 executable for MS Windows (GUI) Intel 80386 32-bit

TrID Win32 Executable MS Visual C++ (generic) (42.2%)
Win64 Executable (generic) (37.3%)
Win32 Dynamic Link Library (generic) (8.8%)
Win32 Executable (generic) (6.0%)
Generic Win/DOS Executable (2.7%)
Tags
peexe armadillo

VirusTotal metadata
First submission 2012-11-06 09:44:04 UTC ( 5 years, 2 months ago )
Last submission 2017-07-28 08:26:48 UTC ( 5 months, 3 weeks ago )
File names ChgService.exe_
ChgService.exe
cfcdb208-c27a-8379-04e9-d6386dee3c41
ChgService.exe
732b941cd5d448dd205fc7e51096c74d
ChgService.ex_
cfbc2f8f-2c8f-583c-6c65-02864548496e
dc0ef8dd-fc32-bf2c-0a77-77413aaf3cbc
c2e38438-ec06-b7c8-ee2c-05e1b0b576d0
bc5f5423-e7a6-8d4a-47fc-13971e65d950_1d205007b9d0a61
ChgService.exe
0be26d72-67a1-c7c0-10ed-4f3bf10f82ab
CHGSERVICE.EXE
chgservice.exe
65806e63-3c2d-8654-9951-e8f9dc951661
d88582b9-3101-a29d-c151-c5d4d9fbf69c_1d243c295c9813e
a877eccb-7919-8dda-617c-7a7715119656
ChgService.exe
E2D4D9BDDA8015DB16FD4B69357B646A679D829D32918596A50AFBDAFCB436D0.dat
1cf340f4-ed01-db30-0303-87924835c483_1d20457fd9b8c53
6a82b503-b868-c593-5c0b-7ad7f2765d40
chgservice.exe
file-6057421_exe
9b2a39b0-0fea-9952-ab37-12f7f69e632e
ChgService.exe1
Advanced heuristic and reputation engines
TrendMicro-HouseCall
TrendMicro's heuristic engine has flagged this file as: Suspicious_GEN.F47V0822.

Symantec reputation Suspicious.Insight
No comments. No VirusTotal Community member has commented on this item yet, be the first one to do so!

Leave your comment...

?
Post comment

You have not signed in. Only registered users can leave comments, sign in and have a voice!

No votes. No one has voted on this item yet, be the first one to do so!
Condensed report! The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.
UDP communications